Step 6 hq-sanjose(config-crypto-map)# exit

3-26
Cisco IOS VPN Configuration Guide
OL-8336-01
Chapter 3 Site-to-Site and Extranet VPN Business Scenarios
Step 3—Configuring Encryption and IPSec
Verifying Crypto Map Entries
To verify the configuration:
•
Enter the 
show crypto map 
EXEC command to see the crypto map entries configured on the router. 
In the following example, peer 172.23.2.7 is the IP address of the remote IPSec peer. “Extended IP 
access list 111” lists the access list associated with the crypto map. “Current peer” indicates the 
current IPSec peer. “Security-association lifetime” indicates the lifetime of the SA. 
“PFS N” indicates that IPSec will not negotiate perfect forward secrecy when establishing new SAs 
for this crypto map. “Transform sets” indicates the name of the transform set that can be used with 
the crypto map.
Step 2
hq-sanjose(config)#
set transform-set
transform-set-name1
[
transform-set-name2...transform-set-name6
]
Specifies which transform sets are allowed for the crypto 
map entry. List multiple transform sets in order of priority 
(highest priority first).
This is the only configuration statement required in 
dynamic crypto map entries.
Step 3
hq-sanjose(config-crypto-map)#
match address
access-list-id
(Optional) Accesses list number or name of an extended 
access list. This access list determines which traffic should 
be protected by IPSec and which traffic should not be 
protected by IPSec security in the context of this crypto 
map entry.
Note
Although access-lists are optional for dynamic 
crypto maps, they are highly recommended.
If the access list is configured, the data flow identity 
proposed by the IPSec peer must fall within a permit 
statement for this crypto access list.
If the access list is not configured, the router will accept any 
data flow identity proposed by the IPSec peer. However, if 
this is configured but the specified access list does not exist 
or is empty, the router will drop all packets. This is similar 
to static crypto maps because they also require that an 
access list be specified.
Care must be taken if the any keyword is used in the access 
list, because the access list is used for packet filtering as well 
as for negotiation.

Download 2,05 Mb.

Do'stlaringiz bilan baham: