About Crypto Map Entries; Sa Establishment Between Peers - HP Cisco MDS 9216 - Fabric Switch Configuration Manual

Crypto IPv4-ACLs
S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m

About Crypto Map Entries

Once you have created the crypto IPv4-ACLs and transform sets, you can create crypto map entries that
combine the various parts of the IPsec SA, including the following:
•
•
•
•
•
•
Crypto map entries with the same crypto map name (but different map sequence numbers) are grouped
into a crypto map set.
When you apply a crypto map set to an interface, the following events occur:
•
•
If a crypto map entry sees outbound IP traffic that requires protection, an SA is negotiated with the
remote peer according to the parameters included in the crypto map entry.
The policy derived from the crypto map entries is used during the negotiation of SAs. If the local switch
initiates the negotiation, it will use the policy specified in the crypto map entries to create the offer to be
sent to the specified IPsec peer. If the IPsec peer initiates the negotiation, the local switch checks the
policy from the crypto map entries and decides whether to accept or reject the peer's request (offer).
For IPsec to succeed between two IPsec peers, both peers' crypto map entries must contain compatible
configuration statements.

SA Establishment Between Peers

When two peers try to establish an SA, they must each have at least one crypto map entry that is
compatible with one of the other peer's crypto map entries.
For two crypto map entries to be compatible, they must at least meet the following criteria:
•
•
•
•
When a packet matches a permit entry in a particular IPv4-ACL, the corresponding crypto map entry is
tagged, and the connections are established.
Cisco MDS 9000 Family CLI Configuration Guide
44-28
The traffic to be protected by IPsec (per the crypto IPv4-ACL). A crypto map set can contain
multiple entries, each with a different IPv4-ACL.
The granularity of the flow to be protected by a set of SAs.
The IPsec-protected traffic destination (who the remote IPsec peer is).
The local address to be used for the IPsec traffic (applying to an interface).
The IPsec security to be applied to this traffic (selecting from a list of one or more transform sets).
Other parameters to define an IPsec SA.
A security policy database (SPD) is created for that interface.
All IP traffic passing through the interface is evaluated against the SPD.
The crypto map entries must contain compatible crypto IPv4-ACLs (for example, mirror image
IPv4-ACLs). If the responding peer entry is in the local crypto, the IPv4-ACL must be permitted by
the peer's crypto IPv4-ACL.
The crypto map entries must each identify the other peer or must have auto peer configured.
If you create more than one crypto map entry for a given interface, use the
entry to rank the map entries: the lower the
the crypto map set, traffic is evaluated against higher priority map entries first.
The crypto map entries must have at least one transform set in common, where IKE negotiations are
carried out and SAs are established. During the IPsec SA negotiation, the peers agree to use a
particular transform set when protecting a particular data flow.
Chapter 44 Configuring IPsec Network Security
, the higher the priority. At the interface that has
seq-num
OL-16184-01, Cisco MDS SAN-OS Release 3.x
of each map
seq-num