Implementing IPSec Network Security on Cisco IOS XR Software
How to Implement General IPSec Configurations for IPSec Networks
SC-85
Cisco IOS XR System Security Configuration Guide for the Cisco CRS-1 Router
OL-20382-01
During negotiation, the set pfs command causes IPSec to request PFS when requesting new security
associations for the crypto profile entry. If the set pfs command statement does not specify a group, the
default (group1) is sent. If the peer initiates the negotiation and the local configuration specifies PFS,
the remote peer must perform a PFS exchange or the negotiation fails. If the local configuration does not
specify a group, a default of group1 is assumed, and an offer of either group1, group2, or group5 is
accepted. If the local configuration specifies group2 or group5, the group must be part of the offer from
the peer or the negotiation fails. If the local configuration does not specify PFS, the configuration accepts
any offer of PFS from the peer.
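The PFS rules above have several branches (initiator versus responder, group configured or not, peer offering PFS or not), which are easier to check in executable form. The following is an added example, not Cisco code: it models the negotiation outcome described in the preceding paragraph. The function names, the encoding of `set pfs` as `None` / `"default"` / `"groupN"`, and the treatment of an explicitly configured `group1` like the default are assumptions of this model.

```python
"""Model of the PFS negotiation rules for an IPSec crypto profile.

Added example, not Cisco code: it encodes the behaviour described in the
text so that each branch can be exercised. Function names and the
representation of 'set pfs' are assumptions made for this model.
"""
from typing import FrozenSet, Optional, Tuple

# Groups the default (no-group) policy will accept from a peer.
ACCEPTED_GROUPS = frozenset({"group1", "group2", "group5"})
DEFAULT_GROUP = "group1"

# local_pfs values used throughout:
#   None      -> no 'set pfs' in the crypto profile
#   "default" -> 'set pfs' without a group (group1 is assumed)
#   "groupN"  -> 'set pfs groupN'
KNOWN_LOCAL = {None, "default", "group1", "group2", "group5"}


def initiator_request(local_pfs: Optional[str]) -> Optional[str]:
    """Group the local side requests when it initiates a new SA negotiation."""
    if local_pfs not in KNOWN_LOCAL:
        raise ValueError(f"unknown local PFS setting: {local_pfs!r}")
    if local_pfs is None:
        return None               # 'set pfs' absent: PFS is not requested
    if local_pfs == "default":
        return DEFAULT_GROUP      # 'set pfs' with no group sends group1
    return local_pfs


def responder_decision(local_pfs: Optional[str],
                       peer_offer: FrozenSet[str]) -> Tuple[bool, str]:
    """Accept or reject a peer-initiated proposal.

    peer_offer is the set of DH groups the peer offered; an empty set means
    the peer offered no PFS at all. Returns (accepted, reason).
    """
    if local_pfs not in KNOWN_LOCAL:
        raise ValueError(f"unknown local PFS setting: {local_pfs!r}")

    # Local profile does not specify PFS: any peer offer, PFS or not, is accepted.
    if local_pfs is None:
        return True, "local profile has no PFS requirement; any peer offer is accepted"

    # Local profile specifies PFS but the peer did not perform a PFS exchange.
    if not peer_offer:
        return False, "local profile requires PFS but the peer offered none"

    # group2 or group5 configured: that exact group must be in the peer's offer.
    if local_pfs in ("group2", "group5"):
        if local_pfs in peer_offer:
            return True, f"peer offer includes required {local_pfs}"
        return False, (f"peer offer {sorted(peer_offer)} does not include "
                       f"required {local_pfs}")

    # 'set pfs' with no group (and, by assumption, explicit group1):
    # group1 is assumed locally, and any of group1/group2/group5 is accepted.
    matched = peer_offer & ACCEPTED_GROUPS
    if matched:
        return True, f"default PFS policy accepts {sorted(matched)}"
    return False, f"peer offered only unsupported groups {sorted(peer_offer)}"


if __name__ == "__main__":
    # Constructed scenarios, one per rule in the text.
    scenarios = [
        (None, frozenset()),
        ("default", frozenset()),
        ("default", frozenset({"group5"})),
        ("group2", frozenset({"group1", "group2"})),
        ("group5", frozenset({"group1", "group2"})),
    ]
    for local, offer in scenarios:
        accepted, why = responder_decision(local, offer)
        print(f"local={local!r:10} offer={sorted(offer)!s:22} -> "
              f"{'accept' if accepted else 'FAIL'}: {why}")
```

A mismatch in the `group2`/`group5` branch is the case operators most often hit: both sides have PFS enabled, but one side pins a group the other never offers, and the SA negotiation fails rather than falling back.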
Checkpointing
IPSec checkpoints SAs in the local database. If an IPSec process restarts, SAs are retrieved from the
local database and need not be re-established with remote peers.
How to Implement General IPSec Configurations for IPSec Networks
This section contains the following implementation procedures:
• Setting Global Lifetimes for IPSec Security Associations, page 85 (optional)
• Creating Crypto Access Lists, page 88 (required)
• Defining Transform Sets, page 90 (required)
• Configuring Crypto Profiles, page 91 (required)
• Applying Crypto Profiles to tunnel-ipsec Interfaces, page 98 (required)
• Applying Crypto Profiles to Crypto Transport, page 99 (required)
Setting Global Lifetimes for IPSec Security Associations
This task sets global lifetimes for IPSec security associations.
SUMMARY STEPS
1. configure
2. crypto ipsec security-association lifetime {seconds seconds | kilobytes kilobytes}
3. end or commit
4. clear crypto ipsec sa {sa-id | all}