Overview, Configuration Tasks | Cisco Systems C7200 manual

C H A P T E R 4

Configuring the VSA

This chapter contains the information and procedures needed to configure the C7200-VSA (VPN Services Adapter). This chapter contains the following sections:

•Overview, page 4-1

•Configuration Tasks, page 4-1

•Configuration Examples, page 4-18

•Basic IPSec Configuration Illustration, page 4-19

•Troubleshooting Tips, page 4-21

•Monitoring and Maintaining the VSA, page 4-23

Overview

The VSA in the I/O controller slot provides encryption services for the I/O controller port in the Cisco 7204VXR or Cisco 7206VXR router with a NPE-G2 processor. If you have previously configured IPSec on the router and you install a VSA, the VSA automatically performs encryption services.

Note The Cisco 7204VXR and the 7206VXR routers support a single VSA.

There are no interfaces to configure on the VSA.

This section only contains basic configuration information for enabling encryption and IPSec tunneling services. Refer to the “IP Security and Encryption” part of the Security Configuration Guide and the Security Command Reference guide for detailed configuration information on IPSec, IKE, and CA.

Configuration Tasks

On power up, the VSA is fully functional and does not require any configuration commands. However, for the VSA to provide encryption services, you must complete the steps in the following sections:

•Using the EXEC Command Interpreter, page 4-2(required)

•Configuring an IKE Policy, page 4-2(required)

•Configuring a Transform Set, page 4-4(required)

•Configuring IPSec, page 4-8(required)

C7200 VSA (VPN Services Adapter) Installation and Configuration Guide

	OL-9129-02	4-1

Image 35

Cisco Systems C7200 manual Overview, Configuration Tasks

Contents

Text Part Number OL-9129-02 Corporate HeadquartersPage N T E N T S Preventing Electrostatic Discharge Damage 2 Creating Dynamic Crypto Maps 4 OL-9129-02 Audience Preface Chapter Title Description ObjectivesOrganization Cisco.com Related DocumentationObtaining Documentation Product Documentation DVD Ordering Documentation Documentation FeedbackCisco Product Security Overview Product Alerts and Field Notices Reporting Security Problems in Cisco Products Cisco Technical Support & Documentation Website Obtaining Technical Assistance Obtaining Additional Publications and Information Submitting a Service RequestDefinitions of Service Request Severity Xiv Data Encryption Overview Overview VSA Overview VSA Module Front View Screws Handle Status LED light Hardware Required FeaturesThis section describes the VSA features, as listed in Table Feature Description/Benefit MIBs Supported Standards, MIBs, and RFCsPerformance Standards Enabling/Disabling Scheme Command PurposeEnabling/Disabling the VSA Disabling the VSA during Operation LEDs Condition System is ConfiguredCommand Description of VSA Behavior Cisco 7204VXR Router ConnectorsSee -2for the VSA connectors Slot Locations Cisco 7204VXR Router Front View Port adapter VSA in I/O controller slot Port adapter lever Cisco 7206VXR Front View Cisco 7206VXR Router Hardware and Software Requirements Required Tools and Equipment Platform Software RequirementsHardware Requirements Restrictions Online Insertion and Removal OIR Safety GuidelinesSafety Warnings Preventing Electrostatic Discharge Damage Electrical Equipment Guidelines Preparing for Installation OL-9129-02 VSA circuit board is sensitive to ESD damage Handling the VSA This section describes how to remove and install the VSA VSA Removal and Installation Removing and Installing the VSA VSA Removal and Installation OL-9129-02 Overview Configuration Tasks Configuring an IKE Policy Using the Exec Command Interpreter Signatures as the authentication method Key Management Protocol Isakmp policy configurationConfig-isakmp mode Optional Specifies the authentication method within an IKE Disabling VSA Optional Configuring a Transform Set Defining a Transform Set Transform type Description Selecting Appropriate Transforms Crypto Transform Configuration ModeIPSec Protocols AH and ESP Changing Existing Transforms Configuring IPSecEnsuring That Access Lists Are Compatible with IPSec Setting Global Lifetimes for IPSec Security Associations Step Command Purpose Creating Crypto Map Entries Creating Crypto Access Lists Exits crypto-map configuration mode and return to Only one transform set can be specified when IKE isAuthenticator keys if the transform set includes an ESP authenticator algorithm Creating Dynamic Crypto Maps For this crypto access list Optional Accesses list number or name of anExtended access list. This access list determines If this is configured, the data flow identity proposed Applying Crypto Map Sets to Interfaces Monitoring and Maintaining IPSec Router# show crypto isakmp policy Verifying IKE and IPSec Configurations Verifying the Configuration Currentpeer 172.21.114.67 PERMIT, flags=originisacl This section provides the following configuration examples Configuration ExamplesConfiguring IKE Policies Example Configuring IPSec Configuration Example Crypto map is applied to an interface Basic IPSec Configuration IllustrationRouter a Configuration Specify the parameters to be used during an IKE negotiation Router B ConfigurationTransform set defines how the traffic will be protected Router# show diag Troubleshooting Tips Tunnel I/F Monitoring and Maintaining the VSA Using Deny Policies in Access Lists Configuration Guidelines and Restrictions Monitor and Maintenance Commands D E Set session-key command Set transform-set command Sa command, clear crypto Entries, creatingSet pfs command Handling VPN Acceleration Module see VAM 1 Features Handling Monitoring and maintaining 4 Overview IN-4