Chapter 4 Configuring the VSA
Configuration Tasks
| Command | Purpose |
|
|
|
Step 5 | (Optional) Specifies a security association lifetime | |
| lifetime seconds seconds | for the crypto map entry. |
| and | Use this command if you want the security |
| Router | associations for this crypto map entry to be |
| negotiated using different IPSec security association | |
| lifetime kilobytes kilobytes | |
| lifetimes than the global lifetimes. | |
|
| |
|
|
|
Step 6 | (Optional) Specifies that separate security | |
| level | associations should be established for each |
|
| source/destination host pair. |
|
| Without this command, a single IPSec “tunnel” could |
|
| carry traffic for multiple source hosts and multiple |
|
| destination hosts. |
|
| With this command, when the router requests new |
|
| security associations it will establish one set for |
|
| traffic between Host A and Host B, and a separate set |
|
| for traffic between Host A and Host C. |
|
| Use this command with care, as multiple streams |
|
| between given subnets can rapidly consume |
|
| resources. |
|
|
|
Step 7 | (Optional) Specifies that IPSec should ask for perfect | |
| group5] | forward secrecy when requesting new security |
|
| associations for this crypto map entry, or should |
|
| demand perfect forward secrecy (PFS) in requests |
|
| received from the IPSec peer. |
|
|
|
Step 8 | Exits | |
|
| global configuration mode. |
|
|
|
Creating Dynamic Crypto Maps
Step 1
Step 2
A dynamic crypto map entry is a crypto map entry with some parameters not configured.The missing parameters are later dynamically configured (as the result of an IPSec negotiation). Dynamic crypto maps are only available for use by IKE.
Dynamic crypto map entries are grouped into sets. A set is a group of dynamic crypto map entries all with the same
To create a dynamic crypto map entry, use the following commands starting in global configuration mode:
Command | Purpose |
|
|
Router(config)# crypto | Creates a dynamic crypto map entry. |
| |
|
|
Specifies which transform sets are allowed for the | |
crypto map entry. List multiple transform sets in | |
order of priority (highest priority first). | |
| |
| This is the only configuration statement required in |
| dynamic crypto map entries. |
|
|
C7200 VSA (VPN Services Adapter) Installation and Configuration Guide
|
| |
|