crypto map Arguments and Options

| Argument/Option | Description |
|---|---|
| map-name | You can apply multiple crypto maps on a single Security Appliance. It is a good idea to assign a name that allows you to keep track of which crypto map goes with which access list. The easiest way to do this is to use the same name or number for both components. |
| seq-num | Because you can add multiple crypto maps to the Security Appliance, you must give each a sequence number so that the system can process each in the correct order. The lower the number, the higher the priority. |
| ipsec-isakmp | Indicates that the Security Appliance uses IKE to negotiate the SA. This is the recommended configuration. |
| ipsec-manual | Indicates that the SA is configured manually and that IKE is not used to negotiate it. This is not the recommended configuration because it is difficult to ensure that both peers are configured correctly and because a manual session does not expire (no renegotiation of the keys). |
| set session-key | Manually specifies the session keys within the crypto map entry. |
| inbound | Manual IPSec requires that session keys be configured directionally. You must specify both inbound and outbound session keys. |
| outbound | Manual IPSec requires that session keys be configured directionally. You must specify both inbound and outbound session keys. |
| match address | Identifies the access list for the IPSec SA. |
| acl-name | The name of the access list that indicates the traffic that should be encrypted. |
| set peer | Specifies the SA peer using either of the following two arguments. |
| hostname | Identifies the SA peer's host name and any backup gateways. |
| ip-address | Identifies the SA peer's IP address(es) and any backup gateways. |
| interface | Identifies the interface that is to be used for the local SA peer address. |
| if-name | The interface name. |
| set pfs | Initiates PFS, which provides an additional layer of security to the SA negotiation and renegotiation. It requires that a new Diffie-Hellman exchange occur every time a key negotiation takes place. This causes the key exchange to use a new key for every negotiation rather than renegotiating based on a key that is currently being used. This process increases the processor load on both peers. |
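The following is an added configuration example, not taken from the book, showing how the arguments in the table combine into one recommended-style (ipsec-isakmp) crypto map entry. The map name, sequence number, ACL name, interface name, peer address, PFS group and transform set are all assumed values; the subnets and peer address are constructed from documentation ranges.

```cisco
! Constructed example: the access list and the crypto map share the name
! VPNMAP so the table's advice about tracking which ACL belongs to which map
! is easy to follow. Subnets and peer use RFC 5737 / RFC 1918 documentation space.
access-list VPNMAP extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

! seq-num 10: lower numbers are evaluated first, so this entry takes priority
! over any later VPNMAP 20, 30, ... entries.
! ipsec-isakmp: IKE negotiates the SA, so keys are renegotiated and expire
! (unlike an ipsec-manual entry, which needs inbound/outbound session keys
! and never rekeys).
crypto map VPNMAP 10 ipsec-isakmp
crypto map VPNMAP 10 match address VPNMAP
crypto map VPNMAP 10 set peer 203.0.113.1
crypto map VPNMAP 10 set transform-set ESP-AES-SHA   ! assumed transform-set name
crypto map VPNMAP 10 set pfs group2                  ! fresh DH exchange on every rekey

! interface if-name: bind the map to the interface whose address is the
! local SA peer address.
crypto map VPNMAP interface outside
```

The `set pfs` line is the one that costs extra CPU on both peers, as the table notes, in exchange for each rekey not depending on the key currently in use.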