Cisco MDS 9000 Series Configuration Manual page 212

Security

Step 3
switch(config-crypto-map-ip)# set security-association lifetime seconds 8640
Specifies an SA lifetime for this crypto map entry, overriding the global IPsec SA lifetimes for this entry.
Step 4
switch(config-crypto-map-ip)# no set security-association lifetime seconds 8640
(Optional) Deletes the entry-specific configuration and reverts to the global settings.
Step 5
switch(config-crypto-map-ip)# set security-association lifetime gigabytes 4000
Configures the traffic-volume lifetime for this SA so that it times out after the specified amount of traffic (in gigabytes)
has passed through the FCIP link using the SA. The lifetime ranges from 1 to 4095 gigabytes.
About the AutoPeer Option
Setting the peer address as auto-peer in the crypto map indicates that the destination endpoint of the traffic
should be used as the peer address for the SA. Using the same crypto map, a unique SA can be set up at each
of the endpoints in the subnet specified by the crypto map's IPv4-ACL entry. Auto-peer simplifies configuration
when traffic endpoints are IPsec capable. It is particularly useful for iSCSI, where the iSCSI hosts in the same
subnet do not require separate configuration.
Figure 15: iSCSI with End-to-End IPsec Using the auto-peer Option, on page 195 shows a scenario where the
auto-peer option can simplify configuration. Using the auto-peer option, only one crypto map entry is needed
for all the hosts from subnet X to set up SAs with the switch. Each host will set up its own SA, but will share
the crypto map entry. Without the auto-peer option, each host needs one crypto map entry.
See Sample iSCSI Configuration, on page 208 for more details.
Configuring IPSec Network Security
Cisco MDS 9000 Series Security Configuration Guide, Release 8.x
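The following is an added example, not code from the Cisco guide: a Python check for an offline crypto map template that flags traffic-volume lifetimes outside the 1 to 4095 gigabyte range given in Step 5 and groups of per-host entries that a single auto-peer entry could replace. The sample configuration, map names and addresses are constructed, and the `crypto map domain ipsec`, `match address` and `set peer` line syntax is an assumption not shown on this page.

```python
import re
from collections import defaultdict

# Constructed template; NX-OS syntax beyond the page's commands is assumed.
SAMPLE_CONFIG = """\
crypto map domain ipsec HostMap 10
  match address IscsiSubnetX
  set peer 10.10.100.231
crypto map domain ipsec HostMap 20
  match address IscsiSubnetX
  set peer 10.10.100.232
  set security-association lifetime gigabytes 5000
crypto map domain ipsec AutoMap 10
  match address IscsiSubnetX
  set peer auto-peer
"""

ENTRY = re.compile(r"crypto map domain ipsec (\S+) (\d+)$")
GB = re.compile(r"set security-association lifetime gigabytes (\d+)$")

def parse_entries(text):
    """Return one dict per crypto map entry (name, seq, acl, peer, gigabytes)."""
    entries = []
    for line in map(str.strip, text.splitlines()):
        if m := ENTRY.match(line):
            entries.append({"name": m[1], "seq": int(m[2]),
                            "acl": None, "peer": None, "gigabytes": None})
        elif not entries:
            continue  # ignore lines before the first crypto map entry
        elif line.startswith("match address "):
            entries[-1]["acl"] = line.split()[-1]
        elif line.startswith("set peer "):
            entries[-1]["peer"] = line.split()[-1]
        elif m := GB.match(line):
            entries[-1]["gigabytes"] = int(m[1])
    return entries

def audit(entries):
    """Flag volume lifetimes outside 1-4095 GB and per-host entries auto-peer could replace."""
    findings, per_host = [], defaultdict(list)
    for e in entries:
        gb = e["gigabytes"]
        if gb is not None and not 1 <= gb <= 4095:  # range stated on the page
            findings.append(f"{e['name']} {e['seq']}: {gb} GB outside 1-4095")
        if e["peer"] not in (None, "auto-peer"):
            per_host[(e["name"], e["acl"])].append(e["seq"])
    for (name, acl), seqs in per_host.items():
        if len(seqs) > 1:
            findings.append(f"{name}: {len(seqs)} per-host entries match {acl}")
    return findings
```

Running `audit(parse_entries(SAMPLE_CONFIG))` reports the out-of-range lifetime on HostMap 20 and the two HostMap entries that share one IPv4-ACL, while the AutoMap entry produces no finding.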
