Keeping Your Cisco VPN Secure - Page 3

By Cisco Press | Posted Oct 23, 2001
Page 3 of 4   |  Back to Page 1
Print ArticleEmail Article
  • Share on Facebook
  • Share on Twitter
  • Share on LinkedIn

crypto ipsec Command
You have also seen the crypto ipsec command used within the configurations. There are two major forms of this command, the crypto ipsec transform-set and the crypto ipsec security-association lifetime forms. Both of these can be removed with the no form of the command. These commands are explained in Table 4-7.

Table 4-7: crypto ipsec Commands
Crypto CommandDescription
crypto ipsec set security-association lifetime seconds seconds | kilobytes kilobytes If the keyword seconds is used, the seconds parameter specifies how many seconds before an SA will remain active without renegotiation. The default is 28,800 seconds, which is 8 hours. If the keyword kilobytes is used, the kilobytes parameter specifies how many kilobytes of data can pass between peers before a renegotiation must occur. The default value is 4,608,000 KB, which is approximately 4.5 GB.
crypto ipsec transform-set transform-setname This command defines the transform sets that can be used with the map entry. There can be up to a total of six transform-set-names used within a single line. The transform set attempts to establish an SA in the order that the sets are specified.

Now that you have seen the syntax and uses of the crypto map and crypto ipsec commands, look again at the sample configurations.

You tell the PIX that your crypto map is named mymap with a map number of 10 and that IKE should not be used. This is done with the following line:

 crypto map mymap 10 ipsec-manual
Next, you define the name of the transform with the following:
 crypto map mymap 10 set transform-set myset
The transform set is defined with the following line:
 crypto ipsec transform-set myset ah-md5-hmac esp-des
You previously created an access list 20 and permitted packets originating from the remote sites network. You then set the PIX to look at access list 20. If the packets are traveling to or from an address within this access list, they will be encrypted.
 crypto map mymap 10 match address 20
Set the other end of the IPSec tunnel to terminate at 172.30.1.2, which is the outside interface of the branch offices PIX:
 crypto map mymap 10 set peer 172.30.1.2
Set up the inbound and outbound session keys:
 crypto map mymap 10 set session-key inbound ah 400
     aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 crypto map mymap 10 set session-key outbound ah 300
     bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
 crypto map mymap 10 set session-key inbound esp 400 cipher
     cccccccccccccccccccccccccccccccc
 crypto map mymap 10 set session-key outbound esp 300 cipher
     dddddddddddddddddddddddddddddddd
Associate the crypto map with the outside interface.
 crypto map mymap interface outside

Comment and Contribute
(Maximum characters: 1200). You have
characters left.
Get the Latest Scoop with Enterprise Networking Planet Newsletter