Cisco IOS Security Command Reference, Release 12.3
Security Commands: reverse-route through show crypto isakmp sa

Table Of Contents

reverse-route

root

root CEP

root PROXY

root TFTP

rsakeypair

rsa-pubkey

security authentication failure rate

security passwords min-length

self-identity

serial-number (ca-trustpoint)

serial-number (pubkey)

server (RADIUS)

server (TACACS+)

server-private (RADIUS)

service password-encryption

set aggressive-mode client-endpoint

set aggressive-mode password

set isakmp-profile

set peer (IPSec)

set pfs

set security-association level per-host

set security-association lifetime

set session-key

set transform-set

show aaa attributes

show aaa cache filterserver

show aaa server-private

show aaa user

show accounting

show auto secure config

show crypto ca certificates

show crypto ca crls

show crypto ca roots

show crypto ca timers

show crypto ca trustpoints

show crypto dynamic-map

show crypto eng qos

show crypto engine accelerator logs

show crypto engine accelerator ring

show crypto engine accelerator sa-database

show crypto engine accelerator statistic

show crypto ipsec client ezvpn

show crypto ipsec sa

show crypto ipsec security-association lifetime

show crypto ipsec transform-set

show crypto isakmp key

show crypto isakmp policy

show crypto isakmp profile

show crypto isakmp sa


reverse-route

To create source proxy information for a crypto map entry, use the reverse-route command in crypto map configuration mode. To remove the source proxy information from a crypto map entry, use the no form of this command.

reverse-route [remote-peer [ip-address]]

no reverse-route [remote-peer [ip-address]]

Syntax Description

remote-peer

(Optional) Routes of public IP addresses and IP security (IPSec) tunnel destination addresses are inserted into the routing table.

ip-address

(Optional) IP address of the next hop destination.


Defaults

No default behavior or values.

Command Modes

Crypto map configuration

Command History

Release
Modification

12.1(9)E

This command was introduced.

12.2(8)T

This command was integrated into Cisco IOS Release 12.2(8)T.

12.2(11)T

This command was implemented on the Cisco AS5300 and Cisco AS5800 platforms.

12.2(13)T

The remote-peer keyword was added.

12.3

The ip-address argument was added.


Usage Guidelines

This command can be applied on a per-crypto map basis.

Reverse route injection (RRI) provides a scalable mechanism to dynamically learn and advertise the IP address and subnets that belong to a remote site that connects through an IP Security (IPSec) virtual private network (VPN) tunnel.

When enabled in an IPSec crypto map, RRI will learn all the subnets from any network that is defined in the crypto access control list (ACL) as the destination network. The learned routes are installed into the local routing table as static routes that point to the encrypted interface. When the IPSec tunnel is torn down, the associated static routes will be removed. These static routes may then be redistributed into other dynamic routing protocols so that they can be advertised to other parts of the network (usually done by redistributing RRI routes into dynamic routing protocols on the core side).

Examples

The following example shows how all remote VPN gateways connect to the router via 192.168.0.3:

crypto map mymap 1 ipsec-isakmp
 set peer 10.1.1.1
 reverse-route
 set transform-set esp-3des-sha
 match address 102

interface FastEthernet 0/0
 ip address 192.168.0.2 255.255.255.0
 standby name group1
 standby ip 192.168.0.3
 crypto map mymap redundancy group1

access-list 102 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.255.255
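As an added illustration (not Cisco code and not part of this reference), the following Python model applies the RRI behaviour described in the usage guidelines to the crypto ACL from the example above: each permitted destination of access list 102 becomes a static route while the tunnel to the peer is up, the remote-peer keyword adds a host route for the peer via the supplied next hop, and tearing the tunnel down withdraws exactly those routes. The RoutingTable class, its method names and the next-hop values are assumptions of the model.

```python
"""Model of Reverse Route Injection (RRI) for the reverse-route crypto map command.

Constructed illustration, not Cisco code. It parses a crypto ACL, installs a static
route per permitted destination when the IPSec tunnel comes up, optionally adds the
remote-peer host route, and withdraws those routes when the tunnel goes down.
"""
import ipaddress


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert an IOS address/wildcard pair (e.g. 10.0.0.0 0.0.255.255) to a prefix.

    Wildcard bits set to 1 are "don't care", so the ones must form a contiguous run
    from the low end for the match to be expressible as a single prefix.
    """
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):                      # contiguous low-order ones satisfy w & (w+1) == 0
        raise ValueError(f"wildcard {wildcard} is not a contiguous mask")
    prefixlen = 32 - w.bit_length()
    return ipaddress.IPv4Network(f"{addr}/{prefixlen}", strict=False)


def _parse_address_spec(tokens, i):
    """Parse one ACL address spec at tokens[i]; return (network, index after it)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def crypto_acl_destinations(config_lines, acl_number):
    """Return the destination networks of the permit entries of extended ACL acl_number.

    Only permit entries define traffic to protect, so only they produce RRI routes.
    A port qualifier after the source spec (eq/gt/lt/neq) is skipped.
    """
    dests = []
    for line in config_lines:
        t = line.split()
        if t[:3] != ["access-list", str(acl_number), "permit"]:
            continue
        _, i = _parse_address_spec(t, 4)        # source spec; RRI does not use it
        while i < len(t) and t[i] in ("eq", "gt", "lt", "neq"):
            i += 2
        dst, _ = _parse_address_spec(t, i)      # destination spec becomes the route
        dests.append(dst)
    return dests


class RoutingTable:
    """Minimal routing table; every RRI route remembers the peer that caused it."""

    def __init__(self):
        self.routes = {}                        # IPv4Network -> {"next_hop", "rri_peer"}

    def tunnel_up(self, peer, config_lines, acl_number, remote_peer=False, next_hop=None):
        """Install RRI routes when the IPSec tunnel to peer is established."""
        for dst in crypto_acl_destinations(config_lines, acl_number):
            # Protected subnets are reached through the tunnel, i.e. via the peer.
            self.routes[dst] = {"next_hop": peer, "rri_peer": peer}
        if remote_peer:
            # remote-peer [ip-address]: also insert a host route for the tunnel
            # destination itself via the supplied next hop (assumption: the peer
            # address is used when no next hop is given).
            host = ipaddress.IPv4Network(peer + "/32")
            self.routes[host] = {"next_hop": next_hop or peer, "rri_peer": peer}

    def tunnel_down(self, peer):
        """Withdraw every route that RRI installed for this peer, nothing else."""
        for net in [n for n, r in self.routes.items() if r["rri_peer"] == peer]:
            del self.routes[net]

    def lookup(self, ip):
        """Longest-prefix match; returns the next hop or None when no route exists."""
        addr = ipaddress.IPv4Address(ip)
        best = None
        for net, route in self.routes.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, route)
        return best[1]["next_hop"] if best else None


# Constructed input: the crypto ACL from the example above.
ACL_102 = ["access-list 102 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.255.255"]

if __name__ == "__main__":
    table = RoutingTable()
    table.tunnel_up("10.1.1.1", ACL_102, 102, remote_peer=True, next_hop="192.168.0.1")
    print(sorted(str(n) for n in table.routes))  # ['10.0.0.0/16', '10.1.1.1/32']
    table.tunnel_down("10.1.1.1")
    print(table.routes)                          # {}
```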

Related Commands

Command
Description

crypto map (global IPSec)

Creates or modifies a crypto map entry and enters the crypto map configuration mode.

crypto map local-address

Specifies and names an identifying interface to be used by the crypto map for IPSec traffic.

show crypto map (IPSec)

Displays the crypto map configuration.


root

To obtain the certification authority (CA) certificate via TFTP, use the root command in ca-trustpoint configuration mode. To deconfigure the CA, use the no form of this command.

root tftp server-hostname filename

no root tftp server-hostname filename

Syntax Description

tftp

Defines the TFTP protocol to get the root certificate.

server-hostname filename

Specifies a name for the server and a name for the file that will store the trustpoint CA.


Defaults

A CA certificate is not configured.

Command Modes

Ca-trustpoint configuration

Command History

Release
Modification

12.2(8)T

This command was introduced.


Usage Guidelines

This command allows you to obtain the CA certificate via the TFTP protocol. You configure a CA certificate so that your router can verify certificates issued to peers; thus, your router does not have to enroll with the CA that issued the certificates to the peers.

Before you can configure this command, you must enable the crypto ca trustpoint command, which puts you in ca-trustpoint configuration mode.


Note The crypto ca trustpoint command deprecates the crypto ca identity and crypto ca trusted-root commands and all related subcommands (all ca-identity and trusted-root configuration mode commands). If you enter a ca-identity or trusted-root subcommand, the configuration mode and command will be written back as ca-trustpoint.


Examples

The following example shows how to configure the CA certificate named "bar" using TFTP:

crypto ca trustpoint bar
 root tftp xxx fff
 crl optional

Related Commands

Command
Description

crypto ca trustpoint

Declares the CA that your router should use.


root CEP

The crypto ca trustpoint command deprecates the crypto ca trusted-root command and all related subcommands (all trusted-root configuration mode commands). If you enter a trusted-root subcommand, the configuration mode and command will be written back as ca-trustpoint.

root PROXY

The root PROXY command is replaced by the enrollment http-proxy command. See the enrollment http-proxy command for more information.

root TFTP

The root TFTP command is replaced by the root command. See the root command for more information.

rsakeypair

To specify which key pair to associate with the certificate, use the rsakeypair command in ca-trustpoint configuration mode.

rsakeypair key-label [key-size [encryption-key-size]]

Syntax Description

key-label

Name of the key pair, which is generated during enrollment if it does not already exist or if the auto-enroll regenerate command is configured.

key-size

(Optional) Size of the desired Rivest, Shamir, Adelman (RSA) key. If not specified, the existing key size is used.

encryption-key-size

(Optional) Size of the second key, which is used to request separate encryption, signature keys, and certificates.


Defaults

The fully qualified domain name (FQDN) key is used.

Command Modes

Ca-trustpoint configuration

Command History

Release
Modification

12.2(8)T

This command was introduced.


Usage Guidelines

When you regenerate a key pair, you are responsible for reenrolling the identities associated with the key pair. Use the rsakeypair command to refer back to the named key pair.

Examples

The following example is a sample trustpoint configuration that specifies the RSA key pair "exampleCAkeys":

crypto ca trustpoint exampleCAkeys
 enrollment url http://exampleCAkeys/certsrv/mscep/mscep.dll
 rsakeypair exampleCAkeys 1024 1024

Related Commands

Command
Description

auto-enroll

Enables autoenrollment.

crl

Generates RSA key pairs.

crypto ca trustpoint

Declares the CA that your router should use.


rsa-pubkey

To define the Rivest, Shamir, and Adelman (RSA) manual key to be used for encryption or signature during Internet Key Exchange (IKE) authentication, use the rsa-pubkey command in keyring configuration mode. To remove the manual key that was defined, use the no form of this command.

rsa-pubkey {address address | name fqdn} [encryption | signature]

no rsa-pubkey {address address | name fqdn} [encryption | signature]

Syntax Description

address address

IP address of the remote peer.

name fqdn

Fully qualified domain name (FQDN) of the peer.

encryption

(Optional) The manual key is to be used for encryption.

signature

(Optional) The manual key is to be used for signature.


Defaults

No default behavior or values

Command Modes

Keyring configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Usage Guidelines

Use this command to enter public key chain configuration mode. Use this command when you need to manually specify RSA public keys of other IP Security (IPSec) peers. You need to specify the keys of other peers when you configure RSA encrypted nonces as the authentication method in an IKE policy at your peer router.

Examples

The following example shows that the RSA public key of an IPSec peer has been specified:

Router(config)# crypto keyring vpnkeyring
Router(conf-keyring)# rsa-pubkey name host.vpn.com
Router(config-pubkey-key)# address 10.5.5.1
Router(config-pubkey)# key-string
Router(config-pubkey)# 00302017 4A7D385B 1234EF29 335FC973
Router(config-pubkey)# 2DD50A37 C4F4B0FD 9DADE748 429618D5
Router(config-pubkey)# 18242BA3 2EDFBDD3 4296142A DDF7D3D8
Router(config-pubkey)# 08407685 2F2190A0 0B43F1BD 9A8A26DB
Router(config-pubkey)# 07953829 791FCDE9 A98420F0 6A82045B
Router(config-pubkey)# 90288A26 DBC64468 7789F76E EE21
Router(config-pubkey)# quit
Router(config-pubkey-key)# exit
Router(conf-keyring)# exit

security authentication failure rate

To configure the number of allowable unsuccessful login attempts, use the security authentication failure rate command in global configuration mode. To disable this functionality, use the no form of this command.

security authentication failure rate threshold-rate log

no security authentication failure rate threshold-rate log

Syntax Description

threshold-rate

Number of allowable unsuccessful login attempts. The valid value range for the threshold-rate argument is 2 to 1024. The default is 10.

log

Syslog authentication failures if the rate exceeds the threshold.


Defaults

The default number of failed login attempts before a 15-second delay is 10.

Command Modes

Global configuration

Command History

Release
Modification

12.3(1)

This command was introduced.

12.2(27)SBC

This command was integrated into Cisco IOS Release 12.2(27)SBC.

12.3(7)T

The range of the threshold-rate value was changed from 1 through 1024 to 2 through 1024.


Usage Guidelines

The security authentication failure rate command provides enhanced security access to the router by generating syslog messages after the number of unsuccessful login attempts exceeds the configured threshold rate. This command ensures that continuous failed attempts to access the router do not go unnoticed.


Note Prior to Cisco IOS Release 12.3(7)T, the threshold-rate value range was 1 through 1024. Unsuccessful login attempts will not be logged if a value of 1 is configured. As of Cisco IOS Release 12.3(7)T, use a value between 2 and 1024.


Examples

The following example shows how to configure your router to generate a syslog message after eight failed login attempts:

security authentication failure rate 8 log

Related Commands

Command
Description

security passwords min-length

Ensures that all configured passwords are at least a specified length.


security passwords min-length

To ensure that all configured passwords are at least a specified length, use the security passwords min-length command in global configuration mode. To disable this functionality, use the no form of this command.

security passwords min-length length

no security passwords min-length length

Syntax Description

length

Minimum length of a configured password. The default is six characters.


Defaults

Six characters

Command Modes

Global configuration

Command History

Release
Modification

12.3(1)

This command was introduced.


Usage Guidelines

The security passwords min-length command provides enhanced security access to the router by allowing you to specify a minimum password length, eliminating common passwords that are prevalent on most networks, such as "lab" and "cisco." This command affects user passwords, enable passwords and secrets, and line passwords. After this command is enabled, any password that is less than the specified length will fail.

Examples

The following example shows both how to specify a minimum password length of six characters and what happens when the password does not adhere to the minimum length:

security passwords min-length 6
enable password lab
% Password too short - must be at least 6 characters. Password not configured.

Related Commands

Command
Description

enable password

Sets a local password to control access to various privilege levels.

security authentication failure rate

Configures the number of allowable unsuccessful login attempts.


self-identity

To define the identity that the local Internet Key Exchange (IKE) uses to identify itself to the remote peer, use the self-identity command in ISAKMP profile configuration mode. To remove the Internet Security Association and Key Management Protocol (ISAKMP) identity that was defined for the IKE, use the no form of this command.

self-identity {address | fqdn | user-fqdn user-fqdn}

no self-identity {address | fqdn | user-fqdn user-fqdn}

Syntax Description

address

The IP address of the local endpoint.

fqdn

The fully qualified domain name (FQDN) of the host.

user-fqdn user-fqdn

The user FQDN that is sent to the remote endpoint.


Defaults

If no ISAKMP identity is defined in the ISAKMP profile configuration, global configuration is the default.

Command Modes

ISAKMP profile configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Examples

The following example shows that the IKE identity is the user FQDN "user@vpn.com":

crypto isakmp profile vpnprofile
 self-identity user-fqdn user@vpn.com

serial-number (ca-trustpoint)

To specify whether the router serial number should be included in the certificate request, use the serial-number command in ca-trustpoint configuration mode. To restore the default behavior, use the no form of this command.

serial-number [none]

no serial-number

Syntax Description

none

(Optional) Specifies that a serial number will not be included in the certificate request.


Defaults

Not configured. You will be prompted for the serial number during certificate enrollment.

Command Modes

Ca-trustpoint configuration

Command History

Release
Modification

12.2(8)T

This command was introduced.


Usage Guidelines

Before you can issue the serial-number command, you must enable the crypto ca trustpoint command, which declares the certification authority (CA) that your router should use and enters ca-trustpoint configuration mode.

Use this command to specify the router serial number in the certificate request, or use the none keyword to specify that a serial number should not be included in the certificate request.

Examples

The following example shows how to include the router serial number in the "root" certificate request:

crypto ca trustpoint root
 enrollment url http://10.3.0.7:80
 ip-address none
 fqdn none
 serial-number none
 subject-name CN=jack, OU=PKI, O=Cisco Systems, C=US

The router will not prompt for the serial number during enrollment:

crypto ca trustpoint root
 enrollment url http://10.3.0.7:80
 serial-number

Related Commands

Command
Description

crypto ca trustpoint

Declares the CA that your router should use.


serial-number (pubkey)

To define the serial number for the Rivest, Shamir, and Adelman (RSA) manual key to be used for encryption or signatures during Internet Key Exchange (IKE) authentication, use the serial-number command in pubkey configuration mode. To remove the manual key that was defined, use the no form of this command.

serial-number serial-number

no serial-number serial-number

Syntax Description

serial-number

Device serial number. The value is from 0 through infinity.


Defaults

No default behavior or values

Command Modes

Pubkey configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Examples

The following example shows that the public key of an IP Security (IPSec) peer has been specified:

Router(config)# crypto keyring vpnkeyring
Router(conf-keyring)# rsa-pubkey name host.vpn.com
Router(config-pubkey-key)# address 10.5.5.1
Router(config-pubkey-key)# serial-number 1000000
Router(config-pubkey)# key-string
Router(config-pubkey)# 00302017 4A7D385B 1234EF29 335FC973
Router(config-pubkey)# 2DD50A37 C4F4B0FD 9DADE748 429618D5
Router(config-pubkey)# 18242BA3 2EDFBDD3 4296142A DDF7D3D8
Router(config-pubkey)# 08407685 2F2190A0 0B43F1BD 9A8A26DB
Router(config-pubkey)# 07953829 791FCDE9 A98420F0 6A82045B
Router(config-pubkey)# 90288A26 DBC64468 7789F76E EE21
Router(config-pubkey)# quit
Router(config-pubkey-key)# exit
Router(conf-keyring)# exit

Related Commands

Command
Description

address

Specifies the IP address of the remote RSA public key of the remote peer that you will manually configure.

key-string (IKE)

Specifies the RSA public key of a remote peer.


server (RADIUS)

To configure the IP address of the RADIUS server for the group server, use the server command in server-group configuration mode. To remove the associated server from the authentication, authorization, and accounting (AAA) group server, use the no form of this command.

server ip-address [auth-port port-number] [acct-port port-number]

no server ip-address [auth-port port-number] [acct-port port-number]

Syntax Description

ip-address

IP address of the RADIUS server host.

auth-port port-number

(Optional) Specifies the User Datagram Protocol (UDP) destination port for authentication requests. The port-number argument specifies the port number for authentication requests. The host is not used for authentication if this value is set to 0.

acct-port port-number

(Optional) Specifies the UDP destination port for accounting requests. The port-number argument specifies the port number for accounting requests. The host is not used for accounting services if this value is set to 0.


Defaults

If no port attributes are defined, the defaults are as follows:

Authentication port: 1645

Accounting port: 1646

Command Modes

Server-group configuration

Command History

Release
Modification

12.0(5)T

This command was introduced.

12.0(7)T

The following new keywords/arguments were added:

auth-port port-number

acct-port port-number


Usage Guidelines

Use the server command to associate a particular server with a defined group server. There are two different ways in which you can identify a server, depending on the way you want to offer AAA services. You can identify the server simply by using its IP address, or you can identify multiple host instances or entries using the optional auth-port and acct-port keywords.

When you use the optional keywords, the network access server identifies RADIUS security servers and host instances associated with a group server on the basis of their IP address and specific UDP port numbers. The combination of the IP address and UDP port number creates a unique identifier, allowing different ports to be individually defined as RADIUS host entries providing a specific AAA service. If two different host entries on the same RADIUS server are configured for the same service—for example, accounting—the second host entry configured acts as failover backup to the first one. Using this example, if the first host entry fails to provide accounting services, the network access server will try the second host entry configured on the same device for accounting services. (The RADIUS host entries will be tried in the order they are configured.)

Examples

Configuring Multiple Entries for the Same Server IP Address

The following example shows the network access server configured to recognize several RADIUS host entries with the same IP address. Two different host entries on the same RADIUS server are configured for the same services—authentication and accounting. The second host entry configured acts as fail-over backup to the first one. (The RADIUS host entries are tried in the order in which they are configured.)

! This command enables AAA.
aaa new-model
! The next command configures default RADIUS parameters.
aaa authentication ppp default radius
! The next set of commands configures multiple host entries for the same IP address.
radius-server host 172.20.0.1 auth-port 1000 acct-port 1001
radius-server host 172.20.0.1 auth-port 2000 acct-port 2000

Configuring Multiple Entries Using AAA Group Servers

In this example, the network access server is configured to recognize two different RADIUS group servers. One of these groups, group1, has two different host entries on the same RADIUS server configured for the same services. The second host entry configured acts as failover backup to the first one.

! This command enables AAA.
aaa new-model
! The next command configures default RADIUS parameters.
aaa authentication ppp default group group1
! The following commands define the group1 RADIUS group server and associate servers
! with it.
aaa group server radius group1
   server 172.20.0.1 auth-port 1000 acct-port 1001
! The following commands define the group2 RADIUS group server and associate servers
! with it.
aaa group server radius group2
   server 172.20.0.1 auth-port 2000 acct-port 2001
! The following set of commands configures the RADIUS attributes for each host entry
! associated with one of the defined group servers.
radius-server host 172.20.0.1 auth-port 1000 acct-port 1001
radius-server host 172.20.0.1 auth-port 2000 acct-port 2001
radius-server host 172.10.0.1 auth-port 1645 acct-port 1646
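The host-entry identification and failover order described in the usage guidelines, as an added Python model (not Cisco code and not part of this reference): it parses radius-server host and group server lines into (IP address, UDP port) entries, keeps their configured order, drops an entry from a service when its port is 0, and walks the list until an entry answers. The parse_radius_hosts, service_targets and choose_server names and the reachability callback are assumptions of the model.

```python
"""Model of how RADIUS host entries are identified and tried in order.

Constructed illustration, not Cisco code. An entry is the (IP address, UDP port)
pair for one service; the same IP with different ports yields distinct entries,
port 0 removes the host from that service, and entries are tried in the order
they were configured, so the second entry acts as failover backup for the first.
"""
DEFAULT_AUTH_PORT = 1645
DEFAULT_ACCT_PORT = 1646


def parse_radius_hosts(config_lines):
    """Parse 'radius-server host ...' and server-group 'server ...' lines.

    Returns a list of (ip, auth_port, acct_port) tuples in configuration order.
    Other keywords are ignored; missing ports take the documented defaults.
    """
    entries = []
    for line in config_lines:
        t = line.split()
        if t[:2] == ["radius-server", "host"]:
            t = t[2:]
        elif t[:1] == ["server"]:
            t = t[1:]
        else:
            continue                      # comments, aaa lines, etc.
        ip, auth_port, acct_port = t[0], DEFAULT_AUTH_PORT, DEFAULT_ACCT_PORT
        for i in range(1, len(t) - 1, 2):  # keyword/value pairs after the address
            if t[i] == "auth-port":
                auth_port = int(t[i + 1])
            elif t[i] == "acct-port":
                acct_port = int(t[i + 1])
        entries.append((ip, auth_port, acct_port))
    return entries


def service_targets(entries, service):
    """Ordered (ip, port) pairs to try for service 'auth' or 'acct'.

    An entry whose port for that service is 0 is not used for it.
    """
    if service not in ("auth", "acct"):
        raise ValueError(f"unknown service {service!r}")
    targets = []
    for ip, auth_port, acct_port in entries:
        port = auth_port if service == "auth" else acct_port
        if port != 0:
            targets.append((ip, port))
    return targets


def choose_server(targets, responds):
    """Failover walk: return the first (ip, port) for which responds() is true, else None."""
    for target in targets:
        if responds(target):
            return target
    return None


# Constructed input, modelled on the first example above: two host entries on the
# same RADIUS server, plus a third host that handles authentication only.
SAMPLE_CONFIG = [
    "aaa new-model",
    "aaa authentication ppp default radius",
    "radius-server host 172.20.0.1 auth-port 1000 acct-port 1001",
    "radius-server host 172.20.0.1 auth-port 2000 acct-port 2000",
    "radius-server host 172.10.0.1 acct-port 0",
]

if __name__ == "__main__":
    hosts = parse_radius_hosts(SAMPLE_CONFIG)
    acct = service_targets(hosts, "acct")
    # Pretend the first accounting entry is down: the second entry on the same
    # server takes over, which is the backup behaviour the guidelines describe.
    down = {("172.20.0.1", 1001)}
    print(choose_server(acct, lambda tgt: tgt not in down))  # ('172.20.0.1', 2000)
```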

Related Commands

Command
Description

aaa group server

Groups different server hosts into distinct lists and distinct methods.

aaa new-model

Enables the AAA access control model.

radius-server host

Specifies a RADIUS server host.


server (TACACS+)

To configure the IP address of the TACACS+ server for the group server, use the server command in TACACS+ group server configuration mode. To remove the IP address of the TACACS+ server, use the no form of this command.

server ip-address

no server ip-address

Syntax Description

ip-address

IP address of the selected server.


Defaults

No default behavior or values.

Command Modes

TACACS+ group server configuration

Command History

Release
Modification

12.0(5)T

This command was introduced.


Usage Guidelines

You must configure the aaa group server tacacs command before configuring this command.

Enter the server command to specify the IP address of the TACACS+ server. Also configure a matching tacacs-server host entry in the global list. If there is no response from the first host entry, the next host entry is tried.

Examples

The following example shows server host entries configured for the TACACS+ server group g1:

aaa new-model
aaa authentication ppp default group g1
aaa group server tacacs+ g1
 server 1.0.0.1
 server 2.0.0.1
tacacs-server host 1.0.0.1 
tacacs-server host 2.0.0.1 

Related Commands

Command
Description

aaa new-model

Enables the AAA access control model.

aaa group server

Groups different server hosts into distinct lists and distinct methods.

tacacs-server host

Specifies a TACACS+ server host.


server-private (RADIUS)

To configure the IP address of the private RADIUS server for the group server, use the server-private command in server-group configuration mode. To remove the associated private server from the authentication, authorization, and accounting (AAA) group server, use the no form of this command.

server-private ip-address [auth-port port-number | acct-port port-number] [non-standard] [timeout seconds] [retransmit retries] [key string]

no server-private ip-address [auth-port port-number | acct-port port-number] [non-standard] [timeout seconds] [retransmit retries] [key string]

Syntax Description

ip-address

IP address of the private RADIUS server host.

auth-port port-number

(Optional) User Datagram Protocol (UDP) destination port for authentication requests. The default value is 1645.

acct-port port-number

(Optional) UDP destination port for accounting requests. The default value is 1646.

non-standard

(Optional) RADIUS server is using vendor-proprietary RADIUS attributes.

timeout seconds

(Optional) Time interval (in seconds) that the router waits for the RADIUS server to reply before retransmitting. This setting overrides the global value of the radius-server timeout command. If no timeout value is specified, the global value is used.

retransmit retries

(Optional) Number of times a RADIUS request is resent to a server, if that server is not responding or responding slowly. This setting overrides the global setting of the radius-server retransmit command.

key string

(Optional) Authentication and encryption key used between the router and the RADIUS daemon running on the RADIUS server. This key overrides the global setting of the radius-server key command. If no key string is specified, the global value is used.


Defaults

If server-private parameters are not specified, global configurations will be used; if global configurations are not specified, default values will be used.

Command Modes

Server-group configuration

Command History

Release
Modification

12.2(1)DX

This command was introduced on the Cisco 7200 series and Cisco 7401ASR.

12.2(2)DD

This command was integrated into Cisco IOS Release 12.2(2)DD.

12.2(4)B

This command was integrated into Cisco IOS Release 12.2(4)B.

12.2(13)T

This command was integrated into Cisco IOS Release 12.2(13)T.


Usage Guidelines

Use the server-private command to associate a particular private server with a defined server group. To prevent possible overlapping of private addresses between Virtual Route Forwardings (VRFs), private servers (servers with private addresses) can be defined within the server group and remain hidden from other groups, while the servers in the global pool (default "radius" server group) can still be referred to by IP addresses and port numbers. Thus, the list of servers in server groups includes references to the hosts in the global configuration and the definitions of private servers.

Examples

The following example shows how to define the sg_water RADIUS group server and associate private servers with it:

aaa group server radius sg_water
 server-private 10.1.1.1 timeout 5 retransmit 3 key coke
 server-private 10.2.2.2 timeout 5 retransmit 3 key coke

Related Commands

Command
Description

aaa group server

Groups different server hosts into distinct lists and distinct methods.

aaa new-model

Enables the AAA access control model.

radius-server host

Specifies a RADIUS server host.


service password-encryption

To encrypt passwords, use the service password-encryption command in global configuration mode. To restore the default, use the no form of this command.

service password-encryption

no service password-encryption

Syntax Description

This command has no arguments or keywords.

Defaults

No encryption

Command Modes

Global configuration

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

The actual encryption process occurs when the current configuration is written or when a password is configured. Password encryption is applied to all passwords, including username passwords, authentication key passwords, the privileged command password, console and virtual terminal line access passwords, and Border Gateway Protocol neighbor passwords. This command is primarily useful for keeping unauthorized individuals from viewing your password in your configuration file.

When password encryption is enabled, the encrypted form of the passwords is displayed when a more system:running-config command is entered.


Caution This command does not provide a high level of network security. If you use this command, you should also take additional network security measures.


Note You cannot recover a lost encrypted password. You must clear NVRAM and set a new password.
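As an added audit example (not Cisco code and not part of this reference), the following Python scan reads a saved configuration, finds the password-bearing lines the usage guidelines list (username, enable, line, key-string and BGP neighbor passwords), and reports which are still cleartext, which carry the reversible type 7 form that service password-encryption produces, and which use a one-way hash such as enable secret. The type-number classification is an assumption drawn from IOS configuration syntax rather than from this page, and the sample configuration is constructed.

```python
"""Audit of password storage in an IOS configuration.

Constructed illustration, not Cisco code. It scans the password-bearing lines the
usage guidelines list and classifies each as cleartext, type 7 (the reversible
encoding that service password-encryption applies) or a one-way hash (enable secret).
"""
import re
from collections import Counter

# (regex, label): the named group "type" captures the encryption-type digit when present.
PASSWORD_PATTERNS = [
    (re.compile(r"^\s*username\s+\S+.*\s(?:password|secret)\s+(?:(?P<type>\d)\s+)?\S+"), "username"),
    (re.compile(r"^\s*enable\s+(?:password|secret)\s+(?:(?P<type>\d)\s+)?\S+"), "enable"),
    (re.compile(r"^\s*password\s+(?:(?P<type>\d)\s+)?\S+"), "line"),
    (re.compile(r"^\s*key-string\s+(?:(?P<type>\d)\s+)?\S+"), "key-string"),
    (re.compile(r"^\s*neighbor\s+\S+\s+password\s+(?:(?P<type>\d)\s+)?\S+"), "bgp-neighbor"),
]


def classify(type_digit):
    """Map the configuration's encryption-type digit to a storage strength class."""
    if type_digit in (None, "0"):
        return "cleartext"
    if type_digit == "7":
        return "type7-reversible"         # what service password-encryption produces
    if type_digit in ("5", "8", "9"):
        return "hashed"
    return "unknown"


def audit_config(config_lines):
    """Return (findings, encryption_enabled).

    findings: (line_number, label, class, stripped line) for every password-bearing line;
    encryption_enabled: whether 'service password-encryption' is present.
    """
    findings = []
    encryption_enabled = False
    for number, line in enumerate(config_lines, start=1):
        if line.strip() == "service password-encryption":
            encryption_enabled = True
            continue
        for pattern, label in PASSWORD_PATTERNS:
            m = pattern.match(line)
            if m:
                findings.append((number, label, classify(m.group("type")), line.strip()))
                break
    return findings, encryption_enabled


def summarize(findings):
    """Count findings per class, e.g. {'cleartext': 2, 'type7-reversible': 1}."""
    return dict(Counter(cls for _, _, cls, _ in findings))


# Constructed sample configuration (placeholder values, not a real device).
SAMPLE_CONFIG = """\
hostname lab-router
enable secret 5 $1$EXAMPLE$placeholderhashvalue
enable password lab
username admin privilege 15 password 7 placeholder7string
username backup password 0 backup123
key chain rip-keys
 key 1
  key-string ripsecret
router bgp 65001
 neighbor 192.0.2.2 password bgpsecret
line vty 0 4
 password cisco
""".splitlines()

if __name__ == "__main__":
    findings, enabled = audit_config(SAMPLE_CONFIG)
    print("service password-encryption:", "on" if enabled else "OFF")
    for number, label, cls, text in findings:
        print(f"line {number:>3} [{cls:>16}] {label}: {text}")
    # Even with encryption on, type 7 only hides passwords from casual viewing of
    # the configuration file (see the Caution above); hashed secrets are stronger.
```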


Examples

The following example causes password encryption to take place:

service password-encryption

Related Commands

Command
Description

enable password

Sets a local password to control access to various privilege levels.

key-string (authentication)

Specifies the authentication string for a key.

neighbor password

Enables MD5 authentication on a TCP connection between two BGP peers.


set aggressive-mode client-endpoint

To specify the Tunnel-Client-Endpoint attribute within an Internet Security Association and Key Management Protocol (ISAKMP) peer configuration, use the set aggressive-mode client-endpoint command in ISAKMP policy configuration mode. To remove this attribute from your configuration, use the no form of this command.

set aggressive-mode client-endpoint client-endpoint

no set aggressive-mode client-endpoint client-endpoint

Syntax Description

client-endpoint

One of the following identification types of the initiator end of the tunnel:

ID_IPV4 (IPV4 address)

ID_FQDN (fully qualified domain name, for example "foo.cisco.com")

ID_USER_FQDN (e-mail address)

The ID type is translated to the corresponding ID type in Internet Key Exchange (IKE).


Defaults

The Tunnel-Client-Endpoint attribute is not defined.

Command Modes

ISAKMP policy configuration

Command History

Release
Modification

12.2(8)T

This command was introduced.


Usage Guidelines

Before you can use this command, you must enable the crypto isakmp peer command.

To initiate an IKE aggressive mode negotiation and specify the RADIUS Tunnel-Client-Endpoint attribute, the set aggressive-mode client-endpoint command, along with the set aggressive-mode password command, must be configured in the ISAKMP peer policy. The Tunnel-Client-Endpoint attribute will be communicated to the server by encoding it in the appropriate IKE identity payload.

Examples

The following example shows how to initiate aggressive mode using RADIUS tunnel attributes:

crypto isakmp peer address 4.4.4.1
 set aggressive-mode client-endpoint user-fqdn user@cisco.com
 set aggressive-mode password cisco123

Related Commands

Command
Description

crypto isakmp peer

Enables an IPSec peer for IKE querying of AAA for tunnel attributes in aggressive mode.

set aggressive-mode password

Specifies the Tunnel-Password attribute within an ISAKMP peer configuration.


set aggressive-mode password

To specify the Tunnel-Password attribute within an Internet Security Association and Key Management Protocol (ISAKMP) peer configuration, use the set aggressive-mode password command in ISAKMP policy configuration mode. To remove this attribute from your configuration, use the no form of this command.

set aggressive-mode password password

no set aggressive-mode password password

Syntax Description

password

Password that is used to authenticate the peer to a remote server. The tunnel password is used as the Internet Key Exchange (IKE) preshared key.


Defaults

The Tunnel-Password attribute is not defined.

Command Modes

ISAKMP policy configuration

Command History

Release
Modification

12.2(8)T

This command was introduced.


Usage Guidelines

Before you can use this command, you must enable the crypto isakmp peer command.

To initiate an IKE aggressive mode negotiation, the set aggressive-mode password command, along with the set aggressive-mode client-endpoint command, must be configured in the ISAKMP peer policy. The Tunnel-Password attribute will be used as the IKE preshared key for the aggressive mode negotiation.

Examples

The following example shows how to initiate aggressive mode using RADIUS tunnel attributes:

crypto isakmp peer address 4.4.4.1
 set aggressive-mode client-endpoint user-fqdn user@cisco.com
 set aggressive-mode password cisco123

Related Commands

Command
Description

crypto isakmp peer

Enables an IPSec peer for IKE querying of AAA for tunnel attributes in aggressive mode.

set aggressive-mode client-endpoint

Specifies the Tunnel-Client-Endpoint attribute within an ISAKMP peer configuration.


set isakmp-profile

To set the Internet Security Association and Key Management Protocol (ISAKMP) profile name, use the set isakmp-profile command in crypto map configuration mode. To remove the ISAKMP profile name, use the no form of this command.

set isakmp-profile profile-name

no set isakmp-profile profile-name

Syntax Description

profile-name

Name of the ISAKMP profile.


Defaults

If no ISAKMP profile is specified in the crypto map entry, the ISAKMP profile configured on the crypto map head (the crypto map set as a whole, rather than an individual entry) is used. If there is no ISAKMP profile on the head either, the default is "none."

Command Modes

Crypto map configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Usage Guidelines

This command specifies the ISAKMP profile to use when the Internet Key Exchange (IKE) exchange is started.

Before configuring an ISAKMP profile on a crypto map, you should set up the ISAKMP profile.

Examples

The following example shows that an ISAKMP profile has been configured on a crypto map:

crypto map vpnmap 10 ipsec-isakmp
 set isakmp-profile vpnprofile

Related Commands

Command
Description

crypto ipsec transform-set

Defines a transform set, which is an acceptable combination of security protocols and algorithms.

crypto map (global)

Creates or modifies a crypto map entry.


set peer (IPSec)

To specify an IP Security peer in a crypto map entry, use the set peer command in crypto map configuration mode. To remove an IPSec peer from a crypto map entry, use the no form of this command.

set peer {host-name | ip-address}

no set peer {host-name | ip-address}

Syntax Description

host-name

Specifies the IPSec peer by its host name. This is the peer's host name concatenated with its domain name (for example, myhost.example.com).

ip-address

Specifies the IPSec peer by its IP address.


Defaults

No peer is defined by default.

Command Modes

Crypto map configuration

Command History

Release
Modification

11.2

This command was introduced.


Usage Guidelines

Use this command to specify an IPSec peer for a crypto map.

This command is required for all static crypto maps. If you are defining a dynamic crypto map (with the crypto dynamic-map command), this command is not required, and in most cases is not used (because, in general, the peer is unknown).

For ipsec-isakmp crypto map entries, you can specify multiple peers by repeating this command. The peer that packets are actually sent to is determined by the last peer that the router heard from (received either traffic or a negotiation request from) for a given data flow. If the attempt fails with the first peer, Internet Key Exchange tries the next peer on the crypto map list.

For ipsec-manual crypto entries, you can specify only one IPSec peer per crypto map. If you want to change the peer, you must first delete the old peer and then specify the new peer.

You can specify the remote IPSec peer by its host name only if the host name is mapped to the peer's IP address in a Domain Name Server or if you manually map the host name to the IP address with the ip host command.

Examples

The following example shows a crypto map configuration when IKE will be used to establish the security associations. In this example, a security association could be set up to either the IPSec peer at 10.0.0.1 or the peer at 10.0.0.2.

crypto map mymap 10 ipsec-isakmp
 match address 101
 set transform-set my_t_set1
 set peer 10.0.0.1
 set peer 10.0.0.2

Related Commands

Command
Description

crypto dynamic-map

Creates a dynamic crypto map entry and enters the crypto map configuration command mode.

crypto map (global IPSec)

Creates or modifies a crypto map entry and enters the crypto map configuration mode.

crypto map (interface IPSec)

Applies a previously defined crypto map set to an interface.

crypto map local-address

Specifies and names an identifying interface to be used by the crypto map for IPSec traffic.

match address (IPSec)

Specifies an extended access list for a crypto map entry.

set pfs

Specifies that IPSec should ask for PFS when requesting new security associations for this crypto map entry, or that IPSec requires PFS when receiving requests for new security associations.

set security-association level per-host

Specifies that separate IPSec security associations should be requested for each source/destination host pair.

set security-association lifetime

Overrides (for a particular crypto map entry) the global lifetime value, which is used when negotiating IPSec security associations.

set session-key

Specifies the IPSec session keys within a crypto map entry.

set transform-set

Specifies which transform sets can be used with the crypto map entry.

show crypto map (IPSec)

Displays the crypto map configuration.


set pfs

To specify that IP Security (IPSec) should ask for perfect forward secrecy (PFS) when requesting new security associations for this crypto map entry, or that IPSec requires PFS when receiving requests for new security associations, use the set pfs command in crypto map configuration mode. To specify that IPSec should not request PFS, use the no form of this command.

set pfs [group1 | group2]

no set pfs

Syntax Description

group1

(Optional) Specifies that IPSec should use the 768-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange.

group2

(Optional) Specifies that IPSec should use the 1024-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange.


Defaults

By default, PFS is not requested. If no group is specified with this command, group1 is used as the default.

Command Modes

Crypto map configuration

Command History

Release
Modification

11.3 T

This command was introduced.


Usage Guidelines

This command is only available for ipsec-isakmp crypto map entries and dynamic crypto map entries.

During negotiation, this command causes IPSec to request PFS when requesting new security associations for the crypto map entry. The default (group1) is sent if the set pfs statement does not specify a group. If the peer initiates the negotiation and the local co