Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 64 Configuring IPsec and ISAKMP
Using the Tunnel-group-map default-group Command
This command specifies the tunnel group that the ASA uses when no certificate-map rule in the configuration matches the connecting peer's certificate, so that a peer whose certificate matches no rule is assigned a tunnel group you chose rather than an implicit one.
The syntax is tunnel-group-map [rule-index] default-group tunnel-group-name, where rule-index is the priority of the rule and tunnel-group-name must name a tunnel group that already exists.
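The following configuration is an added example, not taken from the guide, of how the default-group command fits beside certificate-map rules. The names ENG-USERS, NO-ACCESS and CERT-MAP, and the OU value, are hypothetical. The default group deliberately points at a group whose policy permits no logins, so a certificate that matches no rule gets nothing rather than the permissive defaults of a catch-all group.

```cisco
! Added example (not from the guide). Names and the OU value are hypothetical.

! Tunnel group for users whose certificate subject carries OU=Engineering
tunnel-group ENG-USERS type remote-access

! Catch-all group: a group policy that allows zero simultaneous logins,
! so an unmapped certificate is rejected instead of inheriting a default policy
group-policy NO-ACCESS internal
group-policy NO-ACCESS attributes
 vpn-simultaneous-logins 0
tunnel-group NO-ACCESS type remote-access
tunnel-group NO-ACCESS general-attributes
 default-group-policy NO-ACCESS

! Certificate map CERT-MAP, rule 10: match on the subject OU attribute
crypto ca certificate map CERT-MAP 10
 subject-name attr ou eq Engineering

! Rule 10 of CERT-MAP sends matching peers to ENG-USERS ...
tunnel-group-map CERT-MAP 10 ENG-USERS
! ... and any certificate that matches no rule lands in NO-ACCESS
tunnel-group-map default-group NO-ACCESS
! Select tunnel groups by the certificate-map rules above
tunnel-group-map enable rules
```

Both tunnel groups exist before the tunnel-group-map lines reference them, which is the ordering the command requires. To confirm the mapping after the change, check the output of show running-config tunnel-group-map and, for a live session, show vpn-sessiondb detail, which reports the tunnel group the peer was placed in.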
Configuring IPsec
This section provides background information about IPsec and describes the procedures required to
configure the ASA when using IPsec to implement a VPN. It contains the following topics:
Understanding IPsec Tunnels, page 64-19
Understanding IKEv1 Transform Sets and IKEv2 Proposals, page 64-19
Defining Crypto Maps, page 64-20
Applying Crypto Maps to Interfaces, page 64-26
Using Interface Access Lists, page 64-26
Changing IPsec SA Lifetimes, page 64-29
Creating a Basic IPsec Configuration, page 64-29
Using Dynamic Crypto Maps, page 64-31
Providing Site-to-Site Redundancy, page 64-34
Viewing an IPsec Configuration, page 64-34
Understanding IPsec Tunnels
IPsec tunnels are sets of SAs that the ASA establishes between peers. The SAs specify the protocols and
algorithms to apply to sensitive data and also specify the keying material that the peers use. IPsec SAs
control the actual transmission of user traffic. SAs are unidirectional, but are generally established in
pairs (inbound and outbound).
The peers negotiate the settings to use for each SA. On the ASA, the following configuration elements determine those settings:
IKEv1 transform sets or IKEv2 proposals
Crypto maps
Access lists
Tunnel groups
Prefragmentation policies
Understanding IKEv1 Transform Sets and IKEv2 Proposals
An IKEv1 transform set or an IKEv2 proposal is a combination of security protocols and algorithms that
defines how the ASA protects data. During IPsec SA negotiation, the peers must agree on a transform set
or proposal that is configured identically at both ends; if no match exists, the IPsec SA is not created and
the tunnel does not come up. The ASA then applies the matching transform set or proposal to create an SA
that protects the data flows selected by the access list of that crypto map.
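The following two-sided configuration is an added example, not code from the guide, showing a matching IKEv1 transform set and IKEv2 proposal on a pair of ASAs and how the crypto map ties them to the access list that selects the protected flows. The addresses (192.0.2.1, 203.0.113.1, 10.1.0.0/16, 10.2.0.0/16), all object names and the pre-shared-key placeholder are hypothetical, and keyword availability (for example sha-256 and Diffie-Hellman group 14) depends on the ASA release in use. The one deliberately weak line is commented out to show what a matching but insecure pair would look like.

```cisco
! Added example (not from the guide). Addresses, names and the shared secret are hypothetical.

! ================= ASA-A (outside 192.0.2.1, inside 10.1.0.0/16) =================
! Phase 1 (IKE SA) policies; both peers need a matching policy as well
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400

! Phase 2 (IPsec SA) protection. The commented line is a weak pair that still
! "matches" if both peers carry it: DES and MD5 are obsolete, so never offer them.
! crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256

! Access list that defines the flows the crypto map protects
access-list VPN-A-TO-B extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0

! Crypto map entry 10: flows, peer, and the transform set / proposal to offer
crypto map OUTSIDE-MAP 10 match address VPN-A-TO-B
crypto map OUTSIDE-MAP 10 set peer 203.0.113.1
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE-MAP interface outside
crypto ikev1 enable outside
crypto ikev2 enable outside

! Site-to-site tunnel group keyed by the peer address
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev1 pre-shared-key ReplaceWithStrongSharedSecret
 ikev2 remote-authentication pre-shared-key ReplaceWithStrongSharedSecret
 ikev2 local-authentication pre-shared-key ReplaceWithStrongSharedSecret

! ================= ASA-B (outside 203.0.113.1, inside 10.2.0.0/16) =================
! Names may differ from the peer; only the algorithms have to match.
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ipsec ikev1 transform-set TS-AES256 esp-aes-256 esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal P-AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
! Mirror image of the peer's access list: source and destination swapped
access-list VPN-B-TO-A extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
crypto map OUTSIDE-MAP 10 match address VPN-B-TO-A
crypto map OUTSIDE-MAP 10 set peer 192.0.2.1
crypto map OUTSIDE-MAP 10 set ikev1 transform-set TS-AES256
crypto map OUTSIDE-MAP 10 set ikev2 ipsec-proposal P-AES256
crypto map OUTSIDE-MAP interface outside
crypto ikev1 enable outside
crypto ikev2 enable outside
tunnel-group 192.0.2.1 type ipsec-l2l
tunnel-group 192.0.2.1 ipsec-attributes
 ikev1 pre-shared-key ReplaceWithStrongSharedSecret
 ikev2 remote-authentication pre-shared-key ReplaceWithStrongSharedSecret
 ikev2 local-authentication pre-shared-key ReplaceWithStrongSharedSecret
```

If the algorithms on the two sides differ, IKEv2 answers the proposal with NO_PROPOSAL_CHOSEN and no IPsec SA appears; show crypto ipsec sa and show crypto ikev2 sa (or show crypto ikev1 sa) are the first places to confirm that the expected transform set or proposal was selected. NAT exemption for the two protected networks is outside this example and must be added separately.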