Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 69 General VPN Setup
Mapping Certificates to IPsec or SSL VPN Connection Profiles
– Time—Specifies the SA lifetime in terms of hours (hh), minutes (mm) and seconds (ss).
– Traffic Volume—Defines the SA lifetime in terms of kilobytes of traffic. Enter the number of
kilobytes of payload data after which the IPsec SA expires. Minimum is 100 KB, default is
10000 KB, maximum is 2147483647 KB.
• Static Crypto Map Entry Parameters—Configure these additional parameters when the Peer IP
Address is specified as Static:
– Connection Type—Specify the allowed negotiation as bidirectional, answer-only, or
originate-only.
– Send ID Cert. Chain—Enables transmission of the entire certificate chain.
– IKE Negotiation Mode—Sets the mode for exchanging key information for setting up the SAs,
Main or Aggressive. It also sets the mode that the initiator of the negotiation uses; the responder
auto-negotiates. Aggressive Mode is faster, using fewer packets and fewer exchanges, but it
does not protect the identity of the communicating parties. Main Mode is slower, using more
packets and more exchanges, but it protects the identities of the communicating parties. This
mode is more secure and it is the default selection. If you select Aggressive, the Diffie-Hellman
Group list becomes active.
– Diffie-Hellman Group—An identifier which the two IPsec peers use to derive a shared secret
without transmitting it to each other. The choices are Group 1 (768-bits), Group 2 (1024-bits),
and Group 5 (1536-bits).
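The crypto map parameters above can be checked offline once the entries exist in a saved configuration. The following Python script is an added example, not code from Cisco or from this guide: it parses ASA-style crypto map lines and applies the checks this section documents (Aggressive Mode sends peer identities unprotected, the Diffie-Hellman group is only active in Aggressive Mode, and the traffic-volume lifetime must fall within 100 KB to 2147483647 KB). The command syntax in the sample, the `parse_crypto_map` and `audit` function names, and the sample entries themselves are constructed assumptions, not copied from a device.

```python
"""Audit ASA-style crypto map entries against the parameters documented above."""
import re
from typing import Dict, List, Tuple

# Bounds and group sizes as stated in the ASDM field descriptions.
KB_MIN, KB_DEFAULT, KB_MAX = 100, 10_000, 2_147_483_647
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536}

# Constructed sample configuration (assumed ASA-like syntax; not from a real device).
SAMPLE_CONFIG = """
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set connection-type answer-only
crypto map outside_map 10 set phase1-mode aggressive group 2
crypto map outside_map 10 set security-association lifetime seconds 28800
crypto map outside_map 10 set security-association lifetime kilobytes 50
crypto map outside_map 20 set peer 198.51.100.7
crypto map outside_map 20 set phase1-mode main
crypto map outside_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map 20 set trustpoint partner-ca chain
"""

_LINE = re.compile(r"^crypto map (\S+) (\d+) set (.+)$")


def parse_crypto_map(text: str) -> Dict[Tuple[str, int], dict]:
    """Group 'crypto map <name> <seq> set ...' lines into one dict per entry."""
    entries: Dict[Tuple[str, int], dict] = {}
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue  # not a crypto map 'set' line; ignore
        key = (m.group(1), int(m.group(2)))
        entry = entries.setdefault(key, {})
        words = m.group(3).split()
        if words[0] == "peer":
            entry["peer"] = words[1]
        elif words[0] == "connection-type":
            entry["connection_type"] = words[1]  # bidirectional / answer-only / originate-only
        elif words[0] == "phase1-mode":
            entry["phase1_mode"] = words[1]  # main or aggressive
            if len(words) >= 4 and words[2] == "group":
                entry["dh_group"] = int(words[3])
        elif words[:2] == ["security-association", "lifetime"]:
            entry["lifetime_" + words[2]] = int(words[3])  # seconds or kilobytes
        elif words[0] == "trustpoint":
            entry["trustpoint"] = words[1]
            entry["send_chain"] = "chain" in words[2:]  # Send ID Cert. Chain
    return entries


def audit(entries: Dict[Tuple[str, int], dict]) -> List[dict]:
    """Return one finding per deviation from the documented, safer settings."""
    findings: List[dict] = []
    for (name, seq), entry in sorted(entries.items()):
        ident = f"{name} {seq}"
        if entry.get("phase1_mode") == "aggressive":
            findings.append({
                "entry": ident, "check": "aggressive-mode",
                "detail": "Aggressive Mode does not protect peer identities; "
                          "Main Mode (the default) does",
            })
            # The DH group list is only active when Aggressive is selected.
            group = entry.get("dh_group")
            if group is not None and DH_GROUP_BITS.get(group, 0) < DH_GROUP_BITS[5]:
                findings.append({
                    "entry": ident, "check": "small-dh-group",
                    "detail": f"Diffie-Hellman group {group} "
                              f"({DH_GROUP_BITS.get(group, 'unknown')}-bit) is smaller "
                              f"than group 5 ({DH_GROUP_BITS[5]}-bit)",
                })
        kilobytes = entry.get("lifetime_kilobytes")
        if kilobytes is not None and not KB_MIN <= kilobytes <= KB_MAX:
            findings.append({
                "entry": ident, "check": "lifetime-kb-out-of-range",
                "detail": f"traffic-volume lifetime {kilobytes} KB is outside "
                          f"{KB_MIN}..{KB_MAX} KB (default {KB_DEFAULT} KB)",
            })
    return findings


if __name__ == "__main__":
    for finding in audit(parse_crypto_map(SAMPLE_CONFIG)):
        print(f"{finding['entry']}: {finding['check']}: {finding['detail']}")
```

Running the script prints three findings for entry `outside_map 10` (Aggressive Mode, the 1024-bit group, and a 50 KB lifetime below the documented minimum) and none for entry 20, whose Main Mode and in-range lifetime match the defaults the dialog describes.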
Managing CA Certificates
Clicking Manage under IKE Peer Authentication opens the Manage CA Certificates dialog box. Use this
dialog box to view, add, edit, and delete entries on the list of CA certificates available for IKE peer
authentication.
The Manage CA Certificates dialog box lists information about currently configured certificates,
including information about whom the certificate was issued to, who issued the certificate, when the
certificate expires, and usage data.
Fields
• Add or Edit—Opens the Install Certificate dialog box or the Edit Certificate dialog box, which let
you specify information about and install a certificate.
• Show Details—Displays detailed information about a certificate that you select in the table.
• Delete—Removes the selected certificate from the table. There is no confirmation or undo.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode            Security Context
Routed   Transparent     Single   Multiple Context   System
•        —               •        —                  —