Name: Cisco ASR 1002
Brand: Cisco
Rating: 5 (1 reviews)

To Next Page

To Previous Page

Page 35 of 72

4.6.2 IPsec Transforms and Lifetimes

Regardless of the IKE version selected, the TOE must be configured with the proper transform

for IPsec ESP encryption and integrity as well as IPsec lifetimes.

TOE-common-criteria(config)# crypto ipsec transform-set example esp-aes 128 esp-

sha-hmac

Note that this configures IPsec ESP to use HMAC-SHA-1 and AES-CBC-128. To

change this to the other allowed algorithms the following options can replace

‘esp-aes 128’ in the command above:

Encryption Algorithm

Command

AES-CBC-256

esp-aes 256

AES-GCM-128

esp-gcm 128

AES-GCM-256

esp-gcm 256

Note: The size of the key selected here must be less than or equal to the key size

selected for the IKE encryption setting in 4.6.1.1 and 4.6.1.2 above. If AES-

CBC-128 was selected there for use with IKE encryption, then only AES-CBC-

128 or AES-GCM-128 may be selected here.

TOE-common-criteria(config-crypto)#mode tunnel

This configures tunnel mode for IPsec. Tunnel is the default, but by explicitly

specifying tunnel mode, the router will request tunnel mode and will accept only

tunnel mode.

TOE-common-criteria(config-crypto)#mode transport

This configures transport mode for IPsec.

TOE-common-criteria (config)#crypto ipsec security-association lifetime seconds

28800

The default time value for Phase 2 SAs is 1 hour. There is no configuration

required for this setting since the default is acceptable, however to change the

setting to 8 hours as claimed in the Security Target the crypto ipsec security-

association lifetime command can be used as specified above.

TOE-common-criteria (config)#crypto ipsec security-association lifetime kilobytes

100000

This configures a lifetime of 100 MB of traffic for Phase 2 SAs. The default

amount for this setting is 2560KB, which is the minimum configurable value for

this command. The maximum configurable value for this command is 4GB.

Additional information regarding configuration of IPsec can be found in [10]. The IPSEC

commands are dispersed within the Security Command References.

• This functionality is available to the Privileged Administrator. Configuration of VPN

settings is restricted to the privileged administrator.

Other manuals for Cisco ASR 1002

Replacing120 pages

Hardware Installation Guide702 pages

Quick Start Guide36 pages

Questions and Answers:

Need help?

Do you have a question about the Cisco ASR 1002 and is the answer not in the manual?

Cisco ASR 1002 Specifications

General

Ethernet LAN	Yes
Cabling technology	10/100/1000Base-T(X)
Networking standards	IEEE 802.3
Ethernet LAN data rates	10, 100, 1000 Mbit/s
Ethernet interface type	Gigabit Ethernet
DHCP client	-
Supported network protocols	BGP, GRE, OSPF, DVMRP, EIGRP, IS-IS, IGMPv3, PIM-SM, PIM-SSM
Ethernet LAN (RJ-45) ports	4
Security algorithms	SSH
VPN tunnels quantity	8000
Safety	UL60950-1 CSA, C22.2 No. 60950-1-03, EN 60950-1, IEC 60950-1, AS/NZS 60950.1
Certification	FCC 47CFR15 Class A AS/NZS CISPR 22 CISPR 22 Class A EN55022 Class A ICES-003 Class A VCCI Class A CNS-13438 Class A EN61000-3-2 EN61000-3-3
Internal memory	4096 MB
AC input voltage	85 - 264 V
Power source type	AC
AC input frequency	50 - 60 Hz
Power consumption (typical)	560 W
Operating altitude	0 - 3048 m
Storage temperature (T-T)	0 - 50 °C
Operating temperature (T-T)	0 - 40 °C
Storage relative humidity (H-H)	5 - 95 %
Operating relative humidity (H-H)	5 - 90 %
Product color	Gray
Rack capacity	2U