Cisco Systems SM-ISM, SA-ISA manual Applying Crypto Maps to Interfaces, Verifying Configuration

Chapter 4 Configuring the ISA and ISM

Applying Crypto Maps to Interfaces

Applying Crypto Maps to Interfaces

You need to apply a crypto map set to each interface through which IPSec traffic flows. Applying the crypto map set to an interface instructs the router to evaluate all the interface’s traffic against the crypto map set and to use the specified policy during connection or security association negotiation on behalf of traffic to be protected by encryption.

To apply a crypto map set to an interface, use the following commands, starting in global configuration mode:

For redundancy, you could apply the same crypto map set to more than one interface. The default behavior is as follows:

•Each interface has its own piece of the security association database.

•The IP address of the local interface is used as the local address for IPSec traffic originating from or destined to that interface.

If you apply the same crypto map set to multiple interfaces for redundancy purposes, you need to specify an identifying interface. This has the following effects:

•The per-interface portion of the IPSec security association database is established one time and shared for traffic through all the interfaces that share the same crypto map.

•The IP address of the identifying interface is used as the local address for IPSec traffic originating from or destined to those interfaces sharing the same crypto map set.

One suggestion is to use a loopback interface as the identifying interface.

To specify redundant interfaces and name an identifying interface, use the following command in global configuration mode:

crypto map map-namelocal-address interface-id

This command permits redundant interfaces to share the same crypto map, using the same local identity.

Verifying Configuration

Certain configuration changes only take effect when subsequent security associations are negotiated. If you want the new settings to take immediate effect, you must clear the existing security associations so that they are reestablished with the changed configuration. For manually established security associations, you must clear and reinitialize the security associations, or the changes do not take effect. If the router is actively processing IPSec traffic, it is desirable to clear only the portion of the security association database that would be affected by the configuration changes (that is, clear only the security associations established by a given crypto map set). Clearing the full security association database should be reserved for large-scale changes or when the router is processing very little other IPSec traffic.

Integrated Services Adapter and Integrated Services Module Installation and Configuration