set { control-dont-fragment { clear-bit | copy-bit | set-bit } | isakmp natt [keepalive time] | pfs { group1 | group2 | group5} | phase1-idtype { id-key-id | ipv4-address } [ mode { aggressive | main } ] | phase2-idtype { ipv4-address | ipv4-address-subnet} | security-association lifetime { keepalive | kilo-bytes kbytes | seconds secs } | transform-set transform_name [ transform-set transform_name2 ... transform-set transform_name6 ] }
no set { pfs | security-association lifetime {keepalive | kilo-bytes | seconds } | phase1-idtype | phase2-idtype | transform-set transform_name [ transform-set transform_name2 ... transform-set transform_name6 ] }
• clear-bit: Clears the DF bit from the outer IP header (sets it to 0).
• copy-bit: Copies the DF bit from the inner IP header to the outer IP header. This is the default action.
• set-bit: Sets the DF bit in the outer IP header (sets it to 1).
keepalive time: The time to keep the NAT connection alive in seconds. time must be an integer from 1 through 3600 seconds.
• group1: Diffie-Hellman Group1 (768-bit modp)
• group2: Diffie-Hellman Group2 (1024-bit modp)
• group5: Diffie-Hellman Group5 (1536-bit modp)
• id-key-id: Use ID_KEY_ID as the Phase 1 payload identifier.
• ipv4-address: Use IPV4_ADDR as the Phase 1 payload identifier.
• mode { aggressive | main }: Specify the IKE mode.
• ipv4-address: Use IPV4_ADDR as the Phase 2 payload identifier.
• ipv4-address-subnet: Use IPV4_ADDR_SUBNET as the Phase 2 payload identifier.
• kilo-bytes: 4608000 kbytes
• seconds: 28800 seconds
• keepalive: The SA lifetime expires only when a keepalive message is not responded to by the far end.
• kilo-bytes kbytes: This specifies the amount of data in kilobytes to allow through the tunnel before the SA lifetime expires. kbytes must be an integer from 2560 through 4294967294.
• seconds secs: The number of seconds to wait before the SA lifetime expires. secs must be an integer from 1200 through 86400.
Important: If the dynamic crypto map is being used in conjunction with Mobile IP and the Mobile IP renewal timer is less than the crypto map’s SA lifetime (either in terms of kilobytes or seconds), then the keepalive parameter must be configured.
This keyword specifies the name of a transform set configured in the same context that will be associated with the crypto map. Refer to the command crypto ipsec transform-set for information on creating transform sets.
transform_name is the name of the transform set. It must be an alpha and/or numeric string from 1 to 127 characters and is case sensitive.
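The following is an added example, not part of the Cisco documentation: a Python check that audits crypto map `set` lines against the ranges documented above and flags the 768-bit and 1024-bit PFS groups and IKE aggressive mode. The function names and the sample configuration are constructed for illustration.

```python
import re

# Keywords and ranges are taken from the command reference above.
WEAK_PFS = {"group1": 768, "group2": 1024}  # group5 is the largest group offered
LIMITS = {"kilo-bytes": (2560, 4294967294), "seconds": (1200, 86400)}
NAME_RE = re.compile(r"[A-Za-z0-9]{1,127}")

def in_range(value, lo, hi):
    return value.isdigit() and lo <= int(value) <= hi

def audit_set_line(line):
    """Return findings for one crypto map 'set' line (hypothetical helper)."""
    tok = line.split()
    if len(tok) < 3 or tok[0] != "set":
        return []
    kw, args, out = tok[1], tok[2:], []
    if kw == "pfs" and args[0] in WEAK_PFS:
        out.append(f"weak PFS {args[0]} ({WEAK_PFS[args[0]]}-bit modp)")
    elif kw == "isakmp" and args[:2] == ["natt", "keepalive"]:
        if len(args) != 3 or not in_range(args[2], 1, 3600):
            out.append("NAT-T keepalive must be 1-3600 seconds")
    elif kw == "phase1-idtype" and args[1:] == ["mode", "aggressive"]:
        out.append("IKE aggressive mode")  # identities are exchanged unprotected
    elif kw == "security-association" and args[0] == "lifetime":
        unit = args[1] if len(args) > 1 else ""
        if unit in LIMITS and (len(args) != 3 or not in_range(args[2], *LIMITS[unit])):
            out.append("lifetime %s must be %d-%d" % (unit, *LIMITS[unit]))
    elif kw == "transform-set":
        names = tok[2::2]  # syntax alternates keyword and name
        if tok[1::2] != ["transform-set"] * len(names):
            out.append("malformed transform-set list")
        elif len(names) > 6:
            out.append("more than 6 transform sets")
        else:
            out += [f"bad transform set name {n!r}" for n in names if not NAME_RE.fullmatch(n)]
    return out

def audit(config):
    """Return (line_number, finding) pairs for a config fragment."""
    return [(n, f) for n, l in enumerate(config.splitlines(), 1) for f in audit_set_line(l)]

# Constructed sample, not taken from a real device.
SAMPLE = """\
set pfs group2
set phase1-idtype id-key-id mode aggressive
set security-association lifetime seconds 600
set transform-set tset1 transform-set tset2
"""
```

Calling `audit(SAMPLE)` reports the first three lines and passes the transform-set line.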
Cisco Systems Inc.