Configuring The Autopeer Option; About Perfect Forward Secrecy - HP Cisco MDS 9020 - Fabric Switch Configuration Manual

Cisco MDS 9000 Family CLI Configuration Guide, Release 3.x (OL-16184-01, April 2008)

Chapter 35
Configuring IPsec Network Security
Send documentation comments to mdsfeedback-doc@cisco.com
Crypto IPv4-ACLs

Figure 35-7 iSCSI with End-to-End IPsec Using the auto-peer Option
[Figure not reproduced. Labels: Host 1, Host 2, Host 3, Router, Subnet X, MDS A, iPSEC.]

Configuring the AutoPeer Option

To configure the auto-peer option, follow these steps:

Step 1
Command: switch# config terminal
         switch(config)#
Purpose: Enters configuration mode.

Step 2
Command: switch(config)# crypto map domain ipsec SampleMap 31
         ips-hac1(config-crypto-map-ip)#
Purpose: Places you in the crypto map configuration mode for the entry named SampleMap with 31 as its sequence number.

Step 3
Command: switch(config-crypto-map-ip)# set peer auto-peer
Purpose: Directs the software to select (during the SA setup) the destination peer IP address dynamically.
Command: switch(config-crypto-map-ip)# no set peer auto-peer
Purpose: Deletes the auto-peer configuration.

About Perfect Forward Secrecy

To specify SA lifetime negotiation values, you can also optionally configure the perfect forward secrecy (PFS) value in the crypto map.
The PFS feature is disabled by default. If you set the PFS group, you can set one of the DH groups: 1, 2, 5, or 14. If you do not specify a DH group, the software uses group 1 by default.
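The PFS defaults described above can be checked across saved configurations. The Python script below is an added example, not part of the Cisco guide: it reports crypto map entries that leave PFS disabled or that use a DH group below a minimum modulus size. Assumptions: sub-commands appear indented under the `crypto map domain ipsec` line, PFS is written as `set pfs`, `set pfs group14` or `set pfs group 14`, the 2048-bit minimum is a local policy choice, and the sample configuration is constructed.

```python
import re

# Modulus sizes of the DH (MODP) groups the guide lists (RFC 2409, RFC 3526).
DH_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048}
MAP_RE = re.compile(r"^crypto map domain ipsec (\S+) (\d+)$")
# Assumed sub-command syntax: "set pfs", "set pfs group14" or "set pfs group 14".
PFS_RE = re.compile(r"^set pfs(?:\s+group\s*(\d+))?$")

def audit_pfs(config_text, min_bits=2048):
    """Return {(map name, sequence): finding or None}; min_bits is an assumed policy."""
    groups, current = {}, None   # entry -> None (PFS off) or DH group number
    for raw in config_text.splitlines():
        line = raw.strip()
        header = MAP_RE.match(line)
        if header:
            current = (header.group(1), int(header.group(2)))
            groups.setdefault(current, None)   # PFS is disabled by default
        elif not raw[:1].isspace():
            current = None                     # unindented line ends the entry
        elif current is not None:
            pfs = PFS_RE.match(line)
            if pfs:
                # No group given: the software falls back to group 1.
                groups[current] = int(pfs.group(1) or 1)
    findings = {}
    for entry, group in groups.items():
        bits = DH_BITS.get(group, 0)
        if group is None:
            findings[entry] = "PFS disabled"
        elif bits < min_bits:
            findings[entry] = f"DH group {group} ({bits}-bit) is below {min_bits} bits"
        else:
            findings[entry] = None
    return findings

# Constructed sample configuration (not taken from a real switch).
SAMPLE = """\
crypto map domain ipsec SampleMap 31
  set peer auto-peer
crypto map domain ipsec SampleMap 32
  set peer auto-peer
  set pfs
crypto map domain ipsec SampleMap 33
  set pfs group14
"""

if __name__ == "__main__":
    for (name, seq), issue in audit_pfs(SAMPLE).items():
        print(name, seq, issue or "ok")
```

Entry 32 shows the case that is easy to miss: PFS is enabled, but with no group specified it runs on the group 1 default.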
