The Auto-Peer Option - Cisco DS-X9530-SF1-K9 - Supervisor-1 Module - Control Processor Configuration Manual


Chapter 30
Configuring IPsec Network Security
Send documentation comments to mdsfeedback-doc@cisco.com.
See the "Global Lifetime Values" section on page 30-22 for more information on global lifetime values.

To set the SA lifetime for a specified crypto map entry, follow these steps:

Step 1
  Command: switch# config terminal
           switch(config)#
  Purpose: Enters configuration mode.

Step 2
  Command: switch(config)# crypto map domain ipsec SampleMap 31
           ips-hac1(config-crypto-map-ip)#
  Purpose: Places you in crypto map configuration mode for the entry named SampleMap with 31 as its sequence number.

Step 3
  Command: switch(config-crypto-map-ip)# set security-association lifetime seconds 8640
  Purpose: Specifies an SA lifetime for this crypto map entry that differs from the global IPsec SA lifetime.

  Command: switch(config-crypto-map-ip)# no set security-association lifetime seconds 8640
  Purpose: Deletes the entry-specific configuration and reverts to the global settings.

Step 4
  Command: switch(config-crypto-map-ip)# set security-association lifetime kilobytes 2560
  Purpose: Configures the traffic-volume lifetime for this SA in kilobytes. The lifetime ranges from 2560 to 2147483647 kilobytes.

  Command: switch(config-crypto-map-ip)# set security-association lifetime gigabytes 4000
  Purpose: Configures the traffic-volume lifetime for this SA to time out after the specified amount of traffic (in gigabytes) has passed through the FCIP link using the SA. The lifetime ranges from 1 to 4095 gigabytes.

  Command: switch(config-crypto-map-ip)# set security-association lifetime megabytes 5000
  Purpose: Configures the traffic-volume lifetime for this SA in megabytes. The lifetime ranges from 3 to 4193280 megabytes.

  Command: switch(config-crypto-map-ip)# no set security-association lifetime megabytes
  Purpose: Reverts to the global settings.

The auto-peer Option

Setting the peer address as auto-peer in the crypto map indicates that the destination endpoint of the traffic should be used as the peer address for the SA. Using the same crypto map, a unique SA can be set up to each of the endpoints in the subnet specified by the crypto map's ACL entry. Auto-peer simplifies configuration when traffic endpoints are IPsec capable. It is particularly useful for iSCSI, where the iSCSI hosts in the same subnet do not require separate configuration.

Figure 30-4 shows a scenario where the auto-peer option can simplify configuration. Using the auto-peer option, only one crypto map entry is needed for all the hosts from subnet X to set up SAs with the switch. Each host will set up its own SA, but will share the crypto map entry. Without the auto-peer option, each host needs one crypto map entry.

Refer to Figure 30-6 on page 30-35 for more details.

Cisco MDS 9000 Family Configuration Guide
OL-6973-03, Cisco MDS SAN-OS Release 2.x
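The auto-peer behavior described in "The auto-peer Option", as an added Python model that is not part of the Cisco manual and is not switch code: it shows one auto-peer entry producing a unique SA per host in subnet X, against one fixed-peer entry per host. The class and function names, the first-match-by-sequence-number rule, and the addresses are assumptions made for the illustration.

```python
"""Illustrative model of crypto map peer selection with and without auto-peer."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

AUTO_PEER = "auto-peer"  # marker meaning "use the traffic destination as the peer"


@dataclass(frozen=True)
class CryptoMapEntry:      # hypothetical structure, not a SAN-OS data type
    seq: int               # sequence number of the entry within the crypto map
    acl_dst: str           # destination network permitted by the entry's ACL
    peer: str              # fixed peer IP address, or AUTO_PEER


def resolve_peer(entry, dst):
    """Return the SA peer for traffic to dst, or None if the ACL does not match."""
    if ip_address(dst) not in ip_network(entry.acl_dst):
        return None
    return dst if entry.peer == AUTO_PEER else entry.peer


def build_sas(entries, destinations):
    """Map each SA peer to the sequence number of the entry that produced it."""
    sas = {}
    for dst in destinations:
        for entry in sorted(entries, key=lambda e: e.seq):
            peer = resolve_peer(entry, dst)
            if peer is not None:
                sas.setdefault(peer, entry.seq)
                break  # assumption: the first matching entry is used
    return sas


# Constructed sample: three iSCSI hosts in subnet X and one host outside it.
SUBNET_X = "192.0.2.0/24"
HOSTS = ["192.0.2.10", "192.0.2.11", "192.0.2.12", "198.51.100.5"]

# With auto-peer, a single entry covers every host in the subnet.
with_auto = [CryptoMapEntry(31, SUBNET_X, AUTO_PEER)]
# Without auto-peer, each host needs its own entry naming it as the peer.
without_auto = [CryptoMapEntry(31 + i, f"{h}/32", h) for i, h in enumerate(HOSTS[:3])]
# A single fixed-peer entry over the whole subnet yields one SA to one peer only.
single_fixed = [CryptoMapEntry(31, SUBNET_X, "192.0.2.10")]

if __name__ == "__main__":
    cases = (("auto-peer", with_auto), ("per-host", without_auto), ("one fixed", single_fixed))
    for label, entries in cases:
        sas = build_sas(entries, HOSTS)
        print(f"{label}: {len(entries)} entries -> {len(sas)} SAs {sas}")
```

The host outside subnet X matches no ACL and gets no SA in any of the three cases, which is the behavior to confirm when auditing which endpoints a shared crypto map entry actually protects.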
