CHAPTER 1
Overview
This chapter describes the C7200 VSA (VPN Services Adapter) and contains the following sections:
• VSA Overview
• Hardware Required
• Supported Standards, MIBs, and RFCs
• Performance
• Enabling/Disabling the VSA
• LEDs
• Connectors
• Slot Locations
VSA Overview
The C7200 VSA (VPN Services Adapter) is a hardware acceleration module that provides IPSec encryption services for the Cisco 7200VXR series routers. The VSA offloads encryption processing from the main processor, improving overall system performance.

Key features include:
• IKE—Internet Key Exchange (IKE) is a hybrid security protocol that implements Oakley and Skeme key exchanges inside the Internet Security Association and Key Management Protocol (ISAKMP) framework.
Note: The C7200 VSA is only supported on the Cisco 7200VXR with the NPE-G2 processor.
Hardware Required
The VSA provides hardware-accelerated support for multiple encryption algorithms and protocols.
Supported Standards, MIBs, and RFCs
Performance
Table 1-2 lists the performance information for the VSA.
Enabling/Disabling the VSA
This section includes the following topics:
• Enabling/Disabling Scheme
LEDs
The VSA has one LED, as shown in Figure 1-3.
Figure 1-3 VSA LED
The following conditions must be met before the enabled LED goes on:
• The VSA is correctly connected to the backplane and receiving power.
Slot Locations
Figure 1-4 Cisco 7204VXR Router - Front View
Cisco 7206VXR Router
The VSA is supported in the I/O controller port on the Cisco 7206VXR router (see 4 in Figure 1-5).
CHAPTER 2
Preparing for Installation
This chapter describes the general equipment, safety, and site preparation requirements for installing the C7200 VSA (VPN Services Adapter). This chapter contains the following sections:
• Hardware and Software Requirements
• Online Insertion and Removal (OIR)
• Safety Guidelines
• Compliance with U.S. Export Laws and Regulations Regarding Encryption
Hardware and Software Requirements
Software Requirements
Table 2-1 lists the recommended minimum Cisco IOS software release required to use the VSA in supported router or switch platforms.
Online Insertion and Removal (OIR)
• The VSA module does not support Online Insertion and Removal (OIR). See the "Enabling/Disabling the VSA" section on page 1-6 for details.
Safety Guidelines
Warning: This equipment contains hazardous voltages and currents inside the chassis; they contain electromagnetic interference (EMI) that might disrupt other equipment; and they direct the flow of cooling air through the chassis.
Compliance with U.S. Export Laws and Regulations Regarding Encryption
This product performs encryption and is regulated for export by the U.S. government.
C7200 VSA (VPN Services Adapter) Installation and Configuration Guide, OL-9129-02
CHAPTER 3
Removing and Installing the VSA
This chapter describes how to remove the C7200 VSA (VPN Services Adapter) from the supported platforms and how to install a new or replacement VSA. This chapter contains the following sections:
• Online Insertion and Removal (OIR)
• VSA Removal and Installation
Online Insertion and Removal (OIR)
The VSA plugs into the I/O controller slot of the Cisco 7200VXR series chassis.
VSA Removal and Installation
Follow these steps to remove and insert the VSA in the Cisco 7200VXR series routers:
Step 1: Turn the power switch to the off position and then remove the power cable.
CHAPTER 4
Configuring the VSA
This chapter contains the information and procedures needed to configure the C7200-VSA (VPN Services Adapter). This chapter contains the following sections:
• Configuration Tasks
• Configuration Examples
• Troubleshooting Tips
• Monitoring and Maintaining the VSA
Configuration Tasks
The following configuration tasks are covered:
• Disabling VSA (Optional)
To configure an IKE policy, use the following commands:
For detailed information on creating IKE policies, refer to the "Configuring Internet Key Exchange Security Protocol" chapter in the Security Configuration Guide publication.
• Selecting Appropriate Transforms
• The Crypto Transform Set
Table 4-1 shows allowed transform combinations for the AH and ESP protocols.
IPSec Protocols: AH and ESP
Both the AH and ESP protocols implement security services for IPSec. AH provides data authentication and antireplay services.
Changing Existing Transforms
If one or more transforms need to be changed in an existing transform set, the entire transform set must be deleted and recreated with the new transforms.
Transform Example
To change a global lifetime for IPSec security associations:
Creating Crypto Access Lists
Crypto access lists define which IP traffic will be protected by encryption.
To create crypto map entries that will use IKE to establish security associations:
Creating Dynamic Crypto Maps
A dynamic crypto map entry is a crypto map entry with some parameters not configured.
Step 3: Router(config-crypto-m)# match address access-list-id
(Optional) Access list number or name of an extended access list.
To add a dynamic crypto map set into a crypto map set:
To view information about your IPSec configuration:
Verifying the Configuration
Some configuration changes take effect only after subsequent security associations are negotiated.
remote ident (addr/mask/prot/port): (172.x.x.x/255.255.255.255/0/0)
Configuration Examples
This section provides the following configuration examples:
Basic IPSec Configuration Illustration
The crypto map is applied to an interface:
interface Serial0
ip address
crypto map toRemoteSite

Note: In this example, IKE must be enabled.
Note: In the preceding example, the transform set specifies ESP encryption with 3DES and ESP authentication with SHA.
Troubleshooting Tips
A crypto map joins the transform set and specifies where the protected traffic is sent (the remote IPSec peer):
crypto map toRemoteSite 10 ipsec-isakmp
match address 101
set peer 10.x.x.x
set transform-set my_t_set1
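The relationship described above, as an added example that is not part of the original guide or Cisco's own code: a Python check that each crypto map entry names an access list, a peer and a transform set that are actually defined, and that the map is applied to an interface. The transform-set and access-list lines in the sample, the placeholder addresses, and the set of transforms treated as weak are assumptions.

```python
import re

# Constructed sample: the page's crypto map and interface fragments plus an
# assumed transform-set and access-list line; all addresses are placeholders.
SAMPLE = """\
crypto ipsec transform-set my_t_set1 esp-3des esp-sha-hmac
access-list 101 permit ip 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255
crypto map toRemoteSite 10 ipsec-isakmp
match address 101
set peer 10.x.x.x
set transform-set my_t_set1
interface Serial0
crypto map toRemoteSite
"""
WEAK = {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac"}  # assumed local policy
REQUIRED = ("match address", "set peer", "set transform-set")
SUB = re.compile(r"(match address|set peer|set transform-set) (\S+)")

def audit(config):
    """Return findings for the ipsec-isakmp crypto map entries in an IOS-style config."""
    tsets, acls, entries, applied, cur = {}, set(), {}, set(), None
    for line in (raw.strip() for raw in config.splitlines()):
        if not line.startswith(("set ", "match ")):
            cur = None  # any other command ends the current crypto map entry
        if m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            tsets[m[1]] = m[2].split()
        elif m := re.match(r"(?:ip access-list extended|access-list) (\S+)", line):
            acls.add(m[1])
        elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp$", line):
            cur = entries.setdefault(f"{m[1]} {m[2]}", {"map": m[1]})
        elif m := re.match(r"crypto map (\S+)$", line):
            applied.add(m[1])  # map name bound to an interface
        elif cur is not None and (m := SUB.match(line)):
            cur[m[1]] = m[2]
    out = []
    for tag, e in entries.items():
        out += [f"{tag}: missing '{k}'" for k in REQUIRED if k not in e]
        acl, ts = e.get("match address"), e.get("set transform-set")
        if acl and acl not in acls:
            out.append(f"{tag}: access list {acl} is not defined")
        if ts and ts not in tsets:
            out.append(f"{tag}: transform set {ts} is not defined")
        out += [f"{tag}: weak transform {t} in {ts}" for t in tsets.get(ts, []) if t in WEAK]
        if e["map"] not in applied:
            out.append(f"{tag}: crypto map is not applied to an interface")
    return out

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no findings")
```

The parser does not rely on indentation, so it also accepts configuration text whose leading whitespace was lost in copying.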
Decrypted PHY I/F:0x0000000000000000 TUNNEL I/F: 0x0000000000000000
Monitoring and Maintaining the VSA
To see if the IKE/IPSec packets are being redirected to the VSA for IKE negotiation and IPSec encryption and decryption, enter the show crypto eli command.
The crypto ipsec ipv4 deny-policy {jump | clear | drop} command helps you avoid this problem.
