Chapter 1
Configuring IPsec and ISAKMP
• For IKEv2, a separate pseudo-random function (PRF) used as the algorithm to derive keying
  material and hashing operations required for the IKEv2 tunnel encryption and so on.
• A limit to the time the ASA uses an encryption key before replacing it.

With IKEv1 policies, you set one value for each parameter. For IKEv2, you can configure multiple
encryption and authentication types, and multiple integrity algorithms for a single policy. The ASA
orders the settings from the most secure to the least secure and negotiates with the peer using that order.
This ordering allows you to potentially send a single proposal to convey all the allowed transforms
instead of sending each allowed combination as with IKEv1.

Licensing Requirements for Remote Access IPsec VPNs

The following table shows the licensing requirements for this feature:

Model: ASA 5505
License Requirement:
• IPsec remote access VPN using IKEv2 (use one of the following):
  – AnyConnect Premium license:
    Base license and Security Plus license: 2 sessions.
    Optional permanent or time-based licenses: 10 or 25 sessions.
    Shared licenses are not supported.
  – AnyConnect Essentials license: 25 sessions.
• IPsec remote access VPN using IKEv1 and IPsec site-to-site VPN using IKEv1 or IKEv2:
  – Base license: 10 sessions.
  – Security Plus license: 25 sessions.

Model: ASA 5510
License Requirement:
• IPsec remote access VPN using IKEv2 (use one of the following):
  – AnyConnect Premium license:
    Base and Security Plus license: 2 sessions.
    Optional permanent or time-based licenses: 10, 25, 50, 100, or 250 sessions.
    Optional Shared licenses: Participant or Server. For the Server license, 500-50,000 in
    increments of 500 and 50,000-545,000 in increments of 1000.
  – AnyConnect Essentials license: 250 sessions.
• IPsec remote access VPN using IKEv1 and IPsec site-to-site VPN using IKEv1 or IKEv2:
  Base license and Security Plus license: 250 sessions.
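
The difference between IKEv1 and IKEv2 policies described earlier on this page, shown as an added configuration example that is not taken from the Cisco guide. The priority numbers and algorithm choices are assumptions, and the keywords accepted depend on the ASA software release.

```cisco
! IKEv1: one value per parameter, so each acceptable combination
! needs its own policy (priority numbers 10 and 20 are assumptions).
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ikev1 policy 20
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
!
! IKEv2: several values per parameter in a single policy. The ASA orders
! them from most to least secure and can offer them in one proposal.
crypto ikev2 policy 10
 encryption aes-256 aes-192 aes
 integrity sha256 sha
 prf sha256 sha
 group 5 2
 lifetime seconds 86400
```

Every value listed in the IKEv2 policy is one the ASA will accept from a peer, so list only the algorithms and groups you are willing to negotiate down to.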
Cisco ASA Series CLI Configuration Guide