
Configuring the Cisco ASA IPSec VPN

Article Description

The security of data that is being transmitted over a network is one of the key responsibilities of a security engineer/administrator. One of the ways that this data can be secured is by using IP Security (IPsec). IPsec can be configured on the Cisco Adaptive Security Appliance (ASA) to secure data going between LAN devices (LAN-to-LAN) and between a LAN device and an IPsec client (e.g., Windows, Linux, or Mac clients). Sean Wilkins goes over the high-level basics of how IPsec operates and how it can be configured on a Cisco ASA.
Phase 1 IKE Policy

The Cisco ASA supports two different versions of IKE: version 1 (IKEv1) and version 2 (IKEv2). IKEv1 connections use the legacy Cisco VPN client; IKEv2 connections use the Cisco AnyConnect VPN client. When using IKEv1, the parameters negotiated between devices to set up the Phase 1 IKE SA are also referred to as an IKEv1 policy and include the following:

  • Authentication Type (Pre-Shared Key (PSK) or RSA Signature (using certificates))
  • Encryption Method (DES, 3DES, or AES [128, 192, 256])—Used to protect the initial communications
  • Hash Method (MD5 or SHA)—Used to ensure the identity of the sender and the integrity of the message from sender to receiver
  • Diffie-Hellman (DH) group (1, 2, or 5)—Determines the strength of the key-exchange algorithm that is used to derive the encryption and hash keys
  • Encryption Key Lifetime (86,400 seconds [24 hours])

When using IKEv2, the parameters negotiated between devices to set up the Phase 1 IKE SA are also referred to as an IKEv2 policy and include the following (IKEv2 does not support negotiating Authentication Type):

  • Encryption Method (DES, 3DES, or AES [128, 192, 256])—Used to protect the initial communications
  • Hash Method (MD5, SHA-1, SHA-2 [256, 384, 512])—Used to ensure the identity of the sender and the integrity of the message from sender to receiver
  • Diffie-Hellman (DH) group (1, 2, 5, 14, 19, 20, 21, 24)—Determines the strength of the key-exchange algorithm that is used to derive the encryption and hash keys
  • Pseudo-Random Function (PRF) (MD5, SHA-1, SHA-2 [256, 384, 512])—Used to derive keying material and for hashing operations
  • Encryption Key Lifetime (86,400 seconds [24 hours])
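The parameters above map directly onto the ASA's crypto ikev1 policy and crypto ikev2 policy commands. The following is an added configuration example, not taken from the article: a legacy IKEv1 policy built from the weakest option in each list, the hardened policy that replaces it, an equivalent IKEv2 policy, and the show commands used to confirm what a peer actually negotiated. The interface name outside and the priority numbers 5 and 10 are assumptions.

```cisco
! Legacy IKEv1 policy: weakest option from every list above.
! Policies are tried in ascending priority order, so a leftover
! low-numbered weak policy is offered before a stronger one that
! carries a higher number.
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
!
! Hardened IKEv1 policy: strongest option the article lists for v1.
! Give it the lowest priority number and remove the legacy policy
! once no peer still depends on it.
no crypto ikev1 policy 10
crypto ikev1 policy 5
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
!
! IKEv2 policy: no authentication line (not negotiated in IKEv2);
! integrity and prf are set separately, both from the SHA-2 set,
! and the lifetime keyword takes an explicit unit.
crypto ikev2 enable outside
crypto ikev2 policy 5
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
!
! Verification: review the configured policies, then check the
! parameters of the live Phase 1 SA after a peer connects.
show running-config crypto ikev1
show running-config crypto ikev2
show crypto ikev1 sa detail
show crypto ikev2 sa detail
```

The sa detail output is the authoritative check: it shows the encryption, hash/integrity, DH group and lifetime the peer actually agreed to, which may differ from the strongest policy configured if a weaker one is still present.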