Enterasys Networks XSR CLI Router User Manual


 
Crypto Map Mode Commands
XSR CLI Reference Guide 14-111
Crypto Map Rules

A crypto map is a collection of rules, each with a different seq num but the same map name. So, for a given interface, you can have certain traffic forwarded to one IPSec peer with specified security applied to that traffic, and other traffic forwarded to the same or a different IPSec peer with different IPSec security applied. To accomplish this you create two crypto maps, each with the same map name, but each with a different seq num. Crypto map rules are searched in order of seq num. Sequence numbers, in addition to determining the order in which traffic is tested against the rules, are used as an anti-replay device to reject duplicate and old packets and so prevent an intruder from copying a conversation and using it to work out encryption algorithms.

Syntax

crypto map map-name seq-num [ipsec-isakmp]

map-name       Crypto map identification. This is the name assigned when the crypto map was created.
seq-num        32-bit value you assign to the crypto map. Range: 1 to 4096.
ipsec-isakmp   This value provides backward compatibility with the industry-standard CLI. It is not mandatory.

Syntax of the “no” Form

To delete a crypto map entry, use the no form of this command:

no crypto map map-name [seq-num]

Mode

Global configuration: XSR(config)#

Next Mode

Crypto Map configuration: XSR(config-crypto-m)#

Sample Output

The following example creates the crypto map ACMEmap:

XSR(config)#crypto map ACMEmap 7
XSR(config-crypto-m)#set transform-set esp-3des-sha
XSR(config-crypto-m)#match address 120

match address

This command specifies an access control list (ACL) for a crypto map entry. An ACL is applied bidirectionally by IPSec and the XSR considers its “source” as the local address and its “destination” as the remote address, so typically only one match address and ACL is needed to define traffic with a peer.

Syntax

match address [access-list-id]
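To make the seq-num search order and the bidirectional ACL matching concrete, here is an added Python model of a crypto map with two rules; it is not XSR code and not from the manual, and it also reports rules that an earlier rule shadows, which the manual does not cover. The `peer` field, the ACL networks and the peer addresses are constructed for the example; only the map name `ACMEmap`, seq-num 7 and the transform set `esp-3des-sha` come from the sample above.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_network

@dataclass
class AclEntry:
    local_net: str   # ACL "source": IPSec treats it as the local address range
    remote_net: str  # ACL "destination": treated as the remote address range

@dataclass
class CryptoMapEntry:
    map_name: str
    seq_num: int
    acl: list           # AclEntry objects bound to the rule by "match address"
    peer: str           # assumed field: the IPSec peer this rule forwards to
    transform_set: str
    def __post_init__(self):
        if not 1 <= self.seq_num <= 4096:   # range given in the manual
            raise ValueError("seq-num must be between 1 and 4096")

def covered(entry, acl):
    """True if `acl` already matches every packet `entry` can match, in either direction."""
    lo, re = ip_network(entry.local_net), ip_network(entry.remote_net)
    for e in acl:
        el, er = ip_network(e.local_net), ip_network(e.remote_net)
        if (lo.subnet_of(el) and re.subnet_of(er)) or (lo.subnet_of(er) and re.subnet_of(el)):
            return True
    return False

def acl_matches(acl, src, dst):
    """Bidirectional ACL test: local->remote (outbound) or remote->local (inbound)."""
    return covered(AclEntry(src, dst), acl)   # bare host addresses become /32 networks

def select_rule(crypto_map, src, dst):
    """Rules are searched in seq-num order; the first whose ACL matches wins."""
    for rule in sorted(crypto_map, key=lambda r: r.seq_num):
        if acl_matches(rule.acl, src, dst):
            return rule
    return None   # no rule matched: this map does not protect the traffic

def shadowed_rules(crypto_map):
    """seq-nums of rules that can never be reached because an earlier rule covers all their traffic."""
    ordered = sorted(crypto_map, key=lambda r: r.seq_num)
    return [later.seq_num for i, later in enumerate(ordered)
            if any(all(covered(e, earlier.acl) for e in later.acl) for earlier in ordered[:i])]

# Constructed sample: two rules in ACMEmap, same map name, different seq-num (peers are documentation addresses).
ACME_MAP = [
    CryptoMapEntry("ACMEmap", 7, [AclEntry("10.1.1.0/24", "192.168.2.0/24")], "198.51.100.5", "esp-3des-sha"),
    CryptoMapEntry("ACMEmap", 20, [AclEntry("10.1.0.0/16", "0.0.0.0/0")], "203.0.113.9", "esp-3des-sha")]
# The same rules with their seq-nums swapped (7 <-> 20), so the broad rule is searched first.
MISORDERED = [replace(r, seq_num=27 - r.seq_num) for r in ACME_MAP]
```

With the specific rule at the lower seq-num, `shadowed_rules(ACME_MAP)` is empty; with the order swapped, the /24 rule can never be reached because the /16 rule is tested first.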