-
Cisco IOS XR System Security Command Reference, Release 3.4
-
Preface
-
Authentication, Authorization, and Accounting Commands on Cisco IOS XR Software
-
Internet Key Exchange Security Protocol Commands on Cisco IOS XR Software
-
IPSec Network Security Commands on Cisco IOS XR Software
-
Public Key Infrastructure Commands on Cisco IOS XR Software
-
Secure Shell Commands on Cisco IOS XR Software
-
Secure Socket Layer Protocol Commands on Cisco IOS XR Software
-
Software Authentication Manager Commands on Cisco IOS XR Software
-
Key Chain Management Commands on Cisco IOS XR Software
-
Index
-
Table Of Contents
Internet Key Exchange Security Protocol Commands on Cisco IOS XR Software
clear crypto isakmp call admission statistics
crypto isakmp call admission limit
crypto isakmp client configuration group
show crypto isakmp call admission statistics
show crypto key pubkey-chain rsa
Internet Key Exchange Security Protocol Commands on Cisco IOS XR Software
This module describes the Cisco IOS XR software commands used to configure the Internet Key Exchange (IKE) security protocol.
For detailed information about IKE concepts, configuration tasks, and examples, see the Implementing Internet Key Exchange Security Protocol on Cisco IOS XR Software configuration module.
accounting (IKE)
To enable authentication, authorization, and accounting (AAA) services for all peers that connect through the ISAKMP profile, use the accounting command in ISAKMP profile configuration mode. To return to the default value, use the no form of this command.
accounting list-name
no accounting
Syntax Description
Defaults
The default value is no accounting.
Command Modes
ISAKMP profile configuration
Command History
Release 3.4.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Task ID
Examples
The following example shows how to create an accounting list:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp profile vpnprofileRP/0/RP0/CPU0:router(config-isa-prof)# accounting aaalistRelated Commands
acl
To configure split tunneling, use the acl command in ISAKMP group configuration mode. To remove this command from your configuration and restore the default value, use the no form of this command.
acl acl-name
no acl acl-name
Syntax Description
acl-name
Specifies a group of access control list (ACL) rules that represent protected subnets for split tunneling purposes.
Defaults
Split tunneling is not enabled; all data is sent through the Virtual Private Network (VPN) tunnel.
Command Modes
ISAKMP group configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the acl command to specify which groups of ACLs represent protected subnets for split tunneling. Split tunneling is the ability to have a secure tunnel to the central site and simultaneous clear text tunnels to the Internet.
Task ID
Examples
The following example shows how to correctly apply split tunneling for the group name cisco. In this example, all traffic sourced from the client and destined to the subnet 192.168.1.0 are sent through the VPN tunnel.
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp client configuration group ciscoRP/0/RP0/CPU0:router(config-group)# key ciscoRP/0/RP0/CPU0:router(config-group)# acl group1!RP/0/RP0/CPU0:router(config)# access-list 199 permit ip 192.168.1.0 0.0.0.255 anyRelated Commands
address
To specify the IP address for the Rivest, Shamir, and Adelman (RSA) public key of the remote peer you manually configure, use the address command in public key configuration mode. To remove the IP address of the remote peer, use the no form of this command.
address ip-address
no address ip-address
Syntax Description
Defaults
No default behavior or values
Command Modes
Public key configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the address command to specify the RSA public key for the IP Security (IPSec) peer you manually configure next.
When you finish specifying the RSA key, you must return to global configuration mode by entering quit at the public key configuration mode prompt.
Task ID
Examples
The following example manually specifies the RSA public keys of an IPSec peer:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto keyring vpnkeyRP/0/RP0/CPU0:router(config-keyring)# rsa-pubkey name host.vpn.comRP/0/RP0/CPU0:router(config-pubkey)# address 10.5.5.1RP/0/RP0/CPU0:router(config-pubkey)# key-string 005C300D 06092A86 4886F70D 01010105005C300D 06092A86 4886F70D 0101010500034B00 30480241 00C5E23B 55D6AB2204AEF1BA A54028A6 9ACC01C5 129D99E464CAB820 847EDAD9 DF0B4E4C 73A05DD2BD62A8A9 FA603DD2 E2A8A6F8 98F76E28D58AD221 B583D7A4 71020301 0001quitRelated Commands
authentication (IKE policy)
To specify the authentication method within an Internet Key Exchange (IKE) policy, use the authentication command in ISAKMP policy configuration mode. To reset the authentication method to the default value, use the no form of this command.
authentication {pre-share | rsa-sig | rsa-encr}
no authentication {pre-share | rsa-sig | rsa-encr}
Syntax Description
Defaults
RSA signatures
Command Modes
ISAKMP policy configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
IKE policies define a set of parameters during IKE negotiation. Use the authentication command to specify the authentication method in an IKE policy. If you specify preshared keys, you must also separately configure these preshared keys.
If you specify RSA encrypted nonces, you must ensure that each peer has the RSA public keys of the other peers. (See the address, rsa-pubkey, and key-string commands.)
If you specify RSA signatures, you must configure your peer routers to obtain certificates from a certification authority (CA).
Task ID
Examples
The following example shows how to configure an IKE policy with preshared keys as the authentication method (and with all other parameters set to the defaults):
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp policy 15RP/0/RP0/CPU0:router(config-isakmp)# authentication pre-shareThe following example shows how to configure an IKE policy with RSA encrypted keys as the authentication method (and with all other parameters set to the defaults):
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp policy 15RP/0/RP0/CPU0:router(config-isakmp)# authentication rsa-encrThe following example configures an IKE policy with RSA signatures as the authentication method (and with all other parameters set to the defaults):
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp policy 15RP/0/RP0/CPU0:router(config-isakmp)# authentication rsa-sigRelated Commands
backup-server
To specify the backup server, use the backup-server command in ISAKMP group configuration mode. To remove a backup server, use the no form of this command.
backup-server {ip-address | hostname}
no backup-server {ip-address | hostname}
Syntax Description
Defaults
A list of backup servers is not configured.
Command Modes
ISAKMP group configuration
Command History
Release 3.4.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Note
•
•
Task ID
Examples
The following example shows that server 10.1.1.1 has been configured as a backup server:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp client configuration group marketingRP/0/RP0/CPU0:router(config-group)# backup-server 10.1.1.1Related Commands
clear crypto isakmp
To clear active Internet Key Exchange (IKE) connections, use the clear crypto isakmp command in EXEC mode.
clear crypto isakmp [connection-id]
Syntax Description
connection-id
(Optional) Name of connection to clear. If this argument is not used, all existing connections are cleared.
Defaults
No default behavior or values
Command Modes
EXEC
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Note
Task ID
Examples
The following example shows how to clear an IKE connection between two peers connected by interfaces 172.21.114.123 and 172.21.114.67:
RP/0/RP0/CPU0:router# show crypto isakmp savrf dst src state conn-id nodeid---------- ------------ ------------ --------- ------- ------default 172.21.114.123 172.21.114.67 QM_IDLE 1 0default 172.0.0.2 172.0.0.1 QM_IDLE 8 0RP/0/RP0/CPU0:router# configure terminalEnter configuration commands, one per line. End with CNTL/Z.RP/0/RP0/CPU0:router# clear crypto isakmp 1RP/0/RP0/CPU0:router# show crypto isakmp savrf dst src state conn-id nodeid---------- ------------ ------------ --------- ------- ------default 172.0.0.2 172.0.0.1 QM_IDLE 8 0Related Commands
clear crypto isakmp call admission statistics
To clear ISAKMP call admission statistics, use the clear crypto isakmp call admission statistics command in EXEC mode.
clear crypto isakmp call isakmp call admission statistics
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
EXEC
Command History
Release 3.4.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Task ID
Examples
The following example shows how to clear call admission statistics:
RP/0/RP0/CPU0:router# clear crypto isakmp call admission statisticsRelated Commands
Displays the configuration for Call Admission Control (CAC) to the IKE protocol.
client authentication list
To apply extended authentication (Xauth) for Internet Key Exchange (IKE) interaction, use the client authentication list command in ISAKMP profile configuration mode. To remove Xauth, use the no form of this command.
client authentication list authen-list-name
no client authentication list authen-list-name
Syntax Description
authen-list-name
Username and password storage location (local or remote server) as defined in the aaa authentication command.
