Table Of Contents

clear ip sdee

clear ip trigger-authentication

clear ip urlfilter cache

clear kerberos creds

clear radius local-server

clid

client authentication list

client configuration address

client configuration group

commands (view)

content-length

content-type-verification

copy ips-sdf

crl best-effort

crl optional

crl query

crypto ca authenticate

crypto ca cert validate

crypto ca certificate chain

crypto ca certificate map

crypto ca certificate query (ca-trustpoint)

crypto ca certificate query (global)

crypto ca crl request

crypto ca enroll

crypto ca export pem

crypto ca export pkcs12

crypto ca identity

crypto ca import

crypto ca import pem

crypto ca import pkcs12

crypto ca profile enrollment

crypto ca trusted-root

crypto ca trustpoint

crypto call admission limit

crypto dynamic-map

crypto engine accelerator

crypto engine aim

crypto engine em

crypto engine nm

crypto engine onboard

crypto engine slot

crypto identity

crypto ipsec client ezvpn (global)

crypto ipsec client ezvpn (interface)

crypto ipsec client ezvpn connect

crypto ipsec client ezvpn xauth

crypto ipsec df-bit (global)

crypto ipsec df-bit (interface)

crypto ipsec fragmentation (global)

crypto ipsec fragmentation (interface)

crypto ipsec nat-transparency

crypto ipsec optional

crypto ipsec optional retry

crypto ipsec profile

crypto ipsec security-association idle-time

crypto ipsec security-association lifetime

crypto ipsec security-association replay disable

crypto ipsec security-association replay window-size

crypto ipsec transform-set

crypto isakmp aggressive-mode disable

crypto isakmp client configuration address-pool local

crypto isakmp client configuration group

crypto isakmp enable

crypto isakmp identity

crypto isakmp invalid-spi-recovery

crypto isakmp keepalive

crypto isakmp key

crypto isakmp nat keepalive

crypto isakmp peer

crypto isakmp policy

crypto isakmp profile

clear ip sdee

To clear Security Device Event Exchange (SDEE) events or subscriptions, use the clear ip sdee command in privileged EXEC mode.

clear ip sdee {events | subscriptions}

Syntax Description

events	Clears SDEE events from the event buffer.
subscriptions	Clears SDEE subscriptions.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.3(8)T	This command was introduced.

Usage Guidelines

Because subscriptions are properly closed by the Cisco IOS Intrusion Prevention System (IPS) client, this command is typically used only to help with error recovery.

Examples

The following example shows how to clear all open SDEE subscriptions on the router:

Router# clear ip sdee subscriptions

Related Commands

Command	Description
ip ips notify	Specifies the method of event notification.
ip sdee events	Sets the maximum number of SDEE events that can be stored in the event buffer.
ip sdee subscriptions	Sets the maximum number of SDEE subscriptions that can be open simultaneously.

clear ip trigger-authentication

To clear the list of remote hosts for which automated double authentication has been attempted, use the clear ip trigger-authentication command in privileged EXEC mode.

clear ip trigger-authentication

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release	Modification
11.3 T	This command was introduced.

Usage Guidelines

Use this command when troubleshooting automated double authentication. This command clears the entries in the list of remote hosts displayed by the show ip trigger-authentication command.

Examples

The following example clears the remote host table:

Router# show ip trigger-authentication

Trigger-authentication Host Table:

Remote Host          Time Stamp

172.21.127.114       2940514234

Router# clear ip trigger-authentication

Router# show ip trigger-authentication

Related Commands

Command	Description
show ip trigger-authentication	Displays the list of remote hosts for which automated double authentication has been attempted.

clear ip urlfilter cache

To clear the cache table, use the clear ip urlfilter cache command in user EXEC mode.

clear ip urlfilter cache {ip-address | all} [vrf vrf-name]

Syntax Description

ip-address	Clears the cache table of a specified server IP address.
all	Clears the cache table completely.
vrf vrf-name	(Optional) Clears the cache table only for the specified Virtual Routing and Forwarding (VRF) interface.

Command Modes

User EXEC

Command History

Release	Modification
12.2(11)YU	This command was introduced.
12.2(15)T	This command was integrated into Cisco IOS Release 12.2(15)T.
12.3(14)T	The vrf vrf-name keyword/argument pair was added.

Usage Guidelines

The cache table consists of the most recently requested IP addresses and the respective authorization status for each IP address.

Examples

The following example shows how to clear the cache table of IP address 172.18.139.21:

clear ip urlfilter cache 172.18.139.21

The following example shows how to clear the cache table of all IP addresses:

clear ip urlfilter cache all

The following example shows how to clear the cache table of all IP addresses in the vrf named bank.

clear ip urlfilter cache all vrf bank

Related Commands

Command	Description
ip urlfilter cache	Configures cache parameters.
show ip urlfilter cache	Displays the destination IP addresses that are cached into the cache table.

clear kerberos creds

To delete the contents of the credentials cache, use the clear kerberos creds command in privileged EXEC mode.

clear kerberos creds

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release	Modification
11.1	This command was introduced.

Usage Guidelines

Credentials are deleted when this command is issued.

Cisco supports Kerberos 5.

Examples

The following example illustrates the clear kerberos creds command:

Router# show kerberos creds 

Default Principal: chet@cisco.com

Valid Starting          Expires                 Service Principal

18-Dec-1995 16:21:07    19-Dec-1995 00:22:24    krbtgt/CISCO.COM@CISCO.COM

Router# clear kerberos creds

Router# show kerberos creds 

No Kerberos credentials.

Related Commands

Command	Description
show kerberos creds	Displays the contents of your credentials cache.

clear radius local-server

To clear the display on the local server or to unblock a locked username, use the clear radius local-server command in privileged EXEC mode.

clear radius local-server {statistics | user username}

Syntax Description

statistics	Clears the display of statistical information.
user	Unblocks the locked username specified.
username	Locked username.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.2(11)JA	This command was introduced on Cisco Aironet Access Point 1100 and Cisco Aironet Access Point 1200.
12.3(11)T	This command was implemented on the following platforms: Cisco 2600XM, Cisco 2691, Cisco 2811, Cisco 2821, Cisco 2851, Cisco 3700, and Cisco 3800 series routers.

Examples

The following example unblocks the locked username "smith":

Router# clear radius local-server user smith

Related Commands

Command	Description
block count	Configures the parameters for locking out members of a group to help protect against unauthorized attacks.
debug radius local-server	Displays the debug information for the local server.
group	Enters user group configuration mode and configures shared setting for a user group.
nas	Adds an access point or router to the list of devices that use the local authentication server.
radius-server host	Specifies the remote RADIUS server host.
radius-server local	Enables the access point or router to be a local authentication server and enters into configuration mode for the authenticator.
reauthentication time	Specifies the time (in seconds) after which access points or wireless-aware routers must reauthenticate the members of a group.
show radius local-server statistics	Displays statistics for a local network access server.
ssid	Specifies up to 20 SSIDs to be used by a user group.
user	Authorizes a user to authenticate using the local authentication server.
vlan	Specifies a VLAN to be used by members of a user group.

clid

To preauthenticate calls on the basis of the Calling Line Identification (CLID) number, use the clid command in AAA preauthentication configuration mode. To remove the clid command from your configuration, use the no form of this command.

clid [if-avail | required] [accept-stop] [password password]

no clid [if-avail | required] [accept-stop] [password password]

Syntax Description

if-avail	(Optional) Implies that if the switch provides the data, RADIUS must be reachable and must accept the string in order for preauthentication to pass. If the switch does not provide the data, preauthentication passes.
required	(Optional) Implies that the switch must provide the associated data, that RADIUS must be reachable, and that RADIUS must accept the string in order for preauthentication to pass. If these three conditions are not met, preauthentication fails.
accept-stop	(Optional) Prevents subsequent preauthentication elements such as ctype or dnis from being tried once preauthentication has succeeded for a call element.
password password	(Optional) Defines the password for the preauthentication element.

Defaults

The if-avail and required keywords are mutually exclusive. If the if-avail keyword is not configured, the preauthentication setting defaults to required.

The default password string is cisco.

Command Modes

AAA preauthentication configuration

Command History

Release	Modification
12.1(2)T	This command was introduced.

Usage Guidelines

You may configure more than one of the authentication, authorization and accounting (AAA) preauthentication commands (clid, ctype, dnis) to set conditions for preauthentication. The sequence of the command configuration decides the sequence of the preauthentication conditions. For example, if you configure dnis, then clid, then ctype, in this order, then this is the order of the conditions considered in the preauthentication process.

In addition to using the preauthentication commands to configure preauthentication on the Cisco router, you must set up the preauthentication profiles on the RADIUS server.

Examples

The following example specifies that incoming calls be preauthenticated on the basis of the CLID number:

aaa preauth

 group radius

 clid required

Related Commands

Command	Description
ctype	Preauthenticates calls on the basis of the call type.
dnis (RADIUS)	Preauthenticates calls on the basis of the DNIS number.
dnis bypass (AAA preauthentication configuration)	Specifies a group of DNIS numbers that will be bypassed for preauthentication.
group (RADIUS)	Specifies the AAA RADIUS server group to use for preauthentication.

client authentication list

To configure Internet Key Exchange (IKE) extended authentication (Xauth) in an Internet Security Association and Key Management Protocol (ISAKMP) profile, use the client authentication list command in ISAKMP profile configuration mode. To restore the default behavior, which is that Xauth is not enabled, use the no form of this command.

client authentication list list-name

no client authentication list list-name

Syntax Description

list-name

Character string used to name the list of authentication methods activated when a user logs in. The list name must match the list name that was defined during the authentication, authorization, and accounting (AAA) configuration.

Defaults

No default behaviors or values

Command Modes

ISAKMP profile configuration

Command History

Release	Modification
12.2(15)T	This command was introduced.

Usage Guidelines

Before configuring Xauth, you must set up an authentication list using AAA commands.

Xauth can be enabled on a profile basis if it has been disabled globally.

Examples

The following example shows that user authentication is configured. User authentication is a list of authentication methods called "xauthlist" in an ISAKMP profile called "vpnprofile."

crypto isakmp profile vpnprofile

 client authentication list xauthlist

The following example shows that Xauth has been disabled globally and enabled for the profiles "vpn-login" and "isakmpauth":

no crypto xauth FastEthernet0/0

!

crypto isakmp policy 1

 encr 3des

 group 2

!

crypto isakmp policy 10

 encr 3des

 authentication pre-share

 group 2

crypto isakmp client configuration group HRZ

crypto isakmp client configuration group vpngroup

 key cisco123

 pool vpnpool

crypto isakmp profile cert_sig

   match identity group HRZ

   isakmp authorization list isakmpauth

   client configuration address respond

   client configuration group HRZ

crypto isakmp profile nocerts

   match identity group vpngroup

   client authentication list vpn-login

   isakmp authorization list isakmpauth

   client configuration address respond

Related Commands

Command	Description
aaa authentication login	Sets AAA authentication at login.

client configuration address

To configure Internet Key Exchange (IKE) configuration mode in the Internet Security Association and Key Management Protocol (ISAKMP) profile, use the client configuration address command in ISAKMP profile configuration mode. To disable IKE configuraton mode, use the no form of this command.

client configuration address {initiate | respond}

no client configuration address {initiate | respond}

Syntax Description

initiate	Router will attempt to set IP addresses for each peer.
respond	Router will accept requests for IP addresses from any requesting peer.

Defaults

IKE configuration is not enabled.

Command Modes

ISAKMP profile configuration

Command History

Release	Modification
12.2(15)T	This command was introduced.

Usage Guidelines

Before you can use this command, you must enter the crypto isakmp profile command.

Examples

The following example shows that IKE mode is configured to either initiate or respond in an ISAKMP profile called "vpnprofile":

crypto isakmp profile vpnprofile

 client configuration address initiate

 client configuration address respond

Related Commands

Command	Description
crypto isakmp profile	Defines an ISAKMP profile.

client configuration group

To associate a group with the peer that has been assigned an Internet Security Association Key Management Protocol (ISAKMP) profile, use the client configuration group command in crypto ISAKMP profile configuration mode. To disable this option, use the no form of this command.

client configuration group group-name

no client configuration group group-name

Syntax Description

group-name

Name of the group to be associated with the peer.

Defaults

No default behavior or values

Command Modes

Crypto ISAKMP profile configuration

Command History

Release	Modification
12.3(8)T	This command was introduced.

Usage Guidelines

The client configuration group command is used after the crypto map has been configured and the ISAKMP profiles have been assigned to them.

Examples

The following example shows that the group "some_group" is to be associated with the peer:

crypto isakmp profile id_profile 

   ca trust-point 2315

   match identity host domain cisco.com

   client configuration group some_group

Related Commands

Command	Description
match certificate (ISAKMP)	Assigns an ISAKMP profile to a peer on the basis of the contents of arbitrary fields in the certificate.

commands (view)

To add commands or an interface to a command-line interface (CLI) view, use the commands command in view configuration mode. To delete a command or an interface from a CLI view, use the no form of this command.

Syntax for Adding and Deleting Commands to a View

commands parser-mode {include | include-exclusive | exclude} [all] [command]

no commands parser-mode {include | include-exclusive | exclude} [all] [command]

Syntax for Adding and Deleting Interfaces to a View

commands parser-mode {include | include-exclusive} [all] [interface interface-name] [command]

no commands parser-mode {include | include-exclusive} [all] [interface interface-name] [command]

Syntax Description

parser-mode	Mode in which the specified command exists. See Table 15 in the "Usage Guidelines" section for a list of available options for this argument.
include	Adds a specified command or a specified interface to the view and allows the same command or interface to be added to an additional view.
include-exclusive	Adds a specified command or a specified interface to the view and excludes the same command or interface from being added to all other views.
exclude	Denies access to commands in the specified parser mode. Note This keyword is available only for command-based views.
all	(Optional) A "wildcard" that allows every command in a specified configuration mode that begins with the same keyword or every subinterface within a specified interface to be part of the view.
interface interface-name	(Optional) Interface that is added to the view.
command	(Optional) Command that is added to the view. Note If no commands are specified, all commands within the specified parser mode are included or excluded, as appropriate.

Defaults

If this command is not enabled, a view will not have adequate information to deny or allow access to users.

Command Modes

View configuration

Command History

Release	Modification
12.3(7)T	This command was introduced.
12.3(11)T	The exclude keyword and the interface interface-name option were added.

Usage Guidelines

If a network administrator does not enter a specific command (via the command argument) or interface (via the interface interface-name option), users are granted access (via the include or include-exclusive keywords) or denied access (via the exclude keyword) to all commands within the specified parser-mode.

parser-mode Options

Table 15 shows some of the keyword options for the parser-mode argument in the commands command. The available mode keywords vary depending on your hardware and software version. To see a list of available mode options on your system, use the commands ? command.

Table 15 Keyword Options for the parser-mode Argument

Command	Description
accept-dialin	VPDN group accept dialin configuration mode
accept-dialout	VPDN group accept dialout configuration mode
address-family	Address Family configuration mode
alps-ascu	ALPS ASCU configuration mode
alps-circuit	ALPS circuit configuration mode
atm-bm-config	ATM bundle member configuration mode
atm-bundle-config	ATM bundle configuration mode
atm-vc-config	ATM virtual circuit configuration mode
atmsig_e164_table_mode	ATMSIG E164 Table
cascustom	Channel-associated signalling (cas) custom configuration mode
config-rtr-http	RTR HTTP raw request Configuration
configure	Global configuration mode
controller	Controller configuration mode
crypto-map	Crypto map config mode
crypto-transform	Crypto transform config modeCrypto transform configuration mode
dhcp	DHCP pool configuration mode
dspfarm	DSP farm configuration mode
exec	EXEC mode
flow-cache	Flow aggregation cache configuration mode
gateway	Gateway configuration mode
interface	Interface configuration mode
interface-dlci	Frame Relay DLCI configuration mode
ipenacl	IP named extended access-list configuration mode
ipsnacl	IP named simple access-list configuration mode
ip-vrf	Configure IP VRF parameters
lane	ATM Lan Emulation Lecs Configuration Table
line	Line configuration mode
map-class	Map class configuration mode
map-list	Map list configuration mode
mpoa-client	MPOA Client
mpoa-server	MPOA Server
null-interface	Null interface configuration mode
preaut	AAA Preauth definitions
request-dialin	VPDN group request dialin configuration mode
request-dialout	VPDN group request dialout configuration mode
route-map	Route map configuration mode
router	Router configuration mode
rsvp_policy_local	RSVP local policy configuration mode
rtr	RTR Entry Configuration
sg-radius	RADIUS server group definition
sg-tacacs+	TACACS+ server group
sip-ua	SIP UA configuration mode
subscriber-policy	Subscriber policy configuration mode
tcl	Tcl mode
tdm-conn	TDM connection configuration mode
template	Template configuration mode
translation-rule	Translation Rule configuration mode
vc-class	VC class configuration mode
voiceclass	Voice Class configuration mode
voiceport	Voice configuration mode
voipdialpeer	Dial Peer configuration mode
vpdn-group	VPDN group configuration mode

Examples

The following example shows how to add the privileged EXEC command show version to both CLI views "first" and "second." Because the include keyword was issued, the show version command can be added to both views.

Router(config)# parser view first

Router(config-view)# password 5 secret

Router(config-view)# commands exec include show version

!

Router(config)# parser view second

Router(config-view)# password 5 myview

Router(config-view)# commands exec include show version

The following example shows how to allow users in the view "first" to execute all commands that start with the word "show" except the show interfaces command, which is excluded by the view "second":

Router(config)# parser view first

Router(config-view)# password 5 secret

Router(config-view)# commands exec include all show 

!

Router(config)# parser view second

Router(config-view)# password 5 myview

Router(config-view)# commands exec include-exclusive show interfaces

Related Commands

Command	Description
parser view	Creates or changes a CLI view and enters view configuration mode.
password 5	Associates a CLI view or a superview with a password.

content-length

To permit or deny HTTP traffic through the firewall on the basis of message size, use the content-length command in appfw-policy-http configuration mode. To remove message-size limitations from your configuration, use the no form of this command.

content-length {min bytes max bytes | min bytes | max bytes} action {reset | allow} [alarm]

no content-length {min bytes max bytes | min bytes | max bytes} action {reset | allow} [alarm]

Syntax Description

min bytes	Minimum content length, in bytes, allowed per message. Number of bytes range: 0 to 65535.
max bytes	Maximum content length, in bytes, allowed per message. Number of bytes range: 0 to 65535.
action	Messages whose size do not meet the minimum or exceed the maximum number of bytes are subject to the specified action (reset or allow).
reset	Sends a TCP reset notification to the client or server if the HTTP message fails the mode inspection.
allow	Forwards the packet through the firewall.
alarm	(Optional) Generates system logging (syslog) messages for the given action.

