Creating an ikev2 proposal – Cisco ASA 5505 User Manual


73-6

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 73 Configuring LAN-to-LAN IPsec VPNs

Creating an IKEv2 Proposal

Tunnel Mode is the usual way to implement IPsec between two ASAs that are connected over an
untrusted network, such as the public Internet. Tunnel mode is the default and requires no configuration.

To configure a transform set, perform the following steps:

Step 1

In global configuration mode enter the crypto ipsec ikev1 transform-set command. The following
example configures a transform set with the name FirstSet, esp-3des encryption, and esp-md5-hmac
authentication. The syntax is as follows:

crypto ipsec ikev1 transform-set transform-set-name encryption-method authentication-method

hostname(config)# crypto ipsec ikev1 transform-set FirstSet esp-3des esp-md5-hmac

hostname(config)#

Step 2

Save your changes.

hostname(config)# write memory

hostname(config)#

Creating an IKEv2 Proposal

For IKEv2, you can configure multiple encryption and authentication types, and multiple integrity
algorithms, for a single policy. The ASA orders the settings from the most secure to the least secure and
negotiates with the peer using that order. This lets you send a single proposal that conveys all the
allowed transforms, instead of having to send each allowed combination separately as IKEv1 requires.

Table 73-1 lists valid IKEv2 encryption and authentication methods.

To configure an IKEv2 proposal, perform the following steps:

Step 1

In global configuration mode, use the crypto ipsec ikev2 ipsec-proposal command to enter ipsec
proposal configuration mode where you can specify multiple encryption and integrity types for the
proposal. In this example, secure is the name of the proposal:

hostname(config)# crypto ipsec ikev2 ipsec-proposal secure

Table 73-1 Valid Encryption and Authentication Methods

Valid Encryption Methods        Valid Authentication Methods
esp-aes-256                     (authentication column not recovered on this page)
esp-null
(only the last two encryption entries of this table survive on this page)

Table 73-2 Valid IKEv2 Encryption and Integrity Methods

Valid Encryption Methods        Valid Integrity Methods
des                             sha (default)
3des (default)                  md5
aes
aes-192
aes-256
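The transform-set and IKEv2 proposal procedures above both accept the weaker algorithms the tables list (des, 3des, md5, esp-null), and the page's own example uses esp-3des with esp-md5-hmac. The following added audit script (editor's example, not Cisco's code or part of this guide) parses both syntaxes from a saved ASA configuration and reports which named transform sets or proposals still carry those algorithms. It assumes the IKEv2 proposal block uses the `protocol esp encryption ...` / `protocol esp integrity ...` subcommands, which are not shown on this page, and the sample configuration is constructed.

```python
import re

# Algorithms from Tables 73-1 / 73-2 that this audit treats as weak; the
# classification is the editor's, the keyword names are the page's.
WEAK = {
    "esp-des": "DES: 56-bit key",
    "esp-3des": "3DES: 64-bit block cipher",
    "esp-null": "no encryption (NULL ESP)",
    "esp-md5-hmac": "MD5-based integrity",
    "des": "DES: 56-bit key",
    "3des": "3DES: 64-bit block cipher",
    "md5": "MD5-based integrity",
}

# The 'ikev1' keyword is optional so the older spelling on this page matches too.
IKEV1_RE = re.compile(r"^crypto ipsec (?:ikev1 )?transform-set (\S+) (\S+) (\S+)$")
IKEV2_RE = re.compile(r"^crypto ipsec ikev2 ipsec-proposal (\S+)$")
# Assumed subcommand form inside ipsec-proposal mode (not shown on this page).
PROTO_RE = re.compile(r"^\s+protocol esp (encryption|integrity) (.+)$")

# Constructed sample configuration: the page's FirstSet plus an IKEv2 proposal.
SAMPLE = """\
crypto ipsec ikev1 transform-set FirstSet esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set StrongSet esp-aes-256 esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal secure
 protocol esp encryption aes-256 aes-192 aes 3des des
 protocol esp integrity sha-1 md5
"""

def audit(config_text):
    """Return (kind, name, algorithm, reason) for every weak algorithm found."""
    findings = []
    current = None  # name of the IKEv2 proposal block being read, if any
    for line in config_text.splitlines():
        m = IKEV1_RE.match(line)
        if m:
            current = None
            name, enc, auth = m.groups()
            findings += [("ikev1", name, a, WEAK[a]) for a in (enc, auth) if a in WEAK]
            continue
        m = IKEV2_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = PROTO_RE.match(line)
        if m and current:
            findings += [("ikev2", current, a, WEAK[a]) for a in m.group(2).split() if a in WEAK]
            continue
        if not line.startswith(" "):  # any other top-level command ends the block
            current = None
    return findings
```

Run it over the output of `show running-config` saved to a file; a proposal that lists a weak algorithm after stronger ones is still reported, because the peer may negotiate down to it.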
