Cisco ASA Series CLI Configuration Manual, page 1569

Software version 9.0 for the services module

Chapter 1
Configuring IPsec and ISAKMP
• Using Dynamic Crypto Maps, page 1-35
• Providing Site-to-Site Redundancy, page 1-37
• Viewing an IPsec Configuration, page 1-37

Understanding IPsec Tunnels

IPsec tunnels are sets of SAs that the ASA establishes between peers. The SAs specify the protocols and algorithms to apply to sensitive data and also specify the keying material that the peers use. IPsec SAs control the actual transmission of user traffic. SAs are unidirectional, but are generally established in pairs (inbound and outbound).

The peers negotiate the settings to use for each SA. Each SA consists of the following:

• IKEv1 transform sets or IKEv2 proposals
• Crypto maps
• Access lists
• Tunnel groups
• Prefragmentation policies

Understanding IKEv1 Transform Sets and IKEv2 Proposals

An IKEv1 transform set or an IKEv2 proposal is a combination of security protocols and algorithms that define how the ASA protects data. During IPsec SA negotiations, the peers must identify a transform set or proposal that is the same at both peers. The ASA then applies the matching transform set or proposal to create an SA that protects data flows in the access list for that crypto map.

With IKEv1 transform sets, you set one value for each parameter. For IKEv2 proposals, you can configure multiple encryption and authentication types and multiple integrity algorithms for a single proposal. The ASA orders the settings from the most secure to the least secure and negotiates with the peer using that order. This allows you to send a single proposal that conveys all the allowed combinations, instead of having to send each allowed combination individually, as with IKEv1.

The ASA tears down the tunnel if you change the definition of the transform set or proposal used to create its SA. See the "Clearing Security Associations" section on page 1-38 for further information.

Note: If you clear or delete the only element in a transform set or proposal, the ASA automatically removes the crypto map references to it.

Defining Crypto Maps

Crypto maps define the IPsec policy to be negotiated in the IPsec SA. They include the following:

• Access list to identify the packets that the IPsec connection permits and protects.
• Peer identification.
• Local address for the IPsec traffic. (See "Applying Crypto Maps to Interfaces" for more details.)
• Up to 11 IKEv1 transform sets or IKEv2 proposals, with which to attempt to match the peer security settings.

Cisco ASA Series CLI Configuration Guide
Configuring IPsec
1-19
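The following is an added example, not code from the Cisco guide, that models the matching behaviour described in the transform set/proposal and crypto map sections above: an IKEv1 transform set fixes one value per parameter, so only an identical set matches, while an IKEv2 proposal lists several algorithms and the negotiation walks them from most to least secure. The algorithm names, the strength rankings and the function names are assumptions made for illustration; the guide does not publish the ASA's internal ordering.

```python
from dataclasses import dataclass

MAX_SETS_PER_CRYPTO_MAP = 11   # limit stated in the guide for one crypto map entry
# Strength orderings used to sort a proposal's choices from most to least secure.
# These rankings are an assumption for the example; the guide does not list them.
ENC_RANK = ["aes-256", "aes-192", "aes", "3des", "des"]
INTEG_RANK = ["sha512", "sha384", "sha256", "sha", "md5"]


@dataclass(frozen=True)
class Ikev2Proposal:
    """One IKEv2 proposal may carry several encryption and integrity algorithms."""
    name: str
    encryption: frozenset
    integrity: frozenset


def strongest_first(choices, rank):
    """Order a peer's allowed algorithms from most to least secure."""
    return sorted(choices, key=rank.index)


def negotiate_ikev2(local, remote):
    """Walk the local proposal in strength order and return the first
    (encryption, integrity) pair the remote proposal also allows, else None."""
    for enc in strongest_first(local.encryption, ENC_RANK):
        if enc not in remote.encryption:
            continue
        for integ in strongest_first(local.integrity, INTEG_RANK):
            if integ in remote.integrity:
                return enc, integ
    return None


def negotiate_ikev1(local_sets, remote_sets):
    """IKEv1 transform sets hold one value per parameter, so only an identical
    (encryption, authentication) set matches; the crypto map entry's sets are
    tried in configured order and the first match wins."""
    if len(local_sets) > MAX_SETS_PER_CRYPTO_MAP:
        raise ValueError("a crypto map entry holds at most 11 transform sets")
    remote = set(remote_sets)
    for transform_set in local_sets:
        if transform_set in remote:
            return transform_set
    return None
```

With a local IKEv2 proposal allowing aes-256/aes/3des with sha256/sha and a remote allowing aes/3des with sha256/md5, negotiate_ikev2 returns ('aes', 'sha256'); the same peers configured for IKEv1 only match if one of the local transform sets is identical to a remote one.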