Transform type Description | Cisco Systems C7200 manual

Chapter 4 Configuring the VSA

Configuration Tasks

Table 4-1shows allowed transform combinations for the AH and ESP protocols.

Table 4-1 Allowed Transform Combinations

Transform type	Transform	Description

AH Transform (Pick up to one.)	ah-md5-hmac	AH with the MD5 (Message Digest 5)
		(HMAC variant) authentication algorithm
	ah-sha-hmac	AH with the SHA (Secure Hash Algorithm)
		(HMAC variant) authentication algorithm

ESP Encryption Transform (Note: If an ESP	esp-aes	ESP with the 128-bit Advanced Encryption
Authentication Transform is used, you must		Standard (AES) encryption algorithm
pick one.)	esp-aes 128	ESP with the 128-bit AES encryption algorithm
	esp-aes 128	ESP with the 128-bit AES encryption algorithm
	esp-aes 192	ESP with the 192-bit AES encryption algorithm
	esp-aes 256	ESP with the 256-bit AES encryption algorithm
	esp-des	ESP with the 56-bit Data Encryption Standard
		ESP with the 56-bit Data Encryption Standard
		(DES) encryption algorithm
	esp-3des	ESP with the 168-bit DES encryption algorithm
		(3DES or Triple DES)
	esp-null	Null encryption algorithm

ESP Authentication Transform (Pick up to	esp-md5-hmac	ESP with the MD5 (HMAC variant)
one.)		authentication algorithm
	esp-sha-hmac	ESP with the SHA (HMAC variant)
		authentication algorithm

Examples of acceptable transform combinations are as follows:

•ah-md5-hmac

•esp-des

•esp-3des and esp-md5-hmac

•ah-sha-hmac and esp-des and esp-sha-hmac

The parser will prevent you from entering invalid combinations; for example, once you specify an AH transform it will not allow you to specify another AH transform for the current transform set.

C7200 VSA (VPN Services Adapter) Installation and Configuration Guide

4-6	OL-9129-02

Image 40

Cisco Systems C7200 manual Transform type Description

Contents

Corporate Headquarters Text Part Number OL-9129-02Page N T E N T S Preventing Electrostatic Discharge Damage 2 Creating Dynamic Crypto Maps 4 OL-9129-02 Preface Audience Organization ObjectivesChapter Title Description Obtaining Documentation Related DocumentationCisco.com Cisco Product Security Overview Documentation FeedbackProduct Documentation DVD Ordering Documentation Reporting Security Problems in Cisco Products Product Alerts and Field Notices Obtaining Technical Assistance Cisco Technical Support & Documentation Website Definitions of Service Request Severity Submitting a Service RequestObtaining Additional Publications and Information Xiv Overview Data Encryption Overview VSA Overview Screws Handle Status LED light VSA Module Front View Features This section describes the VSA features, as listed in TableFeature Description/Benefit Hardware Required Supported Standards, MIBs, and RFCs PerformanceStandards MIBs Command Purpose Enabling/Disabling the VSADisabling the VSA during Operation Enabling/Disabling Scheme Command Description of VSA Behavior Condition System is ConfiguredLEDs Connectors See -2for the VSA connectorsSlot Locations Cisco 7204VXR Router Port adapter VSA in I/O controller slot Port adapter lever Cisco 7204VXR Router Front View Cisco 7206VXR Router Cisco 7206VXR Front View Required Tools and Equipment Hardware and Software Requirements Software Requirements Hardware RequirementsRestrictions Platform Safety Warnings Safety GuidelinesOnline Insertion and Removal OIR Electrical Equipment Guidelines Preventing Electrostatic Discharge Damage Preparing for Installation OL-9129-02 Handling the VSA VSA circuit board is sensitive to ESD damage VSA Removal and Installation This section describes how to remove and install the VSA Removing and Installing the VSA VSA Removal and Installation OL-9129-02 Configuration Tasks Overview Using the Exec Command Interpreter Configuring an IKE Policy Key Management Protocol Isakmp policy configuration Config-isakmp modeOptional Specifies the authentication method within an IKE Signatures as the authentication method Configuring a Transform Set Disabling VSA Optional Defining a Transform Set Transform type Description IPSec Protocols AH and ESP Crypto Transform Configuration ModeSelecting Appropriate Transforms Configuring IPSec Ensuring That Access Lists Are Compatible with IPSecSetting Global Lifetimes for IPSec Security Associations Changing Existing Transforms Step Command Purpose Creating Crypto Access Lists Creating Crypto Map Entries Only one transform set can be specified when IKE is Authenticator keys if the transform set includes anESP authenticator algorithm Exits crypto-map configuration mode and return to Creating Dynamic Crypto Maps Optional Accesses list number or name of an Extended access list. This access list determinesIf this is configured, the data flow identity proposed For this crypto access list Monitoring and Maintaining IPSec Applying Crypto Map Sets to Interfaces Verifying IKE and IPSec Configurations Router# show crypto isakmp policy Verifying the Configuration Currentpeer 172.21.114.67 PERMIT, flags=originisacl Configuration Examples Configuring IKE Policies ExampleConfiguring IPSec Configuration Example This section provides the following configuration examples Router a Configuration Basic IPSec Configuration IllustrationCrypto map is applied to an interface Transform set defines how the traffic will be protected Router B ConfigurationSpecify the parameters to be used during an IKE negotiation Troubleshooting Tips Router# show diag Tunnel I/F Using Deny Policies in Access Lists Monitoring and Maintaining the VSA Monitor and Maintenance Commands Configuration Guidelines and Restrictions D E Set pfs command Sa command, clear crypto Entries, creatingSet session-key command Set transform-set command Features Handling Monitoring and maintaining 4 Overview Handling VPN Acceleration Module see VAM 1 IN-4