Beruflich Dokumente
Kultur Dokumente
Step 2: Configure the IPsec Transform Set and Lifetimes (IKE phase 2)
You can also change the IPsec security association lifetimes from its default which is 3600
seconds or 4,608,000
kilobytes, whichever comes first.
R1(config)# crypto ipsec security-association lifetime seconds 1800
R3(config)# crypto ipsec security-association lifetime seconds 1800
Now that most of the encryption settings are in place, define extended access lists to tell the
router which traffic to
encrypt. A packet that is denied by one of these access lists will not be dropped; it will be sent
unencrypted.
R1(config)# access-list 101 permit tcp 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 23
R3(config)# access-list 101 permit tcp 172.16.3.0 0.0.0.255 172.16.1.0 0.0.0.255 eq 23
Usually, it is very important that the two lists be mirror images of each other. The source
address in one list must be
the destination address in the other and vice versa.
A crypto map is a mapping that associates traffic matching an access list (like the one we
created earlier) to a peer
and various IKE and IPsec settings (transform set). Crypto maps can have multiple map
statements, so you can have
traffic that matches a certain access list being encrypted and sent to one IPsec peer, and have
other traffic that
matches a different access list being encrypted towards a different peer.