Brocade Mobility RFS7000-GR Controller CLI Reference Guide (Supporting software release 4.1.0.0-040GR and later) User Manual


53-1001945-01

Crypto Map Config Commands

10

Parameters

localid
    Sets local identity.
    dn – Distinguished name.
    hostname – Hostname.

mode
    Sets the mode of the tunnels of this Crypto Map.
    aggressive – Initiates aggressive mode.
    main – Initiates main mode.

peer
    Use the set peer command to set the IP address of the peer device. This can be set for multiple remote peers. A remote peer can be specified as either an IP address or a hostname.
    NOTE: For manual mode, only one remote peer can be added for a crypto map.
    IP address – Enter the IP address of the peer device. If this is not configured, it implies responder only to any peer.

pfs
    Use the set pfs command to choose the type of perfect forward secrecy (if any) that will be required during IPSec negotiation of security associations for this crypto map. Use the no form of this command to require no PFS.
    group 1 – IPSec is required to use Diffie-Hellman Group 1 (768-bit modulus) exchange during IPSec SA key generation.
    group 2 – IPSec is required to use Diffie-Hellman Group 2 (1024-bit modulus) exchange during IPSec SA key generation.
    group 5 – IPSec is required to use Diffie-Hellman Group 5

remote-type
    Sets the remote VPN client type.
    ipsec-l2tp – Specify remote VPN client as using IPSEC/L2TP.
    xauth – Specify remote VPN client as using XAUTH with mode config.

security-association
    Use the set security-association lifetime command to define the lifetime (in kilobytes and/or seconds) of the IPSec SAs created by this crypto map.
    level(perhost) – Specify a security association granularity level for identities
    lifetime(kilobyte|seconds) – Security association lifetime.

session-key
    Use the set session-key command to define the encryption and authentication keys for this crypto map.
    inbound – Use this keyword to define encryption keys for inbound traffic.
    outbound – Use this keyword to define encryption keys for outbound traffic.
    inbound/outbound (ah|esp) – Use this keyword to define encryption keys for inbound/outbound traffic.
    ah – Authentication header protocol.
        <256-4294967295> – Security Parameter Index (SPI) for Security Association
    esp – Encapsulating security payload protocol.
        <256-4294967295> – Security Parameter Index.
    cipher – Specify encryption/decryption key.
    authenticator <hex key data> – Specify authentication key.

transformset <name>
    Use the set transform-set command to assign a transform-set to a crypto map.

Usage Guidelines

RFS7000(config-crypto-map)#set peer (name)

If no peer IP address is configured, the manual crypto map is not valid and not complete. A peer IP address is required for manual crypto maps. To change the peer IP address, the no set peer command must be issued first; then the new peer IP address can be configured.

RFS7000(config-crypto-map)#set pfs
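The rules this page states for set peer, set pfs, set mode and set session-key can be checked offline against a saved crypto map. The following is an added example, not part of the Brocade manual or its software: the function name, the finding labels and the exact argument syntax of each set line are assumptions, and rating the 768-bit and 1024-bit groups as weak is the example's own judgement.

```python
import re

# Modulus sizes for groups 1 and 2 are the ones listed on this page; the page
# gives no size for group 5, so it is left unrated. Treating 768/1024-bit as
# weak is this example's judgement (current guidance expects 2048-bit or more).
PFS_MODULUS_BITS = {1: 768, 2: 1024}
SPI_MIN, SPI_MAX = 256, 4294967295  # SPI range from the session-key entry


def audit_crypto_map(config_text, manual=False):
    """Return findings for the 'set ...' lines of one crypto map.

    Assumed syntax (not confirmed by the page): 'set pfs <n>' or
    'set pfs group <n>', 'set peer <addr>', 'set mode <main|aggressive>',
    'set session-key <inbound|outbound> <ah|esp> <spi> ...'.
    """
    findings, peers = [], []
    for raw in config_text.splitlines():
        words = raw.split("#", 1)[-1].split()  # drop an optional CLI prompt
        if len(words) < 3 or words[0] != "set":
            continue
        key, args = words[1], words[2:]
        if key == "peer":
            peers.append(args[0])
        elif key == "pfs":
            m = re.search(r"\d+", " ".join(args))
            group = int(m.group()) if m else None
            if group in PFS_MODULUS_BITS:
                findings.append(f"weak-pfs: group {group} is a "
                                f"{PFS_MODULUS_BITS[group]}-bit modulus")
        elif key == "mode" and args[0] == "aggressive":
            # IKEv1 aggressive mode sends identities unprotected (general
            # protocol behaviour, not a statement from this page).
            findings.append("aggressive-mode: prefer 'main' where peers allow")
        elif key == "session-key" and len(args) >= 3:
            if not (args[2].isdigit() and SPI_MIN <= int(args[2]) <= SPI_MAX):
                findings.append(f"bad-spi: {args[2]} outside {SPI_MIN}-{SPI_MAX}")
    if manual and not peers:
        findings.append("no-peer: manual crypto map is not valid without a peer")
    elif manual and len(peers) > 1:
        findings.append("multi-peer: manual mode allows only one remote peer")
    elif not peers:
        findings.append("any-peer: no peer set, map responds to any peer")
    return findings


# Constructed sample input, not taken from a real device.
SAMPLE = """set peer 192.0.2.10\nset peer 192.0.2.11\nset mode aggressive
set pfs 2\nset session-key inbound esp 100 cipher <hex key data>"""
```

Calling `audit_crypto_map(SAMPLE, manual=True)` reports the aggressive mode, the 1024-bit PFS group, the out-of-range SPI and the second peer on a manual map.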
