Cisco ASDM User Guide, OL-16647-01, Chapter 34 (IKE, IPsec), page 34-12
central-site device. A dynamic tunnel policy is useful when the remote access clients have dynamically
assigned IP addresses or when you do not want to configure separate policies for a large number of
remote access clients.
Fields
Interface—Select the interface name to which this policy applies.

Policy Type—Select the type, static or dynamic, of this tunnel policy.

Priority—Enter the priority of the policy.

Transform Set to Be Added—Select the transform set for the policy and click Add to move it to the list of active transform sets. Click Move Up or Move Down to rearrange the order of the transform sets in the list box. You can add a maximum of 11 transform sets to a crypto map entry or a dynamic crypto map entry.

Peer Settings - Optional for Dynamic Crypto Map Entries—Configure the peer settings for the policy.

Connection Type—(Meaningful only for static tunnel policies.) Select bidirectional, originate-only, or answer-only to specify the connection type of this policy. For LAN-to-LAN connections, select bidirectional or answer-only (not originate-only). Select answer-only for LAN-to-LAN redundancy.

IP Address of Peer to Be Added—Enter the IP address of the IPsec peer you are adding.

Enable Perfect Forwarding Secrecy—Check to enable Perfect Forward Secrecy for the policy. PFS is a cryptographic concept where each new key is unrelated to any previous key. In IPsec negotiations, Phase 2 keys are based on Phase 1 keys unless you specify Perfect Forward Secrecy.

Diffie-Hellman Group—When you enable PFS you must also select a Diffie-Hellman group which the security appliance uses to generate session keys. The choices are as follows:

Group 1 (768-bits) = Use Perfect Forward Secrecy, and use Diffie-Hellman Group 1 to generate IPsec session keys, where the prime and generator numbers are 768 bits. This option is more secure but requires more processing overhead.

Group 2 (1024-bits) = Use Perfect Forward Secrecy, and use Diffie-Hellman Group 2 to generate IPsec session keys, where the prime and generator numbers are 1024 bits. This option is more secure than Group 1 but requires more processing overhead.

Group 5 (1536-bits) = Use Perfect Forward Secrecy, and use Diffie-Hellman Group 5 to generate IPsec session keys, where the prime and generator numbers are 1536 bits. This option is more secure than Group 2 but requires more processing overhead.

Group 7 (ECC) = Use Perfect Forward Secrecy, and use Diffie-Hellman Group 7 (ECC) to generate IPsec session keys, where the elliptic curve field size is 163 bits. This option is the fastest and requires the least overhead. It is intended for use with the Movian VPN client, but you can use it with any peers that support Group 7 (ECC).
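The PFS statement above ("Phase 2 keys are based on Phase 1 keys unless you specify Perfect Forward Secrecy") is what RFC 2409 section 5.5 specifies for IKEv1 Quick Mode keying material, and the following added Python model (not from the Cisco guide or ASDM code) shows the difference: without PFS, anyone holding the Phase 1 secret SKEYID_d plus the public Quick Mode payloads can reproduce every Phase 2 key, whereas with PFS each Phase 2 SA mixes in a fresh Diffie-Hellman result. The DH parameters are the Oakley group 2 (1024-bit MODP) values; HMAC-SHA1 as the prf, the ESP protocol id, and the nonces and SPI are constructed sample inputs.

```python
import hmac, hashlib, secrets

# RFC 2409 Oakley group 2: the 1024-bit MODP prime with generator 2
# (the ASDM "Group 2 (1024-bits)" choice); Group 1 is the 768-bit prime.
GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
GROUP2_G = 2

def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf with the SHA-1 hash choice is HMAC-SHA1 (RFC 2409 section 3.2)."""
    return hmac.new(key, data, hashlib.sha1).digest()

def dh_keypair(p: int = GROUP2_P, g: int = GROUP2_G):
    """Fresh ephemeral exponent x and public value g^x mod p."""
    x = secrets.randbelow(p - 2) + 1
    return x, pow(g, x, p)

def dh_shared(peer_pub: int, priv: int, p: int = GROUP2_P) -> bytes:
    """g^xy mod p as a fixed-width byte string, the value RFC 2409 calls g(qm)^xy."""
    return pow(peer_pub, priv, p).to_bytes((p.bit_length() + 7) // 8, "big")

def quick_mode_keymat(skeyid_d, protocol, spi, ni, nr, gxy=b"") -> bytes:
    """RFC 2409 section 5.5: KEYMAT = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b).
    The g(qm)^xy term is present only when PFS was negotiated for this Phase 2 SA."""
    return prf(skeyid_d, gxy + protocol + spi + ni + nr)

def phase2_exchange(skeyid_d: bytes, pfs: bool):
    """One modelled Quick Mode; returns both peers' KEYMAT and the on-the-wire values."""
    protocol, spi = b"\x03", secrets.token_bytes(4)              # 3 = ESP; constructed SPI
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)    # constructed nonces
    wire = dict(protocol=protocol, spi=spi, ni=ni, nr=nr)
    if not pfs:
        k = quick_mode_keymat(skeyid_d, protocol, spi, ni, nr)
        return k, k, wire
    xi, gi = dh_keypair()   # initiator's fresh KE payload for this SA
    xr, gr = dh_keypair()   # responder's fresh KE payload for this SA
    ki = quick_mode_keymat(skeyid_d, protocol, spi, ni, nr, dh_shared(gr, xi))
    kr = quick_mode_keymat(skeyid_d, protocol, spi, ni, nr, dh_shared(gi, xr))
    return ki, kr, wire

def keymat_derivable_from_skeyid_d(skeyid_d: bytes, pfs: bool) -> bool:
    """Do SKEYID_d plus the public Quick Mode payloads (nonces, SPI) suffice to
    reproduce KEYMAT? Without PFS yes; with PFS the ephemeral g(qm)^xy is also needed."""
    ki, kr, w = phase2_exchange(skeyid_d, pfs)
    recomputed = quick_mode_keymat(skeyid_d, w["protocol"], w["spi"], w["ni"], w["nr"])
    return ki == kr and recomputed == ki
```

The peers agree on KEYMAT in both modes; the function returns True only without PFS, which is the exposure the "Enable Perfect Forwarding Secrecy" checkbox removes at the cost of the extra DH computation described for each group above.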
Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context | System)
——