Configuring a Crypto Map
A crypto map ties together all the IPsec-related pieces configured so far and creates an SPD for
a specific interface, through which IPsec traffic is tunneled. A crypto map is identified
by its name. An interface can have only one crypto map assigned to it,
although this map may have many different entries, identified by their sequence
numbers. Entries in a crypto map are evaluated in ascending order of sequence number. The various entries
correspond to the various policies in the SPD. The first entry whose traffic selector matches the
traffic defines how that traffic is protected; later entries are not consulted. A crypto map entry for IPsec with
IKE is created using the following command:
crypto map map-name seq-num [ipsec-isakmp]
The keyword ipsec-isakmp is the default and can be omitted. In our example,
we create the following entries:
PIX1(config)# crypto map pix1map 10 ipsec-isakmp
PIX2(config)# crypto map pix2map 10 ipsec-isakmp
Next, specify the traffic selectors for these entries using the command:
crypto map map-name seq-num match address acl-name
The access list named here is the crypto ACL: traffic it permits is protected by this entry. In our case, these would look like:
PIX1(config)# crypto map pix1map 10 match address crypto1
PIX2(config)# crypto map pix2map 10 match address crypto2
Now we need to specify the IPsec peers with which the traffic protected by
this entry can be exchanged:
crypto map map-name seq-num set peer {hostname | ip-address}
IPsec peers are identified either by their IP addresses or by their hostnames. It
is possible to specify multiple peers by repeating this command for one crypto
map entry. For our example, we use the following configuration, where each firewall names the outside address of the other:
PIX1(config)# crypto map pix1map 10 set peer 23.34.45.56
PIX2(config)# crypto map pix2map 10 set peer 12.23.34.45
Now we need to specify which transform sets can be negotiated for the
traffic matching this entry. Multiple (up to six) previously defined transform sets
can be listed here, in order of preference:
crypto map map-name seq-num set transform-set transform-set-name1
[transform-set-name2 [transform-set-name3 ... transform-set-name6]]
www.syngress.com
Configuring Virtual Private Networking • Chapter 7 367
In order for two peers to establish an IPsec tunnel under this crypto map
entry, at least one transform set in each firewall's corresponding crypto map entry
must have the same protocols and encryption/data authentication algorithms. For our
simple example, we simply use one transform set on each firewall (in crypto map pix1map on
PIX1 and pix2map on PIX2):
PIX1(config)# crypto map pix1map 10 set transform-set myset
PIX2(config)# crypto map pix2map 10 set transform-set myset
In each case, myset is the transform set defined previously. It does not need to
have the same name on each firewall, but the parameters must match.
The next two steps are optional: requesting that PFS should be used and
selecting the SA lifetime. PFS is requested for a crypto map entry using the
following command:
crypto map map-name seq-num set pfs [group1 | group2]
The group1 and group2 keywords denote the DH group and are used for a fresh key
exchange each time new keys are generated, so that compromise of one key does not expose earlier or later ones. In order to be effective, PFS has to
be configured on both sides of the tunnel; otherwise, if only one peer supports
PFS, the IPsec SA will not be established. We will not use this feature in our
example.
It is possible to configure a nondefault IPsec SA lifetime for the specific
crypto map entry using the following:
crypto map map-name seq-num set security-association lifetime {seconds seconds | kilobytes kilobytes}
This command sets a limit on the amount of time an IPsec SA can be used
or the maximum amount of traffic that can be transferred by this SA. Right
before a timeout or the maximum amount of traffic is reached, the IPsec SA for
this crypto map entry is renegotiated. The renegotiation starts 30 seconds before the
timeout expires or when the volume of traffic is 256KB less than the specified
volume lifetime. During this negotiation, one peer sends a proposal to the other,
with one of its parameters being an SA lifetime. The second peer selects the lesser
of the proposed value and its own lifetime value and sets this as the current SA
lifetime.
It is possible to change the default global IPsec SA lifetime using the following
command, which has the same parameters:
crypto ipsec security-association lifetime {seconds seconds | kilobytes kilobytes}
If not specified, the defaults are 28,800 seconds and 4,608,000KB.
The last configuration step is to apply the created crypto map to an interface; until this is done, none of the entries take effect.
The command for doing this is:
crypto map map-name interface interface-name
In our case, this will be:
PIX1(config)# crypto map pix1map interface outside
PIX2(config)# crypto map pix2map interface outside
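The rules the steps above impose on a pair of crypto map entries (peers pointing at each other, mirrored crypto ACLs, at least one transform set with identical parameters regardless of name, PFS on both sides or neither) and the lifetime rules (the responder takes the lesser of the proposed and its own lifetime; rekeying starts 30 seconds or 256KB before the limit) can be checked offline before the tunnel is brought up. The following is an added example and is not code from this chapter or from Cisco. The classes, field names and sample entries are constructed for illustration; the algorithms given for myset are an assumption, since the chapter defines that transform set elsewhere. The addresses and networks are those of the PIX1/PIX2 example.

```python
"""Pairwise compatibility check for PIX crypto map entries (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class TransformSet:
    name: str                    # local to each firewall; names need not match
    protocols: Tuple[str, ...]   # e.g. ("esp-3des", "esp-sha-hmac")

    def params(self) -> Tuple[str, ...]:
        """Only the protocols/algorithms must agree across peers, not the name."""
        return self.protocols


@dataclass
class CryptoMapEntry:
    map_name: str
    seq: int
    local_addr: str                      # address of the interface the map is applied to
    peer: str                            # 'set peer'
    local_net: str                       # source of the 'match address' ACL (addr/mask)
    remote_net: str                      # destination of that ACL
    transform_sets: List[TransformSet]   # 'set transform-set', up to six
    pfs_group: Optional[str] = None      # 'set pfs group1|group2'; None = not requested
    lifetime_seconds: int = 28800        # defaults quoted in the text
    lifetime_kilobytes: int = 4608000


def check_pair(a: CryptoMapEntry, b: CryptoMapEntry) -> List[str]:
    """Return the reasons the two entries cannot form a tunnel (empty list = OK)."""
    problems = []
    if a.peer != b.local_addr or b.peer != a.local_addr:
        problems.append("set peer on each side must be the other side's local address")
    if (a.local_net, a.remote_net) != (b.remote_net, b.local_net):
        problems.append("match address ACLs are not mirror images of each other")
    if len(a.transform_sets) > 6 or len(b.transform_sets) > 6:
        problems.append("at most six transform sets per entry")
    common = {t.params() for t in a.transform_sets} & {t.params() for t in b.transform_sets}
    if not common:
        problems.append("no transform set with identical protocols/algorithms on both sides")
    if (a.pfs_group is None) != (b.pfs_group is None):
        problems.append("PFS requested on one side only; the IPsec SA will not be established")
    elif a.pfs_group is not None and a.pfs_group != b.pfs_group:
        problems.append("PFS DH groups differ")
    return problems


def negotiated_lifetime(proposer: CryptoMapEntry, responder: CryptoMapEntry) -> Tuple[int, int]:
    """The responder takes the lesser of the proposed lifetime and its own."""
    return (min(proposer.lifetime_seconds, responder.lifetime_seconds),
            min(proposer.lifetime_kilobytes, responder.lifetime_kilobytes))


def rekey_point(seconds: int, kilobytes: int) -> Tuple[int, int]:
    """Renegotiation starts 30 s before the time limit or 256 KB before the volume limit."""
    return (seconds - 30, kilobytes - 256)


# Assumed algorithms for "myset"; the chapter defines the set in an earlier section.
MYSET = TransformSet("myset", ("esp-3des", "esp-sha-hmac"))
# Same algorithms under a different local name, to show that names are irrelevant.
MYSET_RENAMED = TransformSet("pix2set", ("esp-3des", "esp-sha-hmac"))


def example_entries() -> Tuple[CryptoMapEntry, CryptoMapEntry]:
    """The two entries configured in the text (addresses and ACLs from the show output)."""
    pix1 = CryptoMapEntry("pix1map", 10, "12.23.34.45", "23.34.45.56",
                          "192.168.2.0/255.255.255.0", "192.168.3.0/255.255.255.0", [MYSET])
    pix2 = CryptoMapEntry("pix2map", 10, "23.34.45.56", "12.23.34.45",
                          "192.168.3.0/255.255.255.0", "192.168.2.0/255.255.255.0", [MYSET_RENAMED])
    return pix1, pix2


def example_pfs_mismatch() -> List[str]:
    """Failure mode from the text: PFS requested on one side only."""
    pix1, pix2 = example_entries()
    pix1.pfs_group = "group2"
    return check_pair(pix1, pix2)


if __name__ == "__main__":
    p1, p2 = example_entries()
    print("problems:", check_pair(p1, p2) or "none")
    print("negotiated lifetime:", negotiated_lifetime(p1, p2))
    print("rekey at:", rekey_point(*negotiated_lifetime(p1, p2)))
    print("PFS mismatch:", example_pfs_mismatch())
```

The transform-set comparison deliberately keys on the algorithm tuple rather than the name, which is the point made above about myset; a name-based comparison would pass two sets that cannot actually negotiate.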
You can check the crypto map configuration using the following command:
PIX1(config)# show crypto map
Crypto Map: "pix1map" interface: "outside" local address: 12.23.34.45
Crypto Map "pix1map" 10 ipsec-isakmp
Peer = 23.34.45.56
access-list crypto1 permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0 (hitcnt=0)
Current peer: 23.34.45.56
Security association lifetime: 4608000 kilobytes/28800 seconds
PFS (Y/N): N
Transform sets={ myset, }
The state of current IPsec SAs can be checked with the show crypto ipsec sa
command; the encaps/decaps counters show whether traffic is actually being protected in each direction:
PIX1(config)# show crypto ipsec sa
interface: outside
Crypto map tag: pix1map, local addr. 12.23.34.45
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
current_peer: 23.34.45.56
PERMIT, flags={origin_is_acl,}
#pkts encaps: 10, #pkts encrypt: 10, #pkts digest 0
#pkts decaps: 12, #pkts decrypt: 17, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 2, #recv errors 0
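When this output has to be checked on many firewalls, the peer, the idents and the counters can be pulled out of it and compared with what the crypto map was meant to do. The following is an added example, not code from this chapter or from Cisco: it parses the listing format shown above and applies the checks a practitioner makes after bringing a tunnel up (correct peer and idents, encaps and decaps counters moving and agreeing with encrypt/decrypt, no send or receive errors). SAMPLE_OUTPUT is constructed to mirror the page's listing with self-consistent counters; the regular expressions, function names and the check list are mine.

```python
"""Parse and sanity-check 'show crypto ipsec sa' output (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed sample modeled on the listing above (not captured from a device).
SAMPLE_OUTPUT = """\
interface: outside
    Crypto map tag: pix1map, local addr. 12.23.34.45
   local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   current_peer: 23.34.45.56
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest 0
    #pkts decaps: 12, #pkts decrypt: 12, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 2, #recv errors 0
"""

PEER_RE = re.compile(r"current_peer: (\S+)")
IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): "
                      r"\(([^/]+)/([^/]+)/(\d+)/(\d+)\)")
# Counters appear as '#name: N' or '#name N', several per line.
COUNTER_RE = re.compile(r"#(pkts [a-z][a-z. ]*?|send errors|recv errors):? (\d+)")


def parse_sa(text: str) -> Dict:
    """Extract peer, (addr, mask) idents and all packet counters from one SA listing."""
    sa = {"counters": {}}
    for line in text.splitlines():
        m = PEER_RE.search(line)
        if m:
            sa["peer"] = m.group(1)
        m = IDENT_RE.search(line)
        if m:
            sa[m.group(1)] = (m.group(2), m.group(3))   # prot/port 0 means any
        for m in COUNTER_RE.finditer(line):
            sa["counters"][m.group(1)] = int(m.group(2))
    return sa


def sa_problems(sa: Dict, expected_peer: str,
                expected_local: Tuple[str, str], expected_remote: Tuple[str, str]) -> List[str]:
    """Checks a practitioner applies after bringing the tunnel up; empty list = healthy."""
    c = sa["counters"]
    problems = []
    if sa.get("peer") != expected_peer:
        problems.append(f"SA is with {sa.get('peer')}, expected {expected_peer}")
    if sa.get("local") != expected_local or sa.get("remote") != expected_remote:
        problems.append("idents do not match the intended crypto ACL")
    if c.get("pkts encaps", 0) == 0:
        problems.append("no packets encapsulated: traffic is not matching this entry")
    if c.get("pkts encaps") != c.get("pkts encrypt"):
        problems.append("encaps and encrypt counters disagree")
    if c.get("pkts decaps") != c.get("pkts decrypt"):
        problems.append("decaps and decrypt counters disagree")
    for name in ("send errors", "recv errors"):
        if c.get(name, 0):
            problems.append(f"{c[name]} {name}")
    return problems


def check_sample() -> List[str]:
    """Run the checks against SAMPLE_OUTPUT for the PIX1 side of the example tunnel."""
    sa = parse_sa(SAMPLE_OUTPUT)
    return sa_problems(sa, "23.34.45.56",
                       ("192.168.2.0", "255.255.255.0"), ("192.168.3.0", "255.255.255.0"))


if __name__ == "__main__":
    for problem in check_sample() or ["no problems"]:
        print(problem)
```

On the sample the only finding is the two send errors; a zero encaps count with non-zero hitcnt on the crypto ACL, or mismatched idents, would point back at the match address or set peer step rather than at the IKE negotiation.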