-
Cisco IOS Security Command Reference, Release 12.3
-
Introduction
-
Security Commands: aaa accounting through access-template
-
Security Commands: accounting through crypto ca trustpoint
-
Security Commands: crypto dynamic-map through ctype
-
Security Commands: D through ip audit smtp spam
-
Security Commands: ip auth-proxy through ip tcp intercept
-
Security Commands: ip trigger-authentication through pool
-
Security Commands: ppp accounting through radius-server vsa send
-
Security Commands: reverse-route through show crypto isakmp sa
-
Security Commands: show crypto key mypubkey through wins
-
Table Of Contents
crypto ipsec client ezvpn (global)
crypto ipsec client ezvpn (interface)
crypto ipsec client ezvpn connect
crypto ipsec client ezvpn xauth
crypto ipsec df-bit (interface)
crypto ipsec fragmentation (global)
crypto ipsec fragmentation (interface)
crypto ipsec security-association idle-time
crypto ipsec security-association lifetime
crypto isakmp aggressive-mode disable
crypto isakmp client configuration address-pool local
crypto isakmp client configuration group
crypto map client authentication list
crypto map client configuration address
crypto map isakmp authorization list
crypto mib ipsec flowmib history failure size
crypto mib ipsec flowmib history tunnel size
crypto dynamic-map
To create a dynamic crypto map entry and enter the crypto map configuration command mode, use the crypto dynamic-map command in global configuration mode. To delete a dynamic crypto map set or entry, use the no form of this command.
crypto dynamic-map dynamic-map-name dynamic-seq-num
no crypto dynamic-map dynamic-map-name [dynamic-seq-num]
Syntax Description
dynamic-map-name
Specifies the name of the dynamic crypto map set.
dynamic-seq-num
Specifies the number of the dynamic crypto map entry.
Defaults
No dynamic crypto maps exist.
Command Modes
Global configuration.
Command History
Usage Guidelines
Use dynamic crypto maps to create policy templates that can be used when processing negotiation requests for new security associations from a remote IP Security peer, even if you do not know all of the crypto map parameters required to communicate with the remote peer (such as the peer's IP address). For example, if you do not know about all the IPSec remote peers in your network, a dynamic crypto map allows you to accept requests for new security associations from previously unknown peers. (However, these requests are not processed until the Internet Key Exchange authentication has completed successfully.)
When a router receives a negotiation request via IKE from another IPSec peer, the request is examined to see if it matches a crypto map entry. If the negotiation does not match any explicit crypto map entry, it will be rejected unless the crypto map set includes a reference to a dynamic crypto map.
The dynamic crypto map is a policy template; it will accept "wildcard" parameters for any parameters not explicitly stated in the dynamic crypto map entry. This allows you to set up IPSec security associations with a previously unknown IPSec peer. (The peer still must specify matching values for the "non-wildcard" IPSec security association negotiation parameters.)
If the router accepts the peer's request, at the point that it installs the new IPSec security associations it also installs a temporary crypto map entry. This entry is filled in with the results of the negotiation. At this point, the router performs normal processing, using this temporary crypto map entry as a normal entry, even requesting new security associations if the current ones are expiring (based upon the policy specified in the temporary crypto map entry). Once the flow expires (that is, all of the corresponding security associations expire), the temporary crypto map entry is removed.
Dynamic crypto map sets are not used for initiating IPSec security associations. However, they are used for determining whether or not traffic should be protected.
The only configuration required in a dynamic crypto map is the set transform-set command. All other configuration is optional.
Dynamic crypto map entries, like regular static crypto map entries, are grouped into sets. After you define a dynamic crypto map set (which commonly contains only one map entry) using this command, you include the dynamic crypto map set in an entry of the "parent" crypto map set using the crypto map (IPSec global configuration) command. The parent crypto map set is then applied to an interface.
You should make crypto map entries referencing dynamic maps the lowest priority map entries, so that negotiations for security associations will try to match the static crypto map entries first. Only after the negotiation request does not match any of the static map entries do you want it to be evaluated against the dynamic map.
To make a dynamic crypto map the lowest priority map entry, give the map entry referencing the dynamic crypto map the highest seq-num of all the map entries in a crypto map set.
For both static and dynamic crypto maps, if unprotected inbound traffic matches a permit statement in an access list, and the corresponding crypto map entry is tagged as "IPSec," then the traffic is dropped because it is not IPSec-protected. (This is because the security policy as specified by the crypto map entry states that this traffic must be IPSec-protected.)
For static crypto map entries, if outbound traffic matches a permit statement in an access list and the corresponding security association (SA) is not yet established, the router will initiate new SAs with the remote peer. In the case of dynamic crypto map entries, if no SA existed, the traffic would simply be dropped (because dynamic crypto maps are not used for initiating new SAs).
Note
Use care when using the any keyword in permit entries in dynamic crypto maps. If it is possible for the traffic covered by such a permit entry to include multicast or broadcast traffic, the access list should include deny entries for the appropriate address range. Access lists should also include deny entries for network and subnet broadcast traffic, and for any other traffic that should not be IPSec protected.
Examples
The following example configures an IPSec crypto map set.
Crypto map entry "mymap 30" references the dynamic crypto map set "mydynamicmap," which can be used to process inbound security association negotiation requests that do not match "mymap" entries 10 or 20. In this case, if the peer specifies a transform set that matches one of the transform sets specified in "mydynamicmap," for a flow "permitted" by the access list 103, IPSec will accept the request and set up security associations with the remote peer without previously knowing about the remote peer. If accepted, the resulting security associations (and temporary crypto map entry) are established according to the settings specified by the remote peer.
The access list associated with "mydynamicmap 10" is also used as a filter. Inbound packets that match a permit statement in this list are dropped for not being IPSec protected. (The same is true for access lists associated with static crypto maps entries.) Outbound packets that match a permit statement without an existing corresponding IPSec SA are also dropped.
crypto map mymap 10 ipsec-isakmpmatch address 101set transform-set my_t_set1set peer 10.0.0.1set peer 10.0.0.2crypto map mymap 20 ipsec-isakmpmatch address 102set transform-set my_t_set1 my_t_set2set peer 10.0.0.3crypto map mymap 30 ipsec-isakmp dynamic mydynamicmap!crypto dynamic-map mydynamicmap 10match address 103set transform-set my_t_set1 my_t_set2 my_t_set3Related Commands
crypto engine accelerator
To enable the onboard hardware accelerator of the router for IP security (IPSec) encryption, use the crypto engine accelerator command in global configuration mode. To disable the use of the onboard hardware IPSec accelerator, and thereby perform IPSec encryption or decryption in software, use the no form of this command.
crypto engine accelerator
no crypto engine accelerator
Syntax Description
This command has no arguments or keywords.
Defaults
The hardware accelerator for IPSec encryption is enabled.
Command Modes
Global configuration
Command History
Usage Guidelines
This command is not normally needed for typical operations because the onboard hardware accelerator of the router is enabled for IPSec encryption by default. The hardware accelerator should not be disabled except on instruction from Cisco Technical Assistance Center (TAC) personnel.
Examples
The following example shows how to disable the onboard hardware accelerator of the router for IPSec encryption. This is normally needed only after the accelerator has been disabled for testing or debugging purposes.
Router(config)# no crypto engine acceleratorWarning! all current connections will be torn down.Do you want to continue? [yes/no]:Related Commands
crypto identity
To configure the identity of the router with a given list of distinguished names (DNs) in the certificate of the router, use the crypto identity command in global configuration mode. To delete all identity information associated with a list of DNs, use the no form of this command.
crypto identity name
no crypto identity name
Syntax Description
Defaults
If this command is not enabled, the IP address is associated with the identity of the router.
Command Modes
Global configuration
Command History
Usage Guidelines
The crypto identity command allows you to configure the identity of a router with a given list of DNs. Thus, when used with the dn and fqdn commands, you can set restrictions in the router configuration that prevent peers with specific certificates, especially certificates with particular DNs, from having access to selected encrypted interfaces.
Note
Examples
The following example shows how to configure a DN-based crypto map:
! The following is an IPSec crypto map (part of IPSec configuration). It can be used only! by peers that have been authenticated by DN and if the certificate belongs to BigBiz.crypto map map-to-bigbiz 10 ipsec-isakmpset peer 172.21.114.196set transform-set my-transformsetmatch address 124identity to-bigbiz!crypto identity to-bigbizdn ou=BigBiz!!! This crypto map can be used only by peers that have been authenticated by hostname! and if the certificate belongs to little.com.crypto map map-to-little-com 10 ipsec-isakmpset peer 172.21.115.119set transform-set my-transformsetmatch address 125identity to-little-com!crypto identity to-little-comfqdn little.com!Related Commands
crypto ipsec client ezvpn (global)
To create a Cisco Easy VPN Remote configuration and enter the Cisco Easy VPN Remote configuration mode, use the crypto ipsec client ezvpn command in global configuration mode. To delete the Cisco Easy VPN Remote configuration, use the no form of this command.
crypto ipsec client ezvpn name
no crypto ipsec client ezvpn name
Note
Syntax Description
Defaults
Newly created Cisco Easy VPN Remote configurations default to the client mode.
Command Modes
Global configuration
Command History
Usage Guidelines
The crypto ipsec client ezvpn command creates a Cisco Easy VPN Remote configuration and then enters the Cisco Easy VPN Remote configuration mode, at which point you can enter the following subcommands:
•
–
–
•
•
•
•
–
After specifying the local address used to source tunnel traffic, the IP address can be obtained in two ways:
–
–
•
–
–
•
•
Note
After configuring the Cisco Easy VPN Remote configuration, use the exit command to exit the Cisco Easy VPN Remote configuration mode and return to global configuration mode.
Note
Examples
The following example shows a Cisco Easy VPN Remote configuration named "telecommuter-client" being created on a Cisco uBR905 or Cisco uBR925 cable access router and being assigned to cable interface 0:
Router# configure terminalRouter(config)# crypto ipsec client ezvpn telecommuter-clientRouter(config-crypto-ezvpn)# group telecommute-group key secret-telecommute-keyRouter(config-crypto-ezvpn)# peer telecommuter-serverRouter(config-crypto-ezvpn)# mode clientRouter(config-crypto-ezvpn)# exitRouter(config)# interface c0Router(config-if)# crypto ezvpn telecommuter-clientRouter(config-if)# exit
Note
The following example shows the Cisco Easy VPN Remote configuration named "telecommuter-client" being removed from the interface and then deleted:
Router# configure terminalRouter(config)# interface e1Router(config-if)# no crypto ipsec client ezvpn telecommuter-clientRouter(config-if)# exitRouter(config)# no crypto ipsec client ezvpn telecommuter-clientRelated Commands
crypto ipsec client ezvpn (interface)
Assigns a Cisco Easy VPN Remote configuration to an interface.
crypto ipsec client ezvpn (interface)
To assign a Cisco Easy VPN Remote configuration to an interface, specify whether the interface is outside or inside, and configure multiple outside and inside interfaces, use the crypto ipsec client ezvpn command in interface configuration mode. To remove the Cisco Easy VPN Remote configuration from the interface, use the no form of this command.
crypto ipsec client ezvpn name [outside | inside]
no crypto ipsec client ezvpn name [outside | inside]
Note
Syntax Description
Defaults
The default inside interface is the Ethernet interface on Cisco 800 series routers and Cisco uBR905 and Cisco uBR925 cable access routers.
