67-19
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter67 Configuring Connection Profiles, Group Policies, and Users
Configuring Connection Profiles
The available options are req (required), cert (if supported by certificate), and nocheck (do not check).
The default is req. For example, the following command sets the peer-id-validate option to nocheck:
hostname(config-tunnel-ipsec)# peer-id-validate nocheck
hostname(config-tunnel-ipsec)#
Step4 Specify whether to enable sending of a certificate chain. This action includes the root certificate and any
subordinate CA certificates in the transmission:
hostname(config-tunnel-ipsec)# chain
hostname(config-tunnel-ipsec)#
You can apply this attribute to all tunnel-group types.
Step5 Specify the name of a trustpoint that identifies the certificate to be sent to the IKE peer:
hostname(config-tunnel-ipsec)# trust-point trust-point-name
hostname(config-tunnel-ipsec)#
For example, the following command sets the trustpoint name to mytrustpoint:
hostname(config-tunnel-ipsec)# trust-point mytrustpoint
hostname(config-tunnel-ipsec)#
You can apply this attribute to all tunnel-group types.
Step6 Specify the ISAKMP (IKE) keepalive threshold and the number of retries allowed. The threshold
parameter specifies the number of seconds (10 through 3600) that the peer is allowed to idle before
beginning keepalive monitoring. The retry parameter is the interval (2 through 10 seconds) between
retries after a keepalive response has not been received. IKE keepalives are enabled by default. To
disable ISAKMP keepalives, enter isakmp keepalive disable.
For example, the following command sets the ISAKMP keepalive threshold to 15 seconds and sets the
retry interval to 10 seconds:
hostname(config-tunnel-ipsec)# isakmp keepalive threshold 15 retry 10
hostname(config-tunnel-ipsec)#
The default value for the threshold parameter for LAN-to-LAN is 10, and the default value for the retry
parameter is 2.
To specify that the central site (“head end”) should never initiate ISAKMP monitoring, enter the
following command:
hostname(config-tunnel-ipsec)# isakmp keepalive threshold infinite
hostname(config-tunnel-ipsec)#
Step7 Specify the ISAKMP hybrid authentication method, XAUTH or hybrid XAUTH.
You u se isakmp ikev1-user-authentication command to implement hybrid XAUTH authentication
when you need to use digital certificates for ASA authentication and a different, legacy method for
remote VPN user authentication, such as RADIUS, TACACS+ or SecurID. Hybrid XAUTH breaks phase
1 of IKE down into the following two steps, together called hybrid authentication:
a. The ASA authenticates to the remote VPN user with standard public key techniques. This
establishes an IKE security association that is unidirectionally authenticated.
b. An XAUTH exchange then authenticates the remote VPN user. This extended authentication can use
one of the supported legacy authentication methods.