User Guide for Cisco Security Manager 4.4 (OL-28826-01)
Chapter 25 Configuring IKE and IPsec Policies, page 25-19
Understanding IPsec Proposals
When two peers try to establish an SA, they must each have at least one compatible crypto map entry.
The transform set defined in the crypto map entry is used in the IPsec security negotiation to protect the
data flows specified by that crypto map’s IPsec rules.
Dynamic crypto map policies are used in site-to-site VPNs when an unknown remote peer tries to initiate
an IPsec security association with the local hub. The hub cannot be the initiator of the security
association negotiation. Dynamic crypto policies allow remote peers to exchange IPsec traffic with a
local hub even if the hub does not know the remote peer’s identity. You can create a dynamic crypto
policy on individual hubs or on a device group that contains hubs. The policy is written only to the hubs,
not to any spokes that might be contained in the group. A dynamic crypto map policy essentially creates
a crypto map entry without all the parameters configured. The missing parameters are later dynamically
configured (as the result of an IPsec negotiation) to match a remote peer’s requirements. The peer
addresses for dynamic or static crypto maps are deduced from the VPN topology.
Dynamic crypto map policies apply only in a hub-and-spoke VPN configuration—in a point-to-point or
full mesh VPN topology, you can apply only static crypto map policies.
Note (Site-to-site VPNs.) Except for Extranet VPNs, Security Manager can manage an existing VPN tunnel
only if the tunnel’s peers are managed by Security Manager. In such a case, Security Manager uses the
same crypto map name for the tunnel on the peers. On subsequent deployments, only Security Manager
tunnels are managed (Security Manager maintains a log of all tunnels that were configured).
Related Topics
Understanding IPsec Proposals, page 25-17
Understanding Transform Sets, page 25-19
Configuring IPsec Proposals in Site-to-Site VPNs, page 25-21
Understanding Transform Sets
A transform set is a combination of security protocols and algorithms that secure traffic in an IPsec
tunnel. During the IPsec security association (SA) negotiation, peers search for a transform set that is
the same at both peers. When such a transform set is found, it is applied to create an SA that protects
data flows in the access list for that crypto map, protecting the traffic in the VPN.
There are separate IPsec transform sets for IKEv1 and IKEv2. With IKEv1 transform sets, you set one
value for each parameter. With IKEv2 transform sets, you can configure multiple encryption and
integrity algorithms in a single proposal. ASA devices order the settings from the most secure to the
least secure and negotiate with the peer using that order. This allows you to send a single proposal
that conveys all the allowed combinations, instead of sending each allowed combination individually
as with IKEv1.
You can specify a number of transform sets per IPsec proposal policy. If you are defining the policy on
a spoke or a group of spokes, you do not usually have to specify more than one transform set. This is
because the spoke’s assigned hub would typically be a higher performance router capable of supporting
any transform set that the spoke supports. However, if you are defining the policy on a hub for dynamic
crypto, you should specify more than one transform set to ensure that there will be a transform set match
between the hub and the unknown spoke. If more than one of your selected transform sets is supported
by both peers, the transform set that provides the highest security is used.
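The matching described above (an IKEv2 proposal expanding into ordered combinations, a hub for dynamic crypto offering several transform sets so an unknown spoke finds a match, and the strongest common set winning) as a small added model; this is illustration code, not Security Manager's or the ASA's implementation, and the ENC_RANK/INT_RANK ordering is an assumed ranking, not the one the devices apply.

```python
"""Model of IPsec transform-set matching between two peers (added example).

The security ranking below is an assumption used only to order combinations
from most secure to least secure; real devices apply their own ordering.
"""
from itertools import product

# Constructed ranking (assumption): lower index = more secure. "aes" is AES-128.
ENC_RANK = ["aes-256", "aes-192", "aes", "3des", "des"]
INT_RANK = ["sha-256", "sha-1", "md5"]


def strength(combo):
    """Sort key: the most secure (encryption, integrity) pair sorts first."""
    enc, integ = combo
    return (ENC_RANK.index(enc), INT_RANK.index(integ))


def ikev1_transform_set(enc, integ):
    """IKEv1: one value per parameter, so one transform set is one combination."""
    return [(enc, integ)]


def ikev2_proposal(encs, integs):
    """IKEv2: several algorithms per proposal; the device expands them into
    every allowed combination, ordered most secure first."""
    return sorted(product(encs, integs), key=strength)


def negotiate(local, peer):
    """Return the strongest combination both peers support, or None if none match."""
    common = set(local) & set(peer)
    return min(common, key=strength) if common else None


if __name__ == "__main__":
    # Unknown spoke (dynamic crypto): supports only AES-128 with SHA-1.
    spoke = ikev1_transform_set("aes", "sha-1")
    # A hub offering a single transform set may not match it...
    hub_one = ikev1_transform_set("aes-256", "sha-256")
    print(negotiate(hub_one, spoke))                   # None
    # ...so a hub configured for dynamic crypto offers several.
    hub_many = (ikev1_transform_set("aes-256", "sha-256")
                + ikev1_transform_set("aes", "sha-1")
                + ikev1_transform_set("3des", "sha-1"))
    print(negotiate(hub_many, spoke))                  # ('aes', 'sha-1')
    # IKEv2: one proposal conveys all combinations; the strongest common one wins.
    hub_v2 = ikev2_proposal(["aes-256", "aes"], ["sha-256", "sha-1"])
    spoke_v2 = ikev2_proposal(["aes-256", "aes"], ["sha-1"])
    print(len(hub_v2), negotiate(hub_v2, spoke_v2))    # 4 ('aes-256', 'sha-1')
```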
Security Manager provides predefined transform sets that you can use in your tunnel policies. You can
also create your own transform sets. For more information, see Configuring IPSec IKEv1 or IKEv2
Transform Set Policy Objects, page 25-25.