ZyXEL Communications UAG Series User Manual page 179

Unified access gateway

UAG CLI Reference Guide

Table 104 crypto Commands: IPSec SAs (continued)

COMMAND / DESCRIPTION

crypto map rename map_name map_name
    Renames the specified IPSec SA (first map_name) to the specified name (second map_name).

crypto map map_name
    Selects the specified IPSec SA. The commands that follow are entered under it and apply to that SA.

activate
deactivate
    Activates or deactivates the specified IPSec SA.

adjust-mss {auto | <200..1500>}
    Sets the Maximum Segment Size (MSS) in bytes, that is, the largest amount of data carried in a single TCP segment or IP datagram over this VPN connection, or use auto to have the UAG set it automatically.

ipsec-isakmp policy_name
    Specifies the IKE SA for this IPSec SA and disables manual key.

encapsulation {tunnel | transport}
    Sets the encapsulation mode.

transform-set crypto_algo_esp [crypto_algo_esp [crypto_algo_esp]]
    Sets the active protocol to ESP and sets the encryption and authentication algorithms for each proposal (up to three).
    crypto_algo_esp: esp-null-md5 | esp-null-sha | esp-null-sha256 | esp-null-sha512 | esp-des-md5 | esp-des-sha | esp-des-sha256 | esp-des-sha512 | esp-3des-md5 | esp-3des-sha | esp-3des-sha256 | esp-3des-sha512 | esp-aes128-md5 | esp-aes128-sha | esp-aes128-sha256 | esp-aes128-sha512 | esp-aes192-md5 | esp-aes192-sha | esp-aes192-sha256 | esp-aes192-sha512 | esp-aes256-md5 | esp-aes256-sha | esp-aes256-sha256 | esp-aes256-sha512
    Note: the esp-null-* proposals provide integrity only and send the payload unencrypted. DES and MD5 are obsolete and 3DES is deprecated; prefer an AES proposal with SHA-256 or SHA-512 unless the peer cannot negotiate one.

transform-set crypto_algo_ah [crypto_algo_ah [crypto_algo_ah]]
    Sets the active protocol to AH and sets the authentication algorithm for each proposal (up to three). AH authenticates packets but does not encrypt them.
    crypto_algo_ah: ah-md5 | ah-sha | ah-sha256 | ah-sha512

scenario {site-to-site-static | site-to-site-dynamic | remote-access-server | remote-access-client}
    Selects the scenario that best describes the intended VPN connection.
    site-to-site-static: The remote IPSec router has a static IP address or a domain name. This UAG can initiate the VPN tunnel.
    site-to-site-dynamic: The remote IPSec router has a dynamic IP address. Only the remote IPSec router can initiate the VPN tunnel.
    remote-access-server: Allows incoming connections from IPSec VPN clients. The clients have dynamic IP addresses and are also known as dial-in users. Only the clients can initiate the VPN tunnel.
    remote-access-client: Connects to an IPSec server. This UAG is the client (dial-in user) and can initiate the VPN tunnel.

set security-association lifetime seconds <180..3000000>
    Sets the IPSec SA lifetime in seconds.

set pfs {group1 | group2 | group5 | none}
    Sets the Diffie-Hellman group used for Perfect Forward Secrecy (PFS) when the IPSec SA is re-keyed, or none to disable PFS.

local-policy address_name
    Sets the address object for the local policy (local network).

remote-policy address_name
    Sets the address object for the remote policy (remote network).

[no] policy-enforcement
    Drops traffic whose source and destination IP addresses do not match the local and remote policy. This makes the IPSec SA more secure. The no form allows traffic whose source and destination IP addresses do not match the local and remote policy.
    Note: You must allow traffic whose source and destination IP addresses do not match the local and remote policy if you want to use the IPSec SA in a VPN concentrator.
Chapter 34 IPSec VPN
179
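The commands in Table 104 are also what a reviewer sees when reading a UAG configuration back out. As an added example that is not part of the ZyXEL manual, the Python script below parses crypto map blocks written with those commands and flags the choices the table makes available but a practitioner should question: null, DES or 3DES encryption and MD5 authentication in a proposal, PFS disabled, policy enforcement disabled, and a very long SA lifetime. The two sample configurations in the block are constructed for this example; the map name branch-legacy, the IKE policy branch-ike, the address objects LAN_SUBNET and BRANCH_SUBNET, the exit keyword closing a block, the one-space sub-mode indentation and the 86400-second lifetime threshold are assumptions, not something this page documents.

```python
"""Audit ZyXEL UAG 'crypto map' blocks for weak IPSec SA settings.

Added example, not ZyXEL code. Reads the Table 104 sub-mode commands out
of a text configuration and reports settings a reviewer would question.
The 'exit' keyword and one-space indentation are assumed dump conventions.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

LEGACY_ENC = {"null", "des", "3des"}   # no confidentiality, or an obsolete cipher
LEGACY_AUTH = {"md5"}                  # obsolete integrity algorithm
MAX_LIFETIME = 86400                   # reviewer's threshold (assumption; CLI allows 180..3000000)


@dataclass
class CryptoMap:
    name: str
    esp: List[str] = field(default_factory=list)
    ah: List[str] = field(default_factory=list)
    pfs: Optional[str] = None
    lifetime: Optional[int] = None
    policy_enforcement: bool = True    # Table 104: enforcement drops non-matching traffic


def parse_crypto_maps(text: str) -> Dict[str, CryptoMap]:
    """Collect every crypto map block and the Table 104 commands entered under it."""
    maps: Dict[str, CryptoMap] = {}
    current: Optional[CryptoMap] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.fullmatch(r"crypto map (\S+)", line)
        if m:                                   # 'crypto map rename a b' does not match
            current = CryptoMap(m.group(1))
            maps[current.name] = current
            continue
        if line == "exit":                      # assumed block terminator
            current = None
            continue
        if current is None:
            continue
        parts = line.split()
        if parts[0] == "transform-set":         # one to three proposals, esp-* or ah-*
            current.esp += [a for a in parts[1:] if a.startswith("esp-")]
            current.ah += [a for a in parts[1:] if a.startswith("ah-")]
        elif parts[:2] == ["set", "pfs"] and len(parts) == 3:
            current.pfs = parts[2]
        elif parts[:4] == ["set", "security-association", "lifetime", "seconds"] and len(parts) == 5:
            current.lifetime = int(parts[4])
        elif parts == ["no", "policy-enforcement"]:
            current.policy_enforcement = False
        elif parts == ["policy-enforcement"]:
            current.policy_enforcement = True
    return maps


def audit(cm: CryptoMap, max_lifetime: int = MAX_LIFETIME) -> List[str]:
    """Return one finding per questionable setting; an empty list means clean."""
    findings: List[str] = []
    for algo in cm.esp:
        _, enc, auth = algo.split("-")          # esp-aes128-sha256 -> aes128, sha256
        if enc in LEGACY_ENC:
            findings.append(f"{algo}: null, DES or 3DES encryption")
        if auth in LEGACY_AUTH:
            findings.append(f"{algo}: MD5 authentication")
    for algo in cm.ah:
        _, auth = algo.split("-")               # ah-sha256 -> sha256
        if auth in LEGACY_AUTH:
            findings.append(f"{algo}: MD5 authentication")
    if cm.pfs == "none":
        findings.append("set pfs none: no Perfect Forward Secrecy")
    elif cm.pfs == "group1":
        findings.append("set pfs group1: 768-bit Diffie-Hellman group")
    if not cm.policy_enforcement:
        findings.append("no policy-enforcement: traffic outside the local/remote policy is allowed")
    if cm.lifetime is not None and cm.lifetime > max_lifetime:
        findings.append(f"lifetime {cm.lifetime}s exceeds {max_lifetime}s")
    return findings


def audit_config(text: str) -> Dict[str, List[str]]:
    return {name: audit(cm) for name, cm in parse_crypto_maps(text).items()}


# Constructed sample: the settings a reviewer would flag ...
WEAK_CONFIG = """\
crypto map branch-legacy
 scenario site-to-site-static
 ipsec-isakmp branch-ike
 encapsulation tunnel
 transform-set esp-des-md5 esp-3des-sha
 set pfs none
 set security-association lifetime seconds 3000000
 local-policy LAN_SUBNET
 remote-policy BRANCH_SUBNET
 no policy-enforcement
 activate
exit
"""

# ... and the same SA using the strong choices the same command table offers.
HARDENED_CONFIG = """\
crypto map branch-legacy
 scenario site-to-site-static
 ipsec-isakmp branch-ike
 encapsulation tunnel
 transform-set esp-aes256-sha256 esp-aes128-sha256
 set pfs group5
 set security-association lifetime seconds 28800
 local-policy LAN_SUBNET
 remote-policy BRANCH_SUBNET
 policy-enforcement
 activate
exit
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        for name, findings in audit_config(cfg).items():
            print(f"[{label}] {name}: {findings or 'no findings'}")
```

Run against the weak sample the audit reports six findings (two for esp-des-md5, one for esp-3des-sha, PFS off, enforcement off, lifetime); the hardened sample reports none. The parser deliberately ignores commands the audit does not judge (scenario, encapsulation, the policy address objects), so it can be pointed at a larger dump without choking on lines it does not model.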
