-
Cisco IOS Security Command Reference, Release 12.2 T
-
Cisco IOS Firewall Intrusion Detection System Commands
-
Kerberos Commands
-
TACACS+ Commands
-
Lock-and-Key Commands
-
Port to Application Mapping Commands
-
Reflexive Access List Commands
-
Authorization Commands
-
Internet Key Exchange Security Protocol Commands
-
Authentication Proxy Commands
-
Authentication Commands
-
Accounting Commands
-
Secure Shell Commands
-
IP Security Options Commands
-
Passwords and Privileges Commands
-
Unicast Reverse Path Forwarding Commands
-
Certification Authority Interoperability Commands
-
IPSec Network Security Commands
-
TCP Intercept Commands
-
Context-Based Access Control Commands
-
RADIUS Commands
-
SR: Index
-
Table Of Contents
IPSec Network Security Commands
clear crypto engine accelerator counter
clear crypto ipsec client ezvpn
crypto ipsec client ezvpn (global)
crypto ipsec client ezvpn (interface)
crypto ipsec client ezvpn connect
crypto ipsec client ezvpn xauth
crypto ipsec df-bit (interface)
crypto ipsec fragmentation (interface)
crypto ipsec security-association lifetime
crypto ipsec security-association idle-time
crypto mib ipsec flowmib history failure size
crypto mib ipsec flowmib history tunnel size
set security-association level per-host
set security-association lifetime
show crypto engine accelerator logs
show crypto engine accelerator ring
show crypto engine accelerator sa-database
show crypto engine accelerator statistic
show crypto ipsec client ezvpn
show crypto ipsec security-association lifetime
show crypto ipsec transform-set
show crypto mib ipsec flowmib history failure size
show crypto mib ipsec flowmib history tunnel size
show crypto mib ipsec flowmib version
snmp-server enable traps ipsec
snmp-server enable traps isakmp
IPSec Network Security Commands
This chapter describes IP Security (IPSec) network security commands. IPSec provides security for transmission of sensitive information over unprotected networks such as the Internet. IPSec provides a robust security solution and is standards-based. IPSec provides data authentication and anti-replay services in addition to data confidentiality services.
For configuration information, refer to the chapter "Configuring IPSec Network Security" in the Cisco IOS Security Configuration Guide.
clear crypto engine accelerator counter
To reset the statistical and error counters of the hardware accelerator of the router to zero, use the clear crypto engine accelerator counter command in privileged EXEC mode.
clear crypto engine accelerator counter
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
Privileged EXEC
Command History
Examples
The following example shows the statistical and error counters of the router being cleared to zero:
Router# clear crypto engine accelerator counter
Related Commands
clear crypto ipsec client ezvpn
To reset the Cisco Easy VPN Remote state machine and bring down the Cisco Easy VPN Remote connection on all interfaces or on a given interface (tunnel), use the clear crypto ipsec client ezvpn command in privileged EXEC mode. If a tunnel name is specified, only the specified tunnel is cleared.
clear crypto ipsec client ezvpn [name]
Syntax Description
Defaults
If no tunnel name is specified, all active tunnels on the machine are cleared.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
The clear crypto ipsec client ezvpn command resets the Cisco Easy VPN Remote state machine, bringing down the current Cisco Easy VPN Remote connection and bringing it back up on the interface. If you specify a tunnel name, only that tunnel is cleared. If no tunnel name is specified, all active tunnels on the machine are cleared.
If the Cisco Easy VPN Remote connection for a particular interface is configured for autoconnect, this command also initiates a new Cisco Easy VPN Remote connection.
Examples
The following example shows the Cisco Easy VPN Remote state machine being reset:
Router# clear crypto ipsec client ezvpnRelated Commands
clear crypto sa
To delete IP Security (IPSec) security associations (SAs), use the clear crypto sa command in EXEC mode.
clear crypto sa
clear crypto sa peer [vrf fvrf-name] address
clear crypto sa map map-name
clear crypto sa entry destination-address protocol spi
clear crypto sa counters
clear crypto sa [vrf ivrf-name]
Syntax Description
Defaults
If the peer, map, entry, or counters keywords are not used, all IPSec SAs are deleted.
Command Modes
EXEC
Command History
Usage Guidelines
This command clears (deletes) IPSec SAs.
If the SAs were established via Internet Key Exchange (IKE), they are deleted and future IPSec traffic will require new SAs to be negotiated. (When IKE is used, the IPSec SAs are established only when needed.)
If the SAs are manually established, the SAs are deleted and reinstalled. (When IKE is not used, the IPSec SAs are created as soon as the configuration is completed.)
If the peer, map, entry, or counters keywords are not used, all IPSec SAs will be deleted.
•
The peer keyword deletes any IPSec SAs for the specified peer.
•
•
If any of the above commands cause a particular SA to be deleted, all the "sibling" SAs—that were established during the same IKE negotiation—are deleted as well.
The counters keyword simply clears the traffic counters maintained for each SA; it does not clear the SAs themselves.
If you make configuration changes that affect SAs, these changes will not apply to existing SAs but to negotiations for subsequent SAs. You can use the clear crypto sa command to restart all SAs so that they will use the most current configuration settings. In the case of manually established SAs, if you make changes that affect SAs you must use the clear crypto sa command before the changes take effect.
If the router is processing active IPSec traffic, it is suggested that you only clear the portion of the SA database that is affected by the changes, to avoid causing active IPSec traffic to temporarily fail.
Note that this command only clears IPSec SAs; to clear IKE state, use the clear crypto isakmp command.
Examples
The following example clears (and reinitializes if appropriate) all IPSec SAs at the router:
clear crypto saThe following example clears (and reinitializes if appropriate) the inbound and outbound IPSec SAs established, along with the SA established for address 10.0.0.1 using the AH protocol with the SPI of 256:
clear crypto sa entry 10.0.0.1 AH 256The following example clears all the SAs for VRF VPN1:
clear crypto sa vrf vpn1Related Commands
crypto dynamic-map
To create a dynamic crypto map entry and enter the crypto map configuration command mode, use the crypto dynamic-map global configuration command. To delete a dynamic crypto map set or entry, use the no form of this command.
crypto dynamic-map dynamic-map-name dynamic-seq-num
no crypto dynamic-map dynamic-map-name [dynamic-seq-num]
Syntax Description
dynamic-map-name
Specifies the name of the dynamic crypto map set.
dynamic-seq-num
Specifies the number of the dynamic crypto map entry.
Defaults
No dynamic crypto maps exist.
Command Modes
Global configuration. Using this command puts you into crypto map configuration mode.
Command History
Usage Guidelines
Use dynamic crypto maps to create policy templates that can be used when processing negotiation requests for new security associations from a remote IP Security peer, even if you do not know all of the crypto map parameters required to communicate with the remote peer (such as the peer's IP address). For example, if you do not know about all the IPSec remote peers in your network, a dynamic crypto map allows you to accept requests for new security associations from previously unknown peers. (However, these requests are not processed until the Internet Key Exchange authentication has completed successfully.)
When a router receives a negotiation request via IKE from another IPSec peer, the request is examined to see if it matches a crypto map entry. If the negotiation does not match any explicit crypto map entry, it will be rejected unless the crypto map set includes a reference to a dynamic crypto map.
The dynamic crypto map is a policy template; it will accept "wildcard" parameters for any parameters not explicitly stated in the dynamic crypto map entry. This allows you to set up IPSec security associations with a previously unknown IPSec peer. (The peer still must specify matching values for the "non-wildcard" IPSec security association negotiation parameters.)
If the router accepts the peer's request, at the point that it installs the new IPSec security associations it also installs a temporary crypto map entry. This entry is filled in with the results of the negotiation. At this point, the router performs normal processing, using this temporary crypto map entry as a normal entry, even requesting new security associations if the current ones are expiring (based upon the policy specified in the temporary crypto map entry). Once the flow expires (that is, all of the corresponding security associations expire), the temporary crypto map entry is removed.
Dynamic crypto map sets are not used for initiating IPSec security associations. However, they are used for determining whether or not traffic should be protected.
The only configuration required in a dynamic crypto map is the set transform-set command. All other configuration is optional.
Dynamic crypto map entries, like regular static crypto map entries, are grouped into sets. After you define a dynamic crypto map set (which commonly contains only one map entry) using this command, you include the dynamic crypto map set in an entry of the "parent" crypto map set using the crypto map (IPSec global configuration) command. The parent crypto map set is then applied to an interface.
You should make crypto map entries referencing dynamic maps the lowest priority map entries, so that negotiations for security associations will try to match the static crypto map entries first. Only after the negotiation request does not match any of the static map entries do you want it to be evaluated against the dynamic map.
To make a dynamic crypto map the lowest priority map entry, give the map entry referencing the dynamic crypto map the highest seq-num of all the map entries in a crypto map set.
For both static and dynamic crypto maps, if unprotected inbound traffic matches a permit statement in an access list, and the corresponding crypto map entry is tagged as "IPSec," then the traffic is dropped because it is not IPSec-protected. (This is because the security policy as specified by the crypto map entry states that this traffic must be IPSec-protected.)
For static crypto map entries, if outbound traffic matches a permit statement in an access list and the corresponding security association (SA) is not yet established, the router will initiate new SAs with the remote peer. In the case of dynamic crypto map entries, if no SA existed, the traffic would simply be dropped (because dynamic crypto maps are not used for initiating new SAs).
Note
Examples
The following example configures an IPSec crypto map set.
Crypto map entry "mymap 30" references the dynamic crypto map set "mydynamicmap," which can be used to process inbound security association negotiation requests that do not match "mymap" entries 10 or 20. In this case, if the peer specifies a transform set that matches one of the transform sets specified in "mydynamicmap," for a flow "permitted" by the access list 103, IPSec will accept the request and set up security associations with the remote peer without previously knowing about the remote peer. If accepted, the resulting security associations (and temporary crypto map entry) are established according to the settings specified by the remote peer.
The access list associated with "mydynamicmap 10" is also used as a filter. Inbound packets that match a permit statement in this list are dropped for not being IPSec protected. (The same is true for access lists associated with static crypto maps entries.) Outbound packets that match a permit statement without an existing corresponding IPSec SA are also dropped.
crypto map mymap 10 ipsec-isakmpmatch address 101set transform-set my_t_set1set peer 10.0.0.1set peer 10.0.0.2crypto map mymap 20 ipsec-isakmpmatch address 102set transform-set my_t_set1 my_t_set2set peer 10.0.0.3crypto map mymap 30 ipsec-isakmp dynamic mydynamicmap!crypto dynamic-map mydynamicmap 10match address 103set transform-set my_t_set1 my_t_set2 my_t_set3Related Commands
crypto engine accelerator
To enable the onboard hardware accelerator of the router for IP security (IPSec) encryption, use the crypto engine accelerator command in global configuration mode. To disable the use of the onboard hardware IPSec accelerator, and thereby perform IPSec encryption or decryption in software, use the no form of this command.
crypto engine accelerator
no crypto engine accelerator
Syntax Description
This command has no arguments or keywords.
Defaults
The hardware accelerator for IPSec encryption is enabled.
Command Modes
Global configuration mode
Command History
Usage Guidelines
This command is not normally needed for typical operations because the onboard hardware accelerator of the router is enabled for IPSec encryption by default. The hardware accelerator should not be disabled except on instruction from Cisco Technical Assistance Center (TAC) personnel.
Examples
The following example shows how to disable the onboard hardware accelerator of the router for IPSec encryption. This is normally needed only after the accelerator has been disabled for testing or debugging purposes.
Router(config)# no crypto engine acceleratorWarning! all current connections will be torn down.Do you want to continue? [yes/no]:Related Commands
crypto identity
To configure the identity of the router with a given list of distinguished names (DNs) in the certificate of the router, use the crypto identity command in global configuration mode. To delete all identity information associated with a list of DNs, use the no form of this command.
crypto identity name
no crypto identity name
Syntax Description
Defaults
If this command is not enabled, the IP address is associated with the identity of the router.
Command Modes
Global configuration
Command History
Usage Guidelines
The crypto identity command allows you to configure the identity of a router with a given list of DNs. Thus, when used with the dn and fqdn commands, you can set restrictions in the router configuration that prevent peers with specific certificates, especially certificates with particular DNs, from having access to selected encrypted interfaces.
Note
Examples
The following example shows how to configure a DN-based crypto map:
! The following is an IPSec crypto map (part of IPSec configuration). It can be used only! by peers that have been authenticated by DN and if the certificate belongs to BigBiz.crypto map map-to-bigbiz 10 ipsec-isakmpset peer 172.21.114.196set transform-set my-transformsetmatch address 124identity to-bigbiz!crypto identity to-bigbizdn ou=BigBiz!!! This crypto map can be used only by peers that have been authenticated by hostname! and if the certificate belongs to little.com.crypto map map-to-little-com 10 ipsec-isakmpset peer 172.21.115.119set transform-set my-transformsetmatch address 125identity to-little-com!crypto identity to-little-comfqdn little.com!Related Commands
crypto ipsec client ezvpn (global)
To create a Cisco Easy VPN Remote configuration and enter the Cisco Easy VPN Remote configuration mode, use the crypto ipsec client ezvpn command in global configuration mode. To delete the Cisco Easy VPN Remote configuration, use the no form of this command.
crypto ipsec client ezvpn name
no crypto ipsec client ezvpn name
Note
Syntax Description
Defaults
Newly created Cisco Easy VPN Remote configurations default to the client mode.