Command Modes
Interface configuration
Command History
Usage Guidelines
The crypto ipsec client ezvpn command assigns a Cisco Easy VPN Remote configuration to an interface, enabling the creation of a Virtual Private Network (VPN) connection over that interface to the specified VPN peer. If the Cisco Easy VPN Remote configuration is configured for the client mode of operation, this also automatically configures the router for network address translation (NAT) or port address translation (PAT) and for an associated access list.
In Cisco IOS Release 12.2(8)YJ, the crypto ipsec client ezvpn command was enhanced to allow you to configure multiple outside and inside interfaces. To configure multiple outside and inside interfaces, you must use the interface interface-name command to first define the type of interface on the IPSec client router.
•
•
•
The following Cisco IOS Release 12.2(4)YA restrictions apply to the crypto ipsec client ezvpn command:
•
•
For example, on Cisco uBR905 and Cisco uBR925 cable access routers, the outside interface is always the cable interface. On Cisco 1700 series routers, the FastEthernet interface defaults to being the inside interface, so attempting to use the crypto ipsec client ezvpn command on the FastEthernet interface displays an error message.
Note
Examples
The following example shows a Cisco Easy VPN Remote configuration named "telecommuter-client" being assigned to the cable interface on a Cisco uBR905/uBR925 cable access router:
Router# configure terminalRouter(config)# interface c0Router(config-if)# crypto ipsec client ezvpn telecommuter-clientRouter(config-if)# exitThe following example first shows an attempt to delete the Cisco Easy VPN Remote configuration named "telecommuter-client," but the configuration cannot be deleted because it is still assigned to an interface. The configuration is then removed from the interface and deleted.
Router# configure terminalRouter(config)# no crypto ipsec client ezvpn telecommuter-clientError: crypto map in use by interface; cannot deleteRouter(config)# interface e1Router(config-if)# no crypto ipsec client ezvpn telecommuter-clientRouter(config-if)# exitRouter(config)# no crypto ipsec client ezvpn telecommuter-clientRelated Commands
crypto ipsec client ezvpn (global)
Creates and modifies a Cisco Easy VPN Remote configuration.
crypto ipsec client ezvpn connect
To connect to a specified IP Security (IPSec) Virtual Private Network (VPN) tunnel in a manual configuration, use the crypto ipsec client ezvpn connect command in privileged EXEC mode. To disable the VPN tunnel, use the no form of this command.
crypto ipsec client ezvpn connect name
no crypto ipsec client ezvpn connect name
Syntax Description
Defaults
No default behavior or values
Command Modes
Privileged EXEC
Command History
Usage Guidelines
This command is used with the connect [auto | manual] subcommand. After the manual setting is designated, the Cisco Easy VPN remote waits for a command or application program interface (API) call before attempting to establish the Cisco Easy VPN Remote connection.
If the configuration is manual, the tunnel is connected only after the crypto ipsec client ezvpn connect name command is entered in privileged EXEC mode and after the connect [auto | manual] subcommand is entered.
Examples
The following example shows how to connect an IPSec VPN tunnel named "ISP-tunnel" on a Cisco uBR905/uBR925 cable access router:
Router# crypto ipsec client ezvpn connect ISP-tunnelRelated Commands
crypto ipsec client ezvpn (global)
Creates and modifies a Cisco Easy VPN Remote configuration.
crypto ipsec client ezvpn xauth
To respond to a pending Virtual Private Network (VPN) authorization request, use the crypto ipsec client ezvpn xauth command in privileged EXEC mode.
crypto ipsec client ezvpn xauth name
Syntax Description
Defaults
No default behavior or values
Command Modes
Privileged EXEC
Command History
Usage Guidelines
If the tunnel name is not specified, the authorization request is made on the active tunnel. If there is more than one active tunnel, the command fails with an error requesting that you specify the tunnel name.
When making a VPN connection, individual users might also be required to provide authorization information, such as a username or password. When the remote end requires this information, the router displays a message on the console of the router instructing the user to enter the crypto ipsec client ezvpn xauth command. The user then uses command-line interface (CLI) to enter this command and to provide the information requested by the prompts that follow after the command has been entered.
Note
Examples
The following example shows an example of the user being prompted to enter the crypto ipsec client ezvpn xauth command. The user then enters the requested information and continues.
Router#20:27:39: EZVPN: Pending XAuth Request, Please enter the following command:20:27:39: EZVPN: crypto ipsec client ezvpn xauthRouter# crypto ipsec client ezvpn xauthEnter Username and Password: useridPassword: ************Related Commands
crypto ipsec client ezvpn (interface)
Assigns a Cisco Easy VPN Remote configuration to an interface.
crypto ipsec df-bit (global)
To set the DF bit for the encapsulating header in tunnel mode to all interfaces, use the crypto ipsec df-bit command in global configuration mode.
crypto ipsec df-bit [clear | set | copy]
Syntax Description
Defaults
The default is copy.
Command Modes
Global configuration
Command History
Usage Guidelines
Use the crypto ipsec df-bit command in global configuration mode to configure your router to specify the DF bit in an encapsulated header.
You may want use the clear setting for the DF bit when encapsulating tunnel mode IPSec traffic so you can send packets larger than the available maximum transmission unit (MTU) size or if you do not know what the available MTU size is.
If this command is enabled without a specified setting, the router will use the copy setting as the default.
Examples
The following example shows how to clear the DF bit on all interfaces:
crypto ipsec df-bit clearcrypto ipsec df-bit (interface)
To set the DF bit for the encapsulating header in tunnel mode to a specific interface, use the crypto ipsec df-bit command in interface configuration mode.
crypto ipsec df-bit [clear | set | copy]
Syntax Description
Defaults
The default is copy.
Command Modes
Interface configuration
Command History
Usage Guidelines
Use the crypto ipsec df-bit command in interface configuration mode to configure your router to specify the DF bit in an encapsulated header. This command overrides any existing DF bit global settings.
You may want use the clear setting for the DF bit when encapsulating tunnel mode IPSec traffic so you can send packets larger than the available maximum transmission unit (MTU) size or if you do not know what the available MTU size is.
If this command is enabled without a specified setting, the router will use the copy setting as default.
Examples
In following example, the router is configured to globally clear the setting for the DF bit and copy the DF bit on the interface named Ethernet0. Thus, all interfaces except Ethernet0 will allow the router to send packets larger than the available MTU size; Ethernet0 will allow the router to fragment the packet.
crypto isakmp policy 1hash md5authentication pre-sharecrypto isakmp key Delaware address 192.168.10.66crypto isakmp key Key-What-Key address 192.168.11.19!!crypto ipsec transform-set BearMama ah-md5-hmac esp-descrypto ipsec df-bit clear!!crypto map armadillo 1 ipsec-isakmpset peer 192.168.10.66set transform-set BearMamamatch address 101!crypto map basilisk 1 ipsec-isakmpset peer 192.168.11.19set transform-set BearMamamatch address 102!!interface Ethernet0ip address 192.168.10.38 255.255.255.0ip broadcast-address 0.0.0.0media-type 10BaseTcrypto map armadillocrypto ipsec df-bit copy!interface Ethernet1ip address 192.168.11.75 255.255.255.0ip broadcast-address 0.0.0.0media-type 10BaseTcrypto map basilisk!interface Serial0no ip addressip broadcast-address 0.0.0.0no ip route-cacheno ip mroute-cachecrypto ipsec fragmentation (global)
To enable prefragmentation for IP Security (IPSec) Virtual Private Networks (VPNs) on a global basis, use the crypto ipsec fragmentation command in global configuration mode. To disable a manually configured command, use the no form of this command.
crypto ipsec fragmentation {before-encryption | after-encryption}
no crypto ipsec fragmentation {before-encryption | after-encryption}
Syntax Description
before-encryption
Enables prefragmentation for IPSec VPNs. The default is that prefragmentation is enabled.
after-encryption
Disables prefragmentation for IPSec VPNs.
Command Default
If you do not enter this command, prefragmentation is enabled.
Command Modes
Global configuration
Command History
Usage Guidelines
Use the before-encryption keyword to enable prefragmentation for IPSec VPNs; use the after-encryption keyword to disable prefragmentation for IPSec VPNs. This command allows an encrypting router to predetermine the encapsulated packet size from information available in transform sets, which are configured as part of the IPSec security association (SA). If it is predetermined that the packet will exceed the maximum transmission unit (MTU) of the output interface, the packet is fragmented before encryption.
Note
Examples
The following example shows how to globally enable prefragmentation for IPSec VPNs:
crypto ipsec fragmentation before-encryptioncrypto ipsec fragmentation (interface)
To enable prefragmentation for IP Security (IPSec) Virtual Private Networks (VPNs) on an interface, use the crypto ipsec fragmentation command in interface configuration mode. To disable a manually configured command, use the no form of this command.
crypto ipsec fragmentation {before-encryption | after-encryption}
no crypto ipsec fragmentation {before-encryption | after-encryption}
Syntax Description
before-encryption
Enables prefragmentation for IPSec VPNs.
after-encryption
Disables prefragmentation for IPSec VPNs.
Defaults
If no other prefragmentation for IPSec VPNs commands are in the configuration, the router will revert to the default global configuration.
Command Modes
Interface configuration
Command History
12.1(11b)E
This command was introduced.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
Usage Guidelines
Use the before-encryption keyword to enable prefragmentation for IPSec VPNs per interface; use the after-encryption keyword to disable prefragmentation for IPSec VPNs. This command allows an encrypting router to predetermine the encapsulated packet size from information available in transform sets, which are configured as part of the IPSec security association (SA). If it is predetermined that the packet will exceed the maximum transmission unit (MTU) of output interface, the packet is fragmented before encryption.
