Configuring IPsec
Tunnel policies can be static or dynamic. A static tunnel policy identifies one or more remote IPsec peers
or subnetworks to which your security appliance permits IPsec connections. A static policy can be used
whether your security appliance initiates the connection or receives a connection request from a remote
host. A static policy requires you to enter the information necessary to identify permitted hosts or
networks.
A dynamic tunnel policy is used when you cannot or do not want to provide information about remote
hosts that are permitted to initiate a connection with the security appliance. If you are only using your
security appliance as a VPN client in relation to a remote VPN central-site device, you do not need to
configure any dynamic tunnel policies. Dynamic tunnel policies are most useful for allowing remote
access clients to initiate a connection to your network through a security appliance acting as the VPN
central-site device. A dynamic tunnel policy is useful when the remote access clients have dynamically
assigned IP addresses or when you do not want to configure separate policies for a large number of
remote access clients.
Fields
• Interface—Choose the interface name to which this policy applies.
• Policy Type—Choose the type, static or dynamic, of this tunnel policy.
• Priority—Enter the priority of the policy.
• Transform Set to Be Added—Choose the transform set for the policy and click Add to move it to the list of active transform sets. Click Move Up or Move Down to rearrange the order of the transform sets in the list box. You can add a maximum of 11 transform sets to a crypto map entry or a dynamic crypto map entry.
• Peer Settings - Optional for Dynamic Crypto Map Entries—Configure the peer settings for the policy.
  – Connection Type—(Meaningful only for static tunnel policies.) Choose bidirectional, originate-only, or answer-only to specify the connection type of this policy. For LAN-to-LAN connections, choose bidirectional or answer-only (not originate-only). Choose answer-only for LAN-to-LAN redundancy.
  – IP Address of Peer to Be Added—Enter the IP address of the IPsec peer you are adding.
• Enable Perfect Forwarding Secrecy—Check to enable perfect forward secrecy for the policy. PFS is a cryptographic concept where each new key is unrelated to any previous key. In IPsec negotiations, Phase 2 keys are based on Phase 1 keys unless you specify Perfect Forward Secrecy.
• Diffie-Hellman Group—When you enable PFS you must also choose a Diffie-Hellman group which the adaptive security appliance uses to generate session keys. The choices are as follows:
  – Group 1 (768-bits) = Use perfect forward secrecy, and use Diffie-Hellman Group 1 to generate IPsec session keys, where the prime and generator numbers are 768 bits. This option is more secure but requires more processing overhead.
  – Group 2 (1024-bits) = Use perfect forward secrecy, and use Diffie-Hellman Group 2 to generate IPsec session keys, where the prime and generator numbers are 1024 bits. This option is more secure than Group 1 but requires more processing overhead.
  – Group 5 (1536-bits) = Use perfect forward secrecy, and use Diffie-Hellman Group 5 to generate IPsec session keys, where the prime and generator numbers are 1536 bits. This option is more secure than Group 2 but requires more processing overhead.
Modes
The following table shows the modes in which this feature is available:
Cisco ASA 5500 Series Configuration Guide using ASDM
63-12
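The ASDM fields above (peer, transform set, PFS and Diffie-Hellman group, connection type, static versus dynamic entry) end up as crypto map lines in the running configuration, and the PFS and DH-group choices are the ones worth auditing after the fact. The script below is an added example, not Cisco's code or part of this guide: it parses a constructed ASA-style crypto map fragment and reports entries that have PFS disabled (so Phase 2 keys are derived from Phase 1 keys) or that use the 768-bit Group 1, plus static entries that lack a peer address. The sample configuration, the `crypto map ... set pfs` default of group2 when no group is given, and the finding texts are assumptions made for the example.

```python
"""Audit crypto-map entries for the PFS / DH-group settings described on the page.

Added example (not Cisco's code). The configuration below is constructed for
illustration and mimics the ASA CLI equivalents of the ASDM tunnel-policy fields.
"""
import re
from collections import defaultdict

# Constructed sample: two static entries and one dynamic map bound to the
# crypto map under a high sequence number.
SAMPLE_CONFIG = """
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map OUTSIDE_MAP 10 match address L2L_HQ
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP 10 set pfs group5
crypto map OUTSIDE_MAP 10 set connection-type answer-only
crypto map OUTSIDE_MAP 20 match address L2L_BRANCH
crypto map OUTSIDE_MAP 20 set peer 198.51.100.7
crypto map OUTSIDE_MAP 20 set transform-set ESP-3DES-MD5
crypto map OUTSIDE_MAP 20 set pfs group1
crypto dynamic-map DYN_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN_MAP
crypto map OUTSIDE_MAP interface outside
"""

# Modulus sizes of the Diffie-Hellman groups listed on the page.
DH_GROUP_BITS = {"group1": 768, "group2": 1024, "group5": 1536}

STATIC_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")
DYNAMIC_RE = re.compile(r"^crypto dynamic-map (\S+) (\d+) (.+)$")


def _new_entry():
    # connection-type defaults to bidirectional; pfs None means PFS is off.
    return {"dynamic": False, "peers": [], "transform_sets": [], "pfs": None,
            "connection_type": "bidirectional", "match": None, "dynamic_ref": None}


def parse_crypto_maps(config):
    """Return {(map_name, seq): entry} for every static and dynamic crypto-map entry."""
    entries = defaultdict(_new_entry)
    for raw in config.strip().splitlines():
        line = raw.strip()
        m = DYNAMIC_RE.match(line)
        if m:
            name, seq, rest = m.groups()
            entry = entries[(name, int(seq))]
            entry["dynamic"] = True
        else:
            m = STATIC_RE.match(line)
            if not m:
                continue  # transform-set definitions, interface binding, etc.
            name, seq, rest = m.groups()
            entry = entries[(name, int(seq))]
        tokens = rest.split()
        if tokens[:2] == ["set", "peer"]:
            entry["peers"].extend(tokens[2:])
        elif tokens[:2] == ["set", "transform-set"]:
            entry["transform_sets"].extend(tokens[2:])
        elif tokens[:2] == ["set", "pfs"]:
            # Assumption for this example: "set pfs" with no group means group2.
            entry["pfs"] = tokens[2] if len(tokens) > 2 else "group2"
        elif tokens[:2] == ["set", "connection-type"]:
            entry["connection_type"] = tokens[2]
        elif tokens[:2] == ["match", "address"]:
            entry["match"] = tokens[2]
        elif tokens[:2] == ["ipsec-isakmp", "dynamic"]:
            entry["dynamic_ref"] = tokens[2]
    return dict(entries)


def audit_entry(entry):
    """Return the list of findings for one entry, following the page's guidance."""
    findings = []
    if entry["dynamic_ref"]:
        return findings  # only a pointer to a dynamic map; audited via that map's entries
    if not entry["transform_sets"]:
        findings.append("no transform set configured")
    if len(entry["transform_sets"]) > 11:
        findings.append("more than 11 transform sets (maximum per entry)")
    if not entry["dynamic"] and not entry["peers"]:
        findings.append("static entry without peer address")
    if entry["pfs"] is None:
        findings.append("PFS disabled: Phase 2 keys derived from Phase 1 keys")
    else:
        bits = DH_GROUP_BITS.get(entry["pfs"])
        if bits is not None and bits < 1024:
            findings.append(f"PFS uses {entry['pfs']} ({bits}-bit modulus)")
    return findings


def audit_config(config):
    """Map 'MAPNAME SEQ' -> findings for every crypto-map entry in the config."""
    return {f"{name} {seq}": audit_entry(entry)
            for (name, seq), entry in sorted(parse_crypto_maps(config).items())}


if __name__ == "__main__":
    for key, findings in audit_config(SAMPLE_CONFIG).items():
        print(key, "OK" if not findings else "; ".join(findings))
```

Run against the constructed sample, the script reports nothing for `OUTSIDE_MAP 10` (peer set, PFS with Group 5) and for the `65535` pointer entry, flags `OUTSIDE_MAP 20` for using the 768-bit Group 1, and flags `DYN_MAP 10` because PFS is not enabled on the dynamic map; the dynamic entry is not flagged for the missing peer, since the page states that peer settings are optional for dynamic crypto map entries.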
Chapter 63
Configuring IKE, Load Balancing, and NAC
OL-20339-01