35-56
Cisco ASDM User Guide
OL-16647-01
Chapter 35 General
Mapping Certificates to IPSec or SSL VPN Connection Profiles
Adding or Editing a Site-to-Site Tunnel Group
The Add or Edit IPSec Site-to-Site Tunnel Group dialog box lets you specify attributes for the IPSec
site-to-site connection that you are adding. In addition, you can select IKE peer and user authentication
parameters, configure IKE keepalive monitoring, and select the default group policy.
Fields
• Name—Specifies the name assigned to this tunnel group. For the Edit function, this field is
display-only.
• IKE Authentication—Specifies the pre-shared key and Identity certificate parameters to use when
authenticating an IKE peer.
–
Pre-shared Key—Specify the value of the pre-shared key for the tunnel group. The maximum
length of the pre-shared key is 128 characters.
–
Identity Certificate—Specifies the name of the ID certificate to use for authentication, if
available.
–
Manage—Opens the Manage Identity Certificates window, on which you can see the certificates
that are already configured, add new certificates, show details for a certificate, and edit or delete
a certificate.
–
IKE Peer ID Validation—Specifies whether to check IKE peer ID validation. The default is
Required.
• IKE Keepalive ——Enables and configures IKE keepalive monitoring. You can select only one of
the following attributes.
–
Disable Keep Alives—Enables or disables IKE keep alives.
–
Monitor Keep Alives—Enables or disables IKE keep alive monitoring. Selecting this option
makes available the Confidence Interval and Retry Interval fields.
–
Confidence Interval—Specifies the IKE keep alive confidence interval. This is the number of
seconds the security appliance should allow a peer to idle before beginning keepalive
monitoring. The minimum is 10 seconds; the maximum is 300 seconds. The default for a remote
access group is 10 seconds.
–
Retry Interval—Specifies number of seconds to wait between IKE keep alive retries. The default
is 2 seconds.
–
Head end will never initiate keepalive monitoring—Specifies that the central-site security
appliance never initiates keepalive monitoring.
• Default Group Policy—Select the group policy and client protocols that you want to use as the
default for this connection. A VPN group policy is a collection of user-oriented attribute-value pairs
that can be stored internally on the device or externally on a RADIUS server. IPSec connections and
user accounts refer to the group-policy information.
–
Group Policy—Lists the currently configured group policies. The default value is
DfltGrpPolicy.
–
Manage—Opens the Configure Group Policies window, on which you can view the configured
group policies and add, edit, or delete group policies from the list.
–
IPSec Protocol—Enables or disables the IPSec protocol for use by this group policy.
Modes
The following table shows the modes in which this feature is available:
