1-65
Cisco ASA Series CLI Configuration Guide
Chapter 1 Configuring Connection Profiles, Group Policies, and Users
Group Policies
Step 3 Specify whether to require that users reauthenticate on IKE re-key by using the re-xauth command with
the enable keyword in group-policy configuration mode.
Note IKE re-key is not supported for IKEv2 connections.
If you enable reauthentication on IKE re-key, the ASA prompts the user to enter a username and
password during initial Phase 1 IKE negotiation and also prompts for user authentication whenever an
IKE re-key occurs. Reauthentication provides additional security.
If the configured re-key interval is very short, users might find the repeated authorization requests
inconvenient. To avoid repeated authorization requests, disable reauthentication. To check the
configured re-key interval, in monitoring mode, enter the show crypto ipsec sa command to view the
security association lifetime in seconds and lifetime in kilobytes of data. To disable user reauthentication
on IKE re-key, enter the disable keyword. Reauthentication on IKE re-key is disabled by default.
hostname(config-group-policy)# re-xauth {enable | disable}
hostname(config-group-policy)#
To enable inheritance of a value for reauthentication on IKE re-key from another group policy, remove
the re-xauth attribute from the running configuration by entering the no form of this command:
hostname(config-group-policy)# no re-xauth
hostname(config-group-policy)#
Note Reauthentication fails if there is no user at the other end of the connection.
Step 4 Specify whether to enable perfect forward secrecy. In IPsec negotiations, perfect forward secrecy
ensures that each new cryptographic key is unrelated to any previous key. A group policy can inherit a
value for perfect forward secrecy from another group policy. Perfect forward secrecy is disabled by
default. To enable perfect forward secrecy, use the pfs command with the enable keyword in
group-policy configuration mode.
hostname(config-group-policy)# pfs {enable | disable}
hostname(config-group-policy)#
To disable perfect forward secrecy, enter the pfs command with the disable keyword.
To remove the perfect forward secrecy attribute from the running configuration and prevent inheriting a
value, enter the no form of this command.
hostname(config-group-policy)# no pfs
hostname(config-group-policy)#
Configuring IPsec-UDP Attributes for IKEv1 Clients
IPsec over UDP, sometimes called IPsec through NAT, lets a Cisco VPN client or hardware client
connect via UDP to a ASA that is running NAT. It is disabled by default. IPsec over UDP is proprietary;
it applies only to remote-access connections, and it requires mode configuration. The ASA exchanges
configuration parameters with the client while negotiating SAs. Using IPsec over UDP may slightly
degrade system performance.
To enable IPsec over UDP, configure the ipsec-udp command with the enable keyword in group-policy
configuration mode, as follows:
To Next Page
Loading...
Need help?
General
