Create the Crypto

The crypto map is the component that consolidates all the IPsec configuration pieces. The following items are defined in the crypto map:

• Which traffic is to be encrypted (reference to the access list)

• How granular the protected data flow should be

• Where the encrypted data should be sent (the SA peer)

• The local address used for encrypted data (local router interface address)

• What security should be applied to the traffic (reference to transform sets)

• How the IPsec SA should be established (manual or IKE)

• Any other parameters for the IPsec SA

This command requires multiple lines. Each line of the command addresses a different portion of the configuration. The syntax of the crypto map command is as follows:

crypto map map-name seq-number connection

The command crypto map is entered from the global configuration mode and identifies the crypto map by name and sequence number. It also configures how the IPsec SA should be established. Table 19-4 lists the possible commands for configuring the IPsec SA.


This is the default value and indicates that IPsec will not be used but will be replaced with CET. This transform is being phased out.


This value indicates that IKE will not be used to establish the IPsec SA. ipsec-isakmp

This value indicates that IKE will be used to establish the IPsec SA. dynamic

This optional command specifies that a pre-existing static crypto map be referenced for the correct configuration. This option is only available after the ipsec-isakmp parameter.

0 0

Post a comment