
Chapter 4 Configuring the ISA and ISM


Table 4-1 shows allowed transform combinations.

Table 4-1 Allowed Transform Combinations

AH Transform (1)
  Transform      Description
  ah-md5-hmac    AH with MD5 (HMAC variant) authentication algorithm
  ah-sha-hmac    AH with SHA (HMAC variant) authentication algorithm

ESP Encryption Transform (1)
  Transform      Description
  esp-3des       ESP with 168-bit Triple DES encryption algorithm
  esp-des        ESP with 56-bit DES encryption algorithm
  esp-null       ESP transform without cipher

ESP Authentication Transform (2)
  Transform      Description
  esp-md5-hmac   ESP with MD5 (HMAC variant) authentication algorithm
  esp-sha-hmac   ESP with SHA (HMAC variant) authentication algorithm

1. Pick one transform option.

2. Pick one transform option, but only if you selected esp-null or an ESP encryption transform.

Creating Crypto Maps

Crypto map entries created for IPSec pull together the various elements used to set up IPSec security associations, including:

Which traffic should be protected by IPSec (according to a crypto access list)

Granularity of the flow to be protected by a set of security associations

Where IPSec-protected traffic should be sent (who the remote IPSec peer is)

Local address to be used for the IPSec traffic (see the “Applying Crypto Maps to Interfaces” section on page 4-9 for more details)

What IPSec security should be applied to this traffic (selecting from a list of one or more transform sets)

Whether security associations are manually established or are established through IKE

Other parameters that might be necessary to define an IPSec security association

Crypto map entries with the same crypto map name (but different map sequence numbers) are grouped into a crypto map set. Later, you will apply these crypto map sets to interfaces; then, all IP traffic passing through the interface is evaluated against the applied crypto map set. If a crypto map entry sees outbound IP traffic that should be protected and the crypto map specifies the use of IKE, a security association is negotiated with the remote peer according to the parameters included in the crypto map entry; otherwise, if the crypto map entry specifies the use of manual security associations, a security association should have already been established through configuration.

(If a dynamic crypto map entry sees outbound traffic that should be protected and no security association exists, the packet is dropped.)

The policy described in the crypto map entries is used during the negotiation of security associations. If the local router initiates the negotiation, it uses the policy specified in the static crypto map entries to create the offer to be sent to the specified IPSec peer. If the IPSec peer initiates the negotiation, the local router checks the policy from the static crypto map entries, as well as any referenced dynamic crypto map entries, to decide whether to accept or reject the peer’s request (offer).
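The rules in Table 4-1 and the list of elements a crypto map entry pulls together can be checked mechanically before a crypto map set is applied to an interface. The following Python script is an added example, not code from the Cisco manual: it parses IOS-style crypto ipsec transform-set and crypto map NAME SEQ ipsec-isakmp lines (the standard IOS command forms, with only the match address, set peer and set transform-set sub-commands understood), rejects transform sets that pick more than one option per column or that pair an ESP authentication transform with neither esp-null nor an ESP encryption transform, and flags crypto map entries that lack a crypto access list, a remote peer, or a defined transform set. The set names, access list number, peer addresses and SAMPLE_CONFIG are constructed for the demonstration. DES, 3DES and MD5, which Table 4-1 lists, are now considered weak; the script encodes only the page's combination rules and does not grade algorithm strength.

```python
"""Added example, not from the Cisco manual: audit IOS-style transform-set and
crypto map lines against the rules on this page (Table 4-1 and the elements a
crypto map entry needs). SAMPLE_CONFIG is constructed for the demonstration."""
import re

# Table 4-1, one set per column.
AH_TRANSFORMS = {"ah-md5-hmac", "ah-sha-hmac"}
ESP_ENCRYPTION_TRANSFORMS = {"esp-3des", "esp-des", "esp-null"}
ESP_AUTH_TRANSFORMS = {"esp-md5-hmac", "esp-sha-hmac"}
KNOWN = AH_TRANSFORMS | ESP_ENCRYPTION_TRANSFORMS | ESP_AUTH_TRANSFORMS


def check_transform_set(transforms):
    """Return the rule violations for one transform set (empty list if valid)."""
    problems = []
    ah = [t for t in transforms if t in AH_TRANSFORMS]
    enc = [t for t in transforms if t in ESP_ENCRYPTION_TRANSFORMS]
    auth = [t for t in transforms if t in ESP_AUTH_TRANSFORMS]
    for column, picked in (("AH", ah), ("ESP encryption", enc), ("ESP authentication", auth)):
        if len(picked) > 1:  # footnotes 1 and 2: pick one option per column
            problems.append(f"more than one {column} transform: {' '.join(picked)}")
    if auth and not enc:  # footnote 2: ESP auth only with esp-null or an ESP encryption transform
        problems.append("ESP authentication transform needs esp-null or an ESP encryption transform")
    if not (ah or enc or auth):
        problems.append("no transform selected")
    problems.extend(f"transform not in Table 4-1: {t}" for t in transforms if t not in KNOWN)
    return problems


def parse_config(text):
    """Collect transform sets and crypto map entries; only the commands this page relies on are parsed."""
    transform_sets = {}  # name -> list of transforms
    crypto_maps = {}     # map name -> {seq: entry}; same name, different seq = one crypto map set
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # a top-level command ends any open crypto map entry
            current = None
        if not line or line.startswith("!"):
            continue
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)", line)
        if m:
            transform_sets[m.group(1)] = m.group(2).split()
            continue
        m = re.match(r"crypto map (\S+) (\d+) (ipsec-isakmp|ipsec-manual)\b", line)
        if m:
            current = {"acl": None, "peers": [], "transform_sets": []}
            crypto_maps.setdefault(m.group(1), {})[int(m.group(2))] = current
            continue
        if current is None:
            continue
        if line.startswith("match address "):       # the crypto access list
            current["acl"] = line.split()[2]
        elif line.startswith("set peer "):          # the remote IPSec peer
            current["peers"].append(line.split()[2])
        elif line.startswith("set transform-set "):  # one or more transform sets
            current["transform_sets"].extend(line.split()[2:])
    return transform_sets, crypto_maps


def audit(text):
    """Return {item: [problems]} for each transform set or crypto map entry that breaks a rule."""
    transform_sets, crypto_maps = parse_config(text)
    report = {}
    for name, transforms in transform_sets.items():
        if problems := check_transform_set(transforms):
            report[f"transform-set {name}"] = problems
    for map_name, entries in crypto_maps.items():
        for seq, entry in sorted(entries.items()):
            problems = []
            if entry["acl"] is None:
                problems.append("no crypto access list (match address)")
            if not entry["peers"]:
                problems.append("no remote peer (set peer)")
            if not entry["transform_sets"]:
                problems.append("no transform set (set transform-set)")
            problems.extend(f"references undefined transform set {ts}"
                            for ts in entry["transform_sets"] if ts not in transform_sets)
            if problems:
                report[f"crypto map {map_name} {seq}"] = problems
    return report


# Constructed sample: three valid sets, two that break Table 4-1, and a crypto
# map set (MYMAP 10 and 20) whose second entry is incomplete.
SAMPLE_CONFIG = """\
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
crypto ipsec transform-set AH-ESP ah-sha-hmac esp-des esp-md5-hmac
crypto ipsec transform-set TWO-AUTH esp-des esp-md5-hmac esp-sha-hmac
crypto ipsec transform-set AUTH-ONLY esp-sha-hmac
crypto ipsec transform-set NULL-AUTH esp-null esp-sha-hmac
crypto map MYMAP 10 ipsec-isakmp
 match address 101
 set peer 192.0.2.1
 set transform-set STRONG
crypto map MYMAP 20 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set MISSING
"""

if __name__ == "__main__":
    for item, problems in audit(SAMPLE_CONFIG).items():
        print(item, problems)
```

Run directly, the script reports only TWO-AUTH (two ESP authentication transforms), AUTH-ONLY (ESP authentication with no ESP encryption or esp-null) and crypto map MYMAP 20 (no crypto access list, undefined transform set); STRONG, AH-ESP, NULL-AUTH and MYMAP 10 pass. To audit a real configuration, pass the output of show running-config to audit() instead of SAMPLE_CONFIG.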

Integrated Services Adapter and Integrated Services Module Installation and Configuration
OL-3575-01 B0
4-7
Copyright 1999-2003 Cisco Systems, Inc. All rights reserved.