Internet Key Exchange Security Protocol Commands
Available Languages
Table Of Contents
Internet Key Exchange Security Protocol Commands
crypto isakmp client configuration address-pool local
crypto map client authentication list
crypto map client configuration address
crypto map isakmp authorization list
show crypto key pubkey-chain rsa
Internet Key Exchange Security Protocol Commands
This chapter describes Internet Key Exchange Security Protocol (IKE) commands. The IKE protocol is a key management protocol standard that is used in conjunction with the IPSec standard. IP Security is an IP security feature that provides robust authentication and encryption of IP packets.
IPSec can be configured without IKE, but IKE enhances IPSec by providing additional features, flexibility, and ease of configuration for the IPSec standard.
IKE is a hybrid protocol that implements the Oakley key exchange and Skeme key exchange inside the Internet Security Association and Key Management Protocol (ISAKMP) framework. (ISAKMP, Oakley, and Skeme are security protocols implemented by IKE.)
For configuration information, refer to the chapter "Configuring Internet Key Exchange Security Protocol" in the Cisco IOS Security Configuration Guide.
address
To specify the IP address of the remote peer's RSA public key you will manually configure, use the address public key configuration command.
address ip-address
Syntax Description
Defaults
No default behavior or values.
Command Modes
Public key configuration
Command History
Usage Guidelines
Use this command in conjunction with the named-key command to specify which IP Security peer's RSA public key you will manually configure next. This command should only be used when the router has a single interface that processes IPSec.
Examples
The following example manually specifies the RSA public keys of an IPSec peer:
Router(config)# crypto key pubkey-chain rsaRouter(config-pubkey-chain)# named-key otherpeer.example.comRouter(config-pubkey-key)# address 10.5.5.1Router(config-pubkey-key)# key-stringRouter(config-pubkey)# 005C300D 06092A86 4886F70D 01010105Router(config-pubkey)# 00034B00 30480241 00C5E23B 55D6AB22Router(config-pubkey)# 04AEF1BA A54028A6 9ACC01C5 129D99E4Router(config-pubkey)# 64CAB820 847EDAD9 DF0B4E4C 73A05DD2Router(config-pubkey)# BD62A8A9 FA603DD2 E2A8A6F8 98F76E28Router(config-pubkey)# D58AD221 B583D7A4 71020301 0001Router(config-pubkey)# quitRouter(config-pubkey-key)# exitRouter(config-pubkey-chain)# exitRouter(config)#Related Commands
addressed-key
To specify which peer's RSA public key you will manually configure, use the addressed-key public key chain configuration command.
addressed-key key-address [encryption | signature]
Syntax Description
Defaults
If neither the encryption nor signature keywords are used, general purpose keys will be specified.
Command Modes
Public key chain configuration. This command invokes public key configuration mode.
Command History
Usage Guidelines
Use this command or the named-key command to specify which IP Security peer's RSA public key you will manually configure next.
Follow this command with the key string command to specify the key.
If the IPSec remote peer generated general-purpose RSA keys, do not use the encryption or signature keywords.
If the IPSec remote peer generated special-usage keys, you must manually specify both keys: use this command and the key-string command twice and use the encryption and signature keywords respectively.
Examples
The following example manually specifies the RSA public keys of two IPSec peers. The peer at 10.5.5.1 uses general-purpose keys, and the other peer uses special-usage keys.
Router(config)# crypto key pubkey-chain rsaRouter(config-pubkey-chain)# named-key otherpeer.example.comRouter(config-pubkey-key)# address 10.5.5.1Router(config-pubkey-key)# key-stringRouter(config-pubkey)# 005C300D 06092A86 4886F70D 01010105Router(config-pubkey)# 00034B00 30480241 00C5E23B 55D6AB22Router(config-pubkey)# 04AEF1BA A54028A6 9ACC01C5 129D99E4Router(config-pubkey)# 64CAB820 847EDAD9 DF0B4E4C 73A05DD2Router(config-pubkey)# BD62A8A9 FA603DD2 E2A8A6F8 98F76E28Router(config-pubkey)# D58AD221 B583D7A4 71020301 0001Router(config-pubkey)# quitRouter(config-pubkey-key)# exitRouter(config-pubkey-chain)# addressed-key 10.1.1.2 encryptionRouter(config-pubkey-key)# key-stringRouter(config-pubkey)# 00302017 4A7D385B 1234EF29 335FC973Router(config-pubkey)# 2DD50A37 C4F4B0FD 9DADE748 429618D5Router(config-pubkey)# 18242BA3 2EDFBDD3 4296142A DDF7D3D8Router(config-pubkey)# 08407685 2F2190A0 0B43F1BD 9A8A26DBRouter(config-pubkey)# 07953829 791FCDE9 A98420F0 6A82045BRouter(config-pubkey)# 90288A26 DBC64468 7789F76E EE21Router(config-pubkey)# quitRouter(config-pubkey-key)# exitRouter(config-pubkey-chain)# addressed-key 10.1.1.2 signatureRouter(config-pubkey-key)# key-stringRouter(config-pubkey)# 0738BC7A 2BC3E9F0 679B00FE 53987BCCRouter(config-pubkey)# 01030201 42DD06AF E228D24C 458AD228Router(config-pubkey)# 58BB5DDD F4836401 2A2D7163 219F882ERouter(config-pubkey)# 64CE69D4 B583748A 241BED0F 6E7F2F16Router(config-pubkey)# 0DE0986E DF02031F 4B0B0912 F68200C4Router(config-pubkey)# C625C389 0BFF3321 A2598935 C1B1Router(config-pubkey)# quitRouter(config-pubkey-key)# exitRouter(config-pubkey-chain)# exitRouter(config)#Related Commands
authentication (IKE policy)
To specify the authentication method within an Internet Key Exchange policy, use the authentication ISAKMP policy configuration command. IKE policies define a set of parameters to be used during IKE negotiation. To reset the authentication method to the default value, use the no form of this command.
