Cisco Clean Access 3.5

Cisco Clean Access Server Installation and Administration Guide
OL-7045-01
Chapter 6      IPSec/L2TP/PPTP/PPP on the CAS
Configure IPSec Encryption
Figure 6-3
IPSec Key—Logout Page for Web Login Users
Figure 6-4
IPSec Key—Clean Access Agent (3.5.1 +) Users
  – Server Key Life (default: 450 seconds) – How long the IPSec security association (SA) remains 
    active. This should be greater than the Client Rekey Time.
  – Client Rekey Time (default: 300 seconds) – This value is used by the IPSec client. It specifies 
    how long the IPSec client will propose that an IPSec SA be allowed to live before being 
    regenerated. Typically, this value is shorter than the Server Key Life and at least 300 seconds.
  – Perfect Forward Secrecy (PFS) – Enabling PFS ensures that the CAS uses completely new 
    material when rekeying session keys. Otherwise, rekeys may be derived from material created 
    at the point when the initial server key is created. Enabling PFS ensures that if one key is 
    compromised, no other key is vulnerable due to the compromised key.
Note
Enabling PFS may result in slower CAS performance. Use of the legacy IPSec Client enables PFS by 
default.
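The following added example (not from the Cisco guide and not CAS code) models the rekeying behaviour described above: without PFS each session key is derived only from the initial key material plus exchanged nonces, while with PFS a fresh Diffie-Hellman secret is mixed in at every rekey. The derivation is a simplified sketch in the style of IKEv1 quick mode; the function names, the toy prime and the constructed preshared key are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

P = 2**127 - 1  # toy Mersenne prime for the demo; real IKE groups are far larger
G = 3


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def dh_exchange() -> bytes:
    """Both peers pick ephemeral secrets; return the shared value g^xy mod P."""
    x = secrets.randbelow(P - 2) + 1
    y = secrets.randbelow(P - 2) + 1
    return pow(pow(G, x, P), y, P).to_bytes(16, "big")


def rekey(skeyid_d: bytes, ni: bytes, nr: bytes, pfs: bool) -> bytes:
    """Derive one session key; with PFS, mix in a fresh DH secret."""
    fresh = dh_exchange() if pfs else b""
    return prf(skeyid_d, fresh + ni + nr)


def keys_exposed(pfs: bool, rekeys: int = 3) -> int:
    """Count session keys recomputable from the initial material plus the nonces."""
    # Initial server key material (constructed sample value, not a real key).
    skeyid_d = prf(b"constructed-preshared-key", dh_exchange())
    exposed = 0
    for _ in range(rekeys):
        ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
        session_key = rekey(skeyid_d, ni, nr, pfs)
        # A holder of skeyid_d who saw the nonces repeats the non-PFS derivation.
        if hmac.compare_digest(prf(skeyid_d, ni + nr), session_key):
            exposed += 1
    return exposed


if __name__ == "__main__":
    print("without PFS:", keys_exposed(False), "of 3 session keys exposed")
    print("with PFS:   ", keys_exposed(True), "of 3 session keys exposed")
```

The extra Diffie-Hellman exchange per rekey in the PFS branch is the cost behind the performance note above.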