Patton electronic SmartNode 4110 Series User's Manual

Key management (IKE)
371
SmartWare Software Configuration Guide 
32 • VPN configuration
can optionally also specify a security association lifetime for IKE security associations. If the lifetime of the security association expires, IKE will automatically negotiate a new security association. The default lifetime for IPSEC security associations is one hour without any limit on the transmitted data volume. The parameters defined in this profile are used for the negotiation of IPSEC security associations in quick mode.
The following commands can be used to change the security association lifetime:
Mode: profile ipsec-transform <transform-name>

Step 1 (optional)
  Command: node(pf-ipstr)[ctx-name]# key-lifetime-seconds <seconds>
  Purpose: Define a new maximum lifetime of the security associations in seconds.
Step 2 (optional)
  Command: node(pf-ipstr)[ctx-name]# key-lifetime-kilobytes <kilobytes>
  Purpose: Define a new maximum lifetime of the security associations in kilobytes.

Creating an ISAKMP transform profile
To define which cryptographic transforms should be used to protect the negotiation of IPsec security association and the mutual authentication of the IPSEC peers, you need to create at least one ISAKMP transform profile. The parameters defined in this profile are used for the negotiation of ISAKMP security associations in main mode.
The following commands can be used to create and configure an ISAKMP transform profile:
Mode: configure

Step 1
  Command: node(cfg)# profile isakmp-transform <name>
  Purpose: Create the transform profile with the specified name and enter its configuration mode.
Step 2
  Command: node(pf-ikptr)[<name>]# authentication-algorithm md5|sha1
  Purpose: Define the authentication algorithm to be used, which can be either md5 or sha1.
Step 3
  Command: node(pf-ikptr)[<name>]# encryption des-cbc|3des-cbc|aes-cbc [key-length]
  Purpose: Define the encryption and optionally the length of the encryption keys in bits to be used.
Step 4 (optional)
  Command: node(pf-ikptr)[<name>]# key-lifetime-seconds <seconds>
  Purpose: Optionally, you can also change the default ISAKMP security association lifetime in seconds. The default lifetime is 1 day.
Step 5 (optional)
  Command: node(pf-ikptr)[<name>]# key-lifetime-sessions <sessions>
  Purpose: Optionally, you can also change the default ISAKMP security association lifetime in sessions. This is the maximum number of quick modes which can be created by the ISAKMP SA. By default there is no limit on the number of sessions.
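As an added example that is not part of the Patton guide, the session below enters the commands from the two tables above: first an ISAKMP profile built from the weakest choices the CLI accepts (des-cbc, md5, default lifetimes), then a hardened ISAKMP profile with AES-256, SHA-1 and tightened lifetimes, and an IPSEC transform profile whose lifetime is shortened and bounded by data volume. The profile names, the lifetime values, the `exit` command used to return to configure mode, the profile name shown in the pf-ipstr prompt, and the `profile ipsec-transform <name>` creation command (taken from the Mode line above) are assumptions, not values from the page.

```text
node(cfg)# profile isakmp-transform IKE-LEGACY
node(pf-ikptr)[IKE-LEGACY]# authentication-algorithm md5
node(pf-ikptr)[IKE-LEGACY]# encryption des-cbc
node(pf-ikptr)[IKE-LEGACY]# exit
node(cfg)# profile isakmp-transform IKE-AES256
node(pf-ikptr)[IKE-AES256]# authentication-algorithm sha1
node(pf-ikptr)[IKE-AES256]# encryption aes-cbc 256
node(pf-ikptr)[IKE-AES256]# key-lifetime-seconds 28800
node(pf-ikptr)[IKE-AES256]# key-lifetime-sessions 100
node(pf-ikptr)[IKE-AES256]# exit
node(cfg)# profile ipsec-transform ESP-AES256
node(pf-ipstr)[ESP-AES256]# key-lifetime-seconds 1800
node(pf-ipstr)[ESP-AES256]# key-lifetime-kilobytes 512000
node(pf-ipstr)[ESP-AES256]# exit
node(cfg)#
```

In IKE-AES256 the ISAKMP SA is renegotiated after 8 hours instead of the 1 day default and after at most 100 quick modes, while ESP-AES256 rekeys after 30 minutes or roughly 500 MB, adding the data-volume bound the page notes is absent by default. The ESP algorithms of the IPSEC transform profile are set with commands not shown on this page.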