Keeping Your Cisco VPN Secure - Page 2
crypto map Commands
The crypto map command is used extensively with IPSec. This section examines the forms of this command in Table 4-6 before examining exactly what has to be configured in the examples. The first parameter of every crypto map command is the mapname, an arbitrary name that distinguishes one map from another. Table 4-6 assumes that crypto map mapname precedes each command listed. As with most commands, the no form of a command removes the configuration.
Table 4-6 crypto map Commands (each entry is preceded by crypto map mapname)

| Command | Description |
|---|---|
| client authentication aaa-server | Names the AAA server that authenticates the remote user during Internet Key Exchange (IKE) negotiation. |
| client configuration address initiate | Forces the PIX to attempt to set the IP address for each peer. |
| client configuration address respond | Forces the PIX to accept IP address requests from any requesting peer. |
| interface interfacename | Specifies the interface, as defined by the nameif command, that the PIX uses to identify peers. When IKE is enabled and a certificate authority (CA) is used to obtain certificates, this must be the interface named in the CA certificate. |
| seq-num ipsec-isakmp \| ipsec-manual [dynamic dynamic-map-name] | seq-num (sequence number) is the number assigned to the map entry; entries with lower numbers are evaluated first. seq-num is used in several forms of the crypto map command. ipsec-isakmp indicates that IKE is used to establish the security association (SA). ipsec-manual indicates that IKE is not used and the session keys must be entered by hand with set session-key. The optional dynamic dynamic-map-name keyword and parameter indicate that this entry references a preexisting dynamic crypto map, named by dynamic-map-name. |
| seq-num match address acl_name | Traffic that matches a permit statement in the access list acl_name is protected (encrypted) by this entry. Traffic that matches no permit statement is not protected by this entry. |
| seq-num set peer hostname \| ipaddress | Specifies the peer for this SA. A host name can be used only if it has been defined with the names command; otherwise an IP address is used. |
| seq-num set pfs [group1 \| group2] | Specifies that IPSec requests Perfect Forward Secrecy (PFS) when new SAs are negotiated. group1 selects the 768-bit Diffie-Hellman prime modulus group and group2 the 1024-bit group for the new exchange. |
| seq-num set session-key inbound \| outbound ah spi hex-key-string | Sets the manual session key for an Authentication Header (AH) SA. The keyword inbound means the key string that follows is for inbound traffic; outbound means it is for outbound traffic. One peer's outbound key string must match the other peer's inbound key string, and vice versa. spi is the Security Parameter Index, an arbitrarily assigned number from 256 to 4,294,967,295 (0xFFFFFFFF); because the SPI identifies the SA, the inbound SPI on one peer must equal the outbound SPI on the other. hex-key-string is a hexadecimal session key, which should be generated randomly rather than chosen by hand. Its length is fixed by the transform set in use: DES needs 16 hex digits (64 bits), MD5 needs 32 (128 bits), and SHA needs 40 (160 bits). |
| seq-num set session-key inbound \| outbound esp spi cipher hex-key-string [authenticator hex-key-string] | Same as the previous command, but for an Encapsulating Security Payload (ESP) SA rather than an AH SA. The keyword esp specifies the ESP protocol. The keyword cipher introduces the key for the ESP encryption transform; the optional authenticator keyword introduces the key for the ESP authentication transform. |
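The set session-key rules in Table 4-6 (SPI range, key length per transform, and the requirement that one peer's outbound SA equal the other peer's inbound SA) are easy to get wrong by hand, and a mismatch simply produces a tunnel that never passes traffic. The following script is an added example, not code from the original page or from Cisco: it parses manual-key lines for two peers and checks those rules before the configuration is pasted in. The map name mymap, sequence number 10, the DES plus HMAC-SHA transform set, and all SPIs and keys are constructed placeholders; real keys must come from a random source. Manual keying also gives no automatic rekeying and no PFS, and single DES and the 768-bit group1 are far too weak by current standards, so prefer ipsec-isakmp with group2 or stronger wherever the platform allows it.

```python
"""Check PIX manual-key crypto map entries against the Table 4-6 rules.

Added example (hypothetical, not Cisco code): parses
'crypto map <map> <seq> set session-key ...' lines and validates them.
"""
import re

# Hex digits per key, fixed by the transform set in use:
# DES 64-bit key = 16 hex digits, HMAC-MD5 128-bit = 32, HMAC-SHA 160-bit = 40.
KEY_HEX_DIGITS = {"des": 16, "md5": 32, "sha": 40}
SPI_MIN, SPI_MAX = 256, 0xFFFFFFFF

_AH_RE = re.compile(
    r"^crypto map (?P<map>\S+) (?P<seq>\d+) set session-key "
    r"(?P<dir>inbound|outbound) ah (?P<spi>\d+) (?P<key>[0-9a-fA-F]+)$"
)
_ESP_RE = re.compile(
    r"^crypto map (?P<map>\S+) (?P<seq>\d+) set session-key "
    r"(?P<dir>inbound|outbound) esp (?P<spi>\d+) cipher (?P<key>[0-9a-fA-F]+)"
    r"(?: authenticator (?P<auth>[0-9a-fA-F]+))?$"
)


def parse_session_key(line):
    """Parse one set session-key line into a dict, or raise ValueError."""
    line = " ".join(line.split())  # collapse stray whitespace
    for proto, rx in (("ah", _AH_RE), ("esp", _ESP_RE)):
        m = rx.match(line)
        if m:
            d = m.groupdict()
            d["proto"] = proto
            d["seq"] = int(d["seq"])
            d["spi"] = int(d["spi"])  # the PIX takes the SPI in decimal
            d["key"] = d["key"].lower()
            d["auth"] = d["auth"].lower() if d.get("auth") else None
            return d
    raise ValueError("not a session-key command: %r" % line)


def check_entry(entry, cipher="des", auth="sha"):
    """Return rule violations for one parsed entry (empty list means ok).

    cipher/auth name the transforms of the transform set the map entry uses;
    they are an assumption here because the session-key line does not carry them.
    """
    problems = []
    if not SPI_MIN <= entry["spi"] <= SPI_MAX:
        problems.append("SPI %d outside %d..%d" % (entry["spi"], SPI_MIN, SPI_MAX))
    if entry["proto"] == "ah":
        checks = [("AH key", entry["key"], auth)]
    else:
        checks = [("ESP cipher key", entry["key"], cipher)]
        if entry["auth"] is not None:
            checks.append(("ESP authenticator key", entry["auth"], auth))
    for label, key, transform in checks:
        want = KEY_HEX_DIGITS[transform]
        if len(key) != want:
            problems.append("%s has %d hex digits, %s needs %d"
                            % (label, len(key), transform, want))
    return problems


def cross_check(peer_a, peer_b):
    """Verify A's outbound SA equals B's inbound SA and vice versa.

    Both ends must install the identical SA, so SPI, cipher key and
    authenticator key are compared per (sequence number, protocol).
    """
    def index(lines):
        return {(e["seq"], e["proto"], e["dir"]): e
                for e in (parse_session_key(ln) for ln in lines)}

    a, b = index(peer_a), index(peer_b)
    problems = []
    for (seq, proto, direction), ea in a.items():
        other = "inbound" if direction == "outbound" else "outbound"
        eb = b.get((seq, proto, other))
        if eb is None:
            problems.append("seq %d %s: peer B has no %s entry" % (seq, proto, other))
            continue
        for field in ("spi", "key", "auth"):
            if ea[field] != eb[field]:
                problems.append("seq %d %s: A %s %s != B %s %s"
                                % (seq, proto, direction, field, other, field))
    return problems


# Constructed sample configuration (placeholder keys, not real key material):
# ESP with DES and HMAC-SHA, so 16-digit cipher keys and 40-digit authenticator keys.
PEER_A = [
    "crypto map mymap 10 set session-key inbound esp 300 cipher 0123456789abcdef"
    " authenticator 0011223344556677889900aabbccddeeff001122",
    "crypto map mymap 10 set session-key outbound esp 301 cipher fedcba9876543210"
    " authenticator ffeeddccbbaa99887766554433221100ffeeddcc",
]
# Peer B mirrors A: its inbound SA is A's outbound SA and vice versa.
PEER_B = [
    "crypto map mymap 10 set session-key inbound esp 301 cipher fedcba9876543210"
    " authenticator ffeeddccbbaa99887766554433221100ffeeddcc",
    "crypto map mymap 10 set session-key outbound esp 300 cipher 0123456789abcdef"
    " authenticator 0011223344556677889900aabbccddeeff001122",
]

if __name__ == "__main__":
    for ln in PEER_A + PEER_B:
        print(ln.split(" set ")[1][:30], check_entry(parse_session_key(ln)))
    print("cross-check:", cross_check(PEER_A, PEER_B))
```

Run check_entry on every line of each peer first, then cross_check on both sets; an empty list from both means the two configurations describe the same pair of SAs. A one-digit typo in either peer's key, or an SPI below 256, shows up as a named violation rather than as a silent tunnel failure.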