Filter
Top Products
Command Reference Guide Crypto Map Manual Command Set
61200510L1-35E Copyright © 2005 ADTRAN 1243
Usage Examples
The following example shows setting up an access list (called NewList) and then assigning the new list to
a crypto map (called NewMap):
(config)#ip access-list extended NewList
Configuring New Extended ACL "NewList"
(config-ext-nacl)#exit
(config)#crypto map NewMap 10 ipsec-manual
(config-crypto-map)#match address NewList
Technology Review
A crypto map entry is a single policy that describes how certain traffic is to be secured. There are two types
of crypto map entries: ipsec-manual and ipsec-ike. Each entry is given an index, which is used to sort the
ordered list.
When a nonsecured packet arrives on an interface, the crypto map set associated with that interface is
processed in order. If a crypto map entry matches the nonsecured traffic, the traffic is discarded.
When a packet is to be transmitted on an interface, the crypto map set associated with that interface is
processed in order. The first crypto map entry that matches the packet will be used to secure the packet. If
a suitable SA exists, that is used for transmission. Otherwise, IKE is used to establish an SA with the peer.
If no SA exists, and the crypto map entry is “respond only,” the packet is discarded.
When a secured packet arrives on an interface, its SPI is used to look up an SA. If an SA does not exist, or
if the packet fails any of the security checks (bad authentication, traffic does not match SA selectors, etc.),
it is discarded. If all checks pass, the packet is forwarded normally.