
Wednesday, September 03, 2008

Some important notes about ASA 5500.

-----------------------------------------------------------------

When the security appliance is configured for IPSec VPN, you cannot enable security contexts (also called firewall multiple mode) or Active/Active stateful failover. Therefore, these features are unavailable on an IPSec VPN appliance.

Phase 1 ISAKMP negotiations can use either main mode or aggressive mode. Both provide the same services, but aggressive mode requires only two exchanges between the peers totaling 3 messages, rather than three exchanges totaling 6 messages. Aggressive mode is faster, but does not provide identity protection for the communicating parties. Therefore, the peers must exchange identification information prior to establishing a secure SA. Aggressive mode is enabled by default.

Main mode is slower, using more exchanges, but it protects the identities of the communicating peers.

Aggressive mode is faster, but does not protect the identities of the peers.

IPSec over TCP works with remote access clients. You enable it globally, and it works on all ISAKMP-enabled interfaces. It is a client-to-security-appliance feature only. It does not work for LAN-to-LAN connections.
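The two notes above (aggressive mode being on by default, and IPSec over TCP being a global setting that applies to every ISAKMP-enabled interface) are the kind of thing worth checking in a saved running-config before a change window. The following audit script is an added example, not code from the original post or from Cisco: it parses a small constructed ASA config (the `SAMPLE_CONFIG` text is made up for this example, not taken from a real device) and reports whether inbound aggressive mode is still accepted, which ports IPSec over TCP uses, and which Phase 1 policies exist. It recognises both the `crypto isakmp ...` spelling used at the time of this post and the later `crypto ikev1 ...` spelling of the same commands.

```python
"""Audit an ASA running-config (plain text) for the IKEv1 settings discussed above."""
import re
from typing import Dict, List, Optional

# Pre-8.4 ASA software uses 'crypto isakmp'; 8.4 and later use 'crypto ikev1'.
ISAKMP = r"crypto (?:isakmp|ikev1)"

# Constructed sample config (not from any real device): aggressive mode is left
# at its default (accepted) and IPSec over TCP is enabled on port 10000.
SAMPLE_CONFIG = """\
hostname asa-demo
interface GigabitEthernet0/0
 nameif outside
 security-level 0
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
"""

# Same config with inbound aggressive mode explicitly disabled.
HARDENED_CONFIG = SAMPLE_CONFIG + "crypto isakmp am-disable\n"


def _lines(config: str) -> List[str]:
    return [ln.rstrip() for ln in config.splitlines()]


def isakmp_interfaces(config: str) -> List[str]:
    """Interfaces on which IKE is enabled ('crypto isakmp enable <nameif>')."""
    pat = re.compile(rf"^{ISAKMP} enable (\S+)$")
    found = []
    for ln in _lines(config):
        m = pat.match(ln.strip())
        if m:
            found.append(m.group(1))
    return found


def aggressive_mode_enabled(config: str) -> bool:
    """True unless the config explicitly disables inbound aggressive mode.

    The ASA accepts aggressive mode by default, so absence of the command
    means it is still enabled."""
    pat = re.compile(rf"^{ISAKMP} am-disable$")
    return not any(pat.match(ln.strip()) for ln in _lines(config))


def ipsec_over_tcp_ports(config: str) -> Optional[List[int]]:
    """Ports from 'crypto isakmp ipsec-over-tcp [port p1 ... p10]'.

    Returns None when the feature is not configured. When the command is
    present without a port list, the ASA default port 10000 is assumed."""
    pat = re.compile(rf"^{ISAKMP} ipsec-over-tcp(?: port((?: \d+)+))?$")
    for ln in _lines(config):
        m = pat.match(ln.strip())
        if m:
            return [int(p) for p in m.group(1).split()] if m.group(1) else [10000]
    return None


def phase1_policies(config: str) -> Dict[int, Dict[str, str]]:
    """Collect each 'crypto isakmp policy N' block with its indented attributes."""
    policies: Dict[int, Dict[str, str]] = {}
    current: Optional[int] = None
    head = re.compile(rf"^{ISAKMP} policy (\d+)$")
    for ln in _lines(config):
        m = head.match(ln)
        if m:
            current = int(m.group(1))
            policies[current] = {}
            continue
        if current is not None and ln.startswith(" "):
            key, _, value = ln.strip().partition(" ")
            policies[current][key] = value
        else:
            current = None  # an unindented line ends the policy block
    return policies


def audit(config: str) -> List[str]:
    """Human-readable findings for the settings the post calls out."""
    findings = []
    ifaces = isakmp_interfaces(config)
    if not ifaces:
        findings.append("IKE is not enabled on any interface")
    if aggressive_mode_enabled(config):
        findings.append("aggressive mode is accepted (ASA default); add "
                        "'crypto isakmp am-disable' if only main mode is wanted")
    ports = ipsec_over_tcp_ports(config)
    if ports is not None:
        findings.append("IPSec over TCP enabled globally on port(s) "
                        f"{', '.join(map(str, ports))}; applies to all IKE-enabled "
                        f"interfaces: {', '.join(ifaces) or 'none'}")
    for prio, attrs in sorted(phase1_policies(config).items()):
        findings.append(f"policy {prio}: " + ", ".join(f"{k}={v}" for k, v in attrs.items()))
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for finding in audit(cfg):
            print(" -", finding)
```

Run it against a `show running-config` capture saved to a file by replacing `SAMPLE_CONFIG` with the file contents; the aggressive-mode finding disappears only when `am-disable` is actually present, which matches the default-on behaviour noted above.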
