Cisco SA-VAM - VPN Acceleration Module Installation And Configuration Manual page 53

VPN Acceleration Module 2+ (VAM2+) Installation and Configuration Guide

Chapter 4
Configuring the SA-VAM2+
Step, Command, and Purpose

Step 3
  Command: Router(config-crypto-m)# match address access-list-id
  Purpose: (Optional) Specifies the list number or name of an extended access list. This access list determines which traffic should be protected by IPSec and which traffic should not be protected by IPSec security in the context of this crypto map entry.
    Note: Although access lists are optional for dynamic crypto maps, they are highly recommended.
    If this is configured, the data flow identity proposed by the IPSec peer must fall within a permit statement for this crypto access list.
    If this is not configured, the router will accept any data flow identity proposed by the IPSec peer.
    However, if this is configured but the specified access list does not exist or is empty, the router will drop all packets. This is similar to static crypto maps because they also require that an access list be specified.
    Care must be taken if the any keyword is used in the access list, because the access list is used for packet filtering as well as for negotiation.

Step 4
  Command: Router(config-crypto-m)# set peer {hostname | ip-address}
  Purpose: (Optional) Specifies a remote IPSec peer. Repeat for multiple remote peers.
    This is rarely configured in dynamic crypto map entries. Dynamic crypto map entries are often used for unknown remote peers.

Step 5
  Command: Router(config-crypto-m)# set security-association lifetime seconds seconds
    and
    Router(config-crypto-m)# set security-association lifetime kilobytes kilobytes
  Purpose: (Optional) If you want the security associations for this crypto map to be negotiated using shorter IPSec security association lifetimes than the globally specified lifetimes, specify a key lifetime for the crypto map entry.

Step 6
  Command: Router(config-crypto-m)# set pfs [group1 | group2]
  Purpose: (Optional) Specifies that IPSec should ask for perfect forward secrecy when requesting new security associations for this crypto map entry or should demand perfect forward secrecy in requests received from the IPSec peer.

Step 7
  Command: Router(config-crypto-m)# exit
  Purpose: Exits crypto-map configuration mode and returns to global configuration mode.

Step 8
  Repeat these steps to create additional crypto map entries as required.

To add a dynamic crypto map set into a crypto map set, use the following command in global configuration mode:

OL-5979-03
Configuration Tasks
4-13
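
The three access-list outcomes described for Step 3 (no match address, a match address that points at a missing or empty list, and use of the any keyword) can be checked offline against a saved configuration. The following Python audit is an added example, not part of the Cisco guide; it assumes numbered access-list lines and crypto dynamic-map entries as they appear in a running configuration, the sample configuration is constructed, and the finding labels are hypothetical names.

```python
import re

# Constructed sample running-config (not from the manual); trimmed to the lines the audit reads.
SAMPLE_CONFIG = """\
access-list 101 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
access-list 102 permit ip any any
crypto dynamic-map DYN-A 10
 match address 101
 set pfs group2
crypto dynamic-map DYN-A 20
 set security-association lifetime seconds 1800
crypto dynamic-map DYN-B 10
 match address 150
 set pfs group2
crypto dynamic-map DYN-B 20
 match address 102
"""

def audit_dynamic_maps(config):
    """Return {(map_name, seq_num): [finding labels]} for every dynamic crypto map entry."""
    acls, entries, current = {}, {}, None
    for line in config.splitlines():
        acl = re.match(r"access-list (\S+) (.+)", line)
        dyn = re.match(r"crypto dynamic-map (\S+) (\d+)", line)
        if acl:
            acls.setdefault(acl.group(1), []).append(acl.group(2))
        if dyn:
            current = (dyn.group(1), int(dyn.group(2)))
            entries[current] = []
        elif line.startswith(" ") and current:
            entries[current].append(line.strip())
        else:
            current = None
    report = {}
    for key, cmds in entries.items():
        findings = []
        matched = [c.split()[2] for c in cmds if c.startswith("match address ")]
        if not matched:
            findings.append("NO_MATCH_ADDRESS")  # any proposed data flow identity is accepted
        for acl_id in matched:
            rules = acls.get(acl_id, [])
            if not rules:
                findings.append("ACL_MISSING_OR_EMPTY")  # router drops all packets
            elif any("any" in rule.split() for rule in rules):
                findings.append("ACL_USES_ANY")  # ACL also filters packets, review its scope
        if not any(c.startswith("set pfs") for c in cmds):
            findings.append("NO_PFS")  # optional per the guide; informational
        report[key] = findings
    return report
```

Calling audit_dynamic_maps(SAMPLE_CONFIG) returns one list of findings per entry; an empty list means the entry has a populated access list without any and requests PFS.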
