Configures parameters for the dynamic crypto map.

Important: HNBGW is not supported from Release 20 and later, and HeNBGW is not supported in Releases 20, 21.0 and 21.1. This command must not be used for HNBGW and HeNBGW in these releases. For more information, contact your Cisco account representative.

Product
ePDG
FA
GGSN
HA
HeNBGW
HNBGW
HSGW
MME
P-GW
PDSN
S-GW
SAEGW
SCM
SecGW
SGSN

Privilege
Security Administrator

Mode
Exec > Global Configuration > Context Configuration > Crypto Map IPSec IKEv1 Configuration

configure > context context_name > crypto map policy_name ipsec-ikev1

Entering the above command sequence results in the following prompt:

[context_name]host_name(config-crypto-map)#
Syntax Description

set { bgp peer_address | control-dont-fragment { clear-bit | copy-bit | set-bit } | ikev1 natt [ keepalive sec ] | ip mtu bytes | ipv6 mtu bytes | mode { aggressive | main } | peer peer_address | pfs { group1 | group2 | group5 } | phase1-idtype { id-key-id | ipv4-address [ mode { aggressive | main } ] } | phase2-idtype { ipv4-address | ipv4-address-subnet } | security-association lifetime { disable-phase2-rekey | keepalive | kilo-bytes kbytes | seconds secs } | transform-set transform_name [ transform-set transform_name2 ... transform-set transform_name6 ] }

no set { ikev1 natt | pfs | phase1-idtype | phase2-idtype | security-association lifetime { disable-phase2-rekey | keepalive | kilo-bytes | seconds } | transform-set transform_name [ transform-set transform_name2 ... transform-set transform_name6 ] }
bgp peer_address
Specifies the IP address of the BGP peer in IPv4 dotted-decimal or IPv6 colon-separated-hexadecimal notation.

control-dont-fragment { clear-bit | copy-bit | set-bit }
Controls the don't fragment (DF) bit in the outer IP header of the IPSec tunnel data packet. Options are:
- clear-bit: Clears the DF bit from the outer IP header (sets it to 0).
- copy-bit: Copies the DF bit from the inner IP header to the outer IP header. This is the default action.
- set-bit: Sets the DF bit in the outer IP header (sets it to 1).

ikev1 natt [ keepalive sec ]
Specifies IKE parameters.
- natt: Enables IPSec NAT Traversal.
- keepalive sec: The time to keep the NAT connection alive in seconds. sec must be an integer from 1 through 3600.

ip mtu bytes
Specifies the IPv4 Maximum Transmission Unit (MTU) in bytes as an integer from 576 to 2048.

ipv6 mtu bytes
Specifies the IPv6 Maximum Transmission Unit (MTU) in bytes as an integer from 576 to 2048.

mode { aggressive | main }
Configures the IKE negotiation mode as AGGRESSIVE or MAIN.

peer peer_address
Specifies the peer IP address of a remote gateway in IPv4 dotted-decimal or IPv6 colon-separated-hexadecimal notation.

pfs { group1 | group2 | group5 }
Specifies the modp Oakley group (also known as the Diffie-Hellman [D-H] group) that is used to determine the length of the base prime numbers that are used for Perfect Forward Secrecy (PFS).
- group1: Diffie-Hellman Group1 (768-bit modp)
- group2: Diffie-Hellman Group2 (1024-bit modp)
- group5: Diffie-Hellman Group5 (1536-bit modp)

phase1-idtype { id-key-id | ipv4-address [ mode { aggressive | main } ] }
Sets the IKE negotiation's Phase 1 payload identifier. Default: id-key-id
- id-key-id: ID KEY ID
- ipv4-address: ID IPV4 Address

phase2-idtype { ipv4-address | ipv4-address-subnet }
Sets the IKE negotiation's Phase 2 payload identifier. Default: ipv4-address-subnet

security-association lifetime { disable-phase2-rekey | keepalive | kilo-bytes kbytes | seconds secs }
Specifies the parameters that determine the length of time an IKE Security Association (SA) is active when no data is passing through a tunnel. When the lifetime expires, the tunnel is torn down. Whichever parameter is reached first expires the SA lifetime.
- disable-phase2-rekey: If this keyword is specified, the Phase 2 SA is not rekeyed when the lifetime expires.
- keepalive: The SA lifetime expires only when a keepalive message is not responded to by the far end.
- kilo-bytes kbytes: Specifies the amount of data (n kilobytes) to allow through the tunnel before the SA lifetime expires. kbytes must be an integer from 2560 through 4294967294.
- seconds secs: The number of seconds to wait before the SA lifetime expires. secs must be an integer from 1200 through 86400.

Important: If the dynamic crypto map is being used in conjunction with Mobile IP and the Mobile IP renewal timer is less than the crypto map's SA lifetime (either in terms of kilobytes or seconds), then the keepalive parameter must be configured.

transform-set transform_name [ transform-set transform_name2 ... transform-set transform_name6 ]
Specifies the name of a transform set configured in the same context that will be associated with the crypto map. Refer to the crypto ipsec transform-set command for information on creating transform sets.
You can repeat this keyword up to 6 times on the command line to specify multiple transform sets.
transform_name is the name of the transform set, entered as a case-sensitive alphanumeric string of 1 through 127 characters.

no
Deletes the specified parameter or resets the specified parameter to the default value.
Usage Guidelines
Use this command to set parameters for a dynamic crypto map.

Example
The following command sets the PFS group to Group1:
set pfs group1
The following command sets the SA lifetime to 50000 KB:
set security-association lifetime kilo-bytes 50000
The following command sets the SA lifetime to 10000 seconds:
set security-association lifetime seconds 10000
The following command enables the SA to re-key when the tunnel lifetime expires:
set security-association lifetime keepalive
The following command associates transform sets tset1 and tset2 with the crypto map:
set transform-set tset1 transform-set tset2
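The ranges and keyword sets in the Syntax Description above are the kind of thing that gets checked before a generated crypto-map configuration is pushed to a gateway. The following checker is an added example, not Cisco code: it parses the `set` lines of one crypto map ipsec-ikev1 block, enforces the documented integer ranges, keyword alternatives and the six-transform-set limit, and separately flags settings a reviewer would normally want justified (the 768-bit and 1024-bit PFS groups and IKE aggressive mode). The function names, the constructed SAMPLE block and that review policy are this example's own assumptions; only the ranges and keywords come from the reference.

```python
"""Offline checker for StarOS 'set' commands in crypto map ipsec-ikev1 mode.

Added example, not Cisco code. Numeric ranges, keyword sets and the limit of
six transform sets come from the command reference; the function names, the
SAMPLE block and the FLAG_FOR_REVIEW policy are this example's own assumptions.
"""
import re

# Documented integer ranges, keyed by the keywords that precede the value.
RANGES = {
    "ikev1 natt keepalive": (1, 3600),
    "ip mtu": (576, 2048),
    "ipv6 mtu": (576, 2048),
    "security-association lifetime kilo-bytes": (2560, 4294967294),
    "security-association lifetime seconds": (1200, 86400),
}

# Documented keyword alternatives (first token after the keyword).
CHOICES = {
    "control-dont-fragment": {"clear-bit", "copy-bit", "set-bit"},
    "mode": {"aggressive", "main"},
    "pfs": {"group1", "group2", "group5"},
    "phase1-idtype": {"id-key-id", "ipv4-address"},
    "phase2-idtype": {"ipv4-address", "ipv4-address-subnet"},
}

# Documented forms that take an address or no value at all.
BARE = {
    "peer", "bgp", "ikev1 natt",
    "security-association lifetime disable-phase2-rekey",
    "security-association lifetime keepalive",
}

# Review policy (assumption of this example, not from the page): settings a
# reviewer would normally want justified before the map goes live.
FLAG_FOR_REVIEW = {
    "pfs group1": "PFS uses the 768-bit modp group",
    "pfs group2": "PFS uses the 1024-bit modp group",
    "mode aggressive": "IKEv1 aggressive mode selected",
}


def check_set_line(line):
    """Return a list of findings for one 'set ...' line (empty when it is clean)."""
    words = line.split()
    if not words or words[0] != "set":
        return [f"not a set command: {line.strip()!r}"]
    rest = " ".join(words[1:])
    findings = []
    recognised = False

    # Integer arguments: the value must lie within the documented range.
    for key, (lo, hi) in RANGES.items():
        m = re.fullmatch(re.escape(key) + r" (\d+)", rest)
        if m:
            recognised = True
            val = int(m.group(1))
            if not lo <= val <= hi:
                findings.append(f"{key} {val} outside {lo}-{hi}")

    # Keyword arguments: the first token after the keyword must be listed.
    for key, allowed in CHOICES.items():
        if rest.startswith(key + " "):
            recognised = True
            option = rest[len(key) + 1:].split()[0]
            if option not in allowed:
                findings.append(f"{key}: unknown option {option!r}")

    # transform-set list: at most six names, each 1 through 127 characters.
    if rest.startswith("transform-set "):
        recognised = True
        names = re.findall(r"transform-set (\S+)", rest)
        if len(names) > 6:
            findings.append(f"{len(names)} transform sets given; maximum is 6")
        for name in names:
            if not 1 <= len(name) <= 127:
                findings.append(f"transform set name {name!r} not 1-127 characters")

    if any(rest == k or rest.startswith(k + " ") for k in BARE):
        recognised = True
    if not recognised:
        findings.append(f"unrecognised set argument: {rest!r}")

    # Review policy: matches wherever the phrase appears, which also covers
    # the 'phase1-idtype ipv4-address mode aggressive' form.
    for phrase, reason in FLAG_FOR_REVIEW.items():
        if re.search(r"\b" + re.escape(phrase) + r"\b", rest):
            findings.append(f"review: {reason}")
    return findings


def check_config(text):
    """Check each non-blank line of a crypto-map block; return [(line_no, finding)]."""
    results = []
    for num, raw in enumerate(text.strip().splitlines(), 1):
        line = raw.strip()
        if line:
            results.extend((num, f) for f in check_set_line(line))
    return results


# Constructed sample block (assumption): one out-of-range lifetime and two
# settings the review policy flags.
SAMPLE = """
set peer 203.0.113.10
set mode main
set pfs group2
set ikev1 natt keepalive 20
set ip mtu 1400
set security-association lifetime seconds 600
set security-association lifetime kilo-bytes 50000
set security-association lifetime keepalive
set transform-set tset1 transform-set tset2
set phase1-idtype ipv4-address mode aggressive
"""

if __name__ == "__main__":
    for num, finding in check_config(SAMPLE):
        print(f"line {num}: {finding}")
```

Running the block on SAMPLE reports line 3 (group2 flagged for review), line 6 (600 seconds is below the documented minimum of 1200) and line 10 (aggressive mode flagged for review); every other line passes. The checker only validates what the reference documents, so a line such as `set ikev1 natt` with no keepalive value is accepted as written.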