Cisco ASA 5505 User Manual: Creating an IKEv1 Transform Set


73-5

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 73 Configuring LAN-to-LAN IPsec VPNs


Perform the following steps and use the command syntax in the following examples as a guide:

Step 1

Enter IPsec IKEv2 policy configuration mode. For example:

hostname(config)# crypto ikev2 policy 1
hostname(config-ikev2-policy)#

Step 2

Set the encryption method. The following example configures 3DES:

hostname(config-ikev2-policy)# encryption 3des
hostname(config-ikev2-policy)#

Step 3

Set the Diffie-Hellman group. The following example configures Group 2:

hostname(config-ikev2-policy)# group 2
hostname(config-ikev2-policy)#

Step 4

Set the pseudo-random function (PRF) used as the algorithm to derive keying material and hashing operations required for the IKEv2 tunnel encryption. The following example configures SHA-1 (an HMAC variant):

hostname(config-ikev2-policy)# prf sha
hostname(config-ikev2-policy)#

Step 5

Set the encryption key lifetime. The following example configures 43,200 seconds (12 hours):

hostname(config-ikev2-policy)# lifetime 43200
hostname(config-ikev2-policy)#

Step 6

Enable IKEv2 on the interface named outside:

hostname(config)# crypto ikev2 enable outside
hostname(config)#

Step 7

To save your changes, enter the write memory command:

hostname(config)# write memory
hostname(config)#

Creating an IKEv1 Transform Set

An IKEv1 transform set combines an encryption method and an authentication method. During the IPsec
security association negotiation with ISAKMP, the peers agree to use a particular transform set to protect
a particular data flow. The transform set must be the same for both peers.

A transform set protects the data flows for the access list specified in the associated crypto map entry.
You can create transform sets in the ASA configuration, and then specify a maximum of 11 of them in
a crypto map or dynamic crypto map entry.

Table 73-1 lists valid encryption and authentication methods.

Table 73-1    Valid Encryption and Authentication Methods

Valid Encryption Methods         Valid Authentication Methods
esp-des                          esp-md5-hmac
esp-3des (default)               esp-sha-hmac (default)
esp-aes (128-bit encryption)
esp-aes-192
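As an added example (written for this page, not code from the manual), the following Python reads the transform sets two peers offer from constructed ASA configuration fragments, enforces the Table 73-1 method pairs and the 11-set limit per crypto map entry, models the peers' agreement on the first transform set both list identically, and flags legacy methods in the result. The peer and set names, the legacy list, and the `crypto ipsec ikev1 transform-set` / `crypto map ... set ikev1 transform-set` command forms are assumptions.

```python
import re

# Constructed sample config fragments for two ASA peers (not taken from the manual).
PEER_A_CONFIG = """
crypto ipsec ikev1 transform-set TS-AES esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set TS-3DES esp-3des esp-md5-hmac
crypto map outside_map 10 set ikev1 transform-set TS-AES TS-3DES
"""
PEER_B_CONFIG = """
crypto ipsec ikev1 transform-set HQ-SET esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set HQ-AES esp-aes-192 esp-sha-hmac
crypto map outside_map 20 set ikev1 transform-set HQ-SET HQ-AES
"""
# Methods from the rows of Table 73-1 visible on this page.
VALID_ENC = {"esp-des", "esp-3des", "esp-aes", "esp-aes-192"}
VALID_AUTH = {"esp-md5-hmac", "esp-sha-hmac"}
# Assumed audit policy (not from the manual): legacy methods worth flagging.
LEGACY = {"esp-des", "esp-3des", "esp-md5-hmac"}
TS_RE = re.compile(r"^crypto ipsec ikev1 transform-set (\S+) (\S+) (\S+)$")
MAP_RE = re.compile(r"^crypto map \S+ \d+ set ikev1 transform-set (.+)$")

def parse_transform_sets(config):
    """Return the (encryption, authentication) pairs a peer offers, in crypto map order."""
    sets, order = {}, []
    for line in config.strip().splitlines():
        m = TS_RE.match(line.strip())
        if m:
            name, enc, auth = m.groups()
            if enc not in VALID_ENC or auth not in VALID_AUTH:
                raise ValueError(f"{name}: {enc} {auth} is not a valid method pair")
            sets[name] = (enc, auth)
            continue
        m = MAP_RE.match(line.strip())
        if m:
            order = m.group(1).split()
            if len(order) > 11:
                raise ValueError("crypto map entry lists more than 11 transform sets")
    return [sets[name] for name in order]

def negotiate(initiator_cfg, responder_cfg):
    """Simplified model: first initiator proposal that the responder offers identically."""
    offered = set(parse_transform_sets(responder_cfg))
    for proposal in parse_transform_sets(initiator_cfg):
        if proposal in offered:
            return proposal
    return None  # no common transform set, so the IPsec SA negotiation fails

def legacy_warnings(transform_set):
    """Methods in the agreed set that the assumed audit policy flags as legacy."""
    return sorted(m for m in transform_set if m in LEGACY)
```

With the constructed configurations the peers have no AES set in common, so they fall back to the 3DES/MD5 set and the audit flags both methods.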
