User's Manual

Table Of Contents
Wizards
Using the Site-to-Site Wizard to Establish the Site-to-Site VPN Tunnels
Cisco ISA500 Series Integrated Security Appliance Administrator Guide 56
2
HASH: Specify the authentication algorithm for the VPN header. There are
two HASH algorithms supported by the security appliance: SHA1 and MD5.
NOTE Ensure that the authentication algorithm is configured identically on
both sides.
Authentication: Specify the authentication method that the security
appliance uses to establish the identity of each IPSec peer.
- PRE-SHARE: Uses a simple password based key to authenticate. The
alpha-numeric key is shared with IKE peer. Pre-shared keys do not scale
well with a growing network but are easier to set up in a small network.
- RSA-SIG: Uses a digital certificate to authenticate. RSA-SIG is a digital
certificate with keys generated by the RSA signatures algorithm. In this
case, a certificate must be configured in order for the RSA-Signature to
work.
D-H Group: Choose the Diffie-Hellman group identifier. The identifier is used
by two IPsec peers to derive a shared secret without transmitting it to each
other. The D-H Group sets the strength of the algorithm in bits. The default is
D-H Group 5. The lower the Diffie-Hellman group number, the less CPU time
it requires to execute. The higher the Diffie-Hellman group number, the
greater the security.
- Group 2 (1024-bit)
- Group 5 (1536-bit)
- Group 14 (2048-bit)
Lifetime: Enter the number of seconds for the IKE Security Association to
remain valid. The default is 24 hours. As a general rule, a shorter lifetime
provides more secure ISAKMP negotiations. However, with shorter lifetimes,
the security appliance sets up future IPsec SAs more quickly.
STEP 3 Click OK to save your settings.