Chapter 11 Configuration parameters

General

A security association can only be established between the CN3000 and a peer if the
policy is enabled.

Important: The IPSec tunnel cannot be used to transport customer traffic. To prevent
customer traffic from entering the tunnel, you may need to define access list definitions
to DENY access to all subnets on the other side of the tunnel (only if you set up the
IPSec tunnel in "tunnel mode"). The tunnel should be used to carry management traffic
only (RADIUS, SNMP, management sessions).

Name
Specify a name for the policy. This identifies the policy in the IPSec security policy
database.

Phase 1 mode
Choose the mode of operation. Two options are available.
• Main mode: This option is supported by most IPSec clients. It provides support for
peer authentication via X.509 certificates or pre-shared keys.
• Aggressive mode: Aggressive mode does not provide identity protection as main
mode does. It is helpful when setting up a LAN-to-LAN tunnel when the Internet IP
address is dynamic. The remote gateway can then use the group name to know
which LAN-to-LAN tunnel to activate.

ID type and ID
• If you enable Preshared key for Authentication method, the CN3000 automatically
sets:
ID type = IP address
ID = IP address assigned to the Internet port.
To establish a security association the peer must also set its ID type to IP address.
• If you enable X.509 certificates for Authentication method, the CN3000
automatically sets:
ID type = DER_ASN1_DN
ID = the distinguished name included in the local certificate.
The peer, however, can use any of the four formats the CN3000 supports: IP address,
fully qualified user name, fully qualified host name, or DER_ASN1_DN.

Security association lifetimes
• Phase 1: 6 hours
• Phase 2: 1 hour

Perfect forward secrecy (PFS)
New keying material will be generated for each IPsec security association rather than
being derived from the ISAKMP SA keying material.
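The rules stated on this page (policy must be enabled, pre-shared key forces ID type = IP address on both ends, X.509 accepts any of the four ID formats, aggressive mode gives no identity protection, and a tunnel-mode policy must DENY customer traffic to every remote subnet) are easy to get wrong when several policies are maintained by hand. The following script is an added example, not CN3000 software: it encodes those rules as a lint over a small policy record. The `IpsecPolicy` data model, the field names and the sample policies are assumptions made for the example; the CN3000 does not expose its configuration in this form.

```python
"""Lint an IPSec policy against the rules stated in the CN3000 manual page.

Added example. The IpsecPolicy record, its field names and the sample
policies below are assumptions for illustration, not the CN3000's own data.
"""
from dataclasses import dataclass, field
import ipaddress

PSK, X509 = "preshared_key", "x509"
MAIN, AGGRESSIVE = "main", "aggressive"
# The four ID formats the page says the CN3000 supports.
ID_TYPES = {"ip_address", "user_fqdn", "host_fqdn", "der_asn1_dn"}


@dataclass
class IpsecPolicy:
    name: str
    enabled: bool
    phase1_mode: str
    auth_method: str
    internet_ip: str                      # address assigned to the Internet port
    local_dn: str = ""                    # DN from the local certificate (X.509)
    tunnel_mode: bool = True
    remote_subnets: list = field(default_factory=list)   # subnets beyond the tunnel
    customer_deny_acl: list = field(default_factory=list)  # DENY entries for customer traffic
    phase1_lifetime_h: float = 6          # manual default, not linted
    phase2_lifetime_h: float = 1          # manual default, not linted
    pfs: bool = True


def local_identity(p: IpsecPolicy):
    """ID type and ID the CN3000 sets automatically from the authentication method."""
    if p.auth_method == PSK:
        return "ip_address", p.internet_ip
    if p.auth_method == X509:
        return "der_asn1_dn", p.local_dn
    raise ValueError(f"unknown authentication method: {p.auth_method}")


def peer_id_acceptable(p: IpsecPolicy, peer_id_type: str) -> bool:
    """Pre-shared key: peer must use IP address. X.509: any supported format."""
    if peer_id_type not in ID_TYPES:
        return False
    if p.auth_method == PSK:
        return peer_id_type == "ip_address"
    return True


def lint(p: IpsecPolicy, peer_id_type: str) -> list:
    """Return a list of 'ERROR: ...' / 'WARN: ...' findings; empty means clean."""
    findings = []
    if not p.enabled:
        findings.append("ERROR: policy is disabled, no security association can be established")
    id_type, ident = local_identity(p)
    if not peer_id_acceptable(p, peer_id_type):
        findings.append(f"ERROR: local ID type {id_type} ({ident}) but peer uses "
                        f"{peer_id_type}; with a pre-shared key the peer must use ip_address")
    if p.phase1_mode == AGGRESSIVE:
        findings.append("WARN: aggressive mode sends the identity without protection")
    if p.tunnel_mode:
        # Management-only tunnel: every remote subnet needs a covering DENY entry.
        denied = [ipaddress.ip_network(n) for n in p.customer_deny_acl]
        for s in p.remote_subnets:
            net = ipaddress.ip_network(s)
            if not any(net.subnet_of(d) for d in denied if d.version == net.version):
                findings.append(f"ERROR: remote subnet {net} has no DENY entry for customer traffic")
    if not p.pfs:
        findings.append("WARN: PFS disabled, phase 2 keys derived from the ISAKMP SA keying material")
    return findings


# Constructed sample policies (not taken from any real configuration).
GOOD = IpsecPolicy("mgmt-tunnel", True, MAIN, PSK, "203.0.113.10",
                   remote_subnets=["10.20.0.0/16"], customer_deny_acl=["10.20.0.0/16"])
BAD = IpsecPolicy("bad-tunnel", False, AGGRESSIVE, PSK, "203.0.113.10",
                  remote_subnets=["10.20.0.0/16", "10.30.0.0/24"],
                  customer_deny_acl=["10.20.0.0/16"], pfs=False)
CERT = IpsecPolicy("cert-tunnel", True, MAIN, X509, "203.0.113.10",
                   local_dn="CN=cn3000,O=Example",
                   remote_subnets=["10.40.0.0/24"], customer_deny_acl=["10.0.0.0/8"])

if __name__ == "__main__":
    for pol, peer in ((GOOD, "ip_address"), (BAD, "host_fqdn"), (CERT, "host_fqdn")):
        print(pol.name, lint(pol, peer) or ["clean"])
```

The lint treats a missing DENY entry as an error only in tunnel mode, which matches the caveat in the Important note; in transport mode the access-list rule does not apply and the check is skipped.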