Cisco Systems CL-28826-01 Security Camera User Manual


User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 32 Managing Remote Access VPNs on IOS and PIX 6.3 Devices
Overview of Remote Access VPN Policies for IOS and PIX 6.3 Devices
When you configure remote access VPNs on IOS or PIX 6.3 devices, you use the following policies
based on the type of VPN you are configuring. Note that you cannot configure SSL VPNs on PIX 6.3
devices.

Policies used with both IPsec and SSL remote access VPNs:

- Global Settings—You can define global settings that apply to all devices in your remote access VPNs. These settings include Internet Key Exchange (IKE), IPsec, NAT, and fragmentation definitions. The global settings typically have defaults that work in most situations, so configuring the Global Settings policy is optional; configure it only if you need non-default behavior. For more information, see Configuring VPN Global Settings, page 25-29.

- Public Key Infrastructure—You can create a Public Key Infrastructure (PKI) policy to generate enrollment requests for CA certificates and RSA keys, and to manage keys and certificates. Certification Authority (CA) servers are used to manage these certificate requests and issue certificates to users who connect to your IPsec or SSL remote access VPN. For more information, see Understanding Public Key Infrastructure Policies, page 25-47 and Configuring Public Key Infrastructure Policies for Remote Access VPNs, page 25-52.

Policies used in remote access IPsec VPNs only:

- IKE Proposal—Internet Key Exchange (IKE), also called ISAKMP, is the negotiation protocol that enables two hosts to agree on how to build an IPsec security association. IKE is used to authenticate IPsec peers, to negotiate and distribute IPsec encryption keys, and to automatically establish IPsec security associations (SAs). Use the IKE Proposal policy to define the requirements for phase 1 of the IKE negotiation. For more information, see Configuring an IKE Proposal, page 25-9.

- IPsec Proposal (IOS/PIX 6.x)—An IPsec proposal is a collection of one or more crypto maps. A crypto map combines all the components required to set up IPsec security associations (SAs), including IPsec rules, transform sets, remote peers, and other parameters that might be necessary to define an IPsec SA. The policy is used for IKE phase 2 negotiations. For more information, see Configuring an IPsec Proposal on a Remote Access VPN Server (IOS, PIX 6.3 Devices), page 32-3.

- High Availability—High Availability (HA) is supported by the creation of an HA group made up of two or more hub devices that use Hot Standby Routing Protocol (HSRP) to provide transparent, automatic device failover. For more information, see Configuring High Availability in Remote Access VPNs (IOS), page 32-11.

- User Groups (IOS/PIX 6.x)—A user group policy specifies the attributes that determine user access to and use of the VPN. For more information, see Configuring User Group Policies, page 32-13.

Policies used in remote access SSL VPNs only:

- SSL VPN—The SSL VPN policy table lists all of the contexts that define the virtual configurations of the SSL VPN. Each context has a gateway, domain or virtual hostname, and user group policies. For more information, see Configuring an SSL VPN Policy (IOS), page 32-14.