Cisco ASA 5540 Adaptive Security Appliance Troubleshooting Guide

• crypto ikev2 cookie-challenge: Enables the ASA to send cookie challenges to peer devices in
response to half-open SA initiated packets.
• crypto ikev2 limit max-sa: Limits the number of IKEv2 connections on the ASA. By default, the
maximum number of allowed IKEv2 connections equals the maximum number of connections specified
by the ASA license.
• crypto ikev2 limit max-in-negotiation-sa: Limits the number of IKEv2 in-negotiation (open)
SAs on the ASA. When used in conjunction with the crypto ikev2 cookie-challenge command,
ensure the cookie-challenge threshold is lower than this limit.
• Use asymmetric keys. After migration, the configuration can be modified to use asymmetric keys as
shown here:
ASA-2(config)# more system:running-config
tunnel-group <peer_ip-address> type ipsec-l2l
tunnel-group <peer_ip-address> ipsec-attributes
 ikev1 pre-shared-key cisco1234
 ikev2 remote-authentication pre-shared-key cisco1234
 ikev2 local-authentication pre-shared-key cisco123
• It is important to realize that the configuration needs to be mirrored on the other peer for the IKEv2
pre-shared-key: the local-authentication key on one peer must be the remote-authentication key on
the other. It will not work if you select and paste the configuration from one side to the other.
Note: These commands are disabled by default.
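The mirroring requirement for the asymmetric IKEv2 pre-shared keys can be checked offline before a change window. The script below is an added example, not part of the Cisco document; the peer addresses (192.0.2.x), the peer configurations and the function names are constructed for illustration, and only the key values are taken from the sample above.

```python
import re

# Constructed sample: ASA-2's view of its peer, as printed by
# "more system:running-config" (which shows the keys in clear text).
ASA2 = """\
tunnel-group 192.0.2.1 type ipsec-l2l
tunnel-group 192.0.2.1 ipsec-attributes
 ikev1 pre-shared-key cisco1234
 ikev2 remote-authentication pre-shared-key cisco1234
 ikev2 local-authentication pre-shared-key cisco123
"""
# Constructed peer configs: one pasted unchanged from ASA-2, one mirrored.
PEER_PASTED = ASA2.replace("192.0.2.1", "192.0.2.2")
PEER_MIRRORED = (PEER_PASTED.replace("remote-auth", "TMP-auth")
                 .replace("local-auth", "remote-auth").replace("TMP-auth", "local-auth"))

GROUP = re.compile(r"tunnel-group (\S+) ipsec-attributes\s*$")
KEY = re.compile(r"\s+ikev2 (local|remote)-authentication pre-shared-key (\S+)\s*$")

def ikev2_keys(config, peer):
    """Return {'local': key, 'remote': key} found under the peer's tunnel-group."""
    keys, current = {}, None
    for line in config.splitlines():
        if not line.startswith(" "):          # top-level command leaves the sub-mode
            m = GROUP.match(line)
            current = m.group(1) if m else None
        elif current == peer and (m := KEY.match(line)):
            keys[m.group(1)] = m.group(2)
    return keys

def check_mirror(cfg_a, peer_of_a, cfg_b, peer_of_b):
    """Return a list of problems (key values are never echoed); [] means mirrored."""
    sides = {"A": ikev2_keys(cfg_a, peer_of_a), "B": ikev2_keys(cfg_b, peer_of_b)}
    problems = []
    for name, keys in sides.items():
        for role in ("local", "remote"):
            if role not in keys:
                problems.append(f"{name}: no ikev2 {role}-authentication key")
            elif set(keys[role]) == {"*"}:    # masked as in "show running-config"
                problems.append(f"{name}: {role} key is masked")
    if not problems:
        a, b = sides["A"], sides["B"]
        if a["local"] != b["remote"]:
            problems.append("A local-authentication != B remote-authentication")
        if b["local"] != a["remote"]:
            problems.append("B local-authentication != A remote-authentication")
    return problems
```

Calling check_mirror(ASA2, "192.0.2.1", PEER_PASTED, "192.0.2.2") reports both directions as mismatched, while the mirrored peer returns an empty list.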
Related Information
• Technical Support & Documentation
Updated: Feb 25, 2013
Document ID: 113597