Cisco Tunnel Terminating Gateway (TTG)
Crypto Map IPSec Dynamic Configuration Mode Commands
set
Command Line Interface Reference, StarOS Release 16
control-dont-fragment { clear-bit | copy-bit | set-bit }
Controls the don't fragment (DF) bit in the outer IP header of the IPSec tunnel data packet. Options are:
clear-bit: Clears the DF bit from the outer IP header (sets it to 0).
copy-bit: Copies the DF bit from the inner IP header to the outer IP header. This is the default action.
set-bit: Sets the DF bit in the outer IP header (sets it to 1).
isakmp natt [ keepalive time ]
Enables IPSec NAT Traversal.
keepalive time: The time to keep the NAT connection alive, in seconds. time must be an integer from 1 through 3600.
pfs { group1 | group2 | group5 }
Specifies the modp Oakley group (also known as the Diffie-Hellman [D-H] group) that is used to determine the length of the base prime numbers that are used for Perfect Forward Secrecy (PFS).
group1: Diffie-Hellman Group1 (768-bit modp)
group2: Diffie-Hellman Group2 (1024-bit modp)
group5: Diffie-Hellman Group5 (1536-bit modp)
phase1-idtype { id-key-id | ipv4-address } [ mode { aggressive | main } ]
Sets the IKE negotiations Phase 1 payload identifier.
Default: ipv4-address
id-key-id: Use ID_KEY_ID as the Phase 1 payload identifier.
ipv4-address: Use IPV4_ADDR as the Phase 1 payload identifier.
mode { aggressive | main }: Specify the IKE mode.
phase2-idtype { ipv4-address | ipv4-address-subnet }
Sets the IKE negotiations Phase 2 payload identifier.
Default: ipv4-address-subnet
ipv4-address: Use IPV4_ADDR as the Phase 2 payload identifier.
ipv4-address-subnet: Use IPV4_ADDR_SUBNET as the Phase 2 payload identifier.
security-association lifetime { keepalive | kilo-bytes kbytes | seconds secs }
Defaults:
keepalive: Disabled
kilo-bytes: 4608000 kbytes
seconds: 28800 seconds
This keyword specifies the parameters that determine the length of time an IKE Security Association (SA) is active when no data is passing through a tunnel. When the lifetime expires, the tunnel is torn down. Whichever parameter is reached first expires the SA lifetime.
keepalive: The SA lifetime expires only when a keepalive message is not responded to by the far end.
kilo-bytes: This specifies the amount of data in kilobytes to allow through the tunnel before the SA lifetime expires; entered as an integer from 2560 through 4294967294.
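As an added illustration that is not part of this Cisco reference, the fragment below contrasts a weak set of choices with a stronger one using only the keywords documented above. The command that enters crypto map IPSec dynamic configuration mode is not on this page and is shown as a placeholder, and the "#" lines are explanatory comments, not StarOS syntax.

```text
# <enter crypto map IPSec dynamic configuration mode; the entry command is not shown on this page>

# Weak choices, shown for contrast:
#   set pfs group1            -> 768-bit MODP is far below current key-size guidance
#   set phase1-idtype ipv4-address mode aggressive
#                             -> aggressive mode sends identity material before the channel is protected

# Stronger choices using the same commands:
set pfs group5                                  # largest MODP group this command offers (1536-bit)
set phase1-idtype ipv4-address mode main        # main mode protects the Phase 1 identity exchange
set phase2-idtype ipv4-address-subnet           # the documented default
set security-association lifetime seconds 28800 # documented default; keeps the rekey interval explicit
set security-association lifetime kilo-bytes 4608000
set control-dont-fragment copy-bit              # default; preserves inner DF so path-MTU discovery still works
set isakmp natt keepalive 20                    # 20 s keepalive is within the documented 1..3600 range
```

Enabling the keepalive form of the SA lifetime in addition to the time and byte limits lets the tunnel be torn down promptly when the far end stops answering, rather than waiting for the byte or time limit to be reached.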