2 Replies Latest reply: Sep 13, 2015 3:09 AM by tk79

    Difference between Crypto Map and Crypto IPsec Profile ?




      What is the difference in using Crypto map and Crypto IPsec profile?

      What are the pros and cons while using each of them?

      Please explain.




        • 1. Re: Difference between Crypto Map and Crypto IPsec Profile ?
          CiscoLoco - CCIE# 50844

          You cannot use an IPSEC profile without having a crypto map. Within the crypto map you can apply the ipsec profile. You could do this if you have multiple tunnels that obviously have different peer addresses and different "interesting traffic" ACLs but will use similar other configurations like transform set and PFS value.


          For example:

          Define the IPSEC profile:

          crypto ipsec profile TEST-Profile
           set transform-set 3DES-SHA
           set pfs group 2

          Then within your crypto maps you can apply the profile you just created:

          crypto map TEST 10 ipsec-isakmp
           set peer
           match address 100
           set profile TEST-Profile

          crypto map TEST 20 ipsec-isakmp
           set peer
           match address 200
           set profile TEST-Profile

          • 2. Re: Difference between Crypto Map and Crypto IPsec Profile ?

            Sorry, but that is incorrect. Crypto map is the legacy way of defining phase 2, whereas ipsec profile is a newer way of doing the same thing.

            IPSec profiles are used in VTI/GRE/DMVPN tunnels.

            In a crypto map you define who (peer address), what traffic (ACL) and how (transform set). In a profile you define the above but not the ACL, as this is already defined by the VTI/GRE/DMVPN tunnels.

            A sample example where DMVPN is already configured and running: if I wanted to configure an IPSEC tunnel on the DMVPN tunnel I would configure the below, which as you can see doesn't require an IPSEC profile:

            1. Define Phase 1 and preshared key

            crypto isakmp policy 1
             encr aes
             hash sha256
             authentication pre-share
             group 5

            crypto isakmp key DMVPN address

            2. Define Phase 2

            crypto ipsec transform-set ESP-AES-256-SHA-512 esp-aes 256 esp-sha512-hmac
             mode transport
            crypto ipsec profile DMVPN_PROFILE
             set transform-set ESP-AES-256-SHA-512

            3. Bind profile to tunnel interface

            interface Tunnel0
             tunnel protection ipsec profile DMVPN_PROFILE