Cisco Systems CL-28826-01 Security Camera User Manual


User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 25 Configuring IKE and IPsec Policies
Configuring VPN Global Settings
Table 25-5 VPN Global Settings Page, ISAKMP/IPsec Settings Tab (Continued)

Element: Description

Identity:
  During Phase I IKE negotiations, peers must identify themselves to each other. Select one of the following:
  - Address—Use the IP address of the host exchanging ISAKMP identity information. This is the default.
  - Hostname—Use the fully-qualified domain name of the host exchanging ISAKMP identity information.
  - Auto/DN—Use automatic selection or distinguished name based on device type:
    - Distinguished Name (IOS devices only)—Use a distinguished name (DN) to identify a user group name.
    - Auto (ASA devices only)—Determine ISAKMP negotiation by connection type; IP address for preshared key or certificate distinguished name for certificate authentication.

SA Requests System Limit:
  Supported on routers running Cisco IOS Software Release 12.3(8)T and later, except 7600 routers.
  The maximum number of SA requests allowed before IKE starts rejecting them, from 0 to 99999. The number must equal or exceed the number of peers, or the VPN tunnels might be disconnected.

SA Requests System Threshold:
  Supported on Cisco IOS routers and Catalyst 6500/7600 devices.
  The percentage of system resources that can be used before IKE starts rejecting new SA requests. The default is 75 percent.

Enable Aggressive Mode (Site to site VPNs only.):
  Supported on ASA devices and PIX 7.0+ devices.
  When selected, enables you to use aggressive mode in ISAKMP negotiations. Aggressive mode is enabled by default.

IPsec Settings

Enable Lifetime:
  Select to enable you to configure the global lifetime settings for the crypto IPsec security associations (SAs) on the devices in your site-to-site or remote access VPN. Configure the following:
  - Lifetime (secs)—The number of seconds a security association will exist before expiring. The default is 3,600 seconds (1 hour).
  - Lifetime (kbytes)—The volume of traffic (in kilobytes) that can pass between IPsec peers using a given security association before it expires. The default is 4,608,000 kilobytes.
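
The constraints in this table can be checked mechanically before a policy is deployed. The following Python code is an added example, not part of the Cisco guide or of Security Manager; the setting keys, the 'ios'/'asa' device labels and the sample values are hypothetical, and it assumes an SA expires at whichever of the two lifetimes is reached first.

```python
# Added example: audit VPN global settings against the constraints in Table 25-5.
# The dict keys and device labels are hypothetical, not a Security Manager export format.
DEFAULT_LIFETIME_SECS = 3600         # table default
DEFAULT_LIFETIME_KBYTES = 4_608_000  # table default

def rekey_trigger(kbytes_per_sec, secs=DEFAULT_LIFETIME_SECS, kbytes=DEFAULT_LIFETIME_KBYTES):
    """Return (lifetime that expires first, seconds until then) at a steady traffic rate.

    Assumption (not stated on this page): the SA expires at whichever
    lifetime is reached first.
    """
    if kbytes_per_sec <= 0:
        return ("time", float(secs))
    by_volume = kbytes / kbytes_per_sec
    return ("volume", by_volume) if by_volume < secs else ("time", float(secs))

def audit(settings, device, peer_count):
    """Return a list of findings; device is 'ios' or 'asa' (hypothetical labels)."""
    findings = []
    identity = settings.get("identity", "address")  # Address is the default
    if identity == "dn" and device != "ios":
        findings.append("identity 'dn' applies to IOS devices only")
    if identity == "auto" and device != "asa":
        findings.append("identity 'auto' applies to ASA devices only")

    # The limit must be 0-99999 and must equal or exceed the number of peers.
    limit = settings.get("sa_request_limit")
    if limit is not None:
        if not 0 <= limit <= 99999:
            findings.append("sa_request_limit outside 0-99999")
        elif limit < peer_count:
            findings.append(f"sa_request_limit {limit} is below peer count {peer_count}")

    # Aggressive mode is on by default on ASA / PIX 7.0+, so unset counts as enabled.
    if device == "asa" and settings.get("aggressive_mode", True):
        findings.append("aggressive mode enabled; confirm it is required")
    return findings

# Constructed sample input, not taken from a real device.
SAMPLE = {"identity": "auto", "sa_request_limit": 20}

if __name__ == "__main__":
    for finding in audit(SAMPLE, "ios", 25):
        print("FINDING:", finding)
    print(rekey_trigger(2560))
```

With the default lifetimes, the volume limit becomes the rekey trigger only when sustained traffic on one SA exceeds 1,280 kilobytes per second.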