authentication {rsa-sig | rsa-encr | pre-share}
no authentication
Syntax Description
rsa-sig
Specifies RSA signatures as the authentication method.
rsa-encr
Specifies RSA encrypted nonces as the authentication method.
pre-share
Specifies preshared keys as the authentication method.
Defaults
RSA signatures
Command Modes
ISAKMP policy configuration
Command History
Usage Guidelines
Use this command to specify the authentication method to be used in an IKE policy.
If you specify RSA signatures, you must configure your peer routers to obtain certificates from a certification authority (CA).
If you specify RSA encrypted nonces, you must ensure that each peer has the other peer's RSA public keys. (See the crypto key pubkey-chain rsa, addressed-key, named-key, address, and commands.)
If you specify preshared keys, you must also separately configure these preshared keys. (See the crypto isakmp identity and crypto isakmp key commands.)
Examples
The following example configures an IKE policy with preshared keys as the authentication method (all other parameters are set to the defaults):
crypto isakmp policy 15authentication pre-shareexitRelated Commands
clear crypto isakmp
To clear active Internet Key Exchange connections, use the clear crypto isakmp EXEC configuration command.
clear crypto isakmp [connection-id]
Syntax Description
connection-id
(Optional) Specifies which connection to clear. If this argument is not used, all existing connections will be cleared.
Command Modes
EXEC
Command History
Usage Guidelines
Use this command to clear active IKE connections.
CautionIf the connection-id argument is not used, all existing IKE connections will be cleared when this command is issued.
Examples
The following example clears an IKE connection between two peers connected by interfaces 172.21.114.123 and 172.21.114.67:
Router# show crypto isakmp sadst src state conn-id slot172.21.114.123 172.21.114.67 QM_IDLE 1 0155.0.0.2 155.0.0.1 QM_IDLE 8 0Router# configure terminalEnter configuration commands, one per line. End with CNTL/Z.Router(config)# clear crypto isakmp 1Router(config)# exitRouter# show crypto isakmp sadst src state conn-id slot155.0.0.2 155.0.0.1 QM_IDLE 8 0Router#Related Commands
crypto isakmp client configuration address-pool local
To configure the IP address local pool to reference Internet Key Exchange on your router, use the crypto isakmp client configuration address-pool local global configuration command. To restore the default value, use the no form of this command.
crypto isakmp client configuration address-pool local pool-name
no crypto isakmp client configuration address-pool local
Syntax Description
Defaults
IP address local pools do not reference IKE.
Command Modes
Global configuration
Command History
12.0(4)XE
This command was introduced.
12.0(7)T
This command was integrated into Cisco IOS release 12.0(7)T.
Examples
The following example references IP address local pools to IKE on your router, with "ire" as the pool-name:
crypto isakmp client configuration address-pool local ireRelated Commands
ip local pool
Configures a local pool of IP addresses to be used when a remote peer connects to a point-to-point interface.
crypto isakmp enable
To globally enable Internet Key Exchange at your peer router, use the crypto isakmp enable global configuration command. To disable IKE at the peer, use the no form of this command.
crypto isakmp enable
no crypto isakmp enable
Syntax Description
This command has no arguments or keywords.
Defaults
IKE is enabled.
Command Modes
Global configuration
Command History
Usage Guidelines
IKE is enabled by default. IKE does not have to be enabled for individual interfaces, but is enabled globally for all interfaces at the router.
If you do not want IKE to be used in your IPSec implementation, you can disable IKE at all your IP Security peers. If you disable IKE at one peer, you must disable it at all your IPSec peers.
If you disable IKE, you will have to make these concessions at the peers:
•
•
•
•
•
Examples
The following example disables IKE at one peer. (The same command should be issued at all remote peers.)
no crypto isakmp enablecrypto isakmp identity
To define the identity used by the router when participating in the Internet Key Exchange protocol, use the crypto isakmp identity global configuration command. Set an Internet Security Association Key Management Protocol identity whenever you specify preshared keys. To reset the ISAKMP identity to the default value (address), use the no form of this command.
crypto isakmp identity {address | hostname}
no crypto isakmp identity
Syntax Description
Defaults
The IP address is used for the ISAKMP identity.
Command Modes
Global configuration
Command History
Usage Guidelines
Use this command to specify an ISAKMP identity either by IP address or by host name.
The address keyword is typically used when there is only one interface (and therefore only one IP address) that will be used by the peer for IKE negotiations, and the IP address is known.
The hostname keyword should be used if there is more than one interface on the peer that might be used for IKE negotiations, or if the interface's IP address is unknown (such as with dynamically assigned IP addresses).
