Crypto Map Parameters

[Figure: two sites (each labelled "Site 1" in the slide) connected across the Internet; the encrypted traffic leaves through the router interface or subinterface to which the crypto map is applied.]

Crypto maps define the following:

• The access list to be used

• Remote VPN peers

• Transform set to be used

• Key management method

• Security association lifetimes

You can apply only one crypto map set to a single interface. The crypto map set can include a combination of Cisco Encryption Technology (CET) and IPSec using IKE. Multiple interfaces can share the same crypto map set if you want to apply the same policy to each of them. If you create more than one crypto map entry for a given interface, the sequence number (seq-num) of each map entry ranks the entries: the lower the seq-num, the higher the priority. At the interface that has the crypto map set, outbound traffic is evaluated against the higher-priority map entries first, and the first entry whose crypto ACL permits the traffic determines the peer, transform set, and lifetimes used for it.

You must create multiple crypto map entries for a given interface if any of these conditions exist:

■ Different data flows are to be handled by separate IPSec peers.

■ You want to apply different IPSec security to different types of traffic (to the same or separate IPSec peers); for example, you want traffic between one set of subnets to be authenticated only, and traffic between another set of subnets to be both authenticated and encrypted. In this case, define the two types of traffic in two separate crypto ACLs and create a separate crypto map entry for each crypto ACL.

■ You are not using IKE to establish a particular set of security associations, and you want to specify multiple ACL entries. Manually keyed entries support only one permit statement per ACL, so you must create separate ACLs (one per permit entry) and a separate crypto map entry for each ACL.
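The following Cisco IOS configuration is an added example, not part of the original page, that puts the second condition above into practice: one crypto map set (VPN-MAP) with two entries, each with its own crypto ACL, peer, and transform set, applied to a single outside interface. All names, addresses, and the pre-shared-key placeholder are assumptions chosen for illustration (RFC 5737 documentation addresses for the Internet side, RFC 1918 addresses for the sites).

```cisco
! --- Added example; names and addresses are constructed, not from the page ---

! IKE (ISAKMP) policy: the key management method shared by both map entries
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
! One pre-shared key per remote peer (replace the placeholder before use)
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.2
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.3

! Transform sets: AUTH-ONLY gives integrity/authentication with no encryption
! (esp-sha-hmac alone); AUTH-ENCRYPT adds AES-256 confidentiality.
crypto ipsec transform-set AUTH-ONLY esp-sha-hmac
 mode tunnel
crypto ipsec transform-set AUTH-ENCRYPT esp-aes 256 esp-sha-hmac
 mode tunnel

! Crypto ACLs: one per map entry. Each permit line selects traffic to protect.
ip access-list extended CRYPTO-ACL-10
 permit ip 10.1.1.0 0.0.0.255 10.2.1.0 0.0.0.255
ip access-list extended CRYPTO-ACL-20
 permit ip 10.1.2.0 0.0.0.255 10.3.2.0 0.0.0.255

! Crypto map set VPN-MAP. seq-num 10 is evaluated before seq-num 20.
crypto map VPN-MAP 10 ipsec-isakmp
 description Authenticate only: 10.1.1.0/24 <-> 10.2.1.0/24 via peer 203.0.113.2
 set peer 203.0.113.2
 set transform-set AUTH-ONLY
 set security-association lifetime seconds 3600
 match address CRYPTO-ACL-10
crypto map VPN-MAP 20 ipsec-isakmp
 description Authenticate and encrypt: 10.1.2.0/24 <-> 10.3.2.0/24 via peer 203.0.113.3
 set peer 203.0.113.3
 set transform-set AUTH-ENCRYPT
 set security-association lifetime seconds 3600
 match address CRYPTO-ACL-20

! Only one crypto map set may be applied to an interface.
interface GigabitEthernet0/0
 description Outside (Internet)
 ip address 203.0.113.1 255.255.255.0
 crypto map VPN-MAP
```

Two checks are worth running after applying this: `show crypto map` confirms the entry order, peers, and ACLs that the router will evaluate, and `show crypto ipsec sa` shows which entry a given flow actually negotiated and the remaining lifetime of its SAs. Keep the crypto ACLs free of overlapping permit statements across entries; because the lowest seq-num wins, an overly broad ACL on entry 10 would silently claim traffic intended for entry 20 and send it with the weaker AUTH-ONLY transform set. If you add a manually keyed entry instead (`crypto map VPN-MAP 30 ipsec-manual`), remember the third condition above: its ACL may contain only a single permit statement.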
