Cisco Systems 7401ASR Defining Transform Sets

4-4

Cisco 7401ASR Installation and Configuration Guide

OL-5419-01 B0

Chapter4 Configuring the VPN Acceleration Module

Configuration Tasks

Defining Transform Sets

A transform set is a combination of security protocols and algorithms. During the IPSec security

association negotiation, peers agree to use a specific transform set to protect a particular data flow.

To define a transform set, use the following commands, starting in global configuration mode:

Table 4 -1 shows allowed transform combinations.

Command Purpose

Step1 crypto ipsec transform-set

transform-set-name transform1 [transform2

[transform3]]

Defines a transform set and enters crypto

transform configuration mode.

Note Complex rules define which entries

you can use for the transform

arguments. These rules are explained

in the command description for the

crypto ipsec transform-set

command, and Table 4 -1 provides a

list of allowed transform

combinations.

Step2 mode [tunnel | transport] Changes the mode associated with the

transform set. The mode setting is applicable

only to traffic whose source and destination

addresses are the IPSec peer addresses; it is

ignored for all other traffic. (All other traffic

is in tunnel mode only.)

Step3 end Exits the cryptotransform configuration

mode to enabled mode.

Step4 clear crypto sa

or

clear crypto sa peer {ip-address |

peer-name}

or

clear crypto sa map map-name

or

clear crypto sa spi destination-address

protocol spi

Clears existing IPSec security associations so

that any changes to a transform set take effect

on subsequently established security

associations (SAs). (Manually established

SAs are reestablished immediately.)

Using the clear crypto sa command without

parameters clears out the full SA database,

which clears out active security sessions. You

may also specify the peer, map, or entry

keywords to clear out only a subset of the SA

database.

Table4-1 Allowed Transform Combinations

AH Transform1ESP Encryption Transform1ESP Authentication Transform2

Transform Description Transform Description Transform Description

ah-md5-hmac AH with MD5

(HMACvariant)

authentication

algorithm

esp-3des ESP with 168-bit Triple

DES encryption

algorithm

esp-md5-hmac ESP with MD5

(HMAC varian t)