Defaults
No default behavior or values
Command Modes
ISAKMP profile configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Xauth allows all Cisco IOS XR software authentication, authorization, and accounting (AAA) methods to perform user authentication in a separate phase after the IKE authentication phase 1 exchange. For user authentication, the AAA configuration list name must match the Xauth configuration list name.
Task ID
Examples
In the following example, AAA username and password storage location information is applied from the list0 authentication list to a profile named sample:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp profile sampleRP/0/RP0/CPU0:router(config-isa-prof)# client authentication list list0Related Commands
crypto isakmp call admission limit
To deny incoming or outgoing session requests based on several metrics, use the crypto isakmp call admission limit command in global configuration mode. To disable this feature, use the no form of this command.
crypto isakmp call admission limit {cpu {total percent | ike percent} | in-negotiation-sa number | sa number}
no crypto isakmp call admission limit {cpu {total percent | ike percent} | in-negotiation-sa number | sa number}
Syntax Description
Defaults
The default value for the in-negotiation-sa keyword is set to 1000 SAs.
Command Modes
Global configuration
Command History
Release 3.4.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
A request for an IKE SA is denied if insufficient system resources exist to handle the negotiation.
Task ID
Examples
The following example shows how to use the crypto isakmp call admission limit command:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp call admission limit cpu ike 30crypto isakmp client configuration group
To include the configuration of a local group profile, use the crypto isakmp client configuration group command in global configuration mode.
crypto isakmp client configuration group group-name
Syntax Description
Defaults
No default behavior or values
Command Modes
Global configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
The key command must be enabled if the client identifies itself with a preshared key.
The following commands are available in the IKE group policy configuration mode:
•
•
Task ID
Examples
The following example shows how to include the configuration of a local group profile with the group name marketing:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp client configuration group marketingRP/0/RP0/CPU0:router(config-group)#Related Commands
Configures split tunneling.
Configures the IPSec profile.
Defines an IKE policy.
Specifies the IKE preshared key for group policy attribute definition.
crypto isakmp
To globally enable Internet Key Exchange (IKE) at your peer router, use the crypto isakmp command in global configuration mode. To disable IKE at the peer, use the no form of this command.
crypto isakmp
no crypto isakmp
Syntax Description
This command has no arguments or keywords.
Defaults
IKE is disabled.
Command Modes
Global configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
IKE need not be enabled for individual interfaces, but is enabled globally for all interfaces at the router.
Task ID
Examples
The following example shows how to disable IKE at one peer:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# no crypto isakmpcrypto isakmp identity
To specify the identity used by the router when participating in the Internet Key Exchange (IKE) protocol, use the crypto isakmp identity command in global configuration mode. To reset the Internet Security Association Key Management Protocol (ISAKMP) identity to the default value (address), use the no form of this command.
crypto isakmp identity {address | hostname}
no crypto isakmp identity
Syntax Description
Defaults
The IP address is used for the ISAKMP identity.
Command Modes
Global configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the crypto isakmp identity command to specify an ISAKMP identity either by IP address or by host name. As a general rule, you should set all identities for peers in the same way—either by IP address or by host name.
Set an ISAKMP identity whenever you specify preshared keys.
Use the address keyword when only one interface (and therefore only one IP address) is used by the peer for IKE negotiations, and the IP address is known.
Use the hostname keyword if more than one interface on the peer might be used for IKE negotiations, or if the IP address for the interface is unknown (such as with dynamically assigned IP addresses).
Task ID
Examples
The following example shows how to use preshared keys at two peers and set both their ISAKMP identities to the IP address.
At the local peer (at 10.0.0.1), the ISAKMP identity is set and the preshared key is specified.
RP/0/RP0/CPU0:router(config)# crypto isakmp identity addressRP/0/RP0/CPU0:router(config)# crypto keyring keyring1RP/0/RP0/CPU0:router(config-keyring)# pre-shared-key address 192.168.1.33 key presharedkeyAt the remote peer (at 192.168.1.33), the ISAKMP identity is set and the same preshared key is specified.
RP/0/RP0/CPU0:router(config)# crypto isakmp identity addressRP/0/RP0/CPU0:router(config)# crypto keyring keyring1RP/0/RP0/CPU0:router(config-keyring)# pre-shared-key address 10.0.0.1 key presharedkey
Note
The following example shows how to use preshared keys at two peers and set both their ISAKMP identities to the host name.
At the local peer, the ISAKMP identity is set and the preshared key is specified.
RP/0/RP0/CPU0:router(config)# crypto isakmp identity hostnameRP/0/RP0/CPU0:router(config)# crypto keyring keyring1RP/0/RP0/CPU0:router(config-keyring)# pre-shared-key hostname remoterouter.example.com key presharedkeyAt the remote peer, the ISAKMP identity is set and the same preshared key is specified.
RP/0/RP0/CPU0:router(config)# crypto isakmp identity hostnameRP/0/RP0/CPU0:router(config)# crypto keyring keyring1RP/0/RP0/CPU0:router(config-keyring)# pre-shared-key hostname localrouter.example.com key presharedkeyRelated Commands
crypto isakmp keepalive
To use the Internet Key Exchange (IKE) security association (SA) feature for providing a mechanism for detecting loss of connectivity between two IP Security (IPSec) peers, use the crypto isakmp keepalive command in global configuration mode. To disable this feature, use the no form of this command.
crypto isakmp keepalive seconds retry-seconds [periodic | on-demand]
no crypto isakmp keepalive
Syntax Description
Defaults
IKE does not send keepalive messages until specified by this command.
Command Modes
Global configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
If IKE does not receive the keepalive acknowledge message from the peer after four tries, IKE concludes that it has lost connectivity with its peer.
Task ID
Examples
The following example shows how to set the number of seconds between keepalive messages to 20 seconds, and the number of seconds between retries to 20 seconds if keepalive fails:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp keepalive 20 20 on-demandRelated Commands
crypto isakmp policy
To define an Internet Key Exchange (IKE) policy, use the crypto isakmp policy command in global configuration mode. To delete an IKE policy, use the no form of this command.
crypto isakmp policy priority
no crypto isakmp policy priority
Syntax Description
priority
Value that uniquely identifies the IKE policy and assigns a priority to the policy. Use an integer from 1 to 10000, with 1 being the highest priority and 10000 the lowest.
Defaults
There is a default policy, which always has the lowest priority. The default policy contains default values for the encryption, hash, authentication, Diffie-Hellman group, and lifetime parameters. (The parameter defaults are listed in the "Usage Guidelines" section.) When you create an IKE policy, the default for a particular parameter is used if no value is specified.
Command Modes
Global configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the crypto isakmp policy command to specify the parameters to use during an IKE negotiation. (These parameters create the IKE security association [SA].)
The crypto isakmp policy command enters ISAKMP policy configuration mode. The following commands are available in this mode to specify the parameters in the policy:
•
•
•
–
–
–
•
•
•
If you do not specify one of these commands for a policy, the default value is used for that parameter.
To exit ISAKMP policy configuration mode, enter exit.
You can configure multiple IKE policies on each peer participating in IP Security (IPSec). When the IKE negotiation begins, it tries to find a common policy configured on both peers, starting with the highest priority policies as specified on the remote peer.
Task ID
Examples
The following example shows how to configure two policies for the peer:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp policy 15RP/0/RP0/CPU0:router(config-isakmp)# hash md5RP/0/RP0/CPU0:router(config-isakmp)# authentication rsa-sigRP/0/RP0/CPU0:router(config-isakmp)# group 2RP/0/RP0/CPU0:router(config-isakmp)# lifetime 5000RP/0/RP0/CPU0:router(config-isakmp)# exitRP/0/RP0/CPU0:router(config)# crypto isakmp policy 20RP/0/RP0/CPU0:router(config-isakmp)# authentication pre-shareRP/0/RP0/CPU0:router(config-isakmp)# lifetime 10000RP/0/RP0/CPU0:router(config-isakmp)# exitThe configuration results in the following policies:
Protection suite priority 15encryption algorithm: DES - Data Encryption Standard (56 bit keys)hash algorithm: Message Digest 5authentication method: Rivest-Shamir-Adelman SignatureDiffie-Hellman Group: #2 (1024 bit)lifetime: 5000 seconds, no volume limitProtection suite priority 20encryption algorithm: DES - Data Encryption Standard (56 bit keys)hash algorithm: Secure Hash Standardauthentication method: Pre-Shared KeyDiffie-Hellman Group: #1 (768 bit)lifetime: 10000 seconds, no volume limitDefault protection suiteencryption algorithm: DES - Data Encryption Standard (56 bit keys)hash algorithm: Secure Hash Standardauthentication method: Rivest-Shamir-Adleman SignatureDiffie-Hellman Group: #1 (768 bit)lifetime: 86400 seconds, no volume limitIKE policy 15 is the highest priority, and the default policy is the lowest priority.
