Configuration Wizards
Using the Site-to-Site VPN Wizard to Configure Site-to-Site VPN
Cisco ISA500 Series Integrated Security Appliances Administration Guide
  - Group 14 (2048-bit)
• Lifetime: Enter the number of seconds for the IKE Security Association (SA)
  to remain valid. As a general rule, a shorter lifetime provides more secure
  ISAKMP negotiations. However, with shorter lifetimes, the security appliance
  sets up future IKE SAs more quickly.
STEP 8 Click OK to save your settings.
STEP 9 After you are finished, click Next.
Configuring Transform Policies
STEP 10 Use the Transform Policies page to configure the transform policies and to specify
a transform set for the IPsec VPN policy. You can choose the default or a custom
transform set.
STEP 11 Click Add to add a transform set.
Other options: To edit an entry, click Edit. To delete an entry, select it and click
Delete. The default transform set (DefaultTrans) cannot be edited or deleted.
STEP 12 Enter the following information:
• Name: Enter the name for the transform set.
• Integrity: Choose the hash algorithm used to ensure data integrity. The hash
  algorithm ensures that a packet comes from where it says it comes from, and
  that it has not been modified in transit.
  - ESP_SHA1_HMAC: Authentication with SHA1 (160-bit).
  - ESP_MD5_HMAC: Authentication with MD5 (128-bit). MD5 has a smaller
    digest and is considered to be slightly faster than SHA1. A successful (but
    extremely difficult) attack against MD5 has occurred; however, the HMAC
    variant that IKE uses prevents this attack.
• Encryption: Choose the symmetric encryption algorithm that protects data
  transmission between two IPsec peers. The default is ESP_3DES. The
  Advanced Encryption Standard supports key lengths of 128, 192, and 256 bits.
  - ESP_3DES: Encryption with 3DES (168-bit).
  - ESP_AES_128: Encryption with AES (128-bit).
  - ESP_AES_192: Encryption with AES (192-bit).
  - ESP_AES_256: Encryption with AES (256-bit).
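The Integrity setting above selects a keyed hash that the receiving peer recomputes over each ESP packet. The following Python code is an added example, not part of the Cisco guide: it builds and verifies that integrity tag for both options and shows that a modified payload, an altered sequence number, or a wrong key all fail verification. It assumes the options correspond to the standard ESP transforms HMAC-SHA-1-96 and HMAC-MD5-96 (RFC 2404, RFC 2403); the function names, keys, SPI and packet bytes are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Assumption: the guide's option names map to the standard ESP authentication
# transforms, which truncate the HMAC output to 96 bits (RFC 2404, RFC 2403).
TRANSFORMS = {"ESP_SHA1_HMAC": (hashlib.sha1, 20), "ESP_MD5_HMAC": (hashlib.md5, 16)}
ICV_LEN = 12  # 96-bit truncated integrity check value (ICV)


def esp_icv(transform, key, spi, seq, payload):
    """Return the ICV computed over the ESP header (SPI, sequence) and payload."""
    digestmod, key_len = TRANSFORMS[transform]
    if len(key) != key_len:
        raise ValueError(f"{transform} expects a {key_len}-byte key")
    header = struct.pack("!II", spi, seq)
    return hmac.new(key, header + payload, digestmod).digest()[:ICV_LEN]


def protect(transform, key, spi, seq, payload):
    """Sender side: build header || payload || ICV."""
    icv = esp_icv(transform, key, spi, seq, payload)
    return struct.pack("!II", spi, seq) + payload + icv


def verify(transform, key, packet):
    """Receiver side: recompute the ICV and compare in constant time."""
    if len(packet) < 8 + ICV_LEN:
        return False
    spi, seq = struct.unpack("!II", packet[:8])
    payload, icv = packet[8:-ICV_LEN], packet[-ICV_LEN:]
    return hmac.compare_digest(icv, esp_icv(transform, key, spi, seq, payload))


def demo():
    """Return (intact, payload bit flipped, sequence altered, wrong key) per transform."""
    results = {}
    payload = bytes(range(32))  # constructed stand-in for the encrypted payload
    for name, (_, key_len) in TRANSFORMS.items():
        key = bytes([0x0B]) * key_len  # constructed key, not a real secret
        pkt = protect(name, key, 0x1000, 1, payload)
        flipped = pkt[:10] + bytes([pkt[10] ^ 0x01]) + pkt[11:]
        new_seq = pkt[:7] + b"\x02" + pkt[8:]
        results[name] = (verify(name, key, pkt), verify(name, key, flipped),
                         verify(name, key, new_seq), verify(name, bytes(key_len), pkt))
    return results


if __name__ == "__main__":
    print(demo())
```

Because the tag covers the SPI and sequence number as well as the payload, changing any header field invalidates the packet, not only changes to the data.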