Modification(s) to an existing dynamic crypto map configuration will not take effect until the related security association has been cleared. Refer to the description of the clear crypto security-association command in the Exec Mode Commands chapter for more information.

Syntax:

set { control-dont-fragment { clear-bit | copy-bit | set-bit } | isakmp natt [ keepalive time ] | pfs { group1 | group2 | group5 } | phase1-idtype { id-key-id | ipv4-address } [ mode { aggressive | main } ] | phase2-idtype { ipv4-address | ipv4-address-subnet } | security-association lifetime { keepalive | kilo-bytes kbytes | seconds secs } | transform-set transform_name [ transform-set transform_name2 ... transform-set transform_name6 ] }

no set { pfs | security-association lifetime { keepalive | kilo-bytes | seconds } | phase1-idtype | phase2-idtype | transform-set transform_name [ transform-set transform_name2 ... transform-set transform_name6 ] }
control-dont-fragment { clear-bit | copy-bit | set-bit }

• clear-bit: Clears the DF bit in the outer IP header (sets it to 0).
• copy-bit: Copies the DF bit from the inner IP header to the outer IP header. This is the default action.
• set-bit: Sets the DF bit in the outer IP header (sets it to 1).

isakmp natt [ keepalive time ]

• keepalive time: The time, in seconds, to keep the NAT connection alive. time must be an integer from 1 through 3600.
pfs { group1 | group2 | group5 }

• group1: Diffie-Hellman Group 1 (768-bit MODP)
• group2: Diffie-Hellman Group 2 (1024-bit MODP)
• group5: Diffie-Hellman Group 5 (1536-bit MODP)

phase1-idtype { id-key-id | ipv4-address } [ mode { aggressive | main } ]

• id-key-id: Use ID_KEY_ID as the Phase 1 payload identifier.
• ipv4-address: Use IPV4_ADDR as the Phase 1 payload identifier.
• mode { aggressive | main }: Specifies the IKE mode.

phase2-idtype { ipv4-address | ipv4-address-subnet }

• ipv4-address: Use IPV4_ADDR as the Phase 2 payload identifier.
• ipv4-address-subnet: Use IPV4_ADDR_SUBNET as the Phase 2 payload identifier.
security-association lifetime { keepalive | kilo-bytes kbytes | seconds secs }

Defaults:

• keepalive: Disabled
• kilo-bytes: 4608000 kbytes
• seconds: 28800 seconds

• keepalive: The SA lifetime expires only when a keepalive message is not responded to by the far end.
• kilo-bytes kbytes: Specifies the amount of data, in kilobytes, allowed through the tunnel before the SA lifetime expires; entered as an integer from 2560 through 4294967294.
• seconds secs: The number of seconds to wait before the SA lifetime expires; entered as an integer from 1200 through 86400.

Important: If the dynamic crypto map is being used in conjunction with Mobile IP and the Mobile IP renewal timer is less than the crypto map's SA lifetime (either in terms of kilobytes or seconds), then the keepalive parameter must be configured.
transform-set transform_name

Specifies the name of a transform set, configured in the same context, that will be associated with the crypto map. Refer to the crypto ipsec transform-set command for information on creating transform sets. transform_name is the name of the transform set, entered as a case-sensitive alphanumeric string from 1 through 127 characters.

Example:

The following command sets the SA lifetime to 10000 seconds:

    set security-association lifetime seconds 10000
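The following is an added example, not from the Cisco reference, showing the set commands above used together in one dynamic crypto map. The context and crypto dynamic-map entry lines are assumed mode-entry commands, and the names ingress, dmap1 and tset1 are placeholders:

```text
# Added example; not part of the original reference. The context and
# crypto dynamic-map lines are assumed mode-entry commands; the set
# commands are those documented above. Names are placeholders.
context ingress
  crypto dynamic-map dmap1
    # Require PFS with the largest group this command offers (group5, 1536-bit);
    # group1 (768-bit) and group2 (1024-bit) are smaller.
    set pfs group5
    # Phase 1 in main mode with IPv4 address identifiers; Phase 2 by subnet.
    set phase1-idtype ipv4-address mode main
    set phase2-idtype ipv4-address-subnet
    # Keep NAT bindings alive across a NAT device (allowed range 1-3600 s).
    set isakmp natt keepalive 20
    # Copy the inner DF bit to the outer header (this is also the default).
    set control-dont-fragment copy-bit
    # Rekey before the 28800 s default; 10000 s matches the reference example.
    set security-association lifetime seconds 10000
    # Required when a Mobile IP renewal timer is shorter than the SA lifetime.
    set security-association lifetime keepalive
    # tset1 must already exist in this context (crypto ipsec transform-set).
    set transform-set tset1
  #exit
#exit
# Changes to dmap1 take effect only after the existing SA is cleared with the
# Exec mode clear crypto security-association command.
```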