Chapter 4 Configuring the VSA

Configuration Tasks

Step 3
Command: Router(config-crypto-m)# match address access-list-id
Purpose: (Optional) Specifies the number or name of an extended access list. This access list determines which traffic should be protected by IPSec and which traffic should not be protected by IPSec in the context of this crypto map entry.

Note: Although access lists are optional for dynamic crypto maps, they are highly recommended.

If an access list is configured, the data flow identity proposed by the IPSec peer must fall within a permit statement of this crypto access list.

If no access list is configured, the router accepts any data flow identity proposed by the IPSec peer, so the peer alone decides which flows the security association covers.

If an access list is configured but the specified access list does not exist or is empty, the router drops all packets. This is similar to static crypto maps, which also require that an access list be specified.

Care must be taken if the any keyword is used in the access list, because the access list is used for packet filtering as well as for negotiation.

Step 4
Command: Router(config-crypto-m)# set peer {hostname | ip-address}
Purpose: (Optional) Specifies a remote IPSec peer. Repeat for multiple remote peers. This is rarely configured in dynamic crypto map entries, because dynamic crypto map entries are usually used for remote peers whose addresses are not known in advance.

Step 5
Command: Router(config-crypto-m)# set security-association lifetime seconds seconds
and
Router(config-crypto-m)# set security-association lifetime kilobytes kilobytes
Purpose: (Optional) If you want the security associations for this crypto map entry to be negotiated with shorter IPSec security association lifetimes than the globally specified lifetimes, specify a key lifetime for the crypto map entry.

Step 6
Command: Router(config-crypto-m)# set pfs [group1 | group2 | group5]
Purpose: (Optional) Specifies that IPSec should ask for perfect forward secrecy (PFS) when requesting new security associations for this crypto map entry, or should demand PFS in requests received from the IPSec peer.

Step 7
Command: Router(config-crypto-m)# exit
Purpose: Exits crypto-map configuration mode and returns to global configuration mode.

Step 8

Repeat these steps to create additional crypto map entries as required.
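The following is an added example, not configuration from the guide or from Cisco, that carries steps 3 through 8 through as one complete dynamic crypto map entry, together with the static crypto map entry and interface binding that make the dynamic map usable. The names (VPN-DYN-ACL, VSA-TS, DYN-MAP, VSA-MAP), the addresses, the lifetimes and the interface are assumptions, and an IKE policy is assumed to have been configured already as described earlier in this chapter.

```cisco
! Added example, not from the C7200 VSA guide: steps 3-8 as one dynamic
! crypto map entry, plus the static map entry and interface binding that
! make it reachable. All names, addresses, lifetimes and the interface are
! assumptions; an IKE policy is assumed to be configured already.
!
! Crypto access list (step 3). Only flows between the hub LAN and the
! address pool used by remote peers are protected. 'permit ip any any'
! is deliberately avoided: the same list also filters packets, so an
! any-based entry would pull every packet leaving the interface into IPSec.
ip access-list extended VPN-DYN-ACL
 permit ip 10.1.0.0 0.0.255.255 10.200.0.0 0.0.255.255
!
! Transform set referenced by the dynamic map entry (step 2 of the table).
crypto ipsec transform-set VSA-TS esp-aes 256 esp-sha-hmac
!
! Dynamic crypto map entry (steps 1 and 3-7). No 'set peer' (step 4):
! the remote peers' addresses are not known in advance.
crypto dynamic-map DYN-MAP 10
 set transform-set VSA-TS
 match address VPN-DYN-ACL
 set security-association lifetime seconds 1800
 set security-association lifetime kilobytes 256000
 set pfs group2
 exit
!
! A dynamic map is only consulted through a static crypto map entry.
! Use the highest sequence number so any static entries are tried first.
crypto map VSA-MAP 65000 ipsec-isakmp dynamic DYN-MAP
!
interface GigabitEthernet0/1
 ip address 192.0.2.1 255.255.255.0
 crypto map VSA-MAP
```

The weak variant of this entry simply omits match address, which makes the router accept whatever data flow identity an authenticated peer proposes. After applying the configuration, show crypto map lists the dynamic entry with its access list, and show crypto ipsec sa shows the local and remote identities negotiated with each peer, so both can be used to confirm that only flows inside VPN-DYN-ACL are accepted.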

 

 

 

C7200 VSA (VPN Services Adapter) Installation and Configuration Guide    OL-9129-02    4-13

 

 

 
