Cisco ASA 5505 User Manual

Page 1362

64-10

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 64 Configuring IPsec and ISAKMP

Configuring ISAKMP

group

Group 1 (768-bit)

Specifies the Diffie-Hellman group identifier, which the
two IPsec peers use to derive a shared secret without
transmitting it to each other.

The lower the Diffie-Hellman group number, the less CPU
time it requires to execute. The higher the Diffie-Hellman
group number, the greater the security.

Cisco VPN Client Version 3.x or higher requires a minimum
of Group 2. (If you configure DH Group 1, the Cisco VPN
Client cannot connect.)

AES support is available on security appliances licensed for
VPN-3DES only. To support the large key sizes required by
AES, ISAKMP negotiation should use Diffie-Hellman
(DH) Group 5.

2 (default)

Group 2 (1024-bit)

Group 5 (1536-bit)

lifetime

integer value

(86400 =
default)

120 to 2147483647
seconds

Specifies the SA lifetime. The default is 86,400 seconds or
24 hours. As a general rule, a shorter lifetime provides more
secure ISAKMP negotiations (up to a point). However, with
shorter lifetimes, the ASA sets up future IPsec SAs more
quickly.

Table 64-2

IKEv2 Policy Keywords for CLI Commands

Command

Keyword

Meaning

Description

integrity

sha (default)

SHA-1 (HMAC variant)

Specifies the hash algorithm used to ensure data integrity. It
ensures that a packet comes from where it says it comes
from and that it has not been modified in transit.

md5

MD5 (HMAC variant)

The default is SHA-1. MD5 has a smaller digest and is
considered to be slightly faster than SHA-1. A successful
(but extremely difficult) attack against MD5 has occurred;
however, the HMAC variant IKE user prevents this attack.

sha256

SHA 2, 256-bit digest

Specifies the Secure Hash Algorithm SHA 2 with the
256-bit digest.

sha384

SHA 2, 384-bit digest

Specifies the Secure Hash Algorithm SHA 2 with the
384-bit digest.

sha512

SHA 2, 512-bit digest

Specifies the Secure Hash Algorithm SHA 2 with the
512-bit digest.

encryption

des

3des (default)

56-bit DES-CBC

168-bit Triple DES

Specifies the symmetric encryption algorithm that protects
data transmitted between two IPsec peers. The default is
168-bit Triple DES.

aes
aes-192
aes-256

The Advanced Encryption Standard supports key lengths of
128, 192, 256 bits.

Table 64-1

IKEv1 Policy Keywords for CLI Commands (continued)

Command

Keyword

Meaning

Description

This manual is related to the following products:

ASA 5585-X ASA 5555-X ASA 5545-X ASA 5525-X ASA 5515-X ASA 5512-X ASA 5580 ASA 5550 ASA 5540 ASA 5520 ASA 5510 ASA 5500 Series