ipsec tunnel, order of operations

sarahr202
Level 5

Hi Everybody

Please consider the following configuration of IPsec tunnel mode:

R2(config)# crypto isakmp policy 1
R2(config-isakmp)# encr 3des
R2(config-isakmp)# hash md5
R2(config-isakmp)# authentication pre-share
R2(config-isakmp)# group 2
R2(config-isakmp)# lifetime 86400
R2(config)# crypto isakmp key firewallcx address 1.1.1.1
R2(config)# ip access-list extended VPN-TRAFFIC
R2(config-ext-nacl)# permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
R2(config)# crypto ipsec transform-set TS esp-3des esp-md5-hmac
R2(config)# crypto map CMAP 10 ipsec-isakmp
R2(config-crypto-map)# set peer 1.1.1.1
R2(config-crypto-map)# set transform-set TS
R2(config-crypto-map)# match address VPN-TRAFFIC
R2(config)# interface FastEthernet0/1
R2(config-if)# crypto map CMAP

Let's say R2 has a packet with src IP 199.199.199.1 and dst IP 200.200.200.2. R2 looks up its routing table and decides to forward it out of f0/1.

At this point, R2 finds "crypto map CMAP" under f0/1.

What will R2 do next? Will R2 perform the command "match address VPN-TRAFFIC" first, configured under crypto map CMAP, or will R2 form the tunnel first because R2 encounters the command "crypto map CMAP 10 ipsec-isakmp" first? If R2 forms the tunnel first because it encounters "crypto map CMAP 10 ipsec-isakmp" first, it is not very efficient, because R2 forms the tunnel and later finds the packet is not matched by "match address VPN-TRAFFIC" and tears down the tunnel.

I just want to confirm my understanding.

Thanks and have a great day.

Accepted Solution

Mohamed Sobair
Level 7

Hello Sarah,

The interesting traffic matched by the crypto ACL (match address VPN-TRAFFIC) is what triggers the IPsec tunnel.

R2 in this case won't form the tunnel if it's in idle state until interesting traffic triggers the tunnel.

Regards,

Mohamed
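The order of operations described in the accepted answer, as an added simulation written for this thread (it is not IOS code, and the class and function names are invented): the packet is routed out the interface first, the crypto map on that interface is then walked in sequence-number order, each entry's "match address" ACL decides whether the traffic is interesting, and only a permitted packet with no existing SA triggers IKE. The addresses, ACL, crypto map and peer are the ones from the question; a non-matching packet leaves in the clear and no tunnel is ever built for it.

```python
import ipaddress
from dataclasses import dataclass, field


def _wild_match(addr: str, net: str, wildcard: str) -> bool:
    """Cisco wildcard-mask comparison: a set wildcard bit means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass
class AclEntry:
    action: str  # "permit" or "deny"
    src_net: str
    src_wild: str
    dst_net: str
    dst_wild: str

    def matches(self, src: str, dst: str) -> bool:
        return (_wild_match(src, self.src_net, self.src_wild)
                and _wild_match(dst, self.dst_net, self.dst_wild))


def acl_permits(acl: list, src: str, dst: str) -> bool:
    """First-match ACL evaluation with the implicit deny at the end."""
    for entry in acl:
        if entry.matches(src, dst):
            return entry.action == "permit"
    return False


@dataclass
class CryptoMapEntry:
    seq: int
    peer: str
    transform_set: str
    acl_name: str


@dataclass
class Router:
    acls: dict               # ACL name -> [AclEntry]
    crypto_maps: dict        # crypto map name -> [CryptoMapEntry]
    iface_crypto_map: dict   # interface -> crypto map name applied to it
    ipsec_sas: set = field(default_factory=set)          # (peer, seq) with a live SA
    ike_negotiations: list = field(default_factory=list)  # every IKE run we triggered

    def egress(self, iface: str, src: str, dst: str) -> dict:
        """Process a packet already routed out `iface`; return action and trace."""
        trace = [f"routed out {iface}"]
        map_name = self.iface_crypto_map.get(iface)
        if map_name is None:
            trace.append("no crypto map on interface -> forward in clear")
            return {"action": "clear", "ike_triggered": False, "trace": trace}
        trace.append(f"crypto map {map_name} found on {iface}")
        # Entries are checked in sequence order; the crypto ACL is consulted first.
        for entry in sorted(self.crypto_maps[map_name], key=lambda e: e.seq):
            if not acl_permits(self.acls[entry.acl_name], src, dst):
                trace.append(f"seq {entry.seq}: match address {entry.acl_name} -> no match")
                continue
            trace.append(f"seq {entry.seq}: match address {entry.acl_name} -> interesting")
            key = (entry.peer, entry.seq)
            ike = key not in self.ipsec_sas
            if ike:
                # Only now does IKE run with the peer and an IPsec SA get installed.
                self.ike_negotiations.append(key)
                self.ipsec_sas.add(key)
                trace.append(f"no SA to {entry.peer}: IKE triggered, SA installed")
            trace.append(f"encrypt with {entry.transform_set} to peer {entry.peer}")
            return {"action": "encrypt", "peer": entry.peer, "ike_triggered": ike, "trace": trace}
        trace.append("no entry matched -> forward in clear, no tunnel built")
        return {"action": "clear", "ike_triggered": False, "trace": trace}


def build_r2() -> Router:
    """R2 as configured in the question (ACL, crypto map and peer from the post)."""
    return Router(
        acls={"VPN-TRAFFIC": [AclEntry("permit", "20.20.20.0", "0.0.0.255",
                                       "10.10.10.0", "0.0.0.255")]},
        crypto_maps={"CMAP": [CryptoMapEntry(10, "1.1.1.1", "TS", "VPN-TRAFFIC")]},
        iface_crypto_map={"FastEthernet0/1": "CMAP"},
    )


if __name__ == "__main__":
    r2 = build_r2()
    # Constructed sample packets: the one from the question, then interesting traffic twice.
    for src, dst in [("199.199.199.1", "200.200.200.2"),
                     ("20.20.20.5", "10.10.10.7"),
                     ("20.20.20.5", "10.10.10.7")]:
        result = r2.egress("FastEthernet0/1", src, dst)
        print(f"{src} -> {dst}: {result['action']}, IKE triggered: {result['ike_triggered']}")
        for step in result["trace"]:
            print("   ", step)
```

Running it shows the question's packet leaving in the clear with no IKE at all, the first 20.20.20.0/24 to 10.10.10.0/24 packet triggering IKE and an SA, and the second one reusing that SA. Note the crypto ACL is directional: the reverse flow (10.10.10.x to 20.20.20.x) out the same interface is not matched by this ACL, which is why a mirror-image ACL is needed on the peer side.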