Command Modes
Global configuration
Command History
Usage Guidelines
The crypto ipsec client ezvpn command creates a Cisco Easy VPN Remote configuration and then enters the Cisco Easy VPN Remote configuration mode, at which point you can enter the following subcommands:
•
–
–
•
•
•
•
–
After specifying the local address used to source tunnel traffic, the IP address can be obtained in two ways:
–
–
•
–
–
•
•
Note
After configuring the Cisco Easy VPN Remote configuration, use the exit command to exit the Cisco Easy VPN Remote configuration mode and return to global configuration mode.
Note
Examples
The following example shows a Cisco Easy VPN Remote configuration named "telecommuter-client" being created on a Cisco uBR905 or Cisco uBR925 cable access router and being assigned to cable interface 0:
Router# configure terminalRouter(config)# crypto ipsec client ezvpn telecommuter-clientRouter(config-crypto-ezvpn)# group telecommute-group key secret-telecommute-keyRouter(config-crypto-ezvpn)# peer telecommuter-serverRouter(config-crypto-ezvpn)# mode clientRouter(config-crypto-ezvpn)# exitRouter(config)# interface c0Router(config-if)# crypto ezvpn telecommuter-clientRouter(config-if)# exit
Note
The following example shows the Cisco Easy VPN Remote configuration named "telecommuter-client" being removed from the interface and then deleted:
Router# configure terminalRouter(config)# interface e1Router(config-if)# no crypto ipsec client ezvpn telecommuter-clientRouter(config-if)# exitRouter(config)# no crypto ipsec client ezvpn telecommuter-clientRelated Commands
crypto ipsec client ezvpn (interface)
Assigns a Cisco Easy VPN Remote configuration to an interface.
crypto ipsec client ezvpn (interface)
To assign a Cisco Easy VPN Remote configuration to an interface, specify whether the interface is outside or inside, and configure multiple outside and inside interfaces, use the crypto ipsec client ezvpn command in interface configuration mode. To remove the Cisco Easy VPN Remote configuration from the interface, use the no form of this command.
crypto ipsec client ezvpn name [outside | inside]
no crypto ipsec client ezvpn name [outside | inside]
Note
Syntax Description
Defaults
The default inside interface is the Ethernet interface on Cisco 800 series routers and Cisco uBR905 and Cisco uBR925 cable access routers.
Command Modes
Interface configuration
Command History
Usage Guidelines
The crypto ipsec client ezvpn command assigns a Cisco Easy VPN Remote configuration to an interface, enabling the creation of a Virtual Private Network (VPN) connection over that interface to the specified VPN peer. If the Cisco Easy VPN Remote configuration is configured for the client mode of operation, this also automatically configures the router for network address translation (NAT) or port address translation (PAT) and for an associated access list.
In Cisco IOS Release 12.2(8)YJ, the crypto ipsec client ezvpn command was enhanced to allow you to configure multiple outside and inside interfaces. To configure multiple outside and inside interfaces, you must use the interface interface-name command to first define the type of interface on the IPSec client router.
•
•
•
The following Cisco IOS Release 12.2(4)YA restrictions apply to the crypto ipsec client ezvpn command:
•
•
For example, on Cisco uBR905 and Cisco uBR925 cable access routers, the outside interface is always the cable interface. On Cisco 1700 series routers, the FastEthernet interface defaults to being the inside interface, so attempting to use the crypto ipsec client ezvpn command on the FastEthernet interface displays an error message.
Note
Examples
The following example shows a Cisco Easy VPN Remote configuration named "telecommuter-client" being assigned to the cable interface on a Cisco uBR905/uBR925 cable access router:
Router# configure terminalRouter(config)# interface c0Router(config-if)# crypto ipsec client ezvpn telecommuter-clientRouter(config-if)# exitThe following example first shows an attempt to delete the Cisco Easy VPN Remote configuration named "telecommuter-client," but the configuration cannot be deleted because it is still assigned to an interface. The configuration is then removed from the interface and deleted.
Router# configure terminalRouter(config)# no crypto ipsec client ezvpn telecommuter-clientError: crypto map in use by interface; cannot deleteRouter(config)# interface e1Router(config-if)# no crypto ipsec client ezvpn telecommuter-clientRouter(config-if)# exitRouter(config)# no crypto ipsec client ezvpn telecommuter-clientRelated Commands
crypto ipsec client ezvpn (global)
Creates and modifies a Cisco Easy VPN Remote configuration.
crypto ipsec client ezvpn connect
To connect to a specified IP Security (IPSec) Virtual Private Network (VPN) tunnel in a manual configuration, use the crypto ipsec client ezvpn connect command in privileged EXEC mode. To disable the VPN tunnel, use the no form of this command.
crypto ipsec client ezvpn connect name
no crypto ipsec client ezvpn connect name
Syntax Description
Defaults
No default behavior or values
Command Modes
Privileged EXEC
Command History
Usage Guidelines
This command is used with the connect [auto | manual] subcommand. After the manual setting is designated, the Cisco Easy VPN Client waits for a command or application program interface (API) call before attempting to establish the Cisco Easy VPN Remote connection.
If the configuration is manual, the tunnel is connected only after the crypto ipsec client ezvpn connect name command is entered in privileged EXEC mode and after the connect [auto | manual] subcommand is entered.
Examples
The following example shows how to connect an IPSec VPN tunnel named "ISP-tunnel" on a Cisco uBR905/uBR925 cable access router:
Router# crypto ipsec client ezvpn connect ISP-tunnelRelated Commands
crypto ipsec client ezvpn (global)
Creates and modifies a Cisco Easy VPN Remote configuration.
crypto ipsec client ezvpn xauth
To respond to a pending Virtual Private Network (VPN) authorization request, use the crypto ipsec client ezvpn xauth command in privileged EXEC mode.
crypto ipsec client ezvpn xauth name
Syntax Description
Defaults
No default behavior or values
Command Modes
Privileged EXEC
Command History
Usage Guidelines
If the tunnel name is not specified, the authorization request is made on the active tunnel. If there is more than one active tunnel, the command fails with an error requesting that you specify the tunnel name.
When making a VPN connection, individual users might also be required to provide authorization information, such as a username or password. When the remote end requires this information, the router displays a message on the console of the router instructing the user to enter the crypto ipsec client ezvpn xauth command. The user then uses command-line interface (CLI) to enter this command and to provide the information requested by the prompts that follow after the command has been entered.
Note
Examples
The following example shows an example of the user being prompted to enter the crypto ipsec client ezvpn xauth command. The user then enters the requested information and continues.
Router#20:27:39: EZVPN: Pending XAuth Request, Please enter the following command:20:27:39: EZVPN: crypto ipsec client ezvpn xauthRouter# crypto ipsec client ezvpn xauthEnter Username and Password: useridPassword: ************Related Commands
crypto ipsec client ezvpn (interface)
Assigns a Cisco Easy VPN Remote configuration to an interface.
crypto ipsec df-bit (global)
To set the DF bit for the encapsulating header in tunnel mode to all interfaces, use the crypto ipsec df-bit command in global configuration mode.
crypto ipsec df-bit {clear | set | copy}
Syntax Description
Defaults
This command is disabled by default.
Command Modes
Global configuration
Command History
Usage Guidelines
Use the crypto ipsec df-bit command in global configuration mode to configure your router to specify the DF bit in an encapsulated header.
You may want use the clear setting for the DF bit when encapsulating tunnel mode IPSec traffic so you can send packets larger than the available maximum transmission unit (MTU) size or if you do not know what the available MTU size is.
If this command is enabled without a specified setting, the router will use the copy setting as default.
Examples
The following example shows how to clear the DF bit on all interfaces:
crypto ipsec df-bit clearcrypto ipsec df-bit (interface)
To set the DF bit for the encapsulating header in tunnel mode to a specific interface, use the crypto ipsec df-bit command in interface configuration mode.
crypto ipsec df-bit {clear | set | copy}
Syntax Description
Defaults
This command is disabled by default.
Command Modes
Interface configuration
Command History
Usage Guidelines
Use the crypto ipsec df-bit command in interface configuration mode to configure your router to specify the DF bit in an encapsulated header. This command overrides any existing DF bit global settings.
You may want use the clear setting for the DF bit when encapsulating tunnel mode IPSec traffic so you can send packets larger than the available maximum transmission unit (MTU) size or if you do not know what the available MTU size is.
If this command is enabled without a specified setting, the router will use the copy setting as default.
Examples
In following example, the router is configured to globally clear the setting for the DF bit and copy the DF bit on the interface named Ethernet0. Thus, all interfaces except Ethernet0 will allow the router to send packets larger than the available MTU size; Ethernet0 will allow the router to fragment the packet.
crypto isakmp policy 1hash md5authentication pre-sharecrypto isakmp key Delaware address 192.168.10.66crypto isakmp key Key-What-Key address 192.168.11.19!!crypto ipsec transform-set BearMama ah-md5-hmac esp-descrypto ipsec df-bit clear!!crypto map armadillo 1 ipsec-isakmpset peer 192.168.10.66set transform-set BearMamamatch address 101!crypto map basilisk 1 ipsec-isakmpset peer 192.168.11.19set transform-set BearMamamatch address 102!!interface Ethernet0ip address 192.168.10.38 255.255.255.0ip broadcast-address 0.0.0.0media-type 10BaseTcrypto map armadillocrypto ipsec df-bit copy!interface Ethernet1ip address 192.168.11.75 255.255.255.0ip broadcast-address 0.0.0.0media-type 10BaseTcrypto map basilisk!interface Serial0no ip addressip broadcast-address 0.0.0.0no ip route-cacheno ip mroute-cachecrypto ipsec fragmentation
To enable prefragmentation for IP Security (IPSec) Virtual Private Networks (VPNs) on a global basis, use the crypto ipsec fragmentation command in global configuration mode. To disable a manually configured command, use the no form of this command.
crypto ipsec fragmentation {before-encryption | after-encryption}
no crypto ipsec fragmentation {before-encryption | after-encryption}
Syntax Description
before-encryption
Enables prefragmentation for Ipsec VPNs.
after-encryption
Disables prefragmentation for Ipsec VPNs.
Defaults
If no other prefragmentation for IPSec VPNs commands are in the configuration, the router will revert to the default global configuration.
Command Modes
Global configuration
Command History
12.1(11b)E
This command was introduced.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
Usage Guidelines
Use the before-encryption keyword to enable prefragmentation for IPSec VPNs; use the after-encryption keyword to disable prefragmentation for IPSec VPNs. This command allows an encrypting router to predetermine the encapsulated packet size from information available in transform sets, which are configured as part of the IPSec security association (SA). If it is predetermined that the packet will exceed the maximum transmission unit (MTU) of the output interface, the packet is fragmented before encryption.
Note
Examples
The following example shows how to globally enable prefragmentation for IPSec VPNs:
crypto ipsec fragmentation before-encryptioncrypto ipsec fragmentation (interface)
To enable prefragmentation for IP Security (IPSec) Virtual Private Networks (VPNs) on an interface, use the crypto ipsec fragmentation command in interface configuration mode. To disable a manually configured command, use the no form of this command.
crypto ipsec fragmentation {before-encryption | after-encryption}
no crypto ipsec fragmentation {before-encryption | after-encryption}
Syntax Description
before-encryption
(Optional) Enables prefragmentation for IPSec VPNs.
after-encryption
(Optional) Disables prefragmentation for IPSec VPNs.
Defaults
If no other prefragmentation for IPSec VPNs commands are in the configuration, the router will revert to the default global configuration.
Command Modes
Interface configuration
Command History
12.1(11b)E
This command was introduced.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
Usage Guidelines
Use the before-encryption keyword to enable prefragmentation for IPSec VPNs per interface; use the after-encryption keyword to disable prefragmentation for IPSec VPNs. This command allows an encrypting router to predetermine the encapsulated packet size from information available in transform sets, which are configured as part of the IPSec security association (SA). If it is predetermined that the packet will exceed the maximum transmission unit (MTU) of output interface, the packet is fragmented before encryption.
Examples
The following example shows how to enable prefragmentation for IPSec VPNs on an interface and then how to display the output of the show running configuration command:
Note
Router(config-if)# crypto ipsec fragmentation before-encryptionRouter(config-if)# exitRouter# show running-configcrypto isakmp policy 10authentication pre-sharecrypto isakmp key abcd123 address 25.0.0.7!crypto ipsec transform-set fooprime esp-3des esp-sha-hmac!crypto map bar 10 ipsec-isakmpset peer 25.0.0.7set transform-set fooprimematch address 102crypto ipsec optional
To enable IP Security (IPSec) passive mode, use the crypto ipsec optional command in global configuration mode. To disable IPSec passive mode, use the no form of this command.
crypto ipsec optional
no crypto ipsec optional
Syntax Description
This command has no arguments or keywords.
Defaults
IPSec passive mode is not enabled.
