Cisco Systems ASA 5580 Network Router User Manual


68-4
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 68 Configuring IKE, Load Balancing, and NAC
Setting IKE Parameters
If used in conjunction with the Number of SAs in Negotiation, or the Maximum Number of SAs Allowed,
configure the cookie-challenge threshold lower than these settings for an effective cross-check.
Fields
Enable IKE—Shows IKE status for all configured interfaces.
Interface—Displays names of all configured ASA interfaces.
IKE Enabled—Shows whether IKE is enabled for each configured interface.
Enable/Disable—Click to enable or disable IKE for the highlighted interface.
NAT Transparency—Lets you enable or disable IPsec over NAT-T and IPsec over TCP.
Enable IPsec over NAT-T—Choose to enable IPsec over NAT-T.
NAT Keepalive—Type the number of seconds that can elapse with no traffic before the ASA terminates the NAT-T session. The default is 20 seconds. The range is 10 to 3600 seconds (one hour).
Enable IPsec over TCP—Choose to enable IPsec over TCP.
Enter up to 10 comma-separated TCP port values—Type up to 10 ports on which to enable IPsec over TCP. Use a comma to separate the ports. You do not need to use spaces. The default port is 10,000. The range is 1 to 65,535.
Identity to Be Sent to Peer—Lets you set the way that IPsec peers identify themselves to each other.
Identity—Choose one of the following methods by which IPsec peers identify themselves:
Key Id String—Type the alpha-numeric string the peers use to look up the preshared key.
Disable inbound aggressive mode connections—Choose to disable aggressive mode connections.
Alert peers before disconnecting—Choose to have the ASA notify qualified LAN-to-LAN peers and remote access clients before disconnecting sessions.
Wait for all active sessions to voluntarily terminate before rebooting—Choose to have the ASA postpone a scheduled reboot until all active sessions terminate.
IKEv2 Specific Settings—These settings apply only to IPsec IKEv2 connections and limit the number of open SAs. By default, the ASA does not limit the number of open SAs:
Cookie Challenge—Enables the ASA to send cookie challenges to peer devices in response to SA initiate packets.
% threshold before incoming SAs are cookie challenged—The percentage of the total allowed SAs for the ASA that are in negotiation which triggers cookie challenges for any future SA negotiations. The range is zero to 100%. The default is 50%.
Number of Allowed SAs in Negotiation—Limits the maximum number of SAs that can be in negotiation at any time. If used in conjunction with Cookie Challenge, configure the cookie challenge threshold lower than this limit for an effective cross-check.
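The cross-check the page asks for can be reasoned through with a small model of the three IKEv2 limits. This is an added illustration, not Cisco's code: the decision order, the rounding of the percentage and the counter names are assumptions of the model, only the relationship between the fields is taken from the page.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Ikev2Limits:
    """The three IKEv2 Specific Settings from this page. None = not configured."""
    max_sa: Optional[int]                # Maximum Number of SAs Allowed
    max_in_negotiation: Optional[int]    # Number of Allowed SAs in Negotiation
    cookie_challenge_pct: Optional[int]  # % threshold before SAs are cookie challenged

    def challenge_threshold(self) -> Optional[int]:
        """In-negotiation SA count at which new initiators get a cookie challenge.

        The page defines the threshold as a percentage of the total allowed SAs;
        rounding down is an assumption of this model, not documented behaviour.
        """
        if self.cookie_challenge_pct is None or self.max_sa is None:
            return None
        return self.max_sa * self.cookie_challenge_pct // 100

    def cross_check(self) -> list:
        """Warnings for settings where a challenge can never fire before a hard limit."""
        warnings = []
        threshold = self.challenge_threshold()
        if self.cookie_challenge_pct is not None and self.max_sa is None:
            warnings.append("cookie-challenge percentage has no base: "
                            "Maximum Number of SAs Allowed is not set")
        if (threshold is not None and self.max_in_negotiation is not None
                and threshold >= self.max_in_negotiation):
            warnings.append(
                f"challenge threshold {threshold} is not below the in-negotiation "
                f"limit {self.max_in_negotiation}; the limit rejects new SAs before "
                "any cookie challenge is sent")
        return warnings


def handle_sa_init(limits: Ikev2Limits, in_negotiation: int,
                   total_sas: int, has_valid_cookie: bool) -> str:
    """Model decision for one incoming SA initiate: 'reject', 'challenge' or 'accept'."""
    if limits.max_in_negotiation is not None and in_negotiation >= limits.max_in_negotiation:
        return "reject"      # Number of Allowed SAs in Negotiation reached
    if limits.max_sa is not None and total_sas >= limits.max_sa:
        return "reject"      # Maximum Number of SAs Allowed reached
    threshold = limits.challenge_threshold()
    if threshold is not None and in_negotiation >= threshold and not has_valid_cookie:
        return "challenge"   # answer with a cookie instead of allocating SA state
    return "accept"
```

With 1000 allowed SAs, 100 in negotiation and the 50% default, the threshold works out to 500 and is unreachable; lowering the percentage to 5% puts the challenge (50) below the in-negotiation limit, as the page recommends.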
Identity options (the methods selectable in the Identity field above):
Address—Uses the IP addresses of the hosts.
Hostname—Uses the fully qualified domain names of the hosts. This name comprises the hostname and the domain name.
Key ID—Uses the string the remote peer uses to look up the preshared key.
Automatic—Determines IKE negotiation by connection type: IP address for preshared key or cert DN for certificate authentication.