Crypto Group Configuration Mode Commands

The Crypto Group Configuration Mode is used to configure crypto (tunnel) groups that provide fail-over redundancy for IPSec tunnels to packet data networks (PDNs).

IMPORTANT:

The commands or keywords/variables that are available are dependent on platform type, product version, and installed license(s).

end

Exits the current configuration mode and returns to the Exec mode.

Product:

All


Privilege:

Security Administrator, Administrator


Syntax 
end

Usage:

Use this command to return to the Exec mode.

exit

Exits the current mode and returns to the parent configuration mode.

Product:

All


Privilege:

Security Administrator, Administrator


Syntax 
exit

Usage:

Use this command to return to the parent configuration mode.

match address

Associates an access control list (ACL) with the crypto group.

Platform:

ASR 5000

Product:

PDSN, HA, GGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax 
[ no ] match
address acl_name [ preference ]
no

Deletes a previously configured ACL association.

match address acl_name

Specifies the name of the ACL being matched to the crypto group entered as an alphanumeric string of 1 through 47 characters.

preference

The priority of the ACL.

The ACL preference is factored when a single packet matches the criteria of more than one ACL. preference is an integer from 0 through 4294967295; 0 is the highest priority.

If multiple ACLs are assigned the same priority, the last one entered will be used first.

IMPORTANT:

The priorities are only compared for ACLs matched to other groups or to policy ACLs (those applied to the entire context).


Usage:

IP ACLs are associated with crypto groups using this command. Both the crypto group and the ACLs must be configured in the same context.

ISAKMP crypto maps can then be associated with the crypto group. This allows user traffic matching the rules of the ACL to be handled according to the policies configured as part of the crypto map.


Example:
The following command associates an ACL called corporate_acl to the crypto group:
match address corporate_acl
match ip pool

Matches the specified IP pool to the current crypto group. This command can be used multiple times to match more than one IP pool.

Platform:

ASR 5000

Product:

PDSN, HA, GGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax 
[ no ] match
ip pool pool-name pool_name
no

Deletes the matching statement for the specified IP pool from the crypto group.

match ip pool pool-name pool_name

Specifies the name of an existing IP pool that should be matched entered as an alphanumeric string of 1 through 31 characters.


Usage:

Use this command to set the names of IP pools that should be matched in the current crypto group.


Example:
The following command sets a rule for the current crypto group that will match an IP pool named ippool1:
match ip pool pool-name
ippool1
switchover

Configures the fail-over properties for the crypto group as part of the Redundant IPSec Fail-Over feature.

Platform:

ASR 5000

Product:

PDSN, HA, GGSN, P-GW


Privilege:

Security Administrator, Administrator


Syntax 
[ no ] switchover
auto [ do-not-revert ]
no

Disables the automatic switchover of tunnels. This applies to switching primary-to-secondary and secondary-to-primary.

switchover auto

Allows the automatic switchover of tunnels. Default: Enabled

do-not-revert

Disables the automatic switchover of secondary tunnels to primary tunnels. Default: Disabled


Usage:

This command configures the fail-over options for the Redundant IPSec Fail-over feature.

If the automatic fail-over options are disabled, tunneled traffic must be manually switched to the alternate tunnel (or manually activated if no alternate tunnel is configured and available) using the following command in the Exec Mode:

crypto-group group_name
activate { primary | secondary }

For a definition of this command, see the crypto-group section of the Exec Mode Commands chapter of this guide.


Example:
The following command disables the automatic secondary-to-primary switchover:
switchover auto do-not-revert