Command Reference Guide Crypto Map IKE Command Set
61200510L1-35E Copyright © 2005 ADTRAN 1234
Usage Examples
The following example shows setting up an ACL (called NewList) and then assigning the new list to a
crypto map (called NewMap):
(config)#ip access-list extended NewList
Configuring New Extended ACL "NewList"
(config-ext-nacl)#exit
(config)#crypto map NewMap 10 ipsec-ike
(config-crypto-map)#match address NewList
Technology Review
A crypto map entry is a single policy that describes how certain traf fic is to be secured. There are two
types of crypto map entries: ipsec-manual and ipsec-ike. Each entry is given an index, which is used to
sort the ordere d list.
When a nonsecured packet arrives on an interface, the crypto map set associated with that interface is
processed in order. If a crypto map entry matches the nonsecured traffic, the traffic is discarded.
When a packet is to be transmitted on an interface, the crypto map set associated with that interface is
processed in order. The first crypto map entry that matches the packet will be used to secure the packet.
If a suitable SA exists, that is used for transmission. Otherwise, IKE is used to establish an SA with the
peer. If no SA exists, and the crypto map entry is “respond only,” th e packet is discarded.
When a secured packet arrives on an interface, its SPI is used to look up an SA. If an SA does not exist,
or if the packet fails any of the security checks (bad authentication, traffic does not match SA selectors,
etc.), it is discarded. If all checks pass, the packet is forwarded normally.