8-61
Cisco Router and Security Device Manager Version 2.2 User's Guide
OL-4015-08
Chapter 8 Site-to-Site VPN
Edit Site-to-Site VPN
Security Association Lifetime
IPSec security associations use shared keys. These keys and their security
associations time out together. There are two lifetimes: a timed lifetime and a
traffic-volume lifetime. The security association expires when the first of these
lifetimes is reached.
You can use this field to specify a different security association lifetime for this
crypto map than the lifetime that is specified globally. You can specify the lifetime
in the number of kilobytes sent; in hours, minutes, and seconds; or both. If both
are specified, the lifetime expires when the first criterion is satisfied. The
maximum number of kilobytes you can specify is 4608000, and the maximum
time is 1 hour.
Kilobytes
Specify the number of kilobytes that can pass between IPSec peers using a given
security association before that security association expires.
HH:MM:SS
Specify the amount of time that the security association will live before expiring.
Enable Perfect Forwarding Secrecy
To enable PFS, check this box, and select Diffie-Hellman group1, group2, or
group5. When new security keys are derived from previously generated keys,
there is a security problem, because if one key is compromised, the keys derived
from it can be compromised as well. PFS guarantees that each key is derived
independently. PFS thus ensures that if one key is compromised, no other keys
will be compromised.
Note If your router does not support group5, it will not appear in the list.
Enable Reverse Route Injection
Click to enable Reverse Route Injection (RRI). Reverse Route Injection is used to
populate the routing table of an internal router running Open Shortest Path First
(OSPF) protocol or Routing Information Protocol (RIP) for remote VPN clients
or LAN-to-LAN sessions.
Reverse Route Injection dynamically adds static routes for the clients connected
to the Easy VPN server, so that those routes can be redistributed into the
internal routing protocol.
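The three settings described above (per-crypto-map security association lifetime, Perfect Forward Secrecy, and Reverse Route Injection) map directly onto Cisco IOS crypto map commands. The following configuration is an added example, not text from this guide and not the exact output SDM generates; the crypto map name, transform set name, access list name, peer address, and private networks are assumed placeholders. It shows a global lifetime, a crypto map that overrides it within the limits stated above (at most 4608000 kilobytes and at most 1 hour, whichever is reached first), PFS with Diffie-Hellman group 2, and RRI with the injected static route redistributed into OSPF so an internal router learns it.

```cisco
! Global IPsec SA lifetime: applies to every crypto map that does not set its own.
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
!
! Transform set and traffic selector (names and networks are assumed for this example).
crypto ipsec transform-set SDM-TS esp-aes 256 esp-sha-hmac
!
ip access-list extended SITE-TO-SITE-TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
crypto map SDM-CMAP 1 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set SDM-TS
 match address SITE-TO-SITE-TRAFFIC
 ! Per-crypto-map lifetime overriding the global values above.
 ! The SA is renegotiated as soon as either limit is reached.
 set security-association lifetime seconds 1800
 set security-association lifetime kilobytes 2560000
 ! Perfect Forward Secrecy: a fresh Diffie-Hellman exchange for every IPsec SA rekey,
 ! so a compromised key does not expose keys negotiated before or after it.
 set pfs group2
 ! Reverse Route Injection: install a static route to the remote protected network
 ! (10.2.2.0/24 here) whenever the SA for it is active.
 reverse-route
!
interface GigabitEthernet0/0
 crypto map SDM-CMAP
!
! Redistribute the RRI-injected static route so an internal OSPF router learns
! the path to the remote network through this VPN gateway.
router ospf 1
 redistribute static subnets
```

To confirm the values took effect, `show crypto ipsec sa` reports the remaining key lifetime of each SA in both kilobytes and seconds and shows whether PFS is in use, and `show ip route static` lists the route that RRI installed while the tunnel is up.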