Cisco Firepower 4110 Preparative Procedures & Operational User Manual page 38

Cisco Preparative Procedures & Operational User Guide
12) (Optional) Set the IKE SA lifetime in minutes:
set ike-rekey-time minutes
The minutes value can be any integer between 60 and 1440, inclusive.
13) (Optional) Set the Child SA lifetime in minutes:
set esp-rekey-time minutes
The minutes value can be any integer between 30 and 480, inclusive.
14) (Optional) Set the number of retransmission sequences to perform during the initial connect:
set keyringtries retry_number
The retry_number value can be any integer between 1 and 5, inclusive.
15) (Optional) Enable or disable the certificate revocation list check:
set revoke-policy [relaxed | strict]
16) Enable the connection:
set admin-state enable
17) Reload all connections:
reload-conns
18) (Optional) Add existing trustpoint name to IPsec:
create authority trustpoint_name
19) Configure enforcement of matching cryptographic key strength between the IKE SA and the ESP (Child) SA:
set sa-strength-enforcement [yes | no]
If SA enforcement is enabled (yes):
When the IKE negotiated key size is less than the ESP negotiated key size, the connection fails.
When the IKE negotiated key size is greater than or equal to the ESP negotiated key size, the SA enforcement check passes and the connection is successful.
If SA enforcement is disabled (no):
The SA enforcement check automatically passes and the connection is successful.
When CC mode is enabled, FXOS supports the following:
IKE version*: version 2
IPsec Mode: tunnel, transport
o set mode {tunnel | transport}
IKEv2 Mode*: main mode
IKEv2 Ciphers*:
o Encryption algorithms: AES-CBC-128, AES-CBC-256, AES-GCM-128
o Integrity algorithms: SHA-1
© 2016 Cisco Systems, Inc. All rights reserved.
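The Python below is an added example, not part of Cisco's guide or FXOS itself. It models steps 12 through 19 for one IPsec connection as a small data structure, validates the settings against the inclusive ranges and the CC-mode cipher, mode and revoke-policy choices this page lists, emits the FXOS commands in the order the guide gives them, and reproduces the sa-strength-enforcement decision table under step 19. The class and function names are this example's own; the IKE key size is read from the algorithm name, and because this page does not list the ESP ciphers, the ESP negotiated key size is supplied directly as a number (an assumption of the example).

```python
from dataclasses import dataclass
from typing import List, Optional

# Key size in bits of each IKEv2 encryption algorithm the page lists for CC mode
# (the size is read from the algorithm name).
CC_IKE_ENCRYPTION_BITS = {"AES-CBC-128": 128, "AES-CBC-256": 256, "AES-GCM-128": 128}
CC_IKE_INTEGRITY = {"SHA-1"}
CC_IPSEC_MODES = {"tunnel", "transport"}
REVOKE_POLICIES = {"relaxed", "strict"}

# Inclusive value ranges from steps 12-14 of the guide.
RANGES = {"ike-rekey-time": (60, 1440), "esp-rekey-time": (30, 480), "keyringtries": (1, 5)}


@dataclass
class IpsecConnection:
    """Settings for one FXOS IPsec connection (field names are this example's own)."""
    ike_encryption: str                   # one of CC_IKE_ENCRYPTION_BITS
    ike_integrity: str                    # one of CC_IKE_INTEGRITY
    esp_key_bits: int                     # Child SA key size in bits; assumed input, see lead-in
    mode: str = "tunnel"                  # set mode {tunnel | transport}
    ike_rekey_time: int = 1440            # minutes, step 12
    esp_rekey_time: int = 480             # minutes, step 13
    keyringtries: int = 3                 # step 14
    revoke_policy: str = "strict"         # step 15
    sa_strength_enforcement: bool = True  # step 19
    trustpoint: Optional[str] = None      # step 18, existing trustpoint name


def check_range(name: str, value: int) -> int:
    """Reject values outside the inclusive range the guide documents for `name`."""
    lo, hi = RANGES[name]
    if not lo <= value <= hi:
        raise ValueError(f"{name} must be an integer between {lo} and {hi} inclusive, got {value}")
    return value


def sa_strength_check(ike_bits: int, esp_bits: int, enforcement: bool) -> bool:
    """Decision table under step 19: with enforcement on, IKE key < ESP key fails."""
    if not enforcement:
        return True
    return ike_bits >= esp_bits


def validate_cc_mode(conn: IpsecConnection) -> List[str]:
    """Return the CC-mode constraint violations for `conn` (empty list if compliant)."""
    problems = []
    if conn.ike_encryption not in CC_IKE_ENCRYPTION_BITS:
        problems.append(f"IKEv2 encryption {conn.ike_encryption!r} is not permitted in CC mode")
    if conn.ike_integrity not in CC_IKE_INTEGRITY:
        problems.append(f"IKEv2 integrity {conn.ike_integrity!r} is not permitted in CC mode")
    if conn.mode not in CC_IPSEC_MODES:
        problems.append(f"IPsec mode {conn.mode!r} is not tunnel or transport")
    if conn.revoke_policy not in REVOKE_POLICIES:
        problems.append(f"revoke-policy {conn.revoke_policy!r} is not relaxed or strict")
    for name, value in (("ike-rekey-time", conn.ike_rekey_time),
                        ("esp-rekey-time", conn.esp_rekey_time),
                        ("keyringtries", conn.keyringtries)):
        try:
            check_range(name, value)
        except ValueError as err:
            problems.append(str(err))
    return problems


def fxos_commands(conn: IpsecConnection) -> List[str]:
    """Emit the page's commands for steps 12-19 in the guide's order, plus `set mode`."""
    problems = validate_cc_mode(conn)
    if problems:
        raise ValueError("; ".join(problems))
    cmds = [
        f"set mode {conn.mode}",
        f"set ike-rekey-time {conn.ike_rekey_time}",
        f"set esp-rekey-time {conn.esp_rekey_time}",
        f"set keyringtries {conn.keyringtries}",
        f"set revoke-policy {conn.revoke_policy}",
        "set admin-state enable",
        "reload-conns",
    ]
    if conn.trustpoint:
        cmds.append(f"create authority {conn.trustpoint}")
    cmds.append(f"set sa-strength-enforcement {'yes' if conn.sa_strength_enforcement else 'no'}")
    return cmds


def will_connect(conn: IpsecConnection) -> bool:
    """Predict the step-19 outcome: True when the SA strength check passes."""
    ike_bits = CC_IKE_ENCRYPTION_BITS[conn.ike_encryption]
    return sa_strength_check(ike_bits, conn.esp_key_bits, conn.sa_strength_enforcement)


if __name__ == "__main__":
    # Constructed sample connections: a 128-bit IKE SA protecting a 256-bit Child SA
    # fails the check when enforcement is on; a 256-bit IKE SA passes.
    weak = IpsecConnection("AES-CBC-128", "SHA-1", esp_key_bits=256)
    strong = IpsecConnection("AES-CBC-256", "SHA-1", esp_key_bits=256, trustpoint="ipsec-ca")
    print("\n".join(fxos_commands(strong)))
    print("AES-CBC-128 IKE with 256-bit ESP, enforcement on:", will_connect(weak))
    print("AES-CBC-256 IKE with 256-bit ESP, enforcement on:", will_connect(strong))
```

The practical point of the check is that disabling enforcement (`set sa-strength-enforcement no`) lets a Child SA negotiate keys stronger than the IKE SA that protects them, so the effective strength of the tunnel is bounded by the weaker IKE key; keeping enforcement on and choosing an IKE cipher at least as strong as the ESP cipher avoids the failed-connection surprise described under step 19.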