800 553-NETS Fax 408
C7200 VSA VPN Services Adapter Installation and Configuration Guide
Corporate Headquarters
Cisco Systems, Inc 170 West Tasman Drive San Jose, CA
Turn the television or radio antenna until the interference stops
Preface
Features
Definitions of Service Request Severity
Contents
Removing and Installing the VSA
The Crypto Transform Configuration Mode
Configuration Tasks
Safety Warnings
Troubleshooting Tips
Verifying the Configuration
Router A Configuration
Router B Configuration
Contents
OL-9129-02
Audience, Warnings, Objectives, Organization
Preface
Audience
Warnings
Objectives
Preparing for Installation
Removing and Installing the VSA
Configuring the VSA
Related Documentation
Obtaining Documentation
Cisco.com
Ordering Documentation
Documentation Feedback
Cisco Product Security Overview
Product Documentation DVD
Reporting Security Problems in Cisco Products
Product Alerts and Field Notices
For emergencies only - security-alert@cisco.com
Obtaining Technical Assistance
Cisco Technical Support & Documentation Website
http://tools.cisco.com/RPF/register/register.do
Submitting a Service Request
Definitions of Service Request Severity
Obtaining Additional Publications and Information
The Cisco Product Quick Reference Guide is a handy, compact reference tool that includes brief product overviews, key features, sample part numbers, and abbreviated technical specifications for many Cisco products that are sold through channel partners. It is updated twice a year and includes the latest Cisco channel product offerings. To order and find out more about the Cisco Product Quick Reference Guide, go to this URL
Data Encryption Overview
Hardware Required, Features
Enabling/Disabling the VSA, LEDs, Connectors
Overview
VSA Overview
Screws
Description/Benefit
Features
Hardware Required
Feature
MIBs
Supported Standards, MIBs, and RFCs
Performance
Standards
Enabling/Disabling the VSA
Disables the C7200 VSA
Enables the C7200 VSA after it has been disabled
LEDs
hw-module slot 0 shutdown - Not supported
no crypto engine slot accelerator 0 - See Table
Cisco 7204VXR Router, Cisco 7206VXR Router
Connectors
Slot Locations
Cisco 7204VXR Router
Figure 1-4 Cisco 7204VXR Router - Front View
Figure 1-5 Cisco 7206VXR - Front View
Cisco 7206VXR Router
Hardware and Software Requirements
Preparing for Installation
Online Insertion and Removal (OIR), Safety Guidelines
Required Tools and Equipment
Platform
Software Requirements
Hardware Requirements
Restrictions
Online Insertion and Removal (OIR)
Safety Guidelines
Safety Warnings
Safety Warnings, Electrical Equipment Guidelines
Preventing Electrostatic Discharge Damage
Electrical Equipment Guidelines
Compliance with U.S. Export Laws and Regulations Regarding Encryption
Handling the VSA, Online Insertion and Removal (OIR)
Removing and Installing the VSA
Warnings and Cautions, VSA Removal and Installation
Handling the VSA
Online Insertion and Removal (OIR)
VSA Removal and Installation
Warnings and Cautions
The safety cover is an integral part of the product. Do not operate the unit without the safety cover installed. Operating the unit without the cover in place will invalidate the safety approvals and pose a risk of fire and electrical hazards
Step 3 Unscrew the screws holding the VSA in the slot
Basic IPSec Configuration Illustration
Configuring the VSA
Configuration Tasks
Overview, Configuration Tasks, Configuration Examples
Configuring IPSec Configuration Example (optional)
Using the EXEC Command Interpreter
Configuring an IKE Policy
Verifying IKE and IPSec Configurations (optional)
Defines an IKE policy and enters Internet Security Association
system reboot
Configuring a Transform Set
Disables VSA
VSA will be enabled after the next
Transform Example
The Crypto Transform Configuration Mode Changing Existing Transforms
Defining a Transform Set
Selecting Appropriate Transforms
ah-sha-hmac
Authentication Transform is used, you must
ESP Authentication Transform Pick up to
ah-md5-hmac
esp-aes and esp-sha-hmac ah-sha-hmac and esp-aes and esp-sha-hmac
The Crypto Transform Configuration Mode
IPSec Protocols AH and ESP
Selecting Appropriate Transforms
Ensuring That Access Lists Are Compatible with IPSec (required)
Configuring IPSec
Ensuring That Access Lists Are Compatible with IPSec
Setting Global Lifetimes for IPSec Security Associations
Router# clear crypto sa spi destination-address
Command
Step
Purpose
Router(config)# ip access-list extended name
Creating Crypto Access Lists
Creating Crypto Map Entries
Router(config-crypto-m)# set session-key inbound ah
spi cipher hex-key-string authenticator
esp spi cipher hex-key-string authenticator
Specifies which transform sets are allowed for the
This is the only configuration statement required in
Creating Dynamic Crypto Maps
Creates a dynamic crypto map entry
Command
Purpose
Monitoring and Maintaining IPSec
Applying Crypto Map Sets to Interfaces
Displays information about IPSec security associations
Verifying IKE and IPSec Configurations
Displays your transform set configuration
Displays your crypto map configuration
Verifying the Configuration
Configuring IKE Policies Example
Configuration Examples
Configuring IKE Policies Example
Configuring IPSec Configuration Example
Basic IPSec Configuration Illustration
Router A Configuration
Router B Configuration
Router# show crypto engine accelerator statistic
Troubleshooting Tips
Router# show diag
Monitoring and Maintaining the VSA
Using Deny Policies in Access Lists
Using Deny Policies in Access Lists, Monitor and Maintenance Commands
Verifies the VSA is currently processing crypto packets
Monitor and Maintenance Commands
Configuration Guidelines and Restrictions
Displays integrated service adapter as part of the interfaces
Index