
Chapter 4 Configuring the VSA

Configuration Tasks

To change a global lifetime for IPSec security associations, use one or more of the following commands:

Note The clear commands in Step 5 below are in EXEC or enable mode (see the “Using the EXEC Command Interpreter” section on page 4-2 for more details).

Step 1
Command: Router# enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2
Command: Router# configure terminal
Purpose: Enters global configuration mode.

Step 3
Command: Router(config)# crypto ipsec security-association lifetime seconds seconds
Purpose: Changes global lifetime values used when negotiating IPSec security associations (SAs). To reset a lifetime to the default value, use the no form of this command.
Specifies the number of seconds a security association will live before expiring. The default is 3600 seconds (one hour).

Step 4
Command: Router(config)# crypto ipsec security-association lifetime kilobytes kilobytes
Purpose: Changes the global “traffic-volume” lifetime for IPSec SAs.
Specifies the volume of traffic (in kilobytes) that can pass between IPSec peers using a given security association before that security association expires. The default is 4,608,000 kilobytes.

Step 5
Command: Router# clear crypto sa
or
Router# clear crypto sa peer {ip-address | peer-name}
or
Router# clear crypto sa map map-name
or
Router# clear crypto sa spi destination-address protocol spi
Purpose: (Optional) Clears existing security associations. This causes any existing security associations to expire immediately; future security associations will use the new lifetimes. Otherwise, any existing security associations will expire according to the previously configured lifetimes.
Note Using the clear crypto sa command without parameters will clear out the full SA database, which will clear out active security sessions. You may also specify the peer, map, or spi keywords to clear out only a subset of the SA database. For more information, see the clear crypto sa command.
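Added example (not from the Cisco guide): a Python audit script that reads a saved running-config and reports the effective global SA lifetimes, applying the defaults from Steps 3 and 4 when the command is absent or given in its no form. The sample config text and the policy ceilings are constructed assumptions, not captured from a device.

```python
import re

# Defaults for the global IPsec SA lifetimes, as stated in Steps 3 and 4.
DEFAULTS = {"seconds": 3600, "kilobytes": 4_608_000}

# Constructed sample running-config excerpts (not captured from a real device).
SAMPLE_DEFAULT_CONFIG = """\
hostname RouterA
crypto isakmp policy 10
 authentication pre-share
crypto ipsec transform-set TS esp-aes esp-sha-hmac
"""
SAMPLE_TUNED_CONFIG = """\
hostname RouterB
crypto ipsec security-association lifetime seconds 1800
crypto ipsec security-association lifetime kilobytes 2560000
crypto ipsec transform-set TS esp-aes esp-sha-hmac
"""

# Matches both the positive and the "no" form of the global lifetime command.
_LIFETIME_RE = re.compile(
    r"^\s*(?P<neg>no\s+)?crypto ipsec security-association lifetime\s+"
    r"(?P<unit>seconds|kilobytes)(?:\s+(?P<value>\d+))?\s*$",
    re.MULTILINE,
)


def effective_lifetimes(config: str) -> dict:
    """Return the global SA lifetimes a device would actually use.

    An absent command means the default applies, the "no" form resets the
    value to the default, and a later line overrides an earlier one.
    """
    lifetimes = dict(DEFAULTS)
    for m in _LIFETIME_RE.finditer(config):
        unit = m.group("unit")
        if m.group("neg") or m.group("value") is None:
            lifetimes[unit] = DEFAULTS[unit]
        else:
            lifetimes[unit] = int(m.group("value"))
    return lifetimes


def lifetime_findings(config: str, ceilings: dict = DEFAULTS) -> list:
    """Flag effective lifetimes above a site ceiling (ceilings are assumed policy)."""
    eff = effective_lifetimes(config)
    return [f"{unit} lifetime {eff[unit]} exceeds ceiling {limit}"
            for unit, limit in ceilings.items() if eff[unit] > limit]
```

Run it against a config exported with show running-config; a device that never set the command reports the manual's defaults, which is the case to check before assuming a tighter lifetime is in force.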

C7200 VSA (VPN Services Adapter) Installation and Configuration Guide
OL-9129-02
4-9