Cisco ASA Series CLI Configuration Manual, page 1559

Software version 9.0 for the services module
Chapter 1
Configuring IPsec and ISAKMP
Table 1-1   IKEv1 Policy Keywords for CLI Commands

Command: authentication
  Keyword              Meaning
  rsa-sig              A digital certificate with keys generated by the RSA signatures algorithm
  crack                Challenge/Response for Authenticated Cryptographic Keys
  pre-share (default)  Preshared keys
  Description: Specifies the authentication method the ASA uses to establish the identity of each IPsec peer. CRACK provides strong mutual authentication when the client authenticates using a legacy method such as RADIUS, and the server uses public key authentication. Preshared keys do not scale well with a growing network but are easier to set up in a small network.

Command: encryption
  Keyword              Meaning
  des                  56-bit DES-CBC
  3des (default)       168-bit Triple DES
  Description: Specifies the symmetric encryption algorithm that protects data transmitted between two IPsec peers. The default is 168-bit Triple DES.

Command: hash
  Keyword              Meaning
  sha (default)        SHA-1 (HMAC variant)
  md5                  MD5 (HMAC variant)
  Description: Specifies the hash algorithm used to ensure data integrity. It ensures that a packet comes from where it says it comes from and that it has not been modified in transit. The default is SHA-1. MD5 has a smaller digest and is considered to be slightly faster than SHA-1. A successful (but extremely difficult) attack against MD5 has occurred; however, the HMAC variant IKE uses prevents this attack.

Command: group
  Keyword              Meaning
  1                    Group 1 (768-bit)
  2 (default)          Group 2 (1024-bit)
  5                    Group 5 (1536-bit)
  Description: Specifies the Diffie-Hellman group identifier, which the two IPsec peers use to derive a shared secret without transmitting it to each other. The lower the Diffie-Hellman group number, the less CPU time it requires to execute. The higher the Diffie-Hellman group number, the greater the security. AES support is available on security appliances licensed for VPN-3DES only. To support the large key sizes required by AES, ISAKMP negotiation should use Diffie-Hellman (DH) Group 5.

Command: lifetime
  Keyword              Meaning
  integer value        120 to 2147483647 seconds
  (86400 = default)
  Description: Specifies the SA lifetime. The default is 86,400 seconds or 24 hours. As a general rule, a shorter lifetime provides more secure ISAKMP negotiations (up to a point). However, with shorter lifetimes, the ASA sets up future IPsec SAs more quickly.

Table 1-2   IKEv2 Policy Keywords for CLI Commands

Command: integrity
  Keyword              Meaning
  sha (default)        SHA-1 (HMAC variant)
  md5                  MD5 (HMAC variant)
  Description: Specifies the hash algorithm used to ensure data integrity. It ensures that a packet comes from where it says it comes from and that it has not been modified in transit. The default is SHA-1. MD5 has a smaller digest and is considered to be slightly faster than SHA-1. A successful (but extremely difficult) attack against MD5 has occurred; however, the HMAC variant IKE uses prevents this attack.
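The following is an added example, not code from the Cisco guide: a small Python checker that reads IKEv1 policy blocks from a saved ASA configuration, applies the defaults from Table 1-1 to every command the administrator left unset, validates each value against the keyword list and the 120 to 2147483647 second lifetime range, and emits advisories drawn from the descriptions above (group 1 is the lowest-security group listed, DES is weaker than the Triple DES default, preshared keys do not scale). It assumes the ASA 9.0 block syntax `crypto ikev1 policy <priority>` and that the five commands under it are exactly those of Table 1-1; the sample configuration is constructed for the example and deliberately includes an out-of-range lifetime, which this checker reports and ignores where the real CLI would reject the line.

```python
"""Resolve and sanity-check Cisco ASA IKEv1 policy settings against Table 1-1.

Added example, not Cisco code. Assumes 'crypto ikev1 policy <priority>' opens a
policy block and that only the Table 1-1 commands appear under it.
"""
import re

# Valid keyword values and defaults, transcribed from Table 1-1 of the page.
IKEV1_KEYWORDS = {
    "authentication": {"rsa-sig", "crack", "pre-share"},
    "encryption": {"des", "3des"},
    "hash": {"sha", "md5"},
    "group": {"1", "2", "5"},
}
IKEV1_DEFAULTS = {
    "authentication": "pre-share",
    "encryption": "3des",
    "hash": "sha",
    "group": "2",
    "lifetime": 86400,
}
LIFETIME_MIN, LIFETIME_MAX = 120, 2147483647   # seconds, per Table 1-1
DH_GROUP_BITS = {"1": 768, "2": 1024, "5": 1536}

POLICY_RE = re.compile(r"^crypto ikev1 policy (\d+)$")


def parse_ikev1_policies(config_text):
    """Map each policy priority to the '<command> <value>' pairs set under it.

    Blank lines, '!' comment lines and lines outside any policy block are
    ignored; lines that are not exactly two tokens are skipped.
    """
    policies = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = POLICY_RE.match(line)
        if m:
            current = int(m.group(1))
            policies.setdefault(current, {})
            continue
        parts = line.split()
        if current is not None and len(parts) == 2:
            policies[current][parts[0]] = parts[1]
    return policies


def validate_policy(settings):
    """Return (resolved_policy, findings) for one policy block.

    resolved_policy is the effective policy after filling unset (or invalid,
    which is reported and ignored) commands with the Table 1-1 defaults.
    findings lists invalid values and advisories taken from the page text.
    """
    resolved = dict(IKEV1_DEFAULTS)
    findings = []
    for cmd, val in settings.items():
        if cmd == "lifetime":
            if val.isdigit() and LIFETIME_MIN <= int(val) <= LIFETIME_MAX:
                resolved["lifetime"] = int(val)
            else:
                findings.append(
                    f"lifetime {val!r} is outside {LIFETIME_MIN}-{LIFETIME_MAX} seconds")
        elif cmd not in IKEV1_KEYWORDS:
            findings.append(f"unknown policy command {cmd!r}")
        elif val not in IKEV1_KEYWORDS[cmd]:
            findings.append(f"{cmd} {val!r} is not a valid keyword")
        else:
            resolved[cmd] = val
    # Advisories based on the descriptions in Table 1-1.
    if resolved["group"] == "1":
        findings.append(
            f"group 1 ({DH_GROUP_BITS['1']}-bit) is the lowest-security DH group listed")
    if resolved["encryption"] == "des":
        findings.append("encryption des: 56-bit DES-CBC instead of the 168-bit Triple DES default")
    if resolved["authentication"] == "pre-share":
        findings.append("authentication pre-share: preshared keys do not scale well with a growing network")
    return resolved, findings


def lint_config(config_text):
    """Validate every IKEv1 policy in config_text: {priority: (resolved, findings)}."""
    return {prio: validate_policy(settings)
            for prio, settings in parse_ikev1_policies(config_text).items()}


# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
! policy 20 leaves encryption and hash at their defaults and has a bad lifetime
crypto ikev1 policy 10
 authentication rsa-sig
 encryption 3des
 hash sha
 group 5
 lifetime 28800
crypto ikev1 policy 20
 authentication pre-share
 group 1
 lifetime 60
"""

if __name__ == "__main__":
    for prio, (resolved, findings) in sorted(lint_config(SAMPLE_CONFIG).items()):
        print(f"policy {prio}: {resolved}")
        for finding in findings:
            print(f"  - {finding}")
```

Run against the sample, policy 10 resolves with no findings, while policy 20 shows how the defaults fill in 3des and sha, reports the 60 second lifetime as out of range, and flags group 1 and the preshared-key choice for review.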
Cisco ASA Series CLI Configuration Guide
Configuring ISAKMP
1-9