User Guide for Cisco Security Manager 4.4, OL-28826-01, page 25-42
Chapter 25 Configuring IKE and IPsec Policies: Configuring VPN Global Settings
Table 25-8 VPN Global Settings Page, General Settings Tab (Continued)

Element / Description

DF Bit
    Supported on Cisco IOS routers, Catalyst 6500/7600 devices, PIX 7.0+ and ASA devices.
    A Do Not Fragment (DF) bit within an IP header determines whether a device is allowed to fragment a packet. Select how to handle the DF bit:
    Copy—Copy the DF bit from the encapsulated header in the current packet to all the device’s packets. If the packet’s DF bit is set to fragment, all future packets are fragmented. This is the default option.
    Set—Set the DF bit in the packet you are sending. A large packet that exceeds the MTU is dropped and an ICMP message is sent to the packet’s initiator.
    Clear—Fragment packets regardless of the original DF bit setting.
    If ICMP is blocked, MTU discovery fails and packets are fragmented only after encryption.

Enable Fragmentation Before Encryption
    Supported on Cisco IOS routers, Catalyst 6500/7600 devices, PIX 7.0+ and ASA devices.
    When selected, enables fragmentation to occur before encryption if the expected packet size exceeds the MTU.
    Look-ahead fragmentation (LAF) is used before encryption takes place to calculate the packet size that would result after encryption, depending on the transform sets configured on the IPsec SA. If the packet size exceeds the specified MTU, the packet is fragmented before encryption.

Enable Notification on Disconnection
    Supported on ASA and PIX 7.0+ devices.
    When selected, enables the device to notify qualified peers of sessions that are about to be disconnected. The peer receiving the alert decodes the reason and displays it in the event log or in a pop-up window. This feature is disabled by default.
    IPsec sessions might be dropped for several reasons, such as a security appliance shutdown or reboot, session idle timeout, maximum connection time exceeded, or administrator cut-off.

Enable Split Tunneling
    (Site-to-site VPN only.)
    When selected (the default), enables you to configure split tunneling in your site-to-site VPN topology.
    Split tunneling allows you to transmit both secured and unsecured traffic on the same interface. Split tunneling requires that you specify exactly which traffic will be secured and what the destination of that traffic is, so that only the specified traffic enters the IPsec tunnel, while the rest is transmitted unencrypted across the public network.

Enable Spoke-to-Spoke Connectivity through the Hub
    Supported on ASA and PIX 7.0+ devices.
    When selected, enables direct communication between spokes in a hub-and-spoke VPN topology in which the hub is an ASA or PIX 7.0+ device.
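The DF Bit and Enable Fragmentation Before Encryption settings decide together what happens to a cleartext packet that will not fit the MTU once ESP-encapsulated. The following added example (not code from the Cisco guide or from Security Manager) models the look-ahead size calculation and the resulting outcome for one packet; the ESP framing sizes follow RFC 4303, while the transform table, the function names and the rule that Clear mode also permits pre-fragmentation of DF-marked packets are assumptions made here.

```python
import math

# ESP tunnel-mode overhead per transform set (RFC 4303 framing): cipher IV
# length, padding block size and truncated ICV length. Constructed for this
# example; add rows for the transform sets your IPsec SA actually uses.
TRANSFORMS = {
    "esp-aes-sha1": {"iv": 16, "block": 16, "icv": 12},    # AES-CBC, HMAC-SHA1-96
    "esp-aes-sha256": {"iv": 16, "block": 16, "icv": 16},  # AES-CBC, HMAC-SHA256-128
    "esp-3des-sha1": {"iv": 8, "block": 8, "icv": 12},     # 3DES-CBC, HMAC-SHA1-96
}
IP_HDR, ESP_HDR, ESP_TRAILER, NAT_T_UDP = 20, 8, 2, 8  # outer IPv4, SPI+seq, pad len+next, UDP

def esp_tunnel_size(inner_len, transform, nat_t=False):
    """Look-ahead size of an IPv4 packet after ESP tunnel-mode encapsulation."""
    t = TRANSFORMS[transform]
    padded = math.ceil((inner_len + ESP_TRAILER) / t["block"]) * t["block"]
    return IP_HDR + ESP_HDR + t["iv"] + padded + t["icv"] + (NAT_T_UDP if nat_t else 0)

def max_inner_len(mtu, transform, nat_t=False):
    """Largest cleartext packet whose encrypted form still fits the MTU."""
    n = mtu
    while n > IP_HDR and esp_tunnel_size(n, transform, nat_t) > mtu:
        n -= 1
    return n

def plan(inner_len, inner_df, mtu, transform, df_mode="copy", laf=False, nat_t=False):
    """Decide the fate of one cleartext packet under the table's DF and LAF settings."""
    predicted = esp_tunnel_size(inner_len, transform, nat_t)
    # DF Bit element: outer-header DF is copied from the inner packet, forced on, or forced off.
    outer_df = {"copy": inner_df, "set": True, "clear": False}[df_mode]
    result = {"predicted": predicted, "outer_df": outer_df, "fragments": 1}
    if predicted <= mtu:
        result["action"] = "encrypt"
    elif laf and (not inner_df or df_mode == "clear"):
        # Fragmentation Before Encryption: split the cleartext so every piece still fits
        # after encryption. Each inner fragment carries its own 20-byte IP header and,
        # except the last, a multiple of 8 data bytes. Assumption: Clear mode also allows
        # this for DF-marked packets ("regardless of the original DF bit setting").
        cap = ((max_inner_len(mtu, transform, nat_t) - IP_HDR) // 8) * 8
        result["fragments"] = math.ceil((inner_len - IP_HDR) / cap)
        result["action"] = "fragment_before_encryption"
    elif outer_df:
        # Set (or Copy with DF on): the oversized packet is dropped and the initiator gets
        # ICMP "fragmentation needed". If ICMP is filtered on the path, PMTUD stalls here.
        result["action"] = "drop_icmp_frag_needed"
    else:
        # Clear (or Copy with DF off): encrypt first, then fragment the ESP packet.
        result["action"] = "fragment_after_encryption"
    return result
```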