-
Cisco IOS XR System Security Command Reference, Release 3.3
-
Preface
-
Authentication, Authorization, and Accounting Commands on Cisco IOS XR Software
-
Internet Key Exchange Security Protocol Commands on Cisco IOS XR Software
-
IPSec Network Security Commands on Cisco IOS XR Software
-
Public Key Infrastructure Commands on Cisco IOS XR Software
-
Secure Shell Commands on Cisco IOS XR Software
-
Secure Socket Layer Protocol Commands on Cisco IOS XR Software
-
Software Authentication Manager Commands on Cisco IOS XR Software
-
Key Chain Management Commands on Cisco IOS XR Software
-
Index
-
Table Of Contents
Internet Key Exchange Security Protocol Commands on Cisco IOS XR Software
crypto isakmp client configuration group
show crypto key pubkey-chain rsa
Internet Key Exchange Security Protocol Commands on Cisco IOS XR Software
This module describes the Cisco IOS XR software commands used to configure the Internet Key Exchange (IKE) security protocol.
For detailed information about IKE concepts, configuration tasks, and examples, see the Implementing Internet Key Exchange Security Protocol on Cisco IOS XR Software configuration module.
acl
To configure split tunneling, use the acl command in ISAKMP group configuration mode. To remove this command from your configuration and restore the default value, use the no form of this command.
acl acl-name
no acl acl-name
Syntax Description
acl-name
Specifies a group of access control list (ACL) rules that represent protected subnets for split tunneling purposes.
Defaults
Split tunneling is not enabled; all data is sent through the Virtual Private Network (VPN) tunnel.
Command Modes
ISAKMP group configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the acl command to specify which groups of ACLs represent protected subnets for split tunneling. Split tunneling is the ability to have a secure tunnel to the central site and simultaneous clear text tunnels to the Internet.
Task ID
Examples
The following example shows how to correctly apply split tunneling for the group name cisco. In this example, all traffic sourced from the client and destined to the subnet 192.168.1.0 are sent through the VPN tunnel.
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp client configuration group ciscoRP/0/RP0/CPU0:router(isakmp-group)# key ciscoRP/0/RP0/CPU0:router(isakmp-group)# acl group1!RP/0/RP0/CPU0:router(config)# access-list 199 permit ip 192.168.1.0 0.0.0.255 anyRelated Commands
address
To specify the IP address for the Rivest, Shamir, and Adelman (RSA) public key of the remote peer you manually configure, use the address command in public key configuration mode. To remove the IP address of the remote peer, use the no form of this command.
address ip-address
no address ip-address
Syntax Description
Defaults
No default behavior or values
Command Modes
Public key configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the address command with the named-key command to specify the RSA public key for the IP Security (IPSec) peer you manually configure next. This command should be used only when the router has a single interface that processes IPSec.
Task ID
Examples
The following example manually specifies the RSA public keys of an IPSec peer:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto key pubkey-chain rsaRP/0/RP0/CPU0:router(config-pubkey-chain)# named-key otherpeer.example.comRP/0/RP0/CPU0:router(config-pubkey-key)# address 10.5.5.1RP/0/RP0/CPU0:router(config-pubkey-key)# key-string 005C300D 06092A86 4886F70D 01010105RP/0/RP0/CPU0:router(config-pubkey-key)# key-string 005C300D 06092A86 4886F70D 01010105RP/0/RP0/CPU0:router(config-pubkey-key)# key-string 00034B00 30480241 00C5E23B 55D6AB22RP/0/RP0/CPU0:router(config-pubkey-key)# key-string 04AEF1BA A54028A6 9ACC01C5 129D99E4RP/0/RP0/CPU0:router(config-pubkey-key)# key-string 64CAB820 847EDAD9 DF0B4E4C 73A05DD2RP/0/RP0/CPU0:router(config-pubkey-key)# key-string BD62A8A9 FA603DD2 E2A8A6F8 98F76E28RP/0/RP0/CPU0:router(config-pubkey-key)# key-string D58AD221 B583D7A4 71020301 0001RP/0/RP0/CPU0:router(config-isakmp)# exitRelated Commands
addressed-key
To specify the Rivest, Shamir, and Adelman (RSA) public key for the peer you manually configure, use the addressed-key command in public key chain configuration mode. To remove the encryption or signature public key pair of the remote peer, use the no form of this command.
addressed-key key-address [encryption | signature]
no addressed-key key-address [encryption | signature]
Syntax Description
Defaults
If neither the encryption nor the signature keyword is used, general-purpose keys are specified.
Command Modes
Public key chain configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the addressed-key command or the named-key command to specify the RSA public key you manually configure for the next IP Security (IPSec) peer.
Follow the addressed-key command with the key-string command to specify the key. If the IPSec remote peer generated general-purpose RSA keys, do not use the encryption or signature keyword.
