Configuration Examples | Cisco Systems C7200 specification

Chapter 4 Configuring the VSA

Configuration Examples

Configuration Examples

This section provides the following configuration examples:

•Configuring IKE Policies Example, page 4-18

•Configuring IPSec Configuration Example, page 4-18

•Basic IPSec Configuration Illustration, page 4-19

Configuring IKE Policies Example

In the following example, two IKE policies are created, with policy 15 as the highest priority, policy 20 as the next priority, and the existing default priority as the lowest priority. It also creates a preshared key to be used with policy 20 with the remote peer whose IP address is 192.168.224.33.

crypto isakmp policy 15 encryption 3des

hash md5 authentication rsa-sig group 2

lifetime 5000

crypto isakmp policy 20 authentication pre-share lifetime 10000

crypto isakmp key 1234567890 address 192.168.224.33

Configuring IPSec Configuration Example

The following example shows a minimal IPSec configuration where the security associations will be established via IKE:

An IPSec access list defines which traffic to protect:

access-list 101 permit ip 10.0.0.0 0.0.0.255 10.2.2.0 0.0.0.255

A transform set defines how the traffic will be protected. In this example, transform set “myset1” uses DES encryption and SHA for data packet authentication:

crypto ipsec transform-set myset1 esp-des esp-sha

Another transform set example is “myset2,” which uses Triple DES encryptions and MD5 (HMAC variant) for data packet authentication:

crypto ipsec transform-set myset2 esp-3des esp-md5-hmac

A crypto map joins together the IPSec access list and transform set and specifies where the protected traffic is sent (the remote IPSec peer):

crypto map toRemoteSite 10 ipsec-isakmp match address 101

set transform-set myset2 set peer 10.2.2.5

C7200 VSA (VPN Services Adapter) Installation and Configuration Guide

4-18	OL-9129-02

Image 52

Cisco Systems C7200 Configuration Examples, Configuring IKE Policies Example, Configuring IPSec Configuration Example

Contents

Corporate Headquarters Text Part Number OL-9129-02Page N T E N T S Preventing Electrostatic Discharge Damage 2 Creating Dynamic Crypto Maps 4 OL-9129-02 Preface Audience Organization ObjectivesChapter Title Description Obtaining Documentation Related DocumentationCisco.com Cisco Product Security Overview Documentation FeedbackProduct Documentation DVD Ordering Documentation Reporting Security Problems in Cisco Products Product Alerts and Field Notices Obtaining Technical Assistance Cisco Technical Support & Documentation Website Definitions of Service Request Severity Submitting a Service RequestObtaining Additional Publications and Information Xiv Overview Data Encryption Overview VSA Overview Screws Handle Status LED light VSA Module Front View Features This section describes the VSA features, as listed in TableFeature Description/Benefit Hardware Required Supported Standards, MIBs, and RFCs PerformanceStandards MIBs Command Purpose Enabling/Disabling the VSADisabling the VSA during Operation Enabling/Disabling Scheme Command Description of VSA Behavior Condition System is ConfiguredLEDs Connectors See -2for the VSA connectorsSlot Locations Cisco 7204VXR Router Port adapter VSA in I/O controller slot Port adapter lever Cisco 7204VXR Router Front View Cisco 7206VXR Router Cisco 7206VXR Front View Required Tools and Equipment Hardware and Software Requirements Software Requirements Hardware RequirementsRestrictions Platform Safety Warnings Safety GuidelinesOnline Insertion and Removal OIR Electrical Equipment Guidelines Preventing Electrostatic Discharge Damage Preparing for Installation OL-9129-02 Handling the VSA VSA circuit board is sensitive to ESD damage VSA Removal and Installation This section describes how to remove and install the VSA Removing and Installing the VSA VSA Removal and Installation OL-9129-02 Configuration Tasks Overview Using the Exec Command Interpreter Configuring an IKE Policy Key Management Protocol Isakmp policy configuration Config-isakmp modeOptional Specifies the authentication method within an IKE Signatures as the authentication method Configuring a Transform Set Disabling VSA Optional Defining a Transform Set Transform type Description IPSec Protocols AH and ESP Crypto Transform Configuration ModeSelecting Appropriate Transforms Configuring IPSec Ensuring That Access Lists Are Compatible with IPSecSetting Global Lifetimes for IPSec Security Associations Changing Existing Transforms Step Command Purpose Creating Crypto Access Lists Creating Crypto Map Entries Only one transform set can be specified when IKE is Authenticator keys if the transform set includes anESP authenticator algorithm Exits crypto-map configuration mode and return to Creating Dynamic Crypto Maps Optional Accesses list number or name of an Extended access list. This access list determinesIf this is configured, the data flow identity proposed For this crypto access list Monitoring and Maintaining IPSec Applying Crypto Map Sets to Interfaces Verifying IKE and IPSec Configurations Router# show crypto isakmp policy Verifying the Configuration Currentpeer 172.21.114.67 PERMIT, flags=originisacl Configuration Examples Configuring IKE Policies ExampleConfiguring IPSec Configuration Example This section provides the following configuration examples Router a Configuration Basic IPSec Configuration IllustrationCrypto map is applied to an interface Transform set defines how the traffic will be protected Router B ConfigurationSpecify the parameters to be used during an IKE negotiation Troubleshooting Tips Router# show diag Tunnel I/F Using Deny Policies in Access Lists Monitoring and Maintaining the VSA Monitor and Maintenance Commands Configuration Guidelines and Restrictions D E Set pfs command Sa command, clear crypto Entries, creatingSet session-key command Set transform-set command Features Handling Monitoring and maintaining 4 Overview Handling VPN Acceleration Module see VAM 1 IN-4