Support User Manuals

Enterasys Networks XSR CLI Router User Manual

Open as PDF

of 684

Crypto Transform Mode Commands

XSR CLI Reference Guide 14-115

Example

Thisexampledefinestwotransform‐sets,specifyingbothcanbeusedwithinacryptomapentry.

WhentrafficmatchesACL101,theSA canuseeithertransform‐setmy_t_set1(firstpriority)or

my_t_set2(secondpriority)depend ingonwhichtransform‐setmatchestheremotepeerʹs

transform‐sets.

XSR(config)#crypto ipsec transform-set my_t_set1 esp-des esp-sha-hmac

XSR(config)#crypto ipsec transform-set my_t_set2 ah-sha-hmac esp-des esp-sha-hmac

XSR(config)#crypto map ACMEmap 7 ipsec-isakmp

XSR(config-crypto-m)#match address 101

XSR(config-crypto-m)#set transform-set my_t_set1 my_t_set2

XSR(config-crypto-m)#set peer 10.0.0.1

Crypto Transform Mode Commands

crypto ipsec transform-set

Thiscommanddefinesatransform‐setwhichisanacceptablecombinationofsecurityprotocols

andalgorithmstoapplytoIP Securityprotectedtraffic.DuringIPSecSecurityAssociation(SA)

negotiation,peersagreetouseaparticulartransform‐setwhenprotectingaparticulardataflow.

ThiscommandacquiresCryptoTransformconfigurationMode.The

followingsub‐commandsare

availableinthismode:

•

set pfs ‐SpecifiesthatIPSecshouldaskforPFSwhenseekingnewSAsforthiscryptomap

entry,orthatIPSecrequiresPFSwhengettingrequestsfornewSAs.Refertopage14‐116

for

thecommanddefinition.

•

set security-association lifetime ‐SpecifiestheintervalusedwhennegotiatingIPSec

SAs.Refertopage14‐117forthecommanddefinition.

Atransform‐setisanacceptablecombination ofsecurityprotocols,algorithmsandothersettings

toapplytoIPSecurity‐protectedtraffic.DuringIPSecSAnegotiation,thepeersagreetousea

particulartransform‐set

whenprotectingaparticulardataflow.

Syntax

crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]

transform-

set-name

Nameofthetransform‐settocreateormodify.

transform1

Specifyupto3transformsdefiningtheIPSecsecurityprotocolsand

algorithms.Thechoicesare:

• ah‐md5‐hmac:AHtransformwithHMAC‐MD5algorithm.

• ah‐sha‐hmac:AHtransformwithHMAC‐SHAalgorithm.

• esp‐3des:ESPtransformwith56‐bitDESencryption(168 ‐bits).

• esp‐aes:ESPtransformwith

128‐bitAESencryption.

• esp‐des:ESPtransformwith168‐bitTripleDESencryption.

• esp‐md5‐hmac:ESPtransformwithHMAC‐MD5dataintegrityalgorithm.

• esp‐null:ESPtransformwithnoencryption.

• esp‐sha‐hmac:ESPtransformwithHMAC‐SHAdataintegrityalgorithm.

previous next