• Home

  • Documents

  • CryptoMaps - cisco.com...Crypto map Type : ISAKMP IKE Mode : MAIN IKE pre-shared key : 3fd32rf09svc...
8
Crypto Maps This chapter describes the various types of IPsec crypto maps supported under StarOS. A crypto map is a software configuration entity that performs two primary functions: • Selects data flows that need security processing. • Defines the policy for these flows and the crypto peer to which that traffic needs to go. A crypto map is applied to an interface. The concept of a crypto map was introduced in classic crypto but was expanded for IPSec. A match ip pool command in a crypto group is not supported within crypto maps on the ASR 5500. Important Guidelines are provided for configuring the following types of crypto maps: ISAKMP Crypto Map Configuration, on page 1 Dynamic Crypto Map Configuration, on page 3 Manual Crypto Map Configuration, on page 4 Crypto Map and Interface Association, on page 6 ISAKMP Crypto Map Configuration This section provides instructions for configuring ISAKMP crypto maps. This section provides the minimum instruction set for configuring ISAKMP crypto maps on the system. For more information on commands that configure additional parameters and options, refer to the Context Configuration Mode Commands and Crypto Map ISAKMP Configuration Mode chapters in the Command Line Interface Reference. Important To configure the ISAKMP crypto maps for IPSec: Step 1 Configure ISAKMP crypto map by applying the example configuration in Configuring ISAKMP Crypto Maps, on page 2. Crypto Maps 1

CryptoMaps - cisco.com...Crypto map Type : ISAKMP IKE Mode : MAIN IKE pre-shared key : 3fd32rf09svc Perfect Forward Secrecy : Group2 Hard Lifetime : 28800 seconds 4608000 kilobytes

  • Upload
    others

  • View
    3

  • Download
    0

Embed Size (px)

Citation preview

  • Crypto Maps

    This chapter describes the various types of IPsec crypto maps supported under StarOS.

    A crypto map is a software configuration entity that performs two primary functions:

    • Selects data flows that need security processing.

    • Defines the policy for these flows and the crypto peer to which that traffic needs to go.

    A crypto map is applied to an interface. The concept of a crypto map was introduced in classic crypto but wasexpanded for IPSec.

    A match ip pool command in a crypto group is not supported within crypto maps on the ASR 5500.Important

    Guidelines are provided for configuring the following types of crypto maps:

    • ISAKMP Crypto Map Configuration, on page 1• Dynamic Crypto Map Configuration, on page 3• Manual Crypto Map Configuration, on page 4• Crypto Map and Interface Association, on page 6

    ISAKMP Crypto Map ConfigurationThis section provides instructions for configuring ISAKMP crypto maps.

    This section provides the minimum instruction set for configuring ISAKMP crypto maps on the system. Formore information on commands that configure additional parameters and options, refer to the ContextConfiguration Mode Commands and Crypto Map ISAKMP Configuration Mode chapters in the CommandLine Interface Reference.

    Important

    To configure the ISAKMP crypto maps for IPSec:

    Step 1 Configure ISAKMP crypto map by applying the example configuration in Configuring ISAKMP Crypto Maps, on page2.

    Crypto Maps1

  • Step 2 Verify your ISAKMP cryptomap configuration by following the steps in Verifying the ISAKMPCryptoMapConfiguration,on page 2.

    Step 3 Save your configuration to flash memory, an external memory device, and/or a network location using the Exec modecommand save configuration. For additional information on how to verify and save configuration files, refer to theSystem Administration Guide and the Command Line Interface Reference.

    Configuring ISAKMP Crypto MapsUse the following example to create the ISAKMP crypto map:

    configurecontext ctxt_name

    crypto map map_name ipsec-isakmpset peer agw_addressset isakmp preshared-key isakmp_keyset mode { aggressive | main }set pfs { group1 | group2 | group5 }set transform-set transform_namematch address acl_name [ preference ]match crypto-group group_name { primary | secondary }end

    Notes:

    • ctxt_name is the system context in which you wish to create and configure the ISAKMP crypto maps.

    • map_name is name by which the ISAKMP crypto map will be recognized by the system.

