64-10
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter64 Configuring IPsec and ISAKMP
Configuring ISAKMP
group 1 Group 1 (768-bit) Specifies the Diffie-Hellman group identifier, which the
two IPsec peers use to derive a shared secret without
transmitting it to each other.
The lower the Diffie-Hellman group number, the less CPU
time it requires to execute. The higher the Diffie-Hellman
group number, the greater the security.
Cisco VPN Client Version 3.x or higher requires a minimum
of Group 2. (If you configure DH Group 1, the Cisco VPN
Client cannot connect.)
AES support is available on security appliances licensed for
VPN-3DES only. To support the large key sizes required by
AES, ISAKMP negotiation should use Diffie-Hellman
(DH) Group 5.
2 (default) Group 2 (1024-bit)
5Group 5 (1536-bit)
lifetime integer value
(86400 =
default)
120 to 2147483647
seconds
Specifies the SA lifetime. The default is 86,400 seconds or
24 hours. As a general rule, a shorter lifetime provides more
secure ISAKMP negotiations (up to a point). However, with
shorter lifetimes, the ASA sets up future IPsec SAs more
quickly.
Table64-2 IKEv2 Policy Keywords for CLI Commands
Command Keyword Meaning Description
integrity sha (default) SHA-1 (HMAC variant) Specifies the hash algorithm used to ensure data integrity. It
ensures that a packet comes from where it says it comes
from and that it has not been modified in transit.
md5 MD5 (HMAC variant) The default is SHA-1. MD5 has a smaller digest and is
considered to be slightly faster than SHA-1. A successful
(but extremely difficult) attack against MD5 has occurred;
however, the HMAC variant IKE user prevents this attack.
sha256 SHA 2, 256-bit digest Specifies the Secure Hash Algorithm SHA 2 with the
256-bit digest.
sha384 SHA 2, 384-bit digest Specifies the Secure Hash Algorithm SHA 2 with the
384-bit digest.
sha512 SHA 2, 512-bit digest Specifies the Secure Hash Algorithm SHA 2 with the
512-bit digest.
encryption des
3des (default)
56-bit DES-CBC
168-bit Triple DES
Specifies the symmetric encryption algorithm that protects
data transmitted between two IPsec peers. The default is
168-bit Triple DES.
aes
aes-192
aes-256
The Advanced Encryption Standard supports key lengths of
128, 192, 256 bits.
Table64-1 IKEv1 Policy Keywords for CLI Commands (continued)
Command Keyword Meaning Description