Chapter 4 Configuring the VSA

Configuration Tasks

To add a dynamic crypto map set into a crypto map set, use the following command in global configuration mode:

Command:  Router(config)# crypto map map-name seq-num ipsec-isakmp dynamic dynamic-map-name
Purpose:  Adds a dynamic crypto map set to a static crypto map set.

Applying Crypto Map Sets to Interfaces

Apply a crypto map set to each interface through which IPSec traffic will flow. Crypto maps instruct the router to evaluate the interface traffic against the crypto map set and use the specified policy during connection or security association negotiation on behalf of traffic to be protected by crypto.

To apply a crypto map set to an interface, use the following command in interface configuration mode:

Command:  Router(config-if)# crypto map map-name
Purpose:  Applies a crypto map set to an interface.

To specify redundant interfaces and name an identifying interface, use the following command in global configuration mode:

Command:  Router(config)# crypto map map-name local-address interface-id
Purpose:  Permits redundant interfaces to share the same crypto map, using the same local identity.
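
The commands in this section can be cross-checked against a saved configuration. The Python audit below is an added example, not part of the Cisco guide; the function name, the finding labels and the sample configuration (map names, interfaces) are constructed for illustration. It flags interfaces that reference an undefined crypto map set, map sets applied to several interfaces without a local-address statement, and dynamic entries that point to an undefined dynamic map.

```python
import re

# Constructed sample config; map names and interfaces are made up.
SAMPLE_CONFIG = """\
crypto dynamic-map DYNMAP 10
crypto map VPNMAP local-address Loopback0
crypto map VPNMAP 10 ipsec-isakmp
crypto map VPNMAP 65000 ipsec-isakmp dynamic DYNMAP
crypto map BRANCH 10 ipsec-isakmp
interface GigabitEthernet0/1
 crypto map VPNMAP
interface GigabitEthernet0/2
 crypto map VPNMAP
interface Serial1/0
 crypto map BRANCH
interface Serial1/1
 crypto map BRANCH
interface Serial1/2
 crypto map MISSING
"""

def audit_crypto_maps(config):
    """Return sorted (finding, map-name) pairs for crypto map usage."""
    defined, local_addr, dyn_defs, dyn_refs, applied = set(), set(), set(), set(), {}
    iface = None
    for line in config.splitlines():
        if not line.startswith(" "):
            iface = None  # a global-mode line ends the interface block
        if m := re.match(r"crypto dynamic-map (\S+) \d+", line):
            dyn_defs.add(m[1])
        elif m := re.match(r"crypto map (\S+) local-address \S+", line):
            local_addr.add(m[1])
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp(?: dynamic (\S+))?", line):
            defined.add(m[1])
            if m[2]:
                dyn_refs.add((m[1], m[2]))
        elif m := re.match(r"interface (\S+)", line):
            iface = m[1]
        elif iface and (m := re.match(r"\s+crypto map (\S+)\s*$", line)):
            applied.setdefault(m[1], []).append(iface)
    findings = []
    for name, ifaces in applied.items():
        if name not in defined:
            findings.append(("undefined-map", name))
        elif len(ifaces) > 1 and name not in local_addr:
            # Review item: no shared local identity across these interfaces.
            findings.append(("shared-without-local-address", name))
    findings += [("undefined-dynamic-map", n) for n, d in dyn_refs if d not in dyn_defs]
    return sorted(findings)
```

Calling audit_crypto_maps(SAMPLE_CONFIG) reports BRANCH as shared without a local-address statement and MISSING as applied but never defined; VPNMAP passes because it names Loopback0 as its identifying interface.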

 

 

Monitoring and Maintaining IPSec

To clear (and reinitialize) IPSec security associations, use one of the following commands in EXEC or enable mode (see “Using the EXEC Command Interpreter” section on page 4-2 for more details):

Command:  Router# clear crypto sa
          or
          Router# clear crypto sa counters
          or
          Router# clear crypto sa peer {ip-address | peer-name}
          or
          Router# clear crypto sa map map-name
          or
          Router# clear crypto sa spi destination-address protocol spi
Purpose:  Clears IPSec security associations.

Note: Using the clear crypto sa command without parameters will clear out the full SA database, which will clear out active security sessions. You may also specify the peer, map, or spi keywords to clear out only a subset of the SA database. For more information, see the clear crypto sa command.

C7200 VSA (VPN Services Adapter) Installation and Configuration Guide

4-14

OL-9129-02

 

 
