Configure a Router with IPSec Using Pre-shared Keys
Step 5 – Apply crypto maps to interfaces

A crypto map set needs to be applied to each interface through which IPSec traffic will flow. Applying the crypto map set to an interface instructs the router to evaluate all the traffic that passes through the interface against the crypto map set and to use the specified policy during connection or security association negotiation on behalf of traffic to be protected by IPSec.

To apply a crypto map set to an interface, use the crypto map map-name command in interface configuration mode.

For redundancy, the same crypto map set can be applied to more than one interface. The default behavior is as follows:

  • Each interface will have its own piece of the security association database.
  • The IP address of the local interface will be used as the local address for IPSec traffic originating from or destined to that interface.

If the same crypto map set is applied to multiple interfaces for redundancy purposes, an identifying interface needs to be specified. This has the following effects:

  • The per-interface portion of the IPSec security association database will be established one time and shared for traffic through all the interfaces that share the same crypto map.
  • The IP address of the identifying interface will be used as the local address for IPSec traffic originating from or destined to those interfaces sharing the same crypto map set.

One suggestion is to use a loopback interface as the identifying interface.

To specify redundant interfaces and name an identifying interface, use the crypto map map-name local-address interface-id command in global configuration mode.
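
The two commands above, combined in one configuration with a loopback as the identifying interface. This is an added example, not part of the original course material; the names VPNMAP and TSET, access list 110 and all addresses are assumptions, and the IKE policy and pre-shared key from the earlier steps are assumed to be in place.

```cisco
! Constructed example: map/transform-set names, ACL number and addresses are assumptions.
!
interface Loopback0
 description Identifying interface for IPSec
 ip address 192.0.2.1 255.255.255.255
!
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
!
! Traffic to be protected by IPSec
access-list 110 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TSET
 match address 110
!
! Global configuration mode: name Loopback0 as the identifying interface.
! Its address becomes the local address for IPSec traffic on every
! interface that shares VPNMAP, and the SA database is shared between them.
crypto map VPNMAP local-address Loopback0
!
! Interface configuration mode: apply the same crypto map set to both uplinks.
interface Serial0/0
 ip address 198.51.100.1 255.255.255.252
 crypto map VPNMAP
!
interface Serial0/1
 ip address 198.51.100.5 255.255.255.252
 crypto map VPNMAP
!
! Verification (privileged EXEC mode):
!   show crypto map        - lists the interfaces using VPNMAP
!   show crypto ipsec sa   - the local crypto endpoint should be 192.0.2.1,
!                            not either serial interface address
```

The remote peer must use the identifying interface address (192.0.2.1 here) as its peer address and in its pre-shared key entry, and that address must be reachable from the peer through either uplink. If the peer still points at a physical interface address, negotiation fails once local-address is configured.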


Lab Activity

e-Lab Activity: Configure IPSec

In this activity, students will learn how to configure transform set suites.
