Using the tunnel-group-map default-group command, Configuring ipsec, Understanding ipsec tunnels – Cisco ASA 5505 User Manual

64-19

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 64 Configuring IPsec and ISAKMP

Configuring IPsec

Using the Tunnel-group-map default-group Command

This command specifies a default tunnel group to use when the configuration does not specify a tunnel
group.

The syntax is tunnel-group-map [rule-index] default-group tunnel-group-name, where rule-index is the
priority for the rule, and tunnel-group-name must name a tunnel group that already exists.
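As an added illustration (not taken from the guide), the following fragment creates a site-to-site tunnel group and then names it as the default with tunnel-group-map. The tunnel-group name REMOTE-SITE and the pre-shared key are placeholders chosen for this example; the default-group rule must come after the tunnel group it references has been defined, or the ASA rejects it.

```text
! Define the tunnel group first; tunnel-group-map default-group requires it to exist.
tunnel-group REMOTE-SITE type ipsec-l2l
tunnel-group REMOTE-SITE ipsec-attributes
 ikev1 pre-shared-key <REPLACE-WITH-STRONG-SECRET>
exit

! Fall back to REMOTE-SITE whenever no other rule selects a tunnel group.
! A rule-index is optional; it sets the rule's priority relative to other map rules.
tunnel-group-map default-group REMOTE-SITE

! Confirm what the running configuration actually holds.
show running-config tunnel-group-map
```

The show command at the end is the quickest way to verify which tunnel group inbound negotiations will land in when nothing else matches, which matters because a permissive or misconfigured default group silently catches every unmatched peer.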

Configuring IPsec

This section provides background information about IPsec and describes the procedures required to
configure the ASA when using IPsec to implement a VPN. It contains the following topics:

Understanding IPsec Tunnels, page 64-19

Understanding IKEv1 Transform Sets and IKEv2 Proposals, page 64-19

Defining Crypto Maps, page 64-20

Applying Crypto Maps to Interfaces, page 64-26

Using Interface Access Lists, page 64-26

Changing IPsec SA Lifetimes, page 64-29

Creating a Basic IPsec Configuration, page 64-29

Using Dynamic Crypto Maps, page 64-31

Providing Site-to-Site Redundancy, page 64-34

Viewing an IPsec Configuration, page 64-34

Understanding IPsec Tunnels

IPsec tunnels are sets of SAs that the ASA establishes between peers. The SAs specify the protocols and
algorithms to apply to sensitive data and also specify the keying material that the peers use. IPsec SAs
control the actual transmission of user traffic. SAs are unidirectional, but are generally established in
pairs (inbound and outbound).

The peers negotiate the settings to use for each SA. Each SA consists of the following:

IKEv1 transform sets or IKEv2 proposals

Crypto maps

Access lists

Tunnel groups

Prefragmentation policies

Understanding IKEv1 Transform Sets and IKEv2 Proposals

An IKEv1 transform set or an IKEv2 proposal is a combination of security protocols and algorithms that
define how the ASA protects data. During IPsec SA negotiations, the peers must identify a transform set
or proposal that is the same at both peers. The ASA then applies the matching transform set or proposal
to create an SA that protects data flows in the access list for that crypto map.
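Because negotiation only succeeds when both peers offer an identical transform set or proposal, it helps to see what "identical" means in configuration. The example below is added here and is not from the guide; the names AES256-SHA and AES256-PROPOSAL are placeholders. The same two blocks must appear on the remote peer (with the same protocol, encryption, and integrity choices) for the SA to form.

```text
! IKEv1 transform set: ESP with AES-256 encryption and SHA-1 HMAC integrity.
crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac

! IKEv2 proposal: the same protection expressed as an IKEv2 proposal.
crypto ipsec ikev2 ipsec-proposal AES256-PROPOSAL
 protocol esp encryption aes-256
 protocol esp integrity sha-1
exit

! After the crypto map references one of these, verify that an SA was built
! and that the negotiated algorithms are the ones you intended.
show crypto ipsec sa
```

If the peers disagree on even one attribute, no SA is created and traffic for that crypto map's access list is dropped rather than sent in the clear; show crypto ipsec sa showing no SA for the expected peer is the first symptom to check.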
