exit hq-sanjose(config)# Exit back to global configuration mode. 3-24

3-24
Cisco IOS VPN Configuration Guide
OL-8336-01
Chapter 3 Site-to-Site and Extranet VPN Business Scenarios
Step 3—Configuring Encryption and IPSec
Verifying Transform Sets and IPSec Tunnel Mode
To verify the configuration:
•
Enter the 
show crypto ipsec transform-set 
EXEC command to see the type of transform set 
configured on the router.
hq-sanjose# 
show crypto ipsec transform-set
Transform set proposal4: { ah-sha-hmac }
will negotiate = { Tunnel, },
{ esp-des esp-sha-hmac }
will negotiate = { Tunnel, },
-Display text omitted-
Configuring Crypto Maps
Remote devices need to be managed through a VPN from the central site when operating on a centralized 
IT model. VPN devices support numerous configuration options to determine the tunnel endpoint and, 
depending on the method chosen, these options may impact the manageability of the network. Refer to 
the 
“Dynamic versus Static Crypto Maps” section on page 2-5
for a discussion of when to use static or 
dynamic crypto maps.
To be the most effective in managing remote devices, you must use static cryptographic maps at the site 
where your management applications are located. Dynamic cryptographic maps can be used at the 
headend for ease of configuration. Dynamic maps, however, accept only incoming IKE requests, and 
because dynamic maps cannot initiate an IKE request, it is not always guaranteed that a tunnel exists 
between the remote device and the headend site. Static cryptographic map configuration includes the 
static IP addresses of the remote peers. Thus, remote sites must use static IP addresses to support remote 
management.
For IPSec to succeed between two IPSec peers, both peer crypto map entries must contain compatible 
configuration statements.
When two peers try to establish a security association (SA), they must each have at least one crypto map 
entry that is compatible with one of the other peer crypto map entries. For two crypto map entries to be 
compatible, they must meet the following minimum criteria:
•
The crypto map entries must contain compatible crypto access lists (for example, mirror image 
access lists). In the case where the responding peer is using dynamic crypto maps, the entries in the 
local crypto access list must be “permitted” by the peer crypto access list.

Download 2,05 Mb.

Do'stlaringiz bilan baham: