Command Reference Guide

SROS Command Line Interface Reference Guide Crypto Map Manual Command Set
5991-2114 © Copyright 2005 Hewlett-Packard Development Company, L.P. 413
Step 5:
Create crypto map and define manual keys. A Crypto Map is used to define a set of encryption schemes to
be used for a given interface. A crypto map entry has a unique index within the crypto map set. The crypto
map entry will specify whether IKE is used to generate encryption keys or if manually specified keys will be
used. The crypto map entry will also specify who will be terminating the VPN tunnel, as well as which
transform-set or sets will be used to encrypt and/or authenticate the traffic on that VPN tunnel. It also
specifies the lifetime of all created IPSec Security Associations.
The keys for the algorithms defined in the transform-set associated with the crypto map are defined by
using the set session-key command. Separate keys are needed for inbound and outbound traffic.
The key format consists of a string of hexadecimal values, one for each character, without the leading 0x.
For example, a cipher key of "this is my cipher key" would be entered as:
74686973206973206D7920636970686572206B6579.
A unique Security Parameter Index (SPI) is needed for both inbound and outbound traffic. The local
system's inbound SPI and keys will be the peer's outbound SPI and keys. The local system's outbound
SPI and keys will be the peer's inbound SPI and keys. In this example the following keys and SPIs are
used:
Inbound cipher SPI: 300
Inbound cipher key: "2te$#g89jnr(j!@4rvnfhg5e"
Outbound cipher SPI: 400
Outbound cipher key: "8564hgjelrign*&(gnb#1$d3"
Inbound authenticator key: "r5%^ughembkdhj34$x.<"
Outbound authenticator key: "io78*7gner#4(mgnsd!3"
(config)#crypto map corporate_vpn 1 ipsec-manual
(config-crypto-map)#match address corporate_traffic
(config-crypto-map)#set peer 63.105.15.129
(config-crypto-map)#set transform-set highly_secure
(config-crypto-map)#set session-key inbound esp 300 cipher 32746524236738396A6E72286A21403472766E6668673565 authenticator 7235255E756768656D626B64686A333424782E3C
(config-crypto-map)#set session-key outbound esp 400 cipher 3835363468676A656C7269676E2A2628676E622331246433 authenticator 696F37382A37676E65722334286D676E73642133
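The key encoding and the inbound/outbound mirroring described in Step 5, as an added Python example that is not part of the original guide: it hex-encodes keys, checks them against the 24-byte cipher and 20-byte authenticator lengths of this step's sample keys, and builds the set session-key lines for both the local system and the peer. All function names are hypothetical, and random_sa, which draws keys from the OS random generator instead of typed ASCII, goes beyond what the guide shows.

```python
import secrets

# Lengths taken from the sample keys in Step 5: 24-byte cipher, 20-byte authenticator.
CIPHER_LEN, AUTH_LEN = 24, 20

def to_hex(key):
    """Encode a key (ASCII str or bytes) as the CLI expects: hex digits, no 0x."""
    raw = key.encode("ascii") if isinstance(key, str) else bytes(key)
    return raw.hex().upper()

def session_key_line(direction, spi, cipher, auth):
    """Build one 'set session-key' line, rejecting keys of the wrong length."""
    if direction not in ("inbound", "outbound"):
        raise ValueError("direction must be inbound or outbound")
    cipher_hex, auth_hex = to_hex(cipher), to_hex(auth)
    for name, hexstr, want in (("cipher", cipher_hex, CIPHER_LEN),
                               ("authenticator", auth_hex, AUTH_LEN)):
        if len(hexstr) != 2 * want:
            raise ValueError(f"{name} key is {len(hexstr) // 2} bytes, expected {want}")
    return (f"set session-key {direction} esp {spi} "
            f"cipher {cipher_hex} authenticator {auth_hex}")

def mirrored_config(sa_in, sa_out):
    """sa_in/sa_out are (spi, cipher, auth) from the local system's point of view.
    Returns (local_lines, peer_lines); the peer uses the same SPIs and keys
    with the directions swapped, as Step 5 describes."""
    local = [session_key_line("inbound", *sa_in), session_key_line("outbound", *sa_out)]
    peer = [session_key_line("inbound", *sa_out), session_key_line("outbound", *sa_in)]
    return local, peer

def random_sa(spi):
    """Assumption beyond the guide: draw both keys from the OS CSPRNG."""
    return (spi, secrets.token_bytes(CIPHER_LEN), secrets.token_bytes(AUTH_LEN))

# Sample values copied from Step 5 of the guide.
PAGE_IN = (300, "2te$#g89jnr(j!@4rvnfhg5e", "r5%^ughembkdhj34$x.<")
PAGE_OUT = (400, "8564hgjelrign*&(gnb#1$d3", "io78*7gner#4(mgnsd!3")

if __name__ == "__main__":
    for side, lines in zip(("local", "peer"), mirrored_config(PAGE_IN, PAGE_OUT)):
        print(f"--- {side} system ---")
        for line in lines:
            print("(config-crypto-map)#" + line)
```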
Step 6:
Configure public interface. This process includes configuring the IP address for the interface and applying
the appropriate crypto map to the interface. Crypto maps are applied to the interface on which encrypted
traffic will be transmitted.
(config)#interface ppp 1
(config-ppp 1)#ip address 63.97.45.57 255.255.255.248
(config-ppp 1)#crypto map corporate_vpn
(config-ppp 1)#no shutdown
Step 7:
Configure private interface to allow all traffic destined for the VPN tunnel to be routed to the appropriate