VPN Interface IPsec

Feature history for VPN interface IPsec

Table 1. Feature History

Feature Name

Release Information

Description

SHA256 Support for IPSec Tunnels

Cisco IOS XE Catalyst SD-WAN Release 17.2.1r

This feature adds support for HMAC_SHA256 algorithms for enhanced security.

Configure VPN interface IPsec

Use one of these methods to configure geofencing:

Configure IPsec on the transport VPN using a configuration group

Follow these steps to configure IPSEC on the transport VPN using a configuration group.

If...

  • you are running Cisco SD-WAN Manager releases from SD-WAN Manager 20.15.1 to SD-WAN Manager 20.15.3, and

  • you are using the IPSEC feature to configure an edge device using Cisco IOS XE Catalyst SD-WAN Release 17.12.x or earlier,

then you must also configure a command using a CLI add-on profile. This command provides backward compatibility for edge devices using Cisco IOS XE Catalyst SD-WAN Release 17.12.x or earlier. Without this, the tunnel does not operate correctly.

To do this, create the CLI add-on profile and add it to the configuration group that you are using the configure the device. In the profile, include the tunnel mode ipsec ipv4-old command.

Using the CLI add-on profile with the tunnel mode ipsec ipv4-old command is not necessary in these releases:

  • SD-WAN Manager 20.15.4 and later releases of 20.15.x

  • SD-WAN Manager 20.18.1 and later releases

Before you begin

On the Configuration > Configuration Groups page, choose SD-WAN as the solution type.

Procedure


Step 1

From the Cisco SD-WAN Manager menu, choose Configuration > Configuration Groups.

Step 2

Create and configure the basic IPSEC.

  1. Configure a basic IPsec tunnel interface.

    Table 2. Basic Configuration

    Field

    Description

    Interface Name

    Enter the name of the IPsec interface.

    Description

    Enter a description of the IPsec interface.
    Tunnel Mode

    Choose from one of the following IPsec tunnel modes:

    • ipv4: IPsec tunnel with IPv4 overlay and IPv4 underlay. IPv4 underlay is the default value.

    • ipv6: IPsec tunnel with IPv6 overlay and IPv6 underlay.

    • ipv4-v6overlay: IPsec tunnel with IPv6 overlay and IPv4 underlay.

    Multiplexing

    Choose Yes to enable multiplexing, if there is a tunnel in the transport VPN.

    Default: No

    Interface Address

    Enter the IPv4 or IPv6 address of the IPsec interface, based on your choice from the Tunnel Mode drop-down list.

    Mask

    Enter the subnet mask.

    Preshared Key for IKE

    Enter the preshared key (PSK) for authentication.

    Associated Tracker / Tracker Group

    Choose a tracker or a tracker group from the drop-down list to associate with the IPsec tunnel.

    Tunnel Source

    Enter the source of the IPsec interface:

    • IP Address: Enter the source IP address of the IPsec tunnel interface. Enter an IPv4 or IPv6 address that is based on your selection in the Tunnel Mode option. This address is on the local router.

    • Interface: Enter the physical interface in the IPsec Source Interface field, which is the source of the IPsec tunnel.

    Tunnel Destination

    Enter the destination IP address of the IPsec tunnel interface. This address is on a remote device.
    • Address: Enter the destination IP address of the IPsec tunnel interface. Enter an IPv4 or IPv6 address based on your selection in the Tunnel Mode option.

    • Application: Choose an application from the drop-down list.

      • None

      • Sig

  2. Configure Internet Key Exchange fields.

    Table 3. Internet Key Exchange

    Field

    Description

    IKE Version

    Enter 1 to choose IKEv1.

    Enter 2 to choose IKEv2.

    Default: IKEv1

    IKE Integrity Protocol Choose one of the following modes for the exchange of keying information and setting up IKE security associations:
    • Main: Establishes an IKE SA session before starting IPsec negotiations.

    • Aggressive: Negotiation is quicker, and the initiator and responder ID pass in the clear. Aggressive mode does not provide identity protection for communicating parties.

    Default: Main mode

    IPsec Rekey Interval

    Specify the interval for refreshing IKE keys.

    Range: 3600 through 1209600 seconds (1 hour through 14 days)

    Default: 14400 seconds (4 hours)

    IKE Cipher Suite

    Specify the type of authentication and encryption to use during IKE key exchange.

