Table of Contents
Advertisement
Chapter 30
Configuring IPsec Network Security
S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m .
Crypto Map Entries
Once you have created the crypto ACLs and transform sets, you can create crypto map entries that
combine the various parts of the IPsec SA, including the following:
•
•
•
•
•
•
Crypto map entries with the same crypto map name (but different map sequence numbers) are grouped
into a crypto map set.
When you apply a crypto map set to an interface, the following events occur:
•
•
If a crypto map entry sees outbound IP traffic that requires protection, an SA is negotiated with the
remote peer according to the parameters included in the crypto map entry.
The policy derived from the crypto map entries is used during the negotiation of SAs. If the local switch
initiates the negotiation, it will use the policy specified in the crypto map entries to create the offer to be
sent to the specified IPsec peer. If the IPsec peer initiates the negotiation, the local switch checks the
policy from the crypto map entries and decide whether to accept or reject the peer's request (offer).
For IPsec to succeed between two IPsec peers, both peers' crypto map entries must contain compatible
configuration statements.
SA Establishment Between Peers
When two peers try to establish an SA, they must each have at least one crypto map entry that is
compatible with one of the other peer's crypto map entries.
For two crypto map entries to be compatible, they must at least meet the following criteria:
•
•
•
•
When a packet matches a permit entry in a particular ACL, the corresponding crypto map entry is tagged,
and connections are established.
OL-6973-03, Cisco MDS SAN-OS Release 2.x
The traffic to be protected by IPsec (per the crypto ACL). A crypto map set can contain multiple
entries, each with a different ACL.
The granularity of the flow to be protected by a set of SAs.
The IPsec-protected traffic destination (who the remote IPsec peer is).
The local address to be used for the IPsec traffic (applying to an interface).
The IPsec security to be applied to this traffic (selecting from a list of one or more transform sets).
Other parameters to define an IPsec SA.
A Security Policy Database (SPD) is created for that interface.
All IP traffic passing through the interface is evaluated against the SPD.
The crypto map entries must contain compatible crypto ACLs (for example, mirror image ACLs). If
the responding peer entry is in the local crypto, the ACL must be permitted by the peer's crypto ACL.
The crypto map entries must each identify the other peer or must have auto peer configured.
If you create more than one crypto map entry for a given interface, use the
entry to rank the map entries: the lower the
the crypto map set, traffic is evaluated against higher priority map entries first.
The crypto map entries must have at least one transform set in common where IKE negotiations are
carried out and SAs are established. During the IPsec SA negotiation, the peers agree to use a
particular transform set when protecting a particular data flow.
, the higher the priority. At the interface that has
seq-num
Cisco MDS 9000 Family Configuration Guide
Configuring IPsec
of each map
seq-num
30-17
Advertisement
Table of Contents
