Cisco Systems OL-16647-01 Network Router User Manual
35-58
Cisco ASDM User Guide
OL-16647-01
Chapter 35 General
Mapping Certificates to IPSec or SSL VPN Connection Profiles
Perfect Forward Secrecy—Ensures that the key for a given IPSec SA was not derived from any other secret (like some other keys). If someone were to break a key, PFS ensures that the attacker would not be able to derive any other key. If you enable PFS, the Diffie-Hellman Group list becomes active.
Diffie-Hellman Group—An identifier which the two IPSec peers use to derive a shared secret without transmitting it to each other. The choices are Group 1 (768-bits), Group 2 (1024-bits), Group 5 (1536-bits), and Group 7 (ECC).
Enable NAT-T—Enables NAT Traversal (NAT-T) for this policy, which lets IPSec peers establish both remote access and LAN-to-LAN connections through a NAT device.
Enable Reverse Route Injection—Provides the ability for static routes to be automatically inserted into the routing process for those networks and hosts that are protected by a remote tunnel endpoint.
Security Association Lifetime—Configures the duration of a Security Association (SA). This parameter specifies how to measure the lifetime of the IPsec SA keys, which is how long the IPsec SA lasts until it expires and must be renegotiated with new keys.
  Time—Specifies the SA lifetime in terms of hours (hh), minutes (mm) and seconds (ss).
  Traffic Volume—Defines the SA lifetime in terms of kilobytes of traffic. Enter the number of kilobytes of payload data after which the IPsec SA expires. Minimum is 100 KB, default is 10000 KB, maximum is 2147483647 KB.
Static Crypto Map Entry Parameters—Configure these additional parameters when the Peer IP Address is specified as Static:
  Connection Type—Specify the allowed negotiation as bidirectional, answer-only, or originate-only.
  Send ID Cert. Chain—Enables transmission of the entire certificate chain.
  IKE Negotiation Mode—Sets the mode for exchanging key information for setting up the SAs, Main or Aggressive. It also sets the mode that the initiator of the negotiation uses; the responder auto-negotiates. Aggressive Mode is faster, using fewer packets and fewer exchanges, but it does not protect the identity of the communicating parties. Main Mode is slower, using more packets and more exchanges, but it protects the identities of the communicating parties. This mode is more secure and it is the default selection. If you select Aggressive, the Diffie-Hellman Group list becomes active.
  Diffie-Hellman Group—An identifier which the two IPSec peers use to derive a shared secret without transmitting it to each other. The choices are Group 1 (768-bits), Group 2 (1024-bits), Group 5 (1536-bits), and Group 7 (ECC).
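The field descriptions above translate directly into a configuration review: is PFS on, which Diffie-Hellman group was picked, is IKE running in Aggressive Mode, and is the traffic-volume lifetime inside the 100 KB to 2147483647 KB range the guide states. The script below is an added example, not code from the Cisco ASDM guide or from Cisco; it audits a text dump of crypto map entries against exactly those points. The `crypto map NAME SEQ set ...` lines it parses are modeled on ASA CLI syntax, but the exact command forms and the sample configuration are constructed for this illustration and should be treated as assumptions.

```python
"""Audit IPsec crypto map entries against the ASDM field constraints quoted above.

Added example, not part of the Cisco ASDM guide. Input format is an assumed
ASA-style config dump; SAMPLE_CONFIG below is constructed, not captured.
"""
import re

# Traffic-volume SA lifetime limits as stated in the guide (kilobytes).
LIFETIME_KB_MIN = 100
LIFETIME_KB_DEFAULT = 10000
LIFETIME_KB_MAX = 2147483647

# Diffie-Hellman groups offered by the dialog and their sizes.
DH_GROUPS = {1: "768-bit", 2: "1024-bit", 5: "1536-bit", 7: "ECC"}

# Assumed line shape: "crypto map <name> <seq> set <parameter ...>"
CRYPTO_MAP_RE = re.compile(r"^crypto map (\S+) (\d+) set (.+)$")


def parse_crypto_map(config_text):
    """Collect the 'set' parameters of each crypto map entry, keyed by (name, seq)."""
    entries = {}
    for raw in config_text.splitlines():
        m = CRYPTO_MAP_RE.match(raw.strip())
        if not m:
            continue
        entry = entries.setdefault((m.group(1), int(m.group(2))), {})
        words = m.group(3).split()
        if words[0] == "pfs":
            # 'pfs' alone enables PFS; an optional 'groupN' selects the DH group
            entry["pfs"] = True
            entry["pfs_group"] = int(words[1][len("group"):]) if len(words) > 1 else None
        elif words[:2] == ["security-association", "lifetime"] and len(words) == 4:
            entry["lifetime_" + words[2]] = int(words[3])      # seconds or kilobytes
        elif words[0] == "reverse-route":
            entry["reverse_route"] = True                       # Reverse Route Injection
        elif words[0] == "connection-type" and len(words) > 1:
            entry["connection_type"] = words[1]
        elif words[0] == "phase1-mode" and len(words) > 1:
            entry["ike_mode"] = words[1]                        # main or aggressive
            if "group" in words:
                entry["aggressive_group"] = int(words[words.index("group") + 1])
        elif words[0] == "trustpoint" and len(words) > 1:
            entry["send_cert_chain"] = "chain" in words[2:]     # Send ID Cert. Chain
    return entries


def audit_entry(entry):
    """Return (severity, message) findings for one parsed crypto map entry."""
    findings = []
    if not entry.get("pfs"):
        findings.append(("WARN", "PFS disabled: IPsec SA keys derive from the IKE secret, "
                                 "so breaking that secret exposes them"))
    for field in ("pfs_group", "aggressive_group"):
        group = entry.get(field)
        if group is not None and group not in DH_GROUPS:
            findings.append(("ERROR", f"{field}: DH group {group} is not one the dialog offers"))
        elif group == 1:
            findings.append(("WARN", f"{field}: DH group 1 (768-bit) is the weakest group offered"))
    if entry.get("ike_mode") == "aggressive":
        findings.append(("WARN", "IKE Aggressive Mode: fewer exchanges, but peer identities "
                                 "are not protected"))
    kb = entry.get("lifetime_kilobytes")
    if kb is None:
        findings.append(("INFO", f"no traffic-volume lifetime set; guide default of "
                                 f"{LIFETIME_KB_DEFAULT} KB applies"))
    elif not LIFETIME_KB_MIN <= kb <= LIFETIME_KB_MAX:
        findings.append(("ERROR", f"traffic-volume lifetime {kb} KB is outside "
                                  f"{LIFETIME_KB_MIN}..{LIFETIME_KB_MAX} KB"))
    return findings


def audit_crypto_map(config_text):
    """Audit every crypto map entry found in config_text."""
    return {key: audit_entry(e) for key, e in parse_crypto_map(config_text).items()}


# Constructed sample: entry 10 is a sound LAN-to-LAN policy, entry 20 is a weak one.
SAMPLE_CONFIG = """
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set pfs group2
crypto map OUTSIDE_MAP 10 set security-association lifetime seconds 28800
crypto map OUTSIDE_MAP 10 set security-association lifetime kilobytes 4608000
crypto map OUTSIDE_MAP 10 set reverse-route
crypto map OUTSIDE_MAP 20 set peer 198.51.100.7
crypto map OUTSIDE_MAP 20 set phase1-mode aggressive group 1
crypto map OUTSIDE_MAP 20 set security-association lifetime kilobytes 50
crypto map OUTSIDE_MAP 20 set connection-type originate-only
"""

if __name__ == "__main__":
    for (name, seq), findings in sorted(audit_crypto_map(SAMPLE_CONFIG).items()):
        print(f"crypto map {name} {seq}: {len(findings)} finding(s)")
        for severity, message in findings:
            print(f"  [{severity}] {message}")
```

On the sample, entry 10 produces no findings, while entry 20 is flagged for missing PFS, Diffie-Hellman Group 1, Aggressive Mode, and a 50 KB lifetime below the 100 KB minimum. Extending the parser to other ASA commands (for example the ISAKMP policy lines) is a matter of adding branches, but keep the severity tied to what the guide actually says about each choice.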
Managing CA Certificates
Clicking Manage under IKE Peer Authentication opens the Manage CA Certificates window. Use this
window to view, add, edit, and delete entries on the list of CA certificates available for IKE peer
authentication.
The Manage CA Certificates window lists information about currently configured certificates, including
information about whom the certificate was issued to, who issued the certificate, when the certificate
expires, and usage data.
Fields
Add or Edit—Opens the Install Certificate window or the Edit Certificate window, which let you
specify information about and install a certificate.