Filter
Top Products
25-22
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 25 Configuring IKE and IPsec Policies
Understanding IPsec Proposals
• Understanding IPsec Proposals for Site-to-Site VPNs, page 25-18
Field Reference
Table 25-3 IPsec Proposal Page, Site-to-Site VPNs (except Easy VPN)
Element Description
Crypto Map Type
(Hub and spoke and full mesh
topologies only.)
A crypto map combines all the components required to set up IPsec
security associations (SA). When two peers try to establish an SA, they
must each have at least one compatible crypto map entry. For more
information, see Understanding Crypto Maps, page 25-18.
Select the type of crypto map you want to generate:
• Static—Use a static crypto map in a point-to-point or full mesh
VPN topology.
• Dynamic—Dynamic crypto maps can only be used in a
hub-and-spoke VPN topology. Dynamic crypto map policies allow
remote peers to exchange IPsec traffic with a local hub, even if the
hub does not know the remote peer’s identity.
Enable IKEv1
Enable IKEv2
The IKE versions to use during IKE negotiations. IKEv2 is supported
on ASA Software release 8.4(x) only. Select either or both options as
appropriate; you must select IKEv1 if any device in the topology does
not support IKEv2.
When you select both options in hub-and-spoke or full mesh
topologies, Security Manager automatically assigns the IKE version to
devices based on the OS type and version used by the device. You can
change these assignments by clicking the IKE Version tab, then click
the Select button beneath the IKEv1 Enabled Peers or IKEv2 Enabled
Peers to change which version is assigned to the device. You can change
the assignments for devices that support each version only; other
devices are not selectable. For more information, see Selecting the IKE
Version for Devices in Site-to-Site VPNs, page 25-25.
Transform Sets
IKEv2 Transform Sets
The transform sets to use for your tunnel policy. Transform sets specify
which authentication and encryption algorithms will be used to secure
the traffic in the tunnel. The transform sets are different for each IKE
version; select objects for each supported version. You can select up to
11 transform sets for each. For more information, see Understanding
Transform Sets, page 25-19.
If more than one of your selected transform sets is supported by both
peers, the transform set that provides the highest security will be used.
Click Select to select the IPsec transform set policy objects to use in the
topology. If the required object is not yet defined, you can click the
Create (+) button beneath the available objects list in the selection
dialog box to create a new one. For more information, see Configuring
IPSec IKEv1 or IKEv2 Transform Set Policy Objects, page 25-25.
Note IKEv1 Transform sets can use tunnel mode or transport mode
of IPsec operation. However, you cannot use transport mode in
IPsec or Easy VPN topologies.