Examples
The following example shows how to enable prefragmentation for IPSec VPNs on an interface and then how to display the output of the show running configuration command:
Note
Router(config-if)# crypto ipsec fragmentation before-encryptionRouter(config-if)# exitRouter# show running-configcrypto isakmp policy 10authentication pre-sharecrypto isakmp key abcd123 address 209.165.202.130!crypto ipsec transform-set fooprime esp-3des esp-sha-hmac!crypto map bar 10 ipsec-isakmpset peer 209.165.202.130set transform-set fooprimematch address 102crypto ipsec nat-transparency
To enable security parameter index (SPI) matching or User Datagram Protocol (UDP) encapsulation between two Virtual Private Network (VPN) devices, use the crypto ipsec nat-transparency command on both devices in global configuration mode. To disable both SPI matching and UDP encapsulation, use the no form of this command with each keyword.
crypto ipsec nat-transparency {spi-matching | udp-encaps}
no crypto ipsec nat-transparency {spi-matching | udp-encaps}
Syntax Description
spi-matching
Enables SPI matching on both endpoints.
udp-encaps
Enables UDP encapsulation on both endpoints.
Defaults
When this command is entered, UDP encapsulation is enabled by default.
Command Modes
Global configuration
Command History
12.2(13)T
This command was introduced.
12.2(15)T
The command syntax was modified to add the spi-matching keyword.
Usage Guidelines
You can use this command to resolve issues that arise when Network Address Translation (NAT) is configured in an IP Security (IPsec)-aware network. This command has two mutually exclusive options:
•
•
When you enter the crypto ipsec nat-transparency command, UDP encapsulation is configured unless you either specifically disable it or configure SPI matching. You can disable both options, but doing so might cause problems if the device you are configuring uses NAT and is part of a VPN.
To disable SPI matching, configure UDP encapsulation or use the no form of this command with the keyword spi-matching. To disable UDP encapsulation, configure SPI matching or use the no form of this command with the keyword udp-encaps. To disable both SPI matching and UDP encapsulation, first disable UDP encapsulation, and then disable SPI matching. If you disable both options, the show running-config command displays: no crypto ipsec nat-transparency udp-encaps.
Examples
The following example enables SPI matching on the endpoint routers:
crypto ipsec nat-transparency spi-matchingRelated Commands
crypto ipsec optional
To enable IP Security (IPSec) passive mode, use the crypto ipsec optional command in global configuration mode. To disable IPSec passive mode, use the no form of this command.
crypto ipsec optional
no crypto ipsec optional
Syntax Description
This command has no arguments or keywords.
Defaults
IPSec passive mode is not enabled.
Command Modes
Global configuration
Command History
Usage Guidelines
Use the crypto ipsec optional command to implement an intermediate mode (IPSec passive mode) that allows a router to accept unencrypted and encrypted data. IPSec passive mode is valuable for users who wish to migrate existing networks to IPSec because all routers will continue to interact with routers that encrypt data (that is, that have been upgraded with IPSec) and also with routers that have yet to be upgraded.
After this feature is disabled, all active connections that are sending unencrypted packets are cleared, and a message that reminds the user to enter the write memory command is sent.
Note
Examples
The following example shows how to enable IPSec passive mode:
crypto map xauthmap 10 ipsec-isakmpset peer 209.165.202.145set transform-set xauthtransformmatch address 192!crypto ipsec optional!interface Ethernet1/0ip address 209.165.202.147 255.255.255.224crypto map xauthmap!access-list 192 permit ip host 209.165.202.147 host 209.165.202.145crypto ipsec optional retry
To adjust the amount of time that a packet can be routed in the clear (unencrypted), use the crypto ipsec optional retry command in global configuration mode. To return to the default setting (5 minutes), use the no form of this command.
crypto ipsec optional retry seconds
no crypto ipsec optional retry seconds
Syntax Description
seconds
Time a connection can exist before another attempt is made to establish an encrypted IP Security (IPSec) session. The default value is 5 minutes.
Defaults
5 minutes
Command Modes
Global configuration
Command History
Usage Guidelines
You must enable the crypto ipsec optional command, which enables IPSec passive mode, before you can use this command.
Examples
The following example shows how to enable IPSec passive mode:
crypto map xauthmap 10 ipsec-isakmpset peer 209.165.202.145set transform-set xauthtransformmatch address 192!crypto ipsec optionalcrypto ipsec optional retry 60!interface Ethernet1/0ip address 209.165.202.147 255.255.255.224crypto map xauthmap!access-list 192 permit ip host 209.165.202.147 host 209.165.202.145Related Commands
crypto ipsec profile
To define the IPSecurity (IPSec) parameters that are to be used for IPSec encryption between two IPSec routers, use the crypto ipsec profile command in global configuration mode. To delete an IPSec profile, use the no form of this command.
crypto ipsec profile name
no crypto ipsec profile name
Syntax Description
Defaults
An IPSec profile is not defined.
Command Modes
Global configuration
Command History
Usage Guidelines
An IPSec profile abstracts the IPSec policy settings into a single profile that can be used in other parts of the Cisco IOS configuration.
The IPSec profile shares most of the same commands with the crypto map configuration, but only a subset of the commands are valid in an IPSec profile. Only commands that pertain to an IPSec policy can be issued under an IPSec profile; you cannot specify the IPSec peer address or the access control list (ACL) to match the packets that are to be encrypted.
The following valid commands can be configured under an IPSec profile:
•
•
•
•
After enabling this command, the only parameter that must be defined under the profile is the transform set via the set transform-set command.
For more information on transform sets, refer to the section "Defining Transform Sets" in the chapter "Configuring IPSec Network Security" in the Cisco IOS Security Configuration Guide.
Examples
The following example shows how to configure a crypto map that uses an IPSec profile:
crypto ipsec transform-set cat-transforms esp-des esp-sha-hmacmode transport!crypto ipsec profile cat-profileset transform-set cat-transformsset pfs group2!crypto map foo 10 ipsec-isakmpset peer 10.13.7.67set profile foo-profilematch address 101Related Commands
crypto ipsec security-association idle-time
To configure the IP Security (IPSec) security association (SA) idle timer, use the crypto ipsec security-association idle-time command in global configuration mode or crypto map configuration mode. To inactivate the IPSec SA idle timer, use the no form of this command.
crypto ipsec security-association idle-time seconds
no crypto ipsec security-association idle-time
Syntax Description
seconds
Time, in seconds, that the idle timer will allow an inactive peer to maintain an SA. Valid values for the seconds argument range from 60 to 86400.
Defaults
IPSec SA idle timers are disabled.
Command Modes
Global configuration
Crypto map configurationCommand History
Usage Guidelines
Use the crypto ipsec security-association idle-time command to configure the IPSec SA idle timer. This timer controls the amount of time that an SA will be maintained for an idle peer.
Use the crypto ipsec security-association lifetime command to configure global lifetimes for IPSec SAs. There are two lifetimes: a "timed" lifetime and a "traffic-volume" lifetime. A security association expires after the first of these lifetimes is reached.
The IPSec SA idle timers are different from the global lifetimes for IPSec SAs. The expiration of the global lifetimes is independent of peer activity. The IPSec SA idle timer allows SAs associated with inactive peers to be deleted before the global lifetime has expired.
If the IPSec SA idle timers are not configured with the crypto ipsec security-association idle-time command, only the global lifetimes for IPSec SAs are applied. SAs are maintained until the global timers expire, regardless of peer activity.
Note
Examples
The following example configures the IPSec SA idle timer to drop SAs for inactive peers after 600 seconds:
crypto ipsec security-association idle-time 600Related Commands
clear crypto sa
Deletes IPSec SAs.
crypto ipsec security-association lifetime
Changes global lifetime values used when negotiating IPSec SAs.
crypto ipsec security-association lifetime
To change global lifetime values used when negotiating IPSec security associations, use the crypto ipsec security-association lifetime command in global configuration mode. To reset a lifetime to the default value, use the no form of this command.
crypto ipsec security-association lifetime {seconds seconds | kilobytes kilobytes}
no crypto ipsec security-association lifetime {seconds | kilobytes}
Syntax Description
Defaults
3600 seconds (one hour) and 4,608,000 kilobytes (10 megabits per second for one hour).
Command Modes
Global configuration
Command History
Usage Guidelines
IPSec security associations use shared secret keys. These keys and their security associations time out together.
Assuming that the particular crypto map entry does not have lifetime values configured, when the router requests new security associations during security association negotiation, it will specify its global lifetime value in the request to the peer; it will use this value as the lifetime of the new security associations. When the router receives a negotiation request from the peer, it will use the smaller of the lifetime value proposed by the peer or the locally configured lifetime value as the lifetime of the new security associations.
There are two lifetimes: a "timed" lifetime and a "traffic-volume" lifetime. The security association expires after the first of these lifetimes is reached.
If you change a global lifetime, the change is only applied when the crypto map entry does not have a lifetime value specified. The change will not be applied to existing security associations, but will be used in subsequent negotiations to establish new security associations. If you want the new settings to take effect sooner, you can clear all or part of the security association database by using the clear crypto sa command. Refer to the clear crypto sa command for more details.
To change the global timed lifetime, use the crypto ipsec security-association lifetime seconds form of the command. The timed lifetime causes the security association to time out after the specified number of seconds have passed.
To change the global traffic-volume lifetime, use the crypto ipsec security-association lifetime kilobytes form of the command. The traffic-volume lifetime causes the security association to time out after the specified amount of traffic (in kilobytes) has been protected by the security associations' key.
Shorter lifetimes can make it harder to mount a successful key recovery attack, since the attacker has less data encrypted under the same key to work with. However, shorter lifetimes require more CPU processing time for establishing new security associations.
The lifetime values are ignored for manually established security associations (security associations installed using an ipsec-manual crypto map entry).
How These Lifetimes Work
The security association (and corresponding keys) will expire according to whichever occurs sooner, either after the number of seconds has passed (specified by the seconds keyword) or after the amount of traffic in kilobytes has passed (specified by the kilobytes keyword).
A new security association is negotiated before the lifetime threshold of the existing security association is reached, to ensure that a new security association is ready for use when the old one expires. The new security association is negotiated either 30 seconds before the seconds lifetime expires or when the volume of traffic through the tunnel reaches 256 kilobytes less than the kilobytes lifetime (whichever occurs first).
If no traffic has passed through the tunnel during the entire life of the security association, a new security association is not negotiated when the lifetime expires. Instead, a new security association will be negotiated only when IPSec sees another packet that should be protected.
Examples
The following example shortens both lifetimes, because the administrator feels there is a higher risk that the keys could be compromised. The timed lifetime is shortened to 2700 seconds (45 minutes), and the traffic-volume lifetime is shortened to 2,304,000 kilobytes (10 megabits per second for one half hour).
crypto ipsec security-association lifetime seconds 2700crypto ipsec security-association lifetime kilobytes 2304000Related Commands
crypto ipsec transform-set
To define a transform set—an acceptable combination of security protocols and algorithms—use the crypto ipsec transform-set command in global configuration mode. To delete a transform set, use the no form of this command.
crypto ipsec transform-set transform-set-name transform1 [transform2] [transform3] [transform4]
no crypto ipsec transform-set transform-set-name
Syntax Description
transform-set-name
Name of the transform set to create (or modify).
transform1
transform2
transform3
transform4Type of transform. You may specify up to four "transforms": one Authentication Header (AH), one Encapsulating Security Payload (ESP) encryption, one ESP authentication, and one compression. These transforms define the IP Security (IPSec) security protocols and algorithms. Accepted transform values are described in Table 11.
