25-29
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter25 Configuring IKE and IPsec Policies
Configuring VPN Global Settings
Configuring VPN Global Settings
You can define global settings that apply to all devices in your remote access or site-to-site VPN
topology. These settings include Internet Key Exchange (IKE), IKEv2, IPsec, NAT, and fragmentation
definitions. The global settings typically have defaults that work in most situations, so configuring the
Global Settings policy is optional in most cases; configure it only if you need non-default behavior or if
you are supporting IKEv2 negotiations in a remote access IPsec VPN.
Note The VPN Global Settings policy for site-to-site VPNs applies to all technologies except GET VPN. For
an explanation of global settings for GET VPN, see Configuring Global Settings for GET VPN,
page 28-16.
Step 1 Do one of the following to open the global settings policy based on the type of VPN you are configuring:
For remote access VPNs, do one of the following:
ESP Hash Algorithm
(IKEv1)
ESP Integration Algorithm
(IKEv2)
AH Hash Algorithm (IKEv1
only)
The hash or integrity algorithm to use in the transform set for
authentication. For IKEv1, the default is to use SHA for ESP
authentication and to not use AH authentication. For IKEv2, there is no
default. The AH hash algorithm is used on routers only.
For IKEv1, select one of the following options. For IKEv2, click Select
to open a dialog box where you can select all of the options you want
to support.
None—Does not perform ESP or AH authentication.
SHA, SHA-1 (Secure Hash Algorithm version 1)—Produces a
160-bit digest. SHA is more resistant to brute-force attacks than
MD5, but requires more processing time.
The following options, which are even more secure, are available
for IKEv2 configurations on ASA 8.4(2+) devices:
SHA512—A 512-bit key.
SHA384—A 384-bit key.
SHA256—A 256-bit key.
MD5 (Message Digest 5)—Produces a 128-bit digest. MD5 uses
less processing time than SHA, but is less secure.
Null—No encryption algorithm. For use with AES-GCM,
AES-GCM-192, AES-GCM-256, AES-GMAC, AES-GMAC-192,
and AES-GMAC-256 only.
Compression
(IKEv1 only, IOS devices
only.)
Whether to compress the data in the IPSec tunnel using the
Lempel-Ziv-Stac (LZS) algorithm.
Category The category assigned to the object. Categories help you organize and
identify rules and objects. See Using Category Objects, page 6-12.
Table25-4 IPSec IKEv1 or IKEv2 Transform Set Dialog Box (Continued)
Element Description