Configuring crypto maps

Last Updated: Apr 10, 2018

About this task

A crypto map points to a transform-set and to a peer that in turn points to an ISAKMP policy. If you defined a peer-group, the crypto map can point to the peer-group. The transform-set and ISAKMP policy define how to secure the traffic that matches the ip-rule that points to this crypto map.

Important:

It is mandatory to create at least one crypto map.

Note:

You can configure up to 100 crypto maps.

Procedure

  1. Use the crypto map command, followed by an index number from 1 to 50, to enter the context of a crypto map and to create the crypto map if it does not exist.

    For example:

    Gxxx-001# crypto map 1
    Gxxx-001(config-crypto:1)#
  2. Use the description command to enter a description for the crypto map.

    For example:

    Gxxx-001(config-crypto:1)# description vpn lincroft branch
    Done!
  3. Use one of the following commands:
    • Specify the remote peer, using the set peer command. For example:

      Gxxx-001(config-crypto:1)# set peer 149.49.60.60
      Done!
    • Specify a peer-group, using the set peer-group command. For example:

      Gxxx-001(config-crypto:1)# set peer-group NY-VPN-group
      Done!
    Important:

    Specify either set peer or set peer-group, but not both.

  4. Specify the transform-set to which this crypto map points, using the set transform-set command.
    Important:

    set transform-set is a mandatory command.

    For example:

    Gxxx-001(config-crypto:1)# set transform-set ts1
    Done!
  5. Set the static DSCP value in the DS field of the tunneled packet by using the set dscp command, followed by a value from 0 to 63.

    The default setting is no set dscp, which specifies that the DSCP value is copied from the DS field of the original packet.

    For example:

    Gxxx-001(config-crypto:1)# set dscp 38
    Done!
  6. Specify whether to enable continuous-channel IPSec (IKE phase 2) with the continuous-channel command.

    The default setting is no continuous-channel, which disables continuous-channel IPSec. For more information on continuous-channel, see Continuous channel.

    For example:

    Gxxx-001(config-crypto:1)# continuous-channel
    Done!
  7. Exit crypto map context with the exit command.

    For example:

    Gxxx-001(config-crypto:1)# exit
    Gxxx-001#
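The steps above carry several constraints that the gateway enforces one command at a time (index range, a mandatory transform-set, set peer and set peer-group being mutually exclusive, DSCP within 0 to 63). The following is an added example, not part of the Avaya documentation or the gateway software: a small Python helper that checks a crypto map definition against those documented constraints and only then renders the CLI lines of steps 1 to 7, so a mistake is caught before anything is pasted into the gateway. The CLI syntax is taken from this page; the function name, parameter names and the CryptoMapError class are this example's own, and the IPv4 check on the peer is an assumption based on the dotted-quad peer shown above.

```python
"""Validate and render an Avaya-style 'crypto map' CLI block (added example).

Constraints enforced, all taken from the procedure on this page:
  - crypto map index is 1..50
  - exactly one of set peer / set peer-group
  - set transform-set is mandatory
  - set dscp, if given, is 0..63
"""
import ipaddress
from typing import List, Optional


class CryptoMapError(ValueError):
    """Raised when a crypto map definition violates a documented constraint."""


def build_crypto_map(index: int,
                     transform_set: str,
                     description: Optional[str] = None,
                     peer: Optional[str] = None,
                     peer_group: Optional[str] = None,
                     dscp: Optional[int] = None,
                     continuous_channel: bool = False) -> List[str]:
    """Return the CLI lines for one crypto map, or raise CryptoMapError."""
    # Step 1: the index selects (and creates) the crypto map; range is 1..50.
    if not 1 <= index <= 50:
        raise CryptoMapError(f"crypto map index {index} is outside 1-50")
    # Step 3: specify either set peer or set peer-group, but not both.
    if (peer is None) == (peer_group is None):
        raise CryptoMapError("specify exactly one of peer or peer_group")
    if peer is not None:
        # Assumption: peers are IPv4 addresses, as in the page's example.
        try:
            ipaddress.IPv4Address(peer)
        except ipaddress.AddressValueError as exc:
            raise CryptoMapError(f"invalid peer address {peer!r}") from exc
    # Step 4: set transform-set is mandatory.
    if not transform_set or not transform_set.strip():
        raise CryptoMapError("set transform-set is mandatory")
    # Step 5: set dscp is optional; when present it must be 0..63.
    if dscp is not None and not 0 <= dscp <= 63:
        raise CryptoMapError(f"dscp {dscp} is outside 0-63")

    lines = [f"crypto map {index}"]                     # step 1
    if description:
        lines.append(f" description {description}")    # step 2
    if peer is not None:
        lines.append(f" set peer {peer}")              # step 3 (peer)
    else:
        lines.append(f" set peer-group {peer_group}")  # step 3 (peer-group)
    lines.append(f" set transform-set {transform_set}")  # step 4
    if dscp is not None:
        lines.append(f" set dscp {dscp}")              # step 5
    if continuous_channel:
        lines.append(" continuous-channel")            # step 6
    lines.append(" exit")                              # step 7
    return lines


if __name__ == "__main__":
    # Reproduces the page's worked values for crypto map 1.
    print("\n".join(build_crypto_map(
        1, "ts1",
        description="vpn lincroft branch",
        peer="149.49.60.60",
        dscp=38,
        continuous_channel=True,
    )))
```

Omitting the transform-set, naming both a peer and a peer-group, or using an index or DSCP value outside the documented ranges raises CryptoMapError instead of producing a block the gateway would reject part-way through.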