Chapter 4 Configuring the VPN Acceleration Module

Configuration Tasks

Configuring IPSec

After you have completed IKE configuration, configure IPSec at each participating IPSec peer. This section contains basic steps to configure IPSec and includes the tasks discussed in the following sections:

Creating Crypto Access Lists, page 4-3

Defining Transform Sets, page 4-4

Creating Crypto Map Entries, page 4-5

Verifying the Configuration, page 4-6

For detailed information on configuring IPSec, refer to the “Configuring IPSec Network Security” chapter in the Security Configuration Guide publication.

Creating Crypto Access Lists

Crypto access lists define which IP traffic will be protected by encryption. Outbound traffic that matches a permit entry is protected by IPSec; traffic that matches no entry is forwarded in the clear. Inbound traffic that matches a permit entry but arrives unprotected is dropped, which is why the entries at the two peers must describe the same flows.

Note IKE uses UDP port 500. The IPSec Encapsulating Security Payload (ESP) and Authentication Header (AH) protocols are IP protocols 50 and 51, not TCP or UDP ports. Ensure that your interface access lists are configured so that IP protocols 50 and 51 and UDP port 500 are not blocked at interfaces used by IPSec. Because every access list ends with an implicit deny, an interface access list that does not explicitly permit this traffic blocks it, so in some cases you might need to add a statement to your access lists to explicitly permit it.

To create crypto access lists, use the following commands in global configuration mode:

Step 1

Command:
access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard [log]
or
ip access-list extended name

Purpose:
Specifies conditions to determine which IP packets are protected.1 (Enable or disable encryption for traffic that matches these conditions.)
We recommend that you configure “mirror image” crypto access lists for use by IPSec and that you avoid using the any keyword.

Step 2

Command:
Add permit and deny statements as appropriate.

Purpose:
Adds permit or deny statements to access lists.

Step 3

Command:
end

Purpose:
Exits the configuration command mode.

1. You specify conditions using an IP access list designated by either a number or a name. The access-list command designates a numbered extended access list; the ip access-list extended command designates a named access list.

For detailed information on configuring access lists, refer to the “Configuring IPSec Network Security” chapter in the Security Configuration Guide publication.
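The two recommendations above (mirror-image crypto access lists, no any keyword) and the note about letting IKE, ESP and AH through interface access lists are easy to get wrong by hand. The following Python checker is an added example, not part of the original manual and not Cisco code. It parses a small subset of IOS extended access-list syntax (numbered and named entries, host/any/wildcard addresses, an optional eq port) and reports, for two peers, which crypto entries lack a mirror-image counterpart on the other side, which entries use any, and which of IKE/ESP/AH an inbound interface access list would still block. The router addresses, access-list names and numbers and all entries are constructed sample data.

```python
"""Sanity-check IOS crypto access lists and interface access lists for IPSec.

Added example: parses a subset of IOS extended ACL syntax, checks that two
peers' crypto ACLs are mirror images, flags 'any', and checks that an inbound
interface ACL permits IKE (udp/500), ESP (50) and AH (51) from the peer.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, List

PORT_NAMES = {"isakmp": "500"}                    # IOS keyword -> port number
PROTO_NUMS = {"udp": "17", "tcp": "6", "esp": "50", "ahp": "51", "icmp": "1"}


@dataclass(frozen=True)
class Ace:
    """One access control entry; addresses stored as (address, wildcard)."""
    action: str
    protocol: str
    src: str
    src_wc: str
    src_port: Optional[str]
    dst: str
    dst_wc: str
    dst_port: Optional[str]

    def mirror(self) -> "Ace":
        """The entry the peer must have: source and destination swapped."""
        return Ace(self.action, self.protocol, self.dst, self.dst_wc, self.dst_port,
                   self.src, self.src_wc, self.src_port)


def _addr(tok):
    """Consume one address spec (any | host A | A WC) plus optional 'eq port'."""
    if tok[0] == "any":
        addr, wc, tok = "0.0.0.0", "255.255.255.255", tok[1:]
    elif tok[0] == "host":
        addr, wc, tok = tok[1], "0.0.0.0", tok[2:]
    else:
        addr, wc, tok = tok[0], tok[1], tok[2:]
    port = None
    if tok and tok[0] == "eq":
        port, tok = PORT_NAMES.get(tok[1], tok[1]), tok[2:]
    return addr, wc, port, tok


def parse_acl(text: str) -> List[Ace]:
    """Parse 'access-list N ...' lines and the entries of a named extended ACL."""
    aces = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] in ("ip", "!", "remark"):   # header, comment, remark
            continue
        if tok[0] == "access-list":
            tok = tok[2:]                                 # drop 'access-list <number>'
        action, proto, tok = tok[0], tok[1], tok[2:]
        src, src_wc, sport, tok = _addr(tok)
        dst, dst_wc, dport, tok = _addr(tok)              # trailing 'log' is ignored
        aces.append(Ace(action, proto, src, src_wc, sport, dst, dst_wc, dport))
    return aces


def mirror_violations(local: List[Ace], remote: List[Ace]) -> List[Ace]:
    """Local entries whose mirror image is missing from the peer's crypto ACL."""
    remote_set = set(remote)
    return [a for a in local if a.mirror() not in remote_set]


def uses_any(aces: List[Ace]) -> List[Ace]:
    """Entries that used the 'any' keyword (parsed as wildcard 255.255.255.255)."""
    return [a for a in aces if "255.255.255.255" in (a.src_wc, a.dst_wc)]


def _covers(addr: str, wc: str, target: str) -> bool:
    """IOS wildcard match: bits set in the wildcard are 'don't care'."""
    a, w, t = (int(ipaddress.IPv4Address(x)) for x in (addr, wc, target))
    mask = 0xFFFFFFFF ^ w
    return (a & mask) == (t & mask)


def _first_match(aces, proto, peer, local, port):
    """First-match evaluation of an inbound ACL; implicit deny at the end."""
    for a in aces:
        p = PROTO_NUMS.get(a.protocol, a.protocol)
        if p != "ip" and p != proto:
            continue
        if not (_covers(a.src, a.src_wc, peer) and _covers(a.dst, a.dst_wc, local)):
            continue
        if a.dst_port not in (None, port):
            continue
        return a.action
    return "deny"


def ipsec_blocked(interface_aces: List[Ace], local: str, peer: str) -> List[str]:
    """Names of IKE/ESP/AH that the inbound interface ACL does not permit from peer."""
    required = {"ike": ("17", "500"), "esp": ("50", None), "ah": ("51", None)}
    return sorted(name for name, (proto, port) in required.items()
                  if _first_match(interface_aces, proto, peer, local, port) != "permit")


# Constructed sample data: router A (203.0.113.2) protects 10.1.0.0/16,
# router B (198.51.100.2) protects 10.2.0.0/16. B's second entry is not mirrored
# on A and uses 'any'; A's inbound interface ACL forgets AH.
ROUTER_A_CRYPTO = """\
ip access-list extended CRYPTO-TO-B
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
"""
ROUTER_B_CRYPTO = """\
access-list 110 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
access-list 110 permit ip 10.2.0.0 0.0.255.255 any
"""
ROUTER_A_OUTSIDE_IN = """\
ip access-list extended OUTSIDE-IN
 permit udp host 198.51.100.2 host 203.0.113.2 eq isakmp
 permit esp host 198.51.100.2 host 203.0.113.2
 deny ip any any log
"""

if __name__ == "__main__":
    a, b = parse_acl(ROUTER_A_CRYPTO), parse_acl(ROUTER_B_CRYPTO)
    print("B entries not mirrored on A:", mirror_violations(b, a))
    print("B entries using any:", uses_any(b))
    print("Blocked on A's outside interface:",
          ipsec_blocked(parse_acl(ROUTER_A_OUTSIDE_IN), "203.0.113.2", "198.51.100.2"))
```

On the sample data the checker reports B's second entry twice (no mirror on A, and it uses any) and reports that A's inbound interface access list blocks AH. The AH finding only matters if a transform set actually uses AH; an ESP-only deployment can leave protocol 51 denied. The parser covers only the syntax shown here (no port ranges, object groups or time ranges), so treat it as a review aid, not a replacement for reading the running configuration.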

Cisco 7401ASR Installation and Configuration Guide

 

OL-5419-01 B0

4-3
