Cisco Systems ASA 5510 Network Router User Manual


  Open as PDF
of 2086
 
68-8
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 68 Configuring IKE, Load Balancing, and NAC
Creating IKE Policies
Add/Edit IKEv2 Policy (Proposal)
Fields
Priority #—Type a number to set a priority for the IKEv2 policy. The range is 1 to 65535, with 1 the
highest priority.
Encryption—Choose an encryption method. This is a symmetric encryption method that protects data
transmitted between two IPsec peers.The choices follow:
D-H Group—Choose the Diffie-Hellman group identifier, which the two IPsec peers use to derive a
shared secret without transmitting it to each other.
Integrity Hash—Choose the hash algorithm that ensures data integrity for the ESP protocol. It ensures
that a packet comes from whom you think it comes from, and that it has not been modified in transit.
Pseudo-Random Function (PRF)—Specify the PRF used for the construction of keying material for all
of the cryptographic algorithms used in the SA..
des Specifies 56-bit DES-CBC encryption for ESP.
3des (Default) Specifies the triple DES encryption algorithm for ESP.
aes Specifies AES with a 128-bit key encryption for ESP.
aes-192 Specifies AES with a 192-bit key encryption for ESP.
aes-256 Specifies AES with a 256-bit key encryption for ESP.
1 Group 1 (768-bit) The default, Group 2 (1024-bit Diffie-Hellman) requires less
CPU time to execute but is less secure than Group 2 or 5.
2 Group 2 (1024-bit)
5 Group 5 (1536-bit)
sha SHA 1 The default is SHA 1. MD5 has a smaller digest and is considered to
be slightly faster than SHA 1. A successful (but extremely difficult)
attack against MD5 has occurred; however, the HMAC variant IKE
uses prevents this attack.
md5 MD5
sha256 SHA 2, 256-bit
digest
Specifies the Secure Hash Algorithm SHA 2 with the 256-bit digest.
sha384 SHA 2, 384-bit
digest
Specifies the Secure Hash Algorithm SHA 2 with the 384-bit digest.
sha512 SHA 2, 512-bit
digest
Specifies the Secure Hash Algorithm SHA 2 with the 512-bit digest.
sha SHA-1 The default is SHA-1. MD5 has a smaller digest and is considered to
be slightly faster than SHA-1. A successful (but extremely difficult)
attack against MD5 has occurred; however, the HMAC variant IKE
uses prevents this attack.
md5 MD5
sha256 SHA 2, 256-bit
digest
Specifies the Secure Hash Algorithm SHA 2 with the 256-bit digest.