Ipsec Tunnel-Group Connection Parameters - Cisco FirePOWER ASA 5500 series Configuration Manual

Chapter 30
Configuring Tunnel Groups, Group Policies, and Users

IPSec Tunnel-Group Connection Parameters

IPSec parameters include the following:
OL-10088-01
Default group policy for the connection—A group policy is a set of user-oriented attributes. The default group policy is the group policy whose attributes the security appliance uses as defaults when authenticating or authorizing a tunnel user.

Client address assignment method—This method includes values for one or more DHCP servers or address pools from which the security appliance assigns addresses to clients.

Override account disabled—This parameter lets you override the "account-disabled" indicator received from a AAA server.

Password management—This parameter lets you warn a user that the current password is due to expire in a specified number of days (the default is 14 days), then offer the user the opportunity to change the password.

Strip group and strip realm—These parameters direct the way the security appliance processes the usernames it receives. They apply only to usernames received in the form user@realm. A realm is an administrative domain appended to a username with the @ delimiter (user@abc).

When you specify the strip-group command, the security appliance selects the tunnel group for user connections by obtaining the group name from the username presented by the VPN client. The security appliance then sends only the user part of the username for authorization/authentication. Otherwise (if disabled), the security appliance sends the entire username, including the realm.

Strip-realm processing removes the realm from the username when sending the username to the authentication or authorization server. If the command is enabled, the security appliance sends only the user part of the username for authorization/authentication. Otherwise, the security appliance sends the entire username.

Authorization required—This parameter lets you require authorization before a user can connect, or turn off that requirement.

Authorization DN attributes—This parameter specifies which Distinguished Name attributes to use when performing authorization.

A client authentication method: preshared keys, certificates, or both.

For IKE connections based on preshared keys, the alphanumeric key itself (up to 128 characters long), associated with the connection policy.

Peer-ID validation requirement—This parameter specifies whether to require validating the identity of the peer using the peer's certificate.

An extended hybrid authentication method: XAUTH and hybrid XAUTH.

You use the isakmp ikev1-user-authentication command to implement hybrid XAUTH authentication when you need to use digital certificates for security appliance authentication and a different, legacy method for remote VPN user authentication, such as RADIUS, TACACS+ or SecurID.

ISAKMP (IKE) keepalive settings—This feature lets the security appliance monitor the continued presence of a remote peer and report its own presence to that peer. If the peer becomes unresponsive, the security appliance removes the connection. Enabling IKE keepalives prevents hung connections when the IKE peer loses connectivity.

There are various forms of IKE keepalives. For this feature to work, both the security appliance and its remote peer must support a common form. This feature works with the following peers:

Cisco VPN client (Release 3.0 and above)
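The following is an added example, not a configuration taken from this manual, showing how the parameters listed above fit together in a single remote-access tunnel group on the ASA CLI. The tunnel-group, group-policy, address-pool, AAA server-group and trustpoint names (RA-GROUP, RA-POLICY, RA-POOL, AAA-RADIUS, RA-TRUSTPOINT) and the numeric values are constructed for illustration; the hybrid XAUTH form is shown, so the security appliance authenticates with a certificate via the trustpoint while users authenticate through RADIUS.

```cisco
! Added example (constructed names and values); not from the manual.
! Group delimiter so a username of the form user@group selects the tunnel group.
group-delimiter @

tunnel-group RA-GROUP type ipsec-ra

tunnel-group RA-GROUP general-attributes
 ! Default group policy whose attributes apply unless the user/AAA overrides them
 default-group-policy RA-POLICY
 ! Client address assignment from a local pool
 address-pool RA-POOL
 ! AAA servers for user authentication and authorization
 authentication-server-group AAA-RADIUS
 authorization-server-group AAA-RADIUS
 ! Ignore the account-disabled indicator returned by the AAA server
 override-account-disable
 ! Warn users 7 days (constructed value; default is 14) before password expiry
 password-management password-expire-in-days 7
 ! Send only the user portion of user@group / user@realm to the AAA server
 strip-group
 strip-realm
 ! Require successful authorization before the tunnel is allowed
 authorization-required
 authorization-dn-attributes CN

tunnel-group RA-GROUP ipsec-attributes
 ! Certificate-based authentication of the security appliance itself
 trust-point RA-TRUSTPOINT
 ! Require the peer identity to be validated against its certificate
 peer-id-validate req
 ! Hybrid XAUTH: certificate for the appliance, legacy (RADIUS) method for users
 isakmp ikev1-user-authentication hybrid
 ! IKE keepalives: probe after 15 s of silence, retry every 2 s, then tear down
 isakmp keepalive threshold 15 retry 2
```

With strip-group and strip-realm both enabled, a client presenting alice@RA-GROUP is mapped to tunnel group RA-GROUP and the RADIUS server sees only alice; with both disabled the full string is forwarded, so the AAA user database must contain the decorated form. Leaving peer-id-validate at req and keeping keepalives enabled are the defensive choices: the first refuses peers whose certificate identity does not match, the second ensures a peer that silently drops off the network does not leave a dangling SA consuming resources.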
Cisco Security Appliance Command Line Configuration Guide
Tunnel Groups
30-3