Cisco IOS Security Command Reference, Release 12.2 T
Internet Key Exchange Security Protocol Commands

Table Of Contents

Internet Key Exchange Security Protocol Commands

access-restrict

acl

address

addressed-key

authentication (IKE policy)

clear crypto isakmp

client authentication list

client configuration address

crypto ca export pkcs12

crypto ca import pkcs12

crypto isakmp aggressive-mode disable

crypto isakmp client configuration address-pool local

crypto isakmp client configuration group

crypto isakmp enable

crypto isakmp identity

crypto isakmp keepalive

crypto isakmp key

crypto isakmp peer

crypto isakmp policy

crypto isakmp profile

crypto key generate rsa

crypto key pubkey-chain rsa

crypto keyring

crypto map client authentication list

crypto map client configuration address

crypto map isakmp authorization list

crypto map isakmp-profile

dns

domain (isakmp-group)

encryption (IKE policy)

group (IKE policy)

group-lock

hash (IKE policy)

initiate-mode

isakmp authorization list

keepalive (isakmp profile)

key (isakmp-group)

keyring

key-string (IKE)

lifetime (IKE policy)

match identity

named-key

no crypto xauth

pool (isakmp-group)

pre-shared-key

quit

rsa-pubkey

self-identity

serial-number

set aggressive-mode client-endpoint

set aggressive-mode password

set isakmp-profile

show crypto isakmp key

show crypto isakmp policy

show crypto isakmp profile

show crypto isakmp sa

show crypto key mypubkey rsa

show crypto key pubkey-chain rsa

vrf (isakmp profile)

wins


Internet Key Exchange Security Protocol Commands


This chapter describes Internet Key Exchange Security Protocol (IKE) commands. The IKE protocol is a key management protocol standard that is used in conjunction with the IPSec standard. IP Security (IPSec) is an IP security feature that provides robust authentication and encryption of IP packets.

IPSec can be configured without IKE, but IKE enhances IPSec by providing additional features, flexibility, and ease of configuration for the IPSec standard.

IKE is a hybrid protocol that implements the Oakley key exchange and Skeme key exchange inside the Internet Security Association and Key Management Protocol (ISAKMP) framework. (ISAKMP, Oakley, and Skeme are security protocols implemented by IKE.)

For configuration information, refer to the chapter "Configuring Internet Key Exchange Security Protocol" in the Cisco IOS Security Configuration Guide.

access-restrict

To tie a particular Virtual Private Network (VPN) to a specific interface for access to the Cisco IOS gateway and the services it protects, use the access-restrict command in Internet Security Association Key Management Protocol (ISAKMP) group configuration mode. To remove the VPN, use the no form of this command.

access-restrict {interface-name}

no access-restrict {interface-name}

Syntax Description

interface-name

Interface to which the VPN should be tied.


Defaults

The VPN is not tied to a specific interface.

Command Modes

ISAKMP group configuration

Command History

Release
Modification

12.2(13)T

This command was introduced.


Usage Guidelines

It may be a requirement that particular customers or groups connect to the VPN gateway via a specific interface that uses a particular policy (as applied by the crypto map on that interface). If this is required, using the access-restrict command will result in validation that a VPN connection is connecting only via that interface (and hence, crypto map) to which it is allowed. If a violation is detected, the connection is terminated.

Multiple restricted interfaces may be defined per group.

Examples

The following example shows that the VPN is tied to ethernet 0.

crypto isakmp client configuration group cisco
 access-restrict ethernet 0

Related Commands

Command
Description

acl

Configures split tunneling.


acl

To configure split tunneling, use the acl command in Internet Security Association Key Management Protocol (ISAKMP) group configuration mode. To remove this command from your configuration and restore the default value, use the no form of this command.

acl number

no acl number

Syntax Description

number

Specifies a group of access control lists (ACLs) that represent protected subnets for split tunneling purposes.


Defaults

Split tunneling is not enabled; all data is sent via the Virtual Private Network (VPN) tunnel.

Command Modes

ISAKMP group configuration

Command History

Release
Modification

12.2(8)T

This command was introduced.


Usage Guidelines

Use the acl command to specify which groups of ACLs represent protected subnets for split tunneling. Split tunneling is the ability to have a secure tunnel to the central site and simultaneous clear text tunnels to the Internet.

Examples

The following example shows how to correctly apply split tunneling for the group name "cisco." In this example, all traffic sourced from the client and destined to the subnet 192.168.1.0 will be sent via the VPN tunnel.

crypto isakmp client configuration group cisco
  key cisco
  dns 2.2.2.2 2.3.2.3
  pool dog
  acl 199
!
access-list 199 permit ip 192.168.1.0 0.0.0.255 any

Related Commands

Command
Description

crypto isakmp client configuration group

Specifies which group's policy profile will be defined.


address

To specify the IP address of the Rivest, Shamir, and Adelman (RSA) public key of the remote peer that you will manually configure in the keyring, use the address command in rsa-pubkey configuration mode. To remove the IP address, use the no form of this command.

address ip-address

no address ip-address

Syntax Description

ip-address

IP address of the remote peer.


Defaults

No default behavior or values

Command Modes

Rsa-pubkey configuration

Command History

Release
Modification

11.3 T

This command was introduced.


Usage Guidelines

Before you can use this command, you must enter the rsa-pubkey command in the crypto keyring mode.

Examples

The following example specifies the RSA public key of an IP Security (IPSec) peer:

Router(config)# crypto keyring vpnkeyring
Router(conf-keyring)# rsa-pubkey name host.vpn.com
Router(config-pubkey-key)# address 10.5.5.1
Router(config-pubkey)# key-string
Router(config-pubkey)# 00302017 4A7D385B 1234EF29 335FC973
Router(config-pubkey)# 2DD50A37 C4F4B0FD 9DADE748 429618D5
Router(config-pubkey)# 18242BA3 2EDFBDD3 4296142A DDF7D3D8
Router(config-pubkey)# 08407685 2F2190A0 0B43F1BD 9A8A26DB
Router(config-pubkey)# 07953829 791FCDE9 A98420F0 6A82045B
Router(config-pubkey)# 90288A26 DBC64468 7789F76E EE21
Router(config-pubkey)# quit
Router(config-pubkey-key)# exit
Router(conf-keyring)# exit

Related Commands

Command
Description

crypto keyring

Defines a crypto keyring to be used during IKE authentication.

key-string

Specifies the RSA public key of a remote peer.

rsa-pubkey

Defines the RSA manual key to be used for encryption or signatures during IKE authentication.


addressed-key

To specify which peer's RSA public key you will manually configure, use the addressed-key public key chain configuration command.

addressed-key key-address [encryption | signature]

Syntax Description

key-address

Specifies the IP address of the remote peer's RSA keys.

encryption

(Optional) Indicates that the RSA public key to be specified will be an encryption special usage key.

signature

(Optional) Indicates that the RSA public key to be specified will be a signature special usage key.


Defaults

If neither the encryption nor signature keywords are used, general purpose keys will be specified.

Command Modes

Public key chain configuration. This command invokes public key configuration mode.

Command History

Release
Modification

11.3 T

This command was introduced.


Usage Guidelines

Use this command or the named-key command to specify which IP Security peer's RSA public key you will manually configure next.

Follow this command with the key-string command to specify the key.

If the IPSec remote peer generated general-purpose RSA keys, do not use the encryption or signature keywords.

If the IPSec remote peer generated special-usage keys, you must manually specify both keys: use this command and the key-string command twice and use the encryption and signature keywords respectively.

Examples

The following example manually specifies the RSA public keys of two IPSec peers. The peer at 10.5.5.1 uses general-purpose keys, and the other peer uses special-usage keys.

Router(config)# crypto key pubkey-chain rsa
Router(config-pubkey-chain)# named-key otherpeer.example.com
Router(config-pubkey-key)# address 10.5.5.1
Router(config-pubkey-key)# key-string
Router(config-pubkey)# 005C300D 06092A86 4886F70D 01010105
Router(config-pubkey)# 00034B00 30480241 00C5E23B 55D6AB22
Router(config-pubkey)# 04AEF1BA A54028A6 9ACC01C5 129D99E4
Router(config-pubkey)# 64CAB820 847EDAD9 DF0B4E4C 73A05DD2
Router(config-pubkey)# BD62A8A9 FA603DD2 E2A8A6F8 98F76E28
Router(config-pubkey)# D58AD221 B583D7A4 71020301 0001
Router(config-pubkey)# quit
Router(config-pubkey-key)# exit
Router(config-pubkey-chain)# addressed-key 10.1.1.2 encryption
Router(config-pubkey-key)# key-string
Router(config-pubkey)# 00302017 4A7D385B 1234EF29 335FC973
Router(config-pubkey)# 2DD50A37 C4F4B0FD 9DADE748 429618D5
Router(config-pubkey)# 18242BA3 2EDFBDD3 4296142A DDF7D3D8
Router(config-pubkey)# 08407685 2F2190A0 0B43F1BD 9A8A26DB
Router(config-pubkey)# 07953829 791FCDE9 A98420F0 6A82045B
Router(config-pubkey)# 90288A26 DBC64468 7789F76E EE21
Router(config-pubkey)# quit
Router(config-pubkey-key)# exit
Router(config-pubkey-chain)# addressed-key 10.1.1.2 signature
Router(config-pubkey-key)# key-string
Router(config-pubkey)# 0738BC7A 2BC3E9F0 679B00FE 53987BCC
Router(config-pubkey)# 01030201 42DD06AF E228D24C 458AD228
Router(config-pubkey)# 58BB5DDD F4836401 2A2D7163 219F882E
Router(config-pubkey)# 64CE69D4 B583748A 241BED0F 6E7F2F16
Router(config-pubkey)# 0DE0986E DF02031F 4B0B0912 F68200C4
Router(config-pubkey)# C625C389 0BFF3321 A2598935 C1B1
Router(config-pubkey)# quit
Router(config-pubkey-key)# exit
Router(config-pubkey-chain)# exit
Router(config)#
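The hex entered after key-string is a DER-encoded SubjectPublicKeyInfo, so an operator can decode a key before trusting it for rsa-encr authentication and confirm it is the size the peer claims. The following Python parser is an added example, not Cisco IOS code. It decodes the key from the otherpeer.example.com entry above, taking its first octet as 30 (the DER SEQUENCE tag) where the example prints 00, which is an assumption, and reports the modulus size so that short keys can be flagged; the 2048-bit floor is an assumed local policy.

```python
import re

# Key string from the addressed-key example on this page (peer otherpeer.example.com),
# with the first octet taken as 0x30, the DER SEQUENCE tag, instead of the printed 00
# (assumption: the printed value is a transcription error, since DER SPKI starts with 0x30).
PAGE_KEY_STRING = """
305C300D 06092A86 4886F70D 01010105
00034B00 30480241 00C5E23B 55D6AB22
04AEF1BA A54028A6 9ACC01C5 129D99E4
64CAB820 847EDAD9 DF0B4E4C 73A05DD2
BD62A8A9 FA603DD2 E2A8A6F8 98F76E28
D58AD221 B583D7A4 71020301 0001
"""

RSA_ENCRYPTION_OID = "1.2.840.113549.1.1.1"


def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits give the length-of-length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _oid_to_str(value):
    """Render a DER OID value as dotted decimal (base-128 arcs, first octet packs two arcs)."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def parse_key_string(text):
    """Parse an IOS key-string hex dump (SubjectPublicKeyInfo); return (modulus bits, exponent)."""
    der = bytes.fromhex(re.sub(r"\s+", "", text))
    tag, spki, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("key-string does not start with a DER SEQUENCE")
    tag, alg, pos = _tlv(spki, 0)           # AlgorithmIdentifier ::= SEQUENCE { OID, NULL }
    tag, oid, _ = _tlv(alg, 0)
    if tag != 0x06 or _oid_to_str(oid) != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption public key")
    tag, bitstr, _ = _tlv(spki, pos)        # subjectPublicKey BIT STRING, leading unused-bits octet
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("malformed subjectPublicKey BIT STRING")
    _, rsakey, _ = _tlv(bitstr, 1)          # RSAPublicKey ::= SEQUENCE { INTEGER n, INTEGER e }
    _, n_bytes, pos = _tlv(rsakey, 0)
    _, e_bytes, _ = _tlv(rsakey, pos)
    n = int.from_bytes(n_bytes, "big")
    e = int.from_bytes(e_bytes, "big")
    return n.bit_length(), e


def audit_key_string(text, min_bits=2048):
    """Return findings for a manually configured peer key; min_bits is an assumed local policy."""
    bits, e = parse_key_string(text)
    findings = []
    if bits < min_bits:
        findings.append(f"RSA modulus is {bits} bits, below the {min_bits}-bit floor")
    return findings


if __name__ == "__main__":
    print(parse_key_string(PAGE_KEY_STRING))   # (512, 65537)
    print(audit_key_string(PAGE_KEY_STRING))
```

The decoded example key is a 512-bit modulus with exponent 65537, which is the kind of value worth catching in review of a pubkey-chain rather than discovering later.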

Related Commands

Command
Description

crypto key pubkey-chain rsa

Enters public key configuration mode (to allow you to manually specify the RSA public keys of other devices).

key-string (IKE)

Specifies the RSA public key of a remote peer.

named-key

Specifies which peer RSA public key you will manually configure.

show crypto key pubkey-chain rsa

Displays peer RSA public keys stored on your router.


authentication (IKE policy)

To specify the authentication method within an Internet Key Exchange policy, use the authentication ISAKMP policy configuration command. IKE policies define a set of parameters to be used during IKE negotiation. To reset the authentication method to the default value, use the no form of this command.

authentication {rsa-sig | rsa-encr | pre-share}

no authentication

Syntax Description

rsa-sig

Specifies RSA signatures as the authentication method.

rsa-encr

Specifies RSA encrypted nonces as the authentication method.

pre-share

Specifies preshared keys as the authentication method.


Defaults

RSA signatures

Command Modes

ISAKMP policy configuration

Command History

Release
Modification

11.3 T

This command was introduced.


Usage Guidelines

Use this command to specify the authentication method to be used in an IKE policy.

If you specify RSA signatures, you must configure your peer routers to obtain certificates from a certification authority (CA).

If you specify RSA encrypted nonces, you must ensure that each peer has the other peer's RSA public keys. (See the crypto key pubkey-chain rsa, addressed-key, named-key, address, and key-string (IKE) commands.)

If you specify preshared keys, you must also separately configure these preshared keys. (See the crypto isakmp identity and crypto isakmp key commands.)

Examples

The following example configures an IKE policy with preshared keys as the authentication method (all other parameters are set to the defaults):

crypto isakmp policy 15
authentication pre-share
exit

Related Commands

Command
Description

crypto isakmp key

Configures a preshared authentication key.

crypto isakmp policy

Defines an IKE policy.

crypto key generate rsa

Generates RSA key pairs.

encryption (IKE policy)

Specifies the encryption algorithm within an IKE policy.

group (IKE policy)

Specifies the Diffie-Hellman group identifier within an IKE policy.

hash (IKE policy)

Specifies the hash algorithm within an IKE policy.

lifetime (IKE policy)

Specifies the lifetime of an IKE SA.

show crypto isakmp policy

Displays the parameters for each IKE policy.


clear crypto isakmp

To clear active Internet Key Exchange connections, use the clear crypto isakmp command in EXEC mode.

clear crypto isakmp [connection-id]

Syntax Description

connection-id

(Optional) Specifies which connection to clear. If this argument is not used, all existing connections will be cleared.


Command Modes

EXEC

Command History

Release
Modification

11.3 T

This command was introduced.


Usage Guidelines

Use this command to clear active IKE connections.


Caution If the connection-id argument is not used, all existing IKE connections will be cleared when this command is issued.

Examples

The following example clears an IKE connection between two peers connected by interfaces 172.21.114.123 and 172.21.114.67:

Router# show crypto isakmp sa

    dst           src          state        conn-id   slot
172.21.114.123 172.21.114.67  QM_IDLE           1       0
155.0.0.2      155.0.0.1      QM_IDLE           8       0

Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# clear crypto isakmp 1
Router(config)# exit
Router# show crypto isakmp sa
    dst           src          state        conn-id   slot
155.0.0.2      155.0.0.1      QM_IDLE           8       0

Router#
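Because omitting connection-id tears down every IKE SA on the router, an operator normally reads the conn-id for one peer out of show crypto isakmp sa first. The following Python helper is an added example, not Cisco IOS code: it parses the tabular output shown above (embedded here as constructed sample text) and builds the per-connection clear command for a single peer, so the Caution case is never hit by accident.

```python
# Constructed sample built from the show crypto isakmp sa output in the example above,
# including the prompt line so the parser must locate the header itself.
SAMPLE_SHOW_SA = """\
Router# show crypto isakmp sa

    dst           src          state        conn-id   slot
172.21.114.123 172.21.114.67  QM_IDLE           1       0
155.0.0.2      155.0.0.1      QM_IDLE           8       0

Router#
"""


def parse_isakmp_sa(output):
    """Parse show crypto isakmp sa into a list of dicts keyed by the header names."""
    lines = [line for line in output.splitlines() if line.strip()]
    try:
        hdr_idx = next(i for i, line in enumerate(lines) if "conn-id" in line)
    except StopIteration:
        raise ValueError("no conn-id header found in output")
    header = lines[hdr_idx].split()
    rows = []
    for line in lines[hdr_idx + 1:]:
        fields = line.split()
        if len(fields) != len(header):   # skip prompts and any trailing text
            continue
        rows.append(dict(zip(header, fields)))
    return rows


def conn_ids_for_peer(output, peer_ip):
    """Return the conn-id values of every IKE SA in which peer_ip is the src or dst."""
    return [int(row["conn-id"]) for row in parse_isakmp_sa(output)
            if peer_ip in (row["dst"], row["src"])]


def clear_commands(output, peer_ip):
    """Build clear crypto isakmp commands scoped to one peer instead of clearing all SAs."""
    return [f"clear crypto isakmp {cid}" for cid in conn_ids_for_peer(output, peer_ip)]


if __name__ == "__main__":
    for cmd in clear_commands(SAMPLE_SHOW_SA, "172.21.114.67"):
        print(cmd)   # clear crypto isakmp 1
```

An empty result for a peer means there is nothing to clear; the function never falls back to the argument-less form.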

Related Commands

Command
Description

show crypto isakmp sa

Displays all current IKE SAs at a peer.


client authentication list

To configure Internet Key Exchange (IKE) extended authentication (Xauth) in an Internet Security Association and Key Management Protocol (ISAKMP) profile, use the client authentication list command in isakmp profile configuration mode. To restore the default behavior, which is that Xauth is not enabled, use the no form of this command.

client authentication list list-name

no client authentication list list-name

Syntax Description

list-name

Character string used to name the list of authentication methods activated when a user logs in. The list name must match the list name that was defined during the authentication, authorization, and accounting (AAA) configuration.


Defaults

No default behaviors or values

Command Modes

Isakmp profile configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Usage Guidelines

Before configuring Xauth, you must set up an authentication list using AAA commands.

Examples

The following example shows that user authentication is configured. User authentication is a list of authentication methods called "xauthlist" in an ISAKMP profile called "vpnprofile."

crypto isakmp profile vpnprofile
 client authentication list xauthlist

Related Commands

Command
Description

aaa authentication login

Sets AAA authentication at login.


client configuration address

To configure Internet Key Exchange (IKE) configuration mode in the Internet Security Association and Key Management Protocol (ISAKMP) profile, use the client configuration address command in isakmp profile configuration mode. To disable IKE configuration mode, use the no form of this command.

client configuration address {initiate | respond}

no client configuration address {initiate | respond}

Syntax Description

initiate

Router will attempt to set IP addresses for each peer.

respond

Router will accept requests for IP addresses from any requesting peer.


Defaults

IKE configuration is not enabled.

Command Modes

Isakmp profile configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Usage Guidelines

Before you can use this command, you must enter the crypto isakmp profile command.

Examples

The following example shows that IKE mode is configured to either initiate or respond in an ISAKMP profile called "vpnprofile":

crypto isakmp profile vpnprofile
 client configuration address initiate
 client configuration address respond

Related Commands

Command
Description

crypto isakmp profile

Defines an ISAKMP profile.


crypto ca export pkcs12

To export Rivest, Shamir, and Adelman (RSA) keys within a PKCS12 file at a specified location, use the crypto ca export pkcs12 command in global configuration mode.

crypto ca export trustpointname pkcs12 destination url passphrase

Syntax Description

trustpointname

Name of the trustpoint that issues the certificate that a user is going to export. When you export the PKCS12 file, the trustpoint name is the RSA key name.

pkcs12

Specifies the PKCS12 file to be exported.

destination url

Location of the PKCS12 file to which a user wants to export the RSA key pair.

passphrase

Passphrase that is used to encrypt the PKCS12 file for export.


Defaults

No default behavior or values

Command Modes

Global configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Usage Guidelines

The crypto ca export pkcs12 command creates a PKCS12 file that contains an RSA key pair. The PKCS12 file, along with a certificate authority (CA), is exported to the location that you specify with the destination URL. If you decide not to import the file to another router, you must delete the file.

Security Measures

Keep the PKCS12 file stored in a secure place with restricted access.

An RSA key pair is more secure than a passphrase because the private key in the key pair is not known by multiple parties. When you export an RSA key pair to a PKCS#12 file, the RSA key pair is then only as secure as the passphrase.

To create a good passphrase, be sure to include numbers, as well as both lowercase and uppercase letters. Avoid publicizing the passphrase by mentioning it in e-mail or cell phone communications because the information could be accessed by an unauthorized user.

Examples

The following example exports an RSA key pair with a trustpoint name "mytp" to a Flash file:

Router(config)# crypto ca export mytp pkcs12 flash:myexport

Related Commands

Command
Description

crypto ca import pkcs12

Imports RSA keys.


crypto ca import pkcs12

To import Rivest, Shamir, and Adelman (RSA) keys, use the crypto ca import pkcs12 command in global configuration mode.

crypto ca import trustpointname pkcs12 source url passphrase

Syntax Description

trustpointname

Name of the trustpoint that issues the certificate that a user is going to export or import. When importing, the trustpoint name will become the RSA key name.

pkcs12

Specifies the PKCS12 file to be imported.

source url

The location of the PKCS12 file from which a user wants to import the RSA key pair.

passphrase

Passphrase that must be entered to undo encryption when the RSA keys are imported.


Defaults

No default behavior or values

Command Modes

Global configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Usage Guidelines

When you enter the crypto ca import pkcs12 command, a key pair and a trustpoint are generated. If you then decide you want to remove the key pair and trustpoint that were generated, enter the crypto key zeroize rsa command to zeroize the key pair and enter the no crypto ca trustpoint command to remove the trustpoint.


Note After you import RSA keys to a target router, you cannot export those keys from the target router to another router.


Examples

In the following example, an RSA key pair that has been associated with the trustpoint "forward" is to be imported:

Router(config)# crypto ca import forward pkcs12 flash:myexport mycompany

Related Commands

Command
Description

crypto ca export pkcs12

Exports RSA keys.

crypto ca trustpoint

Declares the CA that your router should use.

crypto key zeroize rsa

Deletes all RSA keys from your router.


crypto isakmp aggressive-mode disable

To block all Internet Security Association and Key Management Protocol (ISAKMP) aggressive mode requests to and from a device, use the crypto isakmp aggressive-mode disable command in global configuration mode. To disable the blocking, use the no form of this command.

crypto isakmp aggressive-mode disable

no crypto isakmp aggressive-mode disable

Syntax Description

This command has no arguments or keywords.

Defaults

If this command is not configured, Cisco IOS software will attempt to process all incoming ISAKMP aggressive mode security association (SA) connections. In addition, if the device has been configured with the crypto isakmp peer address and the set aggressive-mode password or set aggressive-mode client-endpoint commands, the device will initiate aggressive mode if this command is not configured.

Command Modes

Global configuration

Command History

Release
Modification

12.3(1)

This command was introduced on all Cisco IOS platforms that support IP Security (IPSec).


Usage Guidelines

If you configure this command, all aggressive mode requests to the device and all aggressive mode requests made by the device are blocked, regardless of the ISAKMP authentication type (preshared keys or Rivest, Shamir, and Adelman [RSA] signatures).

If a request is made by or to the device for aggressive mode, the following syslog notification is sent:

Unable to initiate or respond to Aggressive Mode while disabled

Note This command will prevent Easy Virtual Private Network (Easy VPN) clients from connecting if they are using preshared keys because Easy VPN clients (hardware and software) use aggressive mode.


Examples

The following example shows that all aggressive mode requests to and from a device are blocked:

Router(config)# crypto isakmp aggressive-mode disable

crypto isakmp client configuration address-pool local

To configure the IP address local pool to reference Internet Key Exchange on your router, use the crypto isakmp client configuration address-pool local global configuration command. To restore the default value, use the no form of this command.

crypto isakmp client configuration address-pool local pool-name

no crypto isakmp client configuration address-pool local

Syntax Description

pool-name

Specifies the name of a local address pool.


Defaults

IP address local pools do not reference IKE.

Command Modes

Global configuration

Command History

Release
Modification

12.0(4)XE

This command was introduced.

12.0(7)T

This command was integrated into Cisco IOS release 12.0(7)T.


Examples

The following example references IP address local pools to IKE on your router, with "ire" as the pool-name:

crypto isakmp client configuration address-pool local ire

Related Commands

Command
Description

ip local pool

Configures a local pool of IP addresses to be used when a remote peer connects to a point-to-point interface.


crypto isakmp client configuration group

To specify which group's policy profile will be defined, use the crypto isakmp client configuration group command in global configuration mode. To remove this command and all associated subcommands from your configuration, use the no form of this command.

crypto isakmp client configuration group {group-name | default}

no crypto isakmp client configuration group {group-name | default}

Syntax Description

group-name

Group definition that identifies which policy is enforced for users.

default

Policy that is enforced for all users who do not offer a group name that matches a group-name argument. The default keyword can only be configured locally.


Defaults

No default behavior or values.

Command Modes

Global configuration

Command History

Release
Modification

12.2(8)T

This command was introduced.


Usage Guidelines

Use the crypto isakmp client configuration group command to specify group policy information that needs to be defined or changed. You may change the group policy on your router if you decide to connect to the client using a group identification that does not match the group-name argument.

After enabling this command, which puts you in Internet Security Association Key Management Protocol (ISAKMP) group configuration mode, you can specify characteristics for the group policy using the following commands:

acl—Specifies a group of access control lists (ACLs) that represent protected subnets for split tunneling purposes.

dns—Specifies the primary and secondary Domain Name Service (DNS) servers for the group.

domain (isakmp-group)—Specifies group domain membership.

key (isakmp-group)—Specifies the Internet Key Exchange (IKE) preshared key when defining group policy information for Mode Configuration push.

pool (isakmp-group)—Refers to the IP local pool address used to allocate internal IP addresses to clients.

wins—Specifies the primary and secondary Windows Internet Naming Service (WINS) servers for the group.

Examples

The following example shows how to define group policy information for Mode Configuration push. In this example, the first group name is "cisco" and the second group name is "default." Thus, the default policy will be enforced for all users who do not offer a group name that matches "cisco."

crypto isakmp client configuration group cisco
 key cisco
 dns 2.2.2.2 2.2.2.3
 wins 6.6.6.6
 domain cisco.com
 pool fred
 acl 199
!
crypto isakmp client configuration group default
 key cisco
 dns 2.2.2.2 2.3.2.3
 pool fred
 acl 199
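Two properties of a group definition are easy to get wrong and are worth checking mechanically: the split-tunnel acl must refer to an access-list that exists, and, as the crypto isakmp aggressive-mode disable section notes, groups that use a preshared key serve Easy VPN clients that cannot connect once aggressive mode is blocked. The following Python audit is an added example, not Cisco IOS code. It splits an IOS configuration into top-level commands and their one-space-indented subcommands (a constructed excerpt assembled from this chapter's examples, with the access-list for acl 198 deliberately missing) and reports those conditions for every group.

```python
# Constructed running-config excerpt assembled from examples in this chapter.
# access-list 198 is intentionally absent so the dangling-acl check fires.
SAMPLE_CONFIG = """\
crypto isakmp policy 15
 authentication pre-share
!
crypto isakmp client configuration group cisco
 key cisco
 dns 2.2.2.2 2.2.2.3
 wins 6.6.6.6
 domain cisco.com
 pool fred
 acl 199
!
crypto isakmp client configuration group default
 key cisco
 dns 2.2.2.2 2.3.2.3
 pool fred
 acl 198
!
crypto isakmp aggressive-mode disable
access-list 199 permit ip 192.168.1.0 0.0.0.255 any
"""

GROUP_PREFIX = "crypto isakmp client configuration group "
AGGRESSIVE_DISABLE = "crypto isakmp aggressive-mode disable"


def parse_ios_config(text):
    """Split an IOS config into (command, [subcommands]) blocks.
    IOS indents subcommands by a single space; '!' lines are separators."""
    blocks = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line[0].isspace():
            if not blocks:
                raise ValueError("indented line before any top-level command")
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks


def audit_isakmp_groups(text):
    """Return a list of findings about Mode Configuration groups in an IOS config."""
    blocks = parse_ios_config(text)
    top = {cmd for cmd, _ in blocks}
    aggressive_blocked = AGGRESSIVE_DISABLE in top
    defined_acls = {cmd.split()[1] for cmd in top if cmd.startswith("access-list ")}
    groups = [(cmd[len(GROUP_PREFIX):], subs) for cmd, subs in blocks
              if cmd.startswith(GROUP_PREFIX)]
    findings = []
    psk_groups = 0
    for name, subs in groups:
        if any(s.startswith("key ") for s in subs):
            psk_groups += 1
            if aggressive_blocked:
                findings.append(f"group {name}: preshared key set but aggressive mode is "
                                f"disabled; Easy VPN clients cannot connect")
        acl = next((s.split()[1] for s in subs if s.startswith("acl ")), None)
        if acl is not None:
            # Split tunneling means clear-text traffic to the Internet alongside the tunnel.
            findings.append(f"group {name}: split tunneling enabled via acl {acl}")
            if acl not in defined_acls:
                findings.append(f"group {name}: access-list {acl} is referenced but not defined")
    if psk_groups and not aggressive_blocked:
        findings.append(f"aggressive mode is accepted (default); {psk_groups} group(s) "
                        f"with preshared keys rely on it")
    return findings


if __name__ == "__main__":
    for finding in audit_isakmp_groups(SAMPLE_CONFIG):
        print(finding)
```

Running it on the sample reports the aggressive-mode conflict for both groups, split tunneling for both, and the undefined access-list 198; removing the disable line instead yields the informational aggressive-mode finding.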

Related Commands

Command
Description

acl

Configures split tunneling.

dns

Specifies the primary and secondary DNS servers.

domain (isakmp-group)

Specifies the DNS domain to which a group belongs.

key (isakmp-group)

Specifies the IKE preshared key for group policy attribute definition.

pool (isakmp-group)

Defines a local pool address.

wins

Specifies the primary and secondary WINS servers.


crypto isakmp enable

To globally enable Internet Key Exchange at your peer router, use the crypto isakmp enable global configuration command. To disable IKE at the peer, use the no form of this command.

crypto isakmp enable

no crypto isakmp enable

Syntax Description

This command has no arguments or keywords.

Defaults

IKE is enabled.

Command Modes

Global configuration

Command History

Release
Modification

11.3 T

This command was introduced.


Usage Guidelines

IKE is enabled by default. IKE does not have to be enabled for individual interfaces, but is enabled globally for all interfaces at the router.

If you do not want IKE to be used in your IPSec implementation, you can disable IKE at all your IP Security peers. If you disable IKE at one peer, you must disable it at all your IPSec peers.

If you disable IKE, you will have to make these concessions at the peers:

You must manually specify all the IPSec security associations (SAs) in the crypto maps at the peers. (Crypto map configuration is described in the chapter "Configuring IPSec Network Security" in the Cisco IOS Security Configuration Guide.)

The IPSec SAs of the peers will never time out for a given IPSec session.

During IPSec sessions between the peers, the encryption keys will never change.

Anti-replay services will not be available between the peers.

Certification authority (CA) support cannot be used.

Examples

The following example disables IKE at one peer. (The same command should be issued at all remote peers.)

no crypto isakmp enable

crypto isakmp identity

To define the identity used by the router when participating in the Internet Key Exchange protocol, use the crypto isakmp identity global configuration command. Set an Internet Security Association Key Management Protocol (ISAKMP) identity whenever you specify preshared keys. To reset the ISAKMP identity to the default value (address), use the no form of this command.

crypto isakmp identity {address | hostname}

no crypto isakmp identity

Syntax Description

address

Sets the ISAKMP identity to the IP address of the interface that is used to communicate to the remote peer during IKE negotiations.

hostname

Sets the ISAKMP identity to the host name concatenated with the domain name (for example, myhost.example.com).


Defaults

The IP address is used for the ISAKMP identity.

Command Modes

Global configuration

Command History

Release
Modification

11.3 T

This command was introduced.


Usage Guidelines

Use this command to specify an ISAKMP identity either by IP address or by host name.

The address keyword is typically used when there is only one interface (and therefore only one IP address) that will be used by the peer for IKE negotiations, and the IP address is known.

The hostname keyword should be used if there is more than one interface on the peer that might be used for IKE negotiations, or if the interface's IP address is unknown (such as with dynamically assigned IP addresses).

As a general rule, you should set all peers' identities in the same way, either by IP address or by host name.

Examples

The following example uses preshared keys at two peers and sets both their ISAKMP identities to IP address.

At the local peer (at 10.0.0.1) the ISAKMP identity is set and the preshared key is specified.

crypto isakmp identity address
crypto isakmp key sharedkeystring address 192.168.1.33

At the remote peer (at 192.168.1.33) the ISAKMP identity is set and the same preshared key is specified.

crypto isakmp identity address
crypto isakmp key sharedkeystring address 10.0.0.1


Note In the preceding example if the crypto isakmp identity command had not been performed, the ISAKMP identities would have still been set to IP address, the default identity.


The following example uses preshared keys at two peers and sets both their ISAKMP identities to hostname.

At the local peer the ISAKMP identity is set and the preshared key is specified.

crypto isakmp identity hostname
crypto isakmp key sharedkeystring hostname RemoteRouter.example.com
ip host RemoteRouter.example.com 192.168.0.1

At the remote peer the ISAKMP identity is set and the same preshared key is specified.

crypto isakmp identity hostname
crypto isakmp key sharedkeystring hostname LocalRouter.example.com
ip host LocalRouter.example.com 10.0.0.1 10.0.0.2

In the above example, host names are used for the peers' identities because the local peer has two interfaces that might be used during an IKE negotiation.

In the above example the IP addresses are also mapped to the host names; this mapping is not necessary if the routers' host names are already mapped in DNS.
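The two rules in this section, that all peers set their identity the same way and that each side holds the other's preshared key under the identity type the other side presents, can be checked from the two configurations before a tunnel is brought up. The following Python check is an added example, not Cisco IOS code. The peer configurations and the address/hostname pairs for each router are constructed from the hostname example above; pair B leaves the remote at the default identity (address) to show what the check reports.

```python
import re

# Constructed peer configurations based on the hostname example in this section.
LOCAL_A = """\
crypto isakmp identity hostname
crypto isakmp key sharedkeystring hostname RemoteRouter.example.com
ip host RemoteRouter.example.com 192.168.0.1
"""
REMOTE_A = """\
crypto isakmp identity hostname
crypto isakmp key sharedkeystring hostname LocalRouter.example.com
ip host LocalRouter.example.com 10.0.0.1 10.0.0.2
"""
# Pair B: the remote never set crypto isakmp identity, so it presents its address.
REMOTE_B = """\
crypto isakmp key sharedkeystring hostname LocalRouter.example.com
"""

# The identities each router can present (constructed values from the example above).
LOCAL_NAMES = {"address": "10.0.0.1", "hostname": "LocalRouter.example.com"}
REMOTE_NAMES = {"address": "192.168.0.1", "hostname": "RemoteRouter.example.com"}

ID_RE = re.compile(r"^crypto isakmp identity (address|hostname)\s*$", re.M)
KEY_RE = re.compile(r"^crypto isakmp key (\S+) (address|hostname) (\S+)", re.M)


def isakmp_identity(config):
    """Identity type the router presents; address is the default stated on this page."""
    m = ID_RE.search(config)
    return m.group(1) if m else "address"


def isakmp_keys(config):
    """Map (identity type, peer identity) -> keystring. An optional mask on address
    entries is not modelled here; such entries are recorded by their network address."""
    return {(m.group(2), m.group(3)): m.group(1) for m in KEY_RE.finditer(config)}


def check_peer_pair(local_cfg, local_names, remote_cfg, remote_names):
    """Return problems that would stop a preshared-key IKE policy from being usable."""
    problems = []
    lid, rid = isakmp_identity(local_cfg), isakmp_identity(remote_cfg)
    if lid != rid:
        problems.append(f"identity mismatch: local uses {lid}, remote uses {rid}")
    # Each side must key the other under the identity type the other side presents.
    lkey = isakmp_keys(local_cfg).get((rid, remote_names[rid]))
    rkey = isakmp_keys(remote_cfg).get((lid, local_names[lid]))
    if lkey is None:
        problems.append(f"local has no preshared key for {rid} {remote_names[rid]}")
    if rkey is None:
        problems.append(f"remote has no preshared key for {lid} {local_names[lid]}")
    if lkey is not None and rkey is not None and lkey != rkey:
        problems.append("preshared keys differ between the peers")
    return problems


if __name__ == "__main__":
    print(check_peer_pair(LOCAL_A, LOCAL_NAMES, REMOTE_A, REMOTE_NAMES))   # []
    for p in check_peer_pair(LOCAL_A, LOCAL_NAMES, REMOTE_B, REMOTE_NAMES):
        print(p)
```

Pair A passes; pair B reports the identity mismatch and that the local router holds no key for the address the remote will actually present.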

Related Commands

Command
Description

authentication (IKE policy)

Specifies the authentication method within an IKE policy.

crypto isakmp key

Configures a preshared authentication key.


crypto isakmp keepalive

To allow the gateway to send dead peer detection (DPD) messages to the peer, use the crypto isakmp keepalive command in global configuration mode. To disable keepalives, use the no form of this command.

crypto isakmp keepalive seconds [retries]

no crypto isakmp keepalive seconds [retries]

Syntax Description

seconds

Number of seconds between DPD messages; the range is from 10 to 3600 seconds.

Note If you do not specify a time interval, you will receive an error message.

retries

(Optional) Number of seconds between DPD retries if the DPD message fails; the range is from 2 to 60 seconds. If unspecified, the default is 2 seconds.


Defaults

No DPD messages are sent.

Command Modes

Global configuration

Command History

Release
Modification

12.2(8)T

This command was introduced.


Usage Guidelines

Use the crypto isakmp keepalive command to enable the gateway to send DPD messages to the peer. DPD is a keepalive scheme that allows the router to query the liveness of its Internet Key Exchange (IKE) peer.


Note When the crypto isakmp keepalive command is configured, the Cisco IOS software negotiates the use of Cisco IOS keepalives or DPD, depending on which protocol the peer supports.


Examples

The following example shows how to configure DPD messages to be sent every 60 seconds and every 5 seconds between retries if the peer does not respond:

crypto isakmp keepalive 60 5

crypto isakmp key

To configure a preshared authentication key, use the crypto isakmp key command in global configuration mode. To delete a preshared authentication key, use the no form of this command.

crypto isakmp key keystring address peer-address [mask] [no-xauth]

no crypto isakmp key keystring address peer-address

Syntax Description

keystring

Specifies the preshared key. Use any combination of alphanumeric characters up to 128 bytes. This preshared key must be identical at both peers.

address

Use this keyword if the remote peer Internet Security Association Key Management Protocol (ISAKMP) identity was set with its IP address.

peer-address

Specifies the IP address of the remote peer.

mask

(Optional) Specifies the subnet address of the remote peer. (The argument can be used only if the remote peer ISAKMP identity was set with its IP address.)

no-xauth

(Optional) Use this keyword if router-to-router IP Security (IPSec) is on the same crypto map as a Virtual Private Network (VPN)-client-to-Cisco-IOS IPSec. This keyword prevents the router from prompting the peer for extended authentication (Xauth) information (username and password).


Defaults

There is no default preshared authentication key.

Command Modes

Global configuration

Command History

Release
Modification

11.3 T

This command was introduced.

12.1(1)T

The mask argument was added.

12.2(4)T

The no-xauth keyword was added.


Usage Guidelines

You must use this command to configure a key whenever you specify preshared keys in an Internet Key Exchange (IKE) policy; you must enable this command at both peers.

If an IKE policy includes preshared keys as the authentication method, these preshared keys must be configured at both peers—otherwise the policy cannot be used (the policy will not be submitted for matching by the IKE process). The crypto isakmp key command is the second task required to configure the preshared keys at the peers. (The first task is accomplished using the crypto isakmp identity command.)

Use the address keyword if the remote peer ISAKMP identity was set with its IP address.

With the address keyword, you can also use the mask argument to indicate that the remote peer ISAKMP identity will be established using the preshared key only. If the mask argument is used, preshared keys are no longer restricted to a single pair of peers.


Note If you specify mask, you must use a subnet address. (The subnet address 0.0.0.0 is not recommended because it encourages group preshared keys, which allow all peers to have the same group key, thereby reducing the security of your user authentication.)


Preshared keys no longer work when the hostname keyword is sent as the identity; thus, the hostname keyword as the identity in preshared key authentication is no longer supported. According to the way preshared key authentication is designed in IKE main mode, the preshared keys must be based on the IP address of the peers. Although a user can still send the hostname as identity in preshared key authentication, the key is searched on the IP address of the peer; if the key is not found (based on the IP address), the negotiation will fail.

If crypto isakmp identity hostname is configured as identity, the preshared key must be configured with the peer's IP address for the process to work.

Use the no-xauth keyword to prevent the router from prompting the peer for Xauth information (username and password). This keyword disables Xauth for static IPSec peers. The no-xauth keyword should be enabled when configuring the preshared key for router-to-router IPSec—not VPN-client-to-Cisco-IOS IPSec.

Examples

In the following example, the remote peer "RemoteRouter" specifies an ISAKMP identity by address:

crypto isakmp identity address

Now, the preshared key must be specified at each peer.

In the following example, the local peer specifies the preshared key and designates the remote peer by its IP address and a mask:

crypto isakmp key sharedkeystring address 172.21.230.33 255.255.255.255
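The address-based key lookup and mask semantics described in the Usage Guidelines above, as an added Python model (not Cisco IOS code). The parser, the sample key lines and the preference for the most specific mask are assumptions of this example; the page itself only states that the search is by peer IP address.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added model of the 'crypto isakmp key ... address' lookup rules described
# above. Not Cisco IOS code; names and sample key lines are constructed.


@dataclass(frozen=True)
class PresharedKey:
    keystring: str
    network: ipaddress.IPv4Network  # peer-address plus optional mask
    no_xauth: bool = False


def parse_isakmp_key(line: str) -> PresharedKey:
    """Parse 'crypto isakmp key <keystring> address <peer-address> [mask] [no-xauth]'."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[:3] != ["crypto", "isakmp", "key"] or tokens[4] != "address":
        raise ValueError(f"not an address-form preshared key: {line!r}")
    keystring, peer, rest = tokens[3], tokens[5], tokens[6:]
    if len(keystring.encode()) > 128:
        raise ValueError("keystring exceeds 128 bytes")
    # Without a mask the key is bound to exactly one peer address.
    mask = rest.pop(0) if rest and rest[0] != "no-xauth" else "255.255.255.255"
    if rest and rest != ["no-xauth"]:
        raise ValueError(f"unexpected trailing tokens: {rest}")
    network = ipaddress.IPv4Network(f"{peer}/{mask}", strict=False)
    return PresharedKey(keystring, network, no_xauth=(rest == ["no-xauth"]))


def lookup_key(keys: List[PresharedKey], peer_ip: str,
               identity: Tuple[str, str]) -> Optional[PresharedKey]:
    """Return the preshared key for a peer, or None (the negotiation fails).

    As the Usage Guidelines state, the key is searched on the peer's IP address
    even when the peer sends ('hostname', <fqdn>) as its identity, so the
    identity payload only documents what was received. Preferring the most
    specific (longest) mask when several keys cover the address is an
    assumption of this model, not behaviour stated on the page.
    """
    addr = ipaddress.IPv4Address(peer_ip)
    candidates = [k for k in keys if addr in k.network]
    if not candidates:
        return None
    return max(candidates, key=lambda k: k.network.prefixlen)


def wildcard_keys(keys: List[PresharedKey]) -> List[PresharedKey]:
    """Flag group preshared keys (subnet 0.0.0.0), which the Note above discourages."""
    return [k for k in keys if k.network.prefixlen == 0]


# Constructed sample configuration: the page's example key plus a subnet key.
SAMPLE_CONFIG = [
    "crypto isakmp key sharedkeystring address 172.21.230.33 255.255.255.255",
    "crypto isakmp key branchkey address 10.1.0.0 255.255.0.0 no-xauth",
]


def load_sample_keys() -> List[PresharedKey]:
    return [parse_isakmp_key(line) for line in SAMPLE_CONFIG]
```

Running wildcard_keys over a parsed configuration is a quick audit for the group-key pattern the Note warns about.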

Related Commands

Command
Description

authentication (IKE policy)

Specifies the authentication method within an IKE policy.

crypto isakmp identity

Defines the identity the router uses when participating in the IKE protocol.

ip host

Defines a static host name-to-address mapping in the host cache.


crypto isakmp peer

To enable an IP Security (IPSec) peer for Internet Key Exchange (IKE) querying of authentication, authorization, and accounting (AAA) for tunnel attributes in aggressive mode, use the crypto isakmp peer command in global configuration mode. To disable this functionality, use the no form of this command.

crypto isakmp peer {ip-address ip-address | fqdn fqdn} {vrf fvrf-name}

no crypto isakmp peer {ip-address ip-address | fqdn fqdn} {vrf fvrf-name}

Syntax Description

ip-address ip-address

IP address of the peer router.

fqdn fqdn

Fully qualified domain name (FQDN) of the peer router.

vrf fvrf-name

Virtual routing and forwarding (VRF) routing table through which the peer is reachable.


Defaults

No default behavior or values

Command Modes

Global configuration

Command History

Release
Modification

12.2(8)T

This command was introduced.

12.2(15)T

The vrf keyword and fvrf-name argument were added.


Usage Guidelines

After enabling this command, you can use the set aggressive-mode client-endpoint and set aggressive-mode password commands to specify RADIUS tunnel attributes in the Internet Security Association and Key Management Protocol (ISAKMP) peer policy for IPSec peers.

Instead of keeping your preshared keys on the hub router, you can scale your preshared keys by storing and retrieving them from an AAA server. The preshared keys are stored in the AAA server as Internet Engineering Task Force (IETF) RADIUS tunnel attributes and are retrieved when a user tries to "speak" to the hub router. The hub router retrieves the preshared key from the AAA server and the spokes (the users) initiate aggressive mode to the hub by using the preshared key that is specified in the ISAKMP peer policy as a RADIUS tunnel attribute.

Examples

The following example shows how to initiate aggressive mode using RADIUS tunnel attributes:

crypto isakmp peer ip-address 4.4.4.1 vrf vpn1
 set aggressive-mode client-endpoint user-fqdn user@cisco.com
 set aggressive-mode password cisco123

Related Commands

Command
Description

crypto map isakmp authorization list

Enables IKE querying of AAA for tunnel attributes in aggressive mode.

set aggressive-mode client-endpoint

Specifies the Tunnel-Client-Endpoint attribute within an ISAKMP peer configuration.

set aggressive-mode password

Specifies the Tunnel-Password attribute within an ISAKMP peer configuration.



crypto isakmp policy

To define an Internet Key Exchange (IKE) policy, use the crypto isakmp policy global configuration command. IKE policies define a set of parameters to be used during the IKE negotiation. To delete an IKE policy, use the no form of this command.

crypto isakmp policy priority

no crypto isakmp policy

Syntax Description

priority

Uniquely identifies the IKE policy and assigns a priority to the policy. Use an integer from 1 to 10,000, with 1 being the highest priority and 10,000 the lowest.


Defaults

There is a default policy, which always has the lowest priority. This default policy contains default values for the encryption, hash, authentication, Diffie-Hellman group, and lifetime parameters. (The parameter defaults are listed below in the Usage Guidelines section.)

When you create an IKE policy, if you do not specify a value for a particular parameter, the default for that parameter will be used.

Command Modes

Global configuration

Command History

Release
Modification

11.3 T

This command was introduced.


Usage Guidelines

Use this command to specify the parameters to be used during an IKE negotiation. (These parameters are used to create the IKE security association [SA].)

This command invokes the Internet Security Association Key Management Protocol policy configuration (config-isakmp) command mode. While in the ISAKMP policy configuration command mode, the following commands are available to specify the parameters in the policy:

encryption (IKE policy); default = 56-bit DES-CBC

hash (IKE policy); default = SHA-1

authentication (IKE policy); default = RSA signatures

group (IKE policy); default = 768-bit Diffie-Hellman

lifetime (IKE policy); default = 86,400 seconds (one day)

If you do not specify one of these commands for a policy, the default value will be used for that parameter.

To exit the config-isakmp command mode, type exit.

You can configure multiple IKE policies on each peer participating in IPSec. When the IKE negotiation begins, it tries to find a common policy configured on both peers, starting with the highest priority policies as specified on the remote peer.

Examples

The following example configures two policies for the peer:

crypto isakmp policy 15
 hash md5
 authentication rsa-sig
 group 2
 lifetime 5000
crypto isakmp policy 20
 authentication pre-share
 lifetime 10000

The above configuration results in the following policies:

Router# show crypto isakmp policy

Protection suite priority 15
	encryption algorithm:	DES - Data Encryption Standard (56 bit keys)
	hash algorithm:	Message Digest 5
	authentication method:	Rivest-Shamir-Adleman Signature
	Diffie-Hellman Group:	#2 (1024 bit)
	lifetime:	5000 seconds, no volume limit
Protection suite priority 20
	encryption algorithm:	DES - Data Encryption Standard (56 bit keys)
	hash algorithm:	Secure Hash Standard
	authentication method:	preshared Key
	Diffie-Hellman Group:	#1 (768 bit)
	lifetime:	10000 seconds, no volume limit
Default protection suite
	encryption algorithm:	DES - Data Encryption Standard (56 bit keys)
	hash algorithm:	Secure Hash Standard
	authentication method:	Rivest-Shamir-Adleman Signature
	Diffie-Hellman Group:	#1 (768 bit)
	lifetime:	86400 seconds, no volume limit
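The defaults and priority-ordered matching described in the Usage Guidelines, as an added Python model (not Cisco IOS code). The parser, the remote peer's configuration and the weak-parameter list are assumptions of this example, and lifetime is left out of the match as a simplification.

```python
from typing import Dict, List, Optional, Tuple

# Added model of 'crypto isakmp policy' defaults and priority-ordered matching
# as described in the Usage Guidelines above. Not Cisco IOS code; the parser,
# the remote peer's configuration and the weak-parameter list are constructed.

# Defaults listed in the Usage Guidelines (used for any unset parameter and
# for the always-present default policy).
DEFAULT_POLICY: Dict[str, object] = {
    "encryption": "des",
    "hash": "sha",
    "authentication": "rsa-sig",
    "group": 1,
    "lifetime": 86400,
}
# Lifetime is negotiated separately and is left out of the match (simplification).
MATCHED_FIELDS = ("encryption", "hash", "authentication", "group")

Policy = Dict[str, object]
Suite = Tuple[Optional[int], Policy]  # (priority, parameters); None = default policy


def parse_isakmp_policies(config: str) -> Dict[int, Policy]:
    """Parse 'crypto isakmp policy <priority>' blocks; unset parameters take defaults."""
    policies: Dict[int, Policy] = {}
    current: Optional[Policy] = None
    for raw in config.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[:3] == ["crypto", "isakmp", "policy"] and len(tokens) == 4:
            priority = int(tokens[3])
            if not 1 <= priority <= 10000:
                raise ValueError(f"priority {priority} outside 1-10000")
            current = dict(DEFAULT_POLICY)
            policies[priority] = current
        elif current is not None and len(tokens) == 2 and tokens[0] in DEFAULT_POLICY:
            name, value = tokens
            current[name] = int(value) if name in ("group", "lifetime") else value
        else:
            raise ValueError(f"unexpected line in ISAKMP policy config: {raw!r}")
    return policies


def effective_suites(policies: Dict[int, Policy]) -> List[Suite]:
    """Suites in priority order (1 = highest), with the default suite last."""
    suites: List[Suite] = [(p, policies[p]) for p in sorted(policies)]
    suites.append((None, dict(DEFAULT_POLICY)))
    return suites


def negotiate(initiator_cfg: str,
              responder_cfg: str) -> Optional[Tuple[Optional[int], Optional[int], Policy]]:
    """Return (initiator_priority, responder_priority, agreed parameters), or None.

    The responder examines the initiator's proposals starting with the
    initiator's highest-priority policy and accepts the first that matches one
    of its own suites on every field in MATCHED_FIELDS.
    """
    responder = effective_suites(parse_isakmp_policies(responder_cfg))
    for ipri, proposal in effective_suites(parse_isakmp_policies(initiator_cfg)):
        for rpri, policy in responder:
            if all(proposal[f] == policy[f] for f in MATCHED_FIELDS):
                return ipri, rpri, {f: proposal[f] for f in MATCHED_FIELDS}
    return None


# Parameters a reviewer would flag today; the page's own defaults include them.
WEAK = {"encryption": {"des"}, "hash": {"md5"}, "group": {1}}


def weak_parameters(policy: Policy) -> List[str]:
    return sorted(f for f, bad in WEAK.items() if policy[f] in bad)


# The page's example configuration.
LOCAL_CONFIG = """
crypto isakmp policy 15
 hash md5
 authentication rsa-sig
 group 2
 lifetime 5000
crypto isakmp policy 20
 authentication pre-share
 lifetime 10000
"""

# Constructed remote peer: one preshared-key policy, everything else default.
REMOTE_CONFIG = """
crypto isakmp policy 10
 authentication pre-share
"""
```

Because the default suite is always present on both peers, two peers whose configured policies disagree on every parameter still fall back to the 56-bit DES, group 1 default; weak_parameters makes that fallback visible.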

Related Commands

Command
Description

authentication (IKE policy)

Specifies the authentication method within an IKE policy.

encryption (IKE policy)

Specifies the encryption algorithm within an IKE policy.

group (IKE policy)

Specifies the Diffie-Hellman group identifier within an IKE policy.

hash (IKE policy)

Specifies the hash algorithm within an IKE policy.

lifetime (IKE policy)

Specifies the lifetime of an IKE SA.

show crypto isakmp policy

Displays the parameters for each IKE policy.


crypto isakmp profile

To define an Internet Security Association and Key Management Protocol (ISAKMP) profile and to audit IP Security (IPSec) user sessions, use the crypto isakmp profile command in global configuration mode. To delete a crypto ISAKMP profile, use the no form of this command.

crypto isakmp profile profile-name [accounting aaalist]

no crypto isakmp profile profile-name [accounting aaalist]

Syntax Description

profile-name

Name of the user profile. To associate a user profile with the RADIUS server, the user profile name must be identified.

accounting aaalist

(Optional) Name of a client accounting list.


Defaults

No default behaviors or values

Command Modes

Global configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Usage Guidelines

Defining an ISAKMP Profile

An ISAKMP profile can be viewed as a repository of Phase 1 and Phase 1.5 commands for a set of peers. The Phase 1 configuration includes commands to configure such things as keepalive, identity matching, and the authorization list. The Phase 1.5 configuration includes commands to configure such things as extended authentication (Xauth) and mode configuration.

The peers are mapped to an ISAKMP profile when their identities are matched (as given in the identification [ID] payload of the Internet Key Exchange [IKE]) against the identities defined in the ISAKMP profile. To uniquely map to an ISAKMP profile, no two ISAKMP profiles should match the same identity. If the peer identity is matched in two ISAKMP profiles, the configuration is invalid. Also, there must be at least one match identity command defined in the ISAKMP profile for it to be complete.

Auditing IPSec User Sessions

Use this command to audit multiple user sessions that are terminating on the IPSec gateway.


Note The crypto isakmp profile command and the crypto map (global IPSec) command are mutually exclusive. If a profile is present (the crypto isakmp profile command has been used), with no accounting configured but with the global command present (the crypto isakmp profile command without the accounting keyword), accounting will occur using the attributes in the global command.


Examples

The following example shows how to define an ISAKMP profile and match the peer identities:

crypto isakmp profile vpnprofile
 match identity address 10.76.11.53

The following accounting example shows that an ISAKMP profile is configured:

aaa new-model
!
!
aaa authentication login cisco-client group radius
aaa authorization network cisco-client group radius 
aaa accounting network acc start-stop broadcast group radius
aaa session-id common
!
crypto isakmp profile cisco
 vrf cisco
 match identity group cclient
 client authentication list cisco-client
 isakmp authorization list cisco-client
 client configuration address respond
 accounting acc
!
crypto dynamic-map dynamic 1
 set transform-set aswan 
 set isakmp-profile cisco
 reverse-route
!
!
radius-server host 172.1.1.4 auth-port 1645 acct-port 1646
radius-server key nsite

Related Commands

Command
Description

crypto map (global IPSec)

Enters crypto map configuration mode and creates or modifies a crypto map entry, creates a crypto profile that provides a template for configuration of dynamically created crypto maps, or configures a client accounting list.

debug crypto isakmp

Displays messages about IKE events.

match identity

Matches an identity from a peer in an ISAKMP profile.


crypto key generate rsa

To generate Rivest, Shamir, and Adleman (RSA) key pairs, use the crypto key generate rsa command in global configuration mode.

crypto key generate rsa [general-keys | usage-keys | signature | encryption] [label key-label] [exportable] [modulus modulus-size] [storage devicename:] [on devicename:]

Syntax Description

general-keys

(Optional) Specifies that a general-purpose key pair will be generated, which is the default.

usage-keys

(Optional) Specifies that two RSA special-usage key pairs, one encryption pair and one signature pair, will be generated.

signature

(Optional) Specifies that the RSA public key generated will be a signature special usage key.

encryption

(Optional) Specifies that the RSA public key generated will be an encryption special usage key.

label key-label

(Optional) Name that is used for the RSA key pair when it is exported.

If a key label is not specified, the fully qualified domain name (FQDN) of the router is used.

exportable

(Optional) Specifies that the RSA key pair can be exported to another Cisco device, such as a router.

modulus modulus-size

(Optional) Specifies the size of the key modulus, in bits.

By default, the modulus of a CA key is 1024 bits. The recommended modulus for a CA key is 2048 bits. The range of a CA key modulus is from 350 to 2048 bits.

If you do not enter the modulus keyword and specify a key size, you will be prompted.

storage devicename:

(Optional) Specifies the key storage location. The name of the storage device is followed by a colon (:).

on devicename:

(Optional) Specifies that the RSA key pair will be created on the specified device, including a USB token, local disk, or NVRAM. The name of the device is followed by a colon (:).

Keys created on a USB token have a maximum size of 1024 bits.


Command Default

RSA key pairs do not exist.

Command Modes

Global configuration

Command History

Release
Modification

11.3

This command was introduced.

12.2(8)T

The key-label argument was added.

12.2(15)T

The exportable keyword was added.

12.2(18)SXD

This command was integrated into Cisco IOS Release 12.2(18)SXD.

12.4(4)T

The storage keyword and devicename: argument were added.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.4(11)T

The storage keyword and devicename: argument were implemented on the Cisco 7200VXR NPE-G2 platform.

The signature, encryption and on keywords and devicename: argument were added.


Usage Guidelines

Use this command to generate RSA key pairs for your Cisco device (such as a router).

RSA keys are generated in pairs—one public RSA key and one private RSA key.

If your router already has RSA keys when you issue this command, you will be warned and prompted to replace the existing keys with new keys.


Note Before issuing this command, ensure that your router has a hostname and IP domain name configured (with the hostname and ip domain-name commands). You will be unable to complete the crypto key generate rsa command without a hostname and IP domain name. (This situation is not true when you only generate a named key pair.)



Note Secure Shell (SSH) may generate an additional RSA key pair if you generate a key pair on a router having no RSA keys. The additional key pair is used only by SSH and will have a name such as {router_FQDN}.server. For example, if a router name is "router1.cisco.com," the key name is "router1.cisco.com.server."


This command is not saved in the router configuration; however, the RSA keys generated by this command are saved in the private configuration in NVRAM (which is never displayed to the user or backed up to another device) the next time the configuration is written to NVRAM.


Note If the configuration is not saved to NVRAM, the generated keys are lost on the next reload of the router.


There are two mutually exclusive types of RSA key pairs: special-usage keys and general-purpose keys. When you generate RSA key pairs, you will be prompted to select either special-usage keys or general-purpose keys.

Special-Usage Keys

If you generate special-usage keys, two pairs of RSA keys will be generated. One pair will be used with any Internet Key Exchange (IKE) policy that specifies RSA signatures as the authentication method, and the other pair will be used with any IKE policy that specifies RSA encrypted keys as the authentication method.

A certification authority (CA) is used only with IKE policies specifying RSA signatures, not with IKE policies specifying RSA-encrypted nonces. (However, you could specify more than one IKE policy and have RSA signatures specified in one policy and RSA-encrypted nonces in another policy.)

If you plan to have both types of RSA authentication methods in your IKE policies, you may prefer to generate special-usage keys. With special-usage keys, each key is not unnecessarily exposed. (Without special-usage keys, one key is used for both authentication methods, increasing the exposure of that key.)

General-Purpose Keys

If you generate general-purpose keys, only one pair of RSA keys will be generated. This pair will be used with IKE policies specifying either RSA signatures or RSA encrypted keys. Therefore, a general-purpose key pair might get used more frequently than a special-usage key pair.

Named Key Pairs

If you generate a named key pair using the key-label argument, you must also specify the usage-keys keyword or the general-keys keyword. Named key pairs allow you to have multiple RSA key pairs, enabling the Cisco IOS software to maintain a different key pair for each identity certificate.

Modulus Length

When you generate RSA keys, you will be prompted to enter a modulus length. The longer the modulus, the stronger the security. However, a longer modulus takes longer to generate (see Table 29 for sample times) and takes longer to use.

Cisco IOS software does not support a modulus greater than 4096 bits. A length of less than 512 bits is normally not recommended. In certain situations, the shorter modulus may not function properly with IKE, so we recommend using a minimum modulus of 1024 bits.


Note As of Cisco IOS Release 12.4(11)T, peer public RSA key modulus values up to 4096 bits are automatically supported.

The largest private RSA key modulus is 2048 bits. Therefore, the largest RSA private key a router may generate or import is 2048 bits.

The recommended modulus for a CA is 2048 bits; the recommended modulus for a client is 1024 bits.


Table 29 Sample Times by Modulus Length to Generate RSA Keys

Router      360 bits            512 bits    1024 bits              2048 bits (maximum)
Cisco 2500  11 seconds          20 seconds  4 minutes, 38 seconds  more than 1 hour
Cisco 4700  less than 1 second  1 second    4 seconds              50 seconds


Specifying a Storage Location for RSA Keys

When you issue the crypto key generate rsa command with the storage devicename: keyword and argument, the RSA keys will be stored on the specified device. This location will supersede any crypto key storage command settings.

Specifying a Device for RSA Key Generation

As of Cisco IOS Release 12.4(11)T and later releases, you may specify the device where RSA keys are generated. Devices supported include NVRAM, local disks, and USB tokens. If your router has a USB token configured and available, the USB token can be used as a cryptographic device in addition to a storage device. Using a USB token as a cryptographic device allows RSA operations such as key generation, signing, and authentication of credentials to be performed on the token. The private key never leaves the USB token and is not exportable. The public key is exportable.

RSA keys may be generated on a configured and available USB token by the use of the on devicename: keyword and argument. Keys that reside on a USB token are saved to persistent token storage when they are generated. The number of keys that can be generated on a USB token is limited by the space available. If you attempt to generate keys on a USB token and it is full, you will receive the following message:

% Error in generating keys:no available resources 

Key deletion will remove the keys stored on the token from persistent storage immediately. (Keys that do not reside on a token are saved to or deleted from non-token storage locations when the write memory or similar command is issued.)

For information on configuring a USB token, see the "Storing PKI Credentials" chapter in the Cisco IOS Security Configuration Guide, Release 12.4T. For information on using on-token RSA credentials, see the "Configuring and Managing a Cisco IOS Certificate Server for PKI Deployment" chapter in the Cisco IOS Security Configuration Guide, Release 12.4T.

Examples

The following example generates a general usage 1024-bit RSA key pair on a USB token with the label "ms2" with crypto engine debugging messages shown:

Router(config)# crypto key generate rsa on usbtoken0 label ms2 modulus 1024
The name for the keys will be: ms2 
% The key modulus size is 1024 bits 
% Generating 1024 bit RSA keys, keys will be on-token, non-exportable... 
Jan 7 02:41:40.895: crypto_engine: Generate public/private keypair [OK] 
Jan 7 02:44:09.623: crypto_engine: Create signature 
Jan 7 02:44:10.467: crypto_engine: Verify signature 
Jan 7 02:44:10.467: CryptoEngine0: CRYPTO_ISA_RSA_CREATE_PUBKEY(hw)(ipsec) 
Jan 7 02:44:10.467: CryptoEngine0: CRYPTO_ISA_RSA_PUB_DECRYPT(hw)(ipsec) 

Now, the on-token keys labeled "ms2" may be used for enrollment.

The following example generates special-usage RSA keys:

Router(config)# crypto key generate rsa usage-keys
The name for the keys will be: myrouter.example.com

Choose the size of the key modulus in the range of 360 to 2048 for your Signature Keys. 
Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus[512]? <return>
Generating RSA keys.... [OK].

Choose the size of the key modulus in the range of 360 to 2048 for your Encryption Keys. 
Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus[512]? <return>
Generating RSA keys.... [OK].

The following example generates general-purpose RSA keys:


Note You cannot generate both special-usage and general-purpose keys; you can generate only one or the other.


Router(config)# crypto key generate rsa general-keys
The name for the keys will be: myrouter.example.com

Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose 
Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus[512]? <return>
Generating RSA keys.... [OK].


The following example generates the general purpose RSA key pair "exampleCAkeys":

crypto key generate rsa general-keys label exampleCAkeys
crypto ca trustpoint exampleCAkeys
 enrollment url http://exampleCAkeys/certsrv/mscep/mscep.dll
 rsakeypair exampleCAkeys 1024 1024

The following example specifies the RSA key storage location of "usbtoken0:" for "tokenkey1":

crypto key generate rsa general-keys label tokenkey1 storage usbtoken0:

Related Commands

Command
Description

crypto key storage

Sets the default storage location for RSA key pairs.

debug crypto engine

Displays debug messages about crypto engines.

hostname

Specifies or modifies the hostname for the network server.

ip domain-name

Defines a default domain name to complete unqualified hostnames (names without a dotted-decimal domain name).

show crypto key mypubkey rsa

Displays the RSA public keys of your router.

show crypto pki certificates

Displays information about your PKI certificate, certification authority, and any registration authority certificates.


crypto key pubkey-chain rsa

To enter public key configuration mode (so you can manually specify other devices' RSA public keys), use the crypto key pubkey-chain rsa global configuration command.

crypto key pubkey-chain rsa

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

Global configuration

Command History

Release
Modification

11.3 T

This command was introduced.


Usage Guidelines

Use this command to enter public key chain configuration mode. Use this command when you need to manually specify other IPSec peers' RSA public keys. You need to specify other peers' keys when you configure RSA encrypted nonces as the authentication method in an Internet Key Exchange policy at your peer router.

Examples

The following example specifies the RSA public keys of two other IPSec peers. The remote peers use their IP addresses as their identities.

Router(config)# crypto key pubkey-chain rsa
Router(config-pubkey-chain)# addressed-key 10.5.5.1
Router(config-pubkey-key)# key-string
Router(config-pubkey)# 00302017 4A7D385B 1234EF29 335FC973
Router(config-pubkey)# 2DD50A37 C4F4B0FD 9DADE748 429618D5
Router(config-pubkey)# 18242BA3 2EDFBDD3 4296142A DDF7D3D8
Router(config-pubkey)# 08407685 2F2190A0 0B43F1BD 9A8A26DB
Router(config-pubkey)# 07953829 791FCDE9 A98420F0 6A82045B
Router(config-pubkey)# 90288A26 DBC64468 7789F76E EE21
Router(config-pubkey)# quit
Router(config-pubkey-key)# exit
Router(config-pubkey-chain)# addressed-key 10.1.1.2
Router(config-pubkey-key)# key-string
Router(config-pubkey)# 0738BC7A 2BC3E9F0 679B00FE 53987BCC
Router(config-pubkey)# 01030201 42DD06AF E228D24C 458AD228
Router(config-pubkey)# 58BB5DDD F4836401 2A2D7163 219F882E
Router(config-pubkey)# 64CE69D4 B583748A 241BED0F 6E7F2F16
Router(config-pubkey)# 0DE0986E DF02031F 4B0B0912 F68200C4
Router(config-pubkey)# C625C389 0BFF3321 A2598935 C1B1
Router(config-pubkey)# quit
Router(config-pubkey-key)# exit
Router(config-pubkey-chain)# exit
Router(config)#

Related Commands

Command
Description

address

Specifies the IP address of the remote RSA public key of the remote peer you will manually configure.

addressed-key

Specifies the RSA public key of the peer you will manually configure.

key-string (IKE)

Specifies the RSA public key of a remote peer.

named-key

Specifies which peer RSA public key you will manually configure.

show crypto key pubkey-chain rsa

Displays peer RSA public keys stored on your router.


crypto keyring

To define a crypto keyring to be used during Internet Key Exchange (IKE) authentication, use the crypto keyring command in global configuration mode. To remove the keyring, use the no form of this command.

crypto keyring keyring-name [vrf fvrf-name]

no crypto keyring keyring-name [vrf fvrf-name]

Syntax Description

keyring-name

Name of the crypto keyring.

vrf fvrf-name

(Optional) Front door virtual routing and forwarding (FVRF) name to which the keyring will be referenced. The fvrf-name must match the FVRF name that was defined during virtual routing and forwarding (VRF) configuration.


Defaults

All the Internet Security Association and Key Management Protocol (ISAKMP) keys that were defined in the global configuration are part of the default global keyring.

Command Modes

Global configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Usage Guidelines

A keyring is a repository of preshared and Rivest, Shamir, and Adleman (RSA) public keys. The keyring is used in ISAKMP profile configuration mode. The ISAKMP profile successfully completes authentication of peers if the peer keys are defined in the keyring that is attached to this profile.

Examples

The following example shows that a keyring and its usage have been defined:

crypto keyring vpnkeys
  pre-shared-key address 10.72.23.11 key vpnsecret
crypto isakmp profile vpnprofile
  keyring vpnkeys

crypto map client authentication list

To configure Internet Key Exchange extended authentication (Xauth) on your router, use the crypto map client authentication list global configuration command. To restore the default value, use the no form of this command.

crypto map map-name client authentication list list-name

no crypto map map-name client authentication list list-name

Syntax Description

map-name

The name you assign to the crypto map set.

list-name

Character string used to name the list of authentication methods activated when a user logs in. The list-name must match the list-name defined during AAA configuration.


Defaults

Xauth is not enabled.

Command Modes

Global configuration mode

Command History

Release
Modification

12.1(1)T

This command was introduced.


Usage Guidelines

Before configuring Xauth, you should complete the following tasks:

Set up an authentication list using AAA commands

Configure an IP Security transform

Configure a crypto map

Configure Internet Security Association Key Management Protocol policy

After enabling Xauth, you should apply the crypto map on which Xauth is configured to the router interface.

Examples

The following example configures user authentication (a list of authentication methods called xauthlist) on an existing static crypto map called xauthmap:

crypto map xauthmap client authentication list xauthlist

The following example configures user authentication (a list of authentication methods called xauthlist) on a dynamic crypto map called xauthdynamic that has been applied to a static crypto map called xauthmap:

crypto map xauthmap client authentication list xauthlist
crypto map xauthmap 10 ipsec-isakmp dynamic xauthdynamic

Related Commands

Command
Description

aaa authentication login

Sets AAA authentication at login.

crypto ipsec transform-set

Defines a transform set, which is an acceptable combination of security protocols and algorithms, and enters crypto transform configuration mode.

crypto isakmp key

Configures a preshared authentication key.

crypto isakmp policy

Defines an IKE policy, and enters ISAKMP policy configuration mode.

crypto map (global configuration)

Creates or modifies a crypto map entry and enters crypto map configuration mode.

interface

Enters the interface configuration mode.


crypto map client configuration address

To configure IKE Mode Configuration on your router, use the crypto map client configuration address global configuration command. To disable IKE Mode Configuration, use the no form of this command.

crypto map tag client configuration address [initiate | respond]

no crypto map tag client configuration address

Syntax Description

tag

The name that identifies the crypto map.

initiate

(Optional) A keyword that indicates the router will attempt to set IP addresses for each peer.

respond

(Optional) A keyword that indicates the router will accept requests for IP addresses from any requesting peer.


Defaults

IKE Mode Configuration is not enabled.

Command Modes

Global configuration.

Command History

Release
Modification

12.0(4)XE

This command was introduced.

12.0(7)T

This command was implemented in Cisco IOS release 12.0(7)T.


Usage Guidelines

At the time of this publication, this feature is an IETF draft with limited support. Therefore this feature was not designed to enable the configuration mode for every IKE connection by default.

Examples

The following examples configure IKE Mode Configuration on your router:

crypto map dyn client configuration address initiate
crypto map dyn client configuration address respond

Related Commands

Command
Description

crypto map (global)

Creates or modifies a crypto map entry and enters the crypto map configuration mode.


crypto map isakmp authorization list

To enable Internet Key Exchange (IKE) querying of authentication, authorization, and accounting (AAA) for tunnel attributes in aggressive mode, use the crypto map isakmp authorization list global configuration command. To restore the default value, use the no form of this command.

crypto map map-name isakmp authorization list list-name

no crypto map map-name isakmp authorization list list-name

Syntax Description

map-name

Name you assign to the crypto map set.

list-name

Character string used to name the list of authorization methods activated when a user logs in. The list name must match the list name defined during AAA configuration.


Defaults

No default behavior or values.

Command Modes

Global configuration

Command History

Release
Modification

12.1(1)T

This command was introduced.


Usage Guidelines

Use the crypto map isakmp authorization list command to enable key lookup from an AAA server.

Preshared keys deployed in a large-scale Virtual Private Network (VPN) without a certification authority, and with dynamic IP addresses, are retrieved during aggressive mode of IKE negotiation through an AAA server. Thus, each user has their own key, which is stored on an external AAA server. This allows central management of the user database, linking it to an existing database, while also giving every user a unique, and therefore more secure, preshared key.

Before configuring the crypto map isakmp authorization list command, you should perform the following tasks:

Set up an authorization list using AAA commands.

Configure an IPSec transform.

Configure a crypto map.

Configure an Internet Security Association Key Management Protocol policy using IPSec and IKE commands.

After enabling the crypto map isakmp authorization list command, you should apply the previously defined crypto map to the interface.

Examples

The following example shows how to configure the crypto map isakmp authorization list command:

crypto map ikessaaamap isakmp authorization list ikessaaalist
crypto map ikessaaamap 10 ipsec-isakmp dynamic ikessaaadyn

Related Commands

Command
Description

aaa authorization

Sets parameters that restrict a user's network access.

crypto ipsec transform-set

Defines a transform set, which is an acceptable combination of security protocols and algorithms, and enters crypto transform configuration mode.

crypto map (global configuration)

Creates or modifies a crypto map entry and enters the crypto map configuration mode.

crypto isakmp policy

Defines an IKE policy and enters ISAKMP policy configuration mode.

crypto isakmp key

Configures a preshared authentication key.

interface

Enters interface configuration mode.


crypto map isakmp-profile

To configure an Internet Security Association and Key Management Protocol (ISAKMP) profile on a crypto map, use the crypto map isakmp-profile command in global configuration mode. To restore the default values on the crypto map, use the no form of this command.

crypto map map-name isakmp-profile isakmp-profile-name

no crypto map map-name isakmp-profile isakmp-profile-name

Syntax Description

map-name

Name assigned to the crypto map set.

isakmp-profile-name

Character string used to name the ISAKMP profile that is used during an Internet Key Exchange (IKE) Phase 1 and Phase 1.5 exchange. The isakmp-profile-name must match the ISAKMP profile name that was defined during the ISAKMP profile configuration.


Defaults

No default behavior or values

Command Modes

Global configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Usage Guidelines

This command describes the ISAKMP profile to use to start the IKE exchange. Before configuring this command, you must set up the ISAKMP profile.

Examples

The following example shows that an ISAKMP profile is configured on a crypto map:

crypto map vpnmap isakmp-profile vpnprofile

Related Commands

Command
Description

crypto ipsec transform-set

Defines a transform set—an acceptable combination of security protocols and algorithms.

crypto map (global)

Creates or modifies a crypto map entry.


dns

To specify the primary and secondary Domain Name Service (DNS) servers, use the dns command in Internet Security Association Key Management Protocol (ISAKMP) group configuration mode. To remove this command from your configuration, use the no form of this command.

dns primary-server secondary-server

no dns primary-server secondary-server

Syntax Description

primary-server

Name of the primary DNS server.

secondary-server

Name of the secondary DNS server.


Defaults

A DNS server is not specified.

Command Modes

ISAKMP group configuration

Command History

Release
Modification

12.2(8)T

This command was introduced.


Usage Guidelines

Use the dns command to specify the primary and secondary DNS servers for the group.

You must enable the crypto isakmp client configuration group command, which specifies group policy information that needs to be defined or changed, before enabling the dns command.

Examples

The following example shows how to define a primary and secondary DNS server for the default group name:

crypto isakmp client configuration group default
  key cisco
  dns 2.2.2.2 2.3.2.3
  pool dog
  acl 199

Related Commands

Command
Description

crypto isakmp client configuration group

Specifies which group's policy profile will be defined.

domain (isakmp-group)

Specifies the DNS domain to which a group belongs.


domain (isakmp-group)

To specify the Domain Name Service (DNS) domain to which a group belongs, use the domain command in Internet Security Association Key Management Protocol (ISAKMP) group configuration mode. To remove this command from your configuration, use the no form of this command.

domain name

no domain name

Syntax Description

name

Name of the DNS domain.


Defaults

A DNS domain is not specified.

Command Modes

ISAKMP group configuration

Command History

Release
Modification

12.2(8)T

This command was introduced.


Usage Guidelines

Use the domain command to specify group domain membership.

You must enable the crypto isakmp client configuration group command, which specifies group policy information that needs to be defined or changed, before enabling the domain command.

Examples

The following example shows that members of the group "cisco" also belong to the domain "cisco.com":

crypto isakmp client configuration group cisco
  key cisco
  dns 2.2.2.2 2.3.2.3
  pool dog
  acl 199
  domain cisco.com

Related Commands

Command
Description

crypto isakmp client configuration group

Specifies which group's policy profile will be defined.

dns

Specifies the primary and secondary DNS servers.


encryption (IKE policy)

To specify the encryption algorithm within an Internet Key Exchange (IKE) policy, use the encryption command in Internet Security Association Key Management Protocol (ISAKMP) policy configuration mode. IKE policies define a set of parameters to be used during IKE negotiation. To reset the encryption algorithm to the default value, use the no form of this command.

encryption {des | 3des | aes | aes 192 | aes 256}

no encryption

Syntax Description

des

56-bit Data Encryption Standard (DES)-CBC as the encryption algorithm.

3des

168-bit DES (3DES) as the encryption algorithm.

aes

128-bit Advanced Encryption Standard (AES) as the encryption algorithm.

aes 192

192-bit AES as the encryption algorithm.

aes 256

256-bit AES as the encryption algorithm.


Defaults

The 56-bit DES-CBC encryption algorithm

Command Modes

ISAKMP policy configuration

Command History

Release
Modification

11.3 T

This command was introduced.

12.0(2)T

The 3des option was added.

12.2(13)T

The following keywords were added: aes, aes 192, and aes 256.


Usage Guidelines

Use this command to specify the encryption algorithm to be used in an IKE policy.

If a user enters an IKE encryption method that the hardware does not support, a warning message will be displayed immediately after the encryption command is entered.

Examples

The following example configures an IKE policy with the 3DES encryption algorithm (all other parameters are set to the defaults):

crypto isakmp policy
encryption 3des
exit

The following example is a sample warning message that is displayed when a user enters an IKE encryption method that the hardware does not support:

encryption aes 256
WARNING:encryption hardware does not support the configured
encryption method for ISAKMP policy 1

Related Commands

Command
Description

authentication (IKE policy)

Specifies the authentication method within an IKE policy.

crypto isakmp policy

Defines an IKE policy.

group (IKE policy)

Specifies the DH group identifier within an IKE policy.

hash (IKE policy)

Specifies the hash algorithm within an IKE policy.

lifetime (IKE policy)

Specifies the lifetime of an IKE SA.

show crypto isakmp policy

Displays the parameters for each IKE policy.


group (IKE policy)

To specify the Diffie-Hellman group identifier within an Internet Key Exchange policy, use the group ISAKMP policy configuration command. IKE policies define a set of parameters to be used during IKE negotiation. To reset the Diffie-Hellman group identifier to the default value, use the no form of this command.

group {1 | 2}

no group

Syntax Description

1

Specifies the 768-bit Diffie-Hellman group.

2

Specifies the 1024-bit Diffie-Hellman group.


Defaults

768-bit Diffie-Hellman (group 1)

Command Modes

ISAKMP policy configuration

Command History

Release
Modification

11.3 T

This command was introduced.


Usage Guidelines

Use this command to specify the Diffie-Hellman group to be used in an IKE policy.

Examples

The following example configures an IKE policy with the 1024-bit Diffie-Hellman group (all other parameters are set to the defaults):

crypto isakmp policy 15
group 2
exit

Related Commands

Command
Description

authentication (IKE policy)

Specifies the authentication method within an IKE policy.

crypto isakmp policy

Defines an IKE policy.

encryption (IKE policy)

Specifies the encryption algorithm within an IKE policy.

hash (IKE policy)

Specifies the hash algorithm within an IKE policy.

lifetime (IKE policy)

Specifies the lifetime of an IKE SA.

show crypto isakmp policy

Displays the parameters for each IKE policy.


group-lock

To allow you to enter your extended authentication (Xauth) username, including the group name, when preshared key authentication is used with Internet Key Exchange (IKE), use the group-lock command in Internet Security Association Key Management Protocol (ISAKMP) group configuration mode. To remove the group lock, use the no form of this command.

group-lock

no group-lock

Syntax Description

This command has no arguments or keywords.

Defaults

Group lock is not configured.

Command Modes

ISAKMP group configuration

Command History

Release
Modification

12.2(13)T

This command was introduced.


Usage Guidelines

When the group-lock command is enabled, you may enter your Xauth username as name/group, name\group, name@group, or name%group. The group specified after the delimiter is then compared against the group identifier that is sent during IKE aggressive mode. The groups must match or the connection is rejected.

Examples

The following example shows that group lock is configured:

crypto isakmp client configuration group cisco
  group-lock

Related Commands

Command
Description

acl

Specifies which policy profile of a group will be defined.


hash (IKE policy)

To specify the hash algorithm within an Internet Key Exchange policy, use the hash ISAKMP policy configuration command. IKE policies define a set of parameters to be used during IKE negotiation. To reset the hash algorithm to the default SHA-1 hash algorithm, use the no form of this command.

hash {sha | md5}

no hash

Syntax Description

sha

Specifies SHA-1 (HMAC variant) as the hash algorithm.

md5

Specifies MD5 (HMAC variant) as the hash algorithm.


Defaults

The SHA-1 hash algorithm

Command Modes

ISAKMP policy configuration

Command History

Release
Modification

11.3 T

This command was introduced.


Usage Guidelines

Use this command to specify the hash algorithm to be used in an IKE policy.

Examples

The following example configures an IKE policy with the MD5 hash algorithm (all other parameters are set to the defaults):

crypto isakmp policy 15
hash md5
exit

Related Commands

Command
Description

authentication (IKE policy)

Specifies the authentication method within an IKE policy.

crypto isakmp policy

Defines an IKE policy.

encryption (IKE policy)

Specifies the encryption algorithm within an IKE policy.

group (IKE policy)

Specifies the Diffie-Hellman group identifier within an IKE policy.

lifetime (IKE policy)

Specifies the lifetime of an IKE SA.

show crypto isakmp policy

Displays the parameters for each IKE policy.


initiate-mode

To configure the Phase 1 mode of an Internet Key Exchange (IKE) negotiation, use the initiate-mode command in isakmp profile configuration mode. To remove the mode that was configured, use the no form of this command.

initiate-mode aggressive

no initiate-mode aggressive

Syntax Description

aggressive

Aggressive mode is initiated.


Defaults

IKE initiates main mode.

Command Modes

Isakmp profile configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Usage Guidelines

Use this command if you want to initiate an IKE aggressive mode exchange instead of a main mode exchange.

Examples

The following example shows that aggressive mode has been configured:

crypto isakmp profile vpnprofile
 initiate-mode aggressive

isakmp authorization list

To configure an Internet Key Exchange (IKE) shared secret using the authentication, authorization, and accounting (AAA) server in an Internet Security Association and Key Management Protocol (ISAKMP) profile, use the isakmp authorization list command in isakmp profile configuration mode. To disable the shared secret, use the no form of this command.

isakmp authorization list list-name

no isakmp authorization list list-name

Syntax Description

list-name

AAA authorization list used for configuration mode attributes or preshared keys for aggressive mode.


Defaults

No default behaviors or values

Command Modes

Isakmp profile configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Usage Guidelines

This command allows you to retrieve a shared secret from an AAA server.

Examples

The following example shows that an IKE shared secret is configured using an AAA server on a router:

crypto isakmp profile vpnprofile
 isakmp authorization list ikessaaalist

Related Commands

Command
Description

aaa authorization

Sets parameters that restrict user access to a network.


keepalive (isakmp profile)

To allow the gateway to send dead peer detection (DPD) messages to the peer, use the keepalive command in isakmp profile configuration mode. To return to the default, use the no form of this command.

keepalive seconds retry retry-seconds

no keepalive seconds retry retry-seconds

Syntax Description

seconds

Number of seconds between DPD messages. The range is from 10 to 3600 seconds.

retry retry-seconds

Number of seconds between retries if DPD message fails. The range is from 2 to 60 seconds.


Defaults

If this command is not configured, a DPD message is not sent to the client.

Command Modes

Isakmp profile configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Usage Guidelines

Use this command to enable the gateway (instead of the client) to send DPD messages to the client. Internet Key Exchange (IKE) DPD is a new keepalive scheme that sends messages to let the router know that the client is still connected.

Examples

The following example shows that DPD messages have been configured to be sent every 60 seconds and every 5 seconds between retries if the peer does not respond:

crypto isakmp profile vpnprofile
 keepalive 60 retry 5

key (isakmp-group)

To specify the Internet Key Exchange (IKE) preshared key for group policy attribute definition, use the key command in Internet Security Association Key Management Protocol (ISAKMP) group configuration mode. To remove a preshared key, use the no form of this command.

key name

no key name

Syntax Description

name

IKE preshared key that matches the password entered on the client.

Note This value must match the "password" field that is defined in the Cisco VPN Client 3.x configuration GUI.


Defaults

No default behavior or values.

Command Modes

ISAKMP group configuration

Command History

Release
Modification

12.2(8)T

This command was introduced.


Usage Guidelines

Use the key command to specify the IKE preshared key when defining group policy information for Mode Configuration push. (This command follows the crypto isakmp client configuration group command.) You must configure this command if the client identifies itself to the router with a preshared key. (You do not have to enable this command if the client uses a certificate for identification.)

Examples

The following example shows how to specify the preshared key "cisco":

crypto isakmp client configuration group default
  key cisco
  dns 2.2.2.2 2.3.2.3
  pool dog
  acl 199

Related Commands

Command
Description

crypto isakmp client configuration group

Specifies which group's policy profile will be defined.


keyring

To configure a keyring with an Internet Security Association and Key Management Protocol (ISAKMP) profile, use the keyring command in isakmp profile configuration mode. To remove the keyring from the ISAKMP profile, use the no form of this command.

keyring keyring-name

no keyring keyring-name

Syntax Description

keyring-name

The keyring name, which must match the keyring name that was defined in the global configuration.


Defaults

If this command is not used, the ISAKMP profile uses the keys defined in the global configuration.

Command Modes

Isakmp profile configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Usage Guidelines

The ISAKMP profile successfully completes authentication of peers if the peer keys are defined in the keyring that is attached to this profile. If no keyring is defined in the profile, the global keys that were defined in the global configuration are used.

Examples

The following example shows that "vpnkeyring" is configured as the keyring name:

crypto isakmp profile vpnprofile
  keyring vpnkeyring

key-string (IKE)

To specify the Rivest, Shamir, and Adleman (RSA) public key of the remote peer, use the key-string command in public key configuration mode. To remove the RSA public key, use the no form of this command.

key-string key-string

no key-string key-string

Syntax Description

key-string

Enter the key in hexadecimal format. While entering the key data, you can press Return to continue entering data.


Defaults

No default behavior or values

Command Modes

Public key configuration

Command History

Release
Modification

11.3 T

This command was introduced.


Usage Guidelines

Before using this command, you must enter the rsa-pubkey command in the crypto keyring mode.

If possible, to avoid mistakes, you should cut and paste the key data (instead of attempting to type in the data).

To complete the command, you must return to the global configuration mode by typing quit at the config-pubkey prompt.

Examples

The following example manually specifies the RSA public keys of an IP Security (IPSec) peer:

Router(config)# crypto keyring vpnkeyring
Router(conf-keyring)# rsa-pubkey name host.vpn.com
Router(config-pubkey-key)# address 10.5.5.1
Router(config-pubkey)# key-string
Router(config-pubkey)# 00302017 4A7D385B 1234EF29 335FC973
Router(config-pubkey)# 2DD50A37 C4F4B0FD 9DADE748 429618D5
Router(config-pubkey)# 18242BA3 2EDFBDD3 4296142A DDF7D3D8
Router(config-pubkey)# 08407685 2F2190A0 0B43F1BD 9A8A26DB
Router(config-pubkey)# 07953829 791FCDE9 A98420F0 6A82045B
Router(config-pubkey)# 90288A26 DBC64468 7789F76E EE21
Router(config-pubkey)# quit
Router(config-pubkey-key)# exit
Router(conf-keyring)# exit
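The hex pasted at the config-pubkey prompt is the peer's public key in DER SubjectPublicKeyInfo layout, so decoding it before committing catches the mistyped or truncated paste the guideline above warns about. The following check is an added example, not Cisco's code: the parser, the encoder that lays bytes out in the CLI's four-words-per-line format, and the 128-bit sample key are all constructed for this example.

```python
# rsaEncryption, OID 1.2.840.113549.1.1.1, as it appears inside the key data.
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")


def der(tag, content):
    """Encode one DER TLV; two-byte long-form lengths cover any RSA key size."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content


def der_integer(value):
    """DER INTEGER for a non-negative int; a 0x00 pad keeps the top bit from reading as a sign."""
    raw = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    return der(0x02, (b"\x00" if raw[0] & 0x80 else b"") + raw)


def build_rsa_spki(modulus, exponent):
    """SubjectPublicKeyInfo: SEQ { SEQ { OID rsaEncryption, NULL }, BIT STRING { SEQ { n, e } } }."""
    alg = der(0x30, der(0x06, RSA_ENCRYPTION_OID) + der(0x05, b""))
    rsa_key = der(0x30, der_integer(modulus) + der_integer(exponent))
    return der(0x30, alg + der(0x03, b"\x00" + rsa_key))


def _read_tlv(buf, pos):
    """Return (tag, content, position after the TLV) for the TLV at pos."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:                                  # long form: n & 0x7F length bytes follow
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("length 0x%X at offset %d runs past the end of the data" % (n, pos))
    return tag, buf[pos:pos + n], pos + n


def parse_key_string(hex_lines):
    """Decode key-string hex lines (as pasted at the config-pubkey prompt) into (modulus, exponent).

    Raises ValueError when the data is not an rsaEncryption SubjectPublicKeyInfo,
    which is what a mistyped or truncated paste produces.
    """
    data = bytes.fromhex("".join(hex_lines).replace(" ", ""))
    tag, spki, end = _read_tlv(data, 0)
    if tag != 0x30 or end != len(data):
        raise ValueError("outer SEQUENCE does not frame exactly the pasted bytes")
    tag, alg, pos = _read_tlv(spki, 0)
    oid_tag, oid, _ = _read_tlv(alg, 0)
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("algorithm identifier is not rsaEncryption")
    tag, bits, _ = _read_tlv(spki, pos)
    if tag != 0x03 or bits[:1] != b"\x00":
        raise ValueError("public key BIT STRING missing or has unused bits")
    tag, rsa, _ = _read_tlv(bits, 1)
    n_tag, n_bytes, pos = _read_tlv(rsa, 0)
    e_tag, e_bytes, _ = _read_tlv(rsa, pos)
    if tag != 0x30 or n_tag != 0x02 or e_tag != 0x02:
        raise ValueError("RSAPublicKey is not SEQUENCE { INTEGER n, INTEGER e }")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def key_string_is_valid(hex_lines):
    """True if the pasted lines decode to an RSA public key with a sane (odd, > 1) exponent."""
    try:
        _, e = parse_key_string(hex_lines)
    except (ValueError, IndexError):
        return False
    return e > 1 and e % 2 == 1


def to_key_string_lines(spki):
    """Lay DER bytes out like the CLI example: 8 hex digits per word, 4 words per line."""
    h = spki.hex().upper()
    words = [h[i:i + 8] for i in range(0, len(h), 8)]
    return [" ".join(words[i:i + 4]) for i in range(0, len(words), 4)]


# Constructed sample key: a 128-bit modulus keeps the output to three lines;
# real keys run to hundreds of bytes but have exactly the same layout.
SAMPLE_N = 0xD4C3B2A1F0E1D2C3B4A5968778695A4B
SAMPLE_E = 65537
SAMPLE_LINES = to_key_string_lines(build_rsa_spki(SAMPLE_N, SAMPLE_E))
```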

Related Commands

Command
Description

crypto keyring

Defines a crypto keyring.

rsa-pubkey

Defines the RSA public key to be used for encryption or signatures during IKE authentication.

show crypto keyring

Displays keyrings on your router.


lifetime (IKE policy)

To specify the lifetime of an Internet Key Exchange security association (SA), use the lifetime Internet Security Association Key Management Protocol policy configuration command. To reset the SA lifetime to the default value, use the no form of this command.

lifetime seconds

no lifetime

Syntax Description

seconds

Number of seconds each SA should exist before expiring. Use an integer from 60 to 86,400 seconds.


Defaults

86,400 seconds (one day)

Command Modes

ISAKMP policy configuration

Command History

Release
Modification

11.3 T

This command was introduced.


Usage Guidelines

Use this command to specify how long an IKE SA exists before expiring.

When IKE begins negotiations, the first thing it does is agree upon the security parameters for its own session. The agreed-upon parameters are then referenced by an SA at each peer. The SA is retained by each peer until the SA's lifetime expires. Before an SA expires, it can be reused by subsequent IKE negotiations, which can save time when setting up new IPSec SAs. New IPSec SAs are negotiated before current IPSec SAs expire.

So, to save setup time for IPSec, configure a longer IKE SA lifetime. However, shorter lifetimes limit the exposure to attackers of this SA. The longer an SA is used, the more encrypted traffic can be gathered by an attacker and possibly used in an attack.

Note that when your local peer initiates an IKE negotiation between itself and a remote peer, an IKE policy can be selected only if the lifetime of the remote peer's policy is shorter than or equal to the lifetime of the local peer's policy. Then, if the lifetimes are not equal, the shorter lifetime is selected. To restate this behavior: if the two peers' policy lifetimes are not the same, the initiating peer's lifetime must be longer and the responding peer's lifetime shorter, and the shorter lifetime is used.

Examples

The following example configures an IKE policy with a security association lifetime of 600 seconds (10 minutes), and all other parameters are set to the defaults:

crypto isakmp policy 15
  lifetime 600
  exit

Related Commands

Command
Description

authentication (IKE policy)

Specifies the authentication method within an IKE policy.

crypto isakmp policy

Defines an IKE policy.

encryption (IKE policy)

Specifies the encryption algorithm within an IKE policy.

group (IKE policy)

Specifies the Diffie-Hellman group identifier within an IKE policy.

hash (IKE policy)

Specifies the hash algorithm within an IKE policy.

show crypto isakmp policy

Displays the parameters for each IKE policy.


match identity

To match an identity from a peer in an Internet Security Association and Key Management Protocol (ISAKMP) profile, use the match identity command in isakmp profile configuration mode. To remove the identity, use the no form of this command.

match identity {group group-name | address address [mask] [fvrf] | host host-name | host domain domain-name | user user-fqdn | user domain domain-name}

no match identity {group group-name | address address [mask] [fvrf] | host host-name | host domain domain-name | user user-fqdn | user domain domain-name}

Syntax Description

group group-name

A Unity group that matches identification (ID) type ID_KEY_ID. If Unity and main mode Rivest, Shamir, and Adleman (RSA) signatures are used, the group-name argument matches the Organizational Unit (OU) field of the Distinguished Name (DN).

address address [mask] [fvrf]

An identity that matches the identity of type ID_IPV4_ADDR.

mask—Use to match the range of the address.

fvrf—Use to match the address in the front door Virtual Route Forwarding (FVRF) Virtual Private Network (VPN) space.

host host-name

Identity that matches an identity of the type ID_FQDN.

host domain domain-name

Identity that matches an identity of the type ID_FQDN, whose fully qualified domain name (FQDN) ends with the domain name.

user user-fqdn

Identity that matches the FQDN.

user domain domain-name

Identity that matches the identities of the type ID_USER_FQDN. When the user domain keyword is present, all users having identities of the type ID_USER_FQDN and ending with "domain-name" will be matched.


Defaults

No default behavior or values

Command Modes

Isakmp profile configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Usage Guidelines

There must be at least one match identity command in an ISAKMP profile configuration. The peers are mapped to an ISAKMP profile when their identities are matched (as given in the ID payload of the Internet Key Exchange [IKE] exchange) against the identities that are defined in the ISAKMP profile. To uniquely map to an ISAKMP profile, no two ISAKMP profiles should match the same identity. If the peer identity is matched in two ISAKMP profiles, the configuration is invalid.

Examples

The following example shows that the match identity command is configured:

crypto isakmp profile vpnprofile
  match identity group vpngroup
  match identity address 10.53.11.1
  match identity host domain vpn.com
  match identity host server.vpn.com
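The mapping rules above, as an added example that is not Cisco's code: a small model that parses match identity lines as written under the profile, maps a peer's ID payload to exactly one ISAKMP profile, and refuses when two profiles claim the same identity (the invalid configuration the usage guidelines describe). The FVRF name "global", the host mask for a bare address, and the label-boundary domain check are assumptions of this model; partnerprofile and badprofile are constructed.

```python
import ipaddress

# IKE ID payload types named in the match identity syntax description.
ID_IPV4_ADDR, ID_FQDN, ID_USER_FQDN, ID_KEY_ID = "ID_IPV4_ADDR", "ID_FQDN", "ID_USER_FQDN", "ID_KEY_ID"
EXACT_TYPE = {"host": ID_FQDN, "user": ID_USER_FQDN}   # ID type each keyword matches


class PeerIdentity:
    """The peer's IKE ID payload plus the FVRF it arrived on ("global" is an assumed name)."""

    def __init__(self, id_type, value, fvrf="global"):
        self.id_type, self.value, self.fvrf = id_type, value, fvrf


def _in_domain(name, domain):
    """Suffix match on a label boundary: the reference says "ends with the domain name";
    the boundary is an added assumption so that evilvpn.com cannot match vpn.com."""
    return name == domain or name.endswith("." + domain) or name.endswith("@" + domain)


class IsakmpProfile:
    """One crypto isakmp profile, built from its match identity lines."""

    def __init__(self, name, lines=()):
        self.name, self.rules = name, []
        for line in lines:
            self.match_identity(line)

    def match_identity(self, line):
        """Parse one 'match identity ...' line as it appears under the profile."""
        tok = line.split()
        if tok[:2] != ["match", "identity"] or len(tok) < 4:
            raise ValueError("not a match identity line: " + line)
        kw, args = tok[2], tok[3:]
        if kw == "group":                                      # matches ID_KEY_ID
            self.rules.append(("group", args[0], None))
        elif kw == "address":                                  # address [mask] [fvrf]
            rest = args[1:]
            has_mask = bool(rest) and rest[0].replace(".", "").isdigit()
            mask = rest.pop(0) if has_mask else "255.255.255.255"  # bare address = host (assumption)
            net = ipaddress.IPv4Network((args[0], mask), strict=False)
            self.rules.append(("address", net, rest[0] if rest else None))
        elif kw in EXACT_TYPE and args[0] == "domain":         # host|user domain <name>
            self.rules.append((kw + "-domain", args[1].lower(), None))
        elif kw in EXACT_TYPE:                                 # exact FQDN or user FQDN
            self.rules.append((kw, args[0].lower(), None))
        else:
            raise ValueError("unknown match identity keyword: " + kw)
        return self

    def matches(self, peer):
        """True if any rule of this profile matches the peer's identity."""
        val = peer.value.lower()
        for kind, arg, fvrf in self.rules:
            if kind == "group" and peer.id_type == ID_KEY_ID and peer.value == arg:
                return True
            if kind == "address" and peer.id_type == ID_IPV4_ADDR:
                if ipaddress.IPv4Address(peer.value) in arg and fvrf in (None, peer.fvrf):
                    return True
            if kind.endswith("-domain"):                        # host domain / user domain
                if peer.id_type == EXACT_TYPE[kind[:4]] and _in_domain(val, arg):
                    return True
            elif kind in EXACT_TYPE and peer.id_type == EXACT_TYPE[kind] and val == arg:
                return True
        return False


def select_profile(profiles, peer):
    """Map a peer to the single profile whose rules match it; None if none does.
    Two profiles matching the same identity is an invalid configuration per the
    usage guidelines, so that case raises instead of silently picking one."""
    hits = [p for p in profiles if p.matches(peer)]
    if len(hits) > 1:
        raise ValueError("%r matched several profiles: %s"
                         % (peer.value, ", ".join(p.name for p in hits)))
    return hits[0] if hits else None


def is_ambiguous(profiles, peer):
    """True if more than one profile would claim this peer identity."""
    try:
        select_profile(profiles, peer)
    except ValueError:
        return True
    return False


# vpnprofile as in the example above, plus a constructed partner profile.
VPNPROFILE = IsakmpProfile("vpnprofile", [
    "match identity group vpngroup", "match identity address 10.53.11.1",
    "match identity host domain vpn.com", "match identity host server.vpn.com"])
PARTNERPROFILE = IsakmpProfile("partnerprofile", [   # constructed for this example
    "match identity address 192.0.2.0 255.255.255.0 partner-fvrf",
    "match identity user domain partner.example"])
PROFILES = [VPNPROFILE, PARTNERPROFILE]

# Constructed misconfiguration: 10.53.11.0/24 also covers vpnprofile's 10.53.11.1.
OVERLAPPING = PROFILES + [IsakmpProfile("badprofile",
                                        ["match identity address 10.53.11.0 255.255.255.0"])]
```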

named-key

To specify which peer's RSA public key you will manually configure, use the named-key public key chain configuration command. This command should only be used when the router has a single interface that processes IP Security.

named-key key-name [encryption | signature]

Syntax Description

key-name

Specifies the name of the remote peer's RSA keys. This is always the fully qualified domain name of the remote peer; for example, router.example.com.

encryption

(Optional) Indicates that the RSA public key to be specified will be an encryption special-usage key.

signature

(Optional) Indicates that the RSA public key to be specified will be a signature special-usage key.


Defaults

If neither the encryption nor the signature keyword is used, general-purpose keys will be specified.

Command Modes

Public key chain configuration. This command invokes public key configuration mode.

Command History

Release
Modification

11.3 T

This command was introduced.


Usage Guidelines

Use this command or the addressed-key command to specify which IPSec peer's RSA public key you will manually configure next.

Follow this command with the key-string command to specify the key.

If you use the named-key command, you also need to use the address public key configuration command to specify the IP address of the peer.

If the IPSec remote peer generated general purpose RSA keys, do not use the encryption or signature keyword.

If the IPSec remote peer generated special usage keys, you must manually specify both keys: perform this command and the key-string command twice and use the encryption and signature keywords in turn.

Examples

The following example manually specifies the RSA public keys of two IPSec peers. The peer at 10.5.5.1 uses general-purpose keys, and the other peer uses special-purpose keys.

crypto key pubkey-chain rsa
  named-key otherpeer.example.com
  address 10.5.5.1
  key-string
 005C300D 06092A86 4886F70D 01010105
 00034B00 30480241 00C5E23B 55D6AB22
 04AEF1BA A54028A6 9ACC01C5 129D99E4
 64CAB820 847EDAD9 DF0B4E4C 73A05DD2
 BD62A8A9 FA603DD2 E2A8A6F8 98F76E28
 D58AD221 B583D7A4 71020301 0001
 quit
 exit
  addressed-key 10.1.1.2 encryption
  key-string
 00302017 4A7D385B 1234EF29 335FC973
 2DD50A37 C4F4B0FD 9DADE748 429618D5
 18242BA3 2EDFBDD3 4296142A DDF7D3D8
 08407685 2F2190A0 0B43F1BD 9A8A26DB
 07953829 791FCDE9 A98420F0 6A82045B
 90288A26 DBC64468 7789F76E EE21
 quit
  exit
  addressed-key 10.1.1.2 signature
  key-string
 0738BC7A 2BC3E9F0 679B00FE 098533AB
 01030201 42DD06AF E228D24C 458AD228
 58BB5DDD F4836401 2A2D7163 219F882E
 64CE69D4 B583748A 241BED0F 6E7F2F16
 0DE0986E DF02031F 4B0B0912 F68200C4
 C625C389 0BFF3321 A2598935 C1B1
 quit
  exit
  exit

Related Commands

Command
Description

address

Specifies the IP address of the remote RSA public key of the remote peer you will manually configure.

addressed-key

Specifies the RSA public key of the peer you will manually configure.

crypto key pubkey-chain rsa

Enters public key configuration mode (to allow you to manually specify the RSA public keys of other devices).

key-string (IKE)

Specifies the RSA public key of a remote peer.

show crypto key pubkey-chain rsa

Displays peer RSA public keys stored on your router.


no crypto xauth

To ignore extended authentication (Xauth) during an Internet Key Exchange (IKE) Phase 1 negotiation, use the no crypto xauth command in global configuration mode. To consider Xauth proposals, use the crypto xauth command.

no crypto xauth interface

crypto xauth interface

Syntax Description

interface

Interface whose IP address is the local endpoint to which the remote peer will send IKE requests.


Defaults

No default behaviors or values

Command Modes

Global configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Usage Guidelines

The no version of this command was introduced to support Unity clients that do not require Xauth when using Internet Security Association and Key Management Protocol (ISAKMP) profiles.

Examples

The following example shows that Xauth proposals on Ethernet 1/1 are to be ignored:

no crypto xauth Ethernet1/1

pool (isakmp-group)

To define a local pool address, use the pool command in Internet Security Association Key Management Protocol (ISAKMP) group configuration mode. To remove a local pool from your configuration, use the no form of this command.

pool name

no pool name

Syntax Description

name

Name of the local pool address.


Defaults

No default behavior or values.

Command Modes

ISAKMP group configuration

Command History

Release
Modification

12.2(8)T

This command was introduced.


Usage Guidelines

Use the pool command to refer to an IP local pool address, which defines a range of addresses that will be used to allocate an internal IP address to a client. Although a user must define at least one pool name, a separate pool may be defined for each group policy.


Note This command must be defined and refer to a valid IP local pool address, or the client connection will fail.


Examples

The following example shows how to refer to the local pool address "dog":

crypto isakmp client configuration group cisco
  key cisco
  dns 2.2.2.2 2.3.2.3
  pool dog
  acl 199
!
ip local pool dog 10.1.1.1 10.1.1.254

Related Commands

Command
Description

crypto isakmp client configuration group

Specifies which group's policy profile will be defined.

ip local pool

Configures a local pool of IP addresses to be used when a remote peer connects to a point-to-point interface.


pre-shared-key

To define a preshared key to be used for Internet Key Exchange (IKE) authentication, use the pre-shared-key command in keyring configuration mode. To disable the preshared key, use the no form of this command.

pre-shared-key {address address [mask] | hostname hostname} key key

no pre-shared-key {address address [mask] | hostname hostname} key key

Syntax Description

address address [mask]

IP address of the remote peer or a subnet and mask. The mask argument is optional.

hostname hostname

Fully qualified domain name (FQDN) of the peer.

key key

Specifies the secret.


Defaults

No default behaviors or values

Command Modes

Keyring configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Usage Guidelines

Before configuring preshared keys, you must configure an Internet Security Association and Key Management Protocol (ISAKMP) profile.

Examples

The following example shows how to configure a preshared key using an IP address and host name:

crypto keyring vpnkeyring
 pre-shared-key address 10.72.23.11 key vpnkey
 pre-shared-key hostname www.vpn.com key vpnkey

quit

To exit from the key-string mode while defining the Rivest, Shamir, and Adleman (RSA) manual key to be used for encryption or signatures during Internet Key Exchange (IKE) authentication, use the quit command in public key configuration mode.

quit

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values

Command Modes

Public key configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Usage Guidelines

Use this command to exit text mode while defining the RSA public key.

Examples

The following example shows that the RSA public key of an IP Security (IPSec) peer has been specified:

Router(config)# crypto keyring vpnkeyring
Router(conf-keyring)# rsa-pubkey name host.vpn.com
Router(config-pubkey-key)# address 10.5.5.1
Router(config-pubkey)# key-string
Router(config-pubkey)# 00302017 4A7D385B 1234EF29 335FC973
Router(config-pubkey)# 2DD50A37 C4F4B0FD 9DADE748 429618D5
Router(config-pubkey)# 18242BA3 2EDFBDD3 4296142A DDF7D3D8
Router(config-pubkey)# 08407685 2F2190A0 0B43F1BD 9A8A26DB
Router(config-pubkey)# 07953829 791FCDE9 A98420F0 6A82045B
Router(config-pubkey)# 90288A26 DBC64468 7789F76E EE21
Router(config-pubkey)# quit
Router(config-pubkey-key)# exit
Router(conf-keyring)# exit

Related Commands

Command
Description

address

Specifies the IP address of the remote RSA public key of the remote peer that you will manually configure.

key-string (IKE)

Specifies the RSA public key of a remote peer.


rsa-pubkey

To define the Rivest, Shamir, and Adleman (RSA) manual key to be used for encryption or signature during Internet Key Exchange (IKE) authentication, use the rsa-pubkey command in keyring configuration mode. To remove the manual key that was defined, use the no form of this command.

rsa-pubkey {address address | name fqdn} [encryption | signature]

no rsa-pubkey {address address | name fqdn} [encryption | signature]

Syntax Description

address address

IP address of the remote peer.

name fqdn

Fully qualified domain name (FQDN) of the peer.

encryption

(Optional) The manual key is to be used for encryption.

signature

(Optional) The manual key is to be used for signature.


Defaults

No default behavior or values

Command Modes

Keyring configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Usage Guidelines

Use this command to enter public key chain configuration mode. Use this command when you need to manually specify RSA public keys of other IP Security (IPSec) peers. You need to specify the keys of other peers when you configure RSA encrypted nonces as the authentication method in an IKE policy at your peer router.

Examples

The following example shows that the RSA public key of an IPSec peer has been specified:

Router(config)# crypto keyring vpnkeyring
Router(conf-keyring)# rsa-pubkey name host.vpn.com
Router(config-pubkey-key)# address 10.5.5.1
Router(config-pubkey)# key-string
Router(config-pubkey)# 00302017 4A7D385B 1234EF29 335FC973
Router(config-pubkey)# 2DD50A37 C4F4B0FD 9DADE748 429618D5
Router(config-pubkey)# 18242BA3 2EDFBDD3 4296142A DDF7D3D8
Router(config-pubkey)# 08407685 2F2190A0 0B43F1BD 9A8A26DB
Router(config-pubkey)# 07953829 791FCDE9 A98420F0 6A82045B
Router(config-pubkey)# 90288A26 DBC64468 7789F76E EE21
Router(config-pubkey)# quit
Router(config-pubkey-key)# exit
Router(conf-keyring)# exit

self-identity

To define the identity that the local Internet Key Exchange (IKE) uses to identify itself to the remote peer, use the self-identity command in isakmp profile configuration mode. To remove the Internet Security Association and Key Management Protocol (ISAKMP) identity that was defined for the IKE, use the no form of this command.

self-identity {address | fqdn | user-fqdn user-fqdn}

no self-identity {address | fqdn | user-fqdn user-fqdn}

Syntax Description

address

The IP address of the local endpoint.

fqdn

The fully qualified domain name (FQDN) of the host.

user-fqdn user-fqdn

The user FQDN that is sent to the remote endpoint.


Defaults

If no ISAKMP identity is defined in the ISAKMP profile configuration, global configuration is the default.

Command Modes

ISAKMP profile configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Examples

The following example shows that the IKE identity is the user FQDN "user@vpn.com":

crypto isakmp profile vpnprofile
 self-identity user-fqdn user@vpn.com

serial-number

To define the serial number for the Rivest, Shamir, and Adleman (RSA) manual key to be used for encryption or signatures during Internet Key Exchange (IKE) authentication, use the serial-number command in pubkey configuration mode. To remove the manual key that was defined, use the no form of this command.

serial-number serial-number

no serial-number serial-number

Syntax Description

serial-number

Device serial number. The value is from 0 through infinity.


Defaults

No default behavior or values

Command Modes

Pubkey configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Examples

The following example shows that the public key of an IP Security (IPSec) peer has been specified:

Router(config)# crypto keyring vpnkeyring
Router(conf-keyring)# rsa-pubkey name host.vpn.com
Router(config-pubkey-key)# address 10.5.5.1
Router(config-pubkey-key)# serial-number 1000000
Router(config-pubkey)# key-string
Router(config-pubkey)# 00302017 4A7D385B 1234EF29 335FC973
Router(config-pubkey)# 2DD50A37 C4F4B0FD 9DADE748 429618D5
Router(config-pubkey)# 18242BA3 2EDFBDD3 4296142A DDF7D3D8
Router(config-pubkey)# 08407685 2F2190A0 0B43F1BD 9A8A26DB
Router(config-pubkey)# 07953829 791FCDE9 A98420F0 6A82045B
Router(config-pubkey)# 90288A26 DBC64468 7789F76E EE21
Router(config-pubkey)# quit
Router(config-pubkey-key)# exit
Router(conf-keyring)# exit

Related Commands

Command
Description

address

Specifies the IP address of the remote RSA public key of the remote peer that you will manually configure.

key-string (IKE)

Specifies the RSA public key of a remote peer.


set aggressive-mode client-endpoint

To specify the Tunnel-Client-Endpoint attribute within an Internet Security Association and Key Management Protocol (ISAKMP) peer configuration, use the set aggressive-mode client-endpoint command in ISAKMP policy configuration mode. To remove this attribute from your configuration, use the no form of this command.

set aggressive-mode client-endpoint client-endpoint

no set aggressive-mode client-endpoint client-endpoint

Syntax Description

client-endpoint

One of the following identification types of the initiator end of the tunnel:

ID_IPV4 (IPV4 address)

ID_FQDN (fully qualified domain name, for example "foo.cisco.com")

ID_USER_FQDN (e-mail address)

The ID type is translated to the corresponding ID type in Internet Key Exchange (IKE).


Defaults

The Tunnel-Client-Endpoint attribute is not defined.

Command Modes

ISAKMP policy configuration

Command History

Release
Modification

12.2(8)T

This command was introduced.


Usage Guidelines

Before you can use this command, you must enable the crypto isakmp peer command.

To initiate an IKE aggressive mode negotiation and specify the RADIUS Tunnel-Client-Endpoint attribute, the set aggressive-mode client-endpoint command, along with the set aggressive-mode password command, must be configured in the ISAKMP peer policy. The Tunnel-Client-Endpoint attribute will be communicated to the server by encoding it in the appropriate IKE identity payload.

Examples

The following example shows how to initiate aggressive mode using RADIUS tunnel attributes:

crypto isakmp peer address 4.4.4.1
 set aggressive-mode client-endpoint user-fqdn user@cisco.com
 set aggressive-mode password cisco123

Related Commands

Command
Description

crypto isakmp peer

Enables an IPSec peer for IKE querying of AAA for tunnel attributes in aggressive mode.

set aggressive-mode password

Specifies the Tunnel-Password attribute within an ISAKMP peer configuration.


set aggressive-mode password

To specify the Tunnel-Password attribute within an Internet Security Association and Key Management Protocol (ISAKMP) peer configuration, use the set aggressive-mode password command in ISAKMP policy configuration mode. To remove this attribute from your configuration, use the no form of this command.

set aggressive-mode password password

no set aggressive-mode password password

Syntax Description

password

Password that is used to authenticate the peer to a remote server. The tunnel password is used as the Internet Key Exchange (IKE) preshared key.


Defaults

The Tunnel-Password attribute is not defined.

Command Modes

ISAKMP policy configuration

Command History

Release
Modification

12.2(8)T

This command was introduced.


Usage Guidelines

Before you can use this command, you must enable the crypto isakmp peer command.

To initiate an IKE aggressive mode negotiation, the set aggressive-mode password command, along with the set aggressive-mode client-endpoint command, must be configured in the ISAKMP peer policy. The Tunnel-Password attribute will be used as the IKE preshared key for the aggressive mode negotiation.

Examples

The following example shows how to initiate aggressive mode using RADIUS tunnel attributes:

crypto isakmp peer address 4.4.4.1
 set aggressive-mode client-endpoint user-fqdn user@cisco.com
 set aggressive-mode password cisco123

Related Commands

Command
Description

crypto isakmp peer

Enables an IPSec peer for IKE querying of AAA for tunnel attributes in aggressive mode.

set aggressive-mode client-endpoint

Specifies the Tunnel-Client-Endpoint attribute within an ISAKMP peer configuration.


set isakmp-profile

To set the Internet Security Association and Key Management Protocol (ISAKMP) profile name, use the set isakmp-profile command in crypto map configuration mode. To remove the ISAKMP profile name, use the no form of this command.

set isakmp-profile profile-name

no set isakmp-profile profile-name

Syntax Description

profile-name

Name of the ISAKMP profile.


Defaults

If the ISAKMP profile is not specified in the crypto map entry, the default is to the ISAKMP profile that is on the head. If there is no ISAKMP profile on the head, the default is "none."

Command Modes

Crypto map configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Usage Guidelines

This command specifies the ISAKMP profile to use when the Internet Key Exchange (IKE) exchange is started.

Before configuring an ISAKMP profile on a crypto map, you should set up the ISAKMP profile.

Examples

The following example shows that an ISAKMP profile has been configured on a crypto map:

crypto map vpnmap 10 ipsec-isakmp
 set isakmp-profile vpnprofile

Related Commands

Command
Description

crypto ipsec transform-set

Defines a transform set, which is an acceptable combination of security protocols and algorithms.

crypto map (global)

Creates or modifies a crypto map entry.


show crypto isakmp key

To list the keyrings and their preshared keys, use the show crypto isakmp key command in EXEC mode.

show crypto isakmp key

Syntax Description

This command has no arguments or keywords.

Command Modes

EXEC

Command History

Release
Modification

12.2(15)T

This command was introduced.


Examples

The following is sample output for the show crypto isakmp key command:

Router# show crypto isakmp key

Hostname/Address       Preshared Key
vpn1                   : 172.61.1.1          vpn1
vpn2                   : 10.1.1.1            vpn2

The following configuration was in effect when the above show crypto isakmp key command was issued:

crypto keyring vpn1 
  pre-shared-key address 172.16.1.1 key vpn1
crypto keyring vpn2 
  pre-shared-key address 10.1.1.1 key vpn2

Table 30 describes significant fields in the show crypto isakmp key output.

Table 30 show crypto isakmp key Field Descriptions

Field
Description

Hostname/Address

The preshared key host name or address.

Preshared Key

The preshared key.

keyring

Name of the crypto keyring. The global keys are listed in the default keyring.

VRF string

The virtual route forwarding (VRF) of the keyring. If the keyring does not have a VRF, an empty string is printed.


show crypto isakmp policy

To view the parameters for each Internet Key Exchange (IKE) policy, use the show crypto isakmp policy command in EXEC mode.

show crypto isakmp policy

Syntax Description

This command has no arguments or keywords.

Command Modes

EXEC

Command History

Release
Modification

11.3 T

This command was introduced.

12.2(13)T

The command output was expanded to include a warning message for users who try to configure an IKE encryption method that the hardware does not support.


Examples

The following is sample output from the show crypto isakmp policy command, after two IKE policies have been configured (with priorities 15 and 20, respectively):

Router# show crypto isakmp policy

Protection suite priority 15
        encryption algorithm:    DES - Data Encryption Standard (56 bit keys)
        hash algorithm:  Message Digest 5
        authentication method:   Rivest-Shamir-Adleman Signature
        Diffie-Hellman Group:    #2 (1024 bit)
        lifetime:      5000 seconds, no volume limit
Protection suite priority 20
        encryption algorithm:    DES - Data Encryption Standard (56 bit keys)
        hash algorithm: Secure Hash Standard
        authentication method:   preshared Key
        Diffie-Hellman Group:    #1 (768 bit)
        lifetime:      10000 seconds, no volume limit
Default protection suite
        encryption algorithm:    DES - Data Encryption Standard (56 bit keys)
        hash algorithm: Secure Hash Standard
        authentication method:   Rivest-Shamir-Adleman Signature
        Diffie-Hellman Group:    #1 (768 bit)
        lifetime:      86400 seconds, no volume limit

Note Although the output shows "no volume limit" for the lifetimes, you can currently configure only a time lifetime (such as 86,400 seconds); volume limit lifetimes are not used.


The following sample output from the show crypto isakmp policy command displays a warning message after a user tries to configure an IKE encryption method that the hardware does not support:

Router# show crypto isakmp policy

Protection suite of priority 1
        encryption algorithm:  AES - Advanced Encryption Standard (256 bit keys).
WARNING:encryption hardware does not support the configured
encryption method for ISAKMP policy 1
        hash algorithm:        Secure Hash Standard
        authentication method: Pre-Shared Key
        Diffie-Hellman group:  #1 (768 bit)
        lifetime:              3600 seconds, no volume limit
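The two listings above show the layout of the output, including the unindented WARNING lines that are printed inside a suite when the hardware does not support the configured encryption method. The following Python is an added example, not Cisco code or output: it parses that layout into one record per protection suite (carrying the wrapped warning along) and reports the settings a reviewer would question. The sample output is assembled from the two listings above, and the thresholds in audit() are this example's own, not a Cisco recommendation.

```python
"""Parse 'show crypto isakmp policy' output into one record per protection suite
and list the settings a reviewer would question.  Added example, not Cisco code."""
import re

# Constructed from the two listings in the reference text (not a device capture).
SAMPLE_OUTPUT = """\
Router# show crypto isakmp policy

Protection suite priority 15
        encryption algorithm:    DES - Data Encryption Standard (56 bit keys)
        hash algorithm:  Message Digest 5
        authentication method:   Rivest-Shamir-Adleman Signature
        Diffie-Hellman Group:    #2 (1024 bit)
        lifetime:      5000 seconds, no volume limit
Protection suite of priority 1
        encryption algorithm:  AES - Advanced Encryption Standard (256 bit keys).
WARNING:encryption hardware does not support the configured
encryption method for ISAKMP policy 1
        hash algorithm:        Secure Hash Standard
        authentication method: Pre-Shared Key
        Diffie-Hellman group:  #1 (768 bit)
        lifetime:              3600 seconds, no volume limit
Default protection suite
        encryption algorithm:    DES - Data Encryption Standard (56 bit keys)
        hash algorithm: Secure Hash Standard
        authentication method:   Rivest-Shamir-Adleman Signature
        Diffie-Hellman Group:    #1 (768 bit)
        lifetime:      86400 seconds, no volume limit
"""

# Both header spellings seen in the output ("priority N" and "of priority N").
HEADER = re.compile(r"^(?:Protection suite (?:of )?priority (\d+)|Default protection suite)\s*$")
# Field lines are indented "name:   value"; the WARNING lines are not indented.
FIELD = re.compile(r"^\s+([A-Za-z][A-Za-z\- ]*):\s*(.*?)\s*$")
DH = re.compile(r"#(\d+)\s*\((\d+) bit\)")


def parse_policies(text: str):
    """One dict per suite: priority (None for the default suite), fields, warning."""
    policies, cur = [], None
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            cur = {"priority": int(h.group(1)) if h.group(1) else None,
                   "fields": {}, "warning": ""}
            policies.append(cur)
            continue
        if cur is None:
            continue                      # prompt and blank lines before the first suite
        f = FIELD.match(line)
        if f:
            cur["fields"][f.group(1).lower()] = f.group(2)
        elif line.startswith("WARNING:") or (cur["warning"] and line and not line[0].isspace()):
            # the hardware warning is unindented and may wrap onto a second line
            cur["warning"] = (cur["warning"] + " " + line.strip()).strip()
    return policies


def audit(policy):
    """Findings for one suite; an empty list means nothing to raise."""
    f, findings = policy["fields"], []
    enc = f.get("encryption algorithm", "")
    if enc.startswith("DES") and "56 bit" in enc:
        findings.append("single DES (56-bit key)")
    if "Message Digest 5" in f.get("hash algorithm", ""):
        findings.append("MD5 hash")
    dh = DH.search(f.get("diffie-hellman group", ""))
    if dh and int(dh.group(2)) < 2048:    # example threshold, set per local policy
        findings.append("DH group %s (%s-bit modulus)" % (dh.group(1), dh.group(2)))
    if policy["warning"]:
        findings.append("hardware warning: " + policy["warning"])
    return findings


def audit_all(text: str):
    """Map suite label -> findings for a whole show output."""
    return {("default" if p["priority"] is None else "priority %d" % p["priority"]): audit(p)
            for p in parse_policies(text)}
```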

Related Commands

Command
Description

authentication (IKE policy)

Specifies the authentication method within an IKE policy.

crypto isakmp policy

Defines an IKE policy.

encryption (IKE policy)

Specifies the encryption algorithm within an IKE policy.

group (IKE policy)

Specifies the DH group identifier within an IKE policy.

hash (IKE policy)

Specifies the hash algorithm within an IKE policy.

lifetime (IKE policy)

Specifies the lifetime of an IKE SA.


show crypto isakmp profile

To list all the Internet Security Association and Key Management Protocol (ISAKMP) profiles that are defined on a router, use the show crypto isakmp profile command in EXEC mode.

show crypto isakmp profile

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values

Command Modes

EXEC

Command History

Release
Modification

12.2(15)T

This command was introduced.


Examples

The following is sample output for the show crypto isakmp profile command:

Router# show crypto isakmp profile

ISAKMP PROFILE vpn1-ra
   Identities matched are:
group vpn1-ra
   Identity presented is: ip-address

Table 31 describes significant fields in the display.

Table 31 show crypto isakmp profile Field Descriptions

Field
Description

ISAKMP PROFILE

Name of the ISAKMP profile.

Identities matched are:

Lists all identities that the ISAKMP profile will match.

Identity presented is:

The identity that the ISAKMP profile will present to the remote endpoint.


The following configuration was in effect when the above show crypto isakmp profile command was issued:

crypto isakmp profile vpn1-ra
   vrf vpn1
   self-identity address
   match identity group vpn1-ra
   client authentication list aaa-list
   isakmp authorization list aaa
   client configuration address initiate
   client configuration address respond

Related Commands

Command
Description

show crypto isakmp key

Lists the keyrings and their preshared keys.


show crypto isakmp sa

To view all current Internet Key Exchange (IKE) security associations (SAs) at a peer, use the show crypto isakmp sa command in EXEC mode.

show crypto isakmp sa

Syntax Description

This command has no arguments or keywords.

Command Modes

EXEC

Command History

Release
Modification

11.3 T

This command was introduced.


Examples

The following is sample output from the show crypto isakmp sa command after IKE negotiations have been successfully completed between two peers:

Router# show crypto isakmp sa

f_vrf/i_vrf    dst             src           state        conn-id    slot
      /vpn2    172.21.114.123  10.1.1.1      QM_IDLE           13       0

Table 32 through Table 34 show the various states that may be displayed in the output of the show crypto isakmp sa command. When an Internet Security Association and Key Management Protocol (ISAKMP) SA exists, it will most likely be in its quiescent state (QM_IDLE). For long exchanges, some of the MM_xxx states may be observed.

Table 32 States in Main Mode Exchange

State
Explanation

MM_NO_STATE

The ISAKMP SA has been created, but nothing else has happened yet. It is "larval" at this stage—there is no state.

MM_SA_SETUP

The peers have agreed on parameters for the ISAKMP SA.

MM_KEY_EXCH

The peers have exchanged Diffie-Hellman public keys and have generated a shared secret. The ISAKMP SA remains unauthenticated.

MM_KEY_AUTH

The ISAKMP SA has been authenticated. If the router initiated this exchange, this state transitions immediately to QM_IDLE, and a Quick Mode exchange begins.


Table 33 States in Aggressive Mode Exchange 

State
Explanation

AG_NO_STATE

The ISAKMP SA has been created, but nothing else has happened yet. It is "larval" at this stage—there is no state.

AG_INIT_EXCH

The peers have done the first exchange in aggressive mode, but the SA is not authenticated.

AG_AUTH

The ISAKMP SA has been authenticated. If the router initiated this exchange, this state transitions immediately to QM_IDLE, and a quick mode exchange begins.


Table 34 States in Quick Mode Exchange

State
Explanation

QM_IDLE

The ISAKMP SA is idle. It remains authenticated with its peer and may be used for subsequent quick mode exchanges. It is in a quiescent state.


Table 35 describes significant fields shown in the display.

Table 35 show crypto isakmp sa Field Descriptions

Field
Description

f_vrf/i_vrf

The front door virtual routing and forwarding (FVRF) and the inside VRF (IVRF) of the IKE SA. If the FVRF is global, the output shows f_vrf as an empty field.
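The state tables above are what an operator consults when an SA is not in QM_IDLE. The following Python is an added example, not Cisco code or output: it parses the show crypto isakmp sa layout (including an empty f_vrf for a global front-door VRF), tags each SA with its exchange and whether it has been authenticated according to Tables 32 to 34, and lists the conn-ids that remain unauthenticated across two polls. The two polls are constructed in the page's format.

```python
"""Classify the SAs listed by 'show crypto isakmp sa' using the state tables above
and find negotiations that stay unauthenticated across two polls.
Added example, not Cisco code."""
import re

# state -> (exchange, authenticated, meaning), following Tables 32 to 34
STATES = {
    "MM_NO_STATE":  ("main",       False, "SA created, still larval"),
    "MM_SA_SETUP":  ("main",       False, "ISAKMP SA parameters agreed"),
    "MM_KEY_EXCH":  ("main",       False, "DH done and shared secret generated, not authenticated"),
    "MM_KEY_AUTH":  ("main",       True,  "authenticated; an initiator moves straight to QM_IDLE"),
    "AG_NO_STATE":  ("aggressive", False, "SA created, still larval"),
    "AG_INIT_EXCH": ("aggressive", False, "first aggressive-mode exchange done, not authenticated"),
    "AG_AUTH":      ("aggressive", True,  "authenticated; an initiator moves straight to QM_IDLE"),
    "QM_IDLE":      ("quick",      True,  "idle and authenticated, the quiescent state"),
}

# Constructed polls a few minutes apart, in the page's output format (not a device capture).
POLL_1 = """\
Router# show crypto isakmp sa

f_vrf/i_vrf    dst             src           state        conn-id    slot
      /vpn2    172.21.114.123  10.1.1.1      QM_IDLE           13       0
      /vpn1    172.21.114.123  172.16.1.1    MM_KEY_EXCH       14       0
  red/red      192.0.2.10      198.51.100.7  AG_INIT_EXCH      15       0
"""
POLL_2 = """\
f_vrf/i_vrf    dst             src           state        conn-id    slot
      /vpn2    172.21.114.123  10.1.1.1      QM_IDLE           13       0
      /vpn1    172.21.114.123  172.16.1.1    QM_IDLE           14       0
  red/red      192.0.2.10      198.51.100.7  AG_INIT_EXCH      15       0
"""

# f_vrf is empty when the front-door VRF is global, so the slash may lead the field.
ROW = re.compile(r"^\s*(\S*)/(\S*)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s*$")


def parse_sa_table(text: str):
    """Return one dict per SA row; the header, prompt and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        f_vrf, i_vrf, dst, src, state, conn_id, slot = m.groups()
        exchange, authenticated, meaning = STATES.get(
            state, ("unknown", None, "state not in the reference tables"))
        rows.append({"f_vrf": f_vrf, "i_vrf": i_vrf, "dst": dst, "src": src,
                     "state": state, "conn_id": int(conn_id), "slot": int(slot),
                     "exchange": exchange, "authenticated": authenticated,
                     "meaning": meaning})
    return rows


def unauthenticated(rows):
    """conn-ids whose SA has not completed authentication (MM_* or AG_* before auth)."""
    return [r["conn_id"] for r in rows if r["authenticated"] is False]


def still_unauthenticated(prev_rows, curr_rows):
    """conn-ids unauthenticated in both polls.  A long exchange may legitimately sit
    in an MM_xxx state for a while; one still there on the next poll deserves a look."""
    earlier = set(unauthenticated(prev_rows))
    return [c for c in unauthenticated(curr_rows) if c in earlier]


def report(rows):
    """One human-readable line per SA, e.g. for a monitoring job."""
    return ["conn-id {conn_id} {src}->{dst} {state}: {exchange} mode, {meaning}".format(**r)
            for r in rows]
```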


Related Commands

Command
Description

crypto isakmp policy

Defines an IKE policy.

lifetime (IKE policy)

Specifies the lifetime of an IKE SA.


show crypto key mypubkey rsa

To view the RSA public keys of your router, use the show crypto key mypubkey rsa EXEC command.

show crypto key mypubkey rsa

Syntax Description

This command has no arguments or keywords.

Command Modes

EXEC

Command History

Release
Modification

11.3 T

This command was introduced.


Usage Guidelines

This command displays your router's RSA public keys.

Examples

The following is sample output from the show crypto key mypubkey rsa command. Special usage RSA keys were previously generated for this router using the crypto key generate rsa command.

% Key pair was generated at: 06:07:49 UTC Jan 13 1996
Key name: myrouter.example.com
 Usage: Signature Key
 Key Data:
  005C300D 06092A86 4886F70D 01010105 00034B00 30480241 00C5E23B 55D6AB22 
  04AEF1BA A54028A6 9ACC01C5 129D99E4 64CAB820 847EDAD9 DF0B4E4C 73A05DD2 
  BD62A8A9 FA603DD2 E2A8A6F8 98F76E28 D58AD221 B583D7A4 71020301 0001

% Key pair was generated at: 06:07:50 UTC Jan 13 1996
Key name: myrouter.example.com
 Usage: Encryption Key
 Key Data:
  00302017 4A7D385B 1234EF29 335FC973 2DD50A37 C4F4B0FD 9DADE748 429618D5
  18242BA3 2EDFBDD3 4296142A DDF7D3D8 08407685 2F2190A0 0B43F1BD 9A8A26DB
  07953829 791FCDE9 A98420F0 6A82045B 90288A26 DBC64468 7789F76E EE21

Related Commands

Command
Description

crypto key generate rsa

Generates RSA key pairs.


show crypto key pubkey-chain rsa

To view the RSA public keys of the peer that are stored on your router, use the show crypto key pubkey-chain rsa EXEC command.

show crypto key pubkey-chain rsa [name key-name | address key-address]

Syntax Description

name key-name

(Optional) The name of a particular public key to view.

address key-address

(Optional) The address of a particular public key to view.


Command Modes

EXEC

Command History

Release
Modification

11.3 T

This command was introduced.


Usage Guidelines

This command shows RSA public keys stored on your router. This includes peers' RSA public keys manually configured at your router and keys received by your router via other means (such as by a certificate, if certification authority support is configured).

If a router reboots, any public key derived by certificates will be lost. This is because the router will ask for certificates again, at which time the public key will be derived again.

Use the name or address keywords to display details about a particular RSA public key stored on your router.

If no keywords are used, this command displays a list of all RSA public keys stored on your router.

Examples

The following is sample output from the show crypto key pubkey-chain rsa command:

Codes: M - Manually Configured, C - Extracted from certificate

Code  Usage        IP-address     Name
M     Signature    10.0.0.1       myrouter.example.com
M     Encryption   10.0.0.1       myrouter.example.com
C     Signature    172.16.0.1     routerA.example.com
C     Encryption   172.16.0.1     routerA.example.com
C     General      192.168.10.3   routerB.domain1.com

This sample shows manually configured special usage RSA public keys for the peer "somerouter." This sample also shows three keys obtained from peers' certificates: special usage keys for peer "routerA" and a general purpose key for peer "routerB."

Certificate support is used in the above example; if certificate support was not in use, none of the peers' keys would show "C" in the code column, but would all have to be manually configured.

The following is sample output when you issue the command show crypto key pubkey-chain rsa name somerouter.example.com:

Key name: somerouter.example.com
Key address: 10.0.0.1
 Usage: Signature Key
 Source: Manual
 Data:
  305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00C5E23B 55D6AB22 
  04AEF1BA A54028A6 9ACC01C5 129D99E4 64CAB820 847EDAD9 DF0B4E4C 73A05DD2 
  BD62A8A9 FA603DD2 E2A8A6F8 98F76E28 D58AD221 B583D7A4 71020301 0001

Key name: somerouter.example.com
Key address: 10.0.0.1
 Usage: Encryption Key
 Source: Manual
 Data:
  00302017 4A7D385B 1234EF29 335FC973 2DD50A37 C4F4B0FD 9DADE748 429618D5
  18242BA3 2EDFBDD3 4296142A DDF7D3D8 08407685 2F2190A0 0B43F1BD 9A8A26DB
  07953829 791FCDE9 A98420F0 6A82045B 90288A26 DBC64468 7789F76E EE21


Note The Source field in the above example indicates "Manual," meaning that the keys were manually configured on the router, not received in the peer's certificate.


The following is sample output when you issue the command show crypto key pubkey-chain rsa address 192.168.10.3:

Key name: routerB.example.com
Key address: 192.168.10.3
 Usage: General Purpose Key
 Source: Certificate
 Data:
  0738BC7A 2BC3E9F0 679B00FE 53987BCC 01030201 42DD06AF E228D24C 458AD228
  58BB5DDD F4836401 2A2D7163 219F882E 64CE69D4 B583748A 241BED0F 6E7F2F16
  0DE0986E DF02031F 4B0B0912 F68200C4 C625C389 0BFF3321 A2598935 C1B1

The Source field in the above example indicates "Certificate," meaning that the keys were received by the router by way of the other router's certificate.
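The Key Data listed by show crypto key mypubkey rsa and show crypto key pubkey-chain rsa, and the hex typed into key-string for a manually configured peer (see the rsa-pubkey and key-string examples above), are the same key material, so a manually entered key can be checked against what the peer itself displays before it is trusted. The following Python is an added example, not Cisco code or output: it assumes the blob is a DER SubjectPublicKeyInfo carrying an rsaEncryption key (the 305C300D 06092A86 4886F70D 010101 prefix of the signature key above), decodes modulus size and exponent, fingerprints the bytes, and compares two listings; the prompt-prefixed keyring listing is constructed, and a blob not in that shape (such as the encryption-key listing above) is reported as unrecognised rather than guessed at.

```python
# Decode the RSA key material IOS lists as Key Data, fingerprint it and compare two
# listings.  Added example, not Cisco code; assumes a DER SubjectPublicKeyInfo.
import hashlib
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1 rsaEncryption

# Signature key as listed under "show crypto key pubkey-chain rsa" above.
PEER_SIG_KEY_LISTING = """
  305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00C5E23B 55D6AB22
  04AEF1BA A54028A6 9ACC01C5 129D99E4 64CAB820 847EDAD9 DF0B4E4C 73A05DD2
  BD62A8A9 FA603DD2 E2A8A6F8 98F76E28 D58AD221 B583D7A4 71020301 0001
"""

# Constructed: the same key as it would look typed into key-string mode, prompts included.
KEYRING_SIG_KEY_LISTING = """
Router(config-pubkey)# key-string
Router(config-pubkey)# 305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00C5E23B 55D6AB22
Router(config-pubkey)# 04AEF1BA A54028A6 9ACC01C5 129D99E4 64CAB820 847EDAD9 DF0B4E4C 73A05DD2
Router(config-pubkey)# BD62A8A9 FA603DD2 E2A8A6F8 98F76E28 D58AD221 B583D7A4 71020301 0001
Router(config-pubkey)# quit
"""

# Encryption key as listed above; its first byte is not a DER SEQUENCE tag.
PEER_ENC_KEY_LISTING = """
  00302017 4A7D385B 1234EF29 335FC973 2DD50A37 C4F4B0FD 9DADE748 429618D5
  18242BA3 2EDFBDD3 4296142A DDF7D3D8 08407685 2F2190A0 0B43F1BD 9A8A26DB
  07953829 791FCDE9 A98420F0 6A82045B 90288A26 DBC64468 7789F76E EE21
"""

HEX_GROUP = re.compile(r"[0-9A-Fa-f]+$")
PROMPT = re.compile(r"^\s*\S+#\s*")              # e.g. "Router(config-pubkey)# "


def key_string_to_bytes(listing: str) -> bytes:
    """Collapse the hex groups of a Key Data / key-string listing into bytes.
    CLI prompts and non-hex words (key-string, quit, Data:) are skipped."""
    groups = []
    for line in listing.splitlines():
        for tok in PROMPT.sub("", line).split():
            if HEX_GROUP.match(tok):
                groups.append(tok)
    digits = "".join(groups)
    if len(digits) % 2:
        raise ValueError("odd number of hex digits in key listing")
    return bytes.fromhex(digits)


def _der_tlv(buf: bytes, pos: int):
    """Return (tag, value, end) for the DER element at pos; short and long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long form: low 7 bits = count of length bytes
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past end of data")
    return tag, buf[pos:end], end


def decode_rsa_spki(blob: bytes):
    """Return {'modulus_bits', 'exponent', 'sha256'} for an rsaEncryption
    SubjectPublicKeyInfo, or None when the bytes are not in that shape."""
    try:
        tag, spki, end = _der_tlv(blob, 0)
        if tag != 0x30 or end != len(blob):      # outer SEQUENCE must span the whole blob
            return None
        alg_tag, algid, pos = _der_tlv(spki, 0)  # AlgorithmIdentifier SEQUENCE
        oid_tag, oid, _ = _der_tlv(algid, 0)
        if alg_tag != 0x30 or oid_tag != 0x06 or oid != RSA_OID:
            return None
        bs_tag, bits, _ = _der_tlv(spki, pos)    # BIT STRING; first byte = unused bits
        if bs_tag != 0x03 or bits[0] != 0:
            return None
        seq_tag, rsapub, _ = _der_tlv(bits, 1)   # RSAPublicKey SEQUENCE { n, e }
        n_tag, n_bytes, pos = _der_tlv(rsapub, 0)
        e_tag, e_bytes, _ = _der_tlv(rsapub, pos)
        if seq_tag != 0x30 or n_tag != 0x02 or e_tag != 0x02:
            return None
    except (IndexError, ValueError):
        return None
    modulus = int.from_bytes(n_bytes, "big")
    return {"modulus_bits": modulus.bit_length(),
            "exponent": int.from_bytes(e_bytes, "big"),
            "sha256": hashlib.sha256(blob).hexdigest()}


def same_key(listing_a: str, listing_b: str) -> bool:
    """True when two listings carry byte-identical key material, e.g. the peer's
    'show crypto key mypubkey rsa' read over a trusted channel versus the
    key-string entered on this router."""
    return key_string_to_bytes(listing_a) == key_string_to_bytes(listing_b)
```

The signature key above decodes as a 512-bit modulus with exponent 65537, and its SHA-256 fingerprint is what an operator compares out of band rather than the raw hex.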

vrf (isakmp profile)

To define the virtual routing and forwarding (VRF) value to which the IP Security (IPSec) tunnel will be mapped, use the vrf command in isakmp profile configuration mode. To disable the VRF that was defined, use the no form of this command.

vrf ivrf

no vrf ivrf

Syntax Description

ivrf

VRF to which the IPSec tunnel will be mapped.


Defaults

The VRF will be the same as the front door VRF (FVRF).

Command Modes

ISAKMP profile configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Usage Guidelines

Use this command to map IPSec tunnels that terminate on a global interface to a specific Virtual Private Network (VPN).

If traffic from the router to a certification authority (CA) (for authentication, enrollment, or for obtaining a certificate revocation list [CRL]) or to a Lightweight Directory Access Protocol (LDAP) server (for obtaining a CRL) needs to be routed via a VRF, the vrf command must be added to the trustpoint. Otherwise, such traffic will use the default routing table.

If a profile does not specify one or more trustpoints, all trustpoints in the router will be used to attempt to validate the certificate of the peer (Internet Key Exchange [IKE] main mode or signature authentication). If one or more trustpoints are specified, only those trustpoints will be used.

Examples

The following example shows two IPSec tunnels, one mapped to VPN 1 and one to VPN 2, terminating on a global interface:

crypto isakmp profile vpn1
   vrf vpn1
   keyring vpn1
   match identity address 172.16.1.1 255.255.255.255
crypto isakmp profile vpn2
   vrf vpn2
   keyring vpn2
   match identity address 10.1.1.1 255.255.255.255
crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
crypto ipsec transform-set vpn2 esp-3des esp-md5-hmac
!
crypto map crypmap 1 ipsec-isakmp
 set peer 172.16.1.1
 set transform-set vpn1
 set isakmp-profile vpn1
 match address 101
crypto map crypmap 3 ipsec-isakmp
 set peer 10.1.1.1
 set transform-set vpn2
 set isakmp-profile vpn2
 match address 102
!
!
interface Ethernet1/2
 ip address 172.26.1.1 255.255.255.0
 duplex half
 no keepalive
 no cdp enable
 crypto map crypmap

wins

To specify the primary and secondary Windows Internet Naming Service (WINS) servers, use the wins command in Internet Security Association and Key Management Protocol (ISAKMP) group configuration mode. To remove this command from your configuration, use the no form of this command.

wins primary-server secondary-server

no wins primary-server secondary-server

Syntax Description

primary-server

Name of the primary WINS server.

secondary-server

Name of the secondary WINS server.


Defaults

No default behavior or values.

Command Modes

ISAKMP group configuration

Command History

Release
Modification

12.2(8)T

This command was introduced.


Usage Guidelines

You must enable the crypto isakmp client configuration group command, which specifies group policy information that needs to be defined or changed, before enabling the wins command.

Examples

The following example shows how to define a primary and secondary WINS server for the group "cisco":

crypto isakmp client configuration group cisco
  key cisco
  dns 2.2.2.2 2.3.2.3
  pool dog
  acl 199
  wins 1.1.1.2 1.1.1.3

Related Commands

Command
Description

crypto isakmp client configuration group

Specifies which group's policy profile will be defined.