Table Of Contents
crypto isakmp aggressive-mode disable
crypto isakmp client configuration address-pool local
crypto isakmp client configuration browser-proxy
crypto isakmp client configuration group
crypto isakmp client firewall
crypto isakmp default policy
crypto isakmp enable
crypto isakmp fragmentation
crypto isakmp identity
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive
crypto isakmp key
crypto isakmp nat keepalive
crypto isakmp peer
crypto isakmp policy
crypto isakmp profile
crypto key decrypt rsa
crypto key encrypt rsa
crypto key export pem
crypto key generate rsa
crypto key import pem
crypto key lock rsa
crypto key move rsa
crypto key pubkey-chain rsa
crypto key storage
crypto key unlock rsa
crypto key zeroize rsa
crypto keyring
crypto logging ezvpn
crypto map (global IPSec)
crypto map (interface IPSec)
crypto map client authentication list
crypto map client configuration address
crypto map gdoi fail-close
crypto map isakmp authorization list
crypto map isakmp-profile
crypto map local-address
crypto map redundancy replay-interval
crypto mib ipsec flowmib history failure size
crypto mib ipsec flowmib history tunnel size
crypto isakmp aggressive-mode disable
To block all Internet Security Association and Key Management Protocol (ISAKMP) aggressive mode requests to and from a device, use the crypto isakmp aggressive-mode disable command in global configuration mode. To disable the blocking, use the no form of this command.
crypto isakmp aggressive-mode disable
no crypto isakmp aggressive-mode disable
Syntax Description
This command has no arguments or keywords.
Defaults
If this command is not configured, Cisco IOS software will attempt to process all incoming ISAKMP aggressive mode security association (SA) connections. In addition, if the device has been configured with the crypto isakmp peer address and the set aggressive-mode password or set aggressive-mode client-endpoint commands, the device will initiate aggressive mode if this command is not configured.
Command Modes
Global configuration
Command History
Release | Modification
12.3(1) | This command was introduced on all Cisco IOS platforms that support IP Security (IPSec).
Usage Guidelines
If you configure this command, all aggressive mode requests to the device and all aggressive mode requests made by the device are blocked, regardless of the ISAKMP authentication type (preshared keys or Rivest, Shamir, and Adleman [RSA] signatures).
If a request is made by or to the device for aggressive mode, the following syslog notification is sent:
Unable to initiate or respond to Aggressive Mode while disabled
Note
This command will prevent Easy Virtual Private Network (Easy VPN) clients from connecting if they are using preshared keys because Easy VPN clients (hardware and software) use aggressive mode.
Examples
The following example shows that all aggressive mode requests to and from a device are blocked:
Router(config)# crypto isakmp aggressive-mode disable
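The exchange type field in the ISAKMP header is what distinguishes an aggressive mode request from a main mode one, so the condition this command enforces on the router can also be checked on the wire, for example in a packet capture taken in front of the VPN gateway. The following Python code is an added example, not Cisco code and not part of this reference: it parses the fixed 28-byte ISAKMP header defined in RFC 2408, strips the Non-ESP marker that IKE carries on UDP/4500 under NAT-T (RFC 3948), and flags IKEv1 exchange type 4 (Aggressive) while ignoring IKEv2 and ESP traffic. The sample packets, addresses, and function names are constructed for the example.

```python
"""Wire-level check for IKEv1 aggressive mode (added example, not Cisco code).

Parses the 28-byte ISAKMP header (RFC 2408 section 3.1) and flags exchange
type 4 (Aggressive). Sample packets below are constructed, not captured.
"""
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Initiator SPI(8) Responder SPI(8) NextPayload(1) Version(1) ExchType(1) Flags(1) MsgID(4) Length(4)
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
ISAKMP_HDR_LEN = ISAKMP_HDR.size  # 28 bytes

EXCHANGE_TYPES = {
    1: "Base", 2: "Identity Protection (Main Mode)", 3: "Authentication Only",
    4: "Aggressive", 5: "Informational", 32: "Quick Mode", 33: "New Group Mode",
    34: "IKE_SA_INIT (IKEv2)", 35: "IKE_AUTH (IKEv2)",
}
XCHG_MAIN_MODE = 2
XCHG_AGGRESSIVE = 4
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948: four zero bytes in front of IKE on UDP/4500


@dataclass
class IsakmpHeader:
    initiator_spi: bytes
    responder_spi: bytes
    next_payload: int
    major: int
    minor: int
    exchange_type: int
    flags: int
    message_id: int
    length: int

    @property
    def exchange_name(self) -> str:
        return EXCHANGE_TYPES.get(self.exchange_type, f"unknown({self.exchange_type})")


def parse_isakmp_header(payload: bytes, udp_dport: int = 500) -> IsakmpHeader:
    """Parse the UDP payload of an IKE packet received on port 500 or 4500."""
    if udp_dport == 4500:
        # On 4500, ESP and IKE share the port; only IKE carries the Non-ESP marker.
        if not payload.startswith(NON_ESP_MARKER):
            raise ValueError("UDP/4500 payload without Non-ESP marker is ESP, not IKE")
        payload = payload[len(NON_ESP_MARKER):]
    if len(payload) < ISAKMP_HDR_LEN:
        raise ValueError("truncated ISAKMP header")
    ispi, rspi, next_payload, version, xchg, flags, msg_id, length = ISAKMP_HDR.unpack_from(payload)
    # The length field covers header plus all payloads; reject inconsistent values.
    if length < ISAKMP_HDR_LEN or length > len(payload):
        raise ValueError(f"ISAKMP length {length} inconsistent with {len(payload)} payload bytes")
    return IsakmpHeader(ispi, rspi, next_payload, version >> 4, version & 0x0F,
                        xchg, flags, msg_id, length)


def is_aggressive_mode(payload: bytes, udp_dport: int = 500) -> bool:
    """True only for IKEv1 (major version 1) packets of the Aggressive exchange type."""
    hdr = parse_isakmp_header(payload, udp_dport)
    return hdr.major == 1 and hdr.exchange_type == XCHG_AGGRESSIVE


def find_aggressive_mode(flows: List[Tuple[str, str, int, bytes]]) -> List[str]:
    """Scan (src, dst, dport, payload) records; one finding per aggressive-mode packet.
    Malformed or non-IKE payloads are skipped, not reported."""
    findings = []
    for src, dst, dport, payload in flows:
        try:
            hdr = parse_isakmp_header(payload, dport)
        except ValueError:
            continue
        if hdr.major == 1 and hdr.exchange_type == XCHG_AGGRESSIVE:
            # A zero responder SPI means this is the initiator's first message.
            who = "initiates" if hdr.responder_spi == bytes(8) else "continues"
            findings.append(f"{src} -> {dst}:{dport} {who} IKEv1 Aggressive Mode "
                            f"(msg id {hdr.message_id:#x})")
    return findings


def build_isakmp_packet(exchange_type: int, body: bytes, major: int = 1, minor: int = 0,
                        responder_spi: bytes = bytes(8), flags: int = 0) -> bytes:
    """Construct header + opaque body for the samples; the initiator SPI is a fixed dummy."""
    hdr = ISAKMP_HDR.pack(b"\x11" * 8, responder_spi, 1, (major << 4) | minor,
                          exchange_type, flags, 0, ISAKMP_HDR_LEN + len(body))
    return hdr + body


# Constructed samples: the bodies are zero padding, only the header matters here.
SAMPLE_MAIN_MODE = build_isakmp_packet(XCHG_MAIN_MODE, b"\x00" * 40)
SAMPLE_AGGRESSIVE = build_isakmp_packet(XCHG_AGGRESSIVE, b"\x00" * 120)
SAMPLE_AGGRESSIVE_NATT = NON_ESP_MARKER + SAMPLE_AGGRESSIVE
SAMPLE_IKEV2_INIT = build_isakmp_packet(34, b"\x00" * 60, major=2)
SAMPLE_FLOWS = [
    ("192.0.2.10", "198.51.100.1", 500, SAMPLE_MAIN_MODE),
    ("192.0.2.11", "198.51.100.1", 500, SAMPLE_AGGRESSIVE),
    ("192.0.2.12", "198.51.100.1", 4500, SAMPLE_AGGRESSIVE_NATT),
    ("192.0.2.13", "198.51.100.1", 500, SAMPLE_IKEV2_INIT),
    ("192.0.2.14", "198.51.100.1", 4500, b"\x00\x00\x12\x34" + b"\x00" * 40),  # ESP, not IKE
]

if __name__ == "__main__":
    for finding in find_aggressive_mode(SAMPLE_FLOWS):
        print(finding)
```

Seeing a finding from an address that is not an Easy VPN client is exactly the case the command above blocks; seeing one from a known Easy VPN client that authenticates with preshared keys is expected, which is why the note in this section warns that enabling the command breaks those clients.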
crypto isakmp client configuration address-pool local
To configure the IP address local pool to reference Internet Key Exchange (IKE) on your router, use the crypto isakmp client configuration address-pool local command in global configuration mode. To restore the default value, use the no form of this command.
crypto isakmp client configuration address-pool local pool-name
no crypto isakmp client configuration address-pool local
Syntax Description
pool-name | Specifies the name of a local address pool.
Defaults
IP address local pools do not reference IKE.
Command Modes
Global configuration
Command History
Release | Modification
12.0(4)XE | This command was introduced.
12.0(7)T | This command was integrated into Cisco IOS Release 12.0(7)T.
12.2(33)SRA | This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX | This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Examples
The following example references IP address local pools to IKE on your router, with "ire" as the pool-name:
crypto isakmp client configuration address-pool local ire
Related Commands
Command | Description
ip local pool | Configures a local pool of IP addresses to be used when a remote peer connects to a point-to-point interface.
crypto isakmp client configuration browser-proxy
To configure browser-proxy parameters for an Easy VPN remote device and to enter ISAKMP browser proxy configuration mode, use the crypto isakmp client configuration browser-proxy command in global configuration mode. To disable the browser-proxy parameters, use the no form of this command.
crypto isakmp client configuration browser-proxy {browser-proxy-name}
no crypto isakmp client configuration browser-proxy {browser-proxy-name}
Syntax Description
browser-proxy-name | Name of the browser proxy.
Command Default
Browser-proxy parameters are not set.
Command Modes
Global configuration (config)
Command History
Release | Modification
12.4(2)T | This command was introduced.
12.2(33)SRA | This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX | This command is supported in the Cisco IOS 12.2SX family of releases. Support in a specific 12.2SX release is dependent on your feature set, platform, and platform hardware.
Usage Guidelines
While specifying the proxy server, the proxy IP address and port number are separated with a colon. The proxy exception list is a semicolon-delimited string of IP addresses.
After enabling this command, you may specify the following subcommand:
• proxy—Configures proxy parameters for your Easy VPN remote device (see the proxy command for more information about this command and the acceptable parameters).
Examples
The following example shows various browser-proxy parameter settings for a browser proxy named "bproxy":
crypto isakmp client configuration browser-proxy bproxy
 proxy server 10.1.1.1:2000
 proxy exception-list 10.2.2.*,www.*org
Related Commands
Command | Description
proxy | Configures proxy parameters for an Easy VPN remote device.
crypto isakmp client configuration group
To specify to which group a policy profile will be defined and to enter crypto ISAKMP group configuration mode, use the crypto isakmp client configuration group command in global configuration mode. To remove this command and all associated subcommands from your configuration, use the no form of this command.
crypto isakmp client configuration group {group-name | default}
no crypto isakmp client configuration group
Syntax Description
group-name | Group definition that identifies which policy is enforced for users.
default | Policy that is enforced for all users who do not offer a group name that matches a group-name argument. The default keyword can only be configured locally.
Defaults
No default behavior or values
Command Modes
Global configuration (config)
Command History
Release | Modification
12.2(8)T | This command was introduced.
12.3(2)T | The access-restrict, firewall are-u-there, group-lock, include-local-lan, and save-password commands were added. These commands are added during Mode Configuration. In addition, this command was modified so that output for this command will show that the preshared key is either encrypted or unencrypted.
12.3(4)T | The backup-gateway, max-logins, max-users, and pfs commands were added.
12.2(18)SXD | This command was integrated into Cisco IOS Release 12.2(18)SXD.
12.4(2)T | The browser-proxy command was added.
12.4(6)T | The firewall policy command was added.
12.2(33)SRA | This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.4(9)T | The crypto aaa attribute list, dhcp server, and dhcp timeout commands were added.
12.4(11)T | The dhcp giaddr command was added.
Usage Guidelines
Use the crypto isakmp client configuration group command to specify group policy information that needs to be defined or changed. You may wish to change the group policy on your router if you decide to connect to the client using a group ID that does not match the group-name argument.
After enabling this command, which puts you in Internet Security Association Key Management Protocol (ISAKMP) group configuration mode, you can specify characteristics for the group policy using the following commands:
• access-restrict—Ties a particular Virtual Private Network (VPN) group to a specific interface for access to the Cisco IOS gateway and the services it protects.
• acl—Configures split tunneling.
• auto-update client—Configures auto upgrade.
• backup-gateway—Configures a server to "push down" a list of backup gateways to the client. These gateways are tried in order in the case of a failure of the previous gateway. The gateways may be specified using IP addresses or host names.
• banner—Specifies a mode configuration banner.
• browser-proxy—Applies a browser-proxy map to a group.
• configuration url—Specifies on a server the URL an Easy VPN remote device must use to get a configuration in a Mode Configuration Exchange.
• configuration version—Specifies on a server the version a Cisco Easy VPN remote device must use to get a particular configuration in a Mode Configuration Exchange.
• crypto aaa attribute list—Defines a AAA attribute list of per-user attributes on a local Easy VPN server.
• dhcp giaddr—Configures an IP address on the Easy VPN server for the Dynamic Host Configuration Protocol (DHCP) to use. The DHCP server uses the giaddr keyword to determine the scope for the client IP address assignment. If the giaddr keyword is not configured, the Easy VPN server must be configured with a loopback interface to communicate with the DHCP server, and the IP address on the loopback interface determines the scope for the client IP address assignment.
• dhcp server—Configures multiple DHCP server entries.
• dhcp timeout—Controls the wait time before the next DHCP server on the list is tried.
• dns—Specifies the primary and secondary Domain Name Service (DNS) servers for the group.
• domain—Specifies group domain membership.
• firewall are-u-there—Adds the Firewall-Are-U-There attribute to the server group if your PC is running the Black Ice or Zone Alarm personal firewalls.
• firewall policy—Specifies the CPP firewall policy push name for the crypto ISAKMP client configuration group on a local AAA server.
• group-lock—Use if preshared key authentication is used with Internet Key Exchange (IKE). Allows you to enter your extended authentication (Xauth) username. The group delimiter is compared against the group identifier sent during IKE aggressive mode.
• include-local-lan—Configures the Include-Local-LAN attribute to allow a nonsplit-tunneling connection to access the local subnetwork at the same time as the client.
• key—Specifies the IKE preshared key when defining group policy information for Mode Configuration push.
• max-logins—Limits the number of simultaneous logins for users in a specific user group.
• max-users—Limits the number of connections to a specific server group.
• netmask—Subnet mask to be used by the client for local connectivity.
• pfs—Configures a server to notify the client of the central-site policy regarding whether PFS is required for any IPsec SA. Because the client device does not have a user interface option to enable or disable PFS negotiation, the server will notify the client device of the central site policy via this parameter. The Diffie-Hellman (D-H) group that is proposed for PFS will be the same that was negotiated in Phase 1 of the IKE negotiation.
• pool—Refers to the IP local pool address used to allocate internal IP addresses to clients.
• save-password—Saves your Xauth password locally on your PC.
• split-dns—Specifies a list of domain names that must be tunneled or resolved to the private network.
• wins—Specifies the primary and secondary Windows Internet Naming Service (WINS) servers for the group.
Output for the crypto isakmp client configuration group command (using the key subcommand) will show that the preshared key is either encrypted or unencrypted. A key is written as type 6 (AES encrypted) only after password encryption has been enabled on the router with the key config-key password-encrypt and password encryption aes commands; otherwise the preshared key appears in the configuration in clear text. An output example for an unencrypted preshared key would be as follows:
crypto isakmp client configuration group
 key test
An output example for a type 6 encrypted preshared key would be as follows:
crypto isakmp client configuration group
 key 6 JK_JHZPeJV_XFZTKCQFYAAB
Session Monitoring and Limiting for Easy VPN Clients
It is possible to mimic the functionality provided by some RADIUS servers for limiting the number of connections to a specific server group and also for limiting the number of simultaneous logins for users in that group.
To limit the number of connections to a specific server group, use the max-users subcommand. To limit the number of simultaneous logins for users in the server group, use the max-logins subcommand.
The following example shows the RADIUS attribute-value (AV) pairs for the maximum users and maximum logins parameters:
The max-users and max-logins commands can be enabled together or individually to control the usage of resources by any groups or individuals.
If you use a RADIUS server, such as a CiscoSecure access control server (ACS), it is recommended that you enable this session control on the RADIUS server if the functionality is provided. In this way, usage can be controlled across a number of servers by one central repository. When enabling this feature on the router itself, only connections to groups on that specific device are monitored, and load-sharing scenarios are not accurately accounted for.
Examples
The following example shows how to define group policy information for Mode Configuration push. In this example, the first group name is "cisco" and the second group name is "default." Thus, the default policy will be enforced for all users who do not offer a group name that matches "cisco."
crypto isakmp client configuration group cisco
crypto isakmp client configuration group default
Related Commands
Command | Description
access-restrict | Ties a particular VPN group to a specific interface for access to the Cisco IOS gateway and the services it protects.
acl | Configures split tunneling.
backup-gateway | Configures a server to "push down" a list of backup gateways to the client.
browser-proxy | Applies browser-proxy parameter settings to a group.
crypto isakmp keepalive | Allows the gateway to send dead peer detection (DPD) messages to the peer.
dns | Specifies the primary and secondary DNS servers.
domain (isakmp-group) | Specifies the DNS domain to which a group belongs.
firewall are-u-there | Adds the Firewall-Are-U-There attribute to the server group if your PC is running the Black Ice or Zone Alarm personal firewalls.
firewall policy | Specifies the CPP firewall policy push name for the crypto ISAKMP client configuration group on a local AAA server.
group-lock | Allows you to enter your Xauth username, including the group name, when preshared key authentication is used with IKE.
include-local-lan | Configures the Include-Local-LAN attribute to allow a nonsplit-tunneling connection to access the local subnetwork at the same time as the client.
key (isakmp-group) | Specifies the IKE preshared key for Group-Policy attribute definition.
max-logins | Limits the number of simultaneous logins for users in a specific server group.
max-users | Limits the number of connections to a specific server group.
pool (isakmp-group) | Defines a local pool address.
save-password | Saves your Xauth password locally on your PC.
set aggressive-mode client-endpoint | Specifies the Tunnel-Client-Endpoint attribute within an ISAKMP peer configuration.
crypto isakmp client firewall
To define the Central Policy Push (CPP) firewall policy push on a server, use the crypto isakmp client firewall command in global configuration mode. To remove the CPP policy that was configured, use the no form of this command.
crypto isakmp client firewall {policy-name} {required | optional} {firewall-type}
no crypto isakmp client firewall {policy-name} {required | optional} {firewall-type}
Syntax Description
policy-name | Uniquely identifies a policy. A policy name can be associated with an Easy VPN client group configuration on the server (local group configuration) or on the authentication, authorization, and accounting (AAA) server.
required | Policy is mandatory. If the CPP policy is defined as mandatory and is included in the Easy VPN server configuration, the tunnel setup is allowed only if the Cisco VPN Client confirms this policy. If the policy is not confirmed, the tunnel is terminated.
optional | Policy is optional. If the CPP policy is defined as optional and is included in the Easy VPN server configuration, the tunnel setup continues even if the Cisco VPN Client does not confirm the defined policy.
firewall-type | Type of firewall. See Table 25 for a list of acceptable firewall types.
Command Default
CPP is not configured.
Command Modes
Global configuration (config)
Command History
Release | Modification
12.4(6)T | This command was introduced.
12.2(33)SRA | This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX | This command is supported in the Cisco IOS 12.2SX family of releases. Support in a specific 12.2SX release is dependent on your feature set, platform, and platform hardware.
Usage Guidelines
Table 25 lists firewall types that may be used for the firewall-type argument.
Table 25 Acceptable Firewall Types
Firewall Type
Cisco-Integrated-firewall (central-policy-push)
Cisco-Security-Agent (check-presence)
Zonelabs-Zonealarm (both)
Zonelabs-ZonealarmPro (both)
Examples
The following example defines the CPP policy name as "hw-client-g-cpp." The "Cisco-Security-Agent" policy type is mandatory. The CPP inbound list is "192" and the outbound list is "sample":
crypto isakmp client firewall hw-client-g-cpp required Cisco-Security-Agent
policy central-policy-push access-list in 192
policy central-policy-push access-list out sample
Related Commands
Command | Description
policy | Specifies the CPP policy.
crypto isakmp default policy
To enable the default policies for the Internet Security Association and Key Management Protocol (ISAKMP) protection suite, use the crypto isakmp default policy command in global configuration mode. To disable the default IKE policies, use the no form of this command.
crypto isakmp default policy
no crypto isakmp default policy
Syntax Description
This command has no arguments or keywords.
Command Default
The default ISAKMP policies are enabled.
Command Modes
Global configuration (config)
Command History
Release | Modification
12.4(20)T | This command was introduced.
Usage Guidelines
If you have neither manually configured ISAKMP policies with the crypto isakmp policy command nor issued the no crypto isakmp default policy command, IPsec will use the default ISAKMP policies to negotiate IKE proposals. Eight default ISAKMP policies are supported (see Table 26). The default ISAKMP policies define the following policy set parameters:
• The priority, 65507-65514, where 65507 is the highest priority and 65514 is the lowest priority.
• The authentication method, Rivest, Shamir, and Adleman (RSA) signatures or preshared keys (PSK).
• The encryption method, Advanced Encryption Standard (AES) or Triple Data Encryption Standard (3DES).
• The hash function, Secure Hash Algorithm (SHA-1) or Message-Digest algorithm 5 (MD5).
• The Diffie-Hellman (DH) group specification, DH2 or DH5.
– DH2 specifies the 1024-bit Diffie-Hellman group.
– DH5 specifies the 1536-bit Diffie-Hellman group.
Because half of the default suites accept MD5 or 3DES and none uses a Diffie-Hellman group larger than 1536 bits, a peer that proposes only those algorithms will still negotiate successfully while the defaults are active. Where current algorithm guidance matters, define explicit policies with the crypto isakmp policy command and disable the defaults with the no crypto isakmp default policy command.
Table 26 Default ISAKMP Policies
Priority | Authentication | Encryption | Hash | Diffie-Hellman
65507 | RSA | AES | SHA | DH5
65508 | PSK | AES | SHA | DH5
65509 | RSA | AES | MD5 | DH5
65510 | PSK | AES | MD5 | DH5
65511 | RSA | 3DES | SHA | DH2
65512 | PSK | 3DES | SHA | DH2
65513 | RSA | 3DES | MD5 | DH2
65514 | PSK | 3DES | MD5 | DH2
Examples
The following example disables the default ISAKMP policies and shows the resulting output of the show crypto isakmp default policy command, which is blank:
Router# configure terminal
Router(config)# no crypto isakmp default policy
Router(config)# end
Router# show crypto isakmp default policy
!There is no output since the default IKE policies have been disabled.
The following example enables the default ISAKMP policies and displays the resulting output of the show crypto isakmp default policy command. The default policies are displayed because there are no user-configured policies and the default policies have not been disabled.
Router# configure terminal
Router(config)# crypto isakmp default policy
Router(config)# end
Router# show crypto isakmp default policy
Default protection suite of priority 65507
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #5 (1536 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite of priority 65508
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #5 (1536 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite of priority 65509
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Message Digest 5
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #5 (1536 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite of priority 65510
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #5 (1536 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite of priority 65511
encryption algorithm: Three key triple DES
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite of priority 65512
encryption algorithm: Three key triple DES
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite of priority 65513
encryption algorithm: Three key triple DES
hash algorithm: Message Digest 5
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite of priority 65514
encryption algorithm: Three key triple DES
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Related Commands
Command | Description
show crypto isakmp default policy | Displays the default ISAKMP policies currently in use.
crypto isakmp enable
To globally enable Internet Key Exchange (IKE) for your peer router, use the crypto isakmp enable command in global configuration mode. To disable IKE for the peer, use the no form of this command.
crypto isakmp enable
no crypto isakmp enable
Syntax Description
This command has no arguments or keywords.
Defaults
IKE is enabled.
Command Modes
Global configuration
Command History
Release | Modification
11.3 T | This command was introduced.
12.2(33)SRA | This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX | This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Usage Guidelines
IKE is enabled by default. IKE does not have to be enabled for individual interfaces, but is enabled globally for all interfaces at the router.
If you do not want IKE to be used for your IPSec implementation, you can disable IKE for all your IP Security peers. If you disable IKE for one peer, you must disable it for all IPSec peers.
If you disable IKE, you will have to make these concessions at the peers:
• You must manually specify all the IPSec security associations (SAs) in the crypto maps at the peers. (Crypto map configuration is described in the chapter "Configuring IPSec Network Security" in the Cisco IOS Security Configuration Guide.)
• The IPSec SAs of the peers will never time out for a given IPSec session.
• During IPSec sessions between the peers, the encryption keys will never change.
• Anti-replay services will not be available between the peers.
• Certification authority (CA) support cannot be used.
Note
Effective with Cisco IOS Release 12.3(2)T, a device is prevented from responding to Internet Security Association and Key Management Protocol (ISAKMP) by default unless there is a crypto map applied to an interface or if Easy VPN is configured.
Examples
The following example disables IKE at one peer. (The same command should be issued for all remote peers.)
no crypto isakmp enable
crypto isakmp fragmentation
To enable fragmentation of large Internet Key Exchange (IKE) packets into a series of smaller IKE packets to avoid fragmentation at the User Datagram Protocol (UDP) layer, use the crypto isakmp fragmentation command in global configuration mode. To disable fragmentation, use the no form of this command.
crypto isakmp fragmentation
no crypto isakmp fragmentation
Syntax Description
This command has no arguments or keywords.
Command Default
Fragmentation is not allowed.
Command Modes
Global configuration (config)
Command History
Release | Modification
12.4(15)T7 | This command was introduced.
Usage Guidelines
Do not configure IKE fragmentation on a Cisco IOS router that serves Cisco Easy VPN Client versions 5.01 through 5.03. Versions earlier than 5.01, and version 5.04 and later, are expected to work with fragmentation enabled.
Examples
The following example shows that fragmentation has been enabled:
crypto isakmp fragmentation
crypto isakmp profile ezvpn-SW
crypto isakmp identity
To define the identity used by the router when participating in the Internet Key Exchange (IKE) protocol, use the crypto isakmp identity command in global configuration mode. Set an Internet Security Association Key Management Protocol (ISAKMP) identity whenever you specify preshared keys. To reset the ISAKMP identity to the default value (address), use the no form of this command.
crypto isakmp identity {address | hostname}
no crypto isakmp identity
Syntax Description
address
|
Sets the ISAKMP identity to the IP address of the interface that is used to communicate to the remote peer during IKE negotiations.
|
hostname
|
Sets the ISAKMP identity to the host name concatenated with the domain name (for example, myhost.example.com).
|
Command Default
The IP address is used for the ISAKMP identity.
Command Modes
Global configuration
Command History
Release | Modification
11.3 T | This command was introduced.
12.4(4)T | Support for IPv6 was added.
12.2SX | This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Usage Guidelines
Use this command to specify an ISAKMP identity either by IP address or by host name.
The address keyword is typically used when there is only one interface (and therefore only one IP address) that will be used by the peer for IKE negotiations, and the IP address is known.
The hostname keyword should be used if there is more than one interface on the peer that might be used for IKE negotiations, or if the interface's IP address is unknown (such as with dynamically assigned IP addresses).
As a general rule, you should set all peers' identities in the same way, either by IP address or by host name.
Examples
The following example uses preshared keys at two peers and sets both their ISAKMP identities to IP address.
At the local peer (at 10.0.0.1) the ISAKMP identity is set and the preshared key is specified.
crypto isakmp identity address
crypto isakmp key sharedkeystring address 192.168.1.33
At the remote peer (at 192.168.1.33) the ISAKMP identity is set and the same preshared key is specified.
crypto isakmp identity address
crypto isakmp key sharedkeystring address 10.0.0.1
Note
In the preceding example if the crypto isakmp identity command had not been performed, the ISAKMP identities would have still been set to IP address, the default identity.
The following example uses preshared keys at two peers and sets both their ISAKMP identities to host name.
At the local peer the ISAKMP identity is set and the preshared key is specified.
crypto isakmp identity hostname
crypto isakmp key sharedkeystring hostname RemoteRouter.example.com
ip host RemoteRouter.example.com 192.168.0.1
At the remote peer the ISAKMP identity is set and the same preshared key is specified.
crypto isakmp identity hostname
crypto isakmp key sharedkeystring hostname LocalRouter.example.com
ip host LocalRouter.example.com 10.0.0.1 10.0.0.2
In the above example, host names are used for the peers' identities because the local peer has two interfaces that might be used during an IKE negotiation.
In the above example the IP addresses are also mapped to the host names; this mapping is not necessary if the routers' host names are already mapped in DNS.
Related Commands
Command | Description
authentication (IKE policy) | Specifies the authentication method within an IKE policy.
crypto isakmp key | Configures a preshared authentication key.
crypto isakmp invalid-spi-recovery
To initiate the Internet Key Exchange (IKE) security association (SA) to notify the receiving IP Security (IPSec) peer that there is an "Invalid SPI" error, use the crypto isakmp invalid-spi-recovery command in global configuration mode. To disable the notification process, use the no form of this command.
crypto isakmp invalid-spi-recovery
no crypto isakmp invalid-spi-recovery
Syntax Description
This command has no arguments or keywords.
Defaults
The IKE notification process is not enabled.
Command Modes
Global configuration
Command History
Release | Modification
12.3(2)T | This command was introduced.
12.2(18)SXE | This command was integrated into Cisco IOS Release 12.2(18)SXE.
Usage Guidelines
This command allows you to configure your router so that when an invalid security parameter index error (shown as "Invalid SPI") occurs, an IKE SA is initiated. The IKE module, which serves as a checkpoint in the IPSec session, recognizes the "Invalid SPI" condition and sends an "Invalid SPI" notification to the peer that sent the packet, so that synchronization of the security association databases (SADBs) of the two peers can be attempted. As soon as the SADBs are resynchronized, packets are no longer dropped.
Note
SPI recovery initiates a new IKE SA only for static peers.
Caution
Using this command to initiate an IKE SA to notify an IPSec peer of an "Invalid SPI" error can result in a denial-of-service (DoS) attack: every packet that arrives with an unknown SPI, including a spoofed one, can cause the router to start an IKE negotiation, so an attacker able to send such packets can consume the router's IKE resources. Weigh this against the faster SADB recovery the feature provides before enabling it on an Internet-facing peer.
Examples
The following example shows that the IKE module process has been initiated to notify the receiving peer that there is an "Invalid SPI" error:
Router(config)# crypto isakmp invalid-spi-recovery
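The rules spelled out in the sections above (block aggressive mode, treat invalid-spi-recovery as a DoS exposure, and note that the default protection suites in Table 26 remain in effect when no user policy exists and they have not been disabled) can be applied mechanically to a saved running configuration. The following Python audit is an added example, not Cisco code and not part of this reference. It assumes the running-config syntax this page documents (crypto isakmp policy blocks with encr, hash, authentication and group lines, plus the global crypto isakmp commands) and fills in the Cisco IOS defaults for omitted policy parameters (DES, SHA-1, RSA signatures, group 1). The configuration text, finding wording and function names are constructed for the example.

```python
"""Audit IKEv1 (ISAKMP) settings in an IOS running-config (added example, not Cisco code).

Rules follow this reference page: aggressive mode should be blocked,
invalid-spi-recovery is a DoS exposure, the default protection suites
65507-65514 are used when no user policy exists and they have not been
disabled, and MD5 / DES / 3DES / DH groups 1, 2 and 5 are weak.
"""
import re
from typing import Dict, List

# Values IOS applies to any parameter a 'crypto isakmp policy' block omits
# (omitted parameters are also not shown in the running-config).
POLICY_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}
WEAK_ENCR = {"des", "3des"}
WEAK_HASH = {"md5", "sha"}      # 'sha' is SHA-1
WEAK_GROUPS = {"1", "2", "5"}   # 768-, 1024- and 1536-bit MODP groups


def parse_isakmp_policies(config: str) -> Dict[int, Dict[str, str]]:
    """Return {priority: {encr, hash, authentication, group}} with defaults filled in."""
    policies: Dict[int, Dict[str, str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = re.match(r"^crypto isakmp policy (\d+)$", line)
        if m:
            current = int(m.group(1))
            policies[current] = dict(POLICY_DEFAULTS)
            continue
        if current is not None and line.startswith(" "):
            parts = line.split()
            if parts and parts[0] in POLICY_DEFAULTS:
                policies[current][parts[0]] = " ".join(parts[1:])
            continue
        current = None  # any other top-level line ends the policy block
    return policies


def default_policies_in_effect(config: str) -> bool:
    """Page rule: defaults apply when there is no user policy and they were not disabled."""
    has_user_policy = re.search(r"^crypto isakmp policy \d+$", config, re.M) is not None
    disabled = re.search(r"^no crypto isakmp default policy$", config, re.M) is not None
    return not has_user_policy and not disabled


def audit_isakmp(config: str) -> List[str]:
    """Return one human-readable finding per weakness; an empty list means clean."""
    findings: List[str] = []
    all_lines = {l.strip() for l in config.splitlines()}
    if "crypto isakmp aggressive-mode disable" not in all_lines:
        findings.append("aggressive mode not blocked: add 'crypto isakmp aggressive-mode disable' "
                        "(Easy VPN clients using preshared keys need aggressive mode)")
    if "crypto isakmp invalid-spi-recovery" in all_lines:
        findings.append("invalid-spi-recovery enabled: unsolicited bad-SPI traffic can trigger "
                        "IKE negotiations (documented DoS exposure)")
    if default_policies_in_effect(config):
        findings.append("default ISAKMP policies 65507-65514 in effect: they include MD5, 3DES "
                        "and DH group 2 suites")
    for prio, p in sorted(parse_isakmp_policies(config).items()):
        encr = p["encr"].split()[0]          # 'aes 256' -> 'aes'
        if encr in WEAK_ENCR:
            findings.append(f"policy {prio}: encryption {encr} is weak")
        if p["hash"] in WEAK_HASH:
            findings.append(f"policy {prio}: hash {p['hash']} is weak")
        if p["group"] in WEAK_GROUPS:
            findings.append(f"policy {prio}: DH group {p['group']} is below 2048 bits")
    return findings


# Constructed configurations (not from a real device). Policy 20 relies entirely on
# IOS defaults, so it is DES / SHA-1 / group 1 although the config does not say so.
WEAK_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp policy 20
 authentication pre-share
crypto isakmp invalid-spi-recovery
crypto isakmp identity hostname
"""

HARDENED_CONFIG = """\
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp aggressive-mode disable
crypto isakmp identity hostname
"""

NO_POLICY_CONFIG = """\
crypto isakmp aggressive-mode disable
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG), ("no-policy", NO_POLICY_CONFIG)):
        result = audit_isakmp(cfg)
        print(f"[{name}] {len(result)} finding(s)")
        for f in result:
            print("  -", f)
```

The no-policy case is the one this page's default-policy rule makes easy to miss: a router with no crypto isakmp policy lines looks unconfigured, yet it will negotiate any of the eight default suites, including 3DES/MD5/DH2 with a preshared key, until no crypto isakmp default policy is entered.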
crypto isakmp keepalive
To allow the gateway to send dead peer detection (DPD) messages to the peer, use the crypto isakmp keepalive command in global configuration mode. To disable keepalives, use the no form of this command.
crypto isakmp keepalive seconds [retries] [periodic | on-demand]
no crypto isakmp keepalive seconds [retries] [periodic | on-demand]
Syntax Description
seconds
|
When the periodic keyword is used, this argument is the number of seconds between DPD messages; the range is from 10 to 3600 seconds.
When the on-demand keyword is used, this argument is the number of seconds during which traffic is not received from the peer before DPDs are sent if there is data (IPSec) traffic to send; the range is from 10 to 3600 seconds.
Note If you do not specify a time interval, an error message appears.
|
retries
|
(Optional) Number of seconds between DPD retries if the DPD message fails; the range is from 2 to 60 seconds. If unspecified, the default is 2 seconds.
Note To configure DPD with IPsec High Availability (HA), the recommendation is to use a value other than the default (which is 2 seconds). A keepalive timer of 10 seconds with 5 retries seems to work well with HA because of the time that it takes for the router to get into active mode.
|
periodic
|
(Optional) DPD messages are sent at regular intervals.
|
on-demand
|
(Optional) The default behavior. DPD retries are sent on demand.
Note Because this option is the default, the on-demand keyword does not appear in configuration output.
|
Command Default
No DPD messages are sent.
Command Modes
Global configuration (config)
Command History
Release | Modification
12.2(8)T | This command was introduced.
12.3(7)T | The periodic and on-demand keywords were added.
12.2(33)SRA | This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2(33)SXH | This command was integrated into Cisco IOS Release 12.2(33)SXH.
Usage Guidelines
Use the crypto isakmp keepalive command to enable the gateway to send DPD messages to the peer. DPD is a keepalive scheme that lets the router query the liveness of its Internet Key Exchange (IKE) peer and tear down IKE and IPsec SAs whose peer no longer responds.
Use the periodic keyword to configure your router so that DPD messages are "forced" at regular intervals. This forced approach results in earlier detection of dead peers than with the on-demand approach. If you do not configure the periodic option, the router defaults to the on-demand approach.
Note
When the crypto isakmp keepalive command is configured, the Cisco IOS software negotiates the use of Cisco IOS keepalives or DPD, depending on which protocol the peer supports.
Note
Cisco IOS VPN Client connections are not supported if you configure the crypto isakmp keepalive command with the periodic keyword (for example, crypto isakmp keepalive timeoutval periodic) on a Cisco IOS device.
Examples
The following example shows how to configure DPD messages to be sent every 60 seconds and every 5 seconds between retries if the peer does not respond:
crypto isakmp keepalive 60 5
The following example shows that periodic DPD messages are to be sent at intervals of 10 seconds:
crypto isakmp keepalive 10 periodic
The following example replaces the periodic behavior above with the default on-demand behavior (because on-demand is the default, the keyword will not appear in the running configuration):
crypto isakmp keepalive 10 on-demand
The following example shows that DPD has been configured with IPsec HA. The number of seconds between DPD messages is 10, and the number of seconds between DPD retries is 5. DPD messages are to be sent at regular intervals.
crypto isakmp keepalive 10 5 periodic
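The following is an added example, not taken from the Cisco command reference, that puts crypto isakmp invalid-spi-recovery and crypto isakmp keepalive in the context of a complete site-to-site configuration with a static peer, the case both commands are written for. All addresses, names and the key string are made up, and the cipher, hash and Diffie-Hellman choices assume a release that supports AES-256, SHA-256 and group 14.

```cisco
! Added example: site-to-site IPsec with a static peer, periodic DPD and
! Invalid SPI recovery.  Addresses, names and key string are invented.
!
! IKE phase 1 policy, pre-shared key authentication.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
!
! Key bound to one specific peer address, not to 0.0.0.0 0.0.0.0.
crypto isakmp key 0 Example-PSK-Change-Me address 203.0.113.2
!
! Periodic DPD: probe every 10 s, retry every 3 s when a probe goes unanswered.
! The default (on-demand) probes only when there is outbound traffic and
! nothing has been heard from the peer, so a dead peer is noticed later.
crypto isakmp keepalive 10 3 periodic
!
! On an ESP packet with an unknown SPI, initiate IKE with the sender and
! notify it so it drops its stale IPsec SA.  Only applies to static peers
! (the "set peer" below).  Spoofed ESP with bogus SPIs can trigger IKE work,
! so weigh this against the DoS caution above.
crypto isakmp invalid-spi-recovery
!
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES256-SHA256
 match address VPN-TRAFFIC
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.252
 crypto map VPN-MAP
```

After applying this, show crypto isakmp sa should list the peer 203.0.113.2 in QM_IDLE once phase 1 completes; if the peer is powered off, the periodic DPD above will remove that SA after the probe and retries go unanswered, which is the behavior the on-demand default would delay until the next outbound packet.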
Related Commands
Command | Description
acl | Configures split tunneling.
crypto isakmp key
To configure a preshared authentication key, use the crypto isakmp key command in global configuration mode. To delete a preshared authentication key, use the no form of this command.
crypto isakmp key enc-type-digit keystring {address peer-address [mask] | ipv6 ipv6-address/ipv6-prefix | hostname hostname} [no-xauth]
no crypto isakmp key enc-type-digit keystring {address peer-address [mask] | ipv6 ipv6-address/ipv6-prefix | hostname hostname} [no-xauth]
Syntax Description
enc-type-digit | Specifies whether the key that follows is stored encrypted or unencrypted: 0 specifies that an unencrypted key follows; 6 specifies that a type 6 (AES) encrypted key follows.
keystring | Specifies the preshared key. Use any combination of alphanumeric or special characters up to 128 bytes. Special characters include the following: !?"#$%&'()*+,-./:;<=>@[\]^_`~. (Type CTRL-V before the ? symbol to avoid invoking help.) This preshared key must be identical at both peers.
address | Use this keyword if the remote peer Internet Security Association and Key Management Protocol (ISAKMP) identity was set with its IPv4 address. The peer-address argument specifies the IPv4 address of the remote peer.
peer-address | Specifies the IPv4 address of the remote peer.
mask | (Optional) Subnet mask applied to peer-address, so that the key is used for every peer whose address falls within that subnet rather than for a single peer. (The argument can be used only if the remote peer ISAKMP identity was set with its IP address.)
ipv6 | Specifies that an IPv6 address of a remote peer will be used.
ipv6-address | IPv6 address of the remote peer. This argument must be in the form documented in RFC 2373, where the address is specified in hexadecimal using 16-bit values between colons.
ipv6-prefix | IPv6 prefix length of the remote peer, written after the address as /prefix.
hostname hostname | Fully qualified domain name (FQDN) of the peer. The hostname keyword and hostname argument are not supported for IPv6.
no-xauth | (Optional) Use this keyword if router-to-router IP Security (IPsec) is on the same crypto map as a Virtual Private Network (VPN)-client-to-Cisco-IOS IPsec. This keyword prevents the router from prompting the peer for extended authentication (Xauth) information (username and password).
Command Default
There is no default preshared authentication key.
Command Modes
Global configuration
Command History
Release | Modification
11.3T | This command was introduced.
12.1(1)T | The mask argument was added.
12.2(4)T | The no-xauth keyword was added.
12.3(2)T | This command was modified so that output shows whether the preshared key is encrypted or unencrypted.
12.2(18)SXD | This command was integrated into Cisco IOS Release 12.2(18)SXD.
12.4(4)T | The ipv6 keyword and the ipv6-address and ipv6-prefix arguments were added.
Usage Guidelines
You must use this command to configure a key whenever you specify preshared keys in an Internet Key Exchange (IKE) policy; you must enable this command at both peers.
If an IKE policy includes preshared keys as the authentication method, these preshared keys must be configured at both peers—otherwise the policy cannot be used (the policy will not be submitted for matching by the IKE process). The crypto isakmp key command is the second task required to configure the preshared keys at the peers. (The first task is accomplished using the crypto isakmp identity command.)
Use the address keyword if the remote peer ISAKMP identity was set with its IP address.
With the address keyword, you can also use the mask argument so that one preshared key applies to every peer whose address falls within the given subnet. When mask is used, the key is no longer specific to a single pair of peers: any host in that subnet that knows the key can authenticate.
Note
If you specify mask, you must use a subnet address. The wildcard form (address 0.0.0.0 0.0.0.0) is not recommended because it amounts to a group preshared key shared by all peers: the key then no longer ties an IKE peer to a particular address, a single leaked copy lets any host on the network authenticate to the router, and a compromised peer can impersonate any other peer. This reduces the security of your peer authentication.
When using IKE main mode, preshared keys are indexed by IP address only, because the key is needed before the identity payload has been received. This means that the hostname keyword is not used to look up a preshared key in main mode; the hostname identity is used only when sending and processing the identity payloads later in the exchange. The hostname keyword can be used to index a preshared key when IKE aggressive mode is used, since the identity payload arrives in the first aggressive mode packet, so keys may then be indexed by identity types other than IP address.
If crypto isakmp identity hostname is configured as the identity, the preshared key must still be configured with the peer's IP address for the process to work when using IKE in main mode.
Use the no-xauth keyword to prevent the router from prompting the peer for Xauth information (username and password). This keyword disables Xauth for static IPSec peers. The no-xauth keyword should be enabled when configuring the preshared key for router-to-router IPSec—not VPN-client-to-Cisco-IOS IPSec.
Output for the crypto isakmp key command will show that the preshared key is either encrypted or unencrypted. An output example for an unencrypted preshared key would be as follows:
crypto isakmp key test123 address 10.1.0.1
An output example for a type 6 encrypted preshared key would be as follows:
crypto isakmp key 6 RHZE[JACMUI\bcbTdELISAAB address 10.1.0.1
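The following is an added example, not taken from the Cisco command reference, that places a wildcard-mask group key beside its scoped replacements and shows the no-xauth and IPv6 forms of the command, covering the mask note and the no-xauth guideline above. All addresses and key strings are made up; the commands for storing keys as type 6 are real Cisco IOS commands but are assumed to be available on the image in use.

```cisco
! Added example: scoping preshared keys.  Addresses and key strings are invented.
!
! Store keys as type 6 (AES) instead of clear text in the running configuration.
! The master key itself is not written to the configuration file.
key config-key password-encrypt Master-Key-Change-Me
password encryption aes
!
! WEAK: a wildcard mask makes one key valid for every peer on the network.
! Any party that learns it (a copied spoke configuration, a departed
! contractor) can authenticate from any address, and a compromised spoke
! can impersonate any other spoke.
crypto isakmp key 0 Shared-Group-Key address 0.0.0.0 0.0.0.0
!
! BETTER: one key per peer, bound to that peer's address.  Main mode looks
! the key up by source IP before any identity payload arrives, so the address
! must be the one the peer actually sends from (the post-NAT address if the
! peer sits behind NAT).
no crypto isakmp key 0 Shared-Group-Key address 0.0.0.0 0.0.0.0
crypto isakmp key 0 Branch1-Key-Change-Me address 203.0.113.2
crypto isakmp key 0 Branch2-Key-Change-Me address 203.0.113.3
!
! If several branch routers genuinely must share a key, bound it to their
! subnet rather than to the whole address space.
crypto isakmp key 0 Branch-DC-Key-Change-Me address 198.51.100.0 255.255.255.0
!
! Router-to-router peer on a crypto map that also serves VPN clients: the
! clients use Xauth, so the static peer's key carries no-xauth, or the router
! would prompt the peer router for a username and password and the tunnel
! would never come up.
crypto isakmp key 0 HQ-Key-Change-Me address 192.0.2.10 no-xauth
!
! IPv6 peers take an address and prefix length; hostname is not supported
! for IPv6.
crypto isakmp key 0 V6-Key-Change-Me ipv6 2001:db8:1::2/128
```

With key config-key password-encrypt and password encryption aes in place, show running-config displays each key as crypto isakmp key 6 followed by ciphertext, so a copied configuration file no longer yields the preshared keys; keys entered with enc-type-digit 0 are converted on entry.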
Examples
In the following example, the remote peer "RemoteRouter" specifies an ISAKMP identity by address: