Cisco Systems C7200 manual Transform type Description

Page 40

Chapter 4 Configuring the VSA

Configuration Tasks

Table 4-1shows allowed transform combinations for the AH and ESP protocols.

Table 4-1 Allowed Transform Combinations

Transform type

Transform

Description

 

 

 

AH Transform (Pick up to one.)

ah-md5-hmac

AH with the MD5 (Message Digest 5)

 

 

(HMAC variant) authentication algorithm

 

ah-sha-hmac

AH with the SHA (Secure Hash Algorithm)

 

 

(HMAC variant) authentication algorithm

 

 

 

ESP Encryption Transform (Note: If an ESP

esp-aes

ESP with the 128-bit Advanced Encryption

Authentication Transform is used, you must

 

Standard (AES) encryption algorithm

pick one.)

esp-aes 128

ESP with the 128-bit AES encryption algorithm

 

 

esp-aes 192

ESP with the 192-bit AES encryption algorithm

 

esp-aes 256

ESP with the 256-bit AES encryption algorithm

 

esp-des

ESP with the 56-bit Data Encryption Standard

 

 

 

 

(DES) encryption algorithm

 

esp-3des

ESP with the 168-bit DES encryption algorithm

 

 

(3DES or Triple DES)

 

esp-null

Null encryption algorithm

 

 

 

ESP Authentication Transform (Pick up to

esp-md5-hmac

ESP with the MD5 (HMAC variant)

one.)

 

authentication algorithm

 

esp-sha-hmac

ESP with the SHA (HMAC variant)

 

 

authentication algorithm

 

 

 

Examples of acceptable transform combinations are as follows:

ah-md5-hmac

esp-des

esp-3des and esp-md5-hmac

ah-sha-hmac and esp-des and esp-sha-hmac

The parser will prevent you from entering invalid combinations; for example, once you specify an AH transform it will not allow you to specify another AH transform for the current transform set.

C7200 VSA (VPN Services Adapter) Installation and Configuration Guide

4-6

OL-9129-02

 

 

Page 39 Page 41
Image 40
Page 39 Page 41
Contents Corporate Headquarters Text Part Number OL-9129-02Page N T E N T S Preventing Electrostatic Discharge Damage 2 Creating Dynamic Crypto Maps 4 OL-9129-02 Preface AudienceOrganization ObjectivesChapter Title Description Obtaining Documentation Related DocumentationCisco.com Cisco Product Security Overview Documentation FeedbackProduct Documentation DVD Ordering Documentation Reporting Security Problems in Cisco Products Product Alerts and Field NoticesObtaining Technical Assistance Cisco Technical Support & Documentation WebsiteDefinitions of Service Request Severity Submitting a Service RequestObtaining Additional Publications and Information Xiv Overview Data Encryption OverviewVSA Overview Screws Handle Status LED light VSA Module Front ViewFeatures This section describes the VSA features, as listed in TableFeature Description/Benefit Hardware RequiredSupported Standards, MIBs, and RFCs PerformanceStandards MIBsCommand Purpose Enabling/Disabling the VSADisabling the VSA during Operation Enabling/Disabling SchemeCommand Description of VSA Behavior Condition System is ConfiguredLEDs Connectors See -2for the VSA connectorsSlot Locations Cisco 7204VXR RouterPort adapter VSA in I/O controller slot Port adapter lever Cisco 7204VXR Router Front ViewCisco 7206VXR Router Cisco 7206VXR Front ViewRequired Tools and Equipment Hardware and Software RequirementsSoftware Requirements Hardware RequirementsRestrictions PlatformSafety Warnings Safety GuidelinesOnline Insertion and Removal OIR Electrical Equipment Guidelines Preventing Electrostatic Discharge DamagePreparing for Installation OL-9129-02 Handling the VSA VSA circuit board is sensitive to ESD damageVSA Removal and Installation This section describes how to remove and install the VSARemoving and Installing the VSA VSA Removal and Installation OL-9129-02 Configuration Tasks OverviewUsing the Exec Command Interpreter Configuring an IKE PolicyKey Management Protocol Isakmp policy configuration Config-isakmp modeOptional Specifies the authentication method within an IKE Signatures as the authentication methodConfiguring a Transform Set Disabling VSA OptionalDefining a Transform Set Transform type Description IPSec Protocols AH and ESP Crypto Transform Configuration ModeSelecting Appropriate Transforms Configuring IPSec Ensuring That Access Lists Are Compatible with IPSecSetting Global Lifetimes for IPSec Security Associations Changing Existing TransformsStep Command Purpose Creating Crypto Access Lists Creating Crypto Map EntriesOnly one transform set can be specified when IKE is Authenticator keys if the transform set includes anESP authenticator algorithm Exits crypto-map configuration mode and return toCreating Dynamic Crypto Maps Optional Accesses list number or name of an Extended access list. This access list determinesIf this is configured, the data flow identity proposed For this crypto access listMonitoring and Maintaining IPSec Applying Crypto Map Sets to InterfacesVerifying IKE and IPSec Configurations Router# show crypto isakmp policyVerifying the Configuration Currentpeer 172.21.114.67 PERMIT, flags=originisacl Configuration Examples Configuring IKE Policies ExampleConfiguring IPSec Configuration Example This section provides the following configuration examplesRouter a Configuration Basic IPSec Configuration IllustrationCrypto map is applied to an interface Transform set defines how the traffic will be protected Router B ConfigurationSpecify the parameters to be used during an IKE negotiation Troubleshooting Tips Router# show diagTunnel I/F Using Deny Policies in Access Lists Monitoring and Maintaining the VSAMonitor and Maintenance Commands Configuration Guidelines and RestrictionsD E Set pfs command Sa command, clear crypto Entries, creatingSet session-key command Set transform-set command Features Handling Monitoring and maintaining 4 Overview Handling VPN Acceleration Module see VAM 1IN-4
Top Page Image Contents