Optional Accesses list number or name of an

Chapter 4 Configuring the VSA

Configuration Tasks

	Command	Purpose

Step 3	Router(config-crypto-m)# match address	(Optional) Accesses list number or name of an
	access-list-id	extended access list. This access list determines
		which traffic should be protected by IPSec and which
		traffic should not be protected by IPSec security in
		the context of this crypto map entry.
		Note Although access-lists are optional for
		dynamic crypto maps, they are highly
		recommended.
		If this is configured, the data flow identity proposed
		by the IPSec peer must fall within a permit statement
		for this crypto access list.
		If this is not configured, the router will accept any
		data flow identity proposed by the IPSec peer.
		However, if this is configured but the specified
		access list does not exist or is empty, the router will
		drop all packets. This is similar to static crypto maps
		because they also require that an access list be
		specified.
		Care must be taken if the any keyword is used in the
		access list, because the access list is used for packet
		filtering as well as for negotiation.

Step 4	Router(config-crypto-m)# set peer {hostname	(Optional) Specifies a remote IPSec peer. Repeat for
	ip-address}	multiple remote peers.
		This is rarely configured in dynamic crypto map
		entries. Dynamic crypto map entries are often used
		for unknown remote peers.

Step 5	Router(config-crypto-m)# set security-association	(Optional) If you want the security associations for
	lifetime seconds seconds	this crypto map to be negotiated using shorter IPSec
	and	security association lifetimes than the globally
	and	specified lifetimes, specify a key lifetime for the
		specified lifetimes, specify a key lifetime for the
	Router (config-crypto-m)# set security-association	crypto map entry.
	lifetime kilobytes kilobytes

Step 6	Router(config-crypto-m)# set pfs [group1 group2	(Optional) Specifies that IPSec should ask for perfect
	group5]	forward secrecy when requesting new security
		associations for this crypto map entry or should
		demand perfect forward secrecy in requests received
		from the IPSec peer.

Step 7	Router(config-crypto-m)# exit	Exits crypto-map configuration mode and returns to
		global configuration mode.

Step 8	Repeat these steps to create additional crypto map entries as required.

C7200 VSA (VPN Services Adapter) Installation and Configuration Guide

	OL-9129-02	4-13

Cisco Systems C7200 Optional Accesses list number or name of an, Context of this crypto map entry

Models: C7200

Command

(Optional) Accesses list number or name of an

extended access list. This access list determines

which traffic should be protected by IPSec and which

traffic should not be protected by IPSec security in

the context of this crypto map entry.

dynamic crypto maps, they are highly

recommended.

If this is configured, the data flow identity proposed

by the IPSec peer must fall within a permit statement

for this crypto access list.

If this is not configured, the router will accept any

data flow identity proposed by the IPSec peer.

However, if this is configured but the specified

access list does not exist or is empty, the router will

drop all packets. This is similar to static crypto maps

because they also require that an access list be

specified.

Care must be taken if the any keyword is used in the

access list, because the access list is used for packet

filtering as well as for negotiation.

(Optional) Specifies a remote IPSec peer. Repeat for

multiple remote peers.

This is rarely configured in dynamic crypto map

entries. Dynamic crypto map entries are often used

for unknown remote peers.

(Optional) If you want the security associations for

this crypto map to be negotiated using shorter IPSec

security association lifetimes than the globally

specified lifetimes, specify a key lifetime for the

crypto map entry.

associations for this crypto map entry or should

demand perfect forward secrecy in requests received

from the IPSec peer.

global configuration mode.