Related Commands
crypto isakmp profile
To define an ISAKMP profile and audit IPSec user sessions, use the crypto isakmp profile command in global configuration mode. To delete a crypto ISAKMP profile, use the no form of this command.
crypto isakmp profile [local] profile-name
no crypto isakmp profile [local] profile-name
Syntax Description
Defaults
No default behaviors or values
Command Modes
Global configuration
Command History
Release 3.4.0
This command was introduced on Cisco CRS-1 and Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
The peers are mapped to an ISAKMP profile when their identities are matched (as given in the identification [ID] payload of the Internet Key Exchange [IKE]) against the identities defined in the ISAKMP profile. To uniquely map to an ISAKMP profile, no two ISAKMP profiles should match the same identity. If the peer identity is matched in two ISAKMP profiles, the configuration is invalid. At least one match identity command must also be defined in the ISAKMP profile for the profile to be complete.
Before you configure an ISAKMP profile, the key rings that are used for the profile should be configured.
Task ID
Examples
The following example shows how to define an ISAKMP profile and match the peer identities:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp profile vpnprofileRP/0/RP0/CPU0:router(config-isa-prof)# match identity group vpngroupRP/0/RP0/CPU0:router(config-isa-prof-match)# set interface service-ipsec 1Related Commands
crypto keyring
To define a crypto keyring during IKE authentication, use the crypto keyring command in global configuration mode. To remove the keyring, use the no form of this command.
crypto keyring keyring-name [vrf fvrf-name]
no crypto keyring keyring-name [vrf fvrf-name]
Syntax Description
Defaults
If the vrf keyword is not defined, the keyring is referenced to the global VRF.
Command Modes
Global configuration
Command History
Release 3.4.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
A keyring is a repository of preshared and RSA public keys. The keyring is used in global configuration mode. The ISAKMP profile successfully completes authentication of peers if the peer keys are defined in the keyring that is attached to this profile.
Use the crypto keyring command to enter keyring configuration mode.
Task ID
Examples
The following example shows how to use the crypto keyring command:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto keyring vpnkeyRP/0/RP0/CPU0:router(config-keyring)# pre-shared-key address 10.72.23.11 key vpnsecretRelated Commands
description (IKE policy)
To create a description for an Internet Key Exchange (IKE) policy, use the description command in ISAKMP policy configuration mode. To delete an IKE policy description, use the no form of this command.
description string
no description
Syntax Description
Defaults
The default description is blank.
Command Modes
ISAKMP policy configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the description command inside the ISAKMP policy configuration submode to create a description for an IKE policy.
Task ID
Examples
The following example shows the creation of an IKE policy description:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp policy 15RP/0/RP0/CPU0:router(config-isakmp)# description this is a sample IKE policydescription (keyring)
To create a one line description for a keyring, use the description command in keyring configuration mode. To delete a keyring description, use the no form of this command.
description string
no description
Syntax Description
Defaults
The default description is blank.
Command Modes
Keyring configuration
Command History
Release 3.4.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the description command inside the ISAKMP policy configuration submode to create a description for a keyring.
Task ID
Examples
The following example shows the creation of a keyring description:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto keyring vpnkeyRP/0/RP0/CPU0:router(config-keyring)# description this is a sample keyringRelated Commands
dns
To specify the primary and secondary Domain Name Service (DNS) addresses, use the dns command in (Internet Security Association Key Management Protocol) ISAKMP group configuration mode. To remove this command from your configuration, use the no form of this command.
dns primary-server [secondary-server]
no dns primary-server [secondary-server]
Syntax Description
primary-server
IP address of the primary DNS.
secondary-server
(Optional) IP address of the secondary DNS.
Defaults
A DNS address is not specified.
Command Modes
ISAKMP group configuration
Command History
Release 3.4.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the dns command to specify the primary and secondary DNS addresses for the group.
You must enable the crypto isakmp client configuration group command, which specifies group policy information that needs to be defined or changed, before enabling the dns command.
Task ID
Examples
The following example shows how to define a primary and secondary DNS address for the marketing group name:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp client configuration group marketingRP/0/RP0/CPU0:router(config-group)# key ciscoRP/0/RP0/CPU0:router(config-group)# dns 2.2.2.2 2.3.2.3RP/0/RP0/CPU0:router(config-group)# pool dogRP/0/RP0/CPU0:router(config-group)# acl 199Related Commands
domain (isakmp-group)
To specify the Domain Name Service (DNS) domain to which a group belongs, use the domain command in ISAKMP group configuration mode. To remove this command from your configuration, use the no form of this command.
domain name
no domain name
Syntax Description
Defaults
A DNS domain is not specified.
Command Modes
ISAKMP group configuration
Command History
Release 3.4.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the domain command to specify group domain membership.
You must enable the crypto isakmp configuration group command, which specifies group policy information that has to be defined or changed, before enabling the domain command.
Task ID
Examples
The following example shows that members of the group cisco also belong to the domain cisco.com:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp client configuration group ciscoRP/0/RP0/CPU0:router(config-group)# key ciscoRP/0/RP0/CPU0:router(config-group)# dns 10.2.2.2 10.3.2.3RP/0/RP0/CPU0:router(config-group)# pool dogRP/0/RP0/CPU0:router(config-group)# acl 199RP/0/RP0/CPU0:router(config-group)# domain cisco.comRelated Commands
encryption (IKE policy)
To specify the encryption algorithm within an Internet Key Exchange (IKE) policy, use the encryption command in ISAKMP policy configuration mode. To reset the encryption algorithm to the default value, use the no form of this command.
encryption {des | 3des | aes | aes 192 | aes 256}
no encryption
Syntax Description
Defaults
The 56-bit DES-CBC encryption algorithm (des).
Command Modes
ISAKMP policy configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
IKE policies define a set of parameters during IKE negotiation. Use the encryption command to specify the encryption algorithm in an IKE policy.
Task ID
Examples
The following example shows how to configure an IKE policy with the 3DES encryption algorithm (and with all other parameters set to the defaults):
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp policy 15RP/0/RP0/CPU0:router(config-isakmp)# encryption 3desRelated Commands
firewall are-u-there
To add the Firewall-Are-U-There attribute to the server group if your PC is running the Black Ice or Zone Alarm personal firewalls, use the firewall are-u-there command in ISAKMP group configuration mode. To disable the Firewall-Are-U-There attribute, use the no form of this command.
firewall are-u-there
no firewall are-u-there
Syntax Description
This command has no arguments or keywords.
Defaults
The server does not send the Firewall-Are-U-There attribute to the client.
Command Modes
ISAKMP group configuration
Command History
Release 3.4.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
The Firewall-Are-U-There attribute is sent by the Black Ice and Zone Alarm personal firewalls if they are prompted by the server. If connections to the Virtual Private Network (VPN) are for protected devices only; that is, if a PC is running one of these personal firewalls, you should add the attribute to the server group. Devices that do not have a personal firewall do not respond with their capabilities, and their connections are dropped.
The Firewall-Are-U-There attribute is configured on a Cisco IOS XR router or in the RADIUS profile.
To configure the Firewall-Are-U-There attribute, use the firewall are-u-there command.
The following example is an attribute-value (AV) pair for the Firewall-Are-U-There attribute:
ipsec:firewall=1You must enable the crypto isakmp client configuration group command, which specifies group policy information that has to be defined or changed, before enabling the firewall are-u-there command.
