Cisco ASA 5505 Configuration Manual page 1391

Chapter 64
General VPN Setup
Enable Reverse Route Injection—Provides the ability for static routes to be automatically inserted into the routing process for those networks and hosts that are protected by a remote tunnel endpoint.
Security Association Lifetime—Configures the duration of a Security Association (SA). This parameter specifies how to measure the lifetime of the IPsec SA keys, which is how long the IPsec SA lasts until it expires and must be renegotiated with new keys.
    Time—Specifies the SA lifetime in terms of hours (hh), minutes (mm) and seconds (ss).
    Traffic Volume—Defines the SA lifetime in terms of kilobytes of traffic. Enter the number of kilobytes of payload data after which the IPsec SA expires. Minimum is 100 KB, default is 10000 KB, maximum is 2147483647 KB.
Static Crypto Map Entry Parameters—Configure these additional parameters when the Peer IP Address is specified as Static:
    Connection Type—Specify the allowed negotiation as bidirectional, answer-only, or originate-only.
    Send ID Cert. Chain—Enables transmission of the entire certificate chain.
    IKE Negotiation Mode—Sets the mode for exchanging key information for setting up the SAs, Main or Aggressive. It also sets the mode that the initiator of the negotiation uses; the responder auto-negotiates. Aggressive Mode is faster, using fewer packets and fewer exchanges, but it does not protect the identity of the communicating parties. Main Mode is slower, using more packets and more exchanges, but it protects the identities of the communicating parties. This mode is more secure and it is the default selection. If you select Aggressive, the Diffie-Hellman Group list becomes active.
    Diffie-Hellman Group—An identifier that the two IPsec peers use to derive a shared secret without transmitting it to each other. The choices are Group 1 (768-bit), Group 2 (1024-bit), and Group 5 (1536-bit).
Managing CA Certificates
Clicking Manage under IKE Peer Authentication opens the Manage CA Certificates dialog box. Use this dialog box to view, add, edit, and delete entries on the list of CA certificates available for IKE peer authentication.
The Manage CA Certificates dialog box lists information about currently configured certificates, including information about whom the certificate was issued to, who issued the certificate, when the certificate expires, and usage data.
Fields
Add or Edit—Opens the Install Certificate dialog box or the Edit Certificate dialog box, which let you specify information about and install a certificate.
Show Details—Displays detailed information about a certificate that you select in the table.
Delete—Removes the selected certificate from the table. There is no confirmation or undo.
Modes
The following table shows the modes in which this feature is available:
OL-20339-01
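As an added example (not from the Cisco guide), the following Python script audits the static crypto map entry parameters described on this page as they appear in ASA CLI form: it flags Aggressive Mode, a Diffie-Hellman group below Group 5, and a Traffic Volume lifetime outside the 100 KB to 2147483647 KB range, and notes where Reverse Route Injection is enabled. The `crypto map <name> <seq> set ...` syntax and the sample configuration are assumptions made for illustration.

```python
import re
from collections import defaultdict
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536}  # modulus sizes of the groups listed on this page
MAX_KB_LIFETIME = 2147483647  # Traffic Volume maximum from the field description

# Constructed sample in ASA CLI form (assumed syntax; not from a real device).
SAMPLE_CONFIG = """\
crypto map outside_map 10 set phase1-mode aggressive 2
crypto map outside_map 10 set security-association lifetime seconds 28800 kilobytes 50
crypto map outside_map 10 set reverse-route
crypto map outside_map 10 set connection-type answer-only
crypto map outside_map 20 set phase1-mode main
crypto map outside_map 20 set security-association lifetime seconds 28800 kilobytes 10000
"""
ENTRY_RE = re.compile(r"^\s*crypto map (\S+) (\d+) set (.+?)\s*$")

def parse_crypto_map(config_text):
    """Collect the 'set ...' parameters of each crypto map entry, keyed by (name, seq)."""
    entries = defaultdict(dict)
    for m in filter(None, map(ENTRY_RE.match, config_text.splitlines())):
        params, rest = entries[(m.group(1), int(m.group(2)))], m.group(3).split()
        if rest[0] == "phase1-mode":  # IKE Negotiation Mode (+ DH group when aggressive)
            params["phase1_mode"] = rest[1]
            if len(rest) > 2:
                params["dh_group"] = int(rest[2])
        elif rest[:2] == ["security-association", "lifetime"]:  # Time / Traffic Volume
            for unit, value in zip(rest[2::2], rest[3::2]):
                params["lifetime_" + unit] = int(value)
        elif rest[0] == "reverse-route":  # Enable Reverse Route Injection
            params["reverse_route"] = True
        elif rest[0] == "connection-type":  # Connection Type
            params["connection_type"] = rest[1]
    return dict(entries)

def audit_entry(params):
    """Return review findings for one entry, following the field descriptions on this page."""
    findings = []
    if params.get("phase1_mode") == "aggressive":
        findings.append("aggressive mode: peer identities are not protected")
        bits = DH_GROUP_BITS.get(params.get("dh_group"))
        if bits is not None and bits < 1536:
            findings.append(f"DH group {params['dh_group']} ({bits}-bit) is below group 5 (1536-bit)")
    kb = params.get("lifetime_kilobytes")
    if kb is not None and not 100 <= kb <= MAX_KB_LIFETIME:
        findings.append(f"traffic-volume lifetime {kb} KB is outside 100..{MAX_KB_LIFETIME} KB")
    if params.get("reverse_route"):
        findings.append("RRI enabled: routes to the peer's protected networks are added automatically")
    return findings
```

Run `audit_entry` over each entry returned by `parse_crypto_map`; an entry using Main Mode with an in-range lifetime and no RRI produces an empty list.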
Mapping Certificates to IPsec or SSL VPN Connection Profiles
Cisco ASA 5500 Series Configuration Guide using ASDM
64-81