Command Reference Guide Crypto Map Manual Command Set
61200510L1-35E Copyright © 2005 ADTRAN 1243
Usage Examples
The following example shows setting up an access list (called NewList) and then assigning the new list to
a crypto map (called NewMap):
(config)#ip access-list extended NewList
Configuring New Extended ACL "NewList"
(config-ext-nacl)#exit
(config)#crypto map NewMap 10 ipsec-manual
(config-crypto-map)#match address NewList
Technology Review
A crypto map entry is a single policy that describes how certain traffic is to be secured. There are two types
of crypto map entries: ipsec-manual and ipsec-ike. Each entry is given an index, which is used to sort the
ordered list.
When a nonsecured packet arrives on an interface, the crypto map set associated with that interface is
processed in order. If a crypto map entry matches the nonsecured traffic, the traffic is discarded.
When a packet is to be transmitted on an interface, the crypto map set associated with that interface is
processed in order. The first crypto map entry that matches the packet will be used to secure the packet. If
a suitable SA exists, that is used for transmission. Otherwise, IKE is used to establish an SA with the peer.
If no SA exists, and the crypto map entry is “respond only,” the packet is discarded.
When a secured packet arrives on an interface, its SPI is used to look up an SA. If an SA does not exist, or
if the packet fails any of the security checks (bad authentication, traffic does not match SA selectors, etc.),
it is discarded. If all checks pass, the packet is forwarded normally.
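The three processing paths described above (nonsecured inbound, outbound, secured inbound), modelled as an added Python example that is not ADTRAN code and not part of this guide. Flows are constructed (src, dst) prefix pairs, the ACL is a set of such pairs, and the "respond only" flag and the per-entry SA table are assumed attributes used only to make the ordering and drop rules visible.

```python
from dataclasses import dataclass, field
# A "flow" is a constructed (src, dst) prefix pair; real selectors are richer.
@dataclass
class SA:
    spi: int
    selector: tuple  # the one flow this SA is allowed to carry

@dataclass
class CryptoMapEntry:
    index: int       # sort key of the ordered crypto map set
    acl: set         # flows the entry's match-address ACL permits
    respond_only: bool = False
    sas: dict = field(default_factory=dict)  # spi -> SA

def outbound(crypto_map, flow):
    """Transmit path: the first entry (by index) matching the flow decides."""
    for entry in sorted(crypto_map, key=lambda e: e.index):
        if flow not in entry.acl:
            continue
        for sa in entry.sas.values():       # reuse a suitable existing SA
            if sa.selector == flow:
                return "secured:spi=%#x" % sa.spi
        if entry.respond_only:              # no SA and not allowed to initiate
            return "drop:respond-only-no-sa"
        return "initiate-ike:entry=%d" % entry.index
    return "clear"                          # no policy covers this flow

def inbound_clear(crypto_map, flow):
    """Receive path, nonsecured packet: matching any entry means discard."""
    return "drop:expected-ipsec" if any(flow in e.acl for e in crypto_map) else "forward"

def inbound_secured(crypto_map, spi, flow, auth_ok):
    """Receive path, secured packet: SPI lookup, then the security checks."""
    for entry in crypto_map:
        sa = entry.sas.get(spi)
        if sa is None:
            continue
        if not auth_ok:
            return "drop:bad-auth"
        if sa.selector != flow:
            return "drop:selector-mismatch"
        return "forward"
    return "drop:no-sa"

# Constructed set: index 10 holds a manual SA, index 20 is respond-only with none.
LAN_TO_B = ("10.1.1.0/24", "10.2.2.0/24")
LAN_TO_C = ("10.1.1.0/24", "10.3.3.0/24")
NEWMAP = [CryptoMapEntry(20, {LAN_TO_C}, respond_only=True),
          CryptoMapEntry(10, {LAN_TO_B}, sas={0x1001: SA(0x1001, LAN_TO_B)})]
```

Note that the entries are deliberately listed out of index order: outbound processing still consults index 10 first, which is why the index, not configuration order, is what a reviewer should check when auditing a crypto map set.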