Cisco PIX 500 Series Configuration Manual page 566
Configuring ISAKMP
Cisco Security Appliance Command Line Configuration Guide, Chapter 27: Configuring IPSec and ISAKMP, page 27-4 (OL-12172-03)

Table 27-1  ISAKMP Policy Keywords for CLI Commands (continued)

Command: crypto isakmp policy group
  Keyword / Meaning:
    1            Group 1 (768-bit)
    2 (default)  Group 2 (1024-bit)
    5            Group 5 (1536-bit)
    7            Group 7 (elliptic curve; field size is 163 bits)
  Description:
    Specifies the Diffie-Hellman group identifier, which the two IPSec peers use to derive a shared secret without transmitting it to each other.
    With the exception of Group 7, the lower the Diffie-Hellman group number, the less CPU time it requires to execute. The higher the Diffie-Hellman group number, the greater the security.
    Cisco VPN Client Version 3.x or higher requires a minimum of Group 2. (If you configure DH Group 1, the Cisco VPN Client cannot connect.)
    AES support is available on security appliances licensed for VPN-3DES only. To support the large key sizes required by AES, ISAKMP negotiation should use Diffie-Hellman (DH) Group 5.
    Designed for devices with low processing power, such as PDAs and mobile telephones, Group 7 provides the greatest security. The Certicom Movian Client requires Group 7.

Command: crypto isakmp policy lifetime
  Keyword / Meaning:
    integer value  120 to 2147483647 seconds (86400 = default)
  Description:
    Specifies the SA lifetime. The default is 86,400 seconds or 24 hours. As a general rule, a shorter lifetime provides more secure ISAKMP negotiations (up to a point). However, with shorter lifetimes, the security appliance sets up future IPSec SAs more quickly.

Each configuration supports a maximum of 20 ISAKMP policies, each with a different set of values. Assign a unique priority to each policy you create. The lower the priority number, the higher the priority.

When ISAKMP negotiations begin, the peer that initiates the negotiation sends all of its policies to the remote peer, and the remote peer tries to find a match. The remote peer checks all of the initiating peer's policies against each of its own configured policies in priority order (highest priority first) until it discovers a match. A match exists when both policies from the two peers contain the same encryption, hash, authentication, and Diffie-Hellman parameter values, and when the remote peer's policy specifies a lifetime less than or equal to the lifetime in the policy the initiator sent. If the lifetimes are not identical, the security appliance uses the shorter lifetime. If no acceptable match exists, ISAKMP refuses negotiation and the SA is not established.

There is an implicit trade-off between security and performance when you choose a specific value for each parameter. The level of security the default values provide is adequate for the security requirements of most organizations. If you are interoperating with a peer that supports only one of the values for a parameter, your choice is limited to that value.
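The matching rules described above, as an added worked example that is not Cisco's code: a small Python model of responder-side ISAKMP policy selection. The policy class, the helper names and the sample policy values are constructed for illustration; only the limits (20 policies, unique priorities, lifetime range, match rule) come from the manual.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class IsakmpPolicy:
    """One 'crypto isakmp policy <priority>' entry (hypothetical model)."""
    priority: int          # lower number = higher priority
    encryption: str        # e.g. "3des", "aes-256"
    hash_alg: str          # "sha" or "md5"
    authentication: str    # "pre-share" or "rsa-sig"
    group: int             # Diffie-Hellman group: 1, 2, 5 or 7
    lifetime: int          # seconds, 120 .. 2147483647 (86400 default)

def validate_policy_set(policies):
    """Limits stated in the manual: at most 20 policies, unique priorities, lifetime range."""
    if len(policies) > 20:
        raise ValueError("at most 20 ISAKMP policies per configuration")
    priorities = [p.priority for p in policies]
    if len(set(priorities)) != len(priorities):
        raise ValueError("each policy needs a unique priority")
    for p in policies:
        if not 120 <= p.lifetime <= 2147483647:
            raise ValueError(f"policy {p.priority}: lifetime out of range")

def negotiate(initiator, responder):
    """Responder-side match: the initiator sends all of its policies; the responder walks
    its own in priority order (lowest number first) and accepts the first that matches any
    proposal. Returns (responder priority, initiator priority, agreed lifetime) or None."""
    validate_policy_set(initiator)
    validate_policy_set(responder)
    for local in sorted(responder, key=lambda p: p.priority):
        for remote in initiator:
            same_params = (local.encryption, local.hash_alg, local.authentication, local.group) == \
                          (remote.encryption, remote.hash_alg, remote.authentication, remote.group)
            # responder lifetime must be <= the offered one; the shorter lifetime is used
            if same_params and local.lifetime <= remote.lifetime:
                return local.priority, remote.priority, min(local.lifetime, remote.lifetime)
    return None  # no acceptable match: ISAKMP refuses negotiation, no SA

# Constructed sample configurations (not taken from the manual)
INITIATOR = [
    IsakmpPolicy(10, "aes-256", "sha", "pre-share", 5, 86400),
    IsakmpPolicy(20, "3des", "sha", "pre-share", 2, 86400),
]
RESPONDER_OK = [
    IsakmpPolicy(5, "aes-256", "sha", "rsa-sig", 5, 86400),   # authentication differs: skipped
    IsakmpPolicy(10, "3des", "sha", "pre-share", 2, 28800),   # matches initiator 20; 28800 wins
]
RESPONDER_LONGER = [IsakmpPolicy(10, "3des", "sha", "pre-share", 2, 172800)]  # longer than offered
RESPONDER_GROUP1 = [IsakmpPolicy(10, "aes-256", "sha", "pre-share", 1, 86400)]  # DH group 1 vs 5
```

`negotiate(INITIATOR, RESPONDER_OK)` returns `(10, 20, 28800)`; the other two responder sets yield `None`, which is the "SA is not established" case.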