Motorola RFS7000 Series Reference Manual page 318

Rf switch

10-10
Overview
security-association – Use the set security-association lifetime command to define the lifetime (in kilobytes and/or seconds) of the IPSec SAs created by this crypto map.
• level(perhost) – Specify a security association granularity level for identities
• lifetime(kilobyte|seconds) – Security association lifetime.

session-key – Use the set session-key command to define the encryption and authentication keys for this crypto map.
• inbound – Use this keyword to define encryption keys for inbound traffic.
• outbound – Use this keyword to define encryption keys for outbound traffic.

inbound/outbound – Use this keyword to define encryption keys for inbound/outbound traffic.
• ah – Authentication header protocol.
• <256-4294967295> – Security Parameter Index (SPI) for Security Association
• esp – Encapsulating security payload protocol.
• <256-4294967295> – Security Parameter Index.

(ah|esp)
• cipher – Specify encryption/decryption key.
• authenticator <hex key data> – Specify authentication key.

transformset <name> – Use the set transform-set command to assign a transform-set to a crypto map.

Usage Guidelines

RFS7000(config-crypto-map)#set peer (name)
If no peer IP address is configured, the manual crypto map is not valid and not complete. A peer IP address is required for manual crypto maps. To change the peer IP address, the no set peer command must be issued first; then the new peer IP address can be configured.

RFS7000(config-crypto-map)#set pfs
If left at the default setting, no perfect forward secrecy (PFS) will be used during IPSec SA key generation. If PFS is specified, then the specified Diffie-Hellman Group exchange will be used for the initial and all subsequent key generation, thus providing no data linkage between prior keys and future keys.

RFS7000(config-crypto-map)#set security-association lifetime (kilobytes|seconds)
Values can be entered for this command in both kilobytes and seconds. Whichever limit is reached first will end the security association.

RFS7000(config-crypto-map)#set session-key (inbound|outbound)(ah|esp)
RFS7000(config-crypto-map)#set session-key (inbound|outbound) ah <hexkey data>
RFS7000(config-crypto-map)#set session-key (inbound|outbound) esp <SPI> cipher <hexdata key> authenticator <hexkey data>
The inbound local SPI (security parameter index) must equal the outbound remote SPI. The outbound local SPI must equal the inbound remote SPI. The key values are the hexadecimal representations of the keys. They are not true ASCII strings. Therefore, a key of 3031323334353637 represents "01234567".

RFS7000(config-crypto-map)#set transformset (name)
Crypto map entries do not directly contain the transform configuration for securing data. Instead, the crypto map is associated with transform sets which contain specific security algorithms.
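The SPI pairing and hex-key rules from the session-key usage guidelines can be checked offline before the commands are entered on both switches. The following is an added example, not code from the Motorola manual; the function names and the two sample configurations are constructed for illustration, and it covers only the ESP form of the command.

```python
import re

SPI_MIN, SPI_MAX = 256, 4294967295  # SPI range from the parameter table
# ESP form from the usage guidelines; hex keys must be whole bytes.
ESP_RE = re.compile(r"set session-key (inbound|outbound) esp (\d+) "
                    r"cipher ((?:[0-9A-Fa-f]{2})+) authenticator ((?:[0-9A-Fa-f]{2})+)$")

def parse_session_keys(config_text):
    """Return {direction: (spi, cipher_key, auth_key)} for one switch."""
    keys = {}
    for line in config_text.splitlines():
        m = ESP_RE.search(line.strip())
        if m:
            direction, spi, cipher, auth = m.groups()
            keys[direction] = (int(spi), bytes.fromhex(cipher), bytes.fromhex(auth))
    return keys

def looks_like_text(key):
    """True when every byte is printable ASCII (a typed string, not a random key)."""
    return all(0x20 <= b <= 0x7E for b in key)

def audit_pair(local_cfg, remote_cfg):
    """Check one switch's session keys against its peer's; return a list of problems."""
    local, remote = parse_session_keys(local_cfg), parse_session_keys(remote_cfg)
    problems = []
    for mine, theirs in (("inbound", "outbound"), ("outbound", "inbound")):
        if mine not in local or theirs not in remote:
            problems.append(f"missing local {mine} or remote {theirs} session key")
            continue
        (l_spi, l_cipher, l_auth), (r_spi, r_cipher, r_auth) = local[mine], remote[theirs]
        if not SPI_MIN <= l_spi <= SPI_MAX:
            problems.append(f"local {mine} SPI {l_spi} outside {SPI_MIN}-{SPI_MAX}")
        if l_spi != r_spi:
            problems.append(f"local {mine} SPI {l_spi} != remote {theirs} SPI {r_spi}")
        if (l_cipher, l_auth) != (r_cipher, r_auth):  # manual keying: both ends share the key
            problems.append(f"local {mine} keys differ from remote {theirs} keys")
        if looks_like_text(l_cipher) or looks_like_text(l_auth):
            problems.append(f"local {mine} key is printable ASCII in hex, not random")
    return problems

# Constructed sample configs; the first cipher key is the manual's "01234567" example.
SWITCH_A = ("set session-key inbound esp 300 cipher 3031323334353637 authenticator 9f1c04d2e87a5b6633aa10fe4c7d2b90\n"
            "set session-key outbound esp 301 cipher c4e19b07a25d83f6 authenticator 5be2710c9a44d38f6e01b7c2fa905d13\n")
SWITCH_B = ("set session-key inbound esp 302 cipher c4e19b07a25d83f6 authenticator 5be2710c9a44d38f6e01b7c2fa905d13\n"
            "set session-key outbound esp 300 cipher 3031323334353637 authenticator 9f1c04d2e87a5b6633aa10fe4c7d2b90\n")

if __name__ == "__main__":
    for problem in audit_pair(SWITCH_A, SWITCH_B):
        print(problem)
```

A key flagged as printable ASCII should be replaced with random bytes, for example from Python's secrets.token_hex, sized for the algorithms in the transform set.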
