R(config-crypto-map)# set security-association lifetime {seconds SEC| kilobytes KB}
! Time/Quantity of data after which new keys are generated
R(config-crypto-map)# set security-association idle-time SEC
! When no packets are sent/received for idle-time, the SA is deleted.
R(config-crypto-map)# set security-association level per-host
! By default, all traffic for a peer uses the same SA.
! When using this command, packets for each host/destination pair will use a different SA
R(config-crypto-map)# set security-association replay {window-size SIZE|disable}
! You can customize or disable the anti-replay feature of IPSec.
R(config-crypto-map)# set pfs [group1|group2|group5]
! By default PFS is not requested. If requested, with no param, group1 is used.