Table Of Contents
VPN
VPN Wizard
VPN Overview
VPN Tunnel Type
Remote Site Peer
IKE Policy
IPsec Rule
Hosts and Networks
Remote Access Client
VPN Client Authentication Method and Name
Client Authentication
New Authentication Server Group
User Accounts
Address Pool
Attributes Pushed to Client
IPsec Settings (Optional)
Summary
VPN
This chapter describes how to configure a basic VPN connection using the IPsec VPN wizard. It includes the following sections:
•
VPN Wizard
•VPN Tunnel Type
•Remote Site Peer
•IKE Policy
•IPsec Rule
•Hosts and Networks
•Remote Access Client
•VPN Client Authentication Method and Name
•Client Authentication
•New Authentication Server Group
•User Accounts
•Address Pool
•Attributes Pushed to Client
•IPsec Settings (Optional)
•Summary
The adaptive security appliance creates a virtual private network by creating a secure connection across a TCP/IP network (such as the Internet) that users see as a private connection. It can create single-user-to-LAN connections and LAN-to-LAN connections. The secure connection is called a tunnel, and the adaptive security appliance uses tunneling protocols to negotiate security parameters, create and manage tunnels, encapsulate packets, transmit or receive them through the tunnel, and unencapsulate them. The adaptive security appliance functions as a bidirectional tunnel endpoint: it can receive plain packets, encapsulate them, and send them to the other end of the tunnel, where they are unencapsulated and sent to their final destination. It can also receive encapsulated packets, unencapsulate them, and send them to their final destination.
The adaptive security appliance performs the following VPN functions:
•Establishes tunnels
•Negotiates tunnel parameters
•Enforces VPN policies
•Authenticates users
•Authorizes users for specific levels of use and access
•Performs accounting functions
•Assigns user addresses
•Encrypts and decrypts data
•Manages security keys
•Manages data transfer across the tunnel
•Manages data transfer inbound and outbound as a tunnel endpoint or router
The adaptive security appliance invokes various standard protocols to accomplish these functions
VPN Wizard
The VPN wizard lets you configure basic LAN-to-LAN and remote access VPN connections. Use ASDM to edit and configure advanced features.
Note The VPN wizard lets you assign either preshared keys or digital certificates for authentication. However, to use certificates, you must enroll with a certification authority and configure a trustpoint prior to using the wizard. Use the ASDM Device Administration > Certificate panes and online Help to accomplish these tasks.
VPN Overview
The adaptive security appliance creates a Virtual Private Network by creating a secure connection across a TCP/IP network (such as the Internet) that users see as a private connection. It can create single-user-to-LAN connections and LAN-to-LAN connections.
For LAN-to-LAN connections using both IPv4 and IPv6 addressing, the security appliance supports VPN tunnels if both peers are Cisco ASA 5500 series security appliances, and if both inside networks have matching addressing schemes (both IPv4 or both IPv6). This is also true if both peer inside networks are IPv6 and the outside network is IPv6.
The secure connection is called a tunnel, and the adaptive security appliance uses tunneling protocols to negotiate security parameters, create and manage tunnels, encapsulate packets, transmit or receive them through the tunnel, and unencapsulate them. The adaptive security appliance functions as a bidirectional tunnel endpoint: it can receive plain packets, encapsulate them, and send them to the other end of the tunnel where they are unencapsulated and sent to their final destination. It can also receive encapsulated packets, unencapsulate them, and send them to their final destination.
The adaptive security appliance performs the following functions:
•Establishes tunnels
•Negotiates tunnel parameters
•Authenticates users
•Assigns user addresses
•Encrypts and decrypts data
•Manages security keys
•Manages data transfer across the tunnel
•Manages data transfer inbound and outbound as a tunnel endpoint or router
VPN Tunnel Type
Use the VPN Tunnel Type pane to select the type of VPN tunnel to define, remote access or LAN-to-LAN, and to identify the interface that connects to the remote IPsec peer.
