Cisco WS-CE500 Administration Manual page 151

SA500 Series small business security appliances

Configuring VPN
Advanced Configuration of IPsec VPN
Cisco SA500 Series Security Appliances Administration Guide
Integrity Algorithm: Choose the algorithm that is used to verify the integrity
of the data.
Key-In: Enter the integrity key (for ESP with Integrity-mode) for the inbound
policy.
Key-Out: Enter the integrity key (for ESP with Integrity-mode) for the
inbound policy.
The length of the key depends on the chosen algorithm:
- MD5: 16 characters
- SHA-1: 20 characters
- SHA2-256: 32 characters
- SHA2-384: 48 characters
- SHA2-512: 64 characters
STEP 6 If you chose Auto Policy as the Policy type, enter the following
information in the Auto Policy Parameters area:
SA Lifetime: Enter the lifetime of the Security Association, and specify
whether it is in seconds or kilobytes.
- Seconds: If you specify the SA Lifetime in seconds, this value represents
  the interval after which the Security Association becomes invalid. The SA
  is renegotiated after this interval. The default value is 3600 seconds.
- Kilobytes: If you specify the SA Lifetime in kilobytes, the SA is
  renegotiated after the specified number of kilobytes of data is
  transferred over the original SA. The minimum value is 300 seconds or
  1920000 KB.
NOTE For every policy, two SAs are created, one for inbound traffic and
one for outbound traffic. When using a lifetime configured in kilobytes
(also known as lifebyte) along with a lifetime in seconds, the SA expires
asymmetrically. For example, the lifebyte for a download stream expires
frequently if the downstream traffic is very high, but the lifebyte of the
upload stream expires less frequently or only when it reaches its timeout
period. When setting the lifetime in both seconds and kilobytes, you
should reduce the difference in expiry frequencies of the SAs; otherwise
the system could eventually run out of resources as a result of this
asymmetry. The lifebyte specifications are generally recommended for
advanced users only.
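
The asymmetry described in the NOTE above, worked through as an added Python example (not taken from the Cisco guide). It assumes constant traffic rates and that each SA is renegotiated at whichever limit it reaches first; the function names and the 4000 KB/s and 100 KB/s sample rates are constructed for illustration.

```python
import math
from dataclasses import dataclass

@dataclass
class SaExpiry:
    interval_s: float      # time until this SA is renegotiated
    trigger: str           # which limit fired: "seconds" or "kilobytes"
    rekeys_per_day: float

def sa_expiry(lifetime_s, lifebyte_kb, rate_kb_per_s):
    """Expiry of one unidirectional SA. Assumes a constant traffic rate and
    that the SA is renegotiated at whichever limit is reached first."""
    # An idle SA never reaches its byte limit.
    byte_limit_s = lifebyte_kb / rate_kb_per_s if rate_kb_per_s > 0 else math.inf
    if byte_limit_s < lifetime_s:
        interval, trigger = byte_limit_s, "kilobytes"
    else:
        interval, trigger = float(lifetime_s), "seconds"
    return SaExpiry(interval, trigger, 86400 / interval)

def asymmetry(lifetime_s, lifebyte_kb, down_kb_per_s, up_kb_per_s):
    """Return (inbound, outbound, ratio of their rekey frequencies)."""
    inbound = sa_expiry(lifetime_s, lifebyte_kb, down_kb_per_s)
    outbound = sa_expiry(lifetime_s, lifebyte_kb, up_kb_per_s)
    return inbound, outbound, inbound.rekeys_per_day / outbound.rekeys_per_day

def min_symmetric_lifebyte_kb(lifetime_s, peak_kb_per_s):
    """Smallest lifebyte at which the busier direction still expires on the
    seconds limit, so both SAs of the policy rekey at the same frequency."""
    return math.ceil(lifetime_s * peak_kb_per_s)

if __name__ == "__main__":
    LIFETIME_S = 3600        # default from the guide
    LIFEBYTE_KB = 1920000    # kilobyte figure from the guide
    DOWN, UP = 4000, 100     # constructed sample rates in KB/s
    inbound, outbound, ratio = asymmetry(LIFETIME_S, LIFEBYTE_KB, DOWN, UP)
    print("inbound :", inbound)
    print("outbound:", outbound)
    print("inbound rekeys %.1fx as often as outbound" % ratio)
    print("lifebyte for symmetric expiry:",
          min_symmetric_lifebyte_kb(LIFETIME_S, DOWN), "KB")
```

With these sample rates the inbound SA expires on its kilobyte limit every 480 seconds while the outbound SA lasts the full 3600 seconds, which is the gap in expiry frequencies the NOTE says to reduce.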