4-13
VPN Acceleration Module 2+ (VAM2+) Installation and Configuration Guide
OL-5979-03
Chapter 4 Configuring the SA-VAM2+
Configuration Tasks
Step 3
Command: Router(config-crypto-m)# match address access-list-id
Purpose: (Optional) Access list number or name of an extended access list. This access list determines which traffic should be protected by IPSec and which traffic should not be protected by IPSec security in the context of this crypto map entry.
Note: Although access lists are optional for dynamic crypto maps, they are highly recommended.
If this is configured, the data flow identity proposed by the IPSec peer must fall within a permit statement for this crypto access list.
If this is not configured, the router will accept any data flow identity proposed by the IPSec peer.
However, if this is configured but the specified access list does not exist or is empty, the router will drop all packets. This is similar to static crypto maps because they also require that an access list be specified.
Care must be taken if the any keyword is used in the access list, because the access list is used for packet filtering as well as for negotiation.

Step 4
Command: Router(config-crypto-m)# set peer {hostname | ip-address}
Purpose: (Optional) Specifies a remote IPSec peer. Repeat for multiple remote peers.
This is rarely configured in dynamic crypto map entries. Dynamic crypto map entries are often used for unknown remote peers.

Step 5
Command: Router(config-crypto-m)# set security-association lifetime seconds seconds
and
Router(config-crypto-m)# set security-association lifetime kilobytes kilobytes
Purpose: (Optional) If you want the security associations for this crypto map to be negotiated using shorter IPSec security association lifetimes than the globally specified lifetimes, specify a key lifetime for the crypto map entry.

Step 6
Command: Router(config-crypto-m)# set pfs [group1 | group2]
Purpose: (Optional) Specifies that IPSec should ask for perfect forward secrecy when requesting new security associations for this crypto map entry, or should demand perfect forward secrecy in requests received from the IPSec peer.

Step 7
Command: Router(config-crypto-m)# exit
Purpose: Exits crypto-map configuration mode and returns to global configuration mode.

Step 8
Repeat these steps to create additional crypto map entries as required.

To add a dynamic crypto map set into a crypto map set, use the following command in global configuration mode:
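Steps 3 through 7 carried through as one dynamic crypto map entry, as an added configuration example that is not taken from this guide. The map name, sequence numbers, access list, transform set and lifetime values are constructed for illustration; the crypto dynamic-map, crypto ipsec transform-set, set transform-set and crypto map ... ipsec-isakmp dynamic commands are standard IOS commands assumed from outside this page. Commands are shown as typed from global configuration mode.

```cisco
! Constructed extended access list scoping what this dynamic entry protects.
! A specific permit is used instead of "any" because, as the table warns,
! the list is used both for packet filtering and for proposal matching.
ip access-list extended VAM2-PROTECTED
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255

! Transform set referenced by the dynamic entry (assumed IOS command).
crypto ipsec transform-set VAM2-TS esp-aes esp-sha-hmac

! Dynamic crypto map entry VAM2-DYN, sequence 10 (constructed names).
crypto dynamic-map VAM2-DYN 10
 set transform-set VAM2-TS
 ! Step 3: optional but recommended; without it any proposed data flow
 ! identity is accepted, and a missing or empty list drops all packets.
 match address VAM2-PROTECTED
 ! Step 4: set peer is deliberately omitted; dynamic entries normally
 ! serve remote peers whose addresses are not known in advance.
 ! Step 5: lifetimes shorter than the global values (constructed numbers).
 set security-association lifetime seconds 3600
 set security-association lifetime kilobytes 2560
 ! Step 6: request PFS when initiating and require it from the peer.
 set pfs group2
 ! Step 7: back to global configuration mode.
 exit

! Add the dynamic map set into a static crypto map set; this is the
! command the sentence after Step 8 introduces (syntax assumed from IOS).
crypto map VAM2-MAP 100 ipsec-isakmp dynamic VAM2-DYN
```

Repeating the crypto dynamic-map block with a different sequence number is how Step 8's additional entries are created.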