User Guide for Cisco Security Manager 4.4
Chapter 25 Configuring IKE and IPsec Policies
Understanding IKE
Hash Algorithm
The hash algorithm used in the IKE proposal. The hash algorithm creates a message digest, which is used to ensure message integrity. Options are:
• SHA (Secure Hash Algorithm)—Produces a 160-bit digest. SHA is more resistant to brute-force attacks than MD5.
• MD5 (Message Digest 5)—Produces a 128-bit digest. MD5 uses less processing time than SHA.
Modulus Group
The Diffie-Hellman group to use for deriving a shared secret between the two IPsec peers without transmitting it to each other. A larger modulus provides higher security but requires more processing time. The two peers must have a matching modulus group. Options are:
Tip For IKEv1, ASA devices support groups 2 and 5 only.
• 1—Diffie-Hellman Group 1 (768-bit modulus).
• 2—Diffie-Hellman Group 2 (1024-bit modulus).
• 5—Diffie-Hellman Group 5 (1536-bit modulus, considered good protection for 128-bit keys, but group 14 is better). If you are using AES encryption, use this group (or higher).
• 7—Diffie-Hellman Group 7 (163-bit elliptic curve field size).
• 14—Diffie-Hellman Group 14 (2048-bit modulus, considered good protection for 128-bit keys).
• 15—Diffie-Hellman Group 15 (3072-bit modulus, considered good protection for 192-bit keys).
• 16—Diffie-Hellman Group 16 (4096-bit modulus, considered good protection for 256-bit keys).
Note Although Diffie-Hellman groups 19-24 are listed, they are not supported for IKEv1 and will cause a validation error if selected for IKEv1 policies.
Lifetime
The lifetime of the security association (SA), in seconds. When the lifetime is exceeded, the SA expires and must be renegotiated between the two peers. As a general rule, the shorter the lifetime (up to a point), the more secure your IKE negotiations will be. However, with longer lifetimes, future IPsec security associations can be set up more quickly than with shorter lifetimes.
You can specify a value from 60 to 2147483647 seconds. The default is
Table 25-1 IKEv1 Proposal Dialog Box (Continued)
Element Description
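The following is an added example, not code from Cisco Security Manager or this guide: a small pre-check that applies the Table 25-1 rules (SHA/MD5 digest sizes, the Diffie-Hellman groups offered, the ASA IKEv1 restriction to groups 2 and 5, the validation error for groups 19-24 under IKEv1, the "group 5 or higher with AES" advice, the 60 to 2147483647 second lifetime range, and the requirement that both peers use the same modulus group) to a proposal before it is pushed to a device. The `encryption` and `device_type` fields, the device names, and the split between errors and warnings are assumptions made for the example; reading "group 5 or higher" as group number 5 or above is also an assumption.

```python
"""Pre-check an IKEv1 proposal against the constraints listed in Table 25-1.

Added illustration; not Cisco Security Manager code. Field names other than
hash algorithm, modulus group and lifetime are hypothetical.
"""
from dataclasses import dataclass

# Digest size in bits for each hash option in the dialog.
HASH_DIGEST_BITS = {"SHA": 160, "MD5": 128}

# Diffie-Hellman groups offered in the dialog and their modulus size in bits
# (for group 7 the figure is an elliptic curve field size, not a modulus).
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536, 7: 163, 14: 2048, 15: 3072, 16: 4096}

# Listed in the dialog but rejected with a validation error for IKEv1 policies.
IKEV1_UNSUPPORTED_GROUPS = set(range(19, 25))

# Tip in the table: ASA devices support only these groups for IKEv1.
ASA_IKEV1_GROUPS = {2, 5}

LIFETIME_MIN, LIFETIME_MAX = 60, 2147483647


@dataclass
class IkeV1Proposal:
    hash_alg: str
    dh_group: int
    lifetime_seconds: int
    encryption: str = "3DES"   # hypothetical field; "AES" triggers the group advice
    device_type: str = "IOS"   # hypothetical field; "ASA" enables the ASA restriction


def validate_ikev1_proposal(p: IkeV1Proposal) -> dict:
    """Return {'errors': [...], 'warnings': [...]} for one proposal.

    Errors are conditions the table says the tool rejects or does not support;
    warnings are the table's advisory statements (assumption: advisory only).
    """
    errors, warnings = [], []

    # Hash algorithm: only SHA and MD5 are options.
    if p.hash_alg not in HASH_DIGEST_BITS:
        errors.append(f"hash algorithm {p.hash_alg!r} is not an option (SHA or MD5)")
    elif p.hash_alg == "MD5":
        warnings.append("MD5 gives a 128-bit digest; SHA (160-bit) is more "
                        "resistant to brute-force attacks")

    # Modulus group: 19-24 are listed but fail validation for IKEv1.
    if p.dh_group in IKEV1_UNSUPPORTED_GROUPS:
        errors.append(f"group {p.dh_group} is not supported for IKEv1 (validation error)")
    elif p.dh_group not in DH_GROUP_BITS:
        errors.append(f"group {p.dh_group} is not an option in the dialog")
    else:
        if p.device_type == "ASA" and p.dh_group not in ASA_IKEV1_GROUPS:
            errors.append(f"ASA devices support IKEv1 groups 2 and 5 only, not {p.dh_group}")
        # Assumption: "use this group (or higher)" read as group number >= 5.
        if p.encryption.upper().startswith("AES") and p.dh_group < 5:
            warnings.append(f"AES encryption: use group 5 or higher, not group {p.dh_group}")

    # Lifetime must fall inside the documented range.
    if not LIFETIME_MIN <= p.lifetime_seconds <= LIFETIME_MAX:
        errors.append(f"lifetime {p.lifetime_seconds} is outside "
                      f"{LIFETIME_MIN}..{LIFETIME_MAX} seconds")

    return {"errors": errors, "warnings": warnings}


def is_valid(p: IkeV1Proposal) -> bool:
    """True when the proposal has no errors (warnings are allowed)."""
    return not validate_ikev1_proposal(p)["errors"]


def peers_can_agree(a: IkeV1Proposal, b: IkeV1Proposal) -> bool:
    """The two peers must have a matching modulus group; the hash must match too."""
    return a.dh_group == b.dh_group and a.hash_alg == b.hash_alg


if __name__ == "__main__":
    # Constructed sample proposals.
    samples = {
        "ok-ios": IkeV1Proposal("SHA", 14, 86400),
        "asa-group14": IkeV1Proposal("SHA", 14, 86400, device_type="ASA"),
        "ikev1-group19": IkeV1Proposal("MD5", 19, 30, encryption="AES"),
        "aes-group1": IkeV1Proposal("SHA", 1, 3600, encryption="AES"),
    }
    for name, prop in samples.items():
        print(name, validate_ikev1_proposal(prop))
```

Run it once per proposal before deployment; any entry in `errors` corresponds to a setting the guide says will be rejected or unsupported, while `warnings` mirror the table's advice on digest strength and on pairing AES with group 5 or higher.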