Configures
parameters for the dynamic crypto map.
Important
|
HNBGW is not supported from Release 20 and later, and HeNBGW is not supported in Releases 20, 21.0 and 21.1. This command
must not be used for HNBGW and HeNBGW in these releases. For more information, contact your Cisco account representative.
|
Product
ePDG
FA
GGSN
HA
HeNBGW
HNBGW
HSGW
MME
P-GW
PDSN
S-GW
SAEGW
SCM
SecGW
SGSN
Privilege
Security
Administrator, Administrator
Mode
Exec > Global
Configuration > Context Configuration > Crypto Map Dynamic Configuration
configure > context
context_name
> crypto map
policy_name
ipsec-dynamic
Entering the above
command sequence results in the following prompt:
[context_name]host_name(config-crypto-dynamic-map)#
Syntax
set { control-dont-fragment { clear-bit | copy-bit | set-bit } |
ikev1 natt [ keepalive
sec
]
| ip mtu
bytes
| pfs { group1 | group2 |
group5} | phase1-idtype { id-key-id | ipv4-address } [ mode { aggressive | main } ]
| phase2-idtype {
ipv4-address | ipv4-address-subnet} | security-association lifetime { keepalive
| kilo-bytes
kbytes
| seconds
secs
} |
transform-set
transform_name
[ transform-set
transform_name2 ...
transform-set
transform_name6
]
}
no set { ikev1 natt | pfs | security-association lifetime
{keepalive | kilo-bytes | seconds } | phase1-idtype | phase2-idtype |
transform-set
transform_name
[ transform-set
transform_name2 ...
transform-set
transform_name6
] }
no
Deletes the
specified parameter or resets the specified parameter to the default value.
control-dont-fragment { clear-bit | copy-bit | set-bit
}
Controls the don't
fragment (DF) bit in the outer IP header of the IPSec tunnel data packet.
Options are:
- clear-bit : Clears the DF bit from the outer IP
header (sets it to 0).
- copy-bit : Copies the DF bit from the inner IP
header to the outer IP header. This is the default action.
- set-bit : Sets the DF bit in the outer IP header
(sets it to 1).
ikev1 natt [ keepalive
sec
]
Enables IPSec NAT
Traversal.
keepalive
sec : The time
to keep the NAT connection alive in seconds.
sec must be an
integer of from 1 through 3600.
ip mtu
bytes
Specifies the IP
Maximum Transmission Unit (MTU) in bytes as an integer from 576 to 2048.
mode { aggressive | main }
Configures the IKE
negotiation mode as AGRESSIVE or MAIN.
pfs { group1 | group2 | group5 }
Specifies the modp
Oakley group (also known as the Diffie-Hellman [D-H] group) that is used to
determine the length of the base prime numbers that are used for Perfect
Forward Secrecy (PFS).
- group1 : Diffie-Hellman Group1 (768-bit modp)
- group2 :- Diffie-Hellman Group2 (1024-bit modp)
- group5 :- Diffie-Hellman Group5 (1536-bit modp)
phase1-idtype { id-key-id | ipv4-address } [ mode { aggressive |
main } ]
Sets the IKE
negotiations Phase 1 payload identifier.
Default:
ipv4-address
id-key-id : Use ID_KEY_ID as the Phase 1 payload
identifier.
ipv4-address : Use IPV4_ADDR as the Phase 1 payload
identifier.
mode { aggressive | main } : Specify the IKE mode.
phase2-idtype { ipv4-address | ipv4-address-subnet
}
Sets the IKE
negotiations Phase 2 payload identifier.
Default:
ipv4-address-subnet
ipv4-address : Use IPV4_ADDR as the Phase 2 payload
identifier.
ipv4-address-subnet : Use IPV4_ADDR_SUBNET as the
Phase 2 payload identifier.
security-association lifetime { keepalive |
kilo-bytes
kbytes
| seconds
secs
}
This keyword
specifies the parameters that determine the length of time an IKE Security
Association (SA) is active when no data is passing through a tunnel. When the
lifetime expires, the tunnel is torn down. Whichever parameter is reached first
expires the SA lifetime.
-
keepalive :
The SA lifetime expires only when a keepalive message is not responded to by
the far end.
-
kilo-bytes :
This specifies the amount of data in kilobytes to allow through the tunnel
before the SA lifetime expires; entered as an integer from 2560 through
4294967294.
-
seconds : The
number of seconds to wait before the SA lifetime expires; entered as an integer
from 1200 through 86400.
Important
|
If the dynamic
crypto map is being used in conjunction with Mobile IP and the Mobile IP
renewal timer is less than the crypto map's SA lifetime (either in terms of
kilobytes or seconds), then the
keepalive
parameter
must be
configured.
|
transform-set
transform_name
[
transform-set
transform_name2
...
transform-set
transform_name6
]
Specifies the name
of a transform set configured in the same context that will be associated with
the crypto map. Refer to the command
crypto ipsec
transform-set for information on creating transform sets.
You can repeat
this keyword up to 6 times on the command line to specify multiple transform
sets.
trasnform_name is the name of the transform set
entered as an alphanumeric string from 1 through 127 characters that is case
sensitive.
Usage Guidelines
Use this command
to set parameters for a dynamic crypto map.
Example
The following
command sets the PFS group to Group1:
set pfs group1
The following
command sets the SA lifetime to
50000 KB:
set security-association lifetime kilo-bytes 50000
The following
command sets the SA lifetime to
10000
seconds:
set security-association lifetime seconds 10000
The following
command enables the SA to re-key when the tunnel lifetime expires:
set security-association lifetime keepalive
The following
command defines transform sets
tset1 and
tset2 :
set transform-set tset1 transform-set tset2
Feedback