Cisco Systems C7200 manual Verifying the Configuration

Page 50

Chapter 4 Configuring the VSA

Configuration Tasks

Verifying the Configuration

Some configuration changes take effect only after subsequent security associations are negotiated. For the new settings to take effect immediately, clear the existing security associations.

To clear (and reinitialize) IPSec security associations, use one of the commands in Table 4-2 in EXEC or enable mode (see the "Using the EXEC Command Interpreter" section on page 4-2 for more details):

Table 4-2 Commands to Clear IPSec Security Associations

Command                                                 Purpose

clear crypto sa                                         Clear IPSec security associations (SAs).
or                                                      Using the clear crypto sa command without
clear crypto sa peer {ip-address | peer-name}           parameters clears out the full SA database, which
or                                                      clears out active security sessions. You may also
clear crypto sa map map-name                            specify the peer, map, or spi keywords to clear
or                                                      out only a subset of the SA database.
clear crypto sa spi destination-address protocol spi

The following steps provide information on verifying your configurations:

Step 1 Enter the show crypto ipsec transform-set command to view your transform set configuration:

Router# show crypto ipsec transform-set
Transform set combined-des-md5: {esp-des esp-md5-hmac} will negotiate = {Tunnel,},
Transform set t1: {esp-des esp-md5-hmac} will negotiate = {Tunnel,},
Transform set t100: {ah-sha-hmac} will negotiate = {Transport,},
Transform set t2: {ah-sha-hmac} will negotiate = {Tunnel,},
    {esp-des} will negotiate = {Tunnel,},

Step 2 Enter the show crypto map [interface interface | tag map-name] command to view your crypto map configuration:

Router# show crypto map
Crypto Map: "router-alice" idb: Ethernet0 local address: 172.21.114.123
Crypto Map "router-alice" 10 ipsec-isakmp
        Peer = 172.21.114.67
        Extended IP access list 141
            access-list 141 permit ip
                source: addr = 172.21.114.123/0.0.0.0
                dest:   addr = 172.21.114.67/0.0.0.0
        Current peer: 172.21.114.67
        Security-association lifetime: 4608000 kilobytes/120 seconds
        PFS (Y/N): N
        Transform sets={t1,}

Step 3 Enter the show crypto ipsec sa [map map-name | address | identity | detail | interface] command to view information about IPSec security associations:

Router# show crypto ipsec sa
interface: Ethernet0
    Crypto map tag: router-alice, local addr. 172.21.114.123
    local ident (addr/mask/prot/port): (172.21.114.123/255.255.255.255/0/0)
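As an added example that is not part of the Cisco guide, the following Python script parses the Step 1 and Step 2 output shown above (reproduced inline) and reports crypto map entries that negotiate without PFS or that reference a transform set containing an algorithm on the script's own weak-transform list; that list and the field layout it assumes for the show output are the example's assumptions, not statements from the manual.

```python
import re
# Constructed sample: the Step 1 and Step 2 output from this page (straight quotes as IOS prints them).
TRANSFORM_SET_OUTPUT = """\
Transform set t1: {esp-des esp-md5-hmac} will negotiate = {Tunnel,},
Transform set t100: {ah-sha-hmac} will negotiate = {Transport,},
Transform set t2: {ah-sha-hmac} will negotiate = {Tunnel,}, {esp-des} will negotiate = {Tunnel,},
"""
CRYPTO_MAP_OUTPUT = """\
Crypto Map: "router-alice" idb: Ethernet0 local address: 172.21.114.123
Crypto Map "router-alice" 10 ipsec-isakmp
        Peer = 172.21.114.67
        PFS (Y/N): N
        Transform sets={t1,}
"""
# Transforms this audit flags as weak: the example's own policy, not a statement from the manual.
WEAK_TRANSFORMS = {"esp-des", "esp-md5-hmac", "ah-md5-hmac"}

def parse_transform_sets(text):
    """Map each transform-set name to the transforms it contains ("{Tunnel,}" is mode, skipped)."""
    sets = {}
    for m in re.finditer(r"Transform set (\S+): (.*)", text):
        groups = re.findall(r"\{([^}]*)\}\s+will negotiate", m.group(2))
        sets[m.group(1)] = [t for g in groups for t in g.split()]
    return sets

def parse_crypto_map(text):
    """Return one dict per crypto map entry; the 'Crypto Map: ...' header line is not an entry."""
    entries = []
    for block in re.split(r'(?m)^Crypto Map "', text)[1:]:
        name, seq = re.match(r'([^"]+)" (\d+)', block).group(1, 2)
        peer = re.search(r"Peer = (\S+)", block)
        pfs = re.search(r"PFS \(Y/N\): (\w)", block)
        ts = re.search(r"Transform sets=\{([^}]*)\}", block)
        entries.append({"name": name, "seq": int(seq),
                        "peer": peer.group(1) if peer else None,
                        "pfs": bool(pfs and pfs.group(1) == "Y"),
                        "transform_sets": [t for t in ts.group(1).split(",") if t] if ts else []})
    return entries

def audit(transform_sets, entries):
    """Findings per entry: PFS disabled, or a referenced transform set that uses a weak transform."""
    findings = []
    for e in entries:
        label = f'crypto map {e["name"]} {e["seq"]} (peer {e["peer"]})'
        if not e["pfs"]:
            findings.append(f"{label}: PFS disabled")
        weak = [(s, t) for s in e["transform_sets"]
                for t in transform_sets.get(s, []) if t in WEAK_TRANSFORMS]
        findings += [f"{label}: transform set {s} uses {t}" for s, t in weak]
    return findings
```

Run the same two parsers over captured output from your own router and review the findings before clearing SAs with the Table 4-2 commands, so the new settings are confirmed before the renegotiation.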

C7200 VSA (VPN Services Adapter) Installation and Configuration Guide

4-16

OL-9129-02