As a general rule, you should set all peers' identities in the same way, either by IP address or by host name.
Examples
The following example uses preshared keys at two peers and sets both their ISAKMP identities to IP address.
At the local peer (at 10.0.0.1) the ISAKMP identity is set and the preshared key is specified.
crypto isakmp identity addresscrypto isakmp key sharedkeystring address 192.168.1.33At the remote peer (at 192.168.1.33) the ISAKMP identity is set and the same preshared key is specified.
crypto isakmp identity addresscrypto isakmp key sharedkeystring address 10.0.0.1
Note
The following example uses preshared keys at two peers and sets both their ISAKMP identities to hostname.
At the local peer the ISAKMP identity is set and the preshared key is specified.
crypto isakmp identity hostnamecrypto isakmp key sharedkeystring hostname RemoteRouter.example.comip host RemoteRouter.example.com 192.168.0.1At the remote peer the ISAKMP identity is set and the same preshared key is specified.
crypto isakmp identity hostnamecrypto isakmp key sharedkeystring hostname LocalRouter.example.comip host LocalRouter.example.com 10.0.0.1 10.0.0.2In the above example, host names are used for the peers' identities because the local peer has two interfaces that might be used during an IKE negotiation.
In the above example the IP addresses are also mapped to the host names; this mapping is not necessary if the routers' host names are already mapped in DNS.
Related Commands
Specifies the authentication method within an IKE policy.
Configures a preshared authentication key.
crypto isakmp keepalive
To send Internet Key Exchange (IKE) keepalive messages from one router to another router, use the crypto isakmp keepalive command in global configuration mode. To disable keepalives, use the no form of this command.
crypto isakmp keepalive secs
no crypto isakmp keepalive secs
Syntax Description
Defaults
This command is not enabled.
Command Modes
Global configuration
Command History
Usage Guidelines
The crypto isakmp keepalive command is used to send IKE keepalives, which detect the continued connectivity of an IKE security association (SA), between two peer points.
Examples
The following example shows how to configure keepalive messages to be sent every 40 seconds:
crypto isakmp keepalive 40
crypto isakmp key
To configure a preshared authentication key, use the crypto isakmp key global configuration command. You must configure this key whenever you specify preshared keys in an Internet Key Exchange policy. To delete a preshared authentication key, use the no form of this command.
crypto isakmp key keystring address peer-address [mask]
crypto isakmp key keystring hostname peer-hostname
no crypto isakmp key keystring address peer-address
no crypto isakmp key keystring hostname peer-hostname
Syntax Description
Defaults
There is no default preshared authentication key.
Command Modes
Global configuration
Command History
Usage Guidelines
Use this command to configure preshared authentication keys. You must perform this command at both peers.
If an IKE policy includes preshared keys as the authentication method, these preshared keys must be configured at both peers—otherwise the policy cannot be used (the policy will not be submitted for matching by the IKE process). The crypto isakmp key command is the second task required to configure the preshared keys at the peers. (The first task is accomplished with the crypto isakmp identity command.)
Use the address keyword if the remote peer ISAKMP identity was set with its IP address.
Use the hostname keyword if the remote ISAKMP identity was set with its host name.
With the address keyword, you can also use the mask argument to indicate the remote peer ISAKMP identity will be established using the preshared key only. If the mask argument is used, preshared keys are no longer restricted between two users.
Note
With the hostname keyword, you might also have to map the host name of the remote peer to all IP addresses of the remote peer interfaces that could be used during the IKE negotiation. (This is done with the ip host command.) You must map the host name to IP address unless this mapping is already done in a Domain Name System (DNS) server.
Examples
In the following example, the remote peer "RemoteRouter" specifies an ISAKMP identity by address:
crypto isakmp identity addressIn the following example, the local peer "LocalRouter" also specifies an ISAKMP identity, but by host name:
crypto isakmp identity hostnameNow, the preshared key must be specified at each peer.
In the following example, the local peer specifies the preshared key and designates the remote peer by its IP address and a mask:
crypto isakmp key sharedkeystring address 172.21.230.33 255.255.255.255In the following example, the remote peer specifies the same preshared key and designates the local peer by its host name:
crypto isakmp key sharedkeystring hostname LocalRouter.example.comThe remote peer also maps multiple IP addresses to the same host name for the local peer because the local peer has two interfaces which both might be used during an IKE negotiation with the local peer. These two interfaces' IP addresses (10.0.0.1 and 10.0.0.2) are both mapped to the remote peer's host name.
ip host LocalRouter.example.com 10.0.0.1 10.0.0.2(This mapping would not have been necessary if LocalRouter.example.com was already mapped in DNS.)
In this example, a remote peer specifies its ISAKMP identity by address, and the local peer specifies its ISAKMP identity by host name. Depending on the circumstances in your network, both peers could specify their ISAKMP identity by address, or both by host name.
Related Commands
crypto isakmp policy
To define an Internet Key Exchange policy, use the crypto isakmp policy global configuration command. IKE policies define a set of parameters to be used during the IKE negotiation. To delete an IKE policy, use the no form of this command.
crypto isakmp policy priority
no crypto isakmp policy
Syntax Description
priority
Uniquely identifies the IKE policy and assigns a priority to the policy. Use an integer from 1 to 10,000, with 1 being the highest priority and 10,000 the lowest.
