4-8
VPN Acceleration Module 2+ (VAM2+) Installation and Configuration Guide
OL-5979-03
Chapter 4 Configuring the SA-VAM2+
Configuration Tasks
If you change a transform set definition, the change is only applied to crypto map entries that reference
the transform set. The change will not be applied to existing SAs, but will be used in subsequent
negotiations to establish new SAs. If you want the new settings to take effect sooner, you can clear all
or part of the SA database by using the
clear crypto sa
command.
Transform Example
The following example defines two transform sets. The first transform set will be used with an IPSec
peer that supports the newer ESP and AH protocols. The second transform set will be used with an IPSec
peer that only supports the older transforms.
crypto ipsec transform-set newer esp-3des esp-sha-hmac
crypto ipsec transform-set older ah-rfc-1828 esp-rfc1829
Configuring IPSec
This section includes the following topics:
•
Ensuring That Access Lists Are Compatible with IPSec
(required)
•
Setting Global Lifetimes for IPSec Security Associations
(required)
•
Creating Crypto Access Lists
(required)
•
Creating Crypto Map Entries
(required)
•
Creating Dynamic Crypto Maps
(required)
•
Applying Crypto Map Sets to Interfaces
(required)
•
Verifying the Configuration
(optional)
For IPSec configuration examples, refer to the
“IPSec Configuration Example” section on page 4-17
.
See the “Configuring IPSec Network Security” of the
Cisco IOS Security Configuration Guide
for more
information on configuring IPSec.
Ensuring That Access Lists Are Compatible with IPSec
IKE uses UDP port 500. The IPSec Encapsulating Security Payload (ESP) and Authentication Header
(AH) protocols use protocol numbers 50 and 51. Ensure that your interface access lists are configured
so that protocol numbers 50, 51, and UDP port 500 traffic are not blocked at interfaces used by IPSec.
In some cases you might need to add a statement to your access lists to explicitly permit this traffic.
Setting Global Lifetimes for IPSec Security Associations
You can change the global lifetime values which are used when negotiating new IPSec security
associations. (These global lifetime values can be overridden for a particular crypto map entry).
These lifetimes only apply to security associations established via IKE. Manually established security
associations do not expire.
To change a global lifetime for IPSec security associations, use one or more of the following commands
in global configuration mode: