Chapter 4 Configuring the VSA

Configuration Tasks

Step 5
Command:
Router(config-crypto-m)# set security-association lifetime seconds seconds
and
Router(config-crypto-m)# set security-association lifetime kilobytes kilobytes
Purpose:
(Optional) Specifies a security association lifetime for the crypto map entry. Use this command if you want the security associations for this crypto map entry to be negotiated using different IPSec security association lifetimes than the global lifetimes.

Step 6
Command:
Router(config-crypto-m)# set security-association level per-host
Purpose:
(Optional) Specifies that separate security associations should be established for each source/destination host pair.
Without this command, a single IPSec “tunnel” could carry traffic for multiple source hosts and multiple destination hosts.
With this command, when the router requests new security associations it will establish one set for traffic between Host A and Host B, and a separate set for traffic between Host A and Host C.
Use this command with care, as multiple streams between given subnets can rapidly consume resources.

Step 7
Command:
Router(config-crypto-m)# set pfs [group1 | group2 | group5]
Purpose:
(Optional) Specifies that IPSec should ask for perfect forward secrecy when requesting new security associations for this crypto map entry, or should demand perfect forward secrecy (PFS) in requests received from the IPSec peer.

Step 8
Command:
Router(config-crypto-m)# exit
Purpose:
Exits crypto-map configuration mode and returns to global configuration mode.


Creating Dynamic Crypto Maps

A dynamic crypto map entry is a crypto map entry with some parameters not configured. The missing parameters are later dynamically configured (as the result of an IPSec negotiation). Dynamic crypto maps are only available for use by IKE.

Dynamic crypto map entries are grouped into sets. A set is a group of dynamic crypto map entries all with the same dynamic-map-name, each with a different dynamic-seq-num.

To create a dynamic crypto map entry, use the following commands starting in global configuration mode:

Step 1
Command:
Router(config)# crypto dynamic-map dynamic-map-name dynamic-seq-num
Purpose:
Creates a dynamic crypto map entry.

Step 2
Command:
Router(config-crypto-m)# set transform-set transform-set-name1 [transform-set-name2...transform-set-name6]
Purpose:
Specifies which transform sets are allowed for the crypto map entry. List multiple transform sets in order of priority (highest priority first). This is the only configuration statement required in dynamic crypto map entries.

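The following configuration is an added example that is not part of the Cisco guide. It puts the dynamic crypto map of Steps 1 and 2 together with the optional per-entry lifetimes and PFS settings from Steps 5 and 7 of the crypto map table, so the per-entry overrides can be compared against the global defaults in one place. The names DYN-MAP, VPN-MAP, AES-SHA and GigabitEthernet0/0, the sequence numbers and the lifetime values are assumptions chosen for illustration, and the pre-shared key is a placeholder.

```cisco
! Added example (not from the guide). DYN-MAP, VPN-MAP, AES-SHA,
! GigabitEthernet0/0 and all numeric values are assumed; the key is a placeholder.
!
! Global IPSec SA lifetime. Crypto map entries that set their own
! lifetime (Step 5) override this value for their SAs only.
crypto ipsec security-association lifetime seconds 86400
!
! IKE (ISAKMP) phase 1 policy that protects the IPSec negotiation.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 86400
!
! Wildcard pre-shared key, because a dynamic map serves peers whose
! addresses are not known in advance. Replace the placeholder.
crypto isakmp key REPLACE-WITH-STRONG-KEY address 0.0.0.0 0.0.0.0
!
! Transform set that the dynamic map entry will offer (Step 2).
crypto ipsec transform-set AES-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Dynamic crypto map entry (Step 1). Only set transform-set is
! mandatory (Step 2); the remaining lines are the optional settings.
crypto dynamic-map DYN-MAP 10
 set transform-set AES-SHA
 ! Step 5: lifetimes for this entry, shorter than the global 86400 s above.
 set security-association lifetime seconds 3600
 set security-association lifetime kilobytes 4608000
 ! Step 7: PFS. Because a dynamic map only answers peer requests, this
 ! makes the router demand PFS from the peer rather than ask for it.
 set pfs group5
!
! Attach the dynamic set to a static crypto map at the highest sequence
! number, so any static entries in VPN-MAP are evaluated before it.
crypto map VPN-MAP 65535 ipsec-isakmp dynamic DYN-MAP
!
interface GigabitEthernet0/0
 crypto map VPN-MAP
!
! Verification, from privileged EXEC mode:
!   show crypto dynamic-map   lists DYN-MAP with its transform set and PFS group
!   show crypto map           shows VPN-MAP and the attached dynamic set
!   show crypto ipsec sa      per-SA lifetimes confirm the 3600 s / 4608000 KB override
```

Two points worth checking when adapting this. First, the `set security-association level per-host` option from Step 6 is deliberately left out: with a wildcard peer set, per-host SAs multiply quickly and can exhaust the adapter's SA table, which is the resource concern the table itself raises. Second, group5 is the strongest Diffie-Hellman group the table offers; later IOS releases add larger groups, so use the largest group that both the platform and its peers support.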

C7200 VSA (VPN Services Adapter) Installation and Configuration Guide

4-12

OL-9129-02

 

 
