Cisco Systems OL-16647-01 Network Router User Manual


 
32-7
Cisco ASDM User Guide
OL-16647-01
Chapter 32 VPN
VPN Wizard
Fields
Cisco VPN Client Release 3.x or higher, or other Easy VPN Remote product—Click for IPsec
connections, including compatible software and hardware clients other than those named here.
Microsoft Windows client using L2TP over IPsec—Click to enable connections from Microsoft
Windows and Microsoft Windows Mobile clients over a public IP network. L2TP uses PPP over
UDP (port 1701) to tunnel the data. Enable one or more of the following PPP authentication
protocols:
PAP—Passes the username and password in cleartext during authentication and is not secure.
CHAP—The server sends a random challenge; the client answers with a hash of the challenge and its
password (MD5 over the identifier, secret, and challenge) together with a cleartext username, so the
password itself never crosses the link and a captured response is useless against a fresh challenge.
This protocol is more secure than PAP, but it does not encrypt data, and the server must hold the
cleartext password in order to recompute the hash.
MS-CHAP, Version 1—Similar to CHAP but more secure in that the server stores and compares only hashed
passwords rather than the cleartext passwords that CHAP requires.
MS-CHAP, Version 2—Contains security enhancements over MS-CHAP, Version 1, including mutual
authentication of client and server.
EAP-Proxy—Enables EAP which permits the security appliance to proxy the PPP
authentication process to an external RADIUS authentication server.
Client will send the tunnel group name as username@tunnelgroup—Check to have the security
appliance use the suffix after the @ sign to place users establishing L2TP over IPsec connections into
different tunnel groups. Since each tunnel group has its own AAA server group and IP address pools,
users can be authenticated through methods specific to their tunnel group.
Modes
The following table shows the modes in which this feature is available:
VPN Client Authentication Method and Name
Use the VPN Client Authentication Method and Name panel to configure an authentication method and
create a tunnel group.
Fields
Authentication Method—The remote site peer authenticates either with a preshared key or a
certificate.
Pre-shared Key—Click to use a preshared key for authentication between the local security
appliance and the remote IPsec peer.
Using a preshared key is a quick and easy way to set up communication with a limited number
of remote peers on a stable network. It does not scale to a large network, because every IPsec peer
must hold configuration (including the key) for each peer with which it establishes secure
connections.
Each pair of IPsec peers must share a preshared key before it can establish secure tunnels. Use a
secure out-of-band method to exchange the preshared key with the administrator of the remote site;
do not send it over the unprotected path the tunnel is meant to secure.
Modes table:

    Firewall Mode              Security Context
    Routed    Transparent      Single    Multiple
                                         Context    System
    ——