Cisco SA520-K9 Administration Guide - Page 146



Configuring VPN
Advanced Configuration of IPsec VPN
Cisco SA500 Series Security Appliances Administration Guide, Chapter 7, page 146

STEP 4 In the Local area, enter the following information:

• Identifier Type and Identifier: Choose the type of identifier for the local device, and then enter the ID in the text box.
  - Local WAN IP
  - Internet Address/FQDN
  - User FQDN
  - DER ASN1 DN

NOTE Typically, an IP address is used for site-to-site connections, since the IP address or FQDN of each site is well known. An IP address is required if you want to use Main Mode. For remote client connections, the User FQDN is never resolved; it is simply a label that identifies a client whose IP address can differ depending on the network used to make the connection. The DER ASN1 DN is used as the identifier when certificates are used for authentication.

STEP 5 In the Remote area, enter the following information:

• Identifier Type and Identifier: Choose the type of identifier for the remote device, and then enter the ID in the text box. The remote identifier must be exactly what the peer sends as its own local identifier; a mismatch causes the peer to be rejected during IKE negotiation.

NOTE An IP address is required if you want to use Main Mode.

STEP 6 In the IKE SA Parameters area, enter the Security Association (SA) parameters, which define the strength and the mode used to negotiate the SA.

• Encryption Algorithm: The algorithm used to protect the IKE SA negotiation. This router supports five algorithms: DES, 3DES, AES-128, AES-192, and AES-256.

• Authentication Algorithm: The hash algorithm used to authenticate the IKE messages. This router supports five algorithms: MD5, SHA-1, SHA2-256, SHA2-384, and SHA2-512.

NOTE Ensure that the encryption and authentication algorithms are configured identically on both sides; otherwise the peer rejects the IKE proposal and the tunnel does not come up. DES, 3DES, MD5 and SHA-1 are weak by current standards; choose an AES variant with a SHA2 hash unless the peer cannot support them.

• Authentication Method: Select Pre-shared key for a simple password-based key. Selecting RSA-Signature disables the pre-shared key text box and uses the Active Self Certificate uploaded on the Certificates page; in that case a certificate must be configured for RSA-Signature to work. See Managing Certificates for Authentication, page 190.
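The constraints in Steps 4 to 6 interact (the exchange mode limits the identifier type, the identifiers must be mirrored between peers, the algorithms must match on both ends, and RSA-Signature depends on a certificate being present), so it is worth checking a policy before committing it. The following Python script is an added example; it is not code from the Cisco guide or from the SA500 firmware. It encodes the rules stated on this page as checks over a policy object, and also builds the IKEv1 Identification payload for each identifier so you can see that an FQDN or User FQDN is carried as a literal string and never resolved. The `IkePolicy` fields, the `=` heuristic for recognising a distinguished name, the weak-algorithm list and all addresses, names and keys are assumptions of the example.

```python
"""Added example, not from the Cisco guide: lint an IKE SA policy against the rules
in Steps 4-6 and show what each Identifier Type becomes on the wire.
Addresses, names and keys below are constructed sample data."""
import ipaddress
import struct
from dataclasses import dataclass

# IKEv1 identification types (RFC 2407 section 4.6.2.1).
ID_IPV4_ADDR, ID_FQDN, ID_USER_FQDN, ID_DER_ASN1_DN = 1, 2, 3, 9
ENCRYPTION = {"DES", "3DES", "AES-128", "AES-192", "AES-256"}
AUTH_ALG = {"MD5", "SHA-1", "SHA2-256", "SHA2-384", "SHA2-512"}
WEAK = {"DES", "3DES", "MD5", "SHA-1"}  # short keys or deprecated hashes


def classify_identifier(value: str) -> int:
    """Map a configured identifier to the IKE ID type it is sent as: IPv4 literal ->
    address, '=' inside -> DN (assumes 'CN=...,O=...' syntax), '@' -> User FQDN,
    else host FQDN."""
    try:
        ipaddress.IPv4Address(value)
        return ID_IPV4_ADDR
    except ValueError:
        pass
    if "=" in value:
        return ID_DER_ASN1_DN
    return ID_USER_FQDN if "@" in value else ID_FQDN


def encode_id_payload(value: str, next_payload: int = 0) -> bytes:
    """IKEv1 Identification payload (RFC 2408 section 3.8): generic header (next
    payload, reserved, length), then ID type, protocol ID, port (0 = any), data.
    FQDN and User FQDN carry the literal string; it is never resolved, which is
    why a User FQDN suits a client whose address changes."""
    id_type = classify_identifier(value)
    if id_type == ID_DER_ASN1_DN:
        raise ValueError("a DN identifier is the DER subject of the certificate")
    data = (ipaddress.IPv4Address(value).packed if id_type == ID_IPV4_ADDR
            else value.encode("ascii"))
    return struct.pack("!BBHBBH", next_payload, 0, 8 + len(data), id_type, 0, 0) + data


@dataclass
class IkePolicy:
    exchange_mode: str  # "main" or "aggressive"
    local_id: str
    remote_id: str
    encryption: str
    auth_alg: str
    auth_method: str    # "psk" or "rsa-sig"
    psk: str = ""
    has_active_cert: bool = False


def check_ike_policy(p: IkePolicy) -> list:
    """Return what would stop this policy from negotiating, or what weakens it."""
    findings = []
    ids = {"local": classify_identifier(p.local_id),
           "remote": classify_identifier(p.remote_id)}
    if p.exchange_mode == "main":
        for side, t in ids.items():
            if t != ID_IPV4_ADDR:
                findings.append(f"main mode requires an IP address identifier ({side})")
    if p.encryption not in ENCRYPTION:
        findings.append(f"unsupported encryption algorithm {p.encryption}")
    if p.auth_alg not in AUTH_ALG:
        findings.append(f"unsupported authentication algorithm {p.auth_alg}")
    for alg in (p.encryption, p.auth_alg):
        if alg in WEAK:
            findings.append(f"{alg} is weak; prefer AES with SHA2")
    if p.auth_method == "psk" and not p.psk:
        findings.append("pre-shared key is empty")
    if p.auth_method == "rsa-sig" and not p.has_active_cert:
        findings.append("RSA-Signature selected but no Active Self Certificate")
    if ID_DER_ASN1_DN in ids.values() and p.auth_method != "rsa-sig":
        findings.append("DER ASN1 DN identifier needs certificate (RSA-Signature) auth")
    return findings


def peers_match(a: IkePolicy, b: IkePolicy) -> list:
    """Both ends must agree on mode, algorithms and authentication, and each side's
    local identifier must be what the other side expects as its remote."""
    findings = []
    for attr in ("exchange_mode", "encryption", "auth_alg", "auth_method"):
        if getattr(a, attr) != getattr(b, attr):
            findings.append(f"{attr} differs: {getattr(a, attr)} vs {getattr(b, attr)}")
    if a.local_id != b.remote_id or b.local_id != a.remote_id:
        findings.append("identifiers are not mirrored between the peers")
    if a.auth_method == "psk" and a.psk != b.psk:
        findings.append("pre-shared keys differ")
    return findings


if __name__ == "__main__":
    # Constructed main-mode site-to-site pair where the branch was left on SHA-1.
    hq = IkePolicy("main", "203.0.113.5", "198.51.100.7", "AES-256", "SHA2-256", "psk", "s3cret")
    branch = IkePolicy("main", "198.51.100.7", "203.0.113.5", "AES-256", "SHA-1", "psk", "s3cret")
    print(check_ike_policy(branch), peers_match(hq, branch))
    print(encode_id_payload("203.0.113.5").hex(), encode_id_payload("alice@example.com").hex())
```

Run it as-is to see the SHA-1 mismatch reported from both the single-policy check and the peer comparison. The DN case deliberately raises in `encode_id_payload`: on the wire a DER ASN1 DN identifier is the DER-encoded subject taken from the certificate, so with RSA-Signature the identifier you type must agree with the certificate loaded on the Certificates page rather than being free text.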