Configuring IPsec Network Security
Send documentation comments to mds-feedback-doc@cisco.com
The permit any statement causes all outbound traffic to be protected (and all protected traffic to be sent to the
peer specified in the corresponding crypto map entry) and requires protection for all inbound traffic.
All inbound packets that lack IPsec protection are then silently dropped, including packets for routing
protocols, NTP, echo, echo response, and so forth.
Be sure to define exactly which packets to protect. If you must use the any keyword in a permit statement,
preface that statement with a series of deny statements that filter out any traffic (traffic that would otherwise
fall within that permit statement) that you do not want to be protected.
Creating Crypto IPv4-ACLs
To create IPv4-ACLs, follow these steps:
Step 1  switch# config terminal
        Enters configuration mode.
Step 2  switch(config)# ip access-list List1 permit ip 10.1.1.100 0.0.0.255 18.104.22.168 0.0.0.255
        Permits all IP traffic from and to the specified
Note: The show ip access-list command does not display the crypto map entries. Use the show crypto map
command to display the associated entries.
Add permit and deny statements as appropriate (see Chapter 33, "Configuring IPv4 and IPv6 Access
Lists"). Each permit and deny specifies conditions to determine which IP packets must be
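The deny-before-permit-any rule and the crypto ACL entry above, as an added Python model of how a crypto IPv4-ACL is evaluated (first match wins, Cisco wildcard masks, permit = must be IPsec-protected, deny = sent in the clear); this is example code written here, not Cisco software, and the ACL lines, port numbers and addresses other than the guide's own entry are constructed for illustration.

```python
import ipaddress

PROTOS = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17}  # "ip" matches any protocol

def _addr(tokens):
    """Consume 'any', 'host A', or 'A WILDCARD'; returns (base, wildcard, rest).
    A set bit in a Cisco wildcard mask means 'do not care'."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0, tokens[2:]
    return (int(ipaddress.IPv4Address(tokens[0])),
            int(ipaddress.IPv4Address(tokens[1])), tokens[2:])

def parse_entry(line):
    """Parse '<permit|deny> <proto> <src> <dst> [eq <port>]'."""
    action, proto, *rest = line.split()
    src, src_wc, rest = _addr(rest)
    dst, dst_wc, rest = _addr(rest)
    port = int(rest[1]) if rest[:1] == ["eq"] else None
    return {"action": action, "proto": PROTOS[proto],
            "src": (src, src_wc), "dst": (dst, dst_wc), "dport": port}

def _match(addr, spec):
    base, wildcard = spec
    # Forcing the don't-care bits to 1 on both sides compares only the fixed bits.
    return (int(ipaddress.IPv4Address(addr)) | wildcard) == (base | wildcard)

def crypto_acl_decision(acl_lines, proto, src, dst, dport=None):
    """First-match crypto ACL evaluation: 'permit' means the flow must be
    IPsec-protected; 'deny' (or the implicit deny) means it travels in the clear."""
    for e in map(parse_entry, acl_lines):
        if e["proto"] is not None and e["proto"] != proto:
            continue
        if not (_match(src, e["src"]) and _match(dst, e["dst"])):
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        return "protect" if e["action"] == "permit" else "clear"
    return "clear"

# Constructed ACLs (not from the guide). A bare permit any forces NTP (UDP/123) and
# ICMP echo into IPsec, so unprotected replies are dropped; denies placed first exempt them.
BARE_PERMIT_ANY = ["permit ip any any"]
DENY_BEFORE_PERMIT_ANY = ["deny udp any any eq 123",  # NTP
                          "deny icmp any any",        # echo / echo response
                          "permit ip any any"]
GUIDE_ENTRY = ["permit ip 10.1.1.100 0.0.0.255 18.104.22.168 0.0.0.255"]
```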
About Transform Sets in IPsec
A transform set represents a certain combination of security protocols and algorithms. During the IPsec
security association negotiation, the peers agree to use a particular transform set for protecting a
particular data flow.
You can specify multiple transform sets, and then specify one or more of these transform sets in a crypto
map entry. The transform set defined in the crypto map entry is used in the IPsec security association
negotiation to protect the data flows specified by that crypto map entry's access list.
During IPsec security association negotiations with IKE, the peers search for a transform set that is the
same at both peers. When such a transform set is found, it is selected and applied to the protected traffic
as part of both peers' IPsec security associations.
If you change a transform set definition, the change is only applied to crypto map entries that reference
the transform set. The change is not applied to existing security associations, but used in subsequent
negotiations to establish new security associations. If you want the new settings to take effect sooner,
you can clear all or part of the security association database.
When you enable IPsec, the Cisco SAN-OS software automatically creates a default transform set
(ipsec_default_tranform_set) using AES-128 encryption and SHA-1 authentication algorithms.
OL-16184-01, Cisco MDS SAN-OS Release 3.x
Lists,"). Each permit and deny specifies conditions to determine which IP packets must be
Enters configuration mode.
Permits all IP traffic from and to the specified
Chapter 33, "Configuring IPv4 and IPv6 Access
Cisco MDS 9000 Family CLI Configuration Guide