Cisco ASA 5505 Configuration Manual page 1271
Asa 5500 series
Hide thumbs
Also See for ASA 5505:
- Getting started manual (168 pages) ,
- Administrator's manual (118 pages) ,
- Hardware installation manual (82 pages)
Table of Contents
Advertisement
Chapter 62
VPN
Encryption
Method
AES-192
AES-256
•
The default value for the VPN 3000 Series Concentrator is MD5. A connection between the adaptive
Note
security appliance and the VPN Concentrator requires that the authentication method for Phase I and
Phase II IKE negotiations be the same on both sides of the connection.
•
Modes
The following table shows the modes in which this feature is available:
Firewall Mode
Routed
•
Hosts and Networks
Use the Hosts and Networks pane to identify local and remote hosts and networks that can use this
LAN-to-LAN IPsec tunnel to send and receive data.
OL-20339-01
Explanation
AES using a 192-bit key.
AES using a 256-bit key
The default, 3DES, is more secure than DES but requires more processing for encryption and
decryption. Similarly, the AES options provide increased security, but also require increased
processing.
Authentication—Choose the hash algorithm used for authentication and ensuring data integrity. The
default is SHA. MD5 has a smaller digest and is considered to be slightly faster than SHA. There
has been a demonstrated successful (but extremely difficult) attack against MD5. However, the
Keyed-Hash Message Authentication Code (HMAC) version used by the adaptive security appliance
prevents this attack.
Enable Perfect Forwarding Secrecy (PFS)—Specify whether to use Perfect Forward Secrecy, and the
size of the numbers to use, in generating Phase 2 IPsec keys. PFS is a cryptographic concept where each
new key is unrelated to any previous key. In IPsec negotiations, Phase 2 keys are based on Phase 1 keys
unless PFS is enabled. PFS uses Diffie-Hellman techniques to generate the keys.
PFS ensures that a session key derived from a set of long-term public and private keys is not
compromised if one of the private keys is compromised in the future.
PFS must be enabled on both sides of the connection.
Diffie-Hellman Group—Select the Diffie-Hellman group identifier, which the two IPsec peers
–
use to derive a shared secret without transmitting it to each other. The default, Group 2 (1024-bit
Diffie-Hellman), requires less CPU time to execute but is less secure than Group 5 (1536-bit).
Security Context
Transparent Single
—
•
Multiple
Context
System
—
—
Cisco ASA 5500 Series Configuration Guide using ASDM
VPN Wizard
62-7
- Quick Links:
- Starting Asdm
- Downloading the Asdm Launcher
Hide quick links:
Advertisement
Chapters
Table of Contents
