Table Of Contents

crypto isakmp aggressive-mode disable

crypto isakmp client configuration address-pool local

crypto isakmp client configuration browser-proxy

crypto isakmp client configuration group

crypto isakmp client firewall

crypto isakmp default policy

crypto isakmp enable

crypto isakmp fragmentation

crypto isakmp identity

crypto isakmp invalid-spi-recovery

crypto isakmp keepalive

crypto isakmp key

crypto isakmp nat keepalive

crypto isakmp peer

crypto isakmp policy

crypto isakmp profile

crypto key decrypt rsa

crypto key encrypt rsa

crypto key export pem

crypto key generate rsa

crypto key import pem

crypto key lock rsa

crypto key move rsa

crypto key pubkey-chain rsa

crypto key storage

crypto key unlock rsa

crypto key zeroize rsa

crypto keyring

crypto logging ezvpn

crypto map (global IPSec)

crypto map (interface IPSec)

crypto map client authentication list

crypto map client configuration address

crypto map gdoi fail-close

crypto map isakmp authorization list

crypto map isakmp-profile

crypto map local-address

crypto map redundancy replay-interval

crypto mib ipsec flowmib history failure size

crypto mib ipsec flowmib history tunnel size

crypto isakmp aggressive-mode disable

To block all Internet Security Association and Key Management Protocol (ISAKMP) aggressive mode requests to and from a device, use the crypto isakmp aggressive-mode disable command in global configuration mode. To disable the blocking, use the no form of this command.

crypto isakmp aggressive-mode disable

no crypto isakmp aggressive-mode disable

Syntax Description

This command has no arguments or keywords.

Defaults

If this command is not configured, Cisco IOS software will attempt to process all incoming ISAKMP aggressive mode security association (SA) connections. In addition, if the device has been configured with the crypto isakmp peer address and the set aggressive-mode password or set aggressive-mode client-endpoint commands, the device will initiate aggressive mode if this command is not configured.

Command Modes

Global configuration

Command History

Release	Modification
12.3(1)	This command was introduced on all Cisco IOS platforms that support IP Security (IPSec).

Usage Guidelines

If you configure this command, all aggressive mode requests to the device and all aggressive mode requests made by the device are blocked, regardless of the ISAKMP authentication type (preshared keys or Rivest, Shamir, and Adelman [RSA] signatures).

If a request is made by or to the device for aggressive mode, the following syslog notification is sent:

Unable to initiate or respond to Aggressive Mode while disabled

---

Note This command will prevent Easy Virtual Private Network (Easy VPN) clients from connecting if they are using preshared keys because Easy VPN clients (hardware and software) use aggressive mode.

---

Examples

The following example shows that all aggressive mode requests to and from a device are blocked:

Router (config)# crypto isakmp aggressive-mode disable

crypto isakmp client configuration address-pool local

To configure the IP address local pool to reference Internet Key Exchange (IKE) on your router, use the crypto isakmp client configuration address-pool local command in global configuration mode. To restore the default value, use the no form of this command.

crypto isakmp client configuration address-pool local pool-name

no crypto isakmp client configuration address-pool local

Syntax Description

pool-name

Specifies the name of a local address pool.

Defaults

IP address local pools do not reference IKE.

Command Modes

Global configuration

Command History

Release	Modification
12.0(4)XE	This command was introduced.
12.0(7)T	This command was integrated into Cisco IOS release 12.0(7)T.
12.2(33)SRA	This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX	This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Examples

The following example references IP address local pools to IKE on your router, with "ire" as the pool-name:

crypto isakmp client configuration address-pool local ire

Related Commands

Command	Description
ip local pool	Configures a local pool of IP addresses to be used when a remote peer connects to a point-to-point interface.

crypto isakmp client configuration browser-proxy

To configure browser-proxy parameters for an Easy VPN remote device and to enter ISAKMP browser proxy configuration mode, use the crypto isakmp client configuration browser-proxy command in global configuration mode. To disable the browser-proxy parameters, use the no form of this command.

crypto isakmp client configuration browser-proxy {browser-proxy-name}

no crypto isakmp client configuration browser-proxy {browser-proxy-name}

Syntax Description

browser-proxy-name

Name of the browser proxy.

Command Default

Browser-proxy parameters are not set.

Command Modes

Global configuration (config)

Command History

Release	Modification
12.4(2)T	This command was introduced.
12.2(33)SRA	This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX	This command is supported in the Cisco IOS 12.2SX family of releases. Support in a specific 12.2SX release is dependent on your feature set, platform, and platform hardware.