Defaults
There is a default policy, which always has the lowest priority. This default policy contains default values for the encryption, hash, authentication, Diffie-Hellman group, and lifetime parameters. (The parameter defaults are listed below in the Usage Guidelines section.)
When you create an IKE policy, if you do not specify a value for a particular parameter, the default for that parameter will be used.
Command Modes
Global configuration
Command History
Usage Guidelines
Use this command to specify the parameters to be used during an IKE negotiation. (These parameters are used to create the IKE security association [SA].)
This command invokes the Internet Security Association Key Management Protocol policy configuration (config-isakmp) command mode. While in the ISAKMP policy configuration command mode, the following commands are available to specify the parameters in the policy:
•
•
•
•
•
If you do not specify one of these commands for a policy, the default value will be used for that parameter.
To exit the config-isakmp command mode, type exit.
You can configure multiple IKE policies on each peer participating in IPSec. When the IKE negotiation begins, it tries to find a common policy configured on both peers, starting with the highest priority policies as specified on the remote peer.
Examples
The following example configures two policies for the peer:
crypto isakmp policy 15hash md5authentication rsa-siggroup 2lifetime 5000crypto isakmp policy 20authentication pre-sharelifetime 10000The above configuration results in the following policies:
Router# show crypto isakmp policyProtection suite priority 15encryption algorithm: DES - Data Encryption Standard (56 bit keys)hash algorithm: Message Digest 5authentication method: Rivest-Shamir-Adleman SignatureDiffie-Hellman Group: #2 (1024 bit)lifetime: 5000 seconds, no volume limitProtection suite priority 20encryption algorithm: DES - Data Encryption Standard (56 bit keys)hash algorithm: Secure Hash Standardauthentication method: preshared KeyDiffie-Hellman Group: #1 (768 bit)lifetime: 10000 seconds, no volume limitDefault protection suiteencryption algorithm: DES - Data Encryption Standard (56 bit keys)hash algorithm: Secure Hash Standardauthentication method: Rivest-Shamir-Adleman SignatureDiffie-Hellman Group: #1 (768 bit)lifetime: 86400 seconds, no volume limitRelated Commands
crypto key generate rsa
To generate Rivest, Shamir, and Adelman (RSA) key pairs, use the crypto key generate rsa command in global configuration mode.
crypto key generate rsa {general-keys | usage-keys} [label key-label] [exportable] [modulus modulus-size]
Syntax Description
Defaults
RSA key pairs do not exist.
Command Modes
Global configuration
Command History
11.3
This command was introduced.
12.2(8)T
The key-pair-label argument was added.
12.2(15)T
The exportable keywords was added.
Usage Guidelines
Use this command to generate RSA key pairs for your Cisco device (such as a router).
RSA keys are generated in pairs—one public RSA key and one private RSA key.
If your router already has RSA keys when you issue this command, you will be warned and prompted to replace the existing keys with new keys.
Note
This command is not saved in the router configuration; however, the RSA keys generated by this command are saved in the private configuration in NVRAM (which is never displayed to the user or backed up to another device) the next time the configuration is written to NVRAM.
Note
There are two mutually exclusive types of RSA key pairs: special-usage keys and general-purpose keys. When you generate RSA key pairs, you will be prompted to select either special-usage keys or general-purpose keys.
Special-Usage Keys
If you generate special-usage keys, two pairs of RSA keys will be generated. One pair will be used with any Internet Key Exchange (IKE) policy that specifies RSA signatures as the authentication method, and the other pair will be used with any IKE policy that specifies RSA encrypted keys as the authentication method.
A certification authority (CA) is used only with IKE policies specifying RSA signatures, not with IKE policies specifying RSA-encrypted nonces. (However, you could specify more than one IKE policy and have RSA signatures specified in one policy and RSA-encrypted nonces in another policy.)
If you plan to have both types of RSA authentication methods in your IKE policies, you may prefer to generate special-usage keys. With special-usage keys, each key is not unnecessarily exposed. (Without special-usage keys, one key is used for both authentication methods, increasing the exposure of that key.)
General-Purpose Keys
If you generate general-purpose keys, only one pair of RSA keys will be generated. This pair will be used with IKE policies specifying either RSA signatures or RSA encrypted keys. Therefore, a general-purpose key pair might get used more frequently than a special-usage key pair.
Named Key Pairs
If you generate a named key pair using the key-pair-label argument, you must also specify the usage-keys keyword or the general-keys keyword. Named key pairs allow you to have multiple RSA key pairs, enabling the Cisco IOS software to maintain a different key pair for each identity certificate.
Modulus Length
When you generate RSA keys, you will be prompted to enter a modulus length. A longer modulus could offer stronger security but takes longer to generate (see Table 24 for sample times) and takes longer to use. (The Cisco IOS software does not support a modulus greater than 2048 bits.) A length of less than 512 is normally not recommended. (In certain situations, the shorter modulus may not function properly with IKE, so Cisco recommends using a minimum modulus of 1024.)
