Configure a Router with IPSec Using Pre-shared Keys
Step 4 – Create crypto maps

Crypto map entries created for IPSec set up security association parameters, tying together the various parts configured for IPSec. Some of these parameters are shown in Figure .

Crypto map entries with the same crypto map name, but different map sequence numbers, are grouped into a crypto map set. These crypto map sets are applied to interfaces. Then all IP traffic passing through the interface is evaluated against the applied crypto map set. If a crypto map entry sees outbound IP traffic that should be protected and the crypto map specifies the use of IKE, a security association is negotiated with the remote peer according to the parameters included in the crypto map entry. If the crypto map entry specifies the use of manual security associations, a security association should have already been established in the configuration. If a dynamic crypto map entry sees outbound traffic that should be protected and no security association exists, the packet is dropped.

The policy described in the crypto map entries is used during the negotiation of security associations. If the local router initiates the negotiation, it will use the policy specified in the static crypto map entries to create the offer to be sent to the specified IPSec peer. If the IPSec peer initiates the negotiation, the local router will check the policy from the static crypto map entries, as well as any referenced dynamic crypto map entries to decide whether to accept or reject the request of the peer.

When two IPSec peers try to establish a security association, they must each have at least one crypto map entry that is compatible with one of the crypto map entries on the other peer. For two crypto map entries to be compatible, they must at least meet the following criteria:

  • The crypto map entries must contain compatible crypto access lists, such as mirror image access lists. In the case where the responding peer is using dynamic crypto maps, the entries in the local crypto access list must be permitted by the crypto access list of the remote peer.
  • The crypto map entries must each identify the other peer, unless the responding peer is using dynamic crypto maps.
  • The crypto map entries must have at least one transform set in common.

Only one crypto map set can be applied to a single interface. The crypto map set can include a combination of Cisco Encryption Technology (CET), IPSec using IKE, and IPSec with manually configured SA entries. Multiple interfaces can share the same crypto map set so that the same policy can be applied to multiple interfaces.

If more than one crypto map entry is created for a given interface, use the sequence number of each map entry to rank the map entries. The lower the sequence number, the higher the priority. At the interface that has the crypto map set, traffic is evaluated against higher priority map entries first.

Multiple crypto map entries can be created for a given interface if any of the following conditions exist:

  • If different data flows are to be handled by separate IPSec peers.
  • If different IPSec security needs to be applied to different types of traffic, either to the same or separate IPSec peers. For example, traffic between one set of subnets might need to be authenticated only, while traffic between another set of subnets needs to be both authenticated and encrypted. In this case, the different types of traffic should have been defined in two separate ACLs, and a separate crypto map entry must be created for each crypto ACL.
  • If IKE is not being used to establish a particular set of security associations and multiple ACL entries need to be specified, separate ACLs must be created, one per permit entry, and a separate crypto map entry must be specified for each ACL.

Use the crypto map global configuration command to create or modify a crypto map entry and enter the crypto map configuration mode. Set the crypto map entries referencing dynamic maps to be the lowest priority entries in a crypto map set. Remember that the lowest priority entries have the highest sequence numbers. Use the no form of this command to delete a crypto map entry or set.

Figure illustrates a crypto map with two peers specified for redundancy. If the first peer cannot be contacted, the second peer is used. There is no limit to the number of redundant peers that can be configured.

The crypto map command has a crypto map configuration mode with the commands and syntax shown in the table in Figure .
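The following Cisco IOS configuration is an added, constructed example and is not part of the original page. It pulls together the points above: two crypto map entries (sequence numbers 10 and 20) in one crypto map set, each with its own crypto ACL and transform set because one flow needs authentication only and the other needs authentication and encryption; two peers in each entry for redundancy; and mirror-image crypto ACLs on the remote router so the entries are compatible. The router names, map and ACL names, transform-set names, addresses (documentation ranges) and the pre-shared key placeholder are all assumptions; the ISAKMP policy and key lines belong to the earlier steps of this procedure and are shown only so the crypto map has something to reference.

```cisco
! ===== Router A (site A, outside address 192.0.2.1) =====
! IKE phase 1 policy and pre-shared keys (configured in earlier steps;
! REPLACE-WITH-STRONG-KEY is a placeholder, not a real key)
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-KEY address 198.51.100.1
crypto isakmp key REPLACE-WITH-STRONG-KEY address 198.51.100.2
!
! Transform sets: AUTH-ONLY authenticates, AUTH-ENC authenticates and encrypts
crypto ipsec transform-set AUTH-ONLY ah-sha-hmac
 mode tunnel
crypto ipsec transform-set AUTH-ENC esp-aes esp-sha-hmac
 mode tunnel
!
! One crypto ACL per traffic type; each ACL gets its own crypto map entry
ip access-list extended CRYPTO-AUTH
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
ip access-list extended CRYPTO-ENC
 permit ip 10.1.3.0 0.0.0.255 10.2.4.0 0.0.0.255
!
! Crypto map set VPNMAP: entry 10 is evaluated before entry 20.
! Two peers per entry: 198.51.100.2 is tried only if 198.51.100.1 cannot be reached.
crypto map VPNMAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set peer 198.51.100.2
 set transform-set AUTH-ONLY
 match address CRYPTO-AUTH
crypto map VPNMAP 20 ipsec-isakmp
 set peer 198.51.100.1
 set peer 198.51.100.2
 set transform-set AUTH-ENC
 match address CRYPTO-ENC
!
! Only one crypto map set may be applied to an interface
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 crypto map VPNMAP

! ===== Router B (site B primary peer, outside address 198.51.100.1) =====
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-KEY address 192.0.2.1
!
crypto ipsec transform-set AUTH-ONLY ah-sha-hmac
 mode tunnel
crypto ipsec transform-set AUTH-ENC esp-aes esp-sha-hmac
 mode tunnel
!
! Mirror-image crypto ACLs: source and destination swapped relative to Router A
ip access-list extended CRYPTO-AUTH
 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
ip access-list extended CRYPTO-ENC
 permit ip 10.2.4.0 0.0.0.255 10.1.3.0 0.0.0.255
!
! Same sequence numbers are not required on both sides; a compatible ACL,
! a matching peer, and a common transform set are what must line up
crypto map VPNMAP 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set AUTH-ONLY
 match address CRYPTO-AUTH
crypto map VPNMAP 20 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set AUTH-ENC
 match address CRYPTO-ENC
!
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map VPNMAP
```

After applying the map, `show crypto map` lists the entries of the set in sequence-number order with their peers, ACLs and transform sets, and `show crypto ipsec sa` shows which entry negotiated each security association. Because every IP packet leaving the interface is evaluated against the crypto map set, a flow that matches none of the crypto ACLs is forwarded without IPSec protection; checking the ACLs on both peers for exact mirror-image coverage is the most important review step when a new entry is added.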