Cisco SA520-K9 Administration Guide - Page 151
Configuring VPN (chapter 7): Advanced Configuration of IPsec VPN

• Integrity Algorithm: Choose the algorithm that is used to verify the integrity of the data.
• Key-In: Enter the integrity key (for ESP with Integrity-mode) for the inbound policy.
• Key-Out: Enter the integrity key (for ESP with Integrity-mode) for the outbound policy.

The length of the key depends on the chosen algorithm:
- MD5: 16 characters
- SHA-1: 20 characters
- SHA2-256: 32 characters
- SHA2-384: 48 characters
- SHA2-512: 64 characters

STEP 6 If you chose Auto Policy as the Policy type, enter the following information in the Auto Policy Parameters area:

• SA Lifetime: Enter the lifetime of the Security Association, and specify whether it is in seconds or kilobytes.
  - Seconds: If you specify the SA Lifetime in seconds, this value represents the interval after which the Security Association becomes invalid. The SA is renegotiated after this interval. The default value is 3600 seconds.
  - Kilobytes: If you specify the SA Lifetime in kilobytes, the SA is renegotiated after the specified number of kilobytes of data is transferred over the original SA.
  The minimum value is 300 seconds or 1920000 KB.

NOTE For every policy, two SAs are created, one for inbound traffic and one for outbound traffic. When using a lifetime configured in kilobytes (also known as lifebyte) along with a lifetime in seconds, the SA expires asymmetrically. For example, the lifebyte for a download stream expires frequently if the downstream traffic is very high, but the lifebyte of the upload stream expires less frequently or only when it reaches its timeout period. When setting the lifetime in both seconds and kilobytes, you should reduce the difference in expiry frequencies of the SAs; otherwise the system could eventually run out of resources as a result of this asymmetry. The lifebyte specifications are generally recommended for advanced users only.

Cisco SA500 Series Security Appliances Administration Guide, page 151
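For the manual-policy integrity keys described above (Key-In, Key-Out and the per-algorithm key lengths), the following added example, which is not part of the Cisco guide, generates keys of the required length from a CSPRNG and checks a key pair before it is typed into the policy. The function names are hypothetical, the alphabet (ASCII letters and digits) is an assumption about what the key fields accept, and the identical-key and low-variety checks are added hygiene checks rather than device requirements.

```python
import math
import secrets
import string

# Key lengths in characters, as listed on this page.
KEY_LEN = {"MD5": 16, "SHA-1": 20, "SHA2-256": 32, "SHA2-384": 48, "SHA2-512": 64}
# Assumption: the Key-In / Key-Out fields accept ASCII letters and digits.
ALPHABET = string.ascii_letters + string.digits

def generate_key(algorithm):
    """Return a random key with the length required for `algorithm`."""
    return "".join(secrets.choice(ALPHABET) for _ in range(KEY_LEN[algorithm]))

def entropy_bits(algorithm):
    """Entropy of a key drawn uniformly from ALPHABET; lower than 8 bits per character."""
    return KEY_LEN[algorithm] * math.log2(len(ALPHABET))

def check_policy_keys(algorithm, key_in, key_out):
    """Return a list of problems found in a manual policy's key pair."""
    if algorithm not in KEY_LEN:
        return [f"unknown integrity algorithm: {algorithm}"]
    want = KEY_LEN[algorithm]
    problems = []
    for name, key in (("Key-In", key_in), ("Key-Out", key_out)):
        if len(key) != want:
            problems.append(f"{name}: {len(key)} characters, {algorithm} needs {want}")
        if len(set(key)) <= 2:
            problems.append(f"{name}: only {len(set(key))} distinct characters")
    if key_in == key_out:
        problems.append("Key-In and Key-Out are identical")
    return problems

def make_policy_keys(algorithm):
    """Generate a distinct Key-In / Key-Out pair."""
    key_in = generate_key(algorithm)
    key_out = generate_key(algorithm)
    while key_out == key_in:
        key_out = generate_key(algorithm)
    return key_in, key_out

if __name__ == "__main__":
    for alg in KEY_LEN:
        k_in, k_out = make_policy_keys(alg)
        ok = not check_policy_keys(alg, k_in, k_out)
        print(f"{alg:9} {KEY_LEN[alg]:2} chars  ~{entropy_bits(alg):.0f} bits  ok={ok}")
```

Because each key character comes from a 62-symbol alphabet, a 20-character SHA-1 key carries about 119 bits of entropy rather than the 160 bits the key length suggests.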