Cisco IPsec VPN Parts and Pieces

The ASA uses the ISAKMP and IPsec tunneling standards to build and manage tunnels. ISAKMP negotiates the tunnel and the keys that protect it; IPsec then protects the traffic that passes through it.

—————————————-
IKE (Internet Key Exchange)
, which Cisco documentation and the ASA CLI also refer to as ISAKMP (Internet Security Association and Key Management Protocol, the framework IKE is built on), is the negotiation protocol that lets two hosts agree on how to build an IPsec security association. ISAKMP separates negotiation into two phases: Phase 1 authenticates the peers and builds a protected IKE SA, and Phase 2 uses that IKE SA to negotiate the IPsec SAs that carry user traffic.

To set the terms of the Phase 1 negotiation, you create an ISAKMP policy. Policies are tried in order of priority number (lowest first), and the peer must have a policy whose settings match or Phase 1 fails.

—————————————-

A security association (SA) is a term used to generalize the IPsec connection parameters as a whole. An SA is a relationship between two or more entities that describes how the entities will use security services to communicate securely: the algorithms, keys, lifetimes and (for IPsec) the SPI that identifies the SA on the wire. The IKE SA from Phase 1 is bidirectional; IPsec SAs from Phase 2 are unidirectional, so a working tunnel has one inbound and one outbound IPsec SA.

—————————————-
NAT-T
lets IPsec peers establish a connection through a NAT device. IPsec was not designed to work through NAT: ESP is IP protocol 50 and carries no port numbers, so a device doing port address translation has nothing to track the flow by. NAT-T solves this by encapsulating IPsec traffic in UDP datagrams on port 4500, thereby providing NAT devices with port information. The peers detect during Phase 1 whether a NAT sits between them and only encapsulate when necessary. On the ASA this feature is disabled by default.

To enable NAT-T use the following command: crypto isakmp nat-traversal (an optional natkeepalive argument sets the keepalive interval in seconds, 10 to 3600, default 20; the keepalives stop the NAT device from expiring the UDP mapping while the tunnel is idle).

—————————————-
A transform set is a combination of security protocols and algorithms (for example ESP with AES-256 encryption and SHA-1 HMAC integrity) that defines how the ASA protects data.

During the IPsec security association negotiation with ISAKMP, the peers agree to use a particular transform set to protect a particular data flow.

At least one transform set configured on each peer must match exactly, otherwise the Phase 2 negotiation fails even when Phase 1 succeeded.


—————————————-
A tunnel group is a set of records that contain tunnel connection policies. You configure a tunnel group to identify AAA servers, specify connection parameters, and define a default group policy. For IKEv1 remote access the group name the client presents selects the tunnel group, and the group pre-shared key lives under that tunnel group.


—————————————-
To configure IP address pools to use for VPN remote access tunnels, enter the ip local pool command in global configuration mode. The internal network must route the pool back to the ASA, and the pool should be exempted from NAT so that return traffic reaches the clients.

—————————————-
Crypto maps
define the IPsec policy to be negotiated in the IPsec SA: which traffic to protect, with which peer, and under which transform set. A crypto map is applied to an interface, and the ASA evaluates its entries in sequence-number order.

—————————————-
A dynamic crypto map is a crypto map without all of the parameters configured. It acts as a policy template where the missing parameters (above all the peer address) are later dynamically learned, as the result of an IPsec negotiation, to match the peer requirements. The ASA applies a dynamic crypto map to let a peer negotiate a tunnel if its IP address is not already identified in a static crypto map.

Dynamic crypto maps can ease IPsec configuration and we recommend them for use in networks where the peers are not always predetermined. Use dynamic crypto maps for Cisco VPN clients (such as mobile users) and routers that obtain dynamically assigned IP addresses. Because a dynamic map accepts a negotiation from any source address, peer authentication (a strong group key plus per-user AAA, or certificates) is the only thing that stops an arbitrary host on the Internet from bringing up a tunnel.

—————————————-
Split tunneling
controls what traffic is or isn't protected by the tunnel. By default, all traffic from the VPN client is forced through the tunnel to the ASA first. By configuring split tunneling (a split-tunnel policy and an ACL in the group policy) we allow our users to reach the Internet over their own connection, while only traffic destined for the corporate networks listed in the ACL enters the tunnel. The trade-off is that the client is now connected to the corporate network and the open Internet at the same time, and its Internet traffic bypasses whatever inspection the corporate edge would have applied.
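The pieces above fit together in one remote-access configuration. The following is an added example written for this page, not configuration from the original post; it assumes ASA 8.4 or later IKEv1 syntax (older releases use crypto isakmp policy and crypto ipsec transform-set instead of the ikev1 forms), and the interface names, object names, addresses and RADIUS server are placeholders chosen for illustration.

```cisco
! Hypothetical ASA 9.x IKEv1 remote-access configuration (added example).
! All names, addresses and the RADIUS server below are placeholders.

! --- Phase 1: ISAKMP/IKEv1 policy. Lower priority numbers are tried first.
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400

! --- NAT-T: detect NAT between the peers and wrap IKE and ESP in UDP/4500.
! --- 20-second keepalives keep the NAT mapping alive while the tunnel is idle.
crypto isakmp nat-traversal 20

! --- Phase 2: transform set. The peer needs an identical set or Phase 2 fails.
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

! --- Dynamic crypto map for peers whose address is not known in advance.
! --- It is bound to the static map with the highest sequence number (65535),
! --- so any explicitly configured site-to-site peers at lower numbers match first.
crypto dynamic-map DYN-RA 10 set ikev1 transform-set ESP-AES256-SHA
crypto dynamic-map DYN-RA 10 set reverse-route
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-RA
crypto map OUTSIDE-MAP interface outside

! --- Address pool handed out to remote-access clients (must be routed back to the ASA).
ip local pool RA-POOL 10.200.0.10-10.200.0.250 mask 255.255.255.0

! --- AAA: authenticate each user against RADIUS rather than trusting the group key alone.
aaa-server RADIUS-SRV protocol radius
aaa-server RADIUS-SRV (inside) host 10.0.0.20
 key <radius-shared-secret>

! --- Split tunnelling: only 10.0.0.0/8 enters the tunnel; everything else
! --- leaves the client's own Internet connection and bypasses corporate inspection.
access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.0.0.0
group-policy RA-POLICY internal
group-policy RA-POLICY attributes
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 dns-server value 10.0.0.53

! --- Tunnel group: ties together the AAA server, the address pool and the
! --- default group policy. The client presents "RA-USERS" as its group name.
tunnel-group RA-USERS type remote-access
tunnel-group RA-USERS general-attributes
 address-pool RA-POOL
 authentication-server-group RADIUS-SRV
 default-group-policy RA-POLICY
tunnel-group RA-USERS ipsec-attributes
 ikev1 pre-shared-key <group-pre-shared-key>
```

After a client connects, show crypto ikev1 sa confirms the Phase 1 SA, show crypto ipsec sa shows the pair of Phase 2 SAs with their SPIs and packet counters (and whether they were negotiated through NAT-T), and show vpn-sessiondb lists the session with the address it drew from RA-POOL. To replace the default "tunnel everything" behaviour with split tunnelling for only some users, attach a different group policy to a separate tunnel group rather than editing the split-tunnel ACL in place.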
