- Cisco IOS Security Command Reference, Release 12.1
Table Of Contents
Internet Key Exchange Security Protocol Commands
crypto isakmp client configuration address-pool local
crypto map client configuration address
show crypto key pubkey-chain rsa
Internet Key Exchange Security Protocol Commands
This chapter describes Internet Key Exchange Security Protocol (IKE) commands. The Internet Key Exchange (IKE) protocol is a key management protocol standard that is used in conjunction with the IPSec standard. IPSec is an IP security feature that provides robust authentication and encryption of IP packets.
IPSec can be configured without IKE, but IKE enhances IPSec by providing additional features, flexibility, and ease of configuration for the IPSec standard.
IKE is a hybrid protocol that implements the Oakley key exchange and Skeme key exchange inside the Internet Security Association and Key Management Protocol (ISAKMP) framework. (ISAKMP, Oakley, and Skeme are security protocols implemented by IKE.)
For configuration information, refer to the chapter "Configuring Internet Key Exchange Security Protocol" in the Cisco IOS Security Configuration Guide.
address
To specify the IP address of the remote peer's RSA public key you will manually configure, use the address command in public key configuration mode. This command should only be used when the router has a single interface that processes IPSec.
address ip-address
Syntax Description
Defaults
No default behavior or values.
Command Modes
Public key configuration
Command History
Usage Guidelines
Use this command in conjunction with the named-key command to specify which IPSec peer's RSA public key you will manually configure next.
Examples
The following example manually specifies the RSA public keys of an IPSec peer:
myrouter(config)# crypto key pubkey-chain rsamyrouter(config-pubkey-chain)# named-key otherpeer.example.commyrouter(config-pubkey-key)# address 10.5.5.1myrouter(config-pubkey-key)# key-stringmyrouter(config-pubkey)# 005C300D 06092A86 4886F70D 01010105myrouter(config-pubkey)# 00034B00 30480241 00C5E23B 55D6AB22myrouter(config-pubkey)# 04AEF1BA A54028A6 9ACC01C5 129D99E4myrouter(config-pubkey)# 64CAB820 847EDAD9 DF0B4E4C 73A05DD2myrouter(config-pubkey)# BD62A8A9 FA603DD2 E2A8A6F8 98F76E28myrouter(config-pubkey)# D58AD221 B583D7A4 71020301 0001myrouter(config-pubkey)# quitmyrouter(config-pubkey-key)# exitmyrouter(config-pubkey-chain)# exitmyrouter(config)#Related Commands
addressed-key
To specify which peer's RSA public key you will manually configure, use the addressed-key command in public key chain configuration mode.
addressed-key key-address [encryption | signature]
Syntax Description
Defaults
If neither the encryption nor signature keywords are used, general purpose keys will be specified.
Command Modes
Public key chain configuration. This command invokes public key configuration mode.
Command History
Usage Guidelines
Use this command or the named-key command to specify which IPSec peer's RSA public key you will manually configure next.
Follow this command with the key string (IKE) command to specify the key.
If the IPSec remote peer generated general purpose RSA keys, do not use the encryption or signature keywords.
If the IPSec remote peer generated special usage keys, you must manually specify both keys: perform this command and the key-string command twice and use the encryption and signature keywords respectively.
Examples
The following example manually specifies the RSA public keys of two IPSec peers. The peer at 10.5.5.1 uses general purpose keys, and the other peer uses special usage keys.
myrouter(config)# crypto key pubkey-chain rsamyrouter(config-pubkey-chain)# named-key otherpeer.example.commyrouter(config-pubkey-key)# address 10.5.5.1myrouter(config-pubkey-key)# key-stringmyrouter(config-pubkey)# 005C300D 06092A86 4886F70D 01010105myrouter(config-pubkey)# 00034B00 30480241 00C5E23B 55D6AB22myrouter(config-pubkey)# 04AEF1BA A54028A6 9ACC01C5 129D99E4myrouter(config-pubkey)# 64CAB820 847EDAD9 DF0B4E4C 73A05DD2myrouter(config-pubkey)# BD62A8A9 FA603DD2 E2A8A6F8 98F76E28myrouter(config-pubkey)# D58AD221 B583D7A4 71020301 0001myrouter(config-pubkey)# quitmyrouter(config-pubkey-key)# exitmyrouter(config-pubkey-chain)# addressed-key 10.1.1.2 encryptionmyrouter(config-pubkey-key)# key-stringmyrouter(config-pubkey)# 00302017 4A7D385B 1234EF29 335FC973myrouter(config-pubkey)# 2DD50A37 C4F4B0FD 9DADE748 429618D5myrouter(config-pubkey)# 18242BA3 2EDFBDD3 4296142A DDF7D3D8myrouter(config-pubkey)# 08407685 2F2190A0 0B43F1BD 9A8A26DBmyrouter(config-pubkey)# 07953829 791FCDE9 A98420F0 6A82045Bmyrouter(config-pubkey)# 90288A26 DBC64468 7789F76E EE21myrouter(config-pubkey)# quitmyrouter(config-pubkey-key)# exitmyrouter(config-pubkey-chain)# addressed-key 10.1.1.2 signaturemyrouter(config-pubkey-key)# key-stringmyrouter(config-pubkey)# 0738BC7A 2BC3E9F0 679B00FE 53987BCCmyrouter(config-pubkey)# 01030201 42DD06AF E228D24C 458AD228myrouter(config-pubkey)# 58BB5DDD F4836401 2A2D7163 219F882Emyrouter(config-pubkey)# 64CE69D4 B583748A 241BED0F 6E7F2F16myrouter(config-pubkey)# 0DE0986E DF02031F 4B0B0912 F68200C4myrouter(config-pubkey)# C625C389 0BFF3321 A2598935 C1B1myrouter(config-pubkey)# quitmyrouter(config-pubkey-key)# exitmyrouter(config-pubkey-chain)# exitmyrouter(config)#Related Commands
authentication (IKE policy)
To specify the authentication method within an IKE policy, use the authentication (IKE policy) command in ISAKMP policy configuration mode. IKE policies define a set of parameters to be used during IKE negotiation. Use the no form of this command to reset the authentication method to the default value.