Defaults
No default behavior or values
Command Modes
Global configuration.
This command invokes the crypto transform configuration mode.
Command History
11.3 T
This command was introduced.
12.2(13)T
The following transform options were added: esp-aes, esp-aes 192, and esp-aes 256.
Usage Guidelines
A transform set is an acceptable combination of security protocols, algorithms, and other settings to apply to IPSec protected traffic. During the IPSec security association (SA) negotiation, the peers agree to use a particular transform set when protecting a particular data flow.
You can configure multiple transform sets, and then specify one or more of these transform sets in a crypto map entry. The transform set defined in the crypto map entry is used in the IPSec SA negotiation to protect the data flows specified by that crypto map entry's access list. During the negotiation, the peers search for a transform set that is the same at both peers. When such a transform set is found, it is selected and will be applied to the protected traffic as part of both peer's IPSec SAs.
When Internet Key Exchange (IKE) is not used to establish SAs, a single transform set must be used. The transform set is not negotiated.
Before a transform set can be included in a crypto map entry it must be defined using this command.
A transform set specifies one or two IPSec security protocols (either AH, ESP, or both) and specifies which algorithms to use with the selected security protocol. The AH and ESP IPSec security protocols are described in the section "IPSec Protocols: AH and ESP."
To define a transform set, you specify one to four "transforms"—each transform represents an IPSec security protocol (AH or ESP) plus the algorithm you want to use. When the particular transform set is used during negotiations for IPSec SAs, the entire transform set (the combination of protocols, algorithms, and other settings) must match a transform set at the remote peer.
In a transform set you could specify the AH protocol, the ESP protocol, or both. If you specify an ESP protocol in a transform set, you can specify just an ESP encryption transform or both an ESP encryption transform and an ESP authentication transform.
Table 11 lists the acceptable transform combination selections for the AH and ESP protocols.
Examples of acceptable transform combinations are as follows:
•
•
•
•
•
The parser will prevent you from entering invalid combinations; for example, once you specify an AH transform it will not allow you to specify another AH transform for the current transform set.
IPSec Protocols: AH and ESP
Both the AH and ESP protocols implement security services for IPSec.
AH provides data authentication and antireplay services.
ESP provides packet encryption and optional data authentication and antireplay services.
ESP encapsulates the protected data—either a full IP datagram (or only the payload)—with an ESP header and an ESP trailer. AH is embedded in the protected data; it inserts an AH header immediately after the outer IP header and before the inner IP datagram or payload. Traffic that originates and terminates at the IPSec peers can be sent in either tunnel or transport mode; all other traffic is sent in tunnel mode. Tunnel mode encapsulates and protects a full IP datagram, while transport mode encapsulates/protects the payload of an IP datagram. For more information about modes, see the mode (IPSec) command description.
Selecting Appropriate Transforms
The following tips may help you select transforms that are appropriate for your situation:
•
•
•
•
•
Note
•
Suggested transform combinations follow:
•
•
The Crypto Transform Configuration Mode
After you issue the crypto ipsec transform-set command, you are put into the crypto transform configuration mode. While in this mode, you can change the mode to tunnel or transport. (These are optional changes.) After you have made these changes, type exit to return to global configuration mode. For more information about these optional changes, see the match address (IPSec) and mode (IPSec) command descriptions.
Changing Existing Transforms
If one or more transforms are specified in the crypto ipsec transform-set command for an existing transform set, the specified transforms will replace the existing transforms for that transform set.
If you change a transform set definition, the change is only applied to crypto map entries that reference the transform set. The change will not be applied to existing SAs, but will be used in subsequent negotiations to establish new SAs. If you want the new settings to take effect sooner, you can clear all or part of the SA database by using the clear crypto sa command.
Examples
The following example defines two transform sets. The first transform set will be used with an IPSec peer that supports the newer ESP and AH protocols. The second transform set will be used with an IPSec peer that only supports the older transforms.
crypto ipsec transform-set newer esp-3des esp-sha-hmaccrypto ipsec transform-set older ah-rfc-1828 esp-rfc1829The following example is a sample warning message that is displayed when a user enters an IPSec transform that the hardware does not support:
crypto ipsec transform transform-1 esp-aes 256 esp-md5WARNING:encryption hardware does not support transformesp-aes 256 within IPSec transform transform-1Related Commands
crypto isakmp aggressive-mode disable
To block all Internet Security Association and Key Management Protocol (ISAKMP) aggressive mode requests to and from a device, use the crypto isakmp aggressive-mode disable command in global configuration mode. To disable the blocking, use the no form of this command.
crypto isakmp aggressive-mode disable
no crypto isakmp aggressive-mode disable
Syntax Description
This command has no arguments or keywords.
Defaults
If this command is not configured, Cisco IOS software will attempt to process all incoming ISAKMP aggressive mode security association (SA) connections. In addition, if the device has been configured with the crypto isakmp peer address and the set aggressive-mode password or set aggressive-mode client-endpoint commands, the device will initiate aggressive mode if this command is not configured.
Command Modes
Global configuration
Command History
12.3(1)
This command was introduced on all Cisco IOS platforms that support IP Security (IPSec).
Usage Guidelines
If you configure this command, all aggressive mode requests to the device and all aggressive mode requests made by the device are blocked, regardless of the ISAKMP authentication type (preshared keys or Rivest, Shamir, and Adelman [RSA] signatures).
If a request is made by or to the device for aggressive mode, the following syslog notification is sent:
Unable to initiate or respond to Aggressive Mode while disabled
Note
Examples
The following example shows that all aggressive mode requests to and from a device are blocked:
Router (config)# crypto isakmp aggressive-mode disablecrypto isakmp client configuration address-pool local
To configure the IP address local pool to reference Internet Key Exchange (IKE) on your router, use the crypto isakmp client configuration address-pool local command in global configuration mode. To restore the default value, use the no form of this command.
crypto isakmp client configuration address-pool local pool-name
no crypto isakmp client configuration address-pool local
Syntax Description
Defaults
IP address local pools do not reference IKE.
Command Modes
Global configuration
Command History
12.0(4)XE
This command was introduced.
12.0(7)T
This command was integrated into Cisco IOS release 12.0(7)T.
Examples
The following example references IP address local pools to IKE on your router, with "ire" as the pool-name:
crypto isakmp client configuration address-pool local ireRelated Commands
ip local pool
Configures a local pool of IP addresses to be used when a remote peer connects to a point-to-point interface.
crypto isakmp client configuration group
To specify which group's policy profile will be defined, use the crypto isakmp client configuration group command in global configuration mode. To remove this command and all associated subcommands from your configuration, use the no form of this command.
crypto isakmp client configuration group {group-name | default}
no crypto isakmp client configuration group {group-name | default}
Syntax Description
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
Usage Guidelines
Use the crypto isakmp client configuration group command to specify group policy information that needs to be defined or changed. You may change the group policy on your router if you decide to connect to the client using a group identification that does not match the group-name argument.
After enabling this command, which puts you in Internet Security Association Key Management Protocol (ISAKMP) group configuration mode, you can specify characteristics for the group policy using the following commands:
•
•
•
•
•
•
Examples
The following example shows how to define group policy information for Mode Configuration push. In this example, the first group name is "cisco" and the second group name is "default." Thus, the default policy will be enforced for all users who do not offer a group name that matches "cisco."
crypto isakmp client configuration group ciscokey ciscodns 2.2.2.2 2.2.2.3wins 6.6.6.6domain cisco.compool fredacl 199!crypto isakmp client configuration group defaultkey ciscodns 2.2.2.2 2.3.2.3pool fredacl 199Related Commands
crypto isakmp enable
To globally enable Internet Key Exchange (IKE) at your peer router, use the crypto isakmp enable command in global configuration mode. To disable IKE at the peer, use the no form of this command.
crypto isakmp enable
no crypto isakmp enable
Syntax Description
This command has no arguments or keywords.
Defaults
IKE is enabled.
Command Modes
Global configuration
Command History
Usage Guidelines
IKE is enabled by default. IKE does not have to be enabled for individual interfaces, but is enabled globally for all interfaces at the router.
If you do not want IKE to be used in your IPSec implementation, you can disable IKE at all your IP Security peers. If you disable IKE at one peer, you must disable it at all your IPSec peers.
If you disable IKE, you will have to make these concessions at the peers:
•
•
•
•
•
Examples
The following example disables IKE at one peer. (The same command should be issued at all remote peers.)
no crypto isakmp enablecrypto isakmp identity
To define the identity used by the router when participating in the Internet Key Exchange (IKE) protocol, use the crypto isakmp identity command in global configuration mode. Set an Internet Security Association Key Management Protocol (ISAKMP) identity whenever you specify preshared keys. To reset the ISAKMP identity to the default value (address), use the no form of this command.
crypto isakmp identity {address | hostname}
no crypto isakmp identity
Syntax Description
Defaults
The IP address is used for the ISAKMP identity.
Command Modes
Global configuration
Command History
Usage Guidelines
Use this command to specify an ISAKMP identity either by IP address or by host name.
The address keyword is typically used when there is only one interface (and therefore only one IP address) that will be used by the peer for IKE negotiations, and the IP address is known.
The hostname keyword should be used if there is more than one interface on the peer that might be used for IKE negotiations, or if the interface's IP address is unknown (such as with dynamically assigned IP addresses).
As a general rule, you should set all peers' identities in the same way, either by IP address or by host name.
Examples
The following example uses preshared keys at two peers and sets both their ISAKMP identities to IP address.
At the local peer (at 10.0.0.1) the ISAKMP identity is set and the preshared key is specified.
crypto isakmp identity addresscrypto isakmp key sharedkeystring address 192.168.1.33At the remote peer (at 192.168.1.33) the ISAKMP identity is set and the same preshared key is specified.
crypto isakmp identity addresscrypto isakmp key sharedkeystring address 10.0.0.1
Note
The following example uses preshared keys at two peers and sets both their ISAKMP identities to host name.
At the local peer the ISAKMP identity is set and the preshared key is specified.
crypto isakmp identity hostnamecrypto isakmp key sharedkeystring hostname RemoteRouter.example.comip host RemoteRouter.example.com 192.168.0.1At the remote peer the ISAKMP identity is set and the same preshared key is specified.
crypto isakmp identity hostnamecrypto isakmp key sharedkeystring hostname LocalRouter.example.comip host LocalRouter.example.com 10.0.0.1 10.0.0.2In the above example, host names are used for the peers' identities because the local peer has two interfaces that might be used during an IKE negotiation.
