Cisco ASA Series CLI Configuration Manual, page 1583

Software version 9.0 for the services module
Chapter 1
Configuring IPsec and ISAKMP
Proposal tag is the name of the IKEv2 IPsec proposal, a string from 1 to 64 characters.
For example:
hostname(config)# crypto ipsec ikev2 ipsec-proposal secure
In this example, secure is the name of the proposal. Next, enter the protocol and one or more encryption algorithms. Every algorithm you list is offered to the peer during negotiation, so list only algorithms you are willing to accept:
hostname(config-ipsec-proposal)# protocol esp encryption 3des aes des
The full syntax, including the AES-GCM and AES-GMAC choices, is:
hostname(config-ipsec-proposal)# [no] protocol esp encryption [3des | aes | aes-192 | aes-256 | aes-gcm | aes-gcm-192 | aes-gcm-256 | aes-gmac | aes-gmac-192 | aes-gmac-256 | des | null]
Then choose the IPsec integrity algorithm (for SHA-2, specify which digest length to use). AES-GCM and AES-GMAC carry their own integrity check, so if one of them is the encryption algorithm you must choose the null integrity algorithm; with any other encryption algorithm, choosing null leaves the ESP payload unauthenticated:
hostname(config-ipsec-proposal)# [no] protocol esp integrity [md5 | sha-1 | sha-256 | sha-384 | sha-512 | null]
Note You must choose the null integrity algorithm if AES-GCM/GMAC has been configured as the encryption algorithm. SHA-256 can be used for integrity and PRF to establish IKEv2 tunnels, but it can also be used for ESP integrity protection on the newer ASA platforms (and not the 5505, 5510, 5520, 5540, or 5550).
Step 3
(Optional) An administrator can enable path maximum transmission unit (PMTU) aging and set the interval at which the PMTU value is reset to its original value. This is a global configuration command, not part of the proposal:
hostname(config)# [no] crypto ipsec security-association pmtu-aging <reset-interval>
Step 4
To create a crypto map, perform the following site-to-site steps in either single or multiple context mode:
a. Assign an access list to a crypto map:
crypto map map-name seq-num match address access-list-name
A crypto map set is a collection of crypto map entries, each with a different sequence number (seq-num) but the same map name. Use access-list-name to specify the access list ID, a string or integer of up to 241 characters. In the following example, mymap is the name of the crypto map set and 10 is the sequence number, which ranks multiple entries within one crypto map set: the lower the sequence number, the higher the priority.
crypto map mymap 10 match address 101
In this example, the access list named 101 is assigned to crypto map mymap.
b. Specify the peer to which the IPsec-protected traffic can be forwarded:
crypto map map-name seq-num set peer ip-address
For example:
crypto map mymap 10 set peer 192.168.1.100
The ASA sets up an SA with the peer assigned the IP address 192.168.1.100. Specify multiple peers
by repeating this command.
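A worked example, added here and not part of the Cisco guide: a small Python audit script that parses a constructed ASA configuration excerpt built by following Steps 2 and 4 above and flags the algorithm choices a reviewer would care about, in particular the rule that AES-GCM/GMAC must be paired with null integrity, and null integrity with any other cipher, plus weak or legacy algorithms and crypto map entries missing their peer. The proposal names, the crypto map entries and the sample configuration text are constructed for this example; the script reads plain configuration text and does not talk to a device.

```python
"""Audit Cisco ASA IKEv2 IPsec proposals and crypto map entries from config text.

Added example; the configuration below is constructed and the proposal
names are made up. Run it directly to print the findings for the sample.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# AES-GCM / AES-GMAC are combined-mode algorithms: ESP integrity must be null.
COMBINED_MODE = re.compile(r"^aes-g(cm|mac)(-\d+)?$")
WEAK_ENC = {"des", "null"}          # 56-bit key / no confidentiality at all
LEGACY_ENC = {"3des"}               # 64-bit block cipher, deprecated
LEGACY_INT = {"md5", "sha-1"}       # deprecated digests

# Constructed sample config following Steps 2 and 4 (not from a real device).
SAMPLE_CONFIG = """
crypto ipsec ikev2 ipsec-proposal LEGACY
 protocol esp encryption 3des aes des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal STRONG-GCM
 protocol esp encryption aes-gcm-256
 protocol esp integrity null
crypto ipsec ikev2 ipsec-proposal BROKEN-GCM
 protocol esp encryption aes-gcm-256
 protocol esp integrity sha-256
crypto ipsec ikev2 ipsec-proposal PLAINTEXT
 protocol esp encryption null
 protocol esp integrity sha-256
crypto map mymap 10 match address 101
crypto map mymap 10 set peer 192.168.1.100
crypto map mymap 20 match address 102
"""


@dataclass
class Proposal:
    name: str
    encryption: list = field(default_factory=list)
    integrity: list = field(default_factory=list)


def parse_config(text):
    """Return ({proposal_name: Proposal}, {(map_name, seq): {subcommand: arg}})."""
    proposals, maps, current = {}, defaultdict(dict), None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        m = re.match(r"^crypto ipsec ikev2 ipsec-proposal (\S+)$", line)
        if m:
            current = proposals.setdefault(m.group(1), Proposal(m.group(1)))
            continue
        m = re.match(r"^\s+protocol esp (encryption|integrity) (.+)$", line)
        if m and current is not None:
            getattr(current, m.group(1)).extend(m.group(2).split())
            continue
        current = None  # any other top-level line ends the proposal block
        m = re.match(r"^crypto map (\S+) (\d+) (match address|set peer) (.+)$", line)
        if m:
            maps[(m.group(1), int(m.group(2)))][m.group(3)] = m.group(4)
    return proposals, dict(maps)


def audit_proposal(p):
    """Findings for one proposal; an empty list means nothing to report."""
    findings = []
    combined = [a for a in p.encryption if COMBINED_MODE.match(a)]
    classic = [a for a in p.encryption if not COMBINED_MODE.match(a)]
    if combined and p.integrity != ["null"]:
        findings.append(f"{p.name}: AES-GCM/GMAC requires 'protocol esp integrity null', "
                        f"got {p.integrity or 'none'}")
    if classic and "null" in p.integrity:
        findings.append(f"{p.name}: {classic} would carry no integrity protection")
    for a in p.encryption:
        if a in WEAK_ENC:
            findings.append(f"{p.name}: weak encryption '{a}'")
        elif a in LEGACY_ENC:
            findings.append(f"{p.name}: legacy encryption '{a}' (64-bit block cipher)")
    for a in p.integrity:
        if a in LEGACY_INT:
            findings.append(f"{p.name}: legacy integrity '{a}'")
    if not p.encryption:
        findings.append(f"{p.name}: no encryption algorithm configured")
    return findings


def audit_crypto_maps(maps):
    """Each crypto map entry needs both a match address and a set peer."""
    findings = []
    for (name, seq), entry in sorted(maps.items()):
        for required in ("match address", "set peer"):
            if required not in entry:
                findings.append(f"crypto map {name} {seq}: missing '{required}'")
    return findings


def audit(text):
    proposals, maps = parse_config(text)
    findings = []
    for p in proposals.values():
        findings.extend(audit_proposal(p))
    findings.extend(audit_crypto_maps(maps))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

The ASA CLI itself rejects a GCM proposal with a non-null integrity algorithm, but a configuration rendered from a template or pushed by a management tool can still contain one, which is why BROKEN-GCM is worth catching before deployment. STRONG-GCM produces no findings; the LEGACY proposal shows how a multi-algorithm list quietly keeps DES and 3DES negotiable.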
Cisco ASA Series CLI Configuration Guide
Configuring IPsec
1-33