authentication

algorithm

Contents

Main Page CONTENTS Page Page Page Page Page Preface Audience Organization Document Conventions Page xii Warning Definition xiii xiv Terms and Acronyms Page Related Documentation Obtaining Documentation Cisco.com Ordering Documentation Documentation Feedback Obtaining Technical Assistance Cisco Technical Support Website Submitting a Service Request Definitions of Service Request Severity Obtaining Additional Publications and Information Overview and Parts Installation Hardware Overview Front View LEDs Rear View System Board System Management Functions Checking the Shipping Container Contents Installation Checklist Installing the CompactFlash Disk, GBIC, and Port Adapter Installing and Removing the CompactFlash Disk Installing and Removing the Gigabit Interface Converter Page Installing and Removing a Port Adapter or Service Adapter Replacing the SDRAM DIMM Removing the Cover Removing and Installing the SDRAM DIMM Replacing the Cover Rack-Mounting, Tabletop Installation, and Cabling Preparing to Install the Cisco 7401ASR Router Tools and Parts Required Electrical Equipment Guidelines Safety Guidelines Preventing Electrostatic Discharge Damage Electrostatic Discharge Prevention Site Requirement Guidelines Installing the Router General Tabletop or Workbench Installation Rack-Mounting a Cisco 7401ASR Router Attaching the Chassis Rack-Mount and Cable-Management Bracke ts Installing Rack-Mount Brackets on the Front of the Chassis Attaching the Cable-Management Bracket Installing Rack-Mount Brackets on the Rear of the Chassis Installing the Chassis in the Rack Two-Post Rack Installation Four-Post Rack Installation Attaching a Chassis Ground Connection Page Connecting Port Adapter Cables Connecting I/O Cables Connecting Console and Auxiliary Port Cables 1 3 Connecting Native Gigabit Ethernet and Fast Ethernet/Ethernet Cables 4 5 Attaching the Fast Ethernet/Ethernet 10/100 Cables Intra-Building Lightning Protection Attaching the GBIC Interface Cables Attaching Multimode and Single-Mode Optical Fiber Cables Page Mode-Conditioning Patch Cord Description Page Attaching the Mode-Conditioning Patch Cord / / / / / / Attaching the Alarm Port Cable Using the Cable-Management Bracket Connecting Power Connecting AC-Input Power Connecting DC-Input Power Page Page Starting and Configuring Functional Overview Chassis Slot and Logical Interface Numbering Page MAC Address Online Insertion and Removal Environmental Monitoring and Reporting Functions Environmental Monitoring Reporting Functions Page 3-7 With a single 24V DC power supply installed: With a single 48V DC power supply installed: Fan Failures Checking Conditions Prior to System Startup Starting the System and Observing Initial Conditions Configuring a Cisco 7401ASR Router Performing a Basic Configuration Using AutoInstall Performing a Basic Configuration Using the Setup Facility Configuring Global Parameters Page Page Configuring the Native Gigabit Ethernet and Fast Ethernet/Ethernet Interfaces Changing the Media Type Debugging Resetting the Interface Clearing Counters Configuring Port Adapter Interfaces Configuring ATM Interfaces Configuring Fast Ethernet Interfaces Configuring Synchronous Serial Interfaces 3-19 Performing a Basic Configuration Using Global Configuration Mode Saving the Running Configuration to NVRAM Checking the Running Configuration Settings Performing Other Configuration Tasks Replacing or Recovering a Lost Password Overview of the Password Recovery Procedure Details of the Password Recovery Procedure Page Viewing Your System Configuration 3-26 Performing Complex Configurations Page Configuring the VPN Acceleration Module Overview Configuration Tasks Using the EXEC Command Interpreter Configuring IKE Configuring IPSec Creating Crypto Access Lists Defining Transform Sets Creating Crypto Map Entries Verifying the Configuration 4-7 Page Troubleshooting Troubleshooting Overview Problem Solving Using a Subsystems Approach Identifying Startup Problems Troubleshooting the Power Subsystem Troubleshooting the Cooling Subsystem Troubleshooting the I/O Subsystem Troubleshooting the Processor Subsystem Troubleshooting the Port Adapter or Service Adapter Upgrading the Boot Helper (Boot Loader) Image PXF Troubleshooting Information Page Page A Specifications System Specifications Software Requirements Processor Specifications Memory Specifications and Configurations Gigabit Ethernet GBIC Configurations and Port and Cabling Specifications GBIC Cabling and Connection Equipment GBIC-SX or WS-G5484 GBIC-LX/LH or WS-G5486 GBIC-ZX or WS-G5487 Fast Ethernet/Ethernet RJ-45 Port Pinouts 3 34 5 Console and Auxiliary Port Signals and Pinouts Alarm Port Lithium Battery Caution Page B PXF Information Using show Commands B-2 Using the show version Command B-3 Using the show c7400 Command Use the show c7400 command to obtain information about the router. Using the show pxf Commands B-4 show pxf interface show pxf feature ? Sample output for these commands follows. Using the show pxf accounting ? Command and Subcommands The following is an example of the show pxf accounting ? command with sample output: The following is an example of the show pxf accounting summary command with sample output: B-5 The following is an example of the show pxf accounting interface command with sample output: Using the show pxf crash Command The following is an example of the show pxf crash command with sample output: B-6 Using the show pxf info Command The following is an example of the show pxf info command with sample output: Using the show pxf interface Command Using the show pxf feature ? Command and Subcommands The following is an example of the feature-specific show pxf feature ? command with sample output: B-7 show pxf feature cef ? show pxf feature nat ? Router# show pxf feature nat entry Router# show pxf feature nat stat Page C Using the CompactFlash Disk Hardware and Software Requirements Tools and Parts Required Product Description Compatibility Requirements System Memory and Software Image Functions and Interactions Boot Environment Variables Sample Upgrade Process Working with a CompactFlash Disk Software Command Overview Using Software Commands Using the cd Command Using the show Command Using the pwd Command Using the dir Command Using the format Command Using the mkdir Command Using the rmdir Command Using the delete Command Enabling Booting from a CompactFlash Disk Making a CompactFlash Disk-Based Software Image the Bootable Software Image Page D Configuration Register Information Configuration Bit Meanings Bits 03 Bit 6 Bit 7 Bit 8 Bit 10 and Bit 14 Bit 11 and Bit 12 Bit 13 D-5 Displaying the Configuration Register While Running Cisco IOS Displaying the Configuration Register While Running ROM Monitor Setting the Configuration Register While Running Cisco IOS Setting the Configuration Register While Running ROM Monitor D-7 Page INDEX A B C Page D E F G H I K L M N O P R S T V W