authentication {rsa-sig | rsa-encr | pre-share}
no authentication
Syntax Description
rsa-sig
Specifies RSA signatures as the authentication method.
rsa-encr
Specifies RSA encrypted nonces as the authentication method.
pre-share
Specifies preshared keys as the authentication method.
Defaults
RSA signatures
Command Modes
ISAKMP policy configuration (config-isakmp)
Command History
Usage Guidelines
Use this command to specify the authentication method to be used in an IKE policy.
If you specify RSA signatures, you must configure your peer routers to obtain certificates from a certification authority (CA).
If you specify RSA encrypted nonces, you must ensure that each peer has the other peer's RSA public keys. (See the crypto key pubkey-chain rsa, addressed-key, named-key, address, and key-string (IKE) commands.)
If you specify preshared keys, you must also separately configure these preshared keys. (See the crypto isakmp identity and crypto isakmp key commands.)
Examples
The following example configures an IKE policy with preshared keys as the authentication method (all other parameters are set to the defaults):
MyPeerRouter(config)# crypto isakmp policy 15MyPeerRouter(config-isakmp)# authentication pre-shareMyPeerRouter(config-isakmp)# exitMyPeerRouter(config)#Related Commands
clear crypto isakmp
To clear active IKE connections, use the clear crypto isakmp command in EXEC configuration mode.
clear crypto isakmp [connection-id]
Syntax Description
connection-id
(Optional) Specifies which connection to clear. If this argument is not used, all existing connections will be cleared.
Command Modes
EXEC
Command History
Usage Guidelines
Use this command to clear active IKE connections.
If the connection-id argument is not used, all existing IKE connections will be cleared when this command is issued.
Examples
The following example clears an IKE connection between two peers connected by interfaces 172.21.114.123 and 172.21.114.67:
MyPeerRouter# show crypto isakmp sadst src state conn-id slot172.21.114.123 172.21.114.67 QM_IDLE 1 0155.0.0.2 155.0.0.1 QM_IDLE 8 0MyPeerRouter# configure terminalEnter configuration commands, one per line. End with CNTL/Z.MyPeerRouter(config)# clear crypto isakmp 1MyPeerRouter(config)# exitMyPeerRouter# show crypto isakmp sadst src state conn-id slot155.0.0.2 155.0.0.1 QM_IDLE 8 0MyPeerRouter#Related Commands
crypto isakmp client configuration address-pool local
To configure the IP address local pool to reference IKE on your router, use the crypto isakmp client configuration address-pool local command in global configuration mode. Use the no form of this command to restore the default value.
crypto isakmp client configuration address-pool local pool-name
no crypto isakmp client configuration address-pool local
Syntax Description
Defaults
IP address local pools do not reference IKE.
Command Modes
Global configuration.
Command History
Examples
The following example references IP address local pools to IKE on your router, with "ire" as the pool-name:
crypto isakmp client configuration address-pool local ireRelated Commands
ip local pool
Configures a local pool of IP addresses to be used when a remote peer connects to a point-to-point interface.
crypto isakmp enable
To globally enable IKE at your peer router, use the crypto isakmp enable command in global configuration mode. Use the no form of this command to disable IKE at the peer.
crypto isakmp enable
no crypto isakmp enable
Syntax Description
This command has no arguments or keywords.
Defaults
IKE is enabled.
Command Modes
Global configuration
Command History
Usage Guidelines
IKE is enabled by default. IKE does not have to be enabled for individual interfaces, but is enabled globally for all interfaces at the router.
If you do not want IKE to be used in your IPSec implementation, you can disable IKE at all your IPSec peers. If you disable IKE at one peer you must disable it at all your IPSec peers.
If you disable IKE, you will have to make these concessions at the peers:
•
You must manually specify all the IPSec security associations (SAs) in the crypto maps at the peers. (Crypto map configuration is described in the chapter "Configuring IPSec Network Security" in the Cisco IOS Security Configuration Guide.)
