Manuals / Cisco Systems / Computer Equipment / Network Cables

Cisco Systems C7200 manual Configuring the VSA, Overview, Configuration Tasks, C H A P T E R

Models: C7200

1 62

Download 62 pages 7.3 Kb

Page 35

Configuring the VSA

C H A P T E R 4

Configuring the VSA

This chapter contains the information and procedures needed to configure the C7200-VSA (VPN Services Adapter). This chapter contains the following sections:

•Overview, page 4-1

•Configuration Tasks, page 4-1

•Configuration Examples, page 4-18

•Basic IPSec Configuration Illustration, page 4-19

•Troubleshooting Tips, page 4-21

•Monitoring and Maintaining the VSA, page 4-23

Overview

The VSA in the I/O controller slot provides encryption services for the I/O controller port in the Cisco 7204VXR or Cisco 7206VXR router with a NPE-G2 processor. If you have previously configured IPSec on the router and you install a VSA, the VSA automatically performs encryption services.

Note The Cisco 7204VXR and the 7206VXR routers support a single VSA.

There are no interfaces to configure on the VSA.

This section only contains basic configuration information for enabling encryption and IPSec tunneling services. Refer to the “IP Security and Encryption” part of the Security Configuration Guide and the Security Command Reference guide for detailed configuration information on IPSec, IKE, and CA.

Configuration Tasks

On power up, the VSA is fully functional and does not require any configuration commands. However, for the VSA to provide encryption services, you must complete the steps in the following sections:

•Using the EXEC Command Interpreter, page 4-2(required)

•Configuring an IKE Policy, page 4-2(required)

•Configuring a Transform Set, page 4-4(required)

•Configuring IPSec, page 4-8(required)

C7200 VSA (VPN Services Adapter) Installation and Configuration Guide

	OL-9129-02	4-1

Image 35

Cisco Systems C7200 manual Configuring the VSA, Overview, Configuration Tasks, Basic IPSec Configuration Illustration, page