    • acl_name is name of the pre-configured Access Control List (ACL). It is used for configurations notimplementing the IPSec Tunnel Failover feature and match the crypto map to a previously defined cryptoACL. This is an optional parameter.

    • group_name is name of the Crypto group configured in the same context. It is used for configurationsemploying the IPSec Tunnel Failover feature. This is an optional parameter. For more information, referto the Redundant IPSec Tunnel Fail-Over chapter of this guide.

    • For more information on parameters, refer to the Crypto Map ISAKMP Configuration Mode Commandschapter in the Command Line Interface Reference.

    Verifying the ISAKMP Crypto Map ConfigurationEnter the following Exec mode command for the appropriate context to display and verify your ISAKMPcrypto map:

    show crypto map [ tag map_name | type ipsec-isakmp ]

    This command produces an output similar to that displayed below that displays the configuration of a cryptomap named test_map2.Map Name : test_map2========================================Payload :

    crypto_acl2: permit tcp host 10.10.2.12 neq 35 any

    Crypto Maps2

    Crypto MapsConfiguring ISAKMP Crypto Maps

  • Crypto map Type : ISAKMPIKE Mode : MAINIKE pre-shared key : 3fd32rf09svcPerfect Forward Secrecy : Group2Hard Lifetime :

    28800 seconds4608000 kilobytes

    Number of Transforms: 1Transform : test1

    AH : noneESP: md5 3des-cbcEncaps mode: TUNNEL

    Local Gateway: Not SetRemote Gateway: 192.168.1.1

    Modification(s) to an existing ISAKMP crypto map configuration will not take effect until the related securityassociation has been cleared. Refer to the clear crypto security-association command located in the ExecMode Commands chapter of the Command Line Interface Reference for more information.

    Caution

    Dynamic Crypto Map ConfigurationThis section provides instructions for configuring dynamic crypto maps. Dynamic crypto maps should onlybe configured in support of L2TP or Mobile IP applications.

    This section provides the minimum instruction set for configuring dynamic crypto maps on the system. Formore information on commands that configure additional parameters and options, refer to the ContextConfiguration Mode Commands and Crypto Map Dynamic Configuration Mode Commands chapters in theCommand Line Interface Reference.

    Important

    To configure the dynamic crypto maps for IPSec:

    Step 1 Configure dynamic crypto maps by applying the example configuration in Configuring Dynamic Crypto Maps, on page3.

    Step 2 Verify your dynamic crypto map configuration by following the steps in Verifying the Dynamic CryptoMap Configuration,on page 4.

    Step 3 Save your configuration to flash memory, an external memory device, and/or a network location using the Exec modecommand save configuration. For additional information on how to verify and save configuration files, refer to theSystem Administration Guide and the Command Line Interface Reference.

    Configuring Dynamic Crypto MapsUse the following example to create the dynamic crypto map on your system:

    configurecontext ctxt_name

    crypto map map_name ipsec-dynamic

    Crypto Maps3

    Crypto MapsDynamic Crypto Map Configuration

  • set pfs { group1 | group2 | group5 }set transform-set transform_nameend

    Notes:

    • ctxt_name is the system context in which you wish to create and configure the dynamic crypto maps.

    • map_name is name by which the dynamic crypto map will be recognized by the system.

    • For more information on parameters, refer to the Crypto Map Dynamic Configuration Mode Commandschapter in the Command Line Interface Reference.

    Verifying the Dynamic Crypto Map ConfigurationEnter the following Exec mode command for the appropriate context to display and verify your dynamiccrypto map configuration:

    show crypto map [ tag map_name | map-type ipsec-dynamic ]

    This command produces an output similar to that displayed below using the configuration of a dynamic cryptomap named test_map3.Map Name : test_map3========================================Crypto map Type : ISAKMP (Dynamic)IKE Mode : MAINIKE pre-shared key :Perfect Forward Secrecy : Group2Hard Lifetime :

    28800 seconds4608000 kilobytes

    Transform : test1AH : noneESP: md5 3des-cbcEncaps mode: TUNNEL

    Local Gateway: Not SetRemote Gateway: Not Set

    Modification(s) to an existing dynamic crypto map configuration will not take effect until the related securityassociation has been cleared. Refer to the clear crypto security-association command located in the ExecMode Commands chapter of the Command Line Interface Reference for more information.

    Caution

    Manual Crypto Map ConfigurationThis section provides the minimum instruction set for configuring manual crypto maps on the system. Formore information on commands that configure additional parameters and options, refer to the ContextConfiguration Mode Commands and Crypto Map Manual Configuration Mode Commands chapters in theCommand Line Interface Reference.

    To configure the manual crypto maps for IPSec:

    Crypto Maps4

    Crypto MapsVerifying the Dynamic Crypto Map Configuration

  • Step 1 Configure manual crypto map by applying the example configuration in Configuring Manual Crypto Maps, on page 5.Step 2 Verify your manual crypto map configuration by following the steps in Verifying the Manual Crypto Map Configuration,

    on page 5.Step 3 Save your configuration to flash memory, an external memory device, and/or a network location using the Exec mode

    command save configuration. For additional information on how to verify and save configuration files, refer to theSystem Administration Guide and the Command Line Interface Reference.

    Because manual crypto map configurations require the use of static security keys (associations), they are notas secure as crypto maps that rely on dynamically configured keys. Therefore, it is recommended that they onlybe configured and used for testing purposes.

    Important

    Configuring Manual Crypto MapsUse the following example to create the manual crypto map on your system:

    configurecontext ctxt_name

    crypto map map_name ipsec-manualset peer agw_addressmatch address acl_name [ preference ]set transform-set transform_nameset session-key { inbound | outbound } { ah ah_spi [ encrypted ]

    key ah_key | esp esp_spi [ encrypted ] cipher encryption_key [ encrypted ]authenticator auth_key }

    end

    Notes:

    • ctxt_name is the system context in which you wish to create and configure the manual crypto maps.

    • map_name is name by which the manual crypto map will be recognized by the system.

    • acl_name is name of the pre-configured ACL. It is used for configurations not implementing the IPSecTunnel Failover feature and match the crypto map to a previously defined crypto ACL. This is an optionalparameter.

    • The length of the configured key must match the configured algorithm.

    • group_name is name of the crypto group configured in the same context. It is used for configurationsusing the IPSec Tunnel Failover feature. This is an optional parameter.

    • For more information on parameters, refer to the Crypto Map Manual Configuration Mode Commandschapter in the Command Line Interface Reference.

    Verifying the Manual Crypto Map ConfigurationEnter the following Exec mode command for the appropriate context to display and verify your manual cryptomap configuration:

    Crypto Maps5

    Crypto MapsConfiguring Manual Crypto Maps

  • show crypto map [ tag map_name | map-type ipsec-manual ]

    This command produces an output similar to that displayed below that displays the configuration of a cryptomap named test_map.Map Name : test_map========================================Payload :

    crypto_acl1: permit tcp host 1.2.3.4 gt 30 anyCrypto map Type : manual(static)Transform : test1

    Encaps mode: TUNNELTransmit Flow

    Protocol : ESPSPI : 0x102 (258)Hmac : md5, key: 23d32d23cs89Cipher : 3des-cbc, key: 1234asd3c3d

    Receive FlowProtocol : ESPSPI : 0x101 (257) Hmac : md5, key: 008j90u3rjpCipher : 3des-cbc, key: sdfsdfasdf342d32

    Local Gateway: Not SetRemote Gateway: 192.168.1.40

    Modification(s) to an existing manual crypto map configuration will not take effect until the related securityassociation has been cleared. Refer to the clear crypto security-association command located in the ExecMode Commands chapter of the Command Line Interface Reference for more information.

    Caution

    Crypto Map and Interface AssociationThis section provides instructions for applying manual or ISAKMP crypto maps to interfaces configuredunder StarOS.

    Dynamic crypto maps should not be applied to interfaces.Important

    This section provides the minimum instruction set for applyingmanual or ISAKMP crypto maps to an interfaceon the system. For more information on commands that configure additional parameters and options, refer tothe Command Line Interface Reference.

