Table Of Contents
VPN Global Settings
VPN Global Settings
VPN Global Settings: IKE
VPN Global Settings: IPSec
VPN Global Settings: Easy VPN Server
VPN Key Encryption Settings
VPN Global Settings
These help topics describe the VPN Global Settings windows.
VPN Global Settings
This window displays the VPN global settings for the router.
Field Reference
Table 16-1 describes the fields in this screen.
Table 16-1 VPN Global Settings Fields
Edit Button
Click the Edit button to add or change VPN global settings.
Enable IKE
The value is True if IKE is enabled; it is False if IKE is disabled.
Note If IKE is disabled, VPN configurations will not operate. You can click Edit and enable IKE in the IKE tab of the VPN Global Settings screen.
Enable Aggressive Mode
The value is True if Aggressive Mode is enabled; it is False if Aggressive Mode is disabled. The Aggressive Mode feature allows you to specify RADIUS tunnel attributes for an IPSec peer and to initiate an IKE aggressive mode negotiation with the tunnel attributes.
XAuth Timeout
The number of seconds the router waits for a system to respond to the XAuth challenge.
IKE Identity
Either the host name of the router or the IP address that the router uses to identify itself in IKE negotiations.
Dead Peer Detection
Dead Peer Detection (DPD) enables a router to detect a dead peer and, if detected, delete the IPSec and IKE security associations with that peer. If DPD is enabled, the following additional information is displayed:
• IKE Keepalive (Sec)—The number of seconds that the router waits between sending IKE keepalive (DPD) messages to a peer.
• IKE Retry (Sec)—The number of seconds that the router waits before retransmitting a DPD message that the peer has not answered. The default is 2 seconds.
• DPD Type—Either On Demand or Periodic. If set to On Demand, DPD messages are sent on the basis of traffic patterns. For example, if a router has to send outbound traffic and the liveliness of the peer is questionable, the router sends a DPD message to query the status of the peer. If a router has no traffic to send, it never sends a DPD message.
If set to Periodic, the router sends DPD messages at the interval specified by the IKE Keepalive value.
IPSec Security Association (SA) Lifetime (Sec)
The amount of time after which IPSec security associations (SAs) expire and are regenerated. The default is 3600 seconds (1 hour).
IPSec Security Association (SA) Lifetime (Kilobytes)
The number of kilobytes that the router can send over the VPN connection before the IPSec SA expires. When both lifetimes are configured, the SA is renewed as soon as either one is reached, whichever comes first.
Syslog Messages for Easy VPN Connections
This field can have the following values:
• Enabled—Syslog messages are enabled for all Easy VPN connections.
• Enabled for groups name, name—Syslog messages are enabled for the groups listed.
• Disabled—Syslog messages are disabled.
VPN Global Settings: IKE
This window lets you specify global settings for IKE and IPSec.
Enable IKE
Leave this box checked if you want to use VPN.
Caution 
If IKE is disabled, VPN configurations will not work.
Enable Aggressive mode
The Aggressive Mode feature allows you to specify RADIUS tunnel attributes for an IPSec peer and to initiate an IKE aggressive mode negotiation with the tunnel attributes. Leave this box unchecked unless a peer requires aggressive mode: the aggressive mode exchange sends the peer identities before the negotiation is encrypted, and with pre-shared key authentication anyone who captures the exchange can attempt to recover the pre-shared key by offline guessing.
Identity (of this router)
This field specifies the way the router will identify itself. Select either IP address or host name.
XAuth Timeout
The number of seconds the router is to wait for a response from a system requiring XAuth authentication.
Enable Dead Peer Detection (DPD)
Dead Peer Detection (DPD) enables a router to detect a dead peer and, if detected, delete the IPSec and IKE security associations with that peer.
The Enable Dead Peer Detection checkbox is disabled when the Cisco IOS image that the router is using does not support DPD.
Keepalive
Specify the number of seconds that the router waits between sending IKE keepalive (DPD) messages to a peer. This is the IKE Keepalive value shown in the VPN Global Settings window.
Retry
Specify the number of seconds that the router waits before retransmitting a DPD message that a peer has not answered. The default value is 2 seconds.
DPD Type
Select On Demand or Periodic.
If set to On Demand, DPD messages are sent on the basis of traffic patterns. For example, if a router has to send outbound traffic and the liveliness of the peer is questionable, the router sends a DPD message to query the status of the peer. If a router has no traffic to send, it never sends a DPD message.
If set to Periodic, the router sends DPD messages at the interval specified by the IKE Keepalive value.
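The DPD behaviour described in the table above and in this section, simulated as an added example; this is not code from Cisco SDM or Cisco IOS. It runs one peer per DPD type with the default retry of 2 seconds. The retransmission limit MAX_RETRIES, the rule that a peer becomes "questionable" once nothing has been heard from it for a full keepalive interval, and the instant reply from a live peer are assumptions, because the page does not state them.

```python
"""Simulate IKE Dead Peer Detection in on-demand and periodic mode.

Added example; assumptions not stated on this page:
  * a peer is "questionable" once nothing has been received from it for a
    full keepalive interval (inbound data traffic is not modelled);
  * an unanswered DPD message is retransmitted every `retry` seconds and the
    SAs are deleted after MAX_RETRIES unanswered messages in a row;
  * a live peer answers in the same second it is queried.
"""
from dataclasses import dataclass, field
from typing import List, Optional

MAX_RETRIES = 5  # assumed retransmission limit; the page gives no count


@dataclass
class DpdPeer:
    keepalive: int = 10            # IKE Keepalive (Sec): idle time before a DPD message
    retry: int = 2                 # IKE Retry (Sec): spacing of retransmissions (default 2)
    mode: str = "on-demand"        # DPD Type: "on-demand" or "periodic"
    alive: bool = True             # does the simulated peer answer?
    last_rx: int = 0               # time of the last packet heard from the peer
    outstanding: int = 0           # unanswered DPD messages in a row
    next_send: Optional[int] = None          # when the next retransmission is due
    sent: List[int] = field(default_factory=list)  # times DPD messages were sent
    sa_deleted_at: Optional[int] = None      # when the IKE/IPsec SAs were torn down

    def _send_dpd(self, now: int) -> None:
        self.sent.append(now)
        if self.alive:                       # peer answers: reset the idle clock
            self.last_rx = now
            self.outstanding = 0
            self.next_send = None
            return
        self.outstanding += 1
        if self.outstanding >= MAX_RETRIES:  # give up: delete SAs with this peer
            self.sa_deleted_at = now
            self.next_send = None
        else:
            self.next_send = now + self.retry

    def tick(self, now: int, has_outbound_traffic: bool) -> None:
        """Advance the simulation by one second."""
        if self.sa_deleted_at is not None:
            return
        if self.outstanding:                 # a query is pending: only retransmit
            if self.next_send is not None and now >= self.next_send:
                self._send_dpd(now)
            return
        questionable = now - self.last_rx >= self.keepalive
        if self.mode == "periodic":
            if questionable:                 # send on the keepalive schedule
                self._send_dpd(now)
        elif questionable and has_outbound_traffic:
            self._send_dpd(now)              # on-demand: only when we need the peer


def simulate(mode: str, peer_alive: bool, traffic_at: List[int],
             horizon: int = 60, keepalive: int = 10, retry: int = 2) -> DpdPeer:
    """Run `horizon` seconds; `traffic_at` lists the seconds with outbound traffic."""
    peer = DpdPeer(keepalive=keepalive, retry=retry, mode=mode, alive=peer_alive)
    wants_to_send = set(traffic_at)
    for now in range(1, horizon + 1):
        peer.tick(now, now in wants_to_send)
    return peer


if __name__ == "__main__":
    for mode, alive, traffic in [("periodic", True, []), ("on-demand", True, [15]),
                                 ("on-demand", False, []), ("on-demand", False, [30])]:
        p = simulate(mode, alive, traffic)
        print(f"{mode:9} alive={alive!s:5} traffic={traffic}: sent at {p.sent}, "
              f"SAs deleted at {p.sa_deleted_at}")
```

The dead-peer, on-demand, no-traffic case is the one to notice: the SAs with a peer that has silently gone away stay in place indefinitely until the router has something to send, which is exactly the trade-off the DPD Type field expresses.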
VPN Global Settings: IPSec
Edit global IPSec settings in this window.
Authenticate and Generate new key after every
Check this box and specify the time interval at which the router should authenticate and generate a new key. If you do not specify a value, the router will authenticate and generate a new key every hour.
Generate new key after the current key encrypts a volume of
Check this box and specify the number of kilobytes that should be encrypted by the current key before the router authenticates and generates a new one. If you do not specify a value, the router will authenticate and generate a new key after the current key has encrypted 4,608,000 kilobytes. When both boxes are checked, the router generates a new key as soon as either limit is reached, whichever comes first.
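Which of the two limits actually triggers the rekey depends on the traffic rate. The following is an added example, not SDM or IOS code: it takes the defaults stated above (3600 seconds and 4,608,000 kilobytes) and computes which lifetime is reached first at a steady send rate, and it tracks one SA the way the rule "whichever comes first" implies. The 1024-byte kilobyte is an assumption.

```python
"""Which IPsec SA lifetime the router hits first at a given traffic rate.

Added example, not SDM or IOS code. The page states the defaults
(3600 seconds, 4,608,000 kilobytes) and that the SA is renewed when either
limit is reached; this computes which limit that is for a steady send rate.
Assumption: the volume counter uses 1024-byte kilobytes.
"""
from typing import Tuple

DEFAULT_LIFETIME_SECONDS = 3600
DEFAULT_LIFETIME_KB = 4_608_000
KB = 1024  # assumed size of one kilobyte in the volume counter


def mbps(megabits_per_second: float) -> float:
    """Convert a link rate in Mbit/s to bytes per second."""
    return megabits_per_second * 1_000_000 / 8


def seconds_to_volume_limit(bytes_per_second: float,
                            lifetime_kb: int = DEFAULT_LIFETIME_KB) -> float:
    """Time until the kilobyte lifetime is used up at a steady rate."""
    if bytes_per_second <= 0:
        return float("inf")      # an idle SA never reaches the volume limit
    return lifetime_kb * KB / bytes_per_second


def first_rekey_trigger(bytes_per_second: float,
                        lifetime_seconds: int = DEFAULT_LIFETIME_SECONDS,
                        lifetime_kb: int = DEFAULT_LIFETIME_KB) -> Tuple[str, float]:
    """Return ("seconds" | "kilobytes", seconds until the SA is renewed)."""
    t_volume = seconds_to_volume_limit(bytes_per_second, lifetime_kb)
    if t_volume < lifetime_seconds:
        return "kilobytes", t_volume
    return "seconds", float(lifetime_seconds)


class IpsecSa:
    """Track one SA the way the router does: rekey on the first limit reached."""

    def __init__(self, lifetime_seconds: int = DEFAULT_LIFETIME_SECONDS,
                 lifetime_kb: int = DEFAULT_LIFETIME_KB, created_at: float = 0.0):
        self.lifetime_seconds = lifetime_seconds
        self.limit_bytes = lifetime_kb * KB
        self.created_at = created_at
        self.bytes_sent = 0

    def account(self, now: float, nbytes: int) -> bool:
        """Charge `nbytes` sent at time `now`; True when the SA must be renewed."""
        self.bytes_sent += nbytes
        return (self.bytes_sent >= self.limit_bytes
                or now - self.created_at >= self.lifetime_seconds)


if __name__ == "__main__":
    for rate in (1, 10, 100, 1000):
        kind, t = first_rekey_trigger(mbps(rate))
        print(f"{rate:5} Mbit/s: {kind} lifetime triggers after {t:,.0f} s")
```

At 1 or 10 Mbit/s the one-hour timer wins; at 100 Mbit/s the volume limit is used up in about six minutes, so on a busy tunnel the kilobyte value, not the seconds value, sets the rekey rate and the load it puts on the router.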
VPN Global Settings: Easy VPN Server
Make global settings for Easy VPN server connections in this screen.
Field Reference
Table 16-2 describes the fields in this screen.
Table 16-2 VPN Global Settings: Easy VPN Server Fields
Common Pool
You can configure a common IP address pool for all clients to use. If a group does not have a specific pool, clients belonging to that group are allocated an IP address from this common pool.
Select a common pool—Select a pool name from this list. If no pools are configured, click Additional Tasks > Local Pools > Add, configure a pool in the displayed dialog, and then return to this screen and select it.
Enable Syslog messages
Check Enable Syslog messages to enable Syslog messages for client connections. You can specify the scope of this option with the following options:
• Enable Syslog messages for all client connections—Check this option to enable Syslog messages for all groups that connect to the Easy VPN server.
• Enable Syslog messages for the following groups—Check this option to enable Syslog messages for the groups that you specify. Then, enter the group names in the box, separating one group name from another with a comma. A sample set of entries follows:
WGP-1, WGP-2, ACCTG, CSVC
The router must use Cisco IOS 12.4(4)T or later for this part of the screen to be displayed.
VPN Key Encryption Settings
The VPN Key Encryption Settings window appears if the Cisco IOS image on your router supports Type 6 encryption, also referred to as VPN key encryption. You can use this window to specify a master key to use when encrypting VPN keys, such as pre-shared keys, Easy VPN keys, and XAuth keys. When encrypted, these keys are not readable by someone viewing the router's configuration file, for example in a backup or in a configuration pasted into a ticket. This protects the keys at rest in the configuration only; it does not limit what an administrator with privileged access to the running router can do with them.
Enable VPN Keys Encryption
Check to enable encryption of these keys.
Current Master Key
This field contains asterisks (*) when a master key has been configured.
New Master Key
Enter a new master key in this field. Master keys must be at least 8 characters long and can be as long as 128 characters. Record the master key somewhere safe: it is not written to the configuration file, and without it the encrypted VPN keys cannot be recovered and have to be re-entered.
Confirm Master Key
Reenter the master key in this field for confirmation. If the values in this field and in the New Master Key field do not match, Cisco SDM prompts you to reenter the key.
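How the fields on these screens map onto the router configuration, as an added example; this is not SDM's own generator. The IOS command names are the standard equivalents of these fields from general IOS knowledge rather than from this page. The validation applied is what the page states (master key between 8 and 128 characters with a matching confirmation, the two choices for identity and DPD type, the comma-separated group list); other input ranges are left unchecked, and the master key value itself is not rendered because IOS takes it at an interactive prompt.

```python
"""Validate the VPN global settings described on these screens and render the
equivalent Cisco IOS commands.

Added example, not SDM or IOS code. The command syntax is the IOS
equivalent of each SDM field (not shown on this page). The master key is
entered interactively with `key config-key password-encrypt`, so only the
command that turns Type 6 encryption on is rendered for it.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class VpnGlobalSettings:
    enable_ike: bool = True
    aggressive_mode: bool = False            # leave off unless a peer needs it
    identity: str = "address"                # "address" or "hostname"
    xauth_timeout: Optional[int] = None      # seconds; None keeps the router default
    dpd: bool = False
    keepalive: int = 10                      # IKE Keepalive (Sec)
    retry: int = 2                           # IKE Retry (Sec), default 2
    dpd_type: str = "on-demand"              # or "periodic"
    sa_lifetime_seconds: Optional[int] = 3600
    sa_lifetime_kb: Optional[int] = 4_608_000
    common_pool: Optional[str] = None        # Easy VPN common address pool name
    syslog_all: bool = False                 # Syslog for all Easy VPN connections
    syslog_groups: List[str] = field(default_factory=list)
    master_key: Optional[str] = None         # Type 6 master key
    master_key_confirm: Optional[str] = None


def parse_groups(text: str) -> List[str]:
    """Split the comma-separated group list typed into the Syslog box."""
    return [g.strip() for g in text.split(",") if g.strip()]


def validate(s: VpnGlobalSettings) -> List[str]:
    """Return the problems the screens reject; an empty list means valid."""
    errors = []
    if s.identity not in ("address", "hostname"):
        errors.append("identity must be address or hostname")
    if s.dpd_type not in ("on-demand", "periodic"):
        errors.append("DPD type must be on-demand or periodic")
    if s.master_key is not None:
        if not 8 <= len(s.master_key) <= 128:
            errors.append("master key must be 8 to 128 characters")
        if s.master_key != s.master_key_confirm:
            errors.append("master key confirmation does not match")
    return errors


def render(s: VpnGlobalSettings) -> List[str]:
    """Emit the IOS global configuration lines for the settings."""
    problems = validate(s)
    if problems:
        raise ValueError("; ".join(problems))
    lines = ["crypto isakmp enable" if s.enable_ike else "no crypto isakmp enable"]
    lines.append("no crypto isakmp aggressive-mode disable" if s.aggressive_mode
                 else "crypto isakmp aggressive-mode disable")
    lines.append(f"crypto isakmp identity {s.identity}")
    if s.xauth_timeout is not None:
        lines.append(f"crypto isakmp xauth timeout {s.xauth_timeout}")
    if s.dpd:
        lines.append(f"crypto isakmp keepalive {s.keepalive} {s.retry} {s.dpd_type}")
    if s.sa_lifetime_seconds is not None:
        lines.append(f"crypto ipsec security-association lifetime seconds {s.sa_lifetime_seconds}")
    if s.sa_lifetime_kb is not None:
        lines.append(f"crypto ipsec security-association lifetime kilobytes {s.sa_lifetime_kb}")
    if s.common_pool:
        lines.append(f"crypto isakmp client configuration address-pool local {s.common_pool}")
    if s.syslog_all:
        lines.append("crypto logging ezvpn")
    else:
        lines.extend(f"crypto logging ezvpn group {g}" for g in s.syslog_groups)
    if s.master_key is not None:
        # The key value goes to the 'key config-key password-encrypt' prompt
        # and never appears in the configuration; this line enables Type 6.
        lines.append("password encryption aes")
    return lines


if __name__ == "__main__":
    settings = VpnGlobalSettings(dpd=True, xauth_timeout=30, common_pool="EZVPN-POOL",
                                 syslog_groups=parse_groups("WGP-1, WGP-2, ACCTG, CSVC"),
                                 master_key="correct horse battery",
                                 master_key_confirm="correct horse battery")
    print("\n".join(render(settings)))
```

Reading the rendered lines back against `show running-config` is a quick way to confirm that the screens did what you expected, in particular that `crypto isakmp aggressive-mode disable` is present and that the pre-shared keys show up as Type 6 rather than in clear text.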