Cisco ASA 5505 Configuration Manual page 1337

Asa 5500 series

Chapter 64
General VPN Setup
Add/Edit Internal Group Policy > IPsec Client
The Add or Edit Group Policy > IPsec dialog box lets you specify tunneling protocols, filters, connection settings, and servers for the group policy being added or modified.
Fields
Re-Authentication on IKE Re-key—Enables or disables reauthentication when IKE re-key occurs, unless the Inherit check box is checked. The user has 30 seconds to enter credentials, and up to three attempts before the SA expires at approximately two minutes and the tunnel terminates.
  Allow entry of authentication credentials until SA expires—Allows users time to reenter authentication credentials until the maximum lifetime of the configured SA.
IP Compression—Enables or disables IP Compression, unless the Inherit check box is checked.
Perfect Forward Secrecy—Enables or disables perfect forward secrecy (PFS), unless the Inherit check box is selected. PFS ensures that the key for a given IPsec SA was not derived from any other secret, such as another key. In other words, if someone were to break a key, PFS ensures that the attacker would not be able to derive any other key. If PFS were not enabled, someone could hypothetically break the IKE SA secret key, copy all the IPsec protected data, and then use knowledge of the IKE SA secret to compromise the IPsec SAs set up by this IKE SA. With PFS, breaking IKE would not give an attacker immediate access to IPsec. The attacker would have to break each IPsec SA individually.
Store Password on Client System—Enables or disables storing the password on the client system.
  Note: Storing the password on a client system can constitute a potential security risk.
IPsec over UDP—Enables or disables using IPsec over UDP.
IPsec over UDP Port—Specifies the UDP port to use for IPsec over UDP.
Tunnel Group Lock—Enables locking the tunnel group you select from the list, unless the Inherit check box or the value None is selected.
IPsec Backup Servers—Activates the Server Configuration and Server IP Addresses fields, so you can specify the UDP backup servers to use if these values are not inherited.
  Server Configuration—Lists the server configuration options to use as an IPsec backup server. The available options are: Keep Client Configuration (the default), Use the Backup Servers Below, and Clear Client Configuration.
  Server Addresses (space delimited)—Specifies the IP addresses of the IPsec backup servers. This field is available only when the value of the Server Configuration selection is Use the Backup Servers Below.
Modes
The following table shows the modes in which this feature is available:
Table columns: Firewall Mode (Routed, Transparent); Security Context (Single, Multiple: Context, System)
OL-20339-01
Cisco ASA 5500 Series Configuration Guide using ASDM
ACL Manager
64-27
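An added example, not taken from the Cisco guide: a Python audit of a constructed running-config excerpt for the two settings whose risk the field descriptions above spell out, Store Password on Client System and Perfect Forward Secrecy. It assumes the ASA CLI group-policy keywords `password-storage` and `pfs` as the counterparts of those ASDM fields and `DfltGrpPolicy` as the policy that inherited values come from; the function names are hypothetical.

```python
import re

# Constructed running-config excerpt (sample data, not from the manual).
SAMPLE_CONFIG = """\
group-policy DfltGrpPolicy attributes
 password-storage disable
 pfs disable
group-policy SALES internal
group-policy SALES attributes
 password-storage enable
 pfs enable
group-policy ENG internal
group-policy ENG attributes
 ipsec-udp enable
"""

# Setting -> (value the audit expects, reason taken from the field descriptions)
EXPECTED = {
    "password-storage": ("disable", "password stored on the client system"),
    "pfs": ("enable", "IPsec SA keys derivable from the IKE SA secret"),
}

def parse_group_policies(config):
    """Return {policy name: {keyword: value}} from 'group-policy X attributes' blocks."""
    policies, current = {}, None
    for line in config.splitlines():
        header = re.match(r"group-policy (\S+) attributes\s*$", line)
        if header:
            current = policies.setdefault(header.group(1), {})
        elif line.startswith(" ") and current is not None:
            keyword, _, value = line.strip().partition(" ")
            current[keyword] = value
        else:
            current = None  # any other top-level line ends the block
    return policies

def audit(config, default="DfltGrpPolicy"):
    """Return sorted (policy, setting, value, source, reason) findings."""
    policies = parse_group_policies(config)
    inherited = policies.get(default, {})
    findings = []
    for name, attrs in policies.items():
        for setting, (wanted, reason) in EXPECTED.items():
            source = "explicit" if setting in attrs else "inherited"
            # A setting absent from both policies has no visible value: not reported.
            value = attrs.get(setting, inherited.get(setting))
            if value is not None and value != wanted:
                findings.append((name, setting, value, source, reason))
    return sorted(findings)
```

Calling `audit(SAMPLE_CONFIG)` reports the ENG policy even though it never mentions PFS, because the value it inherits is the weak one.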