Command Modes
Global configuration
Command History
Usage Guidelines
Use the crypto ipsec optional command to implement an intermediate mode (IPSec passive mode) that allows a router to accept unencrypted and encrypted data. IPSec passive mode is valuable for users who wish to migrate existing networks to IPSec because all routers will continue to interact with routers that encrypt data (that is, that have been upgraded with IPSec) and also with routers that have yet to be upgraded.
After this feature is disabled, all active connections that are sending unencrypted packets are cleared, and a message that reminds the user to enter the write memory command is sent.
Note
Examples
The following example shows how to enable IPSec passive mode:
crypto map xauthmap 10 ipsec-isakmpset peer 209.165.202.145set transform-set xauthtransformmatch address 192!crypto ipsec optional!interface Ethernet1/0ip address 209.165.202.147 255.255.255.224crypto map xauthmap!access-list 192 permit ip host 209.165.202.147 host 209.165.202.145crypto ipsec optional retry
To adjust the amount of time that a packet can be routed in the clear (unencrypted), use the crypto ipsec optional retry command in global configuration mode. To return to the default setting (5 minutes), use the no form of this command.
crypto ipsec optional retry seconds
no crypto ipsec optional retry seconds
Syntax Description
seconds
Time a connection can exist before another attempt is made to establish an encrypted IP Security (IPSec) session. The default value is 5 minutes.
Defaults
5 minutes
Command Modes
Global configuration
Command History
Usage Guidelines
You must enable the crypto ipsec optional command, which enables IPSec passive mode, before you can use this command.
Examples
The following example shows how to enable IPSec passive mode:
crypto map xauthmap 10 ipsec-isakmpset peer 209.165.202.145set transform-set xauthtransformmatch address 192!crypto ipsec optionalcrypto ipsec optional retry 60!interface Ethernet1/0ip address 209.165.202.147 255.255.255.224crypto map xauthmap!access-list 192 permit ip host 209.165.202.147 host 209.165.202.145Related Commands
crypto ipsec profile
To define the IPSecurity (IPSec) parameters that are to be used for IPSec encryption between two IPSec routers, use the crypto ipsec profile command in global configuration mode. To delete an IPSec profile, use the no form of this command.
crypto ipsec profile name
no crypto ipsec profile name
Syntax Description
Defaults
An IPSec profile is not defined.
Command Modes
Global configuration
Command History
Usage Guidelines
An IPSec profile abstracts the IPSec policy settings into a single profile that can be used in other parts of the Cisco IOS configuration.
The IPSec profile shares most of the same commands with the crypto map configuration, but only a subset of the commands are valid in an IPSec profile. Only commands that pertain to an IPSec policy can be issued under an IPSec profile; you cannot specify the IPSec peer address or the access control list (ACL) to match the packets that are to be encrypted.
The following valid commands can be configured under an IPSec profile:
•
•
•
•
After enabling this command, the only parameter that must be defined under the profile is the transform set via the set transform-set command.
For more information on transform sets, refer to the section "Defining Transform Sets" in the chapter "Configuring IPSec Network Security" in the Cisco IOS Security Configuration Guide, Release 12.2.
Examples
The following example shows how to configure a crypto map that uses an IPSec profile:
crypto ipsec transform-set cat-transforms esp-des esp-sha-hmacmode transport!crypto ipsec profile cat-profileset transform-set cat-transformsset pfs group2!crypto map foo 10 ipsec-isakmpset peer 10.13.7.67set profile foo-profilematch address 101Related Commands
crypto ipsec security-association lifetime
To change global lifetime values used when negotiating IPSec security associations, use the crypto ipsec security-association lifetime global configuration command. To reset a lifetime to the default value, use the no form of this command.
crypto ipsec security-association lifetime {seconds seconds | kilobytes kilobytes}
no crypto ipsec security-association lifetime {seconds | kilobytes}
Syntax Description
Defaults
3600 seconds (one hour) and 4,608,000 kilobytes (10 megabits per second for one hour).
Command Modes
Global configuration
Command History
Usage Guidelines
IPSec security associations use shared secret keys. These keys and their security associations time out together.
Assuming that the particular crypto map entry does not have lifetime values configured, when the router requests new security associations during security association negotiation, it will specify its global lifetime value in the request to the peer; it will use this value as the lifetime of the new security associations. When the router receives a negotiation request from the peer, it will use the smaller of the lifetime value proposed by the peer or the locally configured lifetime value as the lifetime of the new security associations.
There are two lifetimes: a "timed" lifetime and a "traffic-volume" lifetime. The security association expires after the first of these lifetimes is reached.
If you change a global lifetime, the change is only applied when the crypto map entry does not have a lifetime value specified. The change will not be applied to existing security associations, but will be used in subsequent negotiations to establish new security associations. If you want the new settings to take effect sooner, you can clear all or part of the security association database by using the clear crypto sa command. Refer to the clear crypto sa command for more details.
To change the global timed lifetime, use the crypto ipsec security-association lifetime seconds form of the command. The timed lifetime causes the security association to time out after the specified number of seconds have passed.
To change the global traffic-volume lifetime, use the crypto ipsec security-association lifetime kilobytes form of the command. The traffic-volume lifetime causes the security association to time out after the specified amount of traffic (in kilobytes) has been protected by the security associations' key.
Shorter lifetimes can make it harder to mount a successful key recovery attack, since the attacker has less data encrypted under the same key to work with. However, shorter lifetimes require more CPU processing time for establishing new security associations.
The lifetime values are ignored for manually established security associations (security associations installed using an ipsec-manual crypto map entry).
How These Lifetimes Work
The security association (and corresponding keys) will expire according to whichever occurs sooner, either after the number of seconds has passed (specified by the seconds keyword) or after the amount of traffic in kilobytes has passed (specified by the kilobytes keyword).
A new security association is negotiated before the lifetime threshold of the existing security association is reached, to ensure that a new security association is ready for use when the old one expires. The new security association is negotiated either 30 seconds before the seconds lifetime expires or when the volume of traffic through the tunnel reaches 256 kilobytes less than the kilobytes lifetime (whichever occurs first).
If no traffic has passed through the tunnel during the entire life of the security association, a new security association is not negotiated when the lifetime expires. Instead, a new security association will be negotiated only when IPSec sees another packet that should be protected.
Examples
The following example shortens both lifetimes, because the administrator feels there is a higher risk that the keys could be compromised. The timed lifetime is shortened to 2,700 seconds (45 minutes), and the traffic-volume lifetime is shortened to 2,304,000 kilobytes (10 megabits per second for one half hour).
crypto ipsec security-association lifetime seconds 2700crypto ipsec security-association lifetime kilobytes 2304000Related Commands
crypto ipsec security-association idle-time
To configure the IP Security (IPSec) security association (SA) idle timer, use the crypto ipsec security-association idle-time command in global configuration mode or crypto map configuration mode. To inactivate the IPSec SA idle timer, use the no form of this command.
crypto ipsec security-association idle-time seconds
no crypto ipsec security-association idle-time
Syntax Description
seconds
Time, in seconds, that the idle timer will allow an inactive peer to maintain an SA. Valid values for the seconds argument range from 60 to 86400.
Defaults
IPSec SA idle timers are disabled.
Command Modes
Global configuration
Crypto map configurationCommand History
Usage Guidelines
Use the crypto ipsec security-association idle-time command to configure the IPSec SA idle timer. This timer controls the amount of time that an SA will be maintained for an idle peer.
Use the crypto ipsec security-association lifetime command to configure global lifetimes for IPSec SAs. There are two lifetimes: a "timed" lifetime and a "traffic-volume" lifetime. A security association expires after the first of these lifetimes is reached.
The IPSec SA idle timers are different from the global lifetimes for IPSec SAs. The expiration of the global lifetimes is independent of peer activity. The IPSec SA idle timer allows SAs associated with inactive peers to be deleted before the global lifetime has expired.
If the IPSec SA idle timers are not configured with the crypto ipsec security-association idle-time command, only the global lifetimes for IPSec SAs are applied. SAs are maintained until the global timers expire, regardless of peer activity.
Note
Examples
The following example configures the IPSec SA idle timer to drop SAs for inactive peers after 600 seconds:
crypto ipsec security-association idle-time 600Related Commands
clear crypto sa
Deletes IPSec SAs.
crypto ipsec security-association lifetime
Changes global lifetime values used when negotiating IPSec SAs.
crypto ipsec transform-set
To define a transform set—an acceptable combination of security protocols and algorithms—use the crypto ipsec transform-set command in global configuration mode. To delete a transform set, use the no form of this command.
crypto ipsec transform-set transform-set-name transform1 [transform2] [transform3] [transform4]
no crypto ipsec transform-set transform-set-name
Syntax Description
transform-set-name
Name of the transform set to create (or modify).
transform1
transform2
transform3
transform4Type of transform. You may specify up to four "transforms": one Authentication Header (AH), one Encapsulating Security Payload (ESP) encryption, one ESP authentication, and one compression. These transforms define the IP Security (IPSec) security protocols and algorithms. Accepted transform values are described in Table 24.
Defaults
No default behavior or values
Command Modes
Global configuration.
This command invokes the crypto transform configuration mode.
Command History
11.3 T
This command was introduced.
12.2(13)T
The following transform options were added: esp-aes, esp-aes 192, and esp-aes 256.
Usage Guidelines
A transform set is an acceptable combination of security protocols, algorithms, and other settings to apply to IPSec protected traffic. During the IPSec security association (SA) negotiation, the peers agree to use a particular transform set when protecting a particular data flow.
You can configure multiple transform sets, and then specify one or more of these transform sets in a crypto map entry. The transform set defined in the crypto map entry is used in the IPSec SA negotiation to protect the data flows specified by that crypto map entry's access list. During the negotiation, the peers search for a transform set that is the same at both peers. When such a transform set is found, it is selected and will be applied to the protected traffic as part of both peer's IPSec SAs.
When Internet Key Exchange (IKE) is not used to establish SAs, a single transform set must be used. The transform set is not negotiated.
Before a transform set can be included in a crypto map entry it must be defined using this command.
A transform set specifies one or two IPSec security protocols (either AH, ESP, or both) and specifies which algorithms to use with the selected security protocol. The AH and ESP IPSec security protocols are described in the section "IPSec Protocols: AH and ESP."
To define a transform set, you specify one to four "transforms"—each transform represents an IPSec security protocol (AH or ESP) plus the algorithm you want to use. When the particular transform set is used during negotiations for IPSec SAs, the entire transform set (the combination of protocols, algorithms, and other settings) must match a transform set at the remote peer.
In a transform set you could specify the AH protocol, the ESP protocol, or both. If you specify an ESP protocol in a transform set, you can specify just an ESP encryption transform or both an ESP encryption transform and an ESP authentication transform.
Table 24 lists the acceptable transform combination selections for the AH and ESP protocols.
Examples of acceptable transform combinations are as follows:
•
•
•
•
•
The parser will prevent you from entering invalid combinations; for example, once you specify an AH transform it will not allow you to specify another AH transform for the current transform set.
IPSec Protocols: AH and ESP
Both the AH and ESP protocols implement security services for IPSec.
AH provides data authentication and antireplay services.
ESP provides packet encryption and optional data authentication and antireplay services.
ESP encapsulates the protected data—either a full IP datagram (or only the payload)—with an ESP header and an ESP trailer. AH is embedded in the protected data; it inserts an AH header immediately after the outer IP header and before the inner IP datagram or payload. Traffic that originates and terminates at the IPSec peers can be sent in either tunnel or transport mode; all other traffic is sent in tunnel mode. Tunnel mode encapsulates and protects a full IP datagram, while transport mode encapsulates/protects the payload of an IP datagram. For more information about modes, see the mode (IPSec) command description.
Selecting Appropriate Transforms
The following tips may help you select transforms that are appropriate for your situation:
•
•
•
•
•
Note
•
Suggested transform combinations follow:
•
•
The Crypto Transform Configuration Mode
After you issue the crypto ipsec transform-set command, you are put into the crypto transform configuration mode. While in this mode, you can change the mode to tunnel or transport. (These are optional changes.) After you have made these changes, type exit to return to global configuration mode. For more information about these optional changes, see the match address (IPSec) and mode (IPSec) command descriptions.
Changing Existing Transforms
If one or more transforms are specified in the crypto ipsec transform-set command for an existing transform set, the specified transforms will replace the existing transforms for that transform set.
If you change a transform set definition, the change is only applied to crypto map entries that reference the transform set. The change will not be applied to existing SAs, but will be used in subsequent negotiations to establish new SAs. If you want the new settings to take effect sooner, you can clear all or part of the SA database by using the clear crypto sa command.
Examples
The following example defines two transform sets. The first transform set will be used with an IPSec peer that supports the newer ESP and AH protocols. The second transform set will be used with an IPSec peer that only supports the older transforms.
crypto ipsec transform-set newer esp-3des esp-sha-hmaccrypto ipsec transform-set older ah-rfc-1828 esp-rfc1829The following example is a sample warning message that is displayed when a user enters an IPSec transform that the hardware does not support:
crypto ipsec transform transform-1 esp-aes 256 esp-md5WARNING:encryption hardware does not support transformesp-aes 256 within IPSec transform transform-1Related Commands
crypto isamkp nat keepalive
To allow an IP Security (IPSec) node to send Network Address Translation (NAT) keepalive packets, use the crypto isakmp nat keepalive command in global configuration mode. To disable NAT keepalive packets, use the no form of this command.
crypto isakmp nat keepalive seconds
no crypto isakmp nat keepalive
Syntax Description
Defaults
NAT keepalive packets are not sent.
