Cisco Systems OL-16647-01 Network Router User Manual


34-9
Cisco ASDM User Guide
OL-16647-01
Chapter 34 IKE
IPsec
Note: The ASA supports LAN-to-LAN IPsec connections with Cisco peers, and with third-party peers that comply with all relevant standards.

During tunnel establishment, the two peers negotiate security associations that govern authentication, encryption, encapsulation, and key management. These negotiations involve two phases: first, to establish the tunnel (the IKE SA); and second, to govern traffic within the tunnel (the IPsec SA).

A LAN-to-LAN VPN connects networks in different geographic locations. In IPsec LAN-to-LAN connections, the security appliance can function as initiator or responder. In IPsec client-to-LAN connections, the security appliance functions only as responder. Initiators propose SAs; responders accept, reject, or make counter-proposals—all in accordance with configured SA parameters. To establish a connection, both entities must agree on the SAs.
The security appliance supports these IPsec attributes:

- Main mode for negotiating phase one ISAKMP security associations when using digital certificates for authentication
- Aggressive mode for negotiating phase one ISAKMP Security Associations (SAs) when using preshared keys for authentication
- Authentication Algorithms:
  - ESP-MD5-HMAC-128
  - ESP-SHA1-HMAC-160
- Authentication Modes:
  - Preshared Keys
  - X.509 Digital Certificates
- Diffie-Hellman Groups 1, 2, 5, and 7
- Encryption Algorithms:
  - AES-128, -192, and -256
  - 3DES-168
  - DES-56
  - ESP-NULL
- Extended Authentication (XAuth)
- Mode Configuration (also known as ISAKMP Configuration Method)
- Tunnel Encapsulation Mode
- IP compression (IPCOMP) using LZS
Crypto Maps

This pane shows the currently configured crypto maps, including the IPsec rules. Use it to add, edit, delete, move up, move down, cut, copy, and paste an IPsec rule.
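As an added example (not taken from the guide), the ASA CLI that corresponds to a LAN-to-LAN crypto map built from the attributes listed above, in the 8.0-era syntax this ASDM release manages; the policy number, map name, ACL name, addresses, peer and key are constructed placeholders.

```cisco
! Added example, not from the Cisco guide. Names, addresses (RFC 5737
! documentation ranges) and the key are constructed placeholders.
!
! Phase 1 (IKE SA): attributes the peer must match. "pre-share" selects
! preshared-key authentication; "rsa-sig" would select X.509 certificates.
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp enable outside
!
! Phase 2 (IPsec SA): ESP transform; tunnel encapsulation mode is the default.
crypto ipsec transform-set L2L-AES256-SHA esp-aes-256 esp-sha-hmac
!
! Interesting traffic: the two LANs the crypto map protects.
access-list L2L-TRAFFIC extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
!
! Crypto map entry 10 (the IPsec rule shown in the ASDM pane), then bind
! the map to the outside interface.
crypto map outside_map 10 match address L2L-TRAFFIC
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set transform-set L2L-AES256-SHA
crypto map outside_map 10 set pfs group5
crypto map outside_map interface outside
!
! LAN-to-LAN tunnel group keyed by the peer address; holds the preshared key.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key REPLACE-WITH-STRONG-KEY
!
! Weaker entries from the same attribute list, shown for contrast only:
!  encryption des / hash md5 / group 1  -> 56-bit key, MD5, 768-bit DH
!  esp-des esp-md5-hmac, esp-null       -> ESP-NULL provides no confidentiality
```

Both peers must carry matching phase-one and phase-two attributes, or the negotiation described above fails before any IPsec SA is established.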