If the IPSec remote peer generated special-usage keys, you must manually specify both keys. Use the addressed-key command and the key-string command twice and use the encryption and signature keywords, respectively.
Task ID
Examples
The following example shows how to manually specify the RSA public keys of two IPSec peers. The peer at 10.5.5.1 uses general-purpose keys.
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto key pubkey-chain rsaRP/0/RP0/CPU0:router(config-pubkey-chain)# addressed-key 10.5.5.1RP/0/RP0/CPU0:router(config-pubkey-key)# address 10.5.5.1RP/0/RP0/CPU0:router(config-pubkey-key)# key-string 005C300D 06092A86 4886F70D 01010105RP/0/RP0/CPU0:router(config-pubkey-key)# key-string 00034B00 30480241 00C5E23B 55D6AB22RP/0/RP0/CPU0:router(config-pubkey-key)# key-string 04AEF1BA A54028A6 9ACC01C5 129D99E4RP/0/RP0/CPU0:router(config-pubkey-key)# key-string 64CAB820 847EDAD9 DF0B4E4C 73A05DD2RP/0/RP0/CPU0:router(config-pubkey-key)# key-string BD62A8A9 FA603DD2 E2A8A6F8 98F76E28RP/0/RP0/CPU0:router(config-pubkey-key)# key-string D58AD221 B583D7A4 71020301 0001Related Commands
authentication (IKE policy)
To specify the authentication method within an Internet Key Exchange (IKE) policy, use the authentication command in ISAKMP policy configuration mode. To reset the authentication method to the default value, use the no form of this command.
authentication {pre-share | rsa-sig | rsa-encr}
no authentication {pre-share | rsa-sig | rsa-encr}
Syntax Description
Defaults
RSA signatures
Command Modes
ISAKMP policy configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
IKE policies define a set of parameters to be used during IKE negotiation. Use the authentication command to specify the authentication method to be used in an IKE policy. If you specify preshared keys, you must also separately configure these preshared keys.
If you specify RSA encrypted nonces, you must ensure that each peer has the RSA public keys of the other peers. (See the address, addressed-key, crypto key pubkey-chain rsa, key-string, and named-key commands.)
If you specify RSA signatures, you must configure your peer routers to obtain certificates from a certification authority (CA).
Task ID
Examples
The following example shows how to configure an IKE policy with preshared keys as the authentication method (and with all other parameters set to the defaults):
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp policy 15RP/0/RP0/CPU0:router(config-isakmp)# authentication pre-shareThe following example shows how to configure an IKE policy with RSA encrypted keys as the authentication method (and with all other parameters set to the defaults):
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp policy 15RP/0/RP0/CPU0:router(config-isakmp)# authentication rsa-encrThe following example configures an IKE policy with RSA signatures as the authentication method (and with all other parameters set to the defaults):
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp policy 15RP/0/RP0/CPU0:router(config-isakmp)# authentication rsa-sigRelated Commands
clear crypto isakmp
To clear active Internet Key Exchange (IKE) connections, use the clear crypto isakmp command in EXEC mode.
clear crypto isakmp [connection-id]
Syntax Description
connection-id
(Optional) Name of connection to clear. If this argument is not used, all existing connections are cleared.
Defaults
No default behavior or values
Command Modes
EXEC
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Note
If the connection-id argument is not used, all existing IKE connections are cleared when this command is issued.
Task ID
Examples
The following example shows how to clear an IKE connection between two peers connected by interfaces 172.21.114.123 and 172.21.114.67:
RP/0/RP0/CPU0:router# show crypto isakmp sadst src state conn-id nodeid172.21.114.123 172.21.114.67 QM_IDLE 1 0172.0.0.2 172.0.0.1 QM_IDLE 8 0RP/0/RP0/CPU0:router# configure terminalEnter configuration commands, one per line. End with CNTL/Z.RP/0/RP0/CPU0:router# clear crypto isakmp 1RP/0/RP0/CPU0:router# show crypto isakmp sadst src state conn-id nodeid172.0.0.2 172.0.0.1 QM_IDLE 8 0Related Commands
crypto isakmp chkpt-disabled
To disable Internet Key Exchange (IKE) checkpointing, use the crypto isakmp chkpt-disabled command in global configuration mode. To reenable checkpointing, use the no form of this command.
crypto isakmp chkpt-disabled
no crypto isakmp chkpt-disabled
Syntax Description
This command has no arguments or keywords.
Defaults
IKE checkpointing is enabled.
Command Modes
Global configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
IKE checkpoints security associations in the local database. If an IKE process restarts, security associations are retrieved from the local database and need not be reestablished with remote peers.
Task ID
Examples
In the following example, IKE checkpointing is disabled:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp chkpt-disabledcrypto isakmp client configuration group
To include the configuration of a local group profile, use the crypto isakmp client configuration group command in global configuration mode.
crypto isakmp client configuration group group-name
Syntax Description
Defaults
No default behavior or values
Command Modes
Global configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
The key command must be enabled if the client identifies itself with a preshared key.