    Values: aes128-cbc-sha1, aes128-cbc-sha2, aes256-cbc-sha1, aes256-cbc-sha2

    Default: aes256-cbc-sha1

    IKE Diffie-Hellman Group

    Specify the Diffie-Hellman group to use in IKE key exchanges.

    Values: 2, 14, 15, 16, 19, 20, 21, 24

    Default: 16

    IKE ID for Local End Point

    If the remote IKE peer requires a local endpoint identifier, specify it.

    Range: 1 through 64 characters

    Default: Source IP address of the tunnel

    IKE ID for Remote End Point

    If the remote IKE peer requires a remote endpoint identifier, specify it.

    Range: 1 through 64 characters

    Default: Destination IP address of the tunnel

    There is no default option if you choose IKEv2.

  3. Configure IPSEC fields.

    Table 4. IPSEC

    Field

    Description

    IPsec Rekey Interval

    Specify the interval for refreshing IKE keys.

    Range: 3600 through 1209600 seconds (1 hour through 14 days)

    Default: 3600 seconds (1 hour)

    IPsec Replay Window

    Specify the replay window size for the IPsec tunnel.

    Values: 64, 128, 256, 512, 1024, 2048, 4096, 8192 bytes

    Default: 512 bytes

    IPsec Cipher Suite

    Specify the authentication and encryption to use on the IPsec tunnel.

    Values: aes256-cbc-sha1, aes256-gcm, null-sha1

    Default: aes256-gcm

    Perfect Forward Secrecy

    Specify the PFS settings to use on the IPsec tunnel by choosing one of the following values:
    • group-2: Use the 1024 bit Diffie-Hellman prime modulus group

    • group-14: Use the 2048 bit Diffie-Hellman prime modulus group

    • group-15: Use the 3072 bit Diffie-Hellman prime modulus group

    • group-16: Use the 4096 bit Diffie-Hellman prime modulus group

    • none: Disable PFS

    Default: group-16

  4. Configure advanced IPsec fields.

    Table 5. Advanced

    Field

    Description

    Associated VPN

    Select a VPN from the drop-down list to associate with the IPsec tunnel.

    Tunnel Route Via

    Specify the tunnel route details to steer the application traffic through.

    Note

     

    You cannot use the tunnel route via option to configure IPSec tunnels on a cellular interface because cellular interfaces do not include a next hop IP address for the default route.

    DPD Interval

    Specify the interval for IKE to send Hello packets on the connection.

    Range: 10 through 3600 seconds (1 hour)

    Default: 10 seconds

    DPD Retries

    Specify how many unacknowledged packets to accept before declaring an IKE peer to be dead and then removing the tunnel to the peer.

    Range: 2 through 60

    Default: 3

    TCP MSS

    Specify the maximum segment size (MSS) of TPC SYN packets passing through the Cisco IOS XE Catalyst SD-WAN device. By default, the MSS is dynamically adjusted based on the interface or tunnel MTU such that TCP SYN packets are never fragmented.

    Range: 552 through 1460 bytes

    Default: None

    Clear-Dont-Fragment

    Click On to clear the Don't Fragment bit in the IPv4 packet header for packets being transmitted out the interface.

    IP MTU

    Based on your choice in the Tunnel Mode option, specify the maximum MTU size of the IPv4 or IPv4 packets on the interface.

    Range: 576 through 9216

    Default: 1500 bytes

    Shutdown

    Click Off to enable the interface.

What to do next

Also see Deploy a configuration group.

Configure IPsec on the service VPN using a configuration group

Follow these steps to configure IPsec on the service VPN using a configuration group.

Before you begin

On the Configuration > Configuration Groups page, choose SD-WAN as the solution type.

Procedure


Step 1

From the Cisco SD-WAN Manager menu, choose Configuration > Configuration Groups.

Step 2

Create and configure the VPN interface IPsec feature.

  1. Configure basic configuration fields.

    Table 6. Basic Configuration

    Field

    Description

    Interface Name

    Enter the name of the IPsec interface.

    Description

    Enter a description of the IPsec interface.
    Tunnel Mode

    Choose from one of the following IPsec tunnel modes:

    • ipv4: IPsec tunnel with IPv4 overlay and IPv4 underlay. IPv4 underlay is the default value.

