Cisco Systems OL-16647-01 Network Router User Manual
Cisco ASDM User Guide, OL-16647-01
Chapter 34: IKE
IKE, also called ISAKMP, is the negotiation protocol that lets two hosts agree on how to build an IPsec
security association. To configure the security appliance for virtual private networks, you set global IKE
parameters that apply system wide, and you also create IKE policies that the peers negotiate to establish
a VPN connection.
IKE Parameters
This panel lets you set system-wide values for VPN connections. The following sections describe each
of the options.
Enabling IKE on Interfaces
You must enable IKE for each interface that you want to use for VPN connections.
Enabling IPsec over NAT-T
NAT-T lets IPsec peers establish both remote access and LAN-to-LAN connections through a NAT
device. It does this by encapsulating IPsec traffic in UDP datagrams, using port 4500, thereby providing
NAT devices with port information. NAT-T auto-detects any NAT devices, and only encapsulates IPsec
traffic when necessary. This feature is disabled by default.
The security appliance can simultaneously support standard IPsec, IPsec over TCP, NAT-T, and
IPsec over UDP, depending on the client with which it is exchanging data.
When both NAT-T and IPsec over UDP are enabled, NAT-T takes precedence.
When enabled, IPsec over TCP takes precedence over all other connection methods.
The security appliance implementation of NAT-T supports IPsec peers behind a single NAT/PAT device
as follows:
One LAN-to-LAN connection.
Either a LAN-to-LAN connection or multiple remote access clients, but not a mixture of both.
To use NAT-T you must:
Open port 4500 on the security appliance.
Enable IPsec over NAT-T globally in this panel.
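Because NAT-T multiplexes IKE, ESP and keepalives on the same UDP port 4500, a monitor watching that port must tell the three apart before it can log anything useful. The classifier below is an added example (not Cisco's code or anything from this guide) that applies the RFC 3948 rules: a one-octet 0xFF is a NAT keepalive, four zero bytes in front of an ISAKMP header mark an IKE message (possible because ESP SPI 0 is reserved), and anything else is UDP-encapsulated ESP. The sample datagrams are constructed inline.

```python
import struct
from typing import Dict

NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948 2.2: prefix for IKE on port 4500
NAT_KEEPALIVE = b"\xff"               # RFC 3948 2.3: single-octet keepalive
ISAKMP_HEADER_LEN = 28                # fixed ISAKMP header (RFC 2408)


def classify_nat_t_payload(payload: bytes) -> Dict[str, object]:
    """Classify the UDP payload of one port-4500 datagram.

    Returns a dict whose 'kind' is 'keepalive', 'ike', 'esp' or 'invalid',
    plus the header fields a monitor would log for that kind.
    """
    if payload == NAT_KEEPALIVE:
        return {"kind": "keepalive"}
    if len(payload) < 8:
        return {"kind": "invalid", "reason": "too short for ESP or IKE"}
    if payload[:4] == NON_ESP_MARKER:
        ike = payload[4:]
        if len(ike) < ISAKMP_HEADER_LEN:
            return {"kind": "invalid", "reason": "truncated ISAKMP header"}
        # initiator SPI, responder SPI, next payload, version, exchange type,
        # flags, message ID, total length
        spi_i, spi_r, _np, version, exch, _flags, _msg_id, length = struct.unpack(
            "!QQBBBBII", ike[:ISAKMP_HEADER_LEN])
        return {"kind": "ike", "initiator_spi": spi_i, "responder_spi": spi_r,
                "major_version": version >> 4, "exchange_type": exch,
                "declared_length": length, "length_ok": length == len(ike)}
    # Otherwise UDP-encapsulated ESP: SPI and sequence number precede ciphertext.
    spi, seq = struct.unpack("!II", payload[:8])
    return {"kind": "esp", "spi": spi, "seq": seq, "encrypted_len": len(payload) - 8}


# Constructed samples (not captured traffic).
SAMPLE_KEEPALIVE = NAT_KEEPALIVE
# IKEv1 main-mode header: next payload 1 (SA), version 1.0, exchange type 2.
SAMPLE_IKE = NON_ESP_MARKER + struct.pack(
    "!QQBBBBII", 0x1122334455667788, 0, 1, 0x10, 2, 0, 0, ISAKMP_HEADER_LEN)
# ESP with SPI 0x12345678, sequence 1 and 16 bytes standing in for ciphertext.
SAMPLE_ESP = struct.pack("!II", 0x12345678, 1) + bytes(range(16))

if __name__ == "__main__":
    for name, pkt in [("keepalive", SAMPLE_KEEPALIVE), ("ike", SAMPLE_IKE), ("esp", SAMPLE_ESP)]:
        print(name, classify_nat_t_payload(pkt))
```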