Brocade Mobility RFS7000-GR Controller CLI Reference Guide (Supporting software release 4.1.0.0-040GR and later) User Manual


53-1001945-01

Crypto Map Config Commands


If left at the default setting, no perfect forward secrecy (PFS) will be used during IPSec SA key
generation. If PFS is specified, then the specified Diffie-Hellman Group exchange will be used for
the initial and all subsequent key generation, thus providing no data linkage between prior keys
and future keys.

RFS7000(config-crypto-map)#set security-association lifetime (kilobytes|seconds)

Values can be entered for this command in both kilobytes and seconds. Whichever limit is reached
first will end the security association.

RFS7000(config-crypto-map)#set session-key (inbound|outbound)(ah|esp)

RFS7000(config-crypto-map)#set session-key (inbound|outbound) ah <hexkey data>

RFS7000(config-crypto-map)#set session-key (inbound|outbound) esp <SPI> cipher <hexdata key> authenticator <hexkey data>

The inbound local SPI (security parameter index) must equal the outbound remote SPI. The
outbound local SPI must equal the inbound remote SPI. The key values are the hexadecimal
representations of the keys, not true ASCII strings. Therefore, a key of 3031323334353637
represents “01234567”.
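
The SPI mirroring and hex-key rules above can be checked offline before a manual-key entry is committed on both peers. The Python below is an added example, not part of the Brocade guide: it assumes the ESP command form shown above, treats the SPI as an opaque token, and relies on the general manual-keying property that both ends of one SA direction hold the same keys. The sample SPIs and keys are constructed.

```python
import re

# ESP form of the command on this page; SPI kept as an opaque token.
LINE = re.compile(r"set session-key (inbound|outbound) esp (\S+) "
                  r"cipher ([0-9A-Fa-f]+) authenticator ([0-9A-Fa-f]+)$")

def parse(config):
    """Return {direction: (spi, cipher_key_bytes, auth_key_bytes)}."""
    keys = {}
    for raw in config.splitlines():
        m = LINE.search(raw.strip())
        if m:
            direction, spi, cipher, auth = m.groups()
            # fromhex raises ValueError on an odd number of hex digits
            keys[direction] = (spi, bytes.fromhex(cipher), bytes.fromhex(auth))
    return keys

def check_pair(local_cfg, remote_cfg):
    """List mismatches between two peers' manual-key entries."""
    local, remote = parse(local_cfg), parse(remote_cfg)
    problems = []
    for mine, theirs in (("inbound", "outbound"), ("outbound", "inbound")):
        if mine not in local or theirs not in remote:
            problems.append(f"missing: local {mine} / remote {theirs}")
        elif local[mine][0] != remote[theirs][0]:
            problems.append(f"SPI: local {mine} != remote {theirs}")
        elif local[mine][1:] != remote[theirs][1:]:
            problems.append(f"key: local {mine} != remote {theirs}")
    return problems

def looks_like_text(key):
    """True when every byte is printable ASCII, i.e. a typed passphrase."""
    return all(0x20 <= b <= 0x7E for b in key)

# Constructed sample configurations (SPIs and keys are made up).
PROMPT = "RFS7000(config-crypto-map)#"
LOCAL = f"""
{PROMPT}set session-key inbound esp 300 cipher 3031323334353637 authenticator 9f1c44e2a07b5d38
{PROMPT}set session-key outbound esp 301 cipher c4e19a720b5fd836 authenticator 27d05be8913ac46f
"""
REMOTE_OK = f"""
{PROMPT}set session-key outbound esp 300 cipher 3031323334353637 authenticator 9f1c44e2a07b5d38
{PROMPT}set session-key inbound esp 301 cipher c4e19a720b5fd836 authenticator 27d05be8913ac46f
"""
REMOTE_BAD = REMOTE_OK.replace("esp 301", "esp 310")

if __name__ == "__main__":
    print(check_pair(LOCAL, REMOTE_OK), check_pair(LOCAL, REMOTE_BAD))
    print([d for d, k in parse(LOCAL).items() if looks_like_text(k[1])])
```

A key that `looks_like_text` flags, such as the page's 3031323334353637, was typed from printable characters and carries far less entropy than its length suggests; generate manual keys from a random source instead.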

RFS7000(config-crypto-map)#set transformset (name)

Crypto map entries do not directly contain the transform configuration for securing data. Instead,
the crypto map is associated with transform sets which contain specific security algorithms.

If no transform-set is configured for a crypto map, then the entry is incomplete and will have no
effect on the system. For manual key crypto maps, only one transform set can be specified.

Example

RFS7000(config-crypto-map)#set localid hostname TestMapHost

RFS7000(config-crypto-map)#