Examples
The following example generates special-usage RSA keys:
Router(config)# crypto key generate rsa usage-keysThe name for the keys will be: myrouter.example.comChoose the size of the key modulus in the range of 360 to 2048 for your Signature Keys. Choosing a key modulus greater than 512 may take a few minutes.How many bits in the modulus[512]? <return>Generating RSA keys.... [OK].Choose the size of the key modulus in the range of 360 to 2048 for your Encryption Keys. Choosing a key modulus greater than 512 may take a few minutes.How many bits in the modulus[512]? <return>Generating RSA keys.... [OK].The following example generates general-purpose RSA keys:
Note
Router(config)# crypto key generate rsaThe name for the keys will be: myrouter.example.comChoose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.How many bits in the modulus[512]? <return>Generating RSA keys.... [OK].The following example generates the general-purpose RSA key pair "exampleCAkeys":
crypto key generate rsa general-purpose exampleCAkeyscrypto ca trustpoint exampleCAkeysenroll url http://exampleCAkeys/certsrv/mscep/mscep.dllrsakeypair exampleCAkeys 1024 1024Related Commands
crypto key pubkey-chain rsa
To enter public key configuration mode (so you can manually specify other devices' RSA public keys), use the crypto key pubkey-chain rsa global configuration command.
crypto key pubkey-chain rsa
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
Usage Guidelines
Use this command to enter public key chain configuration mode. Use this command when you need to manually specify other IPSec peers' RSA public keys. You need to specify other peers' keys when you configure RSA encrypted nonces as the authentication method in an Internet Key Exchange policy at your peer router.
Examples
The following example specifies the RSA public keys of two other IPSec peers. The remote peers use their IP address as their identity.
Router(config)# crypto key pubkey-chain rsaRouter(config-pubkey-chain)# addressed-key 10.5.5.1Router(config-pubkey-key)# key-stringRouter(config-pubkey)# 00302017 4A7D385B 1234EF29 335FC973Router(config-pubkey)# 2DD50A37 C4F4B0FD 9DADE748 429618D5Router(config-pubkey)# 18242BA3 2EDFBDD3 4296142A DDF7D3D8Router(config-pubkey)# 08407685 2F2190A0 0B43F1BD 9A8A26DBRouter(config-pubkey)# 07953829 791FCDE9 A98420F0 6A82045BRouter(config-pubkey)# 90288A26 DBC64468 7789F76E EE21Router(config-pubkey)# quitRouter(config-pubkey-key)# exitRouter(config-pubkey-chain)# addressed-key 10.1.1.2Router(config-pubkey-key)# key-stringRouter(config-pubkey)# 0738BC7A 2BC3E9F0 679B00FE 53987BCCRouter(config-pubkey)# 01030201 42DD06AF E228D24C 458AD228Router(config-pubkey)# 58BB5DDD F4836401 2A2D7163 219F882ERouter(config-pubkey)# 64CE69D4 B583748A 241BED0F 6E7F2F16Router(config-pubkey)# 0DE0986E DF02031F 4B0B0912 F68200C4Router(config-pubkey)# C625C389 0BFF3321 A2598935 C1B1Router(config-pubkey)# quitRouter(config-pubkey-key)# exitRouter(config-pubkey-chain)# exitRouter(config)#Related Commands
crypto map client authentication list
To configure Internet Key Exchange extended authentication (Xauth) on your router, use the crypto map client authentication list global configuration command. To restore the default value, use the no form of this command.
crypto map map-name client authentication list list-name
no crypto map map-name client authentication list list-name
Syntax Description
Defaults
Xauth is not enabled.
Command Modes
Global configuration mode
Command History
Usage Guidelines
Before configuring Xauth, you should complete the following tasks:
•
•
•
•
After enabling Xauth, you should apply the crypto map on which Xauth is configured to the router interface.
Examples
The following example configures user authentication (a list of authentication methods called xauthlist) on an existing static crypto map called xauthmap:
crypto map xauthmap client authentication list xauthlistThe following example configures user authentication (a list of authentication methods called xauthlist) on a dynamic crypto map called xauthdynamic that has been applied to a static crypto map called xauthmap:
crypto map xauthmap client authentication list xauthlistcrypto map xauthmap 10 ipsec-isakmp dynamic xauthdynamicRelated Commands
crypto map client configuration address
To configure IKE Mode Configuration on your router, use the crypto map client configuration address global configuration command. To disable IKE Mode Configuration, use the no form of this command.
crypto map tag client configuration address [initiate | respond]
no crypto map tag client configuration address
Syntax Description
Defaults
IKE Mode Configuration is not enabled.
Command Modes
Global configuration.
Command History
12.0(4)XE
This command was introduced.
12.0(7)T
This command was implemented in Cisco IOS release 12.0(7)T.
Usage Guidelines
At the time of this publication, this feature is an IETF draft with limited support. Therefore this feature was not designed to enable the configuration mode for every IKE connection by default.
Examples
The following examples configure IKE Mode Configuration on your router:
crypto map dyn client configuration address initiatecrypto map dyn client configuration address respondRelated Commands
crypto map (global)
Creates or modifies a crypto map entry and enters the crypto map configuration mode
crypto map isakmp authorization list
To enable Internet Key Exchange (IKE) querying of authentication, authorization, and accounting (AAA) for tunnel attributes in aggressive mode, use the crypto map isakmp authorization list global configuration command. To restore the default value, use the no form of this command.
crypto map map-name isakmp authorization list list-name
no crypto map map-name isakmp authorization list list-name
Syntax Description
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
Usage Guidelines
Use the crypto map client authorization list command to enable key lookup from a AAA server.