In the above example the IP addresses are also mapped to the host names; this mapping is not necessary if the routers' host names are already mapped in DNS.
Related Commands
crypto ipsec security-association lifetime
Specifies the authentication method within an IKE policy.
crypto isakmp key
Configures a preshared authentication key.
crypto isakmp keepalive
To allow the gateway to send dead peer detection (DPD) messages to the peer, use the crypto isakmp keepalive command in global configuration mode. To disable keepalives, use the no form of this command.
crypto isakmp keepalive secs [retries]
no crypto isakmp keepalive secs [retries]
Syntax Description
Defaults
No DPD messages are sent.
Command Modes
Global configuration
Command History
Usage Guidelines
Use the crypto isakmp keepalive command to enable the gateway to send DPD messages to the peer. DPD is a keepalives scheme that allows the router to query the liveliness of its Internet Key Exchange (IKE) peer.
Note
Examples
The following example shows how to configure DPD messages to be sent every 60 seconds and every 5 seconds between retries if the peer does not respond:
crypto isakmp keepalive 60 5crypto isakmp key
To configure a preshared authentication key, use the crypto isakmp key command in global configuration mode. To delete a preshared authentication key, use the no form of this command.
crypto isakmp key key-string address peer-address [mask] [no-xauth]
no crypto isakmp key key-string address peer-address
Syntax Description
Defaults
There is no default preshared authentication key.
Command Modes
Global configuration
Command History
11.3 T
This command was introduced.
12.1(1)T
The mask argument was added.
12.2(4)T
The no-xauth keyword was added.
Usage Guidelines
You must use this command to configure a key whenever you specify preshared keys in an Internet Key Exchange (IKE) policy; you must enable this command at both peers.
If an IKE policy includes preshared keys as the authentication method, these preshared keys must be configured at both peers—otherwise the policy cannot be used (the policy will not be submitted for matching by the IKE process). The crypto isakmp key command is the second task required to configure the preshared keys at the peers. (The first task is accomplished using the crypto isakmp identity command.)
Use the address keyword if the remote peer ISAKMP identity was set with its IP address.
With the address keyword, you can also use the mask argument to indicate the remote peer ISAKMP identity will be established using the preshared key only. If the mask argument is used, preshared keys are no longer restricted between two users.
Note
Preshared keys no longer work when the hostname keyword is sent as the identity; thus, the hostname keyword as the identity in preshared key authentication is no longer supported. According to the way preshared key authentication is designed in IKE main mode, the preshared keys must be based on the IP address of the peers. Although a user can still send the hostname as identity in preshared key authentication, the key is searched on the IP address of the peer; if the key is not found (based on the IP address), the negotiation will fail.
If crypto isakmp identity hostname is configured as identity, the preshared key must be configured with the peer's IP address for the process to work.
Use the no-xauth keyword to prevent the router from prompting the peer for Xauth information (username and password). This keyword disables Xauth for static IPSec peers. The no-xauth keyword should be enabled when configuring the preshared key for router-to-router IPSec—not VPN-client-to-Cisco IOS IPSec.
Examples
In the following example, the remote peer "RemoteRouter" specifies an ISAKMP identity by address:
crypto isakmp identity addressNow, the preshared key must be specified at each peer.
In the following example, the local peer specifies the preshared key and designates the remote peer by its IP address and a mask:
crypto isakmp key sharedkeystring address 172.21.230.33 255.255.255.255Related Commands
crypto isakmp nat keepalive
To allow an IP Security (IPSec) node to send Network Address Translation (NAT) keepalive packets, use the crypto isakmp nat keepalive command in global configuration mode. To disable NAT keepalive packets, use the no form of this command.
crypto isakmp nat keepalive seconds
no crypto isakmp nat keepalive
Syntax Description
Defaults
NAT keepalive packets are not sent.
Command Modes
Global configuration
Command History
Usage Guidelines
The crypto isakmp nat keepalive command allows users to keep the dynamic NAT mapping alive during a connection between two peers. A NAT keepalive beat is sent if IPSec does not send or receive a packet within a specified time period.
If this command is enabled, users should ensure that the idle value is shorter than than the NAT mapping expiration time.
Examples
The following example shows how to enable NAT keepalives to be sent every 20 seconds:
crypto isakmp policy 1authentication pre-sharecrypto isakmp key 1234 address 209.165.202.130crypto isakmp nat keepalive 20!crypto ipsec transform-set t2 esp-des esp-sha-hmacno crypto engine accelerator!crypto map test2 10 ipsec-isakmpset peer 209.165.202.130set transform-set t2match address 101crypto isakmp peer
To enable an IP Security (IPSec) peer for Internet Key Exchange (IKE) querying of authentication, authorization, and accounting (AAA) for tunnel attributes in aggressive mode, use the crypto isakmp peer command in global configuration mode. To disable this functionality, use the no form of this command.
crypto isakmp peer {ip-address ip-address | fqdn fqdn} {vrf fvrf-name}
no crypto isakmp peer {ip-address ip-address | fqdn fqdn} {vrf fvrf-name}
Syntax Description
Defaults
No default behavior or values
Command Modes
Global configuration
Command History
12.2(8)T
This command was introduced.
12.2(15)T
The vrf keyword and fvrf-name argument were added.
Usage Guidelines
After enabling this command, you can use the set aggressive-mode client-endpoint and set aggressive-mode password commands to specify RADIUS tunnel attributes in the Internet Security Association and Key Management Protocol (ISAKMP) peer policy for IPSec peers.
Instead of keeping your preshared keys on the hub router, you can scale your preshared keys by storing and retrieving them from an AAA server. The preshared keys are stored in the AAA server as Internet Engineering Task Force (IETF) RADIUS tunnel attributes and are retrieved when a user tries to "speak" to the hub router. The hub router retrieves the preshared key from the AAA server and the spokes (the users) initiate aggressive mode to the hub by using the preshared key that is specified in the ISAKMP peer policy as a RADIUS tunnel attribute.
Examples
The following example shows how to initiate aggressive mode using RADIUS tunnel attributes:
crypto isakmp peer ip-address 209.165.200.230 vrf vpn1set aggressive-mode client-endpoint user-fqdn user@cisco.comset aggressive-mode password cisco123Related Commands
crypto isakmp policy
To define an Internet Key Exchange (IKE) policy, use the crypto isakmp policy command in global configuration mode. IKE policies define a set of parameters to be used during the IKE negotiation. To delete an IKE policy, use the no form of this command.
crypto isakmp policy priority
no crypto isakmp policy
Syntax Description
priority
Uniquely identifies the IKE policy and assigns a priority to the policy. Use an integer from 1 to 10,000, with 1 being the highest priority and 10,000 the lowest.
Defaults
If you do not configure any IKE policies, your router will use the default policy, which is always set to the lowest priority and which contains the default value of each parameter.
Command Modes
Global configuration
Command History
Usage Guidelines
Use this command to specify the parameters to be used during an IKE negotiation. (These parameters are used to create the IKE security association [SA].)
This command invokes the Internet Security Association Key Management Protocol (ISAKMP) policy configuration (config-isakmp) command mode. While in the ISAKMP policy configuration command mode, some of the commands for which you can specify parameters are as follows:
•
•
•
•
•
If you do not specify any given parameter, the default value will be used for that parameter.
To exit the config-isakmp command mode, type exit.
You can configure multiple IKE policies on each peer participating in IPSec. When the IKE negotiation begins, it tries to find a common policy configured on both peers, starting with the highest priority policies as specified on the remote peer.
Examples
The following example configures two policies for the peer:
crypto isakmp policy 15hash md5authentication rsa-siggroup 2lifetime 5000crypto isakmp policy 20authentication pre-sharelifetime 10000The above configuration results in the following policies:
Router# show crypto isakmp policyProtection suite priority 15encryption algorithm: DES - Data Encryption Standard (56 bit keys)hash algorithm: Message Digest 5authentication method: Rivest-Shamir-Adleman SignatureDiffie-Hellman Group: #2 (1024 bit)lifetime: 5000 seconds, no volume limitProtection suite priority 20encryption algorithm: DES - Data Encryption Standard (56 bit keys)hash algorithm: Secure Hash Standardauthentication method: preshared KeyDiffie-Hellman Group: #1 (768 bit)lifetime: 10000 seconds, no volume limitDefault protection suiteencryption algorithm: DES - Data Encryption Standard (56 bit keys)hash algorithm: Secure Hash Standardauthentication method: Rivest-Shamir-Adleman SignatureDiffie-Hellman Group: #1 (768 bit)lifetime: 86400 seconds, no volume limitRelated Commands
crypto isakmp profile
To define an Internet Security Association and Key Management Protocol (ISAKMP) profile and to audit IP Security (IPSec) user sessions, use the crypto isakmp profile command in global configuration mode. To delete a crypto ISAKMP profile, use the no form of this command.
crypto isakmp profile profile-name [accounting aaalist]
no crypto isakmp profile profile-name [accounting aaalist]
Syntax Description
profile-name
Name of the user profile. To associate a user profile with the RADIUS server, the user profile name must be identified.
accounting aaalist
(Optional) Name of a client accounting list.
Defaults
No default behaviors or values
Command Modes
Global configuration
Command History
Usage Guidelines
Defining an ISAKMP Profile
An ISAKMP profile can be viewed as a repository of Phase 1 and Phase 1.5 commands for a set of peers. The Phase 1 configuration includes commands to configure such things as keepalive, identity matching, and the authorization list. The Phase 1.5 configuration includes commands to configure such things as extended authentication (Xauth) and mode configuration.
The peers are mapped to an ISAKMP profile when their identities are matched (as given in the identification [ID] payload of the Internet Key Exchange [IKE]) against the identities defined in the ISAKMP profile. To uniquely map to an ISAKMP profile, no two ISAKMP profiles should match the same identity. If the peer identity is matched in two ISAKMP profiles, the configuration is invalid. Also, there must be at least one match identity command defined in the ISAKMP profile for it to be complete.
Auditing IPSec User Sessions
Use this command to audit multiple user sessions that are terminating on the IPSec gateway.
Note
Examples
The following example shows how to define an ISAKMP profile and match the peer identities:
crypto isakmp profile vpnprofilematch identity address 10.76.11.53The following accounting example shows that an ISAKMP profile is configured:
aaa new-model!!aaa authentication login cisco-client group radiusaaa authorization network cisco-client group radiusaaa accounting network acc start-stop broadcast group radiusaaa session-id common!crypto isakmp profile ciscovrf ciscomatch identity group cclientclient authentication list cisco-clientisakmp authorization list cisco-clientclient configuration address respondaccounting acc!crypto dynamic-map dynamic 1set transform-set aswanset isakmp-profile ciscoreverse-route!!radius-server host 172.1.1.4 auth-port 1645 acct-port 1646radius-server key nsiteRelated Commands
crypto key generate rsa
To generate Rivest, Shamir, and Adelman (RSA) key pairs, use the crypto key generate rsa command in global configuration mode.
crypto key generate rsa [general-keys | usage-keys | signature | encryption] [label key-label] [exportable] [modulus modulus-size] [storage devicename:] [on devicename:]
Syntax Description
Command Default
RSA key pairs do not exist.
