PDN Gateway Configuration
Configuring Optional Features on the P-GW
Cisco ASR 5x00 Packet Data Network Gateway Administration Guide
encryption aes-cbc-128
group 2
hmac sha1-96
lifetime <sec>
prf sha1
end
Notes:
The encryption algorithm, aes-cbc-128, or Advanced Encryption Standard Cipher Block Chaining, is the default algorithm for IKEv2 transform sets configured on the system.
The group 2 command specifies the Diffie-Hellman algorithm as Group 2, indicating medium security. The Diffie-Hellman algorithm controls the strength of the crypto exponentials. This is the default setting for IKEv2 transform sets configured on the system.
The hmac command configures the Encapsulating Security Payload (ESP) integrity algorithm. The sha1-96 keyword uses a 160-bit secret key to produce a 160-bit authenticator value. This is the default setting for IKEv2 transform sets configured on the system.
The lifetime command configures the time the security key is allowed to exist, in seconds.
The prf command configures the IKE Pseudo-random Function which produces a string of bits that cannot be distinguished from a random bit string without knowledge of the secret key. The sha1 keyword uses a 160-bit secret key to produce a 160-bit authenticator value. This is the default setting for IKEv2 transform sets configured on the system.
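Because the notes above describe aes-cbc-128, group 2, sha1-96 and sha1 as defaults, a transform set that omits those lines still uses them. The Python check below is an added example, not part of the Cisco guide or of StarOS: it resolves a stanza against those defaults and flags values that RFC 8247 (IKEv2 algorithm requirements) rates SHOULD NOT or MUST-. The function names and the 86400-second lifetime ceiling are assumptions.

```python
# Added example: audit one transform-set stanza against the defaults in the notes.
# Ratings are from RFC 8247, not from the Cisco guide; MAX_LIFETIME is an
# assumed local policy value.
DEFAULTS = {"encryption": "aes-cbc-128", "group": "2",
            "hmac": "sha1-96", "prf": "sha1"}
RATINGS = {
    ("group", "2"): "1024-bit MODP group; RFC 8247 rates it SHOULD NOT",
    ("hmac", "sha1-96"): "SHA-1 based integrity; RFC 8247 rates it MUST-",
    ("prf", "sha1"): "SHA-1 based PRF; RFC 8247 rates it MUST-",
}
MAX_LIFETIME = 86400  # seconds (assumption)

def parse_transform_set(text):
    """Return (effective settings, keywords that fell back to the default)."""
    explicit = {}
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) == 2 and (parts[0] in DEFAULTS or parts[0] == "lifetime"):
            explicit[parts[0]] = parts[1]
    return {**DEFAULTS, **explicit}, set(DEFAULTS) - set(explicit)

def audit(text):
    """Return sorted findings for one transform-set stanza."""
    effective, implicit = parse_transform_set(text)
    findings = []
    for (keyword, value), reason in RATINGS.items():
        if effective[keyword] == value:
            origin = "default" if keyword in implicit else "explicit"
            findings.append(f"{keyword} {value} ({origin}): {reason}")
    lifetime = effective.get("lifetime")
    if lifetime is not None and not lifetime.isdigit():
        findings.append(f"lifetime {lifetime}: not a number of seconds")
    elif lifetime is not None and int(lifetime) > MAX_LIFETIME:
        findings.append(f"lifetime {lifetime}: above the {MAX_LIFETIME} s policy ceiling")
    return sorted(findings)

# Constructed sample: the keywords from the page with a made-up lifetime value.
SAMPLE = """
encryption aes-cbc-128
group 2
hmac sha1-96
lifetime 172800
prf sha1
end
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

An empty stanza produces the same three algorithm findings as the sample, marked `(default)` instead of `(explicit)`.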
Creating and Configuring a Crypto Map
The following example configures an IKEv2 crypto map:
configure
   context <pgw_context_name>
      crypto map <crypto_map_name> ikev2-ipv4
         match address <acl_name>
         peer <ipv4_address>
         authentication local pre-shared-key key <text>
         authentication remote pre-shared-key key <text>
         ikev2-ikesa transform-set list <name1> . . . <name6>
         payload <name> match ipv4
            lifetime <seconds>