Chapter 17 IP Security
IPSec Policies
17-10
Cisco Router and Security Device Manager 2.5 User’s Guide
OL-4015-12
Destination
Enter the address of the destination subnet, and specify the mask for that subnet.
You can either select a subnet mask from the list or type in a custom mask. The
subnet number and mask must be entered in dotted decimal format.
All traffic going to the hosts in this subnet will be encrypted.
IPSec Rule (Create/Select an access-list for IPSec traffic)
You can add or change the IPSec rule used in this crypto map. Use this option if
you need to specify multiple sources and destinations, and/or specific types of
traffic to encrypt. An IPSec rule can consist of multiple entries, each specifying
different traffic types and different sources and destinations. Any packets that do
not match the criteria in the IPSec rule are sent unencrypted.
Note If you are adding an IPSec rule for a VPN connection that uses a tunnel interface,
the rule must specify the same source and destination data as the tunnel
configuration.
To add or change the IPSec rule for the crypto map, click the button to the right
of the IPSec rule field and choose one of the following:
Select an existing rule (ACL)—If the rule you want to use has already been
created, choose the rule, then click OK.
Create a new rule and select—If the rule you need has not been created,
create the rule, then click OK.
None—If you want to clear a rule association. The IPSec rule field shows the
name of the IPSec rule in use, but if you choose None, the field becomes
blank.
Another way to add or change the IPSec rule for this crypto map is to enter the
number of the IPSec rule directly in the IPSec rule field.
Note IPSec rules must be extended rules, not standard rules. If the number or name you
enter identifies a standard rule, Cisco SDM will display a warning message when
you click OK.
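The two behaviours described above (only traffic matched by a permit entry in the IPSec rule is encrypted, everything else leaves in the clear, and the rule must be an extended ACL rather than a standard one) can be checked offline. The following Python is an added illustration, not Cisco SDM or IOS code; the ACL entries are constructed sample data, and the numbered-ACL ranges are the standard IOS conventions.

```python
import ipaddress

# Numbered IOS ACL ranges: standard 1-99 / 1300-1999, extended 100-199 / 2000-2699.
STANDARD_RANGES = ((1, 99), (1300, 1999))
EXTENDED_RANGES = ((100, 199), (2000, 2699))

# Constructed sample rule (not from the guide): exclude one host, protect one subnet pair.
SAMPLE_ACL = [
    "deny ip host 10.1.1.99 any",
    "permit ip 10.1.1.0 0.0.0.255 192.168.2.0 0.0.0.255",
]

def acl_kind(number):
    """'standard' or 'extended' for a numbered ACL; None if the number is out of range."""
    if any(lo <= number <= hi for lo, hi in STANDARD_RANGES):
        return "standard"
    if any(lo <= number <= hi for lo, hi in EXTENDED_RANGES):
        return "extended"
    return None

def wildcard_to_network(addr, wildcard):
    """Turn an IOS address/wildcard pair into a network (wildcard 1-bits are 'don't care').
    Only contiguous wildcards are handled here."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D wildcard'."""
    tok = tokens.pop(0)
    if tok == "any":
        return wildcard_to_network("0.0.0.0", "255.255.255.255")
    if tok == "host":
        return wildcard_to_network(tokens.pop(0), "0.0.0.0")
    return wildcard_to_network(tok, tokens.pop(0))

def parse_entry(line):
    """Parse one extended ACE: '<permit|deny> <proto> <src spec> <dst spec>'."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src = _take_addr(rest)
    dst = _take_addr(rest)
    return {"action": action, "proto": proto, "src": src, "dst": dst}

def traffic_disposition(entries, src_ip, dst_ip, proto="ip"):
    """First matching entry decides: permit -> 'encrypted'; deny or no match -> 'cleartext'."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for e in entries:
        if e["proto"] in ("ip", proto) and s in e["src"] and d in e["dst"]:
            return "encrypted" if e["action"] == "permit" else "cleartext"
    return "cleartext"  # implicit deny at the end of the ACL: traffic is not protected
```

Running the sample against a few source/destination pairs shows which flows the crypto map would protect and which would leave the router unencrypted.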