-
Cisco Security Appliance Command Line Configuration Guide, Version 8.0
-
Index
-
About This Guide
-
Getting Started and General Information
-
Introduction to the Security Appliance
-
Getting Started
-
Enabling Multiple Context Mode
-
Configuring Interfaces for the Cisco ASA 5505 Adaptive Security Appliance
-
Configuring Ethernet Settings and Subinterfaces
-
Adding and Managing Security Contexts
-
Configuring Interface Parameters
-
Configuring Basic Settings
-
Configuring IP Routing
-
Configuring Multicast Routing
-
Configuring DHCP, DDNS, and WCCP Services
-
Configuring IPv6
-
Configuring AAA Servers and the Local Database
-
Configuring Failover
-
-
Configuring the Firewall
-
Firewall Mode Overview
-
Identifying Traffic With Access Lists
-
Configuring NAT
-
Permitting or Denying Network Access
-
Applying AAA for Network Access
-
Applying Filtering Services
-
Using Modular Policy Framework
-
Managing AIP SSM and CSC SSM
-
Preventing Network Attacks
-
Applying QoS Policies
-
Applying Application Layer Protocol Inspection
-
Configuring ARP Inspection and Bridging Parameters in Transparent Mode
-
-
Configuring VPN
-
Configuring IPSec and ISAKMP
-
Configuring L2TP over IPSec
-
Setting General VPN Parameters
-
Configuring Tunnel Groups, Group Policies, and Users
-
Configuring IP Addresses for VPN
-
Configuring Remote Access VPNs
-
Configuring Network Admission Control
-
Configuring Easy VPN on the ASA 5505
-
Configuring the PPPoE Client
-
Configuring LAN-to-LAN VPNs
-
Configuring Clientless SSL VPN
-
Configuring AnyConnect VPN Client Connections
-
Configuring Certificates
-
- System Administration
- Reference
-
Glossary
-
Table Of Contents
Configuring Connection Profiles, Group Policies, and Users
Overview of Connection Profiles, Group Policies, and Users
General Connection Profile Connection Parameters
IPSec Tunnel-Group Connection Parameters
Connection Profile Connection Parameters for Clientless SSL VPN Sessions
Configuring Connection Profiles
Default IPSec Remote Access Connection Profile Configuration
Configuring IPSec Tunnel-Group General Attributes
Configuring IPSec Remote-Access Connection Profiles
Specifying a Name and Type for the IPSec Remote Access Connection Profile
Configuring IPSec Remote-Access Connection Profile General Attributes
Configuring IPSec Remote-Access Connection Profile IPSec Attributes
Configuring IPSec Remote-Access Connection Profile PPP Attributes
Configuring LAN-to-LAN Connection Profiles
Default LAN-to-LAN Connection Profile Configuration
Specifying a Name and Type for a LAN-to-LAN Connection Profile
Configuring LAN-to-LAN Connection Profile General Attributes
Configuring LAN-to-LAN IPSec Attributes
Configuring Connection Profiles for Clientless SSL VPN Sessions
Specifying a Connection Profile Name and Type for Clientless SSL VPN Sessions
Configuring General Tunnel-Group Attributes for Clientless SSL VPN Sessions
Configuring Tunnel-Group Attributes for Clientless SSL VPN Sessions
Customizing Login Windows for Users of Clientless SSL VPN sessions
Configuring Microsoft Active Directory Settings for Password Management
Using Active Directory to Force the User to Change Password at Next Logon
Using Active Directory to Specify Maximum Password Age
Using Active Directory to Override an Account Disabled AAA Indicator
Using Active Directory to Enforce Minimum Password Length
Using Active Directory to Enforce Password Complexity
Configuring the Connection Profile for RADIUS/SDI Message Support for the AnyConnect Client
AnyConnect Client and RADIUS/SDI Server Interaction
Configuring the Security Appliance to Support RADIUS/SDI Messages
Configuring an External Group Policy
Configuring an Internal Group Policy
Configuring Group Policy Attributes
Configuring WINS and DNS Servers
Configuring VPN-Specific Attributes
Configuring Security Attributes
Configuring the Banner Message
Configuring IPSec-UDP Attributes
Configuring Split-Tunneling Attributes
Configuring Domain Attributes for Tunneling
Configuring Attributes for VPN Hardware Clients
Configuring Backup Server Attributes
Configuring Microsoft Internet Explorer Client Parameters
Configuring Network Admission Control Parameters
Configuring Client Access Rules
Configuring Group-Policy Attributes for Clientless SSL VPN Sessions
Viewing the Username Configuration
Configuring Attributes for Specific Users
Setting a User Password and Privilege Level
Configuring VPN User Attributes
Configuring Clientless SSL VPN Access for Specific Users
Configuring Connection Profiles, Group Policies, and Users
This chapter describes how to configure VPN connection profiles (formerly called "tunnel groups"), group policies, and users. This chapter includes the following sections.
