Disabling VSA Optional | Cisco Systems C7200 specs

Chapter 4 Configuring the VSA

Configuration Tasks

Step 5

Step 6

Command	Purpose

Router(config-isakmp)# hash {sha md5}	(Optional) Specifies the hash algorithm within an IKE policy.
	• sha—Specifies SHA-1 (HMAC variant) as the hash
	algorithm.
	• md5—Specifies MD5 (HMAC variant) as the hash
	algorithm.
	Note If this command is not enabled, the default value (sha)
	will be used.

Router(config-isakmp)# group {1 2 5}	(Optional) Specifies the Diffie-Hellman (DH) group identifier
	within an IKE policy.
	1—Specifies the 768-bit DH group.
	2—Specifies the 1024-bit DH group.
	5—Specifies the 1536-bit DH group.
	Note If this command is not enabled, the default value (768-bit)
	will be used.

For detailed information on creating IKE policies, refer to the “Configuring Internet Key Exchange Security Protocol” chapter in the Security Configuration Guide publication.

Disabling VSA (Optional)

The VSA is enabled by default.

To disable the VSA, use the following commands, starting in global configuration mode:

	Command	Purpose

Step 7	no crypto engine [slot accelerator] 0	Disables VSA.
	Note The VSA can only be inserted in slot 0.

Step 8	crypto engine [slot accelerator] 0	VSA will be enabled after the next
		system reboot.

This completes the procedure for disabling and preparing to enable VSA after the next system reboot.

Configuring a Transform Set

See the Advanced Encryption Standard (AES) feature module for more information on configuring a transform set.

This section includes the following topics:

•Defining a Transform Set

•IPSec Protocols: AH and ESP

C7200 VSA (VPN Services Adapter) Installation and Configuration Guide

4-4	OL-9129-02

Image 38

Cisco Systems C7200 manual Disabling VSA Optional, Configuring a Transform Set

Contents

Corporate Headquarters Text Part Number OL-9129-02Page N T E N T S Preventing Electrostatic Discharge Damage 2 Creating Dynamic Crypto Maps 4 OL-9129-02 Preface Audience Chapter Title Description ObjectivesOrganization Cisco.com Related DocumentationObtaining Documentation Product Documentation DVD Ordering Documentation Documentation FeedbackCisco Product Security Overview Reporting Security Problems in Cisco Products Product Alerts and Field Notices Obtaining Technical Assistance Cisco Technical Support & Documentation Website Obtaining Additional Publications and Information Submitting a Service RequestDefinitions of Service Request Severity Xiv Overview Data Encryption Overview VSA Overview Screws Handle Status LED light VSA Module Front View Feature Description/Benefit FeaturesThis section describes the VSA features, as listed in Table Hardware Required Standards Supported Standards, MIBs, and RFCsPerformance MIBs Disabling the VSA during Operation Command PurposeEnabling/Disabling the VSA Enabling/Disabling Scheme LEDs Condition System is ConfiguredCommand Description of VSA Behavior Slot Locations ConnectorsSee -2for the VSA connectors Cisco 7204VXR Router Port adapter VSA in I/O controller slot Port adapter lever Cisco 7204VXR Router Front View Cisco 7206VXR Router Cisco 7206VXR Front View Required Tools and Equipment Hardware and Software Requirements Restrictions Software RequirementsHardware Requirements Platform Online Insertion and Removal OIR Safety GuidelinesSafety Warnings Electrical Equipment Guidelines Preventing Electrostatic Discharge Damage Preparing for Installation OL-9129-02 Handling the VSA VSA circuit board is sensitive to ESD damage VSA Removal and Installation This section describes how to remove and install the VSA Removing and Installing the VSA VSA Removal and Installation OL-9129-02 Configuration Tasks Overview Using the Exec Command Interpreter Configuring an IKE Policy Optional Specifies the authentication method within an IKE Key Management Protocol Isakmp policy configurationConfig-isakmp mode Signatures as the authentication method Configuring a Transform Set Disabling VSA Optional Defining a Transform Set Transform type Description Selecting Appropriate Transforms Crypto Transform Configuration ModeIPSec Protocols AH and ESP Setting Global Lifetimes for IPSec Security Associations Configuring IPSecEnsuring That Access Lists Are Compatible with IPSec Changing Existing Transforms Step Command Purpose Creating Crypto Access Lists Creating Crypto Map Entries ESP authenticator algorithm Only one transform set can be specified when IKE isAuthenticator keys if the transform set includes an Exits crypto-map configuration mode and return to Creating Dynamic Crypto Maps If this is configured, the data flow identity proposed Optional Accesses list number or name of anExtended access list. This access list determines For this crypto access list Monitoring and Maintaining IPSec Applying Crypto Map Sets to Interfaces Verifying IKE and IPSec Configurations Router# show crypto isakmp policy Verifying the Configuration Currentpeer 172.21.114.67 PERMIT, flags=originisacl Configuring IPSec Configuration Example Configuration ExamplesConfiguring IKE Policies Example This section provides the following configuration examples Crypto map is applied to an interface Basic IPSec Configuration IllustrationRouter a Configuration Specify the parameters to be used during an IKE negotiation Router B ConfigurationTransform set defines how the traffic will be protected Troubleshooting Tips Router# show diag Tunnel I/F Using Deny Policies in Access Lists Monitoring and Maintaining the VSA Monitor and Maintenance Commands Configuration Guidelines and Restrictions D E Set session-key command Set transform-set command Sa command, clear crypto Entries, creatingSet pfs command Features Handling Monitoring and maintaining 4 Overview Handling VPN Acceleration Module see VAM 1 IN-4