System information

Release Notes for Cisco VPN 3000 Series Concentrator, Release 3.6 Through 3.6.8.B
OL-5637-02
New Features in Release 3.6.1
Note Versions of the VPN Client prior to Release 3.6.1 do not support NAT-T. If you have an older VPN
Client, the VPN Concentrator determines that the client is incapable of NAT-T during tunnel
establishment and the NAT-T setting has no effect for that particular tunnel. These clients, therefore,
continue to work as they did previously.
LAN-to-LAN NAT Traversal
With Release 3.6.1, you can also enable NAT traversal for LAN-to-LAN sessions. For a LAN-to-LAN
connection, you must also check the IPSec over NAT-T check box in the Configuration | System |
Tunneling Protocols | IPSec LAN-to-LAN | Add or Modify screen.
LAN-to-LAN NAT Traversal has the following limitations and requirements:
• You must open UDP port 4500 on any firewall you have configured in front of a VPN Concentrator.
This is the destination port for the inbound direction from any source port.
• Because NAT-T depends on UDP port 4500 being available, if a previous IPSec/UDP configuration
is already using that port, you must reconfigure that earlier IPSec/UDP configuration to use a
different UDP port.
Advanced Encryption Standard (AES)
Release 3.6.1 adds support for Advanced Encryption Standard (AES), which is more secure than DES
and more efficient than triple DES. It also adds:
• One active IKE proposal, IKE-AES 128-SHA, to the default proposal list.
• Two inactive proposals, IKE-AES 192-SHA and IKE-AES 256-SHA.
• A new default IPSec SA to support the AES algorithm, ESP-AES128-SHA.
If you configure AES on a VPN 3000 Concentrator group, only clients that support AES (such as the
VPN Client, Release 3.6.1) can connect to that group.
To select AES as the Encryption parameter for a tunnel, go to Configuration | System | Tunneling
Protocols | IPSec LAN-to-LAN.
Note The VPN Client and the VPN 3002 Hardware Client no longer support DES/SHA encryption. Existing
Connection Entry profiles that use DES/SHA can no longer connect. Redefine the connection to use a
different encryption standard. See the VPN Client Administrator Guide for a list of these standards.
Support for Diffie-Hellman Group 5
Release 3.6.1 adds support for Diffie-Hellman Group 5 (the 1536-bit MODP group) for use with
LAN-to-LAN connections or VPN Client connections that use digital certificates. You can use DH Group 5
with 3DES.
To configure DH 5 and AES, go to Configuration | System | Tunneling Protocols | IPSec | IKE Proposals.
To add DH 5 and AES to the Perfect Forward Secrecy parameter, go to Configuration | Policy
Management | Traffic Management | Security Associations.
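The NAT-T port requirements, the AES proposal defaults, the DES/SHA client restriction and the DH Group 5 limits described above all reduce to checks that can be run against an exported configuration before enabling NAT-T or changing proposals. The script below is an added example and is not Cisco code or anything the concentrator ships: the concentrator exposes these settings only through its web screens, so the dataclasses are a hypothetical export of those screen fields, and the tunnel names, the proposal names other than the three AES entries named in the notes, the DH group numbers on the older entries and the firewall port set are constructed assumptions.

```python
"""Audit VPN 3000 Concentrator settings against the Release 3.6.1 rules.
Added example, not Cisco code: the dataclasses are a hypothetical export of
the fields held on the screens the notes name."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

NAT_T_PORT = 4500  # fixed by NAT-T; the concentrator cannot move it


@dataclass
class IkeProposal:
    name: str
    encryption: str  # "DES", "3DES", "AES-128", "AES-192" or "AES-256"
    hash_alg: str    # "MD5" or "SHA"
    dh_group: int
    active: bool     # inactive proposals are never offered


@dataclass
class Tunnel:
    name: str
    kind: str                      # "lan-to-lan" or "client-group"
    nat_t: bool                    # the "IPSec over NAT-T" check box
    ipsec_udp_port: Optional[int]  # legacy IPSec/UDP port, None if off
    auth: str                      # "preshared" or "certificate"
    proposals: List[str]           # IKE proposal names allowed here


def audit(tunnels: List[Tunnel], proposals: List[IkeProposal],
          open_udp: Set[int]) -> List[str]:
    """One finding per violated rule; open_udp = UDP dst ports the firewall
    in front of the concentrator allows inbound. Empty list means clean."""
    out: List[str] = []
    by_name: Dict[str, IkeProposal] = {p.name: p for p in proposals}

    if any(t.nat_t for t in tunnels):
        if NAT_T_PORT not in open_udp:
            out.append(f"firewall: UDP/{NAT_T_PORT} inbound is closed")
        for t in tunnels:
            # NAT-T owns 4500; an older IPSec/UDP setting on it must move.
            if t.ipsec_udp_port == NAT_T_PORT:
                out.append(f"{t.name}: IPSec/UDP on {NAT_T_PORT} collides "
                           "with NAT-T, choose another port")

    for t in tunnels:
        client = t.kind == "client-group"
        for name in t.proposals:
            p = by_name[name]
            if not p.active:
                out.append(f"{t.name}: {name} is inactive")
            if client and (p.encryption, p.hash_alg) == ("DES", "SHA"):
                out.append(f"{t.name}: {name} is DES/SHA, no longer supported "
                           "by the 3.6.1 VPN Client and VPN 3002")
            if client and p.dh_group == 5 and t.auth != "certificate":
                out.append(f"{t.name}: {name} uses DH group 5, which client "
                           "connections get only with digital certificates")
    return out


# Constructed list: the three AES entries are those the notes add; the rest
# stand in for pre-existing entries (names and groups are assumptions).
PROPOSALS = [
    IkeProposal("IKE-3DES-MD5", "3DES", "MD5", 2, True),
    IkeProposal("IKE-DES-SHA", "DES", "SHA", 1, True),
    IkeProposal("IKE-AES128-SHA", "AES-128", "SHA", 2, True),
    IkeProposal("IKE-AES192-SHA", "AES-192", "SHA", 2, False),
    IkeProposal("IKE-AES256-SHA", "AES-256", "SHA", 2, False),
    IkeProposal("IKE-3DES-SHA-DH5", "3DES", "SHA", 5, True),
]


def before_fix() -> List[str]:
    """Constructed deployment right after ticking IPSec over NAT-T."""
    tunnels = [
        Tunnel("branch", "lan-to-lan", True, None, "preshared",
               ["IKE-AES128-SHA", "IKE-AES256-SHA"]),
        Tunnel("road-warriors", "client-group", True, 4500, "preshared",
               ["IKE-DES-SHA", "IKE-3DES-MD5"]),
        Tunnel("psk-dh5", "client-group", False, None, "preshared",
               ["IKE-3DES-SHA-DH5"]),
    ]
    return audit(tunnels, PROPOSALS, {500, 10000})


def after_fix() -> List[str]:
    """Same deployment with each finding from before_fix() corrected."""
    tunnels = [
        Tunnel("branch", "lan-to-lan", True, None, "preshared",
               ["IKE-AES128-SHA"]),
        Tunnel("road-warriors", "client-group", True, 10000, "preshared",
               ["IKE-AES128-SHA", "IKE-3DES-MD5"]),
        Tunnel("psk-dh5", "client-group", False, None, "certificate",
               ["IKE-3DES-SHA-DH5"]),
    ]
    return audit(tunnels, PROPOSALS, {500, 4500, 10000})


if __name__ == "__main__":
    print("\n".join(before_fix()) or "clean")
    print(after_fix() or "clean")
```

Running it prints five findings for the "before" deployment (closed UDP/4500, the IPSec/UDP collision on 4500, an inactive AES-256 proposal that will never be negotiated, a DES/SHA proposal the 3.6.1 clients can no longer use, and DH Group 5 on a pre-shared-key client group) and reports the corrected deployment as clean. The inactive-proposal check is not a rule from the notes, it is there because the two larger AES proposals ship inactive and are easy to assign to a tunnel by mistake.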