29-25
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 29 Managing Remote Access VPNs: The Basics
Using the Remote Access VPN Configuration Wizard
Specify the pools as address ranges or network/host objects that contain address ranges, in the
format Start_Address-End_Address, for example, 10.100.10.2-10.100.10.254. Click Select to select
network/host objects or to create new objects.
Step 7 On the Connection Profile page, configure the AAA options for authentication, authorization, and
accounting, which will later appear on the AAA tab of the connection profile (see AAA Tab (Connection
Profiles), page 30-11).
Step 8 Click Next to move to the IPsec Settings page.
Step 9 On the IPSec Settings page, configure the options for IPSec, which will later appear on the IPSec tab of
the connection profile (see IPSec Tab (Connection Profiles), page 30-16). Note that some of these
settings apply to IKEv1 only.
• Preshared Key, Confirm—Enter the IKEv1 preshared key for the tunnel group in each field. The
maximum length of a preshared key is 127 characters.
You cannot configure a preshared key for remote access IKEv2 IPsec VPNs.
• Trustpoint Name—Enter the name of the PKI enrollment policy object that defines the trustpoint
name, if any trustpoints are configured, for an IKEv1 connection. A trustpoint represents a
Certificate Authority (CA)/identity pair and contains the identity of the CA, CA-specific
configuration parameters, and an association with one enrolled identity certificate. Click Select to
select the object from a list or to create a new object.
For IKEv2, the trustpoint name is not configured here, but on the IKEv2 Settings tab of the Global
Settings policy. The configuration is explained later in this procedure.
• The other options (other than the client table) apply to both IKEv1 and IKEv2. Change the settings
if you need non-default behavior. For an explanation of the options, including the client software
update table, see Remote Access VPN Configuration Wizard—IPSec Settings Page (ASA),
page 29-28.
Step 10 Click Next to move to the VPN Defaults page.
Step 11 On the Defaults page, select the additional shared policies that you want to assign to the VPN. Initially,
the policies listed are those chosen on the Security Manager Administration VPN Defaults page.
For more information about selecting these policies, see Remote Access VPN Configuration
Wizard—Defaults Page, page 29-30.
Step 12 Click Finish to save your changes.
Because the wizard does not configure all possible options, inspect the policies created and configure
any additional options that you want to implement.
The remaining steps are required if you selected IKE version 2 as a supported IKE version, or if you
specified an IPsec trustpoint.
Step 13 (IKEv2 Optional.) Configure group aliases and double authentication if required:
a. Select the Connection Profiles policy.
b. Select the connection profile you configured in the wizard, and click the Edit Row (pencil) button
to open the Connection Profiles dialog box.
• If you want to configure double authentication, select the Secondary AAA tab and configure the
required settings. For more information, see Secondary AAA Tab (Connection Profiles),
page 30-14.
• If you want to configure aliases for the profile, which helps users select the correct profile
during login, select the SSL tab and configure the alias table. For more information, see SSL
Tab (Connection Profiles), page 30-18.
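
The following pre-flight check is an added example, not part of the Cisco guide or of Security Manager: it validates values before you type them into the wizard, using the Start_Address-End_Address pool format from the address pool step and the preshared key rules from Step 9. The function names, the IPv4-only handling, and the overlap check between pools are assumptions made for this illustration.

```python
import ipaddress

MAX_PSK_LEN = 127  # IKEv1 preshared key limit stated in Step 9

def parse_pool(text):
    """Parse 'Start_Address-End_Address' into a (start, end) IPv4 pair."""
    start_s, sep, end_s = text.strip().partition("-")
    if not sep:
        raise ValueError(f"{text!r}: expected Start_Address-End_Address")
    start = ipaddress.IPv4Address(start_s.strip())
    end = ipaddress.IPv4Address(end_s.strip())
    if start > end:
        raise ValueError(f"{text!r}: start address is higher than end address")
    return start, end

def check_pools(pools):
    """Return problems found in a list of pool strings (bad syntax, overlaps)."""
    problems, parsed = [], []
    for text in pools:
        try:
            parsed.append((parse_pool(text), text))
        except ValueError as exc:  # also covers ipaddress.AddressValueError
            problems.append(str(exc))
    parsed.sort(key=lambda item: item[0])
    reach = None  # (end, text) of the range reaching furthest so far
    for (start, end), text in parsed:
        if reach and start <= reach[0]:
            problems.append(f"{text} overlaps {reach[1]}")
        if reach is None or end > reach[0]:
            reach = (end, text)
    return problems

def check_psk(psk, confirm, ike_versions):
    """Return problems with the Preshared Key / Confirm fields; never echoes the key."""
    problems = []
    if psk != confirm:
        problems.append("Preshared Key and Confirm do not match")
    if len(psk) > MAX_PSK_LEN:
        problems.append(f"preshared key is {len(psk)} characters; maximum is {MAX_PSK_LEN}")
    if psk and "ikev1" not in ike_versions:
        problems.append("preshared key given but IKEv1 is not enabled; IKEv2 cannot use one")
    return problems

if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    pools = ["10.100.10.2-10.100.10.254", "10.100.10.200-10.100.11.10", "10.100.12.9-10.100.12.1"]
    for problem in check_pools(pools) + check_psk("x" * 128, "x" * 128, {"ikev2"}):
        print("PROBLEM:", problem)
```
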