Cisco Systems MDS 9000 Video Gaming Accessories User Manual

Open as PDF

of 520

Send documentation comments to mdsfeedback-doc@cisco.com.

29-14

Cisco MDS 9000 Family Fabric Manager Configuration Guide

OL-6965-03, Cisco MDS SAN-OS Release 2.x

Chapter 29 IPsec and IKE

Modifying IKE and IPsec

SA Establishment Between Peers

When two peers try to establish an SA, they must each have at least one crypto map entry that is

compatible with one of the other peer's crypto map entries.

For two crypto map entries to be compatible, they must at least meet the following criteria:

• The crypto map entries must contain compatible crypto ACLs (for example, mirror image ACLs). If

the responding peer entry is in the local crypto, the ACL must be permitted by the peer's crypto ACL.

• The crypto map entries must each identify the other peer or must have auto peer configured.

• If you create more than one crypto map entry for a given interface, use the seq-num of each map

entry to rank the map entries: the lower the

seq-num, the higher the priority. At the interface that has

the crypto map set, traffic is evaluated against higher priority map entries first.

• The crypto map entries must have at least one transform set in common where IKE negotiations are

carried out and SAs are established. During the IPsec SA negotiation, the peers agree to use a

particular transform set when protecting a particular data flow.

When a packet matches a permit entry in a particular ACL, the corresponding crypto map entry is tagged,

and connections are established.

The AutoPeer Option

Setting the peer address as AutoPeer in the crypto map indicates that the destination endpoint of the

traffic should be used as the peer address for the SA. Using the same crypto map, a unique SA can be set

up to each of the endpoints in the subnet specified by the crypto map's ACL entry. Auto-peer simplifies

configuration when traffic endpoints are IPsec capable. It is particularly useful for iSCSI, where the

iSCSI hosts in the same subnet do not require separate configuration.

Figure 29-6 shows a scenario where the auto-peer option can simplify configuration. Using the auto-peer

option, only one crypto map entry is needed for all the hosts from subnet X to set up SAs with the switch.

Each host sets up its own SA, but shares the crypto map entry. Without the auto-peer option, each host

needs one crypto map entry.

previous next

Top Automotive Device Types

Top Automotive Brands

Top Baby Care Device Types

Top Baby Care Brands

Top Car Audio & Video Device Types

Top Car Audio & Video Brands

Top Cellphone Device Types

Top Cellphone Brands

Top Communications Device Types

Top Communications Brands

Top Computer Device Types

Top Computer Brands

Top Fitness Device Types

Top Fitness Brands

Top Home Audio Device Types

Top Home Audio Brands

Top Household Appliance Device Types

Top Household Appliance Brands

Top Kitchen Appliance Device Types

Top Kitchen Appliance Brands

Top Laundry Appliance Device Types

Top Laundry Appliance Brands

Top Lawn & Garden Device Types

Top Lawn & Garden Brands

Top Marine Equipment Device Types

Top Marine Equipment Brands

Top Musical Instrument Device Types

Top Musical Instrument Brands

Top Outdoor Cooking Device Types

Top Outdoor Cooking Brands

Top Personal Care Device Types

Top Personal Care Brands

Top Photography Device Types

Top Photography Brands

Top Portable Media Device Types

Top Portable Media Brands

Top Power Tools Device Types

Top Power Tools Brands

Top TV and Video Device Types

Top TV and Video Brands

Top Videogame Device Types

Top Videogame Brands

Cisco Systems MDS 9000 Video Gaming Accessories User Manual