Cisco Systems C7200 manual Key Management Protocol Isakmp policy configuration, Config-isakmp mode

Chapter 4 Configuring the VSA

Configuration Tasks

To configure an IKE policy, use the following commands beginning in global configuration mode:

Step 1
Command: Router(config)# crypto isakmp policy priority
Purpose: Defines an IKE policy and enters Internet Security Association Key Management Protocol (ISAKMP) policy configuration (config-isakmp) mode.

Step 2
Command: Router(config-isakmp)# encryption {des | 3des | aes | aes 128 | aes 192 | aes 256}
Purpose: Specifies the encryption algorithm within an IKE policy.
  des—Specifies 56-bit DES as the encryption algorithm.
  3des—Specifies 168-bit DES as the encryption algorithm.
  aes—Specifies 128-bit AES as the encryption algorithm.
  aes 128—Specifies 128-bit AES as the encryption algorithm.
  aes 192—Specifies 192-bit AES as the encryption algorithm.
  aes 256—Specifies 256-bit AES as the encryption algorithm.

Step 3
Command: Router(config-isakmp)# authentication {rsa-sig | rsa-encr | pre-share}
Purpose: (Optional) Specifies the authentication method within an IKE policy.
  rsa-sig—Specifies Rivest, Shamir, and Adleman (RSA) signatures as the authentication method.
  rsa-encr—Specifies RSA encrypted nonces as the authentication method.
  pre-share—Specifies preshared keys as the authentication method.
  Note: If this command is not enabled, the default value (rsa-sig) will be used.

Step 4
Command: Router(config-isakmp)# lifetime seconds
Purpose: (Optional) Specifies the lifetime of an IKE security association (SA).
  seconds—Number of seconds that each SA should exist before expiring. Use an integer from 60 to 86,400 seconds.
  Note: If this command is not enabled, the default value (86,400 seconds [one day]) will be used.
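As an added check that is not part of the Cisco guide: a small Python audit that parses crypto isakmp policy blocks from a running-config dump (the sample text below is constructed), fills in the defaults the table states for Steps 3 and 4 (rsa-sig, 86,400 seconds), and flags legacy ciphers and out-of-range lifetimes.

```python
import re
# Constructed sample of `show running-config` output for two IKE policies (not from the guide).
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
crypto isakmp policy 20
 encryption des
 lifetime 604800
"""
# Keywords, defaults and lifetime range exactly as the configuration table documents them.
ENCRYPTION_KEYWORDS = {"des", "3des", "aes", "aes 128", "aes 192", "aes 256"}
AUTH_KEYWORDS = {"rsa-sig", "rsa-encr", "pre-share"}
DEFAULT_AUTH, DEFAULT_LIFETIME = "rsa-sig", 86400
LIFETIME_MIN, LIFETIME_MAX = 60, 86400

def parse_isakmp_policies(config_text):
    """Map priority -> {encryption, authentication, lifetime}; unset values get the defaults."""
    policies, current = {}, None
    for line in config_text.splitlines():
        header = re.match(r"^crypto isakmp policy (\d+)\s*$", line)
        if header:
            current = {"encryption": None, "authentication": DEFAULT_AUTH, "lifetime": DEFAULT_LIFETIME}
            policies[int(header.group(1))] = current
            continue
        if current is None or not line.startswith(" "):
            current = None  # any unindented line ends the config-isakmp block
            continue
        words = line.split()
        if words[0] == "encryption":
            current["encryption"] = " ".join(words[1:])  # keeps two-word forms such as "aes 256"
        elif words[0] == "authentication":
            current["authentication"] = words[1]
        elif words[0] == "lifetime":
            current["lifetime"] = int(words[1])
    return policies

def audit_policy(policy):
    """Return findings for one parsed policy (an empty list means nothing to report)."""
    findings = []
    enc, auth, life = policy["encryption"], policy["authentication"], policy["lifetime"]
    if enc not in ENCRYPTION_KEYWORDS:
        findings.append(f"encryption {enc!r} is missing or not a documented keyword")
    elif enc in ("des", "3des"):
        findings.append(f"{enc} is a legacy cipher; prefer aes 256")
    if auth not in AUTH_KEYWORDS:
        findings.append(f"authentication {auth!r} is not a documented keyword")
    if not LIFETIME_MIN <= life <= LIFETIME_MAX:
        findings.append(f"lifetime {life} is outside the documented range {LIFETIME_MIN}-{LIFETIME_MAX}")
    return findings
```

Run it against the output of show running-config on the router; policy 20 above is reported for 56-bit DES and for a lifetime above the 86,400-second maximum, while its unset authentication is correctly treated as rsa-sig.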

C7200 VSA (VPN Services Adapter) Installation and Configuration Guide, OL-9129-02, page 4-3
