25-18
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 25 Configuring IKE and IPsec Policies
Understanding IPsec Proposals
The following topics explain IPsec proposal concepts and procedures in more detail:
Understanding IPsec Proposals for Site-to-Site VPNs, page 25-18
Understanding Crypto Maps, page 25-18
Understanding Transform Sets, page 25-19
Understanding Reverse Route Injection, page 25-20
Configuring IPsec Proposals in Site-to-Site VPNs, page 25-21
Configuring IPSec IKEv1 or IKEv2 Transform Set Policy Objects, page 25-25
Configuring an IPsec Proposal for Easy VPN, page 27-10
Configuring an IPsec Proposal on a Remote Access VPN Server (ASA, PIX 7.0+ Devices), page 30-33
Configuring an IPsec Proposal on a Remote Access VPN Server (IOS, PIX 6.3 Devices), page 32-3
Understanding IPsec Proposals for Site-to-Site VPNs
IPsec is one of the most secure methods for setting up a VPN. IPsec provides data encryption at the IP
packet level, offering a robust security solution that is standards-based. Pure IPsec configurations cannot
use routing protocols—the policy created is used for pure IPsec provisioning. You can configure pure
IPsec on Cisco IOS routers, PIX Firewalls, Catalyst VPN Service Modules, and Adaptive Security
Appliance (ASA) devices.
With IPsec, data is transmitted over a public network through tunnels. A tunnel is a secure, logical
communication path between two peers. Traffic that enters an IPsec tunnel is secured by a combination
of security protocols and algorithms called a transform set.
In Security Manager, you use an IPsec Proposal policy to define the settings required for IPsec tunnels.
An IPsec proposal is a collection of one or more crypto maps that are applied to the VPN interfaces on
the devices. A crypto map combines all the components required to set up IPsec security associations,
including transform sets. A crypto map can also be configured with Reverse Route Injection (RRI).
The following topics provide more information:
Understanding Crypto Maps, page 25-18
Understanding Transform Sets, page 25-19
Understanding Reverse Route Injection, page 25-20
Related Topics
Configuring IPsec Proposals in Site-to-Site VPNs, page 25-21

Understanding Crypto Maps

A crypto map combines all components required to set up IPsec security associations (SA), including
IPsec rules, transform sets, remote peers, and other parameters that might be necessary to define an IPsec
SA. A crypto map entry is a named series of CLI commands. Crypto map entries with the same crypto
map name (but different map sequence numbers) are grouped into a crypto map set, which is applied to
the VPN interfaces on relevant devices. All IP traffic passing through the interface is evaluated against
the applied crypto map set.
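
The following is an added illustration, not part of the Cisco guide: a Python sketch that parses a constructed IOS-style configuration, groups crypto map entries into crypto map sets by name and sequence number, and flags entries that lack a peer, transform set, or traffic-matching access list. The map name, addresses, ACL numbers, and helper function names are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample configuration (IOS-style syntax); all names and addresses are illustrative.
SAMPLE_CONFIG = """\
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha-hmac
crypto map VPN-MAP 20 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set TS-AES256
 match address 120
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS-AES256
 match address 110
 reverse-route
crypto map VPN-MAP 30 ipsec-isakmp
 set peer 192.0.2.9
interface GigabitEthernet0/0
 crypto map VPN-MAP
"""

# Components an entry needs before it can define an IPsec SA (assumed audit policy).
REQUIRED = ("set peer", "set transform-set", "match address")
ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp")
APPLY_RE = re.compile(r"^ crypto map (\S+)$")

def parse_crypto_maps(config):
    """Return (sets, applied): sets[name][seq] -> sub-commands; applied[interface] -> map name."""
    sets, applied = defaultdict(dict), {}
    entry = iface = None
    for line in config.splitlines():
        if not line.startswith(" "):          # a top-level command resets the context
            entry = iface = None
            m = ENTRY_RE.match(line)
            if m:                             # same name, different sequence -> same set
                entry = sets[m.group(1)].setdefault(int(m.group(2)), [])
            elif line.startswith("interface "):
                iface = line.split()[1]
        elif entry is not None:
            entry.append(line.strip())
        elif iface and (m := APPLY_RE.match(line)):
            applied[iface] = m.group(1)       # the whole set is applied to the interface
    return sets, applied

def incomplete_entries(sets):
    """List (name, seq, missing) for entries lacking a required component, in sequence order."""
    out = []
    for name, entries in sets.items():
        for seq in sorted(entries):
            missing = [r for r in REQUIRED if not any(c.startswith(r) for c in entries[seq])]
            if missing:
                out.append((name, seq, missing))
    return out
```

In the sample, entries 10, 20, and 30 form one crypto map set applied to GigabitEthernet0/0, and entry 30 is reported because it has a peer but no transform set or access list.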