Cisco MDS 9000 Series Configuration Manual page 211

Configuring IPSec Network Security
Names an ACL to determine which traffic should be protected and not protected by IPsec in the context of
this crypto map entry.
Step 6
switch(config-crypto-map-ip)# no match address SampleAcl
(Optional) Deletes the matched address.
Step 7 switch(config-crypto-map-ip)# set peer 10.1.1.1
Configures a specific peer IPv4 address.
Note
Step 8
switch(config-crypto-map-ip)# no set peer 10.1.1.1
(Optional) Deletes the configured peer.
Step 9 switch(config-crypto-map-ip)# set transform-set SampleTransform1 SampleTransmfor2
Specifies which transform sets are allowed for the specified crypto map entry or entries. List multiple transform
sets in order of priority (highest priority first).
Step 10 switch(config-(crypto-map-ip))# no set transform-set
(Optional) Deletes the association of all transform sets (regardless of you specifying a transform set name).
About SA Lifetime Negotiation
You can override the global lifetime values (size and time) by configuring an SA-specific lifetime value.
To specify SA lifetime negotiation values, you can optionally configure the lifetime value for a specified
crypto map. If you do, this value overrides the globally set values. If you do not specify the crypto map specific
lifetime, the global value (or global default) is used.
See the
Setting the SA Lifetime
To set the SA lifetime for a specified crypto map entry, follow these steps:
Procedure
Step 1 switch# configure terminal
switch(config)#
Enters configuration mode.
Step 2
switch(config)# crypto map domain ipsec SampleMap 31
switch(config-crypto-map-ip)#
Enters crypto map configuration submode for the entry named SampleMap with 31 as its sequence number.
IKE only supports IPv4 addresses, not IPv6 addresses.
Global Lifetime Values, on page 197 for more information on global lifetime values.
Cisco MDS 9000 Series Security Configuration Guide, Release 8.x
About SA Lifetime Negotiation
193