Enterasys X-Pedition XSR CLI Cli Reference Manual page 570

Enterasys security router reference guide
Crypto Transform Mode Commands
Syntax of the "no" Form
The no form of the command deletes a transform-set:
no crypto ipsec transform-set transform-set-name
Mode
Global configuration: XSR(config)#
Next Mode
Crypto Transform configuration: XSR(cfg-crypto-tran)#
Example
The following example defines the transforms to apply for t-set1 SA negotiation:
XSR(config)#crypto ipsec transform-set t-set1 esp-3des esp-sha-hmac
set pfs
This command specifies that IPSec ask for Perfect Forward Secrecy (PFS) when requesting new Security Associations (SAs) for this crypto map entry, or that IPSec requires PFS when receiving requests for new SAs.
PFS is a security condition under which there is confidence that the compromise of a session's key will not lead to easier compromise of the key used in the next session (after the key is refreshed). When PFS is used, a session's keys are generated independently, so a key compromised in one session will not affect the keys used in subsequent sessions.
Syntax
set pfs [group1 | group2]
group1    Specifies that IPSec should use the 768-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange.
group2    Specifies that IPSec should use the 1024-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange.
Note: Due to the lack of an IETF standard, IKE Diffie-Hellman bit groups 2048, 3072, and 4096 are not enabled.
Syntax of the "no" Form
Use the no form of the command for IPSec not to request PFS:
no set pfs
Default
Disabled
14-116 Configuring the VPN
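As an added illustration of the PFS property described above (this is not code from the manual or from the XSR), the following Python models IKEv1 Quick Mode key derivation (RFC 2409 section 5.5) with and without the fresh Diffie-Hellman exchange that set pfs requests, and shows what a passive observer who records the exchange and later obtains the Phase 1 secret SKEYID_d can recover. The Diffie-Hellman group is a constructed toy group, not the page's group1 or group2 moduli, and the function names are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed toy Diffie-Hellman group for illustration only. It is NOT the
# page's group1 (768-bit) or group2 (1024-bit) MODP modulus.
TOY_P = 2**127 - 1   # a Mersenne prime; far too small for real use
TOY_G = 3

PROTO_IPSEC_ESP = 3  # IPsec DOI protocol identifier for ESP


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 PRF: HMAC over the negotiated hash (SHA-1 here, as in esp-sha-hmac)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def int_to_bytes(n: int) -> bytes:
    return n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")


def dh_keypair() -> Tuple[int, int]:
    """Fresh ephemeral exponent x and public value g^x mod p."""
    x = secrets.randbelow(TOY_P - 2) + 1
    return x, pow(TOY_G, x, TOY_P)


def quick_mode_keymat(skeyid_d: bytes, spi: bytes, ni: bytes, nr: bytes,
                      gxy: Optional[int] = None) -> bytes:
    """KEYMAT for one Quick Mode SA (RFC 2409 section 5.5).

    no PFS:  prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b)
    PFS:     prf(SKEYID_d, g(qm)^xy | protocol | SPI | Ni_b | Nr_b)
    """
    prefix = int_to_bytes(gxy) if gxy is not None else b""
    return prf(skeyid_d, prefix + bytes([PROTO_IPSEC_ESP]) + spi + ni + nr)


def negotiate_sa(skeyid_d: bytes, pfs: bool) -> Tuple[bytes, Dict, Optional[int]]:
    """Simulate one Quick Mode exchange.

    Returns the session key both peers derive, the transcript a passive
    observer records from the wire (SPI, nonces and, with PFS, the public
    DH values only), and the initiator's private exponent, which lives only
    in the initiator's memory and never appears on the wire.
    """
    wire = {"spi": secrets.token_bytes(4),
            "ni": secrets.token_bytes(16),
            "nr": secrets.token_bytes(16)}
    gxy, xi = None, None
    if pfs:
        xi, gxi = dh_keypair()   # initiator's KE payload
        xr, gxr = dh_keypair()   # responder's KE payload
        wire["gxi"], wire["gxr"] = gxi, gxr
        gxy = pow(gxr, xi, TOY_P)
        assert gxy == pow(gxi, xr, TOY_P)  # both sides agree on g^xy
    key = quick_mode_keymat(skeyid_d, wire["spi"], wire["ni"], wire["nr"], gxy)
    return key, wire, xi


def attacker_derive(skeyid_d: bytes, wire: Dict,
                    leaked_exponent: Optional[int] = None) -> bytes:
    """What an observer can compute after later obtaining SKEYID_d.

    Without PFS everything needed is on the wire. With PFS the observer holds
    only g^xi and g^xr; g^xy is out of reach unless an ephemeral exponent was
    also leaked (i.e. not zeroized after the exchange), so the best effort
    is to derive without it.
    """
    gxy = None
    if "gxr" in wire and leaked_exponent is not None:
        gxy = pow(wire["gxr"], leaked_exponent, TOY_P)
    return quick_mode_keymat(skeyid_d, wire["spi"], wire["ni"], wire["nr"], gxy)


def session_key_exposed(pfs: bool, exponent_leaks: bool = False) -> bool:
    """True if compromise of SKEYID_d exposes the recorded session's key."""
    skeyid_d = secrets.token_bytes(20)          # Phase 1 derivation secret
    key, wire, xi = negotiate_sa(skeyid_d, pfs)
    leaked = xi if exponent_leaks else None
    return attacker_derive(skeyid_d, wire, leaked) == key


if __name__ == "__main__":
    print("no PFS, SKEYID_d compromised -> key exposed:", session_key_exposed(False))
    print("PFS,    SKEYID_d compromised -> key exposed:", session_key_exposed(True))
    print("PFS, but ephemeral exponent also leaked     :", session_key_exposed(True, True))
```

The third case is the caveat that matters operationally: PFS only holds while the ephemeral exponents are discarded after each exchange, which is why the property depends on the router's key handling as much as on the negotiated group.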