Command Reference Guide Global Configuration Mode Command Set
61200510L1-35E Copyright © 2005 ADTRAN 377
If no transform set or access list is configured for a crypto map, the entry is incomplete and will have no effect on the system.
When you apply a crypto map to an interface (using the crypto map command within the interface's mode), you are applying all crypto maps with the given map name. This allows you to apply multiple crypto maps if you have created maps that share the same name but have different map index numbers.
Usage Examples
The following example creates a new IPSec IKE crypto map called testMap with a map index of 10:
(config)#crypto map testMap 10 ipsec-ike
(config-crypto-map)#
Technology Review
A crypto map entry is a single policy that describes how certain traffic is to be secured. There are two types of crypto map entries: ipsec-manual and ipsec-ike. Each entry is given an index, which is used to sort the ordered list. When a nonsecured packet arrives on an interface, the crypto map set associated with that interface is processed in order. If a crypto map entry matches the nonsecured traffic, the traffic is discarded.
When a packet is to be transmitted on an interface, the crypto map set associated with that interface is processed in order. The first crypto map entry that matches the packet will be used to secure the packet. If a suitable security association (SA) exists, that is used for transmission. Otherwise, IKE is used to establish an SA with the peer. If no SA exists, and the crypto map entry is "respond only," the packet is discarded.
When a secured packet arrives on an interface, its security parameter index (SPI) is used to look up an SA. If an SA does not exist, or if the packet fails any of the security checks (bad authentication, traffic does not match SA selectors, etc.), it is discarded. If all checks pass, the packet is forwarded normally.
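To make the processing order in this Technology Review concrete, the following Python model walks a packet through a crypto map set the way the three paragraphs above describe: incomplete entries are skipped, entries with the applied map name are tried in index order, outbound traffic takes the first match and then either reuses an SA, triggers IKE, or is discarded for a "respond only" entry, unsecured inbound traffic that matches an entry is discarded, and secured inbound traffic is looked up by SPI and checked against the SA. This is an added illustration written for this page, not ADTRAN code; the CryptoMapEntry and SecurityAssociation structures, the respond_only flag, the (local, remote) selector form standing in for an access list, and the sample prefixes are all assumptions made for the example.

```python
"""Model of crypto map set processing (added illustration, not ADTRAN code).

Assumptions: an access list is modelled as a list of (local, remote) prefix
pairs; an SA is modelled by its SPI, the selectors it covers and its transform
set. The sample prefixes and SPI below are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Selector = Tuple[str, str]  # (local prefix, remote prefix)


@dataclass
class CryptoMapEntry:
    name: str
    index: int
    kind: str                                  # "ipsec-ike" or "ipsec-manual"
    selectors: List[Selector] = field(default_factory=list)  # stands in for the access list
    transform_set: Optional[str] = None
    respond_only: bool = False                 # assumed flag for a "respond only" entry

    def complete(self) -> bool:
        # An entry with no transform set or no access list has no effect.
        return bool(self.selectors) and self.transform_set is not None

    def matches(self, local: str, remote: str) -> bool:
        return self.complete() and (local, remote) in self.selectors


@dataclass
class SecurityAssociation:
    spi: int
    local: str
    remote: str
    transform_set: str


class CryptoMapSet:
    """The crypto maps applied to one interface under a single map name."""

    def __init__(self, name: str, entries: List[CryptoMapEntry], sas: List[SecurityAssociation]):
        # Applying a name applies every map with that name; the index orders them.
        self.entries = sorted((e for e in entries if e.name == name), key=lambda e: e.index)
        self.sas = list(sas)
        self.ike_requests: List[Selector] = []  # peers we would ask IKE to negotiate with

    def first_match(self, local: str, remote: str) -> Optional[CryptoMapEntry]:
        for entry in self.entries:
            if entry.matches(local, remote):
                return entry
        return None

    def outbound(self, src: str, dst: str) -> str:
        entry = self.first_match(src, dst)
        if entry is None:
            return "forward-clear"             # no policy: packet is not secured
        for sa in self.sas:
            if (sa.local, sa.remote, sa.transform_set) == (src, dst, entry.transform_set):
                return f"secure:spi={sa.spi}"  # suitable SA exists, use it
        if entry.respond_only:
            return "discard"                   # respond only and no SA: drop
        self.ike_requests.append((src, dst))
        return "ike-initiate"                  # otherwise IKE sets up an SA

    def inbound_clear(self, src: str, dst: str) -> str:
        # Unsecured traffic arriving for a protected selector is discarded.
        return "discard" if self.first_match(dst, src) else "forward"

    def inbound_secured(self, spi: int, src: str, dst: str, auth_ok: bool = True) -> str:
        sa = next((s for s in self.sas if s.spi == spi), None)
        if sa is None or not auth_ok:
            return "discard"                   # unknown SPI or failed authentication
        if (sa.local, sa.remote) != (dst, src):
            return "discard"                   # traffic does not match SA selectors
        return "forward"


def build_sample_set() -> CryptoMapSet:
    """Constructed sample: three testMap entries, one unrelated map, one SA."""
    entries = [
        CryptoMapEntry("testMap", 10, "ipsec-ike", [("10.0.0.0/24", "10.1.0.0/24")], "esp-aes-sha"),
        CryptoMapEntry("testMap", 20, "ipsec-ike", [("10.0.0.0/24", "10.2.0.0/24")], "esp-aes-sha",
                       respond_only=True),
        CryptoMapEntry("testMap", 30, "ipsec-ike", [("10.0.0.0/24", "10.3.0.0/24")]),  # incomplete
        CryptoMapEntry("otherMap", 5, "ipsec-manual", [("10.0.0.0/24", "10.9.0.0/24")], "esp-3des-md5"),
    ]
    sas = [SecurityAssociation(0x1001, "10.0.0.0/24", "10.1.0.0/24", "esp-aes-sha")]
    return CryptoMapSet("testMap", entries, sas)


if __name__ == "__main__":
    cm = build_sample_set()
    print(cm.outbound("10.0.0.0/24", "10.1.0.0/24"))
    print(cm.outbound("10.0.0.0/24", "10.2.0.0/24"))
    print(cm.inbound_clear("10.1.0.0/24", "10.0.0.0/24"))
    print(cm.inbound_secured(0x1001, "10.1.0.0/24", "10.0.0.0/24"))
```

Running the module exercises each branch on the constructed sample: the entry at index 30 is ignored because it has no transform set, the otherMap entry is ignored because only testMap was applied, and a packet for 10.2.0.0/24 is dropped rather than negotiated because that entry is respond only and no SA exists yet.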