Cisco ISA500 Series Administration Manual page 62

Integrated security appliance

Wizards
Using the Site-to-Site Wizard to Establish the Site-to-Site VPN Tunnels
STEP 3
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
HASH: Specify the authentication algorithm for the VPN header. There are two HASH algorithms supported by the security appliance: SHA1 and MD5.

NOTE: Ensure that the authentication algorithm is configured identically on both sides.
Authentication: Specify the authentication method that the security appliance uses to establish the identity of each IPSec peer.
- PRE-SHARE: Uses a simple password based key to authenticate. The alpha-numeric key is shared with IKE peer. Pre-shared keys do not scale well with a growing network but are easier to set up in a small network.
- RSA-SIG: Uses a digital certificate to authenticate. RSA-SIG is a digital certificate with keys generated by the RSA signatures algorithm. In this case, a certificate must be configured in order for the RSA-Signature to work.
D-H Group: Choose the Diffie-Hellman group identifier. The identifier is used by two IPsec peers to derive a shared secret without transmitting it to each other. The D-H Group sets the strength of the algorithm in bits. The default is D-H Group 5. The lower the Diffie-Hellman group number, the less CPU time it requires to execute. The higher the Diffie-Hellman group number, the greater the security.
- Group 2 (1024-bit)
- Group 5 (1536-bit)
- Group 14 (2048-bit)
Lifetime: Enter the number of seconds for the IKE Security Association to
remain valid. The default is 24 hours. As a general rule, a shorter lifetime
provides more secure ISAKMP negotiations. However, with shorter lifetimes,
the security appliance sets up future IPsec SAs more quickly.
Click OK to save your settings.
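The following check is an added example, not part of the Cisco guide: it audits the IKE policy settings described above for both ends of a tunnel before they are entered in the wizard. The hash-must-match rule comes from the NOTE on this page; requiring the authentication method and D-H group to match as well reflects how IKE peers negotiate a policy. The dictionary field names, the pre-shared key length threshold, and the sample policies are assumptions made for the example.

```python
# Added example: field names and MIN_PSK_LEN are assumptions, not appliance identifiers.
HASHES = ("SHA1", "MD5")                 # hash options listed on this page
DH_BITS = {2: 1024, 5: 1536, 14: 2048}   # D-H groups listed on this page
MIN_PSK_LEN = 20                         # assumed local policy threshold

def audit_peer(name, pol):
    """Return (severity, side, field, message) findings for one peer's IKE policy."""
    out = []
    if pol["hash"] not in HASHES:
        out.append(("error", name, "hash", "not a supported hash"))
    elif pol["hash"] == "MD5":
        out.append(("warn", name, "hash", "MD5 is the weaker of the two options"))
    if pol["dh_group"] not in DH_BITS:
        out.append(("error", name, "dh_group", "not a listed group"))
    elif DH_BITS[pol["dh_group"]] < max(DH_BITS.values()):
        out.append(("warn", name, "dh_group",
                    f"{DH_BITS[pol['dh_group']]}-bit group; Group 14 is stronger"))
    if pol["auth"] == "PRE-SHARE":
        if len(pol.get("psk", "")) < MIN_PSK_LEN:
            out.append(("warn", name, "auth", "pre-shared key shorter than threshold"))
    elif pol["auth"] == "RSA-SIG":
        if not pol.get("certificate"):
            out.append(("error", name, "auth", "RSA-SIG needs a configured certificate"))
    else:
        out.append(("error", name, "auth", "not a listed method"))
    if pol["lifetime"] <= 0:
        out.append(("error", name, "lifetime", "must be a positive number of seconds"))
    return out

def audit_tunnel(local, remote):
    """Audit both peers, then check the settings that must agree on both sides."""
    findings = audit_peer("local", local) + audit_peer("remote", remote)
    for field in ("hash", "auth", "dh_group"):
        if local[field] != remote[field]:
            findings.append(("error", "both", field,
                             f"mismatch: {local[field]} vs {remote[field]}"))
    if local["auth"] == remote["auth"] == "PRE-SHARE" and local.get("psk") != remote.get("psk"):
        findings.append(("error", "both", "auth", "pre-shared keys differ"))
    return findings

# Constructed sample policies (lifetime 86400 s = the 24-hour default).
SITE_A = {"hash": "SHA1", "auth": "PRE-SHARE", "psk": "constructed-example-key-0001",
          "dh_group": 14, "lifetime": 86400}
SITE_B = dict(SITE_A, hash="MD5", dh_group=5)

if __name__ == "__main__":
    for finding in audit_tunnel(SITE_A, SITE_B):
        print(*finding, sep=" | ")
```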

This manual is also suitable for: ISA550, ISA570, ISA570W, ISA550W
