Cisco ASDM User Guide
OL-16647-01
Chapter 34 IKE
IKE Parameters
Alerting Peers Before Disconnecting
Client or LAN-to-LAN sessions may be dropped for several reasons, such as a security appliance shutdown or reboot, session idle timeout, maximum connection time exceeded, or administrator cut-off. The security appliance can notify qualified peers (in LAN-to-LAN configurations), VPN Clients and VPN 3002 Hardware Clients of sessions that are about to be disconnected, and it conveys to them the reason. The peer or client receiving the alert decodes the reason and displays it in the event log or in a pop-up panel. This feature is disabled by default.
This panel lets you enable the feature so that the security appliance sends these alerts and conveys the reason for the disconnect.
Qualified clients and peers include the following:
Security appliance devices with Alerts enabled.
VPN clients running 4.0 or later software (no configuration required).
VPN 3002 hardware clients running 4.0 or later software, and with Alerts enabled.
VPN 3000 Series Concentrators running 4.0 or later software, with Alerts enabled.
Waiting for Active Sessions to Terminate Prior to Reboot
You can schedule a security appliance reboot to occur only when all active sessions have terminated voluntarily. This feature is disabled by default.
Fields
Enable IKE—Shows IKE status for all configured interfaces.
Interface—Displays the names of all configured security appliance interfaces.
IKE Enabled—Shows whether IKE is enabled for each configured interface.
Enable/Disable—Click to enable or disable IKE for the highlighted interface.
NAT Transparency—Lets you enable or disable IPsec over NAT-T and IPsec over TCP.
Enable IPsec over NAT-T—Select to enable IPsec over NAT-T.
NAT Keepalive—Type the number of seconds that can elapse with no traffic before the security appliance terminates the NAT-T session. The default is 20 seconds. The range is 10 to 3600 seconds (one hour).
Enable IPsec over TCP—Select to enable IPsec over TCP.
Enter up to 10 comma-separated TCP port values—Type up to 10 ports on which to enable IPsec over TCP. Use a comma to separate the ports. You do not need to use spaces. The default port is 10,000. The range is 1 to 65,635.
Identity to Be Sent to Peer—Lets you set the way that IPsec peers identify themselves to each other.
Identity—Select one of the following methods by which IPsec peers identify themselves:
Address—Uses the IP addresses of the hosts.
Hostname—Uses the fully qualified domain names of the hosts. This name comprises the hostname and the domain name.
Key ID—Uses the string the remote peer uses to look up the preshared key.
Automatic—Determines IKE negotiation by connection type: IP address for preshared key or cert DN for certificate authentication.
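As an added example that is not part of the ASDM guide, the following is the security appliance command-line configuration that corresponds to the settings described on this panel, written with the crypto isakmp command family. The command names and syntax are my understanding of this ASA release and are assumed here; the interface name outside and the second TCP port 8443 are constructed sample values.

```cisco
! Enable IKE on the interface that terminates the VPN sessions
! (the interface name "outside" is a sample value)
crypto isakmp enable outside

! NAT Transparency: IPsec over NAT-T with a 20-second NAT keepalive
! (range 10 to 3600 seconds; 20 is the default described on the panel)
crypto isakmp nat-traversal 20

! IPsec over TCP on the default port 10000 plus one additional port
! (up to 10 ports may be listed; 8443 is a sample value)
crypto isakmp ipsec-over-tcp port 10000 8443

! Identity to be sent to peer: "auto" selects the IP address for
! preshared-key authentication and the certificate DN for certificates
! (alternatives: address, hostname, key-id <string>)
crypto isakmp identity auto

! Alerting peers before disconnecting (disabled by default)
crypto isakmp disconnect-notify

! Wait for active sessions to terminate before a scheduled reboot
! (disabled by default)
crypto isakmp reload-wait
```

After applying the configuration, show running-config crypto isakmp lists the values in effect, and show crypto isakmp sa lists the peers that have negotiated, which is the quickest way to confirm that NAT-T or IPsec over TCP is actually in use for a given peer rather than merely enabled.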