C7200 VSA (VPN Services Adapter) Installation and Configuration Guide

Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
Contents C7200 VSA (VPN Services Adapter) Installation and Configuration Guide vi OL-9129-02
Preface

This preface describes the objectives and organization of this document and explains how to find additional information on related products and services.
Objectives

Warning: IMPORTANT SAFETY INSTRUCTIONS. This warning symbol means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents. To see translations of the warnings that appear in this publication, refer to the translated safety warnings that accompanied this device.
Related Documentation

This section lists documentation related to your router and its functionality. Because we no longer ship the entire router documentation set automatically with each system, this documentation is available online, or on the Documentation CD-ROM.

Note: Select translated documentation is available at http://www.cisco.com/ by selecting the topic "Select a Location / Language" at the top of the page.
Documentation Feedback

You can access the Cisco website at this URL: http://www.cisco.com
You can access international Cisco websites at this URL: http://www.cisco.com/public/countries_languages.shtml

Product Documentation DVD

The Product Documentation DVD is a library of technical product documentation on a portable medium. The DVD enables you to access installation, configuration, and command guides for Cisco hardware and software products.
Product Alerts and Field Notices

A current list of security advisories, security notices, and security responses for Cisco products is available at this URL: http://www.cisco.com/go/psirt
To see security advisories, security notices, and security responses as they are updated in real time, you can subscribe to the Product Security Incident Response Team Really Simple Syndication (PSIRT RSS) feed. Information about how to subscribe to the PSIRT RSS feed is found at this URL: http://www.cisco.
To access the Product Alert Tool, you must be a registered Cisco.com user. (To register as a Cisco.com user, go to this URL: http://tools.cisco.com/RPF/register/register.do) Registered users can access the tool at this URL: http://tools.cisco.com/Support/PAT/do/ViewMyProfiles.do?local=en

Obtaining Technical Assistance

Cisco Technical Support provides 24-hour-a-day award-winning technical assistance. The Cisco Technical Support & Documentation website on Cisco.
Submitting a Service Request

Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3 and S4 service requests are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Service Request Tool provides recommended solutions.
Obtaining Additional Publications and Information

• The Cisco Product Quick Reference Guide is a handy, compact reference tool that includes brief product overviews, key features, sample part numbers, and abbreviated technical specifications for many Cisco products that are sold through channel partners. It is updated twice a year and includes the latest Cisco channel product offerings. To order and find out more about the Cisco Product Quick Reference Guide, go to this URL: http://www.cisco.
CHAPTER 1  Overview

This chapter describes the C7200 VSA (VPN Services Adapter) and contains the following sections:
• Data Encryption Overview, page 1-1
• VSA Overview, page 1-2
• Hardware Required, page 1-4
• Features, page 1-4
• Supported Standards, MIBs, and RFCs, page 1-5
• Enabling/Disabling the VSA, page 1-6
• LEDs, page 1-7
• Connectors, page 1-8
• Slot Locations, page 1-8

Data Encryption Overview

This section describes data encryption, including the IPSec, IKE, and certific
• IKE: Internet Key Exchange (IKE) is a hybrid security protocol that implements Oakley and Skeme key exchanges inside the Internet Security Association and Key Management Protocol (ISAKMP) framework. IKE can be used with IPSec and other protocols. IKE authenticates the IPSec peers, negotiates IPSec security associations, and establishes IPSec keys. IPSec can be configured with or without IKE.
VSA Overview

Note: The C7200 VSA is only supported on the Cisco 7200VXR with the NPE-G2 processor.

The VSA features hardware acceleration for Advanced Encryption Standard (AES), Data Encryption Standard (DES), and Triple DES (3DES), providing increased performance for site-to-site and remote-access IPSec VPN services. The Cisco C7200 VSA solution provides quality of service (QoS), multicast and multiprotocol traffic, and broad support of integrated LAN/WAN media.
Hardware Required

Figure callouts: 1 Host IO Bus and PCI-X Bus; 2 Power supply

The VSA provides hardware-accelerated support for multiple encryption functions:
• 128/192/256-bit Advanced Encryption Standard (AES) in hardware
• Data Encryption Standard (DES) standard mode with 56-bit key: Cipher Block Chaining (CBC)
• Performance to 900 Mbps encrypted throughput with 300 byte packets and 1000 tunnels
• 5000 tunnels for DES/3DES/AES
• Secure Hash Algorithm 1 (SHA-1) and Message Digest 5 (MD5)
Supported Standards, MIBs, and RFCs

Table footnotes:
2. Number of tunnels supported varies based on the total system memory installed.
3. On the NPE-G2, the minimum memory requirement is 1 GB of memory.

Performance

Table 1-2 lists the performance information for the VSA.

Table 1-2 Performance for VSA
Cisco Router: Cisco 7200VXR series routers with the NPE-G2 processor
Throughput (footnotes 1, 2): Performance to 900 Mbps encrypted throughput
Description: Cisco IOS release: 12.
Enabling/Disabling the VSA

This section includes the following topics:
• Disabling the VSA during Operation, page 1-6
• Enabling/Disabling Scheme, page 1-6

The VSA crypto card does not support OIR. The VSA boots up only during system initialization. The VSA will not work if it is inserted after the system is up and running. The VSA can be shut down by a disabling CLI command. The VSA is ready for removal after the disabling CLI command is executed.
Table 1-4 System is in Run-time Operation
Condition: System is Configured
• Inserting the VSA: The VSA runs in power-off, but you need to perform a system reload or a reset to bring the VSA up.
• CLI Enabling VSA: Not supported.
• CLI Disabling VSA: hw-module slot 0 shutdown is not supported. [no] crypto engine [slot | accelerator] 0: see Table 1-5.
• Removing VSA: You must enter a disabling CLI (see Table 1-5) before removing the card to avoid damaging the hardware.
Figure 1-3 VSA LED (C7200-VSA LED)

Table 1-6 VSA LED
Color     State        Function
No color  Off          Indicates that the VSA is disabled.
Green     On           Indicates the VSA is powered up and enabled for operation.
Amber     On           Indicates the VSA is booting or has encountered errors.
Yellow    Powering Up  Indicates that the VSA is powering up, but software initialization has not started yet.
Slot Locations

Cisco 7204VXR Router

Figure 1-4 Cisco 7204VXR Router - Front View
1 Port adapter
2 Port adapter lever
3 VSA in I/O controller slot
Cisco 7206VXR Router

The VSA is supported in the I/O controller port on the Cisco 7206VXR router (see 4 in Figure 1-5).
CHAPTER 2  Preparing for Installation

This chapter describes the general equipment, safety, and site preparation requirements for installing the C7200 VSA (VPN Services Adapter). This chapter contains the following sections:
• Required Tools and Equipment, page 2-1
• Hardware and Software Requirements, page 2-1
• Online Insertion and Removal (OIR), page 2-3
• Safety Guidelines, page 2-3
• Compliance with U.S.
Hardware and Software Requirements

Software Requirements

Table 2-1 lists the recommended minimum Cisco IOS software release required to use the VSA in supported router or switch platforms. Use the show version command to display the system software version that is currently loaded and running.

Table 2-1 VSA Software Requirements
Platform: Cisco 7204VXR, Cisco 7206VXR
Recommended Minimum Cisco IOS Release: 12.
• The VSA module does not support Online Insertion and Removal (OIR). See the "Enabling/Disabling the VSA" section on page 1-6 for details.
• Per-packet count details for crypto map ACLs are not displayed when the show access-list command is entered. Use other counters, such as the output from the show crypto ipsec sa and show crypto engine accelerator statistics 0 commands, to determine if the VSA is processing the packets.
Safety Guidelines

hazardous voltages and currents inside the chassis; they contain electromagnetic interference (EMI) that might disrupt other equipment; and they direct the flow of cooling air through the chassis. Do not operate the system unless all cards, faceplates, front covers, and rear covers are in place.
Compliance with U.S. Export Laws and Regulations Regarding Encryption

This product performs encryption and is regulated for export by the U.S. government. Persons exporting any item out of the United States by either physical or electronic means must comply with the Export Administration Regulations as administered by the U.S. Department of Commerce, Bureau of Export Administration. See http://www.
CHAPTER 3  Removing and Installing the VSA

This chapter describes how to remove the C7200 VSA (VPN Services Adapter) from the supported platforms and how to install a new or replacement VSA. Before you begin installation, read Chapter 2, "Preparing for Installation" for a list of parts and tools required for installation.
Online Insertion and Removal (OIR)

The VSA plugs into the I/O controller slot of the Cisco 7200VXR series chassis. The VSA crypto card does not support OIR. The VSA boots up only during system initialization. The VSA will not work if it is inserted after the system is up and running. The VSA can be shut down by a disabling CLI command (see the "Enabling/Disabling the VSA" section on page 1-6).
VSA Removal and Installation

Follow these steps to remove and insert the VSA in the Cisco 7200VXR series routers:

Step 1 Turn the power switch to the off position and then remove the power cable. (Optional on Cisco 7200VXR series routers; see Warnings and Cautions, page 3-2, above.)
Step 2 Attach an ESD wrist strap between you and an unpainted chassis surface.
Step 3 Unscrew the screws holding the VSA in the slot.
CHAPTER 4  Configuring the VSA

This chapter contains the information and procedures needed to configure the C7200-VSA (VPN Services Adapter).
Configuration Tasks

• Disabling VSA (Optional), page 4-4 (optional)
• Verifying IKE and IPSec Configurations, page 4-15 (optional)
• Configuring IPSec Configuration Example, page 4-18 (optional)

Note: You can configure a static crypto map, create a dynamic crypto map, or add a dynamic crypto map into a static crypto map. Refer to the configuration examples and tech notes located online at: http://www.cisco.
To configure an IKE policy, use the following commands beginning in global configuration mode:

Step 1  Router(config)# crypto isakmp policy priority
        Defines an IKE policy and enters Internet Security Association Key Management Protocol (ISAKMP) policy configuration (config-isakmp) mode.
Step 2  Router(config-isakmp)# encryption {des | 3des | aes | aes 128 | aes 192 | aes 256}
        Specifies the encryption algorithm within an IKE policy.
Step 5  Router(config-isakmp)# hash {sha | md5}
        (Optional) Specifies the hash algorithm within an IKE policy.
        • sha: Specifies SHA-1 (HMAC variant) as the hash algorithm.
        • md5: Specifies MD5 (HMAC variant) as the hash algorithm.
        Note: If this command is not enabled, the default value (sha) will be used.
Step 6  Router(config-isakmp)# group {1 | 2 | 5}
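The priority numbers these steps assign decide which policy two peers end up using. The following Python is an added illustration written for this page, not Cisco code: it parses crypto isakmp policy blocks and applies the matching rule as the Cisco IOS IKE documentation states it. The defaults filled in for omitted parameters are assumptions stated in the code (the guide itself notes that des and sha are defaults), and both sample configurations are constructed.

```python
"""IKE phase 1 policy selection between two IOS peers (matching rule as the
Cisco IOS IKE documentation states it: the responder walks its own policies
from highest priority and takes the first one that agrees with an initiator
policy on encryption, hash, authentication and DH group; the initiator's
lifetime must not exceed the responder's, and the shorter lifetime is used)."""
import re

# Assumed IOS defaults for parameters a policy omits: the guide notes that des and
# sha are defaults; rsa-sig, group 1 and a lifetime of 86400 s are the others.
DEFAULT_POLICY = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
                  "group": "1", "lifetime": 86400}
MATCH_KEYS = ("encryption", "hash", "authentication", "group")


def parse_isakmp_policies(config):
    """Return {priority: policy dict} for every 'crypto isakmp policy' block."""
    policies, current = {}, None
    for raw in config.splitlines():
        parts = raw.split()
        m = re.fullmatch(r"crypto isakmp policy (\d+)", raw.strip())
        if m:
            current = dict(DEFAULT_POLICY)
            policies[int(m.group(1))] = current
        elif current is None or not parts:
            continue
        elif parts[0] == "encryption":
            current["encryption"] = " ".join(parts[1:])     # "aes 256", "3des", ...
        elif parts[0] in ("hash", "authentication", "group"):
            current[parts[0]] = parts[1]
        elif parts[0] == "lifetime":
            current["lifetime"] = int(parts[1])
        else:
            current = None      # "!" or any other command ends the policy block
    return policies


def negotiate(initiator, responder):
    """Return (initiator_priority, responder_priority, agreed_policy), or None."""
    for r_prio in sorted(responder):
        cand = responder[r_prio]
        for i_prio in sorted(initiator):
            offer = initiator[i_prio]
            if (all(offer[k] == cand[k] for k in MATCH_KEYS)
                    and offer["lifetime"] <= cand["lifetime"]):
                agreed = dict(cand, lifetime=min(offer["lifetime"], cand["lifetime"]))
                return i_prio, r_prio, agreed
    return None


def weak_parameters(policy):
    """Name the legacy settings this platform still offers: DES, MD5, DH group 1."""
    checks = (("encryption", "des", "des"), ("hash", "md5", "md5"), ("group", "1", "group 1"))
    return [label for key, value, label in checks if policy[key] == value]


# Constructed sample configurations (not taken from the guide).
INITIATOR_CFG = """crypto isakmp policy 15
 hash md5
 authentication rsa-sig
 group 2
 lifetime 5000
crypto isakmp policy 20
 encryption aes 256
 authentication pre-share
 group 5
 lifetime 10000
!"""
RESPONDER_CFG = """crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 5
crypto isakmp policy 30
 hash md5
 authentication rsa-sig
 group 2
 lifetime 3600
!"""
```

With these inputs the initiator's top-priority policy 15 (DES, MD5) is not what gets used: the responder's own ordering selects its policy 10 and the initiator's policy 20 (AES-256), which is worth checking on both sides before assuming a weak policy is harmless.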
• Selecting Appropriate Transforms
• The Crypto Transform Configuration Mode
• Changing Existing Transforms
• Transform Example

A transform set is an acceptable combination of security protocols, algorithms, and other settings to apply to IPSec protected traffic. During the IPSec security association (SA) negotiation, the peers agree to use a particular transform set when protecting a particular data flow.
Table 4-1 shows allowed transform combinations for the AH and ESP protocols.

Table 4-1 Allowed Transform Combinations
Transform type: AH Transform (Pick up to one.
IPSec Protocols: AH and ESP

Both the AH and ESP protocols implement security services for IPSec. AH provides data authentication and antireplay services. ESP provides packet encryption and optional data authentication and antireplay services. ESP encapsulates the protected data (either a full IP datagram or only the payload) with an ESP header and an ESP trailer.
Changing Existing Transforms

If one or more transforms are specified in the crypto ipsec transform-set command for an existing transform set, the specified transforms will replace the existing transforms for that transform set. If you change a transform set definition, the change is only applied to crypto map entries that reference the transform set.
To change a global lifetime for IPSec security associations, use one or more of the following commands:

Note: The clear commands in Step 5 below are in EXEC or enable mode (see the "Using the EXEC Command Interpreter" section on page 4-2 for more details).

Step 1  Router# enable
        Enables privileged EXEC mode. Enter your password if prompted.
Step 2  Router# configure terminal
        Enters global configuration mode.
Creating Crypto Access Lists

Crypto access lists define which IP traffic will be protected by encryption. (These access lists are not the same as regular access lists, which determine what traffic to forward or block at an interface.) For example, access lists can be created to protect all IP traffic between Subnet A and Subnet Y or Telnet traffic between Host A and Host B.
Step 4  Router(config-crypto-m)# set transform-set transform-set-name
        Specifies which transform set should be used. This must be the same transform set that is specified in the corresponding crypto map entry on the remote peer. (Only one transform set can be specified when IKE is not used.
Step 5  Router(config-crypto-m)# set security-association lifetime seconds seconds
        and
        (Optional) Specifies a security association lifetime for the crypto map entry. Use this command if you want the security associations for this crypto map entry to be negotiated using different IPSec security association lifetimes than the global lifetimes.
Step 3  Router(config-crypto-m)# match address access-list-id
        (Optional) Access list number or name of an extended access list. This access list determines which traffic should be protected by IPSec and which traffic should not be protected by IPSec security in the context of this crypto map entry.
        Note: Although access lists are optional for dynamic crypto maps, they are highly recommended.
To add a dynamic crypto map set into a crypto map set, use the following command in global configuration mode:

Router(config)# crypto map map-name seq-num ipsec-isakmp dynamic dynamic-map-name
        Adds a dynamic crypto map set to a static crypto map set.

Applying Crypto Map Sets to Interfaces

Apply a crypto map set to each interface through which IPSec traffic will flow.
To view information about your IPSec configuration, use one or more of the following commands in EXEC mode:

Router# show crypto ipsec transform-set
        Displays your transform set configuration.
Router# show crypto map [interface interface | tag map-name]
        Displays your crypto map configuration.
Router# show crypto ipsec sa [map map-name | address | identity] [detail]
        Displays information about IPSec security associations.
Verifying the Configuration

Some configuration changes take effect only after subsequent security associations are negotiated. For the new settings to take effect immediately, clear the existing security associations.
   remote ident (addr/mask/prot/port): (172.21.114.67/255.255.255.255/0/0)
   current_peer: 172.21.114.67
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest 10
    #pkts decaps: 10, #pkts decrypt: 10, #pkts verify 10
    #send errors 10, #recv errors 0
    local crypto endpt.: 172.21.114.123, remote crypto endpt.: 172.21.114.
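The restrictions in Chapter 2 point at exactly these show crypto ipsec sa counters as the way to tell whether the VSA is processing packets. The following Python is an added example written for this page (not Cisco code) that parses the counters per security association and reports the conditions worth acting on; the sample output is constructed, with the first entry reusing the counters shown above, including its nonzero send-error count.

```python
"""Health check over 'show crypto ipsec sa' counters.
Each 'local ident' line starts one SA entry; the counters the guide shows
('#pkts encaps', '#send errors', ...) are collected per entry and checked
for the usual signs that the VSA is not protecting traffic as intended."""
import re

IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([^)]+)\)")
PEER_RE = re.compile(r"current_peer:\s*(\S+)")
COUNTER_RE = re.compile(
    r"#(pkts (?:encaps|encrypt|digest|decaps|decrypt|verify)|send errors|recv errors):?\s+(\d+)")


def parse_ipsec_sa(text):
    """Return one dict per SA entry: local/remote ident, peer and integer counters."""
    entries, cur = [], None
    for line in text.splitlines():
        m = IDENT_RE.search(line)
        if m and m.group(1) == "local":
            cur = {"local": m.group(2)}          # a new identity block begins here
            entries.append(cur)
            continue
        if cur is None:
            continue
        if m:
            cur["remote"] = m.group(2)
        p = PEER_RE.search(line)
        if p:
            cur["peer"] = p.group(1)
        for name, value in COUNTER_RE.findall(line):
            cur[name.replace(" ", "_")] = int(value)
    return entries


def sa_findings(sa):
    """Return findings for one entry; an empty list means it looks healthy."""
    def count(key):
        return sa.get(key, 0)
    findings = []
    if count("send_errors"):
        findings.append("send errors: outbound packets failed (check peer reachability and SA state)")
    if count("recv_errors"):
        findings.append("recv errors: inbound packets failed (check SPI or transform mismatch)")
    if count("pkts_encaps") and not count("pkts_encrypt"):
        findings.append("encaps without encrypt: check show crypto engine accelerator statistics 0")
    if count("pkts_encaps") and not count("pkts_decaps"):
        findings.append("one-way traffic: nothing decapsulated from the peer (crypto ACL or peer mismatch?)")
    if not count("pkts_encaps") and not count("pkts_decaps"):
        findings.append("idle: no traffic has matched this crypto ACL entry")
    return findings


# Constructed sample modeled on the guide's output: the first entry reuses the
# counters shown in the guide, the second entry is invented for contrast.
SAMPLE = """\
interface: Serial0
    Crypto map tag: toRemoteSite, local addr. 172.21.114.123

   local  ident (addr/mask/prot/port): (172.21.114.123/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (172.21.114.67/255.255.255.255/0/0)
   current_peer: 172.21.114.67
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest 10
    #pkts decaps: 10, #pkts decrypt: 10, #pkts verify 10
    #send errors 10, #recv errors 0

   local  ident (addr/mask/prot/port): (10.2.2.2/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.2/255.255.255.255/0/0)
   current_peer: 10.0.0.3
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 250, #pkts encrypt: 250, #pkts digest 250
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #send errors 0, #recv errors 0
"""
```

Running the parser over the real command output (show crypto ipsec sa, optionally with detail) and feeding each entry to sa_findings turns the manual counter comparison described above into a repeatable check.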
Configuration Examples

This section provides the following configuration examples:
• Configuring IKE Policies Example, page 4-18
• Configuring IPSec Configuration Example, page 4-18
• Basic IPSec Configuration Illustration, page 4-19

Configuring IKE Policies Example

In the following example, two IKE policies are created, with policy 15 as the highest priority, policy 20 as the next priority, and the existing default priority as the lowest priorit
The crypto map is applied to an interface:

interface Serial0
 ip address 10.0.0.2
 crypto map toRemoteSite

Note: In this example, IKE must be enabled.

Basic IPSec Configuration Illustration

The following is an example of an IPSec configuration in which the security associations are established through IKE. In this example, an access list is used to restrict the packets that are encrypted and decrypted.
Note: In the preceding example, the encryption DES of policy 15 would not appear in the written configuration because this is the default value for the encryption algorithm parameter.
A crypto map joins the transform set and specifies where the protected traffic is sent (the remote IPSec peer):

crypto map toRemoteSite 10 ipsec-isakmp
 match address 101
 set peer 10.0.0.3
 set transform-set auth1

The crypto map is applied to an interface:

interface Serial0
 ip address 10.2.2.3
 crypto map toRemoteSite

An IPSec access list defines which traffic to protect:

access-list 101 permit ip host 10.2.2.2 host 10.0.0.
Troubleshooting Tips

    Decrypted   PHY I/F:0x0000000000000000  TUNNEL I/F: 0x0000000000000000
    SPI Error   PHY I/F:0x0000000000000000  TUNNEL I/F: 0x0000000000000000
    Pass clear  PHY I/F:0x0000000000000000  TUNNEL I/F: 0x0000000000000000
    SPD Drop: 0x0000000000000000
    IKE Bypass: 0x0000000000000000
  Outbound Traffic:
    Encry  CEF: 0x0000000000000000  FS: 0x0000000000000000  PROC: 0x0000000000000000
    Pass   CEF: 0x0000000000000000  FS: 0x0000000000000000  PROC: 0x0000000000000000
    ICMP Unreachable: 0x
Monitoring and Maintaining the VSA

To see if the IKE/IPSec packets are being redirected to the VSA for IKE negotiation and IPSec encryption and decryption, enter the show crypto eli command.
The crypto ipsec ipv4 deny-policy {jump | clear | drop} command helps you avoid this problem. The clear keyword allows a deny address range to be programmed in hardware; the deny addresses are then filtered out of encryption and decryption. When a deny address is hit, the search is stopped and the traffic is allowed to pass in the clear (unencrypted) state. The drop keyword causes traffic to be dropped when a deny address is hit.
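Because clear and drop stop the search at the first deny hit, a deny in a low-numbered crypto map entry can override a permit in a later entry that would otherwise have protected the traffic. The following Python is an added example written for this page (not Cisco code) that models the crypto map search under each keyword; the crypto map entries, peers and access lists are constructed for illustration and loosely follow the toRemoteSite example above.

```python
"""Crypto map lookup with the deny-policy behaviour the guide describes.
Entries are evaluated in sequence-number order against their crypto ACL: a
permit match protects the packet under that entry; a deny match is handled by
'crypto ipsec ipv4 deny-policy': jump (go on to the next entry), clear (forward
unencrypted, search stops) or drop. A packet no entry claims goes out in the clear."""
import ipaddress


def parse_ace(text):
    """Parse 'access-list N permit|deny ip SRC DST'; endpoints are 'any',
    'host A.B.C.D' or 'A.B.C.D WILDCARD' (wildcard masks as IOS ACLs use them)."""
    parts = text.split()
    if parts[:1] != ["access-list"] or parts[3] != "ip":
        raise ValueError("unsupported ACE: " + text)
    ace, i = {"acl": parts[1], "action": parts[2]}, 4
    for end in ("src", "dst"):
        if parts[i] == "any":
            ace[end], i = ipaddress.ip_network("0.0.0.0/0"), i + 1
        elif parts[i] == "host":
            ace[end], i = ipaddress.ip_network(parts[i + 1] + "/32"), i + 2
        else:
            # ipaddress accepts "address/hostmask", which is the IOS wildcard form,
            # except that all-zero and all-one masks would be read as netmasks.
            wc = {"0.0.0.0": "32", "255.255.255.255": "0"}.get(parts[i + 1], parts[i + 1])
            ace[end], i = ipaddress.ip_network(parts[i] + "/" + wc, strict=False), i + 2
    return ace


def classify(src, dst, crypto_map, deny_policy="jump"):
    """Return (verdict, seq): verdict is 'encrypt', 'clear' or 'drop'; seq is the
    crypto map entry that decided, or None when no entry matched the packet."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for seq in sorted(crypto_map):
        for ace in crypto_map[seq]["acl"]:
            if s in ace["src"] and d in ace["dst"]:
                if ace["action"] == "permit":
                    return "encrypt", seq
                if deny_policy == "clear":
                    return "clear", seq          # search stops, forwarded unencrypted
                if deny_policy == "drop":
                    return "drop", seq
                break                            # jump: try the next crypto map entry
    return "clear", None                         # unclaimed traffic is not protected


# Constructed crypto map (not from the guide): entry 10 protects 10.2.0.0/16 to
# 10.0.0.0/16 except the 10.0.5.0/24 range, which entry 20 sends to another peer.
CRYPTO_MAP = {
    10: {"peer": "10.0.0.3", "acl": [parse_ace(a) for a in (
        "access-list 101 deny ip 10.2.0.0 0.0.255.255 10.0.5.0 0.0.0.255",
        "access-list 101 permit ip 10.2.0.0 0.0.255.255 10.0.0.0 0.0.255.255")]},
    20: {"peer": "10.0.0.9", "acl": [parse_ace(a) for a in (
        "access-list 102 permit ip 10.2.0.0 0.0.255.255 10.0.5.0 0.0.0.255",)]},
}
```

With the default jump behaviour a 10.2.2.2 to 10.0.5.7 packet falls through entry 10's deny and is protected by entry 20; with clear it leaves the router unencrypted and with drop it is discarded, in both cases decided by entry 10.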