64-20
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter64 Configuring IPsec and ISAKMP
Configuring IPsec
With IKEv1 transform sets, you set one value for each parameter. For IKEv2 proposals, you can
configure multiple encryption and authentication types and multiple integrity algorithms for a single
proposal. The ASA orders the settings from the most secure to the least secure and negotiates with the
peer using that order. This allows you to potentially send a single proposal to convey all the allowed
combinations instead of the need to send each allowed combination individually as with IKEv1.
The ASA tears down the tunnel if you change the definition of the transform set or proposal used to
create its SA. See “Clearing Security Associations” for further information.
Note If you clear or delete the only element in a transform set or proposal, the ASA automatically removes
the crypto map references to it.
Defining Crypto Maps
Crypto maps define the IPsec policy to be negotiated in the IPsec SA. They include the following:
Access list to identify the packets that the IPsec connection permits and protects.
Peer identification.
Local address for the IPsec traffic. (See “Applying Crypto Maps to Interfaces” for more details.)
Up to 11 IKEv1 transform sets or IKEv2 proposals, with which to attempt to match the peer security
settings.
A crypto map set consists of one or more crypto maps that have the same map name. You create a crypto
map set when you create its first crypto map. The following command syntax creates or adds to a crypto
map:
crypto map map-name seq-num match address access-list-name
You can continue to enter this command to add crypto maps to the crypto map set. In the following
example, mymap is the name of the crypto map set to which you might want to add crypto maps:
crypto map mymap 10 match address 101
The sequence number (seq-num) shown in the syntax above distinguishes one crypto map from another
one with the same name. The sequence number assigned to a crypto map also determines its priority
among the other crypto maps within a crypto map set. The lower the sequence number, the higher the
priority. After you assign a crypto map set to an interface, the ASA evaluates all IP traffic passing
through the interface against the crypto maps in the set, beginning with the crypto map with the lowest
sequence number.
The ACL assigned to a crypto map consists of all of the ACEs that have the same access list name, as
shown in the following command syntax:
access-list access-list-name {deny | permit} ip source source-netmask destination
destination-netmask
Each ACL consists of one or more ACEs that have the same access list name. You create an ACL when
you create its first ACE. The following command syntax creates or adds to an ACL:
access-list access-list-name {deny | permit} ip source source-netmask destination
destination-netmask
In the following example, the ASA applies the IPsec protections assigned to the crypto map to all traffic
flowing from the 10.0.0.0 subnet to the 10.1.1.0 subnet:
access-list 101 permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0