•
•
•
•
Examples
The following example disables IKE at one peer. (The same command should be issued at all remote peers.)
no crypto isakmp enablecrypto isakmp identity
To define the identity the router uses when participating in the IKE protocol, use the crypto isakmp identity command in global configuration mode. Set an ISAKMP identity whenever you specify preshared keys. Use the no form of this command to reset the ISAKMP identity to the default value (address).
crypto isakmp identity {address | hostname}
no crypto isakmp identity
Syntax Description
Defaults
The IP address is used for the ISAKMP identity.
Command Modes
Global configuration
Command History
Usage Guidelines
Use this command to specify an ISAKMP identity either by IP address or by host name.
The address keyword is typically used when there is only one interface (and therefore only one IP address) that will be used by the peer for IKE negotiations, and the IP address is known.
The hostname keyword should be used if there is more than one interface on the peer that might be used for IKE negotiations, or if the interface's IP address is unknown (such as with dynamically assigned IP addresses).
As a general rule, you should set all peers' identities in the same way, either by IP address or by host name.
Examples
The following example uses preshared keys at two peers and sets both their ISAKMP identities to IP address.
At the local peer (at 10.0.0.1) the ISAKMP identity is set and the preshared key is specified.
crypto isakmp identity addresscrypto isakmp key sharedkeystring address 192.168.1.33At the remote peer (at 192.168.1.33) the ISAKMP identity is set and the same preshared key is specified.
crypto isakmp identity addresscrypto isakmp key sharedkeystring address 10.0.0.1
Note
The following example uses preshared keys at two peers and sets both their ISAKMP identities to hostname.
At the local peer the ISAKMP identity is set and the preshared key is specified.
crypto isakmp identity hostnamecrypto isakmp key sharedkeystring hostname RemoteRouter.example.comip host RemoteRouter.example.com 192.168.0.1At the remote peer the ISAKMP identity is set and the same preshared key is specified.
crypto isakmp identity hostnamecrypto isakmp key sharedkeystring hostname LocalRouter.example.comip host LocalRouter.example.com 10.0.0.1 10.0.0.2In the above example, host names are used for the peers' identities because the local peer has two interfaces that might be used during an IKE negotiation.
In the above example the IP addresses are also mapped to the host names; this mapping is not necessary if the routers' host names are already mapped in DNS.
Related Commands
Specifies the authentication method within an IKE policy.
Configures a preshared authentication key.
crypto isakmp keepalive
To send Internet Key Exchange (IKE) keepalive messages from one router to another router, use the crypto isakmp keepalive command in global configuration mode. To disable keepalives, use the no form of this command.
crypto isakmp keepalive secs
no crypto isakmp keepalive secs
Syntax Description
Defaults
This command is not enabled.
Command Modes
Global configuration
Command History
Usage Guidelines
The crypto isakmp keepalive command is used to send IKE keepalives, which detect the continued connectivity of an IKE security association (SA), between two peer points.
Examples
The following example shows how to configure keepalive messages to be sent every 40 seconds:
crypto isakmp keepalive 40
crypto isakmp key
To configure a preshared authentication key, use the crypto isakmp key command in global configuration mode. You must configure this key whenever you specify preshared keys in an IKE policy. Use the no form of this command to delete a preshared authentication key.
crypto isakmp key keystring address peer-address
crypto isakmp key keystring hostname peer-hostname
no crypto isakmp key keystring address peer-address
no crypto isakmp key keystring hostname peer-hostname
Syntax Description
Defaults
There is no default preshared authentication key.
Command Modes
Global configuration
Command History
Usage Guidelines
Use this command to configure preshared authentication keys. You must perform this command at both peers.
If an IKE policy includes preshared keys as the authentication method, these preshared keys must be configured at both peers—otherwise the policy cannot be used (the policy will not be submitted for matching by the IKE process). The crypto isakmp key command is the second task required to configure the preshared keys at the peers. (The first task is accomplished with the crypto isakmp identity command.)
Use the address keyword if the remote peer ISAKMP identity was set with its IP address.
Use the hostname keyword if the remote ISAKMP identity was set with its host name.
With the hostname keyword, you might also need to map the remote peer's host name to all IP addresses of the remote peer interfaces that could be used during the IKE negotiation. (This is done with the ip host command.) You need to map the host name to IP address unless this mapping is already done in a DNS server.
Examples
In the following example, the remote peer "RemoteRouter" specifies an ISAKMP identity by address:
crypto isakmp identity addressIn the following example, the local peer "LocalRouter" also specifies an ISAKMP identity, but by host name:
crypto isakmp identity hostnameNow, the preshared key must be specified at each peer.