Fields
•Site-to-Site—Click to create a LAN-to-LAN VPN configuration. Use between two IPsec security gateways, which can include adaptive security appliances, VPN concentrators, or other devices that support site-to-site IPsec connectivity. When you select this option, the VPN wizard displays a series of panes that let you to enter the attributes a site-to-site VPN requires.
The adaptive security appliance supports LAN-to-LAN VPN connections to Cisco or third-party peers when the two peers have IPv4 inside and outside networks (IPv4 addresses on the inside and outside interfaces).
For LAN-to-LAN connections using mixed IPv4 and IPv6 addressing, or all IPv6 addressing, the security appliance supports VPN tunnels if both peers are Cisco ASA 5500 series security appliances, and if both inside networks have matching addressing schemes (both IPv4 or both IPv6).
Specifically, the following topologies are supported when both peers are Cisco ASA 5500 series adaptive security appliances:
–The adaptive security appliances have IPv4 inside networks and the outside network is IPv6 (IPv4 addresses on the inside interfaces and IPv6 addresses on the outside interfaces).
–The adaptive security appliances have IPv6 inside networks and the outside network is IPv4 (IPv6 addresses on the inside interface and IPv4 addresses on the outside interfaces).
–The adaptive security appliances have IPv6 inside networks and the outside network is IPv6 (IPv6 addresses on the inside and outside interfaces).
•Remote Access—Click to create a configuration that achieves secure remote access for VPN clients, such as mobile users. This option lets remote users securely access centralized network resources. When you select this option, the VPN wizard displays a series of panes that let you enter the attributes a remote access VPN requires.
•VPN Tunnel Interface—Choose the interface that establishes a secure tunnel with the remote IPsec peer. If the adaptive security appliance has multiple interfaces, you need to plan the VPN configuration before running this wizard, identifying the interface to use for each remote IPsec peer with which you plan to establish a secure connection.
•Enable inbound IPsec sessions to bypass interface access lists—Enable IPsec authenticated inbound sessions to always be permitted through the security appliance (that is, without a check of the interface access-list statements). Be aware that the inbound sessions bypass only the interface ACLs. Configured group-policy, user, and downloaded ACLs still apply.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode
|
Security Context
|
Routed
|
Transparent
|
Single
|
Multiple
|
Context
|
System
|
•
|
—
|
•
|
—
|
—
|
Remote Site Peer
Use the Remote Site Peer pane for the following tasks:
1. Providing the IP address of the remote IPsec peer that terminates this VPN tunnel.
2. Selecting and configuring an authentication method.
3. Creating a connection policy (tunnel group).
Fields
•Peer IP Address—Type the IP address of the remote IPsec peer that terminates the VPN tunnel. The peer might be another adaptive security appliance, a VPN concentrator, or any other gateway device that supports IPsec.
•Authentication Method—The remote site peer authenticates either with a preshared key or a certificate.
–Pre-shared Key—Click to use a preshared key for authentication between the local adaptive security appliance and the remote IPsec peer.
Using a preshared key is a quick and easy way to set up communication with a limited number of remote peers and a stable network. It may cause scalability problems in a large network because each IPsec peer requires configuration information for each peer with which it establishes secure connections.
Each pair of IPsec peers must exchange preshared keys to establish secure tunnels. Use a secure method to exchange the preshared key with the administrator of the remote site.
–Pre-shared Key—Type the preshared key. Maximum 127 characters.
–Certificate—Click to use certificates for authentication between the local adaptive security appliance and the remote IPsec peer. To complete this section, you must have previously enrolled with a CA and downloaded one or more certificates to the adaptive security appliance.
Digital certificates are an efficient way to manage the security keys used to establish an IPsec tunnel. A digital certificate contains information that identifies a user or device, such as a name, serial number, company, department or IP address. A digital certificate also contains a copy of the public key.
