Cisco Systems C7200 Network Cables User Manual


 
C7200 VSA (VPN Services Adapter) Installation and Configuration Guide
OL-9129-02
Chapter 4 Configuring the VSA
Configuration Tasks
Command Purpose

Step 4
Router(config-crypto-m)# set transform-set transform-set-name
Specifies which transform set should be used. This must be the same transform set that is specified in the corresponding crypto map entry on the remote peer.
(Only one transform set can be specified when IKE is not used.)

Step 5
Router(config-crypto-m)# set session-key inbound ah spi hex-key-string
and
Router(config-crypto-m)# set session-key outbound ah spi hex-key-string
Sets the AH Security Parameter Indexes (SPIs) and keys to apply to inbound and outbound protected traffic if the specified transform set includes the AH protocol.
(This manually specifies the AH security association to be used with protected traffic.)

Step 6
Router(config-crypto-m)# set session-key inbound esp spi cipher hex-key-string [authenticator hex-key-string]
and
Router(config-crypto-m)# set session-key outbound esp spi cipher hex-key-string [authenticator hex-key-string]
Sets the ESP Security Parameter Indexes (SPIs) and keys to apply to inbound and outbound protected traffic if the specified transform set includes the ESP protocol. Specifies the cipher keys if the transform set includes an ESP cipher algorithm. Specifies the authenticator keys if the transform set includes an ESP authenticator algorithm.
(This manually specifies the ESP security association to be used with protected traffic.)

Step 7
Router(config-crypto-m)# exit
Exits crypto-map configuration mode and returns to global configuration mode.

To create crypto map entries that will use IKE to establish the security associations, use the following commands starting in global configuration mode:

Command Purpose

Step 1
Router(config)# crypto map map-name seq-num ipsec-isakmp
Names the crypto map entry to create (or modify). This command puts you into the crypto map configuration mode.

Step 2
Router(config-crypto-m)# match address access-list-id
Names an extended access list. This access list determines which traffic should be protected by IPSec and which traffic should not be protected by IPSec security in the context of this crypto map entry.

Step 3
Router(config-crypto-m)# set peer {hostname | ip-address}
Specifies a remote IPSec peer. This is the peer to which IPSec protected traffic can be forwarded. Repeat for multiple remote peers.

Step 4
Router(config-crypto-m)# set transform-set transform-set-name1 [transform-set-name2...transform-set-name6]
Specifies which transform sets are allowed for this crypto map entry. List multiple transform sets in order of priority (highest priority first).
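
The following is an added example, not part of the Cisco guide: a small Python check that reads crypto map entries from a saved configuration and reports which of the steps in the two tables above an entry is missing, and which entries are manually keyed. The sample configuration, its names, addresses, SPI and key are constructed, and the finding texts are this example's own wording.

```python
import re
# Constructed sample config: names, addresses, SPI and key are made up.
SAMPLE_CONFIG = """\
crypto map VPN 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set TS-AES TS-3DES
 match address 101
crypto map VPN 20 ipsec-manual
 set peer 192.0.2.9
 set session-key inbound esp 300 cipher 0123456789abcdef
 set transform-set TS-3DES TS-AES
"""
HEADER = re.compile(r"^crypto map (\S+) (\d+) (ipsec-isakmp|ipsec-manual)\s*$")

def parse_crypto_maps(config):
    """Return one dict per crypto map entry found in the config text."""
    entries, cur = [], None
    for line in config.splitlines():
        if (m := HEADER.match(line)):
            cur = {"name": m[1], "seq": int(m[2]), "mode": m[3],
                   "acl": None, "peers": [], "tsets": [], "keys": set()}
            entries.append(cur)
        elif cur is not None and line.startswith(" "):
            w = line.split()
            if w[:2] == ["match", "address"]:
                cur["acl"] = w[2]
            elif w[:2] == ["set", "peer"]:
                cur["peers"].append(w[2])
            elif w[:2] == ["set", "transform-set"]:
                cur["tsets"] = w[2:]
            elif w[:2] == ["set", "session-key"]:
                cur["keys"].add((w[2], w[3]))  # (direction, ah or esp)
        else:
            cur = None  # a non-indented line ends the crypto map entry
    return entries

def audit(e):
    """List what an entry lacks relative to the steps in the tables above."""
    out = [f"missing {k}" for k in ("acl", "peers", "tsets") if not e[k]]
    if e["mode"] == "ipsec-manual":
        out.append("manually keyed (no IKE)")
        if len(e["tsets"]) > 1:
            out.append("more than one transform set without IKE")
        for proto in sorted({p for _, p in e["keys"]}):
            out += [f"{proto} {d} key missing" for d in ("inbound", "outbound") if (d, proto) not in e["keys"]]
    return out
if __name__ == "__main__":
    for entry in parse_crypto_maps(SAMPLE_CONFIG):
        print(entry["name"], entry["seq"], audit(entry))
```

The check only compares an entry against the steps listed here; it does not verify that the transform sets or keys match those on the remote peer.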