Table of Contents
Advertisement
Chapter 13
IP Security
Add or Edit Crypto Map: General Panel
Name of IPSec Policy
Description
Sequence Number
Security Association Lifetime
Enable Perfect Forwarding Secrecy
OL-4015-08
Change general crypto map parameters in this window. This window contains the
following fields.
A read-only field that contains the name of the policy in which this crypto map is
used.
Enter or edit a description of the crypto map in this field. This description appears
in the VPN Connections list, and it can be helpful in distinguishing this crypto
map from others in the same IPSec policy.
A number that, along with the IPSec policy name, is used to identify a connection.
SDM generates a sequence number automatically. You can enter your own
sequence number if you wish.
IPSec security associations use shared keys. These keys, and their security
associations time out together. There are two lifetimes: a timed lifetime and a
traffic-volume lifetime. The security association expires when the first of these
lifetimes is reached.
You can use this field to specify a different security association lifetime for this
crypto map than the lifetime that is specified globally. You can specify the lifetime
in the number of kilobytes sent; in hours minutes and seconds; or both. If both are
specified, the lifetime will expire when the first criterion has been satisfied. The
maximum number of kilobytes you can specify is 4608000, and the maximum
time is 1 hour.
When security keys are derived from previously generated keys, there is a security
problem, because if one key is compromised, then the others can be compromised
also. Perfect Forwarding Secrecy (PFS) guarantees that each key is derived
Cisco Router and Security Device Manager Version 2.2 User's Guide
IPSec Policies
13-31
Advertisement
Table of Contents
Troubleshooting
