Cisco Firepower 4110 Preparative Procedures & Operational User Manual page 39

Cisco Preparative Procedures & Operational User Guide
o DH Groups: 14, 24

ESP Ciphers*:
o Encryption algorithms: AES-CBC-128, AES-CBC-256
o Integrity algorithms: SHA-1

Authentication: X.509v3 certificates
o create authority trustpoint_name

Traffic Selector: remote host or subnet
o set local-addr ip_address
o set remote-addr ip_address
o set remote-subnet ip/mask
o set remote-ike-ident remote_identity_name

IKE SA Life Time: Configurable up to 24 hours. Only time is supported.
o set ike-rekey-time minutes

IKE Child SA Life Time: Configurable up to 8 hours. Only time is supported.
o set esp-rekey-time minutes
* Not configurable
Security Policy Database (SPD)
In FXOS, the SPDs are pretty simple because FXOS is not operating as a VPN gateway, and the SPDs are
just based on IP addresses, so the type of traffic being tunneled (syslog, LDAP, etc.) is irrelevant to the
tunneling decisions.

The local-addr is the local management IP.

The remote-addr is the IP of the IPsec peer (in tunnel mode or transport mode).

A remote-subnet is applicable only in tunnel mode, and defines the subnet that would be
reachable beyond the remote-addr.

Outbound traffic will be encrypted when the source address is local-addr, *and*:
o the destination address is the remote-addr (in tunnel or transport mode); *or*
o the destination address is on the remote-subnet (in tunnel mode).

Outbound traffic will bypass the tunnel if:
o the destination address is *not* the remote-addr; *and*
o the destination address is *not* on the remote-subnet.

Inbound traffic will be dropped if:
o the source address (prior to decryption) is on the remote-subnet (in tunnel mode); *or*
o the source address is the remote-address, *and* the packets are *not* IKE or ESP.
© 2016 Cisco Systems, Inc. All rights reserved.