Preshared keys deployed in a large-scale Virtual Private Network (VPN) without a certification authority, with dynamic IP addresses, are accessed during aggression mode of IKE negotiation through a AAA server. Thus, users have their own key, which is stored on an external AAA server. This allows for central management of the user database, linking it to an existing database, in addition to allowing every user to have their own unique, more secure pre-shared key.
Before configuring the crypto map client authorization list command, you should perform the following tasks:
•
•
•
•
After enabling the crypto map client authorization list command, you should apply the previously defined crypto map to the interface.
Examples
The following example shows how to configure the crypto map client authorization list command:
crypto map ikessaaamap isakmp authorization list ikessaaalistcrypto map ikessaaamap 10 ipsec-isakmp dynamic ikessaaadynRelated Commands
encryption (IKE policy)
To specify the encryption algorithm within an Internet Key Exchange policy, use the encryption ISAKMP policy configuration command. IKE policies define a set of parameters to be used during IKE negotiation. To reset the encryption algorithm to the default value, use the no form of this command.
encryption {des | 3des}
no encryption
Syntax Description
des
Specifies 56-bit DES-CBC as the encryption algorithm.
3des
Specifies 168-bit DES (3DES) as the encryption algorithm.
Defaults
The 56-bit DES-CBC encryption algorithm.
Command Modes
ISAKMP policy configuration
Command History
Usage Guidelines
Use this command to specify the encryption algorithm to be used in an IKE policy.
Examples
The following example configures an IKE policy with the 3DES encryption algorithm (all other parameters are set to the defaults):
crypto isakmp policyencryption 3desexitRelated Commands
group (IKE policy)
To specify the Diffie-Hellman group identifier within an Internet Key Exchange policy, use the group ISAKMP policy configuration command. IKE policies define a set of parameters to be used during IKE negotiation. To reset the Diffie-Hellman group identifier to the default value, use the no form of this command.
group {1 | 2}
no group
Syntax Description
Defaults
768-bit Diffie-Hellman (group 1)
Command Modes
ISAKMP policy configuration
Command History
Usage Guidelines
Use this command to specify the Diffie-Hellman group to be used in an IKE policy.
Examples
The following example configures an IKE policy with the 1024-bit Diffie-Hellman group (all other parameters are set to the defaults):
crypto isakmp policy 15group 2exitRelated Commands
hash (IKE policy)
To specify the hash algorithm within an Internet Key Exchange policy, use the hash ISAKMP policy configuration command. IKE policies define a set of parameters to be used during IKE negotiation. To reset the hash algorithm to the default SHA-1 hash algorithm, use the no form of this command.
hash {sha | md5}
no hash
Syntax Description
sha
Specifies SHA-1 (HMAC variant) as the hash algorithm.
md5
Specifies MD5 (HMAC variant) as the hash algorithm.
Defaults
The SHA-1 hash algorithm
Command Modes
ISAKMP policy configuration
Command History
Usage Guidelines
Use this command to specify the hash algorithm to be used in an IKE policy.
Examples
The following example configures an IKE policy with the MD5 hash algorithm (all other parameters are set to the defaults):
crypto isakmp policy 15hash md5exitRelated Commands
key-string (IKE)
To manually specify a remote peer's RSA public key, use the key-string public key configuration command.
key-string key-string
Syntax Description
key-string
Enter the key in hexadecimal format. While entering the key data you can press Return to continue entering data.
Defaults
No default behavior or values.
Command Modes
Public key configuration
Command History
Usage Guidelines
Use this command to manually specify the RSA public key of an IP Security peer. Before using this command, you must identify the remote peer using either the addressed-key or named-key command.
If possible, to avoid mistakes, you should cut and paste the key data (instead of attempting to type in the data).
To complete the command, you must return to the global configuration mode by typing quit at the config-pubkey prompt.
Examples
The following example manually specifies the RSA public keys of an IPSec peer:
Router(config)# crypto key pubkey-chain rsaRouter(config-pubkey-chain)# named-key otherpeer.example.comRouter(config-pubkey-key)# address 10.5.5.1Router(config-pubkey-key)# key-stringRouter(config-pubkey)# 005C300D 06092A86 4886F70D 01010105Router(config-pubkey)# 00034B00 30480241 00C5E23B 55D6AB22Router(config-pubkey)# 04AEF1BA A54028A6 9ACC01C5 129D99E4Router(config-pubkey)# 64CAB820 847EDAD9 DF0B4E4C 73A05DD2Router(config-pubkey)# BD62A8A9 FA603DD2 E2A8A6F8 98F76E28Router(config-pubkey)# D58AD221 B583D7A4 71020301 0001Router(config-pubkey)# quitRouter(config-pubkey-key)# exitRouter(config-pubkey-chain)# exitRouter(config)#Related Commands
lifetime (IKE policy)
To specify the lifetime of an Internet Key Exchange security association (SA), use the lifetime Internet Security Association Key Management Protocol policy configuration command. To reset the SA lifetime to the default value, use the no form of this command.
lifetime seconds
no lifetime
Syntax Description
seconds
Number of many seconds for each each SA should exist before expiring. Use an integer from 60 to 86,400 seconds.
