Manuals / Cisco Systems / Computer Equipment / Network Cables

Cisco Systems C7200 manual Basic IPSec Configuration Illustration, Router A Configuration, 4-19

Models: C7200

1 62

Download 62 pages 7.3 Kb

Page 53

Basic IPSec Configuration Illustration

Chapter 4 Configuring the VSA

Basic IPSec Configuration Illustration

The crypto map is applied to an interface:

interface Serial0 ip address 10.0.0.2

crypto map toRemoteSite

Note In this example, IKE must be enabled.

Basic IPSec Configuration Illustration

The following is an example of an IPSec configuration in which the security associations are established through IKE. In this example, an access list is used to restrict the packets that are encrypted and decrypted. In this example, all packets going from IP address 10.0.0.2 to IP address 10.2.2.2 are encrypted and decrypted and all packets going from IP address 10.2.2.2 to IP address 10.0.0.2 are encrypted and decrypted. Also, one IKE policy is created.

Figure 4-1 Basic IPSec Configuration

Only packets from 10.0.0.2 to 10.2.2.2 are encrypted and authenticated across the network.

Clear text	Encrypted text
10.0.0.2
10.0.0.3	10.2.2.3
Router A	Router B

10.0.0.1

All other packets are not encrypted

Clear text

Clear text

10.2.2.2

10.2.2.1

29728

Router A Configuration

Specify the parameters to be used during an IKE negotiation:

Update to 3DES/AES

crypto isakmp policy 15 encryption des

hash md5

authentication pre-share group 2

lifetime 5000

crypto isakmp key 1234567890 address 10.2.2.3 crypto isakmp identity address

C7200 VSA (VPN Services Adapter) Installation and Configuration Guide

	OL-9129-02	4-19

Image 53

Cisco Systems C7200 manual Basic IPSec Configuration Illustration, Router A Configuration, 4-19

