Configuring crypto lists

Last Updated: Apr 10, 2018

About this task

A crypto list is an ordered list of ip-rules that control which traffic requires IPSec protection and which does not, based on IP groups (source and destination IP addresses and wildcard). A crypto list is activated on an interface. The Branch Gateway can have multiple crypto lists activated on different interfaces.

Important:

It is mandatory to create at least one crypto list.

Note:

You can configure up to 100 crypto lists.

Procedure

  1. Use the ip crypto-list command, followed by an index number from 901 to 999, to enter the context of a crypto list (and to create the list if it does not exist).

    For example:

    Gxxx-001# ip crypto-list 901
    Gxxx-001(Crypto 901)#
  2. Specify the local IP address for the IPSec tunnels derived from this crypto list, using the local-address command.

    The local address can be either the IP address or the name of an IP interface of the device.

    Important:

    local-address is a mandatory command.

    Examples:

    Gxxx-001(Crypto 901)# local-address 192.168.49.1
    Done!
    Gxxx-001(Crypto 901)# local-address FastEthernet 10/3
    Done!

    Note:

    Specifying the interface as a name is one of the prerequisites for working with dynamic local peer IP addresses. For more information about working with dynamic local peer IP addresses, see Dynamic local peer IP.

  3. Specify the name of the crypto list using the name command.

    For example:

    Gxxx-001(Crypto 901)# name Public Network via ADSL
    Done!
  4. Use the ip-rule command, followed by an index number from 1 to 1000, to enter the context of an ip-rule and to create the ip-rule if it does not exist.

    Important:

    It is mandatory to create at least one ip-rule.

    For example:

    Gxxx-001(Crypto 901)# ip-rule 10
    Gxxx-001(Crypto 901/ip rule 10)#
  5. Configure ip-rule parameters as follows:
    • Use the description command to assign a description to the ip-rule.

    • To specify a range of source and destination IP addresses to which the rule applies, use the source-ip and destination-ip commands, followed by the IP range criteria. The IP range criteria can be one of the following:

      • Single address. Type host, followed by an IP address, to set a single IP address to which the rule applies.

      • Wildcard. Type host, followed by an IP address using wildcards, to set a range of IP addresses to which the rule applies.

      • All addresses. Type any to apply the rule to all IP addresses.

    • Use the no form of the appropriate command to return to the default value, any.

    • Define the action by specifying whether to protect traffic that matches the source and destination addresses, using one of the following commands:

      • no protect. Do not protect traffic that matches the source and destination addresses.

      • protect crypto map crypto-map-id. Protect traffic that matches the source and destination addresses. The specified crypto map specifies how to secure the traffic. For instructions on configuring crypto maps, see Configuring crypto maps.

        For example:

        Gxxx-001(Crypto 901/ip rule 10)# description vpn tunnel to uk main office
        Done!
        Gxxx-001(Crypto 901/ip rule 10)# source-ip 10.1.0.0 0.0.255.255
        Done!
        Gxxx-001(Crypto 901/ip rule 10)# destination-ip any
        Done!
        Gxxx-001(Crypto 901/ip rule 10)# protect crypto map 1
        Done!
    • For rules whose action is no protect, you can fine-tune the definition of packets that match this rule by using the following commands. For a full description of the commands, see Avaya CLI Reference. Note that this fine-tuning is not applicable to rules whose action is protect crypto map.

      • ip-protocol. Specify the IP protocol to match.

      • tcp. Specify the TCP settings to match.

      • udp. Specify the UDP settings to match.

      • icmp. Specify the ICMP protocol settings to match.

      • dscp. Specify the DSCP to match.

      • fragment. Specify whether this rule applies to non-initial fragments only.

  6. Exit ip-rule context with the exit command.

    For example:

    Gxxx-001(Crypto 901/ip rule 10)# exit
    Gxxx-001(Crypto 901)#
  7. Repeat Steps 4 to 6 for every ip-rule you wish to define in the crypto list.
  8. Exit crypto list context with the exit command.

    For example:

    Gxxx-001(Crypto 901)# exit
    Gxxx-001#
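To make the rule semantics of Steps 4 to 7 concrete, the following Python model (an added example, not Avaya code) parses the ip-rule commands of one crypto list and classifies sample traffic against it. It assumes that rules are evaluated in ascending ip-rule index order and that the first match decides, which the page does not state, and it constructs its own sample list around the page's rule 10.

```python
import ipaddress
def parse_criteria(tokens):
    """'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' -> (value, care_mask); wildcard 1-bits are don't-care."""
    if tokens == ["any"]:
        return (0, 0)
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0xFFFFFFFF)
    addr, wildcard = (int(ipaddress.IPv4Address(t)) for t in tokens[:2])
    return (addr & ~wildcard & 0xFFFFFFFF, ~wildcard & 0xFFFFFFFF)

def matches(criteria, ip):
    value, care = criteria
    return (int(ipaddress.IPv4Address(ip)) & care) == value

def parse_crypto_list(cli_lines):
    """Ordered rule table from the ip-rule commands of one crypto list; unset criteria default to any."""
    rules, current = {}, None
    for words in (line.split() for line in cli_lines if line.strip()):
        if words[0] == "ip-rule":
            current = rules.setdefault(int(words[1]), {"src": (0, 0), "dst": (0, 0), "action": None})
        elif words[0] == "source-ip":
            current["src"] = parse_criteria(words[1:])
        elif words[0] == "destination-ip":
            current["dst"] = parse_criteria(words[1:])
        elif words[:2] == ["no", "protect"]:
            current["action"] = "no protect"
        elif words[:3] == ["protect", "crypto", "map"]:
            current["action"] = "protect crypto map " + words[3]
        # description, exit and the no-protect fine-tuning commands are not modelled
    return [rules[i] for i in sorted(rules)]  # ascending index = evaluation order (assumed)

def classify(rules, src_ip, dst_ip):
    """Action of the first matching rule (assumed first-match semantics); None if none matched."""
    for rule in rules:
        if matches(rule["src"], src_ip) and matches(rule["dst"], dst_ip):
            return rule["action"]
    return None

# Constructed crypto list: the page's rule 10 plus a lower-indexed cleartext exception.
CRYPTO_901 = parse_crypto_list([
    "ip-rule 5",
    "source-ip 10.1.0.0 0.0.255.255",
    "destination-ip 10.1.0.0 0.0.255.255",
    "no protect",                  # 10.1.0.0/16 talking to itself stays in the clear
    "ip-rule 10",
    "source-ip 10.1.0.0 0.0.255.255",
    "destination-ip any",
    "protect crypto map 1",        # everything else from 10.1.0.0/16 goes through the tunnel
])
```

Because the lower index is consulted first, placing a broad no protect rule ahead of a protect rule silently exempts that traffic from IPSec, so the index order is worth reviewing whenever an exception rule is added.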