Value / Inherit; Ipsec Sa - Cisco VPN 3000 User Manual


Value / Inherit?

On this tabbed section:
• The Inherit? check box refers to base-group parameters: Does this specific group inherit the given
setting from the base group? To inherit the setting, check the box (default). To override the base-group
setting, clear the check box. If you clear the check box, you must also enter or change any
corresponding Value field; do not leave the field blank.
• The Value column thus shows either base-group parameter settings that also apply to this group
(Inherit? checked), or unique parameter settings configured for this group (Inherit? cleared).
Note:
The setting of the Inherit? check box takes priority over an entry in a Value field. Examine this box before
continuing and be sure its setting reflects your intent.

IPSec SA

Click the drop-down menu button and select the IPSec Security Association (SA) assigned to this
group's IPSec clients. During tunnel establishment, the client and server negotiate a Security
Association that governs authentication, encryption, encapsulation, key management, etc. You configure
IPSec Security Associations on the Configuration | Policy Management | Traffic Management | Security
Associations screens.

To use IPSec with remote-access clients, you must assign an SA. With IPSec LAN-to-LAN connections,
the system ignores this selection and uses parameters from the Configuration | System | Tunneling Protocols
| IPSec LAN-to-LAN screens.

The VPN Concentrator supplies these default selections:

--None-- = No SA assigned.

ESP-DES-MD5 = This SA uses DES 56-bit data encryption for both the IKE tunnel and IPSec traffic,
ESP/MD5/HMAC-128 authentication for IPSec traffic, and MD5/HMAC-128 authentication for the
IKE tunnel.

ESP-3DES-MD5 = This SA uses Triple-DES 168-bit data encryption and ESP/MD5/HMAC-128
authentication for IPSec traffic, and DES-56 encryption and MD5/HMAC-128 authentication for
the IKE tunnel.

ESP/IKE-3DES-MD5 = This SA uses Triple-DES 168-bit data encryption for both the IKE tunnel and
IPSec traffic, ESP/MD5/HMAC-128 authentication for IPSec traffic, and MD5/HMAC-128
authentication for the IKE tunnel.

ESP-3DES-NONE = This SA uses Triple-DES 168-bit data encryption and no authentication for IPSec
traffic, and DES-56 encryption and MD5/HMAC-128 authentication for the IKE tunnel.

ESP-L2TP-TRANSPORT = This SA uses DES 56-bit data encryption and ESP/MD5/HMAC-128
authentication for IPSec traffic (with ESP applied only to the transport layer segment), and it uses
Triple-DES 168-bit data encryption and MD5/HMAC-128 for the IKE tunnel. Use this SA with the
L2TP over IPSec tunneling protocol.

Additional SAs that you have configured also appear on the list.

VPN 3000 Concentrator Series User Guide
Configuration | User Management | Groups | Add or Modify (Internal)
12-25
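
The check below is an added example, not part of the Cisco manual: it resolves each group's effective IPSec SA using the Inherit? precedence described above and lists, for the default SAs on this page, the properties a reviewer would flag today (DES 56-bit encryption, no authentication for IPSec traffic). The group record layout (`name`, `inherit`, `value`) and the sample groups are constructed for illustration and are not a VPN 3000 export format.

```python
# Default SAs as described on this page:
# name -> (IPSec encryption, IPSec authentication, IKE encryption)
DEFAULT_SAS = {
    "ESP-DES-MD5":        ("DES-56",   "ESP/MD5/HMAC-128", "DES-56"),
    "ESP-3DES-MD5":       ("3DES-168", "ESP/MD5/HMAC-128", "DES-56"),
    "ESP/IKE-3DES-MD5":   ("3DES-168", "ESP/MD5/HMAC-128", "3DES-168"),
    "ESP-3DES-NONE":      ("3DES-168", None,               "DES-56"),
    "ESP-L2TP-TRANSPORT": ("DES-56",   "ESP/MD5/HMAC-128", "3DES-168"),
}

def effective_sa(group, base_sa):
    """Inherit? takes priority over whatever is typed in the Value field."""
    if group["inherit"]:
        return base_sa
    if not group["value"]:
        raise ValueError(f"{group['name']}: Inherit? cleared but Value is blank")
    return group["value"]

def findings(sa_name):
    """Return review findings for one SA name (empty list means none)."""
    if sa_name == "--None--":
        return ["no SA assigned; remote-access IPSec clients need one"]
    if sa_name not in DEFAULT_SAS:
        return ["custom SA; review it on the Security Associations screens"]
    ipsec_enc, ipsec_auth, ike_enc = DEFAULT_SAS[sa_name]
    out = []
    if ipsec_enc == "DES-56":
        out.append("IPSec traffic uses DES 56-bit")
    if ike_enc == "DES-56":
        out.append("IKE tunnel uses DES 56-bit")
    if ipsec_auth is None:
        out.append("no authentication for IPSec traffic")
    return out

def audit(groups, base_sa):
    """Map each group name to (effective SA, findings)."""
    sas = {g["name"]: effective_sa(g, base_sa) for g in groups}
    return {name: (sa, findings(sa)) for name, sa in sas.items()}

# Constructed sample groups (hypothetical layout). "contractors" has a
# leftover Value that the checked Inherit? box overrides.
GROUPS = [
    {"name": "engineering", "inherit": False, "value": "ESP/IKE-3DES-MD5"},
    {"name": "contractors", "inherit": True,  "value": "ESP/IKE-3DES-MD5"},
    {"name": "legacy-l2tp", "inherit": False, "value": "ESP-L2TP-TRANSPORT"},
]

if __name__ == "__main__":
    for name, (sa, notes) in audit(GROUPS, base_sa="ESP-3DES-NONE").items():
        print(name, sa, notes or ["nothing flagged"])
```

The `contractors` group shows why the Note matters: its Value field reads ESP/IKE-3DES-MD5, but with Inherit? checked it actually runs the base group's SA.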
