HP ProCurve 7102dl Reference Manual page 354

Secure router sros command line interface

SROS Command Line Interface Reference Guide
Global Configuration Mode Command Set
Usage Examples
The following example creates a new IPSec IKE crypto map called testMap with a map index of 10:
ProCurve(config)#crypto map testMap 10 ipsec-ike
ProCurve(config-crypto-map)#
Technology Review
A crypto map entry is a single policy that describes how certain traffic is to be secured. There are two
types of crypto map entries: ipsec-manual and ipsec-ike. Each entry is given an index, which is used to sort
the ordered list.

When a non-secured packet arrives on an interface, the crypto map set associated with that interface is
processed in order. If a crypto map entry matches the non-secured traffic, the traffic is discarded, because
the policy requires that traffic to arrive secured.

When a packet is to be transmitted on an interface, the crypto map set associated with that interface is
processed in order. The first crypto map entry that matches the packet will be used to secure the packet.
If a suitable SA (security association) exists, that is used for transmission. Otherwise, IKE is used to
establish an SA with the peer. If no SA exists, and the crypto map entry is "respond only", the packet is
discarded.

When a secured packet arrives on an interface, its SPI (security parameter index) is used to look up an SA.
If an SA does not exist, or if the packet fails any of the security checks (bad authentication, traffic does not
match SA selectors, etc.), it is discarded. If all checks pass, the packet is forwarded normally.
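
The three processing paths described above can be modeled as a small decision function. This is an added example, not HP's code or SROS internals. The class and method names are hypothetical, and it assumes selectors are address prefixes written local-to-remote and mirrored for inbound packets, and that outbound traffic matching no entry is forwarded unprotected.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Entry:
    """One crypto map entry; prefix selectors are an assumed match criterion."""
    index: int
    local: str
    remote: str
    respond_only: bool = False

    def matches(self, src, dst, inbound=False):
        # Selectors are written local -> remote and mirrored for inbound packets.
        if inbound:
            src, dst = dst, src
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.local)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.remote))

class CryptoMapSet:
    def __init__(self, entries):
        self.entries = sorted(entries, key=lambda e: e.index)  # index orders the set
        self.out_sa = {}   # entry index -> outbound SPI
        self.in_sa = {}    # inbound SPI -> entry

    def first_match(self, src, dst, inbound=False):
        return next((e for e in self.entries if e.matches(src, dst, inbound)), None)

    def rx_clear(self, src, dst):
        # Cleartext that a policy says must be protected is dropped.
        return "discard" if self.first_match(src, dst, inbound=True) else "forward"

    def tx(self, src, dst):
        e = self.first_match(src, dst)
        if e is None:
            return "forward-clear"          # assumption: no entry, no protection
        if e.index in self.out_sa:
            return f"secure-with-sa:{e.index}"
        return "discard" if e.respond_only else f"ike-negotiate:{e.index}"

    def rx_secured(self, spi, src, dst, auth_ok=True):
        # Unknown SPI, failed authentication or selector mismatch all drop the packet.
        e = self.in_sa.get(spi)
        if e is None or not auth_ok or not e.matches(src, dst, inbound=True):
            return "discard"
        return "forward"

# Constructed sample policy: index 10 initiates IKE, index 20 is respond-only.
demo = CryptoMapSet([Entry(20, "10.1.0.0/16", "10.3.0.0/16", respond_only=True),
                     Entry(10, "10.1.0.0/16", "10.2.0.0/16")])
```

Calling demo.tx("10.1.1.5", "10.3.0.9") before any SA is installed returns "discard", which is the respond-only case from the text.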
5991-2114
© Copyright 2007 Hewlett-Packard Development Company, L.P.
This manual is also suitable for: ProCurve Secure Router 7203dl J8753A
