Configuring ikev1 and ikev2 policies – Cisco ASA 5505 User Manual
Page 1361
64-9
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 64 Configuring IPsec and ISAKMP
Configuring ISAKMP
Configuring IKEv1 and IKEv2 Policies
To create an IKE policy, enter the crypto ikev1 | ikev2 policy command from global configuration mode.
The prompt displays IKE policy configuration mode. For example:
hostname(config)# crypto ikev1 policy 1
hostname(config-ikev1-policy)#
After creating the policy, you can specify the settings for the policy.
and
provide information about the IKEv1 and IKEv2 policy keywords and their
values.
Table 64-1
IKEv1 Policy Keywords for CLI Commands
Command
Keyword
Meaning
Description
authentication
rsa-sig
A digital certificate with
keys generated by the
RSA signatures algorithm
Specifies the authentication method the ASA uses to
establish the identity of each IPsec peer.
crack
Challenge/Response for
Authenticated
Cryptographic Keys
CRACK provides strong mutual authentication when the
client authenticates using a legacy method such as
RADIUS, and the server uses public key authentication.
pre-share
(default)
Preshared keys
Preshared keys do not scale well with a growing network
but are easier to set up in a small network.
encryption
des
3des (default)
56-bit DES-CBC
168-bit Triple DES
Specifies the symmetric encryption algorithm that protects
data transmitted between two IPsec peers. The default is
168-bit Triple DES.
aes
aes-192
aes-256
The Advanced Encryption Standard supports key lengths of
128, 192, 256 bits.
hash
sha (default)
SHA-1 (HMAC variant)
Specifies the hash algorithm used to ensure data integrity. It
ensures that a packet comes from where it says it comes
from and that it has not been modified in transit.
md5
MD5 (HMAC variant)
The default is SHA-1. MD5 has a smaller digest and is
considered to be slightly faster than SHA-1. A successful
(but extremely difficult) attack against MD5 has occurred;
however, the HMAC variant IKE uses prevents this attack.