Usage Guidelines

While specifying the proxy server, the proxy IP address and port number are separated with a colon. The proxy exception list is a semicolon-delimited string of IP addresses.

After enabling this command, you may specify the following subcommand:

•proxy—Configures proxy parameters for your Easy VPN remote device (see the proxy command for more information about this command and the acceptable parameters).

Examples

The following example shows various browser-proxy parameter settings for a browser proxy named "bproxy":

crypto isakmp client configuration browser-proxy bproxy

 proxy auto-detect

crypto isakmp client configuration browser-proxy bproxy

 proxy none

crypto isakmp client configuration browser-proxy bproxy

 proxy server 10.1.1.1:2000

 proxy exception-list 10.2.2.*,www.*org

 proxy by-pass-local

Related Commands

Command	Description
proxy	Configures proxy parameters for an Easy VPN remote device.

crypto isakmp client configuration group

To specify to which group a policy profile will be defined and to enter crypto ISAKMP group configuration mode, use the crypto isakmp client configuration group command in global configuration mode. To remove this command and all associated subcommands from your configuration, use the no form of this command.

crypto isakmp client configuration group {group-name | default}

no crypto isakmp client configuration group

Syntax Description

group-name	Group definition that identifies which policy is enforced for users.
default	Policy that is enforced for all users who do not offer a group name that matches a group-name argument. The default keyword can only be configured locally.

Defaults

No default behavior or values

Command Modes

Global configuration (config)

Command History

Release	Modification
12.2(8)T	This command was introduced.
12.3(2)T	The access-restrict, firewall are-u-there, group-lock, include-local-lan, and save-password commands were added. These commands are added during Mode Configuration. In addition, this command was modified so that output for this command will show that the preshared key is either encrypted or unencrypted.
12.3(4)T	The backup-gateway, max-logins, max-users, and pfs commands were added.
12.2(18)SXD	This command was integrated into Cisco IOS Release 12.2(18)SXD.
12.4(2)T	The browser-proxy command was added.
12.4(6)T	The firewall policy command was added.
12.2(33)SRA	This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.4(9)T	The crypto aaa attribute list, dhcp server, and dhcp timeout commands were added.
12.4(11)T	The dhcp giaddr command was added.

Usage Guidelines

Use the crypto isakmp client configuration group command to specify group policy information that needs to be defined or changed. You may wish to change the group policy on your router if you decide to connect to the client using a group ID that does not match the group-name argument.

After enabling this command, which puts you in Internet Security Association Key Management Protocol (ISAKMP) group configuration mode, you can specify characteristics for the group policy using the following commands:

•access-restrict—Ties a particular Virtual Private Network (VPN) group to a specific interface for access to the Cisco IOS gateway and the services it protects.

•acl—Configures split tunneling.

•auto-update client—Configures auto upgrade.

•backup-gateway—Configures a server to "push down" a list of backup gateways to the client. These gateways are tried in order in the case of a failure of the previous gateway. The gateways may be specified using IP addresses or host names.

•banner—Specifies a mode configuration banner.

•browser-proxy—Applies a browser-proxy map to a group.

•configuration url—Specifies on a server the URL an Easy VPN remote device must use to get a configuration in a Mode Configuration Exchange.

•configuration version—Specifies on a server the version a Cisco Easy VPN remote device must use to get a particular configuration in a Mode Configuration Exchange.

•crypto aaa attribute list—Defines a AAA attribute list of per-user attributes on a local Easy VPN server.

•dhcp giaddr—Configures an IP address on the Easy VPN server for the Dynamic Host Configuration Protocol (DHCP) to use. The DHCP server uses the giaddr keyword to determine the scope for the client IP address assignment. If the giaddr keyword is not configured, the Easy VPN server must be configured with a loopback interface to communicate with the DHCP server, and the IP address on the loopback interface determines the scope for the client IP address assignment.

•dhcp server—Configures multiple DHCP server entries.

•dhcp timeout—Controls the wait time before the next DHCP server on the list is tried.

•dns—Specifies the primary and secondary Domain Name Service (DNS) servers for the group.

•domain—Specifies group domain membership.

•firewall are-u-there—Adds the Firewall-Are-U-There attribute to the server group if your PC is running the Black Ice or Zone Alarm personal firewalls.

•firewall policy—Specifies the CPP firewall policy push name for the crypto ISAKMP client configuration group on a local AAA server.