Note
•
•
Task ID
Examples
The following example shows that the Firewall-Are-U-There attribute is configured:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp client configuration group ciscoRP/0/RP0/CPU0:router(config-group)# firewall are-u-thereRelated Commands
group (IKE policy)
To specify the Diffie-Hellman group identifier within an Internet Key Exchange (IKE) policy, use the group command in ISAKMP policy configuration mode. To reset the Diffie-Hellman group identifier to the default value, use the no form of this command.
group {1 | 2 | 5}
no group
Syntax Description
1
Specifies the 768-bit Diffie-Hellman group. This option is the default.
2
Specifies the 1024-bit Diffie-Hellman group.
5
Specifies the 1536-bit Diffie-Hellman group.
Defaults
768-bit Diffie-Hellman (group 1)
Command Modes
ISAKMP policy configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
IKE policies define a set of parameters during IKE negotiation. Use this command to specify the Diffie-Hellman group in an IKE policy.
Task ID
Examples
The following example shows how to configure an IKE policy with the 1024-bit Diffie-Hellman group (all other parameters are set to the defaults):
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp policy 15RP/0/RP0/CPU0:router(config-isakmp)# group 2Related Commands
group-lock
To allow you to enter your extended authentication (Xauth) username, including the group name, when preshared key authentication is used with Internet Key Exchange (IKE), use the group-lock command in ISAKMP group configuration mode. To remove the group lock, use the no form of this command.
group-lock
no group-lock
Syntax Description
This command has no arguments or keywords.
Defaults
Group lock is not configured.
Command Modes
ISAKMP group configuration
Command History
Release 3.4.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
The Group-Lock attribute is used if preshared key authentication is used with IKE. When the attribute is enabled, you may enter your extended Xauth username as name/group, name\group, name@group, or name%group. The group that is specified after the delimiter is then compared against the group identifier that is sent during IKE aggressive mode. The groups must match or the connection is rejected.
The Group-Lock attribute is configured on a Cisco IOS XR router or in the RADIUS profile. This attribute has local (gateway) significance only and is not passed to the client.
The username in the local or RADIUS database must be of the following format:
username[/,\,%,@]group.To configure the Group-Lock attribute, use the group-lock command.
The following example is an attribute-value (AV) pair for the Group-Lock attribute:
ipsec:group-lock=1You must enable the crypto isakmp client configuration group command, which specifies group policy information that has to be defined or changed, before enabling the group-lock command.
Note
•
•
•
Task ID
Examples
The following example shows that group lock is configured:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp client configuration group ciscoRP/0/RP0/CPU0:router(config-group)# group-lockRelated Commands
hash (IKE policy)
To specify the hash algorithm within an Internet Key Exchange (IKE) policy, use the hash command in ISAKMP policy configuration mode. To reset the hash algorithm to the default SHA-1 hash algorithm, use the no form of this command.
hash {sha | md5}
no hash
Syntax Description
sha
Specifies SHA-1 (Hashed Message Authentication Code [HMAC]) as the hash algorithm. This option is the default.
md5
Specifies Message Digest 5 (MD5) (HMAC variant) as the hash algorithm.
Defaults
SHA-1 hash algorithm
Command Modes
ISAKMP policy configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the hash command to specify the hash algorithm in an IKE policy. IKE policies define a set of parameters during IKE negotiation.
Task ID
Examples
The following example shows how to configure an IKE policy with the MD5 hash algorithm (all other parameters are set to the defaults):
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp policy 15RP/0/RP0/CPU0:router(config-isakmp)# hash md5Related Commands
include-local-lan
To configure the Include-Local-LAN attribute to allow a nonsplit-tunneling connection to access the local subnetwork at the same time as the client, use the include-local-lan command in ISAKMP group configuration mode. To disable the attribute that allows the nonsplit-tunneling connection, use the no form of this command.
include-local-lan
no include-local-lan
Syntax Description
This command has no arguments or keywords.
Defaults
A nonsplit-tunneling connection is not able to access the local subnet at the same time as the client.
Command Modes
ISAKMP group configuration
Command History
Release 3.4.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
If split tunneling is not in use (for example, the SPLIT_INCLUDE attribute was not negotiated), you lose not only Internet access, but also access to resources on the local subnetworks. The Include-Local-LAN attribute allows the server to push the attribute to the client, which allows for a nonsplit-tunneling connection to access the local subnetwork at the same time as the client (for example, the connection is to the subnetwork to which the client is directly attached).
The Include-Local-LAN attribute is configured on a Cisco IOS XR router or in the RADIUS profile.
To configure the Include-Local-LAN attribute, use the include-local-lan command.
The following example is an attribute-value (AV) pair for the Include-Local-LAN attribute:
ipsec:include-local-lan=1You must enable the crypto isakmp client configuration group command, which specifies group policy information that has to be defined or changed, before enabling the include-local-lan command.
Note
•
•
•
•
Task ID
Examples
The following example shows that the Include-Local-LAN has been configured:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp client configuration group ciscoRP/0/RP0/CPU0:router(config-group)# include-local-lanRelated Commands
isakmp authorization list
To specify the authorization list that is used for authorization for Internet Key Exchange (IKE) interaction, use the isakmp authorization list command in ISAKMP profile configuration mode. To remove mode configuration, use the no form of this command.
isakmp authorization list author-list-name
no isakmp authorization list author-list-name
Syntax Description
author-list-name
Storage source used to find the policy as defined in the
aaa authorization command.
Defaults
No default behavior or values
Command Modes
ISAKMP profile configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Mode configuration allows a gateway to download an IP address (and other network-level configuration) to the client as part of an IKE negotiation. Using this exchange, the gateway gives IP addresses to the IKE client as an "inner" IP address encapsulated under IP Security (IPSec). This method provides a known IP address for the client that can be matched against IPSec policy.
Use the isakmp authorization list command with the client authentication list command, which applies extended authentication (Xauth) for IKE interaction.
When you are authorized and respectively authenticated, the reply from the AAA server contains attributes that are used when and if the mode configuration is executed. However, the method list must be defined first for the authorization.
Task ID
Examples
In the following example, mode configuration is applied to a crypto ISAKMP profile named newprofile:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp profile newprofileRP/0/RP0/CPU0:router(config-isa-prof)# isakmp authorization list list2Related Commands
Applies extended authentication (Xauth) for Internet Key Exchange (IKE) interaction.
Defines an ISAKMP profile and audits IPSec user sessions.
keepalive (ISAKMP profile)
To let the gateway send dead peer detection (DPD) messages to the Cisco IOS XR peer, use the keepalive command in ISAKMP profile configuration mode. To return to the default, use the no form of this command.
keepalive disable
no keepalive
Syntax Description
Defaults
Keepalive is enabled.
Command Modes
ISAKMP profile configuration
Command History
Release 3.4.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Task ID
Examples
The following example shows how to use the keepalive command:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp profile vpnprofileRP/0/RP0/CPU0:router(config-isa-prof)# keepalive disableRelated Commands
key (IKE)
To specify the Internet Key Exchange (IKE) preshared key for group policy attribute definition, use the key command in ISAKMP group configuration mode. To remove a preshared key, use the no form of this command.
key preshared-key
no key preshared-key
Syntax Description
Defaults
No default behavior or values
Command Modes
ISAKMP group configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the key command to specify the IKE preshared key when defining group policy information for mode configuration push. (It follows the crypto isakmp client configuration group command.) You must configure the key command if the client identifies itself to the router with a preshared key. (You need not enable this command if the client uses a certificate for identification.)
Task ID
Examples
The following example shows how to specify the preshared key named cisco:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp client configuration group defaultRP/0/RP0/CPU0:router(config-group)# key ciscoRP/0/RP0/CPU0:router(config-group)# acl group1Related Commands
Configures split tunneling.
Specifies the group whose policy profile is defined.
Specifies the primary and secondary Domain Name Service (DNS) addresses.
keyring
To configure a keyring with an ISAKMP profile, use the keyring command in ISAKMP profile configuration mode. To remove the keyring from the ISAKMP profile, use the no form of this command.
keyring kr-name1 [kr-name2 [kr-name3 [kr-name-4 [kr-name5 [kr-name6]]]]]]
no keyring kr-name1 [kr-name2 [kr-name3 [kr-name-4 [kr-name5 [kr-name6]]]]]]
Syntax Description
Defaults
No default behavior or values
Command Modes
ISAKMP profile configuration
Command History
Release 3.4.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
The ISAKMP profile successfully completes authentication of peers if the peer keys are defined in the keyring that is attached to this profile. You must define at least one keyring.
