Cisco Systems OL-16647-01 Network Router User Manual


Cisco ASDM User Guide
OL-16647-01
Chapter 34 IKE
IKE Parameters
Select the second or third option for the Fragmentation Policy parameter in the Configuration >
VPN > IPsec > Pre-Fragmentation panel. These options let traffic travel across NAT devices that
do not support IP fragmentation; they do not impede the operation of NAT devices that do support
IP fragmentation.
Enabling IPsec over TCP
IPsec over TCP enables a VPN client to operate in an environment in which standard ESP or IKE cannot
function, or can function only with modification to existing firewall rules. IPsec over TCP encapsulates
both the IKE and IPsec protocols within a TCP packet, and enables secure tunneling through both NAT
and PAT devices and firewalls. This feature is disabled by default.
Note: This feature does not work with proxy-based firewalls.
IPsec over TCP works with remote access clients. It works on all physical and VLAN interfaces. It is a
client to security appliance feature only. It does not work for LAN-to-LAN connections.
The security appliance can simultaneously support standard IPsec, IPsec over TCP, NAT-Traversal,
and IPsec over UDP, depending on the client with which it is exchanging data.
The VPN 3002 hardware client, which supports one tunnel at a time, can connect using standard
IPsec, IPsec over TCP, NAT-Traversal, or IPsec over UDP.
When enabled, IPsec over TCP takes precedence over all other connection methods.
You enable IPsec over TCP on both the security appliance and the client to which it connects.
You can enable IPsec over TCP for up to 10 ports that you specify. If you enter a well-known port, for
example port 80 (HTTP) or port 443 (HTTPS), the system displays a warning that the protocol associated
with that port will no longer work. The consequence is that you can no longer use a browser to manage
the security appliance through the IKE-enabled interface. To solve this problem, reconfigure the
HTTP/HTTPS management to different ports.
You must configure TCP port(s) on the client as well as on the security appliance. The client
configuration must include at least one of the ports you set for the security appliance.
Determining ID Method
During IKE negotiations the peers must identify themselves to each other. You can choose the
identification methods from the following options:
Address: Uses the IP addresses of the hosts exchanging ISAKMP identity information.
Hostname: Uses the fully-qualified domain name of the hosts exchanging ISAKMP identity
information (default). This name comprises the hostname and the domain name.
Key ID: Uses the string the remote peer uses to look up the preshared key.
Automatic: Determines IKE negotiation by connection type: IP address for preshared key;
Cert DN for certificate authentication.
Disabling Inbound Aggressive Mode Connections
Phase 1 IKE negotiations can use either Main mode or Aggressive mode. Both provide the same services,
but Aggressive mode requires only two exchanges between the peers, rather than three. Aggressive mode
is faster, but does not provide identity protection for the communicating parties. It is therefore necessary
that they exchange identification information prior to establishing a secure SA in which to encrypt
information. This feature is disabled by default.
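The IPsec over TCP port caveat, the ID method choice and the Aggressive Mode setting described in this chapter, shown as an ASA CLI fragment with the weak port choice beside the corrected one. This is an added illustration, not text from the ASDM guide: the crypto isakmp, crypto ipsec and http server enable commands are the ASA 8.0-era CLI equivalents of the ASDM fields (confirm against your release's command reference), and the port numbers, interface name and admin subnet are constructed.

```text
! --- Weak: IPsec over TCP bound to a well-known port ---
! Port 443 is now consumed by IKE on every IKE-enabled interface, so
! HTTPS/ASDM management through "outside" stops working (ASDM warns).
crypto isakmp ipsec-over-tcp port 443
http server enable
http 192.0.2.0 255.255.255.0 outside

! --- Corrected: dedicated high port, management moved off the collision ---
! Up to 10 ports may be listed; the remote-access client must be
! configured with at least one of the same TCP ports (here 10000).
crypto isakmp ipsec-over-tcp port 10000
! HTTPS management relocated to 8443 for the constructed admin subnet
http server enable 8443
http 192.0.2.0 255.255.255.0 outside

! ID method: IP address for preshared keys, cert DN for certificates
crypto isakmp identity auto
! Refuse inbound Aggressive Mode so identities are not sent unprotected
crypto isakmp am-disable

! Pre-fragmentation policy so clients behind NAT devices that drop
! IP fragments can still bring the tunnel up
crypto ipsec fragmentation before-encryption outside
crypto ipsec df-bit clear-df outside
```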