The latest network routers, software, management tools and information for enterprise IT administrators.

Keeping Your Cisco VPN Secure - Page 3

By Cisco Press

Page 3 of 4 | Back to Page 1

crypto ipsec Command
You have also seen the crypto ipsec command used within the configurations. There are two major forms of this command, the crypto ipsec transform-set and the crypto ipsec security-association lifetime forms. Both of these can be removed with the no form of the command. These commands are explained in Table 4-7.

Table 4-7: crypto ipsec Commands

Crypto Command	Description
crypto ipsec set security-association lifetime seconds seconds \| kilobytes kilobytes	If the keyword seconds is used, the seconds parameter specifies how many seconds before an SA will remain active without renegotiation. The default is 28,800 seconds, which is 8 hours. If the keyword kilobytes is used, the kilobytes parameter specifies how many kilobytes of data can pass between peers before a renegotiation must occur. The default value is 4,608,000 KB, which is approximately 4.5 GB.
crypto ipsec transform-set transform-setname	This command defines the transform sets that can be used with the map entry. There can be up to a total of six transform-set-names used within a single line. The transform set attempts to establish an SA in the order that the sets are specified.

Now that you have seen the syntax and uses of the crypto map and crypto ipsec commands, look again at the sample configurations.

You tell the PIX that your crypto map is named mymap with a map number of 10 and that IKE should not be used. This is done with the following line:

 crypto map mymap 10 ipsec-manual

Next, you define the name of the transform with the following:

 crypto map mymap 10 set transform-set myset

The transform set is defined with the following line:

 crypto ipsec transform-set myset ah-md5-hmac esp-des

You previously created an access list 20 and permitted packets originating from the remote sites network. You then set the PIX to look at access list 20. If the packets are traveling to or from an address within this access list, they will be encrypted.

 crypto map mymap 10 match address 20

Set the other end of the IPSec tunnel to terminate at 172.30.1.2, which is the outside interface of the branch offices PIX:

 crypto map mymap 10 set peer 172.30.1.2

Set up the inbound and outbound session keys:

 crypto map mymap 10 set session-key inbound ah 400
     aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 crypto map mymap 10 set session-key outbound ah 300
     bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
 crypto map mymap 10 set session-key inbound esp 400 cipher
     cccccccccccccccccccccccccccccccc
 crypto map mymap 10 set session-key outbound esp 300 cipher
     dddddddddddddddddddddddddddddddd

Associate the crypto map with the outside interface.

 crypto map mymap interface outside

This article was originally published on Oct 23, 2001

jfreund@internet.com

Get the Latest Scoop with Networking Update Newsletter

Thanks for your registration, follow us on our social networks to keep up-to-date