Purpose of Crypto Maps

Crypto maps pull together the various parts configured for IPsec, including:

■ Which traffic should be protected by IPsec

■ Where IPsec-protected traffic should be sent

■ The local address to be used for the IPsec traffic

■ Which IPsec type should be applied to this traffic

■ Whether SAs are established manually or via IKE

■ Other parameters needed to define an IPsec SA

© 2007 Cisco Systems, Inc. All rights reserved. SNRS v2.0-27

IPsec cannot set up an SA for a traffic flow until a crypto map entry exists that covers that flow; crypto map entries must therefore be created for every flow that is to be protected.

Crypto map entries created for IPsec set up SA parameters, tying together the various parts configured for IPsec, including these:

■ Which traffic should be protected by IPsec (per a crypto ACL)

■ Where IPsec-protected traffic should be sent (who the remote IPsec peer is)

■ The local address to be used for the IPsec traffic

■ Which IPsec security type should be applied to this traffic (transform sets)

■ Whether SAs are established manually or are established via IKE

■ Other parameters that might be necessary to define an IPsec SA

Crypto map entries with the same crypto map name (but different map sequence numbers) are grouped into a crypto map set. Later, you will apply these crypto map sets to interfaces; then, all IP traffic passing through the interface is evaluated against the applied crypto map set, entry by entry in sequence-number order. If a crypto map entry sees outbound IP traffic that should be protected and the crypto map specifies the use of IKE, an SA is negotiated with the remote peer according to the parameters included in the crypto map entry. Otherwise, if the crypto map entry specifies the use of manual SAs, an SA should have already been established via configuration. (A dynamic crypto map entry can only respond to a negotiation started by the peer: if it sees outbound traffic that should be protected and no SA exists yet, the packet is dropped rather than triggering IKE.)


The policy described in the crypto map entries is used during the negotiation of SAs. If the local router initiates the negotiation, it will use the policy specified in the static crypto map entries to create the offer to be sent to the specified IPsec peer. If the IPsec peer initiates the negotiation, the local router will check the policy from the static crypto map entries and any referenced dynamic crypto map entries to decide whether to accept or reject the request (offer) from the peer.

For IPsec to succeed between two IPsec peers, the crypto map entries of both peers must contain compatible configuration statements.

When two peers try to establish an SA, they must each have at least one crypto map entry that is compatible with one of the crypto map entries of the other peer. For two crypto map entries to be compatible, they must at least meet the following criteria:

■ The crypto map entries must contain compatible crypto ACLs (for example, mirror-image ACLs, in which the source and destination of each permit entry on one peer are the destination and source of the corresponding entry on the other). In the case where the responding peer is using dynamic crypto maps, the entries in the local crypto ACL must be permitted by the peer crypto ACL.

■ The crypto map entries must each identify the other peer (unless the responding peer is using dynamic crypto maps).

■ The crypto map entries must have at least one transform set in common. Transform set names are local to each router; what must match is the set of transforms (for example, esp-aes with esp-sha-hmac), not the name.
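The compatibility criteria above, together with the crypto map set, crypto ACL, peer and interface binding described earlier, as an added Python example that is not part of the SNRS material: it parses two constructed IOS configurations (hypothetical routers R1 and R2; all addresses, ACL numbers and transform set names are invented for the example) and reports, for every pair of crypto map entries, which of the three criteria fail.

```python
"""Added example: check two routers' crypto map entries against the compatibility criteria."""
import ipaddress
from types import SimpleNamespace

# Constructed sample configs (hypothetical, not from any real device). R1 (172.16.1.1) and R2
# (172.16.2.1) protect 10.1.1.0/24 <-> 10.2.2.0/24 in MYMAP entry 10; R2's entry 20 serves a third peer.
R1_CONFIG = """
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set LEGACY esp-3des esp-md5-hmac
access-list 110 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
crypto map MYMAP 10 ipsec-isakmp
 match address 110
 set peer 172.16.2.1
 set transform-set AES-SHA LEGACY
interface Serial0/0
 ip address 172.16.1.1 255.255.255.252
 crypto map MYMAP
"""
R2_CONFIG = """
crypto ipsec transform-set STRONG esp-aes esp-sha-hmac
crypto ipsec transform-set WEAK esp-des esp-md5-hmac
access-list 120 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 130 permit ip 10.2.2.0 0.0.0.255 10.3.3.0 0.0.0.255
crypto map MYMAP 10 ipsec-isakmp
 match address 120
 set peer 172.16.1.1
 set transform-set STRONG
crypto map MYMAP 20 ipsec-isakmp
 match address 130
 set peer 172.16.3.1
 set transform-set WEAK
interface Serial0/0
 ip address 172.16.2.1 255.255.255.252
 crypto map MYMAP
"""

def wildcard_net(addr, wild):
    """IOS wildcard bits are the inverse of a netmask: 0.0.0.255 -> /24."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wild)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def parse_config(text):
    """Minimal parser for the crypto-relevant IOS commands used in the samples above."""
    r = SimpleNamespace(acls={}, transforms={}, entries=[], local_addr="")
    mode, entry, iface_ip = None, None, None
    for raw in filter(str.strip, text.splitlines()):
        w = raw.split()
        if not raw.startswith(" "):                # a top-level command ends any sub-mode
            mode, entry, iface_ip = None, None, None
            if w[:3] == ["crypto", "ipsec", "transform-set"]:
                r.transforms[w[3]] = frozenset(w[4:])           # set name -> its transforms
            elif w[0] == "access-list" and w[2:4] == ["permit", "ip"]:
                r.acls.setdefault(w[1], []).append((wildcard_net(w[4], w[5]), wildcard_net(w[6], w[7])))
            elif w[:2] == ["crypto", "map"] and len(w) >= 4:  # one entry of the crypto map set
                entry, mode = SimpleNamespace(seq=int(w[3]), acl="", peers=[], transform_sets=[]), "map"
                r.entries.append(entry)
            elif w[0] == "interface":
                mode = "iface"
        elif mode == "map":
            if w[:2] == ["match", "address"]:
                entry.acl = w[2]
            elif w[:2] == ["set", "peer"]:
                entry.peers.append(w[2])
            elif w[:2] == ["set", "transform-set"]:
                entry.transform_sets.extend(w[2:])
        elif mode == "iface":
            if w[:2] == ["ip", "address"]:
                iface_ip = w[2]
            elif w[:2] == ["crypto", "map"]:
                r.local_addr = iface_ip            # the local address used for IPsec traffic
    return r

def compatible(a, ea, b, eb, b_dynamic=False):
    """Reasons entry `ea` on router `a` cannot pair with `eb` on router `b`; empty list = compatible."""
    problems = []
    acl_a, acl_b = a.acls.get(ea.acl, []), b.acls.get(eb.acl, [])
    # 1. Crypto ACLs: each local flow needs a mirror in the peer ACL (and vice versa for a static peer).
    for src, dst in acl_a:
        if not any(src.subnet_of(bd) and dst.subnet_of(bs) for bs, bd in acl_b):
            problems.append(f"flow {src}->{dst} has no mirror in peer ACL {eb.acl}")
    if not b_dynamic:
        for src, dst in acl_b:
            if not any(src.subnet_of(ad) and dst.subnet_of(asrc) for asrc, ad in acl_a):
                problems.append(f"peer flow {src}->{dst} has no mirror in local ACL {ea.acl}")
    # 2. Each entry must name the other router as its peer (a dynamic responder need not).
    if b.local_addr not in ea.peers:
        problems.append(f"local entry does not set peer {b.local_addr}")
    if not b_dynamic and a.local_addr not in eb.peers:
        problems.append(f"peer entry does not set peer {a.local_addr}")
    # 3. At least one transform set in common: compare the transforms, not the set names.
    if not {a.transforms[n] for n in ea.transform_sets} & {b.transforms[n] for n in eb.transform_sets}:
        problems.append("no transform set in common")
    return problems

def check_peers(cfg_a, cfg_b):
    """Compare every entry of router A's crypto map set with every entry of router B's."""
    a, b = parse_config(cfg_a), parse_config(cfg_b)
    return {(ea.seq, eb.seq): compatible(a, ea, b, eb) for ea in a.entries for eb in b.entries}
```

Calling check_peers(R1_CONFIG, R2_CONFIG) reports R1 entry 10 and R2 entry 10 as compatible, and lists four problems for R2 entry 20: no mirrored ACL entry in either direction, R2 does not name R1 as its peer, and no transform set in common. The transform check compares the transforms rather than the set names, because names such as AES-SHA and STRONG are local to each router. A dynamic responder is modelled by b_dynamic=True, which drops the reverse-ACL and peer-address requirements on that side, as the text describes.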
