Defining a tunnel group – Cisco ASA 5505 User Manual

69-11

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 69 Configuring Remote Access IPsec VPNs

Configuring Remote Access IPsec VPNs

Defining a Tunnel Group

This section describes how to configure a tunnel group, which is a set of records that contain tunnel
connection policies. You configure a tunnel group to identify AAA servers, specify connection
parameters, and define a default group policy. The ASA stores tunnel groups internally.

Command

Purpose

To configure an IKEv1 transform set:

crypto ipsec ikev1 transform-set

transform-set-name encryption-method

[authentication]

Example:

hostname(config)# crypto ipsec transform set

FirstSet esp-3des esp-md5-hmac

hostname(config)#

Configures an IKEv1 transform set that specifies the IPsec IKEv1
encryption and hash algorithms to be used to ensure data integrity.

Use one of the following values for encryption:

•

esp-aes to use AES with a 128-bit key.

•

esp-aes-192 to use AES with a 192-bit key.

•

esp-aes-256 to use AES with a 256-bit key.

•

esp-des to use 56-bit DES-CBC.

•

esp-3des to use triple DES algorithm.

•

esp-null to not use encryption.

Use one of the following values for authentication:

•

esp-md5-hmac to use the MD5/HMAC-128 as the hash algorithm.

•

esp-sha-hmac to use the SHA/HMAC-160 as the hash algorithm.

•

esp-none to not use HMAC authentication.

To configure an IKEv2 proposal:

crypto ipsec ikev2 ipsec-proposal

proposal_name

Then:

protocol

{esp} {encryption {des | 3des | aes

| aes-192 | aes-256 | null} | integrity {md5

|

sha-1}

Example:

hostname(config)# crypto ipsec ikev2

ipsec-proposal secure_proposal

hostname(config-ipsec-proposal)# protocol

esp

encryption des integrity md5

Configures an IKEv2 proposal set that specifies the IPsec IKEv2
protocol, encryption, and integrity algorithms to be used.

esp specifies the Encapsulating Security Payload (ESP) IPsec protocol
(currently the only supported protocol for IPsec).

Use one of the following values for encryption:

•

des to use 56-bit DES-CBC encryption for ESP.

•

3des (default) to use the triple DES encryption algorithm for ESP.

•

aes to use AES with a 128-bit key encryption for ESP.

•

aes-192 to use AES with a 192-bit key encryption for ESP.

•

aes-256 to use AES with a 256-bit key encryption for ESP.

•

null to not use encryption for ESP.

Use one of the following values for integrity:

•

md5 specifies the md5 algorithm for the ESP integrity protection.

•

sha-1 (default) specifies the Secure Hash Algorithm (SHA) SHA-1,
defined in the U.S. Federal Information Processing Standard (FIPS),
for ESP integrity protection.