Cisco Systems C7200 Monitoring and Maintaining IPSec, Applying Crypto Map Sets to Interfaces

Page 48

Chapter 4 Configuring the VSA

Configuration Tasks

To add a dynamic crypto map set into a crypto map set, use the following command in global configuration mode:

Command

Purpose

 

 

Router(config)# crypto map map-nameseq-num

Adds a dynamic crypto map set to a static crypto

ipsec-isakmp dynamic dynamic-map-name

map set.

 

 

Applying Crypto Map Sets to Interfaces

Apply a crypto map set to each interface through which IPSec traffic will flow. Crypto maps instruct the router to evaluate the interface traffic against the crypto map set and use the specified policy during connection or security association negotiation on behalf of traffic to be protected by crypto.

To apply a crypto map set to an interface, use the following command in interface configuration mode:

Command

Purpose

 

 

Router(config-if)# crypto map map-name

Applies a crypto map set to an interface.

 

 

To specify redundant interfaces and name an identifying interface, use the following command in global configuration mode:

Command

Purpose

 

 

Router(config)# crypto map map-name

Permits redundant interfaces to share the same

local-address interface-id

crypto map, using the same local identity.

 

 

Monitoring and Maintaining IPSec

To clear (and reinitialize) IPSec security associations, use one of the following commands in EXEC or enable mode (see “Using the EXEC Command Interpreter” section on page 4-2for more details):

Command

Purpose

 

 

Router# clear crypto sa

Clears IPSec security associations.

or

Note Using the clear crypto sa command without parameters

will clear out the full SA database, which will clear out

Router# clear crypto sa counters

active security sessions. You may also specify the peer,

 

or

map, or spi keywords to clear out only a subset of the SA

database. For more information, see the clear crypto sa

Router# clear crypto sa peer {ip-address

command.

peer-name}

 

or

 

Router# clear crypto sa map map-name

 

or

 

Router# clear crypto sa spi destination-address

 

protocol spi

 

 

 

C7200 VSA (VPN Services Adapter) Installation and Configuration Guide

4-14

OL-9129-02

 

 

Page 47 Page 49
Image 48
Page 47 Page 49
Contents Corporate Headquarters Text Part Number OL-9129-02Page N T E N T S Preventing Electrostatic Discharge Damage 2 Creating Dynamic Crypto Maps 4 OL-9129-02 Preface AudienceObjectives OrganizationChapter Title Description Related Documentation Obtaining DocumentationCisco.com Documentation Feedback Cisco Product Security OverviewProduct Documentation DVD Ordering Documentation Reporting Security Problems in Cisco Products Product Alerts and Field NoticesObtaining Technical Assistance Cisco Technical Support & Documentation WebsiteSubmitting a Service Request Definitions of Service Request SeverityObtaining Additional Publications and Information Xiv Overview Data Encryption OverviewVSA Overview Screws Handle Status LED light VSA Module Front ViewFeatures This section describes the VSA features, as listed in TableFeature Description/Benefit Hardware RequiredSupported Standards, MIBs, and RFCs PerformanceStandards MIBsCommand Purpose Enabling/Disabling the VSADisabling the VSA during Operation Enabling/Disabling SchemeCondition System is Configured Command Description of VSA BehaviorLEDs Connectors See -2for the VSA connectorsSlot Locations Cisco 7204VXR RouterPort adapter VSA in I/O controller slot Port adapter lever Cisco 7204VXR Router Front ViewCisco 7206VXR Router Cisco 7206VXR Front ViewRequired Tools and Equipment Hardware and Software RequirementsSoftware Requirements Hardware RequirementsRestrictions PlatformSafety Guidelines Safety WarningsOnline Insertion and Removal OIR Electrical Equipment Guidelines Preventing Electrostatic Discharge DamagePreparing for Installation OL-9129-02 Handling the VSA VSA circuit board is sensitive to ESD damageVSA Removal and Installation This section describes how to remove and install the VSARemoving and Installing the VSA VSA Removal and Installation OL-9129-02 Configuration Tasks OverviewUsing the Exec Command Interpreter Configuring an IKE PolicyKey Management Protocol Isakmp policy configuration Config-isakmp modeOptional Specifies the authentication method within an IKE Signatures as the authentication methodConfiguring a Transform Set Disabling VSA OptionalDefining a Transform Set Transform type Description Crypto Transform Configuration Mode IPSec Protocols AH and ESPSelecting Appropriate Transforms Configuring IPSec Ensuring That Access Lists Are Compatible with IPSecSetting Global Lifetimes for IPSec Security Associations Changing Existing TransformsStep Command Purpose Creating Crypto Access Lists Creating Crypto Map EntriesOnly one transform set can be specified when IKE is Authenticator keys if the transform set includes anESP authenticator algorithm Exits crypto-map configuration mode and return toCreating Dynamic Crypto Maps Optional Accesses list number or name of an Extended access list. This access list determinesIf this is configured, the data flow identity proposed For this crypto access listMonitoring and Maintaining IPSec Applying Crypto Map Sets to InterfacesVerifying IKE and IPSec Configurations Router# show crypto isakmp policyVerifying the Configuration Currentpeer 172.21.114.67 PERMIT, flags=originisacl Configuration Examples Configuring IKE Policies ExampleConfiguring IPSec Configuration Example This section provides the following configuration examplesBasic IPSec Configuration Illustration Router a ConfigurationCrypto map is applied to an interface Router B Configuration Transform set defines how the traffic will be protectedSpecify the parameters to be used during an IKE negotiation Troubleshooting Tips Router# show diagTunnel I/F Using Deny Policies in Access Lists Monitoring and Maintaining the VSAMonitor and Maintenance Commands Configuration Guidelines and RestrictionsD E Sa command, clear crypto Entries, creating Set pfs commandSet session-key command Set transform-set command Features Handling Monitoring and maintaining 4 Overview Handling VPN Acceleration Module see VAM 1IN-4
Top Page Image Contents