Modification(s) to an existing crypto map manual configuration will not take effect until the related security association has been cleared. Refer to the description of the clear crypto security-association command in the Exec Mode Commands chapter for more information.

Important: Because manual crypto map configurations require the use of static security keys (associations), they are not as secure as crypto maps that rely on dynamically configured keys. Therefore, they should only be used for testing purposes.
Important: The commands or keywords/variables that are available are dependent on platform type, product version, and installed license(s).
Matches or associates the crypto map to an access control list (ACL) configured in the same context.

match address acl_name

Specifies the name of the ACL with which the crypto map is to be matched. acl_name is an alphanumeric string of 1 through 47 characters that is case sensitive.

Specifies the preference of the ACL. The ACL preference is factored when a single packet matches the criteria of more than one ACL. priority is an integer from 0 through 4294967295. 0 is the highest priority. Default: 0

Important: The priorities are only compared for ACLs matched to other crypto maps or to policy ACLs (those applied to the entire context).
The following command sets the crypto map ACL to the ACL named ACLlist1 and sets the crypto map's priority to the highest level.

[ no ] set peer gw_address

set peer gw_address

The following command configures a security gateway address of 192.168.1.100 for the crypto map with which to establish a tunnel.

set session-key { inbound | outbound } { ah ah_spi [ encrypted ] key ah_key | esp esp_spi [ encrypted ] cipher encryption_key [ encrypted ] authenticator auth_key }

ah ah_spi

Configures the Security Parameter Index (SPI) for the Authentication Header (AH) protocol. The SPI is used to identify the AH security association (SA) between the system and the security gateway. ah_spi is an integer from 256 through 4294967295.

The encrypted keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the key, cipher, and/or authenticator keyword is the encrypted version of the plain text key. Only the encrypted key is saved as part of the configuration file.

key ah_key

Configures the key used by the system to de/encapsulate IP packets using Authentication Header (AH) protocol. ah_key must be entered as either an alphanumeric string or a hexadecimal number beginning with “0x”.

esp esp_spi

Configures SPI for the Encapsulating Security Payload (ESP) protocol. The SPI is used to identify the ESP security association (SA) between the system and the security gateway. esp_spi is an integer from 256 through 4294967295.

cipher encryption_key

Specifies the key used by the system to de/encrypt the payloads of IP packets using the ESP protocol. encryption_key must be entered as either an alphanumeric string or a hexadecimal number beginning with “0x”.

authenticator auth_key

Specifies the key used by the system to authenticate the IP packets once encryption has been performed. auth_key must be entered as either an alphanumeric string or a hexadecimal number beginning with “0x”.
• Encryption key is sd23r9skd0fi3as.
• Authentication key is sfd23408imi9yn.

[ no ] set transform-set transform_name

set transform-set transform_name

System transform sets contain the IPSec policy definitions for crypto maps. Refer to the crypto ipsec transform-set command for information on creating transform sets.

Important: Transform sets must be configured prior to configuring session key information for the crypto map.
The following command associates a transform set named esp_tset with the crypto map:
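An offline check for the rules this reference states (SPI range, key format, ACL name length, priority range, transform set before session key), written here as an added example and not taken from the Cisco documentation. It assumes the commands of one manual crypto map arrive as plain text lines and that a priority, when present, follows the ACL name; the function names are hypothetical.

```python
import re
SPI_MIN, SPI_MAX = 256, 4294967295   # SPI range given in the reference text
KEY_RE = re.compile(r"(0x[0-9A-Fa-f]+|[A-Za-z0-9]+)\Z")  # alphanumeric or 0x hex

def _in_range(s, lo, hi):
    return s.isascii() and s.isdigit() and lo <= int(s) <= hi

def _check_session_key(tok):
    """Check direction, SPI range and key format of one set session-key command."""
    if not tok or tok[0] not in ("inbound", "outbound"):
        return ["direction must be inbound or outbound"]
    stored = "encrypted" in tok          # saved form: value is not the plain key
    args = [t for t in tok[1:] if t != "encrypted"]
    pairs = dict(zip(args[0::2], args[1::2]))
    proto = next((p for p in ("ah", "esp") if p in pairs), None)
    if proto is None:
        return ["expected ah or esp with an SPI"]
    out = ([] if _in_range(pairs[proto], SPI_MIN, SPI_MAX)
           else [f"{proto} SPI outside {SPI_MIN}..{SPI_MAX}"])
    for kw in (("key",) if proto == "ah" else ("cipher", "authenticator")):
        if kw not in pairs:
            out.append(f"missing {kw}")
        elif not stored and not KEY_RE.match(pairs[kw]):
            out.append(f"{kw} is not alphanumeric or 0x-prefixed hex")
    return out

def audit_manual_crypto_map(lines):
    """Return (line_no, message) findings for the body of one manual crypto map."""
    findings, seen_transform = [], False
    for no, raw in enumerate(lines, 1):
        tok = raw.split()
        if tok[:2] == ["match", "address"] and len(tok) > 2:
            if len(tok[2]) > 47:
                findings.append((no, "ACL name longer than 47 characters"))
            # Assumption: priority, when present, is a trailing integer.
            if len(tok) > 3 and not _in_range(tok[3], 0, 4294967295):
                findings.append((no, "priority must be 0 through 4294967295"))
        elif tok[:2] == ["set", "transform-set"]:
            seen_transform = True
        elif tok[:2] == ["set", "session-key"]:
            findings.append((no, "static session key: testing use only"))
            if not seen_transform:
                findings.append((no, "session key set before transform set"))
            findings.extend((no, m) for m in _check_session_key(tok[2:]))
    return findings
# Constructed sample: values from this page, except SPI 100 (made up, too low).
SAMPLE = ["match address ACLlist1 0", "set peer 192.168.1.100",
          "set session-key inbound esp 100 cipher sd23r9skd0fi3as "
          "authenticator sfd23408imi9yn", "set transform-set esp_tset"]
```

Calling `audit_manual_crypto_map(SAMPLE)` reports three findings on line 3: the static key itself, the session key appearing before the transform set, and the SPI below 256.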
| Cisco Systems Inc. |
| Tel: 408-526-4000 |
| Fax: 408-527-0883 |