ADTRAN AOS Version R10.1.0 Command Reference Manual page 929

Adtran operating system (aos)

Command Reference Guide
Global Configuration Mode Command Set
Usage Examples
The following example creates a new IPSec IKE crypto map called testMap with a map index of 10:
(config)#crypto map testMap 10 ipsec-ike
(config-crypto-map)#
Technology Review
A crypto map entry is a single policy that describes how certain traffic is to be secured. There are two types of crypto map entries: ipsec-manual and ipsec-ike. Each entry is given an index that is used to sort the ordered list. When a nonsecured packet arrives on an interface, the crypto map set associated with that interface is processed in order. If a crypto map entry matches the nonsecured traffic, the traffic is discarded.

When a packet is to be transmitted on an interface, the crypto map set associated with that interface is processed in order. The first crypto map entry that matches the packet will be used to secure the packet. If a suitable security association (SA) exists, it is used for transmission. Otherwise, IKE is used to establish an SA with the peer. If no SA exists, and the crypto map entry is "respond only," the packet is discarded.

When a secured packet arrives on an interface, its security parameter index (SPI) is used to look up an SA. If an SA does not exist, or if the packet fails any of the security checks (bad authentication, traffic does not match SA selectors, etc.), it is discarded. If all checks pass, the packet is forwarded normally.
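
The three cases described above, modeled as an added Python example (not ADTRAN code or AOS internals). The `Entry` fields, function names, return strings and sample networks are assumptions made for illustration, as is mirroring the selector for inbound checks.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Entry:
    """One crypto map entry in this model; field names are illustrative."""
    index: int
    local: str                 # selector: protected local network
    remote: str                # selector: protected remote network
    respond_only: bool = False

    def matches(self, src, dst, inbound=False):
        if inbound:            # assumption: inbound checks mirror the selector
            src, dst = dst, src
        return (ip_address(src) in ip_network(self.local)
                and ip_address(dst) in ip_network(self.remote))

def first_match(cmap, src, dst, inbound=False):
    """Process the crypto map set in index order; return the first match."""
    for entry in sorted(cmap, key=lambda e: e.index):
        if entry.matches(src, dst, inbound):
            return entry
    return None

def rx_clear(cmap, src, dst):
    """Nonsecured packet arrives: a matching entry means it is discarded."""
    return "discard" if first_match(cmap, src, dst, inbound=True) else "no-match"

def tx(cmap, out_sas, src, dst):
    """Packet to transmit; out_sas is the set of entry indexes that have an SA."""
    entry = first_match(cmap, src, dst)
    if entry is None:
        return "no-match"      # case not described in the text above
    if entry.index in out_sas:
        return f"secure-with-sa:{entry.index}"
    return "discard" if entry.respond_only else f"ike-negotiate:{entry.index}"

def rx_secured(in_sas, spi, auth_ok, src, dst):
    """Secured packet arrives; in_sas maps SPI -> Entry that owns the SA."""
    entry = in_sas.get(spi)
    if entry is None or not auth_ok or not entry.matches(src, dst, inbound=True):
        return "discard"
    return "forward"

# Constructed sample policy (RFC 1918 addresses), deliberately listed out of order.
CMAP = [Entry(20, "10.0.0.0/8", "172.16.0.0/12"),
        Entry(10, "10.1.0.0/16", "172.16.5.0/24", respond_only=True)]
print(tx(CMAP, set(), "10.1.2.3", "172.16.5.9"))   # respond-only entry 10, no SA
```

Because the set is walked in index order, the narrower respond-only entry 10 wins over entry 20 for 10.1.0.0/16 traffic, which is why index assignment matters when selectors overlap.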
60000CRG0-35E
Copyright © 2012 ADTRAN, Inc.
