Configuring Crypto Maps


The command syntax for creating a crypto map is:

 Router(config)# crypto map map-name seq-num ipsec-isakmp
 Router(config-crypto-map)# match address {100-199 | name}
 Router(config-crypto-map)# set peer {ip_address | hostname}
 Router(config-crypto-map)# set transform-set name
 Router(config-crypto-map)# set security-association lifetime

The ipsec-isakmp keyword tells the router that IKE will be used to automatically establish the IPSec SA. The map-name is simply a name that you make up; it has significance only to the local router.

More important is the seq-num. Sequence numbers determine the priority of the crypto map and can range from 1 to 65,535. The lower the sequence number, 1 being the lowest, the higher the crypto map priority.

Sequence numbers also provide another critical function. Because you can apply only one crypto map to an interface, the only way to configure multiple crypto map entries is to use different sequence numbers. It is important to remember that all crypto map entries with the same name are considered a single crypto map even if the entries have different sequence numbers.

An example might help clear things up. We will configure a crypto map named NASHVILLE with a sequence number of 25. We will use the crypto ACL created earlier, numbered 101. The transform set was named EXAMCRAM2. Finally, the remote IPSec peer's public interface IP address is 30.200.200.2.

Figure 9.10 displays the configuration to implement the detailed requirements.

Figure 9.10. Crypto map configuration.


Notice that the match address command in crypto map configuration mode actually specifies the crypto ACL that will be used.
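
As an added example (not from the book), the following Python sketch parses a constructed IOS configuration and checks the points made above: entries that share a name form one crypto map, lower sequence numbers come first, and each entry names its crypto ACL, peer and transform set. Entry 25 uses the values from the text; entry 10, ACL 102, peer 192.0.2.10 and interface Serial0/0 are hypothetical, and treating the three sub-commands as required is an assumption of this check.

```python
import re

# Constructed sample config (not from the book). Entry 25 uses the values named
# in the text; entry 10, its ACL and its peer are hypothetical.
SAMPLE_CONFIG = """\
crypto map NASHVILLE 25 ipsec-isakmp
 match address 101
 set peer 30.200.200.2
 set transform-set EXAMCRAM2
crypto map NASHVILLE 10 ipsec-isakmp
 match address 102
 set peer 192.0.2.10
!
interface Serial0/0
 crypto map NASHVILLE
"""

HEADER = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp\s*$")
# Assumption: these three sub-commands must be present in every entry.
REQUIRED = ("match address", "set peer", "set transform-set")


def parse_crypto_maps(config):
    """Return {map_name: {seq_num: [sub-commands]}} for ipsec-isakmp entries."""
    maps, current = {}, None
    for line in config.splitlines():
        m = HEADER.match(line)
        if m:
            seq = int(m.group(2))
            if not 1 <= seq <= 65535:
                raise ValueError(f"sequence number out of range: {seq}")
            # Same name, different seq-num: another entry of the same map.
            current = maps.setdefault(m.group(1), {}).setdefault(seq, [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # a non-indented line ends the entry
    return maps


def audit(config):
    """List (name, seq, missing sub-commands), highest priority entry first."""
    report = []
    for name, entries in parse_crypto_maps(config).items():
        for seq in sorted(entries):  # lower seq-num = higher priority
            lacking = [r for r in REQUIRED
                       if not any(c.startswith(r) for c in entries[seq])]
            report.append((name, seq, lacking))
    return report
```

Calling audit(SAMPLE_CONFIG) reports the hypothetical entry 10 first, because its sequence number is lower, and flags it as lacking a transform set.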




CCSP SECUR Exam Cram 2
CCSP SECUR Exam Cram 2 (642-501)
ISBN: B000MU86IQ
EAN: N/A
Year: 2003
Pages: 291
Authors: Raman Sud
