Support User Manuals

Apple iPod and iPod Touch Cell Phone User Manual

Open as PDF

of 58

Appendix A Cisco VPN Server Configuration 47

Certificates

When setting up and installing certificates, make sure of the following:

Â The server identity certificate must contain the server’s DNS name and/or IP address

in the subject alternate name (SubjectAltName) field. The device uses this

information to verify that the certificate belongs to the server. You can specify the

SubjectAltName using wildcard characters for per-segment matching, such as

vpn.*.mycompany.com, for more flexibility. The DNS name can be put in the common

name field, if no SubjectAltName is specified.

Â The certificate of the CA that signed the server’s certificate should be installed on the

device. If it isn’t a root certificate, install the remainder of the trust chain so that the

certificate is trusted.

Â If client certificates are used, make sure that the trusted CA certificate that signed the

client’s certificate is installed on the VPN server.

Â The certificates and certificate authorities must be valid (not expired, for example.).

Â Sending of certificate chains by the server isn’t supported and should be turned off.

Â When using certificate-based authentication, make sure that the server is set up to

identify the user’s group based on fields in the client certificate. See “Authentication

Groups” on page 46.

IPSec Settings

Use the following IPSec settings:

Â Mode: Tunnel Mode

Â IKE Exchange Modes: Aggressive Mode for pre-shared key and hybrid authentication,

Main Mode for certificate authentication.

Â Encryption Algorithms: 3DES, AES-128, AES-256

Â Authentication Algorithms: HMAC-MD5, HMAC-SHA1

Â Diffie Hellman Groups: Group 2 is required for pre-shared key and hybrid.

authentication. For certificate authentication, use Group 2 with 3DES and AES-128.

Use Group 2 or 5 with AES-256.

Â PFS (Perfect Forward Secrecy): For IKE phase 2, if PFS is used the Diffie Hellman group

must be the same as was used for IKE phase 1.

Â Mode Configuration: Must be enabled.

Â Dead Peer Detection: Recommended.

Â Standard NAT Transversal: Supported and can be enabled if desired. (IPSec over TCP

isn’t supported).

Â Load Balancing: Supported and can be enabled if desired.

Â Re-keying of Phase 1: Not currently supported. Recommend that re-keying times on

the server be set to approximately one hour.

previous next