Cisco Systems C7200 manual Specifies which transform set should be used, Peer, Not used, Protocol

Page 45

Chapter 4 Configuring the VSA

Configuration Tasks

 

Command

Purpose

 

 

 

Step 4

Router(config-crypto-m)# set transform-set

Specifies which transform set should be used.

 

transform-set-name

This must be the same transform set that is specified

 

 

 

 

in the corresponding crypto map entry on the remote

 

 

peer .

 

 

(Only one transform set can be specified when IKE is

 

 

not used.)

 

 

 

Step 5

Router(config-crypto-m)#set session-key inbound ah

Sets the AH Security Parameter Indexes (SPIs) and

 

spi hex-key-string

keys to apply to inbound and outbound protected

 

 

traffic if the specified transform set includes the AH

 

and

protocol.

 

Router(config-crypto-m)#set session-key outbound ah

(This manually specifies the AH security association

 

spi hex-key-string

to be used with protected traffic.)

 

 

 

Step 6

Router(config-crypto-m)#set session-key inbound esp

Sets the ESP Security Parameter Indexes (SPIs) and

 

spi cipher hex-key-string[authenticator

keys to apply to inbound and outbound protected

 

hex-key-string]

traffic if the specified transform set includes the ESP

 

 

 

and

protocol. Specifies the cipher keys if the transform

 

set includes an ESP cipher algorithm. Specifies the

 

Router(config-crypto-m)# set session-key outbound

 

authenticator keys if the transform set includes an

 

esp spi cipher hex-key-string[authenticator

 

ESP authenticator algorithm.

 

hex-key-string]

 

 

 

 

(This manually specifies the ESP security association

 

 

to be used with protected traffic.)

 

 

 

Step 7

Router(config-crypto-m)# exit

Exits crypto-map configuration mode and return to

 

 

global configuration mode.

 

 

 

To create crypto map entries that will use IKE to establish the security associations, use the following commands starting in global configuration mode:

 

Command

Purpose

 

 

 

Step 1

Router(config)# crypto map map-nameseq-num

Names the crypto map entry to create (or modify).

 

ipsec-isakmp

This command puts you into the crypto map

 

 

 

 

configuration mode.

 

 

 

Step 2

Router(config-crypto-m)# match address

Names an extended access list. This access list

 

access-list-id

determines which traffic should be protected by

 

 

IPSec and which traffic should not be protected by

 

 

IPSec security in the context of this crypto map entry.

 

 

 

Step 3

Router(config-crypto-m)# set peer {hostname

Specifies a remote IPSec peer. This is the peer to

 

ip-address}

which IPSec protected traffic can be forwarded.

 

 

Repeat for multiple remote peers.

 

 

 

Step 4

Router(config-crypto-m)# set transform-set

Specifies which transform sets are allowed for this

 

transform-set-name1

crypto map entry. List multiple transform sets in

 

[transform-set-name2...transform-set-name6]

order of priority (highest priority first).

 

 

 

 

 

C7200 VSA (VPN Services Adapter) Installation and Configuration Guide

 

OL-9129-02

4-11

 

 

 

Image 45
Contents Text Part Number OL-9129-02 Corporate HeadquartersPage N T E N T S Preventing Electrostatic Discharge Damage 2 Creating Dynamic Crypto Maps 4 OL-9129-02 Audience PrefaceObjectives OrganizationChapter Title Description Related Documentation Obtaining DocumentationCisco.com Documentation Feedback Cisco Product Security OverviewProduct Documentation DVD Ordering Documentation Product Alerts and Field Notices Reporting Security Problems in Cisco ProductsCisco Technical Support & Documentation Website Obtaining Technical AssistanceSubmitting a Service Request Definitions of Service Request SeverityObtaining Additional Publications and Information Xiv Data Encryption Overview OverviewVSA Overview VSA Module Front View Screws Handle Status LED lightThis section describes the VSA features, as listed in Table FeaturesFeature Description/Benefit Hardware RequiredPerformance Supported Standards, MIBs, and RFCsStandards MIBsEnabling/Disabling the VSA Command PurposeDisabling the VSA during Operation Enabling/Disabling SchemeCondition System is Configured Command Description of VSA BehaviorLEDs See -2for the VSA connectors ConnectorsSlot Locations Cisco 7204VXR RouterCisco 7204VXR Router Front View Port adapter VSA in I/O controller slot Port adapter leverCisco 7206VXR Front View Cisco 7206VXR RouterHardware and Software Requirements Required Tools and EquipmentHardware Requirements Software RequirementsRestrictions PlatformSafety Guidelines Safety WarningsOnline Insertion and Removal OIR Preventing Electrostatic Discharge Damage Electrical Equipment GuidelinesPreparing for Installation OL-9129-02 VSA circuit board is sensitive to ESD damage Handling the VSAThis section describes how to remove and install the VSA VSA Removal and InstallationRemoving and Installing the VSA VSA Removal and Installation OL-9129-02 Overview Configuration TasksConfiguring an IKE Policy Using the Exec Command InterpreterConfig-isakmp mode Key Management Protocol Isakmp policy configurationOptional Specifies the authentication method within an IKE Signatures as the authentication methodDisabling VSA Optional Configuring a Transform SetDefining a Transform Set Transform type Description Crypto Transform Configuration Mode IPSec Protocols AH and ESPSelecting Appropriate Transforms Ensuring That Access Lists Are Compatible with IPSec Configuring IPSecSetting Global Lifetimes for IPSec Security Associations Changing Existing TransformsStep Command Purpose Creating Crypto Map Entries Creating Crypto Access ListsAuthenticator keys if the transform set includes an Only one transform set can be specified when IKE isESP authenticator algorithm Exits crypto-map configuration mode and return toCreating Dynamic Crypto Maps Extended access list. This access list determines Optional Accesses list number or name of anIf this is configured, the data flow identity proposed For this crypto access listApplying Crypto Map Sets to Interfaces Monitoring and Maintaining IPSecRouter# show crypto isakmp policy Verifying IKE and IPSec ConfigurationsVerifying the Configuration Currentpeer 172.21.114.67 PERMIT, flags=originisacl Configuring IKE Policies Example Configuration ExamplesConfiguring IPSec Configuration Example This section provides the following configuration examplesBasic IPSec Configuration Illustration Router a ConfigurationCrypto map is applied to an interface Router B Configuration Transform set defines how the traffic will be protectedSpecify the parameters to be used during an IKE negotiation Router# show diag Troubleshooting TipsTunnel I/F Monitoring and Maintaining the VSA Using Deny Policies in Access ListsConfiguration Guidelines and Restrictions Monitor and Maintenance CommandsD E Sa command, clear crypto Entries, creating Set pfs commandSet session-key command Set transform-set command Handling VPN Acceleration Module see VAM 1 Features Handling Monitoring and maintaining 4 OverviewIN-4