The following commands are available in the IKE group policy configuration mode:
•
•
Task ID
Examples
The following example shows how to include the configuration of a local group profile with the group name marketing:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp client configuration group marketingRelated Commands
Configures split tunneling.
Configures the IPSec profile.
Defines an IKE policy.
Specifies the IKE preshared key for group policy attribute definition.
crypto isakmp enable
To globally enable Internet Key Exchange (IKE) at your peer router, use the crypto isakmp enable command in global configuration mode. To disable IKE at the peer, use the no form of this command.
crypto isakmp enable
no crypto isakmp enable
Syntax Description
This command has no arguments or keywords.
Defaults
IKE is disabled.
Command Modes
Global configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
IKE need not be enabled for individual interfaces, but is enabled globally for all interfaces at the router.
Task ID
Examples
The following example shows how to disable IKE at one peer:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# no crypto isakmp enablecrypto isakmp identity
To specify the identity used by the router when participating in the Internet Key Exchange (IKE) protocol, use the crypto isakmp identity command in global configuration mode. To reset the Internet Security Association Key Management Protocol (ISAKMP) identity to the default value (address), use the no form of this command.
crypto isakmp identity {address | hostname}
no crypto isakmp identity
Syntax Description
Defaults
The IP address is used for the ISAKMP identity.
Command Modes
Global configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the crypto isakmp identity command to specify an ISAKMP identity either by IP address or by host name. As a general rule, you should set all identities for peers in the same way—either by IP address or by host name.
Set an ISAKMP identity whenever you specify preshared keys.
Use the address keyword when only one interface (and therefore only one IP address) is used by the peer for IKE negotiations, and the IP address is known.
Use the hostname keyword if more than one interface on the peer might be used for IKE negotiations, or if the IP address for the interface is unknown (such as with dynamically assigned IP addresses).
Task ID
Examples
The following example shows how to use preshared keys at two peers and set both their ISAKMP identities to the IP address.
At the local peer (at 10.0.0.1), the ISAKMP identity is set and the preshared key is specified.
RP/0/RP0/CPU0:router(config)# crypto isakmp identity addressRP/0/RP0/CPU0:router(config)# crypto isakmp key sharedkeystring address 10.0.0.1At the remote peer (at 192.168.1.33), the ISAKMP identity is set and the same preshared key is specified.
RP/0/RP0/CPU0:router(config)# crypto isakmp identity addressRP/0/RP0/CPU0:router(config)# crypto isakmp key sharedkeystring address 192.168.1.33
Note
The following example shows how to use preshared keys at two peers and set both their ISAKMP identities to the host name.
At the local peer, the ISAKMP identity is set and the preshared key is specified.
RP/0/RP0/CPU0:router(config)# crypto isakmp identity hostnameRP/0/RP0/CPU0:router(config)# crypto isakmp key sharedkeystring hostnameAt the remote peer, the ISAKMP identity is set and the same preshared key is specified.
RP/0/RP0/CPU0:router(config)# crypto isakmp identity hostnameRP/0/RP0/CPU0:router(config)# crypto isakmp key sharedkeystring hostnameRelated Commands
Specifies the authentication method within an IKE policy.
Configures a preshared authentication key.
crypto isakmp keepalive
To use the Internet Key Exchange (IKE) security association (SA) feature for providing a mechanism for detecting loss of connectivity between two IP Security (IPSec) peers, use the crypto isakmp keepalive command in global configuration mode. To disable this feature, use the no form of this command.
crypto isakmp keepalive seconds retry-seconds
no crypto isakmp keepalive
Syntax Description
seconds
Number of seconds between keepalive messages. The range is from 10 to 3600.
retry-seconds
Number of seconds between retries if keepalive fails. The range is from 2 to 60.
Defaults
IKE does not send keepalive messages until specified by this command.
Command Modes
Global configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
If IKE does not receive the keepalive acknowledge message from the peer after four tries, IKE concludes that it has lost connectivity with its peer.
Task ID
Examples
The following example shows how to set the number of seconds between keepalive messages to 20 seconds, and the number of seconds between retries to 20 seconds if keepalive fails:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp keepalive 20 20Related Commands
crypto isakmp key
To configure a preshared authentication key, use the crypto isakmp key command in global configuration mode. To delete a preshared authentication key, use the no form of this command.
crypto isakmp key keystring {address peer-address [subnet-address] | hostname peer-hostname}
no crypto isakmp key keystring {address peer-address | hostname peer-hostname}
Syntax Description
Defaults
There is no default preshared authentication key.
Command Modes
Global configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
You must configure this key whenever you specify preshared keys in an Internet Key Exchange (IKE) policy. You must enter the crypto isakmp key command at both peers.
If an IKE policy includes preshared keys as the authentication method, these preshared keys must be configured at both peers—otherwise the policy cannot be used (the policy is not submitted for matching by the IKE process). The crypto isakmp key command is the second task required to configure the preshared keys at the peers. (The first task is accomplished with the crypto isakmp identity command.)
Use the command form with the address keyword if the remote peer previously set its ISAKMP identity with its IP address.
With the address keyword, you can also use the subnet-address argument to indicate that the remote peer ISAKMP identity is established using the preshared key only. If the subnet-address argument is used, preshared keys are no longer restricted between two users.
Note
Use the hostname keyword if the remote peer previously set its ISAKMP identity with its hostname.
With the hostname keyword, you might also need to map the host name of the remote peer to all IP addresses of the remote peer interfaces that could be used during the IKE negotiation. You need to map the host name to the IP address except when this mapping is already done in a Domain Name System or service (DNS) server.
Task ID
Examples
In the following example, the local peer specifies the preshared key and designates the remote peer by its IP address and a mask:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp key sharedkeystring address 172.16.0.2 255.255.255.254The remote peer specifies the same preshared key and designates the local peer by its host name:
RP/0/RP0/CPU0:router(config)# crypto isakmp key sharedkeystring hostname LocalRouter.domain.comNow, the preshared key must be specified at each peer.
In the following example, the local peer specifies the preshared key and designates the remote peer by its IP address and a mask:
RP/0/RP0/CPU0:router(config)# crypto isakmp key sharedkeystring address 172.21.230.33 255.255.255.255In the following example, the remote peer specifies the same preshared key and designates the local peer by its host name:
RP/0/RP0/CPU0:router(config)# crypto isakmp key sharedkeystring hostname LocalRouter.example.comRelated Commands
Specifies the authentication method within an IKE policy.
Defines the identity the router uses when participating in the IKE protocol.
crypto isakmp policy
To define an Internet Key Exchange (IKE) policy, use the crypto isakmp policy command in global configuration mode. To delete an IKE policy, use the no form of this command.
crypto isakmp policy priority
no crypto isakmp policy priority
Syntax Description
priority
Value that uniquely identifies the IKE policy and assigns a priority to the policy. Use an integer from 1 to 10000, with 1 being the highest priority and 10000 the lowest.
Defaults
There is a default policy, which always has the lowest priority. The default policy contains default values for the encryption, hash, authentication, Diffie-Hellman group, and lifetime parameters. (The parameter defaults are listed in the "Usage Guidelines" section.) When you create an IKE policy, the default for a particular parameter is used if no value is specified.
Command Modes
Global configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the crypto isakmp policy command to specify the parameters to use during an IKE negotiation. (These parameters create the IKE security association [SA].)
The crypto isakmp policy command enters ISAKMP policy configuration mode. The following commands are available in this mode to specify the parameters in the policy:
•
•
•
–
–
–
•
•
•
If you do not specify one of these commands for a policy, the default value is used for that parameter.
To exit ISAKMP policy configuration mode, enter exit.
You can configure multiple IKE policies on each peer participating in IP Security (IPSec). When the IKE negotiation begins, it tries to find a common policy configured on both peers, starting with the highest priority policies as specified on the remote peer.
Task ID
Examples
The following example shows how to configure two policies for the peer:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp policy 15RP/0/RP0/CPU0:router(config-isakmp)# hash md5RP/0/RP0/CPU0:router(config-isakmp)# authentication rsa-sigRP/0/RP0/CPU0:router(config-isakmp)# group 2RP/0/RP0/CPU0:router(config-isakmp)# lifetime 5000RP/0/RP0/CPU0:router(config-isakmp)# exitRP/0/RP0/CPU0:router(config)# crypto isakmp policy 20RP/0/RP0/CPU0:router(config-isakmp)# authentication pre-shareRP/0/RP0/CPU0:router(config-isakmp)# lifetime 10000RP/0/RP0/CPU0:router(config-isakmp)# exitThe configuration results in the following policies:
Protection suite priority 15encryption algorithm: DES - Data Encryption Standard (56 bit keys)hash algorithm: Message Digest 5authentication method: Rivest-Shamir-Adelman SignatureDiffie-Hellman Group: #2 (1024 bit)lifetime: 5000 seconds, no volume limitProtection suite priority 20encryption algorithm: DES - Data Encryption Standard (56 bit keys)hash algorithm: Secure Hash Standardauthentication method: Pre-Shared KeyDiffie-Hellman Group: #1 (768 bit)lifetime: 10000 seconds, no volume limitDefault protection suiteencryption algorithm: DES - Data Encryption Standard (56 bit keys)hash algorithm: Secure Hash Standardauthentication method: Rivest-Shamir-Adleman SignatureDiffie-Hellman Group: #1 (768 bit)lifetime: 86400 seconds, no volume limitIKE policy 15 is the highest priority, and the default policy is the lowest priority.
Related Commands
crypto key pubkey-chain rsa
To enter public key chain configuration mode when you need to manually specify Rivest, Shamir, and Adelman (RSA) public keys for other IP Security (IPSec) peers, use the crypto key pubkey-chain rsa command in global configuration mode. To remove the RSA public key pair chain, use the no form of this command.
crypto key pubkey-chain rsa
no crypto key pubkey-chain rsa
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
Global configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
You must specify the keys for the other peer when you configure RSA encrypted nonces as the authentication method in an Internet Key Exchange (IKE) policy at your peer router.
Task ID
Examples
The following example shows how to specify the RSA public keys of two other IPSec peers. Each remote peers use its IP address as its identity.
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto key pubkey-chain rsaRP/0/RP0/CPU0:router(config-pubkey-chain)# addressed-key 10.5.5.1RP/0/RP0/CPU0:router(config-pubkey-key)# key-string 005C300D 06092A86 4886F70D 01010105RP/0/RP0/CPU0:router(config-pubkey-key)# key-string 00034B00 30480241 00C5E23B 55D6AB22RP/0/RP0/CPU0:router(config-pubkey-key)# key-string 04AEF1BA A54028A6 9ACC01C5 129D99E4RP/0/RP0/CPU0:router(config-pubkey-key)# key-string 64CAB820 847EDAD9 DF0B4E4C 73A05DD2RP/0/RP0/CPU0:router(config-pubkey-key)# key-string BD62A8A9 FA603DD2 E2A8A6F8 98F76E28RP/0/RP0/CPU0:router(config-pubkey-key)# key-string D58AD221 B583D7A4 71020301 0001RP/0/RP0/CPU0:router(config-pubkey-key)# exitRP/0/RP0/CPU0:router(config-pubkey-chain)# addressed-key 10.1.1.2RP/0/RP0/CPU0:router(config-pubkey-key)# key-string 0738BC7A 2BC3E9F0 679B00FE 53987BCCRP/0/RP0/CPU0:router(config-pubkey-key)# key-string 0738BC7A 2BC3E9F0 679B00FE 53987BCCRP/0/RP0/CPU0:router(config-pubkey-key)# key-string 01030201 42DD06AF E228D24C 458AD228RP/0/RP0/CPU0:router(config-pubkey-key)# key-string 58BB5DDD F4836401 2A2D7163 219F882ERP/0/RP0/CPU0:router(config-pubkey-key)# key-string 64CE69D4 B583748A 241BED0F 6E7F2F16RP/0/RP0/CPU0:router(config-pubkey-key)# key-string 0DE0986E DF02031F 4B0B0912 F68200C4RP/0/RP0/CPU0:router(config-pubkey-key)# key-string C625C389 0BFF3321 A2598935 C1B1RP/0/RP0/CPU0:router(config-pubkey-key)# exitRelated Commands
description (IKE policy)
To create a description for an Internet Key Exchange (IKE) policy, use the description command in ISAKMP policy configuration mode. To delete an IKE policy description, use the no form of this command.
description string
no description
Syntax Description
Defaults
The default description is blank.
Command Modes
ISAKMP policy configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the description command inside the ISAKMP policy configuration submode to create a description for an IKE policy.
Task ID
Examples
The following example shows the creation of an IKE policy description:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp policy 15RP/0/RP0/CPU0:router(config-isakmp)# description this is a sample IKE policyencryption (IKE policy)
To specify the encryption algorithm within an Internet Key Exchange (IKE) policy, use the encryption command in ISAKMP policy configuration mode. To reset the encryption algorithm to the default value, use the no form of this command.
encryption {des | 3des | aes | aes 192 | aes 256}
no encryption
Syntax Description
Defaults
The 56-bit DES-CBC encryption algorithm (des).
Command Modes
ISAKMP policy configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
IKE policies define a set of parameters to be used during IKE negotiation. Use the encryption command to specify the encryption algorithm to be used in an IKE policy.
Task ID
Examples
The following example shows how to configure an IKE policy with the 3DES encryption algorithm (and with all other parameters set to the defaults):
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp policy 15RP/0/RP0/CPU0:router(config-isakmp)# encryption 3desRelated Commands
group (IKE policy)
To specify the Diffie-Hellman group identifier within an Internet Key Exchange (IKE) policy, use the group command in ISAKMP policy configuration mode. To reset the Diffie-Hellman group identifier to the default value, use the no form of this command.
group {1 | 2 | 5}
no group
Syntax Description
1
Specifies the 768-bit Diffie-Hellman group. This option is the default.
2
Specifies the 1024-bit Diffie-Hellman group.
5
Specifies the 1536-bit Diffie-Hellman group.
Defaults
768-bit Diffie-Hellman (group 1)
Command Modes
ISAKMP policy configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
IKE policies define a set of parameters to be used during IKE negotiation. Use this command to specify the Diffie-Hellman group to be used in an IKE policy.
Task ID
Examples
The following example shows how to configure an IKE policy with the 1024-bit Diffie-Hellman group (all other parameters are set to the defaults):
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp policy 15RP/0/RP0/CPU0:router(config-isakmp)# group 2Related Commands
hash (IKE policy)
To specify the hash algorithm within an Internet Key Exchange (IKE) policy, use the hash command in ISAKMP policy configuration mode. To reset the hash algorithm to the default SHA-1 hash algorithm, use the no form of this command.
hash {sha | md5}
no hash
Syntax Description
sha
Specifies SHA-1 (Hashed Message Authentication Code [HMAC]) as the hash algorithm. This option is the default.
md5
Specifies Message Digest 5 (MD5) (HMAC variant) as the hash algorithm.
Defaults
SHA-1 hash algorithm
Command Modes
ISAKMP policy configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the hash command to specify the hash algorithm to be used in an IKE policy. IKE policies define a set of parameters to be used during IKE negotiation.
Task ID
Examples
The following example shows how to configure an IKE policy with the MD5 hash algorithm (all other parameters are set to the defaults):
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp policy 15RP/0/RP0/CPU0:router(config-isakmp)# hash md5Related Commands
key (IKE)
To specify the Internet Key Exchange (IKE) preshared key for group policy attribute definition, use the key command in ISAKMP group configuration mode. To remove a preshared key, use the no form of this command.
key preshared-key
no key preshared-key
Syntax Description
Defaults
No default behavior or values
Command Modes
ISAKMP group configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the key command to specify the IKE preshared key when defining group policy information for mode configuration push. (It follows the crypto isakmp client configuration group command.) You must configure the key command if the client identifies itself to the router with a preshared key. (You need not enable this command if the client uses a certificate for identification.)
Task ID
Examples
The following example shows how to specify the preshared key named cisco:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp client configuration group defaultRP/0/RP0/CPU0:router(config-group)# key ciscoRP/0/RP0/CPU0:router(config-group)# acl group1Related Commands
key-string (IKE)
To manually specify the Rivest, Shamir, and Adelman (RSA) public key of a remote peer, use the key-string command in public key configuration mode.
key-string key-string
Syntax Description
Defaults
No default behavior or values
Command Modes
Public key configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the key-string command to manually specify the RSA public key of an IP Security (IPSec) peer. Before using this command, you must identify the remote peer using either the addressed-key or named-key command.
To avoid mistakes, you should cut and paste the key data (instead of attempting to type in the data).
On each line you enter a key, you must enter key-string before the key. When you finish specifying the RSA key, you must return to global configuration mode by entering exit at the config-pubkey-key prompt.
Task ID
Examples
The following example shows how to manually specify the RSA public keys of an IPSec peer:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto key pubkey-chain rsaRP/0/RP0/CPU0:router(config-pubkey-chain)# named-key otherpeer.example.comRP/0/RP0/CPU0:router(config-pubkey-key)# address 10.5.5.1RP/0/RP0/CPU0:router(config-pubkey-key)# key-string 005C300D 06092A86 4886F70D 01010105RP/0/RP0/CPU0:router(config-pubkey-key)# key-string 00034B00 30480241 00C5E23B 55D6AB22RP/0/RP0/CPU0:router(config-pubkey-key)# key-string 04AEF1BA A54028A6 9ACC01C5 129D99E4RP/0/RP0/CPU0:router(config-pubkey-key)# key-string 64CAB820 847EDAD9 DF0B4E4C 73A05DD2RP/0/RP0/CPU0:router(config-pubkey-key)# key-string BD62A8A9 FA603DD2 E2A8A6F8 98F76E28RP/0/RP0/CPU0:router(config-pubkey-key)# key-string D58AD221 B583D7A4 71020301 0001RP/0/RP0/CPU0:router(config-pubkey-key)# exitRelated Commands
lifetime (IKE policy)
To specify the lifetime of an Internet Key Exchange (IKE) security association (SA), use the lifetime command in ISAKMP policy configuration mode. To reset the SA lifetime to the default value, use the no form of this command.
lifetime seconds
no lifetime
Syntax Description
seconds
Length of time (in seconds) that each SA should exist before expiring. Use an integer from 60 to 86400 seconds.
Defaults
seconds: 86400 seconds (1 day)
Command Modes
ISAKMP policy configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the lifetime command to specify how long an IKE SA exists before expiring.
When IKE begins negotiations, it first agrees upon the security parameters for its own session. The agreed-upon parameters are then referenced by an SA at each peer. The SA is retained by each peer until the lifetime of the SA expires. Before an SA expires, it can be reused by subsequent IKE negotiations, which can save time when new IP Security (IPSec) SAs are set up.
To save setup time for IPSec, configure a longer IKE SA lifetime. However, shorter lifetimes limit the exposure to attackers of this SA. The longer an SA is used, the more encrypted traffic can be gathered by an attacker and possibly used in an attack.
Note
Task ID
Examples
The following example shows how to configure an IKE policy with an SA lifetime of 600 seconds (all other parameters are set to the defaults):
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp policy 15RP/0/RP0/CPU0:router(config-isakmp)# lifetime 600Related Commands
named-key
To specify the Rivest, Shamir, and Adelman (RSA) public key for the peer you will manually configure, use the named-key command in public key chain configuration mode. To remove the encryption or signature public key pair of the remote peer, use the no form of this command.
named-key key-name [encryption | signature]
no named-key key-name [encryption | signature]
Syntax Description
Defaults
If neither the encryption nor the signature keyword is used, general-purpose keys are specified.
Command Modes
Public key chain configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the named-key command or the addressed-key command to specify the RSA public key you manually configure for the next IP Security (IPSec) peer.
Follow the named-key command with the key-string command to specify the key.
If you use the named-key command, you also need to use the address command to specify the IP address of the peer.
If the IPSec remote peer generated general-purpose RSA keys, do not use the encryption or signature keyword.
If the IPSec remote peer generated special-usage keys, you must manually specify both keys. Use this command and the key-string command twice and use the encryption and signature keywords, respectively.
Task ID
Examples
The following example shows how to manually specify the RSA public keys of two IPSec peers. The peer at 10.5.5.1 uses general-purpose keys, and the other peer uses special-usage keys.
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto key pubkey-chain rsaRP/0/RP0/CPU0:router(config-pubkey-chain)# named-key otherpeer.example.comaddress 10.5.5.1key-string 005C300D 06092A86 4886F70D 01010105key-string 005C300D 06092A86 4886F70D 01010105key-string 00034B00 30480241 00C5E23B 55D6AB22key-string 04AEF1BA A54028A6 9ACC01C5 129D99E4key-string 64CAB820 847EDAD9 DF0B4E4C 73A05DD2key-string BD62A8A9 FA603DD2 E2A8A6F8 98F76E28key-string D58AD221 B583D7A4 71020301 0001exitaddressed-key 10.1.1.2 encryptionkey-string 00302017 4A7D385B 1234EF29 335FC973key-string 00302017 4A7D385B 1234EF29 335FC973key-string 2DD50A37 C4F4B0FD 9DADE748 429618D5key-string 18242BA3 2EDFBDD3 4296142A DDF7D3D8key-string 08407685 2F2190A0 0B43F1BD 9A8A26DBkey-string 07953829 791FCDE9 A98420F0 6A82045Bkey-string 90288A26 DBC64468 7789F76E EE21exitaddressed-key 10.1.1.2 signaturekey-string 0738BC7A 2BC3E9F0 679B00FE 098533ABkey-string 0738BC7A 2BC3E9F0 679B00FE 098533ABkey-string 01030201 42DD06AF E228D24C 458AD228key-string 58BB5DDD F4836401 2A2D7163 219F882Ekey-string 64CE69D4 B583748A 241BED0F 6E7F2F16key-string 0DE0986E DF02031F 4B0B0912 F68200C4key-string C625C389 0BFF3321 A2598935 C1B1exitRelated Commands
show crypto isakmp key
To display the Internet Security Association and Key Management Protocol (ISAKMP) preshared keys for a router, use the show crypto isakmp key command in EXEC mode.
show crypto isakmp key
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
EXEC
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Task ID
Examples
The following example shows how to display the IP hostname and address preshared keys:
RP/0/RP0/CPU0:router# show crypto isakmp keyHostname/Address Preshared Key10.1.1.1 abc10.1.1.2 cde10.1.1.3 123Table 10 describes the significant fields shown in the display.
Table 10 show crypto isakmp key Field Descriptions
Hostname/Address
IP hostname or address of the router.
Preshared Key
ISAKMP preshared key for the router.
show crypto isakmp policy
To display the parameters for each Internet Key Exchange (IKE) policy, use the show crypto isakmp policy command in EXEC mode.
show crypto isakmp policy
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
EXEC
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Task ID
Examples
The following is sample output from the show crypto isakmp policy command after two IKE policies have been configured (with priorities 15 and 20, respectively):
RP/0/RP0/CPU0:router# show crypto isakmp policyProtection suite priority 15encryption algorithm: DES - Data Encryption Standard (56 bit keys)hash algorithm: Message Digest 5authentication method: Rivest-Shamir-Adleman SignatureDiffie-Hellman Group: #2 (1024 bit)lifetime: 5000 seconds, no volume limitProtection suite priority 20encryption algorithm: DES - Data Encryption Standard (56 bit keys)hash algorithm: Secure Hash Standardauthentication method: preshared KeyDiffie-Hellman Group: #1 (768 bit)lifetime: 10000 seconds, no volume limitDefault protection suiteencryption algorithm: DES - Data Encryption Standard (56 bit keys)hash algorithm: Secure Hash Standardauthentication method: Rivest-Shamir-Adleman SignatureDiffie-Hellman Group: #1 (768 bit)lifetime: 86400 seconds, no volume limit
Note
Table 11 describes the significant fields shown in the display.
Related Commands
show crypto isakmp sa
To display all current Internet Key Exchange (IKE) security associations (SAs) at a peer, use the show crypto isakmp sa command in EXEC mode.
show crypto isakmp sa
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
EXEC
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Task ID
Examples
The following is sample output from the show crypto isakmp sa command, after IKE negotiations have been successfully completed between two peers:
RP/0/RP0/CPU0:router# show crypto isakmp sadst src state conn-id nodeid172.21.114.123 172.21.114.67 QM_IDLE 1 0172.16.0.2 172.16.0.1 QM_IDLE 8 0Table 12 describes the fields shown in the display.
Table 12 show crypto isakmp sa Field Descriptions
dst
Destination IP address.
src
Source IP address.
conn-id
Connection ID.
nodeid
Node ID.
Table 13 shows the various states that may be displayed in the output of the show crypto isakmp sa command. When an Internet Security Association and Key Management Protocol (ISAKMP) SA exists, it is most likely in its quiescent state (QM_IDLE). For long exchanges, some MM_xxx states may be observed.
Related Commands
show crypto key pubkey-chain rsa
To display the Rivest, Shamir, and Adelman (RSA) public keys stored on your router for the peer, use the show crypto key pubkey-chain rsa command in EXEC mode.
show crypto key pubkey-chain rsa [name key-name | address key-address]
Syntax Description
name key-name
(Optional) Displays the name of a particular public key.
address key-address
(Optional) Displays the address of a particular public key.
Defaults
All RSA public keys stored on your router is displayed.
Command Modes
EXEC
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use this command to display RSA public keys stored on your router. The display includes the RSA public keys for the peer that were manually configured at your router and keys received by your router through other means (such as by a certificate, if certification authority support is configured).
If a router reboots, any public key derived by certificates are lost because the router asks for certificates again, at which time the public key is derived again.
Use the name or address keyword to display details about a particular RSA public key stored on your router.
If no keyword is used, this command displays a list of all RSA public keys stored on your router.
Task ID
Examples
The following sample output is from the show crypto key pubkey-chain rsa command:
RP/0/RP0/CPU0:router# show crypto key pubkey-chain rsaCodes: M - Manually Configured, C - Extracted from certificateCode Usage IP-address NameM Signature 10.0.0.l myrouter.example.comM Encryption 10.0.0.1 myrouter.example.comC Signature 172.16.0.1 routerA.example.comC Encryption 172.16.0.1 routerA.example.comC General 192.168.10.3 routerB.domain1.comThe following example shows manually configured special-usage RSA public keys for the peer named somerouter. This example also shows three keys obtained from peer certificates: two special-usage keys for peer routerA and a general-purpose key for peer routerB.
Certificate support is used in the example; if certificate support were not in use, none of the peer keys would show "C" in the Code column, and would all need to be manually configured.
Table 14 describes the significant fields shown in the display.
The following sample output is from the show crypto key pubkey-chain rsa command for the name keyword that names the public key as somerouter.example.com:
RP/0/RP0/CPU0:router# show crypto key pubkey-chain rsa name somerouter.example.comKey name: somerouter.example.comKey address: 10.0.0.1Usage: Signature KeySource: ManualData:305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00C5E23B 55D6AB2204AEF1BA A54028A6 9ACC01C5 129D99E4 64CAB820 847EDAD9 DF0B4E4C 73A05DD2BD62A8A9 FA603DD2 E2A8A6F8 98F76E28 D58AD221 B583D7A4 71020301 0001Key name: somerouter.example.comKey address: 10.0.0.1Usage: Encryption KeySource: ManualData:00302017 4A7D385B 1234EF29 335FC973 2DD50A37 C4F4B0FD 9DADE748 429618D518242BA3 2EDFBDD3 4296142A DDF7D3D8 08407685 2F2190A0 0B43F1BD 9A8A26DB07953829 791FCDE9 A98420F0 6A82045B 90288A26 DBC64468 7789F76E EE21
Note
The following sample output is from the show crypto key pubkey-chain rsa command for address 192.168.10.3:
RP/0/RP0/CPU0:router# show crypto key pubkey-chain rsa address 192.168.10.3Key name: routerB.example.comKey address: 192.168.10.3Usage: General Purpose KeySource: CertificateData:0738BC7A 2BC3E9F0 679B00FE 53987BCC 01030201 42DD06AF E228D24C 458AD22858BB5DDD F4836401 2A2D7163 219F882E 64CE69D4 B583748A 241BED0F 6E7F2F160DE0986E DF02031F 4B0B0912 F68200C4 C625C389 0BFF3321 A2598935 C1B1The Source field in the example indicates "Certificate," meaning that the keys were received by the router by way of the certificate from the other router.