Defaults

If this command is not enabled, message size is not considered when permitting or denying HTTP messages.

Command Modes

appfw-policy-http configuration

Command History

Release	Modification
12.3(14)T	This command was introduced.

Usage Guidelines

All messages exceeding the specified content-length range, will be subjected to the configured action (reset or allow).

Examples

The following example, which shows how to define the HTTP application firewall policy "mypolicy," will not permit HTTP messages longer than 1 byte. This policy includes all supported HTTP policy rules. After the policy is defined, it is applied to the inspection rule "firewall," which will inspect all HTTP traffic entering the FastEthernet0/0 interface.

! Define the HTTP policy.

appfw policy-name mypolicy

 application http

  strict-http action allow alarm

  content-length max 1 action allow alarm

  content-type-verification match-req-resp action allow alarm

  max-header-length request 1 response 1 action allow alarm

  max-uri-length 1 action allow alarm

  port-misuse default action allow alarm

  request-method rfc default action allow alarm

  request-method extension default action allow alarm

  transfer-encoding type default action allow alarm

!

!

! Apply the policy to an inspection rule. 

ip inspect name firewall appfw mypolicy

ip inspect name firewall http

!

!

! Apply the inspection rule to all HTTP traffic entering the FastEthernet0/0 interface.

interface FastEthernet0/0

 ip inspect firewall in

!

!

content-type-verification

To permit or deny HTTP traffic through the firewall on the basis of content message type, use the content-type-verification command in appfw-policy-http configuration mode. To disable this inspection parameter, use the no form of this command.

content-type-verification [match-req-resp] action {reset | allow} [alarm]

no content-type-verification [match-req-resp] action {reset | allow} [alarm]

Syntax Description

match-req-resp	(Optional) Verifies the content type of the HTTP response against the accept field of the HTTP request.
action	Messages that match the specified content type are subject to the specified action (reset or allow).
reset	Sends a TCP reset notification to the client or server if the HTTP message fails the mode inspection.
allow	Forwards the packet through the firewall.
alarm	(Optional) Generates system logging (syslog) messages for the given action.

Defaults

If this command is not issued, all traffic will be allowed.

Command Modes

appfw-policy-http configuration

Command History

Release	Modification
12.3(14)T	This command was introduced.

Usage Guidelines

After the content-type-verification command is issued, all HTTP messages are subjected to the following inspections:

•Verify that the content type of the message header is listed as a supported content type. (See Table 16.)

•Verify that the content type of the header matches the content of the message data or entity body portion of the message.

Table 16 contains a list of supported content types.

Table 16 Supported Content Types

Supported Content Types
audio/*
audio/basic
audio/midi
audio/mpeg
audio/x-adpcm
audio/x-aiff
audio/x-ogg
audio/x-wav
application/msword
application/octet-stream
application/pdf
application/postscript
application/vnd.ms-excel
application/vnd.ms-powerpoint
application/x-gzip
application/x-java-arching
application/x-java-xm
application/zip
image/*
image/cgf
image/gif
image/jpeg
image/png
image/tiff
image/x-3ds
image/x-bitmap
image/x-niff
image/x-portable-bitmap
image/x-portable-greymap
image/x-xpm
text/*
text/css
text/html
text/plain
text/richtext
text/sgml
text/xmcd
text/xml
video/*
video/-flc
video/mpeg
video/quicktime
video/sgi
video/x-avi
video/x-fli
video/x-mng
video/x-msvideo

Examples

The following example shows how to define the HTTP application firewall policy "mypolicy." This policy includes all supported HTTP policy rules. After the policy is defined, it is applied to the inspection rule "firewall," which will inspect all HTTP traffic entering the FastEthernet0/0 interface.

! Define the HTTP policy.

appfw policy-name mypolicy

 application http

  strict-http action allow alarm

  content-length max 1 action allow alarm

  content-type-verification match-req-resp action allow alarm

  max-header-length request 1 response 1 action allow alarm

  max-uri-length 1 action allow alarm

  port-misuse default action allow alarm

  request-method rfc default action allow alarm

  request-method extension default action allow alarm

  transfer-encoding type default action allow alarm

!

!

! Apply the policy to an inspection rule. 

ip inspect name firewall appfw mypolicy

ip inspect name firewall http

!

!

! Apply the inspection rule to all HTTP traffic entering the FastEthernet0/0 interface.

interface FastEthernet0/0

 ip inspect firewall in

!

!

copy ips-sdf

To load or save the signature definition file (SDF) in the router, use the copy ips-sdf command in EXEC mode.

Syntax for Loading the SDF

copy [/erase] url ips-sdf

Syntax for Saving the SDF

copy ips-sdf url

Syntax Description

/erase

(Optional) Erases the current SDF in the router before loading the new SDF. Note This option is typically available only on platforms with limited memory.

url

Description for the url argument is one of the following options: •If you want to load the SDF in the router, the url argument specifies the location in which to search for the SDF. •If you are saving the SDF, the url argument represents the location in which the SDF is saved after it has been generated. Regardless of what option the URL is used for, available URL locations are as follows: •local flash, such as flash:sig.xml •FTP server, such as ftp://myuser:mypass@ftp_server.sig.xml •rcp, such as rcp://myuser@rcp_server/sig.xml •TFTP server, such as tftp://tftp_server/sig.xml

Command Modes

EXEC

Command History

Release	Modification
12.3(8)T	This command was introduced.

Usage Guidelines

Loading Signatures From the SDF

Issue the copy url ips-sdf command to load the SDF in the router from the location specified via the url argument. When the new SDF is loaded, it is merged with the SDF that is already loaded in the router, unless the /erase keyword is issued, which overwrites the current SDF with the new SDF.

Cisco IOS Intrusion Prevention System (IPS) will attempt to retrieve the SDF from each specified location in the order in which they were configured in the startup configuration. If Cisco IOS IPS cannot retrieve the signatures from any of the specified locations, the built-in signatures will be used.

If the no ip ips sdf built-in command is used, Cisco IOS IPS will fail to load. IPS will then rely on the configuration of the ip ips fail command to either fail open or fail closed.

---

Note For Cisco IOS Release 12.3(8)T, the SDF should be loaded directly from Flash.

---

After the signatures are loaded in the router, the signature engines are built. Only after the signature engines are built can Cisco IOS IPS beginning scanning traffic.

---

Note Whenever signatures are replaced or merged, the router is suspended while the signature engines for the newly added or merged signatures are being built. The router prompt will be available again after the engines are built.

Depending on your platform and how many signatures are being loaded, building the engine can take up to several minutes. It is recommended that you enable logging messages to monitor the engine building status.

---

The ip sdf ips location command can also be used to load the SDF. However, unlike the copy ips-sdf command, this command does not force and immediately load the signatures. Signatures are not loaded until the router reboots or IPS is initially applied to an interface (via the ip ips command).

Saving a Generated or Merges SDF

Issue the copy ips-sdf url command to save a newly created SDF file to a specified location. The next time the router is reloaded, IPS can refer to the SDF from the saved location by including the ip ips sdf location command in the configuration.

---

Tip It is recommended that you save the SDF back out to Flash. Also, you should save the file to a different name than the original attack-drop.sdf file; otherwise, you risk loosing the original file.

---

Examples

The following example shows how to configure the router to load and merge the attack-drop.sdf file with the default signatures. After you have merged the two files, it is recommended to copy the newly merged signatures to a separate file. The router can then be reloaded (via the reload command) or reinitalized to so as to recognize the newly merged file (as shown the following example)

!

ip ips name MYIPS

!

interface GigabitEthernet0/1

 ip address 10.1.1.16 255.255.255.0

 ip ips MYIPS in

 duplex full

 speed 100

 media-type rj45

 no negotiation auto

!

!

! Merge the flash-based SDF (attack-drop.sdf) with the built-in signatures.

copy disk2:attack-drop.sdf ips-sdf

! Save the newly merged signatures to a separate file.

copy ips-sdf disk2:my-signatures.sdf

!

! Configure the router to use the new file, my-signatures.sdf 

configure terminal

ip ips sdf location disk2:my-signatures.sdf

! Reinitialize the IPS by removing the IPS rule set and reapplying the rule set.

interface gig 0/1

 no ip ips MYIPS in

!

*Apr 8 14:05:38.243:%IPS-2-DISABLED:IPS removed from all interfaces - IPS disabled

!

 ip ips MYIPS in

!

 exit

Related Commands

Command	Description
ip ips sdf location	Specifies the location in which the router should load the SDF.

crl best-effort

---

Note Effective with Cisco IOS Release 12.3(2)T, this command was replaced by the revocation-check command.

---

To download the certificate revocation list (CRL) but accept certificates if the CRL is not available, use the crl best-effort command in ca-identity configuration mode. To return to the default behavior in which CRL checking is mandatory before your router can accept a certificate, use the no form of this command.

Syntax Description

This command has no arguments or keywords.

Defaults

If this command is not configured, CRL checking is mandatory before your router can accept a certificate. That is, if CRL downloading is attempted and it fails, the certificate will be considered invalid and will be rejected.

Command Modes

Ca-identity configuration

Command History

Release	Modification
12.2(8)T	This command was introduced.
12.3(2)T	This command was replaced by the revocation-check command.

Usage Guidelines

When your router receives a certificate from a peer, it will search its memory for the appropriate CRL. If the appropriate CRL is in the router memory, the CRL will be used. Otherwise, the router will download the CRL from either the certificate authority (CA) or from a CRL distribution point (CDP) as designated in the certificate of the peer. Your router will then check the CRL to ensure that the certificate that the peer sent has not been revoked. (If the certificate appears on the CRL, your router will not accept the certificate and will not authenticate the peer.)

When a CA system uses multiple CRLs, the certificate of the peer will indicate which CRL applies in its CDP extension and should be downloaded by your router.

If your router does not have the applicable CRL in memory and is unable to obtain one, your router will reject the certificate of the peer—unless you include the crl best-effort command in your configuration. When the crl best-effort command is configured, your router will try to obtain a CRL, but if it cannot obtain a CRL, it will treat the certificate of the peer as not revoked.

When your router receives additional certificates from peers, the router will continue to attempt to download the appropriate CRL if it was previously unsuccessful. The crl best-effort command specifies only that when the router cannot obtain the CRL, the router will not be forced to reject the certificate of a peer.

Examples

The following configuration example declares a CA and permits your router to accept certificates when CRLs are not obtainable:

crypto ca identity myid

enrollment url http://mycaserver

crl best-effort

Related Commands

Command	Description
crypto ca identity	Declares the CA your router should use.

crl optional

---

Note Effective with Cisco IOS Release 12.3(2)T, this command was replaced by the revocation-check command.

---

To allow the certificates of other peers to be accepted without trying to obtain the appropriate CRL, use the crl optional command in ca-identity configuration mode. To return to the default behavior in which CRL checking is mandatory before your router can accept a certificate, use the no form of this command.

crl optional

no crl optional

Syntax Description

This command has no arguments or keywords.

Defaults

The router must have and check the appropriate CRL before accepting the certificate of another IP Security peer.

Command Modes

Ca-identity configuration

Command History

Release	Modification
11.3 T	This command was introduced.
12.3(2)T	This command was replaced by the revocation-check command.

Usage Guidelines

When your router receives a certificate from a peer, it will search its memory for the appropriate CRL. If the router finds the appropriate CRL, that CRL will be used. Otherwise, the router will download the CRL from either the certificate authority (CA) or from a CRL distribution point (CDP) as designated in the certificate of the peer. Your router will then check the CRL to ensure that the certificate that the peer sent has not been revoked. (If the certificate appears on the CRL, your router will not accept the certificate and will not authenticate the peer.) To instruct the router not to download the CRL and treat the certificate as not revoked, use the crl optional command.

---

Note If the CRL already exists in the memory (for example, by using the crypto ca crl request command to manually download the CRL), the CRL will still be checked even if the crl optional command is configured.

---

Examples

The following example declares a CA and permits your router to accept certificates without trying to obtain a CRL. This example also specifies a nonstandard retry period and retry count.

crypto ca identity myca

 enrollment url http://ca_server

 enrollment retry-period 20

 enrollment retry-count 100

 crl optional

Related Commands

Command	Description
crypto ca identity	Declares the CA your router should use.

crl query

If you have to query the certificate revocation list (CRL) to ensure that the certificate of the peer has not been revoked and you have to provide the Lightweight Directory Access Protocol (LDAP) server information, use the crl query command in ca-trustpoint configuration mode. To return to the default behavior, assuming that the CRL distribution point (CDP) has a complete LDAP URL, use no form of this command.

crl query ldap://hostname:[port]

no crl query ldap://hostname:[port]

Syntax Description

ldap://hostname	Query is made to the hostname of the LDAP server that serves the CRL for the certification authority (CA) server (for example, ldap://myldap.cisco.com).
:port	(Optional) Port number of the LDAP server (for example, ldap://myldap.cisco.com:3899).

Defaults

Not enabled. If crl query ldap://hostname:[port] is not enabled, the router assumes that the CDP that is embedded in the certificate is a complete URL (for example, ldap:myldap.cisco.com/CN=myCA,O=Cisco) and uses it to download the CRL.

If the port number is not configured, the default LDAP server port 389 will be used.

Command Modes

Ca-trustpoint configuration

Command History

Release	Modification
12.1(1)T	This command was introduced.
12.2(8)T	This command replaced the query url command.

Usage Guidelines

When Cisco IOS software tries to verify a peer certificate (for example, during Internet Key Exchange [IKE] or Secure Sockets Layer [SSL] handshake), it queries the CRL to ensure that the certificate has not been revoked. To locate the CRL, it first looks for the CDP extension in the certificate. If the extension exists, it is used to download the CRL. Otherwise, the Simple Certificate Enrollment Protocol (SCEP) GetCRL mechanism is used to query the CRL from the CA server directly (some CA servers do not support this method).

Cisco IOS software supports three types of CDP:

•HTTP URL (Example1: http://10.10.10.10:81/myca.crl)

•LDAP URL (Example 2: ldap://10.10.10.10:3899/CN=myca, O=cisco or Example 3: ldap:///CN=myca, O=cisco)

•LDAP/X.500 DN (Example 4: CN=myca, O=cisco)

To locate the CRL, a complete URL needs to be formed. As a result, Example 3 and Example 4 still require the hostname and the port number. The ldap://hostname:[port} keywords and arguments are used to provide this information.

---

Note The crypto ca trustpoint command replaces the crypto ca identity and crypto ca trusted-root commands and all related subcommands (all ca-identity and trusted-root configuration mode commands). If you enter a ca-identity or trusted-root subcommand, the configuration mode and command will be written back as ca-trustpoint.

---

Examples

The following example shows how to configure your router to query the CRL with the LDAP URL that is published by the CA named "bar":

crypto ca trustpoint mytp

 enrollment url http://bar.cisco.com

 crl query ldap://bar.cisco.com:3899

Related Commands

Command	Description
crypto ca trustpoint	Declares the CA that your router should use.
revocation-check	Checks the revocation status of a certificate.

crypto ca authenticate

---

Note This command was replaced by the crypto pki authenticate command effective with Cisco IOS Release 12.3(7)T.

---

To authenticate the certification authority (by getting the certificate of the CA), use the crypto ca authenticate command in global configuration mode.

crypto ca authenticate name

Syntax Description

name	Specifies the name of the CA. This is the same name used when the CA was declared with the crypto ca identity command.

Defaults

No default behavior or values.

Command Modes

Global configuration

Command History

Release	Modification
11.3 T	This command was introduced.

Usage Guidelines

This command is required when you initially configure CA support at your router.

This command authenticates the CA to your router by obtaining the self-signed certificate of the CA that contains the public key of the CA. Because the CA signs its own certificate, you should manually authenticate the public key of the CA by contacting the CA administrator when you perform this command.

If you are using RA mode (using the enrollment mode ra command) when you issue the crypto ca authenticate command, then registration authority signing and encryption certificates will be returned from the CA as well as the CA certificate.

This command is not saved to the router configuration. However. the public keys embedded in the received CA (and RA) certificates are saved to the configuration as part of the RSA public key record (called the "RSA public key chain").

---

Note If the CA does not respond by a timeout period after this command is issued, the terminal control will be returned so it will not be tied up. If this happens, you must re-enter the command. Cisco IOS software will not recognize CA certificate expiration dates set for beyond the year 2049. If the validity period of the CA certificate is set to expire after the year 2049, the following error message will be displayed when authentication with the CA server is attempted:

error retrieving certificate :incomplete chain

If you receive an error message similar to this one, check the expiration date of your CA certificate. If the expiration date of your CA certificate is set after the year 2049, you must reduce the expiration date by a year or more.

---

Examples

In the following example, the router requests the certificate of the CA. The CA sends its certificate and the router prompts the administrator to verify the certificate of the CA by checking the CA certificate's fingerprint. The CA administrator can also view the CA certificate's fingerprint, so you should compare what the CA administrator sees to what the router displays on the screen. If the fingerprint on the router's screen matches the fingerprint viewed by the CA administrator, you should accept the certificate as valid.

Router(config)# crypto ca authenticate myca

Certificate has the following attributes:

Fingerprint: 0123 4567 89AB CDEF 0123

Do you accept this certificate? [yes/no] y#

Related Commands

Command	Description
debug crypto pki transactions	Displays debug messages for the trace of interaction (message type) between the CA and the router.
show crypto pki certificates	Displays information about your certificate, the certificate of the CA, and any RA certificates.

crypto ca cert validate

---

Note This command was replaced by the crypto pki cert validate command effective with Cisco IOS Release 12.3(8)T.

---

To determine if a trustpoint has been successfully authenticated, a certificate has been requested and granted, and if the certificate is currently valid, use the crypto ca cert validate command in global configuration mode.

crypto ca cert validate trustpoint

Syntax Description

trustpoint

The trustpoint to be validated.

Defaults

No default behavior or values.

Command Modes

Global configuration

Command History

Release	Modification
12.3(8)T	This command was introduced.

