Motorola RFS6000 Reference Manual page 471

Crypto-map Instance
10-15
RFSwitch(config-crypto-map)#set pfs
If left at the default setting, no perfect forward secrecy (PFS) is used during IPSec SA key
generation. If PFS is specified, the specified Diffie-Hellman group exchange is used for the
initial (and all subsequent) key generations, so there is no data linkage between prior
keys and future keys.
RFSwitch(config-crypto-map)#set security-association lifetime (kilobytes|seconds)
Values can be entered in both kilobytes and seconds. Whichever limit is reached first ends
the security association.
RFSwitch(config-crypto-map)#set session-key [inbound|outbound]{ah|esp}
RFSwitch(config-crypto-map)#set session-key [inbound|outbound] ah <hexkey data>
RFSwitch(config-crypto-map)#set session-key [inbound|outbound] esp <SPI> cipher <hexdata key> authenticator <hexkey data>
The inbound local SPI (security parameter index) must equal the outbound remote SPI. The
outbound local SPI must equal the inbound remote SPI. The key values are the
hexadecimal representations of the keys. They are not true ASCII strings. Therefore, a key
of 3031323334353637 represents "01234567".
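The SPI and hex-key rules above can be checked before the keys are typed into both switches. The following is an added example, not part of the Motorola manual: the dict layout, field names and key values are constructed for illustration, and the check that both ends hold identical key bytes follows from manual keying in general rather than from this page.

```python
# Constructed sample data; the dict layout and field names are hypothetical,
# not RFS6000 output. Keys are hex strings, as the CLI expects.
PEER_A = {
    "inbound":  {"spi": 0x100, "cipher": "3031323334353637",
                 "auth": "9f1c2ab4d07e5513a6c8e2047bd9f360"},
    "outbound": {"spi": 0x200, "cipher": "c4a1f09b7e22d853",
                 "auth": "5be01773c9ad42f6881e3d5a0c64b7f2"},
}
# The remote peer mirrors the local one: its outbound SA is our inbound SA.
PEER_B = {"inbound": PEER_A["outbound"], "outbound": PEER_A["inbound"]}

def is_ascii_text(raw):
    """True when every key byte is a printable ASCII character."""
    return bool(raw) and all(0x20 <= b < 0x7F for b in raw)

def check_pair(local, remote):
    """Return a list of findings for one side of a manual-key ESP pair."""
    findings = []
    for here, there in (("inbound", "outbound"), ("outbound", "inbound")):
        loc, rem = local[here], remote[there]
        # Rule from the manual: local inbound SPI == remote outbound SPI, etc.
        if loc["spi"] != rem["spi"]:
            findings.append(f"{here} SPI {loc['spi']:#x} != remote {there} SPI {rem['spi']:#x}")
        for field in ("cipher", "auth"):
            try:
                raw = bytes.fromhex(loc[field])
            except ValueError:
                findings.append(f"{here} {field} key is not valid hex")
                continue
            # Manual keying has no negotiation, so both ends must hold the same bytes.
            if loc[field].lower() != rem[field].lower():
                findings.append(f"{here} {field} key differs from remote {there} key")
            # A key that decodes to readable text was probably typed as a
            # passphrase and carries far less entropy than its length suggests.
            if is_ascii_text(raw):
                findings.append(f"{here} {field} key is ASCII text {raw.decode('ascii')!r}")
    return findings

if __name__ == "__main__":
    for finding in check_pair(PEER_A, PEER_B):
        print(finding)
```

With the sample data, the only finding is the manual's own 3031323334353637 key, which decodes to readable text.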
RFSwitch(config-crypto-map)#set transformset name
Crypto map entries do not directly contain the transform configuration for securing data.
Instead, the crypto map is associated with transform sets, which contain specific security
algorithms.
If a transform set is not configured for a crypto map, the entry is incomplete and has no
effect. For manual key crypto maps, only one transform set can be specified.
Example
RFSwitch(config-crypto-map)#set localid hostname TestMapHost
RFSwitch(config-crypto-map)#


This manual is also suitable for:

Rfs7000
