Chapter 4 Configuring the VPN Acceleration Module

Configuration Tasks

Verifying the Configuration

Some configuration changes take effect only after subsequent security associations are negotiated. For the new settings to take effect immediately, clear the existing security associations.

To clear (and reinitialize) IPSec security associations, use one of the commands in Table 4-2 in global configuration mode:

Table 4-2 Commands to Clear IPSec Security Associations

Command:

clear crypto sa
or
clear crypto sa peer {ip-address | peer-name}
or
clear crypto sa map map-name
or
clear crypto sa spi destination-address protocol spi

Purpose:

Clear IPSec security associations (SAs). Using the clear crypto sa command without parameters clears out the full SA database, which clears out active security sessions. You may also specify the peer, map, or spi keywords to clear out only a subset of the SA database.

The following steps provide information on verifying your configurations:

Step 1 Enter the show crypto ipsec transform-set command to view your transform set configuration:

Router# show crypto ipsec transform-set

Transform set combined-des-md5: {esp-des esp-md5-hmac} will negotiate = {Tunnel,},

Transform set t1: {esp-des esp-md5-hmac} will negotiate = {Tunnel,},

Transform set t100: {ah-sha-hmac} will negotiate = {Transport,},

Transform set t2: {ah-sha-hmac} will negotiate = {Tunnel,}, {esp-des}

will negotiate = {Tunnel,},

Step 2 Enter the show crypto map [interface interface | tag map-name] command to view your crypto map configuration:

Router# show crypto map

Crypto Map: "router-alice" idb: Ethernet0 local address: 172.21.114.123

Crypto Map "router-alice" 10 ipsec-isakmp

Peer = 172.21.114.67

Extended IP access list 141

access-list 141 permit ip

source: addr = 172.21.114.123/0.0.0.0

dest: addr = 172.21.114.67/0.0.0.0 Current peer: 172.21.114.67

Security-association lifetime: 4608000 kilobytes/120 seconds

PFS (Y/N): N

Transform sets={t1,}

Step 3 Enter the show crypto ipsec sa [map map-name | address | identity | detail | interface] command to view information about IPSec security associations.

Router# show crypto ipsec sa

interface: Ethernet0

Crypto map tag: router-alice, local addr. 172.21.114.123

local ident (addr/mask/prot/port): (172.21.114.123/255.255.255.255/0/0)
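The checks in Step 1 and Step 2 above can be scripted against saved command output. The following Python is an added example, not code from the Cisco guide; the function names and the WEAK policy set (which reports DES, null encryption and MD5-based HMAC transforms as findings) are assumptions of the example.

```python
import re
# Sample output copied from Step 1 and Step 2 above (blank lines removed).
TRANSFORM_SETS = """\
Transform set t1: {esp-des esp-md5-hmac} will negotiate = {Tunnel,},
Transform set t2: {ah-sha-hmac} will negotiate = {Tunnel,}, {esp-des}
will negotiate = {Tunnel,},
"""
CRYPTO_MAP = """\
Crypto Map: "router-alice" idb: Ethernet0 local address: 172.21.114.123
Crypto Map "router-alice" 10 ipsec-isakmp
PFS (Y/N): N
Transform sets={t1,}
"""
# Audit policy assumed for this example; the guide does not define one.
WEAK = {"esp-des", "esp-null", "esp-md5-hmac", "ah-md5-hmac"}

def parse_transform_sets(text):
    """Map each transform set name to the list of transforms it contains."""
    sets = {}
    parts = re.split(r"Transform set\s+(\S+?):", text)[1:]
    for name, body in zip(parts[0::2], parts[1::2]):
        # Drop "will negotiate = {...}" mode groups; the remaining {...} hold transforms.
        body = re.sub(r"will negotiate\s*=\s*\{[^}]*\}", "", body)
        sets[name] = [t for g in re.findall(r"\{([^}]*)\}", body) for t in g.split()]
    return sets

def parse_crypto_map(text):
    """Return (entry, pfs_enabled, [transform set names]) per numbered map entry."""
    entries = []
    pattern = r'Crypto Map "([^"]+)" (\d+) \S+(.*?)(?=Crypto Map "|\Z)'
    for name, seq, body in re.findall(pattern, text, re.S):
        pfs = re.search(r"PFS \(Y/N\):\s*Y", body) is not None
        ts = re.search(r"Transform sets=\{([^}]*)\}", body)
        names = [s.strip() for s in ts.group(1).split(",") if s.strip()] if ts else []
        entries.append((f"{name} {seq}", pfs, names))
    return entries

def audit(transform_text, map_text):
    """List findings: weak or undefined transform sets, and PFS turned off."""
    defined, findings = parse_transform_sets(transform_text), []
    for entry, pfs, names in parse_crypto_map(map_text):
        for ts in names:
            weak = sorted(WEAK.intersection(defined.get(ts, [])))
            if ts not in defined:
                findings.append(f"{entry}: transform set {ts} is not defined")
            elif weak:
                findings.append(f"{entry}: transform set {ts} uses {', '.join(weak)}")
        if not pfs:
            findings.append(f"{entry}: PFS is off")
    return findings
```

Calling audit(TRANSFORM_SETS, CRYPTO_MAP) on the sample returns two findings for entry router-alice 10: transform set t1 uses esp-des and esp-md5-hmac, and PFS is off.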

Cisco 7401ASR Installation and Configuration Guide


OL-5419-01 B0

 

 
