Chapter 4 Configuring the VSA
Configuration Tasks
| Command | Purpose |
|
|
|
Step 3 | (Optional) Accesses list number or name of an | |
| extended access list. This access list determines | |
|
| which traffic should be protected by IPSec and which |
|
| traffic should not be protected by IPSec security in |
|
| the context of this crypto map entry. |
|
| Note Although |
|
| dynamic crypto maps, they are highly |
|
| recommended. |
|
| If this is configured, the data flow identity proposed |
|
| by the IPSec peer must fall within a permit statement |
|
| for this crypto access list. |
|
| If this is not configured, the router will accept any |
|
| data flow identity proposed by the IPSec peer. |
|
| However, if this is configured but the specified |
|
| access list does not exist or is empty, the router will |
|
| drop all packets. This is similar to static crypto maps |
|
| because they also require that an access list be |
|
| specified. |
|
| Care must be taken if the any keyword is used in the |
|
| access list, because the access list is used for packet |
|
| filtering as well as for negotiation. |
|
|
|
Step 4 | (Optional) Specifies a remote IPSec peer. Repeat for | |
| multiple remote peers. | |
|
| This is rarely configured in dynamic crypto map |
|
| entries. Dynamic crypto map entries are often used |
|
| for unknown remote peers. |
|
|
|
Step 5 | (Optional) If you want the security associations for | |
| lifetime seconds seconds | this crypto map to be negotiated using shorter IPSec |
| and | security association lifetimes than the globally |
| specified lifetimes, specify a key lifetime for the | |
|
| |
| Router | crypto map entry. |
| lifetime kilobytes kilobytes |
|
|
|
|
Step 6 | (Optional) Specifies that IPSec should ask for perfect | |
| group5] | forward secrecy when requesting new security |
|
| associations for this crypto map entry or should |
|
| demand perfect forward secrecy in requests received |
|
| from the IPSec peer. |
|
|
|
Step 7 | Exits | |
|
| global configuration mode. |
|
|
|
Step 8 | Repeat these steps to create additional crypto map entries as required. | |
|
|
|
C7200 VSA (VPN Services Adapter) Installation and Configuration Guide
|
| ||
|
|