Cisco Systems ASA 5510, ASA 5512-X, ASA 5515-X, ASA 5520, ASA 5525-X, ASA 5540, ASA 5545-X, ASA 5550, ASA 5555-X, ASA 5580, ASA 5585-X, ASA 5505 Creating IPsec Rule/Tunnel Policy (Crypto Map)

68-15

Cisco ASA 5500 Series Configuration Guide using ASDM

Chapter68 Configuring IKE, Load Balancing, and NAC

Configuring IPsec

•Enable Perfect Forwarding Secrecy—Check to enable perfect forward secrecy for the policy. PFS is

a cryptographic concept where each new key is unrelated to any previous key. In IPsec negotiations,

Phase 2 keys are based on Phase 1 keys unless you specify Perfect Forward Secrecy.

•Diffie-Hellman Group—When you enable PFS you must also choose a Diffie-Hellman group which

the ASA uses to generate session keys. The choices are as follows:

–

Group 1 (768-bits) = Use perfect forward secrecy, and use Diffie-Hellman Group 1 to generate

IPsec session keys, where the prime and generator numbers are 768 bits. This option is more

secure but requires more processing overhead.

–

Group 2 (1024-bits) = Use perfect forward secrecy, and use Diffie-Hellman Group 2 to generate

IPsec session keys, where the prime and generator numbers are 1024 bits. This option is more

secure than Group 1 but requires more processing overhead.

–

Group 5 (1536-bits) = Use perfect forward secrecy, and use Diffie-Hellman Group 5 to generate

IPsec session keys, where the prime and generator numbers are 1536 bits. This option is more

secure than Group 2 but requires more processing overhead.

Modes

The following table shows the modes in which this feature is available:

Creating IPsec Rule/Tunnel Policy (Crypto Map) - Advanced Tab

Fields

•Security Association Lifetime parameters—Configures the duration of a Security Association (SA).

This parameter specifies how to measure the lifetime of the IPsec SA keys, which is how long the

IPsec SA lasts until it expires and must be renegotiated with new keys.

–

Time—Specifies the SA lifetime in terms of hours (hh), minutes (mm) and seconds (ss).

–

Traffic Volume—Defines the SA lifetime in terms of kilobytes of traffic. Enter the number of

kilobytes of payload data after which the IPsec SA expires. Minimum is 100 KB, default is

10000 KB, maximum is 2147483647 KB.

•Enable NAT-T— Enables NAT Traversal (NAT-T) for this policy.

•Enable Reverse Route Injection—Enables Reverse Route Injection for this policy.

Reverse Route Injection (RRI) is used to populate the routing table of an internal router that runs

dynanmic routing protocols such as Open Shortest Path First (OSPF), or Enhanced Interior Gateway

Routing Protocol (EIGRP) , if you run ASA 8.0, or Routing Information Protocol (RIP) for remote

VPN Clients or LAN²LAN sessions.

•Static Type Only Settings—Specifies parameters for static tunnel policies.

–

CA Certificate—Choose the certificate to use. If you choose something other than None(Use

Preshared Keys), which is the default, the Enable entire chain transmission check box becomes

active.

–

Enable entire chain transmission—Enables transmission of the entire trust point chain.

Firewall Mode Security Context

Routed Transparent Single

Multiple

Context System

•—•——

Cisco Systems Creating IPsec Rule/Tunnel Policy (Crypto Map) - Advanced Tab

Models: ASA 5510 ASA 5512-X ASA 5515-X ASA 5520 ASA 5525-X ASA 5540 ASA 5545-X ASA 5550 ASA 5555-X ASA 5580 ASA 5585-X ASA 5505