Cisco Systems CL-28826-01 Security Camera User Manual


25-23
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 25 Configuring IKE and IPsec Policies
Understanding IPsec Proposals
Table 25-3 IPsec Proposal Page, Site-to-Site VPNs (except Easy VPN) (Continued)

Element: Enable Perfect Forward Secrecy; Modulus Group
Description:
Whether to use Perfect Forward Secrecy (PFS) to generate and use a unique session key for each encrypted exchange. The unique session key protects the exchange from subsequent decryption, even if the entire exchange was recorded and the attacker has obtained the preshared or private keys used by the endpoint devices.
If you select this option, also select the Diffie-Hellman key derivation algorithm to use when generating the PFS session key in the Modulus Group list. For an explanation of the options, see Deciding Which Diffie-Hellman Modulus Group to Use, page 25-7.

Element: Lifetime (sec); Lifetime (kbytes)
Description:
The global lifetime settings for the crypto IPsec security association (SA). You can specify the IPsec lifetime in seconds, in kilobytes, or both.
- Seconds (sec)—The number of seconds an SA will exist before expiring. The default is 3600 seconds (one hour).
- Kilobytes (kbytes)—The volume of traffic (in kilobytes) that can pass between IPsec peers using a given SA before it expires. Valid values depend on the device type. Enter a value within the range 10-2147483647 for an IOS router, and 2560-536870912 for an ASA/PIX7.0+ device. The default value is 4,608,000 kilobytes.

Element: QoS Preclassify
Description:
Supported on Cisco IOS routers, except 7600 devices.
When selected, enables the classification of packets before tunneling and encryption occur.
The Quality of Service (QoS) for VPNs feature enables Cisco IOS QoS services to operate with tunneling and encryption on an interface. The QoS features on the output interface classify packets and apply the appropriate QoS service before the data is encrypted and tunneled, enabling traffic flows to be adjusted in congested environments, and resulting in more effective packet tunneling.
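
The following audit check is an added example, not part of the Cisco manual or of Security Manager: it reads a deployed crypto map stanza and reports the effective PFS, lifetime, and QoS preclassify settings against the ranges and defaults in the table above. The function name, the sample stanzas, and the IOS/ASA-style CLI keywords it matches (`set pfs`, `set security-association lifetime`, `qos pre-classify`) are assumptions of this example.

```python
import re

# Kilobyte-lifetime ranges and defaults as stated in Table 25-3 above.
KB_RANGE = {"ios": (10, 2147483647), "asa": (2560, 536870912)}
DEFAULT_SECONDS, DEFAULT_KBYTES = 3600, 4608000

# Constructed sample stanzas for illustration (not taken from the manual).
SAMPLE_OK = """\
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 192.0.2.1
 set pfs group14
 set security-association lifetime seconds 3600
 set security-association lifetime kilobytes 4608000
 qos pre-classify
"""
SAMPLE_BAD = """\
crypto map VPN-MAP 20 set peer 192.0.2.2
crypto map VPN-MAP 20 set security-association lifetime kilobytes 1024
"""

def audit_crypto_map(config: str, device: str) -> dict:
    """Return effective PFS/lifetime/QoS settings plus a list of findings."""
    lo, hi = KB_RANGE[device]
    result = {"pfs_group": None, "seconds": DEFAULT_SECONDS,
              "kbytes": DEFAULT_KBYTES, "qos_preclassify": False, "findings": []}
    for line in config.splitlines():
        line = line.strip()
        if m := re.search(r"\bset pfs(?:\s+(\S+))?", line):
            result["pfs_group"] = m.group(1) or "device-default"
        elif m := re.search(r"\blifetime (seconds|kilobytes) (\d+)", line):
            key = "seconds" if m.group(1) == "seconds" else "kbytes"
            result[key] = int(m.group(2))
        elif re.search(r"\bqos pre-classify\b", line):
            result["qos_preclassify"] = True
    if result["pfs_group"] is None:
        result["findings"].append("PFS disabled: no unique session key per exchange")
    if not lo <= result["kbytes"] <= hi:
        result["findings"].append(f"kbytes {result['kbytes']} outside {lo}-{hi} for {device}")
    if result["qos_preclassify"] and device != "ios":
        result["findings"].append("QoS preclassify is supported on IOS routers only")
    return result
```

The same stanza can pass on one platform and fail on another: a 1024-kilobyte lifetime is inside the IOS range but below the ASA/PIX7.0+ minimum.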