Cisco Systems C7200 manual Monitoring and Maintaining the VSA, Using Deny Policies in Access Lists

Chapter 4 Configuring the VSA

Monitoring and Maintaining the VSA

To see if the IKE/IPSec packets are being redirected to the VSA for IKE negotiation and IPSec encryption and decryption, enter the show crypto eli command. The following is sample output when Cisco IOS software redirects packets to the VSA:

Router# show crypto eli
Hardware Encryption : ACTIVE
Number of hardware crypto engines = 1
CryptoEngine VSA details: state = Active
  Capability    : DES, 3DES, AES, RSA
  IKE-Session   :     0 active,  5120 max, 0 failed
  DH            :     0 active,  5120 max, 0 failed
  IPSec-Session :     0 active, 10230 max, 0 failed

When the software crypto engine is active, the show crypto eli command yields no output.
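A monitoring job that parses this output and flags the conditions worth acting on (no output because the software engine is active, failed session setups, a pool near its maximum). This is an added example, not Cisco code; the sample text is constructed from the values shown above and the 80 % utilization threshold is an assumption.

```python
"""Added example (not Cisco code): parse the show crypto eli output above and
raise the findings a monitoring job would want: VSA not in use, failed
session setups, or a session pool close to its maximum."""
import re

# Constructed sample, using the values from the manual's example output.
SAMPLE_ELI = """\
Hardware Encryption : ACTIVE
Number of hardware crypto engines = 1
CryptoEngine VSA details: state = Active
  Capability    : DES, 3DES, AES, RSA
  IKE-Session   :     0 active,  5120 max, 0 failed
  DH            :     0 active,  5120 max, 0 failed
  IPSec-Session :     0 active, 10230 max, 0 failed
"""

_POOL_RE = re.compile(r"^\s*(IKE-Session|DH|IPSec-Session)\s*:\s*(\d+)\s+active,"
                      r"\s*(\d+)\s+max,\s*(\d+)\s+failed", re.MULTILINE)

def parse_crypto_eli(text):
    """Return None for empty output (per the manual: the software crypto engine
    is active), otherwise the hardware state, capabilities and pool counters."""
    if not text.strip():
        return None
    state = re.search(r"Hardware Encryption\s*:\s*(\S+)", text)
    caps = re.search(r"Capability\s*:\s*(.+)", text)
    pools = {m.group(1): {"active": int(m.group(2)), "max": int(m.group(3)),
                          "failed": int(m.group(4))} for m in _POOL_RE.finditer(text)}
    return {"hardware": state.group(1) if state else None,
            "capability": [c.strip() for c in caps.group(1).split(",")] if caps else [],
            "pools": pools}

def check_vsa(text, util_warn=0.8):
    """Findings as strings; util_warn (80 % of a pool) is an assumed threshold."""
    parsed = parse_crypto_eli(text)
    if parsed is None:
        return ["no output: software crypto engine active, VSA not accelerating"]
    findings = []
    if parsed["hardware"] != "ACTIVE":
        findings.append(f"hardware encryption state is {parsed['hardware']}")
    for name, c in parsed["pools"].items():
        if c["failed"]:
            findings.append(f"{name}: {c['failed']} failed")
        if c["max"] and c["active"] / c["max"] >= util_warn:
            findings.append(f"{name}: {c['active']}/{c['max']} in use")
    return findings

if __name__ == "__main__":
    print(check_vsa(SAMPLE_ELI) or "VSA healthy")
```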

When the Cisco IOS software agrees to redirect crypto traffic to the VSA, it prints a message similar to the following:

%ISA-6-INFO:Recognised crypto engine (0) at slot-0

...switching to hardware crypto engine

To disable the VSA, use the configuration mode no crypto engine accelerator <slot> command, as follows:

Router(config)# no crypto engine accelerator 0
...switching to SW crypto engine
Router(config)#
*Feb 6 11:57:26.763: %VPN_HW-6-INFO_LOC: Crypto engine: slot 0 State changed to: Disabled
*Feb 6 11:57:26.779: %PA-3-DEACTIVATED: port adapter in bay [0] powered off.
*Feb 6 11:57:26.779: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
Router(config)#end

Monitoring and Maintaining the VSA

This section includes the following topics:

Using Deny Policies in Access Lists, page 4-23

Monitor and Maintenance Commands, page 4-24

Using Deny Policies in Access Lists

Specifying a deny address range in an access list results in “jump” behavior. When a denied address range is hit, the search “jumps” to the beginning of the access list associated with the next sequence on the crypto map and continues there. If you want to pass clear traffic on these addresses, you must insert the deny address range in the access list of each sequence on the crypto map; in turn, each permit list of addresses inherits all the deny address ranges specified in the access list. A deny address range causes the software to subtract the deny range from each permit list, producing multiple permit address ranges that must be programmed in hardware. As a result, a single deny address range can cause repeated address ranges to be programmed in the hardware, resulting in multiple permit address ranges in a single access list.
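The deny-range subtraction described above, modelled as an added example rather than the manual's own code: each permit prefix has every deny prefix subtracted from it, and the surviving pieces are counted across all crypto-map sequences. The crypto map, prefixes and the two clear-traffic blocks are constructed sample data.

```python
"""Added example (not Cisco code): subtract each deny range in a crypto access
list from every permit range, and count the surviving pieces the hardware must be
programmed with when the same deny is repeated on every crypto-map sequence."""
from ipaddress import IPv4Address, IPv4Network

def subtract_denies(permit, denies):
    """Return the 'first-last' ranges of one permit prefix that survive after
    every deny prefix is removed; each range is a separate hardware entry."""
    net = IPv4Network(permit)
    pieces = [(int(net.network_address), int(net.broadcast_address))]
    for deny in denies:
        dnet = IPv4Network(deny)
        d_lo, d_hi = int(dnet.network_address), int(dnet.broadcast_address)
        kept = []
        for lo, hi in pieces:
            if d_hi < lo or d_lo > hi:      # no overlap: piece survives whole
                kept.append((lo, hi))
                continue
            if lo < d_lo:                   # addresses below the deny range
                kept.append((lo, d_lo - 1))
            if hi > d_hi:                   # addresses above the deny range
                kept.append((d_hi + 1, hi))
        pieces = kept                       # a deny covering a piece removes it
    return [f"{IPv4Address(lo)}-{IPv4Address(hi)}" for lo, hi in pieces]

def hardware_entries(sequences):
    """sequences: list of (permit_prefixes, deny_prefixes), one per crypto-map
    sequence. Returns (total entry count, per-sequence surviving ranges)."""
    per_seq = []
    for permits, denies in sequences:
        ranges = []
        for permit in permits:
            ranges.extend(subtract_denies(permit, denies))
        per_seq.append(ranges)
    return sum(len(r) for r in per_seq), per_seq

# Constructed sample: two blocks must pass in the clear, so the same two deny
# ranges appear in the access list of every sequence on the crypto map.
CLEAR = ["10.1.0.0/16", "10.5.0.0/16"]
SAMPLE_MAP = [
    (["10.0.0.0/8"], CLEAR),
    (["10.0.0.0/8", "192.168.0.0/16"], CLEAR),
    (["10.0.0.0/9"], CLEAR),
]

if __name__ == "__main__":
    total, per_seq = hardware_entries(SAMPLE_MAP)
    print(per_seq)
    print(f"{total} hardware entries for 4 permit statements")
```

Four permit statements with two deny ranges become ten hardware entries; without the denies they would be four.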

C7200 VSA (VPN Services Adapter) Installation and Configuration Guide    OL-9129-02    4-23