To use digital certificates, each peer enrolls with a certification authority (CA), which is responsible for issuing digital certificates. A CA can be a trusted vendor or a private CA that you establish within an organization.
When two peers want to communicate, they exchange certificates and digitally sign data to authenticate each other. When you add a new peer to the network, it enrolls with a CA, and none of the other peers require additional configuration.
–Certificate Signing Algorithm—Displays the algorithm for signing digital certificates, rsa-sig for RSA.
–Certificate Name—Choose the name that identifies the certificate the adaptive security appliance sends to the remote peer. This list displays trustpoints with a certificate of the type previously selected in the certificate signing algorithm list.
–Challenge/response authentication (CRACK)—Provides strong mutual authentication when the client authenticates using a popular method such as RADIUS and the server uses public key authentication. The security appliance supports CRACK as an IKE option in order to authenticate the Nokia VPN Client on Nokia 92xx Communicator Series devices.
• Tunnel Group Name—Type a name to create the record that contains tunnel connection policies for this IPsec connection. A connection policy can specify authentication, authorization, and accounting servers, a default group policy, and IKE attributes. A policy that you configure with this VPN wizard specifies an authentication method, and uses the adaptive security appliance Default Group Policy.
By default, ASDM populates this field with the value of the Peer IP address. You can change this name. Maximum 64 characters.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode
|
Security Context
|
Routed
|
Transparent
|
Single
|
Multiple
|
Context
|
System
|
•
|
—
|
•
|
—
|
—
|
IKE Policy
IKE, also called Internet Security Association and Key Management Protocol (ISAKMP), is the negotiation protocol that lets two hosts agree on how to build an IPsec Security Association. Each IKE negotiation is divided into two sections called Phase1 and Phase 2.
•Phase 1 creates the first tunnel, which protects later IKE negotiation messages.
•Phase 2 creates the tunnel that protects data.
Use the IKE Policy pane to set the terms of the Phase 1 IKE negotiations, which include the following:
•An encryption method to protect the data and ensure privacy.
•An authentication method to ensure the identity of the peers.
•A Diffie-Hellman group to establish the strength of the of the encryption-key-determination algorithm. The adaptive security appliance uses this algorithm to derive the encryption and hash keys.
Fields
•Encryption—Select the symmetric encryption algorithm the adaptive security appliance uses to establish the Phase 1 SA that protects Phase 2 negotiations. The adaptive security appliance supports the following encryption algorithms:
Algorithm
|
Explanation
|
DES
|
Data Encryption Standard. Uses a 56-bit key.
|
3DES
|
Triple DES. Performs encryption three times using a 56-bit key.
|
AES-128
|
Advanced Encryption Standard. Uses a 128-bit key.
|
AES-192
|
AES using a 192-bit key.
|
AES-256
|
AES using a 256-bit key
|
The default, 3DES, is more secure than DES but requires more processing for encryption and decryption. Similarly, the AES options provide increased security, but also require increased processing.
•Authentication—Choose the hash algorithm used for authentication and ensuring data integrity. The default is SHA. MD5 has a smaller digest and is considered to be slightly faster than SHA. There has been a demonstrated successful (but extremely difficult) attack against MD5. However, the Keyed-Hash Message Authentication Code (HMAC) version used by the adaptive security appliance prevents this attack.
•Diffie-Hellman Group—Choose the Diffie-Hellman group identifier, which the two IPsec peers use to derive a shared secret without transmitting it to each other. The default, Group 2 (1024-bit Diffie-Hellman), requires less CPU time to execute but is less secure than Group 5 (1536-bit).
Note The default value for the VPN 3000 Series Concentrator is MD5. A connection between the adaptive security appliance and the VPN Concentrator requires that the authentication method for Phase I and II IKE negotiations be the same on both sides of the connection.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode
|
Security Context
|
Routed
|
Transparent
|
Single
|
Multiple
|
Context
|
System
|
•
|
—
|
•
|
—
|
—
|
IPsec Rule
Use this IPsec Rule pane to select the encryption and authentication methods to use for Phase 2 IKE negotiations, which create the secure VPN tunnel. These values must be exactly the same for both peers.
