Cisco Systems, Inc 170 West Tasman Drive San Jose, CA
C7200 VSA VPN Services Adapter Installation and Configuration Guide
Corporate Headquarters
800 553-NETS Fax 408
Turn the television or radio antenna until the interference stops
Contents
Features
Definitions of Service Request Severity
Preface
Safety Warnings
The Crypto Transform Configuration Mode
Configuration Tasks
Removing and Installing the VSA
Router B Configuration
Verifying the Configuration
Router A Configuration
Troubleshooting Tips
Contents
OL-9129-02
Warnings
Preface
Audience
Audience, page Warnings, page Objectives, page Organization, page
Configuring the VSA
Preparing for Installation
Removing and Installing the VSA
Objectives
Obtaining Documentation
Related Documentation
Cisco.com
Product Documentation DVD
Documentation Feedback
Cisco Product Security Overview
Ordering Documentation
Product Alerts and Field Notices
Reporting Security Problems in Cisco Products
For emergencies only - security-alert@cisco.com
Cisco Technical Support & Documentation Website
Obtaining Technical Assistance
http://tools.cisco.com/RPF/register/register.do
Obtaining Additional Publications and Information
Submitting a Service Request
Definitions of Service Request Severity
The Cisco Product Quick Reference Guide is a handy, compact reference tool that includes brief product overviews, key features, sample part numbers, and abbreviated technical specifications for many Cisco products that are sold through channel partners. It is updated twice a year and includes the latest Cisco channel product offerings. To order and find out more about the Cisco Product Quick Reference Guide, go to this URL
Overview
Hardware Required, page Features, page
Enabling/Disabling the VSA, page LEDs, page Connectors, page
Data Encryption Overview
VSA Overview
Screws
Feature
Features
Hardware Required
Description/Benefit
Standards
Supported Standards, MIBs, and RFCs
Performance
MIBs
disabled
Disables the C7200 VSA
Enables the C7200 VSA after it has been
Enabling/Disabling the VSA
Hw-module slot 0 shutdown -Not supported
LEDs
no crypto engine slot accelerator 0 -See Table
Cisco 7204VXR Router
Connectors
Slot Locations
Cisco 7204VXR Router, page Cisco 7206VXR Router, page
Figure 1-4 Cisco 7204VXR Router - Front View
ENABLED
Chapter 1 Overview Slot Locations
Cisco 7206VXR Router
Figure 1-5 Cisco 7206VXR - Front View
Required Tools and Equipment
Preparing for Installation
Online Insertion and Removal (OIR), page Safety Guidelines, page
Hardware and Software Requirements
Restrictions
Software Requirements
Hardware Requirements
Platform
Safety Warnings, page Electrical Equipment Guidelines, page
Safety Guidelines
Safety Warnings
Online Insertion and Removal (OIR)
Electrical Equipment Guidelines
Preventing Electrostatic Discharge Damage
Compliance with U.S. Export Laws and Regulations Regarding Encryption
Chapter 2 Preparing for Installation
Handling the VSA
Removing and Installing the VSA
Warnings and Cautions, page VSA Removal and Installation, page
Handling the VSA, page Online Insertion and Removal (OIR), page
The safety cover is an integral part of the product. Do not operate the unit without the safety cover installed. Operating the unit without the cover in place will invalidate the safety approvals and pose a risk of fire and electrical hazards
VSA Removal and Installation
Warnings and Cautions
Online Insertion and Removal (OIR)
Step 3 Unscrew the screws holding the VSA in the slot
Chapter 3 Removing and Installing the VSA
VSA Removal and Installation
Overview, page Configuration Tasks, page Configuration Examples, page
Configuring the VSA
Configuration Tasks
Basic IPSec Configuration Illustration, page
Verifying IKE and IPSec Configurations, page 4-15 (optional)
Using the EXEC Command Interpreter
Configuring an IKE Policy
Configuring IPSec Configuration Example, page 4-18 (optional)
Defines an IKE policy and enters Internet Security Association
VSA will be enabled after the next
Configuring a Transform Set
Disables VSA
system reboot
Selecting Appropriate Transforms
The Crypto Transform Configuration Mode Changing Existing Transforms
Defining a Transform Set
Transform Example
ah-md5-hmac
Authentication Transform is used, you must
ESP Authentication Transform Pick up to
ah-sha-hmac
Selecting Appropriate Transforms
The Crypto Transform Configuration Mode
IPSec Protocols AH and ESP
esp-aes and esp-sha-hmac ah-sha-hmac and esp-aes and esp-sha-hmac
Setting Global Lifetimes for IPSec Security Associations
Configuring IPSec
Ensuring That Access Lists Are Compatible with IPSec
Ensuring That Access Lists Are Compatible with IPSec (required)
Purpose
Command
Step
Router# clear crypto sa spi destination-address
Creating Crypto Access Lists
Creating Crypto Map Entries
Router(config)# ip access-list extended name
esp spi cipher hex-key-string authenticator
spi cipher hex-key-string authenticator
Router(config-crypto-m)# set session-key inbound ah
Creates a dynamic crypto map entry
This is the only configuration statement required in
Creating Dynamic Crypto Maps
Specifies which transform sets are allowed for the
Command
Purpose
Applying Crypto Map Sets to Interfaces
Monitoring and Maintaining IPSec
Displays your crypto map configuration
Verifying IKE and IPSec Configurations
Displays your transform set configuration
Displays information about IPSec security associations
Verifying the Configuration
Chapter 4 Configuring the VSA Configuration Tasks
Configuring IPSec Configuration Example
Configuration Examples
Configuring IKE Policies Example
Configuring IKE Policies Example, page
Router A Configuration
Basic IPSec Configuration Illustration
Router B Configuration
Router# show diag
Troubleshooting Tips
Router# show crypto engine accelerator statistic
Chapter 4 Configuring the VSA Troubleshooting Tips
Monitor and Maintenance Commands, page
Using Deny Policies in Access Lists
Using Deny Policies in Access Lists, page
Monitoring and Maintaining the VSA
Displays integrated service adapter as part of the interfaces
Monitor and Maintenance Commands
Configuration Guidelines and Restrictions
Verifies the VSA is currently processing crypto packets
I N D E
creating 4
definition
Index