Command:  

crypto map


Mode:

Router(config)#


Syntax:

crypto map map-name seq-num ipsec-manual

crypto map map-name seq-num ipsec-isakmp [dynamic dynamic-map-name] [discover]

no crypto map map-name [seq-num]


Syntax Description:

map-name

The name that identifies the crypto map set. This is the name assigned when the crypto map was created.

seq-num

The number you assign to the crypto map entry. See additional explanation for using this argument in the "Usage Guidelines" section.

ipsec-manual

Indicates that Internet Key Exchange will not be used to establish the IP Security security associations for protecting the traffic specified by this crypto map entry.

ipsec-isakmp

Indicates that IKE will be used to establish the IPSec security associations for protecting the traffic specified by this crypto map entry.

dynamic

(Optional) Specifies that this crypto map entry is to reference a preexisting dynamic crypto map. Dynamic crypto maps are policy templates used in processing negotiation requests from a peer IPSec device. If you use this keyword, none of the crypto map configuration commands will be available.

dynamic-map-name

(Optional) Specifies the name of the dynamic crypto map set that should be used as the policy template.

discover

(Optional) Enables peer discovery. By default, peer discovery is not enabled.


Command Description:

To create or modify a crypto map entry and enter crypto map configuration mode, use the crypto map global configuration command. To delete a crypto map entry or an entire crypto map set, use the no form of this command.


Examples:

The following example shows the minimum required crypto map configuration when IKE will be used to establish the security associations. First, create the crypto map entry, here "mymap 10", specifying that IKE establishes the IPSec security associations that protect the traffic:

Router(config)#crypto map mymap 10 ipsec-isakmp

Next, specify the access list that defines which traffic is protected by IPSec in the context of this crypto map entry (traffic the list denies is not protected):

Router(config-crypto-m)#match address 101

Next, specify which transform set should be used:

Router(config-crypto-m)#set transform-set my_t_set1

Now, specify the remote IPSec peer:

Router(config-crypto-m)#set peer 10.0.0.1

Taken together, the minimum required crypto map configuration when IKE is used to establish the security associations is:

crypto map mymap 10 ipsec-isakmp

 match address 101

 set transform-set my_t_set1

 set peer 10.0.0.1


The following example shows the minimum required crypto map configuration when the security associations are manually established. Because ipsec-manual uses no IKE, the SPIs and session keys are typed in by hand, must be mirrored on the peer (one side's inbound key is the other side's outbound key), and are never rekeyed. Each key is hexadecimal and must be exactly the transform's key length (16 bytes for ah-md5-hmac, 8 bytes for esp-des). DES and HMAC-MD5 are deprecated and appear here only because this example illustrates the syntax:

crypto ipsec transform-set someset ah-md5-hmac esp-des

crypto map mymap 10 ipsec-manual

 match address 102

 set transform-set someset

 set peer 10.0.0.5

 set session-key inbound ah 256 98765432109876549876543210987654

 set session-key outbound ah 256 fedcbafedcbafedcfedcbafedcbafedc

 set session-key inbound esp 256 cipher 0123456789012345

 set session-key outbound esp 256 cipher abcdefabcdefabcd


The following example configures an IPSec crypto map set that includes a reference to a dynamic crypto map set.

Crypto map "mymap 10" allows security associations to be established between the router and either (or both) of two remote IPSec peers for traffic matching access list 101. Crypto map "mymap 20" allows either of two transform sets to be negotiated with the remote peer for traffic matching access list 102.

Crypto map entry "mymap 30" references the dynamic crypto map set "mydynamicmap," which can be used to process inbound security association negotiation requests that do not match "mymap" entries 10 or 20. In this case, if the peer specifies a transform set that matches one of the transform sets specified in "mydynamicmap," for a flow "permitted" by the access list 103, IPSec will accept the request and set up security associations with the remote peer without previously knowing about the remote peer. If accepted, the resulting security associations (and temporary crypto map entry) are established according to the settings specified by the remote peer.

The access list associated with "mydynamicmap 10" is also used as a filter. Inbound packets that match a permit statement in this list but arrive without IPSec protection are dropped. (The same is true for access lists associated with static crypto map entries.) Outbound packets that match a permit statement but have no corresponding IPSec SA are also dropped.

crypto map mymap 10 ipsec-isakmp

 match address 101

 set transform-set my_t_set1

 set peer 10.0.0.1

 set peer 10.0.0.2

crypto map mymap 20 ipsec-isakmp

 match address 102

 set transform-set my_t_set1 my_t_set2

 set peer 10.0.0.3

crypto map mymap 30 ipsec-isakmp dynamic mydynamicmap

!

crypto dynamic-map mydynamicmap 10

 match address 103

 set transform-set my_t_set1 my_t_set2 my_t_set3


The following example configures Tunnel Endpoint Discovery on a Cisco router:

crypto map testtag 10 ipsec-isakmp dynamic dmap discover
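The points made in the examples above (the three statements a static entry needs, the static keys of an ipsec-manual entry, a dynamic entry that catches what the static entries do not match) can be checked mechanically against a running configuration. The script below is an added example, not Cisco code and not part of this reference. The configuration text it parses is constructed from this page's examples, with two deliberate defects added (an entry "mymap 40" that lacks its transform set, and a short outbound ESP key). The key-length table, the list of weak transforms, and the rule that a dynamic entry should carry the highest seq-num in its set (Cisco's guidance that dynamic entries be the lowest priority, so static entries are evaluated first) are encoded by the script itself, not read from any Cisco tool:

```python
"""Audit Cisco IOS crypto map configuration text (added example, not Cisco's code)."""
import re

TRANSFORM_KEY_BYTES = {"esp-des": 8, "ah-md5-hmac": 16, "ah-sha-hmac": 20, "esp-sha-hmac": 20}  # manual-mode key sizes
WEAK_TOKENS = ("des", "md5")   # DES/3DES and MD5 transforms are deprecated
HEADER = re.compile(r"^crypto (map|dynamic-map) (\S+) (\d+)"
                    r"(?: (ipsec-isakmp|ipsec-manual))?(?: dynamic (\S+))?( discover)?$")
XFORM = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")

# Constructed input: the page's examples in one map set, plus an incomplete entry (mymap 40)
# and a too-short outbound ESP key so that each check has something to report.
SAMPLE_CONFIG = """\
crypto ipsec transform-set my_t_set1 esp-aes 256 esp-sha-hmac
crypto ipsec transform-set someset ah-md5-hmac esp-des
crypto map mymap 10 ipsec-isakmp
 match address 101
 set transform-set my_t_set1
 set peer 10.0.0.1
crypto map mymap 30 ipsec-isakmp dynamic mydynamicmap
crypto map mymap 40 ipsec-isakmp
 match address 104
 set peer 10.0.0.9
crypto map manualmap 10 ipsec-manual
 match address 102
 set transform-set someset
 set peer 10.0.0.5
 set session-key inbound ah 256 98765432109876549876543210987654
 set session-key outbound ah 256 fedcbafedcbafedcfedcbafedcbafedc
 set session-key inbound esp 256 cipher 0123456789012345
 set session-key outbound esp 256 cipher abcdefabcdef
crypto dynamic-map mydynamicmap 10
 match address 103
 set transform-set my_t_set1 my_t_set2 my_t_set3
"""

def parse_session_key(tokens):
    # tokens after 'set session-key': DIR ah SPI HEX | DIR esp SPI cipher HEX [authenticator HEX]
    key, rest = {"direction": tokens[0], "proto": tokens[1], "cipher": None, "auth": None}, tokens[3:]
    key["auth"] = rest[0] if key["proto"] == "ah" and rest else None
    for kw, field in (("cipher", "cipher"), ("authenticator", "auth")):
        if kw in rest and rest.index(kw) + 1 < len(rest):
            key[field] = rest[rest.index(kw) + 1]
    return key

def parse_config(text):  # -> (transform_sets: name -> tokens, entries: one dict per crypto map header)
    transform_sets, entries, current = {}, [], None
    for line in map(str.rstrip, text.splitlines()):
        if not line.startswith(" "):          # a top-level command ends the current block
            current = None
            if m := XFORM.match(line):
                transform_sets[m.group(1)] = m.group(2).split()
            elif m := HEADER.match(line):
                kind, name, seq, mode, dyn_ref, _discover = m.groups()
                current = {"set": name, "seq": int(seq), "mode": mode, "dynamic_ref": dyn_ref, "match": [],
                           "transforms": [], "peers": [], "session_keys": [], "kind": "dynamic-map"
                           if kind == "dynamic-map" else "dynamic-ref" if dyn_ref else "static"}
                entries.append(current)
        elif current is not None and (parts := line.split()):
            if parts[:2] == ["match", "address"]:
                current["match"] += parts[2:]
            elif parts[:2] == ["set", "transform-set"]:
                current["transforms"] += parts[2:]
            elif parts[:2] == ["set", "peer"]:
                current["peers"] += parts[2:3]
            elif parts[:2] == ["set", "session-key"]:
                current["session_keys"].append(parse_session_key(parts[2:]))
    return transform_sets, entries

def audit(text):
    # Returns a list of human-readable findings for the configuration excerpt.
    (transform_sets, entries), findings = parse_config(text), []
    for name, tokens in transform_sets.items():
        if weak := [t for t in tokens if any(w in t for w in WEAK_TOKENS)]:
            findings.append(f"transform-set {name}: weak/deprecated transforms {' '.join(weak)}")
    for e in entries:
        tag = f"crypto {'dynamic-map' if e['kind'] == 'dynamic-map' else 'map'} {e['set']} {e['seq']}"
        if e["kind"] == "static":          # the page's minimum for a static entry
            for field, stmt in (("match", "match address"), ("transforms", "set transform-set"),
                                ("peers", "set peer")):
                if not e[field]:
                    findings.append(f"{tag}: missing '{stmt}'")
        if e["mode"] == "ipsec-manual":
            findings.append(f"{tag}: ipsec-manual entry relies on static session keys (no IKE, no rekeying)")
            need = {("ah" if t.startswith("ah-") else "esp", "auth" if t.endswith("-hmac") else "cipher"):
                    TRANSFORM_KEY_BYTES[t] for ts in e["transforms"]
                    for t in transform_sets.get(ts, []) if t in TRANSFORM_KEY_BYTES}
            for k, slot in ((k, s) for k in e["session_keys"] for s in ("cipher", "auth")):
                want, hexkey = need.get((k["proto"], slot)), k[slot]
                if want and hexkey and len(hexkey) != 2 * want:
                    findings.append(f"{tag}: {k['direction']} {k['proto']} {slot} key is {len(hexkey)} "
                                    f"hex digits, transform needs {2 * want}")
    # A dynamic entry should be the lowest priority (highest seq-num) so static entries match first.
    for e in [e for e in entries if e["kind"] == "dynamic-ref"]:
        later = [s["seq"] for s in entries if s["set"] == e["set"] and s["kind"] == "static" and s["seq"] > e["seq"]]
        if later:
            findings.append(f"crypto map {e['set']} {e['seq']}: dynamic entry precedes static entry/entries "
                            f"{later}; give it the highest seq-num in the set")
    return findings

if __name__ == "__main__": print("\n".join(audit(SAMPLE_CONFIG)))
```

Run against the constructed input, the script reports the weak transforms in "someset", the missing set transform-set in "mymap 40", the static-key nature of "manualmap 10", the outbound ESP key that is 12 hex digits where esp-des needs 16, and the dynamic entry "mymap 30" sitting below the static entry 40. Only the transforms in TRANSFORM_KEY_BYTES are length-checked; other transforms pass through unchecked.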


Misconceptions:

None


Related commands:


show crypto map


© Cisco Systems, Inc. 2001, 2002
World Wide Education