Step 5 Apply the Crypto Map to the Interface

After the crypto map is successfully configured, it must be applied to an interface to be operational. Remember that the crypto map is a collection of the IP address of the remote peer, the interesting traffic that will flow through the IPsec tunnel, and the IPsec security parameters (transform set) that will be used to protect the data. Figure 13-8 shows the application of the crypto map to an interface.

Figure 13-8 IPsec Interface Configuration

[Figure: the remote office router (Router A in the text) and the central office router (Router B) connected across the Internet; the subnet labels in the figure read 192.168.102.0/24 beside the remote office and 192.168.101.0/24 beside the central office. The configuration shown in the figure is reproduced below.]

Remote office router (serial 2/1 faces the central office):

    crypto map to-central 10 ipsec-isakmp
     set peer 10.1.3.2
     match address 170
     set transform-set set-70
    !
    interface serial 2/1
     ip address 172.16.1.2 255.255.255.0
     crypto map to-central
    !
    ip route 192.168.101.0 255.255.255.0 10.1.3.2

Central office router (serial 3/2 faces the remote office):

    crypto map to-remote 10 ipsec-isakmp
     set peer 172.16.1.2
     match address 155
     set transform-set set-55
    !
    interface serial 3/2
     ip address 10.1.3.2 255.255.255.0
     crypto map to-remote
    !
    ip route 192.168.1.0 255.255.255.0 172.16.1.2

In Figure 13-8, the crypto map commands of both routers are shown so that two items can be compared. Notice that the command crypto map is used both globally to create the map and locally on the interface to apply it. It is important to note that the name used to create the map must be the same name used when the map is applied to the interface. The remote office applies the crypto map to-central to its serial interface, while the central office applies the crypto map to-remote to the serial interface that connects to the remote office. Crypto maps are typically applied to outbound interfaces, and the IP address on that interface becomes the source address of the IPsec VPN.

One other necessary configuration on each side is a manual addition to the routing table. From the remote office, the intent is that all devices on the 192.168.1.0/24 subnet communicate across the IPsec VPN to the 192.168.101.0/24 devices. However, Router A knows nothing about the 192.168.101.0/24 subnet, because that subnet is not being advertised to the Internet from the central office. So a static route is added to each router to detail where the remote subnet is located.

For the remote office, subnet 192.168.101.0/24 can be found at gateway 10.1.3.2. A similar configuration is seen on Router B to reach the remote office.
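Two things in this step go wrong in practice: the name given on the interface does not match the name used in the global crypto map command (so the map is never bound and no tunnel forms), and the static route for the far-side subnet is missing. The following Python script is an added example, not from the book or from Cisco, that parses a minimal running-config excerpt and reports both problems. The two configs embedded in it are constructed from Figure 13-8; the parser only understands the handful of IOS commands shown in this chapter (crypto map, set peer, match address, set transform-set, interface, ip address, ip route) and treats any other line as irrelevant, which is an assumption made for this example.

```python
import re
from typing import Dict, List, Tuple

# Constructed from Figure 13-8: the remote office router as it would appear in
# "show running-config" (ACL 170 and the ISAKMP policy are omitted on purpose).
REMOTE_OFFICE_CONFIG = """
crypto map to-central 10 ipsec-isakmp
 set peer 10.1.3.2
 match address 170
 set transform-set set-70
!
interface serial 2/1
 ip address 172.16.1.2 255.255.255.0
 crypto map to-central
!
ip route 192.168.101.0 255.255.255.0 10.1.3.2
"""

# Constructed from Figure 13-8: the central office router.
CENTRAL_OFFICE_CONFIG = """
crypto map to-remote 10 ipsec-isakmp
 set peer 172.16.1.2
 match address 155
 set transform-set set-55
!
interface serial 3/2
 ip address 10.1.3.2 255.255.255.0
 crypto map to-remote
!
ip route 192.168.1.0 255.255.255.0 172.16.1.2
"""

# Constructed failure case: the name typed on the interface does not match the
# global crypto map name (only the indented interface line is changed).
MISTYPED_CONFIG = REMOTE_OFFICE_CONFIG.replace(" crypto map to-central", " crypto map to-centrl")


def parse_ios(config: str) -> dict:
    """Extract the global crypto maps, the per-interface bindings and the static routes."""
    maps: Dict[str, dict] = {}          # map name -> peer / acl / transform-set
    interfaces: Dict[str, dict] = {}    # interface name -> ip / crypto_map
    routes: List[Tuple[str, str, str]] = []  # (network, mask, next hop)
    current = None                      # ("map", name) or ("if", name) for indented lines
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            continue
        tokens = line.split()
        if not line.startswith(" "):          # top-level command: starts a new section
            current = None
            if tokens[:2] == ["crypto", "map"] and len(tokens) >= 5:
                maps[tokens[2]] = {"seq": int(tokens[3]), "type": tokens[4]}
                current = ("map", tokens[2])
            elif tokens[0] == "interface":
                name = " ".join(tokens[1:])
                interfaces[name] = {}
                current = ("if", name)
            elif tokens[:2] == ["ip", "route"] and len(tokens) == 5:
                routes.append((tokens[2], tokens[3], tokens[4]))
            continue
        if current is None:
            continue
        kind, name = current
        if kind == "map":
            if tokens[:2] == ["set", "peer"]:
                maps[name]["peer"] = tokens[2]
            elif tokens[:2] == ["match", "address"]:
                maps[name]["acl"] = tokens[2]
            elif tokens[:2] == ["set", "transform-set"]:
                maps[name]["transform"] = tokens[2]
        else:
            if tokens[:2] == ["ip", "address"]:
                interfaces[name]["ip"] = tokens[2]
            elif tokens[:2] == ["crypto", "map"]:
                interfaces[name]["crypto_map"] = tokens[2]
    return {"maps": maps, "interfaces": interfaces, "routes": routes}


def check_crypto_map_binding(config: str, remote_subnet: str) -> List[str]:
    """Return findings about the crypto map binding; an empty list means it is consistent."""
    parsed = parse_ios(config)
    findings: List[str] = []
    applied = {n: i["crypto_map"] for n, i in parsed["interfaces"].items() if "crypto_map" in i}
    if not applied:
        findings.append("no interface has a crypto map applied; IPsec is not operational")
    for ifname, mapname in applied.items():
        if mapname not in parsed["maps"]:
            findings.append(f"{ifname}: crypto map '{mapname}' is applied but never defined globally")
            continue
        entry = parsed["maps"][mapname]
        for key in ("peer", "acl", "transform"):
            if key not in entry:
                findings.append(f"crypto map '{mapname}': missing {key}")
        peer = entry.get("peer")
        # The page adds a static route for the far-side subnet pointing at the peer.
        if peer and not any(r[0] == remote_subnet and r[2] == peer for r in parsed["routes"]):
            findings.append(f"no static route for {remote_subnet} via peer {peer}")
    return findings


if __name__ == "__main__":
    for label, cfg, subnet in (("remote", REMOTE_OFFICE_CONFIG, "192.168.101.0"),
                               ("central", CENTRAL_OFFICE_CONFIG, "192.168.1.0"),
                               ("mistyped", MISTYPED_CONFIG, "192.168.101.0")):
        print(label, check_crypto_map_binding(cfg, subnet) or "OK")
```

The name check is the one worth automating: IOS accepts an interface-level crypto map name that has no global definition, and the resulting symptom (no ISAKMP negotiation at all) is easy to misattribute to the peer.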
