Step Command Purpose | Cisco Systems SA-ISA, SM-ISM

Chapter 4 Configuring the ISA and ISM

Configuring IPSec

If you change a transform set definition, the change is only applied to crypto map entries that reference the transform set. The change is not applied to existing security associations but is used in subsequent negotiations to establish new security associations. If you want the new settings to take effect sooner, you can clear all or part of the security association database by using the clear crypto sa command.

To define a transform set, use the following commands, starting in global configuration mode:

Step	Command	Purpose

1.	crypto ipsec transform-set	Define a transform set and enter crypto
	transform-set-name transform1	transform configuration mode.
	[transform2 [transform3]]	Complex rules define which entries you can
		Complex rules define which entries you can
		use for the transform arguments. These rules
		are explained in the command description for
		the crypto ipsec transform-set command,
		and Table 4-1 on page 4-7provides a list of
		allowed transform combinations.

2.	mode [tunnel transport]	Change the mode associated with the
		transform set. The mode setting is applicable
		only to traffic whose source and destination
		addresses are the IPSec peer addresses; it is
		ignored for all other traffic. (All other traffic
		is in tunnel mode only.)

3.	end	Exit the crypto transform configuration mode
		to enabled mode.

4.	clear crypto sa	This step clears existing IPSec security
	or	associations so that any changes to a
	or	transform set take effect on subsequently
	clear crypto sa peer {ip-address	transform set take effect on subsequently
	clear crypto sa peer {ip-address	established security associations (SAs).
	peer-name}	(Manually established SAs are reestablished
	or	immediately.)
	or
	clear crypto sa map map-name	Using the clear crypto sa command without
	clear crypto sa map map-name	parameters clears out the full SA database,
	or	parameters clears out the full SA database,
	or	which clears out active security sessions. You
		which clears out active security sessions. You
	clear crypto sa spi destination-address	may also specify the peer, map, or entry
	protocol spi	keywords to clear out only a subset of the SA
		database.

Integrated Services Adapter and Integrated Services Module Installation and Configuration

4-6	OL-3575-01 B0

Cisco Systems SA-ISA, SM-ISM manual Step Command Purpose

Models: SM-ISM SA-ISA

Step

Command

Purpose

crypto ipsec transform-set

[transform2 [transform3]]

mode [tunnel transport]

clear crypto sa

clear crypto sa peer {ip-address

clear crypto sa map map-name

clear crypto sa spi destination-address

protocol spi

database.

OL-3575-01 B0