security-association

crypto-map-ipsec-isakmp-instance

Defines the settings of the IPSec SAs created by this auto site-to-site VPN tunnel or remote VPN client.

Supported in the following platforms:

  • Access Points — AP505i, AP510i/e, AP560i/h
  • Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000

Syntax

security-association [inactivity-timeout|level|lifetime]
security-association [inactivity-timeout <120-86400>|level perhost]
security-association lifetime [kilobytes <500-2147483646>|seconds <120-86400>]

Parameters

security-association [inactivity-timeout <120-86400>|level perhost]
inactivity-timeout <120-86400> Specifies an inactivity period, in seconds, for this IPSec VPN SA. Once the set value is exceeded, the association is timed out.
  • <120-86400> – Specify a value from 120 - 86400 seconds. The default is 900 seconds.
level perhost Specifies the granularity level for this IPSec VPN SA.
  • perhost – Sets the IPSec VPN SA's granularity to the host level.
security-association lifetime [kilobytes <500-2147483646>|seconds <120-86400>]
lifetime [kilobytes <500-2147483646>|seconds <120-86400>] Defines the IPSec SA's lifetime (in kilobytes and/or seconds). Values can be entered in both kilobytes and seconds. Whichever limit is reached first ends the security association.
  • kilobytes <500-2147483646> – Defines a volume-based key duration. Specify a value from 500 - 2147483646 kilobytes. Select this option to define a connection volume lifetime (in kilobytes) for the duration of the IPSec VPN SA. Once the set volume is exceeded, the association is timed out. This option is disabled by default.
  • seconds <120-86400> – Defines a time-based key duration. Specify a time frame from 120 - 86400 seconds. Select this option to define a lifetime (in seconds) for the duration of the IPSec VPN SA. Once the set value is exceeded, the association is timed out. This option is disabled by default.

Example

Site-to-site tunnel:

rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#security-association inactivity-timeout 200
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#security-association level perhost
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#security-association lifetime kilobytes 250000
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#show context
 crypto map test 1 ipsec-isakmp
  security-association level perhost
  peer 1 ikev2 ikev2Peer1
  local-endpoint-ip 192.168.13.10
  pfs 5
  security-association lifetime kilobytes 250000
  security-association inactivity-timeout 200
  ip nat crypto
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#

Remote VPN client:

rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#security-association lifetime seconds 10000
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#show context
 crypto map test 2 ipsec-isakmp dynamic
  peer 1 ikev1 RemoteIKEv1Peer1
  local-endpoint-ip 157.235.204.62
  pfs 14
  security-association lifetime seconds 10000
  remote-type none
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#
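Added example (not part of this reference page or the vendor's own code): a Python audit that parses the show context output format shown above, collects each crypto map's security-association settings, and flags maps that leave the SA lifetime at its disabled default or exceed a local policy ceiling. The sample context is constructed from the two examples above plus a hypothetical third map, and the ceilings (28800 seconds, 4194304 kilobytes) are assumed local policy values.

```python
import re

# Constructed 'show context' output, modelled on this page's two examples plus
# a third (hypothetical) crypto map that never sets a security-association lifetime.
SAMPLE_CONTEXT = """\
 crypto map test 1 ipsec-isakmp
  security-association level perhost
  peer 1 ikev2 ikev2Peer1
  security-association lifetime kilobytes 250000
  security-association inactivity-timeout 200
 crypto map test 2 ipsec-isakmp dynamic
  peer 1 ikev1 RemoteIKEv1Peer1
  security-association lifetime seconds 10000
 crypto map test 3 ipsec-isakmp
  peer 1 ikev2 ikev2Peer2
"""

MAP_RE = re.compile(r"^\s*crypto map (\S+ \d+) ipsec-isakmp")
SA_RE = re.compile(r"^\s*security-association (?:(inactivity-timeout) (\d+)"
                   r"|lifetime (kilobytes|seconds) (\d+)|(level) (\S+))")

def parse_crypto_maps(text):
    """Return {map name: {setting: value}} for the security-association lines of each map."""
    maps, current = {}, None
    for line in text.splitlines():
        m = MAP_RE.match(line)
        if m:                      # new 'crypto map <name> <seq> ipsec-isakmp' block
            current = maps.setdefault(m.group(1), {})
            continue
        if current is None or not (m := SA_RE.match(line)):
            continue
        if m.group(1):             # security-association inactivity-timeout <120-86400>
            current["inactivity-timeout"] = int(m.group(2))
        elif m.group(3):           # security-association lifetime kilobytes|seconds <n>
            current["lifetime-" + m.group(3)] = int(m.group(4))
        else:                      # security-association level perhost
            current["level"] = m.group(6)
    return maps

def audit(maps, max_seconds=28800, max_kilobytes=4194304):
    """Flag maps with no SA lifetime (the page's default, 'disabled') or with a
    lifetime above the assumed local ceilings; returns a list of (map, finding)."""
    findings = []
    for name, s in maps.items():
        if not any(k.startswith("lifetime-") for k in s):
            findings.append((name, "no security-association lifetime configured"))
        for unit, ceiling in (("seconds", max_seconds), ("kilobytes", max_kilobytes)):
            if s.get("lifetime-" + unit, 0) > ceiling:
                findings.append((name, f"lifetime {unit} exceeds policy ceiling {ceiling}"))
    return findings
```

Run audit(parse_crypto_maps(SAMPLE_CONTEXT)) against saved show context output; only the third map is reported with the default ceilings, and tightening max_seconds below 10000 also reports the remote VPN client map.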