Crypto Transform Mode Commands
XSR CLI Reference Guide 14-117
Mode
Crypto Transform configuration: XSR(cfg-crypto-tran)#
Example
This example selects PFS group 2 whenever a new SA is negotiated for crypto map ACMEmap:
XSR(config)#crypto map ACMEmap 7 ipsec-isakmp
XSR(config)#crypto ipsec transform-set t-set1 esp-3des esp-sha-hmac
XSR(cfg-crypto-tran)#set pfs group2

set security-association lifetime

This command sets the lifetime interval used when negotiating IPSec Security Associations (SAs).
Data passing through the XSR is encrypted using keys generated during the IKE exchange. The
lifetime of those keys may be defined in seconds or in the volume of data encrypted using
those keys. When that lifetime expires, new keys are generated and traffic continues to be passed
using the new keys.
Syntax
set security-association lifetime {seconds seconds | kilobytes kilobytes}
Syntax of the “no” Form
The no form of this command disables the specified lifetime metric. It does not reset the default:
no set security-association lifetime {seconds | kilobytes}
Default
3600 seconds with no limit on traffic volume.
Mode
Crypto Transform configuration: XSR(cfg-crypto-tran)#
Example
The following example sets the SA lifetime to 7,200 KBytes and disables the seconds parameter:
XSR(cfg-crypto-tran)#set security-association lifetime kilobytes 7200
XSR(cfg-crypto-tran)#no set security-association lifetime seconds
seconds    The interval an SA lives before expiring, ranging from 300 to 86,400,000 seconds.
kilobytes  The volume of traffic, in KBytes, that can pass between IPSec peers using a given
           SA before that SA expires, ranging from 1 MByte to 1000 GBytes.
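
Because the no form disables a metric rather than restoring its default, the active lifetime depends on the order of commands entered. The following offline audit helper is an added example, not part of the XSR guide or the device software: it replays lifetime commands from a saved configuration and reports which metrics remain active. The function name, the finding strings and the reading of the kilobytes range in binary units are assumptions.

```python
import re

# From the page: default is 3600 seconds with no limit on traffic volume.
DEFAULT_SECONDS = 3600
SECONDS_RANGE = (300, 86_400_000)
# Assumption: "1 MByte to 1000 GBytes" read in binary units, expressed in KBytes.
KBYTES_RANGE = (1024, 1000 * 1024 * 1024)

# Optional CLI prompt, optional "no", then the metric and (for the set form) a value.
CMD = re.compile(
    r"^(?:\S+#)?\s*(no\s+)?set security-association lifetime"
    r"\s+(seconds|kilobytes)(?:\s+(\d+))?$"
)

# The two commands from the page's example.
PAGE_EXAMPLE = [
    "XSR(cfg-crypto-tran)#set security-association lifetime kilobytes 7200",
    "XSR(cfg-crypto-tran)#no set security-association lifetime seconds",
]

def effective_lifetime(lines):
    """Replay lifetime commands in order; return (active metrics, findings)."""
    state = {"seconds": DEFAULT_SECONDS, "kilobytes": None}
    findings = []
    for raw in lines:
        m = CMD.match(raw.strip())
        if not m:
            continue  # not a lifetime command
        negated, metric, value = m.groups()
        if negated:
            # The "no" form disables the metric; it does not restore the default.
            state[metric] = None
        elif value is None:
            findings.append(f"missing value for {metric}")
        else:
            lo, hi = SECONDS_RANGE if metric == "seconds" else KBYTES_RANGE
            if lo <= int(value) <= hi:
                state[metric] = int(value)
            else:
                findings.append(f"{metric} {value} outside {lo}..{hi}")
    if state["seconds"] is None and state["kilobytes"] is None:
        findings.append("no lifetime metric active")
    return state, findings

if __name__ == "__main__":
    print(effective_lifetime(PAGE_EXAMPLE))
```

For the page's example the helper reports the seconds metric disabled and a 7200 KByte volume limit as the only rekey trigger.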