    Important

    To apply the crypto maps to an interface:

    Step 1 Configure a manual or ISAKMP crypto map.Step 2 Apply the desired crypto map to a system interface by following the steps in Applying a Crypto Map to an Interface, on

    page 7.Step 3 Verify your manual crypto map configuration by following the steps in Verifying the Interface Configuration with Crypto

    Map, on page 7.

    Crypto Maps6

    Crypto MapsCrypto Map and Interface Association

  • Step 4 Save your configuration to flash memory, an external memory device, and/or a network location using the Exec modecommand save configuration. For additional information on how to verify and save configuration files, refer to theSystem Administration Guide and the Command Line Interface Reference.

    Applying a Crypto Map to an InterfaceUse the following example to apply an existing crypto map to an interface on your system:

    configurecontext ctxt_name

    interface interface_namecrypto-map map_nameend

    Notes:

    • ctxt_name is the system context in which the interface is configured to apply crypto map.

    • interface_name is the name of a specific interface configured in the context to which the crypto map willbe applied.

    • map_name is name of the preconfigured ISAKMP or a manual crypto map.

    Verifying the Interface Configuration with Crypto MapEnter the following Exec mode command for the appropriate context to display and verify that your interfaceis configured properly:

    show configuration context ctxt_name | grep interface

    The interface configuration aspect of the display should look similar to that shown below. In this example aninterface named 20/6 was configured with a crypto map called isakmp_map1.interface 20/6ip address 192.168.4.10 255.255.255.0

    crypto-map isakmp_map1

    Crypto Maps7

    Crypto MapsApplying a Crypto Map to an Interface

  • Crypto Maps8

    Crypto MapsVerifying the Interface Configuration with Crypto Map

    Crypto MapsISAKMP Crypto Map ConfigurationConfiguring ISAKMP Crypto MapsVerifying the ISAKMP Crypto Map Configuration

    Dynamic Crypto Map ConfigurationConfiguring Dynamic Crypto MapsVerifying the Dynamic Crypto Map Configuration

    Manual Crypto Map ConfigurationConfiguring Manual Crypto MapsVerifying the Manual Crypto Map Configuration

    Crypto Map and Interface AssociationApplying a Crypto Map to an InterfaceVerifying the Interface Configuration with Crypto Map


Furacão Ike

Furacão Ike

News & Politics
Copyright © 2011 | KiloBytes Technologies, Mumbai - Leading SEO outsourcing Company in Mumbai, India.| Welcome to Kilobytes Technologies

Copyright © 2011 | KiloBytes Technologies, Mumbai - Leading SEO outsourcing Company in Mumbai, India.| Welcome to Kilobytes Technologies

Documents
Skripsi Ike PDF

Skripsi Ike PDF

Documents
Cuba Kilobytes of Discord

Cuba Kilobytes of Discord

Documents
Ike Designs

Ike Designs

Documents
Ike Pramastuti

Ike Pramastuti

Documents
Latinos Ike

Latinos Ike

News & Politics
Vietnam Ike

Vietnam Ike

Travel
GOVERNMENT OF ORISSA FINANCE DEPARTMENT * * * …finance.odisha.gov.in/notifications/2011/28800.pdf · GOVERNMENT OF ORISSA FINANCE DEPARTMENT * * * No.28800(5)/F., Dt.24.06.2011

GOVERNMENT OF ORISSA FINANCE DEPARTMENT * * * …finance.odisha.gov.in/notifications/2011/28800.pdf · GOVERNMENT OF ORISSA FINANCE DEPARTMENT * * * No.28800(5)/F., Dt.24.06.2011

Documents
Hurricane Ike

Hurricane Ike

Documents
PLS-CADD & PLS-POLE Integration with ikeGPS · IKE to PLS Integration Overview IKE 1. IKE Form 2. IKE Field 3. IKE Office 6/11/2019 Power Line Systems, Inc. 9 Power Line Reporting

PLS-CADD & PLS-POLE Integration with ikeGPS · IKE to PLS Integration Overview IKE 1. IKE Form 2. IKE Field 3. IKE Office 6/11/2019 Power Line Systems, Inc. 9 Power Line Reporting

