Table Of Contents
reverse-route
root
root CEP
root PROXY
root TFTP
rsakeypair
rsa-pubkey
security authentication failure rate
security passwords min-length
self-identity
serial-number (ca-trustpoint)
serial-number (pubkey)
server (RADIUS)
server (TACACS+)
server-private (RADIUS)
service password-encryption
set aggressive-mode client-endpoint
set aggressive-mode password
set isakmp-profile
set peer (IPSec)
set pfs
set security-association level per-host
set security-association lifetime
set session-key
set transform-set
show aaa attributes
show aaa cache filterserver
show aaa server-private
show aaa user
show accounting
show auto secure config
show crypto ca certificates
show crypto ca crls
show crypto ca roots
show crypto ca timers
show crypto ca trustpoints
show crypto dynamic-map
show crypto eng qos
show crypto engine accelerator logs
show crypto engine accelerator ring
show crypto engine accelerator sa-database
show crypto engine accelerator statistic
show crypto ipsec client ezvpn
show crypto ipsec sa
show crypto ipsec security-association lifetime
show crypto ipsec transform-set
show crypto isakmp key
show crypto isakmp policy
show crypto isakmp profile
show crypto isakmp sa
reverse-route
To create source proxy information for a crypto map entry, use the reverse-route command in crypto map configuration mode. To remove the source proxy information from a crypto map entry, use the no form of this command.
reverse-route [remote-peer [ip-address]]
no reverse-route [remote-peer [ip-address]]
Syntax Description
remote-peer | (Optional) Routes of public IP addresses and IP security (IPSec) tunnel destination addresses are inserted into the routing table.
ip-address | (Optional) IP address of the next hop destination.
Defaults
No default behavior or values.
Command Modes
Crypto map configuration
Command History
Release | Modification
12.1(9)E | This command was introduced.
12.2(8)T | This command was integrated into Cisco IOS Release 12.2(8)T.
12.2(11)T | This command was implemented on the Cisco AS5300 and Cisco AS5800 platforms.
12.2(13)T | The remote-peer keyword was added.
12.3 | The ip-address argument was added.
Usage Guidelines
This command can be applied on a per-crypto map basis.
Reverse route injection (RRI) provides a scalable mechanism to dynamically learn and advertise the IP addresses and subnets that belong to a remote site that connects through an IP Security (IPSec) virtual private network (VPN) tunnel.
When enabled in an IPSec crypto map, RRI will learn all the subnets from any network that is defined in the crypto access control list (ACL) as the destination network. The learned routes are installed into the local routing table as static routes that point to the encrypted interface. When the IPSec tunnel is torn down, the associated static routes will be removed. These static routes may then be redistributed into other dynamic routing protocols so that they can be advertised to other parts of the network (usually done by redistributing RRI routes into dynamic routing protocols on the core side).
Examples
The following example shows how all remote VPN gateways connect to the router via 192.168.0.3:
crypto map mymap 1 ipsec-isakmp
 reverse-route remote-peer 192.168.0.3
 set transform-set esp-3des-sha
 match address 102
interface FastEthernet 0/0
 ip address 192.168.0.2 255.255.255.0
 ! standby (HSRP) configuration for group1 not shown
 crypto map mymap redundancy group1
access-list 102 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.255.255
Related Commands
Command | Description
crypto map (global IPSec) | Creates or modifies a crypto map entry and enters the crypto map configuration mode.
crypto map local-address | Specifies and names an identifying interface to be used by the crypto map for IPSec traffic.
show crypto map (IPSec) | Displays the crypto map configuration.
root
To obtain the certification authority (CA) certificate via TFTP, use the root command in ca-trustpoint configuration mode. To deconfigure the CA, use the no form of this command.
root tftp server-hostname filename
no root tftp server-hostname filename
Syntax Description
tftp | Defines the TFTP protocol to get the root certificate.
server-hostname filename | Specifies a name for the server and a name for the file that will store the trustpoint CA.
Defaults
A CA certificate is not configured.
Command Modes
Ca-trustpoint configuration
Command History
Release | Modification
12.2(8)T | This command was introduced.
Usage Guidelines
This command allows you to access the CA via the TFTP protocol, which is used to obtain the CA certificate. You configure a CA certificate so that your router can verify certificates issued to peers; thus, your router does not have to enroll with the CA that issued the certificates to the peers.
Before you can configure this command, you must enable the crypto ca trustpoint command, which puts you in ca-trustpoint configuration mode.
Note
The crypto ca trustpoint command deprecates the crypto ca identity and crypto ca trusted-root commands and all related subcommands (all ca-identity and trusted-root configuration mode commands). If you enter a ca-identity or trusted-root subcommand, the configuration mode and command will be written back as ca-trustpoint.
Examples
The following example shows how to configure the CA certificate named "bar" using TFTP:
Related Commands
Command | Description
crypto ca trustpoint | Declares the CA that your router should use.
root CEP
The crypto ca trustpoint command deprecates the crypto ca trusted-root command and all related subcommands (all trusted-root configuration mode commands). If you enter a trusted-root subcommand, the configuration mode and command will be written back as ca-trustpoint.
root PROXY
The root PROXY command is replaced by the enrollment http-proxy command. See the enrollment http-proxy command for more information.
root TFTP
The root TFTP command is replaced by the root command. See the root command for more information.
rsakeypair
To specify which key pair to associate with the certificate, use the rsakeypair command in ca-trustpoint configuration mode.
rsakeypair key-label [key-size [encryption-key-size]]
Syntax Description
key-label | Name of the key pair, which is generated during enrollment if it does not already exist or if the auto-enroll regenerate command is configured.
key-size | (Optional) Size of the desired Rivest, Shamir, Adleman (RSA) key. If not specified, the existing key size is used.
encryption-key-size | (Optional) Size of the second key, which is used to request separate encryption, signature keys, and certificates.
Defaults
The fully qualified domain name (FQDN) key is used.
Command Modes
Ca-trustpoint configuration
Command History
Release | Modification
12.2(8)T | This command was introduced.
Usage Guidelines
When you regenerate a key pair, you are responsible for reenrolling the identities associated with the key pair. Use the rsakeypair command to refer back to the named key pair.
Examples
The following example is a sample trustpoint configuration that specifies the RSA key pair "exampleCAkeys":
crypto ca trustpoint exampleCAkeys
 enrollment url http://exampleCAkeys/certsrv/mscep/mscep.dll
 rsakeypair exampleCAkeys 1024 1024
Related Commands
Command | Description
auto-enroll | Enables autoenrollment.
crl | Generates RSA key pairs.
crypto ca trustpoint | Declares the CA that your router should use.
rsa-pubkey
To define the Rivest, Shamir, and Adleman (RSA) manual key to be used for encryption or signature during Internet Key Exchange (IKE) authentication, use the rsa-pubkey command in keyring configuration mode. To remove the manual key that was defined, use the no form of this command.
rsa-pubkey {address address | name fqdn} [encryption | signature]
no rsa-pubkey {address address | name fqdn} [encryption | signature]
Syntax Description
address address | IP address of the remote peer.
name fqdn | Fully qualified domain name (FQDN) of the peer.
encryption | (Optional) The manual key is to be used for encryption.
signature | (Optional) The manual key is to be used for signature.
Defaults
No default behavior or values
Command Modes
Keyring configuration
Command History
Release | Modification
12.2(15)T | This command was introduced.
Usage Guidelines
Use this command to enter public key chain configuration mode. Use this command when you need to manually specify RSA public keys of other IP Security (IPSec) peers. You need to specify the keys of other peers when you configure RSA encrypted nonces as the authentication method in an IKE policy at your peer router.
Examples
The following example shows that the RSA public key of an IPSec peer has been specified:
Router(config)# crypto keyring vpnkeyring
Router(conf-keyring)# rsa-pubkey name host.vpn.com
Router(config-pubkey-key)# address 10.5.5.1
Router(config-pubkey)# key-string
Router(config-pubkey)# 00302017 4A7D385B 1234EF29 335FC973
Router(config-pubkey)# 2DD50A37 C4F4B0FD 9DADE748 429618D5
Router(config-pubkey)# 18242BA3 2EDFBDD3 4296142A DDF7D3D8
Router(config-pubkey)# 08407685 2F2190A0 0B43F1BD 9A8A26DB
Router(config-pubkey)# 07953829 791FCDE9 A98420F0 6A82045B
Router(config-pubkey)# 90288A26 DBC64468 7789F76E EE21
Router(config-pubkey)# quit
Router(config-pubkey-key)# exit
Router(conf-keyring)# exit
security authentication failure rate
To configure the number of allowable unsuccessful login attempts, use the security authentication failure rate command in global configuration mode. To disable this functionality, use the no form of this command.
security authentication failure rate threshold-rate log
no security authentication failure rate threshold-rate log
Syntax Description
threshold-rate | Number of allowable unsuccessful login attempts. The valid value range for the threshold-rate argument is 2 to 1024. The default is 10.
log | Syslog authentication failures if the rate exceeds the threshold.
Defaults
The default number of failed login attempts before a 15-second delay is 10.
Command Modes
Global configuration
Command History
Release | Modification
12.3(1) | This command was introduced.
12.2(27)SBC | This command was integrated into Cisco IOS Release 12.2(27)SBC.
12.3(7)T | The range of the threshold-rate value was changed from 1 through 1024 to 2 through 1024.
Usage Guidelines
The security authentication failure rate command provides enhanced security access to the router by generating syslog messages after the number of unsuccessful login attempts exceeds the configured threshold rate. This command ensures that there are not any continuous failures to access the router.
Note
Before Cisco IOS Release 12.3(7)T, the threshold-rate value range was 1 through 1024. Unsuccessful login attempts will not be logged if a value of 1 is configured. As of Cisco IOS Release 12.3(7)T, use a value between 2 and 1024.
Examples
The following example shows how to configure your router to generate a syslog message after eight failed login attempts:
security authentication failure rate 8 log
Related Commands
Command | Description
security passwords min-length | Ensures that all configured passwords are at least a specified length.
security passwords min-length
To ensure that all configured passwords are at least a specified length, use the security passwords min-length command in global configuration mode. To disable this functionality, use the no form of this command.
security passwords min-length length
no security passwords min-length length
Syntax Description
length | Minimum length of a configured password. The default is six characters.
Defaults
Six characters
Command Modes
Global configuration
Command History
Release | Modification
12.3(1) | This command was introduced.
Usage Guidelines
The security passwords min-length command provides enhanced security access to the router by allowing you to specify a minimum password length, eliminating common passwords that are prevalent on most networks, such as "lab" and "cisco." This command affects user passwords, enable passwords and secrets, and line passwords. After this command is enabled, any password that is less than the specified length will fail.
Examples
The following example shows both how to specify a minimum password length of six characters and what happens when the password does not adhere to the minimum length:
security passwords min-length 6
% Password too short - must be at least 6 characters. Password not configured.
Related Commands
Command | Description
enable password | Sets a local password to control access to various privilege levels.
security authentication failure rate | Configures the number of allowable unsuccessful login attempts.
self-identity
To define the identity that the local Internet Key Exchange (IKE) uses to identify itself to the remote peer, use the self-identity command in ISAKMP profile configuration mode. To remove the Internet Security Association and Key Management Protocol (ISAKMP) identity that was defined for the IKE, use the no form of this command.
self-identity {address | fqdn | user-fqdn user-fqdn}
no self-identity {address | fqdn | user-fqdn user-fqdn}
Syntax Description
address | The IP address of the local endpoint.
fqdn | The fully qualified domain name (FQDN) of the host.
user-fqdn user-fqdn | The user FQDN that is sent to the remote endpoint.
Defaults
If no ISAKMP identity is defined in the ISAKMP profile configuration, global configuration is the default.
Command Modes
ISAKMP profile configuration
Command History
Release | Modification
12.2(15)T | This command was introduced.
Examples
The following example shows that the IKE identity is the user FQDN "user@vpn.com":
crypto isakmp profile vpnprofile
 self-identity user-fqdn user@vpn.com
serial-number (ca-trustpoint)
To specify whether the router serial number should be included in the certificate request, use the serial-number command in ca-trustpoint configuration mode. To restore the default behavior, use the no form of this command.
serial-number [none]
no serial-number
Syntax Description
none | (Optional) Specifies that a serial number will not be included in the certificate request.
Defaults
Not configured. You will be prompted for the serial number during certificate enrollment.
Command Modes
Ca-trustpoint configuration
Command History
Release | Modification
12.2(8)T | This command was introduced.
Usage Guidelines
Before you can issue the serial-number command, you must enable the crypto ca trustpoint command, which declares the certification authority (CA) that your router should use and enters ca-trustpoint configuration mode.
Use this command to specify the router serial number in the certificate request, or use the none keyword to specify that a serial number should not be included in the certificate request.
Examples
The following example shows how to include the router serial number in the "root" certificate request:
crypto ca trustpoint root
 enrollment url http://10.3.0.7:80
 serial-number
 subject-name CN=jack, OU=PKI, O=Cisco Systems, C=US
The following example shows how to specify that the router will not prompt for the serial number during enrollment:
crypto ca trustpoint root
 enrollment url http://10.3.0.7:80
 serial-number none
Related Commands
Command | Description
crypto ca trustpoint | Declares the CA that your router should use.
serial-number (pubkey)
To define the serial number for the Rivest, Shamir, and Adleman (RSA) manual key to be used for encryption or signatures during Internet Key Exchange (IKE) authentication, use the serial-number command in pubkey configuration mode. To remove the manual key that was defined, use the no form of this command.
serial-number serial-number
no serial-number serial-number
Syntax Description
serial-number | Device serial number. The value is from 0 through infinity.
Defaults
No default behavior or values
Command Modes
Pubkey configuration
Command History
Release | Modification
12.2(15)T | This command was introduced.
Examples
The following example shows that the public key of an IP Security (IPSec) peer has been specified:
Router(config)# crypto keyring vpnkeyring
Router(conf-keyring)# rsa-pubkey name host.vpn.com
Router(config-pubkey-key)# address 10.5.5.1
Router(config-pubkey-key)# serial-number 1000000
Router(config-pubkey)# key-string
Router(config-pubkey)# 00302017 4A7D385B 1234EF29 335FC973
Router(config-pubkey)# 2DD50A37 C4F4B0FD 9DADE748 429618D5
Router(config-pubkey)# 18242BA3 2EDFBDD3 4296142A DDF7D3D8
Router(config-pubkey)# 08407685 2F2190A0 0B43F1BD 9A8A26DB
Router(config-pubkey)# 07953829 791FCDE9 A98420F0 6A82045B
Router(config-pubkey)# 90288A26 DBC64468 7789F76E EE21
Router(config-pubkey)# quit
Router(config-pubkey-key)# exit
Router(conf-keyring)# exit
Related Commands
Command | Description
address | Specifies the IP address of the remote RSA public key of the remote peer that you will manually configure.
key-string (IKE) | Specifies the RSA public key of a remote peer.
server (RADIUS)
To configure the IP address of the RADIUS server for the group server, use the server command in server-group configuration mode. To remove the associated server from the authentication, authorization, and accounting (AAA) group server, use the no form of this command.
server ip-address [auth-port port-number] [acct-port port-number]
no server ip-address [auth-port port-number] [acct-port port-number]
Syntax Description
ip-address | IP address of the RADIUS server host.
auth-port port-number | (Optional) Specifies the User Datagram Protocol (UDP) destination port for authentication requests. The port-number argument specifies the port number for authentication requests. The host is not used for authentication if this value is set to 0.
acct-port port-number | (Optional) Specifies the UDP destination port for accounting requests. The port-number argument specifies the port number for accounting requests. The host is not used for accounting services if this value is set to 0.
Defaults
If no port attributes are defined, the defaults are as follows:
• Authentication port: 1645
• Accounting port: 1646
Command Modes
Server-group configuration
Command History
Release | Modification
12.0(5)T | This command was introduced.
12.0(7)T | The auth-port port-number and acct-port port-number keywords/arguments were added.
Usage Guidelines
Use the server command to associate a particular server with a defined group server. There are two different ways in which you can identify a server, depending on the way you want to offer AAA services. You can identify the server simply by using its IP address, or you can identify multiple host instances or entries using the optional auth-port and acct-port keywords.
When you use the optional keywords, the network access server identifies RADIUS security servers and host instances associated with a group server on the basis of their IP address and specific UDP port numbers. The combination of the IP address and UDP port number creates a unique identifier, allowing different ports to be individually defined as RADIUS host entries providing a specific AAA service. If two different host entries on the same RADIUS server are configured for the same service—for example, accounting—the second host entry configured acts as failover backup to the first one. Using this example, if the first host entry fails to provide accounting services, the network access server will try the second host entry configured on the same device for accounting services. (The RADIUS host entries will be tried in the order they are configured.)
Examples
Configuring Multiple Entries for the Same Server IP Address
The following example shows the network access server configured to recognize several RADIUS host entries with the same IP address. Two different host entries on the same RADIUS server are configured for the same services—authentication and accounting. The second host entry configured acts as fail-over backup to the first one. (The RADIUS host entries are tried in the order in which they are configured.)
! This command enables AAA.
aaa new-model
! The next command configures default RADIUS parameters.
aaa authentication ppp default radius
! The next set of commands configures multiple host entries for the same IP address.
radius-server host 172.20.0.1 auth-port 1000 acct-port 1001
radius-server host 172.20.0.1 auth-port 2000 acct-port 2000
Configuring Multiple Entries Using AAA Group Servers
In this example, the network access server is configured to recognize two different RADIUS group servers. One of these groups, group1, has two different host entries on the same RADIUS server configured for the same services. The second host entry configured acts as failover backup to the first one.
! This command enables AAA.
aaa new-model
! The next command configures default RADIUS parameters.
aaa authentication ppp default group group1
! The following commands define the group1 RADIUS group server and associate servers
! with it.
aaa group server radius group1
 server 172.20.0.1 auth-port 1000 acct-port 1001
! The following commands define the group2 RADIUS group server and associate servers
! with it.
aaa group server radius group2
 server 172.20.0.1 auth-port 2000 acct-port 2001
! The following set of commands configures the RADIUS attributes for each host entry
! associated with one of the defined group servers.
radius-server host 172.20.0.1 auth-port 1000 acct-port 1001
radius-server host 172.20.0.1 auth-port 2000 acct-port 2001
radius-server host 172.10.0.1 auth-port 1645 acct-port 1646
Related Commands
Command | Description
aaa group server | Groups different server hosts into distinct lists and distinct methods.
aaa new-model | Enables the AAA access control model.
radius-server host | Specifies a RADIUS server host.
server (TACACS+)
To configure the IP address of the TACACS+ server for the group server, use the server command in TACACS+ group server configuration mode. To remove the IP address of the TACACS+ server, use the no form of this command.
server ip-address
no server ip-address
Syntax Description
ip-address | IP address of the selected server.
Defaults
No default behavior or values.
Command Modes
TACACS+ group server configuration
Command History
Release | Modification
12.0(5)T | This command was introduced.
Usage Guidelines
You must configure the aaa group server tacacs command before configuring this command.
Enter the server command to specify the IP address of the TACACS+ server. Also configure a matching tacacs-server host entry in the global list. If there is no response from the first host entry, the next host entry is tried.
Examples
The following example shows server host entries configured for the TACACS+ server group g1:
aaa authentication ppp default group g1
aaa group server tacacs+ g1
 server 1.0.0.1
 server 2.0.0.1
tacacs-server host 1.0.0.1
tacacs-server host 2.0.0.1
Related Commands
Command | Description
aaa new-model | Enables the AAA access control model.
aaa group server | Groups different server hosts into distinct lists and distinct methods.
tacacs-server host | Specifies a TACACS+ server host.
server-private (RADIUS)
To configure the IP address of the private RADIUS server for the group server, use the server-private command in server-group configuration mode. To remove the associated private server from the authentication, authorization, and accounting (AAA) group server, use the no form of this command.
server-private ip-address [auth-port port-number | acct-port port-number] [non-standard] [timeout seconds] [retransmit retries] [key string]
no server-private ip-address [auth-port port-number | acct-port port-number] [non-standard] [timeout seconds] [retransmit retries] [key string]
Syntax Description
ip-address | IP address of the private RADIUS server host.
auth-port port-number | (Optional) User Datagram Protocol (UDP) destination port for authentication requests. The default value is 1645.
acct-port port-number | (Optional) UDP destination port for accounting requests. The default value is 1646.
non-standard | (Optional) RADIUS server is using vendor-proprietary RADIUS attributes.
timeout seconds | (Optional) Time interval (in seconds) that the router waits for the RADIUS server to reply before retransmitting. This setting overrides the global value of the radius-server timeout command. If no timeout value is specified, the global value is used.
retransmit retries | (Optional) Number of times a RADIUS request is resent to a server, if that server is not responding or responding slowly. This setting overrides the global setting of the radius-server retransmit command.
key string | (Optional) Authentication and encryption key used between the router and the RADIUS daemon running on the RADIUS server. This key overrides the global setting of the radius-server key command. If no key string is specified, the global value is used.
Defaults
If server-private parameters are not specified, global configurations will be used; if global configurations are not specified, default values will be used.
Command Modes
Server-group configuration
Command History
Release | Modification
12.2(1)DX | This command was introduced on the Cisco 7200 series and Cisco 7401ASR.
12.2(2)DD | This command was integrated into Cisco IOS Release 12.2(2)DD.
12.2(4)B | This command was integrated into Cisco IOS Release 12.2(4)B.
12.2(13)T | This command was integrated into Cisco IOS Release 12.2(13)T.
Usage Guidelines
Use the server-private command to associate a particular private server with a defined server group. To prevent possible overlap of private addresses between virtual routing and forwarding (VRF) instances, private servers (servers with private addresses) can be defined within the server group and remain hidden from other groups, while the servers in the global pool (the default "radius" server group) can still be referred to by IP address and port number. Thus, the list of servers in a server group includes both references to hosts in the global configuration and definitions of private servers.
Examples
The following example shows how to define the sg_water RADIUS group server and associate private servers with it:
aaa group server radius sg_water
 server-private 10.1.1.1 timeout 5 retransmit 3 key coke
 server-private 10.2.2.2 timeout 5 retransmit 3 key coke
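The following Python model is an added example (not Cisco IOS code) covering the host-identification and failover rules in the server (RADIUS) usage guidelines together with the private-server visibility rule described for server-private: entries are identified by IP address plus UDP ports, tried in configured order, disabled for a service when its port is 0, and private servers are visible only in their own group. The group1/group2 and sg_water entries come from the examples above; the 10.3.3.3 entry, the group_other reference, and the rule that an unmatched plain server reference is unusable are this example's own assumptions.

```python
"""Model of how a Cisco IOS RADIUS server group resolves to a failover list.

Added example, not Cisco IOS code. It models the rules stated for the
server and server-private commands: a host entry is identified by IP
address plus UDP ports, entries are tried in configured order, a port of 0
means the entry is not used for that service, and a private server is
visible only inside the group that defines it. Treating a plain 'server'
reference with no matching global 'radius-server host' as unusable is a
modelling assumption, not documented IOS behaviour.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

AUTH_PORT_DEFAULT = 1645   # documented defaults when no port is given
ACCT_PORT_DEFAULT = 1646


@dataclass(frozen=True)
class HostEntry:
    ip: str
    auth_port: int = AUTH_PORT_DEFAULT
    acct_port: int = ACCT_PORT_DEFAULT
    key: Optional[str] = None          # server-private 'key string'
    private_to: Optional[str] = None   # group name when defined with server-private

    def serves(self, service: str) -> bool:
        """Port 0 disables the entry for that service ('auth' or 'acct')."""
        port = self.auth_port if service == "auth" else self.acct_port
        return port != 0


@dataclass
class AaaConfig:
    # global pool: radius-server host ... (the default "radius" group)
    global_hosts: List[HostEntry] = field(default_factory=list)
    # aaa group server radius <name>: ordered member list
    groups: Dict[str, List[HostEntry]] = field(default_factory=dict)

    def radius_server_host(self, ip, auth_port=AUTH_PORT_DEFAULT,
                           acct_port=ACCT_PORT_DEFAULT):
        """'radius-server host': IP address plus ports form the unique identifier."""
        entry = HostEntry(ip, auth_port, acct_port)
        if entry not in self.global_hosts:
            self.global_hosts.append(entry)

    def server(self, group, ip, auth_port=AUTH_PORT_DEFAULT,
               acct_port=ACCT_PORT_DEFAULT):
        """'server' in server-group mode: reference a global host entry."""
        self.groups.setdefault(group, []).append(HostEntry(ip, auth_port, acct_port))

    def server_private(self, group, ip, auth_port=AUTH_PORT_DEFAULT,
                       acct_port=ACCT_PORT_DEFAULT, key=None):
        """'server-private': define a host that exists only inside this group."""
        self.groups.setdefault(group, []).append(
            HostEntry(ip, auth_port, acct_port, key, private_to=group))

    def resolve(self, ref: HostEntry) -> Optional[HostEntry]:
        """A private member resolves to itself; a plain reference must match a
        global host with the same IP and ports (assumption: otherwise unusable)."""
        if ref.private_to is not None:
            return ref
        for host in self.global_hosts:
            if (host.ip, host.auth_port, host.acct_port) == (ref.ip, ref.auth_port, ref.acct_port):
                return host
        return None

    def failover_list(self, group: str, service: str) -> List[HostEntry]:
        """Hosts the NAS would try, in configured order, for 'auth' or 'acct'."""
        result = []
        for ref in self.groups.get(group, []):
            host = self.resolve(ref)
            if host is not None and host.serves(service):
                result.append(host)
        return result


def build_example_config() -> AaaConfig:
    """The group1/group2 and sg_water examples from the page, plus a constructed
    private entry with acct-port 0 and a constructed group_other reference."""
    cfg = AaaConfig()
    cfg.server("group1", "172.20.0.1", 1000, 1001)
    cfg.server("group2", "172.20.0.1", 2000, 2001)
    cfg.radius_server_host("172.20.0.1", 1000, 1001)
    cfg.radius_server_host("172.20.0.1", 2000, 2001)
    cfg.radius_server_host("172.10.0.1")
    cfg.server_private("sg_water", "10.1.1.1", key="coke")
    cfg.server_private("sg_water", "10.2.2.2", key="coke")
    cfg.server_private("sg_water", "10.3.3.3", acct_port=0, key="coke")  # constructed
    # group_other references 10.1.1.1 the plain way: sg_water's private server
    # is hidden from it and there is no global host, so nothing is reachable.
    cfg.server("group_other", "10.1.1.1")
    return cfg


if __name__ == "__main__":
    cfg = build_example_config()
    for grp in ("group1", "group2", "sg_water", "group_other"):
        hosts = cfg.failover_list(grp, "acct")
        print(grp, [(h.ip, h.acct_port) for h in hosts])
```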
Related Commands
Command | Description
aaa group server | Groups different server hosts into distinct lists and distinct methods.
aaa new-model | Enables the AAA access control model.
radius-server host | Specifies a RADIUS server host.
service password-encryption
To encrypt passwords, use the service password-encryption command in global configuration mode. To restore the default, use the no form of this command.
service password-encryption
no service password-encryption
Syntax Description
This command has no arguments or keywords.
Defaults
No encryption
Command Modes
Global configuration
Command History
Release | Modification
10.0 | This command was introduced.
Usage Guidelines
The actual encryption process occurs when the current configuration is written or when a password is configured. Password encryption is applied to all passwords, including username passwords, authentication key passwords, the privileged command password, console and virtual terminal line access passwords, and Border Gateway Protocol neighbor passwords. This command is primarily useful for keeping unauthorized individuals from viewing your password in your configuration file.
When password encryption is enabled, the encrypted form of the passwords is displayed when a more system:running-config command is entered.
Caution 
This command does not provide a high level of network security. If you use this command, you should also take additional network security measures.
Note
You cannot recover a lost encrypted password. You must clear NVRAM and set a new password.
Examples
The following example causes password encryption to take place:
service password-encryption
Related Commands
Command | Description
enable password | Sets a local password to control access to various privilege levels.
key-string (authentication) | Specifies the authentication string for a key.
neighbor password | Enables MD5 authentication on a TCP connection between two BGP peers.
set aggressive-mode client-endpoint
To specify the Tunnel-Client-Endpoint attribute within an Internet Security Association Key Management Protocol (ISAKMP) peer configuration, use the set aggressive-mode client-endpoint command in ISAKMP policy configuration mode. To remove this attribute from your configuration, use the no form of this command.
set aggressive-mode client-endpoint client-endpoint
no set aggressive-mode client-endpoint client-endpoint
Syntax Description
client-endpoint | One of the following identification types of the initiator end of the tunnel: ID_IPV4 (IPv4 address), ID_FQDN (fully qualified domain name, for example "foo.cisco.com"), or ID_USER_FQDN (e-mail address). The ID type is translated to the corresponding ID type in Internet Key Exchange (IKE).
Defaults
The Tunnel-Client-Endpoint attribute is not defined.
Command Modes
ISAKMP policy configuration
Command History
Release | Modification
12.2(8)T | This command was introduced.
Usage Guidelines
Before you can use this command, you must enable the crypto isakmp peer command.
To initiate an IKE aggressive mode negotiation and specify the RADIUS Tunnel-Client-Endpoint attribute, the set aggressive-mode client-endpoint command, along with the set aggressive-mode password command, must be configured in the ISAKMP peer policy. The Tunnel-Client-Endpoint attribute will be communicated to the server by encoding it in the appropriate IKE identity payload.
Examples
The following example shows how to initiate aggressive mode using RADIUS tunnel attributes:
crypto isakmp peer address 4.4.4.1
 set aggressive-mode client-endpoint user-fqdn user@cisco.com
 set aggressive-mode password cisco123
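The usage guidelines above say the Tunnel-Client-Endpoint is encoded in the IKE identity payload, and the self-identity command earlier selects the same ID types. As an added example (not Cisco IOS code), the following Python builds and decodes that ISAKMP Identification payload per RFC 2408 and the IPsec DOI ID types of RFC 2407, with the user-fqdn identity user@cisco.com from the example above; the `KEYWORD_TO_ID_TYPE` mapping from IOS keywords to DOI types is this example's own.

```python
"""Build and decode the ISAKMP Identification payload that carries the
IKE identity sent in an aggressive mode exchange.

Added example, not Cisco IOS code. It follows the generic payload header
and Identification payload of RFC 2408 and the IPsec DOI identification
types of RFC 2407, which are what the self-identity keywords (address,
fqdn, user-fqdn) and the Tunnel-Client-Endpoint ID types map onto.
"""
import ipaddress
import struct

# IPsec DOI identification types (RFC 2407 section 4.6.2.1)
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_USER_FQDN = 3

# Next-payload value meaning "no further payload" (RFC 2408 section 3.1)
NEXT_PAYLOAD_NONE = 0

# IOS keyword -> DOI ID type (this example's own mapping)
KEYWORD_TO_ID_TYPE = {"address": ID_IPV4_ADDR, "fqdn": ID_FQDN, "user-fqdn": ID_USER_FQDN}


def encode_id_data(id_type: int, value: str) -> bytes:
    """Identification Data field for the given ID type."""
    if id_type == ID_IPV4_ADDR:
        return ipaddress.IPv4Address(value).packed
    if id_type in (ID_FQDN, ID_USER_FQDN):
        if not value or (id_type == ID_USER_FQDN and "@" not in value):
            raise ValueError(f"malformed identity {value!r} for ID type {id_type}")
        return value.encode("ascii")    # no terminator (RFC 2407)
    raise ValueError(f"unsupported ID type {id_type}")


def build_id_payload(keyword: str, value: str, protocol_id: int = 0, port: int = 0,
                     next_payload: int = NEXT_PAYLOAD_NONE) -> bytes:
    """Generic header (next, reserved, length) + ID type, protocol, port + data.

    Protocol ID and port of 0 mean "any", which is what a Phase 1 identity uses.
    """
    id_type = KEYWORD_TO_ID_TYPE[keyword]
    data = encode_id_data(id_type, value)
    length = 4 + 4 + len(data)
    if length > 0xFFFF:
        raise ValueError("identity too long for a 16-bit payload length")
    return (struct.pack("!BBH", next_payload, 0, length)
            + struct.pack("!BBH", id_type, protocol_id, port)
            + data)


def parse_id_payload(buf: bytes) -> dict:
    """Decode one Identification payload, refusing inconsistent lengths.

    The receiving side must bound the advertised payload length by the
    buffer it actually holds before slicing the identity out of it.
    """
    if len(buf) < 8:
        raise ValueError("buffer shorter than an Identification payload header")
    next_payload, reserved, length = struct.unpack("!BBH", buf[:4])
    if reserved != 0:
        raise ValueError("reserved byte must be zero")
    if length < 8 or length > len(buf):
        raise ValueError(f"payload length {length} inconsistent with buffer")
    id_type, protocol_id, port = struct.unpack("!BBH", buf[4:8])
    data = buf[8:length]
    if id_type == ID_IPV4_ADDR:
        if len(data) != 4:
            raise ValueError("ID_IPV4_ADDR data must be 4 bytes")
        identity = str(ipaddress.IPv4Address(data))
    elif id_type in (ID_FQDN, ID_USER_FQDN):
        identity = data.decode("ascii")
    else:
        raise ValueError(f"unsupported ID type {id_type}")
    return {"next_payload": next_payload, "length": length, "id_type": id_type,
            "protocol_id": protocol_id, "port": port, "identity": identity}


if __name__ == "__main__":
    # What 'set aggressive-mode client-endpoint user-fqdn user@cisco.com' sends.
    payload = build_id_payload("user-fqdn", "user@cisco.com")
    print(payload.hex())
    print(parse_id_payload(payload))
```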
Related Commands
Command | Description
crypto isakmp peer | Enables an IPSec peer for IKE querying of AAA for tunnel attributes in aggressive mode.
set aggressive-mode password | Specifies the Tunnel-Password attribute within an ISAKMP peer configuration.
set aggressive-mode password
To specify the Tunnel-Password attribute within an Internet Security Association Key Management Protocol (ISAKMP) peer configuration, use the set aggressive-mode password command in ISAKMP policy configuration mode. To remove this attribute from your configuration, use the no form of this command.
set aggressive-mode password password
no set aggressive-mode password password
Syntax Description
password | Password that is used to authenticate the peer to a remote server. The tunnel password is used as the Internet Key Exchange (IKE) preshared key.
Defaults
The Tunnel-Password attribute is not defined.
Command Modes
ISAKMP policy configuration
Command History
Release | Modification
12.2(8)T | This command was introduced.
Usage Guidelines
Before you can use this command, you must enable the crypto isakmp peer command.
To initiate an IKE aggressive mode negotiation, the set aggressive-mode password command, along with the set aggressive-mode client-endpoint command, must be configured in the ISAKMP peer policy. The Tunnel-Password attribute will be used as the IKE preshared key for the aggressive mode negotiation.
Examples
The following example shows how to initiate aggressive mode using RADIUS tunnel attributes:
crypto isakmp peer address 4.4.4.1
 set aggressive-mode client-endpoint user-fqdn user@cisco.com
 set aggressive-mode password cisco123
Related Commands
Command | Description
crypto isakmp peer | Enables an IPSec peer for IKE querying of AAA for tunnel attributes in aggressive mode.
set aggressive-mode client-endpoint | Specifies the Tunnel-Client-Endpoint attribute within an ISAKMP peer configuration.
set isakmp-profile
To set the Internet Security Association and Key Management Protocol (ISAKMP) profile name, use the set isakmp-profile command in crypto map configuration mode. To remove the ISAKMP profile name, use the no form of this command.
set isakmp-profile profile-name
no set isakmp-profile profile-name
Syntax Description
profile-name | Name of the ISAKMP profile.
Defaults
If no ISAKMP profile is specified in the crypto map entry, the default is the ISAKMP profile that is on the crypto map head. If there is no ISAKMP profile on the head either, the default is "none."
Command Modes
Crypto map configuration
Command History
Release | Modification
12.2(15)T | This command was introduced.
Usage Guidelines
This command specifies the ISAKMP profile that is used when the Internet Key Exchange (IKE) exchange starts.
Before you reference an ISAKMP profile from a crypto map, you must first define that ISAKMP profile.
Examples
The following example shows that an ISAKMP profile has been configured on a crypto map:
crypto map vpnmap 10 ipsec-isakmp
set isakmp-profile vpnprofile
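The following is a fuller configuration that follows the usage guideline above: the ISAKMP profile is defined first, then the crypto map entry references it. This is an added example and is not part of the Cisco command reference. The keyring name vpnkeys, the peer address 192.0.2.10, the access list 101 and the preshared key placeholder are constructed; the crypto keyring, pre-shared-key, crypto isakmp profile, keyring and match identity commands are assumed to be available in the release that introduced set isakmp-profile.

```cisco
! Added example (not from the Cisco reference). Names, addresses,
! the access list and the key below are constructed placeholders.
!
! 1. Keyring holding the preshared key for the remote peer.
crypto keyring vpnkeys
 pre-shared-key address 192.0.2.10 key REPLACE-WITH-STRONG-PSK
!
! 2. ISAKMP profile: which peer identity it matches and which keyring it uses.
!    It must exist before any crypto map entry can reference it.
crypto isakmp profile vpnprofile
 keyring vpnkeys
 match identity address 192.0.2.10 255.255.255.255
!
! 3. Transform set and interesting-traffic ACL used by the crypto map entry.
crypto ipsec transform-set my_t_set1 esp-aes esp-sha-hmac
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! 4. Crypto map entry: IKE negotiation for this entry is bound to the profile,
!    so the head-level profile default described under Defaults is not used here.
crypto map vpnmap 10 ipsec-isakmp
 match address 101
 set peer 192.0.2.10
 set transform-set my_t_set1
 set isakmp-profile vpnprofile
```

Apply the map to the outside interface with the crypto map (interface IPSec) command. Keeping the profile explicit on the entry avoids silently inheriting whatever profile happens to be on the crypto map head when several entries with different peers share one interface.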
Related Commands
Command | Description
crypto ipsec transform-set | Defines a transform set, which is an acceptable combination of security protocols and algorithms.
crypto map (global) | Creates or modifies a crypto map entry.
set peer (IPSec)
To specify an IP Security peer in a crypto map entry, use the set peer command in crypto map configuration mode. To remove an IPSec peer from a crypto map entry, use the no form of this command.
set peer {host-name | ip-address}
no set peer {host-name | ip-address}
Syntax Description
host-name | Specifies the IPSec peer by its host name. This is the peer's host name concatenated with its domain name (for example, myhost.example.com).
ip-address | Specifies the IPSec peer by its IP address.
Defaults
No peer is defined by default.
Command Modes
Crypto map configuration
Command History
Release | Modification
11.2 | This command was introduced.
Usage Guidelines
Use this command to specify an IPSec peer for a crypto map.
This command is required for all static crypto maps. If you are defining a dynamic crypto map (with the crypto dynamic-map command), this command is not required, and in most cases is not used (because, in general, the peer is unknown).
For ipsec-isakmp crypto map entries, you can specify multiple peers by repeating this command. The peer that packets are actually sent to is determined by the last peer that the router heard from (received either traffic or a negotiation request from) for a given data flow. If the attempt fails with the first peer, Internet Key Exchange tries the next peer on the crypto map list.
For ipsec-manual crypto entries, you can specify only one IPSec peer per crypto map. If you want to change the peer, you must first delete the old peer and then specify the new peer.
You can specify the remote IPSec peer by its host name only if the host name is mapped to the peer's IP address in a Domain Name Server or if you manually map the host name to the IP address with the ip host command.
Examples
The following example shows a crypto map configuration when IKE will be used to establish the security associations. In this example, a security association could be set up to either the IPSec peer at 10.0.0.1 or the peer at 10.0.0.2.
crypto map mymap 10 ipsec-isakmp
set transform-set my_t_set1
set peer 10.0.0.1
set peer 10.0.0.2
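Two added examples of the usage guidelines above (not from the Cisco reference): the first maps a host name with the ip host command and lists two peers on an ipsec-isakmp entry, so that IKE can fall back to the second peer if negotiation with the first fails; the second shows the delete-then-add step that an ipsec-manual entry requires when its single peer is changed. The host name peer-b.example.com, the address 10.0.0.3, the access list 101 and the map name manualmap are constructed.

```cisco
! Added example (not from the Cisco reference); host name, addresses,
! access list and map names are constructed placeholders.
!
! Static host-name mapping so that set peer can use a name instead of an address
! even when no DNS server resolves it.
ip host peer-b.example.com 10.0.0.2
!
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! ipsec-isakmp entry: several peers are allowed. For a given flow IKE uses the
! peer it last heard from and tries the next listed peer if that one fails.
crypto map mymap 10 ipsec-isakmp
 match address 101
 set transform-set my_t_set1
 set peer 10.0.0.1
 set peer peer-b.example.com
!
! ipsec-manual entry: exactly one peer. To replace it, remove the old peer
! first, then enter the new one.
crypto map manualmap 20 ipsec-manual
 no set peer 10.0.0.1
 set peer 10.0.0.3
```

With a host name, the peer that IPSec actually contacts depends on what the name resolves to at negotiation time; a stale ip host entry or a poisoned DNS answer changes the peer without any change to the crypto map, so address-based peers are the safer choice where the remote address is fixed.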
Related Commands
Command | Description
crypto dynamic-map | Creates a dynamic crypto map entry and enters the crypto map configuration command mode.
crypto map (global IPSec) | Creates or modifies a crypto map entry and enters the crypto map configuration mode.
crypto map (interface IPSec) | Applies a previously defined crypto map set to an interface.
crypto map local-address | Specifies and names an identifying interface to be used by the crypto map for IPSec traffic.
match address (IPSec) | Specifies an extended access list for a crypto map entry.
set pfs | Specifies that IPSec should ask for PFS when requesting new security associations for this crypto map entry, or that IPSec requires PFS when receiving requests for new security associations.
set security-association level per-host | Specifies that separate IPSec security associations should be requested for each source/destination host pair.
set security-association lifetime | Overrides (for a particular crypto map entry) the global lifetime value, which is used when negotiating IPSec security associations.
set session-key | Specifies the IPSec session keys within a crypto map entry.
set transform-set | Specifies which transform sets can be used with the crypto map entry.
show crypto map (IPSec) | Displays the crypto map configuration.
set pfs
To specify that IP Security (IPSec) should ask for perfect forward secrecy (PFS) when requesting new security associations for this crypto map entry, or that IPSec requires PFS when receiving requests for new security associations, use the set pfs command in crypto map configuration mode. To specify that IPSec should not request PFS, use the no form of this command.
set pfs [group1 | group2]
no set pfs
Syntax Description
group1 | (Optional) Specifies that IPSec should use the 768-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange.
group2 | (Optional) Specifies that IPSec should use the 1024-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange.
Defaults
By default, PFS is not requested. If no group is specified with this command, group1 is used as the default.
Command Modes
Crypto map configuration
Command History
Release | Modification
11.3 T | This command was introduced.
Usage Guidelines
This command is only available for ipsec-isakmp crypto map entries and dynamic crypto map entries.
During negotiation, this command causes IPSec to request PFS when requesting new security associations for the crypto map entry. The default (group1) is sent if the set pfs statement does not specify a group. If the peer initiates the negotiation and the local co