68-5
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 68 Configuring IKE, Load Balancing, and NAC
Creating IKE Policies
Maximum Number of SAs Allowed—Limits the number of allowed IKEv2 connections on the
ASA. By default, the limit is the maximum number of connections specified by the license.
Modes
The following table shows the modes in which this feature is available:
Creating IKE Policies
Each IKE negotiation is divided into two sections called Phase 1 and Phase 2.
Phase 1 creates the first tunnel, which protects later IKE negotiation messages. Phase 2 creates the tunnel that protects data.
To set the terms of the IKE negotiations, you create one or more IKE policies, which include the following:
A unique priority (1 through 65,543, with 1 the highest priority).
An authentication method, to ensure the identity of the peers.
An encryption method, to protect the data and ensure privacy.
An HMAC method to ensure the identity of the sender, and to ensure that the message has not been modified in transit.
A Diffie-Hellman group to establish the strength of the encryption-key-determination algorithm. The ASA uses this algorithm to derive the encryption and hash keys.
A limit for how long the ASA uses an encryption key before replacing it.
For IKEv1, you can only enable one setting for each parameter. For IKEv2, each proposal can have multiple settings for Encryption, D-H Group, Integrity Hash, and PRF Hash.
If you do not configure any IKE policies, the ASA uses the default policy, which is always set to the
lowest priority, and which contains the default value for each parameter. If you do not specify a value
for a specific parameter, the default value takes effect.
When IKE negotiation begins, the peer that initiates the negotiation sends all of its policies to the remote
peer, and the remote peer searches for a match with its own policies, in priority order.
A match between IKE policies exists if they have the same encryption, hash, authentication, and
Diffie-Hellman values, and an SA lifetime less than or equal to the lifetime in the policy sent. If the
lifetimes are not identical, the shorter lifetime—from the remote peer policy—applies. If no match
exists, IKE refuses negotiation and the IKE SA is not established.
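The following Python model, added here as an example and not code from the guide or from the ASA, walks through the IKEv1 matching rules just described: the responder compares the initiator's policies against its own in priority order, a match requires identical encryption, hash, authentication and Diffie-Hellman values plus a lifetime no longer than the one in the policy sent, the shorter lifetime applies, and a default policy always sits at the lowest priority. The parameter values of the default policy, the policy contents and the priority ceiling of 65535 in the code are constructed for the example, not taken from the guide.

```python
"""Model of IKEv1 policy negotiation as described in the ASDM guide (constructed example)."""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class IkePolicy:
    """One IKEv1 policy: a priority plus the five negotiated parameters."""
    priority: int        # 1 is the highest priority
    authentication: str  # e.g. "pre-share" or "rsa-sig"
    encryption: str      # e.g. "aes-256"
    hash: str            # e.g. "sha"
    dh_group: int        # Diffie-Hellman group number
    lifetime: int        # SA lifetime in seconds


@dataclass(frozen=True)
class AgreedSa:
    """Result of a successful negotiation: which local policy matched and the agreed terms."""
    local_priority: int
    authentication: str
    encryption: str
    hash: str
    dh_group: int
    lifetime: int


# The guide states that a default policy always exists at the lowest priority.
# The parameter values below are constructed for this example, not taken from the guide.
DEFAULT_POLICY = IkePolicy(priority=65535, authentication="rsa-sig",
                           encryption="3des", hash="sha", dh_group=2, lifetime=86400)


def policies_match(local: IkePolicy, sent: IkePolicy) -> bool:
    """Match rule from the guide: same encryption, hash, authentication and
    DH group, and the responder's lifetime is <= the lifetime in the policy sent."""
    return (local.encryption == sent.encryption
            and local.hash == sent.hash
            and local.authentication == sent.authentication
            and local.dh_group == sent.dh_group
            and local.lifetime <= sent.lifetime)


def negotiate(local_policies: Iterable[IkePolicy],
              sent_policies: Iterable[IkePolicy]) -> Optional[AgreedSa]:
    """Responder side of the exchange: walk the local policies in priority order
    (the default policy sorts last), compare each against every policy the
    initiator sent, and return the first match. None means IKE refuses the
    negotiation and no IKE SA is established."""
    candidates: List[IkePolicy] = sorted(list(local_policies) + [DEFAULT_POLICY],
                                         key=lambda p: p.priority)
    offered: List[IkePolicy] = list(sent_policies)
    for local in candidates:
        for sent in offered:
            if policies_match(local, sent):
                return AgreedSa(
                    local_priority=local.priority,
                    authentication=local.authentication,
                    encryption=local.encryption,
                    hash=local.hash,
                    dh_group=local.dh_group,
                    # if the lifetimes are not identical, the shorter one applies
                    lifetime=min(local.lifetime, sent.lifetime),
                )
    return None


if __name__ == "__main__":
    # Constructed policies: the responder prefers AES-256/group 14 (priority 10);
    # the initiator lists AES-128/group 5 first but also offers AES-256/group 14.
    responder = [IkePolicy(10, "pre-share", "aes-256", "sha", 14, 28800),
                 IkePolicy(20, "pre-share", "aes", "sha", 5, 86400)]
    initiator = [IkePolicy(1, "pre-share", "aes", "sha", 5, 86400),
                 IkePolicy(2, "pre-share", "aes-256", "sha", 14, 86400)]
    print(negotiate(responder, initiator))   # responder's priority 10 wins, lifetime 28800
    print(negotiate(responder, [IkePolicy(1, "pre-share", "aes", "md5", 5, 86400)]))  # None
```

Because the responder's own priority order decides, the initiator listing a weaker policy first does not make the ASA pick it as long as a higher-priority local policy also matches something the initiator offered; and a policy set that leaves only the default policy reachable is easy to spot, because the returned local priority is the lowest one.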
Fields
IKEv1 Policies—Displays parameter settings for each configured IKE policy.
Priority #—Shows the priority of the policy.
Encryption—Shows the encryption method.
Firewall Mode          Security Context
Routed   Transparent   Single   Multiple
                                Context   System
——