Configuring automatic xauth authentication, Configuring ipsec over tcp – Cisco ASA 5505 User Manual

Page 1562

Advertising
background image

71-4

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 71 Configuring Easy VPN Services on the ASA 5505

Configuring Automatic Xauth Authentication

In this scenario, the security appliance builds the tunnel only for vlan1, the interface with the highest
security level. If you want to encrypt traffic from vlan12, you must change the security level of interface
vlan1 to a lower value than that of vlan 12.

Configuring Automatic Xauth Authentication

The ASA 5505 configured as an Easy VPN hardware client automatically authenticates when it connects
to the Easy VPN server if all of the following conditions are true:

Secure unit authentication is disabled on the server.

The server requests IKE Extended Authenticate (Xauth) credentials.

Xauth provides the capability of authenticating a user within IKE using TACACS+ or RADIUS.
Xauth authenticates a user (in this case, the Easy VPN hardware client) using RADIUS or any of the
other supported user authentication protocols.

The client configuration contains an Xauth username and password.

Enter the following command in global configuration mode to configure the Xauth username and
password:

vpnclient username xauth_username password xauth password

You can use up to 64 characters for each.

For example, enter the following command to configure the Easy VPN hardware client to use the
XAUTH username testuser and password ppurkm1:

hostname(config)# vpnclient username testuser password ppurkm1

hostname(config)#

To remove the username and password from the running configuration, enter the following command:

no vpnclient username

For example:

hostname(config)# no vpnclient username

hostname(config)#

Configuring IPsec Over TCP

By default, the Easy VPN hardware client and server encapsulate IPsec in User Datagram Protocol
(UDP) packets. Some environments, such as those with certain firewall rules, or NAT and PAT devices,
prohibit UDP. To use standard Encapsulating Security Protocol (ESP, Protocol 50) or Internet Key
Exchange (IKE, UDP 500) in such environments, you must configure the client and the server to
encapsulate IPsec within TCP packets to enable secure tunneling. If your environment allows UDP,
however, configuring IPsec over TCP adds unnecessary overhead.

To configure the Easy VPN hardware client to use TCP-encapsulated IPsec, enter the following
command in global configuration mode:

vpnclient ipsec-over-tcp [port tcp_port]

The Easy VPN hardware client uses port 10000 if the command does not specify a port number.

Advertising
This manual is related to the following products:

ASA 5585-X, ASA 5555-X, ASA 5545-X, ASA 5525-X, ASA 5515-X, ASA 5512-X, ASA 5580, ASA 5550, ASA 5540, ASA 5520, ASA 5510, ASA 5500 Series

Popular Brands
Popular manuals