Cisco Systems CL-28826-01 Security Camera User Manual


User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 27 Easy VPN
Configuring an IPsec Proposal for Easy VPN
Field Reference
Table 27-3 Easy VPN IPsec Proposal Tab

Element: IKEv1 Transform Sets
Description: The transform sets to be used for your tunnel policy. Transform sets
specify which authentication and encryption algorithms will be used to
secure the traffic in the tunnel. You can select up to 11 transform sets.
For more information, see Understanding Transform Sets, page 25-19.
Transform sets may use only tunnel mode IPsec operation.
If more than one of your selected transform sets is supported by both
peers, the transform set that provides the highest security will be used.
Click Select to select the IPsec transform set policy objects to use in the
topology. If the required object is not yet defined, you can click the
Create (+) button beneath the available objects list in the selection
dialog box to create a new one. For more information, see Configuring
IPSec IKEv1 or IKEv2 Transform Set Policy Objects, page 25-25.

Element: Reverse Route
Description: Supported on ASA 5500 series devices, PIX 7.0+ devices, and Cisco
IOS routers except 7600 devices.
Reverse Route Injection (RRI) enables static routes to be automatically
inserted into the routing process for those networks and hosts protected
by a remote tunnel endpoint. For more information, see Understanding
Reverse Route Injection, page 25-20.
Select one of the following options to configure RRI on the crypto map:
- None—Disables the configuration of RRI on the crypto map.
- Standard—(ASA, PIX 7.0+, IOS devices) Creates routes based on
  the destination information defined in the crypto map access
  control list (ACL). This is the default option.
- Remote Peer—(IOS devices only) Creates two routes, one for the
  remote endpoint and one for route recursion to the remote endpoint
  via the interface to which the crypto map is applied.
- Remote Peer IP—(IOS devices only) Specifies an address as the
  explicit next hop to the remote VPN device. Enter the IP address or
  a network/host object that specifies the address, or click Select to
  select the network/host object from a list or to create a new object.
Note: If you use network/host objects, you can select the Allow Value
Override per Device option in the object to override the IP
address, if required, for specific devices that use this object.

Element: Enable Network Address Translation Traversal
Description: Supported on PIX 7.0+ and ASA 5500 series devices.
Whether to allow Network Address Translation (NAT) traversal.
Use NAT traversal when a device between a VPN-connected hub and
spoke performs Network Address Translation (NAT) on the IPsec
traffic. For information about NAT traversal, see
Understanding NAT in VPNs, page 25-37.