
Cisco MDS 9000 Family Fabric Manager Configuration Guide
OL-6965-03, Cisco MDS SAN-OS Release 2.x
Chapter 29 IPsec and IKE
Modifying IKE and IPsec
Figure 29-6 iSCSI with End-to-End IPsec Using the Auto-Peer Option
SA Lifetime Negotiation
To specify SA lifetime negotiation values, you can optionally configure the lifetime value for a specified
crypto map. If you do, this value overrides the globally set values. If you do not specify a crypto
map-specific lifetime, the global value (or global default) is used.
Perfect Forward Secrecy
To specify SA lifetime negotiation values, you can also optionally configure the perfect forward
secrecy (PFS) value in the crypto map.
The PFS feature is disabled by default. If you set the PFS group, you can set one of the following DH
groups: 1, 2, 5, or 14. If you do not specify a DH group, the software uses group 1 by default.
Creating or Modifying Crypto Maps
When configuring crypto map entries, follow these guidelines:
• The sequence number for each crypto map decides the order in which the policies are applied. A
lower sequence number is assigned a higher priority.
• Only one ACL is allowed for each crypto map entry (the ACL itself can have multiple permit or deny
entries).
• When the tunnel endpoint is the same as the destination address, you can use the AutoPeer option
to dynamically configure the peer.
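
The following added example (not part of the Cisco guide, and not Cisco code) resolves the effective SA lifetime and PFS group for a set of crypto map entries using the precedence rules described above, and flags entries whose PFS setting falls below a local policy threshold. The CryptoMapEntry model, the ACL names, the global lifetime of 3600 seconds, and the 2048-bit threshold are assumptions made for illustration; the DH group sizes are those defined in RFC 2409 and RFC 3526.

```python
from dataclasses import dataclass
from typing import Optional

# MODP sizes in bits for the DH groups the guide lists (RFC 2409, RFC 3526).
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048}
DEFAULT_PFS_GROUP = 1   # group used when PFS is set without a DH group
MIN_DH_BITS = 2048      # assumed local policy threshold, not from the guide


@dataclass
class CryptoMapEntry:                  # hypothetical model, not a Cisco structure
    seq: int
    acl: str                           # exactly one ACL per entry
    lifetime_s: Optional[int] = None   # None -> inherit the global value
    pfs: bool = False                  # PFS is disabled by default
    pfs_group: Optional[int] = None    # None -> default group when PFS is on


def resolve(entries, global_lifetime_s):
    """Return effective settings per entry, in the order policies are applied."""
    out = []
    for e in sorted(entries, key=lambda x: x.seq):  # lower seq = higher priority
        group = None
        if e.pfs:
            group = e.pfs_group if e.pfs_group is not None else DEFAULT_PFS_GROUP
            if group not in DH_GROUP_BITS:
                raise ValueError(f"seq {e.seq}: unsupported DH group {group}")
        findings = []
        if group is None:
            findings.append("PFS disabled")
        elif DH_GROUP_BITS[group] < MIN_DH_BITS:
            findings.append(f"DH group {group} is {DH_GROUP_BITS[group]}-bit")
        own = e.lifetime_s is not None  # map-specific value overrides global
        out.append({
            "seq": e.seq, "acl": e.acl,
            "lifetime_s": e.lifetime_s if own else global_lifetime_s,
            "lifetime_source": "crypto map" if own else "global",
            "pfs_group": group, "findings": findings,
        })
    return out


# Constructed sample entries (names and values are illustrative only).
SAMPLE = [
    CryptoMapEntry(seq=20, acl="acl-b", pfs=True),
    CryptoMapEntry(seq=10, acl="acl-a", lifetime_s=1800, pfs=True, pfs_group=14),
    CryptoMapEntry(seq=30, acl="acl-c"),
]

if __name__ == "__main__":
    for row in resolve(SAMPLE, global_lifetime_s=3600):  # constructed global value
        print(row)
```
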
[Figure 29-6 (image not reproduced). Labels: MDS A, Router, Subnet X, Host 1, Host 2, Host 3, IPsec.]