Cisco ASA Series CLI Configuration Guide
Chapter 1  Configuring IPsec and ISAKMP
  Configuring ISAKMP
IKEv1 and IKEv2 each support a maximum of 20 IKE policies, each with a different set of values. 
Assign a unique priority to each policy that you create. The lower the priority number, the higher the 
priority.
When IKE negotiations begin, the peer that initiates the negotiation sends all of its policies to the remote 
peer, and the remote peer tries to find a match. The remote peer checks all of the peer's policies against 
each of its configured policies in priority order (highest priority first) until it discovers a match.
A match exists when both policies from the two peers contain the same encryption, hash, authentication, 
and Diffie-Hellman parameter values. For IKEv1, the remote peer policy must also specify a lifetime 
less than or equal to the lifetime in the policy the initiator sent. If the lifetimes are not identical, the ASA 
uses the shorter lifetime. For IKEv2 the lifetime is not negotiated but managed locally between each 
peer, making it possible to configure lifetime independently on each peer. If no acceptable match exists, 
IKE refuses negotiation and the SA is not established.
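The matching rules just described, as an added example that is not Cisco code and not from this guide: a small model in which the initiator offers all of its policies, the responder walks its own policies in priority order (lowest number first) and stops at the first policy whose encryption, hash, authentication and DH group all match, applying the IKEv1 lifetime rule (responder lifetime must be less than or equal to the initiator's, shorter one wins) and the IKEv2 rule (lifetime kept locally). The names IkePolicy, PolicySet, negotiate and build_demo are this example's own, and the two policy sets in build_demo are constructed sample data; the limits it enforces (20 policies per IKE version, DH groups 1/2/5/14/19/20/21/24, lifetime 120 to 2147483647 seconds) are the ones stated in this section and Table 1-2.

```python
"""Model of ASA IKE policy matching (added example, not Cisco code)."""
from typing import Dict, List, Optional, Tuple

MAX_POLICIES = 20                                # per IKE version
LIFETIME_MIN, LIFETIME_MAX = 120, 2147483647     # seconds (Table 1-2)
DH_GROUPS = {1, 2, 5, 14, 19, 20, 21, 24}        # group keywords (Table 1-2)


class IkePolicy:
    """One policy entry; the priority number must be unique within a set."""

    def __init__(self, priority: int, encryption: str, hash_alg: str,
                 authentication: str, group: int, lifetime: int = 86400):
        self.priority = priority
        self.encryption = encryption
        self.hash_alg = hash_alg
        self.authentication = authentication
        self.group = group
        self.lifetime = lifetime

    def params(self) -> Tuple[str, str, str, int]:
        """The four values that must be identical on both peers for a match."""
        return (self.encryption, self.hash_alg, self.authentication, self.group)


class PolicySet:
    """The policies configured on one peer, validated as the guide describes."""

    def __init__(self, version: str):
        if version not in ("ikev1", "ikev2"):
            raise ValueError("version must be 'ikev1' or 'ikev2'")
        self.version = version
        self._by_priority: Dict[int, IkePolicy] = {}

    def add(self, policy: IkePolicy) -> None:
        if policy.priority in self._by_priority:
            raise ValueError(f"priority {policy.priority} already in use")
        if len(self._by_priority) >= MAX_POLICIES:
            raise ValueError(f"at most {MAX_POLICIES} {self.version} policies")
        if policy.group not in DH_GROUPS:
            raise ValueError(f"unsupported DH group {policy.group}")
        if not LIFETIME_MIN <= policy.lifetime <= LIFETIME_MAX:
            raise ValueError(f"lifetime {policy.lifetime} out of range")
        self._by_priority[policy.priority] = policy

    def ordered(self) -> List[IkePolicy]:
        """Policies in negotiation order: lowest number = highest priority."""
        return [self._by_priority[k] for k in sorted(self._by_priority)]


def negotiate(initiator: PolicySet,
              responder: PolicySet) -> Optional[Tuple[IkePolicy, int]]:
    """Return (responder policy chosen, effective SA lifetime), or None.

    The initiator sends all of its policies; the responder checks them against
    its own policies in priority order and stops at the first match.
    """
    if initiator.version != responder.version:
        raise ValueError("both peers must negotiate the same IKE version")
    offered = initiator.ordered()
    for mine in responder.ordered():
        for theirs in offered:
            if mine.params() != theirs.params():
                continue
            if responder.version == "ikev1":
                # IKEv1: responder lifetime must be <= the initiator's, and
                # the shorter of the two is used.
                if mine.lifetime > theirs.lifetime:
                    continue
                return mine, min(mine.lifetime, theirs.lifetime)
            # IKEv2: lifetime is not negotiated; each peer keeps its own.
            return mine, mine.lifetime
    return None  # no acceptable match: IKE refuses negotiation


def build_demo(version: str) -> Tuple[PolicySet, PolicySet]:
    """Constructed sample policy sets for both peers (not from the guide)."""
    init = PolicySet(version)
    init.add(IkePolicy(10, "aes-256", "sha", "pre-share", 5, lifetime=43200))
    init.add(IkePolicy(20, "3des", "sha", "pre-share", 2))
    resp = PolicySet(version)
    resp.add(IkePolicy(5, "aes-256", "sha", "pre-share", 5))   # lifetime 86400
    resp.add(IkePolicy(10, "3des", "sha", "pre-share", 2))
    return init, resp


if __name__ == "__main__":
    for v in ("ikev1", "ikev2"):
        result = negotiate(*build_demo(v))
        print(v, "->", "no match" if result is None else
              f"responder policy {result[0].priority}, lifetime {result[1]}s")
```

With the same two policy sets, IKEv1 skips the responder's highest-priority AES policy because its 86400-second lifetime exceeds the initiator's 43200 seconds and falls through to the 3DES policy, while IKEv2 accepts the AES policy immediately because lifetime is not part of the match. That is the practical difference the paragraph above is making.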
There is an implicit trade-off between security and performance when you choose a specific value for 
each parameter. The level of security the default values provide is adequate for the security requirements 
of most organizations. If you are interoperating with a peer that supports only one of the values for a 
parameter, your choice is limited to that value. 
Note: New ASA configurations do not have a default IKEv1 or IKEv2 policy.
To configure IKE policies, in global configuration mode, use the crypto ikev1 | ikev2 policy priority 
command to enter IKE policy configuration mode.
You must include the priority in each of the ISAKMP commands. The priority number uniquely 
identifies the policy and determines the priority of the policy in IKE negotiations.
To enable and configure IKE, complete the following steps, using the IKEv1 examples as a guide:
Table 1-2 IKEv2 Policy Keywords for CLI Commands (continued)

Command: group
  Keyword      Meaning
  1            Group 1 (768-bit)
  2 (default)  Group 2 (1024-bit)
  5            Group 5 (1536-bit)
  14
  19
  20
  21
  24
  Description: Specifies the Diffie-Hellman group identifier, which the two
  IPsec peers use to derive a shared secret without transmitting it to each
  other.
  The lower the Diffie-Hellman group number, the less CPU time it requires to
  execute. The higher the Diffie-Hellman group number, the greater the
  security.
  The AnyConnect client supports DH group 1, 2, and 5 in non-FIPS mode, and
  groups 2 and only in FIPS mode.
  AES support is available on security appliances licensed for VPN-3DES only.
  To support the large key sizes required by AES, ISAKMP negotiation should
  use Diffie-Hellman (DH) Group 5.

Command: lifetime
  Keyword                          Meaning
  integer value (86400 = default)  120 to 2147483647 seconds
  Description: Specifies the SA lifetime. The default is 86,400 seconds or
  24 hours. As a general rule, a shorter lifetime provides more secure ISAKMP
  negotiations (up to a point). However, with shorter lifetimes, the ASA sets
  up future IPsec SAs more quickly.