Step 3-4 Configure Crypto Maps

Sep 27,2009 by alperen

Crypto map entries must be created for IPSec to set up SAs for traffic flows that must be protected. Crypto map entries created for IPSec set up security association parameters, tying together the various parts configured for IPSec, including

  • Which traffic should be protected by IPSec (crypto ACL)

  • Which IPSec peers the protected traffic can be forwarded to—the peers with which a security association can be established

  • Which transform sets are to be used with the protected traffic

  • How keys and security associations should be used or managed (or what the keys are, if IKE isn’t used)

  • Other parameters that might be necessary to define an IPSec SA

As with applying packet filtering, it’s only possible to apply one crypto map set to a particular interface. You can apply the same crypto map to multiple interfaces to apply the same policy to all included interfaces. The crypto map set can include a combination of IPSec using IKE and IPSec with manually configured SA entries.

To create more than one crypto map entry for a particular interface, use a unique sequence number (seq-num) for each map entry. The seq-num shouldn’t be assigned arbitrarily; it’s used to rank multiple crypto map entries within a crypto map set. Within a crypto map set, a crypto map entry with a lower seq-num has a higher priority and is evaluated before a map entry with a higher seq-num. Be sure to space the sequence numbers so that future entries can be inserted without having to completely reconfigure the set.

Use the global crypto map command to create a crypto map entry and enter the Crypto Map Configuration mode. Use the no form of the command to delete a crypto map entry or set. Use the crypto map map-name seq-num command without a keyword to modify an existing crypto map entry. Once a crypto map entry is created, you can’t change the global configuration parameters because those parameters determine which configuration commands are valid at the crypto map level. For example, once a map entry is created as ipsec-isakmp, it can’t be changed to ipsec-manual. It must be deleted and reentered.

The command syntax follows:

Rtr1(config)#crypto map map-name seq-num ipsec-manual
Rtr1(config)#crypto map map-name seq-num ipsec-isakmp [dynamic dynamic-map-name][discover]
Rtr1(config)#no crypto map map-name [seq-num]

map-name

Identifies the crypto map set. Assigned when the crypto map was created.

seq-num

A sequencing number assigned to a crypto map entry that determines its processing order. A lower number is used before a higher number.

ipsec-manual

Indicates IKE will not be used to establish the IPSec SAs for protecting the traffic specified by this crypto map entry.

ipsec-isakmp

Indicates IKE will be used to establish the IPSec SAs for protecting the traffic specified by this crypto map entry.

dynamic

(Optional) Specifies this crypto map entry is to reference a preexisting dynamic crypto map. Dynamic crypto maps are policy templates used in processing negotiation requests from a peer IPSec device. None of the crypto map configuration commands are available with this option.

dynamic-map-name

(Optional) Name of the dynamic crypto map set to use as the policy template.

discover

(Optional) Enables peer discovery. Added in v12.0(5)T to support Tunnel Endpoint Discovery (TED).

By default, no crypto maps exist and peer discovery isn’t enabled.

After typing the crypto map command, the Crypto Map Configuration mode is invoked, as shown in the following output:

Rtr1(config)#crypto map testmap 50 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
       and a valid access list have been configured.
Rtr1(config-crypto-map)#

From here, the set command can be used to define the crypto map parameters. You can also add a description, a match statement to link the crypto ACL that defines the traffic, and, finally, exit to end the session. The following example demonstrates pulling choices from the earlier exercises:

Rtr1(config)#crypto map testmap 50 ipsec-isakmp
Rtr1(config-crypto-map)#description VPN Link to branch in Tacoma, WA
Rtr1(config-crypto-map)#set peer 10.0.50.2
Rtr1(config-crypto-map)#set security-association lifetime seconds 1800
Rtr1(config-crypto-map)#set pfs group2
Rtr1(config-crypto-map)#set transform-set CPU-HOG
Rtr1(config-crypto-map)#match address 125
Rtr1(config-crypto-map)#exit
Rtr1(config)#

This next example demonstrates creating a second crypto map entry for testmap that creates a VPN to San Antonio, TX. Because of the larger seq-num (100), this entry is always evaluated after the original entry (seq-num 50).

Rtr1(config)#crypto map testmap 100 ipsec-isakmp
Rtr1(config-crypto-map)#description VPN Link to branch in San Antonio, TX
Rtr1(config-crypto-map)#set peer 10.1.195.130
Rtr1(config-crypto-map)#set security-association lifetime seconds 2700
Rtr1(config-crypto-map)#set pfs group2
Rtr1(config-crypto-map)#set transform-set DES-ONLY
Rtr1(config-crypto-map)#match address 150
Rtr1(config-crypto-map)#exit
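As an added example (not from the original article or from Cisco), a small Python audit of crypto map entries read from a running-config excerpt: it lists the entries of a set in the order IOS evaluates them (lowest seq-num first) and flags entries that would remain disabled because they lack a peer or a crypto ACL, as the % NOTE above warns. The config text is constructed from the two testmap entries on this page plus an incomplete placeholder entry (seq-num 60).

```python
import re
# Constructed running-config excerpt: the page's testmap entries, listed out of seq order, plus an incomplete entry 60.
SAMPLE_CONFIG = """\
crypto map testmap 100 ipsec-isakmp
 set peer 10.1.195.130
 set pfs group2
 set transform-set DES-ONLY
 match address 150
crypto map testmap 50 ipsec-isakmp
 set peer 10.0.50.2
 set transform-set CPU-HOG
 match address 125
crypto map testmap 60 ipsec-isakmp
 set transform-set CPU-HOG
"""

HEADER = re.compile(r"^crypto map (\S+) (\d+) (ipsec-isakmp|ipsec-manual)$")

def parse_crypto_maps(config):
    """One dict per crypto map entry: set name, seq-num, mode, peers, transform sets, crypto ACL."""
    entries, cur = [], None
    for raw in config.splitlines():
        if m := HEADER.match(raw):
            cur = {"map": m[1], "seq": int(m[2]), "mode": m[3], "peers": [], "transforms": [], "acl": None}
            entries.append(cur)
        elif cur and raw.startswith(" "):       # indented sub-command of the open entry
            w = raw.split()
            if w[:2] == ["set", "peer"]:
                cur["peers"].append(w[2])
            elif w[:2] == ["set", "transform-set"]:
                cur["transforms"].extend(w[2:])
            elif w[:2] == ["match", "address"]:
                cur["acl"] = w[2]
        else:
            cur = None                           # left the crypto map block (other sub-commands are ignored)
    return entries

def evaluation_order(entries, map_name):
    """seq-nums of one crypto map set in the order IOS evaluates them: lowest first."""
    return sorted(e["seq"] for e in entries if e["map"] == map_name)

def audit(entries):
    """Entries IOS leaves disabled: no 'set peer' or no 'match address' (the % NOTE printed on creation)."""
    findings = []
    for e in entries:
        for why, missing in (("peer", not e["peers"]), ("crypto ACL", e["acl"] is None)):
            if missing:
                findings.append(f'{e["map"]} {e["seq"]}: no {why}, entry stays disabled')
    return findings
```

Running `evaluation_order(parse_crypto_maps(SAMPLE_CONFIG), "testmap")` returns [50, 60, 100], showing that the placeholder entry 60 is consulted before the San Antonio entry 100 even though it was typed later.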

After crypto map entries are defined, the crypto map set is assigned to interfaces using the crypto map (interface IPSec) command, covered in the next section.
