Crypto Map Manual Configuration Mode Commands

The Crypto Map Manual Configuration Mode is used to configure static IPSec tunnel properties.
Modification(s) to an existing crypto map manual configuration will not take effect until the related security association has been cleared. Refer to the clear crypto security-association command located in the Exec Mode Commands chapter of the Command Line Interface Reference for more information.
Important: Because manual crypto map configurations require the use of static security keys (associations), they are not as secure as crypto maps that rely on dynamically configured keys. Therefore, it is recommended that they only be used for testing purposes.
 
Important: The commands or keywords/variables that are available are dependent on platform type, product version, and installed license(s).
 
end
Exits the current configuration mode and returns to the Exec mode.
Product
All
Privilege
Security Administrator, Administrator
Syntax
end
Usage
Return to the Exec mode.
 
exit
Exits the current configuration mode and returns to the context configuration mode.
Product
All
Privilege
Security Administrator, Administrator
Syntax
exit
Usage
Return to the context configuration mode.
 
match address
Matches or associates the crypto map to an access control list (ACL) configured in the same context.
Product
PDSN, HA, GGSN, PDIF
Privilege
Security Administrator, Administrator
Syntax
match address acl_name [ priority ]
no match address
no
Removes a previously matched ACL.
acl_name
The name of the ACL that the crypto map is to be matched with.
acl_name can be from 1 to 47 alpha and/or numeric characters and is case sensitive.
priority
Default: 0
Specifies the preference of the ACL. The ACL preference is factored when a single packet matches the criteria of more than one ACL.
The preference can be configured to any integer value from 0 to 4294967295. “0” is the highest priority.
Important: The priorities are only compared for ACLs matched to other crypto maps or to policy ACLs (those applied to the entire context).
Usage
ACLs matched to crypto maps are referred to as crypto ACLs. Crypto ACLs define the criteria that must be met in order for a subscriber data packet to be routed over an IPSec tunnel.
Prior to routing, the system examines the properties of each subscriber data packet. If the packet properties match the criteria specified in the crypto ACL, the system will initiate the IPSec policy dictated by the crypto map.
Example
The following command sets the crypto map ACL to the ACL named ACLlist1 and sets the crypto map's priority to the highest level.
match address ACLlist1 0
 
set control-dont-fragment
Controls the don’t fragment (DF) bit in the outer IP header of the IPsec tunnel data packet.
Product
PDSN, HA, GGSN, PDIF
Privilege
Security Administrator, Administrator
Syntax
set control-dont-fragment { clear-bit | copy-bit | set-bit }
default set control-dont-fragment { clear-bit | copy-bit | set-bit }
clear-bit
Clears the DF bit from the outer IP header (sets it to 0).
copy-bit
Copies the DF bit from the inner IP header to the outer IP header. This is the default action.
default
Sets or restores the default value of the specified parameter.
set-bit
Sets the DF bit in the outer IP header (sets it to 1).
Usage
Use this command to clear, copy, or set the don’t fragment (DF) bit in the outer IP header of the IPsec tunnel data packet.
Example
The following command sets the DF bit in the outer IP header.
set control-dont-fragment set-bit
 
set peer
Configures the IP address of the peer security gateway that the system will establish the IPSec tunnel with.
Product
PDSN, HA, GGSN, PDIF
Privilege
Security Administrator, Administrator
Syntax
set peer gw_address
no set peer
no
Removes a previously configured peer address.
gw_address
The IP address of the peer security gateway with which the IPSec tunnel will be established.
Usage
Once the manual crypto map is fully configured and applied to an interface, the system will establish an IPsec tunnel with the security gateway specified by this command.
Because the tunnel relies on statically configured parameters, once created, it never expires; it exists until its configuration is deleted.
Example
The following command configures a security gateway address of 192.168.1.100 for the crypto map to establish a tunnel with.
set peer 192.168.1.100
 
set session-key
Configures session key parameters for the manual crypto map.
Product
PDSN, HA, GGSN, PDIF
Privilege
Security Administrator, Administrator
Syntax
set session-key { inbound | outbound } { ah ah_spi [ encrypted ] key ah_key | esp esp_spi [ encrypted ] cipher encryption_key [ encrypted ] authenticator auth_key }
no set session-key { inbound | outbound }
no
Removes previously configured session key information.
inbound
Specifies that the key(s) will be used for tunnels carrying data sent by the security gateway.
outbound
Specifies that the key(s) will be used for tunnels carrying data sent by the system.
ah ah_spi
Configures the following session key information for the Authentication Header (AH) protocol:
ah_spi : The security parameter index (SPI) used to identify the AH security association (SA) between the system and the security gateway.
The SPI can be configured to any integer value from 256 to 4294967295.
encrypted
Indicates the key provided is encrypted.
The encrypted keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the key, cipher, and/or authenticator keyword is the encrypted version of the plain text key. Only the encrypted key is saved as part of the configuration file.
key ah_key
Configures the following session key information for the Authentication Header (AH) protocol:
ah_key : The key used by the system to de/encapsulate IP packets using the AH protocol.
The key must be entered as either a string or a hexadecimal number beginning with “0x”.
esp esp_spi
Configures security parameter index (SPI) for the Encapsulating Security Payload (ESP) protocol. The SPI is used to identify the ESP security association (SA) between the system and the security gateway.
esp_spi : The SPI value. It can be configured to any integer value from 256 to 4294967295.
cipher encryption_key
Specifies the key used by the system to de/encrypt the payloads of IP packets using the ESP protocol.
encryption_key must be entered as either a string or a hexadecimal number beginning with “0x”.
authenticator auth_key
Specifies the key used by the system to authenticate the IP packets once encryption has been performed.
auth_key must be entered as either a string or a hexadecimal number beginning with “0x”.
Usage
Manual crypto maps rely on the use of statically configured keys to establish IPSec tunnels. This command allows the configuration of the static keys.
Identical keys must be configured on both the system and the security gateway in order for the tunnel to be established.
This command can be entered up to two times for the same crypto map: once to configure inbound key properties, and once to configure outbound key properties.
Example
The following command configures the outbound ESP session key properties for a manual crypto map:
set session-key outbound esp 310 cipher sd23r9skd0fi3as authenticator sfd23408imi9yn
 
set transform-set
Configures the name of a transform set that the crypto map is associated with.
Product
PDSN, HA, GGSN, PDIF
Privilege
Security Administrator, Administrator
Syntax
set transform-set transform_name
no set transform-set
no
Removes a previously configured transform set association.
transform_name
Specifies the name of the transform set and must be an alpha and/or numeric string from 1 to 127 characters and is case sensitive.
Usage
System transform sets contain the IPSec policy definitions for crypto maps. Refer to the command crypto ipsec transform-set for information on creating transform sets.
Important: Transform sets must be configured prior to configuring session key information for the crypto map.
Example
The following command associates a transform set named esp_tset with the crypto map:
set transform-set esp_tset
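A configuration lint for this mode, added here as an example and not part of the Cisco reference: it checks a crypto map manual block against the limits stated by the match address, set session-key and set transform-set commands above (SPI and priority ranges, name lengths, string-or-0x key format, at most one inbound and one outbound set session-key, and the transform set being configured before the session keys). The sample block is constructed and its key values are placeholders; treating a plain-string key as alphanumeric is an assumption.

```python
SPI_MIN, U32_MAX = 256, 4294967295          # SPI and priority limits from the reference
ACL_NAME_MAX, TSET_NAME_MAX = 47, 127       # acl_name and transform_name length limits

def _in_range(s, lo, hi):
    return s.isdigit() and lo <= int(s) <= hi

def _valid_key(k):
    # A key is a string or a hexadecimal number beginning with "0x"; assumption: string keys are alphanumeric.
    if k.startswith("0x"):
        return len(k) > 2 and all(c in "0123456789abcdefABCDEF" for c in k[2:])
    return k.isalnum()

def lint_manual_crypto_map(text):
    """Return the list of problems found in one crypto map manual block."""
    errors, directions, have_tset = [], set(), False
    for line in text.splitlines():
        tok = line.split() + [""] * 5  # pad so missing arguments read as ""
        if tok[:2] == ["match", "address"]:
            if not 1 <= len(tok[2]) <= ACL_NAME_MAX:
                errors.append("match address: acl_name must be 1-47 characters")
            if tok[3] and not _in_range(tok[3], 0, U32_MAX):
                errors.append("match address: priority must be 0-4294967295")
        elif tok[:2] == ["set", "transform-set"]:
            have_tset = 1 <= len(tok[2]) <= TSET_NAME_MAX
            if not have_tset:
                errors.append("set transform-set: name must be 1-127 characters")
        elif tok[:2] == ["set", "session-key"]:
            if not have_tset:  # transform set must exist before session keys
                errors.append("set session-key: no transform set configured yet")
            if tok[2] not in ("inbound", "outbound") or tok[2] in directions:
                errors.append("set session-key: need one inbound and one outbound entry")
            directions.add(tok[2])
            if not _in_range(tok[4], SPI_MIN, U32_MAX):
                errors.append("set session-key: SPI must be 256-4294967295")
            # "encrypted" only flags a stored key; drop it before checking the key list
            rest = [t for t in tok[5:] if t not in ("encrypted", "")]
            shape = {"ah": ["key"], "esp": ["cipher", "authenticator"]}.get(tok[3])
            if shape is None or rest[::2] != shape or len(rest) != 2 * len(shape):
                errors.append(f"set session-key: malformed {tok[3]} key list")
            else:
                for kw, key in zip(rest[::2], rest[1::2]):
                    if not _valid_key(key):
                        errors.append(f"set session-key: {kw} must be a string or 0x hex")
    return errors

# Constructed sample block (not from the reference); key values are placeholders.
SAMPLE_BAD = """set session-key inbound esp 100 cipher 0xdeadbeef authenticator abc
set transform-set esp_tset
set session-key outbound esp 310 cipher sd23r9skd0fi3as authenticator sfd23408imi9yn
set session-key outbound ah 400 key 0xzz"""
```

Running lint_manual_crypto_map(SAMPLE_BAD) reports the session key entered before the transform set, the out-of-range SPI, the duplicate outbound entry and the malformed hex key.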
 

Cisco Systems Inc.