Command Modes
Global configuration
Command History
Usage Guidelines
Use this command to generate RSA key pairs for your Cisco device (such as a router).
RSA keys are generated in pairs—one public RSA key and one private RSA key.
If your router already has RSA keys when you issue this command, you will be warned and prompted to replace the existing keys with new keys.
Note
Note
This command is not saved in the router configuration; however, the RSA keys generated by this command are saved in the private configuration in NVRAM (which is never displayed to the user or backed up to another device) the next time the configuration is written to NVRAM.
Note
There are two mutually exclusive types of RSA key pairs: special-usage keys and general-purpose keys. When you generate RSA key pairs, you will be prompted to select either special-usage keys or general-purpose keys.
Special-Usage Keys
If you generate special-usage keys, two pairs of RSA keys will be generated. One pair will be used with any Internet Key Exchange (IKE) policy that specifies RSA signatures as the authentication method, and the other pair will be used with any IKE policy that specifies RSA encrypted keys as the authentication method.
A certification authority (CA) is used only with IKE policies specifying RSA signatures, not with IKE policies specifying RSA-encrypted nonces. (However, you could specify more than one IKE policy and have RSA signatures specified in one policy and RSA-encrypted nonces in another policy.)
If you plan to have both types of RSA authentication methods in your IKE policies, you may prefer to generate special-usage keys. With special-usage keys, each key is not unnecessarily exposed. (Without special-usage keys, one key is used for both authentication methods, increasing the exposure of that key.)
General-Purpose Keys
If you generate general-purpose keys, only one pair of RSA keys will be generated. This pair will be used with IKE policies specifying either RSA signatures or RSA encrypted keys. Therefore, a general-purpose key pair might get used more frequently than a special-usage key pair.
Named Key Pairs
If you generate a named key pair using the key-pair-label argument, you must also specify the usage-keys keyword or the general-keys keyword. Named key pairs allow you to have multiple RSA key pairs, enabling the Cisco IOS software to maintain a different key pair for each identity certificate.
Modulus Length
When you generate RSA keys, you will be prompted to enter a modulus length. The longer the modulus, the stronger the security. However a longer modules takes longer to generate (see Table 12 for sample times) and takes longer to use.
Cisco IOS software does not support a modulus greater than 4096 bits. A length of less than 512 bits is normally not recommended. In certain situations, the shorter modulus may not function properly with IKE, so we recommend using a minimum modulus of 1024 bits.
Note
The largest private RSA key modulus is 2048 bits. Therefore, the largest RSA private key a router may generate or import is 2048 bits.
The recommended modulus for a CA is 2048 bits; the recommended modulus for a client is 1024 bits.
Specifying a Storage Location for RSA Keys
When you issue the crypto key generate rsa command with the storage devicename: keyword and argument, the RSA keys will be stored on the specified device. This location will supersede any crypto key storage command settings.
Specifying a Device for RSA Key Generation
As of Cisco IOS Release 12.4(11)T and later releases, you may specify the device where RSA keys are generated. Devices supported include NVRAM, local disks, and USB tokens. If your router has a USB token configured and available, the USB token can be used as cryptographic device in addition to a storage device. Using a USB token as a cryptographic device allows RSA operations such as key generation, signing, and authentication of credentials to be performed on the token. The private key never leaves the USB token and is not exportable. The public key is exportable.
RSA keys may be generated on a configured and available USB token, by the use of the on devicename: keyword and argument. Keys that reside on a USB token are saved to persistent token storage when they are generated. The number of keys that can be generated on a USB token is limited by the space available. If you attempt to generate keys on a USB token and it is full you will receive the following message:
% Error in generating keys:no available resourcesKey deletion will remove the keys stored on the token from persistent storage immediately. (Keys that do not reside on a token are saved to or deleted from non-token storage locations when the write memory or similar command is issued.)
For information on configuring a USB token, see "Storing PKI Credentials" chapter in the Cisco IOS Security Configuration Guide, Release 12.4T. For information on using on-token RSA credentials, see "Configuring and Managing a Cisco IOS Certificate Server for PKI Deployment chapter in the Cisco IOS Security Configuration Guide, Release 12.4T.
Examples
The following example generates a general usage 1024-bit RSA key pair on a USB token with the label "ms2" with crypto engine debugging messages shown:
Router(config)# crypto key generate rsa on usbtoken0 label ms2 modulus 1024The name for the keys will be: ms2% The key modulus size is 1024 bits% Generating 1024 bit RSA keys, keys will be on-token, non-exportable...Jan 7 02:41:40.895: crypto_engine: Generate public/private keypair [OK]Jan 7 02:44:09.623: crypto_engine: Create signatureJan 7 02:44:10.467: crypto_engine: Verify signatureJan 7 02:44:10.467: CryptoEngine0: CRYPTO_ISA_RSA_CREATE_PUBKEY(hw)(ipsec)Jan 7 02:44:10.467: CryptoEngine0: CRYPTO_ISA_RSA_PUB_DECRYPT(hw)(ipsec)Now, the on-token keys labeled "ms2" may be used for enrollment.
The following example generates special-usage RSA keys:
Router(config)# crypto key generate rsa usage-keysThe name for the keys will be: myrouter.example.comChoose the size of the key modulus in the range of 360 to 2048 for your Signature Keys. Choosing a key modulus greater than 512 may take a few minutes.How many bits in the modulus[512]? <return>Generating RSA keys.... [OK].Choose the size of the key modulus in the range of 360 to 2048 for your Encryption Keys. Choosing a key modulus greater than 512 may take a few minutes.How many bits in the modulus[512]? <return>Generating RSA keys.... [OK].The following example generates general-purpose RSA keys:
Note
Router(config)# crypto key generate rsa general-keysThe name for the keys will be: myrouter.example.comChoose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.How many bits in the modulus[512]? <return>Generating RSA keys.... [OK].The following example generates the general purpose RSA key pair "exampleCAkeys":
crypto key generate rsa general-keys exampleCAkeyscrypto ca trustpoint exampleCAkeysenroll url http://exampleCAkeys/certsrv/mscep/mscep.dllrsakeypair exampleCAkeys 1024 1024The following example specifies the RSA key storage location of "usbtoken0:" for "tokenkey1":
crypto key generate rsa general-keys label tokenkey1 storage usbtoken0:
Related Commands
crypto key pubkey-chain rsa
To enter public key configuration mode (so you can manually specify other devices' RSA public keys), use the crypto key pubkey-chain rsa command in global configuration mode.
crypto key pubkey-chain rsa
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
Usage Guidelines
Use this command to enter public key chain configuration mode. Use this command when you need to manually specify other IPSec peers' RSA public keys. You need to specify other peers' keys when you configure RSA encrypted nonces as the authentication method in an Internet Key Exchange policy at your peer router.
Examples
The following example specifies the RSA public keys of two other IPSec peers. The remote peers use their IP address as their identity.
Router(config)# crypto key pubkey-chain rsaRouter(config-pubkey-chain)# addressed-key 10.5.5.1Router(config-pubkey-key)# key-stringRouter(config-pubkey)# 00302017 4A7D385B 1234EF29 335FC973Router(config-pubkey)# 2DD50A37 C4F4B0FD 9DADE748 429618D5Router(config-pubkey)# 18242BA3 2EDFBDD3 4296142A DDF7D3D8Router(config-pubkey)# 08407685 2F2190A0 0B43F1BD 9A8A26DBRouter(config-pubkey)# 07953829 791FCDE9 A98420F0 6A82045BRouter(config-pubkey)# 90288A26 DBC64468 7789F76E EE21Router(config-pubkey)# quitRouter(config-pubkey-key)# exitRouter(config-pubkey-chain)# addressed-key 10.1.1.2Router(config-pubkey-key)# key-stringRouter(config-pubkey)# 0738BC7A 2BC3E9F0 679B00FE 53987BCCRouter(config-pubkey)# 01030201 42DD06AF E228D24C 458AD228Router(config-pubkey)# 58BB5DDD F4836401 2A2D7163 219F882ERouter(config-pubkey)# 64CE69D4 B583748A 241BED0F 6E7F2F16Router(config-pubkey)# 0DE0986E DF02031F 4B0B0912 F68200C4Router(config-pubkey)# C625C389 0BFF3321 A2598935 C1B1Router(config-pubkey)# quitRouter(config-pubkey-key)# exitRouter(config-pubkey-chain)# exitRouter(config)#Related Commands
crypto key zeroize rsa
To delete all RSA keys from your router, use the crypto key zeroize rsa command in global configuration mode.
crypto key zeroize rsa [key-pair-label]
Syntax Description
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
11.3 T
This command was introduced.
12.2(8)T
The key-pair-label argument was added.
Usage Guidelines
This command deletes all Rivest, Shamir, and Adelman (RSA) keys that were previously generated by your router unless you include the key-pair-label argument, which will delete only the specified RSA key pair. If you issue this command, you must also perform two additional tasks for each trustpoint that is associated with the key pair that was deleted:
•
•
Note
This command is not saved to the configuration.
Examples
The following example deletes the general-purpose RSA key pair that was previously generated for the router. After deleting the RSA key pair, the administrator contacts the CA administrator and requests that the certificate of the router be revoked. The administrator then deletes the certificate of the router from the configuration.
crypto key zeroize rsacrypto ca certificate chainno certificateRelated Commands
crypto keyring
To define a crypto keyring to be used during Internet Key Exchange (IKE) authentication, use the crypto keyring command in global configuration mode. To remove the keyring, use the no form of this command.
crypto keyring keyring-name [vrf fvrf-name]
no crypto keyring keyring-name [vrf fvrf-name]
Syntax Description
Defaults
All the Internet Security Association and Key Management Protocol (ISAKMP) keys that were defined in the global configuration are part of the default global keyring.
Command Modes
Global configuration
Command History
Usage Guidelines
A keyring is a repository of preshared and Rivest, Shamir, and Adelman (RSA) public keys. The keyring is used in the isakmp profile configuration mode. The ISAKMP profile successfully completes authentication of peers if the peer keys are defined in the keyring that is attached to this profile.