Usage Guidelines

The crypto ca cert validate command validates the router's own certificate for a given trustpoint. Use this command as a sanity check after enrollment to verify that the trustpoint is properly authenticated, a certificate has been requested and granted for the trustpoint, and that the certificate is currently valid. A certificate is valid if it is signed by the trustpoint certification authority (CA), not expired, and so on.

Examples

The following examples show the possible output from the crypto ca cert validate command:

Router(config)# crypto ca cert validate ka

Validation Failed: trustpoint not found for ka

Router(config)# crypto ca cert validate ka

Validation Failed: can't get local certificate chain

Router(config)# crypto ca cert validate ka

Certificate chain has 2 certificates.

Certificate chain for ka is valid

Router(config)# crypto ca cert validate ka

Certificate chain has 2 certificates.

Validation Error: no certs on chain

Router(config)# crypto ca cert validate ka

Certificate chain has 2 certificates.

Validation Error: unspecified error

Related Commands

Command	Description
crypto pki trustpoint	Declares the certification authority that the router should use.
show crypto pki trustpoints	Displays the trustpoints that are configured in the router.

crypto ca certificate chain

---

Note This command was replaced by the crypto pki certificate chain command effective with Cisco IOS Release 12.3(7)T.

---

To enter the certificate chain configuration mode, use the crypto ca certificate chain command in global configuration mode. (You need to be in certificate chain configuration mode to delete certificates.)

crypto ca certificate chain name

Syntax Description

name	Specifies the name of the CA. Use the same name as when you declared the CA using the crypto pki trustpoint command.

Defaults

No default behavior or values.

Command Modes

Global configuration

Command History

Release	Modification
11.3 T	This command was introduced.

Usage Guidelines

This command puts you into certificate chain configuration mode. When you are in certificate chain configuration mode, you can delete certificates using the certificate command.

Examples

The following example deletes the router's certificate. In this example, the router had a general-purpose RSA key pair with one corresponding certificate. The show command is used to determine the serial number of the certificate to be deleted.

Router# show crypto ca certificates

Certificate

  Subject Name

    Name: myrouter.example.com

    IP Address: 10.0.0.1

  Status: Available

  Certificate Serial Number: 0123456789ABCDEF0123456789ABCDEF

  Key Usage: General Purpose

CA Certificate

  Status: Available

  Certificate Serial Number: 3051DF7123BEE31B8341DFE4B3A338E5F

  Key Usage: Not Set

Router# configure terminal

Rrouter(config)# crypto ca certificate chain myca

Router(config-cert-chain)# no certificate 0123456789ABCDEF0123456789ABCDEF

% Are you sure you want to remove the certificate [yes/no]? yes

% Be sure to ask the CA administrator to revoke this certificate.

Router(config-cert-chain)# exit

Related Commands

Command	Description
certificate	Adds certificates manually.

crypto ca certificate map

---

Note This command was replaced by the crypto pki certificate map command effective with Cisco IOS Release 12.3(7)T.

---

To define certificate-based access control lists (ACLs), use the crypto ca certificate map command in ca-certificate-map configuration mode. To remove the certificate-based ACLs, use the no form of this command.

crypto ca certificate map label sequence-number

no crypto ca certificate map label sequence-number

Syntax Description

label	A user-specified label that is referenced within the crypto ca trustpoint command.
sequence-number	A number that orders the ACLs with the same label. ACLs with the same label are processed from lowest to highest sequence number. When an ACL is matched, processing stops with a successful result.

Defaults

No default behavior or value.

Command Modes

Ca-certificate-map configuration

Command History

Release	Modification
12.2(15)T	This command was introduced.

Usage Guidelines

Issuing this command places the router in CA certificate map configuration mode where you can specify several certificate fields together with their matching criteria. The general form of these fields is as follows:

field-name match-criteria match-value

The field-name in the above example is one of the certificate fields. Field names are similar to the names used in the International Telecommunication Union Telecommunication Standardization Sector (ITU-T) X.509 standard. The name field is a special field that matches any subject name or related name field in the certificate, such as the alt-subject-name, subject-name, and unstructured-subject-name fields.

•alt-subject-name—Case-insensitive string.

•expires-on—Date field in the format dd mm yyyy hh:mm:ss or mmm dd yyyy hh:mm:ss.

•issuer-name—Case-insensitive string.

•name—Case-insensitive string.

•subject-name—Case-insensitive string.

•unstructured-subject-name—Case-insensitive string.

•valid-start—Date field in the format dd mm yyyy hh:mm:ss or mmm dd yyyy hh:mm:ss.

---

Note The time portion is optional in both the expires-on date and valid-start field and defaults to 00:00:00 if not specified. The time is interpreted according to the time zone offset configured for the router. The string utc can be appended to the date and time when they are configured as Universal Time, Coordinated (UTC) rather than local time.

---

The match-criteria in the example is one of the following logical operators:

•eq—equal (valid for name and date fields)

•ne—not equal (valid for name and date fields)

•co—contains (valid only for name fields)

•nc—does not contain (valid only for name fields)

•lt—less than (valid only for date fields)

•ge—greater than or equal to (valid only for date fields)

The match-value is a case-insensitive string or a date.

Examples

The following example shows how to configure a certificate-based ACL that will allow any certificate issued by Cisco Systems to an entity within the cisco.com domain. The label is Cisco, and the sequence is 10.

crypto ca certificate map Cisco 10

 issuer-name co Cisco Systems

 unstructured-subject-name co cisco.com

The following example accepts any certificate issued by Cisco Systems for an entity with DIAL or organizationUnit component ou=WAN. This certificate-based ACL consists of two separate ACLs tied together with the common label Group. Because the check for DIAL has a lower sequence number, it is performed first. Note that the string "DIAL" can occur anywhere in the subjectName field of the certificate, but the string WAN must be in the organizationUnit component.

crypto ca certificate map Group 10

 issuer-name co Cisco Systems

 subject-name co DIAL

crypto ca certificate map Group 20

 issuer-name co Cisco Systems

 subject-name co ou=WAN

Case is ignored in string comparisons; therefore, DIAL in the previous example will match dial, DIAL, Dial, and so on. Also note that the component identifiers (o=, ou=, cn=, and so on) are not required unless it is desirable that the string to be matched occurs in a specific component of the name. (Refer to the ITU-T security standards for more information about certificate fields and components such as ou=.)

If a component identifier is specified in the match string, the exact string, including the component identifier, must appear in the certificate. This requirement can present a problem if more than one component identifier is included in the match string. For example, "ou=WAN,o=Cisco Systems" will not match a certificate with the string "ou=WAN,ou=Engineering,o=Cisco Systems" because the "ou=Engineering" string separates the two desired component identifiers.

To match both "ou=WAN" and "o=Cisco Systems" in a certificate while ignoring other component identifiers, you could use this certificate map:

crypto ca certificate map Group 10

 subject-name co ou=WAN

 subject-name co o=Cisco

Any space character proceeding or following the equal sign (=) character in component identifiers is ignored. Therefore "o=Cisco" in the proceeding example will match "o = Cisco," "o= Cisco," "o =Cisco," and so on.

Related Commands

Command	Description
crypto pki trustpoint	Declares the CA that your router should use.

crypto ca certificate query (ca-trustpoint)

---

Note This command was replaced by the crypto pki certificate query (ca-trustpoint) command effective with Cisco IOS Release 12.3(7)T.

---

To specify that certificates should not be stored locally but retrieved from a certification authority (CA) trustpoint, use the crypto ca certificate query command in ca-trustpoint configuration mode. To cause certificates to be stored locally per trustpoint, use the no form of this command.

crypto ca certificate query

no crypto ca certificate query

Syntax Description

This command has no arguments or keywords.

Defaults

CA trustpoints are stored locally in the router's NVRAM.

Command Modes

Ca-trustpoint configuration

Command History

Release	Modification
12.2(8)T	This command was introduced.

Usage Guidelines

Normally, certain certificates are stored locally in the router's NVRAM, and each certificate uses a moderate amount of memory. To save NVRAM space, you can use this command to put the router into query mode, preventing certificates from being stored locally; instead, they are retrieved from a specified CA trustpoint when needed. This will save NVRAM space but could result in a slight performance impact.

The crypto ca certificate query command is a subcommand for each trustpoint; thus, this command can be disabled on a per-trustpoint basis.

Before you can configure this command, you must enable the crypto pki trustpoint command, which puts you in ca-trustpoint configuration mode.

---

Note This command replaces the crypto ca certificate query command in global configuration mode. Although you can still enter the global configuration command, the configuration mode and command will be written back as ca-trustpoint.

---

Examples

The following example shows how to prevent certificates and certificate revocation lists (CRLs) from being stored locally on the router; instead, they are retrieved from the "ka" trustpoint when needed.

crypto ca trustpoint ka

 .

 .

 .

 crypto ca certificate query

Related Commands

Command	Description
crypto pki trustpoint	Declares the CA that your router should use.

crypto ca certificate query (global)

The crypto ca certificate query command in global configuration mode is replaced by the crypto ca certificate query command in ca-trustpoint configuration mode. See the crypto ca certificate query command for more information.

crypto ca crl request

---

Note Effective with Cisco IOS Release 12.3(7)T, this command was replaced by the crypto pki crl request command.

---

To request that a new certificate revocation list (CRL) be obtained immediately from the certification authority, use the crypto ca crl request command in global configuration mode.

crypto ca crl request name

Syntax Description

name	Specifies the name of the CA. This is the same name used when the CA was declared with the crypto pki trustpoint command.

Defaults

Normally, the router requests a new CRL when it is verifying a certificate and there is no CRL cached.

Command Modes

Global configuration

Command History

Release	Modification
11.3 T	This command was introduced.
12.3(7)T	This command was replaced by the crypto pki crl request command.

Usage Guidelines

A CRL lists all the certificates of the network device that have been revoked. Revoked certificates will not be honored by your router; therefore, any IPSec device with a revoked certificate cannot exchange IP Security traffic with your router.

The first time your router receives a certificate from a peer, it will download a CRL from the CA. Your router then checks the CRL to make sure the certificate of the peer has not been revoked. (If the certificate appears on the CRL, it will not accept the certificate and will not authenticate the peer.)

A CRL can be reused with subsequent certificates until the CRL expires. If your router receives the certificate of a peer after the applicable CRL has expired, it will download the new CRL.

If your router has a CRL which has not yet expired, but you suspect that the contents of the CRL are out of date, use the crypto ca crl request command to request that the latest CRL be immediately downloaded to replace the old CRL.

This command is not saved to the configuration.

---

Note This command should be used only after the trustpoint is enrolled.

---

Examples

The following example immediately downloads the latest CRL to your router:

crypto ca crl request

crypto ca enroll

---

Note This command was replaced by the crypto pki enroll command effective with Cisco IOS Release 12.3(7)T.

---

To obtain the certificate(s) of your router from the certification authority, use the crypto ca enroll command in global configuration mode. To delete a current enrollment request, use the no form of this command.

crypto ca enroll name

no crypto ca enroll name

Syntax Description

name	Specifies the name of the CA. Use the same name as when you declared the CA using the crypto pki trustpoint command.

Defaults

No default behavior or values.

Command Modes

Global configuration

Command History

Release	Modification
11.3 T	This command was introduced.

Usage Guidelines

This command requests certificates from the CA for all of your router's RSA key pairs. This task is also known as enrolling with the CA. (Technically, enrolling and obtaining certificates are two separate events, but they both occur when this command is issued.)

Your router needs a signed certificate from the CA for each RSA key pairs of your router; if you previously generated general purpose keys, this command will obtain the one certificate corresponding to the one general purpose RSA key pair. If you previously generated special usage keys, this command will obtain two certificates corresponding to each of the special usage RSA key pairs.

If you already have a certificate for your keys you will be unable to complete this command; instead, you will be prompted to remove the existing certificate first. (You can remove existing certificates with the no certificate command.)

The crypto ca enroll command is not saved in the router configuration.

---

Note If your router reboots after you issue the crypto ca enroll command but before you receive the certificate(s), you must reissue the command.

---

Responding to Prompts

When you issue the crypto ca enroll command, you are prompted a number of times.

First, you are prompted to create a challenge password. This password can be up to 80 characters in length. This password is necessary in the event that you ever need to revoke your router's certificate(s). When you ask the CA administrator to revoke your certificate, you must supply this challenge password as a protection against fraudulent or mistaken revocation requests.

---

Note This password is not stored anywhere, so you need to remember this password.

---

If you lose the password, the CA administrator may still be able to revoke the router's certificate but will require further manual authentication of the router administrator identity.

You are also prompted to indicate whether or not your router's serial number should be included in the obtained certificate. The serial number is not used by IP Security or Internet Key Exchange but may be used by the CA to either authenticate certificates or to later associate a certificate with a particular router. (Note that the serial number stored is the serial number of the internal board, not the one on the enclosure.) Ask your CA administrator if serial numbers should be included. If you are in doubt, include the serial number.

Normally, you would not include the IP address because the IP address binds the certificate more tightly to a specific entity. Also, if the router is moved, you would need to issue a new certificate. Finally, a router has multiple IP addresses, any of which might be used with IPSec.

If you indicate that the IP address should be included, you will then be prompted to specify the interface of the IP address. This interface should correspond to the interface that you apply your crypto map set to. If you apply crypto map sets to more than one interface, specify the interface that you name in the crypto map local-address command.

Examples

In the following example, a router with a general-purpose RSA key pair requests a certificate from the CA. When the router displays the certificate fingerprint, the administrator verifies this number by calling the CA administrator, who checks the number. The fingerprint is correct, so the router administrator accepts the certificate.

There can be a delay between when the router administrator sends the request and when the certificate is actually received by the router. The amount of delay depends on the CA method of operation.

Router(config)# crypto ca enroll myca

%

% Start certificate enrollment ..

% Create a challenge password. You will need to verbally provide this

   password to the CA Administrator in order to revoke your certificate.

   For security reasons your password will not be saved in the configuration.

   Please make a note of it.

Password: <mypassword>

Re-enter password: <mypassword>

% The subject name in the certificate will be: myrouter.example.com

% Include the router serial number in the subject name? [yes/no]: yes

% The serial number in the certificate will be: 03433678

% Include an IP address in the subject name [yes/no]? yes

Interface: ethernet0/0

Request certificate from CA [yes/no]? yes

% Certificate request sent to Certificate Authority

% The certificate request fingerprint will be displayed.

% The 'show crypto pki certificates' command will also show the fingerprint.

Some time later, the router receives the certificate from the CA and displays the following confirmation message:

Router(config)#   Fingerprint: 01234567 89ABCDEF FEDCBA98 75543210

%CRYPTO-6-CERTRET: Certificate received from Certificate Authority

Router(config)#

If necessary, the router administrator can verify the displayed Fingerprint with the CA administrator.

If there is a problem with the certificate request and the certificate is not granted, the following message is displayed on the console instead:

%CRYPTO-6-CERTREJ: Certificate enrollment request was rejected by Certificate Authority

The subject name in the certificate is automatically assigned to be the same as the RSA key pair's name. In the above example, the RSA key pair was named "myrouter.example.com." (The router assigned this name.)

Requesting certificates for a router with special usage keys would be the same as the previous example, except that two certificates would have been returned by the CA. When the router received the two certificates, the router would have displayed the same confirmation message:

%CRYPTO-6-CERTRET: Certificate received from Certificate Authority

Related Commands

Command	Description
debug crypto pki messages	Displays debug messages for the details of the interaction (message dump) between the CA and the router.
debug crypto pki transactions	Displays debug messages for the trace of interaction (message type) between the CA and the router.
show crypto pki certificates	Displays information about your certificate, the certificate of the CA, and any RA certificates.

crypto ca export pem

---

Note This command was replaced by the crypto pki export pem command effective with Cisco IOS Release 12.3(7)T.

---

To export certificates and Rivest, Shamir, and Adelman (RSA) keys that are associated with a trustpoint in a privacy-enhanced mail (PEM)-formatted file, use the crypto ca export pem command in global configuration mode.

crypto ca export trustpoint pem {terminal | url url} {3des | des} passphrase

Syntax Description

trustpoint	Name of the trustpoint that the associated certificate and RSA key pair will export. The trustpoint argument must match the name that was specified via the crypto pki trustpoint command.
terminal	Certificate and RSA key pair that will be displayed in PEM format on the console terminal.
url url	URL of the file system where your router should export the certificate and RSA key pairs.
3des	Export the trustpoint using the Triple Data Encryption Standard (3DES) encryption algorithm.
des	Export the trustpoint using the DES encryption algorithm.
passphrase	Passphrase that is used to encrypt the PEM file for import. Note The passphrase can be any phrase that is at least eight characters in length; it can include spaces and punctuation, excluding the question mark (?), which has special meaning to the Cisco IOS parser.

Defaults

No default behavior or values

Command Modes

Global configuration

Command History

Release	Modification
12.3(4)T	This command was introduced.

Usage Guidelines

The crypto ca export pem command allows you to export certificate and RSA key pairs in PEM-formatted files. The PEM files can then be imported back into the Cisco IOS router (via the crypto pki import pem command) or other public key infrastructure (PKI) applications.

Examples

The following example shows how to generate and export the RSA key pair "aaa" and certificates of the router in PEM files that are associated with the trustpoint "mycs":

Router(config)# crypto key generate rsa general-keys label aaa exportable 

The name for the keys will be:aaa

Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose 
Keys. Choosing a key modulus greater than 512 may take a few minutes. 

!

How many bits in the modulus [512]:

% Generating 512 bit RSA keys ...[OK]

!

Router(config)# crypto pki trustpoint mycs

Router(ca-trustpoint)# enrollment url http://mycs

Router(ca-trustpoint)# rsakeypair aaa

Router(ca-trustpoint)# exit

Router(config)# crypto pki authenticate mycs

Certificate has the following attributes:

Fingerprint:C21514AC 12815946 09F635ED FBB6CF31 

% Do you accept this certificate? [yes/no]:y

Trustpoint CA certificate accepted.

! 

Router(config)# crypto pki enroll mycs

%

% Start certificate enrollment .. 

% Create a challenge password. You will need to verbally provide this password to the CA 
Administrator in order to revoke your certificate.

For security reasons your password will not be saved in the configuration.

Please make a note of it.

Password:

Re-enter password:

% The fully-qualified domain name in the certificate will be:Router

% The subject name in the certificate will be:bizarro.cisco.com

% Include the router serial number in the subject name? [yes/no]:n

% Include an IP address in the subject name? [no]:n

Request certificate from CA? [yes/no]:y

% Certificate request sent to Certificate Authority

% The certificate request fingerprint will be displayed.