•
Overview of Connection Profiles, Group Policies, and Users
•
In summary, you first configure connection profiles to set the values for the connection. Then you configure group policies. These set values for users in the aggregate. Then you configure users, which can inherit values from groups and configure certain values on an individual user basis. This chapter describes how and why to configure these entities.
Overview of Connection Profiles, Group Policies, and Users
Groups and users are core concepts in managing the security of virtual private networks (VPNs) and in configuring the security appliance. They specify attributes that determine user access to and use of the VPN. A group is a collection of users treated as a single entity. Users get their attributes from group policies. Connection profiles identify the group policy for a specific connection. If you do not assign a particular group policy to a user, the default group policy for the connection applies.
Note
Connection profiles and group policies simplify system management. To streamline the configuration task, the security appliance provides a default LAN-to-LAN connection profile, a default remote access connection profile, a default connection profile for clientless SSL VPN, and a default group policy (DfltGrpPolicy). The default connection profiles and group policy provide settings that are likely to be common for many users. As you add users, you can specify that they "inherit" parameters from a group policy. Thus you can quickly configure VPN access for large numbers of users.
If you decide to grant identical rights to all VPN users, then you do not need to configure specific connection profiles or group policies, but VPNs seldom work that way. For example, you might allow a finance group to access one part of a private network, a customer support group to access another part, and an MIS group to access other parts. In addition, you might allow specific users within MIS to access systems that other MIS users cannot access. Connection profiles and group policies provide the flexibility to do so securely.
Note
The security appliance can apply attribute values from a variety of sources. It applies them according to the following hierarchy:
1.
2.
3.
4.
5.
Therefore, DAP values for an attribute have a higher priority than those configured for a user, group policy, or connection profile.
When you enable or disable an attribute for a DAP record, the security appliance applies that value and enforces it. For example, when you disable HTTP proxy in dap webvpn mode, the security appliance looks no further for a value. When you instead use the no value for the http-proxy command, the attribute is not present in the DAP record, so the security appliance moves down to the AAA attribute in the username, and if necessary, the group policy to find a value to apply. We recommend that you use ASDM to configure DAP.
Connection Profiles
A connection profile consists of a set of records that determines tunnel connection policies. These records identify the servers to which the tunnel user is authenticated, as well as the accounting servers, if any, to which connection information is sent. They also identify a default group policy for the connection, and they contain protocol-specific connection parameters. Connection profiles include a small number of attributes that pertain to creating the tunnel itself. Connection profiles include a pointer to a group policy that defines user-oriented attributes.
The security appliance provides the following default connection profiles: DefaultL2Lgroup for LAN-to-LAN connections, DefaultRAgroup for remote access connections, and DefaultWEBVPNGroup for clientless SSL VPN (browser-based) connections. You can modify these default connection profiles, but you cannot delete them. You can also create one or more connection profiles specific to your environment. Connection profiles are local to the security appliance and are not configurable on external servers.
