3-24 WS5100 Series Switch Migration Guide
2. After the IKE SA is successfully established, and if the switch is configured for Xauth, the client waits for
a "username/password" challenge and then responds to the switch's challenge.
3. The information entered is checked against the authentication entities (either configured on the
switch or held on a RADIUS server).
4. If the switch indicates that authentication was successful, the client requests further configuration
parameters from the switch. The remaining system parameters (for example, IP address, DNS, and split
tunnel attributes) are pushed to the client at this time using Client Mode Configuration.
5. After the client has received the configuration parameters, IKE quick mode is initiated to negotiate IPsec
SA establishment.
6. Following this, the IPsec SAs are created and the connection is complete.
Once the client-related parameters are configured as a group using mode configuration, that group can be
attached to the crypto map entry that will be assigned to an interface.

3.4.7 Configuring IPSec Security Associations (Crypto Map)

To configure SAs we use the concept of crypto map entries. Crypto map entries created for IPSec pull
together the various parts used to set up IPSec security associations, including:
• A crypto access list, which defines what traffic should be protected and what traffic should not – for
example, an access list can be created to protect traffic between Subnet A and Subnet Y or between Host A
and Host B. The crypto map entry references the specific access list that determines whether
IPSec processing is applied to traffic matching a permit statement in the access list.
• Where IPSec-protected traffic should be sent (who the remote IPSec peer is)
• The local address to be used for the IPSec traffic
• What IPSec security should be applied to this traffic (selecting from a list of one or more transform sets)
• Whether security associations are manually established or are established via IKE
• Other parameters that might be necessary to define an IPSec security association
The policy described in the crypto map entries is used during the negotiation of security associations. For
IPSec to succeed between two IPSec peers, both peers' crypto map entries must contain compatible
configuration statements.
NOTE: You can apply only one crypto map set to a single interface. The crypto map set
can include a combination of IPSec/IKE, and IPSec/manual entries. Multiple interfaces can
share the same crypto map set if you want to apply the same policy to multiple interfaces.

3.4.7.1 Creating Crypto Map Entry for Establishing Manual Security Associations

The use of manual security associations is a result of a prior arrangement between the users of the local
switch and the IPSec peer. If IKE is not used for establishing the security associations, there is no negotiation
of security associations, so the configuration information in both systems must be the same in order for
traffic to be processed successfully by IPSec.

3.4.7.2 Creating Crypto Map Entries that Use IKE to Establish Security Associations

When IKE is used to establish security associations, the IPSec peers can negotiate the settings they will use
for the new security associations. This means that you can specify lists (such as lists of acceptable
transforms) within the crypto map entry.
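The following added example (not from the migration guide, and not WS5100 CLI syntax) models the crypto map entry described in 3.4.7 and checks the two rules stated above: a manual entry must match its peer exactly, an IKE entry can carry a list of acceptable transform sets and agree on one with its peer, and an interface can be bound to only one crypto map set. Addresses, map names and transform-set names are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class CryptoMapEntry:
    """One crypto map entry: the parts the guide lists for an IPsec SA."""
    map_name: str          # crypto map set this entry belongs to
    seq: int               # entry number within the set
    mode: str              # "manual" or "ike" (how the SA is established)
    acl: str               # crypto access list naming the traffic to protect
    peer: str              # remote IPsec peer address
    local_addr: str        # local address used for the IPsec traffic
    transforms: List[str]  # acceptable transform sets, in preference order


def negotiate(local: CryptoMapEntry, remote: CryptoMapEntry) -> Optional[str]:
    """Return the transform set both entries accept, or None if incompatible."""
    if local.mode != remote.mode:
        return None                      # IKE and manual entries cannot pair
    if local.peer != remote.local_addr or remote.peer != local.local_addr:
        return None                      # each side must point at the other
    if local.mode == "manual":
        # No negotiation: both systems must carry the same single transform
        if len(local.transforms) == 1 and local.transforms == remote.transforms:
            return local.transforms[0]
        return None
    # IKE: the first local proposal that the remote also lists is agreed
    return next((t for t in local.transforms if t in remote.transforms), None)


def apply_crypto_map(bindings: Dict[str, str], interface: str, map_name: str) -> Dict[str, str]:
    """Bind a crypto map set to an interface; only one set per interface is allowed."""
    if bindings.get(interface, map_name) != map_name:
        raise ValueError(f"{interface} already has crypto map {bindings[interface]}")
    bindings[interface] = map_name
    return bindings


# Constructed sample entries for a switch (203.0.113.1) and two peers
SWITCH_IKE = CryptoMapEntry("VPNMAP", 10, "ike", "ACL_A_TO_B", "203.0.113.2",
                            "203.0.113.1", ["esp-aes-sha", "esp-3des-sha"])
PEER_IKE = CryptoMapEntry("REMOTE", 10, "ike", "ACL_B_TO_A", "203.0.113.1",
                          "203.0.113.2", ["esp-3des-sha"])
SWITCH_MANUAL = CryptoMapEntry("VPNMAP", 20, "manual", "ACL_A_TO_C", "203.0.113.3",
                               "203.0.113.1", ["esp-aes-sha"])
PEER_MANUAL = CryptoMapEntry("REMOTE", 20, "manual", "ACL_C_TO_A", "203.0.113.1",
                             "203.0.113.3", ["esp-3des-sha"])  # mismatch: SA never forms

if __name__ == "__main__":
    print(negotiate(SWITCH_IKE, PEER_IKE))        # esp-3des-sha
    print(negotiate(SWITCH_MANUAL, PEER_MANUAL))  # None
    ifaces = apply_crypto_map({}, "vlan1", "VPNMAP")
    apply_crypto_map(ifaces, "vlan2", "VPNMAP")   # two interfaces may share one set
```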
