Cisco Systems C7200 manual Creating Dynamic Crypto Maps

Chapter 4 Configuring the VSA

Configuration Tasks

Step 5
Command:
Router(config-crypto-m)# set security-association lifetime seconds seconds
and
Router(config-crypto-m)# set security-association lifetime kilobytes kilobytes
Purpose:
(Optional) Specifies a security association lifetime for the crypto map entry. Use this command if you want the security associations for this crypto map entry to be negotiated using different IPSec security association lifetimes than the global lifetimes.

Step 6
Command:
Router(config-crypto-m)# set security-association level per-host
Purpose:
(Optional) Specifies that separate security associations should be established for each source/destination host pair. Without this command, a single IPSec "tunnel" could carry traffic for multiple source hosts and multiple destination hosts. With this command, when the router requests new security associations it will establish one set for traffic between Host A and Host B, and a separate set for traffic between Host A and Host C. Use this command with care, as multiple streams between given subnets can rapidly consume resources.

Step 7
Command:
Router(config-crypto-m)# set pfs [group1 | group2 | group5]
Purpose:
(Optional) Specifies that IPSec should ask for perfect forward secrecy when requesting new security associations for this crypto map entry, or should demand perfect forward secrecy (PFS) in requests received from the IPSec peer.

Step 8
Command:
Router(config-crypto-m)# exit
Purpose:
Exits crypto-map configuration mode and returns to global configuration mode.

 

 

 

Creating Dynamic Crypto Maps

A dynamic crypto map entry is a crypto map entry with some parameters not configured. The missing parameters are later dynamically configured (as the result of an IPSec negotiation). Dynamic crypto maps are only available for use by IKE.

Dynamic crypto map entries are grouped into sets. A set is a group of dynamic crypto map entries all with the same dynamic-map-name, each with a different dynamic-seq-num.

To create a dynamic crypto map entry, use the following commands starting in global configuration mode:

Step 1
Command:
Router(config)# crypto dynamic-map dynamic-map-name dynamic-seq-num
Purpose:
Creates a dynamic crypto map entry.

Step 2
Command:
Router(config-crypto-m)# set transform-set transform-set-name1 [transform-set-name2...transform-set-name6]
Purpose:
Specifies which transform sets are allowed for the crypto map entry. List multiple transform sets in order of priority (highest priority first). This is the only configuration statement required in dynamic crypto map entries.
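As an added example, not taken from the manual, the following IOS configuration fragment ties Steps 5 to 8 of the static crypto map table above to the two dynamic crypto map steps. The map and transform set names, the peer address, the access list, and the crypto ipsec transform-set and ipsec-isakmp dynamic commands are assumptions (standard IOS syntax that this page does not show).

```cisco
! Added example, not from the manual. Names, addresses and the
! access list are constructed placeholders.
!
! Transform set referenced by both entries: ESP with AES-128 and SHA-1 HMAC.
! (crypto ipsec transform-set is standard IOS syntax, not shown on this page.)
crypto ipsec transform-set VSA-TS esp-aes esp-sha-hmac
!
! Static entry for a known peer, using the optional Steps 5 to 7.
crypto map VSA-MAP 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set VSA-TS
 match address 101
 ! Step 5: rekey sooner than the global lifetimes (IOS defaults are
 ! 3600 seconds and 4608000 kilobytes), limiting exposure per SA key.
 set security-association lifetime seconds 1800
 set security-association lifetime kilobytes 2560000
 ! Step 7: require perfect forward secrecy (DH group 5) on every rekey,
 ! so a compromised IKE key does not expose earlier IPSec sessions.
 set pfs group5
 ! Step 6 is deliberately left out: per-host SAs multiply the SA count
 ! for every host pair crossing the subnet pair and can exhaust resources.
 ! set security-association level per-host
 exit
!
! Dynamic crypto map set (Steps 1 and 2 of the dynamic table). Only the
! transform set is mandatory; peer and traffic identity are learned from
! the initiator during IKE negotiation. PFS is still enforced here.
crypto dynamic-map VSA-DYN 10
 set transform-set VSA-TS
 set pfs group5
 exit
!
! Attach the dynamic set to the static map as its lowest-priority entry
! (the ipsec-isakmp dynamic keyword is standard IOS syntax, not on this page).
crypto map VSA-MAP 65535 ipsec-isakmp dynamic VSA-DYN
!
! Crypto access list selecting the traffic protected by entry 10.
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
```

Static entries are evaluated before the dynamic entry because they carry lower sequence numbers, so a known peer never falls through to the dynamic set.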

 

 

C7200 VSA (VPN Services Adapter) Installation and Configuration Guide

4-12

OL-9129-02
