Juniper Media Flow Manager 2.0.2 Administrator's Guide and CLI Command Reference

Media Flow Manager Administrator's Guide

CHAPTER 5 CLI Commands

crypto

Media Flow Manager only. Configure IPSec cryptographic settings.

crypto ipsec peer <IP_address> local <IP_address> keying ike [preshared-key <string> | prompt-preshared-key]
    [mode {transport|tunnel}] [exchange-mode {main|aggressive|base}]
    [pfs_group <group #>] [lifetime <seconds>]
    [encrypt {3des|aes-cbc|none}] [auth {hmac-md5|hmac-sha1}]
no crypto ipsec peer <IP_address> local <IP_address>

Add an IPSec peering relationship to the address specified, using a specified local address; the no variant removes the relationship. This pair of IP addresses uniquely defines an IPSec peering entry. The IPSec peering relationship is keyed using IKE. Notes:

preshared-key | prompt-preshared-key — The specified preshared-key is used for the initial IKE exchange; it is used in the initial setup for both ESP (encapsulating security payload) and AH (authentication header). If prompt-preshared-key is chosen, the user is prompted for the preshared key rather than entering it on the command line.

mode — If transport is used, only the payload (the data you transfer) of the IP packet is encrypted and/or authenticated; this is used for host-to-host communications. If tunnel is used, the entire IP packet (data and IP header) is encrypted and/or authenticated; this is used to create Virtual Private Networks for network-to-network communications (e.g. between routers to link sites), host-to-network communications (e.g. remote user access), and host-to-host communications (e.g. private chat).

exchange-mode — Allows a gateway to download an IP address (and other network level configuration) to the client as part of an IKE negotiation. Choose aggressive for the highest security.

pfs_group — Enter an IPv4 address. If perfect forward secrecy (PFS) is specified in the IPSec policy, a new Diffie-Hellman exchange is performed with each quick mode, providing keying material that has greater entropy (key material life) and thereby greater resistance to cryptographic attacks. Each Diffie-Hellman exchange requires large exponentiations, thereby increasing CPU use and exacting a performance cost.

lifetime — The lifetime of the IKE SA (security association) in seconds.

encrypt — The encryption algorithm used can be specified as either 3des (for triple DES) (default), aes-cbc (for AES), or none (a.k.a. NULL encryption).

auth — The authentication method used can be specified as either hmac-md5 (MD5 HMAC variant) (default), or hmac-sha1 (SHA1 HMAC variant).

show crypto [configured]

Display various run-time cryptographic states. Use the configured subcommand to display various cryptographic settings.

There are many good references on IPSEC on the Internet; here's one: IPSec Overview Part Four: Internet Key Exchange (IKE).
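The following script is an example added to this page; it is not Juniper code and not part of the Media Flow Manager product. It parses a `crypto ipsec peer` / `no crypto ipsec peer` line against the syntax documented above, keeps entries in a dictionary keyed by the (peer, local) address pair that the reference says uniquely defines an entry, fills in the documented 3des and hmac-md5 defaults, and reports settings an operator would want to look at twice before committing them. The function names, the review findings and the sample addresses and keys are this example's own and are constructed for illustration.

```python
"""Parser and configuration check for the Media Flow Manager
`crypto ipsec peer` command as documented on this page.

Example added by the editor, not Juniper code: the grammar, the value
sets and the 3des / hmac-md5 defaults come from the command reference
above; the review() findings are this example's own reading of those
settings, and every sample command line here is constructed."""
import shlex

# Keyword -> permitted values, taken from the syntax line of the reference.
ENUMS = {
    "mode": {"transport", "tunnel"},
    "exchange-mode": {"main", "aggressive", "base"},
    "encrypt": {"3des", "aes-cbc", "none"},
    "auth": {"hmac-md5", "hmac-sha1"},
}
INTEGERS = {"pfs_group", "lifetime"}
DEFAULTS = {"encrypt": "3des", "auth": "hmac-md5"}  # the only documented defaults
PROMPTED = "<prompted>"  # marker: the key will be requested interactively


def parse_crypto_peer(line):
    """Parse one `[no] crypto ipsec peer ...` line.

    Returns ((peer_ip, local_ip), settings); settings is None for the
    `no` form. The (peer, local) pair is the entry's unique key."""
    toks = shlex.split(line)
    negate = bool(toks) and toks[0] == "no"
    if negate:
        toks = toks[1:]
    if toks[:3] != ["crypto", "ipsec", "peer"] or len(toks) < 6 or toks[4] != "local":
        raise ValueError("expected: [no] crypto ipsec peer <IP> local <IP> ...")
    key = (toks[3], toks[5])
    rest = toks[6:]
    if negate:
        if rest:
            raise ValueError("the no form takes only the peer and local addresses")
        return key, None
    if rest[:2] != ["keying", "ike"]:
        raise ValueError("'keying ike' is required")
    rest = rest[2:]
    settings = dict(DEFAULTS)
    # Exactly one of: preshared-key <string> | prompt-preshared-key
    if rest[:1] == ["prompt-preshared-key"]:
        settings["preshared-key"] = PROMPTED
        rest = rest[1:]
    elif len(rest) >= 2 and rest[0] == "preshared-key":
        settings["preshared-key"] = rest[1]
        rest = rest[2:]
    else:
        raise ValueError("preshared-key <string> or prompt-preshared-key is required")
    # The remaining options are optional keyword/value pairs in any order.
    for i in range(0, len(rest), 2):
        kw = rest[i]
        if i + 1 >= len(rest):
            raise ValueError(f"{kw} needs a value")
        val = rest[i + 1]
        if kw in ENUMS:
            if val not in ENUMS[kw]:
                raise ValueError(f"{kw} must be one of {sorted(ENUMS[kw])}, not {val!r}")
            settings[kw] = val
        elif kw in INTEGERS:
            if not val.isdigit():
                raise ValueError(f"{kw} must be a non-negative integer")
            settings[kw] = int(val)
        else:
            raise ValueError(f"unknown option {kw!r}")
    return key, settings


def apply_line(config, line):
    """Apply one command line to a dict keyed by (peer_ip, local_ip)."""
    key, settings = parse_crypto_peer(line)
    if settings is None:
        config.pop(key, None)          # `no` form removes the relationship
    else:
        config[key] = settings         # re-entering the same pair replaces it
    return config


def review(settings):
    """Return findings about weak or incomplete choices in one entry."""
    findings = []
    enc = settings["encrypt"]
    if enc == "none":
        findings.append("encrypt none: NULL encryption, ESP provides no confidentiality")
    elif enc == "3des":
        findings.append("encrypt 3des (the default): prefer aes-cbc")
    if settings["auth"] == "hmac-md5":
        findings.append("auth hmac-md5 (the default): prefer hmac-sha1")
    if "pfs_group" not in settings:
        findings.append("no pfs_group: quick-mode keys are derived without a fresh DH exchange")
    if settings["preshared-key"] != PROMPTED:
        findings.append("preshared key typed on the command line: use prompt-preshared-key "
                        "so it does not end up in command history or session logs")
    return findings


if __name__ == "__main__":
    cfg = {}
    apply_line(cfg, "crypto ipsec peer 192.0.2.10 local 192.0.2.1 keying ike "
                    "preshared-key s3cret mode tunnel")
    for key, entry in cfg.items():
        print(key, review(entry))
```

Feed it the lines from a planned configuration (or from `show crypto configured` output re-typed as commands) and act on the findings before the settings reach the device; an entry that uses aes-cbc, hmac-sha1, a pfs_group and a prompted key produces no findings.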
