User Guide

Appendix A Cisco VPN Server Configuration 69
IPSec Settings
Use the following IPSec settings:
• Mode: Tunnel Mode
• IKE Exchange Modes: Aggressive Mode for pre-shared key and hybrid authentication, Main Mode for certificate authentication.
• Encryption Algorithms: 3DES, AES-128, AES-256
• Authentication Algorithms: HMAC-MD5, HMAC-SHA1
• Diffie-Hellman Groups: Group 2 is required for pre-shared key and hybrid authentication. For certificate authentication, use Group 2 with 3DES and AES-128. Use Group 2 or 5 with AES-256.
• PFS (Perfect Forward Secrecy): For IKE phase 2, if PFS is used, the Diffie-Hellman group must be the same as was used for IKE phase 1.
• Mode Configuration: Must be enabled.
• Dead Peer Detection: Recommended.
• Standard NAT Traversal: Supported and can be enabled if desired. (IPSec over TCP isn't supported.)
• Load Balancing: Supported and can be enabled if desired.
• Re-keying of Phase 1: Not currently supported. Recommend that re-keying times on the server be set to approximately one hour.
• ASA Address Mask: Make sure that all device address pool masks are either not set, or are set to 255.255.255.255. For example:
asa(config-webvpn)# ip local pool vpn_users 10.0.0.1-10.0.0.254 mask 255.255.255.255
When using the recommended address mask, some routes assumed by the VPN configuration might be ignored. To avoid this, make sure that your routing table contains all necessary routes and verify that the subnet addresses are accessible before deployment.
Other Supported Features
iPhone and iPod touch support the following:
• Application Version: The client software version is sent to the server, allowing the server to accept or reject connections based on the device's software version.
• Banner: The banner, if configured on the server, is displayed on the device and the user must accept it or disconnect.
• Split Tunnel: Split tunneling is supported.
• Split DNS: Split DNS is supported.
• Default Domain: Default domain is supported.
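The following ASA configuration fragment is an added example, not text from this guide or from Cisco, showing how the IPSec settings above and the client features in this section fit together for a pre-shared-key tunnel group. It assumes the IKEv1 command syntax of ASA 8.x. The pool name vpn_users and its host mask are taken from the guide; the policy name ios_policy, the tunnel group ios_group, the access list SPLIT-ACL, the network 192.168.10.0/24, the domain example.com, the banner text and the placeholder pre-shared key are assumptions. It picks AES-256 with HMAC-SHA1 and Diffie-Hellman group 5, the strongest combination the guide lists, and keeps the PFS group equal to the phase 1 group as the guide requires.

```cisco
! Phase 1 (IKEv1) policy for pre-shared-key clients: AES-256, SHA1, DH group 5
! (allowed with AES-256), and a one-hour lifetime, since the client does not
! re-key phase 1 itself and the guide recommends roughly one hour server-side.
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 3600
crypto isakmp enable outside
! Standard NAT traversal (UDP 4500) with 20-second keepalives; IPsec over TCP is not used.
crypto isakmp nat-traversal 20

! Phase 2 transform set matching the phase 1 cipher and hash.
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map DYN-MAP 10 set transform-set ESP-AES256-SHA
! PFS group must equal the phase 1 group (group 5 here).
crypto dynamic-map DYN-MAP 10 set pfs group5
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-MAP
crypto map OUTSIDE-MAP interface outside

! Address pool with the recommended host mask (pool name and range from the guide).
ip local pool vpn_users 10.0.0.1-10.0.0.254 mask 255.255.255.255

! Networks reached through the tunnel when split tunneling is used (assumed network).
access-list SPLIT-ACL standard permit 192.168.10.0 255.255.255.0

! Group policy carrying the client-side features the guide lists as supported:
! split tunnel, split DNS, default domain and banner.
group-policy ios_policy internal
group-policy ios_policy attributes
 vpn-tunnel-protocol ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-ACL
 split-dns value example.com
 default-domain value example.com
 banner value Authorized users only. Disconnect if you do not agree.

! Remote-access tunnel group; its name is the group identity the client sends in
! aggressive mode, and its address pool is delivered via mode configuration.
tunnel-group ios_group type remote-access
tunnel-group ios_group general-attributes
 address-pool vpn_users
 default-group-policy ios_policy
tunnel-group ios_group ipsec-attributes
 pre-shared-key REPLACE_WITH_GROUP_SECRET
 ! Dead peer detection: probe after 20 s of silence, retry every 3 s.
 isakmp keepalive threshold 20 retry 3
```

Before deployment, confirm with `show running-config crypto` that the phase 1 group and the dynamic-map PFS group are identical, and with `show run ip local pool` that every pool used by device tunnel groups carries the 255.255.255.255 mask; a pool with a subnet mask is the most common reason a device connects but cannot reach internal routes.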