Cisco Systems C7200 Network Cables User Manual

4-12
C7200 VSA (VPN Services Adapter) Installation and Configuration Guide
OL-9129-02
Chapter 4 Configuring the VSA
Configuration Tasks
Creating Dynamic Crypto Maps
A dynamic crypto map entry is a crypto map entry with some parameters not configured. The missing parameters are later dynamically configured (as the result of an IPSec negotiation). Dynamic crypto maps are only available for use by IKE.

Dynamic crypto map entries are grouped into sets. A set is a group of dynamic crypto map entries all with the same dynamic-map-name, each with a different dynamic-seq-num.

To create a dynamic crypto map entry, use the following commands starting in global configuration mode:
Command / Purpose

Step 1
Command: Router(config)# crypto dynamic-map dynamic-map-name dynamic-seq-num
Purpose: Creates a dynamic crypto map entry.

Step 2
Command: Router(config-crypto-m)# set transform-set transform-set-name1 [transform-set-name2...transform-set-name6]
Purpose: Specifies which transform sets are allowed for the crypto map entry. List multiple transform sets in order of priority (highest priority first). This is the only configuration statement required in dynamic crypto map entries.

Step 5
Command: Router(config-crypto-m)# set security-association lifetime seconds seconds
and
Router(config-crypto-m)# set security-association lifetime kilobytes kilobytes
Purpose: (Optional) Specifies a security association lifetime for the crypto map entry. Use this command if you want the security associations for this crypto map entry to be negotiated using different IPSec security association lifetimes than the global lifetimes.

Step 6
Command: Router(config-crypto-m)# set security-association level per-host
Purpose: (Optional) Specifies that separate security associations should be established for each source/destination host pair. Without this command, a single IPSec “tunnel” could carry traffic for multiple source hosts and multiple destination hosts. With this command, when the router requests new security associations it will establish one set for traffic between Host A and Host B, and a separate set for traffic between Host A and Host C. Use this command with care, as multiple streams between given subnets can rapidly consume resources.

Step 7
Command: Router(config-crypto-m)# set pfs [group1 | group2 | group5]
Purpose: (Optional) Specifies that IPSec should ask for perfect forward secrecy when requesting new security associations for this crypto map entry, or should demand perfect forward secrecy (PFS) in requests received from the IPSec peer.

Step 8
Command: Router(config-crypto-m)# exit
Purpose: Exits crypto-map configuration mode and returns to global configuration mode.
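The steps above combined into one dynamic crypto map set, as an added example that is not from the Cisco guide: the transform-set name ESP-AES-SHA, the map names DYN-REMOTE and VPN-MAP, the sequence numbers and the interface name are placeholders, and the last two stanzas go one step beyond this page by attaching the dynamic set to a static crypto map, which is how a dynamic map is put into use.

```cisco
! Added example, not from the Cisco VSA guide. Names and numbers are placeholders.
!
! Assumed to exist already: the transform set referenced in Step 2
crypto ipsec transform-set ESP-AES-SHA esp-aes 256 esp-sha-hmac
!
! Step 1: create the dynamic crypto map entry (dynamic-map-name, dynamic-seq-num)
crypto dynamic-map DYN-REMOTE 10
 ! Step 2: the only required statement; list the preferred transform set first
 set transform-set ESP-AES-SHA
 ! Step 5 (optional): per-entry SA lifetimes, here shorter than the global defaults
 set security-association lifetime seconds 1800
 set security-association lifetime kilobytes 2560000
 ! Step 7 (optional): require PFS; of the three groups the page lists,
 ! group5 (1536-bit MODP) is the strongest, group1 (768-bit) the weakest
 set pfs group5
 ! Step 6 (set security-association level per-host) is deliberately left out:
 ! per-host SAs multiply the SA count for every host pair behind the peers
 ! Step 8: return to global configuration mode
 exit
!
! Assumption beyond this page: a dynamic set only takes effect when a static
! crypto map entry references it and that map is applied to an interface.
crypto map VPN-MAP 100 ipsec-isakmp dynamic DYN-REMOTE
!
interface GigabitEthernet0/0
 crypto map VPN-MAP
```

After applying the map, show crypto ipsec sa on the router lists the negotiated lifetimes and PFS group per SA, which is the quickest way to confirm the per-entry values override the global ones.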