crypto-local ipsec-map
Dell PowerConnect W-Series ArubaOS 6.1 CLI Reference Guide
Syntax
Parameter / Description / Range / Default

<map>
    Name of the IPsec map.

<priority>
    Priority of the entry.
    Range: 1-9998

dst-net
    IP address and netmask for the destination network.

force-natt
    Include this parameter to always enforce UDP 4500 for IKE and IPsec
    (NAT traversal encapsulation is used even when no NAT is detected).
    Default: disabled

no
    Negates a configured parameter.

local-fqdn <local_id_fqdn>
    If the local controller has a dynamic IP address, you must specify the
    fully qualified domain name (FQDN) of the controller to configure it as
    an initiator of IKE aggressive mode.

peer-cert-dn <peer-dn>
    If you are using IKEv2 to establish a site-to-site VPN to a statically
    addressed remote peer, identify the peer device by entering its
    certificate subject name (the value shown as the Peer Certificate
    Subject Name field in the WebUI).

peer-ip <ipaddr>
    If you are using IKEv1 to establish a site-to-site VPN to a statically
    addressed remote peer, identify the peer device by entering the IP
    address of the peer gateway.
    NOTE: If you are configuring an IPsec map for a static-IP controller
    with a dynamically addressed remote peer, you must leave the peer
    gateway set to its default value of 0.0.0.0.

peer-fqdn
    For site-to-site VPNs with dynamically addressed peers, specify a fully
    qualified domain name (FQDN) for the controller.
    Range: any-fqdn, fqdn-id
    Default: any-fqdn

    any-fqdn
        If the controller is defined as a dynamically addressed responder,
        select any-fqdn to make the controller a responder for all VPN peers.

    fqdn-id <peer-id-fqdn>
        Specify the FQDN of a peer to make the controller a responder for
        one specific initiator only.

pre-connect
    Enables or disables pre-connection.
    Range: enable, disable
    Default: disabled

set ca-certificate <cacert-name>
    User-defined name of a trusted CA certificate installed in the
    controller. Use the show crypto-local pki TrustedCA command to display
    the CA certificates that have been imported into the controller.

set pfs
    Enables Perfect Forward Secrecy (PFS). With PFS, new session keys are
    derived from a fresh Diffie-Hellman exchange rather than from previously
    used keying material, so a compromised session key does not expose
    earlier session keys. To enable this feature, specify one of the
    following PFS modes:
    group1:  768-bit Diffie-Hellman prime modulus group.
    group2:  1024-bit Diffie-Hellman prime modulus group.
    group19: 256-bit random Diffie-Hellman ECP modulus group (IKEv2 only).
    group20: 384-bit random Diffie-Hellman ECP modulus group (IKEv2 only).
    The 768-bit and 1024-bit prime modulus groups (group1 and group2) are
    considered weak against well-resourced attackers; where the peer
    supports IKEv2, prefer group19 or group20.
    Range: group1, group2, group19, group20
    Default: disabled
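The two IPsec maps below are an added example and are not configuration taken from this guide; they place a weak map beside a hardened one to show how the parameters above combine. The weak map relies on IKE aggressive mode keyed by FQDN (identities and the pre-shared-key hash travel in the clear, so the PSK is exposed to offline guessing), accepts any dynamically addressed peer, and uses the 768-bit group1 for PFS. The hardened map uses IKEv2, pins the peer to a certificate subject name validated against a named trusted CA, and uses the ECP group19. Assumptions: the config-ipsec-map submode layout and the version and src-net parameters are documented elsewhere in the guide, not on this page; the map names, addresses, CA name and certificate DN are made up for the example.

```text
! Added example, not from the reference guide. Submode syntax and the
! version/src-net parameters are assumed from other pages of the guide;
! names, addresses and the DN below are constructed.
configure terminal

! Confirm the CA name before referencing it from the map
show crypto-local pki TrustedCA

! --- Weak map: IKEv1 aggressive mode, any peer, 768-bit PFS group ---
crypto-local ipsec-map branch-weak 200
  version v1
  src-net 10.1.0.0 255.255.0.0
  dst-net 10.2.0.0 255.255.0.0
  local-fqdn vpn-hq.example.com
  peer-fqdn any-fqdn
  set pfs group1
  pre-connect enable
!

! --- Hardened map: IKEv2, peer pinned by certificate DN + trusted CA,
! ECP group19 PFS, NAT-T forced for the static peer at 203.0.113.10 ---
crypto-local ipsec-map branch-hardened 100
  version v2
  src-net 10.1.0.0 255.255.0.0
  dst-net 10.2.0.0 255.255.0.0
  peer-ip 203.0.113.10
  peer-cert-dn "CN=branch-gw.example.com,O=Example,C=US"
  set ca-certificate corp-root-ca
  set pfs group19
  force-natt
  pre-connect enable
!

! Remove the weak map once the hardened one is up
no crypto-local ipsec-map branch-weak 200
```

The hardened map gives the lower priority number so it is evaluated first while both exist; the peer-ip line is assumed to still be needed to initiate to a static peer under IKEv2 even though this page documents peer-ip only under IKEv1. Restricting a dynamically addressed responder with peer-fqdn fqdn-id <peer-id-fqdn> rather than any-fqdn is the equivalent tightening when certificates are not available.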