Cisco Preparative Procedures & Operational User Guide
© 2016 Cisco Systems, Inc. All rights reserved.
12) (Optional) Set IKE-SA lifetime in minutes:
set ike-rekey-time minutes
The minutes value can be any integer between 60-1440, inclusive.
13) (Optional) Set Child SA lifetime in minutes (30-480):
set esp-rekey-time minutes
The minutes value can be any integer between 30-480, inclusive.
14) (Optional) Set the number of retransmission sequences to perform during initial connect:
set keyringtries retry_number
The retry_number value can be any integer between 1-5, inclusive.
15) (Optional) Enable or disable the certificate revocation list check:
set revoke-policy [relaxed | strict]
16) Enable the connection:
set admin-state enable
17) Reload all connections:
reload-conns
18) (Optional) Add existing trustpoint name to IPsec:
create authority trustpoint_name
19) Configure the enforcement of matching cryptographic key strength between IKE and SA connections:
set sa-strength-enforcement [yes | no]
If SA enforcement is enabled (yes)
When IKE negotiated key size is less then ESP
negotiated key size, the connection fails.
When IKE negotiated key size is larger or equal to the
ESP negotiated key size, SA enforcement check passes
and the connection is successful.
If SA enforcement is disabled (no)
SA enforcement check automatically passes and the
connection is successful.
When CC mode is enabled, FXOS supports the following:
IKE version*: version 2
IPsec Mode: tunnel, transport
o set mode {tunnel |transport}
IKEv2 Mode*: main mode
IKEv2 Ciphers*:
o Encryption algorithms: AES-CBC-128, AES-CBC-256, AES-GCM-128
o Integrity algorithms: SHA-1
To Next Page
Loading...
Need help?
General