Contents

Corporate Headquarters C7200 VSA VPN Services Adapter Installation and Configuration GuideCisco Systems, Inc 170 West Tasman Drive San Jose, CA 800 553-NETS Fax 408Turn the television or radio antenna until the interference stops Definitions of Service Request Severity FeaturesC O N T E N T S PrefaceConfiguration Tasks 4 The Crypto Transform Configuration Mode 4Safety Warnings Removing and Installing the VSARouter A Configuration Verifying the Configuration 4Router B Configuration Troubleshooting TipsOL-9129-02 ContentsC7200 VSA VPN Services Adapter Installation and Configuration Guide Audience PrefaceWarnings Audience, page Warnings, page Objectives, page Organization, pageRemoving and Installing the VSA Preparing for InstallationConfiguring the VSA ObjectivesCisco.com Related DocumentationObtaining Documentation Cisco Product Security Overview Documentation FeedbackProduct Documentation DVD Ordering DocumentationFor emergencies only - security-alert@cisco.com Reporting Security Problems in Cisco ProductsProduct Alerts and Field Notices http//tools.cisco.com/RPF/register/register.do Obtaining Technical AssistanceCisco Technical Support & Documentation Website Definitions of Service Request Severity Submitting a Service RequestObtaining Additional Publications and Information xiiiThe Cisco Product Quick Reference Guide is a handy, compact reference tool that includes brief product overviews, key features, sample part numbers, and abbreviated technical specifications for many Cisco products that are sold through channel partners. It is updated twice a year and includes the latest Cisco channel product offerings. To order and find out more about the Cisco Product Quick Reference Guide, go to this URL Enabling/Disabling the VSA, page LEDs, page Connectors, page Hardware Required, page Features, pageOverview Data Encryption OverviewVSA Overview Screws Hardware Required FeaturesFeature Description/BenefitPerformance Supported Standards, MIBs, and RFCsStandards MIBsEnables the C7200 VSA after it has been Disables the C7200 VSAdisabled Enabling/Disabling the VSAno crypto engine slot accelerator 0 -See Table LEDsHw-module slot 0 shutdown -Not supported Slot Locations ConnectorsCisco 7204VXR Router Cisco 7204VXR Router, page Cisco 7206VXR Router, pageENABLED C7200 VSA VPN Services Adapter Installation and Configuration GuideFigure 1-4 Cisco 7204VXR Router - Front View Chapter 1 Overview Slot Locations1-10 Cisco 7206VXR RouterC7200 VSA VPN Services Adapter Installation and Configuration Guide Figure 1-5 Cisco 7206VXR - Front ViewOnline Insertion and Removal OIR, page Safety Guidelines, page Preparing for InstallationRequired Tools and Equipment Hardware and Software RequirementsHardware Requirements Software RequirementsRestrictions PlatformSafety Warnings Safety GuidelinesSafety Warnings, page Electrical Equipment Guidelines, page Online Insertion and Removal OIRPreventing Electrostatic Discharge Damage Electrical Equipment GuidelinesCompliance with U.S. Export Laws and Regulations Regarding Encryption Compliance with U.S. Export Laws and Regulations Regarding EncryptionC7200 VSA VPN Services Adapter Installation and Configuration Guide Chapter 2 Preparing for InstallationCompliance with U.S. Export Laws and Regulations Regarding Encryption OL-9129-02Warnings and Cautions, page VSA Removal and Installation, page Removing and Installing the VSAHandling the VSA Handling the VSA, page Online Insertion and Removal OIR, pageWarnings and Cautions VSA Removal and InstallationThe safety cover is an integral part of the product. Do not operate the unit without the safety cover installed. Operating the unit without the cover in place will invalidate the safety approvals and pose a risk of fire and electrical hazards Online Insertion and Removal OIRStep 3 Unscrew the screws holding the VSA in the slot VSA Removal and Installation Chapter 3 Removing and Installing the VSAC7200 VSA VPN Services Adapter Installation and Configuration Guide OL-9129-02Configuration Tasks Configuring the VSAOverview, page Configuration Tasks, page Configuration Examples, page Basic IPSec Configuration Illustration, pageConfiguring an IKE Policy Using the EXEC Command InterpreterVerifying IKE and IPSec Configurations, page 4-15 optional Configuring IPSec Configuration Example, page 4-18 optionalDefines an IKE policy and enters Internet Security Association Disables VSA Configuring a Transform SetVSA will be enabled after the next system rebootDefining a Transform Set The Crypto Transform Configuration Mode Changing Existing TransformsSelecting Appropriate Transforms Transform ExampleESP Authentication Transform Pick up to Authentication Transform is used, you mustah-md5-hmac ah-sha-hmacIPSec Protocols AH and ESP The Crypto Transform Configuration ModeSelecting Appropriate Transforms esp-aes and esp-sha-hmac ah-sha-hmac and esp-aes and esp-sha-hmacEnsuring That Access Lists Are Compatible with IPSec Configuring IPSecSetting Global Lifetimes for IPSec Security Associations Ensuring That Access Lists Are Compatible with IPSec requiredStep CommandPurpose Router# clear crypto sa spi destination-addressCreating Crypto Map Entries Creating Crypto Access Lists4-10 Routerconfig# ip access-list extended namespi cipher hex-key-string authenticator 4-11esp spi cipher hex-key-string authenticator Routerconfig-crypto-m# set session-key inbound ahCreating Dynamic Crypto Maps This is the only configuration statement required inCreates a dynamic crypto map entry Specifies which transform sets are allowed for thePurpose 4-13Command 4-14 Monitoring and Maintaining IPSecApplying Crypto Map Sets to Interfaces Displays your transform set configuration Verifying IKE and IPSec ConfigurationsDisplays your crypto map configuration Displays information about IPSec security associations4-16 Verifying the ConfigurationChapter 4 Configuring the VSA Configuration Tasks 4-17C7200 VSA VPN Services Adapter Installation and Configuration Guide OL-9129-02Configuring IKE Policies Example Configuration ExamplesConfiguring IPSec Configuration Example Configuring IKE Policies Example, page4-19 Basic IPSec Configuration IllustrationRouter A Configuration 4-20 Router B Configuration4-21 Troubleshooting TipsRouter# show diag Router# show crypto engine accelerator statisticC7200 VSA VPN Services Adapter Installation and Configuration Guide 4-22Chapter 4 Configuring the VSA Troubleshooting Tips Using Deny Policies in Access Lists, page Using Deny Policies in Access ListsMonitor and Maintenance Commands, page Monitoring and Maintaining the VSAConfiguration Guidelines and Restrictions Monitor and Maintenance CommandsDisplays integrated service adapter as part of the interfaces Verifies the VSA is currently processing crypto packetsIN-1 I N D Edefinition IN-2creating 4 IN-3 C7200 VSA VPN Services Adapter Installation and Configuration Guide IN-4Index OL-9129-02