Which of the following are not default values in an IKE policy on an ASA running software version 8.4 or higher?
(Select 2 choices.)
A. PSK-based authentication method
B. 168-bit DES encryption algorithm
C. 1024-bit DH group
D. MD5 hash algorithm
E. 14,400-second lifetime
Explanation:
The Message Digest 5 (MD5) algorithm and a 14,400-second lifetime are not default values in an Internet Key
Exchange (IKE) policy on a Cisco Adaptive Security Appliance (ASA) running software version 8.2. Virtual
private network (VPN) peers establish a connection through a series of negotiations and authentications.
Initially, the VPN peers negotiate an IKE security association (SA) and establish a tunnel for key management
and authentication. This initial phase is referred to as IKE phase 1. The key management tunnel is used to
protect the subsequent negotiation of IP Security (IPSec) SAs. This secondary negotiation phase is referred to
as IKE phase 2.
Each VPN peer defines a collection of security parameters in an IKE policy. These parameters are used to
negotiate the creation of the key management tunnel in IKE phase 1. There are six required parameters in an
IKE policy:
- Policy priority – specifies the order in which policies are negotiated with a peer
- Authentication method – indicates whether a preshared key (PSK) or an RSA digital certificate is used to
verify the identity of an IKE peer
- Encryption algorithm – indicates the data protection method used to secure IKE traffic
- Hash-based Message Authentication Code (HMAC) algorithm – indicates the data integrity method used to
verify the integrity of IKE traffic
- Diffie-Hellman (DH) group – specifies how keying material is generated between IKE peers
- Lifetime – specifies the length of time that a key is considered valid; the default is 86,400 seconds, or 24 hours
If an IKE policy does not specify a parameter and its associated value, the ASA will use the default value. The
default IKE policy settings are shown below:
The default IKE policy settings are combined with the configuration parameters specified in the running
configuration. For example, because the following block of commands does not specify an HMAC algorithm, an
ASA running software revision 8.4 or higher would use the default value, which is SHA-1:
ASA(config)# crypto ikev1 policy 1
ASA(config-ikev1-policy)# authentication rsa-sig
ASA(config-ikev1-policy)# encryption aes-192
ASA(config-ikev1-policy)# group 1
ASA(config-ikev1-policy)# lifetime 14400
In order for VPN peers to successfully negotiate a key management tunnel during IKE phase 1, the peers must
agree on security parameters. For example, when ASA1 sends an IKE policy proposal to ASA2, the IKE policy
is compared with the IKE policies defined on ASA2. The proposed policy must be an exact match to one of
ASA2's locally defined policies; otherwise, it will be rejected. The one exception to this rule is the value of the
IKE lifetime parameter. An IKE lifetime is considered a match if the value specified by the remote peer is less
than or equal to the IKE lifetime defined in the local policy. If the IKE lifetime value is less than that of the local
policy, the ASA will use the lesser of the two values.
Cisco: Cisco ASA 5500 Series Configuration Guide using the CLI, 8.2: ISAKMP Overview
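As an added illustration (not code from the Cisco guide or from this question), the Python below models the two behaviours the explanation describes: filling unspecified IKEv1 phase 1 policy parameters with the ASA 8.4+ defaults, and matching a peer's proposal against the locally defined policies, where every parameter except lifetime must match exactly and the lesser lifetime is used. The parameter names and value spellings (`pre-share`, `3des`, `sha`, `aes-192`) are assumptions that mirror the CLI keywords, not a Cisco API.

```python
# Added example: a model of ASA IKEv1 policy defaults and proposal matching.
# Default IKEv1 policy values on ASA 8.4+ as listed in the explanation above
# (PSK, 168-bit 3DES, SHA-1 HMAC, 1024-bit DH group 2, 86,400-second lifetime).
IKE_DEFAULTS = {
    "authentication": "pre-share",  # assumed spelling, mirrors the CLI keyword
    "encryption": "3des",
    "hash": "sha",
    "group": 2,
    "lifetime": 86400,              # seconds (24 hours)
}

# Parameters that must match exactly; lifetime is handled separately.
STRICT_KEYS = ("authentication", "encryption", "hash", "group")


def build_policy(**configured):
    """Merge explicitly configured parameters over the ASA defaults, the way
    'crypto ikev1 policy N' fills in anything the administrator omits."""
    unknown = set(configured) - set(IKE_DEFAULTS)
    if unknown:
        raise ValueError(f"unknown IKE policy parameters: {sorted(unknown)}")
    return {**IKE_DEFAULTS, **configured}


def match_proposal(proposal, local_policies):
    """Compare a peer's proposal with local policies in priority order
    (lowest number first). Return (priority, negotiated policy) for the
    first match, or None if the proposal is rejected.

    Rule from the explanation: all parameters except lifetime must match
    exactly; the peer's lifetime matches if it is <= the local value, and
    the lesser of the two lifetimes is used for the SA."""
    for priority in sorted(local_policies):
        local = local_policies[priority]
        if any(proposal[k] != local[k] for k in STRICT_KEYS):
            continue
        if proposal["lifetime"] > local["lifetime"]:
            continue
        negotiated = dict(local)
        negotiated["lifetime"] = min(proposal["lifetime"], local["lifetime"])
        return priority, negotiated
    return None


if __name__ == "__main__":
    # The command block from the explanation: no HMAC configured, so SHA-1 applies.
    asa1 = build_policy(authentication="rsa-sig", encryption="aes-192", group=1, lifetime=14400)
    # Constructed peer: same parameters but the default 86,400-second lifetime.
    asa2 = {10: build_policy(authentication="rsa-sig", encryption="aes-192", group=1)}
    print(asa1["hash"], match_proposal(asa1, asa2))
```

With the peer's policy 10 carrying the default lifetime, the proposal above matches and the negotiated SA uses the lesser 14,400-second lifetime; a proposal using MD5 or a lifetime longer than the local value is rejected.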