D-Link DI-1750 Reference Manual page 367


Table 8-1 Select transform for transform set: Allowed Transform Combinations

AH Transform
Transform      Description
ah-md5-hmac    AH with the MD5 (HMAC variant) authentication algorithm
ah-sha-hmac    AH with the SHA (HMAC variant) authentication algorithm

4. Create Crypto Map Entries
Crypto map entries created for IPSec specify the following:
♦ Which traffic should be protected by IPSec (per a crypto access list)
♦ The granularity of the flow to be protected by a set of security associations
♦ The local address to be used for the IPSec traffic
♦ The peer address to be used for the IPSec traffic
♦ What IPSec security should be applied to this traffic (selecting from a list of one or more transform
sets)
♦ Whether security associations are manually established or are established via IKE
♦ Other parameters that might be necessary to define an IPSec security association
Crypto map entries with the same crypto map name (but different map sequence numbers) are
grouped into a crypto map set. Later, you will apply these crypto map sets to interfaces; then, all IP
traffic passing through the interface is evaluated against the applied crypto map set. If a crypto map
entry sees outbound IP traffic that should be protected and the crypto map specifies the use of IKE, a
security association is negotiated with the remote peer according to the parameters included in the
crypto map entry; otherwise, if the crypto map entry specifies the use of manual security associations, a
security association should have already been established via configuration. If the local router initiates
the negotiation, it will use the policy specified in the static crypto map entries to create the offer to be
sent to the specified IPSec peer. If the IPSec peer initiates the negotiation, the local router will check
the policy from the static crypto map entries, as well as any referenced dynamic crypto map entries to
decide whether to accept or reject the peer's request.
For IPSec to succeed between two IPSec peers, both peers' crypto map entries must contain
compatible configuration statements.
When two peers try to establish a security association, they must each have at least one crypto map
entry that is compatible with one of the other peer's crypto map entries. For two crypto map entries to
be compatible, they must at least meet the following criteria:
♦ The crypto map entries must contain compatible crypto access lists.
♦ The crypto map entries must each identify the other peer.
♦ The crypto map entries must have at least one transform set in common.
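The three criteria above can be checked offline before a tunnel is brought up. The following is an added example, not taken from the manual or the router's software: the Entry model, the function names and the sample addresses are hypothetical, and treating "compatible" access lists as exact mirror images is an assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    """One crypto map entry (hypothetical model, not the router's CLI syntax)."""
    seq: int               # map sequence number within the crypto map set
    peer: str              # address of the remote IPSec peer
    acl: frozenset         # crypto access list as (source_net, dest_net) pairs
    transform_sets: tuple  # each transform set is a frozenset of transform names

def mirrored(acl):
    """Swap source and destination of every rule (assumed meaning of 'compatible')."""
    return frozenset((dst, src) for src, dst in acl)

def failures(a, a_addr, b, b_addr):
    """Return which of the three compatibility criteria entries a and b fail."""
    out = []
    if a.acl != mirrored(b.acl):
        out.append("access lists")
    if a.peer != b_addr or b.peer != a_addr:
        out.append("peer identity")
    if not set(a.transform_sets) & set(b.transform_sets):
        out.append("transform set")
    return out

def find_match(set_a, a_addr, set_b, b_addr):
    """Return (seq_a, seq_b) of the first compatible pair, or None.
    Trying entries in sequence-number order is this example's choice."""
    for a in sorted(set_a, key=lambda e: e.seq):
        for b in sorted(set_b, key=lambda e: e.seq):
            if not failures(a, a_addr, b, b_addr):
                return a.seq, b.seq
    return None

# Constructed sample: two routers using documentation address ranges.
A_ADDR, B_ADDR = "192.0.2.1", "198.51.100.1"
TS_ESP = frozenset({"esp-3des", "esp-sha-hmac"})
TS_AH = frozenset({"ah-sha-hmac"})
MAP_A = [Entry(10, B_ADDR, frozenset({("10.1.0.0/16", "10.2.0.0/16")}), (TS_ESP, TS_AH))]
MAP_B = [
    Entry(10, A_ADDR, frozenset({("10.2.0.0/16", "10.9.0.0/16")}), (TS_ESP,)),  # ACL not mirrored
    Entry(20, A_ADDR, frozenset({("10.2.0.0/16", "10.1.0.0/16")}), (TS_AH,)),
]

if __name__ == "__main__":
    print(find_match(MAP_A, A_ADDR, MAP_B, B_ADDR))       # compatible pair of sequence numbers
    print(failures(MAP_A[0], A_ADDR, MAP_B[0], B_ADDR))  # why A's entry 10 and B's entry 10 fail
```

Running failures() on a pair that will not negotiate names the criterion to fix on one side or the other.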
8.4.5 How Many Crypto Maps Should You Create
You can apply only one crypto map set to a single interface. The crypto map set can include a
combination of IPSec/IKE and IPSec/manual entries. Multiple interfaces can share the same crypto
map set if you want to apply the same policy to multiple interfaces.

Table 8-1 (continued)

ESP Encryption Transform
Transform      Description
esp-des        ESP with the DES encryption algorithm
esp-3des       ESP with the 3DES encryption algorithm

ESP Authentication Transform
Transform      Description
esp-md5-hmac   ESP with the MD5 (HMAC variant) authentication algorithm
esp-sha-hmac   ESP with the SHA (HMAC variant) authentication algorithm
