Chapter 4 Configuring the VSA

Configuration Tasks

 

Command                                                  Purpose

Step 3
Command: Router(config-crypto-m)# match address access-list-id
Purpose: (Optional) Specifies the number or name of an extended access list. This access list determines which traffic should be protected by IPSec and which traffic should not be protected by IPSec in the context of this crypto map entry.

Note: Although access lists are optional for dynamic crypto maps, they are highly recommended.

If this is configured, the data flow identity proposed by the IPSec peer must fall within a permit statement of this crypto access list.

If this is not configured, the router accepts any data flow identity proposed by the IPSec peer. A remote peer can then negotiate security associations for address ranges you never intended to carry over the tunnel, which is why the access list is recommended even though it is optional.

However, if this is configured but the specified access list does not exist or is empty, the router drops all packets. This is similar to static crypto maps, which also require that an access list be specified.

Care must be taken if the any keyword is used in the access list, because the access list is used for packet filtering as well as for negotiation: an entry such as permit ip any any both accepts any identity a peer proposes and marks every outbound packet as traffic that must be IPSec-protected.

Step 4
Command: Router(config-crypto-m)# set peer {hostname | ip-address}
Purpose: (Optional) Specifies a remote IPSec peer. Repeat for multiple remote peers.

This is rarely configured in dynamic crypto map entries, because dynamic crypto map entries are typically used for remote peers whose addresses are not known in advance.

Step 5
Command: Router(config-crypto-m)# set security-association lifetime seconds seconds
and
Router(config-crypto-m)# set security-association lifetime kilobytes kilobytes
Purpose: (Optional) If you want the security associations for this crypto map to be negotiated using shorter IPSec security association lifetimes than the globally specified lifetimes, specify a key lifetime for the crypto map entry.

Step 6
Command: Router(config-crypto-m)# set pfs [group1 | group2 | group5]
Purpose: (Optional) Specifies that IPSec should ask for perfect forward secrecy (PFS) when requesting new security associations for this crypto map entry, or should demand perfect forward secrecy in requests received from the IPSec peer. With PFS, each new IPSec security association is keyed from a fresh Diffie-Hellman exchange, so compromise of one key does not expose the keys of earlier or later security associations.

Step 7
Command: Router(config-crypto-m)# exit
Purpose: Exits crypto map configuration mode and returns to global configuration mode.

Step 8
Repeat these steps to create additional crypto map entries as required.
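The following is an added, constructed configuration that walks through Steps 3 through 7 for one dynamic crypto map entry; it is not taken from the guide. The names VPN-TRAFFIC, VSA-TS, VSA-DYN and VSA-MAP, the sequence numbers, the interface and the address ranges are assumptions. It also includes the commands that surround these steps in a complete setup (creating the dynamic map entry and its transform set, which precede Step 3 in the guide, and the static crypto map and interface binding that follow it), so the entry can be seen in context.

```cisco
! Constructed example (not from the guide). Protects 10.1.0.0/16 behind this
! router for remote peers whose addresses are not known in advance.
!
! Crypto access list for Step 3: permit only the traffic that must be
! protected. Avoid "permit ip any any" here, because the same list both
! filters outbound packets and bounds the identities a peer may propose.
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 192.168.0.0 0.0.255.255
!
! Precedes Step 3 in the guide: the transform set the entry will use.
crypto ipsec transform-set VSA-TS esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Precedes Step 3 in the guide: create the dynamic crypto map entry.
crypto dynamic-map VSA-DYN 10
 set transform-set VSA-TS
 ! Step 3: a peer's proposed data flow identity must fall within a permit
 ! statement of VPN-TRAFFIC, otherwise the negotiation is rejected.
 match address VPN-TRAFFIC
 ! Step 4 (set peer) is omitted on purpose: the remote peers are unknown.
 ! Step 5: shorter SA lifetimes than the global defaults for this entry.
 set security-association lifetime seconds 1800
 set security-association lifetime kilobytes 1024000
 ! Step 6: require a fresh Diffie-Hellman (group 5) exchange per IPSec SA.
 set pfs group5
 ! Step 7: "exit" returns to global configuration mode.
 exit
!
! Follows Step 8 in a complete setup: reference the dynamic map from a
! static crypto map (dynamic entries take the highest sequence number so
! static entries are matched first) and bind the map to the interface.
crypto map VSA-MAP 100 ipsec-isakmp dynamic VSA-DYN
!
interface GigabitEthernet0/1
 crypto map VSA-MAP
```

To confirm what was configured, show crypto dynamic-map lists the entry with its access list, transform set, lifetimes and PFS setting, and show crypto map shows the static map that references it. If the access list named in match address is missing or empty, the guide's Step 3 note applies and all traffic for this entry is dropped, so check that the list exists and has at least one permit statement before binding the map to an interface.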

 

 

 

C7200 VSA (VPN Services Adapter) Installation and Configuration Guide

 

OL-9129-02

4-13

 

 

 
