Router B Configuration | Cisco Systems C7200 guide

Chapter 4 Configuring the VSA

Basic IPSec Configuration Illustration

Note In the preceding example, the encryption DES of policy 15 would not appear in the written configuration because this is the default value for the encryption algorithm parameter.

A transform set defines how the traffic will be protected:

crypto ipsec transform-set auth1 ah-md5-hmac esp-des esp-md5-hmac mode tunnel

Note In the preceding example, the mode tunnel would not appear in the written configuration because this is the default value for the transform-set.

A crypto map joins the transform set and specifies where the protected traffic is sent (the remote IPSec peer):

crypto map toRemoteSite 10 ipsec-isakmp match address 101

set peer 10.2.2.3

set transform-set auth1

The crypto map is applied to an interface:

interface Serial0

ip address 10.0.0.3

crypto map toRemoteSite

An IPSec access list defines which traffic to protect:

access-list 101 permit ip host 10.0.0.2 host 10.2.2.2

access-list 101 permit ip host 10.0.0.3 host 10.2.2.3

Router B Configuration

Specify the parameters to be used during an IKE negotiation:

crypto isakmp policy 15 encryption des

hash md5

authentication pre-share group 2

lifetime 5000

crypto isakmp key 1234567890 address 10.0.0.3 crypto isakmp identity address

A transform set defines how the traffic will be protected:

crypto ipsec transform-set auth1 ah-md5-hmac esp-des ah-md5-hmac mode tunnel

Note In the preceding example, the parameter “mode tunnel” would not appear in the written configuration because this is the default value for this configuration.

C7200 VSA (VPN Services Adapter) Installation and Configuration Guide

4-20	OL-9129-02

Image 54

Cisco Systems C7200 manual Router B Configuration, Transform set defines how the traffic will be protected

Contents

Corporate Headquarters Text Part Number OL-9129-02Page N T E N T S Preventing Electrostatic Discharge Damage 2 Creating Dynamic Crypto Maps 4 OL-9129-02 Preface Audience Objectives OrganizationChapter Title Description Related Documentation Obtaining DocumentationCisco.com Documentation Feedback Cisco Product Security OverviewProduct Documentation DVD Ordering Documentation Reporting Security Problems in Cisco Products Product Alerts and Field Notices Obtaining Technical Assistance Cisco Technical Support & Documentation Website Submitting a Service Request Definitions of Service Request SeverityObtaining Additional Publications and Information Xiv Overview Data Encryption Overview VSA Overview Screws Handle Status LED light VSA Module Front View Feature Description/Benefit FeaturesThis section describes the VSA features, as listed in Table Hardware Required Standards Supported Standards, MIBs, and RFCsPerformance MIBs Disabling the VSA during Operation Command PurposeEnabling/Disabling the VSA Enabling/Disabling Scheme Condition System is Configured Command Description of VSA BehaviorLEDs Slot Locations ConnectorsSee -2for the VSA connectors Cisco 7204VXR Router Port adapter VSA in I/O controller slot Port adapter lever Cisco 7204VXR Router Front View Cisco 7206VXR Router Cisco 7206VXR Front View Required Tools and Equipment Hardware and Software Requirements Restrictions Software RequirementsHardware Requirements Platform Safety Guidelines Safety WarningsOnline Insertion and Removal OIR Electrical Equipment Guidelines Preventing Electrostatic Discharge Damage Preparing for Installation OL-9129-02 Handling the VSA VSA circuit board is sensitive to ESD damage VSA Removal and Installation This section describes how to remove and install the VSA Removing and Installing the VSA VSA Removal and Installation OL-9129-02 Configuration Tasks Overview Using the Exec Command Interpreter Configuring an IKE Policy Optional Specifies the authentication method within an IKE Key Management Protocol Isakmp policy configurationConfig-isakmp mode Signatures as the authentication method Configuring a Transform Set Disabling VSA Optional Defining a Transform Set Transform type Description Crypto Transform Configuration Mode IPSec Protocols AH and ESPSelecting Appropriate Transforms Setting Global Lifetimes for IPSec Security Associations Configuring IPSecEnsuring That Access Lists Are Compatible with IPSec Changing Existing Transforms Step Command Purpose Creating Crypto Access Lists Creating Crypto Map Entries ESP authenticator algorithm Only one transform set can be specified when IKE isAuthenticator keys if the transform set includes an Exits crypto-map configuration mode and return to Creating Dynamic Crypto Maps If this is configured, the data flow identity proposed Optional Accesses list number or name of anExtended access list. This access list determines For this crypto access list Monitoring and Maintaining IPSec Applying Crypto Map Sets to Interfaces Verifying IKE and IPSec Configurations Router# show crypto isakmp policy Verifying the Configuration Currentpeer 172.21.114.67 PERMIT, flags=originisacl Configuring IPSec Configuration Example Configuration ExamplesConfiguring IKE Policies Example This section provides the following configuration examples Basic IPSec Configuration Illustration Router a ConfigurationCrypto map is applied to an interface Router B Configuration Transform set defines how the traffic will be protectedSpecify the parameters to be used during an IKE negotiation Troubleshooting Tips Router# show diag Tunnel I/F Using Deny Policies in Access Lists Monitoring and Maintaining the VSA Monitor and Maintenance Commands Configuration Guidelines and Restrictions D E Sa command, clear crypto Entries, creating Set pfs commandSet session-key command Set transform-set command Features Handling Monitoring and maintaining 4 Overview Handling VPN Acceleration Module see VAM 1 IN-4