
Cisco ASA 5512-X Cli Configuration Guide

Cisco ASA 5512-X
2164 pages
Cisco ASA Series CLI Configuration Guide
Chapter 1 Configuring IPsec and ISAKMP
Configuring ISAKMP
Table 1-1 IKEv1 Policy Keywords for CLI Commands

| Command | Keyword | Meaning | Description |
|---|---|---|---|
| authentication | rsa-sig | A digital certificate with keys generated by the RSA signatures algorithm | Specifies the authentication method the ASA uses to establish the identity of each IPsec peer. |
| | crack | Challenge/Response for Authenticated Cryptographic Keys | CRACK provides strong mutual authentication when the client authenticates using a legacy method such as RADIUS, and the server uses public key authentication. |
| | pre-share (default) | Preshared keys | Preshared keys do not scale well with a growing network but are easier to set up in a small network. |
| encryption | des | 56-bit DES-CBC | Specifies the symmetric encryption algorithm that protects data transmitted between two IPsec peers. The default is 168-bit Triple DES. |
| | 3des (default) | 168-bit Triple DES | |
| hash | sha (default) | SHA-1 (HMAC variant) | Specifies the hash algorithm used to ensure data integrity. It ensures that a packet comes from where it says it comes from and that it has not been modified in transit. |
| | md5 | MD5 (HMAC variant) | The default is SHA-1. MD5 has a smaller digest and is considered to be slightly faster than SHA-1. A successful (but extremely difficult) attack against MD5 has occurred; however, the HMAC variant IKE uses prevents this attack. |
| group | 1 | Group 1 (768-bit) | Specifies the Diffie-Hellman group identifier, which the two IPsec peers use to derive a shared secret without transmitting it to each other. The lower the Diffie-Hellman group number, the less CPU time it requires to execute. The higher the Diffie-Hellman group number, the greater the security. AES support is available on security appliances licensed for VPN-3DES only. To support the large key sizes required by AES, ISAKMP negotiation should use Diffie-Hellman (DH) Group 5. |
| | 2 (default) | Group 2 (1024-bit) | |
| | 5 | Group 5 (1536-bit) | |
| lifetime | integer value (86400 = default) | 120 to 2147483647 seconds | Specifies the SA lifetime. The default is 86,400 seconds or 24 hours. As a general rule, a shorter lifetime provides more secure ISAKMP negotiations (up to a point). However, with shorter lifetimes, the ASA sets up future IPsec SAs more quickly. |
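
The following is an added example, not part of the Cisco guide: a Python check that parses `crypto ikev1 policy` blocks from a configuration, fills unset keywords with the Table 1-1 defaults, and reports values that fall outside the table or pair AES with a DH group other than 5. The sample configuration is constructed, and the `aes`, `aes-192` and `aes-256` keywords are ASA encryption keywords that this page's table does not list.

```python
import re

# Defaults and keywords from Table 1-1. The aes* keywords are ASA encryption
# keywords that the table's note refers to but this page excerpt does not list.
DEFAULTS = {"authentication": "pre-share", "encryption": "3des",
            "hash": "sha", "group": "2", "lifetime": "86400"}
ALLOWED = {"authentication": {"rsa-sig", "crack", "pre-share"},
           "encryption": {"des", "3des", "aes", "aes-192", "aes-256"},
           "hash": {"sha", "md5"}, "group": {"1", "2", "5"}}
LIFETIME_MIN, LIFETIME_MAX = 120, 2147483647

# Constructed sample configuration, not taken from a real device.
SAMPLE_CONFIG = """\
crypto ikev1 policy 10
 encryption aes-256
 group 5
 lifetime 28800
crypto ikev1 policy 20
 encryption aes
 hash md5
crypto ikev1 policy 30
 group 1
 lifetime 60
"""

def parse_policies(config):
    """Map priority -> effective settings; unset keywords take the table defaults."""
    policies, current = {}, None
    for line in config.splitlines():
        header = re.fullmatch(r"crypto ikev1 policy (\d+)\s*", line)
        words = line.split()
        if header:
            current = policies.setdefault(int(header.group(1)), dict(DEFAULTS))
        elif current is not None and line.startswith(" ") and len(words) == 2 and words[0] in DEFAULTS:
            current[words[0]] = words[1]
        elif not line.startswith(" "):
            current = None  # any other top-level command ends the policy block
    return policies

def audit(policy):
    """Return findings for one effective policy, using only rules stated in Table 1-1."""
    findings = [f"{k} {policy[k]}: not a keyword listed for this command"
                for k, allowed in ALLOWED.items() if policy[k] not in allowed]
    life = policy["lifetime"]
    if not (life.isdigit() and LIFETIME_MIN <= int(life) <= LIFETIME_MAX):
        findings.append(f"lifetime {life}: outside {LIFETIME_MIN}-{LIFETIME_MAX} seconds")
    if policy["encryption"].startswith("aes") and policy["group"] != "5":
        findings.append(f"encryption {policy['encryption']} with group {policy['group']}: table calls for group 5 with AES")
    if policy["group"] == "1":
        findings.append("group 1: lowest Diffie-Hellman group, least security")
    return findings
```

Calling `audit()` on each value returned by `parse_policies()` shows the effective policy the defaults produce, which is what matters when a block sets only one or two keywords.
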
Table 1-2 IKEv2 Policy Keywords for CLI Commands

| Command | Keyword | Meaning | Description |
|---|---|---|---|
| integrity | sha (default) | SHA-1 (HMAC variant) | Specifies the hash algorithm used to ensure data integrity. It ensures that a packet comes from where it says it comes from and that it has not been modified in transit. |
| | md5 | MD5 (HMAC variant) | The default is SHA-1. MD5 has a smaller digest and is considered to be slightly faster than SHA-1. A successful (but extremely difficult) attack against MD5 has occurred; however, the HMAC variant IKE uses prevents this attack. |


Cisco ASA 5512-X Specifications

General
Firewall Throughput: 1.2 Gbps
VPN Throughput: 200 Mbps
Maximum VPN Peers: 250
Integrated IPS: Yes
IPS Throughput: 250 Mbps
RAM: 4 GB
Power Supply: AC, 100-240V
Security Contexts: 2 (Standard), 50 (with Security Contexts license)
Interfaces: 6 x Gigabit Ethernet
Dimensions (H x W x D): 1.75 x 17.5 x 14.5 inches
Weight: 16 lbs