Chapter 4 Configuring the VSA

Configuration Tasks

Verifying the Configuration

Some configuration changes take effect only after subsequent security associations are negotiated. For the new settings to take effect immediately, clear the existing security associations.

To clear (and reinitialize) IPSec security associations, use one of the commands in Table 4-2 in EXEC or enable mode (see the “Using the EXEC Command Interpreter” section on page 4-2 for more details):

Table 4-2 Commands to Clear IPSec Security Associations

Command:

    clear crypto sa
    or
    clear crypto sa peer {ip-address | peer-name}
    or
    clear crypto sa map map-name
    or
    clear crypto sa spi destination-address protocol spi

Purpose:

    Clear IPSec security associations (SAs). Using the clear crypto sa command
    without parameters clears out the full SA database, which clears out active
    security sessions. You may also specify the peer, map, or spi keywords to
    clear out only a subset of the SA database.


The following steps provide information on verifying your configurations:

Step 1 Enter the show crypto ipsec transform-set command to view your transform set configuration:

Router# show crypto ipsec transform-set
Transform set combined-des-md5: {esp-des esp-md5-hmac} will negotiate = {Tunnel,},
Transform set t1: {esp-des esp-md5-hmac} will negotiate = {Tunnel,},
Transform set t100: {ah-sha-hmac} will negotiate = {Transport,},
Transform set t2: {ah-sha-hmac} will negotiate = {Tunnel,},
   {esp-des} will negotiate = {Tunnel,},

Step 2 Enter the show crypto map [interface interface | tag map-name] command to view your crypto map configuration:

Router# show crypto map
Crypto Map: "router-alice" idb: Ethernet0 local address: 172.21.114.123
Crypto Map "router-alice" 10 ipsec-isakmp
        Peer = 172.21.114.67
        Extended IP access list 141
            access-list 141 permit ip
                source: addr = 172.21.114.123/0.0.0.0
                dest:   addr = 172.21.114.67/0.0.0.0
        Current peer: 172.21.114.67
        Security-association lifetime: 4608000 kilobytes/120 seconds
        PFS (Y/N): N
        Transform sets={t1,}

Step 3 Enter the show crypto ipsec sa [map map-name | address | identity | detail | interface] command to view information about IPSec security associations:

Router# show crypto ipsec sa

interface: Ethernet0

Crypto map tag: router-alice, local addr. 172.21.114.123

local ident (addr/mask/prot/port): (172.21.114.123/255.255.255.255/0/0)
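The three show commands above give you the raw state, but on a router with many crypto map entries it is easy to overlook a map that still offers a transform set built on DES or HMAC-MD5, or one with PFS turned off. The following Python script is an added example for this section, not part of this guide and not a Cisco tool: it parses the Step 1 and Step 2 output (the sample strings are constructed from the output shown above), cross-references each crypto map entry with the transform sets it names, and reports the weak settings. The WEAK_TRANSFORMS policy is an assumption chosen for the example; adjust it to your own standard.

```python
"""Audit IOS 'show crypto ipsec transform-set' and 'show crypto map' output."""
import re

# Constructed sample input: the router output reproduced from Steps 1 and 2.
SHOW_TRANSFORM_SET = """\
Transform set combined-des-md5: {esp-des esp-md5-hmac} will negotiate = {Tunnel,},
Transform set t1: {esp-des esp-md5-hmac} will negotiate = {Tunnel,},
Transform set t100: {ah-sha-hmac} will negotiate = {Transport,},
Transform set t2: {ah-sha-hmac} will negotiate = {Tunnel,},
   {esp-des} will negotiate = {Tunnel,},
"""

SHOW_CRYPTO_MAP = """\
Crypto Map: "router-alice" idb: Ethernet0 local address: 172.21.114.123
Crypto Map "router-alice" 10 ipsec-isakmp
        Peer = 172.21.114.67
        Extended IP access list 141
            access-list 141 permit ip
                source: addr = 172.21.114.123/0.0.0.0
                dest:   addr = 172.21.114.67/0.0.0.0
        Current peer: 172.21.114.67
        Security-association lifetime: 4608000 kilobytes/120 seconds
        PFS (Y/N): N
        Transform sets={t1,}
"""

# Assumed audit policy for this example: transforms a reviewer would flag today.
WEAK_TRANSFORMS = {
    "esp-des": "56-bit DES encryption",
    "esp-md5-hmac": "HMAC-MD5 integrity",
    "ah-md5-hmac": "HMAC-MD5 integrity",
    "esp-null": "no encryption",
}


def parse_transform_sets(text):
    """Map each transform-set name to its list of transforms.

    A continuation line such as '   {esp-des} will negotiate = ...' belongs to
    the most recently named set (IOS wraps multi-transform sets this way)."""
    sets = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"\s*Transform set (\S+): \{([^}]*)\}", line)
        if m:
            current = m.group(1)
            sets[current] = m.group(2).split()
            continue
        m = re.match(r"\s*\{([^}]*)\} will negotiate", line)
        if m and current is not None:
            sets[current].extend(m.group(1).split())
    return sets


def parse_crypto_map(text):
    """Return one dict per 'Crypto Map "name" seq type' entry with its current
    peer, PFS flag, SA lifetimes and the transform sets it offers."""
    entries = []
    for line in text.splitlines():
        m = re.match(r'\s*Crypto Map "([^"]+)" (\d+) (\S+)', line)
        if m:
            entries.append({"name": m.group(1), "seq": int(m.group(2)),
                            "type": m.group(3), "transform_sets": []})
            continue
        if not entries:  # header line ('Crypto Map: ... idb: ...') precedes the first entry
            continue
        e = entries[-1]
        if m := re.search(r"Current peer: (\S+)", line):
            e["peer"] = m.group(1)
        if m := re.search(r"lifetime: (\d+) kilobytes/(\d+) seconds", line):
            # Upper bound on how long an old setting lingers before the SA is renegotiated
            e["lifetime_kb"], e["lifetime_s"] = int(m.group(1)), int(m.group(2))
        if m := re.search(r"PFS \(Y/N\): ([YN])", line):
            e["pfs"] = m.group(1)
        if m := re.search(r"Transform sets=\{([^}]*)\}", line):
            e["transform_sets"] = [t for t in m.group(1).split(",") if t]
    return entries


def audit(transform_text, crypto_map_text):
    """Cross-reference each crypto map entry with the transform sets it names
    and return a list of human-readable findings."""
    sets = parse_transform_sets(transform_text)
    findings = []
    for e in parse_crypto_map(crypto_map_text):
        tag = f'{e["name"]} {e["seq"]}'
        for ts in e["transform_sets"]:
            if ts not in sets:
                findings.append(f"{tag}: references undefined transform set {ts}")
                continue
            for t in sets[ts]:
                if t in WEAK_TRANSFORMS:
                    findings.append(f"{tag}: transform set {ts} uses {t} ({WEAK_TRANSFORMS[t]})")
        if e.get("pfs") == "N":
            findings.append(f"{tag}: PFS disabled, no fresh Diffie-Hellman exchange per IPSec SA")
    return findings


if __name__ == "__main__":
    for finding in audit(SHOW_TRANSFORM_SET, SHOW_CRYPTO_MAP):
        print(finding)
```

Run against the sample, the script reports that map entry router-alice 10 offers t1 (esp-des and esp-md5-hmac) and has PFS disabled. In practice you would feed it the output of the three show commands captured from the router; note that the 120-second SA lifetime in the sample means any fixed transform set is renegotiated within two minutes even without clear crypto sa, whereas the default lifetimes are far longer.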

C7200 VSA (VPN Services Adapter) Installation and Configuration Guide

4-16

OL-9129-02
