To define a profile's VPN crypto map settings:
Go to .
Select a target profile from those displayed on the screen.
Expand Security and select VPN..
Select the Crypto Map tab.
If requiring a new crypto map configuration, select the Add button. If updating the configuration of an existing crypto map, select it from amongst those available and select the Edit button.
If adding a new crypto map, assign it a name up to 32 characters in length as an unique identifier. Select the Continue button to proceed to the VPN Crypto Map screen.
If requiring a new crypto map configuration, select the Add button. If updating the configuration of an existing crypto map, select it from amongst those available and select the Edit button.
Define the following Settings to set the crypto map configuration:
|
Sequence |
Each crypto map configuration uses a list of entries based on a sequence number. Specifying multiple sequence numbers within the same crypto map extends connection flexibility to multiple peers on the same interface, based on this selected sequence number (from 1 - 1,000). |
|
Type |
Define the site-to-site-manual, site-to-site-auto or remote VPN configuration defined for each listed crypto map configuration. |
|
IP Firewall Rules |
Use the pull-down menu to select the ACL used to protect IPSec VPN traffic. New access/deny rules can be defined for the crypto map by selecting the Create icon, or an existing set of firewall rules can be modified by selecting the Edit icon. |
|
IPSec Transform Set |
Select the transform set (encryption and hash algorithms) to apply to this crypto map configuration. |
|
Mode |
Use the pull-down menu to define which mode (pull or push) is used to assign a virtual IP. This setting is relevant for IKEv1 only, since IKEv2 always uses the configuration payload in pull mode. The default setting is push. |
|
Local End Point |
Select this radio button to define an IP address as a local tunnel end point address. This setting represents an alternative to an interface IP address. |
|
Perfect Forward Secrecy (PFS) |
PFS is key-establishment protocol, used to secure VPN communications. If one encryption key is compromised, only data encrypted by that specific key is compromised. For PFS to exist, the key used to protect data transmissions must not be used to derive any additional keys. Options include None, 2, 5 and 14. The default setting is None. |
|
Lifetime (kB) |
Select this option to define a connection volume lifetime (in kilobytes) for the duration of an IPSec VPN security association. Once the set volume is exceeded, the association is timed out. Use the spinner control to set the volume from 500 - 2,147,483,646 kilobytes. |
|
Lifetime (seconds) |
Select this option to define a lifetime (in seconds) for the duration of an IPSec VPN security association. Once the set value is exceeded, the association is timed out. The available range is from 120 - 86,400 seconds. The default setting is 120 seconds. |
|
Protocol |
Select the security protocol used with the VPN IPSec tunnel connection. SAs are unidirectional, existing in each direction and established per security protocol. Options include ESP and AH. The default setting is ESP. |
|
Remote VPN Type |
Define the remote VPN type as either None or XAuth. XAuth (extended authentication) provides additional authentication validation by permitting an edge device to request extended authentication information from an IPSec host. This forces the host to respond with additional authentication credentials. The edge device responds with a failed or passed message. The default setting is XAuth. |
|
Manual Peer IP |
Select this option to define the IP address of an additional encryption/decryption peer. |
|
Time Out |
Set an IPSec security association (SA) timeout in either Seconds (120 - 86,400), Minutes (2 - 1,440), Hours (1 - 24) or Days (1). The default setting is 15 minutes. |
|
Enable NAT after IPSec |
Enable this setting to utilize IP/Port NAT on the VPN tunnel. This setting is disabled by default. |
Select OK to save the updates made to the Crypto Map Entry screen. Selecting Reset reverts the screen to its last saved setting.