Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 73 Configuring LAN-to-LAN IPsec VPNs
Perform the following steps and use the command syntax in the following examples as a guide:
Step 1 Enter IPsec IKEv2 policy configuration mode. For example:
hostname(config)# crypto ikev2 policy 1
hostname(config-ikev2-policy)#
Step 2 Set the encryption method. The following example configures 3DES:
hostname(config-ikev2-policy)# encryption 3des
hostname(config-ikev2-policy)#
Step 3 Set the Diffie-Hellman group. The following example configures Group 2:
hostname(config-ikev2-policy)# group 2
hostname(config-ikev2-policy)#
Step 4 Set the pseudo-random function (PRF) used as the algorithm to derive keying material and for the hashing operations required for IKEv2 tunnel encryption. The following example configures SHA-1 (an HMAC variant):
hostname(config-ikev2-policy)# prf sha
hostname(config-ikev2-policy)#
Step 5 Set the encryption key lifetime. The following example configures 43,200 seconds (12 hours):
hostname(config-ikev2-policy)# lifetime 43200
hostname(config-ikev2-policy)#
Step 6 Enable IKEv2 on the interface named outside:
hostname(config)# crypto ikev2 enable outside
hostname(config)#
Step 7 To save your changes, enter the write memory command:
hostname(config)# write memory
hostname(config)#
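Steps 1 through 7 above build one IKEv2 policy a command at a time. The following Python script is an added example, not code from the Cisco guide: it parses such policy blocks out of running-config text and reports settings that fall outside a strength baseline. It assumes the blocks appear as show running-config prints them (a crypto ikev2 policy header followed by settings indented one space, with lifetime written either as lifetime N or lifetime seconds N). The baseline itself (no DES/3DES, Diffie-Hellman group 14 or higher, SHA-2 PRFs, lifetime of at most one day) and the sample configuration are this example's own choices, not statements from the guide.

```python
"""Audit 'crypto ikev2 policy' blocks in ASA running-config text.

Added example, not code from the Cisco guide. It assumes the blocks appear
as 'show running-config' prints them: a 'crypto ikev2 policy <priority>'
header followed by settings indented one space. The strength baseline is
this example's own choice, not something the guide states.
"""
import re
from typing import Dict, List

# Baseline (example's own): no DES/3DES, DH group 14 or higher, SHA-2 PRFs,
# and an IKE SA lifetime of at most one day (86,400 seconds).
STRONG_ENCRYPTION = {"aes", "aes-192", "aes-256", "aes-gcm", "aes-gcm-192", "aes-gcm-256"}
STRONG_GROUPS = {"14", "15", "16", "19", "20", "21"}
STRONG_PRF = {"sha256", "sha384", "sha512"}
MAX_LIFETIME = 86400

POLICY_HEADER = re.compile(r"^crypto ikev2 policy (\d+)\s*$")

# Constructed sample: the policy built by Steps 1-5 above (priority 1), plus a
# second, stronger policy (priority 10) and the interface enable from Step 6.
SAMPLE_CONFIG = """\
crypto ikev2 policy 1
 encryption 3des
 group 2
 prf sha
 lifetime 43200
crypto ikev2 policy 10
 encryption aes-256
 group 14 19
 prf sha256
 lifetime 86400
crypto ikev2 enable outside
"""


def parse_ikev2_policies(config: str) -> Dict[int, Dict[str, List[str]]]:
    """Collect the settings of each policy block, keyed by priority number.

    A block ends at the first non-indented line. Each indented line becomes
    one 'keyword -> list of values' entry, because the ASA lets a single
    line carry several values (for example 'group 14 19').
    """
    policies: Dict[int, Dict[str, List[str]]] = {}
    current = None
    for raw in config.splitlines():
        m = POLICY_HEADER.match(raw)
        if m:
            current = int(m.group(1))
            policies[current] = {}
            continue
        if current is None or not raw.startswith(" "):
            current = None  # left the block (e.g. 'crypto ikev2 enable outside')
            continue
        parts = raw.split()
        if not parts:
            continue
        key, values = parts[0], parts[1:]
        if key == "lifetime" and values[:1] == ["seconds"]:
            values = values[1:]  # accept both 'lifetime N' and 'lifetime seconds N'
        policies[current][key] = values
    return policies


def audit_policy(settings: Dict[str, List[str]]) -> List[str]:
    """Return findings for one policy against the baseline; empty means clean."""
    findings: List[str] = []
    enc = settings.get("encryption")
    if not enc:
        findings.append("encryption not set")
    else:
        findings += [f"weak encryption '{e}'" for e in enc if e not in STRONG_ENCRYPTION]
    groups = settings.get("group")
    if not groups:
        findings.append("Diffie-Hellman group not set")
    else:
        findings += [f"weak Diffie-Hellman group {g}" for g in groups if g not in STRONG_GROUPS]
    prf = settings.get("prf")
    if not prf:
        findings.append("prf not set")
    else:
        findings += [f"weak PRF '{p}'" for p in prf if p not in STRONG_PRF]
    for value in settings.get("lifetime", []):
        if value.isdigit() and int(value) > MAX_LIFETIME:
            findings.append(f"lifetime {value}s exceeds {MAX_LIFETIME}s")
    return findings


def audit_config(config: str) -> Dict[int, List[str]]:
    """Audit every policy, ordered as the ASA tries them (lowest priority number first)."""
    policies = parse_ikev2_policies(config)
    return {prio: audit_policy(policies[prio]) for prio in sorted(policies)}


if __name__ == "__main__":
    for prio, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"policy {prio}: " + ("; ".join(findings) if findings else "ok"))
```

Run against the sample, the script reports the three weak choices in policy 1 (3DES, group 2, SHA-1 PRF) and nothing for policy 10. Because the ASA evaluates policies in ascending priority order, a weak policy with a low number is offered first; the report keeps that order so the first line is the one that matters most.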
Creating an IKEv1 Transform Set
An IKEv1 transform set combines an encryption method and an authentication method. During the IPsec
security association negotiation with ISAKMP, the peers agree to use a particular transform set to protect
a particular data flow. The transform set must be the same for both peers.
A transform set protects the data flows for the access list specified in the associated crypto map entry.
You can create transform sets in the ASA configuration, and then specify a maximum of 11 of them in
a crypto map or dynamic crypto map entry.
Table 73-1 lists valid encryption and authentication methods.

Table 73-1 Valid Encryption and Authentication Methods

Valid Encryption Methods          Valid Authentication Methods
esp-des                           esp-md5-hmac
esp-3des (default)                esp-sha-hmac (default)
esp-aes (128-bit encryption)
esp-aes-192
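The text above states two rules a practitioner has to check by hand: the transform set must be identical on both peers, and a crypto map entry may reference at most 11 of them. The following Python script is an added example, not code from the Cisco guide. It parses the crypto ipsec ikev1 transform-set and crypto map lines of two peers' configurations, checks every method against the values in Table 73-1 (adding esp-aes-256, which the ASA also accepts beyond the rows reproduced above), enforces the 11-set ceiling, and reports which (encryption, authentication) pair the two peers would agree on. The peer configurations and the names in them (outside_map, FirstSet, AES-SHA, DES-MD5, NoSuchSet) are constructed for the example.

```python
"""Check IKEv1 transform sets on two ASA peers for validity and agreement.

Added example, not code from the Cisco guide. Sample configurations and
names are constructed; the method lists come from Table 73-1, plus
esp-aes-256, which the ASA also accepts but lies past the rows shown above.
"""
import re
from typing import Dict, List, Optional, Tuple

VALID_ENCRYPTION = {"esp-des", "esp-3des", "esp-aes", "esp-aes-192", "esp-aes-256"}
VALID_AUTHENTICATION = {"esp-md5-hmac", "esp-sha-hmac"}
MAX_SETS_PER_MAP_ENTRY = 11  # limit stated in the section above

TRANSFORM_SET = re.compile(r"^crypto ipsec ikev1 transform-set (\S+) (\S+) (\S+)\s*$")
MAP_SETS = re.compile(r"^crypto map (\S+) (\d+) set ikev1 transform-set (.+?)\s*$")

Pair = Tuple[str, str]  # (encryption method, authentication method)

# Constructed peer configurations. PEER_A and PEER_B share one pair under
# different names; PEER_C shares nothing with PEER_B and references an
# undefined set.
PEER_A = """\
crypto ipsec ikev1 transform-set FirstSet esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 1 set ikev1 transform-set AES-SHA FirstSet
"""
PEER_B = """\
crypto ipsec ikev1 transform-set AES-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set FirstSet esp-3des esp-sha-hmac
crypto map outside_map 1 set ikev1 transform-set FirstSet AES-SHA
"""
PEER_C = """\
crypto ipsec ikev1 transform-set DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 1 set ikev1 transform-set DES-MD5 NoSuchSet
"""


def parse_transform_sets(config: str) -> Dict[str, Pair]:
    """Map each transform-set name to its (encryption, authentication) pair."""
    sets: Dict[str, Pair] = {}
    for line in config.splitlines():
        m = TRANSFORM_SET.match(line)
        if m:
            sets[m.group(1)] = (m.group(2), m.group(3))
    return sets


def parse_map_sets(config: str) -> Dict[Tuple[str, int], List[str]]:
    """Map each crypto map entry (name, sequence) to the set names it offers, in order."""
    entries: Dict[Tuple[str, int], List[str]] = {}
    for line in config.splitlines():
        m = MAP_SETS.match(line)
        if m:
            entries[(m.group(1), int(m.group(2)))] = m.group(3).split()
    return entries


def check_config(config: str) -> List[str]:
    """Findings for one peer: methods outside Table 73-1, undefined names, too many sets."""
    sets = parse_transform_sets(config)
    findings: List[str] = []
    for name, (enc, auth) in sets.items():
        if enc not in VALID_ENCRYPTION:
            findings.append(f"{name}: unknown encryption method {enc}")
        if auth not in VALID_AUTHENTICATION:
            findings.append(f"{name}: unknown authentication method {auth}")
    for (map_name, seq), names in parse_map_sets(config).items():
        if len(names) > MAX_SETS_PER_MAP_ENTRY:
            findings.append(f"{map_name} {seq}: {len(names)} transform sets exceeds {MAX_SETS_PER_MAP_ENTRY}")
        for n in names:
            if n not in sets:
                findings.append(f"{map_name} {seq}: transform set {n} is not defined")
    return findings


def offered_pairs(config: str, map_name: str, seq: int) -> List[Pair]:
    """Pairs a crypto map entry proposes, in the order its transform sets are listed."""
    sets = parse_transform_sets(config)
    return [sets[n] for n in parse_map_sets(config).get((map_name, seq), []) if n in sets]


def agreed_pair(initiator: List[Pair], responder: List[Pair]) -> Optional[Pair]:
    """First pair the initiator offers that the responder also has; None if no match.

    Names are local to each peer, so agreement is decided on the pair, not the name.
    """
    responder_set = set(responder)
    for pair in initiator:
        if pair in responder_set:
            return pair
    return None


if __name__ == "__main__":
    for label, cfg in (("A", PEER_A), ("B", PEER_B), ("C", PEER_C)):
        print(f"peer {label}: {check_config(cfg) or 'ok'}")
    print("A<->B agree on:", agreed_pair(offered_pairs(PEER_A, "outside_map", 1), offered_pairs(PEER_B, "outside_map", 1)))
    print("C<->B agree on:", agreed_pair(offered_pairs(PEER_C, "outside_map", 1), offered_pairs(PEER_B, "outside_map", 1)))
```

Peers A and B define FirstSet with different authentication methods, so that name alone would mislead an operator; the pair comparison still finds the one proposal they share (esp-aes with esp-sha-hmac). Peer C has no pair in common with B and references a set that was never created, which is the kind of mismatch that shows up only as a failed phase 2 negotiation on the box.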