Cisco ASDM User Guide
OL-16647-01
Chapter 35 General
Mapping Certificates to IPSec or SSL VPN Connection Profiles
Crypto Map Entry
In this window, specify crypto parameters for the Connection Profile.
Fields
Priority—A unique priority (1 through 65,535, with 1 the highest priority); this is the crypto map sequence number in the CLI. When IKE negotiation begins, the peer that initiates the negotiation sends all of its policies to the remote peer, and the remote peer searches for a match with its own policies in priority order, so the lowest-numbered matching entry is the one used.
Perfect Forward Secrecy—Ensures that the key for a given IPsec SA is derived from a fresh Diffie-Hellman exchange rather than from any other secret (such as the IKE SA keys or an earlier IPsec SA key). If an attacker recovers one key, PFS ensures that no other key can be derived from it. If you enable PFS, the Diffie-Hellman Group list becomes active.
Diffie-Hellman Group—The Diffie-Hellman group the two IPsec peers use to derive a shared secret without transmitting it to each other. The choices are Group 1 (768-bit MODP), Group 2 (1024-bit MODP), Group 5 (1536-bit MODP), and Group 7 (163-bit elliptic curve). Groups 1 and 2 are too small to resist a well-resourced attacker; choose the largest group that both peers support.
Enable NAT-T— Enables NAT Traversal (NAT-T) for this policy, which lets IPSec peers establish
both remote access and LAN-to-LAN connections through a NAT device.
Enable Reverse Route Injection—Automatically inserts static routes into the routing process for the networks and hosts protected by the remote tunnel endpoint, so that traffic for those destinations is steered into the tunnel.
Security Association Lifetime—Configures the duration of a Security Association (SA). This parameter specifies how the lifetime of the IPsec SA keys is measured, which determines how long the IPsec SA lasts until it expires and must be renegotiated with new keys. Both limits below apply at once; whichever is reached first triggers the rekey.
Time—Specifies the SA lifetime in terms of hours (hh), minutes (mm) and seconds (ss).
Traffic Volume—Defines the SA lifetime in terms of kilobytes of traffic. Enter the number of kilobytes of payload data after which the IPsec SA expires. Minimum is 100 KB, default is 10000 KB, maximum is 2147483647 KB.
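The CLI equivalent of the fields above, shown as an added example that is not taken from this guide: a crypto map entry with PFS off and Group 1 (weak), followed by the same entry hardened with PFS on Group 5, reverse route injection, and explicit SA lifetimes. The map name outside_map, the ACL name, the peer address 203.0.113.10, the protected subnets and the transform-set name are assumptions chosen for illustration; the command syntax is the ASA 8.x syntax that these ASDM fields drive.

```text
! --- Assumed names/addresses for illustration only ---
access-list outside_cryptomap_10 extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

! --- Weak entry: no PFS (IPsec keys derive from IKE SA material), Group 1 in IKE ---
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 1
 lifetime 86400
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set transform-set ESP-AES256-SHA
! (no "set pfs" line: Perfect Forward Secrecy is off)

! --- Hardened entry (same sequence number 10, i.e. the ASDM Priority field) ---
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set transform-set ESP-AES256-SHA
crypto map outside_map 10 set pfs group5
crypto map outside_map 10 set reverse-route
crypto map outside_map 10 set security-association lifetime seconds 28800
crypto map outside_map 10 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
crypto isakmp enable outside
! NAT-T is global on the ASA; the ASDM "Enable NAT-T" checkbox maps to this
! line (and to "set nat-t-disable" on an entry that should opt out).
crypto isakmp nat-traversal 20
```

After applying the hardened version, confirm the negotiated parameters with "show crypto ipsec sa" (look for the PFS group in the SA detail) and "show crypto isakmp sa"; an SA that still reports no PFS means the remote peer's policy did not match the Group 5 proposal and the entry fell through to a weaker match.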
Crypto Map Entry for Static Peer Address
In this window, specify crypto parameters for the Connection Profile when the Peer IP Address is a static
address.
Fields
Priority—A unique priority (1 through 65,535, with 1 the highest priority); this is the crypto map sequence number in the CLI. When IKE negotiation begins, the peer that initiates the negotiation sends all of its policies to the remote peer, and the remote peer searches for a match with its own policies in priority order, so the lowest-numbered matching entry is the one used.
Modes table: Firewall Mode (Routed, Transparent); Security Context (Single, Multiple Context, System). The per-mode support markers did not survive extraction.