25-34
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 25 Configuring IKE and IPsec Policies
Configuring VPN Global Settings
Configuring VPN Global IKEv2 Settings
Use the IKEv2 Settings tab of the VPN Global Settings page to specify global settings for Internet Key
Exchange (IKE) version 2. These settings apply to ASA 8.4(x) devices only.
Internet Key Exchange (IKE), also called Internet Security Association and Key Management Protocol
(ISAKMP), is the negotiation protocol that lets two hosts agree on how to build an IPsec security
association (SA).
Preventing DoS Attacks by Limiting IKEv2 Open SAs
You can prevent denial-of-service (DoS) attacks for IPsec IKEv2 connections by always cookie
challenging incoming security associations (SAs) or by limiting the number of open SAs and cookie
challenging any additional connections. By default, the ASA does not limit the number of open SAs and
never cookie challenges SAs.
You can also limit the number of SAs allowed, which stops further connections from negotiating to
protect against memory or CPU attacks that the cookie-challenge feature may be unable to thwart.
Limiting the maximum number of SAs can protect the current connections.
With a DoS attack, an attacker initiates the attack when the peer device sends an SA initiate packet and
the ASA sends its response, but the peer device does not respond further. If the peer device does this
continually, all the allowed SA requests on the ASA can be used up until it stops responding.
Enabling a threshold percentage for cookie challenges limits the number of open SA negotiations. For
example, with the default setting of 50%, when 50% of the allowed SAs are in-negotiation (open), the
ASA cookie challenges any additional SA initiate packets that arrive. For the Cisco ASA 5580 with
10,000 allowed IKEv2 SAs, after 5000 SAs become open, any more incoming SAs are
cookie-challenged.
Enable SPI Recovery
(Site-to-site VPNs only.)
Supported on routers running IOS version 12.3(2)T and later, in
addition to Catalyst 6500/7600 devices running version 12.2(18)SXE
and later.
When selected, enables the SPI recovery feature to configure your
device so that if an invalid SPI (Security Parameter Index) occurs, an
IKE SA will be initiated.
SPI is a number which, together with a destination IP address and
security protocol, uniquely identifies a particular security association.
When using IKE to establish security associations, the SPI for each
security association is a pseudo-randomly derived number. Without
IKE, the SPI is manually specified for each security association. When
an invalid SPI occurs during IPsec packet processing, the SPI recovery
feature enables an IKE SA to be established.
ESPv3 Settings
Enable PMTU (Path
Maximum Transmission
Unit) Aging
Supported for IKEv2 on ASA devices versions 9.0.1+.
Whether to enable Path Maximum Transmission Unit aging.
If you select this option, configure the interval, in minutes, at which the
PMTU value is reset to its original value. The value can be from 10 to
30 minutes. The default is 10 minutes.
Table25-5 VPN Global Settings Page, ISAKMP/IPsec Settings Tab (Continued)
Element Description