Release Notes for Cisco VPN 3000 Series Concentrator, Release 3.6 Through 3.6.8.B
OL-5637-02
New Features in Release 3.6.1
CRL over HTTP
You can now configure the VPN Concentrator to use the HTTP protocol to retrieve a certificate
revocation list (CRL) from a distribution point. If you choose HTTP, you must assign HTTP rules to the
public interface filter if you access your distribution points through the public interface. For example,
enabling this feature supports the use of public key infrastructures (PKI), such as Verisign, that require the
use of HTTP.
To configure CRL over HTTP, go to Configuration | System | Management Protocols | HTTP/HTTPS.
CRL Caching
You can configure the VPN 3000 Concentrator to store certificate revocation list (CRL) information in
volatile memory (RAM). CRL caching can potentially speed up the process of verifying the revocation
status of certificates. With CRL caching enabled, when the VPN Concentrator needs to check the
revocation status of a certificate, it first checks whether the required CRL exists in the cache and has not
expired. Then the VPN Concentrator checks the serial number of the certificate against a list of the serial
numbers in the CRL. If a match exists, the authentication fails.
To configure CRL caching, go to Administration | Certificate Management | Configure CA Certificate.
Backup CRL Distribution Points
You can now configure the VPN Concentrator to retrieve the CRL from the distribution points specified
in the certificate being checked, from a user-specified list of up to five static distribution points, or from
a combination of these. During IKE negotiation, if CRL checking is enabled, the VPN Concentrator
verifies the revocation status of the IKE peer certificate before allowing the tunnel to be established.
CRLs exist on external servers maintained by Certificate Authorities. If you configure retrieval of the
CRL from a list of distribution points, the VPN Concentrator tries each in turn until it either finds the
relevant CRL or exhausts the list.
To configure backup CRL distribution points, go to Administration | Certificate Management and select
the Configure option on the appropriate CA certificate.
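The following is an added example, not Cisco's code, that models the two behaviors described under CRL Caching and Backup CRL Distribution Points: a volatile cache that is consulted first and ignored once the CRL has expired, and an ordered walk through the certificate's own distribution points followed by up to five static backups until a CRL is found or the list is exhausted. HTTP retrieval is replaced by a constructed dictionary of URL-to-CRL entries (the URLs, issuer name and serial numbers are placeholders) so it runs offline.

```python
"""CRL lookup with an in-memory cache and ordered distribution points.

Added example, not Cisco's code: it models the two behaviours described in
the release notes (CRL caching with expiry, and falling back through a list
of distribution points until a CRL is found or the list is exhausted).
Network retrieval is replaced by a constructed dictionary so it runs offline.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Crl:
    issuer: str
    next_update: float          # epoch seconds; the CRL is stale once this has passed
    revoked_serials: frozenset  # certificate serial numbers listed as revoked


class CrlCache:
    """Volatile (RAM-only) store of CRLs keyed by issuer, with expiry checks."""

    def __init__(self):
        self._entries = {}
        self.hits = 0
        self.misses = 0

    def get(self, issuer, now):
        crl = self._entries.get(issuer)
        if crl is None or crl.next_update <= now:
            # Absent or expired: drop the stale entry and report a miss.
            self._entries.pop(issuer, None)
            self.misses += 1
            return None
        self.hits += 1
        return crl

    def put(self, crl):
        self._entries[crl.issuer] = crl


def fetch_crl(url, servers):
    """Stand-in for an HTTP retrieval: None models an unreachable distribution point."""
    return servers.get(url)


MAX_STATIC_DPS = 5  # the release notes allow up to five user-specified static points


def retrieve_crl(issuer, cert_dps, static_dps, servers):
    """Try the certificate's own distribution points, then the static backups, in order."""
    if len(static_dps) > MAX_STATIC_DPS:
        raise ValueError("at most %d static distribution points" % MAX_STATIC_DPS)
    for url in list(cert_dps) + list(static_dps):
        crl = fetch_crl(url, servers)
        if crl is not None and crl.issuer == issuer:
            return crl, url
    return None, None


def check_revocation(serial, issuer, cert_dps, static_dps, cache, servers, now):
    """Return (status, source): status is 'good', 'revoked' or 'unknown'."""
    crl = cache.get(issuer, now)
    source = "cache"
    if crl is None:
        crl, source = retrieve_crl(issuer, cert_dps, static_dps, servers)
        if crl is None:
            return "unknown", None  # no CRL obtainable; the caller decides whether to fail closed
        cache.put(crl)
    if serial in crl.revoked_serials:
        return "revoked", source
    return "good", source


def demo():
    """Constructed scenario: the primary point is down, the backup serves the CRL."""
    now = 1_700_000_000.0
    primary = "http://crl.example.test/ca1.crl"        # constructed URL, unreachable here
    backup = "http://crl-backup.example.test/ca1.crl"  # constructed URL
    servers = {primary: None, backup: Crl("CA1", now + 3600, frozenset({0x10, 0x2A}))}
    cache = CrlCache()
    args = ("CA1", [primary], [backup], cache, servers)
    first = check_revocation(0x2A, *args, now)          # miss, fetched from backup, revoked
    second = check_revocation(0x11, *args, now)         # served from cache, not revoked
    # Two hours later the cached entry has expired, so the CRL is fetched again
    # (the constructed server simply hands back the same CRL object).
    third = check_revocation(0x11, *args, now + 7200)
    # Only the unreachable point and no backups: the list is exhausted.
    nothing = check_revocation(0x11, "CA1", [primary], [], CrlCache(), servers, now)
    return {"first": first, "second": second, "third": third,
            "exhausted": nothing, "hits": cache.hits, "misses": cache.misses}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The "unknown" outcome is the case a practitioner should watch: when every distribution point is unreachable, the result is not "good", and whether the tunnel is then refused or allowed is a separate policy decision.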
SDI Upgrade (ACE/Agent Enhancements)
Release 3.6.1 updates the implementation of the RSA ACE/Agent on the VPN Concentrator to the
RSA/ACE Agent 5.0 release. It supports ACE/Server Replicas (a more advanced primary/backup feature
than what was in earlier versions), two-step authentication, load balancing, and group-based support for
multiple node secrets.
Split DNS
Split DNS lets an internal DNS server resolve a list of centrally-defined Local Domain Names (LDN),
while ISP-assigned DNS servers resolve all other DNS requests. This feature is used in a split-tunneling
connection. You configure LDNs on a Base Group/Group basis.
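As an added example (not Cisco's code), the selection rule described above can be modelled as a suffix match of each query name against the LDN list, with the internal server chosen on a match and the ISP-assigned server otherwise. The resolver addresses and domain names are constructed placeholders; the label-boundary check is the detail that keeps a name like notcorp.example from being mistaken for a subdomain of corp.example.

```python
"""Split-DNS resolver selection.

Added example, not Cisco's code: it models the rule from the release notes
that queries under a centrally defined Local Domain Name (LDN) list go to the
internal DNS server, while every other query goes to the ISP-assigned servers.
The resolver addresses and domain names are constructed placeholders.
"""

INTERNAL_DNS = ["10.0.0.53"]    # constructed: reached through the tunnel
ISP_DNS = ["203.0.113.53"]      # constructed: ISP-assigned resolver


def normalize(name):
    """Lower-case and strip the trailing dot so 'CORP.EXAMPLE.' equals 'corp.example'."""
    return name.strip().rstrip(".").lower()


def matches_ldn(query, ldn):
    """True when query equals ldn or is a subdomain of it on a label boundary.

    The '.' prefix in the suffix test keeps 'notcorp.example' from matching 'corp.example'.
    """
    q, d = normalize(query), normalize(ldn)
    return q == d or q.endswith("." + d)


def select_resolvers(query, local_domains):
    """Return (server_list, matched_ldn); matched_ldn is None for ISP-bound queries."""
    for ldn in local_domains:
        if matches_ldn(query, ldn):
            return INTERNAL_DNS, normalize(ldn)
    return ISP_DNS, None


if __name__ == "__main__":
    for name in ["intranet.corp.example", "notcorp.example", "CORP.EXAMPLE."]:
        print(name, "->", select_resolvers(name, ["corp.example"]))
```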