Cisco ASA 5505 Configuration Manual page 1293
Chapter 63    Configuring IKE, Load Balancing, and NAC
Creating IPsec Rule/Tunnel Policy (Crypto Map) - Advanced Tab

Fields

Modes

The following table shows the modes in which this feature is available:

Firewall Mode            Security Context
Routed    Transparent    Single    Multiple: Context    Multiple: System

OL-20339-01
Security Association Lifetime parameters—Configures the duration of a Security Association (SA). These parameters set how long the IPsec SA keys remain valid before the SA expires and must be renegotiated with new keys. If both a time and a traffic-volume lifetime are configured, the SA expires when either limit is reached first.
Time—Specifies the SA lifetime in hours (hh), minutes (mm), and seconds (ss).
Traffic Volume—Specifies the SA lifetime in kilobytes of traffic. Enter the number of kilobytes of payload data after which the IPsec SA expires. Minimum is 100 KB, default is 10000 KB, maximum is 2147483647 KB.
Enable NAT-T—Enables NAT Traversal (NAT-T) for this policy. NAT-T encapsulates ESP in UDP (port 4500) so that IPsec traffic can pass through a NAT device between the peers.
Enable Reverse Route Injection—Enables Reverse Route Injection (RRI) for this policy.
RRI adds routes for remote VPN clients or LAN-to-LAN sessions to the routing table so that an internal router running a dynamic routing protocol such as Open Shortest Path First (OSPF), Enhanced Interior Gateway Routing Protocol (EIGRP, available from ASA 8.0), or Routing Information Protocol (RIP) can learn them.
Static Type Only Settings—Specifies parameters for static tunnel policies.
CA Certificate—Choose the certificate (trustpoint) to use for authenticating the peer. The default is None (Use Preshared Keys); if you choose a certificate, the Enable entire chain transmission check box becomes active.
Enable entire chain transmission—Sends the entire trustpoint certificate chain to the peer rather than only the identity certificate.
IKE Negotiation Mode—Chooses the IKE negotiation mode, Main or Aggressive. This parameter sets the mode that the initiator uses for exchanging key information and setting up the SAs; the responder accepts whichever mode the initiator proposes. Aggressive Mode is faster, using fewer packets and exchanges, but it does not protect the identities of the communicating parties. With preshared keys, it also sends a hash derived from the key before any encryption is in place, so anyone who captures the exchange can attack the key offline. Main Mode is slower, using more packets and exchanges, but it protects the identities of the communicating parties. Main Mode is more secure and is the default selection. If you choose Aggressive, the Diffie-Hellman Group list becomes active.
Diffie-Hellman Group—Choose the Diffie-Hellman group to apply. The choices are Group 1 (768-bit), Group 2 (1024-bit), and Group 5 (1536-bit). All three are small by current standards; avoid Group 1 and choose the largest group the peer supports.
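The fields on this tab are written to the ASA configuration as crypto map set commands (set security-association lifetime, set reverse-route, set trustpoint ... chain, set phase1-mode). As an added example that is not part of the Cisco guide, the following script parses those commands from a constructed crypto map configuration and audits each entry for the weak choices the tab permits: aggressive mode with preshared keys and the small Diffie-Hellman groups. The map name, sequence numbers, ACL names, peer addresses, trustpoint name and lifetime values are made up for illustration; entry 10 is the weak policy and entry 20 the hardened form.

```python
import re
from typing import Dict, List, Tuple

# Constructed ASA 8.x crypto map configuration (illustration only, not taken from
# the Cisco guide). Entry 10 is a weak tunnel policy (preshared key, aggressive
# mode, Diffie-Hellman group 2); entry 20 is the hardened form (certificate
# authentication with chain transmission, main mode). Map name, sequence numbers,
# ACL names, peer addresses, trustpoint name and lifetimes are made up.
SAMPLE_CONFIG = """
crypto map outside_map 10 match address branch_acl
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set transform-set ESP-AES-256-SHA
crypto map outside_map 10 set security-association lifetime seconds 28800
crypto map outside_map 10 set security-association lifetime kilobytes 4608000
crypto map outside_map 10 set reverse-route
crypto map outside_map 10 set phase1-mode aggressive group2
crypto map outside_map 20 match address dc_acl
crypto map outside_map 20 set peer 198.51.100.20
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
crypto map outside_map 20 set security-association lifetime seconds 3600
crypto map outside_map 20 set trustpoint VPN_CA chain
crypto map outside_map 20 set phase1-mode main
crypto map outside_map interface outside
crypto isakmp nat-traversal 20
"""

# Groups offered on the Advanced tab, with their MODP sizes. All are below current
# guidance (2048-bit, group 14, or larger); group1 is deprecated outright.
DH_GROUP_BITS = {"group1": 768, "group2": 1024, "group5": 1536}

# Only "crypto map <name> <seq> set ..." lines carry per-entry tunnel policy settings.
SET_LINE = re.compile(r"^crypto map (\S+) (\d+) set (.+)$")


def new_entry() -> dict:
    return {
        "phase1_mode": "main",  # ASA default when no set phase1-mode line exists
        "dh_group": None,       # only present with aggressive mode
        "trustpoint": None,     # None means preshared-key authentication
        "chain": False,
        "reverse_route": False,
        "lifetime_seconds": None,
        "lifetime_kilobytes": None,
    }


def parse_crypto_maps(config: str) -> Dict[Tuple[str, str], dict]:
    """Collect the Advanced-tab settings of every crypto map entry in the config."""
    entries: Dict[Tuple[str, str], dict] = {}
    for raw in config.splitlines():
        match = SET_LINE.match(raw.strip())
        if not match:
            continue
        name, seq, setting = match.groups()
        entry = entries.setdefault((name, seq), new_entry())
        words = setting.split()
        if words[0] == "phase1-mode":
            entry["phase1_mode"] = words[1]
            if len(words) > 2:
                entry["dh_group"] = words[2]
        elif words[0] == "trustpoint":
            entry["trustpoint"] = words[1]
            entry["chain"] = "chain" in words[2:]
        elif words[0] == "reverse-route":
            entry["reverse_route"] = True
        elif words[:2] == ["security-association", "lifetime"]:
            if words[2] == "seconds":
                entry["lifetime_seconds"] = int(words[3])
            elif words[2] == "kilobytes":
                entry["lifetime_kilobytes"] = int(words[3])
    return entries


def audit_entry(entry: dict) -> List[str]:
    """Flag the weak IKE phase 1 choices this tab allows for one crypto map entry."""
    findings: List[str] = []
    if entry["phase1_mode"] == "aggressive":
        if entry["trustpoint"] is None:
            findings.append(
                "aggressive mode with a preshared key: the peer identity and a "
                "PSK-derived hash are sent unencrypted, so a captured exchange "
                "lets an attacker brute-force the PSK offline")
        else:
            findings.append("aggressive mode: peer identities are sent unencrypted")
        group = entry["dh_group"]
        if group in DH_GROUP_BITS:
            findings.append(
                f"Diffie-Hellman {group} ({DH_GROUP_BITS[group]}-bit MODP) is "
                "below current key-size guidance")
    return findings


def audit_config(config: str) -> Dict[str, List[str]]:
    """Map each 'name seq' entry to its findings; an empty list means no issue found."""
    return {f"{name} {seq}": audit_entry(entry)
            for (name, seq), entry in parse_crypto_maps(config).items()}


if __name__ == "__main__":
    for entry_id, findings in audit_config(SAMPLE_CONFIG).items():
        print(entry_id, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Run it against a saved `show running-config crypto map` to see which tunnel policies still rely on aggressive mode; entry 20 produces no findings because main mode with certificate authentication is the combination the tab's text recommends.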
Cisco ASA 5500 Series Configuration Guide using ASDM
Configuring IPsec
63-13