•group-lock—Use if preshared key authentication is used with Internet Key Exchange (IKE). Allows you to enter your extended authentication (Xauth) username. The group delimiter is compared against the group identifier sent during IKE aggressive mode.

•include-local-lan—Configures the Include-Local-LAN attribute to allow a nonsplit-tunneling connection to access the local subnetwork at the same time as the client.

•key—Specifies the IKE preshared key when defining group policy information for Mode Configuration push.

•max-logins—Limits the number of simultaneous logins for users in a specific user group.

•max-users—Limits the number of connections to a specific server group.

•netmask—Subnet mask to be used by the client for local connectivity.

•pfs—Configures a server to notify the client of the central-site policy regarding whether PFS is required for any IPsec SA. Because the client device does not have a user interface option to enable or disable PFS negotiation, the server will notify the client device of the central site policy via this parameter. The Diffie-Hellman (D-H) group that is proposed for PFS will be the same that was negotiated in Phase 1 of the IKE negotiation.

•pool—Refers to the IP local pool address used to allocate internal IP addresses to clients.

•save-password—Saves your Xauth password locally on your PC.

•split-dns—Specifies a list of domain names that must be tunneled or resolved to the private network.

•wins—Specifies the primary and secondary Windows Internet Naming Service (WINS) servers for the group.

Output for the crypto isakmp client configuration group command (using the key subcommand) will show that the preshared key is either encrypted or unencrypted. An output example for an unencrypted preshared key would be as follows:

crypto isakmp client configuration group key test

An output example for a type 6 encrypted preshared key would be as follows:

crypto isakmp client configuration group

 key 6 JK_JHZPeJV_XFZTKCQFYAAB

Session Monitoring and Limiting for Easy VPN Clients

It is possible to mimic the functionality provided by some RADIUS servers for limiting the number of connections to a specific server group and also for limiting the number of simultaneous logins for users in that group.

To limit the number of connections to a specific server group, use the max-users subcommand. To limit the number of simultaneous logins for users in the server group, use the max-logins subcommand.

The following example shows the RADIUS attribute-value (AV) pairs for the maximum users and maximum logins parameters:

ipsec:max-users=1000

ipsec:max-logins=1

The max-users and max-logins commands can be enabled together or individually to control the usage of resources by any groups or individuals.

If you use a RADIUS server, such as a CiscoSecure access control server (ACS), it is recommended that you enable this session control on the RADIUS server if the functionality is provided. In this way, usage can be controlled across a number of servers by one central repository. When enabling this feature on the router itself, only connections to groups on that specific device are monitored, and load-sharing scenarios are not accurately accounted for.

Examples

The following example shows how to define group policy information for Mode Configuration push. In this example, the first group name is "cisco" and the second group name is "default." Thus, the default policy will be enforced for all users who do not offer a group name that matches "cisco."

crypto isakmp client configuration group cisco

 key cisco

 dns 10.2.2.2 10.2.2.3

 wins 10.6.6.6

 domain cisco.com

 pool fred

 acl 199

!

crypto isakmp client configuration group default

 key cisco

 dns 10.2.2.2 10.3.2.3

 pool fred

 acl 199

Related Commands

Command	Description
access-restrict	Ties a particular VPN group to a specific interface for access to the Cisco IOS gateway and the services it protects.
acl	Configures split tunneling.
backup-gateway	Configures a server to "push down" a list of backup gateways to the client.
browser-proxy	Applies browser-proxy parameter settings to a group.
crypto isakmp keepalive	Adds the Firewall-Are-U-There attribute to the server group if your PC is running the Black Ice or Zone Alarm personal firewalls.
dns	Specifies the primary and secondary DNS servers.
domain (isakmp-group)	Specifies the DNS domain to which a group belongs.
firewall are-u-there	Adds the Firewall-Are-U-There attribute to the server group if your PC is running the Black Ice or Zone Alarm personal firewalls.
firewall policy	Specifies the CPP firewall policy push name for the crypto ISAKMP client configuration group on a local AAA server.
group-lock	Allows you to enter your Xauth username, including the group name, when preshared key authentication is used with IKE.
include-local-lan	Configures the Include-Local-LAN attribute to allow a nonsplit-tunneling connection to access the local subnetwork at the same time as the client.
key (isakmp-group)	Specifies the IKE preshared key for Group-Policy attribute definition.
max-logins	Limits the number of simultaneous logins for users in a specific server group.
max-users	Limits the number of connections to a specific server group.
pool (isakmp-group)	Defines a local pool address.
save-password	Saves your Xauth password locally on your PC.
set aggressive-mode client-endpoint	Specifies the Tunnel-Client-Endpoint attribute within an ISAKMP peer configuration.

