- Configuring Security for VPNs with IPsec
- IPsec Virtual Tunnel Interface
- L2TP IPsec Support for NAT and PAT Windows Clients
- SafeNet IPsec VPN Client Support
- Ability to Disable Extended Authentication for Static IPsec Peers
- Crypto Conditional Debug Support
- VPN Acceleration Module
- Option to Disable Hardware Crypto EngineFailover to Software Crypto Engine
Ability to Disable Extended Authentication for Static IPsec Peers
The Ability to Disable Extended Authentication for Static IPsec Peers feature allows users to disable extended authentication (Xauth), preventing the routers from being prompted for Xauth information--username and password.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Feature Overview
Without the ability to disable Xauth, a user cannot select which peer on the same crypto map should use Xauth. That is, if a user has router-to-router IP security (IPsec) on the same crypto map as a virtual private network (VPN)-client-to-Cisco-IOS IPsec, both peers are prompted for a username and password. In addition, a remote static peer (a Cisco IOS router) cannot establish an Internet Key Exchange (IKE) security association (SA) with the local Cisco IOS router. (Xauth is not an optional exchange, so if a peer does not respond to an Xauth request, the IKE SA is deleted.) Thus, the same interface cannot be used to terminate IPsec to VPN clients (that need Xauth) as well as other Cisco IOS routers (that cannot respond to Xauth) unless this feature is implemented.
Benefits
If VPN-client-to-Cisco-IOS IPsec and router-to-router IPsec exist on a single interface, the Ability to Disable Extended Authentication for Static IPsec Peers feature allows a user to disable Xauth while configuring the preshared key for router-to-router IPsec. Thus, the router will not prompt the peer for a username and password, which are transmitted when Xauth occurs for VPN-client-to-Cisco-IOS IPsec.
Restrictions
Xauth can be disabled only if preshared keys are used as the authentication mechanism for the given crypto map.
Related Documents
- "Configuring Internet Key Exchange for IPsec VPNs" chapter in the Cisco IOS Security Configuration Guide: Secure Connectivity
- "Configuring Security for VPNs with IPsec" chapter in the Cisco IOS Security Configuration Guide: Secure Connectivity
- Cisco IOS Security Command Reference
Supported Standards MIBs and RFCs
Standards
None
MIBs
None
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
RFCs
No new or modified RFCs are supported by this feature.
Prerequisites
Before you can disable Xauth for static IPsec peers, you must complete the following tasks:
- Enable authentication, authorization, and accounting (AAA).
![]() Note |
Configuring AAA is required only if the VPN-client-to-Cisco-IOS is using AAA authentication. |
- Configure an IPsec transform.
- Configure a static crypto map.
- Configure ISAKMP policy.
Configuration Tasks
See the following sections for configuration tasks for the Ability to Disable Extended Authentication for Static IPsec Peers feature. Each task in the list is identified as either required or optional.
Disabling Xauth for Static IPsec Peers
To disable Xauth for router-to-router IPsec, use the following command in global configuration mode:
Configuration Examples
Disabling Xauth for Static IPsec Peers Configuration
The following example shows how the local peer specifies the preshared key, designates the remote peer by its IP address, and disables Xauth:
crypto isakmp key sharedkeystring address 172.21.230.33 no-xauth
Feature Information for Ability to Disable Xauth for Static IPsec Peers
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
| Table 1 | Feature Information for Ability to Disable Xauth for Static IPsec Peers |
| Feature Name |
Releases |
Feature Information |
|---|---|---|
| Ability to Disable Extended Authentication for Static IPsec Peers |
12.2(4)T |
This feature allows users to disable Xauth, preventing the routers from being prompted for Xauth information. The following command was modified: crypto isakmp key. |
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

Feedback