Brocade Mobility RFS Controller CLI Reference Guide (Supporting software release 5.5.0.0 and later) User Manual


608


53-1003098-01


This section explains crypto map commands in detail.

A crypto map entry is a single policy that describes how certain traffic is secured. There are two
types of crypto map entries: ipsec-manual and ipsec-ike. Each entry is given an index (used to sort
the ordered list).

IPSec VPN provides a secure tunnel between two networked peers. Administrators can define
which packets are sent within the tunnel, and how they're protected. When a tunneled peer sees a
sensitive packet, it creates a secure tunnel and sends the packet through the tunnel to its remote
peer destination.

Tunnels are sets of SAs between two peers. SAs define the protocols and algorithms applied to
sensitive packets and specify the keying mechanisms used by tunneled peers. SAs are
unidirectional, so a tunnel has one SA in the inbound direction and one in the outbound
direction. SAs are established per the rules and conditions of the defined security protocol
(AH or ESP).

The Internet Key Exchange (IKE) protocol is a key management protocol standard used in
conjunction with IPSec. IKE enhances IPSec by providing additional features, flexibility, and
configuration simplicity for the IPSec standard. IKE automatically negotiates IPSec SAs, enabling
secure communications without time-consuming manual pre-configuration.

Use crypto maps to configure IPSec VPN SAs. Crypto maps combine the elements comprising IPSec
SAs. Crypto maps also include transform sets. A transform set is a combination of security
protocols, algorithms and other settings applied to IPSec protected traffic. One crypto map is
used for each IPsec peer; for remote VPN deployments, however, a single crypto map is used for
all the remote IPsec peers.

Use the (config) instance to enter the crypto map configuration mode. To navigate to the
crypto-map configuration instance, use the following commands:

In the device-config mode:

    <DEVICE>(config-device-<DEVICE-MAC>)#crypto map <CRYPTO-MAP-TAG> <1-1000> [ipsec-isakmp {dynamic}|ipsec-manual]

In the profile-config mode:

    <DEVICE>(config-profile-<PROFILE-NAME>)#crypto map <CRYPTO-MAP-TAG> <1-1000> [ipsec-isakmp {dynamic}|ipsec-manual]

There are three different configurations defined for each listed crypto map: site-to-site manual
(ipsec-manual), site-to-site auto tunnel (ipsec-isakmp), and remote VPN client (ipsec-isakmp
dynamic). With site-to-site deployments, an IPSEC tunnel is deployed between two gateways, each
at the edge of a different remote network. With remote VPN, an access point located at a remote
branch defines a tunnel with a security gateway. This lets the endpoints in the branch office
communicate securely with the destination endpoints behind the security gateway.
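The following is an added example, not Brocade code: a small parser and linter for the crypto map command form shown above (crypto map <CRYPTO-MAP-TAG> <1-1000> [ipsec-isakmp {dynamic}|ipsec-manual]). It classifies each entry into one of the three deployment types, rejects sequence indices outside 1-1000, and flags ipsec-manual entries, since manual keying relies on statically configured session keys that IKE would otherwise negotiate and rekey. The sample configuration is constructed for the example; the function names are the example's own.

```python
"""Lint 'crypto map' lines from a Brocade Mobility RFS-style configuration.

Added example (not Brocade code). It only understands the command form given
in the CLI reference:
    crypto map <CRYPTO-MAP-TAG> <1-1000> [ipsec-isakmp {dynamic}|ipsec-manual]
Everything else in a configuration is ignored.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Grammar from the reference: tag, sequence index, optional entry type.
CRYPTO_MAP_RE = re.compile(
    r"^\s*crypto\s+map\s+(?P<tag>\S+)\s+(?P<seq>\d+)"
    r"(?:\s+(?P<kind>ipsec-isakmp(?:\s+dynamic)?|ipsec-manual))?\s*$"
)

# The three deployment types the reference describes, keyed by type keyword.
KIND_LABELS = {
    None: "unspecified",
    "ipsec-manual": "site-to-site manual",
    "ipsec-isakmp": "site-to-site auto (IKE)",
    "ipsec-isakmp dynamic": "remote VPN client",
}


@dataclass
class CryptoMapEntry:
    tag: str
    seq: int
    kind: Optional[str]  # None when the type keyword was omitted


def parse_crypto_map(line: str) -> Optional[CryptoMapEntry]:
    """Parse one configuration line; return None if it is not a crypto map command."""
    m = CRYPTO_MAP_RE.match(line)
    if not m:
        return None
    kind = m.group("kind")
    if kind:
        kind = " ".join(kind.split())  # normalise 'ipsec-isakmp   dynamic'
    return CryptoMapEntry(m.group("tag"), int(m.group("seq")), kind)


def lint_config(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, message) findings for every crypto map entry."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        e = parse_crypto_map(line)
        if e is None:
            continue
        if not 1 <= e.seq <= 1000:
            findings.append((n, f"map {e.tag}: index {e.seq} is outside 1-1000"))
        if e.kind == "ipsec-manual":
            findings.append(
                (n, f"map {e.tag}#{e.seq}: manual keying uses static session keys "
                    "(no IKE negotiation or automatic rekey)")
            )
    return findings


def summarize(text: str) -> Dict[str, List[str]]:
    """Group entries by deployment type, as 'tag#seq' strings."""
    groups: Dict[str, List[str]] = {}
    for line in text.splitlines():
        e = parse_crypto_map(line)
        if e is not None:
            groups.setdefault(KIND_LABELS[e.kind], []).append(f"{e.tag}#{e.seq}")
    return groups


# Constructed sample configuration (not from a real device).
SAMPLE_CONFIG = """\
crypto map map1 1 ipsec-manual
crypto map map1 2 ipsec-isakmp
crypto map remote 1 ipsec-isakmp dynamic
  crypto map map1 3
crypto map bad 0 ipsec-isakmp
interface vlan1
"""

if __name__ == "__main__":
    for n, msg in lint_config(SAMPLE_CONFIG):
        print(f"line {n}: {msg}")
    for label, entries in summarize(SAMPLE_CONFIG).items():
        print(f"{label}: {', '.join(entries)}")
```

Run against a saved running-config, the linter gives a quick inventory of which peers are covered by IKE-negotiated maps versus statically keyed manual maps, which is the first thing to check before a key-rotation exercise.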


    rfs7000-37FABE(config-profile-default-rfs7000)#crypto map map1 1 ipsec-manual
    rfs7000-37FABE(config-profile-default-rfs7000-cryptomap-map1#1)#?
    Manual Crypto Map Configuration commands:
      local-endpoint-ip     Use this IP as local tunnel endpoint address, instead
                            of the interface IP (Advanced Configuration)
      mode                  Set the tunnel mode
      no                    Negate a command or set its defaults
      peer                  Set peer
      security-association  Set security association parameters
      session-key           Set security session key parameters
      use                   Set setting to use

      clrscr                Clears the display screen
