Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 69 General VPN Setup
Mapping Certificates to IPsec or SSL VPN Connection Profiles
Manage—Opens the Manage Identity Certificates dialog box, on which you can see the
certificates that are already configured, add new certificates, show details for a certificate, and
edit or delete a certificate.
Remote Peer Pre-shared Key—Specify the value of the remote peer pre-shared key for the
tunnel group. The maximum length of the pre-shared key is 128 characters.
Remote Peer Certificate Authentication—Check Allowed to allow certificate authentication for
IKEv2 connections for this connection profile.
Manage—Opens the Manage CA Certificates dialog where you can view certificates and add
new ones.
IKE Policy—Specifies one or more encryption algorithms to use for the IKE proposal.
Manage—Opens the Configure IKEv1 Proposals dialog box.
IPsec Proposal—Specifies one or more encryption algorithms to use for the IPsec IKEv1
proposal.
Select—Opens the Select IPsec Proposals (Transform Sets) dialog box, where you can assign a
proposal to the connection profile for IKEv2 connections.
IKE Keepalive—Enables and configures IKE keepalive monitoring. You can select only one of the
following attributes.
Disable Keep Alives—Enables or disables IKE keep alives.
Monitor Keep Alives—Enables or disables IKE keep alive monitoring. Selecting this option
makes available the Confidence Interval and Retry Interval fields.
Confidence Interval—Specifies the IKE keep alive confidence interval. This is the number of
seconds the ASA should allow a peer to idle before beginning keepalive monitoring. The
minimum is 10 seconds; the maximum is 300 seconds. The default for a remote access group is
10 seconds.
Retry Interval—Specifies the number of seconds to wait between IKE keep alive retries. The default
is 2 seconds.
Head end will never initiate keepalive monitoring—Specifies that the central-site ASA never
initiates keepalive monitoring.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)
——
Crypto Map Entry
In this dialog box, specify crypto parameters for the Connection Profile.