Contents

800 553-NETS Fax 408 C7200 VSA VPN Services Adapter Installation and Configuration GuideCorporate Headquarters Cisco Systems, Inc 170 West Tasman Drive San Jose, CATurn the television or radio antenna until the interference stops Preface FeaturesDefinitions of Service Request Severity C O N T E N T SRemoving and Installing the VSA The Crypto Transform Configuration Mode 4Configuration Tasks 4 Safety WarningsTroubleshooting Tips Verifying the Configuration 4Router A Configuration Router B ConfigurationOL-9129-02 ContentsC7200 VSA VPN Services Adapter Installation and Configuration Guide Audience, page Warnings, page Objectives, page Organization, page PrefaceAudience WarningsObjectives Preparing for InstallationRemoving and Installing the VSA Configuring the VSACisco.com Related DocumentationObtaining Documentation Ordering Documentation Documentation FeedbackCisco Product Security Overview Product Documentation DVDFor emergencies only - security-alert@cisco.com Reporting Security Problems in Cisco ProductsProduct Alerts and Field Notices http//tools.cisco.com/RPF/register/register.do Obtaining Technical AssistanceCisco Technical Support & Documentation Website xiii Submitting a Service RequestDefinitions of Service Request Severity Obtaining Additional Publications and InformationThe Cisco Product Quick Reference Guide is a handy, compact reference tool that includes brief product overviews, key features, sample part numbers, and abbreviated technical specifications for many Cisco products that are sold through channel partners. It is updated twice a year and includes the latest Cisco channel product offerings. To order and find out more about the Cisco Product Quick Reference Guide, go to this URL Data Encryption Overview Hardware Required, page Features, pageEnabling/Disabling the VSA, page LEDs, page Connectors, page OverviewVSA Overview Screws Description/Benefit FeaturesHardware Required FeatureMIBs Supported Standards, MIBs, and RFCsPerformance StandardsEnabling/Disabling the VSA Disables the C7200 VSAEnables the C7200 VSA after it has been disabledno crypto engine slot accelerator 0 -See Table LEDsHw-module slot 0 shutdown -Not supported Cisco 7204VXR Router, page Cisco 7206VXR Router, page ConnectorsSlot Locations Cisco 7204VXR RouterChapter 1 Overview Slot Locations C7200 VSA VPN Services Adapter Installation and Configuration GuideENABLED Figure 1-4 Cisco 7204VXR Router - Front ViewFigure 1-5 Cisco 7206VXR - Front View Cisco 7206VXR Router1-10 C7200 VSA VPN Services Adapter Installation and Configuration GuideHardware and Software Requirements Preparing for InstallationOnline Insertion and Removal OIR, page Safety Guidelines, page Required Tools and EquipmentPlatform Software RequirementsHardware Requirements RestrictionsOnline Insertion and Removal OIR Safety GuidelinesSafety Warnings Safety Warnings, page Electrical Equipment Guidelines, pagePreventing Electrostatic Discharge Damage Electrical Equipment GuidelinesCompliance with U.S. Export Laws and Regulations Regarding Encryption Compliance with U.S. Export Laws and Regulations Regarding EncryptionOL-9129-02 Chapter 2 Preparing for InstallationC7200 VSA VPN Services Adapter Installation and Configuration Guide Compliance with U.S. Export Laws and Regulations Regarding EncryptionHandling the VSA, page Online Insertion and Removal OIR, page Removing and Installing the VSAWarnings and Cautions, page VSA Removal and Installation, page Handling the VSAOnline Insertion and Removal OIR VSA Removal and InstallationWarnings and Cautions The safety cover is an integral part of the product. Do not operate the unit without the safety cover installed. Operating the unit without the cover in place will invalidate the safety approvals and pose a risk of fire and electrical hazardsStep 3 Unscrew the screws holding the VSA in the slot OL-9129-02 Chapter 3 Removing and Installing the VSAVSA Removal and Installation C7200 VSA VPN Services Adapter Installation and Configuration GuideBasic IPSec Configuration Illustration, page Configuring the VSAConfiguration Tasks Overview, page Configuration Tasks, page Configuration Examples, pageConfiguring IPSec Configuration Example, page 4-18 optional Using the EXEC Command InterpreterConfiguring an IKE Policy Verifying IKE and IPSec Configurations, page 4-15 optionalDefines an IKE policy and enters Internet Security Association system reboot Configuring a Transform SetDisables VSA VSA will be enabled after the nextTransform Example The Crypto Transform Configuration Mode Changing Existing TransformsDefining a Transform Set Selecting Appropriate Transformsah-sha-hmac Authentication Transform is used, you mustESP Authentication Transform Pick up to ah-md5-hmacesp-aes and esp-sha-hmac ah-sha-hmac and esp-aes and esp-sha-hmac The Crypto Transform Configuration ModeIPSec Protocols AH and ESP Selecting Appropriate TransformsEnsuring That Access Lists Are Compatible with IPSec required Configuring IPSecEnsuring That Access Lists Are Compatible with IPSec Setting Global Lifetimes for IPSec Security AssociationsRouter# clear crypto sa spi destination-address CommandStep PurposeRouterconfig# ip access-list extended name Creating Crypto Access ListsCreating Crypto Map Entries 4-10Routerconfig-crypto-m# set session-key inbound ah 4-11spi cipher hex-key-string authenticator esp spi cipher hex-key-string authenticatorSpecifies which transform sets are allowed for the This is the only configuration statement required inCreating Dynamic Crypto Maps Creates a dynamic crypto map entryPurpose 4-13Command 4-14 Monitoring and Maintaining IPSecApplying Crypto Map Sets to Interfaces Displays information about IPSec security associations Verifying IKE and IPSec ConfigurationsDisplays your transform set configuration Displays your crypto map configuration4-16 Verifying the ConfigurationOL-9129-02 4-17Chapter 4 Configuring the VSA Configuration Tasks C7200 VSA VPN Services Adapter Installation and Configuration GuideConfiguring IKE Policies Example, page Configuration ExamplesConfiguring IKE Policies Example Configuring IPSec Configuration Example4-19 Basic IPSec Configuration IllustrationRouter A Configuration 4-20 Router B ConfigurationRouter# show crypto engine accelerator statistic Troubleshooting Tips4-21 Router# show diagC7200 VSA VPN Services Adapter Installation and Configuration Guide 4-22Chapter 4 Configuring the VSA Troubleshooting Tips Monitoring and Maintaining the VSA Using Deny Policies in Access ListsUsing Deny Policies in Access Lists, page Monitor and Maintenance Commands, pageVerifies the VSA is currently processing crypto packets Monitor and Maintenance CommandsConfiguration Guidelines and Restrictions Displays integrated service adapter as part of the interfacesIN-1 I N D Edefinition IN-2creating 4 IN-3 OL-9129-02 IN-4C7200 VSA VPN Services Adapter Installation and Configuration Guide Index