Cisco Systems C7200 manual Defining a Transform Set

Chapter 4 Configuring the VSA

Configuration Tasks

Selecting Appropriate Transforms

The Crypto Transform Configuration Mode

Changing Existing Transforms

Transform Example

A transform set is an acceptable combination of security protocols, algorithms, and other settings to apply to IPSec-protected traffic. During the IPSec security association (SA) negotiation, the peers agree to use a particular transform set when protecting a particular data flow.

Defining a Transform Set

A transform set is a combination of security protocols and algorithms. During the IPSec security association negotiation, peers agree to use a specific transform set to protect a particular data flow.

To define a transform set, use the following commands, starting in global configuration mode:

Note The clear commands in Step 4 below are in EXEC or enable mode (see the “Using the EXEC Command Interpreter” section on page 4-2 for more details).

Step 1
Command: Router(config)# crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]
Purpose: Defines a transform set and enters crypto transform configuration mode.
    transform-set-name—Specifies the name of the transform set to create (or modify).
    transform1 [transform2 [transform3 [transform4]]]—Defines the IPSec security protocols and algorithms. Accepted transform values are described in Table 4-1.

Step 2
Command: Router(cfg-crypto-tran)# mode [tunnel | transport]
Purpose: (Optional) Changes the mode associated with the transform set. The mode setting is only applicable to traffic whose source and destination addresses are the IPSec peer addresses; it is ignored for all other traffic. (All other traffic is in tunnel mode only.)

Step 3
Command: end
Purpose: Exits the crypto transform configuration mode to enabled mode.

Step 4
Command: Router# clear crypto sa
    or Router# clear crypto sa peer {ip-address | peer-name}
    or Router# clear crypto sa map map-name
    or Router# clear crypto sa spi destination-address protocol spi
Purpose: Clears existing IPSec security associations so that any changes to a transform set take effect on subsequently established security associations (SAs). (Manually established SAs are reestablished immediately.)
    Using the clear crypto sa command without parameters clears out the full SA database, which clears out active security sessions. You may also specify the peer, map, or spi keywords to clear out only a subset of the SA database.
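The procedure above defines transform sets interactively; on a router that is already in service, the same information is visible in the running configuration as `crypto ipsec transform-set` lines followed by an optional indented `mode` line. The following is an added example, not code from the Cisco guide, of an offline audit that parses those lines in the syntax described in Steps 1 and 2 and flags transform sets built on algorithms commonly regarded as weak. The configuration excerpt is constructed for the example, and the transform names used (esp-aes, esp-sha-hmac, esp-des, esp-md5-hmac, esp-null) are standard IOS keywords; Table 4-1 of the guide, not this script, is the authority on which transforms the VSA accepts, and the set of "weak" names is an assumption made here for illustration.

```python
"""
Added example (not from the Cisco guide): parse IOS-style
'crypto ipsec transform-set' definitions from a config excerpt and
flag sets that use algorithms this example treats as weak.
"""
import re
from dataclasses import dataclass, field

# Constructed running-config excerpt (not from a real device).
SAMPLE_CONFIG = """\
crypto ipsec transform-set STRONG-SET esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec transform-set LEGACY-SET esp-des esp-md5-hmac
 mode transport
crypto ipsec transform-set NULL-SET esp-null
"""

# Assumption for this example: transforms that an auditor would flag.
# esp-null gives no confidentiality; DES and MD5-HMAC are legacy algorithms.
WEAK_TRANSFORMS = {"esp-des", "esp-md5-hmac", "ah-md5-hmac", "esp-null"}

# Step 1 syntax: crypto ipsec transform-set <name> transform1 [transform2 ...]
TS_RE = re.compile(r"^crypto ipsec transform-set (\S+)\s+(.+?)\s*$")
# Step 2 syntax: an indented 'mode tunnel' or 'mode transport' line under the set.
MODE_RE = re.compile(r"^\s+mode (tunnel|transport)\s*$")


@dataclass
class TransformSet:
    name: str
    transforms: list = field(default_factory=list)
    mode: str = "tunnel"  # IOS default when no 'mode' line is present


def parse_transform_sets(config: str) -> list:
    """Return the transform sets found in an IOS config excerpt, in order."""
    sets = []
    current = None
    for line in config.splitlines():
        m = TS_RE.match(line)
        if m:
            current = TransformSet(m.group(1), m.group(2).split())
            sets.append(current)
            continue
        m = MODE_RE.match(line)
        if m and current is not None:
            # The 'mode' line belongs to the most recently defined set.
            current.mode = m.group(1)
    return sets


def audit(sets: list) -> dict:
    """Map each transform-set name to the list of weak transforms it uses."""
    return {ts.name: [t for t in ts.transforms if t in WEAK_TRANSFORMS]
            for ts in sets}


def transport_mode_sets(sets: list) -> list:
    """Names of sets in transport mode; per Step 2 that setting only applies
    to traffic between the IPSec peer addresses, so these deserve a look."""
    return [ts.name for ts in sets if ts.mode == "transport"]


if __name__ == "__main__":
    parsed = parse_transform_sets(SAMPLE_CONFIG)
    for name, weak in audit(parsed).items():
        status = "weak: " + ", ".join(weak) if weak else "ok"
        print(f"{name}: {status}")
    print("transport-mode sets:", transport_mode_sets(parsed))
```

After editing a flagged set on the router, remember Step 4: existing SAs keep the old transform until they are cleared or expire, so the audit result only reflects what future SAs will negotiate.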

C7200 VSA (VPN Services Adapter) Installation and Configuration Guide, OL-9129-02, page 4-5