    • ipv6: IPsec tunnel with IPv6 overlay and IPv6 underlay.

    • ipv4-v6overlay: IPsec tunnel with IPv6 overlay and IPv4 underlay.

    Interface Address

    Enter the IPv4 or IPv6 address of the IPsec interface, based on your choice from the Tunnel Mode drop-down list.

    Mask

    Enter the subnet mask.

    Tunnel Source

    Enter the source of the IPsec interface:

    • IP Address: Enter the IPv4 or IPv6 address of the IPsec interface, based on your choice from the Tunnel Mode drop-down list.. This address is on the local router.

    • Interface: Enter the physical interface that is the source of the IPsec tunnel.

    Tunnel Destination

    Enter the destination of the IPsec interface:

    • Address: Enter the destination IPv4 or IPv6 address of the IPsec interface, based on your choice from the Tunnel Mode drop-down list. This address is on a remote device.

    • Application: Choose an application from the drop-down list.

    • None

    • Sig

    TCP MSS

    Specify the maximum segment size (MSS) of TPC SYN packets passing through the vEdge router. By default, the MSS is dynamically adjusted based on the interface or tunnel MTU such that TCP SYN packets are never fragmented.

    Range: 552 through 1460 bytes

    Default: None

    Clear-Dont-Fragment

    Click On to clear the Don't Fragment bit in the IPv4 packet header for packets being transmitted out the interface.

    IP MTU

    Specify the maximum MTU size of packets on the interface.

    Range: 576 through 1804

    Default: 1500 bytes

  2. Configure IKE fields.

    Table 7. Internet Key Exchange

    Field

    Description

    IKE Version

    Enter 1 to choose IKEv1.

    Enter 2 to choose IKEv2.

    Default: IKEv1

    IKE Integrity Protocol

    Choose one of the following modes for the exchange of keying information and setting up IKE security associations:
    • Main: Establishes an IKE SA session before starting IPsec negotiations.

    • Aggressive: Negotiation is quicker, and the initiator and responder ID pass in the clear. Aggressive mode does not provide identity protection for communicating parties.

    Default: Main mode

    IPsec Rekey Interval (Seconds)

    Specify the interval for refreshing IKE keys.

    Range: 3600 through 1209600 seconds (1 hour through 14 days)

    Default: 14400 seconds (4 hours)

    IKE Cipher Suite

    Specify the type of authentication and encryption to use during IKE key exchange.

    Values: aes128-cbc-sha1, aes128-cbc-sha2, aes256-cbc-sha1, aes256-cbc-sha2

    Default: aes256-cbc-sha1

    IKE Diffie-Hellman Group

    Specify the Diffie-Hellman group to use in IKE key exchanges.

    Values: 2, 14, 15, 16, 19, 20, 21, 24

    Default: 16

    IKE ID for Local End Point

    If the remote IKE peer requires a local endpoint identifier, specify it.

    Range: 1 through 64 characters

    Default: Source IP address of the tunnel

    IKE ID for Remote End Point

    If the remote IKE peer requires a remote end point identifier, specify it.

    Range: 1 through 64 characters

    Default: Destination IP address of the tunnel

    There is no default option if you have chosen IKEv2.

  3. Configure IPsec fields.

    Table 8. IPSEC

    Field

    Description

    IPsec Rekey Interval

    Specify the interval for refreshing IKE keys.

    Range: 3600 through 1209600 seconds (1 hour through 14 days)

    Default: 3600 seconds

    IPsec Replay Window

    Specify the replay window size for the IPsec tunnel.

    Values: 64, 128, 256, 512, 1024, 2048, 4096, 8192 bytes

    Default: 512 bytes

    IPsec Cipher Suite

    Specify the authentication and encryption to use on the IPsec tunnel.

    Values: aes256-cbc-sha1, aes256-gcm, null-sha1

    Default: aes256-gcm

    Perfect Forward Secrecy

    Specify the PFS settings to use on the IPsec tunnel by choosing one of the following values:
    • group-2: Use the 1024-bit Diffie-Hellman prime modulus group

    • group-14: Use the 2048-bit Diffie-Hellman prime modulus group

    • group-15: Use the 3072-bit Diffie-Hellman prime modulus group

    • group-16: Use the 4096-bit Diffie-Hellman prime modulus group

    • none: Disable PFS

    Default: group-16

  4. Configure advanced fields.

    Table 9. Advanced

    Field

    Description

    Associated VPN

    Select a VPN from the drop-down list to associate with the IPsec tunnel.

