64-9
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter64 Configuring IPsec and ISAKMP
Configuring ISAKMP
Configuring IKEv1 and IKEv2 Policies
To create an IKE policy, enter the crypto ikev1 | ikev2 policy command from global configuration mode.
The prompt displays IKE policy configuration mode. For example:
hostname(config)# crypto ikev1 policy 1
hostname(config-ikev1-policy)#
After creating the policy, you can specify the settings for the policy.
Table64-1 and Table 64-2 provide information about the IKEv1 and IKEv2 policy keywords and their
values.
Table64-1 IKEv1 Policy Keywords for CLI Commands
Command Keyword Meaning Description
authentication rsa-sig A digital certificate with
keys generated by the
RSA signatures algorithm
Specifies the authentication method the ASA uses to
establish the identity of each IPsec peer.
crack Challenge/Response for
Authenticated
Cryptographic Keys
CRACK provides strong mutual authentication when the
client authenticates using a legacy method such as
RADIUS, and the server uses public key authentication.
pre-share
(default)
Preshared keys Preshared keys do not scale well with a growing network
but are easier to set up in a small network.
encryption des
3des (default)
56-bit DES-CBC
168-bit Triple DES
Specifies the symmetric encryption algorithm that protects
data transmitted between two IPsec peers. The default is
168-bit Triple DES.
aes
aes-192
aes-256
The Advanced Encryption Standard supports key lengths of
128, 192, 256 bits.
hash sha (default) SHA-1 (HMAC variant) Specifies the hash algorithm used to ensure data integrity. It
ensures that a packet comes from where it says it comes
from and that it has not been modified in transit.
md5 MD5 (HMAC variant) The default is SHA-1. MD5 has a smaller digest and is
considered to be slightly faster than SHA-1. A successful
(but extremely difficult) attack against MD5 has occurred;
however, the HMAC variant IKE uses prevents this attack.