Manuals / Cisco Systems / Computer Equipment / Network Cables

Cisco Systems C7200 manual Defines an IKE policy and enters Internet Security Association

Models: C7200

1 62

Download 62 pages 7.3 Kb

Page 37

Defines an IKE policy and enters Internet Security Association

Chapter 4 Configuring the VSA

Configuration Tasks

To configure an IKE policy, use the following commands beginning in global configuration mode:

	Command	Purpose

Step 1	Router(config)# crypto isakmp policy	Defines an IKE policy and enters Internet Security Association
	priority	Key Management Protocol (ISAKMP) policy configuration
		(config-isakmp) mode.

Step 2	Router(config-isakmp)# encryption {des	Specifies the encryption algorithm within an IKE policy.
	3des aes aes 128 aes 192 aes 256}	• des—Specifies 56-bit DES as the encryption algorithm.
		• des—Specifies 56-bit DES as the encryption algorithm.
		• 3des—Specifies 168-bit DES as the encryption algorithm.
		• aes—Specifies 128-bit AES as the encryption algorithm.
		• aes 128—Specifies 128-bit AES as the encryption algorithm.
		• aes 192—Specifies 192-bit AES as the encryption algorithm.
		• aes 256—Specifies 256-bit AES as the encryption algorithm.

Step 3	Router(config-isakmp)# authentication	(Optional) Specifies the authentication method within an IKE
	{rsa-sig rsa-encr pre-share}	policy.
		• rsa-sig—Specifies Rivest, Shamir, and Adelman (RSA)
		signatures as the authentication method.
		• rsa-encr—Specifies RSA encrypted nonces as the
		authentication method.
		• pre-share—Specifies preshared keys as the authentication
		method.
		Note If this command is not enabled, the default value (rsa-sig)
		will be used.

Step 4	Router(config-isakmp)# lifetime seconds	(Optional) Specifies the lifetime of an IKE security association
		(SA).
		seconds—Number of seconds that each SA should exist before
		expiring. Use an integer from 60 to 86,400 seconds.
		Note If this command is not enabled, the default value (86,400
		seconds [one day]) will be used.

C7200 VSA (VPN Services Adapter) Installation and Configuration Guide

	OL-9129-02	4-3

Image 37

Cisco Systems C7200 manual Defines an IKE policy and enters Internet Security Association

