69-11
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter69 Configuring Remote Access IPsec VPNs
Configuring Remote Access IPsec VPNs
Defining a Tunnel Group
This section describes how to configure a tunnel group, which is a set of records that contain tunnel
connection policies. You configure a tunnel group to identify AAA servers, specify connection
parameters, and define a default group policy. The ASA stores tunnel groups internally.
Command Purpose
To configure an IKEv1 transform set:
crypto ipsec ikev1 transform-set
transform-set-name encryption-method
[authentication]
Example:
hostname(config)# crypto ipsec transform set
FirstSet esp-3des esp-md5-hmac
hostname(config)#
Configures an IKEv1 transform set that specifies the IPsec IKEv1
encryption and hash algorithms to be used to ensure data integrity.
Use one of the following values for encryption:
esp-aes to use AES with a 128-bit key.
esp-aes-192 to use AES with a 192-bit key.
esp-aes-256 to use AES with a 256-bit key.
esp-des to use 56-bit DES-CBC.
esp-3des to use triple DES algorithm.
esp-null to not use encryption.
Use one of the following values for authentication:
esp-md5-hmac to use the MD5/HMAC-128 as the hash algorithm.
esp-sha-hmac to use the SHA/HMAC-160 as the hash algorithm.
esp-none to not use HMAC authentication.
To configure an IKEv2 proposal:
crypto ipsec ikev2 ipsec-proposal
proposal_name
Then:
protocol {esp} {encryption {des | 3des | aes
| aes-192 | aes-256 | null} | integrity {md5
| sha-1}
Example:
hostname(config)# crypto ipsec ikev2
ipsec-proposal secure_proposal
hostname(config-ipsec-proposal)# protocol
esp encryption des integrity md5
Configures an IKEv2 proposal set that specifies the IPsec IKEv2
protocol, encryption, and integrity algorithms to be used.
esp specifies the Encapsulating Security Payload (ESP) IPsec protocol
(currently the only supported protocol for IPsec).
Use one of the following values for encryption:
des to use 56-bit DES-CBC encryption for ESP.
3des (default) to use the triple DES encryption algorithm for ESP.
aes to use AES with a 128-bit key encryption for ESP.
aes-192 to use AES with a 192-bit key encryption for ESP.
aes-256 to use AES with a 256-bit key encryption for ESP.
null to not use encryption for ESP.
Use one of the following values for integrity:
md5 specifies the md5 algorithm for the ESP integrity protection.
sha-1 (default) specifies the Secure Hash Algorithm (SHA) SHA-1,
defined in the U.S. Federal Information Processing Standard (FIPS),
for ESP integrity protection.