Chapter 4 Configuring the VSA

Configuration Tasks

Step 5
Command: Router(config-isakmp)# hash {sha | md5}
Purpose: (Optional) Specifies the hash algorithm within an IKE policy.
  sha—Specifies SHA-1 (HMAC variant) as the hash algorithm.
  md5—Specifies MD5 (HMAC variant) as the hash algorithm.
  Note: If this command is not enabled, the default value (sha) will be used.

Step 6
Command: Router(config-isakmp)# group {1 | 2 | 5}
Purpose: (Optional) Specifies the Diffie-Hellman (DH) group identifier within an IKE policy.
  1—Specifies the 768-bit DH group.
  2—Specifies the 1024-bit DH group.
  5—Specifies the 1536-bit DH group.
  Note: If this command is not enabled, the default value (768-bit) will be used.

For detailed information on creating IKE policies, refer to the “Configuring Internet Key Exchange Security Protocol” chapter in the Security Configuration Guide publication.
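An added example, not part of the Cisco guide: a Python check that reads crypto isakmp policy blocks from a saved configuration, applies the defaults stated in the table above (hash sha, 768-bit group 1), and lists the policies that fall below a chosen minimum. The sample configuration is constructed, and the 1536-bit and SHA-only thresholds are assumptions of this example.

```python
import re

# Defaults and DH group sizes as given in the command table on this page.
DEFAULTS = {"hash": "sha", "group": "1"}
DH_BITS = {"1": 768, "2": 1024, "5": 1536}
# Constructed sample configuration, not taken from a real device.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 hash md5
 group 2
!
crypto isakmp policy 20
 hash sha
!
crypto isakmp policy 30
 group 5
"""

def effective_policies(config):
    """Map each policy priority to {setting: (value, came_from_default)}."""
    policies, current = {}, None
    for line in config.splitlines():
        header = re.match(r"crypto isakmp policy (\d+)\s*$", line)
        setting = re.match(r"\s+(hash|group)\s+(\S+)\s*$", line)
        if header:
            current = policies.setdefault(int(header.group(1)), {})
        elif not line.startswith(" "):
            current = None                     # left the policy sub-mode
        elif setting and current is not None:
            current[setting.group(1)] = setting.group(2)
    return {prio: {key: (explicit.get(key, DEFAULTS[key]), key not in explicit)
                   for key in DEFAULTS}
            for prio, explicit in policies.items()}

def audit(config, min_dh_bits=1536, allowed_hashes=("sha",)):
    """Return (priority, finding) pairs; both thresholds are assumptions."""
    findings = []
    for prio, policy in sorted(effective_policies(config).items()):
        (hash_alg, hash_dflt), (group, group_dflt) = policy["hash"], policy["group"]
        if hash_alg not in allowed_hashes:
            findings.append((prio, f"hash {hash_alg}" + " (default)" * hash_dflt))
        if DH_BITS[group] < min_dh_bits:
            findings.append((prio, f"group {group}, {DH_BITS[group]}-bit DH"
                                   + " (default)" * group_dflt))
    return findings

if __name__ == "__main__":
    for prio, finding in audit(SAMPLE_CONFIG):
        print(f"policy {prio}: {finding}")
```

Policy 20 in the sample never mentions a group, yet it is reported because the omitted command resolves to the 768-bit default.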

Disabling VSA (Optional)

The VSA is enabled by default.

To disable the VSA, use the following commands, starting in global configuration mode:

 

Step 7
Command: no crypto engine [slot | accelerator] 0
Purpose: Disables VSA.
  Note: The VSA can only be inserted in slot 0.

Step 8
Command: crypto engine [slot | accelerator] 0
Purpose: VSA will be enabled after the next system reboot.

This completes the procedure for disabling and preparing to enable VSA after the next system reboot.

Configuring a Transform Set

See the Advanced Encryption Standard (AES) feature module for more information on configuring a transform set.

This section includes the following topics:

Defining a Transform Set

IPSec Protocols: AH and ESP

C7200 VSA (VPN Services Adapter) Installation and Configuration Guide


OL-9129-02

 

 