    Tunnel Route Via

    Specify the tunnel route details to steer the application traffic through.

    Note

     

    You cannot use the tunnel route via option to configure IPSec tunnels on a cellular interface because cellular interfaces do not include a next hop IP address for the default route.

    DPD Interval

    Specify the interval for IKE to send Hello packets on the connection.

    Range: 10 through 3600 seconds (1 hour)

    Default: 10 seconds

    DPD Retries

    Specify how many unacknowledged packets to accept before declaring an IKE peer to be dead and then removing the tunnel to the peer.

    Range: 2 through 60

    Default: 3

    TCP MSS

    Specify the maximum segment size (MSS) of TPC SYN packets passing through the Cisco vEdge device. By default, the MSS is dynamically adjusted based on the interface or tunnel MTU such that TCP SYN packets are never fragmented.

    Range: 552 through 1460 bytes

    Default: None

    Clear-Dont-Fragment

    Click On to clear the Don't Fragment bit in the IPv4 packet header for packets being transmitted out the interface.

    IP MTU

    Based on your choice in the Tunnel Mode option, specify the maximum MTU size of the IPv4 or IPv4 packets on the interface.

    Range: 576 through 9216

    Default: 1500 bytes

    Shutdown

    Click Off to enable the interface.

What to do next

Also see Deploy a configuration group.

Configure VPN interface IPsec using templates

Follow these steps to configure VPN interface IPsec using a feature template.

Use the VPN Interface IPsec feature template to configure IPsec tunnels on Cisco IOS XE service VPNs that are being used for Internet Key Exchange (IKE) sessions. You can configure IPsec on tunnels for VPN 1 through 65527, except for 512.

Cisco IOS XE Catalyst SD-WAN devices use VRFs in place of VPNs. However, the following steps still apply to configure Cisco IOS XE Catalyst SD-WAN devices through Cisco SD-WAN Manager. In Cisco SD-WAN Manager, the system automatically maps the VPN configurations to VRF configurations.

In controller mode, only Route based IPSec tunnels are supported.

Procedure


Step 1

From the Cisco SD-WAN Manager menu, choose Configuration > Templates.

Step 2

Click Feature Templates.

In Cisco vManage Release 20.7.x and earlier releases, Feature Templates is titled Feature.

  1. Click Add Template.

  2. Choose a Cisco IOS XE Catalyst SD-WAN device from the list.

  3. From the VPN section, click VPN Interface IPsec. The Cisco VPN Interface IPsec template displays.

  4. In Template Name, enter a name for the template. The name can be up to 128 characters and can contain only alphanumeric characters.

  5. In Template Description, enter a description of the template. The description can be up to 2048 characters and can contain only alphanumeric characters.

Step 3

Configure the following VPN interface IPsec parameters:

  1. Configure a basic IPsec tunnel interface.

    Parameter Name Options/Format Description
    Shutdown* Yes / No Click No to enable the interface; click Yes to disable.
    Interface Name* ipsec number (1…255) Enter the name of the IPsec interface. Number can be from 1 through 255.
    Description Enter a description of the IPsec interface.
    IPv4 Address* ipv4‑prefix/length Enter the IPv4 address of the IPsec interface. The address must have a /30 subnet.
    Source * Set the source of the IPsec tunnel that is being used for IKE key exchange:
    IP Address Click and enter the IPv4 address that is the source tunnel interface. This address must be configured in VPN 0.
    Interface

    Click and enter the name of the physical interface that is the source of the IPsec tunnel. This interface must be configured in VPN 0.

    • If you selected the Source as Interface, enter the name of the source interface. If you enter a loopback interface, an additional field Tunnel Route-via Interface displays where you enter the egress interface name.

      Note

       

      You cannot use the tunnel route via option to configure IPSec tunnels on a cellular interface because cellular interfaces do not include a next hop IP address for the default route.

    Destination* Set the destination of the IPsec tunnel that is being used for IKE key exchange.
    IPsec Destination IP Address Enter an IPv4 address that points to the destination.
    TCP MSS

    Specify the maximum segment size (MSS) of TPC SYN packets passing through the router. By default, the MSS is dynamically adjusted based on the interface or tunnel MTU such that TCP SYN packets are never fragmented.

