Chapter 37
Configuring IPsec Network Security
Cisco MDS 9000 Family CLI Configuration Guide, OL-18084-01, Cisco MDS NX-OS Release 4.x, page 37-27 (section: Crypto IPv4-ACLs)

Step 3
  Command: switch(config-crypto-map-ip)# set peer auto-peer
  Purpose: Directs the software to select (during the SA setup) the destination peer IP address dynamically.

  Command: switch(config-crypto-map-ip)# no set peer auto-peer
  Purpose: Deletes the auto-peer configuration.

About Perfect Forward Secrecy

To specify SA lifetime negotiation values, you can also optionally configure the perfect forward secrecy (PFS) value in the crypto map.

The PFS feature is disabled by default. If you set the PFS group, you can set one of the DH groups: 1, 2, 5, or 14. If you do not specify a DH group, the software uses group 1 by default.

Configuring Perfect Forward Secrecy

To configure the PFS value, follow these steps:

Step 1
  Command: switch# config terminal
           switch(config)#
  Purpose: Enters configuration mode.

Step 2
  Command: switch(config)# crypto map domain ipsec SampleMap 31
           ips-hac1(config-crypto-map-ip)#
  Purpose: Places you in the crypto map configuration mode for the entry named SampleMap with 31 as its sequence number.

Step 3
  Command: switch(config-crypto-map-ip)# set pfs group 2
  Purpose: Specifies that IPsec should ask for PFS when requesting new SAs for this crypto map entry, or should demand PFS in requests received from the IPsec peer.

  Command: switch(config-crypto-map-ip)# no set pfs
  Purpose: Deletes the configured DH group and reverts to the factory default of disabling PFS.

About Crypto Map Set Interface Application

You need to apply a crypto map set to each interface through which IPsec traffic will flow. Applying the crypto map set to an interface instructs the switch to evaluate all the interface's traffic against the crypto map set and to use the specified policy during connection or SA negotiation on behalf of the traffic to be protected by crypto.

You can apply only one crypto map set to an interface. You can apply the same crypto map to multiple interfaces. However, you cannot apply more than one crypto map set to each interface.
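The PFS rules above (allowed DH groups 1, 2, 5 and 14; group 1 when "set pfs" is given without a group; PFS disabled unless set) and the one-crypto-map-set-per-interface rule lend themselves to an automated review of a saved configuration. The following Python linter is an added example, not code from this guide or from Cisco: it parses a constructed running-config fragment, and the interface-mode "crypto map domain ipsec <name>" line it expects is an assumed syntax for applying a set to an interface.

```python
import re

# DH groups the guide allows for PFS; "set pfs" with no group means group 1.
PFS_GROUPS = {1, 2, 5, 14}
# Constructed config fragment (not from the guide); interface-mode apply line is assumed syntax.
SAMPLE_CONFIG = """
crypto map domain ipsec SampleMap 31
  set peer auto-peer
  set pfs group 2
crypto map domain ipsec SampleMap 32
  set pfs
crypto map domain ipsec OtherMap 10
interface gigabitethernet 1/1
  crypto map domain ipsec SampleMap
interface gigabitethernet 1/2
  crypto map domain ipsec SampleMap
  crypto map domain ipsec OtherMap
"""

def parse_crypto_config(text):  # -> (maps[(name, seq)], interfaces[name] -> applied sets)
    maps, interfaces, cur_map, cur_if = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"crypto map domain ipsec (\S+) (\d+)", line):
            cur_map, cur_if = (m.group(1), int(m.group(2))), None
            maps.setdefault(cur_map, {"pfs": None, "auto_peer": False})
        elif m := re.fullmatch(r"interface (.+)", line):
            cur_if, cur_map = m.group(1), None
            interfaces.setdefault(cur_if, [])
        elif cur_map is not None:  # inside a crypto map entry
            if line == "set peer auto-peer":
                maps[cur_map]["auto_peer"] = True
            elif line == "set pfs":
                maps[cur_map]["pfs"] = 1  # no group given: software defaults to group 1
            elif m := re.fullmatch(r"set pfs group (\d+)", line):
                if int(m.group(1)) not in PFS_GROUPS:
                    raise ValueError(f"{cur_map}: PFS group {m.group(1)} is not valid")
                maps[cur_map]["pfs"] = int(m.group(1))
        elif cur_if is not None:  # inside an interface: record applied map sets
            if m := re.fullmatch(r"crypto map domain ipsec (\S+)", line):
                interfaces[cur_if].append(m.group(1))
    return maps, interfaces

def lint(text):  # findings a reviewer wants: PFS left disabled, >1 map set on an interface
    maps, interfaces = parse_crypto_config(text)
    findings = [f"{n} {s}: PFS disabled (default)"
                for (n, s), e in sorted(maps.items()) if e["pfs"] is None]
    findings += [f"{i}: {len(s)} crypto map sets applied, only one allowed"
                 for i, s in sorted(interfaces.items()) if len(s) > 1]
    return findings
```

Running lint(SAMPLE_CONFIG) flags OtherMap 10 for never enabling PFS and gigabitethernet 1/2 for carrying two crypto map sets, while SampleMap on both interfaces is accepted.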