Chapter 4 Configuring the VSA

Configuration Tasks

To view information about your IPSec configuration, use one or more of the following commands in EXEC mode:

Command                                                                     Purpose

Router# show crypto ipsec transform-set                                     Displays your transform set configuration.

Router# show crypto map [interface interface | tag map-name]                Displays your crypto map configuration.

Router# show crypto ipsec sa [map map-name | address | identity] [detail]   Displays information about IPSec security associations.

Router# show crypto dynamic-map [tag map-name]                              Displays information about dynamic crypto maps.

Router# show crypto ipsec security-association lifetime                     Displays global security association lifetime values.

Verifying IKE and IPSec Configurations

To view information about your IPSec configurations, use the show crypto ipsec transform-set EXEC command.

Note If a user enters an IPSec transform that the hardware (the IPSec peer) does not support, a warning message will be displayed in the show crypto ipsec transform-set command output.

The following sample output from the show crypto ipsec transform-set command displays a warning message after a user tries to configure an IPSec transform that the hardware does not support:

Router# show crypto ipsec transform-set
Transform set transform-1:{esp-256-aes esp-md5-hmac} will negotiate = {Tunnel, },
WARNING:encryption hardware does not support transform esp-aes 256 within IPSec transform transform-1

To view information about your IKE configurations, use the show crypto isakmp policy EXEC command.

Note If a user enters an IKE encryption method that the hardware does not support, a warning message will be displayed in the show crypto isakmp policy output.

The following sample output from the show crypto isakmp policy command displays a warning message after a user tries to configure an IKE encryption method that the hardware does not support:

Router# show crypto isakmp policy
Protection suite of priority 1
        encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
WARNING:encryption hardware does not support the configured encryption method for ISAKMP policy 1
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               3600 seconds, no volume limit
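
The following is an added example, not part of the Cisco guide: a Python script that scans captured output of the two show commands above for the hardware-support warnings and ties each one to its transform set or ISAKMP policy. The function name find_unsupported and the finding fields are assumptions made for illustration; the sample text is copied from the outputs on this page.

```python
import re

# Sample text copied from the two outputs shown on this page.
SAMPLE = """\
Router# show crypto ipsec transform-set
Transform set transform-1:{esp-256-aes esp-md5-hmac} will negotiate = {Tunnel, },
WARNING:encryption hardware does not support transform esp-aes 256 within IPSec transform transform-1
Router# show crypto isakmp policy
Protection suite of priority 1
encryption algorithm: AES - Advanced Encryption Standard (256 bit keys).
WARNING:encryption hardware does not support the configured encryption method for ISAKMP policy 1
hash algorithm: Secure Hash Standard
"""

IPSEC_WARN = re.compile(r"WARNING:\s*encryption hardware does not support transform "
                        r"(?P<alg>.+?) within IPSec transform (?P<name>\S+)")
IKE_WARN = re.compile(r"WARNING:\s*encryption hardware does not support the configured "
                      r"encryption method for ISAKMP policy (?P<prio>\d+)")
IKE_ENC = re.compile(r"encryption algorithm:\s*(?P<alg>.+)")


def find_unsupported(output):
    """Return one finding per hardware-support warning in captured show output."""
    findings, last_ike_enc = [], None
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Protection suite of priority"):
            last_ike_enc = None  # a new ISAKMP policy block begins
        if (m := IKE_ENC.search(line)):
            last_ike_enc = m["alg"].rstrip(".")  # remembered for the warning that follows
        elif (m := IPSEC_WARN.search(line)):
            findings.append({"scope": "ipsec", "id": m["name"], "algorithm": m["alg"]})
        elif (m := IKE_WARN.search(line)):
            findings.append({"scope": "isakmp", "id": m["prio"], "algorithm": last_ike_enc})
        elif line.startswith("WARNING:"):
            # Unrecognized warning wording: report it rather than drop it silently.
            findings.append({"scope": "unknown", "id": None, "algorithm": line})
    return findings


if __name__ == "__main__":
    for f in find_unsupported(SAMPLE):
        print(f"{f['scope']} {f['id']}: hardware does not support {f['algorithm']}")
```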

C7200 VSA (VPN Services Adapter) Installation and Configuration Guide

 

OL-9129-02
