73-3
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter73 Configuring LAN-to-LAN IPsec VPNs
Configuring ISAKMP Policy and Enabling ISAKMP on the Outside Interface
hostname(config-if)##
Step4 To enable the interface, enter the no version of the shutdown command. By default, interfaces are
disabled.
hostname(config-if)# no shutdown
hostname(config-if)#
Step5 To save your changes, enter the write memory command.
hostname(config-if)# write memory
hostname(config-if)#
Step6 To configure a second interface, use the same procedure.
Configuring ISAKMP Policy and Enabling ISAKMP on the Outside Interface
ISAKMP is the negotiation protocol that lets two hosts agree on how to build an IPsec security
association (SA). It provides a common framework for agreeing on the format of SA attributes. This
includes negotiating with the peer about the SA, and modifying or deleting the SA. ISAKMP separates
negotiation into two phases: Phase 1 and Phase 2. Phase 1 creates the first tunnel, which protects later
ISAKMP negotiation messages. Phase 2 creates the tunnel that protects data.
IKE uses ISAKMP to setup the SA for IPsec to use. IKE creates the cryptographic keys used to
authenticate peers.
The ASA supports IKEv1 for connections from the legacy Cisco VPN client, and IKEv2 for the
AnyConnect VPN client.
To set the terms of the ISAKMP negotiations, you create an IKE policy, which includes the following:
The authentication type required of the IKEv1 peer, either RSA signature using certificates or
preshared key (PSK).
An encryption method, to protect the data and ensure privacy.
A Hashed Message Authentication Codes (HMAC) method to ensure the identity of the sender, and
to ensure that the message has not been modified in transit.
A Diffie-Hellman group to determine the strength of the encryption-key-determination algorithm.
The ASA uses this algorithm to derive the encryption and hash keys.
For IKEv2, a separate pseudo-random function (PRF) used as the algorithm to derive keying
material and hashing operations required for the IKEv2 tunnel encryption, etc.
A limit to the time the ASA uses an encryption key before replacing it.
With IKEv1 policies, for each parameter, you set one value. For IKEv2, you can configure multiple
encryption and authentication types, and multiple integrity algorithms for a single policy. The ASA
orders the settings from the most secure to the least secure and negotiates with the peer using that order.
This allows you to potentially send a single proposal to convey all the allowed transforms instead of the
need to send each allowed combination as with IKEv1.
The following sections provide procedures for creating IKEv1 and IKEv2 policies and enabling them on
an interface:
Configuring ISAKMP Policies for IKEv1 Connections, page73-4