Cisco Cisco Packet Data Gateway (PDG) Fehlerbehebungsanleitung
IP Security
▀ IPSec Terminology
▄ Cisco ASR 5000 Series Enhanced Feature Configuration Guide
OL-22982-01
Crypto Map
Crypto Maps define the tunnel policies that determine how IPSec is implemented for subscriber data packets.
There are three types of crypto maps supported by the system. They are:
Manual crypto maps
ISAKMP crypto maps
Dynamic crypto maps
Manual Crypto Maps
These are static tunnels that use pre-configured information (including security keys) for establishment. Because they
rely on statically configured information, once created, the tunnels never expire; they exist until their configuration is
deleted.
rely on statically configured information, once created, the tunnels never expire; they exist until their configuration is
deleted.
Manual crypto maps define the peer security gateway to establish a tunnel with, the security keys to use to establish the
tunnel, and the IPSec SA to be used to protect data sent/received over the tunnel. Additionally, manual crypto maps are
applied to specific system interfaces.
tunnel, and the IPSec SA to be used to protect data sent/received over the tunnel. Additionally, manual crypto maps are
applied to specific system interfaces.
Important:
Because manual crypto map configurations require the use of static security keys (associations), they
are not as secure as crypto maps that rely on dynamically configured keys. Therefore, it is recommended that they only
be configured and used for testing purposes.
be configured and used for testing purposes.
ISAKMP Crypto Maps
These tunnels are similar to manual crypto maps in that they require some statically configured information such as the
IP address of a peer security gateway and that they are applied to specific system interfaces.
IP address of a peer security gateway and that they are applied to specific system interfaces.
However, ISAKMP crypto maps offer greater security because they rely on dynamically generated security associations
through the use of the Internet Key Exchange (IKE) protocol.
through the use of the Internet Key Exchange (IKE) protocol.
When ISAKMP crypto maps are used, the system uses the pre-shared key configured for map as part of the Diffie-
Hellman (D-H) exchange with the peer security gateway to initiate Phase 1 of the establishment process. Once the
exchange is complete, the system and the security gateway dynamically negotiate IKE SAs to complete Phase 1. In
Phase 2, the two peers dynamically negotiate the IPSec SAs used to determine how data traversing the tunnel will be
protected.
Hellman (D-H) exchange with the peer security gateway to initiate Phase 1 of the establishment process. Once the
exchange is complete, the system and the security gateway dynamically negotiate IKE SAs to complete Phase 1. In
Phase 2, the two peers dynamically negotiate the IPSec SAs used to determine how data traversing the tunnel will be
protected.
Dynamic Crypto Maps
These tunnels are used for protecting L2TP-encapsulated data between the system and an LNS/security gateway or
Mobile IP data between an FA service configured on one system and an HA service configured on another.
Mobile IP data between an FA service configured on one system and an HA service configured on another.