Cisco ASA 1000V ASDM Configuration Guide, 6.7
General VPN Setup

Table Of Contents

General VPN Setup

Default Tunnel Gateway

Group Policies

Configuring External Group Policies

Adding an LDAP or RADIUS Server to an External Group Policy

Configuring Site-to-Site Internal Group Policies

Assigning Connection Profiles to Group Policies

Site-to-Site Connection Profiles

Add/Edit Site-to-Site Connection

Adding or Editing a Site-to-Site Tunnel Group

Crypto Map Entry

Crypto Map Entry for Static Peer Address

Configuring Tunnel Group for Site-to-Site VPN

System Options


General VPN Setup


A virtual private network (VPN) is a network of virtual circuits that carry private traffic over a public network such as the Internet. VPNs can connect two or more LANs, or remote users to a LAN. VPNs provide privacy and security by requiring all peers or users to authenticate and by encrypting all data traffic.

This chapter includes the following sections:

Default Tunnel Gateway

Group Policies

Site-to-Site Connection Profiles

System Options

Default Tunnel Gateway

To configure the default tunnel gateway, click the Static Route link. The Configuration > Device Setup > Routing > Static Route dialog box opens. A default tunnel gateway is a default route that applies only to traffic arriving from VPN tunnels (select the Tunneled option when you add the static route): decrypted traffic that matches no more specific route is forwarded to that gateway instead of to the ordinary default gateway, which keeps VPN traffic from being routed by the same default route as untrusted traffic.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode            Security Context
Routed | Transparent     Single | Multiple (Context | System)


Group Policies

The Group Policies pane lets you manage VPN group policies. A VPN group policy is a collection of user-oriented attribute/value pairs stored either internally on the device or externally on a RADIUS or LDAP server. Configuring the VPN group policy lets users inherit attributes that you have not configured at the individual group or username level. By default, VPN users have no group policy association. The group policy information is used by VPN tunnel groups and user accounts.

The "child" panes and dialog boxes let you configure the group parameters, including those for the default group. The default group parameters are those that are most likely to be common across all groups and users, and they streamline the configuration task. Groups can "inherit" parameters from this default group, and users can "inherit" parameters from their group or the default group. You can override these parameters as you configure groups and users.
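The inheritance chain just described, as an added example by the editor (not ASDM or ASA code): a small resolver that walks from a user record to its group policy to DfltGrpPolicy, treating an unchecked Inherit box as an explicit value and a checked one as "ask the next level up". The attribute names and the three sample policies (DfltGrpPolicy, L2L_POLICY, branch-peer) are constructed for illustration.

```python
"""Resolve the effective value of a VPN attribute through the inheritance
chain described above: user record -> group policy -> DfltGrpPolicy.
Added example by the editor, not ASDM or ASA code. The attribute names
and the three sample policies are constructed for illustration."""
from dataclasses import dataclass
from typing import Any, Dict, Optional

INHERIT = object()   # sentinel standing for a checked "Inherit" box


@dataclass
class Policy:
    name: str
    attrs: Dict[str, Any]              # attribute -> value, or INHERIT
    parent: Optional["Policy"] = None  # the level this one inherits from


def effective(policy: Policy, attr: str) -> Any:
    """Walk up the chain until some level sets the attribute explicitly.
    An attribute absent from a level is treated as Inherit, which is the
    ASDM default for every attribute."""
    node = policy
    while node is not None:
        value = node.attrs.get(attr, INHERIT)
        if value is not INHERIT:
            return value
        node = node.parent
    raise KeyError(f"{attr!r} is not set at any level above {policy.name}")


def effective_all(policy: Policy) -> Dict[str, Any]:
    """Effective value of every attribute set explicitly somewhere in the chain."""
    names = set()
    node = policy
    while node is not None:
        names.update(k for k, v in node.attrs.items() if v is not INHERIT)
        node = node.parent
    return {n: effective(policy, n) for n in sorted(names)}


# Constructed sample hierarchy. Note that an explicit None ("no filter")
# on DfltGrpPolicy is a value, not Inherit, so it stops the walk.
DFLT = Policy("DfltGrpPolicy", {
    "vpn-tunnel-protocol": ("ikev1", "ikev2"),
    "vpn-idle-timeout": 30,          # minutes; the default the page states
    "vpn-filter": None,              # no access list applied
})
L2L = Policy("L2L_POLICY", {
    "vpn-tunnel-protocol": ("ikev2",),   # overrides the default
    "vpn-idle-timeout": INHERIT,
    "vpn-filter": INHERIT,
}, parent=DFLT)
BRANCH_USER = Policy("branch-peer", {
    "vpn-idle-timeout": "unlimited",     # user-level override of the group
}, parent=L2L)
```

The distinction the resolver makes between "set to nothing" and "Inherit" is the one that matters when auditing a policy: a filter that is explicitly empty at a lower level silently discards whatever the default group policy applies.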


Note You can only configure group policies on the ASA 1000V in ASDM mode.


You can configure either an internal or an external group policy. An internal group policy is stored locally, and an external group policy is stored externally on a RADIUS or LDAP server. Clicking Add or Edit opens a similar dialog box in which you create a new group policy or modify an existing one.

In these dialog boxes, you configure the following kinds of parameters:

Tunneling protocols: IPsec IKEv1 or IPsec IKEv2.

Access Control Rules

Idle Timeout

Before configuring these parameters, you should configure:

Access hours.

Rules and filters.

IPsec Security Associations.

Network lists for filtering and split tunneling

User authentication servers, and specifically the internal authentication server.

You can configure group policies for these different types of VPN connections:

Configuring External Group Policies

Configuring Site-to-Site Internal Group Policies

Group Policy Pane Fields

Lists the currently configured group policies and Add, Edit, and Delete buttons to help you manage VPN group policies.

Add—Offers a drop-down menu on which you can select whether to add an internal or an external group policy. If you simply click Add, then by default, you create an internal group policy. Clicking Add opens the Add Internal Group Policy dialog box or the Add External Group Policy dialog box, which let you add a new group policy to the list. This dialog box includes three menu sections. Click each menu item to display its parameters. As you move from item to item, ASDM retains your settings. When you have finished setting parameters on all menu sections, click Apply or Cancel.

Edit—Displays the Edit Group Policy dialog box, which lets you modify an existing group policy.

Delete—Lets you remove a group policy from the list. There is no confirmation or undo.

Assign—Lets you assign a group policy to one or more connection profiles. A connection profile can be assigned to only one group policy.

Name—Lists the name of the currently configured group policies.

Type—Lists the type of each currently configured group policy.

Tunneling Protocol—Lists the tunneling protocol that each currently configured group policy uses.

Connection Profiles/Users Assigned to—Lists the connection profiles and users configured directly on the ASA that are associated with this group policy.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode            Security Context
Routed | Transparent     Single | Multiple (Context | System)


Configuring External Group Policies

An external group policy points the ASA to the RADIUS or LDAP server to retrieve much of the policy information that would otherwise be configured in an internal group policy.

External group policies take their attribute values from the external server that you specify. For an external group policy, you must identify the RADIUS or LDAP server group that the ASA 1000V can query for attributes and specify the password to use when retrieving attributes from that server group. If you use an external authentication server and the group policy attributes live in the same RADIUS server as the users you plan to authenticate, make sure that no group policy name matches a user name.


Note External group names on the ASA 1000V refer to user names on the RADIUS server. In other words, if you configure external group X on the ASA 1000V, the RADIUS server sees the query as an authentication request for user X, authenticated with the password you enter for the group policy. So external groups are really just user accounts on the RADIUS server that have special meaning to the ASA 1000V, and a user who can log in as X would receive that group's attributes.


The ASA 1000V supports user authorization on an external LDAP or RADIUS server. Before you configure the ASA 1000V to use an external server, you must configure the server with the correct ASA 1000V authorization attributes and, from a subset of these attributes, assign specific permissions to individual users. Follow the instructions in "Configuring an External Server for Authorization and Authentication" to configure your external server.


Note You can only configure group policies on the ASA 1000V in ASDM mode.


Fields

Name—Identifies the group policy to be added or changed. For Edit External Group Policy, this field is display-only.

Server Group—Lists the available server groups to which to apply this policy.

New—Allows you create a new RADIUS server group or a new LDAP server group. Either of these options opens the Add AAA Server Group dialog box.

Password—Specifies the password the ASA 1000V presents to the server group when it retrieves this group policy's attributes (for RADIUS, the password of the user account that represents the group, as described in the note above).

Modes

The following table shows the modes in which this feature is available:

Firewall Mode            Security Context
Routed | Transparent     Single | Multiple (Context | System)


Adding an LDAP or RADIUS Server to an External Group Policy

The Add AAA Server Group dialog box lets you configure a new AAA server group. The Accounting Mode attribute applies only to RADIUS and TACACS+ protocols.

Fields

AAA Server Group—Specifies the name of the server group.

Protocol—(Display only) Indicates whether this is a RADIUS or an LDAP server group.

Accounting Mode (RADIUS)—Indicates whether to use simultaneous or single accounting mode. In single mode, the ASA 1000V sends accounting data to only one server. In simultaneous mode, it sends accounting data to all servers in the group.

Reactivation Mode (LDAP)—Specifies the method by which failed servers are reactivated: Depletion or Timed reactivation mode. In Depletion mode, failed servers are reactivated only after all of the servers in the group become inactive. In Timed mode, failed servers are reactivated after 30 seconds of down time.

Dead Time—Specifies, for depletion mode, the number of minutes (0 through 1440) that must elapse between the disabling of the last server in the group and the subsequent re-enabling of all servers. The default value is 10 minutes. This field is not available for timed mode.

Max Failed Attempts— Specifies the number (an integer in the range 1 through 5) of failed connection attempts allowed before declaring a nonresponsive server inactive. The default value is 3 attempts.
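To show how the Reactivation Mode, Dead Time and Max Failed Attempts fields interact, here is an added simulation written by the editor (not ASA code) of a two-server group under both modes. The server names and the sequence of reachable/unreachable outcomes are constructed inputs; the 30-second Timed reactivation and the value ranges are the ones stated above.

```python
"""Simulate how a AAA server group marks servers inactive and brings them
back under the two reactivation modes described above. Added example by
the editor, not ASA code; server names and the reachability of each server
at each instant are constructed inputs."""
from dataclasses import dataclass
from typing import Dict, List, Optional

TIMED_REACTIVATION_SECONDS = 30   # Timed mode: back after 30 s of down time


@dataclass
class Server:
    name: str
    failures: int = 0                 # consecutive failed attempts
    active: bool = True
    down_since: Optional[float] = None


@dataclass
class ServerGroup:
    servers: List[Server]             # tried in configured order
    mode: str = "depletion"           # Reactivation Mode: depletion | timed
    dead_time_minutes: int = 10       # Dead Time, depletion mode only
    max_failed_attempts: int = 3      # Max Failed Attempts
    depleted_at: Optional[float] = None

    def __post_init__(self) -> None:
        if self.mode not in ("depletion", "timed"):
            raise ValueError("mode must be depletion or timed")
        if not 0 <= self.dead_time_minutes <= 1440:
            raise ValueError("dead time must be 0..1440 minutes")
        if not 1 <= self.max_failed_attempts <= 5:
            raise ValueError("max failed attempts must be 1..5")

    def _reactivate(self, now: float) -> None:
        """Apply the reactivation rule before each request."""
        if self.mode == "timed":
            for s in self.servers:
                if not s.active and now - s.down_since >= TIMED_REACTIVATION_SECONDS:
                    s.active, s.failures, s.down_since = True, 0, None
        elif (self.depleted_at is not None
              and now - self.depleted_at >= self.dead_time_minutes * 60):
            for s in self.servers:                # all come back together
                s.active, s.failures, s.down_since = True, 0, None
            self.depleted_at = None

    def query(self, now: float, reachable: Dict[str, bool]) -> Optional[str]:
        """Try active servers in order; return the one that answered, or None.
        `reachable` says whether each server would answer at this instant."""
        self._reactivate(now)
        for s in self.servers:
            if not s.active:
                continue
            if reachable.get(s.name, False):
                s.failures = 0
                return s.name
            s.failures += 1
            if s.failures >= self.max_failed_attempts:
                s.active, s.down_since = False, now
                if not any(x.active for x in self.servers):
                    self.depleted_at = now         # depletion: start Dead Time
        return None


def depletion_scenario() -> List[Optional[str]]:
    """Two RADIUS servers, Dead Time 1 minute: the first dies, then the second;
    nothing answers until Dead Time elapses and the whole group is reactivated."""
    group = ServerGroup([Server("radius-a"), Server("radius-b")],
                        mode="depletion", dead_time_minutes=1, max_failed_attempts=3)
    results = []
    for t in range(0, 4):      # radius-a down, radius-b answering
        results.append(group.query(t, {"radius-a": False, "radius-b": True}))
    for t in range(4, 8):      # both down; group depleted at t=6
        results.append(group.query(t, {"radius-a": False, "radius-b": False}))
    results.append(group.query(66, {"radius-a": True, "radius-b": False}))
    return results


def timed_scenario() -> List[Optional[str]]:
    """Two LDAP servers in Timed mode: a failed server returns after 30 s
    regardless of the others' state."""
    group = ServerGroup([Server("ldap-a"), Server("ldap-b")],
                        mode="timed", max_failed_attempts=1)
    return [
        group.query(0, {"ldap-a": False, "ldap-b": True}),    # ldap-a marked inactive
        group.query(10, {"ldap-a": True, "ldap-b": True}),    # still inactive
        group.query(30, {"ldap-a": True, "ldap-b": True}),    # reactivated
    ]
```

The depletion run is the case to keep in mind when sizing Dead Time: once every server has been marked inactive, VPN peers that depend on this group get no authorization at all until the full Dead Time has elapsed, even if a server recovered a second after depletion.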

Configuring Site-to-Site Internal Group Policies

The Add or Edit Group Policy dialog box lets you specify tunneling protocols, filters, connection settings, and servers for the group policy being added or modified. For each of the fields in this dialog box, checking the Inherit check box lets the corresponding setting take its value from the default group policy. Inherit is the default value for all of the attributes on this dialog box.


Note You can only configure group policies on the ASA 1000V in ASDM mode.


Fields

The following attributes appear in the Add Internal Group Policy > General dialog box. The dialog box is shared with remote access (SSL VPN and IPsec client) group policies, so some attributes, such as Filter, apply only to those session types and not to site-to-site group policies.

Name—Specifies the name of this group policy. For the Edit function, this field is read-only.

Tunneling Protocols—Specifies the tunneling protocols that this group can use. Users can use only the selected protocols. These are the valid choices for Site-to-Site VPN group policies:

IPsec IKEv1—IP Security Protocol with IKE version 1 key exchange. IPsec provides the most complete architecture for VPN tunnels; both Site-to-Site (peer-to-peer) connections and Cisco VPN client-to-LAN connections can use IPsec IKEv1.

IPsec IKEv2—IPsec with IKE version 2 key exchange. IKEv2 replaces the IKEv1 Main and Aggressive Mode exchanges with a shorter exchange, and it permits asymmetric pre-shared keys (a different key for each direction), which is why the IKEv2 Settings tab has separate Local and Remote Peer pre-shared key fields.


Note If you do not select a protocol, an error message appears.


Filter—(Network (Client) Access only)

Idle Timeout—If the Inherit check box is not checked, this parameter specifies the idle timeout period, in minutes, for sessions that use this group policy. If there is no communication activity on the connection in this period, the system terminates the connection. The minimum is 1 minute and the maximum is 10080 minutes (one week); the default is 30 minutes. To allow unlimited idle time, check Unlimited. This value does not apply to Clientless SSL VPN users.

Assigning Connection Profiles to Group Policies


Step 1 Select Configuration > Site-to-Site VPN > Group Policies.

Step 2 Select a group policy and click Assign.

Step 3 Check the connection profiles you want to assign to the group policy.

More than one connection profile can be assigned to a group policy; however, a connection profile can only be assigned to one group policy. Assigning all the connection profiles to a group policy will remove those connection profile associations from other group policies.

Step 4 Click OK.


Site-to-Site Connection Profiles

The Connection Profiles dialog box shows the attributes of the currently configured Site-to-Site connection profiles (also called "tunnel groups"), lets you select the delimiter to use when parsing connection profile names, and lets you add, modify, or delete connection profiles.

The security appliance supports IPsec LAN-to-LAN VPN connections using IKEv1 or IKEv2. On the ASA 1000V, both the peer address (outer IP header) and the protected networks (inner IP header) are IPv4; see Add/Edit Site-to-Site Connection.

Fields

Access Interfaces Area—Displays a table of device interfaces where you can enable access by a remote peer device on the interface:

Interface—The device interface to enable or disable access.

Allow IKEv1 Access—Check to enable IPsec IKEv1 access by a peer device.

Allow IKEv2 Access—Check to enable IPsec IKEv2 access by a peer device.

Connection Profiles Area—Displays a table of connection profiles where you can add, edit, or delete profiles:

Add—Opens the Add IPsec Site-to-Site connection profile dialog box.

Edit—Opens the Edit IPsec Site-to-Site connection profile dialog box.

Delete—Removes the selected connection profile. There is no confirmation or undo.

Name—The name of the connection profile.

Interface—The interface the connection profile is enabled on.

Local Network—Specifies the local network (address and mask) protected by the connection profile.

Remote Network—Specifies the remote network (address and mask) behind the peer.

IKEv1 Enabled—Shows whether IKEv1 is enabled for the connection profile.

IKEv2 Enabled—Shows whether IKEv2 is enabled for the connection profile.

Group Policy—Shows the group policy associated with the connection profile.

Add/Edit Site-to-Site Connection

The Add or Edit IPsec Site-to-Site Connection dialog box lets you create or modify an IPsec Site-to-Site connection. These dialog boxes let you specify the peer IPv4 address, specify a connection name, select an interface, specify IKEv1 and IKEv2 peer and user authentication parameters, specify protected networks, and specify encryption algorithms.

The ASA 1000V supports LAN-to-LAN VPN connections to Cisco or third-party peers when the two peers have IPv4 inside and outside networks (IPv4 addresses on the inside and outside interfaces).

Fields in Basic Configuration Screen

Peer IP Address—Lets you specify an IPv4 address and whether that address is static.

Connection Name—Specifies the name assigned to this connection profile. For the Edit function, this field is display-only. You can specify that the connection name is the same as the IP address specified in the Peer IP Address field.

Interface—Selects the interface to use for this connection.

Protected Networks—Selects or specifies the local and remote network protected for this connection.

IP Address Type—Specifies the address is an IPv4 address.

Local Network—Specifies the local network (address and mask) protected by this connection.

Click the Local Network ellipsis button to open the Browse Local Network dialog box, in which you can select a local network.

Remote Network—Specifies the remote network (address and mask) behind the peer.

Click the Remote Network ellipsis button to open the Browse Remote Network dialog box, in which you can select a remote network.

IPsec Enabling—Specifies the group policy for this connection profile and the key exchange protocol specified in that policy:

Group Policy Name—Specifies the group policy associated with this connection profile.

Manage—Click Manage to open the Configure Group Policies dialog box and configure a group policy for this connection profile.

Enable IKEv1—Enables the key exchange protocol IKEv1 in the specified group policy.

Enable IKEv2—Enables the key exchange protocol IKEv2 in the specified group policy.

IKEv1 Settings tab—Specifies authentication and encryption settings for IKEv1:

Pre-shared Key—Specify the value of the pre-shared key for the connection profile. The maximum length of the pre-shared key is 128 characters.

Device Certificate—Specifies the name of the identity certificate, if available, to use for authentication.

Manage—Opens the Manage Identity Certificates dialog box, on which you can see the certificates that are already configured, add new certificates, show details for a certificate, and edit or delete a certificate.

IKE Policy—Specifies one or more encryption algorithms to use for the IKE proposal.

Manage—Opens the Configure IKEv1 Proposals dialog box.

IPsec Proposal—Specifies one or more encryption algorithms to use for the IPsec IKEv1 proposal.

Select—Opens the Select IPsec Proposals (Transform Sets) dialog box, where you can assign a proposal to the connection profile for IKEv1 connections.

IKEv2 Settings tab—Specifies authentication and encryption settings for IKEv2:

Local Pre-shared Key—Specify the value of the pre-shared key for the tunnel group. The maximum length of the pre-shared key is 128 characters.

Local Device Certificate—Specifies the name of the identity certificate, if available, to use for authentication.

Manage—Opens the Manage Identity Certificates dialog box, on which you can see the certificates that are already configured, add new certificates, show details for a certificate, and edit or delete a certificate.

Remote Peer Pre-shared Key—Specify the value of the remote peer pre-shared key for the tunnel group. The maximum length of the pre-shared key is 128 characters.

Remote Peer Certificate Authentication—Check Allowed to allow certificate authentication for IKEv2 connections for this connection profile.

Manage—Opens the Manage CA Certificates dialog where you can view certificates and add new ones.

IKE Policy—Specifies one or more encryption algorithms to use for the IKE proposal.

Manage—Opens the Configure IKEv2 Proposals dialog box.

IPsec Proposal—Specifies one or more encryption algorithms to use for the IPsec IKEv2 proposal.

Select—Opens the Select IPsec Proposals (Transform Sets) dialog box, where you can assign a proposal to the connection profile for IKEv2 connections.

Fields in Advanced > Crypto Map Entry Screen

The fields on this screen are described under Crypto Map Entry and, when the Peer IP Address is static, Crypto Map Entry for Static Peer Address.

The following table shows the modes in which this feature is available:

Firewall Mode            Security Context
Routed | Transparent     Single | Multiple (Context | System)


Adding or Editing a Site-to-Site Tunnel Group

The Add or Edit IPsec Site-to-Site Tunnel Group dialog box lets you specify attributes for the IPsec site-to-site connection that you are adding. In addition, you can select IKE peer and user authentication parameters, configure IKE keepalive monitoring, and select the default group policy.

Fields

Name—Specifies the name assigned to this tunnel group. For the Edit function, this field is display-only.

IPsec Enabling—Specifies the group policy for this connection profile and the key exchange protocol specified in that policy:

Group Policy Name—Specifies the group policy associated with this connection profile.

Manage—Click Manage to open the Configure Group Policies dialog box and create or edit a group policy for this Tunnel Group.

Enable IKEv1—Enables the key exchange protocol IKEv1 in the specified group policy.

Enable IKEv2—Enables the key exchange protocol IKEv2 in the specified group policy.

IKEv1 Settings tab—Specifies authentication and encryption settings for IKEv1:

Pre-shared Key—Specify the value of the pre-shared key for the tunnel group. The maximum length of the pre-shared key is 128 characters.

Device Certificate—Specifies the name of the identity certificate, if available, to use for authentication.

Manage—Opens the Manage Identity Certificates dialog box, on which you can see the certificates that are already configured, add new certificates, show details for a certificate, and edit or delete a certificate.

IKEv2 Settings tab—Specifies authentication and encryption settings for IKEv2:

Local Pre-shared Key—Specify the value of the pre-shared key for the tunnel group. The maximum length of the pre-shared key is 128 characters.

Local Device Certificate—Specifies the name of the identity certificate, if available, to use for authentication.

Manage—Opens the Manage Identity Certificates dialog box, on which you can see the certificates that are already configured, add new certificates, show details for a certificate, and edit or delete a certificate.

Remote Peer Pre-shared Key—Specify the value of the remote peer pre-shared key for the tunnel group. The maximum length of the pre-shared key is 128 characters.

Remote Peer Certificate Authentication—Check Allowed to allow certificate authentication for IKEv2 connections for this connection profile.

Manage—Opens the Manage CA Certificates dialog where you can view certificates and add new ones.

IKE Peer ID Validation—Specifies whether the ASA 1000V checks that the identity the peer presents during IKE matches the identity in its certificate. The choices are ignored, required, or checked only if the peer's certificate supports it (see Configuring Tunnel Group for Site-to-Site VPN). The default is Required.

IKE Keepalive—Enables and configures IKE keepalive monitoring. You can select only one of the following attributes.

Disable Keep Alives—Turns off IKE keepalive (dead peer detection) for this tunnel group.

Monitor Keep Alives—Enables IKE keepalive monitoring. Selecting this option makes available the Confidence Interval and Retry Interval fields.

Confidence Interval—Specifies the IKE keepalive confidence interval: the number of seconds the ASA 1000V allows a peer to idle before it begins keepalive monitoring. The minimum is 10 seconds; the maximum is 300 seconds. The default for a LAN-to-LAN group is 10 seconds; for a remote access group it is 300 seconds.

Retry Interval—Specifies number of seconds to wait between IKE keep alive retries. The default is 2 seconds.

Head end will never initiate keepalive monitoring—Specifies that the central-site ASA 1000V never initiates keepalive monitoring.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode            Security Context
Routed | Transparent     Single | Multiple (Context | System)


Crypto Map Entry

In this dialog box, specify crypto parameters for the Connection Profile.

Fields

Priority—A unique priority (1 through 65535, with 1 the highest priority). This is the sequence number of the crypto map entry; the ASA 1000V evaluates the entries on an interface in priority order, both when it matches outbound traffic to an entry and when it searches for an entry that matches a peer's proposal, so more specific entries should carry lower numbers.

Perfect Forward Secrecy—Forces a fresh Diffie-Hellman exchange each time an IPsec SA is negotiated, so the SA's keys are not derived from the IKE SA keys or from any earlier SA. If an attacker recovers one key, PFS ensures that it yields no other key. If you enable PFS, the Diffie-Hellman Group list becomes active.

Diffie-Hellman Group—The group the two IPsec peers use to derive a shared secret without transmitting it to each other. The choices are Group 1 (768-bit), Group 2 (1024-bit), and Group 5 (1536-bit). Groups 1 and 2 are below current strength expectations; choose Group 5 unless the peer cannot support it.

Enable NAT-T— Enables NAT Traversal (NAT-T) for this policy, which lets IPsec peers establish both remote access and LAN-to-LAN connections through a NAT device.

Enable Reverse Route Injection—Provides the ability for static routes to be automatically inserted into the routing process for those networks and hosts that are protected by a remote tunnel endpoint.

Security Association Lifetime—Configures the duration of a Security Association (SA). This parameter specifies how to measure the lifetime of the IPsec SA keys, which is how long the IPsec SA lasts until it expires and must be renegotiated with new keys.

Time—Specifies the SA lifetime in terms of hours (hh), minutes (mm) and seconds (ss).

Traffic Volume—Defines the SA lifetime in terms of kilobytes of traffic. Enter the number of kilobytes of payload data after which the IPsec SA expires. Minimum is 100 KB, default is 10000 KB, maximum is 2147483647 KB.

Crypto Map Entry for Static Peer Address

In this dialog box, specify crypto parameters for the Connection Profile when the Peer IP Address is a static address.

Fields

Priority—A unique priority (1 through 65535, with 1 the highest priority). This is the sequence number of the crypto map entry; the ASA 1000V evaluates the entries on an interface in priority order, both when it matches outbound traffic to an entry and when it searches for an entry that matches a peer's proposal, so more specific entries should carry lower numbers.

Perfect Forward Secrecy—Forces a fresh Diffie-Hellman exchange each time an IPsec SA is negotiated, so the SA's keys are not derived from the IKE SA keys or from any earlier SA. If an attacker recovers one key, PFS ensures that it yields no other key. If you enable PFS, the Diffie-Hellman Group list becomes active.

Diffie-Hellman Group—The group the two IPsec peers use to derive a shared secret without transmitting it to each other. The choices are Group 1 (768-bit), Group 2 (1024-bit), and Group 5 (1536-bit). Groups 1 and 2 are below current strength expectations; choose Group 5 unless the peer cannot support it.

Enable NAT-T— Enables NAT Traversal (NAT-T) for this policy, which lets IPsec peers establish both remote access and LAN-to-LAN connections through a NAT device.

Enable Reverse Route Injection—Provides the ability for static routes to be automatically inserted into the routing process for those networks and hosts that are protected by a remote tunnel endpoint.

Security Association Lifetime—Configures the duration of a Security Association (SA). This parameter specifies how to measure the lifetime of the IPsec SA keys, which is how long the IPsec SA lasts until it expires and must be renegotiated with new keys.

Time—Specifies the SA lifetime in terms of hours (hh), minutes (mm) and seconds (ss).

Traffic Volume—Defines the SA lifetime in terms of kilobytes of traffic. Enter the number of kilobytes of payload data after which the IPsec SA expires. Minimum is 100 KB, default is 10000 KB, maximum is 2147483647 KB.

Static Crypto Map Entry Parameters—Configure these additional parameters when the Peer IP Address is specified as Static:

Connection Type—Specify the allowed negotiation as bidirectional, answer-only, or originate-only.

Send ID Cert. Chain—Enables transmission of the entire certificate chain.

IKE Negotiation Mode—Sets the mode for exchanging key information when setting up the SAs: Main or Aggressive. It sets the mode that the initiator of the negotiation uses; the responder accepts whichever mode the initiator proposes. Aggressive Mode is faster, using fewer packets and fewer exchanges, but it does not protect the identities of the communicating parties, and with pre-shared key authentication it also sends a hash derived from the pre-shared key before any encryption is in place, which a passive attacker can capture and attack offline. Main Mode is slower, using more packets and more exchanges, but it protects the identities of the communicating parties. Main Mode is more secure and is the default; keep it unless the peer requires Aggressive Mode (for example, a peer with a dynamic address that must be identified by name). If you select Aggressive, the Diffie-Hellman Group list becomes active.

Diffie-Hellman Group—The group the initiator proposes in Aggressive Mode; it must be fixed in advance because Aggressive Mode does not negotiate it. The choices are Group 1 (768-bit), Group 2 (1024-bit), and Group 5 (1536-bit); prefer Group 5 for the reason given under Perfect Forward Secrecy.

Configuring Tunnel Group for Site-to-Site VPN

The Add or Edit Tunnel Group dialog box lets you configure or edit tunnel group parameters for this Site-to-Site connection profile.

Fields

Certificate Settings—Sets the following certificate chain and IKE peer validation attributes:

Send certificate chain—Enables or disables sending the entire certificate chain. This action includes the root certificate and any subordinate CA certificates in the transmission.

IKE Peer ID Validation—Selects whether IKE peer ID validation is ignored, required, or checked only if supported by a certificate.

IKE Keep Alive—Enables and configures IKE (ISAKMP) keepalive monitoring.

Disable Keepalives—Turns off IKE keepalive (dead peer detection) for this connection profile.

Monitor Keepalives—Enables IKE keepalive monitoring. Selecting this option makes available the Confidence Interval and Retry Interval fields.

Confidence Interval—Specifies the IKE keepalive confidence interval: the number of seconds the ASA 1000V allows a peer to idle before it begins keepalive monitoring. The minimum is 10 seconds; the maximum is 300 seconds. The default for a LAN-to-LAN group is 10 seconds; for a remote access group it is 300 seconds.

Retry Interval—Specifies number of seconds to wait between IKE keepalive retries. The default is 2 seconds.

Head end will never initiate keepalive monitoring—Specifies that the central-site ASA 1000V never initiates keepalive monitoring.

Default Group Policy—Specifies the following group-policy attributes:

Group Policy—Selects a group policy to use as the default group policy. The default value is DfltGrpPolicy.

Manage—Opens the Configure Group Policies dialog box.

IPsec Protocol—Enables or disables the use of the IPsec protocol for this connection profile.
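The Add/Edit Site-to-Site Connection, Crypto Map Entry and Tunnel Group dialogs above all populate one IKEv1 LAN-to-LAN configuration. As an added example by the editor (not Cisco code), the following renders those dialog fields as the equivalent CLI lines, enforces the value ranges the dialogs state (priority, pre-shared key length, Diffie-Hellman group, traffic-volume lifetime) and flags the choices a reviewer should question (PFS off or on a weak group, Aggressive Mode, peer ID validation off). The addresses, key and transform-set name are constructed; the CLI forms are the IKEv1 LAN-to-LAN equivalents as the editor knows them for ASA 8.4-era software and are an assumption to verify against the ASA 1000V command reference before use.

```python
"""Render the site-to-site dialog fields described above as equivalent ASA
CLI, validating the dialog ranges and flagging weak choices. Added example
by the editor, not Cisco code. Addresses, key and transform-set name are
constructed; the CLI forms are IKEv1 LAN-to-LAN equivalents as known for
ASA 8.4-era software (assumption: verify against the ASA 1000V reference)."""
from dataclasses import dataclass
from typing import List

PSK_MAX_LEN = 128                 # pre-shared key limit stated in the dialogs
DH_GROUPS = {1, 2, 5}             # groups the Diffie-Hellman Group list offers
WEAK_DH_GROUPS = {1, 2}           # 768- and 1024-bit MODP, below current strength
TRANSFORM_SET = "ESP-AES256-SHA"  # assumed to exist already (IPsec Proposal)


@dataclass
class SiteToSiteProfile:
    peer_ip: str
    interface: str
    local_net: str                           # "network mask" as the ACL needs it
    remote_net: str
    pre_shared_key: str
    group_policy: str = "L2L_POLICY"
    priority: int = 10                       # crypto map sequence number
    pfs_group: int = 0                       # 0 = Perfect Forward Secrecy off
    nat_t: bool = True
    reverse_route_injection: bool = False
    sa_lifetime_seconds: int = 28800
    sa_lifetime_kbytes: int = 4608000
    connection_type: str = "bidirectional"   # or answer-only / originate-only
    negotiation_mode: str = "main"           # or aggressive
    aggressive_dh_group: int = 2
    peer_id_validation: str = "req"          # req / cert / nocheck
    keepalive_threshold: int = 10            # Confidence Interval, seconds
    keepalive_retry: int = 2                 # Retry Interval, seconds

    def validate(self) -> None:
        """Raise ValueError for any value the dialogs would reject."""
        if not 1 <= self.priority <= 65535:
            raise ValueError("priority must be 1..65535")
        if not 1 <= len(self.pre_shared_key) <= PSK_MAX_LEN:
            raise ValueError(f"pre-shared key must be 1..{PSK_MAX_LEN} characters")
        if self.pfs_group and self.pfs_group not in DH_GROUPS:
            raise ValueError("PFS Diffie-Hellman group must be 1, 2 or 5")
        if not 100 <= self.sa_lifetime_kbytes <= 2147483647:
            raise ValueError("traffic-volume lifetime must be 100..2147483647 KB")
        if self.connection_type not in ("bidirectional", "answer-only", "originate-only"):
            raise ValueError("bad connection type")
        if self.negotiation_mode not in ("main", "aggressive"):
            raise ValueError("IKE negotiation mode must be main or aggressive")
        if self.peer_id_validation not in ("req", "cert", "nocheck"):
            raise ValueError("bad peer ID validation setting")

    def warnings(self) -> List[str]:
        """Settings the dialogs accept but that weaken the tunnel."""
        w = []
        if self.pfs_group == 0:
            w.append("PFS off: IKE SA key compromise exposes later IPsec SA keys")
        elif self.pfs_group in WEAK_DH_GROUPS:
            w.append(f"PFS uses DH group {self.pfs_group}; prefer group 5")
        if self.negotiation_mode == "aggressive":
            w.append("aggressive mode exposes peer identities and a PSK-derived hash")
        if self.peer_id_validation == "nocheck":
            w.append("IKE peer ID validation disabled")
        return w

    def render(self) -> List[str]:
        """Return the CLI lines equivalent to the dialog settings."""
        self.validate()
        cmap = f"crypto map {self.interface.upper()}_MAP"
        entry = f"{cmap} {self.priority}"
        acl = f"L2L_{self.priority}"
        lines = [
            f"crypto ikev1 enable {self.interface}",      # Allow IKEv1 Access
            f"access-list {acl} extended permit ip {self.local_net} {self.remote_net}",
            f"{entry} match address {acl}",               # Protected Networks
            f"{entry} set peer {self.peer_ip}",
            f"{entry} set ikev1 transform-set {TRANSFORM_SET}",
            f"{entry} set security-association lifetime seconds {self.sa_lifetime_seconds}",
            f"{entry} set security-association lifetime kilobytes {self.sa_lifetime_kbytes}",
            f"{entry} set connection-type {self.connection_type}",
        ]
        if self.pfs_group:
            lines.append(f"{entry} set pfs group{self.pfs_group}")
        if not self.nat_t:
            lines.append(f"{entry} set nat-t-disable")
        if self.reverse_route_injection:
            lines.append(f"{entry} set reverse-route")
        if self.negotiation_mode == "aggressive":
            lines.append(f"{entry} set ikev1 phase1-mode aggressive group{self.aggressive_dh_group}")
        lines += [
            f"{cmap} interface {self.interface}",
            f"tunnel-group {self.peer_ip} type ipsec-l2l",
            f"tunnel-group {self.peer_ip} general-attributes",
            f" default-group-policy {self.group_policy}",
            f"tunnel-group {self.peer_ip} ipsec-attributes",
            f" ikev1 pre-shared-key {self.pre_shared_key}",
            f" peer-id-validate {self.peer_id_validation}",
            f" isakmp keepalive threshold {self.keepalive_threshold} retry {self.keepalive_retry}",
        ]
        return lines


def example_profile(**overrides) -> SiteToSiteProfile:
    """Constructed sample: 10.1.0.0/16 behind this ASA, 10.2.0.0/16 behind 203.0.113.5."""
    fields = dict(peer_ip="203.0.113.5", interface="outside",
                  local_net="10.1.0.0 255.255.0.0", remote_net="10.2.0.0 255.255.0.0",
                  pre_shared_key="example-psk-replace-before-use", pfs_group=5)
    fields.update(overrides)
    return SiteToSiteProfile(**fields)
```

The rendered lines carry the pre-shared key in the clear, so treat the output like the running configuration itself and keep it out of tickets and version control. The warnings() checks are the ones worth running over every existing connection profile: the dialogs accept PFS off, Group 1 and Aggressive Mode without comment.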

Modes

The following table shows the modes in which this feature is available:

Firewall Mode            Security Context
Routed | Transparent     Single | Multiple (Context | System)


System Options

The System Options pane lets you configure features specific to VPN sessions on the ASA 1000V.

Fields

Enable inbound IPsec sessions to bypass interface access-lists. Group policy and per-user authorization access lists still apply to the traffic—By default, the ASA 1000V allows VPN traffic to terminate on an ASA 1000V interface; you do not need to allow IKE or ESP (or other types of VPN packets) in an access rule. When this option is checked (the CLI equivalent is sysopt connection permit-vpn), you also do not need an access rule for the local IP addresses of decrypted VPN packets: because the tunnel was authenticated and the traffic decrypted by the VPN subsystem, the interface access list is skipped for it. This simplifies configuration and avoids a second rule lookup, but it also means the interface access list no longer constrains what the remote site can reach. Only the group policy and per-user authorization access lists (vpn-filter) apply to the decrypted traffic, so make sure those express the intended policy.

You can require an access rule to apply to the local IP addresses by unchecking this option. The access rule is then evaluated against the addresses of the decrypted packet, not against the outer (peer) IP address of the encrypted packet.

Limit the maximum number of active IPsec VPN sessions—Enables or disables limiting the maximum number of active IPsec VPN sessions. The range depends on the hardware platform and the software license.

Maximum Active IPsec VPN Sessions—Specifies the maximum number of active IPsec VPN sessions allowed. This field is active only when you select the preceding check box to limit the maximum number of active IPsec VPN sessions.

L2TP Tunnel Keep-alive Timeout—Specifies the frequency, in seconds, of keepalive messages. The range is 10 through 300 seconds. The default is 60 seconds.

Preserve stateful VPN flows when tunnel drops for Network-Extension Mode (NEM)—Enables or disables preserving IPsec tunneled flows in Network-Extension Mode. With the persistent IPsec tunneled flows feature enabled, as long as the tunnel is re-established within the timeout window, data continues flowing successfully because the security appliance still has the state information for the flows. This option is disabled by default.


Note Tunneled TCP flows are not dropped, so they rely on the TCP timeout for cleanup. However, if the timeout is disabled for a particular tunneled flow, that flow remains in the system until being cleared manually or by other means (for example, by a TCP RST from the peer).


Modes

The following table shows the modes in which this feature is available:

Firewall Mode            Security Context
Routed | Transparent     Single | Multiple (Context | System)