An ISAKMP profile can define one or more keyrings. For example, multiple keyrings can be used when few IKE peer endpoints are in the public address space; whereas, others are in the front door virtual routing and forwarding (FVRF) space as the IKE local endpoints.
Task ID
Examples
The following example shows how to configure vpnkeyring as the keyring name:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp profile vpnprofileRP/0/RP0/CPU0:router(config-isa-prof)# keyring vpnkeyringRelated Commands
Defines an ISAKMP profile and audits IPSec user sessions.
Defines a crypto keyring during IKE authentication.
Lists all the ISAKMP profiles that are defined on a router.
key-string (IKE)
To manually specify the Rivest, Shamir, and Adelman (RSA) public key of a remote peer, use the key-string command in public key configuration mode.
key-string key-string
Syntax Description
Defaults
No default behavior or values
Command Modes
Public key configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the key-string command to manually specify the RSA public key of an IP Security (IPSec) peer. Before using this command, you must identify the remote peer.
To avoid mistakes, you should cut and paste the key data (instead of attempting to type in the data).
When you finish specifying the RSA key, you must return to global configuration mode by entering quit at the public key configuration mode prompt.
Task ID
Examples
The following example shows how to manually specify the RSA public keys of an IPSec peer:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto keyring vpnkeyringRP/0/RP0/CPU0:router(config-keyring)# rsa-pubkey address 10.5.5.1RP/0/RP0/CPU0:router(config-pubkey)# key-string 005C300D 06092A86 4886F70D 0101010500034B00 30480241 00C5E23B 55D6AB2204AEF1BA A54028A6 9ACC01C5 129D99E464CAB820 847EDAD9 DF0B4E4C 73A05DD2BD62A8A9 FA603DD2 E2A8A6F8 98F76E28D58AD221 B583D7A4 71020301 0001quitRelated Commands
Defines the Rivest, Shamir, and Adelman (RSA) public key by address or hostname.
Displays peer RSA public keys stored on your router.
lifetime (IKE policy)
To specify the lifetime of an Internet Key Exchange (IKE) security association (SA), use the lifetime command in ISAKMP policy configuration mode. To reset the SA lifetime to the default value, use the no form of this command.
lifetime seconds
no lifetime
Syntax Description
seconds
Length of time (in seconds) that each SA should exist before expiring. Use an integer from 60 to 86400 seconds.
Defaults
seconds: 86400 seconds (1 day)
Command Modes
ISAKMP policy configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the lifetime command to specify how long an IKE SA exists before expiring.
When IKE begins negotiations, it first agrees upon the security parameters for its own session. The agreed-upon parameters are then referenced by an SA at each peer. The SA is retained by each peer until the lifetime of the SA expires. Before an SA expires, it can be reused by subsequent IKE negotiations, which can save time when new IP Security (IPSec) SAs are set up.
To save setup time for IPSec, configure a longer IKE SA lifetime. However, shorter lifetimes limit the exposure to attackers of this SA. The longer an SA is used, the more encrypted traffic can be gathered by an attacker and possibly used in an attack.
Note
Task ID
Examples
The following example shows how to configure an IKE policy with an SA lifetime of 600 seconds (all other parameters are set to the defaults):
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp policy 15RP/0/RP0/CPU0:router(config-isakmp)# lifetime 600Related Commands
local-address (keyring)
To limit the scope of an ISAKMP keyring configuration to a local termination address, use the local-address command in keyring configuration mode. To disable the feature, use the no form of this command.
local-address ip-address
no local-address ip-address
Syntax Description
Defaults
If the local-address command is not configured, the ISAKMP keyring is available to all local addresses.
Command Modes
Keyring configuration
Command History
Release 3.4.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Task ID
Examples
The following example shows that the scope of the ISAKMP keyring is limited only to IP address 130.40.1.1:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto keyring vpnkeyringRP/0/RP0/CPU0:router(config-keyring)# local-address 130.40.1.1RP/0/RP0/CPU0:router(config-keyring)# pre-shared-key address 0.0.0.0 0.0.0.0 key mykeyRelated Commands
Specifies the identity used by the router when participating in the Internet Key Exchange (IKE) protocol.
Defines a crypto keyring during IKE authentication.
match identity
To match the identity of a peer in an ISAKMP profile, use the match identity command in ISAKMP profile configuration mode. To remove the identity, use the no form of this command.
match identity {group group-name | address address [mask] vrf [fvrf] | host hostname | host domain domain-name | user username | user domain domain-name}
no match identity {group group-name | address address [mask] [fvrf] | host hostname | host domain domain-name | user username | user domain domain-name}
Syntax Description
Defaults
No default behavior or values
Command Modes
ISAKMP profile configuration
Command History
Release 3.4.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
An ISAKMP profile configuration must have at least one match identity command. The peers are mapped to an ISAKMP profile when their identities are matched (as given in the ID payload of the IKE exchange) against the identities that are defined in the ISAKMP profile. To uniquely map to an ISAKMP profile, no two ISAKMP profiles should match the same identity. If the peer identity is matched in two ISAKMP profiles, the configuration is invalid.
Task ID
Examples
The following example shows how to configure the group as vpngroup for the match identity command:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp profile vpnprofileRP/0/RP0/CPU0:router(config-isa-prof)# match identity group vpngroupRP/0/RP0/CPU0:router(config-isa-prof-match)# set interface service-ipsec 1Related Commands
max-logins
To specify the maximum number of concurrent logins that are allowed for a certain user, use the max-logins command in ISAKMP group configuration mode. To remove the number of connections that were set, use the no form of this command.
max-logins number-of-logins
no max-logins number-of-logins
Syntax Description
number-of-logins
Number of logins. The value ranges from 0 to 16 and 384.
Note
Defaults
The default is 10.
Command Modes
ISAKMP group configuration
Command History
Release 3.4.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
The crypto isakmp client configuration group command must be configured before this command can be configured.
This command makes it possible to mimic the functionality provided by some RADIUS servers for limiting the number of simultaneous logins for users in that group.
The max-users and max-logins commands are enabled together or individually to control the usage of resources by any groups or individuals.
Task ID
Examples
The following example shows that the maximum number of logins for users in server group cisco is set to 8:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp client configuration group ciscoRP/0/RP0/CPU0:router(config-group)# max-logins 8Related Commands
Specifies the group whose policy profile is defined.
Limits the number of connections to a specific server group.
max-users
To limit the number of connections to a specific server group, use the max-users command in ISAKMP group configuration mode. To remove the number of connections that were set, use the no form of this command.
max-users number-of-users
no max-users number-of-users
Syntax Description
Defaults
The default is 1000.
Command Modes
ISAKMP group configuration
Command History
Release 3.4.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
The crypto isakmp client configuration group command must be configured before this command can be configured.
This command makes it possible to mimic the functionality provided by some RADIUS servers for limiting the number of connections to a specific server group.
The max-users and max-logins commands are enabled together or individually to control the usage of resources by any groups or individuals.
Task ID
Examples
The following example shows that the maximum number of connections to server group cisco is set to 1200:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp client configuration group ciscoRP/0/RP0/CPU0:router(config-group)# max-users 1200Related Commands
Specifies the group whose policy profile is defined.
Limits the number of simultaneous logins for users in a specific server group.
netmask
To set the IP network mask, use the netmask command in ISAKMP group configuration mode. To disable this feature, use the no form of this command.
netmask mask
no netmask mask
Syntax Description
Defaults
The default is that the attribute is not sent to the VPN client.
Command Modes
ISAKMP group configuration
Command History
Release 3.4.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Task ID
Examples
The following example shows how to set the IP network mask:
RRP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp client configuration group ciscoRP/0/RP0/CPU0:router(config-group)# netmask 255.255.255.0Related Commands
pfs
To configure a server to notify the client of the central-site policy regarding whether PFS is required for any IP Security (IPSec) Security Association (SA), use the pfs command in ISAKMP group configuration mode. To restore the default behavior, use the no form of this command.
pfs
no pfs
Syntax Description
This command has no arguments or keywords.
Defaults
The server does not notify the client of the central-site policy regarding whether PFS is required for any IPSec SA.
Command Modes
ISAKMP group configuration
Command History
Release 3.4.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Before you use the pfs command, you must first configure the crypto isakmp client configuration group command.
The following example is an attribute-value (AV) pair for the PFS attribute:
ipsec:pfs=1Task ID
Examples
The following example shows that the server is configured to notify the client of the central-site policy regarding whether PFS is required for any IPSec SA:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp client configuration group ciscoRP/0/RP0/CPU0:router(config-group)# pfsRelated Commands
pool (isakmp-group)
To define the name of an address-pool in which an address is allocated if required, use the pool command in ISAKMP group configuration mode. To remove a local pool from your configuration, use the no form of this command.
pool name
no pool name
Syntax Description
Defaults
No default behavior or values
Command Modes
ISAKMP group configuration
Command History
Release 3.4.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the pool command to refer to an IP local pool address, which defines a range of addresses that is used to allocate an internal IP address to a client. Although a user must define at least one pool name, a separate pool is defined for each group policy.
Note
You must enable the crypto isakmp client configuration group command, which specifies group policy information that has to be defined or changed, before enabling the pool command.
Task ID
Examples
The following example shows how to refer to the local pool address named dog:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp client configuration group ciscoRP/0/RP0/CPU0:router(config-group)# key ciscoRP/0/RP0/CPU0:router(config-group)# dns 10.2.2.2 10.3.2.3RP/0/RP0/CPU0:router(config-group)# pool dogRP/0/RP0/CPU0:router(config-group)# acl 199Related Commands
pre-shared-key
To define a preshared key for IKE authentication, use the pre-shared-key command in keyring configuration mode. To disable, use the no form of this command.
pre-shared-key {address address [mask] | hostname hostname} key key
no pre-shared-key {address address [mask] | hostname hostname} key key
Syntax Description
Defaults
No default behaviors or values
Command Modes
Keyring configuration
Command History
Release 3.4.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Task ID
Examples
The following example shows how to configure a preshared key using an IP address and hostname:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto keyring vpnkeyringRP/0/RP0/CPU0:router(config-keyring)# pre-shared-key address 10.72.23.11 key vpnkeyRP/0/RP0/CPU0:router(config-keyring)# pre-shared-key hostname www.vpn.com key vpnkeyRelated Commands
Specifies the identity used by the router when participating in the Internet Key Exchange (IKE) protocol.
Defines a crypto keyring during IKE authentication.
rsa-pubkey
To define the Rivest, Shamir, and Adelman (RSA) manual key to be used for encryption or signature during IKE authentication, use the rsa-pubkey command in keyring configuration mode. To disable the feature, use the no form of this command.
rsa-pubkey {address address | name fqdn} [encryption | signature]
no rsa-pubkey {address address | name fqdn} [encryption | signature]
Syntax Description
Defaults
The key is used for the signature.
Command Modes
Keyring configuration
Command History
Release 3.4.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the rsa-pubkey command to enter public key chain configuration mode. Use this command when you need to manually specify RSA public keys of other IP Security (IPSec) peers. You need to specify the keys of other peers when you configure RSA encrypted nonces as the authentication method in an IKE policy at your peer router.
When you finish specifying the RSA key, you must return to global configuration mode by entering quit at the public key configuration mode prompt.
Task ID
Examples
The following example shows that the RSA manual key of an IPSec peer has been specified:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto keyring vpnkeyringRP/0/RP0/CPU0:router(config-keyring)# rsa-pubkey name host.vpn.comRP/0/RP0/CPU0:router(config-pubkey)# key-string 005C300D 06092A86 4886F70D 01010105005C300D 06092A86 4886F70D 0101010500034B00 30480241 00C5E23B 55D6AB2204AEF1BA A54028A6 9ACC01C5 129D99E464CAB820 847EDAD9 DF0B4E4C 73A05DD2BD62A8A9 FA603DD2 E2A8A6F8 98F76E28D58AD221 B583D7A4 71020301 0001quitRelated Commands
save-password
To save your extended authentication (Xauth) password locally on your PC or Easy VPN client, use the save-password command in ISAKMP group configuration mode. To disable the Save-Password attribute, use the no form of this command.
save-password
no save-password
Syntax Description
This command has no arguments or keywords.
Defaults
Your Xauth password is not saved locally on your PC, and the Save-Password attribute is not added to the server group profile.
Command Modes
ISAKMP group configuration
Command History
Release 3.4.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Save password control allows you to save your Xauth password locally on your PC so that after you have initially entered the password, the Save-Password attribute is pushed from the server to the client.
Note
On subsequent authentications, you can activate the password by using the tick box on the software client or by adding the username and password to the Cisco IOS XR hardware client profile. The password setting remains until the Save-Password attribute is removed from the server group profile. After the password has been activated, the username and password are sent automatically to the server during Xauth without your intervention.
The Save-Password option is useful only if your password is static; that is, if it is not a one-time password such as one that is generated by a token.
The Save-Password attribute is configured on a Cisco IOS XR router or in the RADIUS profile.
To configure save password control, use the save-password command.
The following example is an attribute-value (AV) pair for the Save-Password attribute:
ipsec:save-password=1You must enable the crypto isakmp client configuration group command, which specifies group policy information that has to be defined or changed, before enabling the save-password command.
Note
•
•
•
Task ID
Examples
The following example shows that the Save-Password attribute is configured:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp client configuration group ciscoRP/0/RP0/CPU0:router(config-group)# save-passwordRelated Commands
Configures split tunneling.
Specifies the group whose policy profile is defined.
self-identity
To define the identity that the local IKE uses to identify itself to the remote peer, use the self-identity command in ISAKMP profile configuration mode. To remove the ISAKMP identity that was defined for the IKE, use the no form of this command.
self-identity {address | fqdn | user-fqdn user-fqdn}
no self-identity {address | fqdn | user-fqdn user-fqdn}
Syntax Description
Defaults
If no ISAKMP identity is defined in the ISAKMP profile configuration, global configuration is the default.
Command Modes
ISAKMP profile configuration
Command History
Release 3.4.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
If the self-identity command is not defined, IKE uses the globally configured value.
Task ID
Examples
The following example shows that the IKE identity is the user FQDN "user@vpn.com":
RP/0/RP0/CPU0:router# configureRR/0/RP0/CPU0:router(config)# crypto isakmp profile vpnprofileRP/0/RP0/CPU0:router(config-isa-prof)# self-identity user-fqdn user@vpn.comRelated Commands
set interface
To specify that the virtual interface is predefined when the local endpoint is the IKE responder and when it is the IKE initiator, use the set interface command in ISAKMP profile match configuration mode. To disable the feature, use the no form of this command.
set interface {service-ipsec | service-gre} intf-index
no set interface {service-ipsec | service-gre} intf-index
Syntax Description
service-ipsec
Specifies the IPSec service interfaces.
service-gre
Specifies the GRE service interfaces.
intf-index
The range is from 1 to 65535.
Defaults
No default behavior or values
Command Modes
ISAKMP profile match configuration
Command History
Release 3.4.0
This command was introduced on the Cisco XR 12000 Series Router IPSec VPN SPA.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
The profile for the identity is determined based on the selected virtual interface.
The virtual interface must be predefined by using the set interface command. Otherwise, the IKE SA cannot be established.
When the local endpoint is the IKE responder, the predefined interface is found according to the peer's identity. When the local endpoint is the IKE initiator, the predefined interface is used to find the appropriate ISAKMP profile. Therefore, a virtual interface cannot be predefined in more than one ISAKMP profile.
When the local endpoint is the IKE initiator, the interface, which is configured, is used to select the correct ISAKMP profile.
Note
Task ID
Examples
The following example shows how to set the interface index to 50 by using the service-ipsec keyword:
RP/0/0/CPU0:router# configureRP/0/0/CPU0:router(config)# crypto isakmp profile vpnprofileRP/0/0/CPU0:router(config-isa-prof)# match identity group vpngroupRP/0/0/CPU0:router(config-isa-prof-match)# set interface service-ipsec 50Related Commands
Defines an ISAKMP profile and audits IPSec user sessions.
