crypto map


Create, modify, view or delete a crypto map entry. Also used to delete a crypto map set. (Configuration mode.)


      [no] crypto map map-name client [token] authentication aaa-server-name

      [no] crypto map map-name client configuration address initiate | respond

      [no] crypto map map-name interface interface-name

      show crypto map [interface interface-name | tag map-name]

      clear crypto map map-name

      [no] crypto map map-name seq-num ipsec-isakmp | ipsec-manual [dynamic dynamic-map-name]

      [no] crypto map map-name seq-num match address acl_name

      [no] crypto map map-name seq-num set peer hostname | ip-address

      [no] crypto map map-name seq-num set pfs [group1 | group2]

      [no] crypto map map-name seq-num set security-association lifetime secs secs | Kb Kb

      [no] crypto map map-name seq-num set session-key inbound | outbound ah spi hex-key-string

      [no] crypto map map-name seq-num set session-key inbound | outbound esp spi cipher hex-key-string [authenticator hex-key-string]

      [no] crypto map map-name seq-num set transform-set transform-set-name1 [transform-set-name2 ... transform-set-name6]


Syntax Description

map-name The name of the crypto map set.
aaa-server-name The name of the AAA server that will authenticate the user during IKE authentication. The two AAA server options available are TACACS+ and RADIUS.
token Indicate that a token-based server is used for user authentication.
initiate Indicate that the firewall will attempt to set IP addresses for each peer.
respond Indicate that the firewall will accept requests for IP addresses from any requesting peer.
interface interface-name Specify the identifying interface to be used by the firewall to identify itself to peers.

If IKE is enabled, and you are using a certification authority (CA) to obtain certificates, this should be the interface with the address specified in the CA certificates.

tag map-name (Optional) Show the crypto map set with the specified map name.
seq-num The number you assign to the crypto map entry.
ipsec-isakmp Indicate that IKE will be used to establish the IPSec security associations for protecting the traffic specified by this crypto map entry.
ipsec-manual Indicate that IKE will not be used to establish the IPSec security associations for protecting the traffic specified by this crypto map entry.
dynamic (Optional) Specify that this crypto map entry is to reference a pre-existing dynamic crypto map.
dynamic-map-name (Optional) Specify the name of the dynamic crypto map set to be used as the policy template.
acl_name Identify the named encryption access list. This name should match the name argument of the named encryption access list being matched.
match address Specify an access list for a crypto map entry.
set peer Specify an IPSec peer in a crypto map entry.
hostname Specify a peer by its host name. This is the peer's host name concatenated with its domain name. For example, myhost.example.com.
ip-address Specify a peer by its IP address.
set pfs Specify that IPSec should ask for perfect forward secrecy (PFS).

With PFS, every time a new security association is negotiated, a new Diffie-Hellman exchange occurs. (This exchange requires additional processing time.)

group1 Specify that IPSec should use the 768-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange.
group2 Specify that IPSec should use the 1024-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange.
set security-association lifetime Set how long a security association lasts, in either secs or Kb. Used with either the secs or the Kb keyword.
secs secs Specify the number of secs a security association lives before it expires. The default is 28,800 secs (eight hours).
Kb Kb Specify the volume of traffic (in Kb) that can pass between peers using a given security association before that security association expires. The default is 4,608,000 Kb.
set session-key Manually specify the IPSec session keys within a crypto map entry.
inbound Set the inbound IPSec session key.

(You must set both inbound and outbound keys.)

outbound Set the outbound IPSec session key.

(You must set both inbound and outbound keys.)

ah Set the IPSec session key for the AH protocol. Specify ah when the crypto map entry's transform set includes an AH transform.

AH protocol provides authentication via MD5-HMAC and SHA-HMAC.

spi Specify the security parameter index (SPI), a number that uniquely identifies a security association. The SPI is an arbitrary number you assign in the range 256 to 4,294,967,295 (hexadecimal FFFFFFFF).

You can assign the same SPI to both directions and both protocols. However, not all peers have the same flexibility in SPI assignment. For a given destination address/protocol combination, unique SPI values must be used. The destination address is that of the firewall if inbound, the peer if outbound.

hex-key-string Specify the session key; enter in hexadecimal format. This is an arbitrary hexadecimal string of 16, 32, or 40 digits. If the crypto map's transform set includes the following:
  • DES algorithm, specify at least 16 hexadecimal digits per key.
  • MD5 algorithm, specify at least 32 hexadecimal digits per key.
  • SHA algorithm, specify 40 hexadecimal digits per key.

Longer key sizes are simply hashed to the appropriate length.

esp Set the IPSec session key for the ESP protocol. Specify esp when the crypto map entry's transform set includes an ESP transform.

ESP provides authentication, confidentiality, or both. Authentication is done via MD5-HMAC, SHA-HMAC, or NULL. Confidentiality is done via DES, 3DES, or NULL.

cipher Indicate that the key string is to be used with the ESP encryption transform.
authenticator (Optional) Indicate that the key string is to be used with the ESP authentication transform. This argument is required only when the crypto map entry's transform set includes an ESP authentication transform.
set transform-set Specify which transform sets can be used with the crypto map entry.
transform-set-name The name of the transform set.

For an ipsec-manual crypto map entry, you can specify only one transform set. For an ipsec-isakmp or dynamic crypto map entry, you can specify up to six transform sets.

transform1 transform2 transform3 Specify up to three transforms (the arguments of the crypto ipsec transform-set command). Transforms define the IPSec security protocol(s) and algorithm(s). Each transform represents an IPSec security protocol (ESP, AH, or both) plus the algorithm you want to use.


crypto map client authentication

Enables Xauth, which prompts for a TACACS+/RADIUS username and password during IKE authentication. To use this command, an AAA server must already be running. If Xauth fails, the IPSec security association will not be established and the IKE security association will be deleted.

The Xauth feature is not enabled by default. To restore the default value run:

no crypto map client authentication

Be sure to specify the same AAA server name within the crypto map client authentication command statement as was specified in the aaa-server command statement.

The crypto map client token authentication command enables the firewall to interoperate with a VPN client that is set up to use a token-based server for user authentication. The keyword token tells the firewall that the AAA server uses a token-card system and to prompt the user for username and password during IKE authentication. Use the no crypto map client token authentication command to restore the default value.

The remote user must be running one of the following:

  1. VPN Client version 3.0
  2. Cisco VPN 3000 Client, version 2.5 or later
  3. Cisco Secure VPN Client, version 1.1 or later

Examples

The following example shows how the crypto map client authentication command is used. It sets up the IPSec rules for VPN encryption; the ip, nat, and aaa-server command statements establish the context for the IPSec-related commands.


ip address inside 10.0.0.1 255.255.255.0
ip address outside 168.20.1.5 255.255.255.0
ip local pool dealer 10.1.2.1-10.1.2.254
nat (inside) 0 access-list 80
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 10.0.0.2 secret123
crypto ipsec transform-set pc esp-des esp-md5-hmac
crypto dynamic-map cisco 4 set transform-set pc
crypto map partner-map 20 ipsec-isakmp dynamic cisco
crypto map partner-map client configuration address initiate
crypto map partner-map client authentication TACACS+
crypto map partner-map interface outside
isakmp key cisco1234 address 0.0.0.0 netmask 0.0.0.0
isakmp client configuration address-pool local dealer outside
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption des
isakmp policy 8 hash md5
isakmp policy 8 group 1
isakmp policy 8 lifetime 86400

The following example shows how the crypto map client token authentication command is used. It sets up the IPSec rules for VPN encryption; the ip, nat, and aaa-server command statements establish the context for the IPSec-related commands.


ip address inside 10.0.0.1 255.255.255.0
ip address outside 168.20.1.5 255.255.255.0
ip local pool dealer 10.1.2.1-10.1.2.254
nat (inside) 0 access-list 80
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.0.0.2 secret123
crypto ipsec transform-set pc esp-des esp-md5-hmac
crypto dynamic-map cisco 4 set transform-set pc
crypto map partner-map 20 ipsec-isakmp dynamic cisco
crypto map partner-map client configuration address initiate
crypto map partner-map client token authentication RADIUS
crypto map partner-map interface outside
isakmp key cisco1234 address 0.0.0.0 netmask 0.0.0.0
isakmp client configuration address-pool local dealer outside
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption des
isakmp policy 8 hash md5
isakmp policy 8 group 1
isakmp policy 8 lifetime 86400


crypto map client configuration address

Use the crypto map client configuration address command to configure IKE Mode Configuration on the firewall. IKE Mode Configuration allows the firewall to download an IP address to the remote peer (client) as part of an IKE negotiation. With the crypto map client configuration address command, you define the crypto map(s) that should attempt to configure the peer.

Use the no crypto map client configuration address command to restore the default value. The IKE Mode Configuration is not enabled by default.

The keyword initiate indicates that the firewall will attempt to set IP addresses for each peer. The respond keyword indicates that the firewall will accept requests for IP addresses from any requesting peer.

If you use IKE Mode Configuration on the firewall, the routers handling the IPSec traffic must also support IKE Mode Configuration. The following examples show how to configure IKE Mode Configuration on the firewall:

crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond


crypto map interface

Apply a previously defined crypto map set to an interface.

Use this command to assign a crypto map set to any active firewall interface. The firewall supports IPSec termination on any and all active interfaces. You must assign a crypto map set to an interface before that interface can provide IPSec services.

Only one crypto map set can be assigned to an interface. If multiple crypto map entries have the same map-name but a different seq-num, they are considered to be part of the same set and will all be applied to the interface. The crypto map entry with the lowest seq-num is considered the highest priority and will be evaluated first. A single crypto map set can contain a combination of ipsec-isakmp and ipsec-manual crypto map entries.

The use of the crypto map interface command re-initializes the security association database causing any currently established security associations to be deleted.

The following example assigns the crypto map set "mymap" to the outside interface. When traffic passes through the interface, it is evaluated against all the crypto map entries in the "mymap" set. When outbound traffic matches an access list in one of the "mymap" crypto map entries, a security association (if IPSec) is established per that crypto map entry's configuration (if no security association or connection already exists).

crypto map mymap interface outside

The following is sample output for the show crypto map command:

show crypto map
Crypto Map: "firewall-alice" pif:  outside local address: 172.21.114.123
Crypto Map "firewall-alice" 10 ipsec-isakmp
        Peer = 172.21.114.67
         access-list 141 permit ip host 172.21.114.123 host 172.21.114.67
        Current peer: 172.21.114.67
        Security-association lifetime: 4608000 Kb/120 secs
        PFS (Y/N): N
        Transform sets={ t1, }

The following configuration was in effect when the preceding show crypto map command was issued:


crypto map firewall-alice 10 ipsec-isakmp
crypto map firewall-alice 10 set peer 172.21.114.67
crypto map firewall-alice 10 set transform-set t1
crypto map firewall-alice 10 match address 141

The following is sample output for the show crypto map command when manually established security associations are used:

show crypto map

Crypto Map "multi-peer" 20 ipsec-manual
        Peer = 172.21.114.67
         access-list 120 permit ip host 1.1.1.1 host 1.1.1.2
        Current peer: 172.21.114.67
        Transform sets={ t2, }
        Inbound esp spi: 0, 
         cipher key: ,
         auth_key: ,
        Inbound ah spi: 256, 
            key: 010203040506070809010203040506070809010203040506070809,
        Outbound esp spi: 0
         cipher key: ,
         auth key: , 
        Outbound ah spi: 256, 
            key: 010203040506070809010203040506070809010203040506070809,
 

The following configuration was in effect when the preceding show crypto map command was issued:

crypto map multi-peer 20 ipsec-manual
crypto map multi-peer 20 set peer 172.21.114.67
crypto map multi-peer 20 set session-key inbound ah 256 010203040506070809010203040506070809010203040506070809
crypto map multi-peer 20 set session-key outbound ah 256 010203040506070809010203040506070809010203040506070809
crypto map multi-peer 20 set transform-set t2
crypto map multi-peer 20 match address 120


crypto map [ ipsec-manual | ipsec-isakmp ]

Crypto maps use transform sets to classify and filter traffic between two peers.

Here is the minimum required crypto map configuration:

crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 101
crypto map mymap 10 set transform-set my_t_set1
crypto map mymap 10 set peer 10.0.0.1

A crypto map set contains crypto map entries with different seq-num values but the same map-name. Therefore, for a given interface, you could have certain traffic forwarded to one peer with specified security applied to that traffic, and other traffic forwarded to the same or a different peer with different IPSec security applied. To accomplish this you would create two crypto map entries, each with the same map-name, but each with a different seq-num.

The number you assign to the seq-num argument should not be arbitrary. This number is used to rank multiple crypto map entries within a crypto map set. Within a crypto map set, a crypto map entry with a lower seq-num is evaluated before a map entry with a higher seq-num; that is, the map entry with the lower number has a higher priority.

The following example shows the minimum required crypto map configuration when the security associations are manually established:


crypto ipsec transform-set someset ah-md5-hmac esp-des
crypto map mymap 10 ipsec-manual
crypto map mymap 10 match address 102
crypto map mymap 10 set transform-set someset
crypto map mymap 10 set peer 10.0.0.5
crypto map mymap 10 set session-key inbound ah 256 98765432109876549876543210987654
crypto map mymap 10 set session-key outbound ah 256 fedcbafedcbafedcfedcbafedcbafedc
crypto map mymap 10 set session-key inbound esp 256 cipher 0123456789012345
crypto map mymap 10 set session-key outbound esp 256 cipher abcdefabcdefabcd

Use the no crypto map command to delete a crypto map entry or set.

The crypto map command without a keyword creates an ipsec-isakmp entry by default.

After you define crypto map entries, use crypto map interface to assign the crypto map set to interfaces.


crypto map ipsec-isakmp dynamic

Specify that a given crypto map entry is to reference a pre-existing dynamic crypto map (one defined with the crypto dynamic-map command).

Give crypto map entries that reference dynamic map sets the lowest priority in the crypto map set, so that inbound security association negotiation requests are matched against the static maps first. Only after a request matches none of the static maps should it be evaluated against the dynamic map set.

To make a crypto map entry that references a dynamic crypto map to be set to the lowest priority map entry, give the map entry the highest seq-num of all the map entries in a crypto map set.

The following example configures an IPSec crypto map set that includes a reference to a dynamic crypto map set.

Crypto map "mymap 10" allows security associations to be established between the firewall and either (or both) of two remote IPSec peers for traffic matching access list 101. Crypto map "mymap 20" allows either of two transform sets to be negotiated with the peer for traffic matching access list 102.

Crypto map entry "mymap 30" references the dynamic crypto map set "mydynamicmap," which can be used to process inbound security association negotiation requests that do not match "mymap" entries 10 or 20. In this case, if the peer specifies a transform set that matches one of the transform sets specified in "mydynamicmap" for a flow "permitted" by the access list 103, IPSec will accept the request and set up security associations with the peer without previously knowing about the peer. If accepted, the resulting security associations (and temporary crypto map entry) are established according to the settings specified by the peer.

The access list associated with "mydynamicmap 10" is also used as a filter. Inbound packets that match a permit statement in this list are dropped for not being IPSec protected. (The same is true for access lists associated with static crypto maps entries.) Outbound packets that match a permit statement without an existing corresponding IPSec security association are also dropped.

Example

crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 101
crypto map mymap 10 set transform-set my_t_set1
crypto map mymap 10 set peer 10.0.0.1
crypto map mymap 10 set peer 10.0.0.2
crypto map mymap 20 ipsec-isakmp
crypto map mymap 20 match address 102
crypto map mymap 20 set transform-set my_t_set1 my_t_set2
crypto map mymap 20 set peer 10.0.0.3
crypto dynamic-map mydynamicmap 10
crypto dynamic-map mydynamicmap 10 match address 103
crypto dynamic-map mydynamicmap 10 set transform-set my_t_set1 my_t_set2 my_t_set3
crypto map mymap 30 ipsec-isakmp dynamic mydynamicmap


crypto map match address

Assign an access list to a crypto map entry. Required for all static crypto map entries. Strongly recommended for dynamic crypto map entries. The access list is used to determine which traffic should be protected.

The crypto access list referenced by this command is not used to determine whether to permit or deny traffic through the interface; an access list applied directly to the interface with the access-group command makes that determination. Rather, the crypto access list is used when evaluating inbound and outbound traffic for IPSec protection.

Outbound traffic is evaluated to determine if it should be protected by crypto, and if so (if traffic matches a permit entry), which crypto policy applies. For static crypto maps, if no security association exists, a new one is established using the data flow identity specified in the permit entry. For dynamic crypto map entries, if no security association exists, a new security association is not established and the packet is dropped.

Inbound traffic is evaluated to determine if it should be protected by crypto and, if so, which crypto policy applies. In the case of IPSec, unprotected traffic is discarded.

The access list is also used to identify the flow for which the IPSec security associations are established. In the outbound case, the permit entry is used as the data flow identity (in general), while in the inbound case the data flow identity specified by the peer must be "permitted" by the crypto access list.

Here is the minimum required crypto map configuration when IKE is used to establish the security associations. This example is for a static crypto map.

crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 101
crypto map mymap 10 set transform-set my_t_set1
crypto map mymap 10 set peer 10.0.0.1

Use no crypto map match address to remove the access list from a crypto map entry.


crypto map set peer

Specify an IPSec peer in a crypto map entry.

Required for all static crypto maps. If you are defining a dynamic crypto map this command is not required, and in most cases is not used because, in general, the peer is unknown.

For ipsec-isakmp crypto map entries, you can specify multiple peers by repeating this command. The peer that packets are actually sent to is determined by the last peer that the firewall received either traffic or a negotiation request from for a given data flow. If the attempt fails with the first peer, IKE tries the next peer on the crypto map list.

For ipsec-manual crypto entries, you can specify only one peer per crypto map. If you want to change the peer, first delete the old peer and then specify the new peer.

The following example shows a crypto map configuration when IKE will be used to establish the security associations. In this example, a security association could be set up to either the peer at 10.0.0.1 or the peer at 10.0.0.2.

crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 101
crypto map mymap 10 set transform-set my_t_set1
crypto map mymap 10 set peer 10.0.0.1
crypto map mymap 10 set peer 10.0.0.2

Use the no crypto map set peer command to remove an IPSec peer from a crypto map entry.


crypto map set pfs

The crypto map set pfs command sets IPSec to ask for perfect forward secrecy (PFS) when requesting new security associations for this crypto map entry, or that IPSec requires PFS when receiving requests for new security associations. To specify that IPSec should not request PFS, use the no crypto map set pfs command. This command is only available for ipsec-isakmp crypto map entries and dynamic crypto map entries.

By default, PFS is not requested.

With PFS, every time a new security association is negotiated, a new Diffie-Hellman exchange occurs, which requires additional processing time. PFS adds another level of security because if one key is ever cracked by an attacker, only the data sent with that key will be compromised.

During negotiation, this command causes IPSec to request PFS when requesting new security associations for the crypto map entry. The default (group1) is sent if the set pfs statement does not specify a group.

If the peer initiates the negotiation and the local configuration specifies PFS, the peer must perform a PFS exchange or the negotiation will fail. If the local configuration does not specify a group, a default of group1 will be assumed, and an offer of either group1 or group2 will be accepted. If the local configuration specifies group2, that group must be part of the peer's offer or the negotiation will fail. If the local configuration does not specify PFS, it will accept any offer of PFS from the peer.

The 1024-bit Diffie-Hellman prime modulus group, group2, provides more security than group1, but requires more processing time than group1.

IKE negotiations with a remote peer may hang when a firewall has numerous tunnels that originate from the firewall and terminate on a single remote peer. This problem occurs when PFS is not enabled, and the local peer requests many simultaneous rekey requests. If this problem occurs, the IKE security association will not recover until it has timed out or until you manually clear it with clear [crypto] isakmp sa.

Firewall units configured with many tunnels to many peers or many clients sharing the same tunnel are not affected by this problem. If the configuration is affected, enable PFS with the crypto map mapname seqnum set pfs command.

This example specifies that PFS should be used whenever a new security association is negotiated for the crypto map "mymap 10":

crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 set pfs group2


crypto map set security-association lifetime

To override (for a particular crypto map entry) the global lifetime value, which is used when negotiating IPSec security associations, use the crypto map set security-association lifetime command. To reset a crypto map entry's lifetime value to the global value, use the no crypto map set security-association lifetime command.

The crypto map's security associations are negotiated according to the global lifetimes.

This command is only available for ipsec-isakmp crypto map entries and dynamic crypto map entries.

IPSec security associations use shared secret keys. These keys and their security associations time out together.

Assuming that the particular crypto map entry has lifetime values configured, when the firewall requests new security associations during security association negotiation, it will specify its crypto map lifetime value in the request to the peer; it will use this value as the lifetime of the new security associations. When the firewall receives a negotiation request from the peer, it will use the smaller of the lifetime value proposed by the peer or the locally configured lifetime value as the lifetime of the new security associations.

There are two lifetimes: a "timed" lifetime and a "traffic-volume" lifetime. The session keys/security association expires after the first of these lifetimes is reached.

If you change a lifetime, the change will not be applied to existing security associations, but will be used in subsequent negotiations to establish security associations for data flows supported by this crypto map entry. If you want the new settings to take effect sooner, you can clear all or part of the security association database by using the clear [crypto] ipsec sa command. See the clear [crypto] ipsec sa command for more details.

To change the timed lifetime, use the crypto map set security-association lifetime secs command. The timed lifetime causes the keys and security association to time out after the specified number of secs have passed.

To change the traffic-volume lifetime, use the crypto map set security-association lifetime Kb command. The traffic-volume lifetime causes the key and security association to time out after the specified amount of traffic (in Kb) has been protected by the security association's key.

Shorter lifetimes can make it harder to mount a successful key recovery attack, because the attacker has less data encrypted under the same key to work with.

However, shorter lifetimes require more CPU processing time.

The lifetime values are ignored for manually established security associations (security associations installed via an ipsec-manual crypto map entry).

This example shortens the timed lifetime for a particular crypto map entry, because there is a higher risk that the keys could be compromised for security associations belonging to the crypto map entry. The traffic-volume lifetime is not changed because there is not a high volume of traffic anticipated for these security associations. The timed lifetime is shortened to 2700 secs (45 minutes).

crypto map mymap 10 set security-association lifetime secs 2700
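The following Python model, added here and not part of the original reference, encodes the PFS acceptance rules from the crypto map set pfs section together with the lifetime selection and expiry rules described above. The LocalEntry and PeerProposal records and the function names are assumptions made for the example, not PIX interfaces.

```python
"""Model of how a peer-initiated IKE negotiation is resolved against a local ipsec-isakmp
crypto map entry, using only the PFS and lifetime rules stated on this page. Constructed
for this example; the class and function names are assumptions, not a PIX API."""
from dataclasses import dataclass
from typing import Optional, Tuple

DEFAULT_SECS = 28800     # global default timed lifetime (eight hours)
DEFAULT_KB = 4608000     # global default traffic-volume lifetime


@dataclass
class LocalEntry:
    pfs: bool = False                # 'set pfs' configured on the entry
    pfs_group: Optional[str] = None  # 'group1', 'group2', or None when 'set pfs' names no group
    secs: Optional[int] = None       # 'set security-association lifetime secs'; None = global value
    kb: Optional[int] = None         # 'set security-association lifetime Kb'; None = global value


@dataclass
class PeerProposal:
    pfs_group: Optional[str]         # group the peer offers, or None if it offers no PFS
    secs: int
    kb: int


def resolve_pfs(local: LocalEntry, peer: PeerProposal) -> str:
    """Return the agreed PFS group, 'none' when no PFS exchange happens, or 'fail'."""
    if not local.pfs:
        # No local PFS requirement: any offer of PFS from the peer is accepted, as is none
        return peer.pfs_group or "none"
    if peer.pfs_group is None:
        return "fail"  # local config specifies PFS, so the peer must perform a PFS exchange
    if local.pfs_group in (None, "group1"):
        # No group configured defaults to group1; an offer of group1 or group2 is accepted
        return peer.pfs_group if peer.pfs_group in ("group1", "group2") else "fail"
    # Local group2: that group must be part of the peer's offer
    return "group2" if peer.pfs_group == "group2" else "fail"


def resolve_lifetimes(local: LocalEntry, peer: PeerProposal) -> Tuple[int, int]:
    """Per lifetime, the smaller of the peer's proposal and the local (or global) value is used."""
    return (min(local.secs or DEFAULT_SECS, peer.secs),
            min(local.kb or DEFAULT_KB, peer.kb))


def sa_expired(elapsed_secs: int, protected_kb: int, lifetimes: Tuple[int, int]) -> bool:
    """The SA and its session keys expire when the first of the two lifetimes is reached."""
    secs, kb = lifetimes
    return elapsed_secs >= secs or protected_kb >= kb
```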


crypto map set session-key

To manually specify the IPSec session keys within a crypto map entry, use the crypto map set session-key command. Use the no crypto map set session-key command to remove IPSec session keys from a crypto map entry. This command is only available for ipsec-manual crypto map entries.

If the crypto map's transform set includes an AH protocol, define IPSec keys for AH for both inbound and outbound traffic. If the crypto map's transform set includes an ESP encryption protocol, define IPSec keys for ESP encryption for both inbound and outbound traffic. If the crypto map's transform set includes an ESP authentication protocol, define IPSec keys for ESP authentication for inbound and outbound traffic.

When you define multiple IPSec session keys within a single crypto map, you can assign the same security parameter index (SPI) number to all the keys. The SPI is used to identify the security association used with the crypto map. However, not all peers have the same flexibility in SPI assignment.

You may have to coordinate SPI assignment with the peer's network administrator, making certain that the same SPI is not used more than once for the same destination address/protocol combination.

Security associations established using this command do not expire (unlike security associations established using IKE).

The firewall unit's session keys must match its peer's session keys.

If you change a session key, the security association using the key will be deleted and reinitialized.

The following example shows a crypto map entry for manually established security associations. The transform set "t_set" includes only an AH protocol.


crypto ipsec transform-set t_set ah-sha-hmac
crypto map mymap 20 ipsec-manual
crypto map mymap 20 match address 102
crypto map mymap 20 set transform-set t_set
crypto map mymap 20 set peer 10.0.0.21
crypto map mymap 20 set session-key inbound ah 300 1111111111111111111111111111111111111111
crypto map mymap 20 set session-key outbound ah 300 2222222222222222222222222222222222222222

The following example shows a crypto map entry for manually established security associations. The transform set "someset" includes both an AH and an ESP protocol, so session keys are configured for both AH and ESP for both inbound and outbound traffic. The transform set includes both encryption and authentication ESP transforms, so session keys are created for both using the cipher and authenticator keywords.


crypto ipsec transform-set someset ah-sha-hmac esp-des esp-sha-hmac
crypto map mymap 10 ipsec-manual
crypto map mymap 10 match address 101
crypto map mymap 10 set transform-set someset
crypto map mymap 10 set peer 10.0.0.1
crypto map mymap 10 set session-key inbound ah 300 9876543210987654321098765432109876543210
crypto map mymap 10 set session-key outbound ah 300 fedcbafedcbafedcbafedcbafedcbafedcbafedc
crypto map mymap 10 set session-key inbound esp 300 cipher 0123456789012345 authenticator 0000111122223333444455556666777788889999
crypto map mymap 10 set session-key outbound esp 300 cipher abcdefabcdefabcd authenticator 9999888877776666555544443333222211110000
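An added example, not Cisco's code, that audits crypto map statements offline against the rules this reference states: an ipsec-manual entry references one transform set and carries inbound and outbound session keys for each protocol in it, with SPIs in the range 256 to 4,294,967,295 and hex keys of at least the length the algorithm requires; an ipsec-isakmp entry lists at most six transform sets; and an entry that references a dynamic map should have the highest seq-num in its set. The parser, finding texts and sample configuration are constructed for the example.

```python
"""Audit of PIX-style 'crypto map' statements against the rules stated on this page.
Constructed for this example; not Cisco code and not a complete PIX syntax checker."""
import re
from collections import defaultdict

KEY_DIGITS = {"des": 16, "md5": 32, "sha": 40}   # minimum hex-key-string digits per algorithm
SPI_MIN, SPI_MAX = 256, 0xFFFFFFFF                # SPI range from the Syntax Description
HEX = re.compile(r"[0-9a-fA-F]+")


def parse_config(config):
    """Return ({transform-set name: transforms}, {(map-name, seq-num): entry})."""
    tsets, entries = {}, defaultdict(lambda: {
        "mode": None, "dynamic": False, "peers": [], "transform_sets": [], "keys": {}})
    for line in config.splitlines():
        t = re.match(r"^\s*crypto ipsec transform-set (\S+) (.+)$", line)
        m = re.match(r"^\s*crypto map (\S+) (\d+) (.*)$", line)
        if t:
            tsets[t.group(1)] = t.group(2).split()
        if not m:
            continue  # interface/client statements carry no seq-num; not audited here
        e, rest = entries[(m.group(1), int(m.group(2)))], m.group(3).split()
        if rest[0] in ("ipsec-isakmp", "ipsec-manual"):
            e["mode"], e["dynamic"] = rest[0], "dynamic" in rest
        elif rest[:2] == ["set", "peer"]:
            e["peers"] += rest[2:]
        elif rest[:2] == ["set", "transform-set"]:
            e["transform_sets"] = rest[2:]
        elif rest[:2] == ["set", "session-key"]:
            direction, proto, spi, toks = rest[2], rest[3], int(rest[4]), rest[5:]
            # ah takes one key; esp takes 'cipher key [authenticator key]'
            keys = {"ah": toks[0]} if proto == "ah" and toks else {
                kw: toks[toks.index(kw) + 1] for kw in ("cipher", "authenticator") if kw in toks}
            e["keys"][(direction, proto)] = (spi, keys)
    return tsets, dict(entries)


def check_manual_keys(e, transforms, flag):
    """Manual SAs need a key per protocol in the transform set, in both directions,
    with an in-range SPI and at least the hex digits the algorithm requires."""
    need = {}  # (protocol, key keyword) -> algorithm, e.g. ('esp', 'cipher') -> 'des'
    for t in transforms:
        proto, alg = t.split("-")[:2]  # ah-sha-hmac -> ah, sha ; esp-des -> esp, des
        kw = "ah" if proto == "ah" else ("authenticator" if alg in ("md5", "sha") else "cipher")
        need[(proto, kw)] = alg
    for proto in sorted({p for p, _ in need}):
        for direction in ("inbound", "outbound"):
            if (direction, proto) not in e["keys"]:
                flag(f"{direction} {proto} session key missing (both directions must be set)")
                continue
            spi, keys = e["keys"][(direction, proto)]
            if not SPI_MIN <= spi <= SPI_MAX:
                flag(f"{direction} {proto} spi {spi} outside {SPI_MIN}-{SPI_MAX}")
            for (p, kw), alg in need.items():
                if p != proto:
                    continue
                key = keys.get(kw)
                if key is None:
                    flag(f"{direction} {proto} lacks the {kw} key required by the {alg} transform")
                elif not HEX.fullmatch(key) or len(key) < KEY_DIGITS.get(alg, 0):
                    flag(f"{direction} {proto} {kw} key is not >= {KEY_DIGITS.get(alg, 0)} hex digits for {alg}")


def audit(config):
    """Return findings as sorted (map-name, seq-num, message) tuples."""
    tsets, entries = parse_config(config)
    highest = {n: max(s for m, s in entries if m == n) for n, _ in entries}
    findings = []
    for (name, seq), e in sorted(entries.items()):
        flag = lambda msg, n=name, s=seq: findings.append((n, s, msg))
        if e["mode"] is None:
            flag("no ipsec-isakmp or ipsec-manual statement for this entry")
        elif e["mode"] == "ipsec-manual":
            if len(e["transform_sets"]) > 1:
                flag("ipsec-manual entry may reference only one transform set")
            if e["transform_sets"]:
                check_manual_keys(e, tsets.get(e["transform_sets"][0], []), flag)
        else:
            if len(e["transform_sets"]) > 6:
                flag("ipsec-isakmp entry may list at most six transform sets")
            if e["dynamic"] and seq != highest[name]:
                flag("dynamic-map reference should carry the highest seq-num so static entries match first")
    return sorted(findings)


# Constructed sample: entry 20 has an out-of-range outbound AH SPI, no ESP authenticator key
# and no outbound ESP key; entry 30 references a dynamic map but a static entry 40 follows it.
SAMPLE = """\
crypto ipsec transform-set t_set ah-sha-hmac
crypto ipsec transform-set someset ah-md5-hmac esp-des esp-sha-hmac
crypto map mymap 20 ipsec-manual
crypto map mymap 20 set transform-set someset
crypto map mymap 20 set peer 10.0.0.5
crypto map mymap 20 set session-key inbound ah 300 98765432109876549876543210987654
crypto map mymap 20 set session-key outbound ah 100 fedcbafedcbafedcfedcbafedcbafedc
crypto map mymap 20 set session-key inbound esp 300 cipher 0123456789012345
crypto map mymap 30 ipsec-isakmp dynamic mydynamicmap
crypto map mymap 40 ipsec-isakmp
crypto map mymap 40 set transform-set t_set
crypto map mymap 40 set peer 10.0.0.9
"""
```

Run `audit(SAMPLE)` to list the findings; a configuration that follows the page's rules returns an empty list.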


crypto map set transform-set

Specify which transform sets can be used with the crypto map entry. Required for all static and dynamic crypto map entries.

For an ipsec-isakmp crypto map entry, you can list up to six transform sets with this command. List the higher priority transform sets first.

If the local firewall initiates the negotiation, the transform sets are presented to the peer in the order specified in the crypto map command statement. If the peer initiates the negotiation, the local firewall accepts the first transform set that matches one of the transform sets specified in the crypto map entry.

The first matching transform set that is found at both peers is used for the security association. If no match is found, IPSec will not establish a security association. The traffic will be dropped because there is no security association to protect the traffic.

For an ipsec-manual crypto map command statement, you can specify only one transform set. If the transform set does not match the transform set at the remote peer's crypto map, the two peers will fail to correctly communicate because the peers are using different rules to process the traffic.

If you want to change the list of transform sets, respecify the new list of transform sets to replace the old list. This change is only applied to crypto map command statements that reference this transform set. The change will not be applied to existing security associations, but will be used in subsequent negotiations to establish new security associations. If you want the new settings to take effect sooner, you can clear all or part of the security association database by using the clear [crypto] ipsec sa command.

Any transform sets included in a crypto map command statement must previously have been defined using the crypto ipsec transform-set command.

The following example defines two transform sets and specifies that they can both be used within a crypto map entry. (This example applies only when IKE is used to establish security associations. With crypto maps used for manually established security associations, only one transform set can be included in a given crypto map command statement.)


crypto ipsec transform-set my_t_set1 esp-des esp-sha-hmac
crypto ipsec transform-set my_t_set2 ah-sha-hmac esp-des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 101
crypto map mymap 10 set transform-set my_t_set1 my_t_set2
crypto map mymap 10 set peer 10.0.0.1
crypto map mymap 10 set peer 10.0.0.2

In this example, when traffic matches access list 101 the security association can use either transform set "my_t_set1" (first priority) or "my_t_set2" (second priority), depending on which transform set matches the remote peer's transform sets.

Use the no crypto map set transform-set command to remove all transform sets from a crypto map entry.