Command Modes
Global configuration
Command History
Usage Guidelines
The crypto isakmp nat keepalive command allows users to keep the dynamic NAT mapping alive during a connection between two peers. A NAT keepalive beat is sent if IPSec does not send or receive a packet within a specified time period.
If this command is enabled, users should ensure that the idle value is shorter than than the NAT mapping expiration time.
Examples
The following example shows how to enable NAT keepalives to be sent every 20 seconds:
crypto isakmp policy 1authentication pre-sharecrypto isakmp key 1234 address 56.0.0.1crypto isakmp nat keepalive 20!crypto ipsec transform-set t2 esp-des esp-sha-hmacno crypto engine accelerator!crypto map test2 10 ipsec-isakmpset peer 56.0.0.1set transform-set t2match address 101crypto map (global IPSec)
To enter crypto map configuration mode and create or modify a crypto map entry, to create a crypto profile that provides a template for configuration of dynamically created crypto maps, or to configure a client accounting list, use the crypto map command in global configuration mode. To delete a crypto map entry, profile, or set, use the no form of this command.
crypto map map-name seq-num [ipsec-manual]
crypto map map-name seq-num [ipsec-isakmp] [dynamic dynamic-map-name] [discover] [profile profile-name]
crypto map map-name [client-accounting-list aaalist]
no crypto map map-name seq-num
Note
Syntax Description
Defaults
No crypto maps exist.
Peer discovery is not enabled.
Command Modes
Global configuration
Command History
Usage Guidelines
Use this command to create a new crypto map entry, to create a crypto map profile, or to modify an existing crypto map entry or profile.
After a crypto map entry has been created, you cannot change the parameters specified at the global configuration level because these parameters determine which of the configuration commands are valid at the crypto map level. For example, after a map entry has been created using the ipsec-isakmp keyword, you cannot change it to the option specified by the ipsec-manual keyword; you must delete and reenter the map entry.
After you define crypto map entries, you can assign the crypto map set to interfaces using the crypto map (interface IPSec) command.
Crypto Map Functions
Crypto maps provide two functions: filtering and classifying traffic to be protected and defining the policy to be applied to that traffic. The first use affects the flow of traffic on an interface; the second affects the negotiation performed (via IKE) on behalf of that traffic.
IPSec crypto maps define the following:
•
•
•
•
Multiple Crypto Map Entries with the Same Map Name Form a Crypto Map Set
A crypto map set is a collection of crypto map entries, each with a different seq-num argument but the same map-name argument. Therefore, for a given interface, you could have certain traffic forwarded to one IPSec peer with specified security applied to that traffic and other traffic forwarded to the same or a different IPSec peer with different IPSec security applied. To accomplish differential forwarding you would create two crypto maps, each with the same map-name argument, but each with a different seq-num argument. Crypto profiles must have unique names within a crypto map set.
Sequence Numbers
The number you assign to the seq-num argument should not be arbitrary. This number is used to rank multiple crypto map entries within a crypto map set. Within a crypto map set, a crypto map entry with a lower seq-num is evaluated before a map entry with a higher seq-num; that is, the map entry with the lower number has a higher priority.
For example, consider a crypto map set that contains three crypto map entries: mymap 10, mymap 20, and mymap 30. The crypto map set named "mymap" is applied to serial interface 0. When traffic passes through serial interface 0, the traffic is evaluated first for mymap 10. If the traffic matches any access list permit statement entry in the extended access list in mymap 10, the traffic will be processed according to the information defined in mymap 10 (including establishing IPSec SAs when necessary). If the traffic does not match the mymap 10 access list, the traffic will be evaluated for mymap 20, and then mymap 30, until the traffic matches a permit entry in a map entry. (If the traffic does not match a permit entry in any crypto map entry, it will be forwarded without any IPSec security.)
Dynamic Crypto Maps
Refer to the "Usage Guidelines" section of the crypto dynamic-map command for a discussion on dynamic crypto maps.
Crypto map entries that reference dynamic map sets should be the lowest priority map entries, allowing inbound SA negotiation requests to try to match the static maps first. Only after the request does not match any of the static maps, do you want it to be evaluated against the dynamic map set.
To make a crypto map entry referencing a dynamic crypto map set the lowest priority map entry, give the map entry the highest seq-num of all the map entries in a crypto map set.
Create dynamic crypto map entries using the crypto dynamic-map command. After you create a dynamic crypto map set, add the dynamic crypto map set to a static crypto map set with the crypto map (global IPSec) command using the dynamic keyword.
TED
TED is an enhancement to the IPSec feature. Defining a dynamic crypto map allows you to dynamically determine an IPSec peer; however, only the receiving router has this ability. With TED, the initiating router can dynamically determine an IPSec peer for secure IPSec communications.
Dynamic TED helps to simplify IPSec configuration on the individual routers within a large network. Each node has a simple configuration that defines the local network that the router is protecting and the IPSec transforms that are required.
Note
Crypto Map Profiles
Crypto map profiles are created using the profile profile-name keyword and argument combination. Crypto map profiles are used as configuration templates for dynamically creating crypto maps on demand for use with the Layer 2 Transport Protocol (L2TP) Security feature. The relevant SAs the crypto map profile will be cloned and used to protect IP traffic on the L2TP tunnel.
Note
Examples
The following example shows the minimum required crypto map configuration when IKE will be used to establish the SAs:
crypto map mymap 10 ipsec-isakmpmatch address 101set transform-set my_t_set1set peer 10.0.0.1The following example shows the minimum required crypto map configuration when the SAs are manually established:
crypto transform-set someset ah-md5-hmac esp-descrypto map mymap 10 ipsec-manualmatch address 102set transform-set somesetset peer 10.0.0.5set session-key inbound ah 256 98765432109876549876543210987654set session-key outbound ah 256 fedcbafedcbafedcfedcbafedcbafedcset session-key inbound esp 256 cipher 0123456789012345set session-key outbound esp 256 cipher abcdefabcdefabcdThe following example configures an IPSec crypto map set that includes a reference to a dynamic crypto map set.
Crypto map "mymap 10" allows SAs to be established between the router and either (or both) of two remote IPSec peers for traffic matching access list 101. Crypto map "mymap 20" allows either of two transform sets to be negotiated with the remote peer for traffic matching access list 102.
Crypto map entry "mymap 30" references the dynamic crypto map set "mydynamicmap," which can be used to process inbound SA negotiation requests that do not match "mymap" entries 10 or 20. In this case, if the peer specifies a transform set that matches one of the transform sets specified in "mydynamicmap," for a flow permitted by the access list 103, IPSec will accept the request and set up SAs with the remote peer without previously knowing about the remote peer. If the request is accepted, the resulting SAs (and temporary crypto map entry) are established according to the settings specified by the remote peer.
The access list associated with "mydynamicmap 10" is also used as a filter. Inbound packets that match any access list permit statement in this list are dropped for not being IPSec protected. (The same is true for access lists associated with static crypto maps entries.) Outbound packets that match a permit statement without an existing corresponding IPSec SA are also dropped.
crypto map mymap 10 ipsec-isakmpmatch address 101set transform-set my_t_set1set peer 10.0.0.1set peer 10.0.0.2crypto map mymap 20 ipsec-isakmpmatch address 102set transform-set my_t_set1 my_t_set2set peer 10.0.0.3crypto map mymap 30 ipsec-isakmp dynamic mydynamicmap!crypto dynamic-map mydynamicmap 10match address 103set transform-set my_t_set1 my_t_set2 my_t_set3The following example configures TED on a Cisco router:
crypto map testtag 10 ipsec-isakmp dynamic dmap discoverThe following example configures a crypto profile to be used as a template for dynamically created crypto maps when IPSec is used to protect an L2TP tunnel:
crypto map l2tpsec 10 ipsec-isakmp profile l2tp
Related Commands
crypto map (interface IPSec)
To apply a previously defined crypto map set to an interface, use the crypto map command in interface configuration mode. To remove the crypto map set from the interface, use the no form of this command.
crypto map map-name [redundancy standby-name]
no crypto map map-name [redundancy standby-name]
Syntax Description
Defaults
No crypto maps are assigned to interfaces.
Command Modes
Interface configuration
Command History
Usage Guidelines
Use this command to assign a crypto map set to an interface. You must assign a crypto map set to an interface before that interface can provide IPSec services. Only one crypto map set can be assigned to an interface. If multiple crypto map entries have the same map name but a different sequence number, they are considered to be part of the same set and will all be applied to the interface. The crypto map entry that has the lowest sequence number is considered the highest priority and will be evaluated first. A single crypto map set can contain a combination of cisco, ipsec-isakmp, and ipsec-manual crypto map entries.
The standby name needs to be configured on all devices in the standby group, and the standby address needs to configured on at least one member of the group. If the standby name is removed from the router, the IPSec security associations (SAs) will be deleted. If the standby name is added again, regardless of whether the same name or a different name is used, the crypto map (using the redundancy option) will have to be reapplied to the interface.
Examples
The following example shows how all remote Virtual Private Network (VPN) gateways connect to the router via 192.168.0.3:
crypto map mymap 1 ipsec-isakmpset peer 10.1.1.1reverse-routeset transform-set esp-3des-shamatch address 102Interface FastEthernet 0/0ip address 192.168.0.2 255.255.255.0standby name group1standby ip 192.168.0.3crypto map mymap redundancy group1access-list 102 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.255.255The crypto map on the interface binds this standby address as the local tunnel endpoint for all instances of "mymap" and, at the same time, ensures that HSRP failover is facilitated between an active and standby device that belongs to the same standby group, "group1."
Note that reverse route injection (RRI) is also enabled to provide the ability for only the active device in the HSRP group to be advertising itself to inside devices as the next hop VPN gateway to the remote proxies. If a failover occurs, routes are deleted on the former active device and created on the new active device.
Related Commands
crypto map local-address
To specify and name an identifying interface to be used by the crypto map for IPSec traffic, use the crypto map local-address global configuration command. To remove this command from the configuration, use the no form of this command.
crypto map map-name local-address interface-id
no crypto map map-name local-address
Syntax Description
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
Usage Guidelines
If you apply the same crypto map to two interfaces and do not use this command, two separate security associations (with different local IP addresses) could be established to the same peer for similar traffic. If you are using the second interface as redundant to the first interface, it could be preferable to have a single security association (with a single local IP address) created for traffic sharing the two interfaces. Having a single security association decreases overhead and makes administration simpler.
This command allows a peer to establish a single security association (and use a single local IP address) that is shared by the two redundant interfaces.
If applying the same crypto map set to more than one interface, the default behavior is as follows:
•
•
However, if you use a local-address for that crypto map set, it has multiple effects:
•
•
One suggestion is to use a loopback interface as the referenced local address interface, because the loopback interface never goes down.
Examples
The following example assigns crypto map set "mymap" to the S0 interface and to the S1 interface. When traffic passes through either S0 or S1, the traffic will be evaluated against the all the crypto maps in the "mymap" set. When traffic through either interface matches an access list in one of the "mymap" crypto maps, a security association will be established. This same security association will then apply to both S0 and S1 traffic that matches the originally matched IPSec access list. The local address that IPSec will use on both interfaces will be the IP address of interface loopback0.
interface S0crypto map mymapinterface S1crypto map mymapcrypto map mymap local-address loopback0Related Commands
crypto mib ipsec flowmib history failure size
To change the size of the IP Security (IPSec) MIB failure history table, use the crypto mib ipsec flowmib history failure size command in global configuration mode.
crypto mib ipsec flowmib history failure size number
Syntax Description
Defaults
The default table size is 200.
Command Modes
Global configuration
Command History
12.1(4)E
This command was introduced.
12.2(4)T
This command was integrated into Cisco IOS Release 12.2 T.
Usage Guidelines
Use the crypto mib ipsec flowmib history failure size command to change the size of a failure history table. If you do not configure the size of a failure history table, the default of 200 will be implemented.
A failure history table stores the reason for tunnel failure and the time failure occurred. A failure history table can be used as a simple method to distinguish between a normal and an abnormal tunnel termination. That is, if a tunnel entry in the tunnel history table has no associated failure record, the tunnel must have terminated normally. However, every failure does not correspond to a tunnel. Supported setup failures are recorded in the failure table, but a history table is not associated because a tunnel was never set up.
Examples
In the following example the size of a failure history table is configured to be 140:
Router(config)# crypto mib ipsec flowmib history failure size 140Related Commands
crypto mib ipsec flowmib history tunnel size
To change the size of the IP Security (IPSec) tunnel history table, use the crypto mib ipsec flowmib history tunnel size command in global configuration mode.
crypto mib ipsec flowmib history tunnel size number
Syntax Description
Defaults
The default table size is 200.
Command Modes
Global configuration
Command History
12.1(4)E
This command was introduced.
12.2(4)T
This command was integrated into Cisco IOS Release 12.2 T.
Usage Guidelines
Use the crypto mib ipsec flowmib history tunnel size command to change the size of a tunnel history table. If you do not configure the size of a tunnel history table, the default of 200 will be implemented.
