1-37
Cisco ASA Series CLI Configuration Guide
 
Chapter 1      Configuring IPsec and ISAKMP
  Configuring IPsec
For example:
crypto dynamic-map dyn1 10 set security-association lifetime seconds 2700
This example shortens the timed lifetime for dynamic crypto map dyn1 10 to 2700 seconds (45 minutes). The traffic volume lifetime is not changed.
Step 4 (Optional) Specify that IPsec ask for PFS when requesting new SAs for this dynamic crypto map, or should demand PFS in requests received from the peer:
crypto dynamic-map dynamic-map-name dynamic-seq-num set pfs [group1 | group2 | group5 | group7]
Dynamic-map-name specifies the name of the crypto map entry that refers to a pre-existing dynamic crypto map. Dynamic-seq-num specifies the sequence number that corresponds to the dynamic crypto map entry.
For example:
crypto dynamic-map dyn1 10 set pfs group5
Step 5 Add the dynamic crypto map set into a static crypto map set.
Be sure to set the crypto maps referencing dynamic maps to be the lowest priority entries (highest sequence numbers) in a crypto map set.
crypto map map-name seq-num ipsec-isakmp dynamic dynamic-map-name
Map-name specifies the name of the crypto map set. Dynamic-map-name specifies the name of the crypto map entry that refers to a pre-existing dynamic crypto map.
For example:
crypto map mymap 200 ipsec-isakmp dynamic dyn1
Providing Site-to-Site Redundancy
You can define multiple IKEv1 peers by using crypto maps to provide redundancy. This configuration is useful for site-to-site VPNs. This feature is not supported with IKEv2.
If one peer fails, the ASA establishes a tunnel to the next peer associated with the crypto map. It sends data to the peer that it has successfully negotiated with, and that peer becomes the active peer. The active peer is the peer that the ASA keeps trying first for follow-on negotiations until a negotiation fails. At that point the ASA goes on to the next peer. The ASA cycles back to the first peer when all peers associated with the crypto map have failed.
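The following configuration is an added example, not taken from the Cisco guide, that puts Steps 4 and 5 and the redundancy description above together in one crypto map set: a static IKEv1 entry with two peers listed for failover, followed by the dynamic map dyn1 at the highest sequence number. All names, the access list, the transform set, the tunnel-group keys and the addresses (RFC 5737 documentation ranges) are assumed values.

```cisco
! Added example (not from the Cisco guide). Names, ACL, transform set and
! addresses are assumed; 203.0.113.0/24 addresses are documentation ranges.
!
! Transform set (ASA 8.4+ syntax) shared by the static and dynamic entries.
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
!
! Traffic to protect for the static site-to-site entry.
access-list SITE_B_VPN extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
!
! Dynamic crypto map dyn1 10: transform set, shortened timed lifetime
! (traffic volume lifetime unchanged), PFS demanded (Step 4).
crypto dynamic-map dyn1 10 set ikev1 transform-set ESP-AES256-SHA
crypto dynamic-map dyn1 10 set security-association lifetime seconds 2700
crypto dynamic-map dyn1 10 set pfs group5
!
! Static entry, seq-num 10 (lowest number = highest priority, tried first).
! Two peers: if 203.0.113.1 fails, the ASA negotiates with 203.0.113.2 and
! keeps that active peer until a negotiation fails; IKEv1 only.
crypto map mymap 10 match address SITE_B_VPN
crypto map mymap 10 set peer 203.0.113.1 203.0.113.2
crypto map mymap 10 set ikev1 transform-set ESP-AES256-SHA
crypto map mymap 10 set pfs group5
!
! Dynamic entry last, at the highest seq-num, so it is the lowest priority
! and only catches traffic no static entry claimed (Step 5).
crypto map mymap 200 ipsec-isakmp dynamic dyn1
!
! Bind the map set to the interface the peers reach, and enable IKEv1 there.
crypto map mymap interface outside
crypto ikev1 enable outside
!
! Each static IKEv1 peer needs its own tunnel-group and pre-shared key
! (placeholders below; use a distinct strong secret per peer).
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev1 pre-shared-key <PSK-PLACEHOLDER-PEER1>
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key <PSK-PLACEHOLDER-PEER2>
```

After applying it, show running-config crypto map confirms the entry order and show crypto ipsec sa shows which of the two peers currently holds the active SA.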
Viewing an IPsec Configuration
Table 1-6 lists commands that you can enter in either single or multiple context mode to view information about your IPsec configuration.