crypto dynamic-map

crypto dynamic-map <dynamic-map-name> <dynamic-map-number>

disable

no ...

set pfs {group1|group2|group14|group19|group20}

set security-association lifetime kilobytes <kilobytes>

set security-association lifetime seconds <seconds>

set transform-set <name1> [[<name2>] [<name3>] [<name4>]]

version {v1|v2}

Description

This command configures a new or existing dynamic map.

Syntax

<dynamic-map-name>
    Name of the map.

<dynamic-map-number>
    Priority number of the map.
    Range: 1-10000
    Default: 10000

disable
    Disables the dynamic map.

no
    Negates a configured parameter.

set pfs
    Enables Perfect Forward Secrecy (PFS) mode. PFS refers to the condition in which the compromise of a current session key or long-term private key does not compromise past or subsequent keys. Use one of the following:
    group1: 768-bit Diffie-Hellman prime modulus group.
    group2: 1024-bit Diffie-Hellman.
    group14: 2048-bit Diffie-Hellman.
    group19: 256-bit random Diffie-Hellman ECP modulus group.
    group20: 384-bit random Diffie-Hellman ECP modulus group.
    Default: group1

set security-association lifetime seconds <seconds>
    Lifetime for the security association (SA) in seconds. An SA is the establishment of shared security attributes between two network entities to support secure communication.
    Range: 300-86400
    Default: 7200

set security-association lifetime kilobytes <kilobytes>
    Lifetime for the security association (SA) in kilobytes.
    Range: 1000-1000000000

set transform-set <name1> [[<name2>] [<name3>] [<name4>]]
    Name of the transform set for this dynamic map. You can specify up to four transform sets. You configure transform sets with the crypto ipsec transform-set command.
    Default: default-transform

version {v1|v2}
    Version of the Internet Key Exchange (IKE) protocol used to set up a security association (SA) in the IPsec (Internet Protocol security) protocol suite. IKE is a key management protocol used with IPsec to establish a secure communication channel. IPsec is a protocol suite for secure IP communications that authenticates and encrypts each IP packet in a communication session.
    v1: IKEv1 (Internet Key Exchange version 1). IKEv1 establishes a secure authenticated communication channel by using either a pre-shared key (shared secret), digital signatures, or public key encryption. IKEv1 operates in Main and Aggressive modes. See RFC 2409.
    v2: IKEv2 (Internet Key Exchange version 2). IKEv2 uses the secure channel established in Phase 1 to negotiate Security Associations on behalf of services such as IPsec. IKEv2 uses pre-shared key and Digital Signature for authentication. See RFC 4306.
    Default: v1

Usage Guidelines

Dynamic maps enable IPsec SA negotiations from dynamically addressed IPsec peers. Once you have defined a dynamic map, you can optionally associate that map with the default global map using the command crypto map global-map.

Example

The following command configures a dynamic map:

(host) [mynode] (config) #crypto dynamic-map dmap1 100

set pfs group2

set security-association lifetime seconds 300
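
The following audit sketch is an added example, not part of the original reference or of ArubaOS. It parses crypto dynamic-map stanzas using the syntax and defaults documented on this page and reports enabled maps that end up with a PFS group below 2048 bits or with IKE v1. The function names, the indented "!"-terminated config layout, and the choice of what counts as a finding are assumptions of the example.

```python
import re

# Finite-field PFS groups below 2048 bits, sizes as listed on this page.
WEAK_GROUPS = {"group1": "768-bit DH", "group2": "1024-bit DH"}
# Defaults from the page's parameter table, used when a stanza omits a setting.
DEFAULTS = {"pfs": "group1", "version": "v1"}
HEADER = re.compile(r"^crypto dynamic-map (\S+) (\d+)$")

# Constructed sample; the indented, "!"-terminated layout is an assumption.
SAMPLE = """\
crypto dynamic-map dmap1 100
  set pfs group2
  set security-association lifetime seconds 300
!
crypto dynamic-map dmap2 200
  version v2
  set pfs group14
!
crypto dynamic-map legacy 300
  version v2
"""

def parse_dynamic_maps(config_text):
    """Return {"name priority": settings} with the defaults filled in."""
    maps, current = {}, None
    for raw in config_text.splitlines():
        words, m = raw.split(), HEADER.match(raw.rstrip())
        if m:
            current = maps.setdefault(f"{m[1]} {m[2]}", dict(DEFAULTS))
        elif not raw[:1].isspace():
            current = None  # "!" or another top-level command ends the stanza
        elif current is not None and words[:-1] == ["set", "pfs"]:
            current["pfs"] = words[2]
        elif current is not None and words[:-1] == ["version"]:
            current["version"] = words[1]
        elif current is not None and words == ["disable"]:
            current["disabled"] = True
    return maps

def audit(config_text):
    """Return sorted (map, finding) pairs for enabled dynamic maps."""
    findings = []
    for name, s in parse_dynamic_maps(config_text).items():
        if s.get("disabled"):
            continue
        if s["pfs"] in WEAK_GROUPS:
            findings.append((name, f"pfs {s['pfs']} ({WEAK_GROUPS[s['pfs']]})"))
        if s["version"] == "v1":
            findings.append((name, "IKE v1"))
    return sorted(findings)
```

Calling audit(SAMPLE) flags dmap1 for both its explicit group2 and the inherited v1 default, and flags legacy because omitting set pfs leaves it on the documented group1 default.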

Related Commands

show crypto dynamic-map
    Displays IPsec dynamic map configurations.

Command History

Release: ArubaOS 8.0.0.0

Modification: Command introduced.

Command Information

Platforms: All platforms

Licensing: The group19 and group20 PFS options require the Advanced Cryptography (ACR) license. All other parameters are available in the base operating system.

Command Mode: Config mode on Mobility Master.
