Corporate Headquarters
C7200 VSA VPN Services Adapter Installation and Configuration Guide
Cisco Systems, Inc 170 West Tasman Drive San Jose, CA
800 553-NETS Fax 408
Turn the television or radio antenna until the interference stops
Definitions of Service Request Severity
Features
Contents
Preface
Configuration Tasks
The Crypto Transform Configuration Mode
Safety Warnings
Removing and Installing the VSA
Router A Configuration
Verifying the Configuration
Router B Configuration
Troubleshooting Tips
Contents
OL-9129-02
Audience
Preface
Warnings
Audience, Warnings, Objectives, Organization
Removing and Installing the VSA
Preparing for Installation
Configuring the VSA
Objectives
Obtaining Documentation
Related Documentation
Cisco.com
Cisco Product Security Overview
Documentation Feedback
Product Documentation DVD
Ordering Documentation
Product Alerts and Field Notices
Reporting Security Problems in Cisco Products
For emergencies only - security-alert@cisco.com
Cisco Technical Support & Documentation Website
Obtaining Technical Assistance
http://tools.cisco.com/RPF/register/register.do
Definitions of Service Request Severity
Submitting a Service Request
Obtaining Additional Publications and Information
The Cisco Product Quick Reference Guide is a handy, compact reference tool that includes brief product overviews, key features, sample part numbers, and abbreviated technical specifications for many Cisco products that are sold through channel partners. It is updated twice a year and includes the latest Cisco channel product offerings. To order and find out more about the Cisco Product Quick Reference Guide, go to this URL
Enabling/Disabling the VSA, LEDs, Connectors
Hardware Required, Features
Overview
Data Encryption Overview
VSA Overview
Screws
Hardware Required
Features
Feature
Description/Benefit
Performance
Supported Standards, MIBs, and RFCs
Standards
MIBs
Enables the C7200 VSA after it has been
Disables the C7200 VSA
disabled
Enabling/Disabling the VSA
Hw-module slot 0 shutdown -Not supported
LEDs
no crypto engine slot accelerator 0 -See Table
Slot Locations
Connectors
Cisco 7204VXR Router
Cisco 7204VXR Router, Cisco 7206VXR Router
ENABLED
Figure 1-4 Cisco 7204VXR Router - Front View
Cisco 7206VXR Router
Figure 1-5 Cisco 7206VXR - Front View
Online Insertion and Removal (OIR), Safety Guidelines
Preparing for Installation
Required Tools and Equipment
Hardware and Software Requirements
Hardware Requirements
Software Requirements
Restrictions
Platform
Safety Warnings
Safety Guidelines
Safety Warnings, Electrical Equipment Guidelines
Online Insertion and Removal (OIR)
Preventing Electrostatic Discharge Damage
Electrical Equipment Guidelines
Compliance with U.S. Export Laws and Regulations Regarding Encryption
Warnings and Cautions, VSA Removal and Installation
Removing and Installing the VSA
Handling the VSA
Handling the VSA, Online Insertion and Removal (OIR)
Warnings and Cautions
VSA Removal and Installation
The safety cover is an integral part of the product. Do not operate the unit without the safety cover installed. Operating the unit without the cover in place will invalidate the safety approvals and pose a risk of fire and electrical hazards
Online Insertion and Removal (OIR)
Step 3 Unscrew the screws holding the VSA in the slot
VSA Removal and Installation
Configuration Tasks
Configuring the VSA
Overview, Configuration Tasks, Configuration Examples
Basic IPSec Configuration Illustration
Configuring an IKE Policy
Using the EXEC Command Interpreter
Verifying IKE and IPSec Configurations (optional)
Configuring IPSec Configuration Example (optional)
Defines an IKE policy and enters Internet Security Association
Disables VSA
Configuring a Transform Set
VSA will be enabled after the next system reboot
Defining a Transform Set
The Crypto Transform Configuration Mode Changing Existing Transforms
Selecting Appropriate Transforms
Transform Example
ESP Authentication Transform Pick up to
Authentication Transform is used, you must
ah-md5-hmac
ah-sha-hmac
IPSec Protocols AH and ESP
The Crypto Transform Configuration Mode
Selecting Appropriate Transforms
esp-aes and esp-sha-hmac ah-sha-hmac and esp-aes and esp-sha-hmac
Ensuring That Access Lists Are Compatible with IPSec
Configuring IPSec
Setting Global Lifetimes for IPSec Security Associations
Ensuring That Access Lists Are Compatible with IPSec (required)
Step
Command
Purpose
Router# clear crypto sa spi destination-address
Creating Crypto Map Entries
Creating Crypto Access Lists
Router(config)# ip access-list extended name
spi cipher hex-key-string authenticator
esp spi cipher hex-key-string authenticator
Router(config-crypto-m)# set session-key inbound ah
Creating Dynamic Crypto Maps
This is the only configuration statement required in
Creates a dynamic crypto map entry
Specifies which transform sets are allowed for the
Command
Purpose
Applying Crypto Map Sets to Interfaces
Monitoring and Maintaining IPSec
Displays your transform set configuration
Verifying IKE and IPSec Configurations
Displays your crypto map configuration
Displays information about IPSec security associations
Verifying the Configuration
Configuring IKE Policies Example
Configuration Examples
Configuring IPSec Configuration Example
Configuring IKE Policies Example
Router A Configuration
Basic IPSec Configuration Illustration
Router B Configuration
Troubleshooting Tips
Router# show diag
Router# show crypto engine accelerator statistic
Using Deny Policies in Access Lists
Using Deny Policies in Access Lists
Monitor and Maintenance Commands
Monitoring and Maintaining the VSA
Configuration Guidelines and Restrictions
Monitor and Maintenance Commands
Displays integrated service adapter as part of the interfaces
Verifies the VSA is currently processing crypto packets
Index
creating
definition