Cisco ASA 5505 User Manual

64-11

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 64 Configuring IPsec and ISAKMP

Configuring ISAKMP

IKEv1 and IKEv2 each support a maximum of 20 IKE policies, each with a different set of values.
Assign a unique priority to each policy that you create. The lower the priority number, the higher the
priority.

When IKE negotiations begin, the peer that initiates the negotiation sends all of its policies to the remote
peer, and the remote peer tries to find a match. The remote peer checks all of the peer's policies against
each of its configured policies in priority order (highest priority first) until it discovers a match.

A match exists when both policies from the two peers contain the same encryption, hash, authentication,
and Diffie-Hellman parameter values. For IKEv1, the remote peer policy must also specify a lifetime
less than or equal to the lifetime in the policy the initiator sent. If the lifetimes are not identical, the ASA
uses the shorter lifetime. For IKEv2 the lifetime is not negotiated but managed locally between each
peer, making it possible to configure lifetime independently on each peer. If no acceptable match exists,
IKE refuses negotiation and the SA is not established.

prf

sha (default)

SHA-1 (HMAC variant)

Specifies the pseudo random function (PRF)—the
algorithm used to generate keying material.

md5

MD5 (HMAC variant)

The default is SHA-1. MD5 has a smaller digest and is
considered to be slightly faster than SHA-1. A successful
(but extremely difficult) attack against MD5 has occurred;
however, the HMAC variant IKE uses prevents this attack.

sha256

SHA 2, 256-bit digest

Specifies the Secure Hash Algorithm SHA 2 with the
256-bit digest.

sha384

SHA 2, 384-bit digest

Specifies the Secure Hash Algorithm SHA 2 with the
384-bit digest.

sha512

SHA 2, 512-bit digest

Specifies the Secure Hash Algorithm SHA 2 with the
512-bit digest.

group

1

Group 1 (768-bit)

Specifies the Diffie-Hellman group identifier, which the
two IPsec peers use to derive a shared secret without
transmitting it to each other.

The lower the Diffie-Hellman group number, the less CPU
time it requires to execute. The higher the Diffie-Hellman
group number, the greater the security.

The AnyConnect client supports DH group 1, 2, and 5 in
non-FIPS mode, and groups 2 and only in FIPS mode.

AES support is available on security appliances licensed for
VPN-3DES only. To support the large key sizes required by
AES, ISAKMP negotiation should use Diffie-Hellman
(DH) Group 5.

2 (default)

Group 2 (1024-bit)

5

Group 5 (1536-bit)

lifetime

integer value

(86400 =
default)

120 to 2147483647
seconds

Specifies the SA lifetime. The default is 86,400 seconds or
24 hours. As a general rule, a shorter lifetime provides more
secure ISAKMP negotiations (up to a point). However, with
shorter lifetimes, the ASA sets up future IPsec SAs more
quickly.

Table 64-2

IKEv2 Policy Keywords for CLI Commands (continued)

Command

Keyword

Meaning

Description