Cisco Systems C7200 Network Cables User Manual

4-16
C7200 VSA (VPN Services Adapter) Installation and Configuration Guide
OL-9129-02
Chapter 4 Configuring the VSA
Configuration Tasks
Verifying the Configuration
Some configuration changes take effect only after subsequent security associations are negotiated. For
the new settings to take effect immediately, clear the existing security associations.
To clear (and reinitialize) IPSec security associations, use one of the commands in Table 4-2 in EXEC
or enable mode (see “Using the EXEC Command Interpreter” section on page 4-2 for more details):
The following steps provide information on verifying your configurations:
Step 1 Enter the show crypto ipsec transform-set command to view your transform set configuration:
Router# show crypto ipsec transform-set
Transform set combined-des-md5: {esp-des esp-md5-hmac}
   will negotiate = {Tunnel,},
Transform set t1: {esp-des esp-md5-hmac}
   will negotiate = {Tunnel,},
Transform set t100: {ah-sha-hmac}
   will negotiate = {Transport,},
Transform set t2: {ah-sha-hmac}
   will negotiate = {Tunnel,},
   {esp-des}
   will negotiate = {Tunnel,},
Step 2 Enter the show crypto map [interface interface | tag map-name] command to view your crypto map
configuration:
Router# show crypto map
Crypto Map: "router-alice" idb: Ethernet0 local address: 172.21.114.123
Crypto Map "router-alice" 10 ipsec-isakmp
        Peer = 172.21.114.67
        Extended IP access list 141
            access-list 141 permit ip
                source: addr = 172.21.114.123/0.0.0.0
                dest:   addr = 172.21.114.67/0.0.0.0
        Current peer: 172.21.114.67
        Security-association lifetime: 4608000 kilobytes/120 seconds
        PFS (Y/N): N
        Transform sets={t1,}
Step 3 Enter the show crypto ipsec sa [map map-name | address | identity | detail | interface] command to
view information about IPSec security associations:
Router# show crypto ipsec sa
interface: Ethernet0
    Crypto map tag: router-alice, local addr. 172.21.114.123
   local ident (addr/mask/prot/port): (172.21.114.123/255.255.255.255/0/0)
Table 4-2 Commands to Clear IPSec Security Associations

Command                                                Purpose
clear crypto sa                                        Clear IPSec security associations (SAs).
or                                                     Using the clear crypto sa command without
clear crypto sa peer {ip-address | peer-name}          parameters clears out the full SA database, which
or                                                     clears out active security sessions. You may also
clear crypto sa map map-name                           specify the peer, map, or spi keywords to clear
or                                                     out only a subset of the SA database.
clear crypto sa spi destination-address protocol spi
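Beyond eyeballing the Step 1 and Step 2 output, an operator usually wants an automated check that the transform sets a crypto map actually references do not rely on obsolete algorithms and that PFS is enabled. The script below is an added example, not part of the Cisco guide: it parses the transform-set and crypto-map output transcribed from this page (constructed sample, not a live capture) and reports weak transforms and disabled PFS per crypto map entry; the WEAK_TRANSFORMS list is an assumed local policy.

```python
import re

# Constructed sample: the transform-set and crypto-map output shown on this page,
# transcribed by hand (not captured from a live device).
TRANSFORM_SET_OUTPUT = """\
Transform set t1: {esp-des esp-md5-hmac}
   will negotiate = {Tunnel,},
Transform set t100: {ah-sha-hmac}
   will negotiate = {Transport,},
Transform set t2: {ah-sha-hmac}
   will negotiate = {Tunnel,},
   {esp-des}
   will negotiate = {Tunnel,},
"""
CRYPTO_MAP_OUTPUT = """\
Crypto Map "router-alice" 10 ipsec-isakmp
        Peer = 172.21.114.67
        Security-association lifetime: 4608000 kilobytes/120 seconds
        PFS (Y/N): N
        Transform sets={t1,}
"""
# Transforms to flag; this set is an assumed local policy, not taken from the manual.
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac", "esp-null"}

def parse_transform_sets(text):
    """Map set name -> transforms. A bare '{...}' line continues the previous set (t2)."""
    sets, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Transform set ([^:\s]+): \{([^}]*)\}", line)
        if m:
            current = m.group(1)
            sets[current] = m.group(2).split()
        elif current and (m := re.match(r"\s*\{([^}]*)\}\s*$", line)):
            sets[current].extend(m.group(1).split())
    return sets

def audit_crypto_map(map_text, sets):
    """Return findings per crypto map entry: PFS off, and weak transforms in its sets."""
    findings, entry = [], None
    for line in map_text.splitlines():
        if m := re.match(r'Crypto Map "([^"]+)" (\d+)', line):
            entry = f"{m.group(1)} {m.group(2)}"
        elif "PFS (Y/N): N" in line:
            findings.append(f"{entry}: PFS disabled")
        elif m := re.search(r"Transform sets=\{([^}]*)\}", line):
            for name in filter(None, (n.strip() for n in m.group(1).split(","))):
                weak = sorted(WEAK_TRANSFORMS & set(sets.get(name, [])))
                if weak:
                    findings.append(f"{entry}: set {name} uses weak {', '.join(weak)}")
    return findings
```

Feed it the output of the two show commands captured from the router; after changing a transform set, remember that the page's note applies and existing SAs must be cleared before the new settings are in use.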