Setting General IPSec VPN Parameters
The security appliance implementation of virtual private networking includes useful features that do not fit neatly into categories. This chapter describes some of these features. It includes the following sections:
• Configuring VPNs in Single, Routed Mode, page 29-1
• Configuring IPSec to Bypass ACLs, page 29-1
• Permitting Intra-Interface Traffic, page 29-2
• Setting Maximum Active IPSec VPN Sessions, page 29-3
• Using Client Update to Ensure Acceptable Client Revision Levels, page 29-3
• Understanding Load Balancing, page 29-5
• Configuring Load Balancing, page 29-9
• Configuring VPN Session Limits, page 29-11
Configuring VPNs in Single, Routed Mode
VPNs work only in single, routed mode. VPN functionality is unavailable in configurations that include either security contexts, also referred to as multi-mode firewall, or Active/Active stateful failover. The exception to this caveat is that you can configure and use one connection for administrative purposes to (not through) the security appliance in transparent mode.
Configuring IPSec to Bypass ACLs
To permit any packets that come from an IPSec tunnel without checking ACLs for the source and destination interfaces, enter the sysopt connection permit-ipsec command in global configuration mode.
You might want to bypass interface ACLs for IPSec traffic if you use a separate VPN concentrator behind the security appliance and want to maximize the performance of the security appliance. Without the bypass, you typically create an ACL that permits IPSec packets using the access-list command and apply it to the source interface. Using an ACL is more secure because you can specify the exact traffic you want to allow through the security appliance.
The syntax is sysopt connection permit-ipsec. The command has no keywords or arguments.
The following example enables IPSec traffic through the security appliance without checking ACLs:
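As an added example (not the guide's own code), the script below audits a running-config excerpt for this setting: it reports whether decrypted IPSec traffic bypasses the interface ACLs or is filtered by an explicit access-list/access-group pair, and flags a permit ip any any entry that would leave the ACL no narrower than the bypass. It assumes the excerpt states the sysopt command explicitly (as show running-config all output does, since it includes default settings) and that the tunnel terminates on the interface named outside; both excerpts are constructed.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpts (not from the guide). The first bypasses interface ACLs for
# IPSec traffic; the second keeps ACL checking and permits only the tunneled subnets.
BYPASS_CONFIG = "sysopt connection permit-ipsec\n"
ACL_CONFIG = """\
no sysopt connection permit-ipsec
access-list OUTSIDE_IN extended permit ip 10.10.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list OUTSIDE_IN extended deny ip any any
access-group OUTSIDE_IN in interface outside
"""

ACCESS_GROUP = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)$")
ACCESS_LIST = re.compile(r"^access-list\s+(\S+)\s+(?:extended\s+)?(permit|deny)\s+(.+)$")

@dataclass
class BypassFinding:
    bypass_enabled: bool                               # sysopt connection permit-ipsec in effect
    inbound_acls: dict = field(default_factory=dict)   # interface -> ACL bound with access-group ... in
    aces: dict = field(default_factory=dict)           # ACL name -> ["permit ip ...", "deny ip ..."]

def audit_ipsec_bypass(config: str) -> BypassFinding:
    """Walk the excerpt line by line; the last sysopt line wins, as it does on the CLI."""
    finding = BypassFinding(bypass_enabled=False)
    for raw in config.splitlines():
        line = raw.strip()
        if line == "sysopt connection permit-ipsec":
            finding.bypass_enabled = True
        elif line == "no sysopt connection permit-ipsec":
            finding.bypass_enabled = False
        elif (m := ACCESS_GROUP.match(line)):
            finding.inbound_acls[m.group(2)] = m.group(1)
        elif (m := ACCESS_LIST.match(line)):
            finding.aces.setdefault(m.group(1), []).append(f"{m.group(2)} {m.group(3)}")
    return finding

def review(finding: BypassFinding, tunnel_interface: str = "outside") -> list:
    """Review notes: is decrypted IPSec traffic filtered at all, and by what?"""
    if finding.bypass_enabled:
        return ["bypass on: decrypted IPSec traffic skips the interface ACLs"]
    acl = finding.inbound_acls.get(tunnel_interface)
    if acl is None:
        return [f"bypass off but no inbound ACL on {tunnel_interface}: tunnel traffic has no explicit permit"]
    notes = [f"{acl} bound inbound on {tunnel_interface}: tunnel traffic is filtered by its ACEs"]
    for ace in finding.aces.get(acl, []):
        if ace.startswith("permit ip any any"):     # as permissive as the bypass itself
            notes.append(f"{acl}: 'permit ip any any' grants the same as the bypass")
    return notes

if __name__ == "__main__":
    for name, cfg in (("bypass", BYPASS_CONFIG), ("acl", ACL_CONFIG)):
        print(name, review(audit_ipsec_bypass(cfg)))
```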
Cisco Security Appliance Command Line Configuration Guide, Chapter 29, OL-10088-01, page 29-1