crypto isakmp client firewall

To define the Central Policy Push (CPP) firewall policypush on a server, use the crypto isakmp client firewall command in global configuration mode. To remove the CPP that was configured, use the no form of this command.

crypto isakmp client firewall {policy-name} {required | optional} {firewall-type}

nocrypto isakmp client firewall {policy-name} {required | optional} {firewall-type}

Syntax Description

policy-name	Uniquely identifies a policy. A policy name can be associated with an Easy VPN client group configuration on the server (local group configuration) or on the authentication, authorization, and accounting (AAA) server.
required	Policy is mandatory. If the CPP policy is defined as mandatory and is included in the Easy VPN server configuration, the tunnel setup is allowed only if the Cisco VPN Client confirms this policy. If the policy is not confirmed, the tunnel is terminated.
optional	Policy is optional. If the CPP policy is defined as optional and is included in the Easy VPN server configuration, the tunnel setup continues even if the Cisco VPN Client does not confirm the defined policy.
firewall-type	Type of firewall. See Table 25 for a list of acceptable firewall types.

Command Default

CPP is not configured.

Command Modes

Global configuration (config)

Command History

Release	Modification
12.4(6)T	This command was introduced.
12.2(33)SRA	This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX	This command is supported in the Cisco IOS 12.2SX family of releases. Support in a specific 12.2SX release is dependent on your feature set, platform, and platform hardware.

Usage Guidelines

Table 25 lists firewall types that may be used for the firewall-type argument.

Table 25 Acceptable Firewall Types

Firewall Type
Cisco-Integrated-firewall (central-policy-push)
Cisco-Security-Agent (check-presence)
Zonelabs-Zonealarm (both)
Zonelabs-ZonealarmPro (both)

Examples

The following example defines the CPP policy name as "hw-client-g-cpp." The "Cisco-Security-Agent" policy type is mandatory. The CPP inbound list is "192" and the outbound list is "sample":

crypto isakmp client firewall hw-client-g-cpp required Cisco-Security-Agent

 policy central-policy-push access-list in 192

 policy central-policy-push access-list out sample

 policy check-presence

Related Commands

Command	Description
policy	Specifies the CPP policy.

crypto isakmp default policy

To enable default policies for Internet Security Association and Key Management Protocol (ISAKMP) protection suite, use the crypto isakmp default policy command in global configuration mode. To disable the default IKE policies, use the no form of this command.

crypto isakmp default policy

no crypto isakmp default policy

Syntax Description

This command has no arguments or keywords.

Command Default

The default ISAKMP policies are enabled.

Command Modes

Global configuration (config)

Command History

Release	Modification
12.4(20)T	This command was introduced.

Usage Guidelines

If you have neither manually configured ISAKMP policies with the crypto isakmp policy command nor issued the no crypto isakmp default policy command, IPsec will use the default ISAKMP policies to negotiate IKE proposals. There are eight default ISAKMP default policies supported (see Table 26). The default ISAKMP policies define the following policy set parameters:

•The priority, 65507-65514, where 65507 is the highest priority and 65514 is the lowest priority.

•The authentication method, Rivest, Shamir, and Adelman (RSA) or preshared keys (PSK).

•The encryption method, Advanced Encryption Standard (AES) or Triple Data Encryption Standard (3DES).

•The hash function, Secure Hash Algorithm (SHA-1) or Message-Digest algorithm 5 (MD5).

•The Diffie-Hellman (DH) group specification DH2 or DH5.

–DH2 specifies the 768-bit Diffie-Hellman group.

–DH5 specifies the 1536-bit Diffie-Hellman group.

Table 26 Default ISAKMP Policies  

Priority	Authentication	Encryption	Hash	Diffie-Hellman
65507	RSA	AES	SHA	DH5
65508	PSK	AES	SHA	DH5
65509	RSA	AES	MD5	DH5
65510	PSK	AES	MD5	DH5
65511	RSA	3DES	SHA	DH2
65512	PSK	3DES	SHA	DH2
65513	RSA	3DES	MD5	DH2
65514	PSK	3DES	MD5	DH2

Examples

The following example disables the default ISAKMP policies and shows the resulting output of the show crypto isakmp default policy command, which is blank:

Router# configure terminal

Router(config)# no crypto isakmp default policy

Router(config)# exit

Router# show crypto isakmp default policy

Router#

!There is no output since the default IKE policies have been disabled.