A tunnel history table stores the attribute and statistics records, which contain the attributes and the last snapshot of the traffic statistics of a given tunnel. A tunnel history table accompanies a failure table, so you can display the complete history of a given tunnel. However, a tunnel history table does not accompany every failure table because every failure does not correspond to a tunnel. Thus, supported setup failures are recorded in the failure table, but an associated history table is not recorded because a tunnel was never set up.
As an optimization, a tunnel endpoint table can be combined with a tunnel history table. However, if a tunnel endpoint table is combined, all three tables (the failure history table, tunnel history table, and the endpoint table) must remain the same size even though the MIB allows each table to be distinct.
Examples
In the following example, the size of the tunnel history table changed to 130:
Router(config)# crypto mib ipsec flowmib history tunnel size 130dn
To associate the identity of the router with the distinguished name (DN) in the certificate of the router, use the dn command in crypto identity configuration mode. To remove this command from your configuration, use the no form of this command.
dn name=string [, name=string]
no dn name=string [, name=string]
Syntax Description
name=string
Identity used to restrict access to peers with specific certificates. Optionally, you can associate more than one identity.
Defaults
If this command is not enabled, the router can communicate with any encrypted interface that is not restricted on its IP address.
Command Modes
Crypto identity configuration
Command History
Usage Guidelines
Use the dn command to associate the identity of the router, which is defined in the crypto identity command, with the DN that the peer used to authenticate itself. This command allows you set restrictions in the router configuration that prevent those peers with specific certificates, especially certificates with particular DNs, from having access to selected encrypted interfaces.
Note
An encrypting peer matches this list if it contains the attributes listed in any one line defined within the name=string.
Examples
The following example shows how to configure an IP Security (IPSec) crypto map that can be used only by peers that have been authenticated by the DN and if the certificate belongs to "BigBiz":
crypto map map-to-bigbiz 10 ipsec-isakmpset peer 172.21.114.196set transform-set my-transformsetmatch address 124identity to-bigbiz!crypto identity to-bigbizdn ou=BigBizRelated Commands
fqdn
To associate the identity of the router with the hostname that the peer used to authenticate itself, use the fqdn command in crypto identity configuration mode. To remove this command from your configuration, use the no form of this command.
fqdn name
no fqdn name
Syntax Description
Defaults
If this command is not enabled, the router can communicate with any encrypted interface that is not restricted on its IP address.
Command Modes
Crypto identity configuration
Command History
Usage Guidelines
Use the fqdn command to associate the identity of the router, which is defined in the crypto identity command, with the distinguished name (DN) in the certificate of the router. This command allows you set restrictions in the router configuration that prevent those peers with specific certificates, especially certificates with particular DNs, from having access to selected encrypted interfaces.
Note
Examples
The following example shows how to configure a crypto map that can be used only by peers that have been authenticated by hostname and if the certificate belongs to "little.com":
crypto map map-to-little-com 10 ipsec-isakmpset peer 172.21.115.119set transform-set my-transformsetmatch address 125identity to-little-com!crypto identity to-little-comfqdn little.comRelated Commands
identity
To set the identity to the crypto map, use the identity command in crypto map configuration mode.
identity name
Syntax Description
Defaults
If this command is not enabled, the encrypted connection does not have any restrictions other than the IP address of the encrypting peer.
Command Modes
Crypto map configuration
Command History
Usage Guidelines
Use the identity command to set the identity to the configured crypto maps. When this command is applied, only the hosts that match a configuration listed within the name argument can use that crypto map.
Examples
The following example shows how to configure two IP Security (IPSec) crypto maps and apply the identity to each crypto map. That is, the identity is set to "to-bigbiz" for the first crypto map and "to-little-com" for the second crypto map.
! The following is an IPSec crypto map (part of IPSec configuration). It can be used only! by peers that have been authenticated by DN and if the certificate belongs to BigBiz.crypto map map-to-bigbiz 10 ipsec-isakmpset peer 172.21.114.196set transform-set my-transformsetmatch address 124identity to-bigbiz!crypto identity to-bigbizdn ou=BigBiz!!! This crypto map can be used only by peers that have been authenticated by hostname! and if the certificate belongs to little.com.crypto map map-to-little-com 10 ipsec-isakmpset peer 172.21.115.119set transform-set my-transformsetmatch address 125identity to-little-com!crypto identity to-little-comfqdn little.com!Related Commands
ip http ezvpn
To enable the Cisco Easy VPN Remote web server interface, use the ip http ezvpn command in global configuration mode. To disable the Cisco Easy VPN Remote web interface, use the no form of this command.
ip http ezvpn
no ip http ezvpn
Syntax Description
This command has no keywords or arguments.
Defaults
The Cisco Easy VPN Remote web interface is disabled by default.
Command Modes
Global configuration
Command History
12.2(8)YJ
This command was introduced for the Cisco uBR905 and Cisco uBR925 cable access routers.
12.2(15)T
This command was integrated into Cisco IOS Release 12.2(15)T.
Usage Guidelines
This command enables the Cisco Easy VPN Remote web server, an onboard web server, that allows you to connect to an IP Security (IPSec) Easy Virtual Private Network (VPN) tunnel and to provide the required authentication information. This connection allows you to perform these functions without having to use the Cisco command-line interface (CLI).
Before using this command, you must first enable the Cisco web server that is onboard the cable access router by entering the ip http server command. Then use the ip http ezvpn command to enable the Cisco Easy VPN Remote web server. You can then access the web server by entering the IP address for the Ethernet interface of the router in your web browser.
Note
Examples
The following example shows how to enable the Cisco Easy VPN Remote web server interface:
Router# configure terminalRouter(config)# ip http serverRouter(config)# ip http ezvpnRouter(config)# exitRouter# copy running-config startup-configRelated Commands
match address (IPSec)
To specify an extended access list for a crypto map entry, use the match address crypto map configuration command. To remove the extended access list from a crypto map entry, use the no form of this command.
match address [access-list-id | name]
no match address [access-list-id | name]
Syntax Description
Defaults
No access lists are matched to the crypto map entry.
Command Modes
Crypto map configuration
Command History
Usage Guidelines
This command is required for all static crypto map entries. If you are defining a dynamic crypto map entry (with the crypto dynamic-map command), this command is not required but is strongly recommended.
Use this command to assign an extended access list to a crypto map entry. You also need to define this access list using the access-list or ip access-list extended commands.
The extended access list specified with this command will be used by IPSec to determine which traffic should be protected by crypto and which traffic does not need crypto protection. (Traffic that is permitted by the access list will be protected. Traffic that is denied by the access list will not be protected in the context of the corresponding crypto map entry.)
Note that the crypto access list is not used to determine whether to permit or deny traffic through the interface. An access list applied directly to the interface makes that determination.
The crypto access list specified by this command is used when evaluating both inbound and outbound traffic. Outbound traffic is evaluated against the crypto access lists specified by the interface's crypto map entries to determine if it should be protected by crypto and if so (if traffic matches a permit entry) which crypto policy applies. (If necessary, in the case of static IPSec crypto maps, new security associations are established using the data flow identity as specified in the permit entry; in the case of dynamic crypto map entries, if no SA exists, the packet is dropped.) After passing the regular access lists at the interface, inbound traffic is evaluated against the crypto access lists specified by the entries of the interface's crypto map set to determine if it should be protected by crypto and, if so, which crypto policy applies. (In the case of IPSec, unprotected traffic is discarded because it should have been protected by IPSec.)
In the case of IPSec, the access list is also used to identify the flow for which the IPSec security associations are established. In the outbound case, the permit entry is used as the data flow identity (in general), while in the inbound case the data flow identity specified by the peer must be "permitted" by the crypto access list.
Examples
The following example shows the minimum required crypto map configuration when IKE will be used to establish the security associations. (This example is for a static crypto map.)
crypto map mymap 10 ipsec-isakmpmatch address 101set transform-set my_t_set1set peer 10.0.0.1Related Commands
mode (IPSec)
To change the mode for a transform set, use the mode crypto transform configuration command. To reset the mode to the default value of tunnel mode, use the no form of the command.
mode [tunnel | transport]
no mode
Syntax Description
tunnel | transport
(Optional) Specifies the mode for a transform set: either tunnel or transport mode. If neither tunnel nor transport is specified, the default (tunnel mode) is assigned.
Defaults
Tunnel mode
Command Modes
Crypto transform configuration
Command History
Usage Guidelines
Use this command to change the mode specified for the transform. This setting is only used when the traffic to be protected has the same IP addresses as the IPSec peers (this traffic can be encapsulated either in tunnel or transport mode). This setting is ignored for all other traffic (all other traffic is encapsulated in tunnel mode).
If the traffic to be protected has the same IP address as the IP Security peers and transport mode is specified, during negotiation the router will request transport mode but will accept either transport or tunnel mode. If tunnel mode is specified, the router will request tunnel mode and will accept only tunnel mode.
After you define a transform set, you are put into the crypto transform configuration mode. While in this mode you can change the mode to either tunnel or transport. This change applies only to the transform set just defined.
If you do not change the mode when you first define the transform set, but later decide you want to change the mode for the transform set, you must re-enter the transform set (specifying the transform name and all its transforms) and then change the mode.
If you use this command to change the mode, the change will only affect the negotiation of subsequent IPSec security associations via crypto map entries which specify this transform set. (If you want the new settings to take effect sooner, you can clear all or part of the security association database. See the clear crypto sa command for more details.
Tunnel Mode
With tunnel mode, the entire original IP packet is protected (encrypted, authenticated, or both) and is encapsulated by the IPSec headers and trailers (an Encapsulation Security Protocol header and trailer, an Authentication Header, or both). Then a new IP header is prefixed to the packet, specifying the IPSec endpoints as the source and destination.
Tunnel mode can be used with any IP traffic. Tunnel mode must be used if IPSec is protecting traffic from hosts behind the IPSec peers. For example, tunnel mode is used with Virtual Private Networks (VPNs) where hosts on one protected network send packets to hosts on a different protected network via a pair of IPSec peers. With VPNs, the IPSec peers "tunnel" the protected traffic between the peers while the hosts on their protected networks are the session endpoints.
Transport Mode
With transport mode, only the payload (data) of the original IP packet is protected (encrypted, authenticated, or both). The payload is encapsulated by the IPSec headers and trailers (an ESP header and trailer, an AH header, or both). The original IP headers remain intact and are not protected by IPSec.
Use transport mode only when the IP traffic to be protected has IPSec peers as both the source and destination. For example, you could use transport mode to protect router management traffic. Specifying transport mode allows the router to negotiate with the remote peer whether to use transport or tunnel mode.
Examples
The following example defines a transform set and changes the mode to transport mode. The mode value only applies to IP traffic with the source and destination addresses at the local and remote IPSec peers.
crypto ipsec transform-set newer esp-des esp-sha-hmacmode transportexitRelated Commands
Defines a transform set—an acceptable combination of security protocols and algorithms.
reverse-route
To create source proxy information for a crypto map entry, use the reverse-route command in crypto map configuration mode. To remove the source proxy information from a crypto map entry, use the no form of this command.
reverse-route [remote-peer [ip-address]]
no reverse-route [remote-peer [ip-address]]
Syntax Description
Defaults
No default behavior or values.
Command Modes
Crypto map configuration
Command History
Usage Guidelines
This command can be applied on a per-crypto basis.
Reverse route injection (RRI) provides a scaleable mechanism to dynamically learn and advertise the IP address and subnets that belong to a remote site that connects through an IP Security (IPSec) virtual private network (VPN) tunnel.
When enabled in an IPSec crypto map, RRI will learn all the subnets from any network that is defined in the crypto access control list (ACL) as the destination network. The learned routes are installed into the local routing table as static routes that point to the encrypted interface. When the IPSec tunnel is torn down, the associated static routes will be removed. These static routes may then be redistributed into other dynamic routing protocols so that they can be advertised to other parts of the network (usually done by redistributing RRI routes into dynamic routing protocols on the core side).
Examples
The following example shows how all remote VPN gateways connect to the router via 192.168.0.3:
crypto map mymap 1 ipsec-isakmpset peer 10.1.1.1reverse-routeset transform-set esp-3des-shamatch address 102Interface FastEthernet 0/0ip address 192.168.0.2 255.255.255.0standby name group1standby ip 192.168.0.3crypto map mymap redundancy group1access-list 102 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.255.255Related Commands
set peer (IPSec)
To specify an IP Security peer in a crypto map entry, use the set peer crypto map configuration command. To remove an IPSec peer from a crypto map entry, use the no form of this command.
set peer {hostname | ip-address}
no set peer {hostname | ip-address}
Syntax Description
Defaults
No peer is defined by default.
Command Modes
Crypto map configuration
Command History
Usage Guidelines
Use this command to specify an IPSec peer for a crypto map.
This command is required for all static crypto maps. If you are defining a dynamic crypto map (with the crypto dynamic-map command), this command is not required, and in most cases is not used (because, in general, the peer is unknown).
For ipsec-isakmp crypto map entries, you can specify multiple peers by repeating this command. The peer that packets are actually sent to is determined by the last peer that the router heard from (received either traffic or a negotiation request from) for a given data flow. If the attempt fails with the first peer, Internet Key Exchange tries the next peer on the crypto map list.
