Options
Why crypto map?
notgoing2fail
Member Posts: 1,138
in CCNP
Part of my philosophy for understanding the "Cisco way" is to try to gain a true understanding of what the commands mean.
I'm currently reading up on VPN's. Actually I'm just about done with this chapter but there's something that bothers me.
The purpose of IKE phase 1 is that you are basically creating a policy to be matched up with the other peer.
For IKE phase 2, you are basically creating a crypto map which then gets applied to the interface and must match the peer as well.....
But this is what bothers me. For IKE phase 1, you are basically compiling a list of items to create a policy.
For IKE phase 2 you're doing the same thing for the crypto map.
So why is it called crypto map? Why can't it be simple to the fact that for IKE phase 1, you're creating a policy to be matched up.
For IKE phase 2, you're also creating a policy to be matched up?
IKE phase 1 = one policy (let's call it policy 10)
IKE phase 2 = one policy (let's call it policy 5)
When you apply the IKE phase 2 policy on the interface, it could be: crypto policy 5
I'm not going to argue with Cisco, since I'm sure Juniper has to follow these rules too. Probably RFC....
But to stop rambling, why crypto map and not just crypto policy?
Wouldn't it be easier to just say that each phase needs a policy configured?
I'm currently reading up on VPN's. Actually I'm just about done with this chapter but there's something that bothers me.
The purpose of IKE phase 1 is that you are basically creating a policy to be matched up with the other peer.
For IKE phase 2, you are basically creating a crypto map which then gets applied to the interface and must match the peer as well.....
But this is what bothers me. For IKE phase 1, you are basically compiling a list of items to create a policy.
For IKE phase 2 you're doing the same thing for the crypto map.
So why is it called crypto map? Why can't it be simple to the fact that for IKE phase 1, you're creating a policy to be matched up.
For IKE phase 2, you're also creating a policy to be matched up?
IKE phase 1 = one policy (let's call it policy 10)
IKE phase 2 = one policy (let's call it policy 5)
When you apply the IKE phase 2 policy on the interface, it could be: crypto policy 5
I'm not going to argue with Cisco, since I'm sure Juniper has to follow these rules too. Probably RFC....
But to stop rambling, why crypto map and not just crypto policy?
Wouldn't it be easier to just say that each phase needs a policy configured?