Cisco MDS 9000 Family Fabric Manager Configuration Guide
OL-6965-03, Cisco MDS SAN-OS Release 2.x
Chapter 29 IPsec and IKE
Modifying IKE and IPsec

The any Keyword in Crypto ACLs

Tip: We recommend that you configure mirror image crypto ACLs for use by IPsec and that you avoid using the any option.
The any option in a permit statement is discouraged when you have multicast traffic flowing through the
IPsec interface—this configuration can cause multicast traffic to fail.
The permit any any statement causes all outbound traffic to be protected (and all protected traffic sent
to the peer specified in the corresponding crypto map entry) and requires protection for all inbound
traffic. Then, all inbound packets that lack IPsec protection are silently dropped, including packets for
routing protocols, NTP, echo, echo response, and so forth.
You need to be sure you define which packets to protect. If you must use the any option in a permit
statement, you must preface that statement with a series of deny statements to filter out any traffic (that
would otherwise fall within that permit statement) that you do not want to be protected.
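The matching behaviour described above, as an added example that is not part of the Cisco guide: a small Python model of crypto ACL selection in which a permit match marks outbound traffic for encryption and requires IPsec protection on inbound traffic, so that a bare permit any any drops unprotected NTP and echo packets while a deny-prefaced version lets them through. The ACL entries, addresses and ports are constructed sample values, and the assumption that inbound packets are checked against the mirror image (source/destination swapped) is this example's, not a statement from the guide.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class AclEntry:
    action: str               # "permit" = protect with IPsec, "deny" = exempt (clear text)
    proto: str                # "ip" matches any protocol; otherwise "udp", "tcp", "icmp"
    src: str                  # CIDR network or "any"
    dst: str
    dport: Optional[int] = None

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: Optional[int]
    dport: Optional[int]
    protected: bool           # True if the packet arrived inside an IPsec SA

def _addr_ok(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec)

def first_match(acl: List[AclEntry], proto: str, src: str, dst: str, dport: Optional[int]) -> str:
    # First-match lookup; traffic matching no entry is not selected for IPsec.
    for e in acl:
        if (e.proto in ("ip", proto) and (e.dport is None or e.dport == dport)
                and _addr_ok(e.src, src) and _addr_ok(e.dst, dst)):
            return e.action
    return "deny"

def outbound(acl: List[AclEntry], p: Packet) -> str:
    # A permit match is encrypted to the crypto map peer; anything else leaves in the clear.
    return "encrypt" if first_match(acl, p.proto, p.src, p.dst, p.dport) == "permit" else "clear"

def inbound(acl: List[AclEntry], p: Packet) -> str:
    # Assumption: inbound traffic is checked against the mirror image (addresses and ports swapped).
    # A permit match *requires* protection, so an unprotected match is silently dropped.
    if first_match(acl, p.proto, p.dst, p.src, p.sport) == "permit":
        return "accept" if p.protected else "drop"
    return "accept"

# Constructed sample ACLs: "permit any any" alone, and the same permit prefaced with deny
# statements that exempt NTP and ICMP echo/echo-response from protection.
ACL_PERMIT_ANY = [AclEntry("permit", "ip", "any", "any")]
ACL_WITH_DENIES = [
    AclEntry("deny", "udp", "any", "any", 123),    # NTP
    AclEntry("deny", "icmp", "any", "any"),        # echo / echo response
    AclEntry("permit", "ip", "any", "any"),
]
```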

Configuring Crypto IP-ACLs

You can configure IP-ACLs for crypto using the guidelines in the “Crypto ACL Guidelines” section on
page 29-9.
See Chapter 28, “IP Access Control Lists” for guidelines on creating IP-ACLs using Fabric Manager.

Transform Sets

A transform set represents a certain combination of security protocols and algorithms. During the IPsec
security association negotiation, the peers agree to use a particular transform set for protecting a
particular data flow.
You can specify multiple transform sets, and then specify one or more of these transform sets in a crypto
map entry. The transform set defined in the crypto map entry is used in the IPsec security association
negotiation to protect the data flows specified by that crypto map entry’s access list.
During IPsec security association negotiations with IKE, the peers search for a transform set that is the
same at both peers. When such a transform set is found, it is selected and applied to the protected traffic
as part of both peers’ IPsec security associations.
Tip: If you change a transform set definition, the change is only applied to crypto map entries that reference the transform set. The change is not applied to existing security associations, but used in subsequent negotiations to establish new security associations. If you want the new settings to take effect sooner, you can clear all or part of the security association database.