Examples
The following example shows that a keyring and its usage have been defined:
crypto keyring vpnkeyspre-shared-key address 10.72.23.11 key vpnsecretcrypto isakmp profile vpnprofilekeyring vpnkeyscrypto map (global IPSec)
To enter crypto map configuration mode and create or modify a crypto map entry, to create a crypto profile that provides a template for configuration of dynamically created crypto maps, or to configure a client accounting list, use the crypto map command in global configuration mode. To delete a crypto map entry, profile, or set, use the no form of this command.
crypto map map-name seq-num [ipsec-manual]
crypto map map-name seq-num [ipsec-isakmp] [dynamic dynamic-map-name] [discover] [profile profile-name]
crypto map map-name [client-accounting-list aaalist]
no crypto map map-name seq-num
Note
Syntax Description
Defaults
No crypto maps exist.
Peer discovery is not enabled.
Command Modes
Global configuration
Command History
Usage Guidelines
Use this command to create a new crypto map entry, to create a crypto map profile, or to modify an existing crypto map entry or profile.
After a crypto map entry has been created, you cannot change the parameters specified at the global configuration level because these parameters determine which of the configuration commands are valid at the crypto map level. For example, after a map entry has been created using the ipsec-isakmp keyword, you cannot change it to the option specified by the ipsec-manual keyword; you must delete and reenter the map entry.
After you define crypto map entries, you can assign the crypto map set to interfaces using the crypto map (interface IPSec) command.
Crypto Map Functions
Crypto maps provide two functions: filtering and classifying traffic to be protected and defining the policy to be applied to that traffic. The first use affects the flow of traffic on an interface; the second affects the negotiation performed (via IKE) on behalf of that traffic.
IPSec crypto maps define the following:
•
•
•
•
Multiple Crypto Map Entries with the Same Map Name Form a Crypto Map Set
A crypto map set is a collection of crypto map entries, each with a different seq-num argument but the same map-name argument. Therefore, for a given interface, you could have certain traffic forwarded to one IPSec peer with specified security applied to that traffic and other traffic forwarded to the same or a different IPSec peer with different IPSec security applied. To accomplish differential forwarding you would create two crypto maps, each with the same map-name argument, but each with a different seq-num argument. Crypto profiles must have unique names within a crypto map set.
Sequence Numbers
The number you assign to the seq-num argument should not be arbitrary. This number is used to rank multiple crypto map entries within a crypto map set. Within a crypto map set, a crypto map entry with a lower seq-num is evaluated before a map entry with a higher seq-num; that is, the map entry with the lower number has a higher priority.
For example, consider a crypto map set that contains three crypto map entries: mymap 10, mymap 20, and mymap 30. The crypto map set named "mymap" is applied to serial interface 0. When traffic passes through serial interface 0, the traffic is evaluated first for mymap 10. If the traffic matches any access list permit statement entry in the extended access list in mymap 10, the traffic will be processed according to the information defined in mymap 10 (including establishing IPSec SAs when necessary). If the traffic does not match the mymap 10 access list, the traffic will be evaluated for mymap 20, and then mymap 30, until the traffic matches a permit entry in a map entry. (If the traffic does not match a permit entry in any crypto map entry, it will be forwarded without any IPSec security.)
Dynamic Crypto Maps
Refer to the "Usage Guidelines" section of the crypto dynamic-map command for a discussion on dynamic crypto maps.
Crypto map entries that reference dynamic map sets should be the lowest priority map entries, allowing inbound SA negotiation requests to try to match the static maps first. Only after the request does not match any of the static maps, do you want it to be evaluated against the dynamic map set.
To make a crypto map entry referencing a dynamic crypto map set the lowest priority map entry, give the map entry the highest seq-num of all the map entries in a crypto map set.
Create dynamic crypto map entries using the crypto dynamic-map command. After you create a dynamic crypto map set, add the dynamic crypto map set to a static crypto map set with the crypto map (global IPSec) command using the dynamic keyword.
TED
TED is an enhancement to the IPSec feature. Defining a dynamic crypto map allows you to dynamically determine an IPSec peer; however, only the receiving router has this ability. With TED, the initiating router can dynamically determine an IPSec peer for secure IPSec communications.
Dynamic TED helps to simplify IPSec configuration on the individual routers within a large network. Each node has a simple configuration that defines the local network that the router is protecting and the IPSec transforms that are required.
Note
Crypto Map Profiles
Crypto map profiles are created using the profile profile-name keyword and argument combination. Crypto map profiles are used as configuration templates for dynamically creating crypto maps on demand for use with the Layer 2 Transport Protocol (L2TP) Security feature. The relevant SAs the crypto map profile will be cloned and used to protect IP traffic on the L2TP tunnel.
Note
Examples
The following example shows the minimum required crypto map configuration when IKE will be used to establish the SAs:
crypto map mymap 10 ipsec-isakmpmatch address 101set transform-set my_t_set1set peer 10.0.0.1The following example shows the minimum required crypto map configuration when the SAs are manually established:
crypto transform-set someset ah-md5-hmac esp-descrypto map mymap 10 ipsec-manualmatch address 102set transform-set somesetset peer 10.0.0.5set session-key inbound ah 256 98765432109876549876543210987654set session-key outbound ah 256 fedcbafedcbafedcfedcbafedcbafedcset session-key inbound esp 256 cipher 0123456789012345set session-key outbound esp 256 cipher abcdefabcdefabcdThe following example configures an IPSec crypto map set that includes a reference to a dynamic crypto map set.
Crypto map "mymap 10" allows SAs to be established between the router and either (or both) of two remote IPSec peers for traffic matching access list 101. Crypto map "mymap 20" allows either of two transform sets to be negotiated with the remote peer for traffic matching access list 102.
Crypto map entry "mymap 30" references the dynamic crypto map set "mydynamicmap," which can be used to process inbound SA negotiation requests that do not match "mymap" entries 10 or 20. In this case, if the peer specifies a transform set that matches one of the transform sets specified in "mydynamicmap," for a flow permitted by the access list 103, IPSec will accept the request and set up SAs with the remote peer without previously knowing about the remote peer. If the request is accepted, the resulting SAs (and temporary crypto map entry) are established according to the settings specified by the remote peer.
The access list associated with "mydynamicmap 10" is also used as a filter. Inbound packets that match any access list permit statement in this list are dropped for not being IPSec protected. (The same is true for access lists associated with static crypto maps entries.) Outbound packets that match a permit statement without an existing corresponding IPSec SA are also dropped.
crypto map mymap 10 ipsec-isakmpmatch address 101set transform-set my_t_set1set peer 10.0.0.1set peer 10.0.0.2crypto map mymap 20 ipsec-isakmpmatch address 102set transform-set my_t_set1 my_t_set2set peer 10.0.0.3crypto map mymap 30 ipsec-isakmp dynamic mydynamicmap!crypto dynamic-map mydynamicmap 10match address 103set transform-set my_t_set1 my_t_set2 my_t_set3The following example configures TED on a Cisco router:
crypto map testtag 10 ipsec-isakmp dynamic dmap discoverThe following example configures a crypto profile to be used as a template for dynamically created crypto maps when IPSec is used to protect an L2TP tunnel:
crypto map l2tpsec 10 ipsec-isakmp profile l2tpRelated Commands
crypto map (interface IPSec)
To apply a previously defined crypto map set to an interface, use the crypto map command in interface configuration mode. To remove the crypto map set from the interface, use the no form of this command.
crypto map map-name [redundancy standby-group-name[stateful]]
no crypto map [map-name] [redundancy standby-group-name [stateful]]
Syntax Description
Defaults
No crypto maps are assigned to interfaces.
Command Modes
Interface configuration
Command History
Usage Guidelines
Use this command to assign a crypto map set to an interface. You must assign a crypto map set to an interface before that interface can provide IPSec services. Only one crypto map set can be assigned to an interface. If multiple crypto map entries have the same map name but a different sequence number, they are considered to be part of the same set and will all be applied to the interface. The crypto map entry that has the lowest sequence number is considered the highest priority and will be evaluated first. A single crypto map set can contain a combination of ipsec-isakmp and ipsec-manual crypto map entries.
Note
The standby name must be configured on all devices in the standby group, and the standby address must be configured on at least one member of the group. If the standby name is removed from the router, the IPSec security associations (SAs) will be deleted. If the standby name is added again, regardless of whether the same name or a different name is used, the crypto map (using the redundancy option) will have to be reapplied to the interface.
Note
The stateful keyword enables stateful failover of IKE and IPSec sessions. Stateful Switchover (SSO) must also be configured for IPSec stateful failover to operate correctly.
Examples
The following example shows how all remote Virtual Private Network (VPN) gateways connect to the router via 192.168.0.3:
crypto map mymap 1 ipsec-isakmpset peer 10.1.1.1reverse-routeset transform-set esp-3des-shamatch address 102Interface FastEthernet 0/0ip address 192.168.0.2 255.255.255.0standby name group1standby ip 192.168.0.3crypto map mymap redundancy group1access-list 102 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.255.255The crypto map on the interface binds this standby address as the local tunnel endpoint for all instances of "mymap" and, at the same time, ensures that stateless HSRP failover is facilitated between an active and standby device that belongs to the same standby group, "group1."
Reverse route injection (RRI) is also enabled to provide the ability for only the active device in the HSRP group to be advertising itself to inside devices as the next hop VPN gateway to the remote proxies. If a failover occurs, routes are deleted on the former active device and created on the new active device.
The following example shows how to configure IPSec stateful failover on the crypto map "to-peer-outside":
crypto map to-peer-outside 10 ipsec-isakmpset peer 209.165.200.225set transform-set trans1match address peer-outsideinterface Ethernet0/0ip address 209.165.201.1 255.255.255.224standby 1 ip 209.165.201.3standby 1 preemptstandby 1 name HA-outstandby 1 track Ethernet1/0crypto map to-peer-outside redundancy HA-out statefulRelated Commands
crypto map client authentication list
To configure Internet Key Exchange extended authentication (Xauth) on your router, use the crypto map client authentication list command in global configuration mode. To restore the default value, use the no form of this command.
crypto map map-name client authentication list list-name
no crypto map map-name client authentication list list-name
Syntax Description
Defaults
Xauth is not enabled.
Command Modes
Global configuration
Command History
Usage Guidelines
Before configuring Xauth, you should complete the following tasks:
•
•
•
•
After enabling Xauth, you should apply the crypto map on which Xauth is configured to the router interface.
Examples
The following example configures user authentication (a list of authentication methods called xauthlist) on an existing static crypto map called xauthmap:
crypto map xauthmap client authentication list xauthlistThe following example configures user authentication (a list of authentication methods called xauthlist) on a dynamic crypto map called xauthdynamic that has been applied to a static crypto map called xauthmap:
crypto map xauthmap client authentication list xauthlistcrypto map xauthmap 10 ipsec-isakmp dynamic xauthdynamicRelated Commands
crypto map client configuration address
To configure IKE Mode Configuration on your router, use the crypto map client configuration address command in global configuration mode. To disable IKE Mode Configuration, use the no form of this command.
crypto map tag client configuration address [initiate | respond]
no crypto map tag client configuration address
Syntax Description
Defaults
IKE Mode Configuration is not enabled.
