Page 3 - iii; CONTENTS; Preface
iii C7200 VSA (VPN Services Adapter) Installation and Configuration Guide OL-9129-02 CONTENTS Preface vii Audience vii Warnings vii Objectives viii Organization viii Related Documentation ix Obtaining Documentation ix Cisco.com ix Product Documentation DVD x Ordering Documentation x Documenta...
Page 4 - iv; Preparing for Installation
Contents iv Disabling the VSA during Operation 1-6 Enabling/Disabling Scheme 1-6 LEDs 1-7 Connectors 1-8 Slot Locations 1-8 Cisco 7204VXR Router 1-8 Cisco 7206VXR Router 1-10 Preparing for Installation 2-...
Page 7 - vii; Audience
vii Preface This preface describes the objectives and organization of this document and explains how to find additional information on related products and services. This preface contains the following sections: • Audie...
Page 8 - viii; Objectives; Organization; Chapter
viii Preface Objectives Warning IMPORTANT SAFETY INSTRUCTIONS This warning symbol means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, be aware of the hazards involved w...
Page 9 - ix; Related Documentation; Obtaining Documentation
ix Preface Related Documentation This section lists documentation related to your router and its functionality. Because we no longer ship the entire router documentation set automatically with each...
Page 10 - Product Documentation DVD; Documentation Feedback
x Preface Documentation Feedback You can access the Cisco website at this URL: http://www.cisco.com You can access international Cisco websites at this URL: http://www.cisco.com/public/countries_languages.shtml Product ...
Page 11 - xi; Reporting Security Problems in Cisco Products; Product Alerts and Field Notices
xi Preface Product Alerts and Field Notices A current list of security advisories, security notices, and security responses for Cisco products is available at this URL: http://www.cisco.com/go/psirt To see security advi...
Page 12 - xii; Obtaining Technical Assistance; Cisco Technical Support & Documentation Website
xii Preface Obtaining Technical Assistance To access the Product Alert Tool, you must be a registered Cisco.com user. (To register as a Cisco.com user, go to this URL: http://tools.cisco.com/RPF/register/register.do) R...
Page 13 - xiii; Submitting a Service Request; Definitions of Service Request Severity; Obtaining Additional Publications and Information
xiii Preface Obtaining Additional Publications and Information Submitting a Service Request Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3 and S4 service requests ar...
Page 14 - xiv
xiv Preface Obtaining Additional Publications and Information • The Cisco Product Quick Reference Guide is a handy, compact reference tool that includes brief product overviews, key features, sample part numbers, and ab...
Page 15 - CHAPTER; Data Encryption Overview
CHAPTER 1 Overview 1-1 This chapter describes the C7200 VSA (VPN Services Adapter) and contains the following sections: • Data Encryption Overview, page 1-1 • VSA Overview, page 1-2 • Hardware Required, page 1-4 •...
Page 16 - VSA Overview
1-2 Chapter 1 Overview VSA Overview • IKE—Internet Key Exchange (IKE) is a hybrid security protocol that implements Oakley and Skeme key exchanges inside the Internet Security Association and Key Management Protocol (IS...
Page 18 - Hardware Required; Feature
1-4 Chapter 1 Overview Hardware Required The VSA provides hardware-accelerated support for multiple encryption functions: • 128/192/256-bit Advanced Encryption Standard (AES) in hardware • Data Encryption Standard (DES)...
Page 19 - Performance; Standards; Cisco Router
1-5 Chapter 1 Overview Performance Table 1-2 lists the performance information for the VSA. Supported Standards, MIBs, and RFCs This section describes the standards, Management Inform...
Page 20 - Enabling/Disabling the VSA; Disabling the VSA during Operation; Enabling/Disabling Scheme; crypto engine; Condition
1-6 Chapter 1 Overview Enabling/Disabling the VSA This section includes the following topics: • Disabling the VSA during Operation, page 1-6 • Enabling/Disabling Scheme, page 1-6 The VSA crypt...
Page 21 - LEDs; Command
1-7 Chapter 1 Overview LEDs The VSA has one LED, as shown in Figure 1-3. Table 1-4 (flattened in extraction): Condition: System is in Run-time Operation / System is Configured / Inserting the VSA. The VSA runs in power-off, but you need to perfor...
Page 22 - Connectors; Color
1-8 Chapter 1 Overview Connectors Figure 1-3 VSA LED The following conditions must be met before the enabled LED goes on: • The VSA is correctly connected to the backplane and receiving power. • The system bus recognize...
Page 25 - Required Tools and Equipment; Hardware and Software Requirements
CHAPTER 2 Preparing for Installation 2-1 This chapter describes the general equipment, safety, and site preparation requirements for installing the C7200 VSA (VPN Services Adapter). This chapter contains the follo...
Page 26 - Software Requirements; show version; Hardware Requirements; Platform
2-2 Chapter 2 Preparing for Installation Hardware and Software Requirements Software Requirements Table 2-1 lists the recommended minimum Cisco IOS software release required to use the VSA in supported router or switch ...
Page 27 - show crypto ipsec sa; Safety Guidelines; Safety Warnings
2-3 Chapter 2 Preparing for Installation Online Insertion and Removal (OIR) • The VSA module does not support Online Insertion and Removal (OIR). See “Enabling/Disabling the VSA” section on page 1-6 for details. • Per p...
Page 28 - Electrical Equipment Guidelines
2-4 Chapter 2 Preparing for Installation Safety Guidelines hazardous voltages and currents inside the chassis; they contain electromagnetic interference (EMI) that might disrupt other equipment; and they direct the flow...
Page 31 - Removing and Installing the VSA
CHAPTER 3 Removing and Installing the VSA 3-1 This chapter describes how to remove the C7200 VSA (VPN Services Adapter) from the supported platforms and how to install a new or replacement VSA. Before you begin in...
Page 32 - Warnings and Cautions; VSA Removal and Installation
3-2 Chapter 3 Removing and Installing the VSA Online Insertion and Removal (OIR) The VSA plugs into the I/O controller slot of the Cisco 7200VXR series chassis. The VSA crypto card doe...
Page 35 - Configuring the VSA; Configuration Tasks
CHAPTER 4 Configuring the VSA 4-1 This chapter contains the information and procedures needed to configure the C7200-VSA (VPN Services Adapter). This chapter contains the following sections: • Overview, page 4-1 •...
Page 36 - Using the EXEC Command Interpreter; configure; enable; Configuring an IKE Policy
4-2 Chapter 4 Configuring the VSA Configuration Tasks • Disabling VSA (Optional), page 4-4 • Verifying IKE and IPSec Configurations, page 4-15 (optional) • Configuring IPSec Configuration Example, page 4-18 (...
Page 37 - des
4-3 Chapter 4 Configuring the VSA Configuration Tasks To configure an IKE policy, use the following commands beginning in global configuration mode (Command / Purpose table): Step 1 Command: Router(config)# crypto isakmp policy priority. Purpose: D...
Page 38 - Configuring a Transform Set; sha
4-4 Chapter 4 Configuring the VSA Configuration Tasks For detailed information on creating IKE policies, refer to the “Configuring Internet Key Exchange Security Protocol” chapter in the Security Configuration Guide pub...
Page 39 - clear; clear crypto sa
4-5 Chapter 4 Configuring the VSA Configuration Tasks • Selecting Appropriate Transforms • The Crypto Transform Configuration Mode • Changing Existing Transforms • Transform Example A transform set is an acceptable comb...
Page 40 - Transform type
4-6 Chapter 4 Configuring the VSA Configuration Tasks Table 4-1 shows allowed transform combinations for the AH and ESP protocols. Examples of acceptable transform combinations are as follows: • ah-md5-hmac • esp-des • ...
Page 41 - IPSec Protocols: AH and ESP; The Crypto Transform Configuration Mode; crypto ipsec transform-set
4-7 Chapter 4 Configuring the VSA Configuration Tasks IPSec Protocols: AH and ESP Both the AH and ESP protocols implement security services for IPSec. AH provides data authentication and antireplay services. ESP provide...
Page 42 - Changing Existing Transforms; Transform Example; Configuring IPSec; Ensuring That Access Lists Are Compatible with IPSec
4-8 Chapter 4 Configuring the VSA Configuration Tasks Changing Existing Transforms If one or more transforms are specified in the crypto ipsec transform-set command for an existing transform set, the specified transform...
Page 43 - Step
4-9 Chapter 4 Configuring the VSA Configuration Tasks To change a global lifetime for IPSec security associations, use one or more of the following commands: Note The clear commands in Step 5 below are in EXEC or enable...
Page 44 - Creating Crypto Access Lists; Creating Crypto Map Entries; any; permit
4-10 Chapter 4 Configuring the VSA Configuration Tasks Creating Crypto Access Lists Crypto access lists define which IP traffic will be protected by encryption. (These access lists are not the same as regular access lis...
Page 46 - Creating Dynamic Crypto Maps
4-12 Chapter 4 Configuring the VSA Configuration Tasks Creating Dynamic Crypto Maps A dynamic crypto map entry is a crypto map entry with some parameters not configured. The missing parameters are later dynamically confi...
Page 48 - Applying Crypto Map Sets to Interfaces; Monitoring and Maintaining IPSec
4-14 Chapter 4 Configuring the VSA Configuration Tasks To add a dynamic crypto map set into a crypto map set, use the following command in global configuration mode: Applying Crypto Map Sets to Interfaces Apply a crypto...
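The configuration tasks above (IKE policy, transform set, IPsec SA lifetime, crypto access list, static and dynamic crypto map entries, and binding the map to an interface) assembled into one working Router A configuration. This is an added example, not the guide's own text; the addressing (Serial0 10.0.0.1/30 facing a peer at 10.0.0.2, LANs 192.168.1.0/24 and 192.168.2.0/24), the names VSA-AES and DYN, access list 101 and the pre-shared key placeholder are assumptions, and whether aes 256 and group 5 are accepted depends on the IOS release listed in Table 2-1. Every IKE policy value is set explicitly because a default such as encryption des is not shown in the written configuration and is easy to overlook.

```cisco
! Added example (not from the guide). Router A, site-to-site IPsec on the VSA.
! Assumed addressing: Serial0 10.0.0.1/30 facing peer 10.0.0.2,
! LAN 192.168.1.0/24 here, 192.168.2.0/24 at the remote site.
!
! 1. IKE (ISAKMP) policy. All values are set explicitly: the IOS defaults are
!    des / sha / rsa-sig / group 1 / 86400 s, and a default value (such as
!    encryption des) is omitted from "show running-config".
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 28800
!
! Pre-shared key bound to this one peer address (placeholder value; use a
! long random secret, never a word).
crypto isakmp key REPLACE-WITH-LONG-RANDOM-SECRET address 10.0.0.2
!
! 2. Transform set: ESP with AES-256 for confidentiality plus SHA-1 HMAC for
!    integrity, tunnel mode. esp-des and ah-md5-hmac are listed by the guide
!    as valid combinations but should not be chosen for new deployments.
crypto ipsec transform-set VSA-AES esp-aes 256 esp-sha-hmac
 mode tunnel
!
! 3. Global IPsec SA lifetime (default is 3600 s). Kept shorter than the IKE
!    lifetime so data keys rotate more often than the IKE SA.
crypto ipsec security-association lifetime seconds 1800
!
! 4. Crypto access list: permit = protect with IPsec, deny = leave alone.
!    The peer's list must be the mirror image (source/destination swapped).
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! 5. Static crypto map entry for the known peer. PFS forces a fresh DH
!    exchange for every IPsec SA instead of reusing IKE keying material.
crypto map toRemoteSite 10 ipsec-isakmp
 set peer 10.0.0.2
 set transform-set VSA-AES
 set pfs group5
 match address 101
!
! 6. Dynamic crypto map for peers whose address is not known in advance.
!    No "set peer" and no "match address": the missing parameters are filled
!    in when the remote side initiates IKE. Attach it with the HIGHEST
!    sequence number so the static entries are evaluated first. With
!    pre-shared keys this requires a wildcard key (address 0.0.0.0 0.0.0.0),
!    which is shared by every unknown peer; prefer rsa-sig with a PKI
!    trustpoint for such peers.
crypto dynamic-map DYN 10
 set transform-set VSA-AES
crypto map toRemoteSite 65535 ipsec-isakmp dynamic DYN
!
! 7. Bind the crypto map set to the interface facing the peer. Any inbound
!    access list on this interface must permit UDP/500 (IKE) and ESP (IP
!    protocol 50) from the peer or phase 1 never completes.
interface Serial0
 ip address 10.0.0.1 255.255.255.252
 crypto map toRemoteSite
```

Router B is configured the same way with the peer address 10.0.0.2 replaced by 10.0.0.1 and the access list reversed. If the two crypto access lists are not mirror images, one direction negotiates and the other does not, which is visible later as encaps counters rising while decaps stay at zero.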
Page 49 - Verifying IKE and IPSec Configurations
4-15 Chapter 4 Configuring the VSA Configuration Tasks To view information about your IPSec configuration, use one or more of the following commands in EXEC mode: Verifying IKE and IPSec Configurations To view informati...
Page 50 - Verifying the Configuration; Command Purpose
4-16 Chapter 4 Configuring the VSA Configuration Tasks Verifying the Configuration Some configuration changes take effect only after subsequent security associations are negotiated. For the new settings to take effect i...
Page 51 - show
4-17 Chapter 4 Configuring the VSA Configuration Tasks remote ident (addr/mask/prot/port): (172.21.114.67/255.255.255.255/0/0) current_peer: 172.21.114.67 PERMIT, flags={origin_is_acl,} #pkts encaps: 10, #pkts encrypt: ...
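The verification and clear sequence described above, as an added example run from privileged EXEC; it is not taken from the guide. It assumes a peer at 10.0.0.2 and the crypto map toRemoteSite bound to Serial0, and reads the #pkts encaps/decaps counters that the show crypto ipsec sa output above displays. The ISAKMP state names and the command forms are standard IOS; the exact layout of the output varies by release, and show crypto engine accelerator statistic is assumed to be the full form of the show crypto engine accelerator command the Troubleshooting Tips refer to.

```cisco
! Added example (not from the guide). Peer 10.0.0.2, map toRemoteSite on
! Serial0 are assumptions. Send interesting traffic first (e.g. a ping from
! 192.168.1.x to 192.168.2.x) so there is something to negotiate.
!
! IKE phase 1: the peer should appear in state QM_IDLE. MM_NO_STATE or a
! missing entry means phase 1 never completed: mismatched pre-shared key or
! no matching isakmp policy on the two routers.
show crypto isakmp sa
!
! IPsec phase 2: one block per crypto map entry / access list match.
! Read the counters as a pair:
!   #pkts encaps / #pkts encrypt = traffic this router protected and sent
!   #pkts decaps / #pkts decrypt = protected traffic received from the peer
! encaps rising while decaps stays at 0 is not a crypto failure: the return
! path is broken (crypto ACLs not mirrored, routing, or a filter dropping ESP).
show crypto ipsec sa peer 10.0.0.2
!
! Confirm the work is actually being offloaded to the VSA rather than done
! in software.
show crypto eli
show crypto engine accelerator statistic
!
! The crypto map, access list and transform set as the parser accepted them.
show crypto map interface Serial0
show crypto ipsec transform-set
!
! Policy and transform changes apply only to SAs negotiated afterwards.
! Tear down the existing SAs so the new settings are used immediately
! (this briefly interrupts traffic to that peer).
clear crypto sa peer 10.0.0.2
clear crypto isakmp
```

Run the two clear commands on one side only; the peer re-negotiates on the next interesting packet. If phase 2 fails after phase 1 succeeds, compare the transform sets and the crypto access lists on both routers before touching anything else.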
Page 52 - Configuration Examples; Configuring IKE Policies Example
4-18 Chapter 4 Configuring the VSA Configuration Examples This section provides the following configuration examples: • Configuring IKE Policies Example, page 4-18 • Configuring IPSec Configuratio...
Page 53 - Basic IPSec Configuration Illustration; Router A Configuration
4-19 Chapter 4 Configuring the VSA Basic IPSec Configuration Illustration The crypto map is applied to an interface: interface Serial0 ip address 10.0.0.2 crypto map toRemoteSite Note In this example, IKE must be enable...
Page 54 - Router B Configuration
4-20 Chapter 4 Configuring the VSA Basic IPSec Configuration Illustration Note In the preceding example, the encryption DES of policy 15 would not appear in the written configuration because this is the default value fo...
Page 55 - Troubleshooting Tips; show diag; show crypto engine accelerator
4-21 Chapter 4 Configuring the VSA Troubleshooting Tips A crypto map joins the transform set and specifies where the protected traffic is sent (the remote IPSec peer): crypto map toRemoteSite 10 ipsec-isakmp match addre...
Page 57 - show crypto eli; Monitoring and Maintaining the VSA; Using Deny Policies in Access Lists
4-23 Chapter 4 Configuring the VSA Monitoring and Maintaining the VSA To see if the IKE/IPSec packets are being redirected to the VSA for IKE negotiation and IPSec encryption and decryption, enter the show crypto eli co...
Page 58 - Configuration Guidelines and Restrictions; crypto ipsec ipv4 deny-policy; Monitor and Maintenance Commands
4-24 Chapter 4 Configuring the VSA Monitoring and Maintaining the VSA The crypto ipsec ipv4 deny-policy {jump | clear | drop} command helps you avoid this problem. The clear keyword allows a deny address range to be pro...
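A crypto access list that contains a deny entry, together with the deny-policy setting that decides what happens to the traffic it matches, as an added example that is not from the guide. The addresses, access list 101 and the transform set name VSA-AES are assumptions. The guide's text on this page establishes only that the clear keyword lets a deny address range be programmed so matching traffic bypasses encryption; the descriptions of jump and drop in the comments are the editor's summary of the command's documented behaviour and should be checked against the command reference for the release in use.

```cisco
! Added example (not from the guide). Addresses and names are assumptions.
!
! A deny in a crypto access list means "do not protect this with IPsec";
! it is not a filter and blocks nothing. Use an interface access list to
! block traffic. Here 192.168.2.0/25 behind the peer is reachable natively
! and must not be tunnelled, while the rest of 192.168.2.0/24 is protected.
access-list 101 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.127
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
crypto map toRemoteSite 10 ipsec-isakmp
 set peer 10.0.0.2
 set transform-set VSA-AES
 match address 101
!
! What happens to a packet that hits the deny entry:
!   jump  - the default: evaluation moves on to the next crypto map
!           sequence number, and a packet that matches no sequence is
!           forwarded in the clear. Lists with many deny entries cost
!           additional lookups per packet, which is the performance
!           problem the guide refers to.
!   clear - the deny range is programmed into the VSA so matching packets
!           are passed in the clear at once, without the extra lookups.
!   drop  - packets matching a deny entry are discarded. Choose this when
!           leaking "should have been encrypted" traffic onto the wire is
!           worse than losing connectivity; it is incompatible with the
!           clear-text exception in this access list.
crypto ipsec ipv4 deny-policy clear
```

After changing the policy, re-check with show crypto ipsec sa that the 192.168.2.0/25 traffic no longer increments the encaps counters for this peer, and with a capture on the far side that it arrives unencrypted as intended. Any subnet that must never travel in the clear belongs in its own permit entry, not behind a deny.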
Page 59 - INDEX
IN-1 INDEX A acceleration module, VPN (see VAM) 1-1 access-list (encryption) command 4-10 B basic IPSec configuration 4-19 illustration 4-19 C cables, connectors, and pinouts 1-8 cautions, warnings and 3-...
Page 60 - creating
Index IN-2 I IKE configuring 1-6, 4-2 configuring policies example 4-18 insertion and removal, online 3-2 interpreter, EXEC command 4-2 IPSec access lists 4-8 monitoring 4-16 transform sets defining 4-5 ...