Cisco Systems 7401ASR Network Router User Manual


 
Cisco 7401ASR Installation and Configuration Guide
OL-5419-01 B0
Chapter 4 Configuring the VPN Acceleration Module
Configuration Tasks
Verifying the Configuration
Some configuration changes take effect only after subsequent security associations are negotiated. For
the new settings to take effect immediately, clear the existing security associations.
To clear (and reinitialize) IPSec security associations, use one of the commands in Table 4-2 in global
configuration mode:
The following steps provide information on verifying your configurations:
Step 1 Enter the show crypto ipsec transform-set command to view your transform set configuration:

    Router# show crypto ipsec transform-set
    Transform set combined-des-md5: {esp-des esp-md5-hmac}
       will negotiate = {Tunnel,},
    Transform set t1: {esp-des esp-md5-hmac}
       will negotiate = {Tunnel,},
    Transform set t100: {ah-sha-hmac}
       will negotiate = {Transport,},
    Transform set t2: {ah-sha-hmac}
       will negotiate = {Tunnel,},
       {esp-des}
       will negotiate = {Tunnel,},

Step 2 Enter the show crypto map [interface interface | tag map-name] command to view your crypto map configuration:

    Router# show crypto map
    Crypto Map: "router-alice" idb: Ethernet0 local address: 172.21.114.123
    Crypto Map "router-alice" 10 ipsec-isakmp
       Peer = 172.21.114.67
       Extended IP access list 141
          access-list 141 permit ip
             source: addr = 172.21.114.123/0.0.0.0
             dest: addr = 172.21.114.67/0.0.0.0
       Current peer: 172.21.114.67
       Security-association lifetime: 4608000 kilobytes/120 seconds
       PFS (Y/N): N
       Transform sets={t1,}

Step 3 Enter the show crypto ipsec sa [map map-name | address | identity | detail | interface] command to view information about IPSec security associations.

    Router# show crypto ipsec sa
    interface: Ethernet0
       Crypto map tag: router-alice, local addr. 172.21.114.123
       local ident (addr/mask/prot/port): (172.21.114.123/255.255.255.255/0/0)

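An added example, not part of the Cisco guide: a Python parser for the Step 1 output that collects each transform set's transforms and modes, including a set such as t2 that spans two proposal lines, and flags sets a reviewer should look at. The WEAK table and the function names are assumptions of this example.

```python
import re

# Constructed sample: the Step 1 output shown above, with indentation restored.
SAMPLE = """\
Router# show crypto ipsec transform-set
Transform set combined-des-md5: {esp-des esp-md5-hmac}
   will negotiate = {Tunnel,},
Transform set t1: {esp-des esp-md5-hmac}
   will negotiate = {Tunnel,},
Transform set t100: {ah-sha-hmac}
   will negotiate = {Transport,},
Transform set t2: {ah-sha-hmac}
   will negotiate = {Tunnel,},
   {esp-des}
   will negotiate = {Tunnel,},
"""

# Review policy assumed by this example; it is not stated in the guide.
WEAK = {"esp-des": "56-bit DES", "esp-md5-hmac": "HMAC-MD5", "ah-md5-hmac": "HMAC-MD5"}
HEAD = re.compile(r"Transform set (\S+):\s*\{([^}]*)\}")
CONT = re.compile(r"\{([^}]*)\}")  # further proposal line of the same set
MODE = re.compile(r"will negotiate = \{([^}]*)\}")

def parse_transform_sets(text):
    """Return {name: {"transforms": [...], "modes": set()}} from the CLI output."""
    sets, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := HEAD.match(line):
            cur = sets.setdefault(m.group(1), {"transforms": [], "modes": set()})
            cur["transforms"] += m.group(2).split()
        elif cur and (m := CONT.match(line)):
            cur["transforms"] += m.group(1).split()
        elif cur and (m := MODE.match(line)):
            cur["modes"] |= {x.strip() for x in m.group(1).split(",") if x.strip()}
    return sets

def encrypts(t):  # ESP cipher, as opposed to an ESP or AH authentication transform
    return t.startswith("esp-") and not t.endswith("-hmac") and t != "esp-null"

def audit(sets):
    """Return {name: [findings]} for transform sets a reviewer should look at."""
    out = {}
    for name, info in sets.items():
        notes = [f"{t} ({WEAK[t]})" for t in info["transforms"] if t in WEAK]
        if not any(encrypts(t) for t in info["transforms"]):
            notes.append("no ESP cipher: payload is authenticated but not encrypted")
        if notes:
            out[name] = notes
    return out
```

Calling audit(parse_transform_sets(SAMPLE)) flags all four sets on this page: three for esp-des (two of them also for esp-md5-hmac) and t100 for carrying AH only.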
Table 4-2 Commands to Clear IPSec Security Associations

Command:
    clear crypto sa
    or
    clear crypto sa peer {ip-address | peer-name}
    or
    clear crypto sa map map-name
    or
    clear crypto sa spi destination-address protocol spi

Purpose:
    Clear IPSec security associations (SAs).
    Using the clear crypto sa command without parameters clears out the full SA database, which clears out active security sessions. You may also specify the peer, map, or spi keywords to clear out only a subset of the SA database.