    Range: 552 to 1960 bytes

    Default: None

    IP MTU

    Specify the maximum transmission unit (MTU) size of packets on the interface.

    Range: 576 through 2000

    Default: 1500 bytes

  2. Configure Internet key exchange (IKE) dead-peer detection (DPD) to determine whether the connection to an IKE peer is functional and reachable.

    Parameter Name

    Description

    DPD Interval

    Specify the interval for IKE to send Hello packets on the connection.

    Range: 10 through 3600 seconds

    Default: Disabled

    DPD Retries

    Specify how many unacknowledged packets to accept before declaring an IKE peer to be dead and then tearing down the tunnel to the peer.

    Range: 2 through 60

    Default: 3

  3. Configure IKE.

    When you create an IPsec tunnel on a Cisco IOS XE Catalyst SD-WAN device, IKE Version 1 is enabled by default on the tunnel interface.

    Parameter Name Options Description
    IKE Version

    1 IKEv1

    2 IKEv2

    Enter 1 to choose IKEv1.

    Enter 2 to choose IKEv2.

    Default: IKEv1

    Note

     

    In IKEv2 Preshared Keys (PSK), the '\' character is not supported and should not be used.

    IKE Mode

    Aggressive mode

    Main mode

    For IKEv1 only, specify one of the following modes:

    • Aggressive mode - Negotiation is quicker, and the initiator and responder ID pass in the clear.

    • Establishes an IKE SA session before starting IPsec negotiations.

    Note

     

    For IKEv2, there is no mode.

    Note

     

    IKE aggressive mode with pre-shared keys should be avoided where possible. Otherwise a strong pre-shared key should be chosen.

    Default: Main mode

    IPsec Rekey Interval 3600 - 1209600 seconds

    Specify the interval for refreshing IKE keys.

    Range: 1 hour through 14 days

    Default: 14400 seconds (4 hours)

    IKE Cipher Suite
    • AES 256 CBC SHA 256

    • AES 256 CBC SHA 384

    • AES 256 CBC SHA 512

    • AES 256 CBC SHA 1

    • AES 256 GCM

    • Nul SHA 256

    • Nul SHA 384

    • Nul SHA 512

    • Nul SHA 1

    Specify the type of authentication and encryption to use during IKE key exchange.

    Default: AES 256 CBC SHA 1

    IKE Diffie-Hellman Group

    2

    14

    15

    16

    Specify the Diffie-Hellman group to use in IKE key exchange, whether IKEv1 or IKEv2.

    • 1024-bit modulus

    • 2048-bit modulus

    • 3072-bit modulus

    • 4096-bit modulus

    Default: 4096-bit modulus

    IKE Authentication Configure IKE authentication.
    Preshared Key Enter the password to use with the preshared key.
    IKE ID for Local End Point

    If the remote IKE peer requires a local end point identifier, specify it.

    Range: 1 through 64 characters

    Default: Tunnel's source IP address

    IKE ID for Remote End Point

    If the remote IKE peer requires a remote end point identifier, specify it.

    Range: 1 through 64 characters

    Default: Tunnel's destination IP address

    When you are pushing authentication from Cisco SD-WAN Manager, use the authentication string configured for the source and destination stations in double quotes as special characters are not supported. The string can be up to eight characters long.

  4. Configure the IPsec tunnel that carries Internet Key Exchange (IKE) traffic.

    Parameter Name Options Description
    IPsec Rekey Interval 3600 - 1209600 seconds

    Specify the interval for refreshing IKE keys.

    Range: 1 hour through 14 days

    Default: 3600 seconds

    IKE Replay Window 64, 128, 256, 512, 1024, 2048, 4096, 8192

    Specify the replay window size for the IPsec tunnel.

    Default: 512

    IPsec Cipher Suite

    aes256-cbc-sha1

    aes256-gcm

    null-sha1

    Specify the authentication and encryption to use on the IPsec tunnel

    Default: aes256-gcm

    Perfect Forward Secrecy

    2 1024-bit modulus

    14 2048-bit modulus

    15 3072-bit modulus

    16 4096-bit modulus

    none

    Specify the PFS settings to use on the IPsec tunnel.