% The 'show crypto ca certificate' command will also show the fingerprint.

Router(config)# Fingerprint: 8DA777BC 08477073 A5BE2403 812DD157 

00:29:11:%CRYPTO-6-CERTRET:Certificate received from Certificate Authority

Router(config)# crypto ca export aaa pem terminal 3des cisco123

% CA certificate:

-----BEGIN CERTIFICATE-----

MIICAzCCAa2gAwIBAgIBATANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQGEwJVUzES

<snip>

waDeNOSI3WlDa0AWq5DkVBkxwgn0TqIJXJOCttjHnWHK1LMcMVGn

-----END CERTIFICATE-----

% Key name:aaa

    Usage:General Purpose Key

-----BEGIN RSA PRIVATE KEY-----

Proc-Type:4,ENCRYPTED

DEK-Info:DES-EDE3-CBC,ED6B210B626BC81A

Urguv0jnjwOgowWVUQ2XR5nbzzYHI2vGLunpH/IxIsJuNjRVjbAAUpGk7VnPCT87

<snip>

kLCOtxzEv7JHc72gMku9uUlrLSnFH5slzAtoC0czfU4=

-----END RSA PRIVATE KEY-----

% Certificate:

-----BEGIN CERTIFICATE-----

MIICTjCCAfigAwIBAgICIQUwDQYJKoZIhvcNAQEFBQAwTjELMAkGA1UEBhMCVVMx

<snip>

6xlBaIsuMxnHmr89KkKkYlU6

-----END CERTIFICATE-----

Related Commands

Command	Description
crypto pki import pem	Imports certificates and RSA keys to a trustpoint from PEM-formatted files.
crypto pki trustpoint	Declares the CA that your router should use.
enrollment	Specifies the enrollment parameters of a CA.

crypto ca export pkcs12

---

Note This command was replaced by the crypto pki export pkcs12 command effective with Cisco IOS Release 12.3(7)T.

---

To export Rivest, Shamir, and Adelman (RSA) keys within a PKCS12 file at a specified location, use the crypto ca export pkcs12 command in global configuration mode.

crypto ca export trustpointname pkcs12 destination url passphrase

Syntax Description

trustpointname	Name of the trustpoint who issues the certificate that a user is going to export. When you export the PKCS12 file, the trustpoint name is the RSA key name.
destination url	Location of the PKCS12 file to which a user wants to import the RSA key pair.
passphrase	Passphrase that is used to encrypt the PKCS12 file for export.

Defaults

No default behavior or values

Command Modes

Global configuration

Command History

Release	Modification
12.2(15)T	This command was introduced.

Usage Guidelines

The crypto ca export pkcs12 command creates a PKCS 12 file that contains an RSA key pair. The PKCS12 file, along with a certificate authority (CA), is exported to the location that you specify with the destination URL. If you decide not to import the file to another router, you must delete the file.

Security Measures

Keep the PKCS12 file stored in a secure place with restricted access.

An RSA keypair is more secure than a passphrase because the private key in the key pair is not known by multiple parties. When you export an RSA key pair to a PKCS#12 file, the RSA key pair now is only as secure as the passphrase.

To create a good passphrase, be sure to include numbers, as well as both lowercase and uppercase letters. Avoid publicizing the passphrase by mentioning it in e-mail or cell phone communications because the information could be accessed by an unauthorized user.

Examples

The following example exports an RSA key pair with a trustpoint name "mytp" to a Flash file:

Router(config)# crypto ca export mytp pkcs12 flash:myexport mycompany

Related Commands

Command	Description
crypto pki import pkcs12	Imports RSA keys.

crypto ca identity

The crypto ca identity command is replaced by the crypto ca trustpoint command. See the crypto ca trustpoint command for more information.

crypto ca import

---

Note This command was replaced by the crypto pki import command effective with Cisco IOS Release 12.3(7)T.

---

To import a certificate manually via TFTP or as a cut-and-paste at the terminal, use the crypto ca import command in global configuration mode.

crypto ca import name certificate

Syntax Description

name certificate

Name of the certification authority (CA). This name is the same name used when the CA was declared with the crypto pki trustpoint command.

Defaults

No default behavior or values

Command Modes

Global configuration

Command History

Release	Modification
12.2(13)T	This command was introduced.

Usage Guidelines

You must enter the crypto ca import command twice if usage keys (signature and encryption keys) are used. The first time the command is entered, one of the certificates is pasted into the router; the second time the command is entered, the other certificate is pasted into the router. (It does not matter which certificate is pasted first.)

Examples

The following example shows how to import a certificate via cut-and-paste. In this example, the CA trustpoint is "MS."

crypto pki trustpoint MS

 enroll terminal

 crypto pki authenticate MS

!

crypto pki enroll MS

crypto ca import MS certificate

Related Commands

Command	Description
crypto pki trustpoint	Declares the CA that your router should use.
enrollment	Specifies the enrollment parameters of your CA.
enrollment terminal	Specifies manual cut-and-paste certificate enrollment.

crypto ca import pem

---

Note This command was replaced by the crypto pki import pem command effective with Cisco IOS Release 12.3(7)T.

---

To import certificates and Rivest, Shamir, and Adelman (RSA) keys to a trustpoint from privacy-enhanced mail (PEM)-formatted files, use the crypto ca import pem command in global configuration mode.

crypto ca import trustpoint pem [usage-keys] {terminal | url url} [exportable] passphrase

Syntax Description

trustpoint	Name of the trustpoint that is associated with the imported certificates and RSA key pairs. The trustpoint argument must match the name that was specified via the crypto pki trustpoint command.
usage-keys	(Optional) Specifies that two RSA special usage key pairs will be imported (that is, one encryption pair and one signature pair), instead of one general-purpose key pair.
terminal	Certificates and RSA key pairs will be manually imported from the console terminal.
url url	URL of the file system where your router should import the certificates and RSA key pairs.
exportable	(Optional) Specifies that the imported RSA key pair can be exported again to another Cisco device such as a router.
passphrase	Passphrase that is used to encrypt the PEM file for import. Note The passphrase can be any phrase that is at least eight characters in length; it can include spaces and punctuation, excluding the question mark (?), which has special meaning to the Cisco IOS parser.

Defaults

No default behavior or values

Command Modes

Global configuration

Command History

Release	Modification
12.3(4)T	This command was introduced.

Usage Guidelines

The crypto ca import pem command allows you import certificates and RSA key pairs in PEM-formatted files. The files can be previously exported from another router or generated from other public key infrastructure (PKI) applications.

Examples

The following example shows how to import PEM files to trustpoint "ggg" via TFTP:

Router(config)# crypto ca import ggg pem url tftp://10.1.1.2/johndoe/msca cisco1234

% Importing CA certificate...

Address or name of remote host [10.1.1.2]? 

Destination filename [johndoe/msca.ca]? 

Reading file from tftp://10.1.1.2/johndoe/msca.ca

Loading johndoe/msca.ca from 10.1.1.2 (via Ethernet0):!

[OK - 1082 bytes]

% Importing private key PEM file...

Address or name of remote host [10.1.1.2]? 

Destination filename [johndoe/msca.prv]? 

Reading file from tftp://10.1.1.2/johndoe/msca.prv

Loading johndoe/msca.prv from 10.1.1.2 (via Ethernet0):!

[OK - 573 bytes]

% Importing  certificate PEM file...

Address or name of remote host [10.1.1.2]? 

Destination filename [johndoe/msca.crt]? 

Reading file from tftp://10.1.1.2/johndoe/msca.crt

Loading johndoe/msca.crt from 10.1.1.2 (via Ethernet0):!

[OK - 1289 bytes]

% PEM files import succeeded.

Router(config)#

Related Commands

Command	Description
crypto pki export pem	Exports certificates and RSA keys that are associated with a trustpoint in a PEM-formatted file.
crypto pki trustpoint	Declares the CA that your router should use.
enrollment	Specifies the enrollment parameters of a CA.

crypto ca import pkcs12

---

Note This command was replaced by the crypto pki import pkcs12 command effective with Cisco IOS Release 12.3(7)T.

---

To import Rivest, Shamir, and Adelman (RSA) keys, use the crypto ca import pkcs12 command in global configuration mode.

crypto ca import trustpointname pkcs12 source url passphrase

Syntax Description

trustpointname	Name of the trustpoint who issues the certificate that a user is going to export or import. When importing, the trustpoint name will become the RSA key name.
source url	The location of the PKCS12 file to which a user wants to export the RSA key pair.
passphrase	Passphrase that must be entered to undo encryption when the RSA keys are imported.

Defaults

No default behavior or values

Command Modes

Global configuration

Command History

Release	Modification
12.2(15)T	This command was introduced.

Usage Guidelines

When you enter the cyrpto ca import pkcs12 command, a ke pair and a trustpoint are generated. If you then decide you want to remove the key pair and trustpoint that were generated, enter the crypto key zeroize rsa command to zeroize the key pair and enter the no crypto ca trustpoint command to remove the trustpoint.

---

Note After you import RSA keys to a target router, you cannot export those keys from the target router to another router.

---

Examples

In the following example, an RSA key pair that has been associated with the trustpoint "forward" is to be imported:

Router(config)# crypto ca import forward pkcs12 flash:myexport mycompany

Related Commands

Command	Description
crypto pki export pkcs12	Exports RSA keys.
crypto pki trustpoint	Declares the CA that your router should use.
crypto key zeroize rsa	Deletes all RSA keys from your router.

crypto ca profile enrollment

---

Note This command was replaced with the crypto pki profile enrollment command effective with Cisco IOS Release 12.3(7)T.

---

To define an enrollment profile, use the crypto ca profile enrollment command in global configuration mode. To delete all information associated with this enrollment profile, use the no form of this command.

crypto ca profile enrollment label

no crypto ca profile enrollment label

Syntax Description

label

Name for the enrollment profile; the enrollment profile name must match the name specified in the enrollment profile command.

Defaults

An enrollment profile does not exist.

Command Modes

Global configuration

Command History

Release	Modification
12.2(13)ZH	This command was introduced.
12.3(4)T	This command was integrated into Cisco IOS Release 12.3(4)T.

Usage Guidelines

Before entering this command, you must specify a named enrollment profile using the enrollment profile in ca-trustpoint configuration mode.

After entering the crypto ca profile enrollment command, you can use any of the following commands to define the profile parameters:

•authentication command—Specifies the HTTP command that is sent to the certification authority (CA) for authentication.

•authentication terminal—Specifies manual cut-and-paste certificate authentication requests.

•authentication url—Specifies the URL of the CA server to which to send authentication requests.

•enrollment command—Specifies the HTTP command that is sent to the CA for enrollment.

•enrollment terminal—Specifies manual cut-and-paste certificate enrollment.

•enrollment url—Specifies the URL of the CA server to which to send enrollment requests.

•parameter—Specifies parameters for an enrollment profile. This command can be used only if the authentication command or the enrollment command is used.

---

Note The authentication url, enrollment url, authentication terminal, and enrollment terminal commands allow you to specify different methods for certificate authentication and enrollment, such as TFTP authentication and manual enrollment.

---

Examples

The following example shows how to define the enrollment profile named "E" and associated profile parameters:

crypto ca trustpoint Entrust

  enrollment profile E

  serial

crypto ca profile enrollment E

 authentication url  http://entrust:81

 authentication command  GET /certs/cacert.der

 enrollment url  http://entrust:81/cda-cgi/clientcgi.exe

 enrollment command  POST reference_number=$P2&authcode=$P1

&retrievedAs=rawDER&action=getServerCert&pkcs10Request=$REQ

 parameter 1 value aaaa-bbbb-cccc

 parameter 2 value 5001

Related Commands

Command	Description
crypto ca trustpoint	Declares the CA that your router should use.
enrollment profile	Specifies that an enrollment profile can be used for certificate authentication and enrollment.

crypto ca trusted-root

The crypto ca trusted-root command is replaced by the crypto ca trustpoint command. See the crypto ca trustpoint command for more information.

crypto ca trustpoint

---

Note Effective with Cisco IOS Release 12.3(8)T, the crypto ca trustpoint command is replaced with the crypto pki trustpoint command. See the crypto pki trustpoint command for more information.

---

To declare the certification authority (CA) that your router should use, use the crypto ca trustpoint command in global configuration mode. To delete all identity information and certificates associated with the CA, use the no form of this command.

crypto ca trustpoint name

no crypto ca trustpoint name

Syntax Description

name	Creates a name for the CA. (If you previously declared the CA and just want to update its characteristics, specify the name you previously created.)

Defaults

Your router does not recognize any CAs until you declare a CA using this command.

Command Modes

Global configuration

Command History

Release	Modification
12.2(8)T	This command was introduced.
12.2(15)T	The match certificate subcommand was introduced.
12.3(7)T	This command was replaced by the crypto pki trustpoint command. You can still enter the crypto ca trusted-root or crypto ca trustpoint command, but the command will be written in the configuration as "crypto pki trustpoint."

Usage Guidelines

Use the crypto ca trustpoint command to declare a CA, which can be a self-signed root CA or a subordinate CA. Issuing the crypto ca trustpoint command puts you in ca-trustpoint configuration mode.

You can specify characteristics for the trustpoint CA using the following subcommands:

•crl—Queries the certificate revocation list (CRL) to ensure that the certificate of the peer has not been revoked.

•default (ca-trustpoint)—Resets the value of ca-trustpoint configuration mode subcommands to their defaults.

•enrollment—Specifies enrollment parameters (optional).

•enrollment http-proxy—Accesses the CA by HTTP through the proxy server.

•match certificate—Associates a certificate-based access control list (ACL) defined with the crypto ca certificate map command.

•primary—Assigns a specified trustpoint as the primary trustpoint of the router.

•root—Defines the Trivial File Transfer Protocol (TFTP) to get the CA certificate and specifies both a name for the server and a name for the file that will store the CA certificate.

---

Note Beginning with Cisco IOS Release 12.2(8)T, the crypto ca trustpoint command unified the functionality of the crypto ca identity and crypto ca trusted-root commands, thereby replacing these commands. Although you can still enter the crypto ca identity and crypto ca trusted-root commands, the configuration mode and command will be written in the configuration as "crypto ca trustpoint."

---

The following example shows how to declare the CA named "ka" and specify enrollment and CRL parameters:

crypto ca trustpoint ka

 enrollment url http://kahului:80

The following example shows a certificate-based access control list (ACL) with the label "Group" defined in a crypto ca certificate map command and included in the match certificate subcommand of the crypto ca | pki trustpoint command:

crypto ca certificate map Group 10

 subject-name co ou=WAN

 subject-name co o=Cisco

!

crypto ca trustpoint pki

 match certificate Group

Related Commands

Command	Description
crl	Queries the CRL to ensure that the certificate of the peer has not been revoked.
default (ca-trustpoint)	Resets the value of a ca-trustpoint configuration subcommand to its default.
enrollment	Specifies the enrollment parameters of your CA.
enrollment http-proxy	Accesses the CA by HTTP through the proxy server.
primary	Assigns a specified trustpoint as the primary trustpoint of the router.
root	Obtains the CA certificate via TFTP.

crypto call admission limit

To specify the maximum number of Internet Key Exchange (IKE) security associations (SAs) that the router can establish before IKE begins rejecting new SA requests, use the crypto call admission limit command in global configuration mode. To disable this feature, use the no form of this command.

crypto call admission limit ike sa number

no crypto call admission limit ike sa number

Syntax Description

ikd sa number

Number of active IKE SAs allowed on the router. The value must be greater than 1.

Defaults

No default behavior or values

Command Modes

Global configuration

Command History

Release	Modification
12.3(8)T	This command was introduced.

Usage Guidelines

Use this command to limit the number of IKE SAs permitted to or from a router. By limiting the amount of dynamic tunnels that can be created to the router, you can prevent the router from being overwhelmed if it is suddenly inundated with IKE SA requests. The ideal limit depends on the particular platform, the network topology, the application, and traffic patterns. When the specified limit is reached, IKE rejects all new SA requests. If you specify an IKE SA limit that is less than the current number of active IKE SAs, a warning is displayed, but SAs are not terminated. New SA requests are rejected until the active SA count is below the configured limit.

Examples

The following example specifies that there can be a maximum of 50 IKE SAs before IKE begins rejecting new SA requests.

Router(config)# crypto call admission limit ike sa 50

Related Commands

Command	Description
show crypto call admission statistics	Monitors Crypto CAC statistics.

crypto dynamic-map

To create a dynamic crypto map entry and enter the crypto map configuration command mode, use the crypto dynamic-map command in global configuration mode. To delete a dynamic crypto map set or entry, use the no form of this command.

crypto dynamic-map dynamic-map-name dynamic-seq-num

no crypto dynamic-map dynamic-map-name [dynamic-seq-num]

Syntax Description

dynamic-map-name	Specifies the name of the dynamic crypto map set.
dynamic-seq-num	Specifies the number of the dynamic crypto map entry.

Defaults

No dynamic crypto maps exist.

Command Modes

Global configuration.

Command History

Release	Modification
11.3 T	This command was introduced.

Usage Guidelines

Use dynamic crypto maps to create policy templates that can be used when processing negotiation requests for new security associations from a remote IP Security peer, even if you do not know all of the crypto map parameters required to communicate with the remote peer (such as the peer's IP address). For example, if you do not know about all the IPSec remote peers in your network, a dynamic crypto map allows you to accept requests for new security associations from previously unknown peers. (However, these requests are not processed until the Internet Key Exchange authentication has completed successfully.)

When a router receives a negotiation request via IKE from another IPSec peer, the request is examined to see if it matches a crypto map entry. If the negotiation does not match any explicit crypto map entry, it will be rejected unless the crypto map set includes a reference to a dynamic crypto map.

The dynamic crypto map is a policy template; it will accept "wildcard" parameters for any parameters not explicitly stated in the dynamic crypto map entry. This allows you to set up IPSec security associations with a previously unknown IPSec peer. (The peer still must specify matching values for the "non-wildcard" IPSec security association negotiation parameters.)

If the router accepts the peer's request, at the point that it installs the new IPSec security associations it also installs a temporary crypto map entry. This entry is filled in with the results of the negotiation. At this point, the router performs normal processing, using this temporary crypto map entry as a normal entry, even requesting new security associations if the current ones are expiring (based upon the policy specified in the temporary crypto map entry). Once the flow expires (that is, all of the corresponding security associations expire), the temporary crypto map entry is removed.