For ipsec-manual crypto entries, you can specify only one IPSec peer per crypto map. If you want to change the peer, you must first delete the old peer and then specify the new peer.
You can specify the remote IPSec peer by its host name only if the host name is mapped to the peer's IP address in a Domain Name Server or if you manually map the host name to the IP address with the ip host command.
Examples
The following example shows a crypto map configuration when IKE will be used to establish the security associations. In this example, a security association could be set up to either the IPSec peer at 10.0.0.1 or the peer at 10.0.0.2.
crypto map mymap 10 ipsec-isakmpmatch address 101set transform-set my_t_set1set peer 10.0.0.1set peer 10.0.0.2Related Commands
set pfs
To specify that IP Security should ask for perfect forward secrecy (PFS) when requesting new security associations for this crypto map entry, or that IPSec requires PFS when receiving requests for new security associations, use the set pfs crypto map configuration command. To specify that IPSec should not request PFS, use the no form of the command.
set pfs [group1 | group2]
no set pfs
Syntax Description
Defaults
By default, PFS is not requested. If no group is specified with this command, group1 is used as the default.
Command Modes
Crypto map configuration
Command History
Usage Guidelines
This command is only available for ipsec-isakmp crypto map entries and dynamic crypto map entries.
During negotiation, this command causes IPSec to request PFS when requesting new security associations for the crypto map entry. The default (group1) is sent if the set pfs statement does not specify a group. If the peer initiates the negotiation and the local configuration specifies PFS, the remote peer must perform a PFS exchange or the negotiation will fail. If the local configuration does not specify a group, a default of group1 will be assumed, and an offer of either group1 or group2 will be accepted. If the local configuration specifies group2, that group must be part of the peer's offer or the negotiation will fail. If the local configuration does not specify PFS it will accept any offer of PFS from the peer.
PFS adds another level of security because if one key is ever cracked by an attacker then only the data sent with that key will be compromised. Without PFS, data sent with other keys could be also compromised.
With PFS, every time a new security association is negotiated, a new Diffie-Hellman exchange occurs. (This exchange requires additional processing time.)
The 1024-bit Diffie-Hellman prime modulus group, group2, provides more security than group1, but requires more processing time than group1.
Examples
The following example specifies that PFS should be used whenever a new security association is negotiated for the crypto map "mymap 10":
crypto map mymap 10 ipsec-isakmpset pfs group2Related Commands
set security-association level per-host
To specify that separate IP Security security associations should be requested for each source/destination host pair, use the set security-association level per-host crypto map configuration command. To specify that one security association should be requested for each crypto map access list permit entry, use the no form of this command.
set security-association level per-host
no set security-association level per-host
Syntax Description
This command has no arguments or keywords.
Defaults
For a given crypto map, all traffic between two IPSec peers matching a single crypto map access list permit entry will share the same security association.
Command Modes
Crypto map configuration
Command History
Usage Guidelines
This command is only available for ipsec-isakmp crypto map entries and is not supported for dynamic crypto map entries.
When you use this command, you need to specify that a separate security association should be used for each source/destination host pair.
Normally, within a given crypto map, IPSec will attempt to request security associations at the granularity specified by the access list entry. For example, if the access list entry permits IP protocol traffic between subnet A and subnet B, IPSec will attempt to request security associations between subnet A and subnet B (for any IP protocol), and unless finer-grained security associations are established (by a peer request), all IPSec-protected traffic between these two subnets would use the same security association.
This command causes IPSec to request separate security associations for each source/destination host pair. In this case, each host pairing (where one host was in subnet A and the other host was in subnet B) would cause IPSec to request a separate security association.
With this command, one security association would be requested to protect traffic between host A and host B, and a different security association would be requested to protect traffic between host A and host C.
The access list entry can specify local and remote subnets, or it can specify a host-and-subnet combination. If the access list entry specifies protocols and ports, these values are applied when establishing the unique security associations.
Use this command with care, as multiple streams between given subnets can rapidly consume system resources.
Examples
The following example shows what happens with an access list entry of permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255 and a per-host level:
•
•
•
Without the per-host level, any of the above packets will initiate a single security association request originated via permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255.
Related Commands
set security-association lifetime
To override (for a particular crypto map entry) the global lifetime value, which is used when negotiating IP Security security associations, use the set security-association lifetime crypto map configuration command. To reset a crypto map entry's lifetime value to the global value, use the no form of this command.
set security-association lifetime {seconds seconds | kilobytes kilobytes}
no set security-association lifetime {seconds | kilobytes}
Syntax Description
Defaults
The crypto map's security associations are negotiated according to the global lifetimes.
Command Modes
Crypto map configuration
Command History
Usage Guidelines
This command is available only for ipsec-isakmp crypto map entries and dynamic crypto map entries.
IPSec security associations use shared secret keys. These keys and their security associations time out together.
Assuming that the particular crypto map entry has lifetime values configured, when the router requests new security associations during security association negotiation, it will specify its crypto map lifetime value in the request to the peer; it will use this value as the lifetime of the new security associations. When the router receives a negotiation request from the peer, it will use the smaller of the lifetime value proposed by the peer or the locally configured lifetime value as the lifetime of the new security associations.
There are two lifetimes: a "timed" lifetime and a "traffic-volume" lifetime. The session keys/security association expires after the first of these lifetimes is reached.
If you change a lifetime, the change will not be applied to existing security associations, but will be used in subsequent negotiations to establish security associations for data flows supported by this crypto map entry. If you want the new settings to take effect sooner, you can clear all or part of the security association database by using the clear crypto sa command. Refer to the clear crypto sa command for more detail.
To change the timed lifetime, use the set security-association lifetime seconds form of the command. The timed lifetime causes the keys and security association to time out after the specified number of seconds have passed.
To change the traffic-volume lifetime, use the set security-association lifetime kilobytes form of the command. The traffic-volume lifetime causes the key and security association to time out after the specified amount of traffic (in kilobytes) has been protected by the security association's key.
Shorter lifetimes can make it harder to mount a successful key recovery attack, because the attacker has less data encrypted under the same key to work with. However, shorter lifetimes need more CPU processing time.
The lifetime values are ignored for manually established security associations (security associations installed via an ipsec-manual crypto map entry).
How These Lifetimes Work
Assuming that the particular crypto map entry does not have lifetime values configured, when the router requests new security associations it will specify its global lifetime values in the request to the peer; it will use this value as the lifetime of the new security associations. When the router receives a negotiation request from the peer, it will use the smaller of either the lifetime value proposed by the peer or the locally configured lifetime value as the lifetime of the new security associations.
The security association (and corresponding keys) will expire according to whichever occurs sooner, either after the seconds time out or after the kilobytes amount of traffic is passed.
A new security association is negotiated before the lifetime threshold of the existing security association is reached, to ensure that a new security association is ready for use when the old one expires. The new security association is negotiated either 30 seconds before the seconds lifetime expires or when the volume of traffic through the tunnel reaches 256 kilobytes less than the kilobytes lifetime (whichever occurs first).
If no traffic has passed through the tunnel during the entire life of the security association, a new security association is not negotiated when the lifetime expires. Instead, a new security association will be negotiated only when IPSec sees another packet that should be protected.
Examples
The following example shortens the timed lifetime for a particular crypto map entry, because there is a higher risk that the keys could be compromised for security associations belonging to the crypto map entry. The traffic-volume lifetime is not changed because there is not a high volume of traffic anticipated for these security associations. The timed lifetime is shortened to 2700 seconds (45 minutes).
crypto map mymap 10 ipsec-isakmpset security-association lifetime seconds 2700Related Commands
set session-key
To manually specify the IP Security session keys within a crypto map entry, use the set session-key crypto map configuration command. This command is only available for ipsec-manual crypto map entries. To remove IPSec session keys from a crypto map entry, use the no form of this command.
set session-key {inbound | outbound} ah spi hex-key-string
set session-key {inbound | outbound} esp spi cipher hex-key-string [authenticator hex-key-string]
no set session-key {inbound | outbound} ah
no set session-key {inbound | outbound} esp
Syntax Description
Defaults
No session keys are defined by default.
Command Modes
Crypto map configuration
Command History
Usage Guidelines
Use this command to define IPSec keys for security associations via ipsec-manual crypto map entries. (In the case of ipsec-isakmp crypto map entries, the security associations with their corresponding keys are automatically established via the IKE negotiation.)
If the crypto map's transform set includes an AH protocol, you must define IPSec keys for AH for both inbound and outbound traffic. If the crypto map's transform set includes an ESP encryption protocol, you must define IPSec keys for ESP encryption for both inbound and outbound traffic. If your transform set includes an ESP authentication protocol, you must define IPSec keys for ESP authentication for inbound and outbound traffic.
When you define multiple IPSec session keys within a single crypto map, you can assign the same security parameter index (SPI) number to all the keys. The SPI is used to identify the security association used with the crypto map. However, not all peers have the same flexibility in SPI assignment. You should coordinate SPI assignment with your peer's operator, making certain that the same SPI is not used more than once for the same destination address/protocol combination.
Security associations established via this command do not expire (unlike security associations established via IKE).
Session keys at one peer must match the session keys at the remote peer.
If you change a session key, the security association using the key will be deleted and reinitialized.
Examples
The following example shows a crypto map entry for manually established security associations. The transform set "t_set" includes only an AH protocol.
crypto ipsec transform-set t_set ah-sha-hmaccrypto map mymap 20 ipsec-manualmatch address 102set transform-set t_setset peer 10.0.0.21set session-key inbound ah 300 1111111111111111111111111111111111111111set session-key outbound ah 300 2222222222222222222222222222222222222222The following example shows a crypto map entry for manually established security associations. The transform set "someset" includes both an AH and an ESP protocol, so session keys are configured for both AH and ESP for both inbound and outbound traffic. The transform set includes both encryption and authentication ESP transforms, so session keys are created for both using the cipher and authenticator keywords.
crypto ipsec transform-set someset ah-sha-hmac esp-des esp-sha-hmaccrypto map mymap 10 ipsec-manualmatch address 101set transform-set somesetset peer 10.0.0.1set session-key inbound ah 300 9876543210987654321098765432109876543210set session-key outbound ah 300 fedcbafedcbafedcbafedcbafedcbafedcbafedcset session-key inbound esp 300 cipher 0123456789012345authenticator 0000111122223333444455556666777788889999set session-key outbound esp 300 cipher abcdefabcdefabcdauthenticator 9999888877776666555544443333222211110000Related Commands
set transform-set
To specify which transform sets can be used with the crypto map entry, use the set transform-set crypto map configuration command. To remove all transform sets from a crypto map entry, use the no form of this command.
set transform-set transform-set-name [transform-set-name2...transform-set-name6]
no set transform-set
Syntax Description
Defaults
No transform sets are included by default.
Command Modes
Crypto map configuration
Command History
Usage Guidelines
This command is required for all static and dynamic crypto map entries.
Use this command to specify which transform sets to include in a crypto map entry.
For an ipsec-isakmp crypto map entry, you can list multiple transform sets with this command. List the higher priority transform sets first.
If the local router initiates the negotiation, the transform sets are presented to the peer in the order specified in the crypto map entry. If the peer initiates the negotiation, the local router accepts the first transform set that matches one of the transform sets specified in the crypto map entry.
The first matching transform set that is found at both peers is used for the security association. If no match is found, IPSec will not establish a security association. The traffic will be dropped because there is no security association to protect the traffic.
For an ipsec-manual crypto map entry, you can specify only one transform set. If the transform set does not match the transform set at the remote peer's crypto map, the two peers will fail to correctly communicate because the peers are using different rules to process the traffic.
If you want to change the list of transform sets, re-specify the new list of transform sets to replace the old list. This change is only applied to crypto map entries that reference this transform set. The change will not be applied to existing security associations, but will be used in subsequent negotiations to establish new security associations. If you want the new settings to take effect sooner, you can clear all or part of the security association database by using the clear crypto sa command.
Any transform sets included in a crypto map must previously have been defined using the crypto ipsec transform-set command.
Examples
The following example defines two transform sets and specifies that they can both be used within a crypto map entry. (This example applies only when IKE is used to establish security associations. With crypto maps used for manually established security associations, only one transform set can be included in a given crypto map entry.)
crypto ipsec transform-set my_t_set1 esp-des esp-sha-hmaccrypto ipsec transform-set my_t_set2 ah-sha-hmac esp-des esp-sha-hmaccrypto map mymap 10 ipsec-isakmpmatch address 101set transform-set my_t_set1 my_t_set2set peer 10.0.0.1set peer 10.0.0.2In this example, when traffic matches access list 101, the security association can use either transform set "my_t_set1" (first priority) or "my_t_set2" (second priority) depending on which transform set matches the remote peer's transform sets.
show crypto dynamic-map
To view a dynamic crypto map set, use the show crypto dynamic-map command in EXEC mode.
show crypto dynamic-map [tag map-name]
Syntax Description
Command Modes
EXEC
Command History
Usage Guidelines
Use the show crypto dynamic-map command to view a dynamic crypto map set.
