phase1-lifetime < 600–999999 >
    selects the length of time in seconds you want the Security Association to last before new authentication and encryption keys must be exchanged (between 600 and 999999 seconds, default 28800).

phase2-dh-group < 1 2 5 >
    selects the Diffie-Hellman group number for IKE phase 2.

phase2-encryption < null des-cbc 3des-cbc aes-cbc-128 aes-cbc-192 aes-cbc-256 >
    configures encryption for IKE phase 2. Some options are only valid on the High Encryption agent, which can be downloaded from the TMC.

phase2-integrity < none esp-sha1-hmac esp-md5-hmac ah-md5 ah-sha1 >
    configures integrity for IKE phase 2.

phase2-lifetime < 300–999999 >
    selects the length of time in seconds you want the Security Association to last before new authentication and encryption keys must be exchanged (between 300 and 999999 seconds, default 3600).

phase2-strict-id-check < enable disable >
    enables or disables strict ID checking.

phase2-zero-id < enable disable >
    enables IP subnet tunnels without specified local and remote IDs. When this option is enabled, administrators must control traffic through the routing configuration and firewall rules.

tight-phase2-control < enable disable >
    when enabled, improves interoperability with VPN devices that automatically delete all the phase 2 Security Associations when the phase 1 Security Association terminates.

remove name
    deletes an IKE proposal.
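As an added example that is not part of the CLI reference, the following Python helper audits a proposed set of IKE phase 2 settings against the option lists and lifetime ranges documented above, reporting values the CLI would not accept separately from accepted-but-weak choices (the weakness judgements and the dict-based representation are the example's own assumptions, not device behaviour):

```python
# Added example, not from the X Family CLI Reference: audits an IKE proposal
# (a dict keyed by the documented option names) against the documented values.

PHASE2_ENCRYPTION = {"null", "des-cbc", "3des-cbc",
                     "aes-cbc-128", "aes-cbc-192", "aes-cbc-256"}
PHASE2_INTEGRITY = {"none", "esp-sha1-hmac", "esp-md5-hmac", "ah-md5", "ah-sha1"}
PHASE2_DH_GROUPS = {1, 2, 5}
# option -> (minimum, maximum, default), as documented for each lifetime
LIFETIMES = {"phase1-lifetime": (600, 999999, 28800),
             "phase2-lifetime": (300, 999999, 3600)}
# Accepted by the device but offering no or weak protection (reviewer's judgement).
WEAK_ENCRYPTION = {"null", "des-cbc", "3des-cbc"}
WEAK_INTEGRITY = {"none", "esp-md5-hmac", "ah-md5"}


def audit_proposal(p):
    """Return (errors, warnings). Errors are values outside the documented
    option set or range; warnings are valid but weak or risky settings."""
    errors, warnings = [], []
    for opt, (lo, hi, default) in LIFETIMES.items():
        val = p.get(opt, default)  # an unset lifetime takes the documented default
        if not lo <= val <= hi:
            errors.append(f"{opt}={val} outside {lo}-{hi}")
    enc = p.get("phase2-encryption")
    if enc not in PHASE2_ENCRYPTION:
        errors.append(f"phase2-encryption={enc!r} is not a documented option")
    elif enc in WEAK_ENCRYPTION:
        warnings.append(f"phase2-encryption={enc} is weak; prefer aes-cbc-256")
    integ = p.get("phase2-integrity")
    if integ not in PHASE2_INTEGRITY:
        errors.append(f"phase2-integrity={integ!r} is not a documented option")
    elif integ in WEAK_INTEGRITY:
        warnings.append(f"phase2-integrity={integ} is weak; prefer esp-sha1-hmac")
    dh = p.get("phase2-dh-group")
    if dh not in PHASE2_DH_GROUPS:
        errors.append(f"phase2-dh-group={dh!r} is not a documented option")
    elif dh < 5:
        warnings.append(f"phase2-dh-group={dh} is small; prefer group 5")
    if p.get("phase2-zero-id") == "enable":
        warnings.append("phase2-zero-id enabled: traffic must be constrained "
                        "by routing configuration and firewall rules")
    return errors, warnings


# Constructed sample proposals: one weak, one hardened.
WEAK = {"phase2-encryption": "des-cbc", "phase2-integrity": "ah-md5",
        "phase2-dh-group": 1, "phase2-lifetime": 100, "phase2-zero-id": "enable"}
HARDENED = {"phase2-encryption": "aes-cbc-256", "phase2-integrity": "esp-sha1-hmac",
            "phase2-dh-group": 5, "phase1-lifetime": 28800, "phase2-lifetime": 3600,
            "phase2-zero-id": "disable", "phase2-strict-id-check": "enable"}
```

Running audit_proposal(WEAK) reports the out-of-range phase2-lifetime as an error and four warnings, while audit_proposal(HARDENED) returns no findings.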

 

 

 

Using conf t vpn ike

Configure local ID to be a domain name or email address

Use configure terminal vpn ike local-id to configure the local ID as a domain name or email address. In this example, the domain name is set as xyz.com and then the email address is set as jdoe@xyz.com:

hostname# conf t vpn ike local-id domain xyz.com

hostname# conf t vpn ike local-id email jdoe@xyz.com

X Family CLI Reference V 2.5.1
