Cisco 7100 Series Spezifikationen PDF herunterladen (Seite 91)

Extranet VPN Business Scenario 4-19

Configuring Crypto Maps

Verifying Crypto Map Entries

To verify the conﬁguration:

• Enter the show crypto map EXEC command to see the crypto map entries conﬁgured

on the router.

In the following example, peer 172.16.2.7 is the IP address of the remote IPSec peer.

“Extended IP access list 111” lists the access list associated with the crypto map.

“Current peer” indicates the current IPSec peer. “Security-association lifetime”

indicates the lifetime of the SA. “PFS N” indicates that IPSec will not negotiate perfect

forward secrecy when establishing new SAs for this crypto map. “Transform sets”

indicates the name of the transform set that can be used with the crypto map.

hq-sanjose# show crypto map

Crypto Map: “s4second” idb: Serial2/0 local address: 172.16.2.2

Crypto Map “s4second” 2 ipsec-isakmp

Peer = 172.16.2.7

Extended IP access list 111

access-list 111 permit ip

source: addr = 10.2.2.2/255.255.255.0

dest: addr = 10.1.5.3/255.255.255.0S

Current peer: 172.16.2.7

Security-association lifetime: 4608000 kilobytes/3600 seconds

PFS (Y/N): N

Transform sets={proposal4,}

-Display text omitted-

hq-sanjose(config-crypto-map)# set transform-set

proposal4

Specify which transform sets are

allowed for this crypto map entry. List

multiple transform sets in order of

priority (highest priority ﬁrst). This

example speciﬁes transform set

proposal4, which was conﬁgured in the

“Deﬁning Transform Sets and

Conﬁguring IPSec Tunnel Mode”

section on page 4-13.

hq-sanjose(config-crypto-map)# exit

hq-sanjose(config)#

Exit back to global conﬁguration mode.

Step Command Purpose

1 2 ... 86 87 88 89 90 91 92 93 94 95 96 ... 111 112

Keine Kommentare

Cisco 7100 Series Spezifikationen Seite 91