User Guide for Cisco Security Manager 4.4, OL-28826-01, page 25-24
Chapter 25 Configuring IKE and IPsec Policies
Understanding IPsec Proposals
Reverse Route
Supported on ASA devices, PIX 7.0+ devices, and Cisco IOS routers except 7600 devices.
Reverse Route Injection (RRI) enables static routes to be automatically inserted into the routing process for those networks and hosts protected by a remote tunnel endpoint. For more information, see Understanding Reverse Route Injection, page 25-20.
Select one of the following options to configure RRI on the crypto map:
None—Disables the configuration of RRI on the crypto map.
Standard—(ASA, PIX 7.0+, IOS devices) Creates routes based on the destination information defined in the crypto map access control list (ACL). This is the default option.
Remote Peer—(IOS devices only) Creates two routes, one for the remote endpoint and one for route recursion to the remote endpoint via the interface to which the crypto map is applied.
Remote Peer IP—(IOS devices only) Specifies an address as the explicit next hop to the remote VPN device. Enter the IP address or a network/host object that specifies the address, or click Select to select the network/host object from a list or to create a new object.
Note If you use network/host objects, you can select the Allow Value Override per Device option in the object to override the IP address, if required, for specific devices that use this object.
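The device-side configuration that the three RRI options above map to, as an added example that is not taken from this guide or generated by Security Manager. The crypto map name VPNMAP, ACL name VPN-ACL, transform set TS, interface, and all addresses are assumed; the command forms are the standard IOS `reverse-route` and ASA `set reverse-route` syntax, which you should confirm for your software release with `?` before deploying.

```cisco
! --- Cisco IOS router (assumed names and addresses; example only) ---
! Keep the crypto ACL limited to the protected networks. RRI derives its
! routes from these destinations, so an over-broad ACL injects over-broad routes.
ip access-list extended VPN-ACL
 permit ip 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255

crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS
 match address VPN-ACL
 ! Standard (the default): injects 10.20.0.0/16 with the peer as next hop
 reverse-route
 ! Remote Peer: additionally injects a host route for 203.0.113.10 via the
 ! interface that carries the crypto map, so the ACL route recurses through it
 ! reverse-route remote-peer
 ! Remote Peer IP: ACL-derived routes use this explicit next hop instead
 ! reverse-route remote-peer 203.0.113.1

interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.0
 crypto map VPNMAP

! --- Cisco ASA (only the Standard option exists; no remote-peer variants) ---
access-list VPN-ACL extended permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0
crypto map outside_map 10 match address VPN-ACL
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set ikev1 transform-set TS
crypto map outside_map 10 set reverse-route
crypto map outside_map interface outside

! Verify that the routes were actually injected (they show as static routes)
! IOS: show ip route static
! ASA: show route | include 10.20.0.0
```

If the router redistributes static routes into an IGP, the injected routes propagate to the rest of the network, which is the point of RRI but also the reason the crypto ACL must not contain wider destinations than the remote site really owns.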
ESPv3 Settings (ASA 9.0.1+ only)
Specify whether incoming ICMP error messages are validated for crypto and dynamic crypto maps, set the per-security-association do-not-fragment (DF) policy, or enable Traffic Flow Confidentiality (TFC) dummy packets:
Validate Incoming ICMP error messages
Whether to validate those ICMP error messages received through an IPsec tunnel and destined for an interior host on the private network.
Enable Do Not Fragment (DF) Policy
Define how the IPsec subsystem handles large packets that have the do-not-fragment (DF) bit set in the IP header. The policy applies per security association. Choose one of the following:
Set—Sets and uses the DF bit on the outer (encapsulating) header, so the encrypted packet is never fragmented in transit.
Copy—Maintains the DF bit by copying it from the inner packet to the outer header, preserving the sender's own fragmentation choice.
Clear—Ignores the DF bit by clearing it on the outer header, so oversized encrypted packets can be fragmented in transit.
Enable Traffic Flow Confidentiality (TFC) Packets
Enable dummy TFC packets that mask the traffic profile which traverses the tunnel.
Note You must have an IKEv2 IPsec proposal set on the Tunnel Policy (Crypto Map) Basic tab before enabling TFC. Traffic Flow Confidentiality is not available when IKEv1 is enabled.
Use the Burst, Payload Size, and Timeout parameters to generate random-length packets at random intervals across the specified SA.
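The ASA CLI equivalents of the three ESPv3 settings above, as an added example that is not from this guide or generated by Security Manager. The crypto map name outside_map, sequence number 10, ACL name VPN-ACL, proposal name AES-GCM and the peer address are assumed; the `set validate-icmp-errors`, `set df-bit` and `set tfc-packets` forms are given as I recall them for ASA 9.x and should be confirmed against the command reference for your release.

```cisco
! The tunnel policy must carry an IKEv2 IPsec proposal; TFC cannot be
! enabled on an IKEv1 crypto map entry (assumed 9.0.1+ proposal syntax)
crypto ipsec ikev2 ipsec-proposal AES-GCM
 protocol esp encryption aes-gcm-256
 protocol esp integrity null
crypto map outside_map 10 match address VPN-ACL
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set ikev2 ipsec-proposal AES-GCM

! Validate Incoming ICMP error messages: an ICMP error that arrives through
! the tunnel is forwarded to the interior host only if the inner packet it
! quotes is consistent with the SA, so forged "fragmentation needed" or
! "unreachable" messages are dropped instead of reaching the private network.
crypto map outside_map 10 set validate-icmp-errors

! DF policy, per SA. copy-df mirrors the inner packet's DF bit on the outer
! header so path-MTU discovery keeps working; set-df forbids fragmentation
! outright, clear-df permits it for oversized encrypted packets.
crypto map outside_map 10 set df-bit copy-df

! TFC dummy packets: random-length padding traffic at random intervals so the
! observable ciphertext volume does not track the real traffic profile.
! "auto" lets the ASA choose burst length, payload size and timeout; explicit
! values can be given instead for each keyword.
crypto map outside_map 10 set tfc-packets burst auto payload-size auto timeout auto

crypto map outside_map interface outside

! Verify the per-SA settings after the tunnel comes up
! show running-config crypto map
! show crypto ipsec sa detail
```

Choose the DF policy with the path in mind: copy-df is the usual default because it keeps the sender responsible for sizing, clear-df hides MTU problems at the cost of fragmentation (and reassembly load on the far ASA), and set-df only makes sense when every hop on the outer path is known to carry the full tunnel MTU.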
Table 25-3 IPsec Proposal Page, Site-to-Site VPNs (except Easy VPN) (Continued)
Element Description