30-35
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 30 Managing Remote Access VPNs on ASA and PIX 7.0+ Devices
Working with IPSec VPN Policies
IKEv1 Transform Sets
IKEv2 Transform Sets
The transform sets to use for your tunnel policy. Transform sets specify
which authentication and encryption algorithms will be used to secure
the traffic in the tunnel. The transform sets are different for each IKE
version; select objects for each supported version. You can select up to
11 transform sets for each. For more information, see Understanding
Transform Sets, page 25-19.
If more than one of your selected transform sets is supported by both
peers, the transform set that provides the highest security will be used.
Click Select to select the IPsec transform set policy objects to use in the
topology. If the required object is not yet defined, you can click the
Create (+) button beneath the available objects list in the selection
dialog box to create a new one. For more information, see Configuring
IPSec IKEv1 or IKEv2 Transform Set Policy Objects, page 25-25.
Reverse Route Injection Reverse Route Injection (RRI) enables static routes to be automatically
inserted into the routing process for those networks and hosts protected
by a remote tunnel endpoint. For more information, see Understanding
Reverse Route Injection, page 25-20.
Select one of the following options to configure RRI on the crypto map:
• None—Disables the configuration of RRI on the crypto map.
• Standard—Creates routes based on the destination information
defined in the crypto map access control list (ACL). This is the
default option.
Enable Network Address
Translation Traversal
Whether to allow Network Address Translation traversal (NAT-T).
Use NAT traversal when there is a device between a VPN-connected
hub and spoke that performs Network Address Translation (NAT) on
the IPsec traffic. For information about NAT traversal, see
Understanding NAT in VPNs, page 25-37
ESPv3 Settings (ASA 9.0.1+ only)
Specify whether incoming ICMP error messages are validated for cryptography and dynamic
cryptography maps, set the per-security association policy, or enable traffic flow packets:
Validate Incoming ICMP
error messages
Whether to validate those ICMP error messages received through an
IPsec tunnel and destined for an interior host on the private network.
Enable Do Not Fragment
(DF) Policy
Define how the IPsec subsystem handles large packets that have the
do-not-fragment (DF) bit set in the IP header. Choose one of the
following:
• Set—Sets and uses the DF bit.
• Copy—Maintains the DF bit.
• Clear—Ignores the DF bit.
Table 30-15 IPsec Proposal Editor, ASA and PIX 7.0+ Devices) (Continued)
Element Description