Switch User Manual
12 User Management
VPN 3000 Concentrator Series User Guide
Note: The setting of the Inherit? check box takes priority over an entry in a Value field. Examine this box before continuing and be sure its setting reflects your intent.
IPSec SA
Click the drop-down menu button and select the IPSec Security Association (SA) assigned to this IPSec user. During tunnel establishment, the user client and server negotiate a Security Association that governs authentication, encryption, encapsulation, key management, etc. You configure IPSec Security Associations on the Configuration | Policy Management | Traffic Management | Security Associations screens.
To use IPSec with remote-access clients, you must assign an SA. With IPSec LAN-to-LAN connections, the system ignores this selection and uses parameters from the Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN screens.
The VPN Concentrator supplies these default selections:
--None-- = No SA assigned.
ESP-DES-MD5 = This SA uses DES 56-bit data encryption for both the IKE tunnel and IPSec traffic, ESP/MD5/HMAC-128 authentication for IPSec traffic, and MD5/HMAC-128 authentication for the IKE tunnel.
ESP-3DES-MD5 = This SA uses Triple-DES 168-bit data encryption and ESP/MD5/HMAC-128 authentication for IPSec traffic, and DES-56 encryption and MD5/HMAC-128 authentication for the IKE tunnel.
ESP/IKE-3DES-MD5 = This SA uses Triple-DES 168-bit data encryption for both the IKE tunnel and IPSec traffic, ESP/MD5/HMAC-128 authentication for IPSec traffic, and MD5/HMAC-128 authentication for the IKE tunnel.
ESP-3DES-NONE = This SA uses Triple-DES 168-bit data encryption and no authentication for IPSec traffic, and DES-56 encryption and MD5/HMAC-128 authentication for the IKE tunnel.
ESP-L2TP-TRANSPORT = This SA uses DES 56-bit data encryption and ESP/MD5/HMAC-128 authentication for IPSec traffic (with ESP applied only to the transport layer segment), and it uses Triple-DES 168-bit data encryption and MD5/HMAC-128 for the IKE tunnel. Use this SA with the L2TP over IPSec tunneling protocol.
Additional SAs that you have configured also appear on the list.
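The default SA names do not always reflect what protects the IKE tunnel (ESP-3DES-MD5, for example, still negotiates IKE under DES-56). The following audit sketch is an added example, not part of the original guide or of any Cisco tool: it encodes the default SA parameters listed above and reports, per user, DES-56 encryption and unauthenticated IPSec traffic. The user list format, the user names, and the choice of what to flag are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SA:
    ike_enc: str     # encryption for the IKE tunnel
    ipsec_enc: str   # encryption for IPSec traffic
    ipsec_auth: str  # ESP authentication for IPSec traffic, or "NONE"

# Parameters transcribed from the default SA list in this section.
DEFAULT_SAS = {
    "ESP-DES-MD5":        SA("DES-56", "DES-56", "MD5/HMAC-128"),
    "ESP-3DES-MD5":       SA("DES-56", "3DES-168", "MD5/HMAC-128"),
    "ESP/IKE-3DES-MD5":   SA("3DES-168", "3DES-168", "MD5/HMAC-128"),
    "ESP-3DES-NONE":      SA("DES-56", "3DES-168", "NONE"),
    "ESP-L2TP-TRANSPORT": SA("3DES-168", "DES-56", "MD5/HMAC-128"),
}

def findings(sa_name, tunnel="remote-access"):
    """Return the issues raised by the SA assigned to one IPSec user."""
    if tunnel == "lan-to-lan":
        return []  # the selection is ignored; the LAN-to-LAN screens apply
    if sa_name == "--None--":
        return ["no SA assigned, but remote-access IPSec requires one"]
    sa = DEFAULT_SAS.get(sa_name)
    if sa is None:
        return ["SA is not a listed default: review its parameters manually"]
    issues = []
    if sa.ike_enc == "DES-56":
        issues.append("IKE tunnel uses DES-56")
    if sa.ipsec_enc == "DES-56":
        issues.append("IPSec traffic uses DES-56")
    if sa.ipsec_auth == "NONE":
        issues.append("IPSec traffic is not authenticated")
    return issues

def audit(users):
    """users: iterable of (name, sa_name, tunnel). Returns {name: issues}."""
    report = {}
    for name, sa_name, tunnel in users:
        issues = findings(sa_name, tunnel)
        if issues:
            report[name] = issues
    return report

# Constructed sample assignments (hypothetical user names).
SAMPLE_USERS = [
    ("alice", "ESP/IKE-3DES-MD5", "remote-access"),
    ("bob", "ESP-3DES-MD5", "remote-access"),
    ("carol", "ESP-3DES-NONE", "remote-access"),
    ("site-b", "ESP-DES-MD5", "lan-to-lan"),
]

if __name__ == "__main__":
    for user, issues in audit(SAMPLE_USERS).items():
        print(user, "->", "; ".join(issues))
```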
Store Password on Client
Check the box to allow this IPSec user (client) to store the login password on the client system. If you do not allow password storage, IPSec users must enter their password each time they seek access to the VPN. For maximum security, we recommend that you not allow password storage.










