Cisco MDS 9000 Series Configuration Manual page 209

Configuring IPSec Network Security
Step 5
switch(config)# no crypto transform-set domain ipsec test esp-3des
(Optional) Deletes the applied transform set.
About Crypto Map Entries
Once you have created the crypto IPv4-ACLs and transform sets, you can create crypto map entries that
combine the various parts of the IPsec SA, including the following:
• The traffic to be protected by IPsec (per the crypto IPv4-ACL). A crypto map set can contain multiple
• The granularity of the flow to be protected by a set of SAs.
• The IPsec-protected traffic destination (who the remote IPsec peer is).
• The local address to be used for the IPsec traffic (applying to an interface).
• The IPsec security to be applied to this traffic (selecting from a list of one or more transform sets).
• Other parameters to define an IPsec SA.
Crypto map entries with the same crypto map name (but different map sequence numbers) are grouped into
a crypto map set.
When you apply a crypto map set to an interface, the following events occur:
• A security policy database (SPD) is created for that interface.
• All IP traffic passing through the interface is evaluated against the SPD.
If a crypto map entry sees outbound IP traffic that requires protection, an SA is negotiated with the remote
peer according to the parameters included in the crypto map entry.
The policy derived from the crypto map entries is used during the negotiation of SAs. If the local switch
initiates the negotiation, it will use the policy specified in the crypto map entries to create the offer to be sent
to the specified IPsec peer. If the IPsec peer initiates the negotiation, the local switch checks the policy from
the crypto map entries and decides whether to accept or reject the peer's request (offer).
For IPsec to succeed between two IPsec peers, both peers' crypto map entries must contain compatible
configuration statements.
SA Establishment Between Peers
When two peers try to establish an SA, they must each have at least one crypto map entry that is compatible
with one of the other peer's crypto map entries.
For two crypto map entries to be compatible, they must at least meet the following criteria:
• The crypto map entries must contain compatible crypto IPv4-ACLs (for example, mirror image
• The crypto map entries must each identify the other peer or must have auto peer configured.
• If you create more than one crypto map entry for a given interface, use the seq-num of each map entry
• The crypto map entries must have at least one transform set in common, where IKE negotiations are
entries, each with a different IPv4-ACL.
IPv4-ACLs). If the responding peer entry is in the local crypto, the IPv4-ACL must be permitted by the
peer's crypto IPv4-ACL.
to rank the map entries: the lower the seq-num, the higher the priority. At the interface that has the crypto
map set, traffic is evaluated against higher priority map entries first.
carried out and SAs are established. During the IPsec SA negotiation, the peers agree to use a particular
transform set when protecting a particular data flow.
Cisco MDS 9000 Series Security Configuration Guide, Release 8.x
About Crypto Map Entries
191