32-12
Cisco ASDM User Guide
OL-16647-01
Chapter 32 VPN
VPN Wizard
Fields
Host/Network to Be Added—Complete these fields to exempt a particular host or network from NAT.

Interface—Select the name of the interface that connects to the hosts or networks you have selected.

IP address—Select the IP address of the host or network. Either type the IP address or click the adjacent ... button to view a diagram of the network and select a host or network.

Add—Click to add the host or network to the Selected Hosts/Networks list after you have completed the applicable fields.

Selected Hosts/Networks—Displays the hosts and networks that are exempt from NAT. If you want all hosts and networks to be exempt from NAT, leave this list empty.
Enable split tunneling—Select to have traffic from remote access clients destined for the public Internet sent unencrypted. Split tunneling causes traffic for protected networks to be encrypted, while traffic to unprotected networks is unencrypted. When you enable split tunneling, the security appliance pushes a list of IP addresses to the remote VPN client after authentication. The remote VPN client encrypts traffic to the IP addresses that are behind the security appliance. All other traffic travels unencrypted directly to the Internet without involving the security appliance.
Enable Perfect Forward Secrecy (PFS)—Specify whether to use Perfect Forward Secrecy, and the size of the numbers to use, in generating Phase 2 IPsec keys. PFS is a cryptographic concept where each new key is unrelated to any previous key. In IPsec negotiations, Phase 2 keys are based on Phase 1 keys unless PFS is enabled. PFS uses Diffie-Hellman techniques to generate the keys.

PFS ensures that a session key derived from a set of long-term public and private keys is not compromised if one of the private keys is compromised in the future.

PFS must be enabled on both sides of the connection.

Diffie-Hellman Group—Select the Diffie-Hellman group identifier, which the two IPsec peers use to derive a shared secret without transmitting it to each other. The default, Group 2 (1024-bit Diffie-Hellman), requires less CPU time to execute but is less secure than Group 5 (1536-bit). Group 7 is for use with the Movian VPN client, but works with any peer that supports Group 7 (ECC).
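As an added illustration of the PFS description above (example code written for this page, not from the Cisco guide): an IKEv1-style Quick Mode key derivation with and without PFS, using the 1024-bit MODP prime of Diffie-Hellman Group 2. The Phase 1 keying material and the SPI/nonce values are constructed stand-ins, and the RFC 2409 KEYMAT derivation is simplified to a single PRF block.

```python
# Added example (not from the Cisco guide): why enabling PFS matters.
# Phase 2 (IPsec SA) keys are normally derived from Phase 1 keying material
# alone; with PFS a fresh Diffie-Hellman exchange is mixed in, so Phase 1
# material that is exposed later no longer reveals the Phase 2 keys.
import hashlib
import hmac
import secrets

# RFC 2409 Group 2 (1024-bit MODP) prime and generator, the wizard's default.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2

def prf(key, data):
    """HMAC-SHA1 pseudo-random function, as IKEv1 uses with SHA-1 hashing."""
    return hmac.new(key, data, hashlib.sha1).digest()

def dh_exchange():
    """One Diffie-Hellman round between two peers; returns the shared secret."""
    a = secrets.randbelow(P - 2) + 1          # peer A's private exponent
    b = secrets.randbelow(P - 2) + 1          # peer B's private exponent
    shared = pow(pow(G, a, P), b, P)          # A computes (g^b)^a mod P
    assert shared == pow(pow(G, b, P), a, P)  # B computes (g^a)^b mod P
    return shared

def phase2_keymat(skeyid_d, spi, nonces, pfs_secret):
    """Quick Mode KEYMAT (RFC 2409 section 5.5), one PRF block.
    Without PFS: prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b)
    With PFS:    prf(SKEYID_d, g(qm)^xy | protocol | SPI | Ni_b | Nr_b)"""
    prefix = b"" if pfs_secret is None else pfs_secret.to_bytes(128, "big")
    return prf(skeyid_d, prefix + b"\x03" + spi + nonces)  # 3 = PROTO_IPSEC_ESP

def recoverable_from_phase1(pfs):
    """True if someone holding SKEYID_d plus everything seen on the wire
    (SPI, nonces, DH public values) can recompute the Phase 2 ESP key."""
    skeyid_d = prf(b"constructed Phase 1 shared secret", b"\x00")
    spi, nonces = secrets.token_bytes(4), secrets.token_bytes(32)
    qm_secret = dh_exchange() if pfs else None   # fresh DH only when PFS is on
    real_key = phase2_keymat(skeyid_d, spi, nonces, qm_secret)
    # SKEYID_d and the wire data are known; the fresh DH exponents are not.
    derived = phase2_keymat(skeyid_d, spi, nonces, None)
    return derived == real_key

if __name__ == "__main__":
    print("PFS off, Phase 2 key recovered:", recoverable_from_phase1(False))
    print("PFS on,  Phase 2 key recovered:", recoverable_from_phase1(True))
```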
Modes
The following table shows the modes in which this feature is available:

Firewall Mode        Security Context
Routed  Transparent  Single  Multiple
                             Context  System
——