Cisco Router VPN

Cisco IPSEC (VPN) Default Values
How IPSec Works

... snip ...

IPSec operates in two phases to allow the confidential exchange of a shared secret:

  Phase 1, which handles the negotiation of security parameters required to establish a secure channel between two IPSec peers. Phase 1 is generally implemented through the Internet Key Exchange (IKE) protocol. If the remote IPSec peer cannot perform IKE, you can use manual configuration with pre-shared keys to complete Phase 1.

  Phase 2, which uses the secure tunnel established in Phase 1 to exchange the security parameters required to actually transmit user data.

ISAKMP (Phase 1)

Parameter               Default Value
Encryption Algorithm    DES (56-bit)
Hash Algorithm          SHA-1
Authentication method   RSA
Diffie-Hellman group    1 (768-bit)
Lifetime                86400 seconds (24 hours)

IPSEC (Phase 2)

Transforms include: AH, ESP Encryption, ESP Authentication and IP Compression

Parameter                     Default Value
Encryption Algorithm          N/A
Authentication                N/A
PFS                           OFF
IPSEC SA Lifetime             3600 seconds (1 hour)
IPSEC SA Data per Lifetime    4,608,000 KB
Mode                          Tunnel

IPSec Protocols: Encapsulating Security Payload (ESP) and Authentication Header (AH)

Router(config)#crypto ipsec transform-set TEST-TRANSFORM-SET ? 

 ah-md5-hmac   AH-HMAC-MD5 transform
 ah-sha-hmac   AH-HMAC-SHA transform
 comp-lzs      IP Compression using the LZS compression algorithm
 esp-3des      ESP transform using 3DES(EDE) cipher (168 bits)
 esp-des       ESP transform using DES cipher (56 bits)
 esp-md5-hmac  ESP transform using HMAC-MD5 auth
 esp-null      ESP transform w/o cipher
 esp-sha-hmac  ESP transform using HMAC-SHA auth
 <cr>
Router(config)#crypto ipsec security-association lifetime ?

 kilobytes  Volume-based key duration
 seconds    Time-based key duration

!  -----------------------------------
!
!  The following minimal configuration results in
!  the default parameters displayed in the 
!  'show command output' below.
!
!  ------ begin minimal config ------
!
!     - default isakmp policy -
!
crypto isakmp policy 10
!
!     - sample transform sets -
!
! crypto ipsec transform-set strong esp-3des esp-sha-hmac
! crypto ipsec transform-set medium esp-3des esp-md5-hmac
!
crypto ipsec transform-set TEST-TRANSFORM-SET esp-3des esp-md5-hmac
!
crypto map TEST 100 ipsec-isakmp
set peer 1.1.1.1
match address TEST-ACL
set transform-set TEST-TRANSFORM-SET
!
!
ip access-list extended TEST-ACL
permit ip host 22.22.22.22 host 33.33.33.33
!
!
interface Serial0/0
crypto map TEST
!
!
!  ------ end minimal config ------

 
!  ------ begin show command output ------
!
!
Router#sh crypto isakmp policy

Protection suite of priority 10
       encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
       hash algorithm:         Secure Hash Standard
       authentication method:  Rivest-Shamir-Adleman Signature
       Diffie-Hellman group:   #1 (768 bit)
       lifetime:               86400 seconds, no volume limit

Default protection suite
       encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
       hash algorithm:         Secure Hash Standard
       authentication method:  Rivest-Shamir-Adleman Signature
       Diffie-Hellman group:   #1 (768 bit)
       lifetime:               86400 seconds, no volume limit

Router#sh crypto map tag TEST
Crypto Map "TEST" 100 ipsec-isakmp
       Peer = 1.1.1.1
       Extended IP access list TEST-ACL
           access-list TEST-ACL permit ip host 22.22.22.22 host 33.33.33.33
       Current peer: 1.1.1.1
       Security association lifetime: 4608000 kilobytes/3600 seconds
       PFS (Y/N): N
       Transform sets={ 
               TEST-TRANSFORM-SET,
       }
       Interfaces using crypto map TEST:
	                Serial2/0
!
!  ------ end show command output ------
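
The defaults shown above (56-bit DES, a 768-bit Diffie-Hellman group, PFS off) are what a router falls back to when a policy leaves them unset, so they are worth checking for in collected 'show' output. The following is an added example, not part of the original page or any Cisco tool: a small Python audit of that output. The names parse_sections, audit and MIN_DH_BITS, the 2048-bit threshold, and the trimmed sample text are assumptions of this example.

```python
import re

# Constructed sample, in the format of the 'show' output on this page.
SAMPLE = """\
Protection suite of priority 10
       encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
       hash algorithm:         Secure Hash Standard
       Diffie-Hellman group:   #1 (768 bit)
       lifetime:               86400 seconds, no volume limit

Crypto Map "TEST" 100 ipsec-isakmp
       Peer = 1.1.1.1
       Security association lifetime: 4608000 kilobytes/3600 seconds
       PFS (Y/N): N
"""

MIN_DH_BITS = 2048  # assumed audit threshold, not a value from the page

SECTION = re.compile(r'^(Protection suite of priority \d+|'
                     r'Default protection suite|Crypto Map "[^"]+" \d+)')
FIELD = re.compile(r'^\s+([^:=]+?)\s*[:=]\s*(.*)$')

def parse_sections(text):
    """Group indented 'key: value' lines under the header preceding them."""
    sections, current = {}, None
    for line in text.splitlines():
        header = SECTION.match(line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif current is not None and (field := FIELD.match(line)):
            current[field.group(1).lower()] = field.group(2).strip()
    return sections

def audit(text):
    """Return (section, finding) pairs for weak Phase 1 / Phase 2 settings."""
    findings = []
    for name, fields in parse_sections(text).items():
        if fields.get("encryption algorithm", "").startswith("DES "):
            findings.append((name, "single DES (56-bit) encryption"))
        dh = re.search(r"\((\d+) bit\)", fields.get("diffie-hellman group", ""))
        if dh and int(dh.group(1)) < MIN_DH_BITS:
            findings.append((name, f"{dh.group(1)}-bit Diffie-Hellman group"))
        if fields.get("pfs (y/n)") == "N":
            findings.append((name, "PFS disabled"))
    return findings

if __name__ == "__main__":
    for section, finding in audit(SAMPLE):
        print(f"{section}: {finding}")
```

The "Default protection suite" block is parsed as its own section, so a router that still carries the built-in defaults is reported even when every numbered policy has been hardened.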
 