Table 222 Supported IPsec Attributes (columns: Option, Supported Attribute)

How Cisco Easy VPN Works

The communication between the client and the Easy VPN Server begins with the client requesting a connection. The following is an overview of the connection steps:

Step 1. The client initiates IKE Phase 1 using one of two authentication methods:

• Preshared key: The client initiates IKE Phase 1 via aggressive mode (AM). The accompanying group name entered in the configuration GUI (ID_KEY_ID) is used to identify the group profile associated with this client.

• Digital certificates: The client initiates IKE Phase 1 via main mode (MM). The organizational unit (OU) field of a distinguished name (DN) is used to identify the group profile.

Because the client may be configured for preshared key authentication, which initiates IKE AM, it is recommended that the administrator change the identity of the Cisco IOS VPN device via the crypto isakmp identity hostname command. This will not affect certificate authentication via IKE MM.

Step 2. The client attempts to establish an IKE SA:

• The client attempts to establish an IKE SA between its public IP address and the public IP address of the Cisco IOS VPN device. To reduce the amount of manual configuration on the client, every combination of encryption and hash algorithms, in addition to authentication methods and Diffie-Hellman group sizes, is proposed.

• Depending on its IKE policy configuration, the Cisco IOS VPN device will determine which proposal is acceptable to continue negotiating Phase 1. IKE policy is global for the Cisco IOS VPN device and can consist of several proposals. In the case of multiple proposals, the Cisco IOS VPN device will use the first match, so you should always list your most secure policies first.
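The consequence of the first-match rule above is easy to miss: because the client proposes every combination it supports, whichever local policy is evaluated first will match, whether it is strong or weak. The following Python model is an added example written for this page, not Cisco code and not a description of the IOS implementation; it assumes a client that proposes all combinations of a constructed parameter list, a responder that walks its policies in ascending priority number (the IOS convention that lower policy numbers are tried first), and a constructed set of "weak" algorithms and groups. The helper names (client_proposals, select_policy, weak_policies_shadowing_strong) are hypothetical.

```python
from itertools import product

# Constructed IKE Phase 1 parameter sets for this example. The names mirror
# the keywords a Cisco IOS "crypto isakmp policy" takes, but the values are
# illustrative, not an exhaustive list of what IOS supports.
ENCRYPTION = ["aes-256", "aes-128", "3des"]
HASHES = ["sha256", "sha", "md5"]
AUTHS = ["pre-share", "rsa-sig"]
DH_GROUPS = [14, 5, 2]

# Constructed "weak" thresholds used by the audit helper below.
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_HASHES = {"md5"}
WEAK_DH_GROUPS = {1, 2, 5}


def client_proposals(encryption=ENCRYPTION, hashes=HASHES, auths=AUTHS, groups=DH_GROUPS):
    """Model the client behaviour described in the text: rather than carrying
    one configured policy, it proposes every combination of the parameters it
    supports (hypothetical parameter lists)."""
    return [
        {"encryption": e, "hash": h, "auth": a, "group": g}
        for e, h, a, g in product(encryption, hashes, auths, groups)
    ]


def select_policy(policies, proposals):
    """First-match selection as the text describes it for the IOS responder:
    walk the local policies in priority order (lowest number first) and return
    (priority, policy) for the first policy that any client proposal satisfies,
    or None when nothing matches."""
    for priority in sorted(policies):
        policy = policies[priority]
        for proposal in proposals:
            if all(proposal[key] == value for key, value in policy.items()):
                return priority, policy
    return None


def is_weak(policy):
    """Flag a policy that uses an algorithm or DH group from the constructed
    weak sets above."""
    return (
        policy["encryption"] in WEAK_ENCRYPTION
        or policy["hash"] in WEAK_HASHES
        or policy["group"] in WEAK_DH_GROUPS
    )


def weak_policies_shadowing_strong(policies):
    """Return the priorities of weak policies that are evaluated before the
    first strong one. Against a client that proposes every combination, each
    of these wins the negotiation instead of the stronger policy behind it."""
    shadowing = []
    for priority in sorted(policies):
        if is_weak(policies[priority]):
            shadowing.append(priority)
        else:
            break
    return shadowing


# Two constructed policy sets that contain the same policies in opposite order.
WEAK_FIRST = {
    10: {"encryption": "3des", "hash": "md5", "auth": "pre-share", "group": 2},
    20: {"encryption": "aes-256", "hash": "sha256", "auth": "pre-share", "group": 14},
}
STRONG_FIRST = {
    10: {"encryption": "aes-256", "hash": "sha256", "auth": "pre-share", "group": 14},
    20: {"encryption": "3des", "hash": "md5", "auth": "pre-share", "group": 2},
}

if __name__ == "__main__":
    proposals = client_proposals()
    for name, policies in (("weak first", WEAK_FIRST), ("strong first", STRONG_FIRST)):
        priority, chosen = select_policy(policies, proposals)
        print(f"{name}: policy {priority} selected -> {chosen}")
        print(f"  weak policies shadowing stronger ones: {weak_policies_shadowing_strong(policies)}")
```

With the same two policies, the "weak first" ordering negotiates 3DES/MD5/group 2 and the "strong first" ordering negotiates AES-256/SHA-256/group 14, which is exactly why the text says to list the most secure policies first. The audit helper gives a quick check to run over an exported policy list before a change is pushed.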
