30-36
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 30 Managing Remote Access VPNs on ASA and PIX 7.0+ Devices
Working with SSL and IKEv2 IPSec VPN Policies
Certain policies need to be configured for SSL VPNs. These policies are also used with remote access
IKEv2 IPSec VPNs. The topics listed below explain these remote access VPN policies.
This section contains the following topics:
Understanding SSL VPN Access Policies (ASA), page 30-36
Configuring Other SSL VPN Settings (ASA), page 30-41
Configuring SSL VPN Shared Licenses (ASA 8.2+), page 30-62
Understanding SSL VPN Access Policies (ASA)
An Access policy specifies the security appliance interfaces on which a remote access SSL or IKEv2
IPsec VPN connection profile can be enabled, the port to be used for the connection profile, Datagram
Transport Layer Security (DTLS) settings, the SSL VPN session timeout and maximum number of
sessions. You can also specify whether to use the AnyConnect VPN Client or AnyConnect Essentials
Client.
For more information about the AnyConnect VPN Client, see Understanding SSL VPN AnyConnect
Client Settings, page 30-52. The remainder of this topic explains DTLS and AnyConnect Essentials in
more detail.
Datagram Transport Layer Security (DTLS)
Enabling Datagram Transport Layer Security (DTLS) allows the AnyConnect client establishing an SSL
VPN connection to use two simultaneous tunnels: an SSL (TLS over TCP) tunnel and a DTLS (TLS over UDP)
tunnel. Carrying tunneled traffic over UDP avoids the latency and bandwidth problems that a TCP-based
SSL tunnel causes for TCP traffic inside it, and improves the performance of real-time applications that
are sensitive to packet delays. By default, DTLS is enabled when SSL VPN access is enabled on an
interface. If you disable DTLS, SSL VPN connections use an SSL tunnel only.
Note In order for DTLS to fall back to a TLS connection, you must specify a fallback trustpoint. If you do not
specify a fallback trustpoint and the DTLS connection experiences a problem, the connection terminates
instead of falling back to a TLS-only connection.
Table 30-15 IPsec Proposal Editor, ASA and PIX 7.0+ Devices (Continued)
Element: Enable Traffic Flow Confidentiality (TFC) Packets
Description: Enable dummy TFC packets that mask the traffic profile which traverses the tunnel.
Note You must have an IKEv2 IPsec proposal set on the Tunnel Policy (Crypto Map) Basic tab before
enabling TFC. Traffic Flow Confidentiality is not available when IKEv1 is enabled.
Use the Burst, Payload Size, and Timeout parameters to generate random-length packets at random
intervals across the specified SA.
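The following ASA CLI fragment is an added example, not text from this guide or configuration generated by Security Manager, showing what the Access policy settings above (DTLS on or off, fallback trustpoint) and the TFC row of Table 30-15 correspond to on the device. The interface name, trustpoint name, AnyConnect package path, crypto map names and TFC values are assumptions chosen for illustration.

```text
! Assumed identity certificate trustpoint ASA_ID_CERT (enrolled elsewhere).
! The global form with no interface is the fallback trustpoint that the Note
! above requires for a DTLS session to drop back to TLS instead of terminating.
ssl trust-point ASA_ID_CERT
ssl trust-point ASA_ID_CERT outside

webvpn
 ! Enable SSL VPN on the outside interface; DTLS is on by default.
 enable outside
 dtls port 443
 ! Assumed package name and path.
 anyconnect image disk0:/anyconnect-win-3.1.05152-k9.pkg 1
 anyconnect enable

! Same interface with DTLS disabled (the "disable DTLS" case in the text):
! the client is limited to a single TLS tunnel.
! webvpn
!  enable outside tls-only

! Traffic Flow Confidentiality for an IKEv2 remote access tunnel. TFC requires
! an IKEv2 IPsec proposal on the same crypto map entry and is not available
! with IKEv1, as the Note in Table 30-15 states. Burst, payload size and
! timeout values are assumed.
crypto ipsec ikev2 ipsec-proposal AES256-SHA
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto dynamic-map RA_DYN 10 set ikev2 ipsec-proposal AES256-SHA
crypto dynamic-map RA_DYN 10 set tfc-packets burst 10 payload-size 64 timeout 30
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic RA_DYN
crypto map OUTSIDE_MAP interface outside
```

When checking a deployed device, compare the running configuration against the policy: a missing global `ssl trust-point` line means DTLS problems end the session rather than falling back, and `enable <interface> tls-only` means DTLS is off for that interface even if the Access policy shows it enabled.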