1-7
Cisco ASA Series CLI Configuration Guide
Chapter 1 Configuring LAN-to-LAN IPsec VPNs
Creating an IKEv2 Proposal
Step 2 Save your changes.
hostname(config)# write memory
hostname(config)#
Creating an IKEv2 Proposal
For IKEv2, you can configure multiple encryption and authentication types, and multiple integrity
algorithms for a single policy. The ASA orders the settings from the most secure to the least secure and
negotiates with the peer using that order. This allows you to potentially send a single proposal to convey
all the allowed transforms instead of the need to send each allowed combination as with IKEv1.
Table 1-1 lists valid IKEv2 encryption and authentication methods.
To configure an IKEv2 proposal, perform the following tasks in either single or multiple context mode:
Step 1 In global configuration mode, use the crypto ipsec ikev2 ipsec-proposal command to enter ipsec
proposal configuration mode where you can specify multiple encryption and integrity types for the
proposal. In this example, secure is the name of the proposal:
hostname(config)# crypto ipsec ikev2 ipsec-proposal secure
hostname(config-ipsec-proposal)#
Step 2 Then enter a protocol and encryption types. ESP is the only supported protocol. For example:
hostname(config-ipsec-proposal)# protocol esp encryption 3des aes des
hostname(config-ipsec-proposal)#
Step 3 Enter an integrity type. For example:
hostname(config-ipsec-proposal)# protocol esp integrity sha-1
hostname(config-ipsec-proposal)#
Step 4 Save your changes.
Configuring an ACL
The ASA uses access control lists to control network access. By default, the adaptive security appliance
denies all traffic. You need to configure an ACL that permits traffic.
Table 1-2 Valid IKEv2 Encryption and Integrity Methods
Valid Encryption Methods Valid Integrity Methods
des sha (default)
3des (default) md5
aes
aes-192
aes-256
To Next Page
Loading...
Need help?
General