Cisco Systems CL-28826-01 Security Camera User Manual


25-31
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 25 Configuring IKE and IPsec Policies
Configuring VPN Global Settings
Navigation Path
For remote access VPNs, do one of the following:
- (Device View) Select Remote Access VPN > Global Settings from the Policy selector. Click the ISAKMP/IPsec Settings tab.
- (Policy View) Select Remote Access VPN > Global Settings from the Policy Type selector. Select an existing policy or create a new one, then click the ISAKMP/IPsec Settings tab.
For site-to-site VPNs, do one of the following:
- Open the Site-to-Site VPN Manager Window, page 24-18, select a topology in the VPNs selector, then select VPN Global Settings in the Policies selector. Click the ISAKMP/IPsec Settings tab.
- (Policy view) Select Site-to-Site VPN > VPN Global Settings from the Policy Types selector. Select an existing shared policy or create a new one, then click the ISAKMP/IPsec Settings tab.
Related Topics
Configuring VPN Global Settings, page 25-29
Understanding IKE, page 25-5
Understanding IPsec Proposals, page 25-17
Field Reference
Table 25-5 VPN Global Settings Page, ISAKMP/IPsec Settings Tab
Element Description
ISAKMP Settings
Enable Keepalive: Whether to configure dead-peer detection (DPD) settings. If the peer fails to respond, a new tunnel is constructed on the assumption that the peer is no longer available. IKE keepalive is defined on the spokes in a hub-and-spoke VPN topology, on both devices in a point-to-point VPN topology, or in remote access VPN configurations.
Configure the following options:
- Interval—The number of seconds the peer can be idle before beginning keepalive monitoring. The range is 10-3600 seconds. The default is 10, although the ASA device default for remote access groups is 300.
- Retry—The interval in seconds between retries after a keepalive response has not been received. The range is 2-10 seconds for ASA, 2-60 for IOS devices. The default is 2 seconds.
- Periodic—(Routers running IOS Software version 12.3(7)T and later, except 7600 devices.) Whether to send DPD keepalive messages at regular intervals regardless of IPsec traffic. This changes how the interval value is used.
- Infinite—(ASA only.) Whether to ignore the interval and retry settings and allow the peer to be idle indefinitely.
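
An offline check of device configuration text against the keepalive ranges in this table, as an added example that is not part of the Cisco guide. The CLI line forms it parses, the function name audit_dpd and the sample configurations are assumptions of this example; the guide does not show the commands Security Manager generates.

```python
import re

# Ranges in seconds, as stated in the field reference above.
INTERVAL_RANGE = (10, 3600)
RETRY_RANGE = {"asa": (2, 10), "ios": (2, 60)}

# Assumed CLI line forms (not shown in the guide):
#   IOS: crypto isakmp keepalive <interval> [<retry>] [periodic|on-demand]
#   ASA: isakmp keepalive threshold <interval>|infinite [retry <retry>]
#        isakmp keepalive disable
LINE_RE = {
    "ios": re.compile(r"^\s*crypto isakmp keepalive (\d+)(?: (\d+))?(?: (?:periodic|on-demand))?\s*$"),
    "asa": re.compile(r"^\s*isakmp keepalive (?:disable|threshold (infinite|\d+)(?: retry (\d+))?)\s*$"),
}

# Constructed sample configurations (documentation addresses, not real devices).
IOS_SAMPLE = "crypto isakmp keepalive 10 2 periodic\n"
ASA_SAMPLE = (
    "tunnel-group 192.0.2.1 ipsec-attributes\n"
    " isakmp keepalive threshold infinite\n"
    "tunnel-group 192.0.2.2 ipsec-attributes\n"
    " isakmp keepalive threshold 300 retry 15\n"
)

def _in_range(name, value, bounds):
    lo, hi = bounds
    return [] if lo <= value <= hi else [f"{name} {value}s outside {lo}-{hi}s"]

def audit_dpd(platform, config):
    """Return findings for the DPD keepalive lines in one device's config text."""
    findings, seen = [], False
    for line in config.splitlines():
        m = LINE_RE[platform].match(line)
        if not m:
            continue
        seen = True
        interval, retry = m.groups()
        if interval is None:          # ASA "isakmp keepalive disable"
            findings.append("keepalive disabled: dead peers are not detected")
        elif interval == "infinite":  # ASA only: interval and retry are ignored
            findings.append("infinite: peer may stay idle indefinitely")
        else:
            findings += _in_range("interval", int(interval), INTERVAL_RANGE)
            if retry is not None:
                findings += _in_range("retry", int(retry), RETRY_RANGE[platform])
    if not seen:
        findings.append("no explicit keepalive line: device default applies")
    return findings
```

Call audit_dpd("asa", text) or audit_dpd("ios", text) once per device configuration; an empty list means every keepalive line found is within the documented ranges.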