Support User Manuals

Enterasys Networks XSR CLI Router User Manual

Open as PDF

of 684

Crypto Transform Mode Commands

XSR CLI Reference Guide 14-117

Mode

CryptoTransformconfiguration:XSR(cfg-crypto-tran)#

Example

ThisexampleselectsPFSgroup2wheneveranewSAisnegotiatedforcryptomapACMEmap:

XSR(config)#crypto map ACMEmap 7 ipsec-isakmp

XSR(config)#crypto ipsec transform-set t-set1 esp-3des esp-sha-hmac

XSR(cfg-crypto-tran)#set pfs group2

set security-association lifetime

ThiscommandsetsthelifetimeintervalusedwhennegotiatingIPSecSecurityAssociations(SAs).

DatapassingthroughtheXSRisencryptedusingkeysgeneratedduringIKEexchange.The

lifetimeofthosekeysmaybedefinedinsecondsorindatavolumewhichwasencryptedusing

thosekeys.Whenthatlifetimeexpiresnew

keysaregeneratedandtrafficcontinuestobepassed

usingnewkeys.

Syntax

set security-association lifetime {seconds seconds | kilobytes kilobytes}

Syntax of the “no” Form

Thenoformofthiscommanddisablesthespecifiedlifetimemetric.Itdoesnotresetthedefault:

no set security-association lifetime {seconds | kilobytes}

Default

3600secondswithnolimitontrafficvolume.

Mode

CryptoTransformconfiguration:XSR(cfg-crypto-tran)#

Example

ThefollowingexamplesetstheSAlifetimeto7,200KBytesanddisablesthesecondsparameter:

XSR(cfg-crypto-tran)#)#set security-association lifetime kilobytes 7200

XSR(cfg-crypto-tran)#)#no set security-association lifetime seconds

seconds

TheintervalanSAlivesbeforeexpiring,rangingfrom300to86,400,000seconds.

kilobytes

Thevolumeoftraffic,inKBytes,thatcanpassbetweenIPSecpeersusingagiven

SAbeforethatSAexpires,rangingfrom1MByteto1000GBytes.

previous next