VPN
Configuring a Site-to-Site VPN
Cisco ISA500 Series Integrated Security Appliances Administration Guide 350
NOTE: Ensure that the authentication algorithm is configured identically on
both sides.
Authentication: Specify the authentication method that the security
appliance uses to establish the identity of each IPsec peer.
- Pre-shared Key: Uses a simple, password-based key to authenticate.
The alphanumeric key is shared with the IKE peer. Pre-shared keys do
not scale well with a growing network but are easier to set up in a small
network.
- RSA_SIG: Uses a digital certificate to authenticate. RSA_SIG authenticates
with a digital certificate whose key pair was generated for the RSA signature
algorithm. In this case, a certificate must be configured in order for the
RSA signature authentication to work.
D-H Group: Choose the Diffie-Hellman group identifier, which the two IPsec
peers use to derive a shared secret without transmitting it to each other. The
D-H Group sets the strength of the algorithm in bits. The lower the
Diffie-Hellman group number, the less CPU time it requires to be executed.
The higher the Diffie-Hellman group number, the greater the security.
- Group 2 (1024-bit)
- Group 5 (1536-bit)
- Group 14 (2048-bit)
Lifetime: Enter the number of seconds for the IKE Security Association (SA)
to remain valid. As a general rule, a shorter lifetime provides more secure
ISAKMP (Internet Security Association and Key Management Protocol)
negotiations (up to a point). However, with shorter lifetimes, the security
appliance sets up future IPsec SAs more quickly. The default value is 24
hours.
STEP 4 Click OK to save your settings.
STEP 5 Click Save to apply your settings.
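The NOTE above requires the authentication settings to be identical on both peers, and the D-H group and lifetime fields each have a choice that affects security. The following added example (not part of the ISA500 guide or its firmware) models the Phase 1 settings of both sites and reports mismatches and weak choices before the tunnel is brought up; the IkePolicy class, the check functions and the sample values are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional, List

# Diffie-Hellman groups selectable on this page and their modulus sizes.
DH_GROUP_BITS = {2: 1024, 5: 1536, 14: 2048}
DEFAULT_LIFETIME = 24 * 3600          # 24 hours, the default IKE SA lifetime
AUTH_METHODS = ("Pre-shared Key", "RSA_SIG")

@dataclass
class IkePolicy:
    """Phase 1 settings one peer is configured with (constructed model)."""
    auth: str
    dh_group: int
    lifetime: int = DEFAULT_LIFETIME
    psk: Optional[str] = None          # required when auth == "Pre-shared Key"
    certificate: Optional[str] = None  # required when auth == "RSA_SIG"

def check_policy(name: str, p: IkePolicy) -> List[str]:
    """Sanity-check a single peer's policy; returns human-readable findings."""
    out = []
    if p.auth not in AUTH_METHODS:
        out.append(f"{name}: unknown authentication method {p.auth!r}")
    if p.auth == "Pre-shared Key" and not p.psk:
        out.append(f"{name}: Pre-shared Key selected but no key configured")
    if p.auth == "RSA_SIG" and not p.certificate:
        out.append(f"{name}: RSA_SIG selected but no certificate configured")
    bits = DH_GROUP_BITS.get(p.dh_group)
    if bits is None:
        out.append(f"{name}: unsupported D-H group {p.dh_group}")
    elif bits < 2048:
        out.append(f"{name}: D-H group {p.dh_group} ({bits}-bit) is weak; prefer group 14")
    if p.lifetime <= 0:
        out.append(f"{name}: IKE SA lifetime must be a positive number of seconds")
    return out

def check_peers(local: IkePolicy, remote: IkePolicy) -> List[str]:
    """Per-peer checks plus the cross-peer consistency the NOTE requires."""
    out = check_policy("local", local) + check_policy("remote", remote)
    if local.auth != remote.auth:
        out.append(f"mismatch: authentication {local.auth!r} vs {remote.auth!r}")
    if local.dh_group != remote.dh_group:
        out.append(f"mismatch: D-H group {local.dh_group} vs {remote.dh_group}")
    if local.psk is not None and remote.psk is not None and local.psk != remote.psk:
        out.append("mismatch: pre-shared keys differ")
    if local.lifetime != remote.lifetime:
        out.append(f"mismatch: IKE SA lifetime {local.lifetime}s vs {remote.lifetime}s")
    return out

if __name__ == "__main__":
    site_a = IkePolicy("Pre-shared Key", 14, psk="constructed-example-key")
    site_b = IkePolicy("Pre-shared Key", 2, psk="constructed-example-key")
    for finding in check_peers(site_a, site_b):
        print(finding)
```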