Cisco Systems SA-ISA, SM-ISM manual


Chapter 4 Configuring the ISA and ISM

Creating Crypto Maps

For IPSec to succeed between two IPSec peers, both peers’ crypto map entries must contain compatible configuration statements.

When two peers try to establish a security association, each must have at least one crypto map entry that is compatible with one of the other peer’s crypto map entries. For two crypto map entries to be compatible, they must meet the following criteria:

The crypto map entries must contain compatible crypto access lists (for example, mirror image access lists). When the responding peer is using dynamic crypto maps, the entries in the local crypto access list must be “permitted” by the peer’s crypto access list.

The crypto map entries must each identify the other peer (unless the responding peer is using dynamic crypto maps).

The crypto map entries must have at least one transform set in common.

When IKE is used to establish security associations, the IPSec peers can negotiate the settings they will use for the new security associations. This means that you can specify lists (such as lists of acceptable transforms) within the crypto map entry.

To create crypto map entries that use IKE to establish the security associations, use the following commands, starting in global configuration mode:

Step 1
Command: crypto map map-name seq-num ipsec-isakmp
Purpose: Create the crypto map and enter crypto map configuration mode.

Step 2
Command: match address access-list-id
Purpose: Specify an extended access list. This access list determines which traffic is protected by IPSec and which is not.

Step 3
Command: set peer {hostname | ip-address}
Purpose: Specify a remote IPSec peer. This is the peer to which IPSec-protected traffic can be forwarded. Repeat for multiple remote peers.

Step 4
Command: set transform-set transform-set-name1 [transform-set-name2...transform-set-name6]
Purpose: Specify which transform sets are allowed for this crypto map entry. List multiple transform sets in order of priority (highest priority first).

Step 5
Command: end
Purpose: Exit crypto map configuration mode.

Repeat these steps to create additional crypto map entries as required.
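The three compatibility criteria listed above (mirror-image crypto access lists, entries that identify each other as peer, at least one transform set in common) can be checked mechanically before a tunnel is brought up. The following is an added example, not part of the manual: it parses two constructed IOS-style crypto map snippets (placeholder addresses, static maps only, no dynamic crypto maps) and reports which criterion fails.

```python
"""Check two static crypto map entries against the three compatibility criteria.
Added example; the configurations below are constructed, not taken from the manual."""

# Constructed sample configurations for two peers (addresses are placeholders).
ROUTER_A = """
crypto map MAP-A 10 ipsec-isakmp
 match address 101
 set peer 192.0.2.2
 set transform-set ESP-AES-SHA ESP-3DES-MD5
access-list 101 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
"""
ROUTER_B = """
crypto map MAP-B 10 ipsec-isakmp
 match address 102
 set peer 192.0.2.1
 set transform-set ESP-3DES-MD5
access-list 102 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
"""

def parse(cfg, local_ip):
    """Extract the entry's peers, ordered transform sets, and the crypto ACL
    as a set of (source, destination) "network wildcard" strings."""
    entry = {"local": local_ip, "peers": set(), "transforms": [], "acl": set()}
    acl_id, acls = None, {}
    for line in cfg.splitlines():
        w = line.split()
        if not w:
            continue
        if w[:2] == ["match", "address"]:
            acl_id = w[2]
        elif w[:2] == ["set", "peer"]:
            entry["peers"].add(w[2])
        elif w[:2] == ["set", "transform-set"]:
            entry["transforms"] = w[2:]
        elif w[0] == "access-list" and w[2] == "permit":   # only 'permit ip' lines
            acls.setdefault(w[1], set()).add((f"{w[4]} {w[5]}", f"{w[6]} {w[7]}"))
    entry["acl"] = acls.get(acl_id, set())
    return entry

def compatible(a, b):
    """Apply the three criteria; return the list of failed checks (empty means OK)."""
    failures = []
    mirror = {(dst, src) for src, dst in b["acl"]}        # swap src/dst of the peer
    if a["acl"] != mirror:
        failures.append("crypto access lists are not mirror images")
    if a["local"] not in b["peers"] or b["local"] not in a["peers"]:
        failures.append("entries do not identify each other as peer")
    if not set(a["transforms"]) & set(b["transforms"]):
        failures.append("no transform set in common")
    return failures
```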

For detailed information on configuring crypto maps, refer to the “Configuring IPSec Network Security” chapter in the Security Configuration Guide publication. This chapter contains information on the following topics:

About Crypto Maps

Load Sharing

How Many Crypto Maps Should You Create?

Creating Crypto Map Entries for Establishing Manual Security Associations

Creating Crypto Map Entries That Use IKE to Establish Security Associations

Creating Dynamic Crypto Maps

Integrated Services Adapter and Integrated Services Module Installation and Configuration

4-8

OL-3575-01 B0
