C7200 VSA (VPN Services Adapter) Installation and Configuration Guide (OL-9129-02), page 4-5
Chapter 4 Configuring the VSA: Configuration Tasks
Selecting Appropriate Transforms
The Crypto Transform Configuration Mode
Changing Existing Transforms
Transform Example
A transform set is an acceptable combination of security protocols, algorithms, and other settings to apply to IPSec protected traffic. During the IPSec security association (SA) negotiation, the peers agree to use a particular transform set when protecting a particular data flow.
Defining a Transform Set
A transform set is a combination of security protocols and algorithms. During the IPSec security association negotiation, peers agree to use a specific transform set to protect a particular data flow. Changing a transform set does not alter SAs that already exist; the new transforms are used only by SAs negotiated after the change, which is why the procedure ends by clearing the existing SAs.

To define a transform set, use the following commands, starting in global configuration mode:

Note: The clear commands in Step 4 below are entered in privileged EXEC (enable) mode, not in configuration mode (see the "Using the EXEC Command Interpreter" section on page 4-2 for more details).
Step 1
  Command: Router(config)# crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3 [transform4]]]
  Purpose: Defines a transform set and enters crypto transform configuration mode.
    transform-set-name: Specifies the name of the transform set to create (or modify).
    transform1 [transform2 [transform3 [transform4]]]: Defines the IPSec security protocols and algorithms. Accepted transform values are described in Table 4-1.

Step 2
  Command: Router(cfg-crypto-tran)# mode [tunnel | transport]
  Purpose: (Optional) Changes the mode associated with the transform set. The mode setting applies only to traffic whose source and destination addresses are the IPSec peer addresses; it is ignored for all other traffic, which is always protected in tunnel mode.

Step 3
  Command: Router(cfg-crypto-tran)# end
  Purpose: Exits crypto transform configuration mode and returns to privileged EXEC (enable) mode.

Step 4
  Command: Router# clear crypto sa
    or Router# clear crypto sa peer {ip-address | peer-name}
    or Router# clear crypto sa map map-name
    or Router# clear crypto sa spi destination-address protocol spi
  Purpose: Clears existing IPSec security associations so that any changes to a transform set take effect on subsequently established security associations (SAs). (Manually established SAs are reestablished immediately.)
    Using clear crypto sa without parameters clears the full SA database, which tears down every active IPSec session on the router. Specify the peer, map, or spi keyword to clear only the subset of the SA database that the changed transform set affects; on a production router this is the form to prefer.
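The four-step procedure above, as an added example that is not part of the Cisco guide: a small Python model of a transform set that checks the combination is one IOS would accept, flags transforms a security reviewer would reject, and emits the CLI lines for Steps 1 through 4, scoping the Step 4 clear to a peer or crypto map when one is given. The transform keywords and the one-per-group combination rule (at most one AH, one ESP cipher, one ESP authentication, one compression transform) are taken from the Cisco IOS IPsec command reference rather than from Table 4-1, which is not reproduced on this page; the weak/strong classification, the TransformSet class, and the names VSA-AES256, LEGACY and VPNMAP are this example's own assumptions.

```python
"""Added example (not from the Cisco VSA guide): model an IOS IPsec transform
set, validate the transform combination, flag weak choices, and emit the CLI
lines for the define / mode / end / clear crypto sa procedure.

Assumptions not stated on this page: the transform keywords and the
one-AH / one-ESP-cipher / one-ESP-auth / one-compression rule are taken from
the Cisco IOS IPsec command reference; the WEAK set is this example's own
security judgement, not something IOS enforces.
"""
from dataclasses import dataclass
from typing import List, Optional

# Transform keyword groups (assumed from the IOS command reference, not Table 4-1).
AH_AUTH = {"ah-md5-hmac", "ah-sha-hmac"}
ESP_CIPHER = {"esp-null", "esp-des", "esp-3des", "esp-aes", "esp-aes 192", "esp-aes 256"}
ESP_AUTH = {"esp-md5-hmac", "esp-sha-hmac"}
COMPRESSION = {"comp-lzs"}

# Transforms IOS accepts but a security reviewer should reject in new deployments.
WEAK = {"esp-null", "esp-des", "esp-3des", "ah-md5-hmac", "esp-md5-hmac"}


@dataclass
class TransformSet:
    name: str
    transforms: List[str]
    mode: str = "tunnel"  # IOS default; "transport" is the only other choice

    def _group_counts(self):
        """Count transforms per group and collect keywords we do not recognise."""
        counts = {"AH": 0, "ESP cipher": 0, "ESP auth": 0, "compression": 0}
        unknown = []
        for t in self.transforms:
            if t in AH_AUTH: counts["AH"] += 1
            elif t in ESP_CIPHER: counts["ESP cipher"] += 1
            elif t in ESP_AUTH: counts["ESP auth"] += 1
            elif t in COMPRESSION: counts["compression"] += 1
            else: unknown.append(t)
        return counts, unknown

    def errors(self) -> List[str]:
        """Problems that make the set unacceptable (IOS would reject the command)."""
        problems = []
        counts, unknown = self._group_counts()
        for t in unknown:
            problems.append(f"unknown transform '{t}'")
        for group, n in counts.items():
            if n > 1:
                problems.append(f"more than one {group} transform")
        if counts["AH"] + counts["ESP cipher"] + counts["ESP auth"] == 0:
            problems.append("no AH or ESP transform: the set protects nothing")
        if self.mode not in ("tunnel", "transport"):
            problems.append(f"mode must be tunnel or transport, not '{self.mode}'")
        return problems

    def warnings(self) -> List[str]:
        """Combinations IOS accepts but a security engineer should not deploy."""
        warn = [f"weak transform '{t}'" for t in self.transforms if t in WEAK]
        counts, _ = self._group_counts()
        if counts["ESP cipher"] and not (counts["ESP auth"] or counts["AH"]):
            warn.append("ESP encryption without ESP or AH authentication: no integrity protection")
        return warn

    def cli(self, clear_peer: Optional[str] = None, clear_map: Optional[str] = None) -> List[str]:
        """CLI lines for Steps 1-4 of the procedure; raises if IOS would reject the set."""
        problems = self.errors()
        if problems:
            raise ValueError("; ".join(problems))
        lines = [
            "configure terminal",
            f"crypto ipsec transform-set {self.name} {' '.join(self.transforms)}",  # Step 1
        ]
        if self.mode == "transport":  # Step 2 is optional; tunnel is the default
            lines.append(" mode transport")
        lines.append("end")  # Step 3: back to privileged EXEC mode
        # Step 4: scope the clear to a peer or crypto map where possible so only
        # the affected SAs are torn down, not every IPsec session on the router.
        if clear_peer:
            lines.append(f"clear crypto sa peer {clear_peer}")
        elif clear_map:
            lines.append(f"clear crypto sa map {clear_map}")
        else:
            lines.append("clear crypto sa")
        return lines


if __name__ == "__main__":
    ts = TransformSet("VSA-AES256", ["esp-aes 256", "esp-sha-hmac"])  # constructed sample
    print("\n".join(ts.cli(clear_map="VPNMAP")))
    legacy = TransformSet("LEGACY", ["esp-des", "esp-md5-hmac"], mode="transport")
    for w in legacy.warnings():
        print("WARNING:", w)
```

The split between errors() and warnings() mirrors the distinction the page draws: an "acceptable combination" is what the router will parse, while the choice of algorithms inside it is a separate policy decision. The scoped clear in cli() is the practical counterpart of the Step 4 note: clearing the whole SA database on a busy VSA drops every tunnel, so the peer or map form is what you want when only one transform set changed.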