Cisco ASR 5700
Context Configuration Mode Commands A-D
crypto map
Command Line Interface Reference, StarOS Release 17
Usage
Crypto maps define the policies that determine how IPSec is implemented for subscriber data packets. The
system supports several types of crypto maps:
Manual crypto maps: These are static tunnels that use pre-configured information (including security
keys) for establishment. Because they rely on statically configured information, once created, the
tunnels never expire; they exist until their configuration is deleted.
Important:
Because manual crypto map configurations require the use of static security keys (associations), they
are not as secure as crypto maps that rely on dynamically configured keys. Therefore, it is recommended that they only
be configured and used for testing purposes.
IKEv1 crypto maps: These tunnels are similar to manual crypto maps in that they require some
statically configured information such as the IP address of a peer security gateway and that they are
applied to specific system interfaces. However, IKEv1 crypto maps offer greater security because
they rely on dynamically generated security associations through the use of the Internet Key
Exchange (IKE) protocol.
IKEv2-IPv6 crypto maps: Refer to the Lawful Intercept Configuration Guide for a description of this
parameter.
Dynamic crypto maps: These tunnels are used for protecting L2TP-encapsulated data between the
system and an LNS/security gateway or Mobile IP data between an FA service configured on one
system and an HA service configured on another.
Important:
The crypto map type (dynamic, IKEv1, IKEv2-IPv6, or manual) is specified when the map is first
created using this command.
Example
Create a dynamic crypto map named map1 and enter the Crypto Map Dynamic Configuration Mode by
entering the following command:
crypto map map1 ipsec-dynamic
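
Because the map type is fixed when the map is created, a saved configuration can be checked for manual crypto maps left over from testing. The following audit script is an added example, not part of the Cisco reference; the sample configuration is constructed, and the keywords other than ipsec-dynamic (ipsec-manual, ipsec-ikev1, ikev2-ipv6) are assumed from the StarOS crypto map syntax rather than taken from this page.

```python
import re

# Keyword -> map type. Only "ipsec-dynamic" appears in the example above;
# the other keywords are assumptions based on the StarOS crypto map syntax.
MAP_TYPES = {
    "ipsec-manual": "manual",
    "ipsec-ikev1": "IKEv1",
    "ikev2-ipv6": "IKEv2-IPv6",
    "ipsec-dynamic": "dynamic",
}
CONTEXT_RE = re.compile(r"^context\s+(\S+)")
CRYPTO_MAP_RE = re.compile(r"^crypto\s+map\s+(\S+)\s+(\S+)")


def audit_crypto_maps(config_text):
    """Return (context, map name, map type, flagged) for each crypto map."""
    findings, context = [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        ctx = CONTEXT_RE.match(line)
        if ctx:
            context = ctx.group(1)  # crypto maps belong to the enclosing context
            continue
        m = CRYPTO_MAP_RE.match(line)  # "no crypto map ..." lines do not match
        if m:
            name, keyword = m.groups()
            map_type = MAP_TYPES.get(keyword, "unknown")
            # Manual maps rely on static keys, so flag them for review.
            findings.append((context, name, map_type, map_type == "manual"))
    return findings


# Constructed sample configuration (not taken from a real system).
SAMPLE_CONFIG = """\
config
  context ipsec-test
    crypto map lab-static ipsec-manual
    #exit
    crypto map map1 ipsec-dynamic
    #exit
  #exit
  context corp
    crypto map peer-gw ipsec-ikev1
    #exit
  #exit
end
"""

if __name__ == "__main__":
    for ctx, name, map_type, flagged in audit_crypto_maps(SAMPLE_CONFIG):
        print(f"{ctx:12} {name:12} {map_type:10} {'REVIEW' if flagged else 'ok'}")
```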