Connection profiles specify the following attributes:
•
•
•
General Connection Profile Connection Parameters
General parameters are common to all VPN connections. The general parameters include the following:
•
–
–
•
•
–
–
–
A server group can consist of one or more servers.
•
•
•
•
•
When you specify the strip-group command, the security appliance selects the connection profile for user connections by obtaining the group name from the username presented by the VPN client. The security appliance then sends only the user part of the username for authorization/authentication. Otherwise (if disabled), the security appliance sends the entire username, including the realm.
Strip-realm processing removes the realm from the username when sending the username to the authentication or authorization server. If the command is enabled, the security appliance sends only the user part of the username authorization/authentication. Otherwise, the security appliance sends the entire username.
•
•
IPSec Tunnel-Group Connection Parameters
IPSec parameters include the following:
•
–
–
•
You use isakmp ikev1-user-authentication command to implement hybrid XAUTH authentication when you need to use digital certificates for security appliance authentication and a different, legacy method for remote VPN user authentication, such as RADIUS, TACACS+ or SecurID.
•
There are various forms of IKE keepalives. For this feature to work, both the security appliance and its remote peer must support a common form. This feature works with the following peers:
–
–
–
–
–
–
–
Non-Cisco VPN clients do not support IKE keepalives.
If you are configuring a group of mixed peers, and some of those peers support IKE keepalives and others do not, enable IKE keepalives for the entire group. The feature does not affect the peers that do not support it.
If you disable IKE keepalives, connections with unresponsive peers remain active until they time out, so we recommend that you keep your idle timeout short. To change your idle timeout, see "Configuring Group Policies" section.
Note
If you do disable IKE keepalives, the client disconnects only when either its IKE or IPSec keys expire. Failed traffic does not disconnect the tunnel with the Peer Timeout Profile values as it does when IKE keepalives are enabled.
Note
•
•
•
Connection Profile Connection Parameters for Clientless SSL VPN Sessions
Table 30-1 provides a list of connection profile attributes that are specific to clientless SSL VPN. In addition to these attributes, you configure general connection profile attributes common to all VPN connections. For step-by-step information on configuring connection profiles, see "Configuring Connection Profiles for Clientless SSL VPN Sessions" in "Configuring Connection Profiles, Group Policies, and Users."
Note
Configuring Connection Profiles
The following sections describe the contents and configuration of connection profiles:
•
•
•
•
•
•
•
You can modify the default connection profiles, and you can configure a new connection profile as any of the three tunnel-group types. If you don't explicitly configure an attribute in a connection profile, that attribute gets its value from the default connection profile. The default connection-profile type is remote access. The subsequent parameters depend upon your choice of tunnel type. To see the current configured and default configuration of all your connection profiles, including the default connection profile, enter the show running-config all tunnel-group command.
Default IPSec Remote Access Connection Profile Configuration
The contents of the default remote-access connection profile are as follows:
tunnel-group DefaultRAGroup type remote-accesstunnel-group DefaultRAGroup general-attributesno address-poolno ipv6-address-poolauthentication-server-group LOCALaccounting-server-group RADIUSdefault-group-policy DfltGrpPolicyno dhcp-serverno strip-realmno password-managementno override-account-disableno strip-groupno authorization-requiredauthorization-dn-attributes CN OUtunnel-group DefaultRAGroup webvpn-attributeshic-fail-group-policy DfltGrpPolicycustomization DfltCustomizationauthentication aaano override-svc-downloadno radius-reject-messagedns-group DefaultDNStunnel-group DefaultRAGroup ipsec-attributesno pre-shared-keypeer-id-validate reqno chainno trust-pointisakmp keepalive threshold 1500 retry 2no radius-sdi-xauthisakmp ikev1-user-authentication xauthtunnel-group DefaultRAGroup ppp-attributesno authentication papauthentication chapauthentication ms-chap-v1no authentication ms-chap-v2no authentication eap-proxyConfiguring IPSec Tunnel-Group General Attributes
The general attributes are common across more than one tunnel-group type. IPSec remote access and clientless SSL VPN tunnels share most of the same general attributes. IPSec LAN-to-LAN tunnels use a subset. Refer to the Cisco Security Appliance Command Reference for complete descriptions of all commands. The following sections describe, in order, how to configure IPSec remote-access connection profiles, IPSec LAN-to-LAN connection profiles, and clientless SSL VPN connection profiles.
