
Cisco Packet Data Serving Node (PDSN) Release 2.0
Resource Management
12.3(11)T
The policy described in the crypto map entries is used during the negotiation of security associations. For
IPSec to succeed between two IPSec peers, both peers' crypto map entries must contain compatible
configuration statements.
Only one crypto map set can be applied to a single interface; multiple interfaces can share the same crypto map
set.
Multiple crypto map entries can be created for an interface; the sequence number of each map entry is used
to rank the map entries.
Multiple crypto map entries must be created for a given interface if different data flows are handled by
separate IPSec peers. If different IPSec security is required for different types of traffic, create a separate
access list for each type of traffic, and create a separate crypto map entry for each access list.
The following configuration example illustrates the minimum requirements for crypto map
entries that use IKE.
Router(config)# access-list mobile-example permit ip 10.0.0.0 0.0.0.255
Router(config)# crypto ipsec transform-set mobile-set1 esp-3des
Router(config)# crypto map map-mobile-example 10 ipsec-isakmp
Router(config-crypto-map)# match address mobile-example
Router(config-crypto-map)# set transform-set mobile-set1
Router(config-crypto-map)# set peer 10.0.0.34
Router(config)# interface FastEthernet0/1
Router(config-if)# ip address 10.0.0.32
Router(config-if)# crypto map map-mobile-example
Cisco employs two additional mechanisms to define crypto maps:
Dynamic crypto maps: these are crypto maps with few fields that relate to policy. They are only
suitable for applications that do not need to initiate IKE, but only respond to IKE.
IPSec profiles: a mechanism that converts a crypto map into a template that can be used to
dynamically set up an identical policy.
Router(config)# access-list mobile-example permit ip 10.0.0.0 0.0.0.255
Router(config)# crypto ipsec transform-set mobile-set1 esp-3des
Router(config)# crypto map map-mobile-example 10 ipsec-isakmp profile example-profile
Router(config-crypto-map)# match address mobile-example
Router(config-crypto-map)# set transform-set mobile-set1
Router(config-crypto-map)# set peer 10.0.0.34
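As an added example (not code from the Cisco manual), the following Python script parses an IOS-style crypto map configuration and flags entries that violate the requirements stated above: a missing or undefined match address or transform set, and a missing peer, which only a dynamic crypto map may omit. The sample configuration it checks is constructed for this example, and crypto map sub-mode lines are assumed to be indented as in a running-config.

```python
# Constructed sample (not from the page): entry 10 is complete; entry 20 names an
# undefined access list and has no peer, so it can never bring up a tunnel.
SAMPLE_CONFIG = """\
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
crypto ipsec transform-set mobile-set1 esp-3des
crypto map map-mobile-example 10 ipsec-isakmp
 match address 101
 set transform-set mobile-set1
 set peer 10.0.0.34
crypto map map-mobile-example 20 ipsec-isakmp
 match address 102
 set transform-set mobile-set1
"""

def parse_crypto_config(text):
    # Returns (acl ids, transform-set names, {(map name, seq): entry dict})
    acls, tsets, entries, cur = set(), set(), {}, None
    for raw in text.splitlines():
        w = raw.split()
        if not w or w[0] == "!":
            continue
        if not raw[0].isspace():  # top-level command: leaves any crypto map sub-mode
            cur = None
            if w[0] == "access-list":
                acls.add(w[1])
            elif w[:3] == ["crypto", "ipsec", "transform-set"]:
                tsets.add(w[3])
            elif w[:2] == ["crypto", "map"] and len(w) >= 4:
                cur = entries[(w[2], int(w[3]))] = {"peers": []}
        elif cur is None:
            continue
        elif w[:2] == ["match", "address"]:
            cur["acl"] = w[2]
        elif w[:2] == ["set", "transform-set"]:
            cur["tset"] = w[2]
        elif w[:2] == ["set", "peer"]:
            cur["peers"].append(w[2])
    return acls, tsets, entries

def check_crypto_config(text):
    # Problems to fix before applying the map; an empty list means every entry is complete
    acls, tsets, entries = parse_crypto_config(text)
    problems = []
    for (name, seq), e in sorted(entries.items()):
        tag = f"crypto map {name} {seq}"
        if e.get("acl") not in acls:
            problems.append(f"{tag}: match address {e.get('acl')} missing or undefined")
        if e.get("tset") not in tsets:
            problems.append(f"{tag}: transform set {e.get('tset')} missing or undefined")
        if not e["peers"]:
            problems.append(f"{tag}: no set peer (only a dynamic map may omit it)")
    return problems
```

Calling `check_crypto_config(SAMPLE_CONFIG)` reports the two defects in entry 20 and nothing for entry 10.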
The following example illustrates the minimum crypto configuration for IS835-based IPSec:
Router(config)# crypto isakmp policy 1
Router(config-isakmp)# hash md5
Router(config-isakmp)# authentication pre-share
Router(config)# crypto isakmp key <cisco> address <peer ip address, e.g. 7.0.0.10>
Router(config)# crypto ipsec transform-set testtrans esp-3des
Router(config)# crypto ipsec profile testprof
Router(ipsec-profile)# description new cli
Router(ipsec-profile)# set transform-set testtrans