Dynamic crypto map sets are not used for initiating IPSec security associations. However, they are used for determining whether or not traffic should be protected.

The only configuration required in a dynamic crypto map is the set transform-set command. All other configuration is optional.

Dynamic crypto map entries, like regular static crypto map entries, are grouped into sets. After you define a dynamic crypto map set (which commonly contains only one map entry) using this command, you include the dynamic crypto map set in an entry of the "parent" crypto map set using the crypto map (IPSec global configuration) command. The parent crypto map set is then applied to an interface.

You should make crypto map entries referencing dynamic maps the lowest priority map entries, so that negotiations for security associations will try to match the static crypto map entries first. Only after the negotiation request does not match any of the static map entries do you want it to be evaluated against the dynamic map.

To make a dynamic crypto map the lowest priority map entry, give the map entry referencing the dynamic crypto map the highest seq-num of all the map entries in a crypto map set.

For both static and dynamic crypto maps, if unprotected inbound traffic matches a permit statement in an access list, and the corresponding crypto map entry is tagged as "IPSec," then the traffic is dropped because it is not IPSec-protected. (This is because the security policy as specified by the crypto map entry states that this traffic must be IPSec-protected.)

For static crypto map entries, if outbound traffic matches a permit statement in an access list and the corresponding security association (SA) is not yet established, the router will initiate new SAs with the remote peer. In the case of dynamic crypto map entries, if no SA existed, the traffic would simply be dropped (because dynamic crypto maps are not used for initiating new SAs).

---

Note Use care when using the any keyword in permit entries in dynamic crypto maps. If it is possible for the traffic covered by such a permit entry to include multicast or broadcast traffic, the access list should include deny entries for the appropriate address range. Access lists should also include deny entries for network and subnet broadcast traffic, and for any other traffic that should not be IPSec protected.

---

Examples

The following example configures an IPSec crypto map set.

Crypto map entry "mymap 30" references the dynamic crypto map set "mydynamicmap," which can be used to process inbound security association negotiation requests that do not match "mymap" entries 10 or 20. In this case, if the peer specifies a transform set that matches one of the transform sets specified in "mydynamicmap," for a flow "permitted" by the access list 103, IPSec will accept the request and set up security associations with the remote peer without previously knowing about the remote peer. If accepted, the resulting security associations (and temporary crypto map entry) are established according to the settings specified by the remote peer.

The access list associated with "mydynamicmap 10" is also used as a filter. Inbound packets that match a permit statement in this list are dropped for not being IPSec protected. (The same is true for access lists associated with static crypto maps entries.) Outbound packets that match a permit statement without an existing corresponding IPSec SA are also dropped.

crypto map mymap 10 ipsec-isakmp

 match address 101

 set transform-set my_t_set1

 set peer 10.0.0.1

 set peer 10.0.0.2

crypto map mymap 20 ipsec-isakmp

 match address 102

 set transform-set my_t_set1 my_t_set2

 set peer 10.0.0.3

crypto map mymap 30 ipsec-isakmp dynamic mydynamicmap

!

crypto dynamic-map mydynamicmap 10

 match address 103

 set transform-set my_t_set1 my_t_set2 my_t_set3

Related Commands

Command	Description
crypto map (global IPSec)	Creates or modifies a crypto map entry and enters the crypto map configuration mode.
crypto map (interface IPSec)	Applies a previously defined crypto map set to an interface.
crypto map local-address	Specifies and names an identifying interface to be used by the crypto map for IPSec traffic.
match address (IPSec)	Specifies an extended access list for a crypto map entry.
set peer (IPSec)	Specifies an IPSec peer in a crypto map entry.
set pfs	Specifies that IPSec should ask for perfect forward secrecy (PFS) when requesting new security associations for this crypto map entry, or that IPSec requires PFS when receiving requests for new security associations.
set security-association lifetime	Overrides (for a particular crypto map entry) the global lifetime value, which is used when negotiating IPSec security associations.
set transform-set	Specifies which transform sets can be used with the crypto map entry.
show crypto engine accelerator logs	Displays a dynamic crypto map set.
show crypto map (IPSec)	Displays the crypto map configuration.

crypto engine accelerator

---

Note Effective with Cisco IOS Release 12.3(11)T, this command is replaced by the crypto engine aim, crypto engine em, crypto engine nm, crypto engine onboard, and crypto engine slot commands. See these commands for more information.

---

To enable the onboard hardware accelerator of the router for IP security (IPsec) encryption, use the crypto engine accelerator command in global configuration mode. To disable the use of the onboard hardware IPsec accelerator, and thereby perform IPsec encryption or decryption in software, use the no form of this command.

crypto engine accelerator

no crypto engine accelerator

Syntax Description

This command has no arguments or keywords.

Defaults

The hardware accelerator for IPsec encryption is enabled.

Command Modes

Global configuration

Command History

Release	Modification
12.1(3)T	This command was introduced for the Cisco 1700 series router and other Cisco routers that support hardware accelerators for IPsec encryption.
12.1(3)XL	Support was added for the Cisco uBR905 cable access router.
12.2(2)XA	Support was added for the Cisco uBR925 cable access router.
12.2(13)T	This command was integrated into Cisco IOS Release 12.2(13)T and implemented for the AIM-VPN/EPII and AIM-VPN/HPII on the following platforms: Cisco 2691, Cisco 3660, Cisco 3725, and Cisco 3745.
12.2(15)ZJ	This command was implemented for the AIM-VPN/BPII on the following platforms: Cisco 2610XM, Cisco 2611XM, Cisco 2620XM, Cisco 2621XM, Cisco 2650XM, and Cisco 2651XM.
12.3(4)T	The AIM-VPN/BPII was integrated into Cisco IOS Release 12.3(4)T on the following platforms: Cisco 2610XM, Cisco 2611XM, Cisco 2620XM, Cisco 2621XM, Cisco 2650XM, and Cisco 2651XM.
12.3(11)T	This command was replaced by the crypto engine aim, crypto engine em, crypto engine nm, crypto engine onboard, and crypto engine slot commands.
12.2(33)SRA	This command was integrated into Cisco IOS Release 12.2(33)SRA.

Usage Guidelines

This command is not normally needed for typical operations because the onboard hardware accelerator of the router is enabled for IPsec encryption by default. The hardware accelerator should not be disabled except on instruction from Cisco Technical Assistance Center (TAC) personnel.

Examples

The following example shows how to disable the onboard hardware accelerator of the router for IPsec encryption. This disabling is normally needed only after the accelerator has been disabled for testing or debugging purposes.

Router(config)# no crypto engine accelerator

Warning! all current connections will be torn down.

Do you want to continue? [yes/no]:

Related Commands

Command	Description
clear crypto engine accelerator counter	Resets the statistical and error counters for the hardware accelerator to zero.
crypto ca	Defines the parameters for the certification authority used for a session.
crypto cisco	Defines the encryption algorithms and other parameters for a session.
crypto dynamic-map	Creates a dynamic map crypto configuration for a session.
crypto ipsec	Defines the IPSec security associations and transformation sets.
crypto isakmp	Enables and defines the IKE protocol and its parameters.
crypto key	Generates and exchanges keys for a cryptographic session.
crypto map	Creates and modifies a crypto map for a session.
debug crypto engine accelerator control	Displays each control command as it is given to the crypto engine.
debug crypto engine accelerator packet	Displays information about each packet sent for encryption and decryption.
show crypto engine accelerator ring	Displays the contents of command and transmits rings for the crypto engine.
show crypto engine accelerator sa-database	Displays the active (in-use) entries in the crypto engine SA database.
show crypto engine accelerator statistic	Displays the current run-time statistics and error counters for the crypto engine.
show crypto engine brief	Displays a summary of the configuration information for the crypto engine.
show crypto engine configuration	Displays the version and configuration information for the crypto engine.
show crypto engine connections	Displays a list of the current connections maintained by the crypto engine.

crypto engine aim

To reenable an advanced integration module (AIM), use the crypto engine aim command in global configuration mode. To disable an AIM encryption module, use the no form of this command.

crypto engine aim aim-slot-number

no crypto engine aim aim-slot-number

Syntax Description

aim-slot-number

Slot number to which an AIM is to be reenabled or disabled.

Defaults

An AIM is neither reenabled nor disabled.

Command Modes

Global configuration

Command History

Release	Modification
12.3(11)T	This command was introduced. This command replaces the crypto engine accelerator command.

Usage Guidelines

The crypto engine accelerator command will still be usable for a while, but if it is used, only the crypto engine aim command will be saved to the running and startup (nonvolatile memory) configuration.

Examples

The following example shows that the AIM in slot 0 is to be reenabled:

crypto engine aim 0

The following example shows that the AIM in slot 0 is to be disabled:

no crypto engine aim 0

crypto engine em

To enable the hardware accelerator of an expansion slot for IP security (IPsec) encryption, use the crypto engine em command in global configuration mode. To disable the hardware accelerator of the expansion slot, use the no form of this command.

crypto engine em slot-number

no crypto engine em slot-number

Syntax Description

slot-number

Slot number to which the hardware accelerator of the expansion slot is to be enabled or disabled (applies to slots 0 through 3).

Defaults

The hardware accelerator is neither enabled nor disabled.

Command Modes

Global configuration

Command History

Release	Modification
12.3(11)T	This command was introduced. This command replaces the crypto engine accelerator command.

Usage Guidelines

The crypto engine accelerator command will still be usable for a while, but if it is used, only the crypto engine em command will be saved to the running and startup (nonvolatile memory) configuration.

Examples

The following example shows that the hardware accelerator of expansion slot 1 is to be enabled:

crypto engine em 1

The following example shows that the hardware accelerator of expansion slot 1 is to be disabled:

no crypto engine em 1

crypto engine nm

To enable the onboard hardware accelerator of a network module for IP security (IPsec) encryption, use the crypto engine nm command in global configuration mode. To disable the accelerator of the network module, use the no form of this command.

crypto engine nm slot-number

no crypto engine nm slot-number

Syntax Description

slot-number

Slot number to which the hardware accelerator of a network module is to be enabled or disabled (applies to slots 0 through 5).

Defaults

The hardware accelerator is neither enabled nor disabled.

Command Modes

Global configuration

Command History

Release	Modification
12.3(11)T	This command was introduced. This command replaces the crypto engine accelerator command.

Usage Guidelines

The crypto engine accelerator command will still be usable for a while, but if it is used, only the crypto engine nm command will be saved to the running and startup (nonvolatile memory) configuration.

Examples

The following example shows that the hardware accelerator of the network module in slot 0 is to be enabled:

crypto engine nm 0

The following example shows that the hardware accelerator of the network module in slot 0 is to be disabled:

no crypto engine nm 0

crypto engine onboard

To enable the hardware accelerator of an onboard module for IP security (IPsec) encryption, use the crypto engine onboard command in global configuration mode. To disable the hardware accelerator of the onboard module, use the no form of this command.

crypto engine onboard slot-number

no crypto engine onboard slot-number

Syntax Description

slot-number

Slot number to which the hardware accelerator of the onboard module is to be enabled or disabled (applies to slots 0 and 1).

Defaults

The hardware accelerator is neither enabled nor disabled.

Command Modes

Global configuration

Command History

Release	Modification
12.3(11)T	This command was introduced. This command replaces the crypto engine accelerator command.

Usage Guidelines

The crypto engine accelerator command will still be usable for a while, but if it is used, only the crypto engine onboard command will be saved to the running and startup (nonvolatile memory) configuration.

Examples

The following example shows that the hardware accelerator of the onboard module in slot 1 is to be enabled:

crypto engine onboard 1

The following example shows that the hardware accelerator of the onboard module in slot 1 is to be disabled:

no crypto engine onboard 1

crypto engine slot

To reenable the onboard hardware accelerator in a service adapter, use the crypto engine slot command in global configuration mode. To disable the hardware accelerator in the service adapter, use the no form of this command.

crypto engine slot slot-number

no crypto engine slot slot-number

Syntax Description

slot-number

Slot number to which the hardware accelerator in a service adapter is to be reenabled or disabled (applies to slots 1 through 6).

Defaults

The hardware accelerator is neither enabled nor disabled.

Command Modes

Global configuration

Command History

Release	Modification
12.3(11)T	This command was introduced. This command replaces the crypto engine accelerator command.

Usage Guidelines

The crypto engine accelerator command will still be usable for a while, but if it is used, only the crypto engine slot command will be saved to the running and startup (nonvolatile memory) configuration.

Examples

The following example shows that the hardware accelerator of the service adaptor in slot 2is to be enabled:

crypto engine slot 2

The following example shows that the hardware accelerator of the service adaptor in slot 2 is to be disabled:

no crypto engine slot 2

crypto identity

To configure the identity of the router with a given list of distinguished names (DNs) in the certificate of the router, use the crypto identity command in global configuration mode. To delete all identity information associated with a list of DNs, use the no form of this command.

crypto identity name

no crypto identity name

Syntax Description

name	Identity of the router, which is associated with the given list of DNs.

Defaults

If this command is not enabled, the IP address is associated with the identity of the router.

Command Modes

Global configuration

Command History

Release	Modification
12.2(4)T	This command was introduced.

Usage Guidelines

The crypto identity command allows you to configure the identity of a router with a given list of DNs. Thus, when used with the dn and fqdn commands, you can set restrictions in the router configuration that prevent peers with specific certificates, especially certificates with particular DNs, from having access to selected encrypted interfaces.

---

Note The identity of the peer must be the same as the identity in the exchanged certificate.

---

Examples

The following example shows how to configure a DN-based crypto map:

! The following is an IPSec crypto map (part of IPSec configuration). It can be used only 

! by peers that have been authenticated by DN and if the certificate belongs to BigBiz.

crypto map map-to-bigbiz 10 ipsec-isakmp

 set peer 172.21.114.196

 set transform-set my-transformset 

 match address 124

 identity to-bigbiz

!

crypto identity to-bigbiz

 dn ou=BigBiz

!

!

! This crypto map can be used only by peers that have been authenticated by hostname

! and if the certificate belongs to little.com.

crypto map map-to-little-com 10 ipsec-isakmp

 set peer 172.21.115.119

 set transform-set my-transformset 

 match address 125

 identity to-little-com

!

crypto identity to-little-com

 fqdn little.com

!

Related Commands

Command	Description
crypto mib ipsec flowmib history failure size	Associates the identity of the router with the DN in the certificate of the router.
fqdn	Associates the identity of the router with the hostname that the peer used to authenticate itself.

crypto ipsec client ezvpn (global)

To create a Cisco Easy VPN remote configuration and enter the Cisco Easy VPN remote configuration mode, use the crypto ipsec client ezvpn command in global configuration mode. To delete the Cisco Easy VPN remote configuration, use the no form of this command.

crypto ipsec client ezvpn name

no crypto ipsec client ezvpn name

---

Note A separate crypto ipsec client ezvpn command in interface configuration mode assigns a Cisco Easy VPN remote configuration to the interface.

---

Syntax Description

name	Identifies the Cisco Easy VPN remote configuration with a unique, arbitrary name.

Defaults

Newly created Cisco Easy VPN remote configurations default to client mode.

Command Modes

Global configuration

Command History

Release	Modification
12.2(4)YA	This command was introduced for Cisco 806, Cisco 826, Cisco 827, and Cisco 828 routers; Cisco 1700 series routers; and Cisco uBR905 and Cisco uBR925 cable access routers.
12.2(13)T	This command was integrated into Cisco IOS Release 12.2(13)T.
12.2(8)YJ	This command was enhanced to enable you to manually establish and terminate an IPSec VPN tunnel on demand for Cisco 806, Cisco 826, Cisco 827, and Cisco 828 routers; Cisco 1700 series routers; and Cisco uBR905 and Cisco uBR925 cable access routers.
12.2(15)T	This command was integrated into Cisco IOS Release 12.2(15)T.
12.3(4)T	The username subcommand was added, and the peer subcommand was changed so that the command may now be input multiple times.
12.3(7)XR	The acl and backup subcommands were added.
12.3(11)T	The acl subcommand was integrated into Cisco IOS Release 12.3(11)T. However, the backup subcommand was not integrated into Cisco IOS 12.3(11)T.

Usage Guidelines

The crypto ipsec client ezvpn command creates a Cisco Easy VPN remote configuration and then enters the Cisco Easy VPN Remote configuration mode, at which point you can enter the following subcommands:

•acl {acl-name | acl-number}—Specifies multiple subnets in a Virtual Private Network (VPN) tunnel. Up to 50 subnets may be configured.

–The acl-name argument is the name of the access control list (ACL).

–The acl-number argument is the number of the ACL.

•backup {ezvpn-config-name} track {tracked-object-number}—Specifies the Easy VPN configuration that will be activated when backup is triggered.

–backup {ezvpn-config-name}—Specifies the Easy VPN configuration that will be activated when backup is triggered.

–track {tracked-object-number}—Specifies the link to the tracking system so that the Easy VPN state machine can get the notification to trigger the backup.

•connect [auto | manual | acl]—To manually establish and terminate an IP Security (IPSec) Virtual Private Network (VPN) tunnel on demand.

–The auto option is the default setting, because it was the initial Cisco Easy VPN remote functionality. The IPSec VPN tunnel is automatically connected when the Cisco Easy VPN Remote feature is configured on an interface.

–The manual option specifies the manual setting to direct the Cisco Easy VPN remote to wait for a command or application programming interface (API) call before attempting to establish the Cisco Easy VPN Remote connection. When the tunnel times out or fails, subsequent connections have to wait for the command to reset to manual or to an API call.

–The acl option specifies the ACL-triggered setting, which is used for transactional-based applications and dial backup. Using this option, you can define the "interesting" traffic that triggers the tunnel to be established.

•default—Sets the following command to its default values.

•exit—Exits the Cisco Easy VPN configuration mode and returns to global configuration mode.

•group group-name key group-key—Specifies the group name and key value for the VPN connection.

•local-address interface-name—Informs the Cisco Easy VPN remote which interface is used to determine the public IP address, which is used to source the tunnel. This applies only to the Cisco uBR905 and Cisco uBR925 cable access routers.

–The value of the interface-name argument specifies the interface used for tunnel traffic.