Examples
The following is sample output for the show crypto dynamic-map command:
Router# show crypto dynamic-mapCrypto Map Template"vpn1" 1ISAKMP Profile: vpn1-raNo matching address list set.Security association lifetime: 4608000 kilobytes/3600 secondsPFS (Y/N): NTransform sets={vpn1,The following partial configuration was in effect when the above show crypto dynamic-map command was issued:
crypto dynamic-map vpn1 1set transform-set vpn1set isakmp-profile vpn1-rareverse-routeRelated Commands
show crypto engine accelerator logs
To display information about the last 32 CryptoGraphics eXtensions (CGX) Library packet processing commands and associated parameters sent from the VPN module driver to the VPN module hardware, use the show crypto engine accelerator logs command in privileged EXEC mode.
show crypto engine accelerator logs
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
12.1(1)XC
This command was introduced on the Cisco 1720 and Cisco 1750 platforms.
12.1(2)T
This command was integrated into Cisco IOS Release 12.1(2)T.
Usage Guidelines
Use this command when encrypted traffic is sent to the router and a problem with the encryption module is suspected. Use the debug crypto engine accelerator logs command to enable command logging before using this command.
Note
Examples
The following is sample output for the show crypto engine accelerator logs command:
Router# show crypto engine accelerator logsContents of packet log (current index = 20):tag = 0x5B02, cmd = 0x5000param[0] = 0x000E, param[1] = 0x57E8param[2] = 0x0008, param[3] = 0x0000param[4] = 0x0078, param[5] = 0x0004param[6] = 0x142C, param[7] = 0x142Cparam[8] = 0x0078, param[9] = 0x000Ctag = 0x5B03, cmd = 0x4100param[0] = 0x000E, param[1] = 0x583Cparam[2] = 0x0034, param[3] = 0x0040param[4] = 0x00B0, param[5] = 0x0004param[6] = 0x1400, param[7] = 0x1400param[8] = 0x0020, param[9] = 0x000Ctag = 0x5C00, cmd = 0x4100param[0] = 0x000E, param[1] = 0x57BCparam[2] = 0x0034, param[3] = 0x0040param[4] = 0x00B0, param[5] = 0x0004param[6] = 0x1400, param[7] = 0x1400param[8] = 0x0020, param[9] = 0x000C•
•
•
tag = 0x5A01, cmd = 0x4100param[0] = 0x000E, param[1] = 0x593Cparam[2] = 0x0034, param[3] = 0x0040param[4] = 0x00B0, param[5] = 0x0004param[6] = 0x1400, param[7] = 0x1400param[8] = 0x0020, param[9] = 0x000CContents of cgx log (current index = 12):cmd = 0x0074 ret = 0x0000param[0] = 0x0010, param[1] = 0x028Eparam[2] = 0x0039, param[3] = 0x0D1Eparam[4] = 0x0100, param[5] = 0x0000param[6] = 0x0000, param[7] = 0x0000param[8] = 0x0000, param[9] = 0x0000cmd = 0x0062 ret = 0x0000param[0] = 0x0035, param[1] = 0x1BE0param[2] = 0x0100, param[3] = 0x0222param[4] = 0x0258, param[5] = 0x0000param[6] = 0x0000, param[7] = 0x0000param[8] = 0x0000, param[9] = 0x0000cmd = 0x0063 ret = 0x0000param[0] = 0x0222, param[1] = 0x0258param[2] = 0x0000, param[3] = 0x0000param[4] = 0x0000, param[5] = 0x0000param[6] = 0x0000, param[7] = 0x020Aparam[8] = 0x002D, param[9] = 0x0000•
•
•
cmd = 0x0065 ret = 0x0000param[0] = 0x0222, param[1] = 0x0258param[2] = 0x0010, param[3] = 0x028Eparam[4] = 0x00A0, param[5] = 0x0008param[6] = 0x0001, param[7] = 0x0000param[8] = 0x0000, param[9] = 0x0000Related Commands
debug crypto engine acclerator logs
Enables logging of commands and associated parameters sent from the VPN module driver to the VPN module hardware using a debug flag.
show crypto engine accelerator ring
To display the contents and status of the control command, transmit packets, and receive packet rings used by the hardware accelerator crypto engine, use the show crypto engine accelerator ring command in privileged EXEC mode.
show crypto engine accelerator ring [control | packet | pool]
Syntax Description
Command Modes
Privileged EXEC
Command History
Usage Guidelines
This command displays the command ring information.
If there were valid data in any of the rings, the ring entry would be printed.
Examples
The following example shows the command ring information:
Router# show crypto engine accelerator ring packetPPQ RING:cmd ring:head = 10 tail =10result ring:head = 10 tail =10destination ring:head = 10 tail =10source ring:head = 10 tail =10free ring:head = 0 tail =25500000000 071A96C500000000 071A96C500000001 071A946500000001 071A946500000002 071A920500000002 071A9205...Related Commands
show crypto engine accelerator sa-database
To display active (in-use) entries in the platform-specific virtual private network (VPN) module database, use the show crypto engine accelerator sa-database command in privileged EXEC configuration mode.
show crypto engine accelerator sa-database
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
12.1(1)XC
This command was introduced on the Cisco 1720 and Cisco 1750 platforms.
12.1(2)T
This command was integrated into Cisco IOS Release 12.1(2)T.
Usage Guidelines
Use this command when encrypted traffic is sent to the router and a problem with the encryption module is suspected.
Note
Examples
The following is sample output for the show crypto engine accelerator sa-database command:
Router# show crypto engine accelerator sa-databaseFlow SummaryIndex Algorithms005 tunnel inbound esp-md5-hmac esp-des ah-sha-hmac006 tunnel outbound esp-md5-hmac esp-des ah-sha-hmac007 tunnel inbound esp-md5-hmac esp-des ah-sha-hmac008 tunnel outbound esp-md5-hmac esp-des ah-sha-hmac009 tunnel inbound esp-md5-hmac esp-des ah-sha-hmac010 tunnel outbound esp-md5-hmac esp-des ah-sha-hmacSA Summary:Index DH-Index Algorithms003 001(deleted) DES SHA004 002(deleted) DES SHADH SummaryIndex Group ConfigRelated Commands
debug crypto engine acclerator logs
Enables logging of commands and associated parameters sent from the VPN module driver to the VPN module hardware using a debug flag.
show crypto engine accelerator statistic
To display the statistics and error counters for the onboard hardware accelerator of the router for IP Security (IPSec) encryption, use the show crypto engine accelerator statistic command in privileged EXEC mode.
show crypto engine accelerator statistic
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
Examples
The following example displays compression statistics:
Router# show crypto engine accelerator statisticStatistics for Hardware VPN Module:ds: 8235C3D8 idb: 82359A64Statistics for Encryption Module:0 packets in 0 packets out0 packet overruns 0 output packets dropped0 packets decompressed 0 packets compressed0 compressed bytes in 0 encompassed bytes in0 packets bypass compression 0 packet abort compression0 packets fail compression4:1 compression ratio 2:1 overall compression ratio0 decompressed bytes out 0 compressed bytes out0 packets decrypted 0 packets encrypted0 bytes decrypted 0 bytes encrypted0 bytes before decrypt 0 bytes after encrypt0 paks/sec in 0 paks/sec out0 Kbits/sec decrypted 0 Kbits/sec encrypted0 packet overrunsrx_no_endp: 0 rx_hi_discards: 0 fw_failure: 0invalid_sa: 0 invalid_flow: 0 cgx_errors 0fw_qs_filled: 0 fw_resource_lock:0 lotx_full_err: 0null_ip_error: 0 pad_size_error: 0 out_bound_dh_acc: 0esp_auth_fail: 0 ah_auth_failure: 0 crypto_pad_error: 0ah_prot_absent: 0 ah_seq_failure: 0 ah_spi_failure: 0esp_prot_absent:0 esp_seq_fail: 0 esp_spi_failure: 0obound_sa_acc: 0 invalid_sa: 0 out_bound_sa_flow: 0invalid_dh: 0 bad_keygroup: 0 out_of_memory: 0no_sh_secret: 0 no_skeys: 0 invalid_cmd: 0dsp_coproc_err: 0 comp_unsupported:0 pak_too_big: 0null packets: 0pak_mp_length_spec_fault: 0tx_lo_queue_size_max 0 cmd_unimplemented: 0219 seconds since last clear of countersInterrupts: 4 Immed: 3 HiPri ints: 0LoPri ints: 0 POST Errs: 0 Alerts: 1Unk Cmds: 0 UnexpCmds: 0cgx_cmd_pending:0 packet_loop_max: 0 packet_loop_limit: 0Table 25 describes significant fields shown in the display.
The following sample output displays a typical output of the current statistics and error counters for the hardware accelerator of the router:
Router# show crypto engine accelerator statisticVirtual Private Network (VPN) Module in slot :0Statistics for Hardware VPN Module since the last clearof counters 1379 seconds ago167874 packets in 167874 packets out201596210 bytes in 201596059 bytes out121 paks/sec in 121 paks/sec out1169 Kbits/sec in 1169 Kbits/sec out0 packets decrypted 0 packets encrypted0 bytes before decrypt 0 bytes encrypted0 bytes decrypted 0 bytes after encrypt0 packets decompressed 0 packets compressed0 bytes before decomp 0 bytes before comp0 bytes after decomp 0 bytes after comp0 packets bypass decompr 0 packets bypass compres0 bytes bypass decompres 0 bytes bypass compressi0 packets not decompress 0 packets not compressed0 bytes not decompressed 0 bytes not compressed1.0:1 compression ratio 1.0:1 overall20 commands out 20 commands acknowledgedLast 5 minutes:46121 packets in 46121 packets out153 paks/sec in 153 paks/sec out1667834 Kbits/sec in 1667836 Kbits/sec out0 bytes decrypted 0 bytes encrypted0 Kbits/sec decrypted 0 Kbits/sec encrypted1.0:1 compression ratio 1.0:1 overallErrors:ppq full errors : 0 ppq rx errors : 0cmdq full errors : 0 cmdq rx errors : 0no buffer : 0 replay errors : 0dest overflow : 0 authentication errors : 0Out of memory : 0 Access denied : 0Out of handles : 0 Bad function code : 0Invalid parameter : 0 Bad handle value : 0Output buffer overrun : 0 Input Underrun : 0Input Overrun : 0 Invalid Key : 0Invalid Packet : 0 Decrypt Failure : 0Verification Fail : 0 Bad Attribute : 0Invalid attrribute val: 0 Missing attribute : 0Unwrappable object : 0 Hash Miscompare : 0DF Bit set : 0 RNG self test fail : 0Other error : 0sessions : 0Warnings:sessions_expired:0 packets_fragmented:0general: 0
Tip
Related Commands
show crypto ipsec client ezvpn
To display the Cisco Easy VPN Remote configuration, use the show crypto ipsec client ezvpn command in privileged EXEC mode.
show crypto ipsec client ezvpn
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
Examples
The following example shows a typical display from the show crypto ipsec client ezvpn command for an active Virtual Private Network (VPN) connection when the router is in client mode:
Router# show crypto ipsec client ezvpnTunnel name: hw1Inside interface list: FastEthernet0/0, Serial1/0,Outside interface: Serial0/0Current State: IPSEC_ACTIVELast Event: SOCKET_UPAddress: 192.1.1.89Mask: 255.255.255.0DNS Primary: 192.1.1.250DNS Secondary: 192.1.1.251NBMS/WINS Primary: 192.1.1.252NBMS/WINS Secondary: 192.1.1.253Default Domain: cisco.comThe following example shows a typical display from the show crypto ipsec client ezvpn command for an active VPN connection when the router is in network-extension mode:
Router# show crypto ipsec client ezvpnTunnel name: hw1Inside interface list: FastEthernet0/0, Serial1/0,Outside interface: Serial0/0Current State: IPSEC_ACTIVELast Event: SOCKET_UPAddress: 10.0.0.53Mask: 255.255.255.255Default Domain: cisco.comSplit Tunnel List: 1Address : 10.100.0.0Mask : 255.255.255.128Protocol : 0x0Source Port: 0Dest Port : 0The following example shows a typical display from the show crypto ipsec client ezvpn command for an inactive VPN connection:
Router# show crypto ipsec client ezvpnCurrent State: IDLELast Event: REMOVE INTERFACE CFGRouter#Table 26 describes significant fields shown by the show crypto ipsec client ezvpn command:
Related Commands
show crypto ipsec transform
Displays the specific configuration for one or all transformation sets.
show crypto ipsec sa
To view the settings used by current security associations (SAs), use the show crypto ipsec sa command in EXEC mode.
show crypto ipsec sa [map map-name | address | identity | interface interface | peer [vrf fvrf-name] address | vrf ivrf-name] [detail]
Syntax Description
Command Modes
EXEC
Command History
Usage Guidelines
If no keyword is used, all SAs are displayed. They are sorted first by interface, and then by traffic flow (for example, source or destination address, mask, protocol, or port). Within a flow, the SAs are listed by protocol (ESP or AH) and direction (inbound or outbound).