Contents

Corporate Headquarters C7200 VSA VPN Services Adapter Installation and Configuration GuideCisco Systems, Inc 170 West Tasman Drive San Jose, CA 800 553-NETS Fax 408Turn the television or radio antenna until the interference stops Definitions of Service Request Severity FeaturesC O N T E N T S PrefaceConfiguration Tasks 4 The Crypto Transform Configuration Mode 4Safety Warnings Removing and Installing the VSARouter A Configuration Verifying the Configuration 4Router B Configuration Troubleshooting TipsC7200 VSA VPN Services Adapter Installation and Configuration Guide ContentsOL-9129-02 Audience PrefaceWarnings Audience, page Warnings, page Objectives, page Organization, pageRemoving and Installing the VSA Preparing for InstallationConfiguring the VSA ObjectivesObtaining Documentation Related DocumentationCisco.com Cisco Product Security Overview Documentation FeedbackProduct Documentation DVD Ordering DocumentationProduct Alerts and Field Notices Reporting Security Problems in Cisco ProductsFor emergencies only - security-alert@cisco.com Cisco Technical Support & Documentation Website Obtaining Technical Assistancehttp//tools.cisco.com/RPF/register/register.do Definitions of Service Request Severity Submitting a Service RequestObtaining Additional Publications and Information xiiiThe Cisco Product Quick Reference Guide is a handy, compact reference tool that includes brief product overviews, key features, sample part numbers, and abbreviated technical specifications for many Cisco products that are sold through channel partners. It is updated twice a year and includes the latest Cisco channel product offerings. To order and find out more about the Cisco Product Quick Reference Guide, go to this URL Enabling/Disabling the VSA, page LEDs, page Connectors, page Hardware Required, page Features, pageOverview Data Encryption OverviewVSA Overview Screws Hardware Required FeaturesFeature Description/BenefitPerformance Supported Standards, MIBs, and RFCsStandards MIBsEnables the C7200 VSA after it has been Disables the C7200 VSAdisabled Enabling/Disabling the VSAHw-module slot 0 shutdown -Not supported LEDsno crypto engine slot accelerator 0 -See Table Slot Locations ConnectorsCisco 7204VXR Router Cisco 7204VXR Router, page Cisco 7206VXR Router, pageENABLED C7200 VSA VPN Services Adapter Installation and Configuration GuideFigure 1-4 Cisco 7204VXR Router - Front View Chapter 1 Overview Slot Locations1-10 Cisco 7206VXR RouterC7200 VSA VPN Services Adapter Installation and Configuration Guide Figure 1-5 Cisco 7206VXR - Front ViewOnline Insertion and Removal OIR, page Safety Guidelines, page Preparing for InstallationRequired Tools and Equipment Hardware and Software RequirementsHardware Requirements Software RequirementsRestrictions PlatformSafety Warnings Safety GuidelinesSafety Warnings, page Electrical Equipment Guidelines, page Online Insertion and Removal OIRPreventing Electrostatic Discharge Damage Electrical Equipment GuidelinesCompliance with U.S. Export Laws and Regulations Regarding Encryption Compliance with U.S. Export Laws and Regulations Regarding EncryptionC7200 VSA VPN Services Adapter Installation and Configuration Guide Chapter 2 Preparing for InstallationCompliance with U.S. Export Laws and Regulations Regarding Encryption OL-9129-02Warnings and Cautions, page VSA Removal and Installation, page Removing and Installing the VSAHandling the VSA Handling the VSA, page Online Insertion and Removal OIR, pageWarnings and Cautions VSA Removal and InstallationThe safety cover is an integral part of the product. Do not operate the unit without the safety cover installed. Operating the unit without the cover in place will invalidate the safety approvals and pose a risk of fire and electrical hazards Online Insertion and Removal OIRStep 3 Unscrew the screws holding the VSA in the slot VSA Removal and Installation Chapter 3 Removing and Installing the VSAC7200 VSA VPN Services Adapter Installation and Configuration Guide OL-9129-02Configuration Tasks Configuring the VSAOverview, page Configuration Tasks, page Configuration Examples, page Basic IPSec Configuration Illustration, pageConfiguring an IKE Policy Using the EXEC Command InterpreterVerifying IKE and IPSec Configurations, page 4-15 optional Configuring IPSec Configuration Example, page 4-18 optionalDefines an IKE policy and enters Internet Security Association Disables VSA Configuring a Transform SetVSA will be enabled after the next system rebootDefining a Transform Set The Crypto Transform Configuration Mode Changing Existing TransformsSelecting Appropriate Transforms Transform ExampleESP Authentication Transform Pick up to Authentication Transform is used, you mustah-md5-hmac ah-sha-hmacIPSec Protocols AH and ESP The Crypto Transform Configuration ModeSelecting Appropriate Transforms esp-aes and esp-sha-hmac ah-sha-hmac and esp-aes and esp-sha-hmacEnsuring That Access Lists Are Compatible with IPSec Configuring IPSecSetting Global Lifetimes for IPSec Security Associations Ensuring That Access Lists Are Compatible with IPSec requiredStep CommandPurpose Router# clear crypto sa spi destination-addressCreating Crypto Map Entries Creating Crypto Access Lists4-10 Routerconfig# ip access-list extended namespi cipher hex-key-string authenticator 4-11esp spi cipher hex-key-string authenticator Routerconfig-crypto-m# set session-key inbound ahCreating Dynamic Crypto Maps This is the only configuration statement required inCreates a dynamic crypto map entry Specifies which transform sets are allowed for theCommand 4-13Purpose Applying Crypto Map Sets to Interfaces Monitoring and Maintaining IPSec4-14 Displays your transform set configuration Verifying IKE and IPSec ConfigurationsDisplays your crypto map configuration Displays information about IPSec security associations4-16 Verifying the ConfigurationChapter 4 Configuring the VSA Configuration Tasks 4-17C7200 VSA VPN Services Adapter Installation and Configuration Guide OL-9129-02Configuring IKE Policies Example Configuration ExamplesConfiguring IPSec Configuration Example Configuring IKE Policies Example, pageRouter A Configuration Basic IPSec Configuration Illustration4-19 4-20 Router B Configuration4-21 Troubleshooting TipsRouter# show diag Router# show crypto engine accelerator statisticChapter 4 Configuring the VSA Troubleshooting Tips 4-22C7200 VSA VPN Services Adapter Installation and Configuration Guide Using Deny Policies in Access Lists, page Using Deny Policies in Access ListsMonitor and Maintenance Commands, page Monitoring and Maintaining the VSAConfiguration Guidelines and Restrictions Monitor and Maintenance CommandsDisplays integrated service adapter as part of the interfaces Verifies the VSA is currently processing crypto packetsIN-1 I N D Ecreating 4 IN-2definition IN-3 C7200 VSA VPN Services Adapter Installation and Configuration Guide IN-4Index OL-9129-02