Matches the identity of a peer in an ISAKMP profile.
set interface tunnel-ipsec
To predefine the interface instance when IKE negotiates for tunnel mode IPSec service associations (SAs) for the traffic that is locally sourced or terminated, use the set interface tunnel-ipsec command in ISAKMP profile match configuration mode. To disable the feature, use the no form of this command.
set interface tunnel-ipsec intf-index
no set interface tunnel-ipsec intf-index
Syntax Description
Defaults
No default behavior or values
Command Modes
ISAKMP profile match configuration
Command History
Release 3.4.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
The interface must be predefined by using the set interface command. Otherwise, the IKE SA cannot be established.
When the local endpoint is the IKE responder, the predefined interface is found according to the peers identity. When the local endpoint is the IKE initiator, the predefined interface is used to find the appropriate ISAKMP profile to be used. Thus, a virtual interface cannot be predefined in more than one ISAKMP profile.
Note
Task ID
Examples
The following example shows how to predefine the interface instance:
RP/0/0/CPU0:router# configureRP/0/0/CPU0:router(config)# crypto isakmp profile vpnprofileRP/0/0/CPU0:router(config-isa-prof)# match identity group vpngroupRP/0/0/CPU0:router(config-isa-prof-match)# set interface tunnel-ipsec 50Related Commands
Defines an ISAKMP profile and audits IPSec user sessions.
Matches the identity of a peer in an ISAKMP profile.
Predefines an IPSec profile instance.
set ipsec-profile
To predefine the IPSec profile instance when IKE negotiates for transport mode IPSec service associations (SAs) for the traffic that is locally sourced or terminated, use the set ipsec-profile command in ISAKMP profile match configuration mode. To disable the feature, use the no form of this command.
set ipsec-profile profile-name
no set ipsec-profile profile-name
Syntax Description
Defaults
No default behavior or values
Command Modes
ISAKMP profile match configuration
Command History
Release 3.4.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
The IPSec profile must be predefined by using the set ipsec-profile command when transport mode IPSec SAs are negotiated. Otherwise, the IKE SA cannot be established.
When the local endpoint is the IKE responder, the predefined interface is found according to the peer's identity. When the local endpoint is the IKE initiator, the predefined interface is used to find the appropriate ISAKMP profile to be used. Thus, a virtual interface cannot be predefined in more than one ISAKMP profile.
Note
The profile for the identity is determined based on the selected virtual interface.
When the local endpoint is the IKE initiator, the profile or interface configured is used to select the correct ISAKMP profile.
Task ID
Examples
The following example shows how to predefine the IPSec profile instance:
RP/0/0/CPU0:router# configureRP/0/0/CPU0:router(config)# crypto isakmp profile vpnprofileRP/0/0/CPU0:router(config-isa-prof)# match identity group vpngroupRP/0/0/CPU0:router(config-isa-prof-match)# set ipsec-profile myprofileRelated Commands
Defines an ISAKMP profile and audits IPSec user sessions.
Matches the identity of a peer in an ISAKMP profile.
Predefines the interface instance.
show crypto isakmp call admission statistics
To monitor the Call Admission Control (CAC) statistics of the IKE protocol, use the show cyrpto isakmp call admission statistics command in EXEC mode.
show cyrpto isakmp call admission statistics
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
EXEC
Command History
Release 3.4.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Task ID
Examples
The following example shows how to display the configuration for the show crypto isakmp call admission statistics command:
RP/0/RP0/CPU0:router# show crypto isakmp call admission statistics---------------------------------------------------------------------Crypto Call Admission Control Statistics---------------------------------------------------------------------IKE Active SA Limit: 1, IKE In-Negotiation SA limit: 2Total CPU usage limit: 100, IKE CPU usage limit: 100Total IKE SA Count: 0, active: 0, negotiating: 0Incoming IKE Calls: 24 , accepted 24 , rejected 0Outgoing IKE Calls: 16 , accepted 6 , rejected 10Total Calls: 40Rejected IKE Calls: 10, resources low 0, limit exceeded 10Table 1 describes the significant fields shown in the display.
Related Commands
show crypto isakmp key
To display the Internet Security Association and Key Management Protocol (ISAKMP) preshared keys for a router, use the show crypto isakmp key command in EXEC mode.
show crypto isakmp key
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
EXEC
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Task ID
Examples
The following example shows how to display the IP hostname and address preshared keys:
RP/0/RP0/CPU0:router# show crypto isakmp keyKeyring Hostname/Address Preshared KeyK1 3.3.3.1 rd26K2 5.5.5.5 ex22K2 tzvi.cisco.com pppTable 2 describes the significant fields shown in the display.
Table 2 show crypto isakmp key Field Descriptions
Hostname/Address
IP hostname or address of the router.
Preshared Key
ISAKMP preshared key for the router.
show crypto isakmp peers
To display peer structures, use the show crypto isakmp peers command in EXEC mode.
show crypto isakmp peers [ip-address | vrf vrf-name]
Syntax Description
ip-address
(Optional) IP address of the peer.
vrf vrf-name
(Optional) Specifies the front door VRF of the peer. The vrf-name argument is the name assigned to a VRF.
Defaults
No default behavior or values
Command Modes
EXEC
Command History
Release 3.4.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Task ID
Examples
The following example shows sample output from the show crypto isakmp peers command:
RP/0/RP0/CPU0:router# show crypto isakmp peersPeer: 10.0.83.1 Port: 4500 Local: 30.0.0.4 vrf: defaultUDP encapsulate: TrueSA information:Connection ID: 1State: QM_IDLEPhase 1 ID: DER_ASN1_DN srbuTable 3 describes the significant fields shown in the display.
Table 3 show crypto isakmp peers Field Descriptions
Connection ID
Internet Key Exchange (IKE) ID.
State
Output display for the various states. For a detailed description of each state, see Table 7.
Phase1 ID
Internet Key Exchange (IKE) ID.
show crypto isakmp policy
To display the parameters for each Internet Key Exchange (IKE) policy, use the show crypto isakmp policy command in EXEC mode.
show crypto isakmp policy
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
EXEC
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Task ID
Examples
The following sample output is from the show crypto isakmp policy command after two IKE policies have been configured (with priorities 15 and 20, respectively):
RP/0/RP0/CPU0:router# show crypto isakmp policyProtection suite priority 15encryption algorithm: DES - Data Encryption Standard (56 bit keys)hash algorithm: Message Digest 5authentication method: Rivest-Shamir-Adleman SignatureDiffie-Hellman Group: #2 (1024 bit)lifetime: 5000 seconds, no volume limitProtection suite priority 20encryption algorithm: DES - Data Encryption Standard (56 bit keys)hash algorithm: Secure Hash Standardauthentication method: preshared KeyDiffie-Hellman Group: #1 (768 bit)lifetime: 10000 seconds, no volume limitDefault protection suiteencryption algorithm: DES - Data Encryption Standard (56 bit keys)hash algorithm: Secure Hash Standardauthentication method: Rivest-Shamir-Adleman SignatureDiffie-Hellman Group: #1 (768 bit)lifetime: 86400 seconds, no volume limit
Note
Table 4 describes the significant fields shown in the display.
Related Commands
show crypto isakmp profile
To list all the ISAKMP profiles that are defined on a router, use the show crypto isakmp profile command in EXEC mode.
show crypto isakmp profile [interface intf-name | ipsec-profile ipsec-prof-name | tag isakmp-prof-name]
Syntax Description
Defaults
No default behavior or values
Command Modes
EXEC
Command History
Release 3.4.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Task ID
Examples
The following sample output is from the show crypto isakmp profile command:
RP/0/0/CPU0:router# show crypto isakmp profile
ISAKMP Profile: isakmp-prof2Keyring(s): kr2Identities matched are:Address: 10.0.2.1 255.255.255.255 fvrf: greenInterface: service-ipsec2ISAKMP Profile: isakmp-prof1Keyring(s): kr1Identities matched are:Group: srbuInterface: service-gre1Table 5 describes the fields for the show crypto isakmp profile command.
Related Commands
Defines an ISAKMP profile and audits IPSec user sessions.
