Chapter 63
Configuring IKE, Load Balancing, and NAC

Firewall Mode: Routed •, Transparent —
Security Context: Single •, Multiple Context —, System —
(• = supported, — = not supported)
Configuring IPsec
The adaptive security appliance uses IPsec for LAN-to-LAN VPN connections, and provides the option
of using IPsec for client-to-LAN VPN connections. In IPsec terminology, a "peer" is a remote-access
client or another secure gateway.
Note: The ASA supports LAN-to-LAN IPsec connections with Cisco peers (IPv4 or IPv6), and with third-party
peers that comply with all relevant standards.
During tunnel establishment, the two peers negotiate security associations that govern authentication,
encryption, encapsulation, and key management. These negotiations involve two phases: first, to
establish the tunnel (the IKE SA); and second, to govern traffic within the tunnel (the IPsec SA).
A LAN-to-LAN VPN connects networks in different geographic locations. In IPsec LAN-to-LAN
connections, the adaptive security appliance can function as initiator or responder. In IPsec
client-to-LAN connections, the adaptive security appliance functions only as responder. Initiators
propose SAs; responders accept, reject, or make counter-proposals—all in accordance with configured
SA parameters. To establish a connection, both entities must agree on the SAs.
The adaptive security appliance supports these IPsec attributes:
• Main mode for negotiating phase one ISAKMP security associations when using digital certificates
  for authentication
• Aggressive mode for negotiating phase one ISAKMP Security Associations (SAs) when using
  preshared keys for authentication
• Authentication Algorithms:
  – ESP-MD5-HMAC-128
  – ESP-SHA1-HMAC-160
• Authentication Modes:
  – Preshared Keys
  – X.509 Digital Certificates
• Diffie-Hellman Groups 1, 2, and 5
• Encryption Algorithms:
  – AES-128, -192, and -256
  – 3DES-168
  – DES-56
  – ESP-NULL
• Extended Authentication (XAuth)
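As an added example (not code from the guide or from Cisco), the following Python models the phase-one exchange described above using the attribute set this section lists: the initiator offers a ranked list of proposals, the responder accepts the first one that matches a configured policy or rejects them all and returns its own preferred policy as a counter-proposal, and a small audit flags the weaker supported options (DES-56, MD5, Diffie-Hellman group 1) so that a successful match is not mistaken for a strong one. The class and function names (IkePolicy, respond, audit, phase_one_mode) and all sample policy values are constructed for illustration; the exact-match rule ignores SA lifetimes.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class IkePolicy:
    """One phase-one (ISAKMP) proposal: the attribute set negotiated for the IKE SA.
    Hypothetical model, not the ASA's data structure."""
    encryption: str      # "aes-256", "aes-192", "aes-128", "3des" or "des"
    hash_alg: str        # "sha1" or "md5"
    authentication: str  # "pre-share" (preshared key) or "rsa-sig" (X.509 certificate)
    dh_group: int        # Diffie-Hellman group: 1, 2 or 5 on the platform described


@dataclass
class NegotiationResult:
    accepted: bool
    selected: Optional[IkePolicy]
    counter_proposal: Optional[IkePolicy]
    reason: str


def phase_one_mode(policy: IkePolicy) -> str:
    """Main mode goes with certificate authentication, aggressive mode with
    preshared keys, matching the two phase-one modes the section lists."""
    return "main" if policy.authentication == "rsa-sig" else "aggressive"


def respond(initiator_proposals: List[IkePolicy],
            responder_policies: List[IkePolicy]) -> NegotiationResult:
    """Responder side of phase one.

    Walk the initiator's proposals in the order offered and accept the first
    one that exactly equals a configured responder policy. If none matches,
    reject and return the responder's highest-priority policy as the
    counter-proposal (lifetimes are left out of this model).
    """
    for proposal in initiator_proposals:
        if proposal in responder_policies:
            return NegotiationResult(True, proposal, None,
                                     "proposal matched a configured policy")
    return NegotiationResult(False, None, responder_policies[0],
                             "no proposal matched; counter-proposal returned")


def audit(policy: IkePolicy) -> List[str]:
    """Flag attributes that the platform supports but that a configuration
    review would single out as weak."""
    findings = []
    if policy.encryption == "des":
        findings.append("encryption: DES-56")
    if policy.hash_alg == "md5":
        findings.append("hash: MD5-HMAC")
    if policy.dh_group == 1:
        findings.append("dh_group: Diffie-Hellman group 1")
    return findings


# Constructed sample policies (hypothetical, not taken from any real device)
STRONG_CERT = IkePolicy("aes-256", "sha1", "rsa-sig", 5)
RESPONDER_PREFERRED = IkePolicy("aes-128", "sha1", "rsa-sig", 2)
LEGACY_PSK = IkePolicy("3des", "md5", "pre-share", 2)
WEAKEST = IkePolicy("des", "md5", "pre-share", 1)

INITIATOR_PROPOSALS = [STRONG_CERT, LEGACY_PSK]
RESPONDER_POLICIES = [RESPONDER_PREFERRED, LEGACY_PSK]

if __name__ == "__main__":
    # First offer: the initiator's top proposal is not configured on the
    # responder, so the shared legacy policy is selected (aggressive mode, MD5 flagged).
    result = respond(INITIATOR_PROPOSALS, RESPONDER_POLICIES)
    print(result)
    if result.accepted:
        print("mode:", phase_one_mode(result.selected))
        print("findings:", audit(result.selected))
    # Second offer: nothing matches, so the responder rejects and counter-proposes.
    print(respond([WEAKEST], RESPONDER_POLICIES))
    print("findings:", audit(WEAKEST))
```

The point of running audit on the selected policy rather than on the responder's preferred one is that the negotiated SA is whatever the two policy lists have in common, which may be the weakest entry either side still carries.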
Cisco ASA 5500 Series Configuration Guide using ASDM, OL-20339-01, page 63-9