30-10
Cisco Security Appliance Command Line Configuration Guide
OL-10088-01
Chapter 30 Configuring Tunnel Groups, Group Policies, and Users
Configuring Tunnel Groups
The authorization-dn-attributes are C (Country), CN (Common Name), DNQ (DN qualifier), EA
(E-mail Address), GENQ (Generational qualifier), GN (Given Name), I (Initials), L (Locality),
N (Name), O (Organization), OU (Organizational Unit), SER (Serial Number), SN (Surname),
SP (State/Province), T (Title), and UID (User ID)
Step 12 Specify whether to require a successful authorization before allowing a user to connect. The default is
not to require authorization.
hostname(config-tunnel-ipsec)# authorization-required
hostname(config-tunnel-ipsec)#
Configuring IPSec Remote-Access Tunnel Group IPSec Attributes
To configure the IPSec attributes for a remote-access tunnel group, do the following steps. The following
description assumes that you have already created the IPSec remote-access tunnel group. IPSec
remote-access tunnel groups have more attributes than IPSec LAN-to-LAN tunnel groups:
Step 1 To specify the attributes of an IPSec remote-access tunnel-group, enter tunnel-group ipsec-attributes
mode by entering the following command. The prompt changes to indicate the mode change:
hostname(config)# tunnel-group tunnel-group-name ipsec-attributes
hostname(config-tunnel-ipsec)#
This command enters tunnel-group ipsec-attributes configuration mode, in which you configure the
remote-access tunnel-group IPSec attributes.
For example, the following command designates that the tunnel-group ipsec-attributes mode commands
that follow pertain to the tunnel group named TG1. Notice that the prompt changes to indicate that you
are now in tunnel-group ipsec-attributes mode:
hostname(config)# tunnel-group TG1 type ipsec-ra
hostname(config)# tunnel-group TG1 ipsec-attributes
hostname(config-tunnel-ipsec)#
Step 2 Specify the preshared key to support IKE connections based on preshared keys. For example, the
following command specifies the preshared key xyzx to support IKE connections for an IPSec remote
access tunnel group:
hostname(config-tunnel-ipsec)# pre-shared-key xyzx
hostname(config-tunnel-ipsec)#
Step 3 Specify whether to validate the identity of the peer using the peer’s certificate:
hostname(config-tunnel-ipsec)# peer-id-validate option
hostname(config-tunnel-ipsec)#
The available options are req (required), cert (if supported by certificate), and nocheck (do not check).
The default is req.
For example, the following command specifies that peer-id validation is required:
hostname(config-tunnel-ipsec)# peer-id-validate req
hostname(config-tunnel-ipsec)#
Step 4 Specify whether to
Step 5 Specify whether to enable sending of a certificate chain. The following command includes the root
certificate and any subordinate CA certificates in the transmission:
To Next Page
Loading...
Need help?
General