Support User Manuals

Enterasys Networks XSR CLI Router User Manual

Open as PDF

of 684

Crypto Transform Mode Commands

14-116 Configuring the VPN

Mode of the “no” Form

Thenoformofthecommanddeletesatransform‐set:

no crypto ipsec transform-set transform-set-name

Mode

Globalconfiguration:XSR(config)#

Next Mode

CryptoTransformconfiguration: XSR(cfg-crypto-tran)#

Example

Thefollowingexampledefinesthetransformstoapplyfort‐set1SAnegoatiation:

XSR(config)#crypto ipsec transform-set t-set1 esp-3des esp-sha-hmac

set pfs

ThiscommandspecifiesthatIPSecaskfor PerfectForwardSecrecy(PFS)whenrequestingnew

SecurityAssociations(SAs)forthiscryptomapentry,orthatIPSecrequiresPFSwhenreceiving

requestsfornewSAs.

PFSisasecurityconditionunderwhichthereisconfidencethatthecompromiseofasession’skey

will

notleadtoeasiercompromiseofthekeyusedinthenextsession(afterthekeyisrefreshed).

WhenPFSisusedasession’skeysaregeneratedindependently,soakeycompromisedinone

sessionwillnotaffectthekeysusedinsubsequentsessions.

Syntax

set pfs [group1 | group2]

Syntax of the “no” Form

UsethenoformofthecommandforIPSecnottorequestPFS:

no set pfs

Default

Disabled

Note: Due to the lack of an IETF standard, IKE Diffie-Helman bit groups 2048, 3072, and 4096 are

not enabled.

group1

SpecifiesthatIPSecshouldusethe768‐bitDiffie‐Hellmanprimemodulusgroup

whenperformingthenewDiffie‐Hellmanexchange.

group2

SpecifiesthatIPSecshouldusethe1024‐bitDiffie‐Hellmanprimemodulusgroup

whenperformingthenewDiffie‐Hellmanexchange.

previous next