Set Global Lifetimes For IPSec Security Associations; Specifying Traffic To Protect Using Crypto ACL - Motorola WS5100 Series Migration Guide

11-8 WS5100 Series Switch Migration Guide
2. Create a mode for data traffic.
WS5100(config-crypto-ipsec)# mode tunnel
NOTE: Set mode to tunnel if you are creating a transform set for site-to-site VPN. Set mode to transport if you are using remote VPN with a Windows XP client.

11.3.3.4 Set Global Lifetimes for IPSec Security Associations

The security association (and corresponding keys used to encrypt) will expire according to whichever occurs
sooner, either after the number of seconds has passed (specified by the seconds keyword) or after the
amount of traffic in kilobytes has passed (specified by the kilobytes keyword). A new security association is
negotiated before the lifetime threshold of the existing security association is reached, to ensure that a new
security association is ready for use when the old one expires.
You can change the global lifetime values which are used when negotiating new IPSec security associations.
(These global lifetime values can be overridden for a particular crypto map entry).
These lifetimes only apply to security associations established via IKE. Manually established security
associations do not expire.
There are two lifetimes: a "timed" lifetime and a "traffic-volume" lifetime. A security association expires
after the first of these lifetimes is reached. The default lifetimes are 3600 seconds (one hour) and 4,608,000
kilobytes.
If you change a global lifetime, the new lifetime value will not be applied to currently existing security
associations, but will be used in the negotiation of subsequently established security associations. If you
wish to use the new values immediately, you can clear all or part of the security association database.
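The expiry rules described above (timed lifetime versus traffic-volume lifetime, whichever is reached first; manual SAs never expiring; global changes applying only to subsequently negotiated SAs unless the database is cleared) can be made concrete in a small model. The following is an added illustration written for this page, not code from the WS5100 guide or the switch; the SPI values and the 0.9 rekey margin are constructed assumptions, while the default lifetimes are the ones the guide states.

```python
"""Model of IPSec security-association (SA) lifetime semantics as the guide describes them.
Added illustration, not code from the WS5100 guide. SPI values and the rekey margin are assumed."""
from dataclasses import dataclass
from typing import Dict, Optional

# Defaults given in the guide: 3600 seconds (one hour) and 4,608,000 kilobytes.
DEFAULT_LIFETIME_SECONDS = 3600
DEFAULT_LIFETIME_KILOBYTES = 4_608_000


@dataclass(frozen=True)
class Lifetimes:
    seconds: int = DEFAULT_LIFETIME_SECONDS
    kilobytes: int = DEFAULT_LIFETIME_KILOBYTES


@dataclass
class SecurityAssociation:
    """An IKE-negotiated SA keeps the lifetimes that were in force when it was negotiated."""
    spi: int
    lifetimes: Lifetimes
    manual: bool = False          # manually established SAs do not expire
    elapsed_seconds: int = 0
    kilobytes_passed: int = 0

    def expiry_reason(self) -> Optional[str]:
        """Return 'seconds' or 'kilobytes' for whichever limit was hit first, None if still valid."""
        if self.manual:
            return None
        if self.elapsed_seconds >= self.lifetimes.seconds:
            return "seconds"
        if self.kilobytes_passed >= self.lifetimes.kilobytes:
            return "kilobytes"
        return None

    def needs_rekey(self, margin: float = 0.9) -> bool:
        """A replacement SA is negotiated before the threshold is reached.
        The 0.9 margin is an assumption for this example, not a value from the guide."""
        if self.manual:
            return False
        return (self.elapsed_seconds >= margin * self.lifetimes.seconds
                or self.kilobytes_passed >= margin * self.lifetimes.kilobytes)


class SADatabase:
    """Holds the global lifetimes and the SAs negotiated under them."""

    def __init__(self, global_lifetimes: Lifetimes = Lifetimes()):
        self.global_lifetimes = global_lifetimes
        self.sas: Dict[int, SecurityAssociation] = {}

    def negotiate(self, spi: int, override: Optional[Lifetimes] = None) -> SecurityAssociation:
        """A new SA takes the current global values unless the crypto map entry overrides them."""
        sa = SecurityAssociation(spi=spi, lifetimes=override or self.global_lifetimes)
        self.sas[spi] = sa
        return sa

    def set_global_lifetimes(self, new: Lifetimes) -> None:
        """Changing the globals leaves existing SAs untouched; later negotiations pick them up."""
        self.global_lifetimes = new

    def clear(self) -> None:
        """Clearing the SA database forces fresh negotiation, so new lifetimes apply at once."""
        self.sas.clear()
```

The point the model makes explicit is the one operators most often trip over: after lowering a global lifetime, every SA already in the database keeps its old values until it expires on its own or the database is cleared.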

11.3.4 Specifying Traffic to Protect using Crypto ACL

The purpose of a crypto ACL is to define which traffic should be protected. A crypto ACL is essentially an extended
ACL made up of permit statements.
The following rule is implemented for incoming traffic:
• If the traffic matches a Crypto ACL, the switch applies the information in the appropriate crypto map
entry, to protect it.
• If the traffic does not match a Crypto ACL entry, the switch forwards the traffic normally.
Do not use the keyword any in a Crypto ACL for the source or destination address, as it treats all traffic from
the source/destination as protected traffic. This can cause connectivity problems. Be as specific as possible
about the traffic to be protected. This also reduces the encryption and decryption duration of traffic on the
switch.
NOTE: Unlike the firewall ACL, the Crypto ACL is applied to a crypto map and not on the
interface. The Crypto ACL does not take effect unless the crypto map set is applied to an
interface.
If the interface is enabled for NAT for outgoing traffic, then NAT is done first and then the ACL is applied. Thus,
the Crypto ACL should have the NATed address in the source address field of the ACL statement. For inbound
traffic, the router handles the IPSec part first and then NAT (if necessary).
NOTE: NAT and IPSec cannot be used together in WS5100.
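The matching rule for incoming traffic, the warning against any, and the NAT-before-ACL ordering for outbound traffic are easiest to see in a small classifier. The following is an added example written for this page, not code from the WS5100 guide or the switch: the addresses are constructed from documentation ranges, and the source-NAT step is modelled only to show why the ACL's source field must hold the translated address (the guide notes that NAT and IPSec are not combined on the WS5100 itself).

```python
"""Crypto ACL classification with the outbound NAT-then-ACL ordering.
Added example, not code from the WS5100 guide; addresses are constructed."""
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

ANY_NET = ipaddress.ip_network("0.0.0.0/0")


def parse_spec(spec: str) -> ipaddress.IPv4Network:
    """'any' or a CIDR/host string -> network. 'any' is the form the guide warns against."""
    return ANY_NET if spec == "any" else ipaddress.ip_network(spec, strict=False)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"


@dataclass(frozen=True)
class PermitEntry:
    """One extended-ACL permit line: protocol, source spec, destination spec."""
    src_spec: str
    dst_spec: str
    proto: str = "ip"

    def matches(self, pkt: Packet) -> bool:
        proto_ok = self.proto == "ip" or self.proto == pkt.proto
        return (proto_ok
                and ipaddress.ip_address(pkt.src) in parse_spec(self.src_spec)
                and ipaddress.ip_address(pkt.dst) in parse_spec(self.dst_spec))


class CryptoACL:
    def __init__(self, name: str, entries: List[PermitEntry]):
        self.name = name
        self.entries = entries

    def classify(self, pkt: Packet) -> str:
        """'protect' if a permit entry matches (the crypto map entry applies), else 'forward' normally."""
        return "protect" if any(e.matches(pkt) for e in self.entries) else "forward"

    def overly_broad_entries(self) -> List[PermitEntry]:
        """Config lint: entries using 'any' as source or destination treat all such traffic as protected."""
        return [e for e in self.entries if e.src_spec == "any" or e.dst_spec == "any"]


def source_nat(pkt: Packet, inside: str, nat_ip: str) -> Packet:
    """Overload NAT: hosts in `inside` leave with their source rewritten to nat_ip."""
    if ipaddress.ip_address(pkt.src) in ipaddress.ip_network(inside, strict=False):
        return replace(pkt, src=nat_ip)
    return pkt


def outbound(pkt: Packet, acl: CryptoACL, nat: Optional[Tuple[str, str]] = None) -> str:
    """Outbound order per the guide: NAT first (if enabled on the interface), then the crypto ACL."""
    if nat is not None:
        inside, nat_ip = nat
        pkt = source_nat(pkt, inside, nat_ip)
    return acl.classify(pkt)
```

Run against a site-to-site ACL written for 10.1.0.0/24 to 10.2.0.0/24, a packet to an unrelated public address is forwarded in the clear, whereas the same packet under an entry with destination any is pulled into the tunnel; and with source NAT to 198.51.100.1 in front of the ACL, only an entry whose source field names the translated address still matches.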