Comment
Author: Admin | 2025-04-28
Crypto map using either of these two commands:

    crypto map map-name seq-num set ikev1 transform-set transform-set-name1 [transform-set-name2, …transform-set-name11]

OR

    crypto map map-name seq-num set ikev2 ipsec-proposal proposal-name1 [proposal-name2, … proposal-name11 ]

Proposal-name1 and proposal-name11 specify one or more names of the IPsec proposals for IKEv2. Each crypto map entry supports up to 11 proposals.

Example: In this example for IKEv1, when traffic matches ACL 101, the SA can use either myset1 (first priority) or myset2 (second priority) depending on which transform set matches the transform set of the peer.

    crypto map mymap 10 set ikev1 transform-set myset1 myset2

(Optional) For IKEv2, specify the mode for applying ESP encryption and authentication to the tunnel. This determines what part of the original IP packet has ESP applied.

    crypto map map-name seq-num set ikev2 mode [transport | tunnel | transport-require]

Tunnel mode (default): Encapsulation mode will be tunnel mode. Tunnel mode applies ESP encryption and authentication to the entire original IP packet (IP header and data), thus hiding the ultimate source and destination addresses. The entire original IP datagram is encrypted, and it becomes the payload in a new IP packet.

This mode allows a network device, such as a router, to act as an IPsec proxy. That is, the router performs encryption on behalf of the hosts. The source router encrypts packets and forwards them along the IPsec tunnel. The destination router decrypts the original IP datagram and forwards it on to the destination system. The major advantage of tunnel mode is that the
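The three crypto map command forms quoted in the comment above, parsed for a configuration review. This is an added example, not part of the original comment or any vendor tooling. The sample config, the function names, the "last line wins" handling, and the name-based matching in `pick_by_priority` are assumptions made for illustration.

```python
import re

MAX_PROPOSALS = 11  # per-entry limit stated in the text above
MODES = {"transport", "tunnel", "transport-require"}

# Constructed sample config; map and set names follow the page's own example.
SAMPLE = """\
crypto map mymap 10 set ikev1 transform-set myset1 myset2
crypto map mymap 20 set ikev2 ipsec-proposal prop1 prop2
crypto map mymap 20 set ikev2 mode transport
"""

LINE = re.compile(r"^crypto map (\S+) (\d+) set "
                  r"(ikev1 transform-set|ikev2 ipsec-proposal|ikev2 mode) (.+)$")

def parse_crypto_maps(config):
    """Return {(map_name, seq_num): entry} for the three command forms on the page."""
    entries = {}
    for raw in config.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not one of the three forms handled here
        name, seq, kind, rest = m.group(1), int(m.group(2)), m.group(3), m.group(4).split()
        # Tunnel is the default IKEv2 mode when no mode line is present.
        e = entries.setdefault((name, seq),
                               {"ikev1": [], "ikev2": [], "mode": "tunnel", "errors": []})
        if kind == "ikev2 mode":
            if len(rest) == 1 and rest[0] in MODES:
                e["mode"] = rest[0]
            else:
                e["errors"].append("unknown ikev2 mode: " + " ".join(rest))
        else:
            key = "ikev1" if kind.startswith("ikev1") else "ikev2"
            e[key] = rest  # order on the line is the priority order; last line wins (assumption)
            if len(rest) > MAX_PROPOSALS:
                e["errors"].append(f"{key}: {len(rest)} names exceeds {MAX_PROPOSALS}")
    return entries

def pick_by_priority(local_order, peer_supported):
    """First locally configured name the peer also accepts, or None.
    Simplification: real negotiation compares algorithms, not names."""
    return next((n for n in local_order if n in peer_supported), None)

if __name__ == "__main__":
    for key, entry in parse_crypto_maps(SAMPLE).items():
        print(key, entry)
    print(pick_by_priority(["myset1", "myset2"], {"myset2"}))
```
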