Cisco 5510 Getting Started Guide - Page 121
Enable Split Tunneling, Enable Perfect Forwarding Secrecy (Steps 2 to 5)
Chapter 9 Scenario: IPsec Remote-Access VPN Configuration
Implementing the IPsec Remote-Access VPN Scenario

Step 2 To enable split tunneling, check the Enable Split Tunneling check box. Split tunneling allows traffic destined for networks outside the configured (protected) networks to be sent directly to the Internet instead of over the encrypted VPN tunnel. Because the client then has an unprotected Internet path at the same time as a path into the protected network, leave split tunneling disabled unless you need it.

Step 3 To enable perfect forward secrecy (PFS), check the Enable Perfect Forwarding Secrecy check box. Enabling PFS also determines the size of the numbers (the Diffie-Hellman group) used to generate the Phase 2 IPsec keys. PFS is a cryptographic property under which each new key is unrelated to any previous key. In IPsec negotiations, Phase 2 keys are derived from the Phase 1 keying material unless PFS is enabled; with PFS, each Phase 2 security association runs its own Diffie-Hellman exchange to generate its keys. PFS ensures that a session key derived from a set of long-term public and private keys is not compromised if one of the private keys is compromised in the future.

Note PFS must be enabled on both sides of the connection.

Step 4 Select the Diffie-Hellman group identifier, which the two IPsec peers use to derive a shared secret without transmitting it to each other. The default, Group 2 (1024-bit Diffie-Hellman), requires less CPU time to execute but is less secure than Group 5 (1536-bit). Group 7 is for use with the Movian VPN client, but works with any peer that supports Group 7 (ECC). Choose the strongest group that both peers support; by current standards 1024-bit Diffie-Hellman is too weak to rely on.

Step 5 Click Next to continue.

78-19186-01 Cisco ASA 5500 Series Getting Started Guide 9-15
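The effect Step 3 describes, shown as an added example that is not from the Cisco guide and not ASA code. It models IKEv1 key derivation at a sketch level: Phase 1 derives SKEYID_d from one Diffie-Hellman secret over Group 2 (the 1024-bit MODP group of RFC 2409, generator 2), and quick mode derives KEYMAT from SKEYID_d alone (no PFS) or from SKEYID_d plus a second, fresh Diffie-Hellman exchange (PFS). The PRF is assumed to be HMAC-SHA256 (a real IKE SA negotiates its PRF), the SKEYID construction is the simplified signature-authentication form, and the nonces, cookies and SPI are constructed random values. The attacker has recorded every public value on the wire and later obtains SKEYID_d, which is the situation PFS is meant to survive.

```python
"""Why PFS matters for IKE Phase 2 keys (added example, not from the Cisco guide).

Assumptions: PRF = HMAC-SHA256, simplified RFC 2409 SKEYID derivation, and the
RFC 2409 Group 2 (1024-bit MODP) parameters. All nonces/cookies/SPIs are
constructed at random here; nothing is taken from a real negotiation.
"""
import hashlib
import hmac
import secrets

# RFC 2409 "Second Oakley Group" (IKE Group 2): 1024-bit MODP prime, generator 2.
GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
GROUP2_G = 2


def dh_keypair(p=GROUP2_P, g=GROUP2_G):
    """Fresh ephemeral DH key pair: private exponent x, public value g^x mod p."""
    x = secrets.randbelow(p - 3) + 2
    return x, pow(g, x, p)


def dh_shared(priv, peer_pub, p=GROUP2_P):
    """Shared secret g^xy mod p as big-endian bytes, as IKE feeds it to the PRF."""
    return pow(peer_pub, priv, p).to_bytes((p.bit_length() + 7) // 8, "big")


def prf(key, data):
    """IKE PRF, modelled as HMAC-SHA256 (assumption; real IKE negotiates the PRF)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def phase1_skeyid_d(shared_secret, ni, nr, cky_i, cky_r):
    """Simplified RFC 2409 Phase 1: SKEYID = prf(Ni|Nr, g^xy), SKEYID_d from it."""
    skeyid = prf(ni + nr, shared_secret)
    return prf(skeyid, shared_secret + cky_i + cky_r + b"\x00")


def phase2_keymat(skeyid_d, proto, spi, ni, nr, qm_shared=None):
    """RFC 2409 quick-mode KEYMAT.

    Without PFS: prf(SKEYID_d, protocol | SPI | Ni | Nr)
    With PFS:    prf(SKEYID_d, g(qm)^xy | protocol | SPI | Ni | Nr)
    """
    prefix = qm_shared if qm_shared is not None else b""
    return prf(skeyid_d, prefix + proto + spi + ni + nr)


def simulate(pfs):
    """Run Phase 1, one Phase 2 SA, then an attacker who later learns SKEYID_d.

    The attacker holds the whole on-the-wire transcript (public DH values,
    nonces, cookies, SPI) plus SKEYID_d, but never any private exponent.
    Returns whether the peers agreed on KEYMAT and whether the attacker can
    reconstruct it from what it has.
    """
    # Phase 1 (main mode): one DH exchange; nonces and cookies travel in clear.
    xi, gxi = dh_keypair()
    xr, gxr = dh_keypair()
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    skeyid_d_i = phase1_skeyid_d(dh_shared(xi, gxr), ni, nr, cky_i, cky_r)
    skeyid_d_r = phase1_skeyid_d(dh_shared(xr, gxi), ni, nr, cky_i, cky_r)

    # Phase 2 (quick mode): new nonces and an SPI; with PFS, a second DH exchange.
    proto, spi = b"\x03", secrets.token_bytes(4)  # ESP; constructed SPI
    qni, qnr = secrets.token_bytes(16), secrets.token_bytes(16)
    qm_i = qm_r = None
    if pfs:
        yi, gyi = dh_keypair()
        yr, gyr = dh_keypair()
        qm_i, qm_r = dh_shared(yi, gyr), dh_shared(yr, gyi)
    keymat_i = phase2_keymat(skeyid_d_i, proto, spi, qni, qnr, qm_i)
    keymat_r = phase2_keymat(skeyid_d_r, proto, spi, qni, qnr, qm_r)

    # Attacker: without a quick-mode private exponent it cannot form g(qm)^xy,
    # so the best it can do is the derivation from SKEYID_d and public values.
    attacker_keymat = phase2_keymat(skeyid_d_i, proto, spi, qni, qnr, None)
    return {
        "peers_agree": keymat_i == keymat_r,
        "attacker_recovers_keymat": attacker_keymat == keymat_i,
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("PFS" if mode else "no PFS", simulate(pfs=mode))
```

Without PFS the attacker rebuilds KEYMAT exactly, because everything except SKEYID_d was public; with PFS the same attacker, holding the same SKEYID_d, cannot, because each quick-mode SA also depends on an ephemeral exponent that was never transmitted. That is also why the note says both peers must enable it: a peer that does not include g(qm)^xy derives a different KEYMAT and the SA fails.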