After specifying the local address used to source tunnel traffic, the IP address can be obtained in two ways:

–The local-address subcommand can be used with the cable-modem dhcp-proxy {interface loopback number} command to obtain a public IP address and automatically assign it to the loopback interface.

–The IP address can be manually assigned to the loopback interface.

•mode {client | network-extension | network extension plus}—Specifies the VPN mode of operation of the router:

–The client mode (default) automatically configures the router for Cisco Easy VPN client mode operation, which uses Network Address Translation (NAT) or Peer Address Translation (PAT) address translations. When the Cisco Easy VPN remote configuration is assigned to an interface,the router automatically creates the NAT or PAT and access list configuration needed for the VPN connection.

–The network-extension option specifies that the router should become a remote extension of the enterprise network at the other end of the VPN connection. The PCs that are connected to the router typically are assigned an IP address in the address space of the enterprise network.

–The network extension plus mode is identical to network extension mode with the additional capability of being able to request an IP address via mode configuration and automatically assign it to an available loopback interface. The IPSec security associations (SAs) for this IP address are automatically created by Easy VPN Remote. The IP address is typically used for troubleshooting (using ping, Telnet, and Secure Shell).

•no—Removes the command or sets it to its default values.

•peer {ipaddress | hostname}—Sets the peer IP address or hostname for the VPN connection. A hostname can be specified only when the router has a Domain Name System (DNS) server available for hostname resolution.

The peer subcommand may be input multiple times.

•username name password {0 | 6} {password}—Allows you to save your extended authentication (Xauth) password locally on the PC. On subsequent authentications, you may activate the save-password tick box on the software client or add the username and password to the Cisco IOS hardware client profile. The setting remains until the save-password attribute is removed from the server group profile.

–0 specifies that an unencrypted password will follow.

–6 specifies that an encrypted password will follow.

–password specifies an unencrypted (cleartext) user password.

The save-password option is useful only if the user password is static, that is, it is not a one-time password (OTP), such as a password generated by a token.

After configuring the Cisco Easy VPN remote configuration, use the exit command to exit the Cisco Easy VPN Remote configuration mode and return to global configuration mode.

---

Note You cannot use the no crypto ipsec client ezvpn command to delete a Cisco Easy VPN remote configuration that is assigned to an interface. You must remove that Cisco Easy VPN remote configuration from the interface before you can delete the configuration.

---

Examples

The following example shows a Cisco Easy VPN remote configuration named "telecommuter-client" being created on a Cisco uBR905 or Cisco uBR925 cable access router and being assigned to cable interface 0:

Router# configure terminal 

Router(config)# crypto ipsec client ezvpn telecommuter-client 

Router(config-crypto-ezvpn)# group telecommute-group key secret-telecommute-key 

Router(config-crypto-ezvpn)# peer telecommuter-server 

Router(config-crypto-ezvpn)# mode client 

Router(config-crypto-ezvpn)# exit 

Router(config)# interface c0 

Router(config-if)# crypto ezvpn telecommuter-client 

Router(config-if)# exit 

---

Note Specifying the mode client option as shown above is optional, because this is default configuration for these options.

---

The following example shows the Cisco Easy VPN remote configuration named "telecommuter-client" being removed from the interface and then deleted:

Router# configure terminal 

Router(config)# interface e1 

Router(config-if)# no crypto ipsec client ezvpn telecommuter-client 

Router(config-if)# exit 

Router(config)# no crypto ipsec client ezvpn telecommuter-client

Related Commands

Command	Description
crypto ipsec client ezvpn (interface)	Assigns a Cisco Easy VPN Remote configuration to an interface.

crypto ipsec client ezvpn (interface)

To assign a Cisco Easy VPN Remote configuration to an interface, specify whether the interface is outside or inside, and configure multiple outside and inside interfaces, use the crypto ipsec client ezvpn command in interface configuration mode. To remove the Cisco Easy VPN Remote configuration from the interface, use the no form of this command.

crypto ipsec client ezvpn name [outside | inside]

no crypto ipsec client ezvpn name [outside | inside]

---

Note A separate crypto ipsec client ezvpn command exists in global configuration mode that creates a Cisco Easy VPN Remote configuration.

---

Syntax Description

name	Specifies the Cisco Easy VPN Remote configuration to be assigned to the interface.
outside	(Optional) Specifies the outside interface of the IP Security (IPSec) client router. You can add up to four outside tunnels for all platforms, one tunnel per outside interfaces.
inside	(Optional) Specifies the inside interface of the IPSec client router. The Cisco 1700 series has no default inside interface, and any inside interface must be configured. The Cisco 800 series routers and Cisco uBR905 and Cisco uBR925 cable access routers have default inside interfaces. However, you can configure any inside interface. You can add up to three inside interfaces for all platforms.

Defaults

The default inside interface is the Ethernet interface on Cisco 800 series routers and Cisco uBR905 and Cisco uBR925 cable access routers.

Command Modes

Interface configuration

Command History

Release	Modification
12.2(4)YA	This command was introduced on Cisco 806, Cisco 826, Cisco 827, and Cisco 828 routers; Cisco 1700 series routers; and Cisco uBR905 and Cisco uBR925 cable access routers.
12.2(13)T	This command was integrated into Cisco IOS Release 12.2(13)T.
12.2(8)YJ	This command was enhanced to enable you to configure multiple outside and inside interfaces for Cisco 806, Cisco 826, Cisco 827, and Cisco 828 routers; Cisco 1700 series routers; and Cisco uBR905 and Cisco uBR925 cable access routers.
12.2(15)T	This command was integrated into Cisco IOS Release 12.2(15)T.

Usage Guidelines

The crypto ipsec client ezvpn command assigns a Cisco Easy VPN Remote configuration to an interface, enabling the creation of a Virtual Private Network (VPN) connection over that interface to the specified VPN peer. If the Cisco Easy VPN Remote configuration is configured for the client mode of operation, this also automatically configures the router for network address translation (NAT) or port address translation (PAT) and for an associated access list.

In Cisco IOS Release 12.2(8)YJ, the crypto ipsec client ezvpn command was enhanced to allow you to configure multiple outside and inside interfaces. To configure multiple outside and inside interfaces, you must use the interface interface-name command to first define the type of interface on the IPSec client router.

•In client mode for the Cisco Easy VPN Client, a single security association (SA) connection is used for encrypting and decrypting the traffic coming from all the inside interfaces. In network extension mode, one SA connection is established for each inside interface.

•When a new inside interface is added or an existing one is removed, all established SA connections are deleted and new ones are initiated.

•Configuration information for the default inside interface is shown with the crypto ipsec client ezvpn name inside command. All inside interfaces, whether they belong to a tunnel, are listed in interface configuration mode as an inside interface, along with the tunnel name.

The following Cisco IOS Release 12.2(4)YA restrictions apply to the crypto ipsec client ezvpn command:

•The Cisco Easy VPN Remote feature supports only one tunnel, so the crypto ipsec client ezvpn command can be assigned to only one interface. If you attempt to assign it to more than one interface, an error message is displayed. You must use the no form of this command to remove the configuration from the first interface before assigning it to the second interface.

•The crypto ipsec client ezvpn command should be assigned to the outside interface of the NAT or PAT translation. This command cannot be used on the inside NAT or PAT interface. On some platforms, the inside and outside interfaces are fixed.

For example, on Cisco uBR905 and Cisco uBR925 cable access routers, the outside interface is always the cable interface. On Cisco 1700 series routers, the FastEthernet interface defaults to being the inside interface, so attempting to use the crypto ipsec client ezvpn command on the FastEthernet interface displays an error message.

---

Note You must first use the global configuration version of the crypto ipsec client ezvpn command to create a Cisco Easy VPN Remote configuration before assigning it to an interface.

---

Examples

The following example shows a Cisco Easy VPN Remote configuration named "telecommuter-client" being assigned to the cable interface on a Cisco uBR905/uBR925 cable access router:

Router# configure terminal

Router(config)# interface c0 

Router(config-if)# crypto ipsec client ezvpn telecommuter-client 

Router(config-if)# exit 

The following example first shows an attempt to delete the Cisco Easy VPN Remote configuration named "telecommuter-client," but the configuration cannot be deleted because it is still assigned to an interface. The configuration is then removed from the interface and deleted.

Router# configure terminal 

Router(config)# no crypto ipsec client ezvpn telecommuter-client 

Error: crypto map in use by interface; cannot delete

Router(config)# interface e1 

Router(config-if)# no crypto ipsec client ezvpn telecommuter-client 

Router(config-if)# exit 

Router(config)# no crypto ipsec client ezvpn telecommuter-client 

Related Commands

Command	Description
crypto ipsec client ezvpn (global)	Creates and modifies a Cisco Easy VPN Remote configuration.
interface	Configures an interface type.

crypto ipsec client ezvpn connect

To connect to a specified IPSec Virtual Private Network (VPN) tunnel in a manual configuration, use the crypto ipsec client ezvpn connect command in privileged EXEC mode. To disable the connection, use the no form of this command.

crypto ipsec client ezvpn connect name

no crypto ipsec client ezvpn connect name

Syntax Description

name	Identifies the IPSec VPN tunnel with a unique, arbitrary name.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.2(8)YJ	This command was introduced on Cisco 806, Cisco 826, Cisco 827, and Cisco 828 routers; Cisco 1700 series routers; and Cisco uBR905 and Cisco uBR925 cable access routers.
12.2(15)T	This command was integrated into Cisco IOS Release 12.2(15)T.

Usage Guidelines

This command is used with the connect [auto | manual | acl] subcommand. After the manual setting is designated, the Cisco Easy VPN remote waits for a command or application programming interface (API) call before attempting to establish the Cisco Easy VPN remote connection.

If the configuration is manual, the tunnel is connected only after the crypto ipsec client ezvpn connect name command is entered in privileged EXEC mode, and after the connect [auto] | manual subcommand is entered.

Examples

The following example shows how to connect an IPSec VPN tunnel named ISP-tunnel on a Cisco uBR905/uBR925 cable access router:

Router# crypto ipsec client ezvpn connect ISP-tunnel

Related Commands

Command	Description
connect	Manually establishes and terminates an IPSec VPN tunnel on demand.
crypto ipsec client ezvpn (global)	Creates and modifies a Cisco Easy VPN remote configuration.

crypto ipsec client ezvpn xauth

To respond to a pending Virtual Private Network (VPN) authorization request, use the crypto ipsec client ezvpn xauth command in privileged EXEC mode.

crypto ipsec client ezvpn xauth name

Syntax Description

name	Identifies the IP Security (IPSec) VPN tunnel with a unique, arbitrary name. This name is required.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.2(4)YA	This command was introduced on Cisco 806, Cisco 826, Cisco 827, and Cisco 828 routers; Cisco 1700 series routers; and Cisco uBR905 and Cisco uBR925 cable access routers.
12.2(8)YJ	This command was enhanced to specify an IPSec VPN tunnel for Cisco 806, Cisco 826, Cisco 827, and Cisco 828 routers; Cisco 1700 series routers; and Cisco uBR905 and Cisco uBR925 cable access routers.
12.2(8)YJ	This command was enhanced to specify an IPSec VPN tunnel for Cisco 806, Cisco 826, Cisco 827, and Cisco 828 routers; Cisco 1700 series routers; and Cisco uBR905 and Cisco uBR925 cable access routers.
12.2(15)T	This command was integrated into Cisco IOS Release 12.2(15)T.

Usage Guidelines

If the tunnel name is not specified, the authorization request is made on the active tunnel. If there is more than one active tunnel, the command fails with an error requesting that you specify the tunnel name.

When making a VPN connection, individual users might also be required to provide authorization information, such as a username or password. When the remote end requires this information, the router displays a message on the console of the router instructing the user to enter the crypto ipsec client ezvpn xauth command. The user then uses command-line interface (CLI) to enter this command and to provide the information requested by the prompts that follow after the command has been entered.

---

Note If the user does not respond to the authentication notification, the message is repeated every 10 seconds.

---

Examples

The following example shows an example of the user being prompted to enter the crypto ipsec client ezvpn xauth command. The user then enters the requested information and continues.

Router# 

20:27:39: EZVPN: Pending XAuth Request, Please enter the following command:

20:27:39: EZVPN: crypto ipsec client ezvpn xauth

Router> crypto ipsec client ezvpn xauth 

Enter Username and Password: userid 

Password: ************

Related Commands

Command	Description
crypto ipsec client ezvpn (interface)	Assigns a Cisco Easy VPN Remote configuration to an interface.

crypto ipsec df-bit (global)

To set the DF bit for the encapsulating header in tunnel mode to all interfaces, use the crypto ipsec df-bit command in global configuration mode.

crypto ipsec df-bit [clear | set | copy]

Syntax Description

clear	Outer IP header will have the DF bit cleared, and the router may fragment the packet to add the IP Security (IPSec) encapsulation.
set	Outer IP header will have the DF bit set; however, the router may fragment the packet if the original packet had the DF bit cleared.
copy	The router will look in the original packet for the outer DF bit setting. The copy keyword is the default setting.

Defaults

The default is copy.

Command Modes

Global configuration

Command History

Release	Modification
12.2(2)T	This command was introduced.

Usage Guidelines

Use the crypto ipsec df-bit command in global configuration mode to configure your router to specify the DF bit in an encapsulated header.

You may want use the clear setting for the DF bit when encapsulating tunnel mode IPSec traffic so you can send packets larger than the available maximum transmission unit (MTU) size or if you do not know what the available MTU size is.

If this command is enabled without a specified setting, the router will use the copy setting as the default.

Examples

The following example shows how to clear the DF bit on all interfaces:

crypto ipsec df-bit clear

crypto ipsec df-bit (interface)

To set the DF bit for the encapsulating header in tunnel mode to a specific interface, use the crypto ipsec df-bit command in interface configuration mode.

crypto ipsec df-bit [clear | set | copy]

Syntax Description

clear	Outer IP header will have the DF bit cleared, and the router may fragment the packet to add the IP Security (IPSec) encapsulation.
set	Outer IP header will have the DF bit set; however, the router may fragment the packet if the original packet had the DF bit cleared.
copy	The router will look in the original packet for the outer DF bit setting. The copy keyword is the default setting.

Defaults

The default is copy.

Command Modes

Interface configuration

Command History

Release	Modification
12.2(2)T	This command was introduced.

Usage Guidelines

Use the crypto ipsec df-bit command in interface configuration mode to configure your router to specify the DF bit in an encapsulated header. This command overrides any existing DF bit global settings.

You may want use the clear setting for the DF bit when encapsulating tunnel mode IPSec traffic so you can send packets larger than the available maximum transmission unit (MTU) size or if you do not know what the available MTU size is.

If this command is enabled without a specified setting, the router will use the copy setting as default.

Examples

In following example, the router is configured to globally clear the setting for the DF bit and copy the DF bit on the interface named Ethernet0. Thus, all interfaces except Ethernet0 will allow the router to send packets larger than the available MTU size; Ethernet0 will allow the router to fragment the packet.

crypto isakmp policy 1

 hash md5

 authentication pre-share

crypto isakmp key Delaware address 192.168.10.66

crypto isakmp key Key-What-Key address 192.168.11.19

!

!

crypto ipsec transform-set BearMama ah-md5-hmac esp-des

crypto ipsec df-bit clear

!

!

crypto map armadillo 1 ipsec-isakmp

set peer 192.168.10.66

set transform-set BearMama

match address 101

!

crypto map basilisk 1 ipsec-isakmp

set peer 192.168.11.19

set transform-set BearMama

match address 102

!

!

interface Ethernet0

 ip address 192.168.10.38 255.255.255.0

 ip broadcast-address 0.0.0.0

 media-type 10BaseT

 crypto map armadillo

 crypto ipsec df-bit copy

!

interface Ethernet1

 ip address 192.168.11.75 255.255.255.0

 ip broadcast-address 0.0.0.0

 media-type 10BaseT

 crypto map basilisk

!

interface Serial0

 no ip address

 ip broadcast-address 0.0.0.0

 no ip route-cache

 no ip mroute-cache

crypto ipsec fragmentation (global)

To enable prefragmentation for IP Security (IPSec) Virtual Private Networks (VPNs) on a global basis, use the crypto ipsec fragmentation command in global configuration mode. To disable a manually configured command, use the no form of this command.

crypto ipsec fragmentation {before-encryption | after-encryption}

no crypto ipsec fragmentation {before-encryption | after-encryption}

Syntax Description

before-encryption	Enables prefragmentation for IPSec VPNs. The default is that prefragmentation is enabled.
after-encryption	Disables prefragmentation for IPSec VPNs.

Command Default

If you do not enter this command, prefragmentation is enabled.

Command Modes

Global configuration

Command History

Release	Modification
12.1(11b)E	This command was introduced.
12.2(13)T	This command was integrated into Cisco IOS Release 12.2(13)T.
12.2(33)SRA	This command was integrated into Cisco IOS Release 12.2(33)SRA.

Usage Guidelines

Use the before-encryption keyword to enable prefragmentation for IPSec VPNs; use the after-encryption keyword to disable prefragmentation for IPSec VPNs. This command allows an encrypting router to predetermine the encapsulated packet size from information available in transform sets, which are configured as part of the IPSec security association (SA). If it is predetermined that the packet will exceed the maximum transmission unit (MTU) of the output interface, the packet is fragmented before encryption.

---

Note This command does not show up in the a running configuration if the default global command is enabled. It shows in the running configuration only when you explicitly enable the command on an interface.

---

Examples

The following example shows how to globally enable prefragmentation for IPSec VPNs:

crypto ipsec fragmentation before-encryption

crypto ipsec fragmentation (interface)

To enable prefragmentation for IP Security (IPSec) Virtual Private Networks (VPNs) on an interface, use the crypto ipsec fragmentation command in interface configuration mode. To disable a manually configured command, use the no form of this command.

crypto ipsec fragmentation {before-encryption | after-encryption}

no crypto ipsec fragmentation {before-encryption | after-encryption}

Syntax Description

before-encryption	Enables prefragmentation for IPSec VPNs.
after-encryption	Disables prefragmentation for IPSec VPNs.

Defaults

If no other prefragmentation for IPSec VPNs commands are in the configuration, the router will revert to the default global configuration.

Command Modes

Interface configuration

Command History

Release	Modification
12.1(11b)E	This command was introduced.
12.2(13)T	This command was integrated into Cisco IOS Release 12.2(13)T.

