64-14
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 64 Configuring IPsec and ISAKMP
Configuring ISAKMP
During ISAKMP Phase I negotiation the peers identify themselves to each other using one of the following methods:

Address     Uses the IP addresses of the hosts exchanging ISAKMP identity information.
Automatic   Determines ISAKMP negotiation by connection type: IP address for preshared key;
            Cert Distinguished Name for certificate authentication.
Hostname    Uses the fully qualified domain name of the hosts exchanging ISAKMP identity
            information (default). This name comprises the hostname and the domain name.
Key ID      Uses the string the remote peer uses to look up the preshared key.

The ASA uses the Phase I ID to send to the peer. This is true for all VPN scenarios except LAN-to-LAN
IKEv1 connections in main mode that authenticate with preshared keys.
The default setting is auto.
To change the peer identification method, enter the following command:
crypto isakmp identity {address | hostname | key-id id-string | auto}
For example, the following command sets the peer identification method to hostname:
hostname(config)# crypto isakmp identity hostname

Enabling IPsec over NAT-T
NAT-T lets IPsec peers establish a connection through a NAT device. It does this by encapsulating IPsec
traffic in UDP datagrams, using port 4500, which provides NAT devices with port information. NAT-T
auto-detects any NAT devices and only encapsulates IPsec traffic when necessary. This feature is
disabled by default.
Note Due to a limitation of the AnyConnect client, you must enable NAT-T for the AnyConnect client to
successfully connect using IKEv2. This requirement applies even if the client is not behind a NAT
device.
With the exception of the home zone on the Cisco ASA 5505, the ASA can simultaneously support
standard IPsec, IPsec over TCP, NAT-T, and IPsec over UDP, depending on the client with which it is
exchanging data.
The following breakdown shows the feature used with each option enabled:

Options Enabled                               Client Position     Feature Used
Option 1: NAT-T enabled                       Client behind NAT   NAT-T
                                              No NAT              Native IPsec (ESP)
Option 2: IPsec over UDP enabled              Client behind NAT   IPsec over UDP
                                              No NAT              IPsec over UDP
Option 3: NAT-T and IPsec over UDP enabled    Client behind NAT   NAT-T
                                              No NAT              IPsec over UDP

Note When IPsec over TCP is enabled, it takes precedence over all other connection methods.
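The precedence rules above (IPsec over TCP first, then NAT-T only when a NAT device is detected, then IPsec over UDP, otherwise native ESP) can be turned into a check that compares what the ASA configuration predicts against the encapsulation actually seen on the wire. This is an added example, not Cisco's code; the IPsec over UDP and IPsec over TCP port numbers, the flow-record layout and the fallback to native ESP when nothing applies are assumptions, and the flow records are constructed sample data.

```python
"""Compare the IPsec transport predicted by the ASA's NAT-T / IPsec over UDP /
IPsec over TCP settings (precedence rules from the page) with observed flows.
Flow records below are constructed sample data, not real ASA output."""

NAT_T_PORT = 4500            # NAT-T wraps ESP in UDP/4500 (stated on the page)
IPSEC_OVER_UDP_PORT = 10000  # assumed port for IPsec over UDP (not on the page)
IPSEC_OVER_TCP_PORT = 10000  # assumed port for IPsec over TCP (not on the page)


def expected_transport(cfg, client_behind_nat):
    """Apply the precedence table: IPsec over TCP beats everything; NAT-T is used
    only when a NAT device was detected; then IPsec over UDP if enabled."""
    if cfg["ipsec_over_tcp"]:
        return "ipsec-over-tcp"
    if cfg["nat_t"] and client_behind_nat:
        return "nat-t"
    if cfg["ipsec_over_udp"]:
        return "ipsec-over-udp"
    # Assumed: NAT-T enabled with no NAT in the path (Option 1), or nothing
    # enabled at all, falls back to native ESP (IP protocol 50).
    return "native-esp"


def observed_transport(flow):
    """Classify one flow by its outer header; proto is 'esp', 'udp' or 'tcp'."""
    if flow["proto"] == "esp":
        return "native-esp"
    if flow["proto"] == "udp" and flow["dport"] == NAT_T_PORT:
        return "nat-t"
    if flow["proto"] == "udp" and flow["dport"] == IPSEC_OVER_UDP_PORT:
        return "ipsec-over-udp"
    if flow["proto"] == "tcp" and flow["dport"] == IPSEC_OVER_TCP_PORT:
        return "ipsec-over-tcp"
    return "unknown"


def audit(cfg, flows):
    """Return (peer, expected, observed) for each flow that disagrees with cfg."""
    mismatches = []
    for f in flows:
        exp, obs = expected_transport(cfg, f["behind_nat"]), observed_transport(f)
        if exp != obs:
            mismatches.append((f["peer"], exp, obs))
    return mismatches


# Constructed sample: NAT-T enabled, IPsec over UDP and TCP disabled (Option 1).
SAMPLE_CFG = {"nat_t": True, "ipsec_over_udp": False, "ipsec_over_tcp": False}
SAMPLE_FLOWS = [
    {"peer": "203.0.113.10", "behind_nat": True, "proto": "udp", "dport": 4500},
    {"peer": "198.51.100.7", "behind_nat": False, "proto": "esp", "dport": None},
    {"peer": "192.0.2.44", "behind_nat": True, "proto": "esp", "dport": None},
]

if __name__ == "__main__":
    for peer, exp, obs in audit(SAMPLE_CFG, SAMPLE_FLOWS):
        print(f"{peer}: expected {exp}, observed {obs}")
```

The third sample flow is the case worth investigating: a peer reported as behind NAT that is nonetheless sending raw ESP, which the precedence table says should not happen with NAT-T enabled.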