32-5
Cisco ASDM User Guide
OL-16647-01
Chapter 32 VPN
VPN Wizard
Fields
• Encryption—Select the symmetric encryption algorithm the security appliance uses to establish the Phase 1 SA that protects Phase 2 negotiations. The security appliance supports the following encryption algorithms:

  Algorithm   Explanation
  DES         Data Encryption Standard. Uses a 56-bit key.
  3DES        Triple DES. Performs encryption three times using a 56-bit key.
  AES-128     Advanced Encryption Standard. Uses a 128-bit key.
  AES-192     AES using a 192-bit key.
  AES-256     AES using a 256-bit key.

  The default, 3DES, is more secure than DES but requires more processing for encryption and decryption. Similarly, the AES options provide increased security, but also require increased processing.

• Authentication—Select the hash algorithm used for authentication and ensuring data integrity. The default is SHA. MD5 has a smaller digest and is considered to be slightly faster than SHA. There has been a demonstrated successful (but extremely difficult) attack against MD5. However, the Keyed-Hash Message Authentication Code (HMAC) version used by the security appliance prevents this attack.

• Diffie-Hellman Group—Select the Diffie-Hellman group identifier, which the two IPsec peers use to derive a shared secret without transmitting it to each other. The default, Group 2 (1024-bit Diffie-Hellman), requires less CPU time to execute but is less secure than Group 5 (1536-bit). Group 7 is for use with the Movian VPN client, but works with any peer that supports Group 7 (ECC).

Note  The default value for the VPN 3000 Series Concentrator is MD5. A connection between the security appliance and the VPN Concentrator requires that the authentication method for Phase I and II IKE negotiations be the same on both sides of the connection.

Modes

The following table shows the modes in which this feature is available:

  Firewall Mode             Security Context
  Routed    Transparent     Single    Multiple
                                      Context    System
  •         —               •         —          —

Hosts and Networks

Use the Hosts and Networks panel to identify local and remote hosts and networks that can use this LAN-to-LAN IPsec tunnel to send and receive data.
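The three Phase 1 fields above (Encryption, Authentication, Diffie-Hellman Group) and the matching requirement in the Note, modelled as an added Python example that is not from the Cisco guide: it checks a local proposal against a peer's proposal list (IKE Phase 1 completes only when the two sides' attributes agree) and ranks settings by the strength orderings the page states. The VPN 3000 Concentrator sample proposal is constructed; the page only states its MD5 default.

```python
# Added example (not from the Cisco ASDM guide): models the wizard's three
# IKE Phase 1 fields and checks proposals the way the Note requires.
from dataclasses import dataclass

# Strength orderings exactly as the page states them, weakest first.
ENCRYPTION_ORDER = ("DES", "3DES", "AES-128", "AES-192", "AES-256")
HASH_ORDER = ("MD5", "SHA")
DH_GROUP_ORDER = (2, 5)  # Group 7 (ECC) is a peer-specific option; not ranked here


@dataclass(frozen=True)
class Phase1Proposal:
    encryption: str      # wizard "Encryption" field
    authentication: str  # wizard "Authentication" field (hash algorithm)
    dh_group: int        # wizard "Diffie-Hellman Group" field


def select_proposal(local, remote_proposals):
    """Return the first remote proposal identical to the local one, or None.
    Phase 1 only completes when encryption, hash and DH group all agree;
    the hash mismatch described in the Note is one instance of this rule."""
    for candidate in remote_proposals:
        if candidate == local:
            return candidate
    return None


def mismatches(local, remote):
    """List each field on which two proposals differ, for troubleshooting."""
    return [
        f"{field}: local={getattr(local, field)} remote={getattr(remote, field)}"
        for field in ("encryption", "authentication", "dh_group")
        if getattr(local, field) != getattr(remote, field)
    ]


def below_floor(proposal, floor):
    """Return the fields of `proposal` that rank weaker than `floor`."""
    weak = []
    if ENCRYPTION_ORDER.index(proposal.encryption) < ENCRYPTION_ORDER.index(floor.encryption):
        weak.append("encryption")
    if HASH_ORDER.index(proposal.authentication) < HASH_ORDER.index(floor.authentication):
        weak.append("authentication")
    if (proposal.dh_group in DH_GROUP_ORDER and floor.dh_group in DH_GROUP_ORDER
            and DH_GROUP_ORDER.index(proposal.dh_group) < DH_GROUP_ORDER.index(floor.dh_group)):
        weak.append("dh_group")
    return weak


# Constructed samples: the wizard defaults (3DES, SHA, Group 2) against a
# VPN 3000 Concentrator left at its MD5 default (other fields assumed equal).
ASA_DEFAULT = Phase1Proposal("3DES", "SHA", 2)
CONCENTRATOR_DEFAULT = Phase1Proposal("3DES", "MD5", 2)

if __name__ == "__main__":
    print(mismatches(ASA_DEFAULT, CONCENTRATOR_DEFAULT))
    print(below_floor(ASA_DEFAULT, Phase1Proposal("AES-128", "SHA", 5)))
```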