In the following example, the local peer specifies the preshared key and designates the remote peer by its IP address:
crypto isakmp key sharedkeystring address 192.168.1.33In the following example, the remote peer specifies the same preshared key and designates the local peer by its host name:
crypto isakmp key sharedkeystring hostname LocalRouter.example.comThe remote peer also maps multiple IP addresses to the same host name for the local peer because the local peer has two interfaces which both might be used during an IKE negotiation with the local peer. These two interfaces' IP addresses (10.0.0.1 and 10.0.0.2) are both mapped to the remote peer's host name.
ip host LocalRouter.example.com 10.0.0.1 10.0.0.2(This mapping would not have been necessary if LocalRouter.example.com was already mapped in DNS.)
In this example, a remote peer specifies its ISAKMP identity by address, and the local peer specifies its ISAKMP identity by host name. Depending on the circumstances in your network, both peers could specify their ISAKMP identity by address, or both by host name.
Related Commands
crypto isakmp policy
To define an IKE policy, use the crypto isakmp policy command in global configuration mode. IKE policies define a set of parameters to be used during the IKE negotiation. Use the no form of this command to delete an IKE policy.
crypto isakmp policy priority
no crypto isakmp policy
Syntax Description
priority
Uniquely identifies the IKE policy and assigns a priority to the policy. Use an integer from 1 to 10,000, with 1 being the highest priority and 10,000 the lowest.
Defaults
There is a default policy which is always the lowest priority. This default policy contains default values for the encryption, hash, authentication, Diffie-Hellman group, and lifetime parameters. (The parameter defaults are listed below in the Usage Guidelines section.)
When you create an IKE policy, if you do not specify a value for a particular parameter, the default for that parameter will be used.
Command Modes
Global configuration
Command History
Usage Guidelines
Use this command to specify the parameters to be used during an IKE negotiation. (These parameters are used to create the IKE security association [SA].)
This command invokes the ISAKMP policy configuration (config-isakmp) command mode. While in the ISAKMP policy configuration command mode, the following commands are available to specify the parameters in the policy:
•
•
•
•
•
If you do not specify one of these commands for a policy, the default value will be used for that parameter.
To exit the config-isakmp command mode, type exit.
You can configure multiple IKE policies on each peer participating in IPSec. When the IKE negotiation begins, it tries to find a common policy configured on both peers, starting with the highest priority policies as specified on the remote peer.
Examples
The following example configures two policies for the peer:
crypto isakmp policy 15hash md5authentication rsa-siggroup 2lifetime 5000crypto isakmp policy 20authentication pre-sharelifetime 10000The above configuration results in the following policies:
MyPeerRouter# show crypto isakmp policyProtection suite priority 15encryption algorithm: DES - Data Encryption Standard (56 bit keys)hash algorithm: Message Digest 5authentication method: Rivest-Shamir-Adleman SignatureDiffie-Hellman Group: #2 (1024 bit)lifetime: 5000 seconds, no volume limitProtection suite priority 20encryption algorithm: DES - Data Encryption Standard (56 bit keys)hash algorithm: Secure Hash Standardauthentication method: preshared KeyDiffie-Hellman Group: #1 (768 bit)lifetime: 10000 seconds, no volume limitDefault protection suiteencryption algorithm: DES - Data Encryption Standard (56 bit keys)hash algorithm: Secure Hash Standardauthentication method: Rivest-Shamir-Adleman SignatureDiffie-Hellman Group: #1 (768 bit)lifetime: 86400 seconds, no volume limitRelated Commands
crypto key generate rsa (IKE)
To generate RSA key pairs, use the crypto key generate rsa command in global configuration mode.
crypto key generate rsa [usage-keys]
Syntax Description
usage-keys
(Optional) Specifies that two RSA special usage key pairs should be generated (that is, one encryption pair and one signature pair), instead of one general purpose key pair.
Defaults
RSA key pairs do not exist. If the usage-keys keyword is not used, general purpose keys will be generated.
Command Modes
Global configuration
Command History
Usage Guidelines
Use this command to generate RSA key pairs for your Cisco device (such as a router).
RSA keys are generated in pairs—one public RSA key and one private RSA key.
If your router already has RSA keys when you issue this command, you will be warned and prompted to replace the existing keys with new keys.
Note
This command is not saved in the router configuration; however, the keys generated by this command are saved in the private configuration in NVRAM (which is never displayed to the user or backed up to another device).
There are two mutually-exclusive types of RSA key pairs: special usage keys and general purpose keys. When you generate RSA key pairs, you can indicate whether to generate special usage keys or general purpose keys.
Special Usage Keys
If you generate special usage keys, two pairs of RSA keys will be generated. One pair will be used with any IKE policy that specifies RSA signatures as the authentication method, and the other pair used with any IKE policy that specifies RSA encrypted nonces as the authentication method.
If you plan to have both types of RSA authentication methods in your IKE policies, you might prefer to generate special usage keys. With special usage keys, each key is not unnecessarily exposed. (Without special usage keys, one key is used for both authentication methods, increasing that key's exposure.)
General Purpose Keys
If you generate general purpose keys, only one pair of RSA keys will be generated. This pair will be used with IKE policies specifying either RSA signatures or RSA encrypted nonces. Therefore, a general purpose key pair might get used more frequently than a special usage key pair.
Modulus Length
When you generate RSA keys, you will be prompted to enter a modulus length. A longer modulus could offer stronger security, but takes longer to generate (see Table 25 for sample times) and takes longer to use. Below 512 is normally not recommended. (In certain situations, the shorter modulus may not function properly with IKE, so Cisco recommends using a minimum modulus of 1024.)
Examples
The following example generates special usage RSA keys:
myrouter(config)# crypto key generate rsa usage-keysThe name for the keys will be: myrouter.example.comChoose the size of the key modulus in the range of 360 to 2048 for your Signature Keys. Choosing a key modulus greater than 512 may take a few minutes.How many bits in the modulus[512]? <return>Generating RSA keys.... [OK].Choose the size of the key modulus in the range of 360 to 2048 for your Encryption Keys. Choosing a key modulus greater than 512 may take a few minutes.How many bits in the modulus[512]? <return>Generating RSA keys.... [OK].myrouter(config)#The following example generates general purpose RSA keys:
Note
myrouter(config)# crypto key generate rsaThe name for the keys will be: myrouter.example.comChoose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.How many bits in the modulus[512]? <return>Generating RSA keys.... [OK].myrouter(config)#Related Commands
crypto key pubkey-chain rsa
To enter public key configuration mode (so you can manually specify other devices' RSA public keys), use the crypto key pubkey-chain rsa command in global configuration mode.
crypto key pubkey-chain rsa
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
Global configuration. This command invokes public key chain configuration mode.
Command History
Usage Guidelines
Use this command to enter public key chain configuration mode. Use this command when you need to manually specify other IPSec peers' RSA public keys. You need to specify other peers' keys when you configure RSA encrypted nonces as the authentication method in an IKE policy at your peer router.
Examples
The following example manually specifies the RSA public keys of two other IPSec peers. The remote peers use their IP address as their identity.
myrouter(config)# crypto key pubkey-chain rsamyrouter(config-pubkey-chain)# addressed-key 10.5.5.1myrouter(config-pubkey-key)# key-stringmyrouter(config-pubkey)# 00302017 4A7D385B 1234EF29 335FC973myrouter(config-pubkey)# 2DD50A37 C4F4B0FD 9DADE748 429618D5myrouter(config-pubkey)# 18242BA3 2EDFBDD3 4296142A DDF7D3D8myrouter(config-pubkey)# 08407685 2F2190A0 0B43F1BD 9A8A26DBmyrouter(config-pubkey)# 07953829 791FCDE9 A98420F0 6A82045Bmyrouter(config-pubkey)# 90288A26 DBC64468 7789F76E EE21myrouter(config-pubkey)# quitmyrouter(config-pubkey-key)# exitmyrouter(config-pubkey-chain)# addressed-key 10.1.1.2myrouter(config-pubkey-key)# key-stringmyrouter(config-pubkey)# 0738BC7A 2BC3E9F0 679B00FE 53987BCCmyrouter(config-pubkey)# 01030201 42DD06AF E228D24C 458AD228myrouter(config-pubkey)# 58BB5DDD F4836401 2A2D7163 219F882Emyrouter(config-pubkey)# 64CE69D4 B583748A 241BED0F 6E7F2F16myrouter(config-pubkey)# 0DE0986E DF02031F 4B0B0912 F68200C4myrouter(config-pubkey)# C625C389 0BFF3321 A2598935 C1B1myrouter(config-pubkey)# quitmyrouter(config-pubkey-key)# exitmyrouter(config-pubkey-chain)# exitmyrouter(config)#Related Commands
crypto map client configuration address
To configure IKE Mode Configuration on your router, use the crypto map client-configuration address command in global configuration mode. Use the no form of this command to restore the default value.
crypto map tag client configuration address [initiate | respond ]
no crypto map tag client configuration address
Syntax Description
Defaults
IKE Mode Configuration is not enabled.
Command Modes
Global configuration.
Command History
Usage Guidelines
At the time of this publication, this feature is an IETF draft with limited support. Therefore this feature was not designed to enable the configuration mode for every IKE connection by default.
Examples
The following examples configure IKE Mode Configuration on your router:
crypto map dyn client configuration address initiatecrypto map dyn client configuration address respondRelated Commands
crypto map (global)
Creates or modifies a crypto map entry and enters the crypto map configuration mode
encryption (IKE policy)
To specify the encryption algorithm within an IKE policy, use the encryption (IKE policy) command in ISAKMP policy configuration mode. IKE policies define a set of parameters to be used during IKE negotiation. Use the no form of this command to reset the encryption algorithm to the default value.
encryption {des | 3des}
no encryption
Syntax Description
des
Specifies 56-bit DES-CBC as the encryption algorithm.
3des
Specifies 168-bit DES (3DES) as the encryption algorithm.
Defaults
The 56-bit DES-CBC encryption algorithm.
Command Modes
ISAKMP policy configuration (config-isakmp)
Command History
Usage Guidelines
Use this command to specify the encryption algorithm to be used in an IKE policy.
Examples
The following example configures an IKE policy with the 3DES encryption algorithm (all other parameters are set to the defaults):
MyPeerRouter(config)# crypto isakmp policyMyPeerRouter(config-isakmp)# encryption 3desMyPeerRouter(config-isakmp)# exitMyPeerRouter(config)#Related Commands
group (IKE policy)
To specify the Diffie-Hellman group identifier within an IKE policy, use the group (IKE policy) command in ISAKMP policy configuration mode. IKE policies define a set of parameters to be used during IKE negotiation. Use the no form of this command to reset the Diffie-Hellman group identifier to the default value.
group {1 | 2}
no group
Syntax Description
Defaults
768-bit Diffie-Hellman (group 1)
Command Modes
ISAKMP policy configuration (config-isakmp)
Command History
Usage Guidelines
Use this command to specify the Diffie-Hellman group to be used in an IKE policy.
Examples
The following example configures an IKE policy with the 1024-bit Diffie-Hellman group (all other parameters are set to the defaults):
MyPeerRouter(config)# crypto isakmp policy 15MyPeerRouter(config-isakmp)# group 2MyPeerRouter(config-isakmp)# exitMyPeerRouter(config)#Related Commands
hash (IKE policy)
To specify the hash algorithm within an IKE policy, use the hash (IKE policy) command in ISAKMP policy configuration mode. IKE policies define a set of parameters to be used during IKE negotiation. Use the no form of this command to reset the hash algorithm to the default SHA-1 hash algorithm.
hash {sha | md5}
no hash
Syntax Description
sha
Specifies SHA-1 (HMAC variant) as the hash algorithm.
md5
Specifies MD5 (HMAC variant) as the hash algorithm.
Defaults
The SHA-1 hash algorithm.
Command Modes
ISAKMP policy configuration (config-isakmp)
Command History
Usage Guidelines
Use this command to specify the hash algorithm to be used in an IKE policy.
Examples
The following example configures an IKE policy with the MD5 hash algorithm (all other parameters are set to the defaults):
MyPeerRouter(config)# crypto isakmp policy 15MyPeerRouter(config-isakmp)# hash md5MyPeerRouter(config-isakmp)# exitMyPeerRouter(config)#Related Commands
key-string (IKE)
To manually specify a remote peer's RSA public key, use the key-string (IKE) command in public key configuration mode.
key-string key-string
Syntax Description
key-string
Enter the key in hexadecimal format. While entering the key data you can press the return key to continue entering data.
Defaults
No default behavior or values.
Command Modes
Public key configuration
Command History
Usage Guidelines
Use this command to manually specify the RSA public key of an IPSec peer. Before using this command you must identify the remote peer using either the addressed-key or named-key command.
If possible, to avoid mistakes, you should cut and paste the key data (instead of attempting to type in the data).
To complete the command, you must return to the global configuration mode by typing quit at the config-pubkey prompt.
Examples
The following example manually specifies the RSA public keys of an IPSec peer:
myrouter(config)# crypto key pubkey-chain rsamyrouter(config-pubkey-chain)# named-key otherpeer.example.commyrouter(config-pubkey-key)# address 10.5.5.1myrouter(config-pubkey-key)# key-stringmyrouter(config-pubkey)# 005C300D 06092A86 4886F70D 01010105myrouter(config-pubkey)# 00034B00 30480241 00C5E23B 55D6AB22myrouter(config-pubkey)# 04AEF1BA A54028A6 9ACC01C5 129D99E4myrouter(config-pubkey)# 64CAB820 847EDAD9 DF0B4E4C 73A05DD2myrouter(config-pubkey)# BD62A8A9 FA603DD2 E2A8A6F8 98F76E28myrouter(config-pubkey)# D58AD221 B583D7A4 71020301 0001myrouter(config-pubkey)# quitmyrouter(config-pubkey-key)# exitmyrouter(config-pubkey-chain)# exitmyrouter(config)#Related Commands
lifetime (IKE policy)
To specify the lifetime of an IKE security association (SA), use the lifetime (IKE policy) command in ISAKMP policy configuration mode. Use the no form of this command to reset the SA lifetime to the default value.
lifetime seconds
no lifetime
Syntax Description
seconds
Specifies how many seconds each SA should exist before expiring. Use an integer from 60 to 86,400 seconds.
Defaults
86,400 seconds (one day).
Command Modes
ISAKMP policy configuration (config-isakmp)
Command History
Usage Guidelines
Use this command to specify how long an IKE SA exists before expiring.
When IKE begins negotiations, the first thing it does is agree upon the security parameters for its own session. The agreed-upon parameters are then referenced by an SA at each peer. The SA is retained by each peer until the SA's lifetime expires. Before an SA expires, it can be reused by subsequent IKE negotiations, which can save time when setting up new IPSec SAs. Before an SA expires, it can be reused by subsequent IKE negotiations, which can save time when setting up new IPSec SAs. New IPSec SAs are negotiated before current IPSec SAs expire.
So, to save setup time for IPSec, configure a longer IKE SA lifetime. However, shorter lifetimes limit the exposure to attackers of this SA. The longer an SA is used, the more encrypted traffic can be gathered by an attacker and possibly used in an attack.
Note that when your local peer initiates an IKE negotiation between itself and a remote peer, an IKE policy can be selected only if the lifetime of the remote peer's policy is longer than or equal to the lifetime of the local peer's policy. Then, if the lifetimes are not equal, the shorter lifetime will be selected. To restate this behavior: If the two peer's policies' lifetimes are not the same, the initiating peer's lifetime must be shorter and the responding peer's lifetime must be longer, and the shorter lifetime will be used.
Examples
The following example configures an IKE policy with a security association lifetime of 600 seconds (10 minutes), and all other parameters are set to the defaults:
crypto isakmp policy 15lifetime 600exitRelated Commands
named-key
To specify which peer's RSA public key you will manually configure, use the named-key command in public key chain configuration mode. This command should only be used when the router has a single interface that processes IPSec.
named-key key-name [encryption | signature]
Syntax Description
Defaults
If neither the encryption nor signature keywords are used, general purpose keys will be specified.
Command Modes
Public key chain configuration. This command invokes public key configuration mode.
Command History
Usage Guidelines
Use this command or the addressed-key command to specify which IPSec peer's RSA public key you will manually configure next.
Follow this command with the key-string (IKE) command to specify the key.
If you use the named-key command you also need to use the address public key configuration command to specify the IP address of the peer.
If the IPSec remote peer generated general purpose RSA keys, do not use the encryption or signature keywords.
If the IPSec remote peer generated special usage keys, you must manually specify both keys: perform this command and the key-string command twice and use the encryption and signature keywords, respectively.
Examples
The following example manually specifies the RSA public keys of two IPSec peers. The peer at 10.5.5.1 uses general purpose keys, and the other peer uses special purpose keys.
crypto key pubkey-chain rsanamed-key otherpeer.example.comaddress 10.5.5.1key-string005C300D 06092A86 4886F70D 0101010500034B00 30480241 00C5E23B 55D6AB2204AEF1BA A54028A6 9ACC01C5 129D99E464CAB820 847EDAD9 DF0B4E4C 73A05DD2BD62A8A9 FA603DD2 E2A8A6F8 98F76E28D58AD221 B583D7A4 71020301 0001quitexitaddressed-key 10.1.1.2 encryptionkey-string00302017 4A7D385B 1234EF29 335FC9732DD50A37 C4F4B0FD 9DADE748 429618D518242BA3 2EDFBDD3 4296142A DDF7D3D808407685 2F2190A0 0B43F1BD 9A8A26DB07953829 791FCDE9 A98420F0 6A82045B90288A26 DBC64468 7789F76E EE21quitexitaddressed-key 10.1.1.2 signaturekey-string0738BC7A 2BC3E9F0 679B00FE 098533AB01030201 42DD06AF E228D24C 458AD22858BB5DDD F4836401 2A2D7163 219F882E64CE69D4 B583748A 241BED0F 6E7F2F160DE0986E DF02031F 4B0B0912 F68200C4C625C389 0BFF3321 A2598935 C1B1quitexitexitRelated Commands
show crypto isakmp policy
To view the parameters for each IKE policy, use the show crypto isakmp policy command in EXEC mode.
show crypto isakmp policy
Syntax Description
This command has no arguments or keywords.
Command Modes
EXEC
Command History
Examples
The following is sample output from the show crypto isakmp policy command, after two IKE policies have been configured (with priorities 15 and 20 respectively):
MyPeerRouter# show crypto isakmp policyProtection suite priority 15encryption algorithm: DES - Data Encryption Standard (56 bit keys)hash algorithm: Message Digest 5authentication method: Rivest-Shamir-Adleman SignatureDiffie-Hellman Group: #2 (1024 bit)lifetime: 5000 seconds, no volume limitProtection suite priority 20encryption algorithm: DES - Data Encryption Standard (56 bit keys)hash algorithm: Secure Hash Standardauthentication method: preshared KeyDiffie-Hellman Group: #1 (768 bit)lifetime: 10000 seconds, no volume limitDefault protection suiteencryption algorithm: DES - Data Encryption Standard (56 bit keys)hash algorithm: Secure Hash Standardauthentication method: Rivest-Shamir-Adleman SignatureDiffie-Hellman Group: #1 (768 bit)lifetime: 86400 seconds, no volume limit
Note
Related Commands
show crypto isakmp sa
To view all current IKE security associations (SAs) at a peer, use the show crypto isakmp sa command in EXEC mode.
show crypto isakmp sa
Syntax Description
This command has no arguments or keywords.
Command Modes
EXEC
Command History
Examples
The following is sample output from the show crypto isakmp sa command, after IKE negotiations have successfully completed between two peers:
MyPeerRouter# show crypto isakmp sadst src state conn-id slot172.21.114.123 172.21.114.67 QM_IDLE 1 0155.0.0.2 155.0.0.1 QM_IDLE 8 0Table 26 through Table 28 show the various states that may be displayed in the output of the show crypto isakmp sa command. When an ISAKMP SA exists, it will most likely be in its quiescent state (QM_IDLE). For long exchanges, some of the MM_xxx states may be observed.