Defaults
86,400 seconds (one day)
Command Modes
ISAKMP policy configuration
Command History
Usage Guidelines
Use this command to specify how long an IKE SA exists before expiring.
When IKE begins negotiations, the first thing it does is agree upon the security parameters for its own session. The agreed-upon parameters are then referenced by an SA at each peer. The SA is retained by each peer until the SA's lifetime expires. Before an SA expires, it can be reused by subsequent IKE negotiations, which can save time when setting up new IPSec SAs. Before an SA expires, it can be reused by subsequent IKE negotiations, which can save time when setting up new IPSec SAs. New IPSec SAs are negotiated before current IPSec SAs expire.
So, to save setup time for IPSec, configure a longer IKE SA lifetime. However, shorter lifetimes limit the exposure to attackers of this SA. The longer an SA is used, the more encrypted traffic can be gathered by an attacker and possibly used in an attack.
Note that when your local peer initiates an IKE negotiation between itself and a remote peer, an IKE policy can be selected only if the lifetime of the remote peer's policy is longer than or equal to the lifetime of the local peer's policy. Then, if the lifetimes are not equal, the shorter lifetime will be selected. To restate this behavior: If the two peer's policies' lifetimes are not the same, the initiating peer's lifetime must be shorter and the responding peer's lifetime must be longer, and the shorter lifetime will be used.
Examples
The following example configures an IKE policy with a security association lifetime of 600 seconds (10 minutes), and all other parameters are set to the defaults:
crypto isakmp policy 15lifetime 600exitRelated Commands
named-key
To specify which peer's RSA public key you will manually configure, use the named-key public key chain configuration command. This command should only be used when the router has a single interface that processes IP Security.
named-key key-name [encryption | signature]
Syntax Description
Defaults
If neither the encryption nor the signature keyword is used, general-purpose keys will be specified.
Command Modes
Public key chain configuration. This command invokes public key configuration mode.
Command History
Usage Guidelines
Use this command or the addressed-key command to specify which IPSec peer's RSA public key you will manually configure next.
Follow this command with the key-string command to specify the key.
If you use the named-key command, you also need to use the address public key configuration command to specify the IP address of the peer.
If the IPSec remote peer generated general purpose RSA keys, do not use the encryption or signature keyword.
If the IPSec remote peer generated special usage keys, you must manually specify both keys: perform this command and the key-string command twice and use the encryption and signature keywords in turn.
Examples
The following example manually specifies the RSA public keys of two IPSec peers. The peer at 10.5.5.1 uses general-purpose keys, and the other peer uses special-purpose keys.
crypto key pubkey-chain rsanamed-key otherpeer.example.comaddress 10.5.5.1key-string005C300D 06092A86 4886F70D 0101010500034B00 30480241 00C5E23B 55D6AB2204AEF1BA A54028A6 9ACC01C5 129D99E464CAB820 847EDAD9 DF0B4E4C 73A05DD2BD62A8A9 FA603DD2 E2A8A6F8 98F76E28D58AD221 B583D7A4 71020301 0001quitexitaddressed-key 10.1.1.2 encryptionkey-string00302017 4A7D385B 1234EF29 335FC9732DD50A37 C4F4B0FD 9DADE748 429618D518242BA3 2EDFBDD3 4296142A DDF7D3D808407685 2F2190A0 0B43F1BD 9A8A26DB07953829 791FCDE9 A98420F0 6A82045B90288A26 DBC64468 7789F76E EE21quitexitaddressed-key 10.1.1.2 signaturekey-string0738BC7A 2BC3E9F0 679B00FE 098533AB01030201 42DD06AF E228D24C 458AD22858BB5DDD F4836401 2A2D7163 219F882E64CE69D4 B583748A 241BED0F 6E7F2F160DE0986E DF02031F 4B0B0912 F68200C4C625C389 0BFF3321 A2598935 C1B1quitexitexitRelated Commands
show crypto isakmp policy
To view the parameters for each Internet Key Exchange policy, use the show crypto isakmp policy EXEC command.
show crypto isakmp policy
Syntax Description
This command has no arguments or keywords.
Command Modes
EXEC
Command History
Examples
The following is sample output from the show crypto isakmp policy command, after two IKE policies have been configured (with priorities 15 and 20 respectively):
Router# show crypto isakmp policyProtection suite priority 15encryption algorithm: DES - Data Encryption Standard (56 bit keys)hash algorithm: Message Digest 5authentication method: Rivest-Shamir-Adleman SignatureDiffie-Hellman Group: #2 (1024 bit)lifetime: 5000 seconds, no volume limitProtection suite priority 20encryption algorithm: DES - Data Encryption Standard (56 bit keys)hash algorithm: Secure Hash Standardauthentication method: preshared KeyDiffie-Hellman Group: #1 (768 bit)lifetime: 10000 seconds, no volume limitDefault protection suiteencryption algorithm: DES - Data Encryption Standard (56 bit keys)hash algorithm: Secure Hash Standardauthentication method: Rivest-Shamir-Adleman SignatureDiffie-Hellman Group: #1 (768 bit)lifetime: 86400 seconds, no volume limit
Note
Related Commands
show crypto isakmp sa
To view all current Internet Key Exchange security associations (SAs) at a peer, use the show crypto isakmp sa EXEC command.
show crypto isakmp sa
Syntax Description
This command has no arguments or keywords.
