Cisco Systems C7200 Verifying IKE and IPSec Configurations, Router# show crypto isakmp policy

Page 49

Chapter 4 Configuring the VSA

Configuration Tasks

To view information about your IPSec configuration, use one or more of the following commands in EXEC mode:

Command

 

Purpose

 

 

 

Router# show crypto

ipsec transform-set

Displays your transform set configuration.

 

 

 

Router# show crypto

map [interface interface

Displays your crypto map configuration.

tag map-name]

 

 

 

 

 

Router# show crypto

ipsec sa [map map-name

Displays information about IPSec security associations.

address identity]

[detail]

 

 

 

 

Router# show crypto

dynamic-map [tag map-name]

Displays information about dynamic crypto maps.

 

 

 

Router# show crypto

ipsec security-association

Displays global security association lifetime values.

lifetime

 

 

 

 

 

Verifying IKE and IPSec Configurations

To view information about your IPSec configurations, use the show crypto ipsec transform-setEXEC command.

Note If a user enters an IPSec transform that the hardware (the IPSec peer) does not support, a warning message will be displayed in the show crypto ipsec transform-setcommand output.

The following sample output from the show crypto ipsec transform-setcommand displays a warning message after a user tries to configure an IPSec transform that the hardware does not support:

Router# show crypto ipsec transform-set

Transform set transform-1:{esp-256-aes esp-md5-hmac} will negotiate = {Tunnel, },

WARNING:encryption hardware does not support transform esp-aes 256 within IPSec transform transform-1

To view information about your IKE configurations, use show crypto isakmp policy EXEC command.

Note If a user enters an IKE encryption method that the hardware does not support, a warning message will be displayed in the show crypto isakmp policy output.

The following sample output from the show crypto isakmp policy command displays a warning message after a user tries to configure an IKE encryption method that the hardware does not support:

Router# show crypto isakmp policy

Protection suite of priority 1

encryption algorithm: AES - Advanced Encryption Standard (256 bit keys).

WARNING:encryption hardware does not support the configured encryption method for ISAKMP policy 1

hash algorithm:

Secure Hash Standard

authentication method:

Pre-Shared Key

Diffie-Hellman group:

#1 (768 bit)

lifetime:

3600 seconds, no volume limit

C7200 VSA (VPN Services Adapter) Installation and Configuration Guide

 

OL-9129-02

4-15

 

 

 

Image 49
Contents Text Part Number OL-9129-02 Corporate HeadquartersPage N T E N T S Preventing Electrostatic Discharge Damage 2 Creating Dynamic Crypto Maps 4 OL-9129-02 Audience PrefaceOrganization ObjectivesChapter Title Description Obtaining Documentation Related DocumentationCisco.com Cisco Product Security Overview Documentation FeedbackProduct Documentation DVD Ordering Documentation Product Alerts and Field Notices Reporting Security Problems in Cisco ProductsCisco Technical Support & Documentation Website Obtaining Technical AssistanceDefinitions of Service Request Severity Submitting a Service RequestObtaining Additional Publications and Information Xiv Data Encryption Overview OverviewVSA Overview VSA Module Front View Screws Handle Status LED lightThis section describes the VSA features, as listed in Table FeaturesFeature Description/Benefit Hardware RequiredPerformance Supported Standards, MIBs, and RFCsStandards MIBsEnabling/Disabling the VSA Command PurposeDisabling the VSA during Operation Enabling/Disabling SchemeCommand Description of VSA Behavior Condition System is ConfiguredLEDs See -2for the VSA connectors ConnectorsSlot Locations Cisco 7204VXR RouterCisco 7204VXR Router Front View Port adapter VSA in I/O controller slot Port adapter leverCisco 7206VXR Front View Cisco 7206VXR RouterHardware and Software Requirements Required Tools and EquipmentHardware Requirements Software RequirementsRestrictions PlatformSafety Warnings Safety GuidelinesOnline Insertion and Removal OIR Preventing Electrostatic Discharge Damage Electrical Equipment GuidelinesPreparing for Installation OL-9129-02 VSA circuit board is sensitive to ESD damage Handling the VSAThis section describes how to remove and install the VSA VSA Removal and InstallationRemoving and Installing the VSA VSA Removal and Installation OL-9129-02 Overview Configuration TasksConfiguring an IKE Policy Using the Exec Command InterpreterConfig-isakmp mode Key Management Protocol Isakmp policy configurationOptional Specifies the authentication method within an IKE Signatures as the authentication methodDisabling VSA Optional Configuring a Transform SetDefining a Transform Set Transform type Description IPSec Protocols AH and ESP Crypto Transform Configuration ModeSelecting Appropriate Transforms Ensuring That Access Lists Are Compatible with IPSec Configuring IPSecSetting Global Lifetimes for IPSec Security Associations Changing Existing TransformsStep Command Purpose Creating Crypto Map Entries Creating Crypto Access ListsAuthenticator keys if the transform set includes an Only one transform set can be specified when IKE isESP authenticator algorithm Exits crypto-map configuration mode and return toCreating Dynamic Crypto Maps Extended access list. This access list determines Optional Accesses list number or name of anIf this is configured, the data flow identity proposed For this crypto access listApplying Crypto Map Sets to Interfaces Monitoring and Maintaining IPSecRouter# show crypto isakmp policy Verifying IKE and IPSec ConfigurationsVerifying the Configuration Currentpeer 172.21.114.67 PERMIT, flags=originisacl Configuring IKE Policies Example Configuration ExamplesConfiguring IPSec Configuration Example This section provides the following configuration examplesRouter a Configuration Basic IPSec Configuration IllustrationCrypto map is applied to an interface Transform set defines how the traffic will be protected Router B ConfigurationSpecify the parameters to be used during an IKE negotiation Router# show diag Troubleshooting TipsTunnel I/F Monitoring and Maintaining the VSA Using Deny Policies in Access ListsConfiguration Guidelines and Restrictions Monitor and Maintenance CommandsD E Set pfs command Sa command, clear crypto Entries, creatingSet session-key command Set transform-set command Handling VPN Acceleration Module see VAM 1 Features Handling Monitoring and maintaining 4 OverviewIN-4