The following example enables the default ISAKMP policies and displays the resulting output of the show crypto isakmp default policy command. The default policies are displayed because there are no user configured policies, and the default policies have not been disabled.

Router# configure terminal

Router(config)# crypto isakmp default policy

Router(config)# exit

Router# show crypto isakmp default policy

Default IKE policy

Default protection suite of priority 65507

        encryption algorithm:   AES - Advanced Encryption Standard (128 bit key.

        hash algorithm:         Secure Hash Standard

        authentication method:  Rivest-Shamir-Adleman Signature

        Diffie-Hellman group:   #5 (1536 bit)

        lifetime:               86400 seconds, no volume limit

Default protection suite of priority 65508

        encryption algorithm:   AES - Advanced Encryption Standard (128 bit key.

        hash algorithm:         Secure Hash Standard

        authentication method:  Pre-Shared Key

        Diffie-Hellman group:   #5 (1536 bit)

        lifetime:               86400 seconds, no volume limit

Default protection suite of priority 65509

        encryption algorithm:   AES - Advanced Encryption Standard (128 bit key.

        hash algorithm:         Message Digest 5

        authentication method:  Rivest-Shamir-Adleman Signature

        Diffie-Hellman group:   #5 (1536 bit)

        lifetime:               86400 seconds, no volume limit

Default protection suite of priority 65510

        encryption algorithm:   AES - Advanced Encryption Standard (128 bit key.

        hash algorithm:         Message Digest 5

        authentication method:  Pre-Shared Key

        Diffie-Hellman group:   #5 (1536 bit)

        lifetime:               86400 seconds, no volume limit

Default protection suite of priority 65511

        encryption algorithm:   Three key triple DES

        hash algorithm:         Secure Hash Standard

        authentication method:  Rivest-Shamir-Adleman Signature

        Diffie-Hellman group:   #2 (1024 bit)

        lifetime:               86400 seconds, no volume limit

Default protection suite of priority 65512

        encryption algorithm:   Three key triple DES

        hash algorithm:         Secure Hash Standard

        authentication method:  Pre-Shared Key

        Diffie-Hellman group:   #2 (1024 bit)

        lifetime:               86400 seconds, no volume limit

Default protection suite of priority 65513

        encryption algorithm:   Three key triple DES

        hash algorithm:         Message Digest 5

        authentication method:  Rivest-Shamir-Adleman Signature

        Diffie-Hellman group:   #2 (1024 bit)

        lifetime:               86400 seconds, no volume limit

Default protection suite of priority 65514

        encryption algorithm:   Three key triple DES

        hash algorithm:         Message Digest 5

        authentication method:  Pre-Shared Key

        Diffie-Hellman group:   #2 (1024 bit)

        lifetime:               86400 seconds, no volume limit

Related Commands

Command	Description
show crypto isakmp default policy	Displays the default ISAKMP policies currently in use.

crypto isakmp enable

To globally enable Internet Key Exchange (IKE) for your peer router, use the crypto isakmp enable command in global configuration mode. To disable IKE for the peer, use the no form of this command.

crypto isakmp enable

no crypto isakmp enable

Syntax Description

This command has no arguments or keywords.

Defaults

IKE is enabled.

Command Modes

Global configuration

Command History

Release	Modification
11.3 T	This command was introduced.
12.2(33)SRA	This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX	This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Usage Guidelines

IKE is enabled by default. IKE does not have to be enabled for individual interfaces, but is enabled globally for all interfaces at the router.

If you do not want IKE to be used for your IPSec implementation, you can disable IKE for all your IP Security peers. If you disable IKE for one peer, you must disable it for all IPSec peers.

If you disable IKE, you will have to make these concessions at the peers:

•You must manually specify all the IPSec security associations (SAs) in the crypto maps at the peers. (Crypto map configuration is described in the chapter "Configuring IPSec Network Security" in the Cisco IOS Security Configuration Guide.)

•The IPSec SAs of the peers will never time out for a given IPSec session.

•During IPSec sessions between the peers, the encryption keys will never change.

•Anti-replay services will not be available between the peers.

•Certification authority (CA) support cannot be used.

---

Note Effective with Cisco IOS Release 12.3(2)T, a device is prevented from responding to Internet Security Association and Key Management Protocol (ISAKMP) by default unless there is a crypto map applied to an interface or if Easy VPN is configured.

