Crypto Map Mode Commands
14-110 Configuring the VPN
Sample Output
The following output displays when a master key is generated:
XSR(config)#crypto key master generate
New key is 8573 4583 3994 2ff5
183b 4bdf fe92 dbc1
1132 ffe0 f8d9 3759
A script displays when a master key is specified, prompting you for the following information:
XSR(config)#crypto key master specify
Specify first encryption key in hex digits: []: 8573 4583 3994 2ff5
Specify second encryption key in hex digits: []: 183b 4bdf fe92 dbc1
Specify third encryption key in hex digits: []: 1132 ffe0 f9d9 3759
Are you sure? [y]:
Crypto Map Mode Commands
crypto map (Global IPSec)
This command creates or modifies a crypto map entry. It also acquires Crypto Map mode. Along with the setting of a transform-set, this constitutes IPSec Phase 2 configuration.
In Crypto Map mode, the following sub-commands are available:
• match address - Correlates ACLs to map. Refer to page 14-111 for the command definition.
• mode - Selects encapsulation type - tunnel or transport - for a transform-set. Refer to page 14-112 for the command definition.
• set peer - Specifies peer's IP address. Refer to page 14-113 for the command definition.
• set security-association level per-host - Specifies separate SAs be requested for each source/destination host pair. Refer to page 14-114 for the command definition.
• set transform-set - Correlates transform-sets with map. Refer to page 14-114 for the command definition.
Crypto Map
Crypto maps provide two functions: filter and classify traffic to be protected as well as define the policy to be applied to that traffic. The first use affects the flow of traffic on an interface; the second affects the negotiation performed (via IKE) on behalf of that traffic.
IPSec crypto maps link definitions of the following:
• Which traffic should be protected.
• Which IPSec peers the protected traffic can be forwarded to - these are the peers with which a Security Association (SA) can be built.
• Which transform-sets are acceptable for use with the protected traffic.
• How keys and SAs should be used or managed.
Note: A crypto map has no effect until it is attached to an interface.
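An added example, not part of the manual: a short Python audit of the points above, flagging crypto map entries that lack a match address, set peer or set transform-set sub-command, and maps that are never attached to an interface. The sample configuration is constructed, and its layout (an entry opened by "crypto map <name> <seq>", indented sub-commands, "crypto map <name>" under an interface to attach the map) is an assumption rather than captured XSR output.

```python
import re

# Constructed sample config (not from the manual). Assumed layout: an entry opens
# with "crypto map <name> <seq>", sub-commands are indented beneath it, and
# "crypto map <name>" under an interface attaches the map.
SAMPLE_CONFIG = """\
crypto map siteA 10
 match address 120
 set peer 192.0.2.1
 set transform-set esp-set
 mode tunnel
crypto map siteB 20
 set peer 192.0.2.2
 mode tunnel
interface FastEthernet 2
 crypto map siteA
"""

# Sub-commands every entry needs: traffic selector, peer, acceptable transforms.
REQUIRED = ("match address", "set peer", "set transform-set")

def audit_crypto_maps(config):
    """Return {"<name> <seq>": [findings]} for incomplete or unattached entries."""
    entries, attached, current, in_interface = {}, set(), None, False
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():  # top-level command starts a new context
            current, in_interface = None, line.startswith("interface ")
            m = re.match(r"crypto map (\S+) (\d+)$", line)
            if m:
                current = (m.group(1), m.group(2))
                entries.setdefault(current, set())
        elif current:  # sub-command inside a crypto map entry
            entries[current].update(c for c in REQUIRED if line.startswith(c + " "))
        elif in_interface:  # attachment inside an interface block
            m = re.match(r"crypto map (\S+)$", line)
            if m:
                attached.add(m.group(1))
    findings = {}
    for (name, seq), seen in entries.items():
        issues = [f"missing '{c}'" for c in REQUIRED if c not in seen]
        if name not in attached:
            issues.append("not attached to any interface")
        if issues:
            findings[f"{name} {seq}"] = issues
    return findings
```

Run audit_crypto_maps() over an exported configuration; an empty result means every entry is complete and its map is bound to at least one interface.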