Usage Guidelines

Use the before-encryption keyword to enable prefragmentation for IPSec VPNs per interface; use the after-encryption keyword to disable prefragmentation for IPSec VPNs. This command allows an encrypting router to predetermine the encapsulated packet size from information available in transform sets, which are configured as part of the IPSec security association (SA). If it is predetermined that the packet will exceed the maximum transmission unit (MTU) of output interface, the packet is fragmented before encryption.

Examples

The following example shows how to enable prefragmentation for IPSec VPNs on an interface and then how to display the output of the show running configuration command:

---

Note This command shows in the running configuration only when you explicitly enable it on the interface.

---

Router(config-if)# crypto ipsec fragmentation before-encryption

Router(config-if)# exit

Router# show running-config

crypto isakmp policy 10

 authentication pre-share

crypto isakmp key abcd123 address 209.165.202.130

!

crypto ipsec transform-set fooprime esp-3des esp-sha-hmac

!

crypto map bar 10 ipsec-isakmp

 set peer 209.165.202.130

 set transform-set fooprime

 match address 102

crypto ipsec nat-transparency

To enable security parameter index (SPI) matching or User Datagram Protocol (UDP) encapsulation between two Virtual Private Network (VPN) devices, use the crypto ipsec nat-transparency command on both devices in global configuration mode. To disable both SPI matching and UDP encapsulation, use the no form of this command with each keyword.

crypto ipsec nat-transparency {spi-matching | udp-encaps}

no crypto ipsec nat-transparency {spi-matching | udp-encaps}

Syntax Description

spi-matching	Enables SPI matching on both endpoints.
udp-encaps	Enables UDP encapsulation on both endpoints.

Defaults

When this command is entered, UDP encapsulation is enabled by default.

Command Modes

Global configuration

Command History

Release	Modification
12.2(13)T	This command was introduced.
12.2(15)T	The command syntax was modified to add the spi-matching keyword.

Usage Guidelines

You can use this command to resolve issues that arise when Network Address Translation (NAT) is configured in an IP Security (IPsec)-aware network. This command has two mutually exclusive options:

•The default option is UDP encapsulation of the IPsec protocols.

•The alternative is to match the inbound SPI to the outbound SPI.

When you enter the crypto ipsec nat-transparency command, UDP encapsulation is configured unless you either specifically disable it or configure SPI matching. You can disable both options, but doing so might cause problems if the device you are configuring uses NAT and is part of a VPN.

To disable SPI matching, configure UDP encapsulation or use the no form of this command with the keyword spi-matching. To disable UDP encapsulation, configure SPI matching or use the no form of this command with the keyword udp-encaps. To disable both SPI matching and UDP encapsulation, first disable UDP encapsulation, and then disable SPI matching. If you disable both options, the show running-config command displays: no crypto ipsec nat-transparency udp-encaps.

Examples

The following example enables SPI matching on the endpoint routers:

crypto ipsec nat-transparency spi-matching

Related Commands

Command	Description
clear ip nat translation	Clears dynamic NAT translations from the translation table.
ip nat	Designates that traffic originating from or destined for the interface is subject to NAT.
ip nat inside destination	Enables NAT of the inside destination address.
ip nat inside source	Enables NAT of the inside source address.
ip nat outside source	Enables NAT of the outside source address.
show ip nat statistics	Displays NAT statistics.
show ip nat translations	Displays active NAT translations.
show crypto isakmp sa detail nat	Displays NAT translations of source and destination addresses.

crypto ipsec optional

To enable IP Security (IPSec) passive mode, use the crypto ipsec optional command in global configuration mode. To disable IPSec passive mode, use the no form of this command.

crypto ipsec optional

no crypto ipsec optional

Syntax Description

This command has no arguments or keywords.

Defaults

IPSec passive mode is not enabled.

Command Modes

Global configuration

Command History

Release	Modification
12.2(13)T	This command was introduced.

Usage Guidelines

Use the crypto ipsec optional command to implement an intermediate mode (IPSec passive mode) that allows a router to accept unencrypted and encrypted data. IPSec passive mode is valuable for users who wish to migrate existing networks to IPSec because all routers will continue to interact with routers that encrypt data (that is, that have been upgraded with IPSec) and also with routers that have yet to be upgraded.

After this feature is disabled, all active connections that are sending unencrypted packets are cleared, and a message that reminds the user to enter the write memory command is sent.

---

Note Because a router in IPSec passive mode is insecure, ensure that no routers are accidentally left in this mode after upgrading a network.

---

Examples

The following example shows how to enable IPSec passive mode:

crypto map xauthmap 10 ipsec-isakmp 

 set peer 209.165.202.145

 set transform-set xauthtransform

 match address 192 

! 

crypto ipsec optional

!

interface Ethernet1/0 

 ip address 209.165.202.147 255.255.255.224 

 crypto map xauthmap

! 

access-list 192 permit ip host 209.165.202.147 host 209.165.202.145

crypto ipsec optional retry

To adjust the amount of time that a packet can be routed in the clear (unencrypted), use the crypto ipsec optional retry command in global configuration mode. To return to the default setting (5 minutes), use the no form of this command.

crypto ipsec optional retry seconds

no crypto ipsec optional retry seconds

Syntax Description

seconds

Time a connection can exist before another attempt is made to establish an encrypted IP Security (IPSec) session. The default value is 5 minutes.

Defaults

5 minutes

Command Modes

Global configuration

Command History

Release	Modification
12.2(13)T	This command was introduced.

Usage Guidelines

You must enable the crypto ipsec optional command, which enables IPSec passive mode, before you can use this command.

Examples

The following example shows how to enable IPSec passive mode:

crypto map xauthmap 10 ipsec-isakmp 

 set peer 209.165.202.145

 set transform-set xauthtransform

 match address 192 

! 

crypto ipsec optional

crypto ipsec optional retry 60

!

interface Ethernet1/0 

 ip address 209.165.202.147 255.255.255.224 

 crypto map xauthmap

! 

access-list 192 permit ip host 209.165.202.147 host 209.165.202.145

Related Commands

Command	Description
crypto ipsec optional	Enables IPSec passive mode.

crypto ipsec profile

To define the IPSecurity (IPSec) parameters that are to be used for IPSec encryption between two IPSec routers, use the crypto ipsec profile command in global configuration mode. To delete an IPSec profile, use the no form of this command.

crypto ipsec profile name

no crypto ipsec profile name

Syntax Description

name	Profile name.

Defaults

An IPSec profile is not defined.

Command Modes

Global configuration

Command History

Release	Modification
12.2(13)T	This command was introduced.
12.2(18)SXE	This command was integrated into Cisco IOS Release 12.2(18)SXE.

Usage Guidelines

An IPSec profile abstracts the IPSec policy settings into a single profile that can be used in other parts of the Cisco IOS configuration.

The IPSec profile shares most of the same commands with the crypto map configuration, but only a subset of the commands are valid in an IPSec profile. Only commands that pertain to an IPSec policy can be issued under an IPSec profile; you cannot specify the IPSec peer address or the access control list (ACL) to match the packets that are to be encrypted.

The following valid commands can be configured under an IPSec profile:

•set-transform-set—Specifies a list of transform sets in order of priority.

•set pfs—Specifies perfect forward secrecy (PFS) settings.

•set security-association—Defines security association parameters.

•set-identity—Specifies identity restrictions.

After enabling this command, the only parameter that must be defined under the profile is the transform set via the set transform-set command.

For more information on transform sets, refer to the section "Defining Transform Sets" in the chapter "Configuring IPSec Network Security" in the Cisco IOS Security Configuration Guide.

Examples

The following example shows how to configure a crypto map that uses an IPSec profile:

crypto ipsec transform-set cat-transforms esp-des esp-sha-hmac

 mode transport

!

crypto ipsec profile cat-profile

 set transform-set cat-transforms

 set pfs group2

!

interface Tunnel1

 ip address 192.168.1.1 255.255.255.252

 tunnel source FastEthernet2/0

 tunnel destination 10.13.7.67

 tunnel protection ipsec profile cat-profile

Related Commands

Command	Description
crypto ipsec transform-set	Defines a transform set.
set pfs	Specifies that IP Security should ask for PFS when requesting new security associations for a crypto map entry.
set transform-set	Specifies which transform sets can be used with the crypto map entry.
tunnel protection	Associates a tunnel interface with an IPSec profile.

crypto ipsec security-association idle-time

To configure the IP Security (IPSec) security association (SA) idle timer, use the crypto ipsec security-association idle-time command in global configuration mode or crypto map configuration mode. To inactivate the IPSec SA idle timer, use the no form of this command.

crypto ipsec security-association idle-time seconds

no crypto ipsec security-association idle-time

Syntax Description

seconds

Time, in seconds, that the idle timer will allow an inactive peer to maintain an SA. Valid values for the seconds argument range from 60 to 86400.

Defaults

IPSec SA idle timers are disabled.

Command Modes

Global configuration
Crypto map configuration

Command History

Release	Modification
12.2(15)T	This command was introduced.

Usage Guidelines

Use the crypto ipsec security-association idle-time command to configure the IPSec SA idle timer. This timer controls the amount of time that an SA will be maintained for an idle peer.

Use the crypto ipsec security-association lifetime command to configure global lifetimes for IPSec SAs. There are two lifetimes: a "timed" lifetime and a "traffic-volume" lifetime. A security association expires after the first of these lifetimes is reached.

The IPSec SA idle timers are different from the global lifetimes for IPSec SAs. The expiration of the global lifetimes is independent of peer activity. The IPSec SA idle timer allows SAs associated with inactive peers to be deleted before the global lifetime has expired.

If the IPSec SA idle timers are not configured with the crypto ipsec security-association idle-time command, only the global lifetimes for IPSec SAs are applied. SAs are maintained until the global timers expire, regardless of peer activity.

---

Note If the last IPSec SA to a given peer is deleted due to idle timer expiration, the Internet Key Exchange (IKE) SA to that peer will also be deleted.

---

Examples

The following example configures the IPSec SA idle timer to drop SAs for inactive peers after 600 seconds:

crypto ipsec security-association idle-time 600

Related Commands

Command	Description
clear crypto sa	Deletes IPSec SAs.
crypto ipsec security-association lifetime	Changes global lifetime values used when negotiating IPSec SAs.

crypto ipsec security-association lifetime

To change global lifetime values used when negotiating IPSec security associations, use the crypto ipsec security-association lifetime command in global configuration mode. To reset a lifetime to the default value, use the no form of this command.

crypto ipsec security-association lifetime {seconds seconds | kilobytes kilobytes}

no crypto ipsec security-association lifetime {seconds |  kilobytes}

Syntax Description

seconds seconds	Specifies the number of seconds a security association will live before expiring. The default is 3600 seconds (one hour).
kilobytes kilobytes	Specifies the volume of traffic (in kilobytes) that can pass between IPSec peers using a given security association before that security association expires. The default is 4,608,000 kilobytes.

Defaults

3600 seconds (one hour) and 4,608,000 kilobytes (10 megabits per second for one hour).

Command Modes

Global configuration

Command History

Release	Modification
11.3 T	This command was introduced.

Usage Guidelines

IPSec security associations use shared secret keys. These keys and their security associations time out together.

Assuming that the particular crypto map entry does not have lifetime values configured, when the router requests new security associations during security association negotiation, it will specify its global lifetime value in the request to the peer; it will use this value as the lifetime of the new security associations. When the router receives a negotiation request from the peer, it will use the smaller of the lifetime value proposed by the peer or the locally configured lifetime value as the lifetime of the new security associations.

There are two lifetimes: a "timed" lifetime and a "traffic-volume" lifetime. The security association expires after the first of these lifetimes is reached.

If you change a global lifetime, the change is only applied when the crypto map entry does not have a lifetime value specified. The change will not be applied to existing security associations, but will be used in subsequent negotiations to establish new security associations. If you want the new settings to take effect sooner, you can clear all or part of the security association database by using the clear crypto sa command. Refer to the clear crypto sa command for more details.

To change the global timed lifetime, use the crypto ipsec security-association lifetime seconds form of the command. The timed lifetime causes the security association to time out after the specified number of seconds have passed.

To change the global traffic-volume lifetime, use the crypto ipsec security-association lifetime kilobytes form of the command. The traffic-volume lifetime causes the security association to time out after the specified amount of traffic (in kilobytes) has been protected by the security associations' key.

Shorter lifetimes can make it harder to mount a successful key recovery attack, since the attacker has less data encrypted under the same key to work with. However, shorter lifetimes require more CPU processing time for establishing new security associations.

The lifetime values are ignored for manually established security associations (security associations installed using an ipsec-manual crypto map entry).

How These Lifetimes Work

The security association (and corresponding keys) will expire according to whichever occurs sooner, either after the number of seconds has passed (specified by the seconds keyword) or after the amount of traffic in kilobytes has passed (specified by the kilobytes keyword).

A new security association is negotiated before the lifetime threshold of the existing security association is reached, to ensure that a new security association is ready for use when the old one expires. The new security association is negotiated either 30 seconds before the seconds lifetime expires or when the volume of traffic through the tunnel reaches 256 kilobytes less than the kilobytes lifetime (whichever occurs first).

If no traffic has passed through the tunnel during the entire life of the security association, a new security association is not negotiated when the lifetime expires. Instead, a new security association will be negotiated only when IPSec sees another packet that should be protected.

Examples

The following example shortens both lifetimes, because the administrator feels there is a higher risk that the keys could be compromised. The timed lifetime is shortened to 2700 seconds (45 minutes), and the traffic-volume lifetime is shortened to 2,304,000 kilobytes (10 megabits per second for one half hour).

crypto ipsec security-association lifetime seconds 2700

crypto ipsec security-association lifetime kilobytes 2304000

Related Commands

Command	Description
set security-association lifetime	Overrides (for a particular crypto map entry) the global lifetime value, which is used when negotiating IPSec security associations.
show crypto ipsec security-association lifetime	Displays the security-association lifetime value configured for a particular crypto map entry.

crypto ipsec security-association replay disable

To disable anti-replay checking globally, use the crypto ipsec security-association replay disable command in global configuration mode. To reset the configuration to enable anti-replay checking, use the no form of this command.

crypto ipsec security-association replay disable

no crypto ipsec security-association replay disable

Syntax Description

This command has no arguments or keywords.

Defaults

Anti-replay checking is enabled.

Command Modes

Global configuration

Command History

Release	Modification
12.3(14)T	This command was introduced.

Examples

The following example shows that anti-replay checking has been disabled globally:

crypto map mymap 10

exit

crypto ipsec security-association replay disable

Related Commands

Command	Description
crypto ipsec security-association replay window-size	Sets the size of the SA anti-replay window.

crypto ipsec security-association replay window-size

To set the size of the security association (SA) anti-replay window globally, use the crypto ipsec security-association replay window-size command in global configuration mode. To reset the window size to the default of 64, use the no form of this command.

crypto ipsec security-association replay window-size [N]

no crypto ipsec security-association replay window-size

Syntax Description

N	(Optional) Size of the window. Values can be 64, 128, 256, 512, or 1024. This value becomes the default value. Note The window size is significant only if anti-replay checking is enabled.

Defaults

If a window size is not entered, the default is 64.

Command Modes

Global configuration

Command History

Release	Modification
12.3(14)T	This command was introduced.

Examples

The following example shows that the size of the SA anti-replay window has been set globally to 128:

crypto map mymap 20

exit

crypto ipsec security-association replay window-size 128

Related Commands

Command	Description
crypto ipsec security-association replay disable	Disables anti-replay checking.

crypto ipsec transform-set

To define a transform set—an acceptable combination of security protocols and algorithms—use the crypto ipsec transform-set command in global configuration mode. To delete a transform set, use the no form of this command.

crypto ipsec transform-set transform-set-name transform1 [transform2] [transform3] [transform4]

no crypto ipsec transform-set transform-set-name

Syntax Description

transform-set-name	Name of the transform set to create (or modify).
transform1 transform2 transform3 transform4	Type of transform set. You may specify up to four "transforms": one Authentication Header (AH), one Encapsulating Security Payload (ESP) encryption, one ESP authentication, and one compression. These transforms define the IP Security (IPSec) security protocols and algorithms. Accepted transform values are described in Table 17.

Defaults

No default behavior or values

Command Modes

Global configuration

This command invokes the crypto transform configuration mode.

Command History

Release	Modification
11.3 T	This command was introduced.
12.2(13)T	The following transform set options were added: esp-aes, esp-aes 192, and esp-aes 256.
12.3(7)T	The esp-seal transform set option was added.

Usage Guidelines

A transform set is an acceptable combination of security protocols, algorithms, and other settings to apply to IPSec-protected traffic. During the IPSec security association (SA) negotiation, the peers agree to use a particular transform set when protecting a particular data flow.

You can configure multiple transform sets, and then specify one or more of these transform sets in a crypto map entry. The transform set defined in the crypto map entry is used in the IPSec SA negotiation to protect the data flows specified by the access list of that crypto map entry. During the negotiation, the peers search for a transform set that is the same at both peers. When such a transform set is found, it is selected and will be applied to the protected traffic as part of the IPSec SAs of both peers.

When Internet Key Exchange (IKE) is not used to establish SAs, a single transform set must be used. The transform set is not negotiated.

Before a transform set can be included in a crypto map entry, it must be defined using this command.

A transform set specifies one or two IPSec security protocols (either AH, ESP, or both) and specifies which algorithms to use with the selected security protocol. The AH and ESP IPSec security protocols are described in the section "IPSec Protocols: AH and ESP."

To define a transform set, you specify one to four "transforms"—each transform represents an IPSec security protocol (AH or ESP) plus the algorithm you want to use. When the particular transform set is used during negotiations for IPSec SAs, the entire transform set (the combination of protocols, algorithms, and other settings) must match a transform set at the remote peer.

In a transform set you can specify the AH protocol, the ESP protocol, or both. If you specify an ESP protocol in a transform set, you can specify just an ESP encryption transform set or both an ESP encryption transform set and an ESP authentication transform set.

Table 17 lists the acceptable transform set combination selections for the AH and ESP protocols.

