Chapter 4 Configuring the VSA

Configuration Examples


This section provides the following configuration examples:

Configuring IKE Policies Example

Configuring IPSec Configuration Example

Basic IPSec Configuration Illustration

Configuring IKE Policies Example

In the following example, two IKE policies are created, with policy 15 as the highest priority, policy 20 as the next priority, and the existing default priority as the lowest priority. It also creates a preshared key to be used with policy 20 with the remote peer whose IP address is 192.168.224.33.

crypto isakmp policy 15
 encryption 3des
 hash md5
 authentication rsa-sig
 group 2
 lifetime 5000
crypto isakmp policy 20
 authentication pre-share
 lifetime 10000
crypto isakmp key 1234567890 address 192.168.224.33

Configuring IPSec Configuration Example

The following example shows a minimal IPSec configuration where the security associations will be established via IKE:

An IPSec access list defines which traffic to protect:

access-list 101 permit ip 10.0.0.0 0.0.0.255 10.2.2.0 0.0.0.255

A transform set defines how the traffic will be protected. In this example, transform set “myset1” uses DES encryption and SHA for data packet authentication:

crypto ipsec transform-set myset1 esp-des esp-sha-hmac

Another transform set example is “myset2,” which uses Triple DES encryption and MD5 (HMAC variant) for data packet authentication:

crypto ipsec transform-set myset2 esp-3des esp-md5-hmac

A crypto map joins together the IPSec access list and transform set and specifies where the protected traffic is sent (the remote IPSec peer):

crypto map toRemoteSite 10 ipsec-isakmp
 match address 101
 set transform-set myset2
 set peer 10.2.2.5
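
The following Python code is an added example, not part of the Cisco guide: it audits IKE policy and transform-set commands like those in the two examples above for deprecated algorithms, including values a policy inherits by omission (policy 20 sets no encryption, hash, or group). The audit function, the lists of weak algorithms, and the assumed classic IOS defaults (DES, SHA, group 1) are assumptions of this example.

```python
import re
# Assumption: classic IOS values for parameters an IKE policy leaves out.
IKE_DEFAULTS = {"encryption": "des", "hash": "sha", "group": "1"}
# Assumption: the algorithms this audit treats as deprecated.
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac"}

# Constructed sample built from the IKE and IPSec commands in the examples above.
SAMPLE = """\
crypto isakmp policy 15
 encryption 3des
 hash md5
 authentication rsa-sig
 group 2
 lifetime 5000
crypto isakmp policy 20
 authentication pre-share
 lifetime 10000
crypto isakmp key 1234567890 address 192.168.224.33
crypto ipsec transform-set myset1 esp-des esp-sha-hmac
crypto ipsec transform-set myset2 esp-3des esp-md5-hmac
"""

def audit(config):
    """Return sorted (object, setting, value, origin) tuples for weak crypto."""
    policies, findings, current = {}, [], None
    for line in config.splitlines():
        words = line.split()
        m = re.match(r"crypto isakmp policy (\d+)\s*$", line)
        if m:
            current = policies.setdefault("ike policy " + m.group(1), {})
        elif not line.startswith(" "):
            current = None  # back at global level: the policy block has ended
        if current is not None and len(words) >= 2 and words[0] in IKE_DEFAULTS:
            current[words[0]] = words[1]
        elif words[:3] == ["crypto", "ipsec", "transform-set"]:
            for t in words[4:]:
                if t in WEAK_TRANSFORMS:
                    findings.append(("transform-set " + words[3], "transform", t, "configured"))
    for name, explicit in policies.items():
        for key, default in IKE_DEFAULTS.items():
            value = explicit.get(key, default)  # an omitted setting falls back to the default
            if value in WEAK[key]:
                origin = "configured" if key in explicit else "default"
                findings.append((name, key, value, origin))
    return sorted(findings)

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Findings marked "default" are the ones a line-by-line read of the configuration misses, because the weak value never appears in the text.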

C7200 VSA (VPN Services Adapter) Installation and Configuration Guide


OL-9129-02

 

 
