Cisco Systems OL-16647-01 Network Router User Manual


Cisco ASDM User Guide (OL-16647-01), Chapter 34: IKE, IPsec, page 34-13
Create IPsec Rule/Tunnel Policy (Crypto Map) - Advanced Tab
Fields
Security Association Lifetime parameters—Configures the duration of a Security Association (SA). This parameter specifies how to measure the lifetime of the IPsec SA keys, which is how long the IPsec SA lasts until it expires and must be renegotiated with new keys.
Time—Specifies the SA lifetime in terms of hours (hh), minutes (mm) and seconds (ss).
Traffic Volume—Defines the SA lifetime in terms of kilobytes of traffic. Enter the number of kilobytes of payload data after which the IPsec SA expires. Minimum is 100 KB, default is 10000 KB, maximum is 2147483647 KB.
Enable NAT-T—Enables NAT Traversal (NAT-T) for this policy.
Enable Reverse Route Injection—Enables Reverse Route Injection for this policy.
Static Type Only Settings—Specifies parameters for static tunnel policies.
CA Certificate—Selects the certificate to use. If you select something other than None (Use Preshared Keys), which is the default, the Enable entire chain transmission check box becomes active.
Enable entire chain transmission—Enables transmission of the entire trust point chain.
IKE Negotiation Mode—Selects the IKE negotiation mode, Main or Aggressive. This parameter sets the mode for exchanging key information and setting up the SAs. It sets the mode that the initiator of the negotiation uses; the responder auto-negotiates. Aggressive Mode is faster, using fewer packets and fewer exchanges, but it does not protect the identity of the communicating parties. Main Mode is slower, using more packets and more exchanges, but it protects the identities of the communicating parties. Main Mode is more secure and is the default selection. If you select Aggressive, the Diffie-Hellman Group list becomes active.
Diffie-Hellman Group—Select the Diffie-Hellman group to apply. The choices are as follows: Group 1 (768-bit), Group 2 (1024-bit), Group 5 (1536-bit), Group 7 (ECC).
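As an added example (not part of the Cisco guide), the following Python check reviews the Advanced-tab values described above before they are committed: it parses the Time field (assumed here to be written as hh:mm:ss), enforces the documented Traffic Volume bounds, and flags Aggressive Mode because it exposes peer identities; the Diffie-Hellman check goes one step beyond the page by warning on Group 1, whose 768-bit modulus is below current minimum strength. The policy dictionary keys are constructed for this example and are not ASDM field names.

```python
import re

# Traffic Volume bounds in kilobytes, as documented for the Advanced tab.
TRAFFIC_MIN_KB = 100
TRAFFIC_DEFAULT_KB = 10000
TRAFFIC_MAX_KB = 2147483647

# Diffie-Hellman groups offered on the Advanced tab (group number -> size).
DH_GROUPS = {1: "768-bit", 2: "1024-bit", 5: "1536-bit", 7: "ECC"}


def parse_lifetime(hhmmss):
    """Convert a Time value (assumed format hh:mm:ss) into seconds."""
    m = re.fullmatch(r"(\d{1,2}):([0-5]\d):([0-5]\d)", hhmmss)
    if not m:
        raise ValueError(f"lifetime must be hh:mm:ss, got {hhmmss!r}")
    hours, minutes, seconds = (int(x) for x in m.groups())
    return hours * 3600 + minutes * 60 + seconds


def review_crypto_map(policy):
    """Return a list of findings for one crypto map's Advanced-tab settings.

    policy keys (constructed for this example): lifetime, traffic_kb,
    negotiation_mode, dh_group.
    """
    findings = []
    parse_lifetime(policy["lifetime"])  # reject malformed Time values early
    kb = policy.get("traffic_kb", TRAFFIC_DEFAULT_KB)
    if not TRAFFIC_MIN_KB <= kb <= TRAFFIC_MAX_KB:
        findings.append(f"traffic volume {kb} KB is outside "
                        f"{TRAFFIC_MIN_KB}-{TRAFFIC_MAX_KB} KB")
    if policy.get("negotiation_mode", "main").lower() == "aggressive":
        findings.append("aggressive mode sends peer identities unprotected; "
                        "main mode is the default and protects them")
        # The Diffie-Hellman Group list is only active in Aggressive Mode.
        group = policy.get("dh_group")
        if group not in DH_GROUPS:
            findings.append(f"unknown Diffie-Hellman group {group!r}; "
                            f"expected one of {sorted(DH_GROUPS)}")
        elif group == 1:
            findings.append("Diffie-Hellman group 1 (768-bit) is too weak")
    return findings


if __name__ == "__main__":
    # Constructed sample policy: lifetime 8h, volume below the 100 KB minimum.
    sample = {"lifetime": "08:00:00", "traffic_kb": 50,
              "negotiation_mode": "aggressive", "dh_group": 1}
    for finding in review_crypto_map(sample):
        print("-", finding)
```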
Modes
The following table shows the modes in which this feature is available:
Create IPsec Rule/Traffic Selection Tab
This pane lets you define what traffic to protect (permit) or not protect (deny).
Fields
Action—Specify the action for this rule to take. The selections are protect and do not protect.
Source—Specify the IP address, network object group or interface IP address for the source host or network. A rule cannot use the same address as both the source and destination. Click ... to launch the Browse Source dialog that contains the following fields:
[Modes table: Firewall Mode (Routed, Transparent); Security Context (Single, Multiple Context, System)]