Cisco Systems SM-ISM Manual De Usuario
4-9
Integrated Services Adapter and Integrated Services Module Installation and Configuration
OL-3575-01 B0
Chapter 4 Configuring the ISA and ISM
Applying Crypto Maps to Interfaces
Applying Crypto Maps to Interfaces
You need to apply a crypto map set to each interface through which IPSec traffic flows. Applying the
crypto map set to an interface instructs the router to evaluate all the interface’s traffic against the crypto
map set and to use the specified policy during connection or security association negotiation on behalf
of traffic to be protected by encryption.
crypto map set to an interface instructs the router to evaluate all the interface’s traffic against the crypto
map set and to use the specified policy during connection or security association negotiation on behalf
of traffic to be protected by encryption.
To apply a crypto map set to an interface, use the following commands, starting in global configuration
mode:
mode:
For redundancy, you could apply the same crypto map set to more than one interface. The default
behavior is as follows:
behavior is as follows:
•
Each interface has its own piece of the security association database.
•
The IP address of the local interface is used as the local address for IPSec traffic originating from
or destined to that interface.
or destined to that interface.
If you apply the same crypto map set to multiple interfaces for redundancy purposes, you need to specify
an identifying interface. This has the following effects:
an identifying interface. This has the following effects:
•
The per-interface portion of the IPSec security association database is established one time and
shared for traffic through all the interfaces that share the same crypto map.
shared for traffic through all the interfaces that share the same crypto map.
•
The IP address of the identifying interface is used as the local address for IPSec traffic originating
from or destined to those interfaces sharing the same crypto map set.
from or destined to those interfaces sharing the same crypto map set.
One suggestion is to use a loopback interface as the identifying interface.
To specify redundant interfaces and name an identifying interface, use the following command in global
configuration mode:
configuration mode:
crypto map map-name local-address interface-id
This command permits redundant interfaces to share the same crypto map, using the same local identity.
Verifying Configuration
Certain configuration changes only take effect when subsequent security associations are negotiated. If
you want the new settings to take immediate effect, you must clear the existing security associations so
that they are reestablished with the changed configuration. For manually established security
associations, you must clear and reinitialize the security associations, or the changes do not take effect.
If the router is actively processing IPSec traffic, it is desirable to clear only the portion of the security
association database that would be affected by the configuration changes (that is, clear only the security
associations established by a given crypto map set). Clearing the full security association database
should be reserved for large-scale changes or when the router is processing very little other IPSec traffic.
you want the new settings to take immediate effect, you must clear the existing security associations so
that they are reestablished with the changed configuration. For manually established security
associations, you must clear and reinitialize the security associations, or the changes do not take effect.
If the router is actively processing IPSec traffic, it is desirable to clear only the portion of the security
association database that would be affected by the configuration changes (that is, clear only the security
associations established by a given crypto map set). Clearing the full security association database
should be reserved for large-scale changes or when the router is processing very little other IPSec traffic.
Step
Command
Purpose
1.
interface type number
Specify an interface on which to apply the
crypto map and enter interface configuration
mode.
crypto map and enter interface configuration
mode.
2.
crypto map map-name
Apply a crypto map set to an interface.
3.
end
Exit interface configuration mode.