Configuring IPSec Remote-Access Connection Profiles
Use an IPSec remote-access connection profile when setting up a connection between a remote client and a central-site security appliance, using a hardware or software client.To configure an IPSec remote-access connection profile, first configure the tunnel-group general attributes, then the IPSec remote-access attributes. An IPSec Remote Access VPN connection profile applies only to remote-access IPSec client connections. To configure an IPSec remote-access connection profile, see the following sections:
•
•
•
Specifying a Name and Type for the IPSec Remote Access Connection Profile
Create the connection profile, specifying its name and type, by entering the tunnel-group command. For an IPSec remote-access tunnel, the type is remote-access
hostname(config)# tunnel-group tunnel_group_name type remote-accesshostname(config)#For example, to create an IPSec remote-access connection profile named TunnelGroup1, enter the following command:
hostname(config)# tunnel-group TunnelGroup1 type remote-accesshostname(config)#Configuring IPSec Remote-Access Connection Profile General Attributes
To configure or change the connection profile general attributes, specify the parameters in the following steps.
Step 1
hostname(config)# tunnel-group tunnel_group_name general-attributeshostname(config-tunnel-general)#Step 2
hostname(config-tunnel-general)# authentication-server-group [(interface_name)] groupname [LOCAL]hostname(config-tunnel-general)#The name of the authentication server group can be up to 16 characters long.
You can optionally configure interface-specific authentication by including the name of an interface after the group name. The interface name, which specifies where the IPSec tunnel terminates, must be enclosed in parentheses. The following command configures interface-specific authentication for the interface named test using the server named servergroup1 for authentication:
hostname(config-tunnel-general)# authentication-server-group (test) servergroup1hostname(config-tunnel-general)#Step 3
hostname(config-tunnel-general)# authorization-server-group groupnamehostname(config-tunnel-general)#The name of the authorization server group can be up to 16 characters long. For example, the following command specifies the use of the authorization-server group FinGroup:
hostname(config-tunnel-general)# authorization-server-group FinGrouphostname(config-tunnel-general)#Step 4
hostname(config-tunnel-general)# accounting-server-group groupnamehostname(config-tunnel-general)#The name of the accounting server group can be up to 16 characters long. For example, the following command specifies the use of the accounting-server group named comptroller:
hostname(config-tunnel-general)# accounting-server-group comptrollerhostname(config-tunnel-general)#Step 5
hostname(config-tunnel-general)# default-group-policy policynamehostname(config-tunnel-general)#The name of the group policy can be up to 64 characters long. The following example sets DfltGrpPolicy as the name of the default group policy:
hostname(config-tunnel-general)# default-group-policy DfltGrpPolicyhostname(config-tunnel-general)#Step 6
hostname(config-tunnel-general)# dhcp-server server1 [...server10]hostname(config-tunnel-general)# address-pool [(interface name)] address_pool1 [...address_pool6]hostname(config-tunnel-general)#
Note
You configure address pools with the ip local pool command in global configuration mode.
Step 7
The following example identifies acs-group1 as the authentication server group to be used for NAC posture validation:
hostname(config-group-policy)# nac-authentication-server-group acs-group1hostname(config-group-policy)The following example inherits the authentication server group from the default remote access group.
hostname(config-group-policy)# no nac-authentication-server-grouphostname(config-group-policy)
Note
Step 8
hostname(config-tunnel-general)# strip-grouphostname(config-tunnel-general)# strip-realmhostname(config-tunnel-general)#A realm is an administrative domain. If you strip the realm, the security appliance uses the username and the group (if present) authentication. If you strip the group, the security appliance uses the username and the realm (if present) for authentication.Enter the strip-realm command to remove the realm qualifier, and use the strip-group command to remove the group qualilfier from the username during authentication. If you remove both qualifiers, authentication is based on the username alone. Otherwise, authentication is based on the full username@realm or username<delimiter> group string. You must specify strip-realm if your server is unable to parse delimiters.
Step 9
Note
Sun—The DN configured on the security appliance to access a Sun directory server must be able to access the default password policy on that server. We recommend using the directory administrator, or a user with directory administrator privileges, as the DN. Alternatively, you can place an ACI on the default password policy.
Microsoft—You must configure LDAP over SSL to enable password management with Microsoft Active Directory.
See the "Setting the LDAP Server Type" section on page 13-13 for more information.This feature, which is enabled by default, warns a user when the current password is about to expire. The default is to begin warning the user 14 days before expiration:
hostname(config-tunnel-general)# password-managementhostname(config-tunnel-general)#If the server is an LDAP server, you can specify the number of days (0 through 180) before expiration to begin warning the user about the pending expiration:
hostname(config-tunnel-general)# password-management [password-expire in days n]hostname(config-tunnel-general)#
Note
When you configure the password-management command, the security appliance notifies the remote user at login that the user's current password is about to expire or has expired. The security appliance then offers the user the opportunity to change the password. If the current password has not yet expired, the user can still log in using that password. The security appliance ignores this command if RADIUS or LDAP authentication has not been configured.
Note that this does not change the number of days before the password expires, but rather, the number of days ahead of expiration that the security appliance starts warning the user that the password is about to expire.
If you do specify the password-expire-in-days keyword, you must also specify the number of days.
Specifying this command with the number of days set to 0 disables this command. The security appliance does not notify the user of the pending expiration, but the user can change the password after it expires.
See Configuring Microsoft Active Directory Settings for Password Management for more information.
Note
Some RADIUS servers that support MS-CHAP do not currently support MS-CHAPv2. The password-management command requires MS-CHAPv2, so please check with your vendor.
The RADIUS server (for example, Cisco ACS) could proxy the authentication request to another authentication server. However, from the security appliance perspective, it is talking only to a RADIUS server.
For LDAP, the method to change a password is proprietary for the different LDAP servers on the market. Currently, the security appliance implements the proprietary password management logic only for Microsoft Active Directory and Sun LDAP servers. Native LDAP requires an SSL connection. You must enable LDAP over SSL before attempting to do password management for LDAP. By default, LDAP uses port 636.Step 10
hostname(config-tunnel-general)# override-account-disablehostname(config-tunnel-general)#
Note
Step 11
hostname(config-tunnel-general)# authorization-dn-attributes {primary-attribute [secondary-attribute] | use-entire-name}For example, the following command specifies the use of the CN attribute as the username for authorization:
hostname(config-tunnel-general)# authorization-dn-attributes CNhostname(config-tunnel-general)#The authorization-dn-attributes are C (Country), CN (Common Name), DNQ (DN qualifier), EA (E-mail Address), GENQ (Generational qualifier), GN (Given Name), I (Initials), L (Locality), N (Name), O (Organization), OU (Organizational Unit), SER (Serial Number), SN (Surname), SP (State/Province), T (Title), UID (User ID), and UPN (User Principal Name).
Step 12
hostname(config-tunnel-general)# authorization-requiredhostname(config-tunnel-general)#
Enabling IPv6 VPN Access
The security appliance allows access to IPv6 resources over a public IPv4 connection (Windows XP SP2, Windows Vista, Mac OSX, and Linux only). If you want to configure IPv6 access, you must use the command-line interface to configure IPv6; ASDM does not support IPv6.
You enable IPv6 access using the ipv6 enable command as part of enabling SSL VPN connections. The following is an example for an IPv6 connection that enables IPv6 on the outside interface:
hostname(config)# interface GigabitEthernet0/0hostname(config-if)# ipv6 enableTo enable IPV6 SSL VPN, do the following general actions:
1.
2.
3.
4.
To implement this procedure, do the following steps:
Step 1
interface GigabitEthernet0/0nameif outsidesecurity-level 0ip address 192.168.0.1 255.255.255.0ipv6 enable ; Needed for IPv6.!interface GigabitEthernet0/1nameif insidesecurity-level 100ip address 10.10.0.1 255.255.0.0ipv6 address 2001:DB8::1/32 ; Needed for IPv6.ipv6 enable ; Needed for IPv6.Step 2
ipv6 local pool ipv6pool 2001:DB8:1:1::5/32 100 ; Use your IPv6 prefix here
Note
Step 3
tunnel-group YourTunGrp1 general-attributes ipv6-address-pool ipv6pool
Note
Step 4
ipv6 route inside ::/0 X:X:X:X::X tunneled
Configuring IPSec Remote-Access Connection Profile IPSec Attributes
To configure the IPSec attributes for a remote-access connection profile, do the following steps. The following description assumes that you have already created the IPSec remote-access connection profile. IPSec remote-access connection profiles have more attributes than IPSec LAN-to-LAN connection profiles:
Step 1
hostname(config)# tunnel-group tunnel-group-name ipsec-attributeshostname(config-tunnel-ipsec)#This command enters tunnel-group ipsec-attributes configuration mode, in which you configure the remote-access tunnel-group IPSec attributes.
For example, the following command designates that the tunnel-group ipsec-attributes mode commands that follow pertain to the connection profile named TG1. Notice that the prompt changes to indicate that you are now in tunnel-group ipsec-attributes mode:
hostname(config)# tunnel-group TG1 type remote-accesshostname(config)# tunnel-group TG1 ipsec-attributeshostname(config-tunnel-ipsec)#Step 2
hostname(config-tunnel-ipsec)# pre-shared-key xyzxhostname(config-tunnel-ipsec)#Step 3
hostname(config-tunnel-ipsec)# peer-id-validate optionhostname(config-tunnel-ipsec)#The available options are req (required), cert (if supported by certificate), and nocheck (do not check). The default is req.
For example, the following command specifies that peer-id validation is required:
hostname(config-tunnel-ipsec)# peer-id-validate reqhostname(config-tunnel-ipsec)#Step 4
Step 5
hostname(config-tunnel-ipsec)# chainhostname(config-tunnel-ipsec)#This attribute applies to all IPSec tunnel-group types.
Step 6
hostname(config-tunnel-ipsec)# trust-point trust-point-namehostname(config-tunnel-ipsec)#The following command specifies mytrustpoint as the name of the certificate to be sent to the IKE peer:
hostname(config-ipsec)# trust-point mytrustpointStep 7
hostname(config-tunnel-ipsec)# isakmp keepalive threshold <number> retry <number>hostname(config-tunnel-ipsec)#The threshold parameter specifies the number of seconds (10 through 3600) that the peer is allowed to idle before beginning keepalive monitoring. The retry parameter is the interval (2 through 10 seconds) between retries after a keepalive response has not been received. IKE keepalives are enabled by default. To disable IKE keepalives, enter the no form of the isakmp command:
For example, the following command sets the IKE keepalive threshold value to 15 seconds and sets the retry interval to 10 seconds:
hostname(config-tunnel-ipsec)# isakmp keepalive threshold 15 retry 10hostname(config-tunnel-ipsec)#The default value for the threshold parameter is 300 for remote-access and 10 for LAN-to-LAN, and the default value for the retry parameter is 2.
To specify that the central site ("head end") should never initiate ISAKMP monitoring, enter the following command:
hostname(config-tunnel-ipsec)# isakmp keepalive threshold infinitehostname(config-tunnel-ipsec)#Step 8
You use isakmp ikev1-user-authentication command to implement hybrid XAUTH authentication when you need to use digital certificates for security appliance authentication and a different, legacy method for remote VPN user authentication, such as RADIUS, TACACS+ or SecurID. Hybrid XAUTH breaks phase 1 of IKE down into the following two steps, together called hybrid authentication:
a.
b.
Note
You can use the isakmp ikev1-user-authentication command with the optional interface parameter to specify a particular interface. When you omit the interface parameter, the command applies to all the interfaces and serves as a back-up when the per-interface command is not specified. When there are two isakmp ikev1-user-authentication commands specified for a connection profile, and one uses the interface parameter and one does not, the one specifying the interface takes precedence for that particular interface.
For example, the following commands enable hybrid XAUTH on the inside interface for a connection profile called example-group:
hostname(config)# tunnel-group example-group type remote-accesshostname(config)# tunnel-group example-group ipsec-attributeshostname(config-tunnel-ipsec)# isakmp ikev1-user-authentication (inside) hybridhostname(config-tunnel-ipsec)#
Configuring IPSec Remote-Access Connection Profile PPP Attributes
To configure the Point-to-Point Protocol attributes for a remote-access connection profile, do the following steps. PPP attributes apply only to IPSec remote-access connection profiles. The following description assumes that you have already created the IPSec remote-access connection profile.
Step 1
hostname(config)# tunnel-group tunnel-group-name type remote-accesshostname(config)# tunnel-group tunnel-group-name ppp-attributeshostname(config-tunnel-ppp)#For example, the following command designates that the tunnel-group ppp-attributes mode commands that follow pertain to the connection profile named TG1. Notice that the prompt changes to indicate that you are now in tunnel-group ppp-attributes mode:
hostname(config)# tunnel-group TG1 type remote-accesshostname(config)# tunnel-group TG1 ppp-attributeshostname(config-tunnel-ppp)#Step 2
•
•
•
•
CHAP and MSCHAPv1 are enabled by default.
The syntax of this command is:
hostname(config-tunnel-ppp)# authentication protocolhostname(config-tunnel-ppp)#To disable authentication for a specific protocol, use the no form of the command:
hostname(config-tunnel-ppp)# no authentication protocolhostname(config-tunnel-ppp)#For example, the following command enables the use of the PAP protocol for a PPP connection.
hostname(config-tunnel-ppp)# authentication paphostname(config-tunnel-ppp)#The following command enables the use of the MS-CHAP, version 2 protocol for a PPP connection:
hostname(config-tunnel-ppp)# authentication ms-chap-v2hostname(config-tunnel-ppp)#The following command enables the use of the EAP-PROXY protocol for a PPP connection:
hostname(config-tunnel-ppp)# authentication paphostname(config-tunnel-ppp)#The following command disables the use of the MS-CHAP, version 1 protocol for a PPP connection:
hostname(config-tunnel-ppp)# no authentication ms-chap-v1hostname(config-tunnel-ppp)#
Configuring LAN-to-LAN Connection Profiles
An IPSec LAN-to-LAN VPN connection profile applies only to LAN-to-LAN IPSec client connections. While many of the parameters that you configure are the same as for IPSec remote-access connection profiles, LAN-to-LAN tunnels have fewer parameters. To configure a LAN-to-LAN connection profile, follow the steps in this section.
Default LAN-to-LAN Connection Profile Configuration
The contents of the default LAN-to-LAN connection profile are as follows:
tunnel-group DefaultL2LGroup type ipsec-l2ltunnel-group DefaultL2LGroup general-attributesno accounting-server-groupdefault-group-policy DfltGrpPolicytunnel-group DefaultL2LGroup ipsec-attributesno pre-shared-keypeer-id-validate reqno chainno trust-pointisakmp keepalive threshold 10 retry 2LAN-to-LAN connection profiles have fewer parameters than remote-access connection profiles, and most of these are the same for both groups. For your convenience in configuring the connection, they are listed separately here. Any parameters that you do not explicitly configure inherit their values from the default connection profile.
