Re: [FW-1] CiSCO Commands for "Use Perfect Forward Secrecy"
Specify that IPSec should ask for perfect forward secrecy (PFS) when requesting new security associations for this crypto map entry, or should require PFS in requests received from the peer:

    crypto map map-name seq-num
     set pfs [group1 | group2]

For example:

    crypto map mymap 10
     set pfs group2

This example specifies that PFS should be used whenever a new security association is negotiated for the crypto map "mymap 10." The 1024-bit Diffie-Hellman prime modulus group will be used when a new security association is negotiated using the Diffie-Hellman exchange.

-----Original Message-----
From: Chontzopoulos Dimitris [mailto:[email protected]]
Sent: Wednesday, October 22, 2003 12:24 PM
To: [email protected]
Subject: [FW-1] CiSCO Commands for "Use Perfect Forward Secrecy"

Hello gurus of the list,

This may be off-topic, so I apologize. I just have a quick question.

Is there a way to create a VPN tunnel between a CP VPN-1 v4.1 SP3 and a CiSCO Router by *enabling* "Use Perfect Forward Secrecy" of the Firewall? I have established a VPN tunnel, but I really don't know if there are appropriate commands for the CiSCO Router to support this feature.

Below are the commands I used on the CiSCO side:

    Access-list 101 permit ip ..xxx.xxx xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
    Access-list 101 permit ip xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
    Crypto isakmp policy 10
     authentication pre-share
     encryption des
     hash md5
     group 2
    Crypto isakmp key abcdefghij address xxx.xxx.xxx.xxx
    Crypto ipsec transform-set testset esp-des esp-md5-hmac
    Crypto map testmap 10 ipsec-isakmp
     set peer xxx.xxx.xxx.xxx
     set transform-set testset
     match address 101
    Interface Ethernet 0
     Crypto map testmap

Cheers,
Dimitris.
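Added example, not part of either message and not Cisco or Check Point code: a small Python check that reads a router configuration and lists the crypto map entries with no "set pfs" line, which is the mismatch to look for when the firewall side has "Use Perfect Forward Secrecy" enabled. It assumes "show running-config" style indentation; the sample configuration, its placeholder addresses, entry 20 and the function names are constructed for illustration.

```python
import re

# Constructed sample in "show running-config" layout (sub-commands indented).
# Addresses are RFC 5737 placeholders; entry 20 is hypothetical and carries
# the "set pfs group2" line from the reply.
SAMPLE_CONFIG = """\
crypto ipsec transform-set testset esp-des esp-md5-hmac
crypto map testmap 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set testset
 match address 101
crypto map testmap 20 ipsec-isakmp
 set peer 192.0.2.2
 set pfs group2
 set transform-set testset
 match address 102
interface Ethernet 0
 crypto map testmap
"""

ENTRY_RE = re.compile(r"^crypto\s+map\s+(\S+)\s+(\d+)\s+ipsec-isakmp\b", re.I)
PFS_RE = re.compile(r"^set\s+pfs(?:\s+(group\d+))?$", re.I)


def audit_pfs(config_text):
    """Map each (map_name, seq_num) crypto map entry to its PFS group or None."""
    results, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():
            # Top-level command: opens a crypto map entry or closes the last one.
            entry = ENTRY_RE.match(line)
            current = (entry.group(1), int(entry.group(2))) if entry else None
            if current:
                results.setdefault(current, None)
        elif current:
            pfs = PFS_RE.match(line)
            if pfs:
                # Bare "set pfs" names no group; record it as "default".
                results[current] = (pfs.group(1) or "default").lower()
    return results


def missing_pfs(config_text):
    """Return the crypto map entries that never request or require PFS."""
    return sorted(k for k, v in audit_pfs(config_text).items() if v is None)
```

Calling missing_pfs() on the sample returns only entry 10, the one shaped like the configuration in the original message.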
=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [email protected] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [email protected]
=================================================