Cisco ASA 5505 User Manual

Page 1445


67-19

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 67 Configuring Connection Profiles, Group Policies, and Users

Configuring Connection Profiles

The available options are req (required), cert (if supported by certificate), and nocheck (do not check).
The default is req. For example, the following command sets the peer-id-validate option to nocheck:

hostname(config-tunnel-ipsec)# peer-id-validate nocheck
hostname(config-tunnel-ipsec)#

Step 4

Specify whether to enable sending of a certificate chain. This action includes the root certificate and any
subordinate CA certificates in the transmission:

hostname(config-tunnel-ipsec)# chain
hostname(config-tunnel-ipsec)#

You can apply this attribute to all tunnel-group types.

Step 5

Specify the name of a trustpoint that identifies the certificate to be sent to the IKE peer:

hostname(config-tunnel-ipsec)# trust-point trust-point-name
hostname(config-tunnel-ipsec)#

For example, the following command sets the trustpoint name to mytrustpoint:

hostname(config-tunnel-ipsec)# trust-point mytrustpoint
hostname(config-tunnel-ipsec)#

You can apply this attribute to all tunnel-group types.

Step 6

Specify the ISAKMP (IKE) keepalive threshold and the number of retries allowed. The threshold
parameter specifies the number of seconds (10 through 3600) that the peer is allowed to idle before
beginning keepalive monitoring. The retry parameter is the interval (2 through 10 seconds) between
retries after a keepalive response has not been received. IKE keepalives are enabled by default. To
disable ISAKMP keepalives, enter isakmp keepalive disable.

For example, the following command sets the ISAKMP keepalive threshold to 15 seconds and sets the
retry interval to 10 seconds:

hostname(config-tunnel-ipsec)# isakmp keepalive threshold 15 retry 10
hostname(config-tunnel-ipsec)#

The default value for the threshold parameter for LAN-to-LAN is 10, and the default value for the retry
parameter is 2.

To specify that the central site (“head end”) should never initiate ISAKMP monitoring, enter the
following command:

hostname(config-tunnel-ipsec)# isakmp keepalive threshold infinite
hostname(config-tunnel-ipsec)#

Step 7

Specify the ISAKMP hybrid authentication method, XAUTH or hybrid XAUTH.

You use the isakmp ikev1-user-authentication command to implement hybrid XAUTH authentication
when you need to use digital certificates for ASA authentication and a different, legacy method for
remote VPN user authentication, such as RADIUS, TACACS+, or SecurID. Hybrid XAUTH breaks phase
1 of IKE down into the following two steps, together called hybrid authentication:

a. The ASA authenticates to the remote VPN user with standard public key techniques. This
establishes an IKE security association that is unidirectionally authenticated.

b. An XAUTH exchange then authenticates the remote VPN user. This extended authentication can use
one of the supported legacy authentication methods.
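As an added example (not from the Cisco guide), the following Python script audits the tunnel-group ipsec-attributes blocks of a saved ASA configuration for the settings covered in Steps 3 through 6: it flags peer-id-validate nocheck, a missing trust-point, disabled ISAKMP keepalives, and keepalive values outside the documented ranges. The configuration text is constructed for illustration, and the parser assumes the one-space indentation that show running-config uses for attribute lines.

```python
import re

# Constructed sample of a saved ASA configuration (not a real device config).
SAMPLE_CONFIG = """\
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 peer-id-validate nocheck
 chain
 isakmp keepalive threshold 15 retry 10
tunnel-group remote-users type remote-access
tunnel-group remote-users ipsec-attributes
 peer-id-validate req
 trust-point mytrustpoint
 isakmp keepalive disable
 isakmp ikev1-user-authentication hybrid
"""

def parse_ipsec_attributes(config):
    """Return {tunnel_group_name: [attribute lines]} for each ipsec-attributes block."""
    blocks, current = {}, None
    for line in config.splitlines():
        m = re.match(r"tunnel-group (\S+) ipsec-attributes$", line)
        if m:
            current = m.group(1)
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())   # indented line belongs to the block
        else:
            current = None                          # any other top-level line ends it
    return blocks

def audit_ipsec_attributes(attrs):
    """Return a list of findings for one ipsec-attributes block."""
    findings = []
    if "peer-id-validate nocheck" in attrs:
        findings.append("peer identity is not validated against its certificate")
    if not any(a.startswith("trust-point ") for a in attrs):
        findings.append("no trust-point set (needed if this tunnel group uses certificates)")
    if "isakmp keepalive disable" in attrs:
        findings.append("ISAKMP keepalives disabled; dead peers will not be detected")
    for a in attrs:
        m = re.match(r"isakmp keepalive threshold (\d+) retry (\d+)$", a)
        if m and not (10 <= int(m.group(1)) <= 3600 and 2 <= int(m.group(2)) <= 10):
            findings.append(f"keepalive values out of documented range: {a}")
    return findings

def audit_config(config):
    """Audit every tunnel-group ipsec-attributes block in a configuration."""
    return {name: audit_ipsec_attributes(attrs)
            for name, attrs in parse_ipsec_attributes(config).items()}
```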
