27-3
Cisco Security Appliance Command Line Configuration Guide
OL-10088-01
Chapter 27 Configuring IPSec and ISAKMP
Configuring ISAKMP
Phase 1 creates the first tunnel, which protects later ISAKMP negotiation messages. Phase 2 creates the
tunnel that protects data.
To set the terms of the ISAKMP negotiations, you create an ISAKMP policy, which includes the
following:
• An authentication method, to ensure the identity of the peers.
• An encryption method, to protect the data and ensure privacy.
• A Hashed Message Authentication Codes (HMAC) method to ensure the identity of the sender, and
to ensure that the message has not been modified in transit.
• A Diffie-Hellman group to determine the strength of the encryption-key-determination algorithm.
The security appliance uses this algorithm to derive the encryption and hash keys.
• A limit to the time the security appliance uses an encryption key before replacing it.
Table 27-1 provides information about the ISAKMP policy keywords and their values.
Table 27-1 ISAKMP Policy Keywords for CLI Commands
Command Keyword Meaning Description
crypto isakmp policy authentication rsa-sig A digital certificate
with keys generated
by the RSA signatures
algorithm
Specifies the authentication method the
security appliance uses to establish the
identity of each IPSec peer.
crack Challenge/Response
for Authenticated
Cryptographic Keys
CRACK provides strong mutual
authentication when the client authenticates
using a legacy method such as RADIUS and
the server uses public key authentication.
pre-share
(default)
Preshared keys Preshared keys do not scale well with a
growing network but are easier to set up in
a small network.
crypto isakmp policy encryption des
3des (default)
56-bit DES-CBC
168-bit Triple DES
Specifies the symmetric encryption
algorithm that protects data transmitted
between two IPSec peers. The default is
168-bit Triple DES.
aes
aes-192
aes-256
The Advanced Encryption Standard
supports key lengths of 128, 192, 256 bits.
crypto isakmp policy hash sha (default) SHA-1 (HMAC
variant)
Specifies the hash algorithm used to ensure
data integrity. It ensures that a packet comes
from where it says it comes from, and that it
has not been modified in transit.
md5 MD5 (HMAC variant) The default is SHA-1. MD5 has a smaller
digest and is considered to be slightly faster
than SHA-1. A successful (but extremely
difficult) attack against MD5 has occurred;
however, the HMAC variant IKE uses
prevents this attack.
To Next Page
Loading...
