Chapter 4 Configuring the VSA
Configuration Tasks
To add a dynamic crypto map set into a crypto map set, use the following command in global configuration mode:
Command | Purpose |
Router(config)# crypto map | Adds a dynamic crypto map set to a static crypto map set. |
Applying Crypto Map Sets to Interfaces
Apply a crypto map set to each interface through which IPSec traffic will flow. Crypto maps instruct the router to evaluate the interface traffic against the crypto map set and use the specified policy during connection or security association negotiation on behalf of traffic to be protected by crypto.
To apply a crypto map set to an interface, use the following command in interface configuration mode:
Command | Purpose |
| Applies a crypto map set to an interface. |
To specify redundant interfaces and name an identifying interface, use the following command in global configuration mode:
Command | Purpose |
Router(config)# crypto map | Permits redundant interfaces to share the same crypto map, using the same local identity. |
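The three tasks above (referencing a dynamic map set from a static one, applying a map set to interfaces, and sharing one map across redundant interfaces) can be cross-checked offline against a saved configuration. The following is an added example, not part of the Cisco guide: it assumes the standard IOS line forms `crypto dynamic-map`, `crypto map <name> <seq> ipsec-isakmp dynamic <dyn-name>`, `crypto map <name> local-address <interface>` and the interface-level `crypto map <name>`, and every map name, interface name and the function name `audit_crypto_maps` is constructed for illustration.

```python
import re

# Constructed running-config excerpt; all names are placeholders.
SAMPLE_CONFIG = """\
crypto dynamic-map DYN-REMOTE 10
crypto map VPN-MAP local-address Loopback0
crypto map VPN-MAP 10 ipsec-isakmp
crypto map VPN-MAP 65000 ipsec-isakmp dynamic DYN-REMOTE
crypto map BRANCH-MAP 20 ipsec-isakmp dynamic DYN-MISSING
interface Loopback0
interface GigabitEthernet0/1
 crypto map VPN-MAP
interface GigabitEthernet0/2
 crypto map VPN-MAP
interface GigabitEthernet0/3
 crypto map OLD-MAP
"""

def audit_crypto_maps(config):
    """Return (code, detail) findings for inconsistent crypto map wiring."""
    dyn_defined, static_defined, interfaces = set(), set(), set()
    dyn_refs, applied, local_addr, iface = [], [], {}, None
    for line in config.splitlines():
        if not line.startswith(" "):
            iface = None  # an unindented line ends any interface sub-mode
        if m := re.match(r"crypto dynamic-map (\S+) \d+", line):
            dyn_defined.add(m[1])
        elif m := re.match(r"crypto map (\S+) local-address (\S+)", line):
            local_addr[m[1]] = m[2]
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-\S+(?: dynamic (\S+))?", line):
            static_defined.add(m[1])
            if m[2]:
                dyn_refs.append((m[1], m[2]))
        elif m := re.match(r"interface (\S+)", line):
            iface = m[1]
            interfaces.add(iface)
        elif iface and (m := re.match(r" crypto map (\S+)$", line)):
            applied.append((iface, m[1]))
    findings = [("undefined-dynamic-map", f"{s} -> {d}")
                for s, d in dyn_refs if d not in dyn_defined]
    findings += [("undefined-crypto-map", f"{i} -> {n}")
                 for i, n in applied if n not in static_defined]
    used = {n: [i for i, x in applied if x == n] for _, n in applied}
    findings += [("map-not-applied", n) for n in sorted(static_defined - set(used))]
    findings += [("shared-without-local-address", n) for n, ifs in used.items()
                 if len(ifs) > 1 and n not in local_addr]
    findings += [("local-address-unknown-interface", f"{n} -> {i}")
                 for n, i in local_addr.items() if i not in interfaces]
    return findings
```

A `shared-without-local-address` finding is a prompt to review the design rather than an error: it marks a map applied to several interfaces with no identifying interface named, so the interfaces do not share one local identity.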
Monitoring and Maintaining IPSec
To clear (and reinitialize) IPSec security associations, use one of the following commands in EXEC or enable mode (see “Using the EXEC Command Interpreter” section on page
Command | Purpose |
Router# clear crypto sa | Clears IPSec security associations. |
or | |
Router# clear crypto sa counters | |
or | |
Router# clear crypto sa peer | |
or | |
Router# clear crypto sa map | |
or | |
Router# clear crypto sa spi protocol spi | |

Note: Using the clear crypto sa command without parameters will clear out the full SA database, which will clear out active security sessions. You may also specify the peer, map, or spi keywords to clear out only a subset of the SA database. For more information, see the clear crypto sa command.
C7200 VSA (VPN Services Adapter) Installation and Configuration Guide