Fields
•Encryption—Choose the symmetric encryption algorithm the adaptive security appliance uses to establish the VPN tunnel. The adaptive security appliance uses encryption to protect the data that travels across the tunnel and ensure privacy. Valid encryption methods include the following:
Encryption Method
|
Explanation
|
DES
|
Data Encryption Standard. Uses a 56-bit key.
|
3DES
|
Triple DES. Encrypts three times using a 56-bit key.
|
AES-128
|
Advanced Encryption Standard. Uses a 128-bit key.
|
AES-192
|
AES using a 192-bit key.
|
AES-256
|
AES using a 256-bit key
|
The default, 3DES, is more secure than DES but requires more processing for encryption and decryption. Similarly, the AES options provide increased security, but also require increased processing.
•Authentication—Choose the hash algorithm used for authentication and ensuring data integrity. The default is SHA. MD5 has a smaller digest and is considered to be slightly faster than SHA. There has been a demonstrated successful (but extremely difficult) attack against MD5. However, the Keyed-Hash Message Authentication Code (HMAC) version used by the adaptive security appliance prevents this attack.
Note The default value for the VPN 3000 Series Concentrator is MD5. A connection between the adaptive security appliance and the VPN Concentrator requires that the authentication method for Phase I and Phase II IKE negotiations be the same on both sides of the connection.
•Enable Perfect Forwarding Secrecy (PFS)—Specify whether to use Perfect Forward Secrecy, and the size of the numbers to use, in generating Phase 2 IPsec keys. PFS is a cryptographic concept where each new key is unrelated to any previous key. In IPsec negotiations, Phase 2 keys are based on Phase 1 keys unless PFS is enabled. PFS uses Diffie-Hellman techniques to generate the keys.
PFS ensures that a session key derived from a set of long-term public and private keys is not compromised if one of the private keys is compromised in the future.
PFS must be enabled on both sides of the connection.
–Diffie-Hellman Group—Select the Diffie-Hellman group identifier, which the two IPsec peers use to derive a shared secret without transmitting it to each other. The default, Group 2 (1024-bit Diffie-Hellman), requires less CPU time to execute but is less secure than Group 5 (1536-bit).
Modes
The following table shows the modes in which this feature is available:
Firewall Mode
|
Security Context
|
Routed
|
Transparent
|
Single
|
Multiple
|
Context
|
System
|
•
|
—
|
•
|
—
|
—
|
Hosts and Networks
Use the Hosts and Networks pane to identify local and remote hosts and networks that can use this LAN-to-LAN IPsec tunnel to send and receive data.
For IPsec to succeed, both peers in the LAN-to-LAN connection must have compatible entries for hosts and networks. The hosts and networks you configure as Local Hosts and Networks in this pane must be configured as Remote Hosts and Networks on the device at the remote site for the LAN-to-LAN connection. The local adaptive security appliance and the remote device must have at least one transform set in common for this LAN-to-LAN connection.
The security appliance supports IPv6 for IKEv1 IPsec LAN-to-LAN VPN connections, including support for both inside and outside networks using the inner and outer IP headers.
Fields
•Network Type—Choose IPv4 or IPv6.
•Local networks—Select the local hosts and networks.
•Remote networks—Select the remote hosts and networks.
•Exempt ASA side host/network from address translation—Allows traffic to pass through the security appliance without address translation.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode
|
Security Context
|
Routed
|
Transparent
|
Single
|
Multiple
|
Context
|
System
|
•
|
—
|
•
|
—
|
—
|
Remote Access Client
Use the Remote Access Client pane to identify the type of remote access users this connection serves.
Fields
•Cisco VPN Client Version 3.x or higher, or other Easy VPN Remote product—Click for IPsec connections, including compatible software and hardware clients other than those named here.
