Chapter 4 Configuring the VSA

Configuration Tasks

To change a global lifetime for IPSec security associations, use one or more of the following commands:

Note: The clear commands in Step 5 below are entered in EXEC or enable mode (see the “Using the EXEC Command Interpreter” section on page 4-2 for more details).

Step 1
Command: Router# enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2
Command: Router# configure terminal
Purpose: Enters global configuration mode.

Step 3
Command: Router(config)# crypto ipsec security-association lifetime seconds seconds
Purpose: Changes global lifetime values used when negotiating IPSec security associations (SAs). To reset a lifetime to the default value, use the no form of this command.
seconds: Specifies the number of seconds a security association will live before expiring. The default is 3600 seconds (one hour).

Step 4
Command: Router(config)# crypto ipsec security-association lifetime kilobytes kilobytes
Purpose: Changes the global “traffic-volume” lifetime for IPSec SAs.
kilobytes: Specifies the volume of traffic (in kilobytes) that can pass between IPSec peers using a given security association before that security association expires. The default is 4,608,000 kilobytes.

Step 5
Command: Router# clear crypto sa
or
Router# clear crypto sa peer {ip-address | peer-name}
or
Router# clear crypto sa map map-name
or
Router# clear crypto sa spi destination-address protocol spi
Purpose: (Optional) Clears existing security associations. This causes any existing security associations to expire immediately; future security associations will use the new lifetimes. Otherwise, any existing security associations will expire according to the previously configured lifetimes.
Note: Using the clear crypto sa command without parameters will clear out the full SA database, which will clear out active security sessions. You may also specify the peer, map, or spi keywords to clear out only a subset of the SA database. For more information, see the clear crypto sa command.
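The following audit helper is an added example, not part of the Cisco guide. It reads saved configuration text, reports the effective global SA lifetimes using the defaults from Steps 3 and 4, and shows which lifetime expires an SA first under a steady traffic load. It assumes that an absent lifetime line means the default is in effect and that an SA expires when either lifetime is reached, whichever comes first; the function names and the sample configuration are constructed for illustration.

```python
import re

# Defaults stated in Steps 3 and 4: 3600 seconds and 4,608,000 kilobytes.
DEFAULT_SECONDS = 3600
DEFAULT_KILOBYTES = 4_608_000

LIFETIME_RE = re.compile(
    r"^\s*crypto ipsec security-association lifetime (seconds|kilobytes) (\d+)\s*$"
)

def effective_lifetimes(config_text):
    """Return the global SA lifetimes in config_text, falling back to the defaults."""
    values = {"seconds": DEFAULT_SECONDS, "kilobytes": DEFAULT_KILOBYTES}
    for line in config_text.splitlines():
        match = LIFETIME_RE.match(line)
        if match:
            values[match.group(1)] = int(match.group(2))
    return values

def first_expiry(lifetimes, kilobytes_per_second):
    """Return (trigger, seconds_until_expiry) for an SA carrying a steady load.

    Assumption: the SA expires when either lifetime is reached, whichever is first.
    """
    if kilobytes_per_second <= 0:
        return "seconds", float(lifetimes["seconds"])
    volume_seconds = lifetimes["kilobytes"] / kilobytes_per_second
    if volume_seconds < lifetimes["seconds"]:
        return "kilobytes", volume_seconds
    return "seconds", float(lifetimes["seconds"])

# Constructed sample: only the time-based lifetime was raised (to 8 hours).
SAMPLE_CONFIG = """\
hostname Router
crypto ipsec security-association lifetime seconds 28800
interface GigabitEthernet0/1
"""

if __name__ == "__main__":
    lifetimes = effective_lifetimes(SAMPLE_CONFIG)
    print(lifetimes)
    for rate in (100, 1280, 12800):  # steady load in kilobytes per second
        print(rate, "KB/s ->", first_expiry(lifetimes, rate))
```

With the sample configuration, raising only the seconds lifetime leaves the default kilobytes lifetime as the limit that expires the SA first on a busy tunnel.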

 

 

 

C7200 VSA (VPN Services Adapter) Installation and Configuration Guide

 

OL-9129-02
