C7200 VSA (VPN Services Adapter) Installation and Configuration Guide, OL-9129-02
Chapter 4 Configuring the VSA, Configuration Tasks (page 4-8)
Changing Existing Transforms
If one or more transforms are specified in the crypto ipsec transform-set command for an existing
transform set, the specified transforms will replace the existing transforms for that transform set.
If you change a transform set definition, the change is only applied to crypto map entries that reference
the transform set. The change will not be applied to existing SAs, but will be used in subsequent
negotiations to establish new SAs. If you want the new settings to take effect sooner, you can clear all
or part of the SA database by using the clear crypto sa command.
Transform Example
The following example defines two transform sets. The first transform set will be used with an IPSec
peer that supports the newer ESP and AH protocols. The second transform set will be used with an IPSec
peer that only supports the older transforms.
crypto ipsec transform-set newer esp-3des esp-sha-hmac
crypto ipsec transform-set older ah-rfc1828 esp-rfc1829
Configuring IPSec
This section includes the following topics:
Ensuring That Access Lists Are Compatible with IPSec (required)
Setting Global Lifetimes for IPSec Security Associations (required)
Creating Crypto Access Lists (required)
Creating Crypto Map Entries (required)
Creating Dynamic Crypto Maps (required)
Applying Crypto Map Sets to Interfaces (required)
Verifying the Configuration (optional)
For IPSec configuration examples, refer to the “Configuring IPSec Configuration Example” section on
page 4-18.
See the “Configuring IPSec Network Security” of the Cisco IOS Security Configuration Guide for more
information on configuring IPSec.
Ensuring That Access Lists Are Compatible with IPSec
IKE uses UDP port 500. The IPSec Encapsulating Security Payload (ESP) and Authentication Header
(AH) protocols use protocol numbers 50 and 51. Ensure that your interface access lists are configured
so that protocol numbers 50, 51, and UDP port 500 traffic are not blocked at interfaces used by IPSec.
In some cases you might need to add a statement to your access lists to explicitly permit this traffic.
Setting Global Lifetimes for IPSec Security Associations
You can change the global lifetime values which are used when negotiating new IPSec security
associations. (These global lifetime values can be overridden for a particular crypto map entry).
These lifetimes only apply to security associations established via IKE. Manually established security
associations do not expire.
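As an added example (not configuration from this guide), the following IOS fragment covers the two requirements above: an interface access list that explicitly permits IKE (UDP port 500), ESP (protocol 50) and AH (protocol 51) between the two IPsec peers while still denying other traffic, and a global IPsec SA lifetime that later IKE negotiations will use. The peer addresses (203.0.113.1 local, 203.0.113.2 remote), the access-list name and the interface are assumed values.

```cisco
! Global lifetime for IKE-negotiated IPsec SAs (manually keyed SAs are unaffected).
! Applies only to SAs negotiated after the change; use "clear crypto sa" to force it.
crypto ipsec security-association lifetime seconds 3600
!
ip access-list extended OUTSIDE-IN
 remark Assumed peers: 203.0.113.1 (this router), 203.0.113.2 (remote IPsec peer)
 remark IKE: UDP port 500 (protocol 50/51 traffic below carries the tunnel itself)
 permit udp host 203.0.113.2 host 203.0.113.1 eq 500
 remark ESP is IP protocol 50; IOS keyword "esp"
 permit esp host 203.0.113.2 host 203.0.113.1
 remark AH is IP protocol 51; IOS keyword "ahp"
 permit ahp host 203.0.113.2 host 203.0.113.1
 remark Everything else from the outside is dropped and logged
 deny ip any any log
!
interface GigabitEthernet0/0
 description Assumed outside interface facing the IPsec peer
 ip address 203.0.113.1 255.255.255.0
 ip access-group OUTSIDE-IN in
```

Without the three permit lines the implicit deny at the end of the list would silently block IKE negotiation and the tunnel traffic, so check any inbound list on an IPsec interface for them before applying a crypto map.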