Cisco CRS-1 - Carrier Routing System Router Configuration Guide

Implementing IPSec Network Security on Cisco IOS XR Software
How to Implement General IPSec Configurations for IPSec Networks
SC-93
Cisco IOS XR System Security Configuration Guide for the Cisco CRS-1 Router
OL-20382-01
Command or Action / Purpose

Step 4
Command or Action: set pfs {group1 | group2 | group5}
Example:
RP/0/RP0/CPU0:router(config-new)# set pfs group5
Purpose: (Optional) Specifies that IPSec should ask for perfect forward secrecy (PFS) when requesting new security associations for this crypto profile entry, or should demand PFS in requests received from the IPSec peer.

Step 5
Command or Action: set type {static | dynamic}
Example:
RP/0/RP0/CPU0:router(config-new)# set type dynamic
Purpose: (Optional) Sets the profile mode type.
Default is static mode, which means that the peer is identified in the configuration.
Dynamic mode lets the profile be dynamic, which means that SA negotiation from any authenticated peer is allowed.

Step 6
Command or Action: set transform-set transform-set-name
Example:
RP/0/RP0/CPU0:router(config-new)# set transform-set ts1
Purpose: Specifies a list of transform sets in priority order. The set transform-set command is used in profiles that are attached to service-gre interfaces. The description for this command is similar to that of the match transform-set command, but it is used on a different interface.
Note: You can configure up to five different transform-sets.
Use the transform-set-name argument to name the transform-set. The name can be at most 32 characters long.

Step 7
Command or Action: reverse-route
Example:
RP/0/RP0/CPU0:router(config-new)# reverse-route
Purpose: Creates source proxy information for a crypto profile entry.

Step 8
Command or Action: set security-association idle-time seconds
Example:
RP/0/RP0/CPU0:router(config-new)# set security-association idle-time 800
Purpose: Specifies the maximum time for which the current peer can be idle before the default peer is used.
Use the seconds argument to specify the number of seconds for which the current peer can be idle before the default peer is used. The valid values are 600 to 86400.
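
The limits and defaults stated in steps 4 to 8 can be checked mechanically when reviewing a profile. The following Python script is an added example, not part of the Cisco guide: audit_profile, its finding labels and the SAMPLE lines are constructed for illustration, the modulus sizes come from RFC 2409 and RFC 3526, and treating group5 as the preferred choice and accepting several names on one set transform-set line are assumptions of this example.

```python
# MODP modulus sizes of the DH groups the guide lists (RFC 2409, RFC 3526).
PFS_BITS = {"group1": 768, "group2": 1024, "group5": 1536}

def audit_profile(lines):
    """Return review findings for the body of one crypto profile entry."""
    findings, pfs, transforms = [], None, []
    for raw in lines:
        cmd = raw.split("#", 1)[-1].split()  # drop a router prompt if present
        if cmd[:2] == ["set", "pfs"]:
            pfs = cmd[2] if len(cmd) > 2 else ""
        elif cmd[:2] == ["set", "type"] and cmd[2:] == ["dynamic"]:
            findings.append("dynamic-peer: SA negotiation from any "
                            "authenticated peer is allowed")
        elif cmd[:2] == ["set", "transform-set"]:
            transforms += cmd[2:]  # assumption: names may share one line
        elif cmd[:3] == ["set", "security-association", "idle-time"]:
            value = cmd[3] if len(cmd) > 3 else ""
            if not (value.isdigit() and 600 <= int(value) <= 86400):
                findings.append(f"idle-time-range: {value!r} is outside "
                                "600-86400 seconds")
    if pfs is None:
        findings.append("no-pfs: 'set pfs' is absent, so PFS is not requested")
    elif pfs not in PFS_BITS:
        findings.append(f"pfs-invalid: {pfs!r} is not group1, group2 or group5")
    elif PFS_BITS[pfs] < PFS_BITS["group5"]:  # example policy: prefer group5
        findings.append(f"pfs-weak: {pfs} is a {PFS_BITS[pfs]}-bit group, "
                        f"group5 is {PFS_BITS['group5']}-bit")
    if len(transforms) > 5:
        findings.append(f"transform-count: {len(transforms)} transform-sets, "
                        "the guide allows up to five")
    for name in transforms:
        if len(name) > 32:
            findings.append(f"transform-name: {name!r} exceeds 32 characters")
    return findings

# Constructed sample profile body using only the commands from steps 4-8.
SAMPLE = [
    "set pfs group1",
    "set type dynamic",
    "set transform-set ts1",
    "reverse-route",
    "set security-association idle-time 300",
]

if __name__ == "__main__":
    for finding in audit_profile(SAMPLE):
        print(finding)
```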