Specifying a Name and Type for a LAN-to-LAN Connection Profile
To specify a name and a type for a connection profile, enter the tunnel-group command, as follows:
hostname(config)# tunnel-group tunnel_group_name type tunnel_typeFor a LAN-to-LAN tunnel, the type is ipsec-l2l.; for example, to create the LAN-to-LAN connection profile named docs, enter the following command:
hostname(config)# tunnel-group docs type ipsec-l2lhostname(config)#Configuring LAN-to-LAN Connection Profile General Attributes
To configure the connection profile general attributes, do the following steps:
Step 1
hostname(config)# tunnel-group_tunnel-group-name general-attributeshostname(config-tunnel-general)#The prompt changes to indicate that you are now in config-general mode, in which you configure the tunnel-group general attributes.
For example, for the connection profile named docs, enter the following command:
hostname(config)# tunnel-group_docs general-attributeshostname(config-tunnel-general)#Step 2
hostname(config-tunnel-general)# accounting-server-group groupnamehostname(config-tunnel-general)#For example, the following command specifies the use of the accounting-server group acctgserv1:
hostname(config-tunnel-general)# accounting-server-group acctgserv1hostname(config-tunnel-general)#Step 3
hostname(config-tunnel-general)# default-group-policy policynamehostname(config-tunnel-general)#For example, the following command specifies that the name of the default group policy is MyPolicy:
hostname(config-tunnel-general)# default-group-policy MyPolicyhostname(config-tunnel-general)#
Configuring LAN-to-LAN IPSec Attributes
To configure the IPSec attributes, do the following steps:
Step 1
hostname(config)# tunnel-group tunnel-group-name ipsec-attributeshostname(config-tunnel-ipsec)#For example, the following command enters config-ipsec mode so you can configure the parameters for the connection profile named TG1:
hostname(config)# tunnel-group TG1 ipsec-attributeshostname(config-tunnel-ipsec)#The prompt changes to indicate that you are now in tunnel-group ipsec-attributes configuration mode.
Step 2
hostname(config-tunnel-ipsec)# pre-shared-key keyhostname(config-tunnel-ipsec)#For example, the following command specifies the preshared key XYZX to support IKE connections for an IPSec LAN-to-LAN connection profile:
hostname(config-tunnel-ipsec)# pre-shared-key xyzxhostname(config-tunnel-general)#Step 3
hostname(config-tunnel-ipsec)# peer-id-validate optionhostname(config-tunnel-ipsec)#The available options are req (required), cert (if supported by certificate), and nocheck (do not check). The default is req. For example, the following command sets the peer-id-validate option to nocheck:
hostname(config-tunnel-ipsec)# peer-id-validate nocheckhostname(config-tunnel-ipsec)#Step 4
hostname(config-tunnel-ipsec)# chainhostname(config-tunnel-ipsec)#You can apply this attribute to all tunnel-group types.
Step 5
hostname(config-tunnel-ipsec)# trust-point trust-point-namehostname(config-tunnel-ipsec)#For example, the following command sets the trustpoint name to mytrustpoint:
hostname(config-tunnel-ipsec)# trust-point mytrustpointhostname(config-tunnel-ipsec)#You can apply this attribute to all tunnel-group types.
Step 6
hostname(config)# isakmp keepalive threshold <number> retry <number>hostname(config-tunnel-ipsec)#For example, the following command sets the ISAKMP keepalive threshold to 15 seconds and sets the retry interval to 10 seconds.:
hostname(config-tunnel-ipsec)# isakmp keepalive threshold 15 retry 10hostname(config-tunnel-ipsec)#The
