Cisco Systems SM-ISM, SA-ISA manual Defining a Transform Set

Page 41

Chapter 4 Configuring the ISA and ISM

Configuring IPSec

Later, you will associate the crypto access lists with particular interfaces when you configure and apply crypto map sets to those interfaces (following the instructions in the “Creating Crypto Maps” section on page 4-7).

Note IKE uses UDP port 500. The IPSec Encapsulation Security Protocol (ESP) and Authentication Header (AH) protocols use protocol numbers 50 and 51. Ensure that your interface access lists are configured so that protocol numbers 50, 51, and UDP port 500 traffic are not blocked at interfaces used by IPSec. In some cases you might need to add a statement to your access lists to explicitly permit this traffic.

To create crypto access lists, use the following commands in global configuration mode:

Step 1
    Command:  access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard [log]
              or
              ip access-list extended name
    Purpose:  Specify conditions to determine which IP packets are protected (see note 1 below). (Enable or disable encryption for traffic that matches these conditions.)
              We recommend that you configure “mirror image” crypto access lists for use by IPSec and that you avoid using the any keyword.

Step 2
    Command:  Add permit and deny statements as appropriate.

Step 3
    Command:  end
    Purpose:  Exit the configuration command mode.

1. You specify conditions using an IP access list designated by either a number or a name. The access-list command designates a numbered extended access list; the ip access-list extended command designates a named access list.
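The two checks the preceding table and note ask for (mirror-image crypto access lists on both peers, no any keyword, and interface access lists that let IKE, ESP and AH through) can be audited offline from the configuration text. The following Python script is an added example, not code from the Cisco manual or from Cisco IOS: it parses numbered extended access-list lines of the form shown in the table, swaps source and destination to compute the mirror image each peer should hold, and confirms the interface access list permits UDP 500, ESP and AH (IOS keywords esp and ahp). The peer configurations PEER_A and PEER_B are constructed for the example; the permit check is a presence check only and does not evaluate entry order or earlier deny statements.

```python
"""Added example (not from the Cisco manual): audit crypto and interface
access lists for the mirror-image, any-keyword and IKE/ESP/AH conditions."""
from dataclasses import dataclass

# Constructed peer configurations; addresses are documentation ranges.
PEER_A = """
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
access-list 101 permit tcp host 10.1.1.5 host 10.2.2.9 eq 443
access-list 101 permit ip 10.1.3.0 0.0.0.255 10.2.2.0 0.0.0.255 log
access-list 102 permit ip any any
access-list 120 permit udp any host 192.0.2.1 eq 500
access-list 120 permit esp any host 192.0.2.1
access-list 120 permit ahp any host 192.0.2.1
"""
PEER_B = """
access-list 101 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 permit tcp host 10.2.2.9 eq 443 host 10.1.1.5
access-list 120 permit udp any host 198.51.100.1 eq 500
access-list 120 permit esp any host 198.51.100.1
"""

ANY = ("0.0.0.0", "255.255.255.255")  # how 'any' expands


@dataclass(frozen=True)
class Ace:
    """One entry; src and dst are (address, wildcard, port-or-None)."""
    acl: str
    action: str
    proto: str
    src: tuple
    dst: tuple

    def mirror(self):
        """The entry the remote peer must hold: source and destination swapped."""
        return Ace(self.acl, self.action, self.proto, self.dst, self.src)


def _endpoint(tok, i):
    """Parse 'any' | 'host A' | 'A WILDCARD', then an optional 'eq PORT'."""
    if tok[i] == "any":
        addr, wc, i = ANY[0], ANY[1], i + 1
    elif tok[i] == "host":
        addr, wc, i = tok[i + 1], "0.0.0.0", i + 2
    else:
        addr, wc, i = tok[i], tok[i + 1], i + 2
    port = None
    if i < len(tok) and tok[i] == "eq":
        port, i = tok[i + 1], i + 2
    return (addr, wc, port), i


def parse_acl(text):
    """Return the Ace objects found in numbered 'access-list' lines."""
    aces = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list":
            continue
        src, i = _endpoint(tok, 4)
        dst, _ = _endpoint(tok, i)  # a trailing 'log' keyword is ignored
        aces.append(Ace(tok[1], tok[2], tok[3], src, dst))
    return aces


def mirror_image_gaps(local, remote, local_acl, remote_acl):
    """Local crypto ACL entries with no mirror image in the remote peer's ACL."""
    remote_keys = {(a.action, a.proto, a.src, a.dst)
                   for a in remote if a.acl == remote_acl}
    gaps = []
    for a in (x for x in local if x.acl == local_acl):
        m = a.mirror()
        if (m.action, m.proto, m.src, m.dst) not in remote_keys:
            gaps.append(a)
    return gaps


def uses_any(aces, acl):
    """Crypto ACL entries that rely on the discouraged any keyword."""
    return [a for a in aces if a.acl == acl
            and (a.src[:2] == ANY or a.dst[:2] == ANY)]


# Traffic the interface ACL must permit, from the manual's note.
REQUIRED = [("IKE (UDP 500)", "udp", "500"),
            ("ESP (IP protocol 50)", "esp", None),
            ("AH (IP protocol 51)", "ahp", None)]


def missing_ipsec_permits(aces, acl):
    """Required IPSec traffic with no permit entry in the interface ACL."""
    missing = []
    for label, proto, port in REQUIRED:
        hit = any(a.acl == acl and a.action == "permit"
                  and a.proto in ("ip", proto)
                  and (a.proto == "ip" or a.dst[2] in (None, port))
                  for a in aces)
        if not hit:
            missing.append(label)
    return missing
```

Run against the constructed peers, ACL 101 on PEER_A has one entry (the 10.1.3.0 network) that PEER_B does not mirror, ACL 102 on PEER_A uses the any keyword, and PEER_B's interface ACL 120 permits IKE and ESP but not AH.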

For detailed information on configuring access lists, refer to the “Configuring IPSec Network Security” chapter in the Security Configuration Guide publication. This chapter contains information on the following topics:

Crypto Access List Tips

Defining Mirror Image Crypto Access Lists at Each IPSec Peer

Using the any Keyword in Crypto Access Lists

Defining a Transform Set

A transform set represents a certain combination of security protocols and algorithms. During the IPSec security association negotiation, the peers agree to use a particular transform set for protecting a particular data flow.

You can specify multiple transform sets, and then specify one or more of these transform sets in a crypto map entry. The transform set defined in the crypto map entry is used in the IPSec security association negotiation to protect the data flows specified by that crypto map entry’s access list.

During IPSec security association negotiations with IKE, the peers search for a transform set that is the same at both peers. When such a transform set is found, it is selected and is applied to the protected traffic as part of both peers’ IPSec security associations.

With manually established security associations, there is no negotiation with the peer, so both sides must specify the same transform set.
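The matching rule described in the last three paragraphs (IKE selects a transform set that is identical on both peers; manual security associations require both sides to configure the same set) is illustrated by the following Python script, an added example that is not code from the Cisco manual or from Cisco IOS. It reads crypto ipsec transform-set lines and the order in which a crypto map entry offers them, then compares transform contents rather than names. The peer configurations PEER_A, PEER_B and PEER_C are constructed; treating the initiator's offer order as its preference and requiring a manual entry to name exactly one set are this example's simplifications (real IKE negotiation also compares mode, lifetimes and other attributes not modelled here).

```python
"""Added example (not from the Cisco manual): find the transform set that is
identical on two peers, and check the manual-SA requirement."""
import re

# Constructed configurations for three peers.
PEER_A = """
crypto ipsec transform-set STRONG esp-aes esp-sha-hmac
crypto ipsec transform-set LEGACY esp-3des esp-md5-hmac
crypto map VPN 10 ipsec-isakmp
 set transform-set STRONG LEGACY
"""
PEER_B = """
crypto ipsec transform-set AES esp-sha-hmac esp-aes
crypto ipsec transform-set OLD esp-des esp-md5-hmac
crypto map VPN 10 ipsec-isakmp
 set transform-set OLD AES
"""
PEER_C = """
crypto ipsec transform-set WEAK esp-des
crypto map VPN 10 ipsec-isakmp
 set transform-set WEAK
"""

TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")
MAP_RE = re.compile(r"^set transform-set (.+)$")


def parse_peer(config):
    """Return (name -> frozenset of transforms, names offered by the map entry)."""
    sets, offered = {}, []
    for raw in config.splitlines():
        line = raw.strip()
        m = TS_RE.match(line)
        if m:
            # Keyword order inside a transform set does not matter: use a set.
            sets[m.group(1)] = frozenset(m.group(2).split())
            continue
        m = MAP_RE.match(line)
        if m:
            offered = m.group(1).split()
    return sets, offered


def negotiate(initiator, responder):
    """First set in the initiator's offer order whose transforms are identical
    on the responder; returns (initiator_name, responder_name) or None.
    Names may differ between peers; only the contents are compared."""
    i_sets, i_offered = initiator
    r_sets, r_offered = responder
    for iname in i_offered:
        for rname in r_offered:
            if i_sets[iname] == r_sets[rname]:
                return iname, rname
    return None


def manual_sa_consistent(local, remote):
    """Manual SAs do no negotiation: each side must configure exactly one
    transform set (assumption) and the two must be identical."""
    l_sets, l_off = local
    r_sets, r_off = remote
    return (len(l_off) == 1 and len(r_off) == 1
            and l_sets[l_off[0]] == r_sets[r_off[0]])
```

PEER_A and PEER_B agree on the AES/SHA set even though they name it differently and list its keywords in a different order, while PEER_C shares no set with PEER_A, so negotiation fails and no protected flow can be established.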

Integrated Services Adapter and Integrated Services Module Installation and Configuration

 

OL-3575-01 B0

4-5