---

Examples

The following example disables IKE at one peer. (The same command should be issued for all remote peers.)

no crypto isakmp enable

crypto isakmp fragmentation

To enable fragmentation of large Internet Key Exchange (IKE) packets into a series of smaller IKE packets to avoid fragmentation at the User Datagram Protocol (UDP) layer, use the crypto isakmp fragmentation command in global configuration mode. To disable fragmentation, use the no form of this command.

crypto isakmp fragmentation

no crypto isakmp fragmentation

Syntax Description

This command has no arguments or keywords.

Command Default

Fragmentation is not allowed.

Command Modes

Global configuration (config)

Command History

Release	Modification
12.4(15)T7	This command was introduced.

Usage Guidelines

Do not configure IKE fragmentation on a Cisco IOS router with Cisco Easy VPN Client versions 5.01 through 5.03. Versions earlier than version 5.01 and version 5.04 or a later release should be all right.

Examples

The following example shows that fragmentation has been enabled:

crypto isakmp fragmentation

crypto isakmp policy 1

  encryption 3des

crypto isakmp profile ezvpn-SW

  match group frag-clients

  vrf frags

crypto isakmp identity

To define the identity used by the router when participating in the Internet Key Exchange (IKE) protocol, use the crypto isakmp identity command in global configuration mode. Set an Internet Security Association Key Management Protocol (ISAKMP) identity whenever you specify preshared keys. To reset the ISAKMP identity to the default value (address), use the no form of this command.

crypto isakmp identity {address | hostname}

no crypto isakmp identity

Syntax Description

address	Sets the ISAKMP identity to the IP address of the interface that is used to communicate to the remote peer during IKE negotiations.
hostname	Sets the ISAKMP identity to the host name concatenated with the domain name (for example, myhost.example.com).

Command Default

The IP address is used for the ISAKMP identity.

Command Modes

Global configuration

Command History

Release	Modification
11.3 T	This command was introduced.
12.4(4)T	Support for IPv6 was added.
12.2SX	This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Usage Guidelines

Use this command to specify an ISAKMP identity either by IP address or by host name.

The address keyword is typically used when there is only one interface (and therefore only one IP address) that will be used by the peer for IKE negotiations, and the IP address is known.

The hostname keyword should be used if there is more than one interface on the peer that might be used for IKE negotiations, or if the interface's IP address is unknown (such as with dynamically assigned IP addresses).

As a general rule, you should set all peers' identities in the same way, either by IP address or by host name.

Examples

The following example uses preshared keys at two peers and sets both their ISAKMP identities to IP address.

At the local peer (at 10.0.0.1) the ISAKMP identity is set and the preshared key is specified.

crypto isakmp identity address

crypto isakmp key sharedkeystring address 192.168.1.33

At the remote peer (at 192.168.1.33) the ISAKMP identity is set and the same preshared key is specified.

crypto isakmp identity address

crypto isakmp key sharedkeystring address 10.0.0.1

---

Note In the preceding example if the crypto isakmp identity command had not been performed, the ISAKMP identities would have still been set to IP address, the default identity.

---

The following example uses preshared keys at two peers and sets both their ISAKMP identities to host name.

At the local peer the ISAKMP identity is set and the preshared key is specified.

crypto isakmp identity hostname

crypto isakmp key sharedkeystring hostname RemoteRouter.example.com

ip host RemoteRouter.example.com 192.168.0.1

At the remote peer the ISAKMP identity is set and the same preshared key is specified.

crypto isakmp identity hostname

crypto isakmp key sharedkeystring hostname LocalRouter.example.com

ip host LocalRouter.example.com 10.0.0.1 10.0.0.2

In the above example, host names are used for the peers' identities because the local peer has two interfaces that might be used during an IKE negotiation.

In the above example the IP addresses are also mapped to the host names; this mapping is not necessary if the routers' host names are already mapped in DNS.

Related Commands

Command	Description
crypto ipsec security-association lifetime	Specifies the authentication method within an IKE policy.
crypto isakmp key	Configures a preshared authentication key.

crypto isakmp invalid-spi-recovery

To initiate the Internet Key Exchange (IKE) security association (SA) to notify the receiving IP Security (IPSec) peer that there is an "Invalid SPI" error, use the crypto isakmp invalid-spi-recovery command in global configuration mode. To disable the notification process, use the no form of this command.

crypto isakmp invalid-spi-recovery

no crypto isakmp invalid-spi-recovery

Syntax Description

This command has no arguments or keywords.

Defaults

The IKE notification process is not enabled.