•Microsoft Windows client using L2TP over IPsec—Click to enable connections from Microsoft Windows and Microsoft Windows Mobile clients over a public IP network. L2TP uses PPP over UDP (port 1701) to tunnel the data. Enable one or more of the following PPP authentication protocols:
–PAP—Passes cleartext username and password during authentication and is not secure.
–CHAP—In response to the server challenge, the client returns the encrypted [challenge plus password] with a cleartext username. This protocol is more secure than the PAP, but it does not encrypt data.
–MS-CHAP, Version 1—Similar to CHAP but more secure in that the server stores and compares only encrypted passwords rather than cleartext passwords as in CHAP.
–MS-CHAP, Version 2—Contains security enhancements over MS-CHAP, Version 1.
–EAP-Proxy—Enables EAP which permits the adaptive security appliance to proxy the PPP authentication process to an external RADIUS authentication server.
•Client will send the tunnel group name as username@tunnelgroup—Check to enable the adaptive security appliance to associate different users that are establishing L2TP over IPsec connections with different connection policies. Since each connection policy has its own AAA server group and IP address pools, users can authenticate through methods specific to their policy.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode
|
Security Context
|
Routed
|
Transparent
|
Single
|
Multiple
|
Context
|
System
|
•
|
—
|
•
|
—
|
—
|
VPN Client Authentication Method and Name
Use the VPN Client Authentication Method and Name pane to configure an authentication method and create a connection policy (tunnel group).
Fields
•Authentication Method—The remote site peer authenticates either with a preshared key or a certificate.
–Pre-shared Key—Click to use a preshared key for authentication between the local adaptive security appliance and the remote IPsec peer.
Using a preshared key is a quick and easy way to set up communication with a limited number of remote peers and a stable network. It may cause scalability problems in a large network because each IPsec peer requires configuration information for each peer with which it establishes secure connections.
Each pair of IPsec peers must exchange preshared keys to establish secure tunnels. Use a secure method to exchange the preshared key with the administrator of the remote site.
–Pre-shared Key—Type the preshared key.
–Certificate—Click to use certificates for authentication between the local adaptive security appliance and the remote IPsec peer. To complete this section, you must have previously enrolled with a CA and downloaded one or more certificates to the adaptive security appliance.
Digital certificates are an efficient way to manage the security keys used to establish an IPsec tunnel. A digital certificate contains information that identifies a user or device, such as a name, serial number, company, department or IP address. A digital certificate also contains a copy of the public key.
To use digital certificates, each peer enrolls with a certification authority (CA), which is responsible for issuing digital certificates. A CA can be a trusted vendor or a private CA that you establish within an organization.
When two peers want to communicate, they exchange certificates and digitally sign data to authenticate each other. When you add a new peer to the network, it enrolls with a CA, and none of the other peers require additional configuration.
–Certificate Name—Choose the name that identifies the certificate the adaptive security appliance sends to the remote peer.
–Certificate Signing Algorithm—Displays the algorithm for signing digital certificates, rsa-sig for RSA.
–Challenge/response authentication (CRACK)—Provides strong mutual authentication when the client authenticates using a popular method such as RADIUS and the server uses public key authentication. The security appliance supports CRACK as an IKE option in order to authenticate the Nokia VPN Client on Nokia 92xx Communicator Series devices.
• Name—Type a name to create the record that contains tunnel connection policies for this IPsec connection. A connection policy can specify authentication, authorization, and accounting servers, a default group policy, and IKE attributes. A connection policy that you configure with this VPN wizard specifies an authentication method, and uses the adaptive security appliance Default Group Policy.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode
|
Security Context
|
Routed
|
Transparent
|
Single
|
Multiple
|
Context
|
System
|
•
|
—
|
•
|
—
|
—
|
Client Authentication
Use the Client Authentication pane to select the method by which the adaptive security appliance authenticates remote users.
