Configuration | System | Tunneling Protocols | Ipsec Lan-To-Lan - Cisco VPN 3000 User Manual

7 Tunneling Protocols
• Extended Authentication (XAuth)
• Mode Configuration (also known as ISAKMP Configuration Method)
• Tunnel Encapsulation Mode
You configure IKE proposals (parameters for the IKE SA) here. You apply them to IPSec LAN-to-LAN
connections in this section, and to IPSec SAs on the Configuration | Policy Management | Traffic Management
| Security Associations screens. Therefore, you should configure IKE proposals before configuring other
IPSec parameters. Cisco supplies default IKE proposals that you can use or modify.
Figure 7-4: Configuration | System | Tunneling Protocols | IPSec screen
Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN
This section of the Manager lets you configure, add, modify, and delete IPSec LAN-to-LAN connections
between two VPN Concentrators.
While the VPN Concentrator can establish LAN-to-LAN connections with other protocol-compliant
VPN secure gateways, these instructions assume VPN Concentrators on both sides. And here, the "peer"
is the other VPN Concentrator or secure gateway.
In a LAN-to-LAN connection, IPSec creates a tunnel between the public interfaces of two VPN
Concentrators, which correspondingly route secure traffic to and from many hosts on their private LANs.
There is no user configuration or authentication in a LAN-to-LAN connection; all hosts configured on
the private networks can access hosts on the other side of the connection, at any time.
If you have a WAN connection as the public interface, you still use this section to configure a
LAN-to-WAN connection.
To fully configure a LAN-to-LAN connection, you must configure identical basic IPSec parameters on
both VPN Concentrators, and configure mirror-image private network addresses or network lists.
The VPN Concentrator also provides a network autodiscovery feature that dynamically discovers and
updates the private network addresses on each side of the LAN-to-LAN connection, so you don't have
to explicitly configure them. This feature works only when both devices are VPN Concentrators.
However, network autodiscovery is not allowed on a WAN interface.
You must configure a public interface on the VPN Concentrator before you can configure an IPSec
LAN-to-LAN connection. See the Configuration | Interfaces screens. You must also configure IKE
proposals before configuring LAN-to-LAN connections. See the Configuration | System | Tunneling
Protocols | IPSec | IKE Proposals screens.
You can configure only one LAN-to-LAN connection with each VPN Concentrator (or other secure
gateway) peer.
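The consistency rules in this section (identical basic IPSec parameters on both sides, mirror-image network lists, the autodiscovery restrictions, and one connection per peer) can be checked offline before either device is changed. The following is an added example, not Cisco code and not part of the manual; the dictionary field names and all sample values are hypothetical and are not VPN 3000 configuration keys.

```python
from ipaddress import ip_network

# Hypothetical field names for this example; they are not VPN 3000 configuration keys.
SHARED_FIELDS = ("ike_proposal", "authentication", "encryption")

def _nets(side, key):
    return {ip_network(n) for n in side[key]}

def check_lan_to_lan(a, b):
    """Return a list of mismatches between the two ends of one LAN-to-LAN connection."""
    problems = []
    if a["peer"] != b["public_ip"] or b["peer"] != a["public_ip"]:
        problems.append("peer addresses do not point at each other")
    for field in SHARED_FIELDS:  # basic IPSec parameters must be identical
        if a[field] != b[field]:
            problems.append(f"{field} differs: {a[field]!r} vs {b[field]!r}")
    if a["autodiscovery"] != b["autodiscovery"]:
        problems.append("autodiscovery enabled on only one side")
    elif a["autodiscovery"]:
        # Autodiscovery needs VPN Concentrators on both sides and no WAN public interface.
        for side in (a, b):
            if not side["is_vpn_concentrator"]:
                problems.append(f"{side['name']}: autodiscovery needs a VPN Concentrator")
            if side["public_is_wan"]:
                problems.append(f"{side['name']}: autodiscovery not allowed on a WAN interface")
    else:
        # Without autodiscovery, the network lists must be mirror images.
        if _nets(a, "local") != _nets(b, "remote"):
            problems.append(f"{a['name']} local networks != {b['name']} remote networks")
        if _nets(a, "remote") != _nets(b, "local"):
            problems.append(f"{a['name']} remote networks != {b['name']} local networks")
    return problems

def duplicate_peers(connections):
    """Return peers that appear in more than one LAN-to-LAN connection on one device."""
    seen, dupes = set(), set()
    for conn in connections:
        (dupes if conn["peer"] in seen else seen).add(conn["peer"])
    return sorted(dupes)

# Constructed sample data (documentation address ranges, not taken from the manual).
SITE_A = dict(name="site-a", public_ip="192.0.2.1", peer="198.51.100.1",
              ike_proposal="proposal-1", authentication="auth-1", encryption="enc-1",
              autodiscovery=False, is_vpn_concentrator=True, public_is_wan=False,
              local=["10.10.0.0/16"], remote=["10.20.0.0/16"])
SITE_B = dict(SITE_A, name="site-b", public_ip="198.51.100.1", peer="192.0.2.1",
              local=["10.20.0.0/16"], remote=["10.10.0.0/24"])  # wrong mask: should be /16
```

An empty list from `check_lan_to_lan` means the two sides agree on every rule the function checks; it says nothing about parameters the example does not model.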
VPN 3000 Concentrator Series User Guide
