User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 25 Configuring IKE and IPsec Policies
Understanding IKE
Table 25-2 IKEv2 Proposal Dialog Box (Continued)

Element: Integrity (Hash) Algorithm

Description: The integrity portion of the hash algorithm used in the IKE proposal. The hash algorithm creates a message digest, which is used to ensure message integrity. Click Select and select all of the algorithms that you want to allow in the VPN:

Note: If using AES-GCM, AES-GCM-192, or AES-GCM-256, you must select Null as the Integrity Algorithm.

- SHA (Secure Hash Algorithm)—SHA is more resistant to brute-force attacks than MD5. Standard SHA produces a 160-bit digest. The following options, which are even more secure, are available for IKEv2 configurations on ASA 8.4(2+) devices:
  - SHA512—A 512-bit key.
  - SHA384—A 384-bit key.
  - SHA256—A 256-bit key.
- MD5 (Message Digest 5)—Produces a 128-bit digest. MD5 uses less processing time than SHA.
- Null—No encryption algorithm. For use with AES-GCM, AES-GCM-192, and AES-GCM-256 only.

Element: Prf Algorithm

Description: The pseudo-random function (PRF) portion of the hash algorithm used in the IKE proposal. In IKEv1, the Integrity and PRF algorithms are not separated, but in IKEv2, you can specify different algorithms for these elements. Click Select and select all of the algorithms that you want to allow in the VPN. The options are described above under Integrity Algorithm.
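
The Integrity/PRF split described in the table, shown as an added example that is not from the Cisco guide: a Python sketch of IKEv2 key derivation as defined in RFC 7296 (SKEYSEED and prf+), where the PRF always drives key derivation and a Null integrity selection with AES-GCM yields zero-length SK_ai/SK_ar. The algorithm labels, nonces, SPIs and DH secret are constructed sample values, and the function names are this example's own.

```python
import hashlib
import hmac

# Hash functions behind the table's options (labels are this example's own).
HASHES = {"md5": hashlib.md5, "sha": hashlib.sha1, "sha256": hashlib.sha256,
          "sha384": hashlib.sha384, "sha512": hashlib.sha512}
# Encryption key bytes (AES-GCM adds a 4-byte salt, RFC 5282) and AEAD flag.
ENCR = {"aes-256": (32, False), "aes-gcm-256": (36, True)}
# Constructed sample inputs, not captured traffic.
NI, NR = bytes(range(32)), bytes(range(32, 64))
DH, SPI_I, SPI_R = b"\x42" * 32, b"\x01" * 8, b"\x02" * 8


def prf(alg, key, data):
    return hmac.new(key, data, HASHES[alg]).digest()


def prf_plus(alg, key, seed, length):
    """RFC 7296 section 2.13: T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n)."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = prf(alg, key, t + seed + bytes([n]))
        out += t
        n += 1
    return out[:length]


def derive_ike_keys(encr, integ, prf_alg, ni, nr, dh_secret, spi_i, spi_r):
    enc_len, aead = ENCR[encr]
    if aead != (integ == "null"):  # the pairing rule from the table's Note
        raise ValueError("AES-GCM requires Null integrity; Null needs AES-GCM")
    prf_len = HASHES[prf_alg]().digest_size
    integ_len = 0 if integ == "null" else HASHES[integ]().digest_size
    skeyseed = prf(prf_alg, ni + nr, dh_secret)
    names = ["SK_d", "SK_ai", "SK_ar", "SK_ei", "SK_er", "SK_pi", "SK_pr"]
    sizes = [prf_len, integ_len, integ_len, enc_len, enc_len, prf_len, prf_len]
    stream = prf_plus(prf_alg, skeyseed, ni + nr + spi_i + spi_r, sum(sizes))
    keys, pos = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = stream[pos:pos + size]
        pos += size
    return keys


if __name__ == "__main__":
    for encr, integ in (("aes-gcm-256", "null"), ("aes-256", "sha512")):
        keys = derive_ike_keys(encr, integ, "sha256", NI, NR, DH, SPI_I, SPI_R)
        print(encr, integ, {name: len(value) for name, value in keys.items()})
```

Both proposals use the same PRF, so SK_d is identical; only the integrity and encryption key slices change with the Integrity and Encryption selections.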