Chapter 4 Configuring the ISA and ISM

Configuring IPSec

If you change a transform set definition, the change is only applied to crypto map entries that reference the transform set. The change is not applied to existing security associations but is used in subsequent negotiations to establish new security associations. If you want the new settings to take effect sooner, you can clear all or part of the security association database by using the clear crypto sa command.

To define a transform set, use the following commands, starting in global configuration mode:

Step 1
Command: crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]
Purpose: Define a transform set and enter crypto transform configuration mode. Complex rules define which entries you can use for the transform arguments. These rules are explained in the command description for the crypto ipsec transform-set command, and Table 4-1 on page 4-7 provides a list of allowed transform combinations.

Step 2
Command: mode [tunnel | transport]
Purpose: Change the mode associated with the transform set. The mode setting is applicable only to traffic whose source and destination addresses are the IPSec peer addresses; it is ignored for all other traffic. (All other traffic is in tunnel mode only.)

Step 3
Command: end
Purpose: Exit the crypto transform configuration mode to enabled mode.

Step 4
Command: clear crypto sa
or
clear crypto sa peer {ip-address | peer-name}
or
clear crypto sa map map-name
or
clear crypto sa spi destination-address protocol spi
Purpose: This step clears existing IPSec security associations so that any changes to a transform set take effect on subsequently established security associations (SAs). (Manually established SAs are reestablished immediately.) Using the clear crypto sa command without parameters clears out the full SA database, which clears out active security sessions. You may also specify the peer, map, or entry keywords to clear out only a subset of the SA database.
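The following session walks through the four steps above end to end, including the crypto map entry that must reference the transform set for a change to matter. It is an added example, not taken from this manual; the names TS-AES-SHA, VPN-MAP, access list 101 and the peer address 192.0.2.1 are assumptions, and the esp-aes / esp-sha-hmac combination is only valid if it appears in Table 4-1 for your platform.

```cisco
! Added example (not from the manual). Assumed names: TS-AES-SHA, VPN-MAP,
! ACL 101, peer 192.0.2.1. Check the transform pair against Table 4-1.
!
! Steps 1-3: define the transform set, set its mode, return to enabled mode.
Router# configure terminal
Router(config)# crypto ipsec transform-set TS-AES-SHA esp-aes esp-sha-hmac
! mode only affects traffic whose endpoints are the IPSec peers themselves;
! everything else is tunneled regardless of this setting.
Router(cfg-crypto-trans)# mode tunnel
Router(cfg-crypto-trans)# end
!
! A crypto map entry that references the transform set. Only entries that
! reference TS-AES-SHA pick up later changes to it.
Router# configure terminal
Router(config)# crypto map VPN-MAP 10 ipsec-isakmp
Router(config-crypto-map)# set peer 192.0.2.1
Router(config-crypto-map)# set transform-set TS-AES-SHA
Router(config-crypto-map)# match address 101
Router(config-crypto-map)# end
!
! Step 4: existing SAs keep the old transforms until they expire or are
! cleared. Clear only the SAs with this peer instead of the whole database
! so other active sessions are not dropped.
Router# clear crypto sa peer 192.0.2.1
!
! Confirm the renegotiated SAs use the updated transform set.
Router# show crypto ipsec sa peer 192.0.2.1
```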

Integrated Services Adapter and Integrated Services Module Installation and Configuration

4-6

OL-3575-01 B0
