In addition to the advanced features discussed in the preceding section, you can optionally tweak many default parameters to optimize the site-to-site connections. This section discusses these parameters.
Perfect Forward Secrecy
Perfect Forward Secrecy (PFS) is a cryptographic property under which newly generated keys are not derived from any previously generated key. With PFS enabled, the Cisco ASA performs a fresh Diffie-Hellman exchange during the IPSec Phase 2 (quick mode) negotiation, so the Phase 2 keys are independent of the Phase 1 keys. Without PFS, the Phase 2 keys are derived from the Phase 1 shared secret, so an attacker who recovers the Phase 1 keying material can recover the Phase 2 keys as well. The Cisco ASA supports Diffie-Hellman groups 1, 2, 5, and 7 for PFS. Group 1 uses a 768-bit modulus, group 2 a 1024-bit modulus, and group 5 a 1536-bit modulus. Group 7, with a 163-bit elliptic curve field size, is designed for faster key computation on handheld devices. Of the modular groups, group 5 is the strongest but carries the most processing overhead; groups 1 and 2 are considered too weak for new deployments by today's standards. The syntax to configure PFS is
crypto map map-name seq-num set pfs {group1 | group2 | group5 | group7}
Example 15-22 shows you how to enable PFS group 5 for a peer with a sequence number 10.
Example 15-22. Configuring PFS Group 5 for a Peer
Chicago(config)# crypto map IPSec_map 10 set pfs group5
Security Association Lifetimes
If you do not specify the IPSec security association lifetimes, the Cisco ASA uses the default values of 28,800 seconds (8 hours) and 4,608,000 KB; the SA is renegotiated when either limit is reached first. The IPSec security association lifetimes can be set either globally or per crypto map entry. To configure them globally, the command syntax is
crypto ipsec security-association lifetime {seconds 120-2147483647 | kilobytes 10-2147483647}
The lifetime in seconds can range from 120 to 2,147,483,647, and the lifetime in kilobytes can range from 10 to 2,147,483,647.
If you want to specify unique security association lifetime values for a single crypto map entry instead, the command syntax is
crypto map map-name seq-num set security-association lifetime {seconds 120-2147483647 | kilobytes 10-2147483647}
Phase 1 Mode
By default, the ISAKMP implementation in the Cisco ASA uses main mode for Phase 1 negotiations. To change the Phase 1 mode for a specific peer, use the following command syntax:
crypto map map-name seq-num set phase1-mode {main | aggressive [group1 | group2 | group5 | group7]}
If the remote VPN peer initiates a site-to-site tunnel using aggressive mode, the ASA accepts it by default and uses aggressive mode for that negotiation. Aggressive mode has known weaknesses: the peer identities are sent in the clear, and with pre-shared key authentication the responder's authentication hash can be captured and subjected to an offline dictionary attack against the key. Use main mode wherever possible. If you do not want to accept connections that use aggressive mode at all, disable it globally, as shown in Example 15-23.
Example 15-23. Disabling Aggressive Mode
Chicago(config)# crypto isakmp am-disable
Connection Type
In a site-to-site tunnel the Cisco ASA can both initiate and respond to a VPN connection. This bidirectional default behavior can be changed to answer-only or originate-only. For example, if you want to limit the Cisco ASA to initiating IKE tunnels, set the connection type to originate-only; if the remote VPN peer then tries to initiate the connection, the local Cisco ASA does not honor the request. Similarly, if you want the Cisco ASA to accept IKE tunnels only from the peer, set the connection type to answer-only. The command syntax to set the connection type is
crypto map map-name seq-num set connection-type {answer-only | bidirectional | originate-only}
Note
If you specify multiple peers in one crypto map entry for redundancy, you must set the connection type of that entry to originate-only.
Example 15-24 shows the Chicago ASA's connection type set to originate-only for the peer 209.165.201.1.
Example 15-24. Configuring Connection Type to Originate-Only for a Peer
Chicago(config)# crypto map IPSec_map 10 set connection-type originate-only
Inheritance
Inheritance specifies how the Cisco ASA creates the Phase 2 IPSec SAs. You can configure either rule (ACL) inheritance or data inheritance. With rule inheritance, the default, all hosts covered by a proxy identity share the same IPSec SA pair when the crypto ACL specifies an IP network. With data inheritance, the Cisco ASA creates a separate tunnel for every address pair within the address ranges specified in the crypto ACL, so each host pair uses its own SA and consequently its own keys. Although this compartmentalizes the impact of a single key compromise, it requires considerably more processing and can generate a very large number of SAs for network-to-network ACLs. For optimum performance, keep the default rule (ACL) inheritance.
Example 15-25 shows how to change behavior to data rule inheritance.
Example 15-25. Changing Inheritance from ACL to Data
Chicago(config)# crypto map IPSec_map 1 set inheritance data
ISAKMP Keepalives
The ISAKMP keepalives feature determines whether the remote VPN peer is still up, so that SAs for a dead peer do not linger. The Cisco ASA starts sending Dead Peer Detection (DPD) packets once it stops receiving encrypted traffic over the tunnel from the peer. By default, if it does not hear from its peer for 10 seconds, it sends a DPD R_U_THERE packet and repeats it every 2 seconds. If it does not receive an R_U_THERE_ACK for four consecutive DPDs, the Cisco ASA deletes the corresponding ISAKMP and IPSec SAs.
DPD messages are sent only after the IKE and IPSec SAs have been negotiated and while the Cisco ASA is not receiving traffic from the other side. If you do not want to send DPD messages to a specific peer, disable them under the tunnel-group ipsec-attributes submode. Example 15-26 illustrates how to disable ISAKMP keepalives for peer 209.165.201.1.
Example 15-26. Disabling ISAKMP Keepalives
Chicago(config)# tunnel-group 209.165.201.1 ipsec-attributes
Chicago(config-ipsec)# isakmp keepalive disable
You can also tune the keepalive parameters to suit your needs. In Example 15-27, if the Cisco ASA does not receive encrypted traffic for 30 seconds, it sends the first DPD packet, and it then retries every 5 seconds for as long as it fails to get an ACK.
Example 15-27. Changing the Default ISAKMP Keepalive Timers
Chicago(config)# tunnel-group 209.165.201.1 ipsec-attributes
Chicago(config-ipsec)# isakmp keepalive threshold 30 retry 5
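The settings covered in this section (PFS group, SA lifetime, Phase 1 mode and am-disable, inheritance, and ISAKMP keepalives) are easy to misconfigure one crypto map entry at a time and hard to review by eye on a large ASA. The following Python script is an added example, not from the book or from Cisco: it parses a running-config excerpt and flags the weak choices discussed above. The configuration text, ACL names, peer addresses and severity labels are constructed for the example; the ACL parser handles only the network/mask form of a permit statement.

```python
"""Audit a Cisco ASA config for the site-to-site tuning knobs covered in
this section: PFS group, SA lifetime, Phase 1 mode, inheritance and
ISAKMP keepalives. Added example, not from the book or from Cisco;
SAMPLE_CONFIG is constructed and the severity labels are this script's."""
import ipaddress
import re

# Constructed excerpt: entry 10 follows the guidance above, entry 20 does not.
SAMPLE_CONFIG = """\
access-list VPN_to_NY extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list VPN_to_LA extended permit ip 192.168.10.0 255.255.255.0 10.0.0.0 255.0.0.0
crypto map IPSec_map 10 match address VPN_to_NY
crypto map IPSec_map 10 set peer 209.165.201.1
crypto map IPSec_map 10 set pfs group5
crypto map IPSec_map 10 set connection-type originate-only
crypto map IPSec_map 20 match address VPN_to_LA
crypto map IPSec_map 20 set peer 209.165.202.129
crypto map IPSec_map 20 set pfs group2
crypto map IPSec_map 20 set phase1-mode aggressive group2
crypto map IPSec_map 20 set inheritance data
crypto map IPSec_map 20 set security-association lifetime seconds 86400
tunnel-group 209.165.202.129 ipsec-attributes
 isakmp keepalive disable
"""

WEAK_DH_GROUPS = {"group1", "group2"}  # 768- and 1024-bit MODP
DEFAULT_LIFETIME_SECONDS = 28800


def parse_crypto_maps(config):
    """Return {(map_name, seq): {setting: value}} from 'crypto map' lines."""
    maps = {}
    for line in config.splitlines():
        t = line.split()
        # Skip anything that is not 'crypto map NAME SEQ ...' (e.g. 'interface').
        if len(t) < 6 or t[:2] != ["crypto", "map"] or not t[3].isdigit():
            continue
        entry = maps.setdefault((t[2], int(t[3])), {})
        if t[4] == "match" and t[5] == "address" and len(t) > 6:
            entry["match-address"] = t[6]
        elif t[4] == "set":
            entry[t[5]] = " ".join(t[6:])  # e.g. 'pfs' -> 'group5'
    return maps


def acl_host_pairs(config, acl_name):
    """Source/destination address pairs an extended ACL covers. With
    'set inheritance data' the ASA builds one SA pair per address pair,
    so this bounds the SA count. Only 'permit ip NET MASK NET MASK' is parsed."""
    pat = re.compile(r"^access-list %s extended permit ip (\S+) (\S+) (\S+) (\S+)$"
                     % re.escape(acl_name), re.M)
    return sum(ipaddress.IPv4Network((s, sm)).num_addresses
               * ipaddress.IPv4Network((d, dm)).num_addresses
               for s, sm, d, dm in pat.findall(config))


def keepalive_disabled_peers(config):
    """Peers whose tunnel-group ipsec-attributes contain 'isakmp keepalive disable'."""
    peers, current = set(), None
    for line in config.splitlines():
        m = re.match(r"^tunnel-group (\S+) ipsec-attributes$", line)
        if m:
            current = m.group(1)
        elif line.startswith(" ") and current:
            if line.strip() == "isakmp keepalive disable":
                peers.add(current)
        else:
            current = None  # left the submode
    return peers


def audit(config):
    """Return (severity, scope, finding) tuples for the checks above."""
    findings = []
    if not re.search(r"^crypto isakmp am-disable\s*$", config, re.M):
        findings.append(("medium", "global",
                         "aggressive mode accepted from any peer; add 'crypto isakmp am-disable'"))
    dpd_off = keepalive_disabled_peers(config)
    for (name, seq), e in sorted(parse_crypto_maps(config).items()):
        scope = f"{name} {seq}"
        pfs = e.get("pfs")
        if pfs == "":  # 'set pfs' with no group means group2 on the ASA
            pfs = "group2"
        if pfs is None:
            findings.append(("medium", scope, "no PFS; Phase 2 keys derive from the Phase 1 secret"))
        elif pfs in WEAK_DH_GROUPS:
            findings.append(("high", scope, f"PFS uses {pfs} (<= 1024-bit MODP)"))
        if e.get("phase1-mode", "main").startswith("aggressive"):
            findings.append(("high", scope, "aggressive mode: identity in the clear, PSK hash open to offline guessing"))
        m = re.search(r"seconds (\d+)", e.get("security-association", ""))
        if m and int(m.group(1)) > DEFAULT_LIFETIME_SECONDS:
            findings.append(("low", scope, f"SA lifetime {m.group(1)} s exceeds the {DEFAULT_LIFETIME_SECONDS} s default"))
        if e.get("inheritance") == "data" and "match-address" in e:
            n = acl_host_pairs(config, e["match-address"])
            findings.append(("info", scope, f"data inheritance: up to {n} SA pairs for ACL {e['match-address']}"))
        if e.get("peer") in dpd_off:
            findings.append(("low", scope, f"keepalives disabled for peer {e['peer']}; stale SAs persist until lifetime expiry"))
    return findings


if __name__ == "__main__":
    for sev, scope, text in audit(SAMPLE_CONFIG):
        print(f"[{sev:6}] {scope}: {text}")
```

Run against the constructed excerpt, the script reports nothing for entry 10 and five findings for entry 20, plus the global note that `crypto isakmp am-disable` is missing. The data-inheritance figure for `VPN_to_LA` (a /24 to a /8) shows why the text recommends the default rule inheritance: that single ACL line could in principle generate over four billion SA pairs.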