Cisco ASA 5505 User Manual


67-14

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 67 Configuring Connection Profiles, Group Policies, and Users

Configuring Connection Profiles

Step 1

To specify the IPsec attributes of a remote-access tunnel-group, enter tunnel-group ipsec-attributes
mode by entering the following command. The prompt changes to indicate the mode change:

hostname(config)# tunnel-group tunnel-group-name ipsec-attributes

hostname(config-tunnel-ipsec)#

This command enters tunnel-group ipsec-attributes configuration mode, in which you configure the
remote-access tunnel-group IPsec attributes.

For example, the following command designates that the tunnel-group ipsec-attributes mode commands
that follow pertain to the connection profile named TG1. Notice that the prompt changes to indicate that
you are now in tunnel-group ipsec-attributes mode:

hostname(config)# tunnel-group TG1 type remote-access

hostname(config)# tunnel-group TG1 ipsec-attributes

hostname(config-tunnel-ipsec)#

Step 2

Specify the preshared key to support IKEv1 connections based on preshared keys. Both peers must be
configured with the same key. For example, the following command specifies the preshared key xyzx to
support IKEv1 connections for an IPsec IKEv1 remote access connection profile (xyzx is a placeholder;
use a long, randomly generated key in production):

hostname(config-tunnel-ipsec)# ikev1 pre-shared-key xyzx

hostname(config-tunnel-ipsec)#

Step 3

Specify whether to validate the identity of the peer using the peer’s certificate:

hostname(config-tunnel-ipsec)# peer-id-validate option

hostname(config-tunnel-ipsec)#

The available options are req (required), cert (validate only if the certificate supports it), and
nocheck (do not check). The default is req. With nocheck the peer's IKE identity is never compared with
the identity carried in its certificate, so keep the default unless a peer cannot present a matching
identity.

For example, the following command specifies that peer-id validation is required:

hostname(config-tunnel-ipsec)# peer-id-validate req

hostname(config-tunnel-ipsec)#

Step 4

Specify whether to enable sending of a certificate chain. The following command includes the root
certificate and any subordinate CA certificates in the transmission:

hostname(config-tunnel-ipsec)# chain

hostname(config-tunnel-ipsec)#

This attribute applies to all IPsec tunnel-group types.

Step 5

Specify the name of a trustpoint that identifies the certificate to be sent to the IKE peer:

hostname(config-tunnel-ipsec)# ikev1 trust-point trust-point-name

hostname(config-tunnel-ipsec)#

The following command specifies mytrustpoint as the trustpoint whose certificate is sent to the IKE peer:

hostname(config-tunnel-ipsec)# ikev1 trust-point mytrustpoint

Step 6

Specify the ISAKMP keepalive threshold and the number of retries allowed.

hostname(config-tunnel-ipsec)# isakmp keepalive threshold <number> retry <number>

hostname(config-tunnel-ipsec)#

The threshold parameter specifies the number of seconds (10 through 3600) that the peer is allowed to
idle before beginning keepalive monitoring. The retry parameter is the interval (2 through 10 seconds)
between retries after a keepalive response has not been received. IKE keepalives are enabled by default.
To disable IKE keepalives, enter the no form of the isakmp command:
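The following Python script is an added example and not code from the Cisco guide. It parses the tunnel-group ipsec-attributes blocks that Steps 1 through 6 produce in a saved ASA configuration and reports settings that weaken peer authentication (peer-id-validate nocheck, a short visible IKEv1 pre-shared key, no key and no trustpoint) or keepalive values outside the documented ranges. The sample configuration, the 16-character minimum key length and the wording of the findings are constructed for illustration; the script treats a key masked as ***** (as in show running-config output) as not measurable.

```python
"""Audit the tunnel-group ipsec-attributes blocks of a Cisco ASA configuration.

Added example, not code from the Cisco guide. The configuration text, the
MIN_PSK_LEN policy value and the finding wording are constructed here.
"""
import re

# Local policy threshold for a visible IKEv1 pre-shared key (assumption, not an ASA value).
MIN_PSK_LEN = 16

# Documented ranges for isakmp keepalive (seconds).
THRESHOLD_RANGE = (10, 3600)
RETRY_RANGE = (2, 10)

# Constructed sample. TG1 follows the procedure above; TG2 uses the settings
# the audit is meant to catch.
SAMPLE_CONFIG = """\
tunnel-group TG1 type remote-access
tunnel-group TG1 ipsec-attributes
 ikev1 pre-shared-key Zq8vN2pL0sRtW4xY7mKd
 peer-id-validate req
 chain
 ikev1 trust-point mytrustpoint
 isakmp keepalive threshold 300 retry 2
tunnel-group TG2 type remote-access
tunnel-group TG2 ipsec-attributes
 ikev1 pre-shared-key xyzx
 peer-id-validate nocheck
 isakmp keepalive threshold 5 retry 2
"""

BLOCK_START = re.compile(r"^tunnel-group (\S+) ipsec-attributes\s*$")


def parse_ipsec_attributes(config: str) -> dict:
    """Map each tunnel-group name to its ipsec-attributes sub-mode commands.

    ASA indents sub-mode commands by one space; the first unindented line
    ends the block.
    """
    blocks, current = {}, None
    for raw in config.splitlines():
        match = BLOCK_START.match(raw)
        if match:
            current = match.group(1)
            blocks.setdefault(current, [])
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None
    return blocks


def audit_block(name: str, lines: list) -> list:
    """Return finding strings for one ipsec-attributes block."""
    findings = []
    peer_id = "req"           # ASA default when peer-id-validate is absent
    psk = trustpoint = None
    for line in lines:
        parts = line.split()
        if parts[:1] == ["peer-id-validate"] and len(parts) == 2:
            peer_id = parts[1]
        elif parts[:2] == ["ikev1", "pre-shared-key"] and len(parts) == 3:
            psk = parts[2]
        elif parts[:2] == ["ikev1", "trust-point"] and len(parts) == 3:
            trustpoint = parts[2]
        elif parts[:2] == ["isakmp", "keepalive"] and len(parts) == 6:
            # isakmp keepalive threshold <n> retry <n>
            threshold, retry = int(parts[3]), int(parts[5])
            if not THRESHOLD_RANGE[0] <= threshold <= THRESHOLD_RANGE[1]:
                findings.append(f"{name}: keepalive threshold {threshold} outside {THRESHOLD_RANGE}")
            if not RETRY_RANGE[0] <= retry <= RETRY_RANGE[1]:
                findings.append(f"{name}: keepalive retry {retry} outside {RETRY_RANGE}")
    if peer_id == "nocheck":
        findings.append(f"{name}: peer-id-validate nocheck, IKE identity is not checked against the peer certificate")
    # show running-config masks the key as *****; only a visible key can be measured.
    if psk is not None and psk != "*****" and len(psk) < MIN_PSK_LEN:
        findings.append(f"{name}: IKEv1 pre-shared key is {len(psk)} characters, policy minimum is {MIN_PSK_LEN}")
    if psk is None and trustpoint is None:
        findings.append(f"{name}: no IKEv1 pre-shared key and no trustpoint configured")
    return findings


def audit_config(config: str) -> dict:
    """Audit every ipsec-attributes block; an empty list means no findings."""
    return {name: audit_block(name, lines)
            for name, lines in parse_ipsec_attributes(config).items()}


if __name__ == "__main__":
    for group, findings in audit_config(SAMPLE_CONFIG).items():
        print(group, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Run it against the output of show running-config tunnel-group, or against a configuration file before it is pushed; only in the latter case is the pre-shared key visible, so the length check is most useful as a pre-deployment gate.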
