Enterasys Networks XSR CLI Router User Manual


 
IPSec Clear and Show Commands
XSR CLI Reference Guide 14-109
Default
If an access list number is not specified, all access lists are shown.
Mode
EXEC or Global configuration: XSR> or XSR(config)#
Examples
The following example displays configured access lists on the XSR:
XSR#show access-lists
Extended IP access list 100
permit ip any host 192.168.1.0
Thefollowingexampledisplaysthelogthreshold:
XSR(config)#show access-lists log-update-threshold
access-list log-update-threshold 10000
crypto key master
This command creates, deletes, or specifies a master encryption key, which encodes all other keys
on the XSR including AAA user database and private keys used by PKI (user.dat, cert.dat and
hostkey.dat). Before configuring your VPN, you must generate this key.
Syntax
crypto key master {generate | remove | specify}
Mode
Global configuration: XSR(config)#
number
Access list number defined using the access-list command.
log-update-threshold
Packet ceiling, when met, will trigger violations log.
Caution: The master encryption key is stored in hardware, not Flash, and you cannot read the
key - only overwrite the old key by writing a new one. To ensure router security, it is critical not to
compromise the key. There are situations where you may want to keep the key, for example, to
save the user database off-line in order to later download it to the XSR. In order to encrypt the
user database, you need the same master key, indicating the key designation with the master
key specify command. Be aware that if the XSR is inoperable and you press the Default
button, the master key is erased and you must generate a new one.
generate
Create a master encryption key.
remove
Delete the master encryption and host key pair (hostkey.dat).
specify
Specify a master encryption key.