Remote access VPNs allow users to connect to
a central site through a secure connection over a TCP/IP network. The Internet
Security Association and Key Management Protocol (ISAKMP), which the ASA
configuration also refers to as IKE (in the IKEv1 sense), is the negotiation
protocol that lets the IPsec client on the remote PC and the ASA agree on how to
build an IPsec Security Association. Each ISAKMP negotiation is divided into two
phases, Phase 1 and Phase 2.
Phase 1 creates the first tunnel (the IKE SA), which protects later ISAKMP
negotiation messages. Phase 2 creates the tunnel (the IPsec SA) that protects
data traveling across the secure connection.
To set the terms of the ISAKMP negotiations, you create an
ISAKMP policy. It includes the following:
An authentication method, to verify the identity of the peers.
An encryption method, to protect the data and ensure privacy.
A hashed message authentication code (HMAC) method, to verify the identity of
the sender and to ensure that the message has not been modified.
A Diffie-Hellman group, which sets the strength of the key exchange from which
the session keys are derived (larger groups give stronger keys).
A time limit for how long the ASA uses an encryption key before
A transform set combines an
encryption method and an authentication method. During the IPsec security
association negotiation with ISAKMP, the peers agree to use a particular
transform set to protect a particular data flow. Both peers must be configured
with a matching transform set, or the negotiation fails.
A transform set protects the data flows for the ACL specified in
the associated crypto map entry. You can create transform sets in the ASA
configuration, and then specify a maximum of 11 of them in a crypto map or
dynamic crypto map entry. For more overview information, including a table that
lists valid encryption and authentication methods, see
Create an IKEv1 Transform Set or IKEv2 Proposal.
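The following ASA CLI fragment is an added example, not configuration from the Cisco guide, that ties the pieces above together: a Phase 1 IKEv1 policy, a Phase 2 transform set, and the dynamic crypto map that applies the transform set to remote-access peers whose addresses are not known in advance. The names RA_TS, RA_DYN, OUTSIDE_MAP, RA_TG, the interface name outside and the pre-shared key are placeholders chosen for this example; the cipher and group keywords assume a 9.x release that supports them for IKEv1 (check them against the table referenced above before use).

```cisco
! --- Phase 1: ISAKMP (IKEv1) policy; lower sequence numbers are tried first ---
! Weak settings still accepted by many legacy clients; do not configure them:
!   encryption 3des / hash md5 / group 2
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
!
! Accept IKEv1 negotiations on the interface that faces the remote clients
crypto ikev1 enable outside
!
! --- Phase 2: transform set = encryption method + HMAC method for the IPsec SA ---
! The client must offer a transform set that matches this one.
crypto ipsec ikev1 transform-set RA_TS esp-aes-256 esp-sha-hmac
!
! Remote-access peers have unknown source addresses, so the transform set is
! attached to a dynamic crypto map rather than to a static crypto map entry
crypto dynamic-map RA_DYN 10 set ikev1 transform-set RA_TS
crypto dynamic-map RA_DYN 10 set reverse-route
!
! Bind the dynamic map to the highest sequence number of the interface's
! crypto map so that any static (site-to-site) entries are matched first
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic RA_DYN
crypto map OUTSIDE_MAP interface outside
!
! Connection profile supplying the pre-shared key used by the Phase 1
! authentication method (placeholder value; use a long random secret)
tunnel-group RA_TG type remote-access
tunnel-group RA_TG ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-A-LONG-RANDOM-SECRET
!
! Verification after a client connects: the Phase 1 and Phase 2 SAs actually
! negotiated, including which policy and transform set were agreed on
! show crypto ikev1 sa
! show crypto ipsec sa
```

Because the ASA walks its IKEv1 policies in sequence-number order and accepts the first one the client also proposes, leaving a weaker policy in the configuration "just in case" lets a downgraded client negotiate it; remove legacy policies rather than ordering them after the strong one.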
You can configure the ASA to assign an IPv4 address, an IPv6
address, or both an IPv4 and an IPv6 address to an AnyConnect client by
creating internal pools of addresses on the ASA or by assigning a dedicated
address to a local user on the ASA.
The endpoint must have a dual-stack protocol implementation in
its operating system to be assigned both types of addresses. In both scenarios,
when no IPv6 addresses are left but IPv4 addresses are available, or when no
IPv4 addresses are left but IPv6 addresses are available, the connection still
succeeds with only the address family that was available. The client is not
notified, however, so the administrator must look through the ASA logs for the
details.
Assigning an IPv6 address to the client is supported for the SSL
protocol. This feature is not supported for the IKEv2/IPsec protocol.
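The following ASA CLI fragment is an added example, not configuration from the Cisco guide, showing both assignment methods described above: IPv4 and IPv6 pools attached to a group policy, and dedicated addresses on a local user. The pool, group-policy, tunnel-group and user names, the address ranges (taken from documentation prefixes) and the placeholder password are assumptions for this example; the commands are those of ASA 9.x, and the availability of a per-user IPv6 address depends on the release, so confirm it against the command reference.

```cisco
! IPv4 and IPv6 address pools (constructed example ranges)
ip local pool RA_POOL4 10.10.10.10-10.10.10.100 mask 255.255.255.0
ipv6 local pool RA_POOL6 2001:db8:10::10/64 91
!
! Group policy that hands out both families. IPv6 assignment is only made
! for SSL connections, so the tunnel protocol is restricted to ssl-client;
! adding ikev2 here would not give an IPsec client an IPv6 address.
group-policy RA_GP internal
group-policy RA_GP attributes
 vpn-tunnel-protocol ssl-client
 address-pools value RA_POOL4
 ipv6-address-pools value RA_POOL6
!
! Connection profile used by the AnyConnect clients
tunnel-group RA_TG type remote-access
tunnel-group RA_TG general-attributes
 default-group-policy RA_GP
!
! Dedicated addresses on a local user take precedence over the pools
! (placeholder password; real deployments authenticate against AAA)
username alice password REPLACE-ME
username alice attributes
 vpn-framed-ip-address 10.10.10.200 255.255.255.0
 vpn-framed-ipv6-address 2001:db8:10::200/64
!
! Verification: which address(es) each session actually received, and how
! many addresses each pool has left
! show vpn-sessiondb anyconnect
! show ip local pool RA_POOL4
! show ipv6 local pool RA_POOL6
!
! A client that received only one family still connected without any
! notification; the address-assignment (IPAA) syslog messages on the ASA are
! where the exhausted pool shows up
! show logging | include IPAA
```

Sizing the IPv6 pool to at least the IPv4 pool (here 91 addresses, matching 10.10.10.10 through 10.10.10.100) avoids the silent single-family fallback, since a dual-stack client that silently loses its IPv6 address will route IPv6 traffic outside the tunnel or fail to reach IPv6-only resources without any indication on the client side.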