Cisco ROUTER-SDM-CD User Manual page 375

Chapter 14 Enhanced Easy VPN
Transform Set Columns
Time Based IPSec SA Lifetime
Traffic Volume Based IPSec SA Lifetime
IPSec SA Idle Time
Perfect Forwarding Secrecy
OL-4015-12
Use the two columns at the top of the dialog to specify the transform sets that you
want to include in the profile. The left-hand column contains the transform sets
configured on the router. To add a configured tranform set to the profile, select it
and click the >> button. If there are no tranform sets in the left-hand column, or
if you need a transform set that has not been created, click Add and create the
transform set in the displayed dialog.
Click Time Based IPSec SA Lifetime if you want a new SA to be established
after a set period of time has elapsed. Enter the time period in the HH:MM:SS
fields to the right. The range is from 0:2:0 (2 minutes) to 24:0:0 (24 hours).
Click Traffic Volume Based IPSec SA Lifetime if you want a new SA to be
established after a specified amount of traffic has passed through the IPSec tunnel.
Enter the number of kilobytes that should pass through the tunnel before an
existing SA is taken down and a new one is established. The range is from 2560
KB to 536870912 KB.
Click IPSec SA Idle Time if you want a new SA to be established after the peer
has been idle for a specified amount of time. Enter the idle time period in the
HH:MM:SS fields to the right. The range is from 0:1:0 (one minute) to 24:0:0 (24
hours).
Click Perfect Forwarding Secrecy if IPSec should ask for perfect forward
secrecy (PFS) when requesting new security associations for this virtual template
interface, or should require PFS in requests received from the peer. You can
specify the following values:
group1—The 768-bit Diffie-Hellman prime modulus group is used to encrypt
•
the PFS request.
group2—The 1024-bit Diffie-Hellman prime modulus group is used to
•
encrypt the PFS request.
Cisco Router and Security Device Manager 2.5 User's Guide
14-9