    Choose one of the following Diffie-Hellman prime modulus groups:

    1024-bit – group-2

    2048-bit – group-14

    3072-bit – group-15

    4096-bit – group-16

    none –disable PFS.

    Default: group-16

    From Cisco IOS XE Catalyst SD-WAN Release 17.11.1a, as part of the security hardening, the weaker ciphers are deprecated. As part of this change, the option to configure Diffie-Hellman (DH) groups 1, 2, and 5 is no longer supported. DH groups are used in IKE to establish session keys and are also available in IPsec as support for perfect forward secrecy.


Change the IKE version from IKEv1 to IKEv2

Follow these steps to change the IKE version.

There is no single CLI for changing the IKE version. You need to follow the sequence of steps listed in the Change the IKE Version from IKEv1 to IKEv2 section.

Procedure


Step 1

From the Cisco SD-WAN Manager menu, choose Configuration > Templates.

Step 2

Click Feature Templates, and then click Add Template.

In Cisco vManage Release 20.7.x and earlier releases, Feature Templates is called Feature.

Step 3

Choose the device for which you are creating the template.

Step 4

Click Basic Configuration.

Step 5

Use the shutdown parameter with the yes option (yes shutdown) to shut down the tunnel.

Step 6

Remove the ISAKMP profile from the IPsec profile.

Step 7

Attach the IKEv2 profile with the IPsec profile.

Perform this step if you already have an IKEv2 profile. Otherwise, create an IKEv2 profile first.

Step 8

Use the shutdown parameter with the no option (no shutdown) to start up the tunnel.

You must issue the shutdown operations in two separate operations.


CLI configuration examples for VPN interface IPsec

Basic configuration

The following is an example of the basic IPsec tunnel interface configuration.


crypto
   interface tunnel ifnum
      no shutdown
      vrf forwarding vrf_id
      ip address ip_address[mask]
      tunnel source wanif_ip
      tunnel mode {ipsec ipv4 | gre ip}
      tunnel destination gateway_ip
      tunnel protection ipsec profile ipsec_profile_name 

Dead-Peer detection

The following is an example of Internet key exchange (IKE) dead-peer detection (DPD) configuration.


crypto
   ikev2
      profile ikev2_profile_name
         dpd 10-3600 2-60 {on-demand | periodic}

IKE

The following is an example of ISAKMP CLI configuration for IKEv1.

crypto
   isakmp
      keepalive 60-86400 2-60 {on-demand | periodic}
      policy policy_num
         encryption {AES128-CBC-SHA1 | AES256-CBC-SHA1}
         hash {sha384 | sha256 | sha}
         authentication pre-share
         group {2 | 14 | 16 | 19 | 20 | 21}
         lifetime 60-86400
      profile ikev1_profile_name
         match identity address ip_address [mask]
         keyring keyring_name

The following is an example of IPsec CLI configuration for IKEv1.

profile ipsec_profile_name
         set transform-set transform_set_name
         set isakmp-profile ikev1_profile_name
         set security-association
            lifetime {kilobytes disable | seconds 120-2592000}
            replay {disable | window-size [64 | 128 | 256 | 512 | 1024]}
         set pfs group {14 | 16 | 19 | 20 | 21}
   keyring keyring_name
      pre-shared-key address ip_address [mask] key key_string
   ipsec transform-set transform_set_name {esp-gcm 256 | esp-aes 256 [esp-sha384-hmac | esp-sha256-hmac] mode tunnel

The following is an example configuration for IKE2.

crypto
   ikev2
      proposal proposal_name
         encryption {3des | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des}
         integrity {sha256 | sha384 | sha512}
         group {2 | 14 | 15 | 16}
      keyring idev2_keyring_name
         peer peer_name
         address tunnel_dest_ip [mask]
         pre-shared-key key_string
      profile ikev2_profile_name
         match identity remote address ip_address
         authentication {remote | local} pre-share
         keyring local ikev2_keyring_name
         lifetime 120-86400   

IPsec tunnel

The following is an example configuration of IPsec tunnels.

crypto
   ipsec
      profile ipsec_profile_name
         set ikev2-profile ikev2_profile_name
         set security-association
            lifetime {seconds 120-2592000 | kilobytes disable}  
            replay {disable | window-size {64 | 128 | 256 | 512 | 1024 | 4096 | 8192}
         set pfs group {2 | 14 | 15 | 16 | none}
         set transform-set transform_set_name