64-13
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter64 Configuring IPsec and ISAKMP
Configuring ISAKMP
For example:
hostname(config-ikev1-policy)# lifetime 14400
Enabling IKE on the Outside Interface
You must enable IKE on the interface that terminates the VPN tunnel. Typically this is the outside, or
public interface. To enable IKEv1 or IKEv2, use the crypto ikev1 | ikev2 enable command from global
configuration mode:
crypto ikev1 | ikev2 enable interface-name
For example:
hostname(config)# crypto ikev1 enable outside
Disabling IKEv1 Aggressive Mode
Phase 1 IKEv1 negotiations can use either main mode or aggressive mode. Both provide the same
services, but aggressive mode requires only two exchanges between the peers totaling three messages,
rather than three exchanges totaling six messages. Aggressive mode is faster, but does not provide
identity protection for the communicating parties. Therefore, the peers must exchange identification
information before establishing a secure SA. Aggressive mode is enabled by default.
Main mode is slower, using more exchanges, but it protects the identities of the communicating
peers.
Aggressive mode is faster, but does not protect the identities of the peers.
To disable aggressive mode, enter the following command:
crypto ikev1 am-disable
For example:
hostname(config)# crypto ikev1 am-disable
If you have disabled aggressive mode, and want to revert to back to it, use the no form of the command.
For example:
hostname(config)# no crypto ikev1 am-disable
Note Disabling aggressive mode prevents Cisco VPN clients from using preshared key authentication to
establish tunnels to the ASA. However, they may use certificate-based authentication (thatis, ASA or
RSA) to establish tunnels.
Determining an ID Method for IKEv1 and IKEv2 ISAKMP Peers
During ISAKMP Phase I negotiations, either IKEv1 or IKEv2, the peers must identify themselves to
each other. You can choose the identification method from the following options: