Creating IKE Policies
- IPsec and long keys (the "k9" subsystem) must be supported.
- AES cannot encrypt IPsec and IKE traffic if an acceleration card is present.
enable
configure terminal
! Create (or enter) ISAKMP policy with priority 10; lower numbers are tried first
crypto isakmp policy 10
! 256-bit AES for the IKE SA
encryption aes 256
! "sha" selects SHA-1 as the IKE hash
hash sha
! Authenticate peers with a pre-shared key
authentication pre-share
! Diffie-Hellman group 14 (2048-bit MODP)
group 14
end
Troubleshooting Tips
- Clear (and reinitialize) IPsec SAs by using the clear crypto sa EXEC command. Using the clear crypto sa command without parameters clears the full SA database, which tears down active security sessions. You may also specify the peer, map, or entry keywords to clear only a subset of the SA database. For more information, see the clear crypto sa command in the Cisco IOS Security Command Reference.
- The default policy and default values for configured policies do not show up in the configuration when you issue the show running-config command. To display the default policy and any default values within configured policies, use the show crypto isakmp policy command.
- Any IPsec transforms or IKE encryption methods that the current hardware does not support should be disabled; they are ignored whenever an attempt to negotiate with the peer is made. If a user enters an IPsec transform or an IKE encryption method that the hardware does not support, a warning message is generated. These warning messages are also generated at boot time. When an encryption card is inserted, the current configuration is scanned, and if any IPsec transforms or IKE encryption methods are found that are not supported by the hardware, a warning message is generated.
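Because show running-config omits default values, an audit that reads the running config must fill in the ISAKMP defaults itself before judging a policy. The following Python auditor is an added example, not Cisco code: it parses a constructed running-config excerpt, applies the IOS defaults as this example assumes them (des, sha, rsa-sig, group 1, 86400 seconds; confirm against show crypto isakmp policy on your platform), and flags legacy ciphers, SHA-1/MD5 hashes and small DH groups.

```python
import re

# Assumed Cisco IOS ISAKMP policy defaults; these lines are omitted from
# show running-config, so the auditor supplies them. Verify on your device.
ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
                   "group": "1", "lifetime": "86400"}

# Constructed running-config excerpt for this example (not from a real device).
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp policy 20
 encryption 3des
 authentication pre-share
crypto isakmp policy 30
 encryption aes 256
 hash sha256
 authentication pre-share
 group 19
"""

def parse_isakmp_policies(config: str) -> dict:
    """Return {priority: settings}, filling defaults for lines the config omits."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^crypto isakmp policy (\d+)$", line.strip())
        if m:
            current = int(m.group(1))
            policies[current] = dict(ISAKMP_DEFAULTS)
            continue
        if current is None or not line.startswith(" "):
            current = None          # left the policy stanza
            continue
        key, _, value = line.strip().partition(" ")
        if key in policies[current]:
            policies[current][key] = value
    return policies

def audit_policy(settings: dict) -> list:
    """Flag settings a current IKE hardening baseline would reject."""
    findings = []
    if settings["encryption"] in ("des", "3des"):
        findings.append(f"weak encryption: {settings['encryption']}")
    if settings["hash"] in ("md5", "sha"):   # "sha" is SHA-1 on IOS
        findings.append(f"weak hash: {settings['hash']}")
    if settings["group"] in ("1", "2", "5"):
        findings.append(f"weak DH group: {settings['group']}")
    return findings

def audit_config(config: str) -> dict:
    """Return {priority: findings} for every ISAKMP policy in the config."""
    return {p: audit_policy(s) for p, s in parse_isakmp_policies(config).items()}
```

Policy 20 in the sample inherits SHA-1 and group 1 from the defaults even though neither line appears in the config, which is exactly the case a running-config grep would miss.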