Chapter 4 Configuring the ISA and ISM
Creating Crypto Maps
For IPSec to succeed between two IPSec peers, both peers’ crypto map entries must contain compatible configuration statements.
When two peers try to establish a security association, each must have at least one crypto map entry that is compatible with one of the other peer’s crypto map entries. For two crypto map entries to be compatible, they must meet the following criteria:
•The crypto map entries must contain compatible crypto access lists (for example, mirror image access lists). When the responding peer is using dynamic crypto maps, the entries in the local crypto access list must be “permitted” by the peer’s crypto access list.
•The crypto map entries must each identify the other peer (unless the responding peer is using dynamic crypto maps).
•The crypto map entries must have at least one transform set in common.
When IKE is used to establish security associations, the IPSec peers can negotiate the settings they will use for the new security associations. This means that you can specify lists (such as lists of acceptable transforms) within the crypto map entry.
To create crypto map entries that use IKE to establish the security associations, use the following commands, starting in global configuration mode:
Step | Command | Purpose |
|
|
|
1. | crypto map | Create the crypto map and enter |
| crypto map configuration mode. | |
|
|
|
2. | match address | Specify an extended access list. This |
|
| access list determines which traffic is |
|
| protected by IPSec and which is not. |
|
|
|
3. | set peer {hostname | Specify a remote IPSec peer. This is |
|
| the peer to which |
|
| traffic can be forwarded. |
|
| Repeat for multiple remote peers. |
|
|
|
4. | set | Specify which transform sets are |
| allowed for this crypto map entry. | |
|
| List multiple transform sets in order |
|
| of priority (highest priority first). |
|
|
|
5. | end | Exit crypto map configuration mode. |
|
|
|
Repeat these steps to create additional crypto map entries as required.
For detailed information on configuring crypto maps, refer to the “Configuring IPSec Network Security” chapter in the Security Configuration Guide publication. This chapter contains information on the following topics:
•About Crypto Maps
•Load Sharing
•How Many Crypto Maps Should You Create?
•Creating Crypto Map Entries for Establishing Manual Security Associations
•Creating Crypto Map Entries That Use IKE to Establish Security Associations
•Creating Dynamic Crypto Maps
Integrated Services Adapter and Integrated Services Module Installation and Configuration
|
| |
|