Command Modes
EXEC
Command History
Examples
The following is sample output from the show crypto isakmp sa command, after IKE negotiations have successfully completed between two peers:
Router# show crypto isakmp sadst src state conn-id slot172.21.114.123 172.21.114.67 QM_IDLE 1 0155.0.0.2 155.0.0.1 QM_IDLE 8 0Table 25 through Table 27 show the various states that may be displayed in the output of the show crypto isakmp sa command. When an Internet Security Association and Key Management Protocol SA exists, it will most likely be in its quiescent state (QM_IDLE). For long exchanges, some of the MM_xxx states may be observed.
Related Commands
show crypto key mypubkey rsa
To view the RSA public keys of your router, use the show crypto key mypubkey rsa EXEC command.
show crypto key mypubkey rsa
Syntax Description
This command has no arguments or keywords.
Command Modes
EXEC
Command History
Usage Guidelines
This command displays your router's RSA public keys.
Examples
The following is sample output from the show crypto key mypubkey rsa command. Special usage RSA keys were previously generated for this router using the crypto key generate rsa command.
% Key pair was generated at: 06:07:49 UTC Jan 13 1996Key name: myrouter.example.comUsage: Signature KeyKey Data:005C300D 06092A86 4886F70D 01010105 00034B00 30480241 00C5E23B 55D6AB2204AEF1BA A54028A6 9ACC01C5 129D99E4 64CAB820 847EDAD9 DF0B4E4C 73A05DD2BD62A8A9 FA603DD2 E2A8A6F8 98F76E28 D58AD221 B583D7A4 71020301 0001% Key pair was generated at: 06:07:50 UTC Jan 13 1996Key name: myrouter.example.comUsage: Encryption KeyKey Data:00302017 4A7D385B 1234EF29 335FC973 2DD50A37 C4F4B0FD 9DADE748 429618D518242BA3 2EDFBDD3 4296142A DDF7D3D8 08407685 2F2190A0 0B43F1BD 9A8A26DB07953829 791FCDE9 A98420F0 6A82045B 90288A26 DBC64468 7789F76E EE21Related Commands
show crypto key pubkey-chain rsa
To view peers' RSA public keys stored on your router, use the show crypto key pubkey-chain rsa EXEC command.
show crypto key pubkey-chain rsa [name key-name | address key-address]
Syntax Description
name key-name
(Optional) The name of a particular public key to view.
address key-address
(Optional) The address of a particular public key to view.
Command Modes
EXEC
Command History
Usage Guidelines
This command shows RSA public keys stored on your router. This includes peers' RSA public keys manually configured at your router and keys received by your router via other means (such as by a certificate, if certification authority support is configured).
If a router reboots, any public key derived by certificates will be lost. This is because the router will ask for certificates again, at which time the public key will be derived again.
Use the name or address keywords to display details about a particular RSA public key stored on your router.
If no keywords are used, this command displays a list of all RSA public keys stored on your router.
Examples
The following is sample output from the show crypto key pubkey-chain rsa command:
Codes: M - Manually Configured, C - Extracted from certificateCode Usage IP-address NameM Signature 10.0.0.l myrouter.example.comM Encryption 10.0.0.1 myrouter.example.comC Signature 172.16.0.1 routerA.example.comC Encryption 172.16.0.1 routerA.example.comC General 192.168.10.3 routerB.domain1.comThis sample shows manually configured special usage RSA public keys for the peer "somerouter." This sample also shows three keys obtained from peers' certificates: special usage keys for peer "routerA" and a general purpose key for peer "routerB."
Certificate support is used in the above example; if certificate support was not in use, none of the peers' keys would show "C" in the code column, but would all have to be manually configured.
The following is sample output when you issue the command show crypto key pubkey rsa name somerouter.example.com:
Key name: somerouter.example.comKey address: 10.0.0.1Usage: Signature KeySource: ManualData:305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00C5E23B 55D6AB2204AEF1BA A54028A6 9ACC01C5 129D99E4 64CAB820 847EDAD9 DF0B4E4C 73A05DD2BD62A8A9 FA603DD2 E2A8A6F8 98F76E28 D58AD221 B583D7A4 71020301 0001Key name: somerouter.example.comKey address: 10.0.0.1Usage: Encryption KeySource: ManualData:00302017 4A7D385B 1234EF29 335FC973 2DD50A37 C4F4B0FD 9DADE748 429618D518242BA3 2EDFBDD3 4296142A DDF7D3D8 08407685 2F2190A0 0B43F1BD 9A8A26DB07953829 791FCDE9 A98420F0 6A82045B 90288A26 DBC64468 7789F76E EE21
Note
The following is sample output when you issue the command show crypto key pubkey rsa address 192.168.10.3:
Key name: routerB.example.comKey address: 192.168.10.3Usage: General Purpose KeySource: CertificateData:0738BC7A 2BC3E9F0 679B00FE 53987BCC 01030201 42DD06AF E228D24C 458AD22858BB5DDD F4836401 2A2D7163 219F882E 64CE69D4 B583748A 241BED0F 6E7F2F160DE0986E DF02031F 4B0B0912 F68200C4 C625C389 0BFF3321 A2598935 C1B1The Source field in the above example indicates "Certificate," meaning that the keys were received by the router by way of the other router's certificate.
Feedback