Crypto map entries created for IPSec set up security association (SA)
parameters, tying together the various parts configured for IPSec. Some of
these parameters are shown in the figure.
Crypto map entries with the same crypto map name, but different map sequence numbers,
are grouped into a crypto map set. These crypto map sets are applied to
interfaces. Then all IP traffic passing through the interface is evaluated
against the applied crypto map set. If a crypto map entry sees outbound IP
traffic that should be protected and the crypto map specifies the use of IKE, a
security association is negotiated with the remote peer according to the
parameters included in the crypto map entry. If the crypto map entry specifies
the use of manual security associations, a security association should have
already been established in the configuration. If a dynamic crypto map entry
sees outbound traffic that should be protected and no security association
exists, the packet is dropped.
The policy described in the crypto map entries is used during the negotiation
of security associations. If the local
router initiates the negotiation, it will use the policy specified in the
static crypto map entries to create the offer to be sent to the specified IPSec
peer. If the IPSec peer initiates the negotiation, the local router will check
the policy from the static crypto map entries, as well as any referenced
dynamic crypto map entries to decide whether to accept or reject the request of
the peer.
When two IPSec peers try to establish a security association, they must each
have at least one crypto map entry that is compatible with one of the crypto
map entries on the other peer. For two crypto map entries to be compatible,
they must at least meet the following criteria:
- The crypto map entries must contain compatible crypto access lists, such as
mirror-image access lists. Where the responding peer is using dynamic crypto
maps, the entries in the local crypto access list must be permitted by the
crypto access list of the remote peer.
- The crypto map entries must each identify the other peer, unless the
responding peer is using dynamic crypto maps.
- The crypto map entries must have at least one transform set in common.
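The following pair of configurations is an added example, not taken from the page or from Cisco documentation, showing two static crypto map entries that satisfy all three criteria above. Router names, the map name VPNMAP, ACL number 101, transform-set name TS-AES-SHA, the pre-shared key placeholder and the addresses (192.0.2.0/30 on the WAN, 10.1.1.0/24 and 10.2.2.0/24 behind the routers) are assumptions.

```cisco
! ===== Router A (WAN address 192.0.2.1, assumed) =====
! IKE phase 1 policy and pre-shared key for the peer (assumed values)
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 14
crypto isakmp key CHANGE-ME address 192.0.2.2
!
! Criterion 3: a transform set that the other peer also configures
crypto ipsec transform-set TS-AES-SHA esp-aes esp-sha-hmac
!
! Criterion 1: crypto ACL, local subnet to remote subnet
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! Criterion 2: the entry identifies the other peer by address
crypto map VPNMAP 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set TS-AES-SHA
 match address 101
!
interface Serial0/0
 ip address 192.0.2.1 255.255.255.252
 crypto map VPNMAP

! ===== Router B (WAN address 192.0.2.2, assumed) =====
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 14
crypto isakmp key CHANGE-ME address 192.0.2.1
!
! Same transform set as Router A, so the two entries have one in common
crypto ipsec transform-set TS-AES-SHA esp-aes esp-sha-hmac
!
! Mirror image of Router A's ACL: source and destination are swapped
access-list 101 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!
! Identifies Router A as the peer
crypto map VPNMAP 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set TS-AES-SHA
 match address 101
!
interface Serial0/0
 ip address 192.0.2.2 255.255.255.252
 crypto map VPNMAP
```

On either router, `show crypto map` displays the entry with its peer, ACL and transform set, and `show crypto ipsec sa` shows whether an SA was negotiated once interesting traffic crosses Serial0/0. If Router B were instead the responder with a dynamic crypto map, its `set peer` and `match address` lines would be absent, and the compatibility requirement on the ACL side would reduce to Router A's ACL entries being permitted by Router B's crypto ACL, as the first criterion states.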
Only one crypto map set can be applied to a single interface. The
crypto map set can include a combination of Cisco Encryption Technology (CET),
IPSec using IKE, and IPSec with manually configured SA entries. Multiple
interfaces can share the same crypto map set so that the same policy can be
applied to multiple interfaces.
If more than one crypto map entry is created for a given interface, use the
sequence number of each map entry to
rank the map entries. The lower the sequence number, the higher the priority.
At the interface that has the crypto map set, traffic is evaluated against
higher priority map entries first.
Multiple crypto map entries can be created for a given interface if any of the
following conditions exist:
- If different data flows are to be handled by separate IPSec peers.
- If different IPSec security needs to be applied to different types of
traffic, either to the same or separate IPSec peers. For example, traffic
between one pair of subnets might need only authentication, while traffic
between another pair of subnets needs both authentication and encryption. In
this case, the two types of traffic must be defined in two separate crypto
ACLs, and a separate crypto map entry must be created for each crypto ACL.
- If IKE is not being used to establish a particular set of security
associations and more than one ACL entry is needed, separate ACLs must be
created, one per permit entry, with a separate crypto map entry for each ACL.
Use the crypto map global configuration command to create or modify a crypto
map entry and enter crypto map configuration mode. Set the crypto map entries
referencing dynamic maps to be the lowest priority entries in a crypto map set;
remember that the lowest priority entries have the highest sequence numbers.
Use the no form of this command to delete a crypto map entry or set.
The figure illustrates a crypto map with two peers specified for redundancy. If
the first peer cannot be contacted, the second peer is used. There is no limit
to the number of redundant peers that can be configured.
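The following configuration is an added example, not code from the page or from Cisco documentation. It builds one crypto map set that exercises the points in the preceding paragraphs together: two static entries for different flows to different peers, with the lower sequence number evaluated first; two peers on one entry for redundancy; and a dynamic map referenced at the highest sequence number, so that it is consulted last. The map name VPNMAP, dynamic map name DYNMAP, ACL numbers 110 and 120, transform-set names and all addresses are assumptions, and the IKE phase 1 policy and keys are assumed to be configured separately.

```cisco
! Transform sets (assumed names): authentication only, and authentication plus encryption
crypto ipsec transform-set TS-AUTH-ONLY esp-sha-hmac
crypto ipsec transform-set TS-AES-SHA esp-aes esp-sha-hmac
!
! One crypto ACL per type of traffic, as the conditions above require
access-list 110 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
access-list 120 permit ip 10.1.3.0 0.0.0.255 10.2.4.0 0.0.0.255
!
! Sequence 10: highest priority, evaluated first. Authentication only.
! Two peers are listed; the second is used only if the first cannot be contacted.
crypto map VPNMAP 10 ipsec-isakmp
 set peer 192.0.2.2
 set peer 192.0.2.6
 set transform-set TS-AUTH-ONLY
 match address 110
!
! Sequence 20: a different flow, to a different peer, authenticated and encrypted
crypto map VPNMAP 20 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set TS-AES-SHA
 match address 120
!
! Dynamic map for peers whose addresses are not known in advance.
! No set peer; the responder learns the peer and proposal from the initiator.
crypto dynamic-map DYNMAP 10
 set transform-set TS-AES-SHA
!
! The dynamic map is referenced with the highest sequence number in the set,
! which gives it the lowest priority, so static entries are matched first.
crypto map VPNMAP 100 ipsec-isakmp dynamic DYNMAP
!
! Only one crypto map set may be applied to an interface; the same set
! could also be applied to a second interface to reuse the policy.
interface Serial0/0
 crypto map VPNMAP
```

Outbound traffic on Serial0/0 is compared against entry 10, then 20, then the dynamic entry 100. Because the dynamic entry carries no peer, traffic that matches only it with no existing SA is dropped rather than triggering a negotiation, which is why the static entries must sit at lower sequence numbers. `show crypto map` lists the entries in sequence order so the resulting priority can be checked, and `no crypto map VPNMAP 20` would remove just that entry while `no crypto map VPNMAP` removes the whole set.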
The crypto map command has a crypto map configuration mode with the commands
and syntax shown in the table in the figure.