Cisco 5510 - ASA SSL / IPsec VPN Edition Getting Started Manual page 121

Chapter 9      Scenario: IPsec Remote-Access VPN Configuration
               Implementing the IPsec Remote-Access VPN Scenario

Step 2    To enable split tunneling, check the Enable Split Tunneling check box. With
          split tunneling, only traffic destined for the configured networks is sent
          over the encrypted VPN tunnel; traffic to any other destination leaves the
          client directly for the Internet, bypassing the tunnel and any inspection
          the ASA would otherwise apply to it.

Step 3    To enable perfect forward secrecy (PFS), check the Enable Perfect Forward
          Secrecy check box. With PFS enabled, the peers perform a fresh
          Diffie-Hellman exchange during Phase 2 (Quick Mode), so the IPsec keys are
          not derived from the Phase 1 keying material; the Diffie-Hellman group
          selected in Step 4 sets the size of the numbers used in that exchange.

          PFS is a cryptographic property under which each new key is unrelated to
          any previous key. In IPsec negotiations, Phase 2 keys are derived from the
          Phase 1 keys unless PFS is enabled. PFS uses Diffie-Hellman techniques to
          generate the keys, which ensures that a session key derived from a set of
          long-term public and private keys is not compromised if one of the private
          keys is compromised in the future.

Note      PFS must be enabled on both sides of the connection; otherwise the Phase 2
          negotiation fails. After the tunnel is up, the show crypto ipsec sa command
          on the ASA reports whether PFS was negotiated and which Diffie-Hellman
          group was used.

Step 4    Select the Diffie-Hellman group identifier, which the two IPsec peers use
          to derive a shared secret without transmitting it to each other. The
          default, Group 2 (1024-bit Diffie-Hellman), requires less CPU time to
          execute but is less secure than Group 5 (1536-bit). Group 7 (ECC) is
          intended for the Movian VPN client, but works with any peer that supports
          Group 7. A 1024-bit modulus is below current minimum recommendations, so
          select the strongest group that both peers support.

Step 5    Click Next to continue.

Cisco ASA 5500 Series Getting Started Guide
78-19186-01                                                                9-15
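The Phase 2 keying difference described in Step 3, as an added example that is not part of the Cisco guide or its software: a Python simulation of the IKEv1 key derivation of RFC 2409 (section 5.5), using the RFC 2409 group 2 prime that the wizard selects by default. The pre-shared key, cookies, nonces and SPI are constructed here. It shows that an attacker who later obtains the Phase 1 derived secret SKEYID_d together with a capture of the Quick Mode exchange can recompute the IPsec KEYMAT when PFS is off, but not when PFS added a fresh Diffie-Hellman exchange whose private exponents never left the peers.

```python
"""Added example: IKEv1 Phase 2 key derivation with and without PFS (RFC 2409 5.5).
Not Cisco code; the pre-shared key, cookies, nonces and SPI below are constructed."""
import hashlib
import hmac
import secrets

# RFC 2409 "Second Oakley Group" = Diffie-Hellman group 2, the 1024-bit MODP
# group that the wizard selects by default; generator 2.
GROUP2_P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF
""".split()), 16)
GROUP2_G = 2
P_BYTES = (GROUP2_P.bit_length() + 7) // 8


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf: HMAC keyed with `key` over the negotiated hash (SHA-1 here)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def dh_keypair():
    """Private exponent x (never sent) and public value g^x mod p (sent on the wire)."""
    x = secrets.randbelow(GROUP2_P - 2) + 1
    return x, pow(GROUP2_G, x, GROUP2_P)


def dh_shared(peer_public: int, x: int) -> bytes:
    """g^xy mod p as a fixed-width byte string, from the peer's public value and our x."""
    return pow(peer_public, x, GROUP2_P).to_bytes(P_BYTES, "big")


def skeyid_d_from_phase1(psk, gxy, ni, nr, cky_i, cky_r) -> bytes:
    """Pre-shared-key authentication: SKEYID = prf(psk, Ni_b | Nr_b);
    SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0) seeds every Phase 2 key."""
    skeyid = prf(psk, ni + nr)
    return prf(skeyid, gxy + cky_i + cky_r + b"\x00")


def phase2_keymat(skeyid_d, protocol, spi, ni, nr, gqm_xy=b"") -> bytes:
    """Quick Mode KEYMAT = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b).
    g(qm)^xy is present only when PFS added a KE exchange to Quick Mode."""
    return prf(skeyid_d, gqm_xy + protocol + spi + ni + nr)


def attacker_recover(skeyid_d: bytes, capture: dict):
    """Passive attacker who recorded Quick Mode and later obtained SKEYID_d."""
    if capture["ke"] is None:
        # No PFS: everything KEYMAT depends on is either in the capture or SKEYID_d.
        return phase2_keymat(skeyid_d, capture["protocol"], capture["spi"],
                             capture["ni"], capture["nr"])
    # PFS: KEYMAT also needs g(qm)^xy. Only g^x and g^y were captured and the peers
    # discarded their private exponents, so this is a Diffie-Hellman problem.
    return None


def simulate(pfs: bool) -> dict:
    """Phase 1, one Quick Mode, then the later-compromise scenario from Step 3."""
    psk = b"constructed-pre-shared-key"  # constructed sample secret
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)

    # Phase 1 (Main Mode): each side keeps x; only g^x crosses the wire.
    xi, gxi = dh_keypair()
    xr, gxr = dh_keypair()
    gxy = dh_shared(gxr, xi)
    assert gxy == dh_shared(gxi, xr)
    skeyid_d = skeyid_d_from_phase1(psk, gxy, ni, nr, cky_i, cky_r)

    # Phase 2 (Quick Mode): fresh nonces and an ESP SPI; with PFS, a fresh KE too.
    capture = {"protocol": b"\x03", "spi": secrets.token_bytes(4),
               "ni": secrets.token_bytes(16), "nr": secrets.token_bytes(16), "ke": None}
    gqm_xy = b""
    if pfs:
        qxi, qgxi = dh_keypair()
        qxr, qgxr = dh_keypair()
        gqm_xy = dh_shared(qgxr, qxi)
        assert gqm_xy == dh_shared(qgxi, qxr)
        capture["ke"] = (qgxi, qgxr)  # public values only
    keymat = phase2_keymat(skeyid_d, capture["protocol"], capture["spi"],
                           capture["ni"], capture["nr"], gqm_xy)

    recovered = attacker_recover(skeyid_d, capture)
    return {"pfs": pfs, "attacker_recovers_keymat": recovered == keymat}


if __name__ == "__main__":
    for pfs in (False, True):
        print(simulate(pfs))
```

The same derivation applies whichever group Step 4 selects; only GROUP2_P and GROUP2_G change. Note that the group size decides how expensive the Diffie-Hellman problem left to the attacker in the PFS case is, which is why the 1024-bit default is the weakest choice on offer.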