Fields
Select one of the following options:
•Authenticate using the local user database—Click to use authentication internal to the adaptive security appliance. Use this method for environments with a small, stable number of users. The next pane lets you create accounts on the adaptive security appliance for individual users.
•Authenticate using an AAA server group—Click to use an external server group for remote user authentication.
•AAA Server Group Name—Choose a AAA server group configured previously.
•New ...—Click to configure a new AAA server group.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode
|
Security Context
|
Routed
|
Transparent
|
Single
|
Multiple
|
Context
|
System
|
•
|
—
|
•
|
—
|
—
|
New Authentication Server Group
User the New Authentication Server Group pane to define one or more new AAA servers.
Fields
To configure a new AAA server group that contains just one server, provide the following information:
•Server Group Name—Type a name for the server group. You associate this name with users whom you want to authenticate using this server.
•Authentication Protocol—Select the authentication protocol the server uses. Options include TACACS+, RADIUS, SDI, NT, and Kerberos.
•Server IP Address—Type the IP address for the AAA server.
•Interface—Choose the adaptive security appliance interface on which the AAA server resides.
•Server Secret Key—Type a case-sensitive, alphanumeric keyword of up to 127 characters. The server and adaptive security appliance use the key to encrypt data that travels between them. The key must be the same on both the adaptive security appliance and server. You can use special characters, but not spaces.
•Confirm Server Secret Key—Type the secret key again.
To add more servers to this new group, or to change other AAA server settings, go to Configuration > Features > Properties > AAA.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode
|
Security Context
|
Routed
|
Transparent
|
Single
|
Multiple
|
Context
|
System
|
•
|
—
|
•
|
—
|
—
|
User Accounts
Use the User Accounts pane to add new users to the adaptive security appliance internal user database for authentication purposes.
Fields
Provide the following information:
•Use the fields in this section to add a user.
–Username—Enter the username.
–Password—(Optional) Enter a password.
–Confirm Password—(Optional) Reenter the password.
•Change user password—Check to change the user password.
•User authentication using MSCHAP—Check to use MS-CHAP for user authentication.
•Add—Click to add a user to the database after you have entered the username and optional password.
•Edit—Click to edit a user that you have added to the database.
•Access Restriction—Choose one of the following options:
–Full access (ASDM, SSH, Telnet, and console)
Privilege Level—Choose the correct one from the drop-down list. Administrators are usually assigned 15, the highest available.
–CLI login prompt for SSH, Telnet, and console (no ASDM access)
–No ASDM, SSH, Telnet, or console access
•Delete—To remove a user from the database, highlight the appropriate username and click Delete.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode
|
Security Context
|
Routed
|
Transparent
|
Single
|
Multiple
|
Context
|
System
|
•
|
—
|
•
|
—
|
—
|
Address Pool
Use the Address Pool pane to configure a pool of local IP addresses that the adaptive security appliance assigns to remote VPN clients.
Fields
• Name—Displays the name of the connection policy to which the address pool applies. You set this name in the VPN Client Name and Authentication Method pane.
•Pool Name—Select a descriptive identifier for the address pool.
•New...—Click to configure a new address pool.
•Range Start Address—Type the starting IP address in the address pool.
•Range End Address—Type the ending IP address in the address pool.
•Subnet Mask—(Optional) Choose the subnet mask for these IP addresses
Modes
The following table shows the modes in which this feature is available:
Firewall Mode
|
Security Context
|
Routed
|
Transparent
|
Single
|
Multiple
|
Context
|
System
|
•
|
—
|
•
|
—
|
—
|
Attributes Pushed to Client
Use the Attributes Pushed to Client (Optional) pane to have the adaptive security appliance pass information about DNS and WINS servers and the default domain name to remote access clients.
Fields
Provide information for remote access clients to use.
•Tunnel Group—Displays the name of the connection policy to which the address pool applies. You set this name in the VPN Client Name and Authentication Method pane.
•Primary DNS Server—Type the IP address of the primary DNS server.
