crypto map

To create or modify a crypto map entry and enter the crypto map configuration mode, use the crypto map global configuration command. To delete a crypto map entry or set, use the no form of this command.

Syntax

crypto map <map-name> <index> ipsec-isakmp
no crypto map <map-name> <index> ipsec-isakmp

Parameter   Description
map-name    Name that identifies the crypto map set
index       Unique number assigned to a crypto map entry within the set

This command puts you into the config-crypto-map command mode:

(config-crypto-map)# set peer <peer-ip>
(config-crypto-map)# set transform-set <set-name> 
(config-crypto-map)# set pfs {group1|group2|group5|same} 
(config-crypto-map)# set security-association lifetime seconds <#>
(config-crypto-map)# match address <acl-name>
(config-crypto-map)# set tunnel start-action-mode {active|triggered|passive}

Command

Description

set peer <peer-ip>

Specifies an IPSec peer (IP address in dotted-decimal notation or an FQDN) in a crypto map entry.

set transform-set <set-name>

Specifies which transform sets can be used with the crypto map entry. The set-name is compared against the names of the configured transform sets by prefix, so give transform sets names that are not prefixes of one another.

set pfs {group1|group2|group5|same}

Specifies that IPSec should request PFS (perfect forward secrecy) when requesting new SAs for this crypto map entry, or that IPSec requires PFS when receiving requests for new SAs. With PFS each IPSec SA is keyed from a fresh Diffie-Hellman exchange instead of being derived from the phase 1 keying material:

group1 - Diffie-Hellman group 1 (768-bit MODP)
group2 - Diffie-Hellman group 2 (1024-bit MODP)
group5 - Diffie-Hellman group 5 (1536-bit MODP)
same - Same Diffie-Hellman group as phase 1

group1 and group2 are too weak for new deployments; use group5, or same when the phase 1 policy already negotiates group5.

set security-association lifetime seconds <#>

Specifies the lifetime of an IPSec SA.

set tunnel start-action-mode {active|triggered|passive}

Specifies how the IPSec tunnel is established:

active - (default) Once configured, the device immediately initiates establishment of an IPSec tunnel with the remote peer
triggered - The device initiates establishment of an IPSec tunnel with the remote peer only when it has traffic to send through the tunnel (or the remote peer initiates it)
passive - The device establishes an IPSec tunnel only if the remote peer initiates it

Configuring triggered or passive mode on at least one side prevents both peers from initiating the tunnel simultaneously, which can happen when both are left in the default active mode.

match address <acl-name>

Specifies the extended access list that selects the traffic protected by this crypto map entry.

Only the first entry in the access list is considered; any further entries in that list are ignored for this crypto map entry, so describe the tunnel's traffic in the first entry.

Default

IPSec SA lifetime default is 28800 seconds.

Command Mode

crypto map is entered in global configuration mode (the (config data)# prompt in the example below); the set and match subcommands are entered in crypto map configuration mode ((config-crypto-map)#).

Example

This example demonstrates how to configure a crypto map:

(config data)# crypto map mymap 1 ipsec-isakmp
(config-crypto-map)# set peer 1.2.3.4
(config-crypto-map)# set transform-set myset
(config-crypto-map)# set security-association lifetime seconds 28000
(config-crypto-map)# match address 101
(config-crypto-map)# set tunnel start-action-mode triggered
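The following Python script is an added example and is not part of this page or of the device's software. It parses crypto map entries from running-config text or a pasted CLI session (prompts included) into records and then reviews each entry against the rules described above: a missing set pfs, PFS with group1 or group2, PFS inherited from phase 1, a lifetime above the 28800-second default, and a missing peer, transform set or access list. The sample configuration, including the peer addresses and names in it, is constructed for the example; the first entry is the page's own example, which requests no PFS.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# DH groups the `set pfs` command accepts and their modulus sizes.  group1 and
# group2 are too weak for new deployments; group5 is the strongest offered here.
DH_GROUP_BITS: Dict[str, int] = {"group1": 768, "group2": 1024, "group5": 1536}
WEAK_PFS_GROUPS = {"group1", "group2"}
DEFAULT_LIFETIME = 28800          # documented default for the IPSec SA lifetime
VALID_START_MODES = {"active", "triggered", "passive"}


@dataclass
class CryptoMapEntry:
    name: str
    index: int
    peers: List[str] = field(default_factory=list)
    transform_set: Optional[str] = None
    pfs: Optional[str] = None      # None: PFS never requested for this entry
    lifetime: int = DEFAULT_LIFETIME
    acl: Optional[str] = None
    start_mode: str = "active"     # documented default


HEADER = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp$")
PROMPT = re.compile(r"^\([^)]*\)#\s*")   # e.g. "(config-crypto-map)# "


def parse_crypto_maps(config: str) -> List[CryptoMapEntry]:
    """Parse crypto map entries from running-config text or a pasted CLI session."""
    entries: List[CryptoMapEntry] = []
    cur: Optional[CryptoMapEntry] = None
    for raw in config.splitlines():
        line = PROMPT.sub("", raw.strip())   # drop a CLI prompt if one was pasted
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            cur = CryptoMapEntry(m.group(1), int(m.group(2)))
            entries.append(cur)
            continue
        if cur is None:
            continue                          # text before the first crypto map header
        w = line.split()
        if w[:2] == ["set", "peer"] and len(w) > 2:
            cur.peers.append(w[2])
        elif w[:2] == ["set", "transform-set"] and len(w) > 2:
            cur.transform_set = w[2]
        elif w[:2] == ["set", "pfs"] and len(w) > 2:
            cur.pfs = w[2]
        elif w[:4] == ["set", "security-association", "lifetime", "seconds"] and len(w) > 4:
            cur.lifetime = int(w[4])
        elif w[:2] == ["match", "address"] and len(w) > 2:
            cur.acl = w[2]
        elif w[:3] == ["set", "tunnel", "start-action-mode"] and len(w) > 3:
            cur.start_mode = w[3]
    return entries


def audit_entry(e: CryptoMapEntry) -> List[str]:
    """Return the review findings for one crypto map entry (empty list = clean)."""
    tag = f"{e.name} {e.index}"
    findings: List[str] = []
    if e.pfs is None:
        findings.append(f"{tag}: no 'set pfs'; IPSec SA keys are derived from the phase 1 exchange")
    elif e.pfs in WEAK_PFS_GROUPS:
        findings.append(f"{tag}: PFS uses {e.pfs} ({DH_GROUP_BITS[e.pfs]}-bit MODP), too weak; use group5")
    elif e.pfs == "same":
        findings.append(f"{tag}: PFS group inherited from phase 1; confirm the phase 1 policy uses group5")
    elif e.pfs not in DH_GROUP_BITS:
        findings.append(f"{tag}: unknown PFS group '{e.pfs}'")
    if e.lifetime > DEFAULT_LIFETIME:
        findings.append(f"{tag}: SA lifetime {e.lifetime}s exceeds the {DEFAULT_LIFETIME}s default")
    if not e.peers:
        findings.append(f"{tag}: no 'set peer'")
    if e.transform_set is None:
        findings.append(f"{tag}: no 'set transform-set'")
    if e.acl is None:
        findings.append(f"{tag}: no 'match address'; the entry selects no traffic")
    if e.start_mode not in VALID_START_MODES:
        findings.append(f"{tag}: unknown start-action-mode '{e.start_mode}'")
    return findings


def audit_config(config: str) -> Dict[str, List[str]]:
    """Map each 'name index' to its findings, for every crypto map entry in config."""
    return {f"{e.name} {e.index}": audit_entry(e) for e in parse_crypto_maps(config)}


# Constructed sample session: the page's example entry (no PFS), a weak-PFS entry
# and a clean entry.  Peer addresses and names are made up for the example.
SAMPLE_CONFIG = """\
(config data)# crypto map mymap 1 ipsec-isakmp
(config-crypto-map)# set peer 1.2.3.4
(config-crypto-map)# set transform-set myset
(config-crypto-map)# set security-association lifetime seconds 28000
(config-crypto-map)# match address 101
(config-crypto-map)# set tunnel start-action-mode triggered
(config data)# crypto map mymap 2 ipsec-isakmp
(config-crypto-map)# set peer 198.51.100.7
(config-crypto-map)# set transform-set myset
(config-crypto-map)# set pfs group2
(config-crypto-map)# match address 102
(config data)# crypto map mymap 3 ipsec-isakmp
(config-crypto-map)# set peer vpn.example.net
(config-crypto-map)# set transform-set myset
(config-crypto-map)# set pfs group5
(config-crypto-map)# match address 103
(config-crypto-map)# set tunnel start-action-mode passive
"""

if __name__ == "__main__":
    for tag, findings in audit_config(SAMPLE_CONFIG).items():
        print(tag, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Run against the sample, the first entry is reported for having no set pfs, the second for its group2 PFS, and the third is clean. The parser deliberately does not inspect the access list itself; the rule that only the first entry of the referenced list is considered has to be checked against the access-list definition separately.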