C7200 VSA VPN Services Adapter Installation and Configuration Guide
Corporate Headquarters
Cisco Systems, Inc 170 West Tasman Drive San Jose, CA
800 553-NETS Fax 408
Turn the television or radio antenna until the interference stops
Features
Definitions of Service Request Severity
Contents
Preface
The Crypto Transform Configuration Mode
Configuration Tasks
Safety Warnings
Removing and Installing the VSA
Verifying the Configuration
Router A Configuration
Router B Configuration
Troubleshooting Tips
OL-9129-02
Preface
Audience
Warnings
Audience, Warnings, Objectives, Organization
Preparing for Installation
Removing and Installing the VSA
Configuring the VSA
Objectives
Cisco.com
Related Documentation
Obtaining Documentation
Documentation Feedback
Cisco Product Security Overview
Product Documentation DVD
Ordering Documentation
For emergencies only - security-alert@cisco.com
Reporting Security Problems in Cisco Products
Product Alerts and Field Notices
http://tools.cisco.com/RPF/register/register.do
Obtaining Technical Assistance
Cisco Technical Support & Documentation Website
Submitting a Service Request
Definitions of Service Request Severity
Obtaining Additional Publications and Information
The Cisco Product Quick Reference Guide is a handy, compact reference tool that includes brief product overviews, key features, sample part numbers, and abbreviated technical specifications for many Cisco products that are sold through channel partners. It is updated twice a year and includes the latest Cisco channel product offerings. To order and find out more about the Cisco Product Quick Reference Guide, go to this URL
Hardware Required, Features
Enabling/Disabling the VSA, LEDs, Connectors
Overview
Data Encryption Overview
VSA Overview
Screws
Features
Hardware Required
Feature
Description/Benefit
Supported Standards, MIBs, and RFCs
Performance
Standards
MIBs
Disables the C7200 VSA
Enables the C7200 VSA after it has been disabled
Enabling/Disabling the VSA
no crypto engine slot accelerator 0 -See Table
LEDs
Hw-module slot 0 shutdown -Not supported
Connectors
Slot Locations
Cisco 7204VXR Router
Cisco 7204VXR Router, Cisco 7206VXR Router
ENABLED
Figure 1-4 Cisco 7204VXR Router - Front View
Chapter 1 Overview Slot Locations
Cisco 7206VXR Router
Figure 1-5 Cisco 7206VXR - Front View
Preparing for Installation
Online Insertion and Removal (OIR), Safety Guidelines
Required Tools and Equipment
Hardware and Software Requirements
Software Requirements
Hardware Requirements
Restrictions
Platform
Safety Guidelines
Safety Warnings
Safety Warnings, Electrical Equipment Guidelines
Online Insertion and Removal (OIR)
Electrical Equipment Guidelines
Preventing Electrostatic Discharge Damage
Compliance with U.S. Export Laws and Regulations Regarding Encryption
Chapter 2 Preparing for Installation
Removing and Installing the VSA
Warnings and Cautions, VSA Removal and Installation
Handling the VSA
Handling the VSA, Online Insertion and Removal (OIR)
VSA Removal and Installation
Warnings and Cautions
The safety cover is an integral part of the product. Do not operate the unit without the safety cover installed. Operating the unit without the cover in place will invalidate the safety approvals and pose a risk of fire and electrical hazards
Online Insertion and Removal (OIR)
Step 3 Unscrew the screws holding the VSA in the slot
Chapter 3 Removing and Installing the VSA
VSA Removal and Installation
Configuring the VSA
Configuration Tasks
Overview, Configuration Tasks, Configuration Examples
Basic IPSec Configuration Illustration
Using the EXEC Command Interpreter
Configuring an IKE Policy
Verifying IKE and IPSec Configurations (optional)
Configuring IPSec Configuration Example (optional)
Defines an IKE policy and enters Internet Security Association
Configuring a Transform Set
Disables VSA
VSA will be enabled after the next system reboot
The Crypto Transform Configuration Mode Changing Existing Transforms
Defining a Transform Set
Selecting Appropriate Transforms
Transform Example
Authentication Transform is used, you must
ESP Authentication Transform Pick up to
ah-md5-hmac
ah-sha-hmac
The Crypto Transform Configuration Mode
IPSec Protocols AH and ESP
Selecting Appropriate Transforms
esp-aes and esp-sha-hmac ah-sha-hmac and esp-aes and esp-sha-hmac
Configuring IPSec
Ensuring That Access Lists Are Compatible with IPSec
Setting Global Lifetimes for IPSec Security Associations
Ensuring That Access Lists Are Compatible with IPSec (required)
Command
Step
Purpose
Router# clear crypto sa spi destination-address
Creating Crypto Access Lists
Creating Crypto Map Entries
Router(config)# ip access-list extended name
spi cipher hex-key-string authenticator
esp spi cipher hex-key-string authenticator
Router(config-crypto-m)# set session-key inbound ah
This is the only configuration statement required in
Creating Dynamic Crypto Maps
Creates a dynamic crypto map entry
Specifies which transform sets are allowed for the
Purpose
Command
Monitoring and Maintaining IPSec
Applying Crypto Map Sets to Interfaces
Verifying IKE and IPSec Configurations
Displays your transform set configuration
Displays your crypto map configuration
Displays information about IPSec security associations
Verifying the Configuration
Chapter 4 Configuring the VSA Configuration Tasks
Configuration Examples
Configuring IKE Policies Example
Configuring IPSec Configuration Example
Basic IPSec Configuration Illustration
Router A Configuration
Router B Configuration
Troubleshooting Tips
Router# show diag
Router# show crypto engine accelerator statistic
Using Deny Policies in Access Lists
Monitoring and Maintaining the VSA
Monitor and Maintenance Commands
Configuration Guidelines and Restrictions
Displays integrated service adapter as part of the interfaces
Verifies the VSA is currently processing crypto packets