TMS zl Management and Configuration Guide ST.1.1.100226

A-140
Command-Line Reference
IPsec Policy Context
preview. Before you apply the IPsec policy, you should preview it to make
sure that everything is correct. To preview your policy, enter the following
command from any IPsec policy context:
Syntax: preview
The command is also available from other contexts accessed through the
IPsec policy context.
pfs. Using PFS (Perfect Forward Secrecy) for keys forces the tunnel endpoints to generate new keys for the IPsec SA.
To enable PFS, enter the following command:
Syntax: pfs enable dh-group <group1-768 | group2-1024 | group5-1536>
The group determines the size of the Diffie-Hellman prime modulus used during the
exchange (768, 1024, or 1536 bits). The larger the prime, the stronger the key
generated by the exchange.
To disable PFS, enter the following command:
Syntax: no pfs enable
sa-lifetime. The sa-lifetime command determines how long the IPsec SA remains
open.
Syntax: sa-lifetime seconds <seconds> kilobytes <kilobytes>
Replace <seconds> with the number of seconds that you want the SA to remain
open. Type a value between 300 (5 minutes) and 86400 (24 hours), or type 0 if
you do not want to specify a lifetime in seconds (in that case, you must specify
a lifetime in kilobytes).
Replace <kilobytes> with the number of kilobytes of traffic that the SA can
handle. Type a value between 2560 and 4194304, or type 0 if you do not want to
specify a lifetime in kilobytes (in that case, you must specify a lifetime in
seconds).
When the lifetime of the SA reaches 80 percent of the total lifetime (in seconds
or kilobytes, whichever comes first), the TMS zl Module checks whether the
SA has experienced any activity. If it has, the module negotiates a new SA and
then deletes the old SA. If the SA is inactive, the module waits for the complete
lifetime to expire. Then, if the SA is still inactive, the module deletes the SA.
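As an added example (not part of the guide or the TMS zl software), the following Python models the 80-percent rekey check and full-expiry deletion described above, together with the value ranges the sa-lifetime command accepts. The function names and the active flag are assumptions; the module's real behaviour when an idle SA becomes active again after the 80-percent check is not described in the guide and is marked as an assumption in the code.

```python
# Added example: models the sa-lifetime rekey/expiry rules from the guide.
# Function names and the 'active' flag are assumptions, not TMS zl APIs.

REKEY_CHECKPOINT = 0.80  # the module checks the SA at 80 percent of its lifetime


def sa_lifetime_is_valid(seconds: int, kilobytes: int) -> bool:
    """Ranges accepted by 'sa-lifetime seconds <s> kilobytes <kb>' (0 = not specified)."""
    if seconds == 0 and kilobytes == 0:
        return False  # at least one limit must be given
    if seconds != 0 and not 300 <= seconds <= 86400:
        return False
    if kilobytes != 0 and not 2560 <= kilobytes <= 4194304:
        return False
    return True


def lifetime_consumed(seconds: int, kilobytes: int, elapsed_s: int, used_kb: int) -> float:
    """Fraction of the SA lifetime used; whichever limit is nearer expiry wins."""
    fractions = []
    if seconds:
        fractions.append(elapsed_s / seconds)
    if kilobytes:
        fractions.append(used_kb / kilobytes)
    return max(fractions)


def sa_action(seconds: int, kilobytes: int, elapsed_s: int, used_kb: int, active: bool) -> str:
    """Return 'keep', 'rekey' or 'delete' for the current state of one IPsec SA."""
    if not sa_lifetime_is_valid(seconds, kilobytes):
        raise ValueError("invalid sa-lifetime values")
    consumed = lifetime_consumed(seconds, kilobytes, elapsed_s, used_kb)
    if consumed >= 1.0:
        # Full lifetime reached: the guide says an SA that is still idle is deleted.
        # Assumption: an SA that became active after the 80% check is renegotiated.
        return "rekey" if active else "delete"
    if consumed >= REKEY_CHECKPOINT:
        # 80% checkpoint: an active SA is renegotiated, an idle one waits for expiry
        return "rekey" if active else "keep"
    return "keep"


if __name__ == "__main__":
    # Constructed sample: the guide's 28800-second / 500,000-kilobyte lifetime
    for elapsed_s, used_kb, active in [(1000, 1000, True), (24000, 10, True),
                                       (100, 450000, False), (28800, 0, False)]:
        print(elapsed_s, used_kb, active, "->", sa_action(28800, 500000, elapsed_s, used_kb, active))
```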
For example, to set the SA to expire in 28800 seconds or after handling 500,000
kilobytes, enter the following command: