From: John Galt Kupec (jkupec2@xxxxxxxxxx)
Date: Wed Aug 23 2000 - 09:21:55 GMT-3
Simon Baxter wrote:
> Dynamic crypto maps are not used to set up new IPsec SAs, but are referenced
> by static crypto maps.
>
> Dynamic crypto maps are for incoming IPsec connection requests, not
> outgoing?
Could be both now that Tunnel Endpoint Discovery is available.
>
> Does this mean in the static map (that references the dynamic one) you don't
> need to specify the remote-peer or match address, as this will be filled in
> when the remote attempts to establish with the local?
Sounds good to me.
Here's a snip from a working example. This is from a router running
12.x, and is using a wildcard pre-shared key and TED (Tunnel Endpoint
Discovery) which means that, in addition to a _receiving_ router
dynamically determining an IPSec peer, an _initiating_ router can
dynamically determine an IPSec peer. This is by virtue of the
"discover" keyword on the crypto map statement.
crypto isakmp policy 1
 authentication pre-share
 group 2
! Wildcard pre-shared key: the same key is accepted from any peer address
crypto isakmp key KeyToTheHighway address 0.0.0.0
crypto isakmp identity hostname
!
crypto ipsec transform-set set1 esp-des esp-sha-hmac
!
! Dynamic map: a template whose peer is learned at negotiation time
crypto dynamic-map vpn-dynamic 10
 set transform-set set1
 match address 159
!
! The static map references the dynamic map; "discover" turns on TED so
! this router can also initiate peer discovery for traffic matching ACL 159
crypto map vpn local-address Loopback99
crypto map vpn 10 ipsec-isakmp dynamic vpn-dynamic discover
!
interface Loopback99
 ip address 192.168.241.1 255.255.255.0
!
access-list 159 permit ip 192.168.251.0 0.0.0.255 192.168.6.0 0.0.0.255
--
John Galt Kupec
Mentor Technologies Group, Inc.
jkupec@mentortech.com
http://www.mentortech.com
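As an added example (not part of the original mail, and not Cisco code), a small Python check that parses an IOS snippet like the one above and reports the dynamic-map and TED settings a reviewer would want to look at: the wildcard pre-shared key, a weak transform such as esp-des, a dynamic map whose match address ACL is missing or undefined, a static map pointing at an undefined dynamic map, and the discover keyword. The embedded sample config is constructed from the snippet in the mail; the function names and finding texts are my own.

```python
import re
# Constructed input for this check: the IOS snippet from the mail above, re-typed.
SAMPLE_CONFIG = """crypto isakmp key KeyToTheHighway address 0.0.0.0
crypto ipsec transform-set set1 esp-des esp-sha-hmac
crypto dynamic-map vpn-dynamic 10
 set transform-set set1
 match address 159
crypto map vpn 10 ipsec-isakmp dynamic vpn-dynamic discover
access-list 159 permit ip 192.168.251.0 0.0.0.255 192.168.6.0 0.0.0.255
"""
WEAK = {"esp-des", "esp-null", "esp-md5-hmac", "ah-md5-hmac"}  # algorithms to flag

def parse(text):
    # Collect the objects a dynamic map depends on; indented lines are IOS sub-mode.
    cfg = {"wildcard_psk": False, "tsets": {}, "dmaps": {}, "smaps": [], "acls": set()}
    dmap = None  # dynamic-map entry whose sub-mode we are in, if any
    for line in text.splitlines():
        if line.startswith(" ") and dmap is not None:
            if m := re.match(r"\s+set transform-set (\S+)", line):
                dmap["tset"] = m.group(1)
            elif m := re.match(r"\s+match address (\S+)", line):
                dmap["acl"] = m.group(1)
            continue
        dmap = None  # any unindented line ends the sub-mode
        if re.match(r"crypto isakmp key \S+ address 0\.0\.0\.0\b", line):
            cfg["wildcard_psk"] = True
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            cfg["tsets"][m.group(1)] = set(m.group(2).split())
        elif m := re.match(r"crypto dynamic-map (\S+) \d+", line):
            dmap = cfg["dmaps"].setdefault(m.group(1), {"tset": None, "acl": None})
        elif m := re.match(r"crypto map \S+ \d+ ipsec-isakmp dynamic (\S+)( discover)?", line):
            cfg["smaps"].append((m.group(1), bool(m.group(2))))
        elif m := re.match(r"access-list (\d+) ", line):
            cfg["acls"].add(m.group(1))
    return cfg

def lint(text):
    # Return the findings a reviewer would want to see for a dynamic-map/TED config.
    cfg = parse(text)
    out = ["wildcard pre-shared key (address 0.0.0.0): one key shared by every peer"] if cfg["wildcard_psk"] else []
    for name, d in cfg["dmaps"].items():
        if d["acl"] is None:
            out.append(f"dynamic-map {name}: no match address, peer's proposed selectors are accepted")
        elif d["acl"] not in cfg["acls"]:
            out.append(f"dynamic-map {name}: match address {d['acl']} is not defined")
        if weak := WEAK & cfg["tsets"].get(d["tset"], set()):
            out.append(f"dynamic-map {name}: weak transform(s) {sorted(weak)}")
    for ref, discover in cfg["smaps"]:
        if ref not in cfg["dmaps"]:
            out.append(f"static map references undefined dynamic-map {ref}")
        elif discover:
            out.append(f"static map uses TED (discover): this router may also initiate via {ref}")
    return out
```

Run `lint(SAMPLE_CONFIG)` to see the three findings for the mail's snippet; feed it a `show running-config` excerpt to check a real box.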
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:24:29 GMT-3