29-11
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 29 Managing Remote Access VPNs: The Basics
Overview of Remote Access VPN Policies
You can match the group from the DN rules, the Organizational Unit (OU) field, the IKE identity, or the peer IP address. You can use any or all of these methods. For more information, see Configuring Certificate to Connection Profile Map Policies (ASA), page 30-29.
IKE Proposal—Internet Key Exchange (IKE), which runs on the ISAKMP framework and is often referred to by that name, is the negotiation protocol that enables two hosts to agree on how to build an IPsec security association. IKE is used to authenticate IPsec peers, to negotiate and distribute IPsec encryption keys, and to establish IPsec security associations (SAs) automatically. Use the IKE Proposal policy to define the requirements for phase 1 of the IKE negotiation: the encryption and hash algorithms, the authentication method, the Diffie-Hellman group and the SA lifetime that the device offers its peers. For more information, see Configuring an IKE Proposal, page 25-9.
IPsec Proposal (ASA/PIX 7.x)—An IPsec proposal is a collection of one or more crypto maps. A crypto map combines all the components required to set up IPsec security associations (SAs), including IPsec rules, transform sets (the ESP or AH encryption and integrity algorithms), remote peers, and other parameters that might be necessary to define an IPsec SA. The policy is used for IKE phase 2 negotiations. For more information, see Configuring an IPsec Proposal on a Remote Access VPN Server (ASA, PIX 7.0+ Devices), page 30-33.
IPsec Proposal (IOS/PIX 6.x)—As for ASA and PIX 7.x devices, an IPsec proposal is a collection of one or more crypto maps, each combining the IPsec rules, transform sets, remote peers, and other parameters required to define an IPsec SA, and the policy is used for IKE phase 2 negotiations. For more information, see Configuring an IPsec Proposal on a Remote Access VPN Server (IOS, PIX 6.3 Devices), page 32-3.
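The IKE Proposal and IPsec Proposal policies above are deployed to an ASA as "crypto ikev1 policy" blocks (phase 1) and "crypto ipsec ikev1 transform-set" lines (phase 2). The following is an added example, not code from this guide or from Cisco: it parses those lines out of a running-config and flags algorithm choices that should no longer be offered to remote access peers. The config text is constructed for the example, and the sets of "weak" algorithms and Diffie-Hellman groups are this example's own assumptions rather than Cisco guidance.

```python
"""Audit phase-1 IKE policies and phase-2 transform sets in an ASA running-config.

Added example, not code from the Cisco Security Manager guide. It parses the
ASA CLI that an IKE Proposal policy ("crypto ikev1 policy ...") and an IPsec
Proposal policy ("crypto ipsec ikev1 transform-set ...") are deployed as, and
flags algorithms that should no longer be offered to remote access peers.
"""
import re
from dataclasses import dataclass, field

# Assumed thresholds (this example's choice, not Cisco's): single DES, 3DES
# and NULL encryption, MD5 integrity, and DH groups of 1536 bits or less.
WEAK_ENCRYPTION = {"des", "3des", "esp-des", "esp-3des", "esp-null"}
WEAK_HASH = {"md5", "esp-md5-hmac"}
WEAK_DH_GROUPS = {"1", "2", "5"}


@dataclass
class IkePolicy:
    """One 'crypto ikev1 policy <priority>' block and its sub-commands."""
    priority: int
    attrs: dict = field(default_factory=dict)


def parse_asa_crypto(config: str):
    """Return (ike_policies, transform_sets) found in an ASA config text."""
    ike_policies = []
    transform_sets = {}
    current = None  # the IkePolicy whose indented sub-commands we are reading
    for raw in config.splitlines():
        line = raw.rstrip()
        # 'crypto isakmp policy' is the pre-8.4 spelling of the same command.
        m = re.match(r"crypto (?:ikev1|isakmp) policy (\d+)$", line)
        if m:
            current = IkePolicy(int(m.group(1)))
            ike_policies.append(current)
            continue
        m = re.match(r"crypto ipsec (?:ikev1 )?transform-set (\S+) (.+)$", line)
        if m and not m.group(2).startswith("mode "):
            # The tail is the algorithm list, e.g. 'esp-aes-256 esp-sha-hmac';
            # a 'mode transport' line for the same set is deliberately ignored.
            transform_sets[m.group(1)] = m.group(2).split()
            current = None
            continue
        if line.startswith(" ") and current is not None:
            key, _, value = line.strip().partition(" ")
            current.attrs[key] = value  # e.g. encryption -> 'aes-256'
        elif not line.startswith(" "):
            current = None  # any other top-level command ends the block
    return ike_policies, transform_sets


def audit_asa_crypto(config: str) -> list:
    """Return one finding per weak algorithm choice, in config order."""
    findings = []
    policies, transform_sets = parse_asa_crypto(config)
    for p in policies:
        where = f"ikev1 policy {p.priority}"
        enc = p.attrs.get("encryption")
        if enc in WEAK_ENCRYPTION:
            findings.append(f"{where}: encryption {enc} is weak")
        # IKEv1 on the ASA offers only 'sha' (SHA-1) or 'md5'; stronger
        # integrity algorithms require an IKEv2 policy, so only md5 is flagged.
        if p.attrs.get("hash") in WEAK_HASH:
            findings.append(f"{where}: hash md5 is weak")
        grp = p.attrs.get("group")
        if grp in WEAK_DH_GROUPS:
            findings.append(f"{where}: DH group {grp} is weak")
    for name, algs in transform_sets.items():
        for alg in algs:
            if alg in WEAK_ENCRYPTION or alg in WEAK_HASH:
                findings.append(f"transform-set {name}: {alg} is weak")
    return findings


# Constructed sample running-config fragment (not captured from a real device).
SAMPLE_CONFIG = """\
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES256-SHA mode transport
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
"""

if __name__ == "__main__":
    for finding in audit_asa_crypto(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the script reports policy 10 (3DES, DH group 2) and the ESP-3DES-SHA transform set, and stays silent on policy 20 and ESP-AES256-SHA. Because the ASA offers every configured policy in priority order, a single weak policy left in the list is still negotiable by a client that proposes it, which is why the audit reports every policy rather than only the first.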
High Availability (IOS/PIX 6.3)—High Availability (HA) is supported by the creation of an HA group made up of two or more hub devices that use the Hot Standby Router Protocol (HSRP) to provide transparent, automatic device failover. For more information, see Configuring High Availability in Remote Access VPNs (IOS), page 32-11.
User Groups (IOS/PIX 6.x)—A user group policy specifies the attributes that determine user access to and use of the VPN. For more information, see Configuring User Group Policies, page 32-13.
Policies used in remote access IKEv2 IPsec and SSL VPNs only:
Access (ASA only)—An Access policy specifies the security appliance interfaces on which a remote access SSL or IKEv2 IPsec VPN connection profile can be enabled, the port to be used for the connection profile, Datagram Transport Layer Security (DTLS) settings, the SSL VPN session timeout, and the maximum number of sessions. You can also specify whether to use the AnyConnect VPN Client or the AnyConnect Essentials Client. For more information, see Understanding SSL VPN Access Policies (ASA), page 30-36.
Other Settings (ASA only)—The SSL VPN Other Settings policy defines settings that include caching, content rewriting, character encoding, proxy and proxy bypass definitions, browser plug-ins, AnyConnect client images and profiles, Kerberos Constrained Delegation, and some other advanced settings. For more information, see Configuring Other SSL VPN Settings (ASA), page 30-41.
Shared License (ASA only)—Use the SSL VPN Shared License policy to configure shared licensing, in which one ASA acts as the shared licensing server and other ASAs participate by drawing SSL VPN sessions from the shared pool. For more information, see Configuring SSL VPN Shared Licenses (ASA 8.2+), page 30-62.
SSL VPN (IOS devices only)—The SSL VPN policy table lists all of the contexts that define the virtual configurations of the SSL VPN. Each context has a gateway, a domain or virtual hostname, and user group policies. For more information, see Configuring an SSL VPN Policy (IOS), page 32-14.