Modification(s) to an existing IKEv1 crypto map configuration will not take effect until the related security association has been cleared. Refer to the description of the clear crypto security-association command in the Exec Mode Commands chapter for more information.

Important: The commands or keywords/variables that are available are dependent on platform type, product version, and installed license(s).
match address

Matches or associates the crypto map to an access control list (ACL) configured in the same context.

[ no ] match address acl_name priority
match address acl_name

Important: The priorities are only compared for ACLs matched to other crypto maps or to policy ACLs (those applied to the entire context).
The following command sets the crypto map ACL to the ACL named ACLlist1 and sets the crypto map's priority to the highest level.

match crypto group

match crypto group group_name

The following command associates the crypto map to a crypto group called group1 and dictates that it will serve as the primary tunnel policy:

match ip pool

[ no ] match ip pool pool-name pool_name [ destination-network ip_address { /mask | mask ip_mask } ]
match ip pool pool-name pool_name

/mask specifies the subnet mask bits (representing the subnet mask) and must be an integer from 1 to 32 (CIDR notation). This variable must be entered in the IPv4 dotted-decimal notation/subnet bits format (for example, 10.1.1.1/24).

mask ip_mask specifies the subnet mask in dotted-decimal notation.

Important: Each invocation of this command will add another destination network to the IP pool, with a maximum of eight destination networks per crypto map.
Important: If an IP address pool that is matched to an IKEv1 crypto map is resized, removed, or added, the corresponding security association must be cleared in order for the change to take effect. Refer to the clear crypto command in the Exec mode for information on clearing security associations.
The following command sets a rule for the current crypto map that will match an IP pool named ippool1:

set

set { control-dont-fragment { clear-bit | copy-bit | set-bit } | ikev1 natt [ keepalive time ] | pfs { group1 | group2 | group5 } | phase1-idtype { id-key-id | ipv4-address [ mode { aggressive | main } ] } | phase2-idtype { ipv4-address | ipv4-address-subnet } | security-association lifetime { disable-phase2-rekey | keepalive | kilo-bytes kbytes | seconds secs } | transform-set transform_name [ transform-set transform_name2 ... transform-set transform_name6 ] }

no set { ikev1 natt | pfs | phase1-idtype | phase2-idtype | security-association lifetime { disable-phase2-rekey | keepalive | kilo-bytes | seconds } | transform-set transform_name [ transform-set transform_name2 ... transform-set transform_name6 ] }

control-dont-fragment { clear-bit | copy-bit | set-bit }
• clear-bit: Clears the DF bit from the outer IP header (sets it to 0).
• copy-bit: Copies the DF bit from the inner IP header to the outer IP header. This is the default action.
• set-bit: Sets the DF bit in the outer IP header (sets it to 1).

ikev1 natt [ keepalive time ]

natt: Enables IPSec NAT Traversal.

keepalive time: The time to keep the NAT connection alive in seconds. time must be an integer from 1 through 3600.

pfs { group1 | group2 | group5 }
• group1: Diffie-Hellman Group1 (768-bit modp)
• group2: Diffie-Hellman Group2 (1024-bit modp)
• group5: Diffie-Hellman Group5 (1536-bit modp)
• mode: Configures IKE mode
• aggressive: IKE negotiation mode: AGGRESSIVE
• main: IKE negotiation mode: MAIN
• ipv4-address: Use IPV4_ADDR as the Phase 2 payload identifier.
• ipv4-address-subnet: Use IPV4_ADDR_SUBNET as the Phase 2 payload identifier.

set security-association lifetime { disable-phase2-rekey | keepalive | kilo-bytes kbytes | seconds secs }

Defaults:
• disable-phase2-rekey: Rekeying is enabled by default
• keepalive: Disabled
• kilo-bytes: 4608000 kbytes
• seconds: 28800 seconds
• disable-phase2-rekey: If this keyword is specified, the Phase2 SA is not rekeyed when the lifetime expires.
• keepalive: The SA lifetime expires only when a keepalive message is not responded to by the far end.
• kilo-bytes: This specifies the amount of data (n kilobytes) to allow through the tunnel before the SA lifetime expires. kbytes must be an integer from 2560 through 4294967294.
• seconds: The number of seconds to wait before the SA lifetime expires. secs must be an integer from 1200 through 86400.

Important: If the dynamic crypto map is being used in conjunction with Mobile IP and the Mobile IP renewal timer is less than the crypto map's SA lifetime (either in terms of kilobytes or seconds), then the keepalive parameter must be configured.
transform-set transform_name [ transform-set transform_name2 ... transform-set transform_name6 ]

Specifies the name of a transform set configured in the same context that will be associated with the crypto map. Refer to the command crypto ipsec transform-set for information on creating transform sets. transform_name is the name of the transform set entered as an alphanumeric string of 1 through 127 characters that is case sensitive.

The following command sets the SA lifetime to 10000 seconds:
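A complete IKEv1 crypto map assembled from the commands documented on this page, added here as an illustration; it is not a configuration from the original document. The context name (ingress), the crypto map name and its enclosing crypto map ... ipsec-ikev1 command, the ACL priority value, the 10.1.1.0/24 destination network and the transform-set name tset1 are assumptions; lines beginning with # are annotations only.

```text
# Assumed context name and enclosing crypto map command (not documented on this page)
context ingress
  crypto map vpn-map1 ipsec-ikev1
    # Traffic selection by ACL ACLlist1 from the same context; the priority value 1 is a placeholder
    match address ACLlist1 1
    # Tunnel traffic for pool ippool1 toward an assumed 10.1.1.0/24 network
    # (each invocation adds one destination network, at most eight per crypto map)
    match ip pool pool-name ippool1 destination-network 10.1.1.0/24
    # Carry the inner packet's DF bit to the outer header (the default behaviour)
    set control-dont-fragment copy-bit
    # NAT traversal with a 20-second keepalive (valid range 1 through 3600)
    set ikev1 natt keepalive 20
    # Perfect forward secrecy with group5 (1536-bit modp), the largest group offered here
    set pfs group5
    # Phase 1 identity by IPv4 address in main mode; Phase 2 identity as address/subnet
    set phase1-idtype ipv4-address mode main
    set phase2-idtype ipv4-address-subnet
    # Phase 2 SA lifetime of 10000 seconds (valid range 1200 through 86400; default 28800)
    set security-association lifetime seconds 10000
    # Assumed transform set, created beforehand with crypto ipsec transform-set
    set transform-set tset1
  #exit
#exit
```

Changing any of these lines on a running system has no effect until the related security association is cleared from Exec mode (clear crypto security-association); the same applies when ippool1 is resized, removed or added.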
Cisco Systems Inc. | Tel: 408-526-4000 | Fax: 408-527-0883