4-13

VPN Acceleration Module 2+ (VAM2+) Installation and Configuration Guide

OL-5979-03

Chapter 4      Configuring the SA-VAM2+

  Configuration Tasks

Command                                                     Purpose

Step 3
Router(config-crypto-m)# match address access-list-id

(Optional) Access list number or name of an extended access list. This access list determines which traffic should be protected by IPSec and which traffic should not be protected by IPSec security in the context of this crypto map entry.

Note    Although access lists are optional for dynamic crypto maps, they are highly recommended.

If this is configured, the data flow identity proposed by the IPSec peer must fall within a permit statement for this crypto access list.

If this is not configured, the router will accept any data flow identity proposed by the IPSec peer. However, if this is configured but the specified access list does not exist or is empty, the router will drop all packets. This is similar to static crypto maps because they also require that an access list be specified.

Care must be taken if the any keyword is used in the access list, because the access list is used for packet filtering as well as for negotiation.

Step 4
Router(config-crypto-m)# set peer {hostname | ip-address}

(Optional) Specifies a remote IPSec peer. Repeat for multiple remote peers.

This is rarely configured in dynamic crypto map entries. Dynamic crypto map entries are often used for unknown remote peers.

Step 5
Router(config-crypto-m)# set security-association lifetime seconds seconds

and

Router(config-crypto-m)# set security-association lifetime kilobytes kilobytes

(Optional) If you want the security associations for this crypto map to be negotiated using shorter IPSec security association lifetimes than the globally specified lifetimes, specify a key lifetime for the crypto map entry.

Step 6
Router(config-crypto-m)# set pfs [group1 | group2]

(Optional) Specifies that IPSec should ask for perfect forward secrecy when requesting new security associations for this crypto map entry, or should demand perfect forward secrecy in requests received from the IPSec peer.

Step 7
Router(config-crypto-m)# exit

Exits crypto map configuration mode and returns to global configuration mode.

Step 8
Repeat these steps to create additional crypto map entries as required.

To add a dynamic crypto map set into a crypto map set, use the following command in global configuration mode:
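The cautions in Steps 3, 5 and 6 are easy to miss when reviewing a running-config by eye, so the following Python script is added here as a worked example; it is not code from the Cisco guide. It parses a constructed IOS configuration excerpt (the names DYN-OK, DYN-OPEN, DYN-ANY, DYN-MISSING, TS and VPN-TRAFFIC are made up) and reports, for each crypto dynamic-map entry, the conditions the table describes: no match address (any data flow identity proposed by the peer is accepted), a match address that points at an access list that is missing or empty (all packets dropped), a permit entry that uses the any keyword, no set pfs, and a per-entry lifetime that is not shorter than the global value. The script assumes the IOS global default lifetime of 3600 seconds when no crypto ipsec security-association lifetime line is present.

```python
"""Lint Cisco IOS dynamic crypto-map entries for the cautions in the table above.

Added example, not from the Cisco guide. SAMPLE_CONFIG is a constructed
running-config excerpt; DYN-*, TS and VPN-TRAFFIC are made-up names.
"""
import re

# Constructed sample: one clean entry and three that each trip a rule
# (no match address, "any" in the access list, access list never defined).
SAMPLE_CONFIG = """\
crypto ipsec security-association lifetime seconds 3600
!
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
access-list 120 permit ip any any
!
crypto dynamic-map DYN-OK 10
 set transform-set TS
 set pfs group2
 set security-association lifetime seconds 1800
 match address VPN-TRAFFIC
!
crypto dynamic-map DYN-OPEN 10
 set transform-set TS
!
crypto dynamic-map DYN-ANY 10
 set transform-set TS
 match address 120
!
crypto dynamic-map DYN-MISSING 10
 set transform-set TS
 set security-association lifetime seconds 7200
 match address 130
"""

DEFAULT_SA_LIFETIME_SECONDS = 3600  # IOS global default when none is configured


def parse_config(text):
    """Return (global_lifetime, acls, dyn_maps); acls: name/number -> entries,
    dyn_maps: "NAME SEQ" -> sub-commands. IOS indents sub-commands by one space."""
    global_lifetime = DEFAULT_SA_LIFETIME_SECONDS
    acls, dyn_maps, current = {}, {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            current = None  # "!" or a blank line ends the current block
        elif line.startswith(" "):
            if current is not None:
                current.append(line.strip())
        elif m := re.match(r"ip access-list (?:extended|standard) (\S+)$", line):
            current = acls.setdefault(m.group(1), [])  # named ACL, entries follow
        elif m := re.match(r"access-list (\d+) ((?:permit|deny) .*)$", line):
            acls.setdefault(m.group(1), []).append(m.group(2))  # numbered ACL
            current = None
        elif m := re.match(r"crypto dynamic-map (\S+) (\d+)$", line):
            current = dyn_maps.setdefault(f"{m.group(1)} {m.group(2)}", [])
        else:
            m = re.match(r"crypto ipsec security-association lifetime seconds (\d+)$", line)
            if m:
                global_lifetime = int(m.group(1))
            current = None
    return global_lifetime, acls, dyn_maps


def lint_dynamic_map(subcmds, acls, global_lifetime):
    """Apply the table's cautions (Steps 3, 5, 6) to one dynamic crypto map entry."""
    findings = []
    match = [c for c in subcmds if c.startswith("match address ")]
    if not match:
        findings.append("WARN no match address: any data flow identity proposed by the peer is accepted")
    else:
        acl = match[0].split()[2]
        aces = acls.get(acl)
        if not aces:  # missing or empty access list: the router drops all packets
            findings.append(f"ERROR match address {acl}: access list missing or empty, all packets dropped")
        else:
            for ace in aces:
                toks = ace.split()
                if toks[0] == "permit" and "any" in toks:
                    findings.append(f"WARN match address {acl}: 'any' in '{ace}'; the ACL also filters packets")
                    break
    if not any(c.startswith("set pfs") for c in subcmds):
        findings.append("INFO no set pfs: perfect forward secrecy neither requested nor required")
    for c in subcmds:
        m = re.match(r"set security-association lifetime seconds (\d+)$", c)
        if m and int(m.group(1)) >= global_lifetime:
            findings.append(f"INFO lifetime {m.group(1)}s is not shorter than the global {global_lifetime}s")
    return findings


def lint_config(text):
    """Return {"NAME SEQ": [findings]} for every crypto dynamic-map entry in text."""
    global_lifetime, acls, dyn_maps = parse_config(text)
    return {k: lint_dynamic_map(v, acls, global_lifetime) for k, v in dyn_maps.items()}


if __name__ == "__main__":
    for key, findings in lint_config(SAMPLE_CONFIG).items():
        print(f"crypto dynamic-map {key}")
        for f in findings or ["OK"]:
            print("  " + f)
```

Feed it the output of show running-config instead of SAMPLE_CONFIG to check a real device; only DYN-OK comes back clean, because it pairs a specific permit entry with set pfs and a lifetime shorter than the global one. The ERROR finding is the one to treat as an outage rather than a weakness: a dynamic entry whose access list does not exist silently drops every packet that matches the entry.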
