A crypto map set needs to be applied to each interface through which IPSec
traffic will flow. Applying the crypto map set to an interface instructs the
router to evaluate all the traffic that passes through the interface against
the crypto map set and to use the specified policy during connection or
security association negotiation on behalf of traffic to be protected by
IPSec.
To apply a crypto map set to an interface, use the crypto map map-name
command in interface configuration mode.
For redundancy, the same crypto map set can be applied to more than one
interface.
The default behavior is as follows:
- Each interface will have its own piece of the security association
database.
- The IP address of the local interface will be used as the local address for
IPSec traffic originating from or destined to that interface.
If the same crypto map set is applied to multiple interfaces for
redundancy purposes, an identifying interface needs to be specified. This has
the following effects:
- The per-interface portion of the IPSec security association database will
be established one time and shared for traffic through all the interfaces that
share the same crypto map.
- The IP address of the identifying interface will be used as the local
address for IPSec traffic originating from or destined to those interfaces
sharing the same crypto map set.
One suggestion is to use a loopback interface as the identifying
interface.
To specify redundant interfaces and name an identifying
interface, use the crypto map map-name local-address
interface-id command in global configuration mode.
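The following configuration is an added example, not part of the original
page, showing the procedure above end to end: one crypto map set applied to
two WAN interfaces for redundancy, with a loopback named as the identifying
interface. The map name MYMAP, the peer and interface addresses, the transform
set and the crypto access list are assumptions chosen for illustration; the
ISAKMP policy and pre-shared key are assumed to be configured separately.

```cisco
! Added example (not from the original page). Names and addresses are
! assumptions; the IKE policy and keys are assumed to be configured already.
!
! Crypto ACL selecting the traffic to be protected (assumed prefixes)
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
! Transform set used by the crypto map entry
crypto ipsec transform-set AES-SHA esp-aes 256 esp-sha-hmac
!
! The crypto map set MYMAP with one IKE-negotiated entry
crypto map MYMAP 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set AES-SHA
 match address VPN-TRAFFIC
!
! Identifying interface: its address becomes the local address for IPSec
! (and ISAKMP) traffic on every interface that shares MYMAP, and the
! per-interface part of the SA database is built once and shared by them.
interface Loopback0
 ip address 198.51.100.1 255.255.255.255
!
! Name the identifying interface (global configuration mode)
crypto map MYMAP local-address Loopback0
!
! Redundant interfaces: the same crypto map set is applied to both
! (interface configuration mode)
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.252
 crypto map MYMAP
!
interface GigabitEthernet0/1
 ip address 192.0.2.5 255.255.255.252
 crypto map MYMAP
```

Because the loopback address is now the source of ISAKMP and IPSec packets,
the remote peer must list 198.51.100.1 (not the physical interface addresses)
as its peer and must have a route to it; otherwise negotiation fails or the
SA is established against only one physical address and the redundancy is
lost. After applying the configuration, show crypto map lists the interfaces
using the crypto map set so that the binding to both interfaces and to the
local address can be confirmed.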