Documents
Cartilla Yate Ike-Ike

Cartilla Yate Ike-Ike

Documents
Vocabulary PreReading Handout from August 19 · After reading Ike word in ils senlence Ike book, decide whick or Ike definilions lisled below besl Malckes Ike way Ike word is used

Vocabulary PreReading Handout from August 19 · After reading Ike word in ils senlence Ike book, decide whick or Ike definilions lisled below besl Malckes Ike way Ike word is used

Documents
Hurricane Ike Pics

Hurricane Ike Pics

Technology
How Big is an Exabyte? Table 1.1: How Big is an Exabyte? Kilobyte (KB) 1,000 bytes OR 10 3 bytes 2 Kilobytes: A Typewritten page. 100 Kilobytes: A low-resolution

How Big is an Exabyte? Table 1.1: How Big is an Exabyte? Kilobyte (KB) 1,000 bytes OR 10 3 bytes 2 Kilobytes: A Typewritten page. 100 Kilobytes: A low-resolution

Documents
versió preprint (887.4xmlui.dri2xhtml.METS-1.0.size-kilobytes)

versió preprint (887.4xmlui.dri2xhtml.METS-1.0.size-kilobytes)

Documents
The Hundred Kilobytes Kernel (HK2)

The Hundred Kilobytes Kernel (HK2)

Documents
Bits, Bytes Kilobytes, Megabytes Gigabytes, Terabytes Exabyte, Zettabyte e Yottabyte

Bits, Bytes Kilobytes, Megabytes Gigabytes, Terabytes Exabyte, Zettabyte e Yottabyte

Documents
Crossword Puzzle. Across # 1 1,024 _______= 1 megabyte ANSWER: Kilobytes

Crossword Puzzle. Across # 1 1,024 _______= 1 megabyte ANSWER: Kilobytes

Documents
File Sizes & Types. Size Matters Kilobytes (K) 1024 bytes = 1 kilobyte— a tiny trademark graphic or log might be a few kilobytes in size, whereas a full

File Sizes & Types. Size Matters Kilobytes (K) 1024 bytes = 1 kilobyte— a tiny trademark graphic or log might be a few kilobytes in size, whereas a full

Documents
Gisa2013 ike

Gisa2013 ike

Documents
Campagnolo Catalogs · VICTORY TRIOMPHE All All All o *All CROCE DAUNE Il ATHENA * / 110 bio c c c c c c Ike I . Ike I . Ike I . Ike I . Ike I . Ike I . Ike I . Ike I . Ike I . Ike

Campagnolo Catalogs · VICTORY TRIOMPHE All All All o *All CROCE DAUNE Il ATHENA * / 110 bio c c c c c c Ike I . Ike I . Ike I . Ike I . Ike I . Ike I . Ike I . Ike I . Ike I . Ike

Documents
`Ike aku, `ike mai, kokua aku September 2017...Recognize, Respond, Refer September 2017 `Ike aku, `ike mai, kokua aku kokua mai; pela iho la ka nohana `ohana. Translation: Recognize

`Ike aku, `ike mai, kokua aku September 2017...Recognize, Respond, Refer September 2017 `Ike aku, `ike mai, kokua aku kokua mai; pela iho la ka nohana `ohana. Translation: Recognize

Documents
Bits, kilobytes og sosialt engasjement

Bits, kilobytes og sosialt engasjement

Business
Ukulele Ike

Ukulele Ike

Documents
TA Ike ike

TA Ike ike

Documents
Application Notes for Site-to-Site VPN Tunnel using … security ike gateway Avaya-Phone-IKE dead-peer-detection threshold 2 set security ike gateway Avaya-Phone-IKE nat-keepalive

Application Notes for Site-to-Site VPN Tunnel using … security ike gateway Avaya-Phone-IKE dead-peer-detection threshold 2 set security ike gateway Avaya-Phone-IKE nat-keepalive

Documents
IKE Tutorial

IKE Tutorial

Documents
IKE Separation -

IKE Separation -

Documents
ike & Tina

ike & Tina

Documents