Table 17 Allowed Transform Combinations

Transform Type	Transform	Description
AH Transform (Pick only one.)	ah-md5-hmac ah-sha-hmac	AH with the MD5 (Message Digest 5) (a Hash-based Message Authentication Code [HMAC] variant) authentication algorithm AH with the SHA (Secure Hash Algorithm) (an HMAC variant) authentication algorithm
ESP Encryption Transform (Pick only one.)	esp-aes esp-aes 192 esp-aes 256 esp-des esp-3des esp-null esp-seal	ESP with the 128-bit Advanced Encryption Standard (AES) encryption algorithim ESP with the 192-bit AES encryption algorithim ESP with the 256-bit AES encryption algorithim ESP with the 56-bit Data Encryption Standard (DES) encryption algorithm ESP with the 168-bit DES encryption algorithm (3DES or Triple DES) Null encryption algorithm ESP with the 160-bit SEAL encryption algorithm.
ESP Authentication Transform (Pick only one.)	esp-md5-hmac esp-sha-hmac	ESP with the MD5 (HMAC variant) authentication algorithm ESP with the SHA (HMAC variant) authentication algorithm
IP Compression Transform	comp-lzs	IP compression with the Lempel-Ziv-Stac (LZS) algorithm

Examples of acceptable transform set combinations are as follows:

•ah-md5-hmac

•esp-des

•esp-3des and esp-md5-hmac

•ah-sha-hmac and esp-des and esp-sha-hmac

•comp-lzs and esp-sha-hmac and esp-aes (In general, the comp-lzs transform set can be included with any other legal combination that does not already include the comp-lzs transform.)

•esp-seal and esp-md5-hmac

The parser will prevent you from entering invalid combinations; for example, after you specify an AH transform set, it will not allow you to specify another AH transform set for the current transform set.

IPSec Protocols: AH and ESP

Both the AH and ESP protocols implement security services for IPSec.

AH provides data authentication and antireplay services.

ESP provides packet encryption and optional data authentication and antireplay services.

ESP encapsulates the protected data—either a full IP datagram (or only the payload)—with an ESP header and an ESP trailer. AH is embedded in the protected data; it inserts an AH header immediately after the outer IP header and before the inner IP datagram or payload. Traffic that originates and terminates at the IPSec peers can be sent in either tunnel or transport mode; all other traffic is sent in tunnel mode. Tunnel mode encapsulates and protects a full IP datagram, while transport mode encapsulates or protects the payload of an IP datagram. For more information about modes, see the mode (IPSec) command description.

The esp-seal Transform

There are three limitations on the use of the esp-seal transform set:

•The esp-seal transform set can be used only if no crypto accelerators are present. This limitation is present because no current crypto accelerators implement the SEAL encryption transform set, and if a crypto accelerator is present, it will handle all IPSec connections that are negotiated with IKE. If a crypto accelerator is present, the Cisco IOS software will allow the transform set to be configured, but it will warn that it will not be used as long as the crypto accelerator is enabled.

•The esp-seal transform set can be used only in conjunction with an authentication transform set, namely one of these: esp-md5-hmac, esp-sha-hmac, ah-md5-hmac, or ah-sha-hmac. This limitation is present because SEAL encryption is especially weak when it comes to protecting against modifications of the encrypted packet. Therefore, to prevent such a weakness, an authentication transform set is required. (Authentication transform sets are designed to foil such attacks.) If you attempt to configure an IPSec transform set using SEAL but without an authentication transform set, an error is generated, and the transform set is rejected.

•The esp-seal transform set cannot be used with a manually keyed crypto map. This limitation is present because such a configuration would reuse the same keystream for each reboot, which would compromise security. Because of the security issue, such a configuration is prohibited. If you attempt to configure a manually keyed crypto map with a SEAL-based transform set, an error is generated, and the transform set is rejected.

Selecting Appropriate Transform Sets

The following tips may help you select transform sets that are appropriate for your situation:

•If you want to provide data confidentiality, include an ESP encryption transform set.

•If you want to ensure data authentication for the outer IP header as well as the data, include an AH transform set. (Some consider the benefits of outer IP header data integrity to be debatable.)

•If you use an ESP encryption transform set, also consider including an ESP authentication transform set or an AH transform set to provide authentication services for the transform set.

•If you want data authentication (either using ESP or AH), you can choose from the MD5 or SHA (HMAC keyed hash variants) authentication algorithms. The SHA algorithm is generally considered stronger than MD5 but is slower.

•Note that some transform sets might not be supported by the IPSec peer.

---

Note If a user enters an IPSec transform set that the hardware does not support, a warning message will be displayed immediately after the crypto ipsec transform-set command is entered.

---

•In cases where you need to specify an encryption transform set but do not actually encrypt packets, you can use the esp-null transform.

Suggested transform set combinations follow:

•esp-3des and esp-sha-hmac

•esp-aes and esp-md5-hmac

The Crypto Transform Configuration Mode

After you issue the crypto ipsec transform-set command, you are put into the crypto transform configuration mode. While in this mode, you can change the mode to tunnel or transport. (These are optional changes.) After you have made these changes, type exit to return to global configuration mode. For more information about these optional changes, see the match address (IPSec) and mode (IPSec) command descriptions.

Changing Existing Transform Sets

If one or more transform sets are specified in the crypto ipsec transform-set command for an existing transform set, the specified transform sets will replace the existing transform sets for that transform set.

If you change a transform set definition, the change is only applied to crypto map entries that reference the transform set. The change will not be applied to existing SAs but will be used in subsequent negotiations to establish new SAs. If you want the new settings to take effect sooner, you can clear all or part of the SA database by using the clear crypto sa command.

Examples

The following example defines two transform sets. The first transform set will be used with an IPSec peer that supports the newer ESP and AH protocols. The second transform set will be used with an IPSec peer that supports only the older transforms.

Router (config)# crypto ipsec transform-set newer esp-3des esp-sha-hmac

Router (config)# crypto ipsec transform-set older ah-rfc-1828 esp-rfc1829

The following example is a sample warning message that is displayed when a user enters an IPSec transform set that the hardware does not support:

Router (config)# crypto ipsec transform transform-1 esp-aes 256 esp-md5

WARNING:encryption hardware does not support transform

esp-aes 256 within IPSec transform transform-1

The following output example shows that SEAL encryption has been correctly configured with an authentication transform set:

Router (config)# crypto ipsec transform-set seal esp-seal esp-sha-hmac

The following example is a warning message that is displayed when SEAL encryption has been configured with a crypto accelerator present:

Router (config)# show running-config

crypto ipsec transform-set seal esp-seal esp-sha-hmac

! Disabled because transform not supported by encryption hardware

The following example is an error message that is displayed when SEAL encryption has been configured without an authentication transform set:

Router (config)# crypto ipsec transform seal esp-seal

ERROR: Transform requires either ESP or AH authentication.

The following example is an error message that is displayed when SEAL encryption has been configured within a manually keyed crypto map:

Router (config)# crypto map green 10 ipsec-manual

%Note: This new crypto map will remain disabled until a peer 
        and a valid access list have been configured.

Router (config-crypto-map)# set transform seal

ERROR: transform seal illegal for a manual crypto map.

Related Commands

Command	Description
clear crypto sa	Deletes IPSec security associations.
crypto ipsec transform-set	Defines a transform set—an acceptable combination of security protocols and algorithms.
match address	Specifies an extended access list for a crypto map entry.
mode (IPSec)	Changes the mode for a transform set.
set transform-set	Specifies which transform sets can be used with the crypto map entry.
show crypto ipsec transform-set	Displays the configured transform sets.

crypto isakmp aggressive-mode disable

To block all Internet Security Association and Key Management Protocol (ISAKMP) aggressive mode requests to and from a device, use the crypto isakmp aggressive-mode disable command in global configuration mode. To disable the blocking, use the no form of this command.

crypto isakmp aggressive-mode disable

no crypto isakmp aggressive-mode disable

Syntax Description

This command has no arguments or keywords.

Defaults

If this command is not configured, Cisco IOS software will attempt to process all incoming ISAKMP aggressive mode security association (SA) connections. In addition, if the device has been configured with the crypto isakmp peer address and the set aggressive-mode password or set aggressive-mode client-endpoint commands, the device will initiate aggressive mode if this command is not configured.

Command Modes

Global configuration

Command History

Release	Modification
12.3(1)	This command was introduced on all Cisco IOS platforms that support IP Security (IPSec).

Usage Guidelines

If you configure this command, all aggressive mode requests to the device and all aggressive mode requests made by the device are blocked, regardless of the ISAKMP authentication type (preshared keys or Rivest, Shamir, and Adelman [RSA] signatures).

If a request is made by or to the device for aggressive mode, the following syslog notification is sent:

Unable to initiate or respond to Aggressive Mode while disabled

---

Note This command will prevent Easy Virtual Private Network (Easy VPN) clients from connecting if they are using preshared keys because Easy VPN clients (hardware and software) use aggressive mode.

---

Examples

The following example shows that all aggressive mode requests to and from a device are blocked:

Router (config)# crypto isakmp aggressive-mode disable

crypto isakmp client configuration address-pool local

To configure the IP address local pool to reference Internet Key Exchange (IKE) on your router, use the crypto isakmp client configuration address-pool local command in global configuration mode. To restore the default value, use the no form of this command.

crypto isakmp client configuration address-pool local pool-name

no crypto isakmp client configuration address-pool local

Syntax Description

pool-name

Specifies the name of a local address pool.

Defaults

IP address local pools do not reference IKE.

Command Modes

Global configuration

Command History

Release	Modification
12.0(4)XE	This command was introduced.
12.0(7)T	This command was integrated into Cisco IOS release 12.0(7)T.

Examples

The following example references IP address local pools to IKE on your router, with "ire" as the pool-name:

crypto isakmp client configuration address-pool local ire

Related Commands

Command	Description
ip local pool	Configures a local pool of IP addresses to be used when a remote peer connects to a point-to-point interface.

crypto isakmp client configuration group

To specify to which group a policy profile will be defined, use the crypto isakmp client configuration group command in global configuration mode. To remove this command and all associated subcommands from your configuration, use the no form of this command.

crypto isakmp client configuration group {group-name | default}

no crypto isakmp client configuration group

Syntax Description

group-name	Group definition that identifies which policy is enforced for users.
default	Policy that is enforced for all users who do not offer a group name that matches a group-name argument. The default keyword can only be configured locally.

Defaults

No default behavior or values

Command Modes

Global configuration

Command History

Release	Modification
12.2(8)T	This command was introduced.
12.3(2)T	The access-restrict, firewall are-u-there, group-lock, include-local-lan, and save-password commands were added. These commands are added during Mode Configuration. In addition, this command was modified so that output for this command will show that the preshared key is either encrypted or unencrypted.
12.3(4)T	The backup-gateway, max-logins, max-users, and pfs commands were added.

Usage Guidelines

Use the crypto isakmp client configuration group command to specify group policy information that needs to be defined or changed. You may wish to change the group policy on your router if you decide to connect to the client using a group ID that does not match the group-name argument.

After enabling this command, which puts you in Internet Security Association Key Management Protocol (ISAKMP) group configuration mode, you can specify characteristics for the group policy using the following commands:

•access-restrict—Ties a particular Virtual Private Network (VPN) group to a specific interface for access to the Cisco IOS gateway and the services it protects.

•acl—Configures split tunneling.

•backup-gateway—Configures a server to "push down" a list of backup gateways to the client. These gateways are tried in order in the case of a failure of the previous gateway. The gateways may be specified using IP addresses or host names.

•dns—Specifies the primary and secondary Domain Name Service (DNS) servers for the group.

•domain—Specifies group domain membership.

•firewall are-u-there—Adds the Firewall-Are-U-There attribute to the server group if your PC is running the Black Ice or Zone Alarm personal firewalls.

•group-lock—Use if preshared key authentication is used with Internet Key Exchange (IKE). Allows you to enter your extended authentication (Xauth) username. The group delimiter is compared against the group identifier sent during IKE aggressive mode.

•include-local-lan—Configures the Include-Local-LAN attribute to allow a nonsplit-tunneling connection to access the local subnetwork at the same time as the client.

•key—Specifies the IKE preshared key when defining group policy information for Mode Configuration push.

•max-logins—Limits the number of simultaneous logins for users in a specific user group.

•max-users—Limits the number of connections to a specific server group.

•pfs—Configures a server to notify the client of the central-site policy regarding whether PFS is required for any IPSec SA. Because the client device does not have a user interface option to enable or disable PFS negotiation, the server will notify the client device of the central site policy via this parameter. The Diffie-Hellman (D-H) group that is proposed for PFS will be the same that was negotiated in Phase 1 of the IKE negotiation.

•pool—Refers to the IP local pool address used to allocate internal IP addresses to clients.

•save-password—Saves your Xauth password locally on your PC.

•split-dns—Specifies a list of domain names that must be tunneled or resolved to the private network.

•wins—Specifies the primary and secondary Windows Internet Naming Service (WINS) servers for the group.

Output for the crypto isakmp client configuration group command (using the key subcommand) will show that the preshared key is either encrypted or unencrypted. An output example for an unencrypted preshared key would be as follows:

crypto isakmp client configuration group key test

An output example for a type 6 encrypted preshared key would be as follows:

crypto isakmp client configuration group

 key 6 JK_JHZPeJV_XFZTKCQFYAAB

Session Monitoring and Limiting for Easy VPN Clients

It is possible to mimic the functionality provided by some RADIUS servers for limiting the number of connections to a specific server group and also for limiting the number of simultaneous logins for users in that group.

To limit the number of connections to a specific server group, use the max-users subcommand. To limit the number of simultaneous logins for users in the server group, use the max-logins subcommand.

The following example shows the RADIUS attribute-value (AV) pairs for the maximum users and maximum logins parameters:

ipsec:max-users=1000

ipsec:max-logins=1

The max-users and max-logins commands can be enabled together or individually to control the usage of resources by any groups or individuals.

If you use a RADIUS server, such as a CiscoSecure access control server (ACS), it is recommended that you enable this session control on the RADIUS server if the functionality is provided. In this way, usage can be controlled across a number of servers by one central repository. When enabling this feature on the router itself, only connections to groups on that specific device are monitored, and load-sharing scenarios are not accurately accounted for.

Examples

The following example shows how to define group policy information for Mode Configuration push. In this example, the first group name is "cisco" and the second group name is "default." Thus, the default policy will be enforced for all users who do not offer a group name that matches "cisco."

crypto isakmp client configuration group cisco

 key cisco

 dns 2.2.2.2 2.2.2.3

 wins 6.6.6.6

 domain cisco.com

 pool fred

 acl 199

!

crypto isakmp client configuration group default

 key cisco

 dns 2.2.2.2 2.3.2.3

 pool fred

 acl 199

Related Commands

Command	Description
access-restrict	Ties a particular VPN group to a specific interface for access to the Cisco IOS gateway and the services it protects.
acl	Configures split tunneling.
backup-gateway	Configures a server to "push down" a list of backup gateways to the client.
crypto isakmp keepalive	Adds the Firewall-Are-U-There attribute to the server group if your PC is running the Black Ice or Zone Alarm personal firewalls
dns	Specifies the primary and secondary DNS servers.
domain (isakmp-group)	Specifies the DNS domain to which a group belongs.
firewall are-u-there	Adds the Firewall-Are-U-There attribute to the server group if your PC is running the Black Ice or Zone Alarm personal firewalls.
group-lock	Allows you to enter your Xauth username, including the group name, when preshared key authentication is used with IKE.
include-local-lan	Configures the Include-Local-LAN attribute to allow a nonsplit-tunneling connection to access the local subnetwork at the same time as the client.
key (isakmp-group)	Specifies the IKE preshared key for Group-Policy attribute definition.
max-logins	Limits the number of simultaneous logins for users in a specific server group.
max-users	Limits the number of connections to a specific server group.
pool (isakmp-group)	Defines a local pool address.
save-password	Saves your Xauth password locally on your PC.
set aggressive-mode client-endpoint	Specifies the Tunnel-Client-Endpoint attribute within an ISAKMP peer configuration.

crypto isakmp enable

To globally enable Internet Key Exchange (IKE) for your peer router, use the crypto isakmp enable command in global configuration mode. To disable IKE for the peer, use the no form of this command.

crypto isakmp enable

no crypto isakmp enable

Syntax Description

This command has no arguments or keywords.

Defaults

IKE is enabled.

Command Modes

Global configuration

Command History

Release	Modification
11.3 T	This command was introduced.

Usage Guidelines

IKE is enabled by default. IKE does not have to be enabled for individual interfaces, but is enabled globally for all interfaces at the router.

If you do not want IKE to be used for your IPSec implementation, you can disable IKE for all your IP Security peers. If you disable IKE for one peer, you must disable it for all IPSec peers.

If you disable IKE, you will have to make these concessions at the peers:

•You must manually specify all the IPSec security associations (SAs) in the crypto maps at the peers. (Crypto map configuration is described in the chapter "Configuring IPSec Network Security" in the Cisco IOS Security Configuration Guide.)

•The IPSec SAs of the peers will never time out for a given IPSec session.

•During IPSec sessions between the peers, the encryption keys will never change.

•Anti-replay services will not be available between the peers.

•Certification authority (CA) support cannot be used.

---

Note Effective with Cisco IOS Release 12.3(2)T, a device is prevented from responding to Internet Security Association and Key Management Protocol (ISAKMP) by default unless there is a crypto map applied to an interface or if Easy VPN is configured.

---

Examples

The following example disables IKE at one peer. (The same command should be issued for all remote peers.)

no crypto isakmp enable

crypto isakmp identity

To define the identity used by the router when participating in the Internet Key Exchange (IKE) protocol, use the crypto isakmp identity command in global configuration mode. Set an Internet Security Association Key Management Protocol (ISAKMP) identity whenever you specify preshared keys. To reset the ISAKMP identity to the default value (address), use the no form of this command.

crypto isakmp identity {address | hostname}

no crypto isakmp identity

Syntax Description

address	Sets the ISAKMP identity to the IP address of the interface that is used to communicate to the remote peer during IKE negotiations.
hostname	Sets the ISAKMP identity to the host name concatenated with the domain name (for example, myhost.example.com).

Defaults

The IP address is used for the ISAKMP identity.

Command Modes

Global configuration

Command History

Release	Modification
11.3 T	This command was introduced.

Usage Guidelines

Use this command to specify an ISAKMP identity either by IP address or by host name.

The address keyword is typically used when there is only one interface (and therefore only one IP address) that will be used by the peer for IKE negotiations, and the IP address is known.

The hostname keyword should be used if there is more than one interface on the peer that might be used for IKE negotiations, or if the interface's IP address is unknown (such as with dynamically assigned IP addresses).

As a general rule, you should set all peers' identities in the same way, either by IP address or by host name.

Examples

The following example uses preshared keys at two peers and sets both their