Cisco Systems SA-ISA, SM-ISM manual

Chapter 4 Configuring the ISA and ISM

Verifying Configuration

To clear (and reinitialize) IPSec security associations, use one of the following commands in global configuration mode:

Command:

    clear crypto sa
    or
    clear crypto sa peer {ip-address | peer-name}
    or
    clear crypto sa map map-name
    or
    clear crypto sa spi destination-address protocol spi

Purpose:

    Clear IPSec security associations (SAs). Using the clear crypto sa command without parameters clears out the full SA database, which clears out active security sessions. You may also specify the peer, map, or spi keywords to clear out only a subset of the SA database.

To view information about your IPSec configuration, use one or more of the following commands in EXEC mode:

Command and purpose:

    show crypto ipsec transform-set
        View your transform set configuration.

    show crypto map [interface interface | tag map-name]
        View your crypto map configuration.

    show crypto ipsec sa [map map-name | address | identity | detail | interface]
        View information about IPSec security associations.

    show crypto dynamic-map [tag map-name]
        View information about dynamic crypto maps.

    show crypto ipsec security-association-lifetime
        View global security association lifetime values.

The following is sample output for the show crypto ipsec transform-set command. This command shows the type of transform set configured on the router.

    Router# show crypto ipsec transform-set
    Transform set combined-des-md5: {esp-des esp-md5-hmac}
       will negotiate = {Tunnel,},
    Transform set t1: {esp-des esp-md5-hmac}
       will negotiate = {Tunnel,},
    Transform set t100: {ah-sha-hmac}
       will negotiate = {Transport,},
    Transform set t2: {ah-sha-hmac}
       will negotiate = {Tunnel,},
       {esp-des}
       will negotiate = {Tunnel,},
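The output above is easy to read by eye on one router, but an operator auditing many devices wants it parsed. The following Python script is an added example, not part of the Cisco manual: it parses text in the exact layout of the show crypto ipsec transform-set output shown above (the sample is embedded so the script runs offline), keeps every transform line of a set together with the mode it negotiates, and flags transform sets that still use DES or MD5-HMAC. The WEAK_TRANSFORMS list is this example's own judgement about which transforms no longer meet current guidance; the manual itself makes no such statement.

```python
import re

# Constructed sample in the same layout as the manual's
# "show crypto ipsec transform-set" output, embedded so the example runs offline.
SAMPLE_OUTPUT = """\
Router# show crypto ipsec transform-set
Transform set combined-des-md5: {esp-des esp-md5-hmac}
   will negotiate = {Tunnel,},
Transform set t1: {esp-des esp-md5-hmac}
   will negotiate = {Tunnel,},
Transform set t100: {ah-sha-hmac}
   will negotiate = {Transport,},
Transform set t2: {ah-sha-hmac}
   will negotiate = {Tunnel,},
   {esp-des}
   will negotiate = {Tunnel,},
"""

# Transforms this example treats as weak (56-bit DES, deprecated MD5 HMAC,
# and null encryption). This is the example's own list, not from the manual.
WEAK_TRANSFORMS = {"esp-des", "esp-md5-hmac", "ah-md5-hmac", "esp-null"}

SET_RE = re.compile(r"^Transform set (\S+):\s*\{([^}]*)\}")   # set name + first transforms
TRANSFORM_RE = re.compile(r"^\s*\{([^}]*)\}\s*$")              # extra transform line in a set
MODE_RE = re.compile(r"^\s*will negotiate = \{(\w+),\},")      # negotiated mode line


def parse_transform_sets(text):
    """Return {set_name: [(transform_list, mode), ...]}.

    A set may carry several transform lines (t2 above has ah-sha-hmac and
    esp-des), each followed by its own "will negotiate" line, so every set
    maps to a list of (transforms, mode) pairs.
    """
    sets = {}
    current = None
    pending = None  # transforms waiting for their "will negotiate" line
    for line in text.splitlines():
        m = SET_RE.match(line)
        if m:
            current = m.group(1)
            sets[current] = []
            pending = m.group(2).split()
            continue
        m = TRANSFORM_RE.match(line)
        if m and current is not None:
            pending = m.group(1).split()
            continue
        m = MODE_RE.match(line)
        if m and current is not None and pending is not None:
            sets[current].append((pending, m.group(1)))
            pending = None
    return sets


def find_weak_sets(sets):
    """Map each transform-set name to the sorted weak transforms it contains."""
    findings = {}
    for name, entries in sets.items():
        weak = sorted({t for transforms, _ in entries for t in transforms
                       if t in WEAK_TRANSFORMS})
        if weak:
            findings[name] = weak
    return findings


if __name__ == "__main__":
    parsed = parse_transform_sets(SAMPLE_OUTPUT)
    for name, entries in parsed.items():
        for transforms, mode in entries:
            print(f"{name}: {' '.join(transforms)} ({mode})")
    for name, weak in find_weak_sets(parsed).items():
        print(f"WEAK {name}: {', '.join(weak)}")
```

Against the sample, the script reports combined-des-md5, t1 and t2 as weak and leaves t100 (ah-sha-hmac only) untouched; the same parser works on output captured from several routers because it keys only on the three line shapes shown above.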

The following is sample output for the show crypto map command. Peer 172.21.114.67 is the IP address of the remote IPSec peer. Extended IP access list 141 lists the access list associated with the crypto map. Current peer indicates the current IPSec peer. Security-association lifetime indicates the lifetime of the security association. PFS N indicates that IPSec does not negotiate perfect forward secrecy when establishing new security associations for this crypto map. Transform sets indicates the name of the transform set that can be used with the crypto map.

    Router# show crypto map
    Crypto Map: "router-alice" idb: Ethernet0 local address: 172.21.114.123

    Crypto Map "router-alice" 10 ipsec-isakmp
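The paragraph above names the fields of interest in a crypto map entry (peer, access list, current peer, SA lifetime, PFS, transform sets). The following Python script is an added example, not part of the Cisco manual: it parses those fields from text laid out like the show crypto map output and reports entries whose PFS field is N, which the manual explains means IPSec does not negotiate perfect forward secrecy for new SAs under that map. Only the first two output lines come from the manual; the field lines in the embedded sample are constructed by this example in the field order the paragraph describes, with values that are this example's own.

```python
import re

# Constructed sample in the layout of "show crypto map". The first two lines
# match the manual's router-alice example; the indented field lines and their
# values are this example's own.
SAMPLE_OUTPUT = """\
Router# show crypto map
Crypto Map: "router-alice" idb: Ethernet0 local address: 172.21.114.123

Crypto Map "router-alice" 10 ipsec-isakmp
        Peer = 172.21.114.67
        Extended IP access list 141
        Current peer: 172.21.114.67
        Security-association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ t1, }
"""

# Start of one crypto map entry: name, sequence number, type (e.g. ipsec-isakmp).
ENTRY_RE = re.compile(r'^Crypto Map "([^"]+)" (\d+) (\S+)')

# One regex per field the manual's paragraph describes.
FIELD_RES = {
    "peer": re.compile(r"^\s*Peer = (\S+)"),
    "acl": re.compile(r"^\s*Extended IP access list (\S+)"),
    "current_peer": re.compile(r"^\s*Current peer: (\S+)"),
    "lifetime": re.compile(r"^\s*Security-association lifetime: (\d+) kilobytes/(\d+) seconds"),
    "pfs": re.compile(r"^\s*PFS \(Y/N\): ([YN])"),
    "transform_sets": re.compile(r"^\s*Transform sets=\{([^}]*)\}"),
}


def parse_crypto_map(text):
    """Return a list of dicts, one per crypto map entry, with the parsed fields."""
    entries = []
    cur = None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            cur = {"map": m.group(1), "seq": int(m.group(2)), "type": m.group(3)}
            entries.append(cur)
            continue
        if cur is None:          # header lines before the first entry
            continue
        for key, rx in FIELD_RES.items():
            m = rx.match(line)
            if not m:
                continue
            if key == "lifetime":
                cur[key] = (int(m.group(1)), int(m.group(2)))   # (kilobytes, seconds)
            elif key == "transform_sets":
                cur[key] = [t.strip() for t in m.group(1).split(",") if t.strip()]
            else:
                cur[key] = m.group(1)
            break
    return entries


def audit_pfs(entries):
    """List the entries that will not negotiate perfect forward secrecy."""
    findings = []
    for e in entries:
        if e.get("pfs") == "N":
            findings.append(
                f'{e["map"]} {e["seq"]}: PFS (Y/N) is N, no perfect forward secrecy for new SAs'
            )
    return findings


if __name__ == "__main__":
    parsed = parse_crypto_map(SAMPLE_OUTPUT)
    for e in parsed:
        print(e)
    for finding in audit_pfs(parsed):
        print("FINDING", finding)
```

The parser keys on the `Crypto Map "name" seq type` line to start a new entry, so output containing several map entries on one router is handled the same way; fields that are absent from an entry are simply missing from its dict rather than guessed.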

 

Integrated Services Adapter and Integrated Services Module Installation and Configuration

4-10

OL-3575-01 B0
