Cisco Systems CL-28826-01 Security Camera User Manual


User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 28 Group Encrypted Transport (GET) VPNs
Configuring Global Settings for GET VPN
Table 28-2 Global Settings for GET VPN
Element: Enable Keepalive (Key Servers Only)
Description: Whether to enable dead peer detection (DPD) keepalive messages between key servers. If there is more than one key server (cooperative key servers), you should enable periodic keepalive so the servers know each other’s status and can elect a new primary server when necessary. Configure the following settings:
  - Interval—When you also select Periodic, the number of seconds between DPD messages. If you do not select Periodic, it is the number of seconds during which traffic is not received from the peer before DPD retry messages are sent. The range is from 10 to 3600 seconds.
  - Retry—The number of seconds between DPD retry messages if the DPD retry message is missed by the peer; the range is from 2 to 60 seconds. The default DPD retry message is sent every 2 seconds. Five aggressive DPD retry messages can be missed before the key server is marked as down.
  - Periodic—Whether to send DPD messages at regular intervals (regardless of traffic received from the other key servers). For GET VPN, you should select Periodic.

Element: Identity
Description: During Phase I IKE negotiations, peers must identify themselves to each other. Select the ISAKMP identity to use:
  - Address—(Default) The IP address of the interface that participates in IKE negotiations. Use the address if only one interface participates in negotiations, and its IP address is known (static).
  - Hostname—The fully-qualified host name (for example, router1.example.com).
  - Distinguished Name

Element: SA Requests System Limit
Description: The maximum number of SA requests allowed before IKE starts rejecting them. The specified value must equal or exceed the number of peers, or the VPN tunnels might be disconnected. You can enter a value in the range of 0-99999.

Element: SA Requests System Threshold
Description: The percentage of system resources that can be used before IKE starts rejecting new SA requests. The default is 75 percent.