Examples
The following is sample output for the show crypto ipsec sa command:
Router# show crypto ipsec sa vrf vpn2interface: Ethernet1/2Crypto map tag: ra, local addr. 172.16.1.1protected vrf: vpn2local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)remote ident (addr/mask/prot/port): (10.4.1.4/255.255.255.255/0/0)current_peer: 10.1.1.1:500PERMIT, flags={}#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0#pkts compressed: 0, #pkts decompressed: 0#pkts not compressed: 0, #pkts compr. failed: 0#pkts not decompressed: 0, #pkts decompress failed: 0#send errors 0, #recv errors 0local crypto endpt.: 172.16.1.1, remote crypto endpt.: 10.1.1.1path mtu 1500, media mtu 1500current outbound spi: 50110CF8inbound esp sas:spi: 0xA3E24AFD(2749516541)transform: esp-3des esp-md5-hmac ,in use settings ={Tunnel, }slot: 0, conn id: 5127, flow_id: 7, crypto map: rasa timing: remaining key lifetime (k/sec): (4603517/3503)IV size: 8 bytesreplay detection support: Yinbound ah sas:inbound pcp sas:outbound esp sas:spi: 0x50110CF8(1343294712)transform: esp-3des esp-md5-hmac ,in use settings ={Tunnel, }slot: 0, conn id: 5128, flow_id: 8, crypto map: rasa timing: remaining key lifetime (k/sec): (4603517/3502)IV size: 8 bytesreplay detection support: Youtbound ah sas:outbound pcp sas:The following configuration was in effect when the above show crypto ipsec sa vrf command was issued. The IPSec remote access tunnel was "UP" when this command was issued.
crypto dynamic-map vpn1 1set transform-set vpn1set isakmp-profile vpn1-rareverse-route!crypto dynamic-map vpn2 1set transform-set vpn2set isakmp-profile vpn2-rareverse-route!!crypto map ra 1 ipsec-isakmp dynamic vpn1crypto map ra 2 ipsec-isakmp dynamic vpn2show crypto ipsec security-association lifetime
To view the security-association lifetime value configured for a particular crypto map entry, use the show crypto ipsec security-association lifetime EXEC command.
show crypto ipsec security-association lifetime
Syntax Description
This command has no arguments or keywords.
Command Modes
EXEC
Command History
Examples
The following is sample output for the show crypto ipsec security-association lifetime command:
Router# show crypto ipsec security-association lifetimeSecurity-association lifetime: 4608000 kilobytes/120 secondsThe following configuration was in effect when the previous show crypto ipsec security-association lifetime command was issued:
crypto ipsec security-association lifetime seconds 120show crypto ipsec transform-set
To view the configured transform sets, use the show crypto ipsec transform-set command in EXEC mode.
show crypto ipsec transform-set [tag transform-set-name]
Syntax Description
tag transform-set-name
(Optional) Only the transform sets with the specified transform-set-name are displayed.
Command Modes
EXEC
Command History
Examples
The following is sample output for the show crypto ipsec transform-set command:
Router# show crypto ipsec transform-setTransform set combined-des-sha: {esp-des esp-sha-hmac}will negotiate = { Tunnel, },Transform set combined-des-md5: {esp-des esp-md5-hmac}will negotiate = { Tunnel, },Transform set t1: {esp-des esp-md5-hmac}will negotiate = {Tunnel,},Transform set t100: {ah-sha-hmac}will negotiate = {Transport,},Transform set t2: {ah-sha-hmac}will negotiate = {Tunnel,},{ esp-des }will negotiate = {Tunnel,},The following configuration was in effect when the previous show crypto ipsec transform-set command was issued:
crypto ipsec transform-set combined-des-sha esp-des esp-sha-hmaccrypto ipsec transform-set combined-des-md5 esp-des esp-md5-hmaccrypto ipsec transform-set t1 esp-des esp-md5-hmaccrypto ipsec transform-set t100 ah-sha-hmacmode transportcrypto ipsec transform-set t2 ah-sha-hmac esp-desThe following sample output from the show crypto ipsec transform-set command displays a warning message after a user tries to configure an IPSec transform that the hardware does not support:
Router# show crypto ipsec transform-setTransform set transform-1:{ esp-256-aes esp-md5-hmac }will negotiate = { Tunnel, },WARNING:encryption hardware does not support transformesp-aes 256 within IPSec transform transform-1show crypto map (IPSec)
To view the crypto map configuration, use the show crypto map command in EXEC mode.
show crypto map [interface interface | tag map-name]
Syntax Description
interface interface
(Optional) Displays only the crypto map set applied to the specified interface.
tag map-name
(Optional) Displays only the crypto map set with the specified map-name.
Command Modes
EXEC
Command History
Examples
The following is sample output for the show crypto map command:
Router# show crypto mapCrypto Map "crypmap" 1 ipsec-isakmpPeer = 172.1.1.1ISAKMP Profile: vpn1Extended IP access list 101access-list 101 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255access-list 101 permit ip host 192.168.1.1 host 10.2.1.1access-list 101 permit ip 10.3.0.0 0.0.255.255 10.2.0.0 0.0.255.255Current peer: 172.16.1.1Security association lifetime: 4608000 kilobytes/3600 secondsPFS (Y/N): NTransform sets={vpn1,The following configuration was in effect when the above show crypto map command was issued:
crypto map crypmap 1 ipsec-isakmpset peer 172.16.1.1set transform-set vpn1set isakmp-profile vpn1match address 101Table 27 describes significant fields in the display.
Table 27 show crypto map Field Descriptions
ISAKMP Profile
The Internet Security Association and Key Management Protocol (ISAKMP) profile that is configured on the crypto map entry.
show crypto mib ipsec flowmib history failure size
To display the size of the IP Security (IPSec) failure history table, use the show crypto mib ipsec flowmib history failure size command in privileged EXEC mode.
show crypto mib ipsec flowmib history failure size
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
12.1(4)E
This command was introduced.
12.2(4)T
This command was integrated into Cisco IOS Release 12.2 T.
Examples
The following is sample output from the show crypto mib ipsec flowmib history failure size command:
Router# show crypto mib ipsec flowmib history failure sizeIPSec Failure Window size: 140Related Commands
show crypto mib ipsec flowmib history tunnel size
To display the size of the IP Security (IPSec) tunnel history table, use the show crypto mib ipsec flowmib history tunnel size command in privileged EXEC mode.
show crypto mib ipsec flowmib history tunnel size
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
12.1(4)E
This command was introduced.
12.2(4)T
This command was integrated into Cisco IOS Release 12.2(4)T.
Examples
The following is sample output from the show crypto mib ipsec flowmib history tunnel size command:
Router# show crypto mib ipsec flowmib history tunnel sizeIPSec History Window Size: 130Related Commands
show crypto mib ipsec flowmib version
To display the IP Security (IPSec) MIB version used by the router, use the show crypto mib ipsec flowmib version command in privileged EXEC mode.
show crypto mib ipsec flowmib version
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
12.1(4)E
This command was introduced.
12.2(4)T
This command was integrated into Cisco IOS Release 12.2(4)T.
Usage Guidelines
Use the show crypto mib ipsec flowmib version command to display the MIB version used by the management applications to identify the feature set.
Note
Examples
The following is sample output from the show crypto mib ipsec flowmib version command:
Router# show crypto mib ipsec flowmib versionIPSec Flow MIB version: 1Related Commands
snmp-server enable traps ipsec
To enable the router to send IP Security (IPSec) Simple Network Management Protocol (SNMP) notifications, use the snmp-server enable traps ipsec command in global configuration mode. To disable IPSec SNMP notifications, use the no form of this command.
snmp-server enable traps ipsec [cryptomap [add | delete | attach | detach] | tunnel [start | stop] | too-many-sas]
no snmp-server enable traps ipsec [cryptomap [add | delete | attach | detach] | tunnel [start | stop] | too-many-sas]
Syntax Description
Defaults
SNMP notifications are disabled by default.
Command Modes
Global configuration
Command History
Usage Guidelines
SNMP notifications can be sent as traps or inform requests. This command enables both traps and inform requests.
A cryptomap is a table that maps an IPSec Phase-2 tunnel to the corresponding IPSec Policy element.
For a complete description of the notification types and additional MIB functions, refer to the CISCO-IP-SEC.my and CISCO-IPSEC-FLOW-MONITOR-MIB.my files, available on Cisco.com through:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
The snmp-server enable traps ipsec command is used in conjunction with the snmp-server host command. Use the snmp-server host command to specify which host or hosts receive SNMP notifications. To send SNMP notifications, you must configure at least one snmp-server host command.
Examples
In the following example, the router is configured to send IPSec MIB inform notifications to the host nms.cisco.com using the community string named "public":
snmp-server enable traps ipsecsnmp-server host nms.cisco.com informs public ipsecRelated Commands
snmp-server enable traps isakmp
To enable the router to send IP Security (IPSec) Internet Security Association and Key Exchange Protocol (ISAKMP) Simple Network Management Protocol (SNMP) notifications, use the snmp-server enable traps isakmp command in global configuration mode. To disable ISAKMP IPSec SNMP notifications, use the no form of this command.
snmp-server enable traps isakmp [policy {add | delete} | tunnel {start | stop}]
no snmp-server enable traps isakmp [policy {add | delete} | tunnel {start | stop}]
Syntax Description
Defaults
SNMP notifications are disabled by default.
If no keywords are specified, all available ISAKMP traps are enabled (or disabled if the no form is used).
Command Modes
Global configuration
Command History
Usage Guidelines
SNMP notifications can be sent as traps or inform requests. This command enables both ISAKMP trap and inform requests.
For a complete description of these notifications and additional MIB functions, refer to the CISCO-IPSEC-MIB.myand CISCO-IPSEC-FLOW-MONITOR-MIB.my files, available on Cisco.com through:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
The snmp-server enable traps isakmp command is used in conjunction with the snmp-server host command. Use the snmp-server host command to specify which host or hosts receive SNMP notifications. To send SNMP notifications, you must configure at least one snmp-server host command.
Examples
In the following example, the router is configured to send IPSec MIB inform notifications to the host nms.cisco.com using the community string named "public":
snmp-server enable traps isakmpsnmp-server host nms.cisco.com informs public ipsecRelated Commands
snmp-server host
Specifies the recipient of an SNMP notification operation.
snmp-server trap-source
Specifies the interface that an SNMP trap should originate from.
tunnel protection
To associate a tunnel interface with an IP Security (IPSec) profile, use the tunnel protection command in interface configuration mode. To disassociate a tunnel with an IPSec profile, use the no form of this command.
tunnel protection ipsec-profile name
no tunnel protection ipsec-profile name
Syntax Description
ipsec-profile
Generic routing encapsulation (GRE) tunnel encryption via IPSec.
name
Name of the IPSec profile. This value must match the name specified in the crypto ipsec profile command.
Defaults
This command is not enabled.
Command Modes
Interface configuration
Command History
Usage Guidelines
Use the tunnel protection command to specify that IPSec encryption will be performed after the GRE has been added to the tunnel packet. The tunnel protection command can be used with multipoint GRE (mGRE) and point-to-point GRE (p-pGRE) tunnels. With p-pGRE tunnels, the tunnel destination address will be used as the IPSec peer address. With mGRE tunnels, multiple IPSec peers are possible; the corresponding Next Hop Resolution Protocol (NHRP) mapping nonbroadcast multiaccess (NBMA) destination addresses will be used as the IPSec peer addresses.
Note
Examples
The following example shows how to associate the IPSec profile "vpnprof" with a mGRE tunnel interface. In this example, the IPSec source peer address will be the IP address from interface Ethernet0. There is a static NHRP mapping for 10.0.0.3 --> 172.16.2.1, so for this NHRP mapping the IPSec destination peer address will be 172.16.2.1. The IPSec proxy will be as follows: permit gre host ethernet0-ip-address host 172.16.2.1. Other NHRP mappings (static or dynamic) will automatically create additional IPSec security associations (SAs) with the same source peer address and the destination peer address from the NHRP mapping. The IPSec proxy for these NHRP mappings will be as follows: permit gre host ethernet0-ip-address host NHRP-mapping-NBMA-address.
crypto ipsec profile vpnprofset transform-set trans2!interface Tunnel0bandwith 1000ip address 10.0.0.1 255.255.255.0! Ensures longer packets are fragmented before they are encrypted; otherwise, the ! receiving router would have to do the reassembly.ip mtu 1416ip nhrp authentication donttellip nhrp map multicast dynamicip nhrp network-id 99ip nhrp holdtime 300! Turns off split horizon on the mGRE tunnel interface; otherwise, EIGRP will not ! advertise routes that are learned via the mGRE interface back out that interface.no ip split-horizon eigrp 1no ip next-hop-self eigrp 1delay 1000! Sets IPSec peer address to Ethernet interface's public address.tunnel source Ethernet0tunnel mode gre multipoint! The following line must match on all nodes that want to use this mGRE tunnel.tunnel key 100000tunnel protection ipsec profile vpnprofThe following example shows how to associate the IPSec profile "vpnprof" with a p=pGRE tunnel interface. In this example, the IPSec source peer address will be the IP address from interface Ethernet0. The IPSec destination peer address will be 172.16.1.10 (via the tunnel destination address command). The IPSec proxy will be as follows: permit gre host ethernet0-ip-address host 172.16.1.10.
interface Tunnel1 ip address 10.0.1.1 255.255.255.252 ! Ensures longer packets are fragmented before they are encrypted; otherwise, the ! receiving router would have to do the reassembly. ip mtu 1420 tunnel source Ethernet0 tunnel destination 172.16.1.10 tunnel protection ipsec profile vpnprofRelated Commands
