Filter
Top Products
4-8
Integrated Services Adapter and Integrated Services Module Installation and Configuration
OL-3575-01 B0
Chapter 4 Configuring the ISA and ISM
Creating Crypto Maps
For IPSec to succeed between two IPSec peers, both peers’ crypto map entries must contain compatible
configuration statements.
When two peers try to establish a security association, each must have at least one crypto map entry that
is compatible with one of the other peer’s crypto map entries. For two crypto map entries to be
compatible, they must meet the following criteria:
• The crypto map entries must contain compatible crypto access lists (for example, mirror image
access lists). When the responding peer is using dynamic crypto maps, the entries in the local crypto
access list must be “permitted” by the peer’s crypto access list.
• The crypto map entries must each identify the other peer (unless the responding peer is using
dynamic crypto maps).
• The crypto map entries must have at least one transform set in common.
When IKE is used to establish security associations, the IPSec peers can negotiate the settings they will
use for the new security associations. This means that you can specify lists (such as lists of acceptable
transforms) within the crypto map entry.
To create crypto map entries that use IKE to establish the security associations, use the following
commands, starting in global configuration mode:
Repeat these steps to create additional crypto map entries as required.
For detailed information on configuring crypto maps, refer to the “Configuring IPSec Network Security”
chapter in the Security Configuration Guide publication. This chapter contains information on the
following topics:
• About Crypto Maps
• Load Sharing
• How Many Crypto Maps Should You Create?
• Creating Crypto Map Entries for Establishing Manual Security Associations
• Creating Crypto Map Entries That Use IKE to Establish Security Associations
• Creating Dynamic Crypto Maps
Step Command Purpose
1. crypto map map-name seq-num
ipsec-isakmp
Create the crypto map and enter
crypto map configuration mode.
2. match address access-list-id Specify an extended access list. This
access list determines which traffic is
protected by IPSec and which is not.
3. set peer {hostname | ip-address} Specify a remote IPSec peer. This is
the peer to which IPSec-protected
traffic can be forwarded.
Repeat for multiple remote peers.
4. set transform-set transform-set-name1
[transform-set-name2...transform-set-name6]
Specify which transform sets are
allowed for this crypto map entry.
List multiple transform sets in order
of priority (highest priority first).
5. end Exit crypto map configuration mode.