
Cisco 5510 - ASA SSL / IPsec VPN Edition Getting Started Guide

208 pages
Cisco ASA 5500 Series Getting Started Guide
78-19186-01
Chapter 9 Scenario: IPsec Remote-Access VPN Configuration
Implementing the IPsec Remote-Access VPN Scenario
Step 2 To enable split tunneling, check the Enable Split Tunneling check box. Split tunneling allows traffic outside the configured networks to be sent out directly to the Internet instead of over the encrypted VPN tunnel.

Step 3 To enable perfect forward secrecy (PFS), check the Enable Perfect Forwarding Secrecy check box. Enabling PFS sets the size of the numbers to use in generating Phase 2 IPsec keys.

PFS is a cryptographic concept where each new key is unrelated to any previous key. In IPsec negotiations, Phase 2 keys are based on Phase 1 keys unless PFS is enabled. PFS uses Diffie-Hellman techniques to generate the keys. PFS ensures that a session key derived from a set of long-term public and private keys is not compromised if one of the private keys is compromised in the future.

Note: PFS must be enabled on both sides of the connection.

Step 4 Select the Diffie-Hellman group identifier, which the two IPsec peers use to derive a shared secret without transmitting it to each other. The default, Group 2 (1024-bit Diffie-Hellman), requires less CPU time to execute but is less secure than Group 5 (1536-bit). Group 7 is for use with the Movian VPN client, but works with any peer that supports Group 7 (ECC).

Step 5 Click Next to continue.
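
The dependency described in Step 3, worked through with the IKEv1 Quick Mode key derivation from RFC 2409 (an added example, not part of the Cisco guide). The HMAC-SHA1 prf, the random stand-in for the Phase 1 secret SKEYID_d, the nonces and the SPI are assumptions constructed for the demonstration; the Diffie-Hellman group is the Group 2 default named in Step 4.

```python
import hashlib
import hmac
import secrets

# Oakley Group 2 (1024-bit MODP) prime from RFC 2409, generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
G = 2

def prf(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA1 standing in for the negotiated prf (assumption)."""
    return hmac.new(key, data, hashlib.sha1).digest()

def dh_keypair():
    """Ephemeral Quick Mode exponent and the public value sent to the peer."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)

def keymat(skeyid_d, proto_spi, ni, nr, g_qm_xy=b""):
    """RFC 2409 sec. 5.5, first output block only:
    KEYMAT = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b)"""
    return prf(skeyid_d, g_qm_xy + proto_spi + ni + nr)

def phase2_recoverable(pfs: bool) -> bool:
    """True if a party that later obtains SKEYID_d, and so can read the
    Quick Mode payloads, can recompute the Phase 2 key."""
    skeyid_d = secrets.token_bytes(20)            # constructed Phase 1 secret
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    proto_spi = b"\x03" + secrets.token_bytes(4)  # ESP protocol ID + constructed SPI
    shared = b""
    if pfs:
        xi, pub_i = dh_keypair()
        xr, pub_r = dh_keypair()
        assert pow(pub_r, xi, P) == pow(pub_i, xr, P)  # both peers agree
        shared = pow(pub_r, xi, P).to_bytes(128, "big")
    real = keymat(skeyid_d, proto_spi, ni, nr, shared)
    # The observer holds SKEYID_d, nonces, SPI and both public values, but
    # neither private exponent, so g(qm)^xy is absent from its computation.
    guess = keymat(skeyid_d, proto_spi, ni, nr)
    return hmac.compare_digest(real, guess)

if __name__ == "__main__":
    print("without PFS:", phase2_recoverable(False))
    print("with PFS:   ", phase2_recoverable(True))
```

Without PFS the Phase 2 key is a function of Phase 1 material and values carried in the exchange; with PFS it also depends on a fresh Diffie-Hellman secret that is never sent.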
