Cisco Systems SA-ISA, SM-ISM manual Step Command Purpose

Page 42

Chapter 4 Configuring the ISA and ISM

Configuring IPSec

If you change a transform set definition, the change is only applied to crypto map entries that reference the transform set. The change is not applied to existing security associations but is used in subsequent negotiations to establish new security associations. If you want the new settings to take effect sooner, you can clear all or part of the security association database by using the clear crypto sa command.

To define a transform set, use the following commands, starting in global configuration mode:

Step

Command

Purpose

 

 

 

1.

crypto ipsec transform-set

Define a transform set and enter crypto

 

transform-set-name transform1

transform configuration mode.

 

[transform2 [transform3]]

Complex rules define which entries you can

 

 

 

 

use for the transform arguments. These rules

 

 

are explained in the command description for

 

 

the crypto ipsec transform-set command,

 

 

and Table 4-1 on page 4-7provides a list of

 

 

allowed transform combinations.

 

 

 

2.

mode [tunnel transport]

Change the mode associated with the

 

 

transform set. The mode setting is applicable

 

 

only to traffic whose source and destination

 

 

addresses are the IPSec peer addresses; it is

 

 

ignored for all other traffic. (All other traffic

 

 

is in tunnel mode only.)

 

 

 

3.

end

Exit the crypto transform configuration mode

 

 

to enabled mode.

 

 

 

4.

clear crypto sa

This step clears existing IPSec security

 

or

associations so that any changes to a

 

transform set take effect on subsequently

 

clear crypto sa peer {ip-address

 

established security associations (SAs).

 

peer-name}

(Manually established SAs are reestablished

 

or

immediately.)

 

 

 

clear crypto sa map map-name

Using the clear crypto sa command without

 

parameters clears out the full SA database,

 

or

 

which clears out active security sessions. You

 

 

 

clear crypto sa spi destination-address

may also specify the peer, map, or entry

 

protocol spi

keywords to clear out only a subset of the SA

 

 

database.

 

 

 

Integrated Services Adapter and Integrated Services Module Installation and Configuration

4-6

OL-3575-01 B0

 

 

Page 41 Page 43
Image 42
Page 41 Page 43
Contents Corporate Headquarters Text Part Number OL-3575-01 B0Copyright 1999- 2003 Cisco Systems, Inc All rights reserved N T E N T S Configuring the ISA and ISM Preface ObjectivesInstallation Warning AudienceSection Title Description Document OrganizationDocument Conventions Boldface fontItalic screen font Indicates a comment lineTerms and Acronyms ViiRelated Documentation ViiiCisco 7100 series routers Obtaining Documentation Cisco.comDocumentation CD-ROM Ordering DocumentationDocumentation Feedback Obtaining Technical Assistance Technical Assistance CenterObtaining Additional Publications and Information Cisco TAC Escalation CenterXiv Overview ISA and ISM OverviewData Encryption Overview Features Feature DescriptionPort Adapter Slot Locations on the Supported Platforms Cisco 7100 Series Routers Slot NumberingCisco 7200 Series Routers Slot Numbering Port adapter in slot ISM in slotLEDs LEDsBoot LED Label Color State FunctionOL-3575-01 B0 Preparing for Installation Required Tools and EquipmentPlatform Recommended Minimum Cisco IOS Release Encryption mppe command Safety GuidelinesSafety Warnings ISA and ISA ISA with VAMPreparing for Installation Safety Guidelines Electrical Equipment Guidelines Preventing Electrostatic Discharge DamageOL-3575-01 B0 Removing and Installing the ISA and the ISM Handling the ISA or the ISMOnline Insertion and Removal Handling the ISMRemoving and Installing the ISA and the ISM ISA or ISM Removal and Installation Cisco 7100 Series-Removing and Installing the ISM StepCisco 7200 Series-Removing and Installing the ISA GuideConfiguring the ISA and ISM OverviewEnables Mppe encryption Using the Exec Command InterpreterEnter controller configuration mode on Enabling MppeIdentify the policy to create, and enter Configuring IKEConfig-isakmp command mode Specify the encryption algorithmConfiguring IPSec Creating Crypto Access ListsDefining a Transform Set Step Command Purpose Creating Crypto Maps Access list determines which traffic is Crypto map configuration modeSpecify an extended access list. This Exit crypto map configuration modeApplying Crypto Maps to Interfaces Verifying ConfigurationExit interface configuration mode Apply a crypto map set to an interfaceCommand Purpose Router# show crypto ipsec sa interface Ethernet0 Configuring the ISA and ISM IPSec Example IPSec ExampleRouter B Configuration OL-3575-01 B0 D E IN-2
Top Page Image Contents