Cisco PIX 500 Series Configuration Manual page 565
Chapter 27
Configuring IPSec and ISAKMP
Phase 1 creates the first tunnel, which protects later ISAKMP negotiation messages. Phase 2 creates the tunnel that protects data.

To set the terms of the ISAKMP negotiations, you create an ISAKMP policy, which includes the following:

- An authentication method, to ensure the identity of the peers.
- An encryption method, to protect the data and ensure privacy.
- A Hashed Message Authentication Codes (HMAC) method, to ensure the identity of the sender and to ensure that the message has not been modified in transit.
- A Diffie-Hellman group, to determine the strength of the encryption-key-determination algorithm. The security appliance uses this algorithm to derive the encryption and hash keys.
- A limit to the time the security appliance uses an encryption key before replacing it.

Table 27-1 provides information about the ISAKMP policy keywords and their values.

Table 27-1  ISAKMP Policy Keywords for CLI Commands

Command: crypto isakmp policy authentication
Specifies the authentication method the security appliance uses to establish the identity of each IPSec peer.
  rsa-sig              A digital certificate with keys generated by the RSA signatures algorithm.
  crack                Challenge/Response for Authenticated Cryptographic Keys (CRACK). CRACK provides strong mutual authentication when the client authenticates using a legacy method such as RADIUS and the server uses public key authentication.
  pre-share (default)  Preshared keys. Preshared keys do not scale well with a growing network but are easier to set up in a small network.

Command: crypto isakmp policy encryption
Specifies the symmetric encryption algorithm that protects data transmitted between two IPSec peers. The default is 168-bit Triple DES.
  des                  56-bit DES-CBC.
  3des (default)       168-bit Triple DES.
  aes, aes-192, aes-256
                       The Advanced Encryption Standard (AES) supports key lengths of 128, 192, and 256 bits.

Command: crypto isakmp policy hash
Specifies the hash algorithm used to ensure data integrity. It ensures that a packet comes from where it says it comes from, and that it has not been modified in transit. The default is SHA-1.
  sha (default)        SHA-1 (HMAC variant).
  md5                  MD5 (HMAC variant). MD5 has a smaller digest and is considered to be slightly faster than SHA-1. A successful (but extremely difficult) attack against MD5 has occurred; however, the HMAC variant IKE uses prevents this attack.
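As an added example, not code from the Cisco guide: a small Python audit that reads the flat PIX/ASA 7.x form of the command with its policy priority (crypto isakmp policy <priority> <attribute> <value>) out of a saved configuration, fills in the Table 27-1 defaults for any attribute a policy leaves unset, and flags the weaker keyword choices (des, md5) plus the scaling caveat the table gives for pre-share. The sample configuration and the finding wording are constructed here.

```python
import re
from collections import defaultdict

# PIX/ASA 7.x flat form: crypto isakmp policy <priority> <attribute> <value>
_POLICY_RE = re.compile(
    r"^\s*crypto isakmp policy (\d+) (authentication|encryption|hash|group|lifetime) (\S+)\s*$")

# Defaults from Table 27-1: an attribute a policy never sets keeps the default.
DEFAULTS = {"authentication": "pre-share", "encryption": "3des", "hash": "sha"}

# Findings keyed by (attribute, value); the wording is ours, not the guide's.
WEAK = {
    ("encryption", "des"): "56-bit DES-CBC is brute-forceable; use aes/aes-192/aes-256",
    ("hash", "md5"): "MD5 has a smaller digest than SHA-1; use sha",
}
NOTE = {("authentication", "pre-share"): "preshared keys do not scale; consider rsa-sig"}

def parse_isakmp_policies(config: str) -> dict:
    """Return {priority: {attribute: value}} with Table 27-1 defaults filled in."""
    policies = defaultdict(dict)
    for line in config.splitlines():
        m = _POLICY_RE.match(line)
        if m:
            policies[int(m.group(1))][m.group(2)] = m.group(3)
    return {prio: {**DEFAULTS, **attrs} for prio, attrs in sorted(policies.items())}

def audit(config: str) -> list:
    """One finding per weak or noteworthy setting, inherited defaults included."""
    findings = []
    for prio, attrs in parse_isakmp_policies(config).items():
        for attr, value in attrs.items():
            if (attr, value) in WEAK:
                findings.append(f"policy {prio}: WEAK {attr} {value}: {WEAK[attr, value]}")
            elif (attr, value) in NOTE:
                findings.append(f"policy {prio}: NOTE {attr} {value}: {NOTE[attr, value]}")
    return findings

# Constructed sample: policy 10 is explicit and strong; policy 20 sets only
# encryption and hash, so its authentication method is the pre-share default.
SAMPLE_CONFIG = """\
crypto isakmp policy 10 authentication rsa-sig
crypto isakmp policy 10 encryption aes-256
crypto isakmp policy 10 hash sha
crypto isakmp policy 20 encryption des
crypto isakmp policy 20 hash md5
crypto isakmp enable outside
"""
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

Feed it the output of show running-config; the point to notice is that policy 20 is reported on three counts even though only two of its attributes appear in the configuration.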
Cisco Security Appliance Command Line Configuration Guide (OL-12172-03), Configuring ISAKMP, page 27-3