Cisco Systems SM-ISM Video Gaming Accessories User Manual


 
4-6
Integrated Services Adapter and Integrated Services Module Installation and Configuration
OL-3575-01 B0
Chapter 4 Configuring the ISA and ISM
Configuring IPSec
If you change a transform set definition, the change is only applied to crypto map entries that reference
the transform set. The change is not applied to existing security associations but is used in subsequent
negotiations to establish new security associations. If you want the new settings to take effect sooner,
you can clear all or part of the security association database by using the clear crypto sa command.
To define a transform set, use the following commands, starting in global configuration mode:
Step 1
  Command: crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]
  Purpose: Define a transform set and enter crypto transform configuration mode.
           Complex rules define which entries you can use for the transform arguments. These rules are explained in the command description for the crypto ipsec transform-set command, and Table 4-1 on page 4-7 provides a list of allowed transform combinations.

Step 2
  Command: mode [tunnel | transport]
  Purpose: Change the mode associated with the transform set. The mode setting is applicable only to traffic whose source and destination addresses are the IPSec peer addresses; it is ignored for all other traffic. (All other traffic is in tunnel mode only.)

Step 3
  Command: end
  Purpose: Exit the crypto transform configuration mode to enabled mode.

Step 4
  Command: clear crypto sa
           or
           clear crypto sa peer {ip-address | peer-name}
           or
           clear crypto sa map map-name
           or
           clear crypto sa entry destination-address protocol spi
  Purpose: This step clears existing IPSec security associations so that any changes to a transform set take effect on subsequently established security associations (SAs). (Manually established SAs are reestablished immediately.)
           Using the clear crypto sa command without parameters clears out the full SA database, which clears out active security sessions. You may also specify the peer, map, or entry keywords to clear out only a subset of the SA database.
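
The four steps above as one session, added here as an illustration and not taken from the Cisco manual. The transform set name TS-EXAMPLE and the peer address 192.0.2.1 are placeholders, and the esp-3des/esp-sha-hmac pair is assumed to be among the allowed combinations in Table 4-1.

```cisco
! Constructed example: TS-EXAMPLE and 192.0.2.1 are placeholders.
! Assumes esp-3des + esp-sha-hmac is an allowed combination (see Table 4-1).
!
! Steps 1-3, starting in global configuration mode:
crypto ipsec transform-set TS-EXAMPLE esp-3des esp-sha-hmac
 mode tunnel
 end
!
! Back in enabled mode: confirm the definition before touching any SAs.
show crypto ipsec transform-set
!
! Step 4, scoped to one peer. Existing SAs keep the old settings until
! they are cleared or renegotiated; clearing by peer leaves sessions
! with all other peers in place.
clear crypto sa peer 192.0.2.1
!
! Check that the SAs established afterwards use the new transforms.
show crypto ipsec sa
```

A bare clear crypto sa would apply the change everywhere at once, at the cost of dropping every active security session.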