crypto map [name] [seq] ipsec-isakmp
Creates or modifies a crypto map entry for IPsec VPN configuration, defining the security policies and peer parameters for IKE and IPsec negotiations.
When to Use This Command
- Configuring a site-to-site VPN between two branch offices to securely transmit data over the internet.
- Setting up a remote access VPN for teleworkers to connect to the corporate network.
- Defining multiple crypto map entries with different sequence numbers to support multiple VPN peers or policies.
- Applying a crypto map to an interface to enable IPsec encryption on that interface.
Command Examples
Basic site-to-site VPN crypto map
crypto map CMAP 10 ipsec-isakmp
 description VPN to Branch Office
 set peer 203.0.113.1
 set transform-set AES256-SHA
 match address 101
The crypto map named 'CMAP' with sequence number 10 is created. The 'description' provides a human-readable note. 'set peer' specifies the remote VPN gateway IP. 'set transform-set' defines the encryption and authentication algorithms. 'match address' references an access list that identifies the traffic to be encrypted.
Crypto map with multiple peers and PFS
crypto map VPN 20 ipsec-isakmp
 set peer 198.51.100.1
 set peer 198.51.100.2
 set transform-set AES128-SHA
 set pfs group14
 match address 102
This crypto map entry has two peers for redundancy. 'set pfs group14' enables Perfect Forward Secrecy using Diffie-Hellman group 14. The transform set uses AES-128 with SHA authentication. Access list 102 defines the interesting traffic.
Understanding the Output
The 'show crypto map' command displays all configured crypto maps. Each entry shows the map name, sequence number, and configuration details. Key fields include: 'description' (optional note), 'set peer' (remote VPN peer IP), 'set transform-set' (encryption and hash algorithms), 'match address' (access list for interesting traffic), and 'set pfs' (PFS group if configured). A good configuration shows all desired parameters present; missing fields like 'set peer' or 'match address' indicate incomplete setup. Watch for mismatched transform sets or peer IPs that could cause negotiation failures.
CCNA Exam Tips
CCNA exam tip: Crypto map sequence numbers determine the order of evaluation; lower numbers are processed first.
CCNA exam tip: The 'match address' access list must permit the traffic to be encrypted; deny entries are ignored for crypto.
CCNA exam tip: A crypto map must be applied to an interface using 'crypto map [name]' in interface configuration mode to activate IPsec.
CCNA exam tip: For dynamic crypto maps (used in remote access), use 'crypto dynamic-map' instead of 'crypto map'.
Common Mistakes
Mistake 1: Forgetting to apply the crypto map to an interface, resulting in no IPsec encryption despite configuration.
Mistake 2: Using an access list that does not match the actual traffic, causing the VPN to encrypt no traffic or the wrong traffic.
Mistake 3: Configuring mismatched transform sets or IKE policies between peers, leading to negotiation failures.
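The three mistakes above, and the "missing fields" check described under Understanding the Output, can be caught before traffic ever hits the tunnel by reading the running configuration. The following script is an added example, not code from the page or from Cisco: it parses a constructed IOS-style config excerpt (the addresses, map names, ACL numbers and the PLACEHOLDER-PSK value are hypothetical) and reports every crypto map entry with no 'set peer', no 'set transform-set' or 'match address', a reference to an undefined transform set or access list, or a map name that is never applied to an interface. It also shows the complete sequence of commands a site-to-site configuration needs: ISAKMP policy and key, transform set, crypto map entries, crypto ACL, and the interface-level 'crypto map' command.

```python
"""Added example (not from the page): sanity-check crypto map entries in an
IOS-style config for the incomplete or mismatched settings described above."""

# Constructed sample config; names, addresses and the PSK are hypothetical
# placeholders, not values taken from a real device.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER-PSK address 203.0.113.1
crypto ipsec transform-set AES256-SHA esp-aes 256 esp-sha-hmac
crypto map CMAP 10 ipsec-isakmp
 description VPN to Branch Office
 set peer 203.0.113.1
 set transform-set AES256-SHA
 match address 101
crypto map CMAP 20 ipsec-isakmp
 set transform-set AES256-SHA
 match address 102
crypto map BACKUP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set AES256-SHA
 match address 101
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
interface GigabitEthernet0/0
 ip address 198.51.100.10 255.255.255.0
 crypto map CMAP
"""


def parse_config(text):
    """Collect transform sets, ACLs, crypto map entries and the map names
    applied to interfaces from IOS-style config text."""
    transform_sets, acls, applied = set(), set(), set()
    maps = {}        # (map name, sequence) -> fields of that entry
    context = None   # ("map", key) or ("interface", name) while inside a block
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        tokens = line.split()
        if not line.startswith(" "):           # top-level command starts a new block
            context = None
            if tokens[:3] == ["crypto", "ipsec", "transform-set"]:
                transform_sets.add(tokens[3])
            elif tokens[0] == "access-list":
                acls.add(tokens[1])
            elif tokens[:2] == ["ip", "access-list"]:
                acls.add(tokens[3])            # 'ip access-list extended NAME'
            elif tokens[:2] == ["crypto", "map"] and tokens[4:5] == ["ipsec-isakmp"]:
                key = (tokens[2], int(tokens[3]))
                maps.setdefault(key, {"peers": [], "transform_set": None, "acl": None})
                context = ("map", key)
            elif tokens[0] == "interface":
                context = ("interface", tokens[1])
        elif context and context[0] == "map":   # subcommand of a crypto map entry
            entry = maps[context[1]]
            if tokens[:2] == ["set", "peer"]:
                entry["peers"].append(tokens[2])
            elif tokens[:2] == ["set", "transform-set"]:
                entry["transform_set"] = tokens[2]
            elif tokens[:2] == ["match", "address"]:
                entry["acl"] = tokens[2]
        elif context and context[0] == "interface" and tokens[:2] == ["crypto", "map"]:
            applied.add(tokens[2])               # 'crypto map NAME' under an interface
    return transform_sets, acls, maps, applied


def check_crypto_maps(text):
    """Return one finding per problem, ordered by (map name, sequence)."""
    transform_sets, acls, maps, applied = parse_config(text)
    findings = []
    for (name, seq), entry in sorted(maps.items()):
        label = f"{name} {seq}"
        if not entry["peers"]:
            findings.append(f"{label}: missing 'set peer'")
        if entry["transform_set"] is None:
            findings.append(f"{label}: missing 'set transform-set'")
        elif entry["transform_set"] not in transform_sets:
            findings.append(f"{label}: transform set {entry['transform_set']} is not defined")
        if entry["acl"] is None:
            findings.append(f"{label}: missing 'match address'")
        elif entry["acl"] not in acls:
            findings.append(f"{label}: access list {entry['acl']} is not defined")
        if name not in applied:
            findings.append(f"{label}: crypto map {name} is not applied to any interface")
    return findings


if __name__ == "__main__":
    for finding in check_crypto_maps(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the script flags CMAP 20 (no peer, ACL 102 never defined) and BACKUP (never applied to an interface), while CMAP 10 passes. Feed it the output of 'show running-config' saved to a file to apply the same checks to a real device; it only inspects the fields the page describes and does not detect mismatches with the remote peer, which still require comparing both ends or reading 'show crypto isakmp sa' after a negotiation attempt.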
Related Commands
crypto ipsec transform-set [name] esp-aes esp-sha-hmac
Defines an IPsec transform set specifying the encryption and authentication algorithms to protect VPN traffic, used when configuring an IPsec VPN policy.
crypto isakmp policy [priority]
Creates or modifies an ISAKMP (IKE) policy for IPsec VPN negotiations, defining encryption, authentication, and key exchange parameters.
show crypto map
Displays the configured crypto map entries, including their match criteria, peer addresses, and transform sets, used to verify IPsec VPN policy configuration.