Keeping Your Cisco VPN Secure - Page 3
By Cisco Press | Posted Oct 23, 2001
Page 3 of 4 | Back to Page 1
crypto ipsec Command
You have also seen the crypto ipsec command used within the configurations. There are two major forms of this command, the crypto ipsec transform-set and the crypto ipsec security-association lifetime forms. Both of these can be removed with the no form of the command. These commands are explained in Table 4-7.
| Crypto Command | Description |
| crypto ipsec set security-association lifetime seconds seconds | kilobytes kilobytes | If the keyword seconds is used, the seconds parameter specifies how many seconds before an SA will remain active without renegotiation. The default is 28,800 seconds, which is 8 hours. If the keyword kilobytes is used, the kilobytes parameter specifies how many kilobytes of data can pass between peers before a renegotiation must occur. The default value is 4,608,000 KB, which is approximately 4.5 GB. |
| crypto ipsec transform-set transform-setname | This command defines the transform sets that can be used with the map entry. There can be up to a total of six transform-set-names used within a single line. The transform set attempts to establish an SA in the order that the sets are specified. |
Now that you have seen the syntax and uses of the crypto map and crypto ipsec commands, look again at the sample configurations.
You tell the PIX that your crypto map is named mymap with a map number of 10 and that IKE should not be used. This is done with the following line:
crypto map mymap 10 ipsec-manualNext, you define the name of the transform with the following:
crypto map mymap 10 set transform-set mysetThe transform set is defined with the following line:
crypto ipsec transform-set myset ah-md5-hmac esp-desYou previously created an access list 20 and permitted packets originating from the remote sites network. You then set the PIX to look at access list 20. If the packets are traveling to or from an address within this access list, they will be encrypted.
crypto map mymap 10 match address 20Set the other end of the IPSec tunnel to terminate at 172.30.1.2, which is the outside interface of the branch offices PIX:
crypto map mymap 10 set peer 172.30.1.2Set up the inbound and outbound session keys:
crypto map mymap 10 set session-key inbound ah 400
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
crypto map mymap 10 set session-key outbound ah 300
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
crypto map mymap 10 set session-key inbound esp 400 cipher
cccccccccccccccccccccccccccccccc
crypto map mymap 10 set session-key outbound esp 300 cipher
dddddddddddddddddddddddddddddddd
Associate the crypto map with the outside interface.
crypto map mymap interface outside
jfreund@internet.com
