Chapter 4

Configuration via the Command Line Interface

4.5.4 Set the Connection Security Descriptor Parameters

modify command

The ipsec connection descriptor modify command sets or modifies the connection descriptor parameters.

The Descriptors must match at both tunnel ends in order to have a successful outcome of the Phase 2 negotiation.

Example

In this example, the parameters of the previously defined Connection Security Descriptor cnctdes1 are set to the following values:

crypto = AES
key length = 128
integrity = HMAC-MD5
Perfect Forward Secrecy = disabled
lifetime secs = 3600
lifetime kbytes = 10000
Encapsulation mode = tunnel mode

[ipsec connection descriptor]=>modify
name = cnctdes1
[crypto] =
    DES
    3DES
    AES
    NULL
[crypto] = AES
keylen =
    192
    256
    128
keylen = 128
[integrity] =
    HMAC-MD5
    HMAC-SHA1
[integrity] = HMAC-MD5
[pfs] = disabled
[lifetime_secs] = 3600
[lifetime_kbytes] = 10000
[encapsulation] = tunnel
:ipsec connection descriptor modify name=cnctdes1 crypto=AES keylen=128 integrity=HMAC-MD5 lifetime_secs=3600 lifetime_kbytes=10000
[ipsec connection descriptor]=>

The parameters of the pre-defined descriptors can also be changed with the modify command. Use this feature, for example, if you want to change only the lifetime parameter.

The descriptors must match at both peers in order to have a successful outcome of the Phase 2 negotiation.
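The matching requirement above can be checked before a tunnel is brought up by comparing the one-line modify commands recorded on each peer. The following Python script is an added example, not part of the manual or the device software: PEER_A is the command echoed on this page, PEER_B is constructed sample input, and the WEAK review policy and the treatment of omitted parameters as unverified are assumptions of the example.

```python
import shlex

# Parameters prompted for by "modify" on this page; the descriptor name is local.
FIELDS = ("crypto", "keylen", "integrity", "pfs",
          "lifetime_secs", "lifetime_kbytes", "encapsulation")
# Review policy chosen for this example, not taken from the manual.
WEAK = {"crypto": {"DES", "NULL"}, "integrity": {"HMAC-MD5"}}

# Peer A is the command echoed on this page; peer B is constructed sample input.
PEER_A = (":ipsec connection descriptor modify name=cnctdes1 crypto=AES keylen=128 "
          "integrity=HMAC-MD5 lifetime_secs=3600 lifetime_kbytes=10000")
PEER_B = (":ipsec connection descriptor modify name=cnctdes1 crypto=AES keylen=128 "
          "integrity=HMAC-SHA1 lifetime_secs=3600 lifetime_kbytes=10000")


def parse_modify(line):
    """Parse ':ipsec connection descriptor modify k=v ...' into a dict."""
    tokens = shlex.split(line.strip().lstrip(":"))
    if tokens[:4] != ["ipsec", "connection", "descriptor", "modify"]:
        raise ValueError("not a descriptor modify command: %r" % line)
    params = {}
    for tok in tokens[4:]:
        key, sep, value = tok.partition("=")
        if not (sep and key and value):
            raise ValueError("malformed parameter: %r" % tok)
        params[key.lower()] = value.upper()
    return params


def compare(local, remote):
    """Classify each field as mismatched, unverified (omitted by a side) or weak."""
    report = {"mismatch": [], "unverified": [], "weak": []}
    for field in FIELDS:
        a, b = local.get(field), remote.get(field)
        if a is None or b is None:
            # Assumption: an omitted parameter keeps its current device value,
            # so the command line alone cannot prove the peers agree.
            report["unverified"].append(field)
        elif a != b:
            report["mismatch"].append((field, a, b))
        for value in {a, b} & WEAK.get(field, set()):
            report["weak"].append("%s=%s" % (field, value))
    return report


if __name__ == "__main__":
    print(compare(parse_modify(PEER_A), parse_modify(PEER_B)))
```

Any entry under mismatch is a difference between the two descriptors that the text above says prevents a successful Phase 2 negotiation; entries under unverified need to be read back from each device.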

E-DOC-CTC-20051017-0169 v0.1

Nortel Networks 608(WL), 620 manual Set the Connection Security Descriptor Parameters, Name = cnctdes1