Command Modes

Global configuration

Command History

Release	Modification
12.3(2)T	This command was introduced.
12.2(18)SXE	This command was integrated into Cisco IOS Release 12.2(18)SXE.

Usage Guidelines

This command allows you to configure your router so that when an invalid security parameter index error (shown as "Invalid SPI") occurs, an IKE SA is initiated. The "IKE" module, which serves as a checkpoint in the IPSec session, recognizes the "Invalid SPI" situation. The IKE module then sends an "Invalid Error" message to the packet-receiving peer so that synchronization of the security association databases (SADBs) of the two peers can be attempted. As soon as the SADBs are resynchronized, packets are no longer dropped.

---

Note SPI recovery initiates a new IKE SA only for static peers.

---

---

Caution Using this command to initiate an IKE SA to notify an IPSec peer of an "Invalid SPI" error can result in a denial-of-service (DoS) attack.

---

Examples

The following example shows that the IKE module process has been initiated to notify the receiving peer that there is an "Invalid SPI" error:

Router (config)# crypto isakmp invalid-spi-recovery

crypto isakmp keepalive

To allow the gateway to send dead peer detection (DPD) messages to the peer, use the crypto isakmp keepalive command in global configuration mode. To disable keepalives, use the no form of this command.

crypto isakmp keepalive seconds [retries] [periodic | on-demand]

no crypto isakmp keepalive seconds [retries] [periodic | on-demand]

Syntax Description

seconds	When the periodic keyword is used, this argument is the number of seconds between DPD messages; the range is from 10 to 3600 seconds. When the on-demand keyword is used, this argument is the number of seconds during which traffic is not received from the peer before DPDs are sent if there is data (IPSec) traffic to send; the range is from 10 to 3600 seconds. Note If you do not specify a time interval, an error message appears.
retries	(Optional) Number of seconds between DPD retries if the DPD message fails; the range is from 2 to 60 seconds. If unspecified, the default is 2 seconds. Note To configure DPD with IPsec High Availability (HA), the recommendation is to use a value other than the default (which is 2 seconds). A keepalive timer of 10 seconds with 5 retries seems to work well with HA because of the time that it takes for the router to get into active mode.
periodic	(Optional) DPD messages are sent at regular intervals.
on-demand	(Optional) The default behavior. DPD retries are sent on demand. Note Because this option is the default, the on-demand keyword does not appear in configuration output.

Command Default

No DPD messages are sent.

Command Modes

Global configuration (config)

Command History

Release	Modification
12.2(8)T	This command was introduced.
12.3(7)T	The periodic and on-demand keywords were added.
12.2(33)SRA	This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2(33)SXH	This command was integrated into Cisco IOS Release 12.2(33)SXH.

Usage Guidelines

Use the crypto isakmp keepalive command to enable the gateway to send DPD messages to the peer. DPD is a keepalives scheme that allows the router to query the liveliness of its Internet Key Exchange (IKE) peer.

Use the periodic keyword to configure your router so that DPD messages are "forced" at regular intervals. This forced approach results in earlier detection of dead peers than with the on-demand approach. If you do not configure the periodic option, the router defaults to the on-demand approach.

---

Note When the crypto isakmp keepalive command is configured, the Cisco IOS software negotiates the use of Cisco IOS keepalives or DPD, depending on which protocol the peer supports.

---

---

Note Cisco IOS VPN Client connections are not supported if you configure the crypto isakmp keepalive command with the periodic keyword (for example, crypto isakmp keepalive timeoutval periodic) on a Cisco IOS device.

---

Examples

The following example shows how to configure DPD messages to be sent every 60 seconds and every 5 seconds between retries if the peer does not respond:

crypto isakmp keepalive 60 5

The following example shows that periodic DPD messages are to be sent at intervals of 10 seconds:

crypto isakmp keepalive 10 periodic

The following example shows that the above periodic behavior is being disabled:

crypto isakmp keepalive 10 on-demand

The following example shows that DPD has been configured with IPsec HA. The number of seconds between DPD messages is 10, and the number of seconds between DPD retries is 5. DPD messages are to be sent at regular intervals.

crypto isakmp keepalive 10 5 periodic

Related Commands

Command	Description
acl	Configures split tunneling.

crypto isakmp key

To configure a preshared authentication key, use the crypto isakmp key command in global configuration mode. To delete a preshared authentication key, use the no form of this command.

