Configuration | system | tunneling protocols – Cisco VPN 3002 User Manual
Page 62
6-2
VPN 3002 Hardware Client Reference
OL-1893-01
Chapter 6 Tunneling
Configuration | System | Tunneling Protocols
This section lets you configure the IPSec tunneling protocol.
Click IPSec on the Tunneling Protocols screen.
Figure 6-1 Configuration | System | Tunneling Protocols Screen
Configuration | System | Tunneling Protocols | IPSec
The VPN 3002 complies with the IPSec protocol and is specifically designed to work with the VPN
Concentrator. IPSec provides the most complete architecture for VPN tunnels, and it is perceived as the
most secure protocol.
In IPSec terminology, a “peer” is a remote-access client or another secure gateway. During tunnel
establishment under IPSec, the two peers negotiate Security Associations (SAs) that govern
authentication, encryption, encapsulation, key management, etc. These negotiations involve two phases:
the first phase establishes the tunnel (the IKE SA); the second phase governs traffic within the tunnel
(the IPSec SA).
The VPN 3002 initiates all tunnels with the VPN Concentrator; the VPN Concentrator functions only as
responder. The VPN 3002 as initiator proposes SAs; the responder accepts, rejects, or makes
counter-proposals—all in accordance with configured SA parameters. To establish a connection, both
entities must agree on the SAs.
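To make the initiator/responder roles and the two-phase ordering concrete, here is an added example (not code from the Cisco manual or the VPN 3002 firmware) that models the negotiation in Python. The peer names, the policy tables, and the attribute values such as 3DES-168 are constructed for illustration; the matching rule (accept the first proposal the responder is configured for, otherwise counter-propose the responder's preferred SA, otherwise reject) is a simplification of IKE, not the exact ISAKMP state machine.

```python
"""Simplified model of IPsec SA negotiation between a VPN 3002 (always the
initiator) and a VPN Concentrator (always the responder).

Phase one negotiates the IKE SA (the tunnel); phase two negotiates the IPsec SA
(traffic inside the tunnel). Phase two is only attempted once phase one succeeds.
All policy tables and attribute values below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SA:
    phase: int               # 1 = IKE SA (tunnel), 2 = IPsec SA (traffic)
    encryption: str          # constructed value, e.g. "3DES-168"
    auth_algorithm: str      # "ESP-MD5-HMAC-128" or "ESP-SHA1-HMAC-160"
    auth_mode: str = ""      # phase one only: "preshared" or "x509"
    dh_group: int = 0        # phase one only: Diffie-Hellman group 1 or 2


class Peer:
    """A peer holds an ordered list of acceptable SAs per phase; first entry is preferred."""

    def __init__(self, name: str, configured: dict[int, list[SA]]):
        self.name = name
        self.configured = configured

    def proposals(self, phase: int) -> list[SA]:
        """Initiator side: everything we are configured to offer for this phase."""
        return list(self.configured.get(phase, []))

    def respond(self, proposals: list[SA]) -> tuple[str, Optional[SA]]:
        """Responder side: accept the first proposal we are configured for,
        otherwise counter-propose our preferred SA, otherwise reject."""
        if not proposals:
            return ("reject", None)
        acceptable = self.configured.get(proposals[0].phase, [])
        for proposal in proposals:
            if proposal in acceptable:
                return ("accept", proposal)
        if acceptable:
            return ("counter", acceptable[0])
        return ("reject", None)

    def evaluate_counter(self, counter: SA) -> Optional[SA]:
        """Initiator side: a counter-proposal stands only if both sides are configured for it."""
        if counter in self.configured.get(counter.phase, []):
            return counter
        return None


def negotiate_phase(initiator: Peer, responder: Peer, phase: int) -> Optional[SA]:
    """One phase of the exchange; returns the agreed SA or None if no agreement."""
    verdict, sa = responder.respond(initiator.proposals(phase))
    if verdict == "accept":
        return sa
    if verdict == "counter":
        return initiator.evaluate_counter(sa)
    return None


def establish_tunnel(initiator: Peer, responder: Peer) -> dict[str, Optional[SA]]:
    """Phase one (IKE SA) must succeed before phase two (IPsec SA) is attempted."""
    ike_sa = negotiate_phase(initiator, responder, 1)
    ipsec_sa = negotiate_phase(initiator, responder, 2) if ike_sa else None
    return {"ike_sa": ike_sa, "ipsec_sa": ipsec_sa}


# Constructed sample policies: the hardware client offers two phase-one SAs,
# the central site is configured for only one of them.
HARDWARE_CLIENT = Peer("VPN 3002", {
    1: [SA(1, "3DES-168", "ESP-SHA1-HMAC-160", "preshared", 2),
        SA(1, "3DES-168", "ESP-MD5-HMAC-128", "preshared", 2)],
    2: [SA(2, "3DES-168", "ESP-SHA1-HMAC-160")],
})
CENTRAL_SITE = Peer("VPN Concentrator", {
    1: [SA(1, "3DES-168", "ESP-MD5-HMAC-128", "preshared", 2)],
    2: [SA(2, "3DES-168", "ESP-SHA1-HMAC-160")],
})


if __name__ == "__main__":
    for phase, sa in establish_tunnel(HARDWARE_CLIENT, CENTRAL_SITE).items():
        print(phase, "->", sa if sa else "no agreement")
```

With the sample tables the central site skips the client's preferred SHA1 proposal and accepts the MD5 one, since only that entry is in its own list; if the responder's configured SAs overlap with none of the client's, its counter-proposal is evaluated against the client's list and fails, and because phase one failed no IPsec SA is negotiated even though the phase-two entries would have matched.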
The Cisco VPN 3002 supports these IPSec attributes, but they are configurable on the central-site VPN
Concentrator, not on the VPN 3002:
• Main mode for negotiating phase one of establishing ISAKMP Security Associations (SAs)
  (automatic if you are using certificates)
• Aggressive mode for negotiating phase one of establishing ISAKMP SAs
• Authentication Algorithms:
  – ESP-MD5-HMAC-128
  – ESP-SHA1-HMAC-160
• Authentication Modes:
  – Preshared Keys
  – X.509 Digital Certificates
• Diffie-Hellman Groups 1 and 2
• Encryption Algorithms: