Brocade Communications Systems RFS7000 Network Router User Manual


 
Brocade Mobility RFS4000, RFS6000 and RFS7000 CLI Reference Guide
53-1001931-01
Crypto Map config commands
10
Usage Guidelines
RFController(config-crypto-map)#set peer name
If no peer IP address is configured, the manual crypto map is not valid and not complete. A peer IP
address is required for manual crypto maps. To change the peer IP address, the no set peer
command must be issued first; then the new peer IP address can be configured.
RFController(config-crypto-map)#set pfs
If left at the default setting, no perfect forward secrecy (PFS) is used during IPSec SA key
generation. If PFS is specified, the specified Diffie-Hellman Group exchange is used for the initial
(and all subsequent) key generations. This means there is no data linkage between prior keys and
future keys.
RFController(config-crypto-map)#set security-association lifetime (kilobytes|seconds)
Values can be entered in both kilobytes and seconds. Whichever limit is reached first ends the
security association.
RFController(config-crypto-map)#set session-key [inbound|outbound]{ah|esp}
RFController(config-crypto-map)#set session-key [inbound|outbound] ah <hexkey data>
RFController(config-crypto-map)#set session-key [inbound|outbound] esp <SPI> cipher <hexdata key> authenticator <hexkey data>
The inbound local SPI (security parameter index) must equal the outbound remote SPI. The
outbound local SPI must equal the inbound remote SPI. The key values are the hexadecimal
representations of the keys. They are not true ASCII strings. Therefore, a key of
3031323334353637 represents “01234567”.
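The SPI pairing rule and the hex key encoding above can be checked before a manual crypto map is deployed. The following is an added example, not part of the Brocade guide: the function names and both sample configurations are constructed for illustration, only the esp form of the command is parsed, and the key-equality check assumes the usual manual-keying rule that one side's inbound keys are the other side's outbound keys.

```python
import re

# ESP form of the command as given on this page:
#   set session-key [inbound|outbound] esp <SPI> cipher <hex> authenticator <hex>
LINE = re.compile(r"set session-key (inbound|outbound) esp (\d+) "
                  r"cipher ([0-9A-Fa-f]+) authenticator ([0-9A-Fa-f]+)$")
SPI_MIN, SPI_MAX = 256, 4294967295  # SPI range from the parameter table

# Constructed sample configurations for the two ends of one tunnel (not real keys).
LOCAL = """
set session-key inbound esp 300 cipher 3031323334353637 authenticator 9f86d081884c7d659a2feaa0c55ad015
set session-key outbound esp 301 cipher 4b1d7e02c9a853f6 authenticator 6e340b9cffb37a989ca544e6bb780a2c
"""
REMOTE = """
set session-key outbound esp 300 cipher 3031323334353637 authenticator 9f86d081884c7d659a2feaa0c55ad015
set session-key inbound esp 302 cipher 4b1d7e02c9a853f6 authenticator 6e340b9cffb37a989ca544e6bb780a2c
"""

def parse(config):
    """Return {direction: (spi, cipher_bytes, auth_bytes)} for one peer."""
    keys = {}
    for line in config.strip().splitlines():
        m = LINE.search(line.strip())  # search() tolerates a leading CLI prompt
        if m:
            direction, spi, cipher, auth = m.groups()
            keys[direction] = (int(spi), bytes.fromhex(cipher), bytes.fromhex(auth))
    return keys

def audit(local_cfg, remote_cfg):
    """List the problems found in a pair of manual session-key configurations."""
    local, remote = parse(local_cfg), parse(remote_cfg)
    problems = []
    for mine, theirs in (("inbound", "outbound"), ("outbound", "inbound")):
        if mine not in local or theirs not in remote:
            problems.append(f"missing local {mine} / remote {theirs} entry")
            continue
        spi_l, ciph_l, auth_l = local[mine]
        spi_r, ciph_r, auth_r = remote[theirs]
        if not SPI_MIN <= spi_l <= SPI_MAX:
            problems.append(f"local {mine} SPI {spi_l} out of range")
        if spi_l != spi_r:
            problems.append(f"local {mine} SPI {spi_l} != remote {theirs} SPI {spi_r}")
        if (ciph_l, auth_l) != (ciph_r, auth_r):
            problems.append(f"local {mine} keys differ from remote {theirs} keys")
        for name, key in (("cipher", ciph_l), ("authenticator", auth_l)):
            # Hex that decodes to printable ASCII is a typed phrase, not random key bytes.
            if all(0x20 <= b < 0x7F for b in key):
                problems.append(f"local {mine} {name} key is printable ASCII {key.decode()!r}")
    return problems
```

Calling audit(LOCAL, REMOTE) on the constructed pair reports the 3031323334353637 cipher key as the ASCII text '01234567' and the 301/302 SPI mismatch on the outbound direction.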
RFController(config-crypto-map)#set transformset name
session-key [inbound|outbound] {ah|esp} <256-4294967295> cipher
    Use the set session-key command to define the encryption and
    authentication keys for this crypto map.
    inbound [ah|esp] – Defines encryption keys for inbound traffic
    outbound [ah|esp] – Defines encryption keys for outbound traffic
    For information on how to create a key for authentication and
    encryption, refer to the Usage Guidelines in Global Configuration
    commands under crypto on page 233.
    ah <256-4294967295> – Authentication header protocol
        <256-4294967295> – Security Parameter Index (SPI) for the
        security association
    esp <256-4294967295> – Encapsulating security payload protocol
        <256-4294967295> cipher – Defines the security parameter index
        cipher – Specify encryption/decryption key
        authenticator <hex key data> – Specify an authentication key

transformset <name>
    Use the set transform-set command to assign a transform-set to a
    crypto map.