crypto isakmp key enc-type-digit keystring {address peer-address [mask] | ipv6 ipv6-address/ipv6-prefix | hostname hostname} [no-xauth]

no crypto isakmp key enc-type-digit keystring {address peer-address [mask] | ipv6 ipv6-address/ipv6-prefix | hostname hostname} [no-xauth]

Syntax Description

enc-type-digit	Specifies whether the password to be used is encrypted or unencrypted. •0—Specifies that an unencrypted password follows. •6—Specifies that an encrypted password follows.
keystring	Specifies the preshared key. Use any combination of alphanumeric or special characters up to 128 bytes. Special characters include the following: !?"#$%&'()*+,-./:;<=>@[\]^_`~. (Type "CTRL-V" before the "?" symbol to avoid invoking help.) This preshared key must be identical at both peers.
address	Use this keyword if the remote peer Internet Security Association Key Management Protocol (ISAKMP) identity was set with its IP or IPv6 address. The peer-address argument specifies the IP or IPv6 address of the remote peer.
peer-address	Specifies the IP address of the remote peer.
mask	(Optional) Specifies the subnet address of the remote peer. (The argument can be used only if the remote peer ISAKMP identity was set with its IP address.)
ipv6	Specifies that an IPv6 address of a remote peer will be used.
ipv6-address	IPv6 address of the remote peer. This argument must be in the form documented in RFC 2373 where the address is specified in hexadecimal using 16-bit values between colons.
ipv6-prefix	IPv6 prefix of the remote peer.
hostname hostname	Fully qualified domain name (FQDN) of the peer. The hostname keyword and hostname argument are not supported by IPv6.
no-xauth	(Optional) Use this keyword if router-to-router IP Security (IPSec) is on the same crypto map as a Virtual Private Network (VPN)-client-to-Cisco-IOS IPSec. This keyword prevents the router from prompting the peer for extended authentication (Xauth) information (username and password).

Command Default

There is no default preshared authentication key.

Command Modes

Global configuration

Command History

Release	Modification
11.3T	This command was introduced.
12.1(1)T	The mask argument was added.
12.2(4)T	The no-xauth keyword was added.
12.3(2)T	This command was modified so that output shows that the preshared key is either encrypted or unencrypted.
12.2(18)SXD	This command was integrated into Cisco IOS Release 12.2(18)SXD.
12.4(4)T	The ipv6 keyword and the ipv6-address and ipv6-prefix arguments were added.

Usage Guidelines

You must use this command to configure a key whenever you specify preshared keys in an Internet Key Exchange (IKE) policy; you must enable this command at both peers.

If an IKE policy includes preshared keys as the authentication method, these preshared keys must be configured at both peers—otherwise the policy cannot be used (the policy will not be submitted for matching by the IKE process). The crypto isakmp key command is the second task required to configure the preshared keys at the peers. (The first task is accomplished using the crypto isakmp identity command.)

Use the address keyword if the remote peer ISAKMP identity was set with its IP address.

With the address keyword, you can also use the mask argument to indicate the remote peer ISAKMP identity will be established using the preshared key only. If the mask argument is used, preshared keys are no longer restricted between two users.

---

Note If you specify mask, you must use a subnet address. (The subnet address 0.0.0.0 is not recommended because it encourages group preshared keys, which allow all peers to have the same group key, thereby reducing the security of your user authentication.)

---

When using IKE main mode, preshared keys are indexed by IP address only because the identity payload has not yet been received. This means that the hostname keyword in the identity statement is not used to look up a preshared key and will be used only when sending and processing the identity payloads later in the main mode exchange. The identity keyword can be used when preshared keys are used with IKE aggressive mode, and keys may be indexed by identity types other than IP address as the identity payload is received in the first IKE aggressive mode packet.

If crypto isakmp identity hostname is configured as identity, the preshared key must be configured with the peer's IP address for the process to work when using IKE in main mode.

Use the no-xauth keyword to prevent the router from prompting the peer for Xauth information (username and password). This keyword disables Xauth for static IPSec peers. The no-xauth keyword should be enabled when configuring the preshared key for router-to-router IPSec—not VPN-client-to-Cisco-IOS IPSec.

Output for the crypto isakmp key command will show that the preshared key is either encrypted or unencrypted. An output example for an unencrypted preshared key would be as follows:

crypto isakmp key test123 address 10.1.0.1

An output example for a type 6 encrypted preshared key would be as follows:

crypto isakmp key 6 RHZE[JACMUI\bcbTdELISAAB address 10.1.0.1

Examples

In the following example, the remote peer "RemoteRouter" specifies an ISAKMP identity by address: