Specifications

Global Configuration Mode Command Set Command Reference Guide
158 © 2003 ADTRAN, Inc. 61950860L1-35D
Functional Notes
Crypto map entries do not directly contain the transform configuration for securing data. Instead, the crypto map is associated with transform sets which contain specific security algorithms (see crypto ipsec transform-set <setname> <parameters> on page 155).
Crypto map entries do not directly contain the selectors used to determine which data to secure. Instead, the crypto map entry refers to an access control list. An access control list is assigned to the crypto map using the match address command (see match address <listname> on page 277).
If no transform-set or access-list is configured for a crypto map, the entry is incomplete and will have no effect
on the system.
When you apply a crypto map to an interface (using the crypto map command within the interfaces command set), you are applying all crypto map entries with the given map name, processed in order of their map index. This allows you to apply multiple crypto maps if you have created maps which share the same name but have different map index numbers.
Usage Examples
The following example creates a new IPSec IKE crypto map called testMap with a map index of 10:
(config)#crypto map testMap 10 ipsec-ike
(config-crypto-map)#
Technology Review
A crypto map entry is a single policy that describes how certain traffic is to be secured. There are two types of crypto map entries: ipsec-manual and ipsec-ike. Each entry is given an index, which is used to sort the ordered list. When a non-secured packet arrives on an interface, the crypto map set associated with that interface is processed in order. If a crypto map entry matches the non-secured traffic, the traffic is discarded: traffic that the policy says must be protected is never accepted in the clear, so a peer cannot bypass IPSec by simply sending it unencrypted.
When a packet is to be transmitted on an interface, the crypto map set associated with that interface is processed in order. The first crypto map entry that matches the packet will be used to secure the packet. If a suitable SA (security association) exists, that is used for transmission. Otherwise, IKE is used to establish an SA with the peer, unless the crypto map entry is respond only, in which case the packet is discarded rather than triggering a negotiation.
When a secured packet arrives on an interface, its SPI (security parameter index) is used to look up an SA. If
an SA does not exist, or if the packet fails any of the security checks (bad authentication, traffic does not match
SA selectors, etc.), it is discarded. If all checks pass, the packet is forwarded normally.
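The processing rules described in the Functional Notes (an entry with no transform set or access list has no effect; applying a map name applies every entry with that name) and in the Technology Review (ordered evaluation, first match wins, cleartext matching a policy is dropped, SPI lookup and selector checks on inbound) are easiest to see side by side in a small model. The following is an added example written for this page, not ADTRAN code and not how AOS is implemented internally; the map names, addresses, SPIs and the reduction of an access list to (source, destination) network pairs applied mirrored to inbound traffic are all constructed assumptions.

```python
# Toy model of the crypto map processing rules in this guide (constructed example,
# not ADTRAN code). Names, addresses and SPIs are made up; access lists are reduced
# to (source, destination) network pairs and are applied mirrored to inbound traffic.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


def _covers(rules, src: str, dst: str) -> bool:
    """True if any (src_net, dst_net) pair contains the packet's addresses."""
    return any(ip_address(src) in ip_network(s) and ip_address(dst) in ip_network(d)
               for s, d in rules)


@dataclass
class CryptoMapEntry:
    name: str                            # map name, e.g. "testMap"
    index: int                           # map index; the set is processed in ascending order
    acl: Optional[list] = None           # "match address" rules; None = not configured
    transform_set: Optional[str] = None  # None = no transform set configured
    respond_only: bool = False           # entry never initiates IKE

    def complete(self) -> bool:
        # Functional Notes: without both an access list and a transform set the
        # entry is incomplete and has no effect on processing.
        return self.acl is not None and self.transform_set is not None

    def matches(self, src: str, dst: str) -> bool:
        return self.complete() and _covers(self.acl, src, dst)


@dataclass
class SecurityAssociation:
    spi: int           # security parameter index carried in the ESP/AH header
    entry_index: int   # crypto map entry this SA was negotiated for
    selectors: list    # traffic the SA may carry, as (src_net, dst_net) pairs


class Interface:
    def __init__(self, map_name: str, all_entries, sas=()):
        # "crypto map <name>" on an interface applies every entry with that name,
        # whatever order they were configured in, sorted by index.
        self.crypto_map = sorted((e for e in all_entries if e.name == map_name),
                                 key=lambda e: e.index)
        self.sas = {sa.spi: sa for sa in sas}

    def outbound(self, src: str, dst: str) -> str:
        for entry in self.crypto_map:          # first matching entry wins
            if not entry.matches(src, dst):
                continue
            for sa in self.sas.values():       # reuse an existing SA if one fits
                if sa.entry_index == entry.index and _covers(sa.selectors, src, dst):
                    return f"protect with SPI {sa.spi:#x}"
            if entry.respond_only:
                return "discard: no SA and entry is respond-only"
            return f"initiate IKE for entry {entry.index}"
        return "forward in the clear"

    def inbound_unprotected(self, src: str, dst: str) -> str:
        # Cleartext that matches a crypto map entry should have arrived protected;
        # forwarding it would let a peer bypass IPSec simply by not encrypting.
        if any(e.matches(dst, src) for e in self.crypto_map):   # mirrored selectors
            return "discard: policy requires protection"
        return "forward"

    def inbound_protected(self, spi: int, src: str, dst: str, auth_ok: bool) -> str:
        sa = self.sas.get(spi)                 # the SPI selects the SA
        if sa is None:
            return "discard: no SA for SPI"
        if not auth_ok:
            return "discard: authentication failed"
        if not _covers(sa.selectors, dst, src):  # inner packet must fit the SA's selectors
            return "discard: traffic does not match SA selectors"
        return "forward"


def build_example() -> Interface:
    """Constructed configuration: three testMap entries (one incomplete) and one
    entry under a different name that must not be applied to this interface."""
    entries = [
        CryptoMapEntry("testMap", 20, [("10.1.0.0/24", "10.3.0.0/24")], "ts1", respond_only=True),
        CryptoMapEntry("testMap", 10, [("10.1.0.0/24", "10.2.0.0/24")], "ts1"),
        CryptoMapEntry("testMap", 30, [("0.0.0.0/0", "0.0.0.0/0")]),          # no transform set
        CryptoMapEntry("otherMap", 10, [("0.0.0.0/0", "0.0.0.0/0")], "ts1"),  # different map name
    ]
    sa = SecurityAssociation(0x1001, 10, [("10.1.0.0/24", "10.2.0.0/24")])
    return Interface("testMap", entries, [sa])


if __name__ == "__main__":
    eth = build_example()
    print(eth.outbound("10.1.0.5", "10.2.0.7"))                         # protect with SPI 0x1001
    print(eth.outbound("10.1.0.5", "10.3.0.7"))                         # discard: no SA and entry is respond-only
    print(eth.outbound("10.1.0.5", "10.4.0.7"))                         # forward in the clear
    print(eth.inbound_unprotected("10.2.0.7", "10.1.0.5"))              # discard: policy requires protection
    print(eth.inbound_protected(0x1001, "10.2.0.7", "10.1.0.5", True))  # forward
```

The third outbound case is the one to note when troubleshooting: the catch-all entry 30 looks like it should match everything, but because it has no transform set it is incomplete and is skipped, so the packet leaves in the clear. The otherMap entry is ignored for the same reason the Functional Notes give: only entries whose name matches the name applied to the interface are part of that interface's crypto map set.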