Related Commands
show crypto key mypubkey rsa
To view your router's RSA public key(s), use the show crypto key mypubkey rsa command in EXEC mode.
show crypto key mypubkey rsa
Syntax Description
This command has no arguments or keywords.
Command Modes
EXEC
Command History
Usage Guidelines
This command displays your router's RSA public key(s).
Examples
The following is sample output from the show crypto key mypubkey rsa command. Special usage RSA keys were previously generated for this router using the crypto key generate rsa (IKE) command.
% Key pair was generated at: 06:07:49 UTC Jan 13 1996Key name: myrouter.example.comUsage: Signature KeyKey Data:005C300D 06092A86 4886F70D 01010105 00034B00 30480241 00C5E23B 55D6AB2204AEF1BA A54028A6 9ACC01C5 129D99E4 64CAB820 847EDAD9 DF0B4E4C 73A05DD2BD62A8A9 FA603DD2 E2A8A6F8 98F76E28 D58AD221 B583D7A4 71020301 0001% Key pair was generated at: 06:07:50 UTC Jan 13 1996Key name: myrouter.example.comUsage: Encryption KeyKey Data:00302017 4A7D385B 1234EF29 335FC973 2DD50A37 C4F4B0FD 9DADE748 429618D518242BA3 2EDFBDD3 4296142A DDF7D3D8 08407685 2F2190A0 0B43F1BD 9A8A26DB07953829 791FCDE9 A98420F0 6A82045B 90288A26 DBC64468 7789F76E EE21Related Commands
show crypto key pubkey-chain rsa
To view peers' RSA public keys stored on your router, use the show crypto key pubkey-chain rsa command in EXEC mode.
show crypto key pubkey-chain rsa [name key-name | address key-address]
Syntax Description
name key-name
(Optional) Specify the name of a particular public key to view.
address key-address
(Optional) Specify the address of a particular public key to view.
Command Modes
EXEC
Command History
Usage Guidelines
This command shows RSA public keys stored on your router. This includes peers' RSA public keys manually configured at your router and keys received by your router via other means (such as by a certificate, if CA support is configured).
If a router reboots, any public key derived by certificates will be lost. This is because the router will ask for certificates again, at which time the public key will be derived again.
Use the name or address keywords to display details about a particular RSA public key stored on your router.
If no keywords are used, this command displays a list of all RSA public keys stored on your router.
Examples
The following is sample output from the show crypto key pubkey-chain rsa command:
Codes: M - Manually Configured, C - Extracted from certificateCode Usage IP-address NameM Signature 10.0.0.l myrouter.example.comM Encryption 10.0.0.1 myrouter.example.comC Signature 172.16.0.1 routerA.example.comC Encryption 172.16.0.1 routerA.example.comC General 192.168.10.3 routerB.domain1.comThis sample shows manually configured special usage RSA public keys for the peer "somerouter." This sample also shows three keys obtained from peers' certificates: special usage keys for peer "routerA" and a general purpose key for peer "routerB."
Certificate support is used in the above example; if certificate support was not in use, none of the peers' keys would show "C" in the code column, but would all have to be manually configured.
The following is sample output when you issue the command show crypto key pubkey rsa name somerouter.example.com:
Key name: somerouter.example.comKey address: 10.0.0.1Usage: Signature KeySource: ManualData:305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00C5E23B 55D6AB2204AEF1BA A54028A6 9ACC01C5 129D99E4 64CAB820 847EDAD9 DF0B4E4C 73A05DD2BD62A8A9 FA603DD2 E2A8A6F8 98F76E28 D58AD221 B583D7A4 71020301 0001Key name: somerouter.example.comKey address: 10.0.0.1Usage: Encryption KeySource: ManualData:00302017 4A7D385B 1234EF29 335FC973 2DD50A37 C4F4B0FD 9DADE748 429618D518242BA3 2EDFBDD3 4296142A DDF7D3D8 08407685 2F2190A0 0B43F1BD 9A8A26DB07953829 791FCDE9 A98420F0 6A82045B 90288A26 DBC64468 7789F76E EE21
Note
The following is sample output when you issue the command show crypto key pubkey rsa address 192.168.10.3:
Key name: routerB.example.comKey address: 192.168.10.3Usage: General Purpose KeySource: CertificateData:0738BC7A 2BC3E9F0 679B00FE 53987BCC 01030201 42DD06AF E228D24C 458AD22858BB5DDD F4836401 2A2D7163 219F882E 64CE69D4 B583748A 241BED0F 6E7F2F160DE0986E DF02031F 4B0B0912 F68200C4 C625C389 0BFF3321 A2598935 C1B1The Source field in the above example indicates "Certificate," meaning that the keys were received by the router by way of the other router's certificate.
