Cisco ASA 5505 User Manual


64-12

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 64 Configuring IPsec and ISAKMP

Configuring ISAKMP

There is an implicit trade-off between security and performance when you choose a specific value for
each parameter. The level of security the default values provide is adequate for the security requirements
of most organizations. If you are interoperating with a peer that supports only one of the values for a
parameter, your choice is limited to that value.

Note: New ASA configurations do not have a default IKEv1 or IKEv2 policy.

To configure IKE policies, in global configuration mode, use the crypto ikev1 | ikev2 policy command
to enter IKE policy configuration mode:

crypto ikev1 | ikev2 policy priority

You must include the priority in each of the ISAKMP commands. The priority number uniquely
identifies the policy and determines the priority of the policy in IKE negotiations.

To enable and configure IKE, complete the following steps, using the IKEv1 examples as a guide:

Note: If you do not specify a value for a given policy parameter, the default value applies.

Step 1

Enter IKEv1 policy configuration mode:

hostname(config)# crypto ikev1 policy 1

hostname(config-ikev1-policy)#

Step 2

Specify the encryption algorithm. The default is Triple DES. This example sets encryption to DES.

encryption [aes | aes-192 | aes-256 | des | 3des]

For example:

hostname(config-ikev1-policy)# encryption des

Step 3

Specify the hash algorithm. The default is SHA-1. This example configures MD5.

hash [md5 | sha]

For example:

hostname(config-ikev1-policy)# hash md5

Step 4

Specify the authentication method. The default is preshared keys. This example configures RSA
signatures.

authentication [pre-share | crack | rsa-sig]

For example:

hostname(config-ikev1-policy)# authentication rsa-sig

Step 5

Specify the Diffie-Hellman group identifier. The default is Group 2. This example configures Group 5.

group [1 | 2 | 5]

For example:

hostname(config-ikev1-policy)# group 5

Step 6

Specify the SA lifetime. This example sets a lifetime of 4 hours (14400 seconds). The default is 86400
seconds (24 hours).

lifetime seconds
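The steps above define one IKEv1 policy parameter at a time, and any parameter you leave out takes the documented default. When reviewing a device, the useful question is what each policy actually negotiates once those defaults are filled in, and in which order the policies are tried. The following script is an added example (not Cisco's tooling and not part of this guide): it parses `crypto ikev1 policy` stanzas from a constructed running-config excerpt built from the commands in this section, fills omitted parameters with the defaults the guide states (3DES, SHA-1, pre-shared keys, Group 2, 86400 seconds), and flags settings a reviewer would want to look at. The weak-setting thresholds (DES, 3DES, MD5, Groups 1 and 2, lifetimes above one day) are choices made for this example, not values from the guide, and the ordering assumption that a lower priority number is tried first is Cisco's convention rather than something this page spells out.

```python
"""Audit IKEv1 policy stanzas from an ASA running-config for weak settings.

Added example, not Cisco's own tooling. It parses the `crypto ikev1 policy`
blocks described in this chapter and fills unspecified parameters with the
defaults the guide states (3des, sha, pre-share, group 2, 86400 seconds).
"""
import re

# Defaults the configuration guide states apply when a parameter is omitted.
DEFAULTS = {
    "encryption": "3des",
    "hash": "sha",
    "authentication": "pre-share",
    "group": "2",
    "lifetime": "86400",
}

# Weak-setting thresholds chosen for this example (assumption, not from the guide).
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_HASH = {"md5"}
WEAK_GROUPS = {"1", "2"}
MAX_LIFETIME = 86400

# Constructed sample of a running-config excerpt, modelled on the chapter's commands.
SAMPLE_CONFIG = """\
crypto ikev1 policy 1
 encryption des
 hash md5
 authentication rsa-sig
 group 5
 lifetime 14400
crypto ikev1 policy 10
 encryption aes-256
 authentication pre-share
 group 5
crypto ikev1 policy 20
 encryption aes
 hash sha
 group 2
"""

POLICY_RE = re.compile(r"^crypto ikev1 policy (\d+)\s*$")
PARAM_RE = re.compile(r"^\s+(encryption|hash|authentication|group|lifetime)\s+(\S+)\s*$")


def parse_ikev1_policies(config_text):
    """Return {priority: {param: value}} with defaults filled in for omitted parameters."""
    policies = {}
    current = None
    for line in config_text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            current = int(m.group(1))
            policies[current] = dict(DEFAULTS)  # start from the documented defaults
            continue
        m = PARAM_RE.match(line)
        if m and current is not None:
            policies[current][m.group(1)] = m.group(2)
        elif not line.startswith(" "):
            current = None  # a non-indented line ends the policy stanza
    return policies


def audit_policy(params):
    """Return a list of findings for one policy (empty list means nothing flagged)."""
    findings = []
    if params["encryption"] in WEAK_ENCRYPTION:
        findings.append(f"weak encryption {params['encryption']}")
    if params["hash"] in WEAK_HASH:
        findings.append(f"weak hash {params['hash']}")
    if params["group"] in WEAK_GROUPS:
        findings.append(f"weak DH group {params['group']}")
    if int(params["lifetime"]) > MAX_LIFETIME:
        findings.append(f"lifetime {params['lifetime']}s exceeds {MAX_LIFETIME}s")
    return findings


def audit_config(config_text):
    """Audit every policy; returns {priority: [findings]} in negotiation order."""
    policies = parse_ikev1_policies(config_text)
    # Cisco convention (assumption, not stated on this page): lower priority
    # numbers are tried first, so report in ascending order.
    return {prio: audit_policy(policies[prio]) for prio in sorted(policies)}


if __name__ == "__main__":
    for prio, findings in audit_config(SAMPLE_CONFIG).items():
        status = "; ".join(findings) if findings else "ok"
        print(f"crypto ikev1 policy {prio}: {status}")
```

Run against the constructed sample, policy 1 (the guide's DES/MD5 walkthrough values) is flagged on both encryption and hash, policy 10 comes back clean because its omitted hash and lifetime take the SHA-1 and 86400-second defaults, and policy 20 is flagged only for Group 2. Feed the script the output of `show running-config` instead of the sample to audit a real device.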
