Filter
Top Products
25-33
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 25 Configuring IKE and IPsec Policies
Configuring VPN Global Settings
Xauth Timeout Supported on Cisco IOS routers and Catalyst 6500/7600 devices in
remote access VPN and Easy VPN topologies only.
The number of seconds the device will wait for a system response to the
Xauth challenge.
When negotiating tunnel parameters for establishing IPsec tunnels in a
remote access or Easy VPN configuration, Xauth adds another level of
authentication that identifies the user who requests the IPsec
connection. Using the Xauth feature, the client waits for a
username/password (Xauth) challenge after the IKE SA has been
established. When the end user responds to the challenge, the response
is forwarded to the IPsec peers for an additional level of authentication.
Max Sessions Supported on ASA devices and PIX 7.0+ devices.
The maximum number of security associations (SAs) that can be
enabled simultaneously on the device. The maximum number differs
based on device model. For ASA devices, the limits are:
• 5505—10 sessions.
• 5510—250 sessions.
• 5520—750 sessions.
• 5540, 5550, 5585-X with SSP-10—5000 sessions.
• 5580, 5585-X (other models)—10000 sessions.
Enable IPsec via Sysopt Supported on ASA devices, and PIX Firewalls versions 6.3 or 7.0+.
Whether to bypass the access rules defined on the VPN interface for
VPN traffic.
By default, the device allows VPN traffic to terminate on an interface;
you do not need to allow IKE or ESP (or other types of VPN packets)
in an interface access list. By default, you also do not need an interface
access list for local IP addresses of decrypted VPN packets. Because
the VPN tunnel was terminated successfully using VPN security
mechanisms, this feature simplifies configuration and maximizes the
device performance without any security risks. (Group policy and
per-user authorization access lists still apply to the traffic.)
If you deselect this option, the interface access rules are also applied to
VPN traffic. The access list applies to the local IP address and not to
the original client IP address used before the VPN packet was
decrypted. The command applied is no sysopt connection permit-vpn.
Table 25-5 VPN Global Settings Page, ISAKMP/IPsec Settings Tab (Continued)
Element Description