•Secondary DNS Server—Type the IP address of the secondary DNS server.
•Primary WINS Server—Type the IP address of the primary WINS server.
•Secondary WINS Server— Type the IP address of the secondary WINS server.
•Default Domain Name—Type the default domain name.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode
|
Security Context
|
Routed
|
Transparent
|
Single
|
Multiple
|
Context
|
System
|
•
|
—
|
•
|
—
|
—
|
IPsec Settings (Optional)
Use the IPsec Settings (Optional) pane to identify local hosts/networks which do not require address translation. By default, the adaptive security appliance hides the real IP addresses of internal hosts and networks from outside hosts by using dynamic or static Network Address Translation (NAT). NAT minimizes risks of attack by untrusted outside hosts, but may be improper for those who have been authenticated and protected by VPN.
For example, an inside host using dynamic NAT has its IP address translated by matching it to a randomly selected address from a pool. Only the translated address is visible to the outside. Remote VPN clients that attempt to reach these hosts by sending data to their real IP addresses cannot connect to these hosts, unless you configure a NAT exemption rule.
Note If you want all hosts and networks to be exempt from NAT, configure nothing on this pane. If you have even one entry, all other hosts and networks are subject to NAT.
Fields
•Host/Network to Be Added—Complete these fields to exempt a particular host or network from NAT.
–Interface—Select the name of the interface that connects to the hosts or networks you have selected.
–IP address—Select the IP address of the host or network. Either type the IP address or click the adjacent ... button to view a diagram of the network and select a host or network.
•Add—Click to add the host or network the Selected Hosts/Networks list after you have completed the applicable fields.
•Selected Hosts/Networks—Displays the hosts and networks that are exempt from NAT. If you want all hosts and networks to be exempt from NAT, leave this list empty.
•Enable split tunneling—Select to have traffic from remote access clients destined for the public Internet sent unencrypted. Split tunneling causes traffic for protected networks to be encrypted, while traffic to unprotected networks is unencrypted. When you enable split tunneling, the adaptive security appliance pushes a list of IP addresses to the remote VPN client after authentication. The remote VPN client encrypts traffic to the IP addresses that are behind the adaptive security appliance. All other traffic travels unencrypted directly to the Internet without involving the adaptive security appliance.
•Enable Perfect Forwarding Secrecy (PFS)—Specify whether to use Perfect Forward Secrecy, and the size of the numbers to use, in generating Phase 2 IPsec keys. PFS is a cryptographic concept where each new key is unrelated to any previous key. In IPsec negotiations, Phase 2 keys are based on Phase 1 keys unless PFS is enabled. PFS uses Diffie-Hellman techniques to generate the keys.
PFS ensures that a session key derived from a set of long-term public and private keys is not compromised if one of the private keys is compromised in the future.
PFS must be enabled on both sides of the connection.
–Diffie-Hellman Group—Select the Diffie-Hellman group identifier, which the two IPsec peers use to derive a shared secret without transmitting it to each other. The default, Group 2 (1024-bit Diffie-Hellman), requires less CPU time to execute but is less secure than Group 5 (1536-bit).
Modes
The following table shows the modes in which this feature is available:
Firewall Mode
|
Security Context
|
Routed
|
Transparent
|
Single
|
Multiple
|
Context
|
System
|
•
|
—
|
•
|
—
|
—
|
Summary
The Summary pane displays all of the attributes of this VPN LAN-to-LAN connection as configured.
Fields
Back—To make changes, click Back until you reach the appropriate pane.
Finish—When you are satisfied with the configuration, click Finish. ASDM saves the LAN-to-LAN configuration. After you click Finish, you can no longer use the VPN wizard to make changes to this configuration. Use ASDM to edit and configure advanced features.
Cancel—To remove the configuration, click Cancel.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode
|
Security Context
|
Routed
|
Transparent
|
Single
|
Multiple
|
Context
|
System
|
•
|
—
|
•
|
—
|
—
|
Feedback
