Filter
Top Products
25-17
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 25 Configuring IKE and IPsec Policies
Understanding IPsec Proposals
Understanding IPsec Proposals
IPsec is one of the most secure methods for setting up a VPN. IPsec provides data encryption at the IP
packet level, offering a robust security solution that is standards-based. With IPsec, data is transmitted
over a public network through tunnels. A tunnel is a secure, logical communication path between two
peers, which can be devices in a site-to-site VPN or a device and user in remote access IPsec VPNs.
Traffic that enters an IPsec tunnel is secured by a combination of security protocols and algorithms
called a transform set.
An IPsec proposal is used in Phase 2 of an IKE negotiation, as explained in Understanding IKE,
page 25-5. The specific content of the proposal varies according to topology type (site-to-site or remote
access) and device type, although the proposals are broadly similar and contain many of the same
elements, such as IPsec transform sets.
Modulus Group The Diffie-Hellman group to use for deriving a shared secret between
the two IPsec peers without transmitting it to each other. A larger
modulus provides higher security but requires more processing time.
The two peers must have a matching modulus group. Click Select and
select all of the groups that you want to allow in the VPN:
• 1—Diffie-Hellman Group 1 (768-bit modulus).
• 2—Diffie-Hellman Group 2 (1024-bit modulus).
• 5—Diffie-Hellman Group 5 (1536-bit modulus, considered good
protection for 128-bit keys, but group 14 is better). If you are using
AES encryption, use this group (or higher).
• 14—Diffie-Hellman Group 14 (2048-bit modulus, considered good
protection for 128-bit keys). (ASA 9.0.1+ devices only).
• 19—Diffie-Hellman Group 19 (256-bit elliptical curve field size).
(ASA 9.0.1+ devices only).
• 20—Diffie-Hellman Group 20 (384-bit elliptical curve field size).
(ASA 9.0.1+ devices only).
• 21—Diffie-Hellman Group 21 (521-bit elliptical curve field size).
(ASA 9.0.1+ devices only).
• 24—Diffie-Hellman Group 24 ( 2048-bit modulus and 256-bit
prime order subgroup). (ASA 9.0.1+ devices only).
Lifetime The lifetime of the security association (SA), in seconds. When the
lifetime is exceeded, the SA expires and must be renegotiated between
the two peers. As a general rule, the shorter the lifetime (up to a point),
the more secure your IKE negotiations will be. However, with longer
lifetimes, future IPsec security associations can be set up more quickly
than with shorter lifetimes.
You can specify a value from 120 to 2147483647 seconds. The default
is 86400.
Category The category assigned to the object. Categories help you organize and
identify rules and objects. See Using Category Objects, page 6-12.
Table 25-2 IKEv2 Proposal Dialog Box (Continued)
Element Description