3-32 Command Line Interface Commands Reference
cp { name | index } ipsec suite encapsulation { esp | ah | esp+ah }
[ encryption { des | 3des | null } ]
[ authentication esp { md5 | hmac-md5-96 | sha1 | hmac-sha1-96 } ]
[ authentication ah { md5 | hmac-md5-96 | sha1 | hmac-sha1-96 } ]
[ compression lzs ]
show cp { name | index } ipsec suite
Note: This is an extended version of an existing CLI command. The existing command is modified to add an
encapsulation clause and to allow for one or two authentication clauses. See “IPSec/IKE” on page 3-26 for
more information.
These commands set or display the IPSec encapsulation, encryption, authentication, and compression
parameters for the specified connection profile.
Note: The authentication clause may appear either one or two times; if it appears twice, one occurrence must
specify ah and the other must specify esp.
The keywords md5 and hmac-md5-96 are synonyms; hmac-md5-96 is preferred, and md5 is retained only for
backwards compatibility. Likewise, the keywords sha1 and hmac-sha1-96 are synonyms; hmac-sha1-96 is
preferred, and sha1 is retained only for backwards compatibility.
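The following Python check is an added example, not part of the original reference or the vendor's software. It parses a saved ipsec suite line, enforces the rule that two authentication clauses must be one ah and one esp, and maps the legacy keywords to the preferred ones. The function name, the single-token profile, the order-independent clauses, and the weak-encryption findings are assumptions of this example.

```python
# Synonyms stated in the reference: legacy keyword -> preferred keyword.
PREFERRED = {"md5": "hmac-md5-96", "sha1": "hmac-sha1-96"}
AUTH_ALGS = set(PREFERRED) | set(PREFERRED.values())
# Added audit policy (not from the manual): settings worth a review finding.
WEAK_ENCRYPTION = {"null": "no confidentiality", "des": "56-bit key"}

def parse_suite(line):
    """Return (settings, findings) for one 'cp <profile> ipsec suite ...' line.

    Assumptions: the profile name or index is a single token, and optional
    clauses are accepted in any order.
    """
    tok = line.split()
    if len(tok) < 6 or tok[0] != "cp" or tok[2:5] != ["ipsec", "suite", "encapsulation"]:
        raise ValueError("not an 'ipsec suite' command")
    if tok[5] not in ("esp", "ah", "esp+ah"):
        raise ValueError(f"unknown encapsulation {tok[5]!r}")
    cfg = {"profile": tok[1], "encapsulation": tok[5], "encryption": None,
           "authentication": {}, "compression": False}
    findings, rest = [], tok[6:]
    while rest:
        kw, args = rest[0], rest[1:]
        if kw == "encryption" and args[:1] and args[0] in ("des", "3des", "null"):
            cfg["encryption"], rest = args[0], args[1:]
        elif (kw == "authentication" and len(args) >= 2
              and args[0] in ("esp", "ah") and args[1] in AUTH_ALGS):
            proto, alg = args[0], args[1]
            # Two clauses are allowed only as one "ah" plus one "esp".
            if proto in cfg["authentication"]:
                raise ValueError(f"authentication {proto} specified twice")
            if alg in PREFERRED:
                findings.append(f"legacy keyword {alg}: prefer {PREFERRED[alg]}")
            cfg["authentication"][proto] = PREFERRED.get(alg, alg)
            rest = args[2:]
        elif kw == "compression" and args[:1] == ["lzs"]:
            cfg["compression"], rest = True, args[1:]
        else:
            raise ValueError(f"unexpected clause at {kw!r}")
    if cfg["encryption"] in WEAK_ENCRYPTION:
        findings.append(f"encryption {cfg['encryption']}: "
                        f"{WEAK_ENCRYPTION[cfg['encryption']]}")
    return cfg, findings

# Constructed sample line, not taken from a real device.
SAMPLE = ("cp 1 ipsec suite encapsulation esp+ah encryption des "
          "authentication esp sha1 authentication ah hmac-md5-96 compression lzs")

if __name__ == "__main__":
    print(parse_suite(SAMPLE))
```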
cp { name | index } ipsec ip
[remote
[members {a.b.c.d | a.b.c.d/n | a.b.c.d e.f.g.h | a.b.c.d-e.f.g.h}]
[tep a.b.c.d] ]
[local
[members {a.b.c.d | a.b.c.d/n | a.b.c.d e.f.g.h | a.b.c.d-e.f.g.h}]
[tep a.b.c.d] ]
[via a.b.c.d]
show cp { name | index } ipsec ip
Note: This is an extended version of an existing CLI command. The existing command is modified to allow a
members specification to appear in the local clause and to allow for a host address or an IP address range
(rather than a network address and subnet mask) in the remote and local members clauses. See “IPSec/IKE”
on page 3-26 for more information.
This command sets the pertinent IP values for the IPSec tunnel, and may contain zero or one instances of each
of three possible clauses: remote, local, and via. The remote clause, if specified, may include a members
specification or a tunnel endpoint (“tep”) specification, or both. The local clause, if specified, may contain a
members specification or a tunnel endpoint specification, or both. The optional via clause sets the next hop
gateway. The keyword sg (short for “security-gateway”) is an acceptable synonym for the keyword tep.
cp { name | index } ipsec sa lifetime { seconds | kbytes } { non-negative-integer | none }
show cp { name | index } ipsec sa lifetime [ { seconds | kbytes } ]
no cp { name | index } ipsec sa lifetime [ { seconds | kbytes } ]
These commands set, display, or disable one or both of the two IKE Phase 2 SA lifetimes (in seconds and/or
kbytes protected) for the specified IPSec protocol for the specified connection profile. Specifying neither the
keyword seconds nor the keyword kbytes with the show variant of this command displays both lifetime values.
The keyword none is equivalent to the value zero, and indicates that there is no lifetime of the specified type.