Command Modes
Global configuration
Command History
12.0(4)XE
This command was introduced.
12.0(7)T
This command was implemented in Cisco IOS release 12.0(7)T.
Usage Guidelines
At the time of this publication, this feature is an IETF draft with limited support. Therefore this feature was not designed to enable the configuration mode for every IKE connection by default.
Examples
The following examples configure IKE Mode Configuration on your router:
crypto map dyn client configuration address initiatecrypto map dyn client configuration address respondRelated Commands
crypto map (global)
Creates or modifies a crypto map entry and enters the crypto map configuration mode
crypto map isakmp authorization list
To enable Internet Key Exchange (IKE) querying of authentication, authorization, and accounting (AAA) for tunnel attributes in aggressive mode, use the crypto map isakmp authorization list command in global configuration mode. To restore the default value, use the no form of this command.
crypto map map-name isakmp authorization list list-name
no crypto map map-name isakmp authorization list list-name
Syntax Description
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
Usage Guidelines
Use the crypto map client authorization list command to enable key lookup from a AAA server.
Preshared keys deployed in a large-scale Virtual Private Network (VPN) without a certification authority, with dynamic IP addresses, are accessed during aggression mode of IKE negotiation through a AAA server. Thus, users have their own key, which is stored on an external AAA server. This allows for central management of the user database, linking it to an existing database, in addition to allowing every user to have their own unique, more secure pre-shared key.
Before configuring the crypto map client authorization list command, you should perform the following tasks:
•
•
•
•
After enabling the crypto map client authorization list command, you should apply the previously defined crypto map to the interface.
Examples
The following example shows how to configure the crypto map client authorization list command:
crypto map ikessaaamap isakmp authorization list ikessaaalistcrypto map ikessaaamap 10 ipsec-isakmp dynamic ikessaaadynRelated Commands
crypto map isakmp-profile
To configure an Internet Security Association and Key Management Protocol (ISAKMP) profile on a crypto map, use the crypto map isakmp-profile command in global configuration mode. To restore the default values on the crypto map, use the no form of this command.
crypto map map-name isakmp-profile isakmp-profile-name
no crypto map map-name isakmp-profile isakmp-profile-name
Syntax Description
Defaults
No default behavior or values
Command Modes
Global configuration
Command History
Usage Guidelines
This command describes the ISAKMP profile to use to start the IKE exchange. Before configuring this command, you must set up the ISAKMP profile.
Examples
The following example shows that an ISAKMP profile is configured on a crypto map:
crypto map vpnmap isakmp-profile vpnprofileRelated Commands
crypto ipsec transform-set
Defines a transform set—an acceptable combination of security protocols and algorithms.
crypto map (global)
Creates or modifies a crypto map entry.
crypto map local-address
To specify and name an identifying interface to be used by the crypto map for IPSec traffic, use the crypto map local-address command in global configuration mode. To remove this command from the configuration, use the no form of this command.
crypto map map-name local-address interface-id
no crypto map map-name local-address
Syntax Description
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
Usage Guidelines
If you apply the same crypto map to two interfaces and do not use this command, two separate security associations (with different local IP addresses) could be established to the same peer for similar traffic. If you are using the second interface as redundant to the first interface, it could be preferable to have a single security association (with a single local IP address) created for traffic sharing the two interfaces. Having a single security association decreases overhead and makes administration simpler.
This command allows a peer to establish a single security association (and use a single local IP address) that is shared by the two redundant interfaces.
If applying the same crypto map set to more than one interface, the default behavior is as follows:
•
•
However, if you use a local-address for that crypto map set, it has multiple effects:
•
•
One suggestion is to use a loopback interface as the referenced local address interface, because the loopback interface never goes down.
Examples
The following example assigns crypto map set "mymap" to the S0 interface and to the S1 interface. When traffic passes through either S0 or S1, the traffic will be evaluated against the all the crypto maps in the "mymap" set. When traffic through either interface matches an access list in one of the "mymap" crypto maps, a security association will be established. This same security association will then apply to both S0 and S1 traffic that matches the originally matched IPSec access list. The local address that IPSec will use on both interfaces will be the IP address of interface loopback0.
interface S0crypto map mymapinterface S1crypto map mymapcrypto map mymap local-address loopback0Related Commands
crypto map (interface IPSec)
Applies a previously defined crypto map set to an interface.
crypto mib ipsec flowmib history failure size
To change the size of the IP Security (IPSec) MIB failure history table, use the crypto mib ipsec flowmib history failure size command in global configuration mode.
crypto mib ipsec flowmib history failure size number
Syntax Description
Defaults
The default table size is 200.
Command Modes
Global configuration
Command History
12.1(4)E
This command was introduced.
12.2(4)T
This command was integrated into Cisco IOS Release 12.2 T.
Usage Guidelines
Use the crypto mib ipsec flowmib history failure size command to change the size of a failure history table. If you do not configure the size of a failure history table, the default of 200 will be implemented.
A failure history table stores the reason for tunnel failure and the time failure occurred. A failure history table can be used as a simple method to distinguish between a normal and an abnormal tunnel termination. That is, if a tunnel entry in the tunnel history table has no associated failure record, the tunnel must have terminated normally. However, every failure does not correspond to a tunnel. Supported setup failures are recorded in the failure table, but a history table is not associated because a tunnel was never set up.
Examples
In the following example, the size of a failure history table is configured to be 140:
Router(config)# crypto mib ipsec flowmib history failure size 140Related Commands
crypto mib ipsec flowmib history tunnel size
To change the size of the IP Security (IPSec) tunnel history table, use the crypto mib ipsec flowmib history tunnel size command in global configuration mode.
crypto mib ipsec flowmib history tunnel size number
Syntax Description
Defaults
The default table size is 200.
Command Modes
Global configuration
Command History
12.1(4)E
This command was introduced.
12.2(4)T
This command was integrated into Cisco IOS Release 12.2 T.
Usage Guidelines
Use the crypto mib ipsec flowmib history tunnel size command to change the size of a tunnel history table. If you do not configure the size of a tunnel history table, the default of 200 will be implemented.
A tunnel history table stores the attribute and statistics records, which contain the attributes and the last snapshot of the traffic statistics of a given tunnel. A tunnel history table accompanies a failure table, so you can display the complete history of a given tunnel. However, a tunnel history table does not accompany every failure table because every failure does not correspond to a tunnel. Thus, supported setup failures are recorded in the failure table, but an associated history table is not recorded because a tunnel was never set up.
As an optimization, a tunnel endpoint table can be combined with a tunnel history table. However, if a tunnel endpoint table is combined, all three tables (the failure history table, tunnel history table, and the endpoint table) must remain the same size even though the MIB allows each table to be distinct.
Examples
In the following example, the size of the tunnel history table changed to 130:
Router(config)# crypto mib ipsec flowmib history tunnel size 130crypto pki crl request
To request that a new certificate revocation list (CRL) be obtained immediately from the certification authority, use the crypto pki crl request command in global configuration mode.
crypto pki crl request name
Syntax Description
name
Specifies the name of the CA. This is the same name used when the CA was declared with the crypto pki trustpoint command.
Defaults
Normally, the router requests a new CRL when it is verifying a certificate and there is no CRL cached.
Command Modes
Global configuration
Command History
11.3 T
The crypto ca crl request command was introduced.
12.3(7)T
This command replaced the crypto ca crl request command.
Usage Guidelines
A CRL lists all the certificates of the network device that have been revoked. Revoked certificates will not be honored by your router; therefore, any IPSec device with a revoked certificate cannot exchange IP Security traffic with your router.
The first time your router receives a certificate from a peer, it will download a CRL from the CA. Your router then checks the CRL to make sure the certificate of the peer has not been revoked. (If the certificate appears on the CRL, it will not accept the certificate and will not authenticate the peer.)
A CRL can be reused with subsequent certificates until the CRL expires. If your router receives the certificate of a peer after the applicable CRL has expired, it will download the new CRL.
If your router has a CRL which has not yet expired, but you suspect that the contents of the CRL are out of date, use the crypto pki crl request command to request that the latest CRL be immediately downloaded to replace the old CRL.
This command is not saved to the configuration.
Note
Examples
The following example immediately downloads the latest CRL to your router:
crypto pki crl requestcrypto pki trustpoint
To declare the certification authority (CA) that your router should use, use the crypto pki trustpoint command in global configuration mode. To delete all identity information and certificates associated with the CA, use the no form of this command.
crypto pki trustpoint name
no crypto pki trustpoint name
Syntax Description
name
Creates a name for the CA. (If you previously declared the CA and just want to update its characteristics, specify the name you previously created.)
Defaults
Your router does not recognize any CAs until you declare a CA using this command.
Command Modes
Global configuration
Command History
Usage Guidelines
Use the crypto pki trustpoint command to declare a CA, which can be a self-signed root CA or a subordinate CA. Issuing the crypto pki trustpoint command puts you in ca-trustpoint configuration mode.
You can specify characteristics for the trustpoint CA using the following subcommands:
•
•
•
•
•
•
•
The following example shows how to declare the CA named "ka" and specify enrollment and CRL parameters:
crypto pki trustpoint kaenrollment url http://kahului:80The following example shows a certificate-based access control list (ACL) with the label "Group" defined in a crypto ca certificate map command and included in the match certificate subcommand of the crypto pki trustpoint command:
crypto ca certificate map Group 10subject-name co ou=WANsubject-name co o=Cisco!crypto pki trustpoint pki1match certificate GroupRelated Commands
ctype
To preauthenticate calls on the basis of the call type, use the ctype command in AAA preauthentication configuration mode. To remove the ctype command from your configuration, use the no form of this command.
ctype [if-avail | required] [accept-stop] [password password] [digital | speech | v.110 | v.120]
no ctype [if-avail | required] [accept-stop] [password password] [digital | speech | v.110 | v.120]
Syntax Description
Defaults
The if-avail and required keywords are mutually exclusive. If the if-avail keyword is not configured, the preauthentication setting defaults to required.
The default password string is cisco.
Command Modes
AAA preauthentication configuration
Command History
Usage Guidelines
You may configure more than one of the AAA preauthentication commands (clid, ctype, dnis) to set conditions for preauthentication. The sequence of the command configuration decides the sequence of the preauthentication conditions. For example, if you configure dnis, then clid, then ctype, in this order, then this is the order of the conditions considered in the preauthentication process.
In addition to using the preauthentication commands to configure preauthentication on the Cisco router, you must set up the preauthentication profiles on the RADIUS server.
Set up the RADIUS preauthentication profile with the call type string as the username and with the password that is defined in the ctype command as the password. Table 13 shows the call types that you may use in the preauthentication profile.
Examples
The following example specifies that incoming calls be preauthenticated on the basis of the call type:
aaa preauthgroup radiusctype requiredRelated Commands
