63-9
Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
Chapter 63 Configuring IKE, Load Balancing, and NAC
Configuring IPsec
The adaptive security appliance uses IPsec for LAN-to-LAN VPN connections, and provides the option
of using IPsec for client-to-LAN VPN connections. In IPsec terminology, a “peer” is a remote-access
client or another secure gateway.
Note The ASA supports LAN-to-LAN IPsec connections with Cisco peers (IPv4 or IPv6), and with third-party
peers that comply with all relevant standards.
During tunnel establishment, the two peers negotiate security associations (SAs) that govern authentication, encryption, encapsulation, and key management. The negotiation has two phases: phase one establishes the tunnel itself (the IKE SA); phase two establishes the SA that protects the traffic carried inside the tunnel (the IPsec SA).
A LAN-to-LAN VPN connects networks in different geographic locations. In IPsec LAN-to-LAN
connections, the adaptive security appliance can function as initiator or responder. In IPsec
client-to-LAN connections, the adaptive security appliance functions only as responder. Initiators
propose SAs; responders accept, reject, or make counter-proposals—all in accordance with configured
SA parameters. To establish a connection, both entities must agree on the SAs.
The adaptive security appliance supports these IPsec attributes:
• Main mode for negotiating phase one ISAKMP security associations when using digital certificates for authentication
• Aggressive mode for negotiating phase one ISAKMP security associations (SAs) when using preshared keys for authentication
• Authentication Algorithms:
  – ESP-MD5-HMAC-128
  – ESP-SHA1-HMAC-160
• Authentication Modes:
  – Preshared Keys
  – X.509 Digital Certificates
• Diffie-Hellman Groups 1, 2, and 5
• Encryption Algorithms:
  – AES-128, -192, and -256
  – 3DES-168
  – DES-56
  – ESP-NULL
• Extended Authentication (XAuth)
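The proposal, accept, reject or counter-proposal exchange described above, as an added Python example that is not part of the Cisco guide: each peer holds phase one policies in ASA-style priority order (lowest number tried first), the responder selects the first of its own policies that the initiator also proposed, and a small audit flags the DES, 3DES, MD5 and DH group 1 values from the attribute list that a practitioner should no longer accept. The "shorter lifetime wins" rule and the weak-value list are the editor's assumptions, not statements from the page; the policy sets in `demo()` are constructed for illustration.

```python
"""IKE phase one (ISAKMP) SA negotiation between an initiator and a responder,
modelled on the description above. Added illustration, not Cisco code."""
from dataclasses import dataclass, replace
from typing import Optional

# Attribute values the page lists as supported by the ASA.
SUPPORTED = {
    "encryption": {"des", "3des", "aes-128", "aes-192", "aes-256"},
    "hash": {"md5", "sha1"},
    "auth": {"pre-share", "rsa-sig"},
    "group": {1, 2, 5},
}
# Editorial judgement, not from the page: values a practitioner should refuse.
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {1}}


@dataclass(frozen=True)
class Policy:
    """One phase one policy. Lower priority number is tried first, as on the ASA."""
    priority: int
    encryption: str
    hash: str
    auth: str
    group: int
    lifetime: int = 86400  # seconds

    def __post_init__(self) -> None:
        # Reject values the platform does not offer before they reach negotiation.
        for attr, allowed in SUPPORTED.items():
            if getattr(self, attr) not in allowed:
                raise ValueError(f"unsupported {attr}: {getattr(self, attr)!r}")

    def matches(self, other: "Policy") -> bool:
        """Attributes that both peers must propose identically."""
        return all(getattr(self, a) == getattr(other, a)
                   for a in ("encryption", "hash", "auth", "group"))


def weaknesses(p: Policy) -> list[str]:
    """Names the attributes of p that fall in WEAK (empty list means none)."""
    return [f"{attr}={getattr(p, attr)}" for attr, bad in WEAK.items()
            if getattr(p, attr) in bad]


def negotiate(initiator: list[Policy], responder: list[Policy]) -> Optional[Policy]:
    """The responder walks its own policies in priority order and accepts the
    first one that appears among the initiator's proposals. The SA lifetime is
    the shorter of the two peers' values (a simplifying assumption). None means
    no common SA, so the tunnel cannot be established."""
    proposals = sorted(initiator, key=lambda p: p.priority)
    for mine in sorted(responder, key=lambda p: p.priority):
        for theirs in proposals:
            if mine.matches(theirs):
                return replace(mine, lifetime=min(mine.lifetime, theirs.lifetime))
    return None


def demo() -> dict:
    """Constructed policy sets for both peers; returns the negotiated outcomes."""
    initiator = [
        Policy(10, "aes-256", "sha1", "pre-share", 5),
        Policy(20, "3des", "sha1", "pre-share", 2),
    ]
    responder_ok = [
        Policy(10, "aes-128", "sha1", "pre-share", 2),
        Policy(20, "3des", "sha1", "pre-share", 2, lifetime=28800),
    ]
    # The strong policy is present on both sides, but a DES policy sits at a
    # lower priority number on the responder, so it is selected first.
    responder_badorder = [
        Policy(10, "des", "md5", "pre-share", 1),
        Policy(20, "aes-256", "sha1", "pre-share", 5),
    ]
    initiator_des = initiator + [Policy(30, "des", "md5", "pre-share", 1)]
    responder_certs = [Policy(10, "aes-256", "sha1", "rsa-sig", 5)]
    return {
        "fallback": negotiate(initiator, responder_ok),
        "downgraded": negotiate(initiator_des, responder_badorder),
        "no_match": negotiate(initiator, responder_certs),
    }


if __name__ == "__main__":
    for name, sa in demo().items():
        print(name, sa, weaknesses(sa) if sa else "tunnel fails")
```

The "downgraded" case is the one to take away: priority order on the responder, not algorithm strength, decides which common proposal wins, so a leftover DES/MD5/group 1 policy with a low priority number silently wins over the AES policy both sides also carry. The "no_match" case shows that a preshared-key initiator and a certificate-only responder never agree, which surfaces as a failed phase one rather than a weak tunnel.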
Firewall Mode            Security Context
Routed   Transparent     Single   Multiple Context   System
•        —               •        —                  —