About Crypto Map Entries; Sa Establishment Between Peers - HP Cisco MDS 9020 - Fabric Switch Configuration Manual
Cisco mds 9000 family cli configuration guide, release 3.x (ol-16184-01, april 2008)
Hide thumbs
Also See for Cisco MDS 9020 - Fabric Switch:
- Service manual (242 pages) ,
- Configuration manual (1384 pages) ,
- Handbook (141 pages)
Table of Contents
Advertisement
Chapter 35
Configuring IPsec Network Security
S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m
Command
Step 2
switch(config)# crypto transform-set
domain ipsec test esp-3des esp-md5-hmac
switch(config)# no crypto transform-set
domain ipsec test esp-3des esp-md5-hmac
switch(config)# crypto transform-set
domain ipsec test esp-3des
switch(config)# no crypto transform-set
domain ipsec test esp-3des
About Crypto Map Entries
Once you have created the crypto IPv4-ACLs and transform sets, you can create crypto map entries that
combine the various parts of the IPsec SA, including the following:
•
•
•
•
•
•
Crypto map entries with the same crypto map name (but different map sequence numbers) are grouped
into a crypto map set.
When you apply a crypto map set to an interface, the following events occur:
•
•
If a crypto map entry sees outbound IP traffic that requires protection, an SA is negotiated with the
remote peer according to the parameters included in the crypto map entry.
The policy derived from the crypto map entries is used during the negotiation of SAs. If the local switch
initiates the negotiation, it will use the policy specified in the crypto map entries to create the offer to be
sent to the specified IPsec peer. If the IPsec peer initiates the negotiation, the local switch checks the
policy from the crypto map entries and decides whether to accept or reject the peer's request (offer).
For IPsec to succeed between two IPsec peers, both peers' crypto map entries must contain compatible
configuration statements.
SA Establishment Between Peers
When two peers try to establish an SA, they must each have at least one crypto map entry that is
compatible with one of the other peer's crypto map entries.
For two crypto map entries to be compatible, they must at least meet the following criteria:
OL-16184-01, Cisco MDS SAN-OS Release 3.x
The traffic to be protected by IPsec (per the crypto IPv4-ACL). A crypto map set can contain
multiple entries, each with a different IPv4-ACL.
The granularity of the flow to be protected by a set of SAs.
The IPsec-protected traffic destination (who the remote IPsec peer is).
The local address to be used for the IPsec traffic (applying to an interface).
The IPsec security to be applied to this traffic (selecting from a list of one or more transform sets).
Other parameters to define an IPsec SA.
A security policy database (SPD) is created for that interface.
All IP traffic passing through the interface is evaluated against the SPD.
Purpose
Configures a transform set called test specifying the
3DES encryption algorithm and the MD5
authentication algorithm. Refer to
verify the allowed transform combinations.
Deletes the applied transform set.
Configures a transform set called test specifying the
3DES encryption algorithm. In this case, the default
no authentication is performed.
Deletes the applied transform set.
Cisco MDS 9000 Family CLI Configuration Guide
Crypto IPv4-ACLs
Table 35-2
to
35-23
Advertisement
Chapters
Table of Contents
Troubleshooting
