Chapter 4 Configuring the VSA

Configuration Tasks

Selecting Appropriate Transforms

The Crypto Transform Configuration Mode

Changing Existing Transforms

Transform Example

A transform set is an acceptable combination of security protocols, algorithms, and other settings to apply to IPSec protected traffic. During the IPSec security association (SA) negotiation, the peers agree to use a particular transform set when protecting a particular data flow.

Defining a Transform Set

A transform set is a combination of security protocols and algorithms. During the IPSec security association negotiation, peers agree to use a specific transform set to protect a particular data flow.

To define a transform set, use the following commands, starting in global configuration mode:

Note: The clear commands in Step 4 below are entered in EXEC or enable mode (see the “Using the EXEC Command Interpreter” section on page 4-2 for more details).

Command / Purpose

Step 1

Command: Router(config)# crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]

Purpose: Defines a transform set and enters crypto transform configuration mode.

transform-set-name—Specifies the name of the transform set to create (or modify).

transform1 [transform2 [transform3] [transform4]]—Defines the IPSec security protocols and algorithms. Accepted transform values are described in Table 4-1.

Step 2

Command: Router(cfg-crypto-tran)# mode [tunnel | transport]

Purpose: (Optional) Changes the mode associated with the transform set. The mode setting is only applicable to traffic whose source and destination addresses are the IPSec peer addresses; it is ignored for all other traffic. (All other traffic is in tunnel mode only.)

Step 3

Command: end

Purpose: Exits the crypto transform configuration mode to enabled mode.

Step 4

Command: Router# clear crypto sa
or
Router# clear crypto sa peer {ip-address | peer-name}
or
Router# clear crypto sa map map-name
or
Router# clear crypto sa spi destination-address protocol spi

Purpose: Clears existing IPSec security associations so that any changes to a transform set take effect on subsequently established security associations (SAs). (Manually established SAs are reestablished immediately.)

Using the clear crypto sa command without parameters clears out the full SA database, which clears out active security sessions. You may also specify the peer, map, or spi keywords to clear out only a subset of the SA database.

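The four-step procedure above, applied to a running configuration, as an added example that is not part of the Cisco guide: the script below parses the transform-set and mode lines out of a constructed IOS configuration excerpt, reports which sets are defined with a null or weak cipher, a weak integrity transform, or no integrity transform at all, and emits the Step 1 to Step 4 command sequence that would replace such a set (ending with clear crypto sa so the change applies to subsequently established SAs). The transform keywords it recognises (esp-aes, esp-3des, esp-des, esp-null, esp-sha-hmac, esp-md5-hmac, ah-sha-hmac, ah-md5-hmac) are standard IOS keywords, but Table 4-1 is not reproduced on this page, so the weak/strong classification is this example's own assumption. The sample configuration, the set names and the finding codes are constructed for the example.

```python
"""Audit IPSec transform sets in a Cisco IOS running-config excerpt and emit
the Step 1 to Step 4 command sequence that would replace a weak one.

Added example, not from the Cisco VSA guide. The transform keywords used
(esp-aes, esp-3des, esp-des, esp-null, esp-sha-hmac, esp-md5-hmac,
ah-sha-hmac, ah-md5-hmac) are standard IOS keywords; the weak/strong
classification is this example's own assumption, not the guide's Table 4-1.
"""
import re

# Constructed running-config excerpt (not taken from the guide). In a real
# running-config, tunnel mode is the default and is typically not displayed;
# only "mode transport" appears, indented under its transform set.
SAMPLE_CONFIG = """\
!
crypto ipsec transform-set STRONG esp-aes esp-sha-hmac
crypto ipsec transform-set LEGACY esp-des esp-md5-hmac
 mode transport
crypto ipsec transform-set NOINTEG esp-aes
crypto ipsec transform-set CLEAR esp-null esp-sha-hmac
!
"""

TRANSFORM_RE = re.compile(r"^crypto ipsec transform-set (\S+)((?:\s+\S+)+)\s*$")
MODE_RE = re.compile(r"^\s+mode (tunnel|transport)\s*$")

# Classification used by this example (assumption, see module docstring).
NULL_CIPHER = {"esp-null"}
WEAK_CIPHERS = {"esp-des", "esp-3des"}
WEAK_INTEGRITY = {"esp-md5-hmac", "ah-md5-hmac"}
ANY_INTEGRITY = WEAK_INTEGRITY | {"esp-sha-hmac", "ah-sha-hmac"}


def parse_transform_sets(config_text):
    """Return {name: {"transforms": [...], "mode": "tunnel" | "transport"}}.

    A 'mode' line belongs to the transform set directly above it; a set with
    no 'mode' line keeps the IOS default, tunnel mode.
    """
    sets = {}
    current = None
    for line in config_text.splitlines():
        m = TRANSFORM_RE.match(line)
        if m:
            current = m.group(1)
            sets[current] = {"transforms": m.group(2).split(), "mode": "tunnel"}
            continue
        m = MODE_RE.match(line)
        if m and current is not None:
            sets[current]["mode"] = m.group(1)
            continue
        if not line.startswith(" "):
            current = None  # any other top-level line leaves the sub-mode
    return sets


def audit_transform_set(transforms):
    """Return a list of finding codes for one transform set (empty = clean)."""
    t = set(transforms)
    findings = []
    if t & NULL_CIPHER:
        findings.append("null-encryption")   # ESP with no confidentiality
    if t & WEAK_CIPHERS:
        findings.append("weak-cipher")       # DES / 3DES
    if t & WEAK_INTEGRITY:
        findings.append("weak-integrity")    # MD5-based HMAC
    if not (t & ANY_INTEGRITY):
        findings.append("no-integrity")      # encryption only, no ESP/AH auth
    return findings


def audit_config(config_text):
    """Map every transform-set name in the excerpt to its finding codes."""
    return {name: audit_transform_set(entry["transforms"])
            for name, entry in parse_transform_sets(config_text).items()}


def replacement_commands(name, transforms, mode="tunnel"):
    """Steps 1 to 4 of the guide's procedure as the lines an operator types.

    Step 2 is omitted when the set keeps the tunnel default; Step 4 uses
    'clear crypto sa' so the change applies to subsequently established SAs.
    """
    cmds = [f"crypto ipsec transform-set {name} {' '.join(transforms)}"]  # Step 1
    if mode != "tunnel":
        cmds.append(f"mode {mode}")                                        # Step 2
    cmds.append("end")                                                     # Step 3
    cmds.append("clear crypto sa")                                         # Step 4
    return cmds


if __name__ == "__main__":
    parsed = parse_transform_sets(SAMPLE_CONFIG)
    for name, codes in audit_config(SAMPLE_CONFIG).items():
        print(f"{name:8s} mode={parsed[name]['mode']:9s} findings={codes or 'none'}")
        if codes:
            print("  suggested replacement:")
            for cmd in replacement_commands(name, ["esp-aes", "esp-sha-hmac"],
                                            parsed[name]["mode"]):
                print("   ", cmd)
```

Run against a full running-config (show running-config output) rather than the constructed excerpt to list every transform set on a router; the parser relies only on the top-level transform-set line and the indented mode line that the guide's Step 1 and Step 2 produce. The unparameterised clear crypto sa in the replacement sequence tears down all active SAs, as the Step 4 purpose text states, so on a production router the peer, map, or spi forms are the ones to prefer.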

C7200 VSA (VPN Services Adapter) Installation and Configuration Guide
OL-9129-02
4-5
