1-32
Cisco ASA Series CLI Configuration Guide
Chapter 1 Configuring IPsec and ISAKMP
Configuring IPsec
The peers negotiate a new SA before crossing the lifetime threshold of the existing SA to ensure that a
new SA is ready when the existing one expires. The peers negotiate a new SA when about 5 to 15 percent
of the lifetime of the existing SA remains.
Creating a Basic IPsec Configuration
You can create basic IPsec configurations with static or dynamic crypto maps.
To create a basic IPsec configuration using a static crypto map, perform the following steps:
Step 1 To create an access list to define the traffic to protect, enter the following command:
access-list access-list-name {deny | permit} ip source source-netmask destination
destination-netmask
For example:
hostname(config)# access-list 101 permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0
The access-list-name specifies the access list ID, as a string or integer up to 241 characters in length.
The destination-netmask and source-netmask specifies an IPv4 network address and subnet mask. In this
example, the permit keyword causes all traffic that matches the specified conditions to be protected by
crypto.
Step 2 To configure an IKEv1 transform set that defines how to protect the traffic, enter the following
command:
crypto ipsec ikev1 transform-set transform-set-name encryption [authentication]
Encryption specifies which encryption method protects IPsec data flows:
• esp-aes—Uses AES with a 128-bit key.
• esp-aes-192—Uses AES with a 192-bit key.
• esp-aes-256—Uses AES with a 256-bit key.\
• esp-des—Uses 56-bit DES-CBC.
• esp-3des—Uses triple DES algorithm.
• esp-null—No encryption.
Authentication specifies which encryption method to protect IPsec data flows:
• esp-md5-hmac—Uses the MD5/HMAC-128 as the hash algorithm.
• esp-sha-hmac—Uses the SHA/HMAC-160 as the hash algorithm.
• esp-none—No HMAC authentication.
For example:
hostname(config)# crypto ipsec ikev1 transform-set myset1 esp-des esp-sha-hmac
hostname(config)# crypto ipsec ikev1 transform-set myset2 esp-3des esp-sha-hmac
hostname(config)# crypto ipsec ikev1 transform-set aes_set esp-md5-hmac esp-aes-256
In this example, myset1 and myset2 and aes_set are the names of the transform sets.
To configure an IKEv2 proposal that also defines how to protect the traffic, enter the crypto ipsec ikev2
ipsec-proposal command to create the proposal and enter the ipsec proposal configuration mode where
you can specify multiple encryption and integrity types for the proposal:
crypto ipsec ikev2 ipsec-proposal [proposal tag]
To Next Page
Loading...
Need help?
General
