Important: The commands or keywords/variables that are available are dependent on platform type, product version, and installed license(s).
match address

Matches or associates the crypto map to an access control list (ACL) configured in the same context.

    match address acl_name priority

acl_name can be from 1 to 79 alphabetic and/or numeric characters and is case sensitive.

Important: The priorities are only compared for ACLs matched to other crypto maps or to policy ACLs (those applied to the entire context).

The following command sets the crypto map ACL to the ACL named ACLlist1 and sets the crypto map's priority to the highest level:

    match address ACLlist1 0

match crypto group

    no match crypto group group_name

The following command associates the crypto map to a crypto group called group1 and dictates that it will serve as the primary tunnel policy:

match ip pool pool-name

    match ip pool pool-name pool_name
    no match ip pool pool-name pool_name

Important: If an IP address pool that is matched to an IKEv1 crypto map is resized, removed, or added, the corresponding security association must be cleared for the change to take effect. Refer to the clear crypto command in Exec mode for information on clearing security associations.

The following command sets a rule for the current crypto map that will match an IP pool named ippool1:

    match ip pool pool-name ippool1

set

    set { control-dont-fragment { clear-bit | copy-bit | set-bit } | ikev1 natt [ keepalive time ] | pfs { group1 | group2 | group5 } | phase1-idtype { id-key-id | ipv4-address [ mode { aggressive | main } ] } | phase2-idtype { ipv4-address | ipv4-address-subnet } | security-association lifetime { disable-phase2-rekey | keepalive | kilo-bytes kbytes | seconds secs } | transform-set transform_name [ transform-set transform_name2 ... transform-set transform_name6 ] }
    no set { ikev1 natt | pfs | phase1-idtype | phase2-idtype | security-association lifetime { disable-phase2-rekey | keepalive | kilo-bytes | seconds } | transform-set transform_name [ transform-set transform_name2 ... transform-set transform_name6 ] }

control-dont-fragment { clear-bit | copy-bit | set-bit }
• clear-bit: Clears the DF bit in the outer IP header (sets it to 0).
• copy-bit: Copies the DF bit from the inner IP header to the outer IP header. This is the default action.
• set-bit: Sets the DF bit in the outer IP header (sets it to 1).

ikev1 natt [ keepalive time ]
natt: Enables IPSec NAT Traversal.
keepalive time: The time to keep the NAT connection alive, in seconds. time must be an integer from 1 through 3600.

pfs { group1 | group2 | group5 }
• group1: Diffie-Hellman Group 1 (768-bit modp)
• group2: Diffie-Hellman Group 2 (1024-bit modp)
• group5: Diffie-Hellman Group 5 (1536-bit modp)

phase2-idtype { ipv4-address | ipv4-address-subnet }
ipv4-address: Use IPV4_ADDR as the Phase 2 payload identifier.
ipv4-address-subnet: Use IPV4_ADDR_SUBNET as the Phase 2 payload identifier.

security-association lifetime { disable-phase2-rekey | keepalive | kilo-bytes kbytes | seconds secs }

Defaults:
• disable-phase2-rekey: Rekeying is enabled by default
• keepalive: Disabled
• kilo-bytes: 4608000 kbytes
• seconds: 28800 seconds

Keywords:
• disable-phase2-rekey: If this keyword is specified, the Phase 2 SA is not rekeyed when the lifetime expires.
• keepalive: The SA lifetime expires only when a keepalive message is not responded to by the far end.
• kilo-bytes kbytes: The amount of data, in kilobytes, allowed through the tunnel before the SA lifetime expires. kbytes must be an integer from 2560 through 4294967294.
• seconds secs: The number of seconds to wait before the SA lifetime expires. secs must be an integer from 1200 through 86400.

Important: If the dynamic crypto map is being used in conjunction with Mobile IP and the Mobile IP renewal timer is less than the crypto map's SA lifetime (either in terms of kilobytes or seconds), then the keepalive parameter must be configured.

transform-set transform_name [ transform-set transform_name2 ... transform-set transform_name6 ]
This keyword specifies the name of a transform set configured in the same context that will be associated with the crypto map. Refer to the crypto ipsec transform-set command for information on creating transform sets. transform_name is the name of the transform set and must be an alphabetic and/or numeric string from 1 to 127 characters; it is case sensitive.
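As an added example (not part of the Cisco reference), the following Python linter reads the match/set lines of one crypto map and checks them against the limits, defaults and caveats listed above: it flags the weaker pfs groups, a disabled Phase 2 rekey, out-of-range lifetime and NAT-T keepalive values, and the Mobile IP case in which keepalive must be configured. The mobile_ip_renewal argument and the sample lines are constructed for illustration.

```python
# Limits and defaults as stated in the command reference above.
ACL_NAME_MAX, TRANSFORM_NAME_MAX = 79, 127
RANGES = {"keepalive": (1, 3600), "kilo-bytes": (2560, 4294967294), "seconds": (1200, 86400)}
DEFAULT_LIFETIME = {"kilo-bytes": 4608000, "seconds": 28800}
PFS_MODP_BITS = {"group1": 768, "group2": 1024, "group5": 1536}

def _in_range(name, value):
    lo, hi = RANGES[name]
    return value.isdigit() and lo <= int(value) <= hi

def check_crypto_map(lines, mobile_ip_renewal=None):
    """Lint one crypto map's match/set lines; mobile_ip_renewal is the Mobile IP renewal timer in seconds (None if unused)."""
    findings, lifetime, keepalive = [], dict(DEFAULT_LIFETIME), False
    for raw in lines:
        tok = raw.split()
        if tok[:2] == ["match", "address"]:
            if not 1 <= len(tok[2]) <= ACL_NAME_MAX:
                findings.append(f"acl name length out of range: {tok[2]}")
        elif tok[:2] == ["set", "pfs"]:
            bits = PFS_MODP_BITS.get(tok[2])
            if bits is None:
                findings.append(f"unknown pfs group: {tok[2]}")
            elif bits < 1536:  # group1/group2 are below the strongest group the command offers
                findings.append(f"weak pfs {tok[2]}: {bits}-bit modp")
        elif tok[:4] == ["set", "ikev1", "natt", "keepalive"]:
            if not _in_range("keepalive", tok[4]):
                findings.append(f"natt keepalive out of range: {tok[4]}")
        elif tok[:3] == ["set", "security-association", "lifetime"]:
            key, val = tok[3], tok[4] if len(tok) > 4 else ""
            if key == "keepalive":
                keepalive = True
            elif key == "disable-phase2-rekey":
                findings.append("phase2 rekey disabled: SA keys are never refreshed")
            elif key not in RANGES or not _in_range(key, val):
                findings.append(f"lifetime {key} invalid: {val}")
            else:
                lifetime[key] = int(val)
        elif tok[:2] == ["set", "transform-set"]:
            names = tok[2::2]  # "set transform-set A transform-set B ..."
            findings += [f"transform set name length out of range: {n}" for n in names if not 1 <= len(n) <= TRANSFORM_NAME_MAX]
    # Mobile IP caveat from the reference: a renewal timer shorter than the SA lifetime requires keepalive.
    if mobile_ip_renewal is not None and mobile_ip_renewal < lifetime["seconds"] and not keepalive:
        findings.append("mobile ip renewal timer shorter than SA lifetime: set keepalive")
    return findings

# Constructed sample (not from the page) with one weak setting.
SAMPLE = ["match address ACLlist1 0", "set pfs group2",
          "set security-association lifetime seconds 3600", "set transform-set tset1 transform-set tset2"]
```

The Mobile IP check compares the renewal timer with the seconds lifetime only, since the timer itself is expressed in seconds.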
Cisco Systems Inc.