Cisco Systems SM-ISM, SA-ISA manual Applying Crypto Maps to Interfaces, Verifying Configuration

Page 45

Chapter 4 Configuring the ISA and ISM

Applying Crypto Maps to Interfaces

You need to apply a crypto map set to each interface through which IPSec traffic flows. Applying the crypto map set to an interface instructs the router to evaluate all the interface’s traffic against the crypto map set and to use the specified policy during connection or security association negotiation on behalf of traffic to be protected by encryption.

To apply a crypto map set to an interface, use the following commands, starting in global configuration mode:

Step  Command                  Purpose
1.    interface type number    Specify an interface on which to apply the crypto map and enter interface configuration mode.
2.    crypto map map-name      Apply a crypto map set to an interface.
3.    end                      Exit interface configuration mode.

For redundancy, you could apply the same crypto map set to more than one interface. The default behavior is as follows:

- Each interface has its own piece of the security association database.

- The IP address of the local interface is used as the local address for IPSec traffic originating from or destined to that interface.

If you apply the same crypto map set to multiple interfaces for redundancy purposes, you need to specify an identifying interface. This has the following effects:

- The per-interface portion of the IPSec security association database is established one time and shared for traffic through all the interfaces that share the same crypto map.

- The IP address of the identifying interface is used as the local address for IPSec traffic originating from or destined to those interfaces sharing the same crypto map set.

One suggestion is to use a loopback interface as the identifying interface.

To specify redundant interfaces and name an identifying interface, use the following command in global configuration mode:

crypto map map-name local-address interface-id

This command permits redundant interfaces to share the same crypto map, using the same local identity.
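The following running-configuration excerpt is an added example, not from this manual: two redundant serial interfaces carry the same crypto map set, and a loopback serves as the identifying interface so both links present one local identity to the peer. The crypto map name VPN-MAP, the interface names and the addresses are assumed; VPN-MAP itself must already be defined as described earlier in this chapter.

```cisco
! Added example (not from the manual). Assumes crypto map VPN-MAP
! already exists and that 192.0.2.1 is reachable by the IPSec peer.
!
! Identifying interface: its address becomes the local address for all
! IPSec traffic on the interfaces that share VPN-MAP.
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
! Steps 1 and 2 from the table, repeated once per interface through
! which IPSec traffic flows (redundant links).
interface Serial1/0
 ip address 198.51.100.1 255.255.255.252
 crypto map VPN-MAP
!
interface Serial1/1
 ip address 198.51.100.5 255.255.255.252
 crypto map VPN-MAP
!
! Global configuration mode: make both interfaces share one SA database
! portion and one local identity instead of one per interface.
crypto map VPN-MAP local-address Loopback0
```

The peer's crypto map must name 192.0.2.1 (the loopback address) as its peer, not the address of either serial interface; otherwise IKE negotiation will not match the identity the router now presents.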

Verifying Configuration

Certain configuration changes only take effect when subsequent security associations are negotiated. If you want the new settings to take immediate effect, you must clear the existing security associations so that they are reestablished with the changed configuration. For manually established security associations, you must clear and reinitialize the security associations, or the changes do not take effect. If the router is actively processing IPSec traffic, it is desirable to clear only the portion of the security association database that would be affected by the configuration changes (that is, clear only the security associations established by a given crypto map set). Clearing the full security association database should be reserved for large-scale changes or when the router is processing very little other IPSec traffic.
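The following EXEC session is an added example, not from this manual, showing the selective clearing the paragraph recommends on a router that is still forwarding other IPSec traffic. It uses the standard Cisco IOS show and clear commands; the crypto map name VPN-MAP and interface Serial1/0 are assumed from the configuration above.

```cisco
! Added example (not from the manual). Confirm the crypto map set is
! bound to the interface and that Loopback0 supplies the local address.
Router# show crypto map interface Serial1/0

! Inspect only the security associations built from VPN-MAP before
! touching anything.
Router# show crypto ipsec sa map VPN-MAP

! Clear only the SAs established by this crypto map set, so that they
! are renegotiated with the changed policy. Other crypto maps on the
! router keep their SAs and their traffic is not interrupted.
Router# clear crypto sa map VPN-MAP

! Reserve the full clear for large-scale changes or a quiet router:
! it drops every IPSec SA, so all protected traffic renegotiates.
! Router# clear crypto sa

! After traffic triggers renegotiation, verify the new SAs carry the
! changed settings.
Router# show crypto ipsec sa map VPN-MAP
```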

Integrated Services Adapter and Integrated Services Module Installation and Configuration
OL-3575-01 B0
4-9
