Page 1581


Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 73 Configuring LAN-to-LAN IPsec VPNs

Perform the following steps and use the command syntax in the following examples as a guide:

Step 1

Enter IPsec IKEv2 policy configuration mode. For example:

hostname(config)# crypto ikev2 policy 1


Step 2

Set the encryption method. The following example configures 3DES:

hostname(config-ikev2-policy)# encryption 3des


Step 3

Set the Diffie-Hellman group. The following example configures Group 2:

hostname(config-ikev2-policy)# group 2


Step 4

Set the pseudo-random function (PRF) used as the algorithm to derive keying material and hashing
operations required for the IKEv2 tunnel encryption. The following example configures SHA-1 (an
HMAC variant):

hostname(config-ikev2-policy)# prf sha


Step 5

Set the encryption key lifetime. The following example configures 43,200 seconds (12 hours):

hostname(config-ikev2-policy)# lifetime 43200


Step 6

Enable IKEv2 on the interface named outside:

hostname(config)# crypto ikev2 enable outside


Step 7

To save your changes, enter the write memory command:

hostname(config)# write memory


Creating an IKEv1 Transform Set

An IKEv1 transform set combines an encryption method and an authentication method. During the IPsec
security association negotiation with ISAKMP, the peers agree to use a particular transform set to protect
a particular data flow. The transform set must be the same for both peers.

A transform set protects the data flows for the access list specified in the associated crypto map entry.
You can create transform sets in the ASA configuration, and then specify a maximum of 11 of them in
a crypto map or dynamic crypto map entry.

Table 73-1 lists valid encryption and authentication methods.

Table 73-1    Valid Encryption and Authentication Methods

Valid Encryption Methods          Valid Authentication Methods
esp-des                           esp-md5-hmac
esp-3des (default)                esp-sha-hmac (default)
esp-aes (128-bit encryption)