Configures a keyring with an ISAKMP profile.
show crypto isakmp sa
To display all current Internet Key Exchange (IKE) security associations (SAs) at a peer, use the show crypto isakmp sa command in EXEC mode.
show crypto isakmp sa
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
EXEC
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Task ID
Examples
The following sample output is from the show crypto isakmp sa command, after IKE negotiations have been successfully completed between two peers:
RP/0/RP0/CPU0:router# show crypto isakmp savrf dst src state conn-id nodeid---------- ------------ ------------ --------- ------- ------default 30.0.0.4 10.0.83.1 QM_IDLE 1 0Table 6 describes the fields shown in the display.
Table 7 shows the various states that may be displayed in the output of the show crypto isakmp sa command. When an Internet Security Association and Key Management Protocol (ISAKMP) SA exists, it is most likely in its quiescent state (QM_IDLE). For long exchanges, some MM_xxx states may be observed.
Related Commands
Defines an IKE policy.
Specifies the lifetime of an IKE SA.
Displays the number of ISAKMP security associations (SAs).
Displays the ISAKMP security association (SA) details
show crypto isakmp sa count
To display the number of ISAKMP security associations (SAs), use the show crypto isakmp sa count command in EXEC mode.
show crypto isakmp sa count
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
EXEC
Command History
Release 3.4.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Task ID
Examples
The following sample output is from the show crypto isakmp sa count command:
RP/0/RP0/CPU0:router# show crypto isakmp sa countActive ISAKMP SA's: 1Currently being negotiated ISAKMP SA's: 0Dead ISAKMP SA's: 0Table 8 describes the significant fields shown in the display.
Related Commands
Displays all current Internet Key Exchange (IKE) security associations (SAs) at a peer.
Displays the ISAKMP security association (SA) details.
show crypto isakmp sa detail
To display the ISAKMP security association (SA) details, use the show crypto isakmp sa detail command in EXEC mode.
show crypto isakmp sa detail vrf vrf-name
Syntax Description
vrf vrf-name
(Optional) Displays the ISAKMP SA details per VRF. The vrf-name argument is the name assigned to a VRF.
Defaults
No default behavior or values
Command Modes
EXEC
Command History
Release 3.4.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Task ID
Examples
The following sample output is from the show crypto isakmp sa detail command:
RP/0/RP0/CPU0:router# show crypto isakmp sa detailCodes: C - IKE configuration mode, D - Dead Peer DetectionK - Keepalives, N - NAT-traversalX - IKE Extended Authentication, M - Continuous Channel ModeI - Initiator, R - ResponderMM - Main Mode, AM - Aggressive ModePsK - Preshared key, RSig - RSA signatureREnc - RSA encryption, DssS - DSS signatureCon-ID I/O Local Remote F-VRF Status State Mode Encr Hash Auth Lifetime Cap.------------------------------------------------------------------------------------------1 R 30.0.0.4 10.0.83.1 default ACTIVE QM_IDLE MM aesmd5 RSig 23:48:57 NTable 9 describes the significant fields shown in the display.
Table 9 show crypto isakmp sa detail Field Descriptions
Con-ID
Connection ID.
I/O
Local crypto endpoint is Initiator (I) or responder (O).
Local
IP address of the local crypto endpoint.
Remote
IP address of the remote crypto endpoint.
F-VRF
The front door virtual routing and forwarding (FVRF) of the IKE SA. If the FVRF is global, the output shows f_vrf as an empty field.
Status
Status for Internet Key Exchange (IKE) Security Association (SA).
State
Output display for the various states. For a detailed description of each state, see Table 7.
Mode
Main mode and aggressive mode.
Encr
Encryption algorithm within the IKE policy.
Hash
Hash algorithm within the IKE policy.
Auth
Authentication method used in the IKE policy.
Lifetime
Length of time (in seconds) the security association (SA) exists before expiring.
Cap.
Capability of IKE such as Dead Peer Detection (DPD), NAT-T, and so forth.
show crypto key pubkey-chain rsa
To display the Rivest, Shamir, and Adelman (RSA) public keys stored on your router for the peer, use the show crypto key pubkey-chain rsa command in EXEC mode.
show crypto key pubkey-chain rsa [name key-name | address key-address]
Syntax Description
name key-name
(Optional) Displays the name of a particular public key.
address key-address
(Optional) Displays the address of a particular public key.
Defaults
All RSA public keys stored on your router is displayed.
Command Modes
EXEC
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use this command to display RSA public keys stored on your router. The display includes the RSA public keys for the peer that were manually configured at your router and keys received by your router through other means (such as by a certificate, if certification authority support is configured).
If a router reboots, any public key derived by certificates are lost because the router asks for certificates again, at which time the public key is derived again.
Use the name or address keyword to display details about a particular RSA public key stored on your router.
If no keyword is used, this command displays a list of all RSA public keys stored on your router.
Task ID
Examples
The following sample output is from the show crypto key pubkey-chain rsa command:
RP/0/RP0/CPU0:router# show crypto key pubkey-chain rsaCodes: M - Manually Configured, C - Extracted from certificateCode Usage IP-Address VRF Keyring NameM Encrypt K1 tzvi.cisco.comM Signing 5.5.5.5 green K2The following example shows manually configured special-usage RSA public keys for the peer named somerouter. This example also shows three keys obtained from peer certificates: two special-usage keys for peer routerA and a general-purpose key for peer routerB.
Certificate support is used in the example; if certificate support were not in use, none of the peer keys would show "C" in the Code column, and would all need to be manually configured.
Table 10 describes the significant fields shown in the display.
The following sample output is from the show crypto key pubkey-chain rsa command for the name keyword that names the public key as somerouter.example.com:
RP/0/RP0/CPU0:router# show crypto key pubkey-chain rsa name somerouter.example.comKey name: somerouter.example.comKey address: 10.0.0.1Usage: Signature KeySource: ManualData:305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00C5E23B 55D6AB2204AEF1BA A54028A6 9ACC01C5 129D99E4 64CAB820 847EDAD9 DF0B4E4C 73A05DD2BD62A8A9 FA603DD2 E2A8A6F8 98F76E28 D58AD221 B583D7A4 71020301 0001Key name: somerouter.example.comKey address: 10.0.0.1Usage: Encryption KeySource: ManualData:00302017 4A7D385B 1234EF29 335FC973 2DD50A37 C4F4B0FD 9DADE748 429618D518242BA3 2EDFBDD3 4296142A DDF7D3D8 08407685 2F2190A0 0B43F1BD 9A8A26DB07953829 791FCDE9 A98420F0 6A82045B 90288A26 DBC64468 7789F76E EE21
Note
The following sample output is from the show crypto key pubkey-chain rsa command for address 192.168.10.3:
RP/0/RP0/CPU0:router# show crypto key pubkey-chain rsa address 192.168.10.3Key name: routerB.example.comKey address: 192.168.10.3Usage: General Purpose KeySource: CertificateData:0738BC7A 2BC3E9F0 679B00FE 53987BCC 01030201 42DD06AF E228D24C 458AD22858BB5DDD F4836401 2A2D7163 219F882E 64CE69D4 B583748A 241BED0F 6E7F2F160DE0986E DF02031F 4B0B0912 F68200C4 C625C389 0BFF3321 A2598935 C1B1The Source field in the example indicates "Certificate," meaning that the keys were received by the router by way of the certificate from the other router.
split-dns
To specify a domain name that must be tunneled or resolved to the private network, use the split-dns command in ISAKMP group configuration mode. To remove a domain name, use the no form of this command.
split-dns domain-name
no split-dns domain-name
Syntax Description
domain-name
Name of the Domain Name System (DNS) domain that must be tunneled or resolved to the private network.
Defaults
All domain names are resolved through the public DNS server.
Command Modes
ISAKMP group configuration
Command History
Release 3.4.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
If you configure the split-dns command, the split-dns attribute is added to the policy group. The attribute includes the list of domain names that you configured. All other names are resolved through the public DNS server.
You must enable the crypto isakmp client configuration group command, which specifies group policy information that needs to be defined or changed, before enabling the split-dns command.
Note
Task ID
Examples
The following example shows that the domain names green.com and acme.org are added to the policy group:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp client configuration group ciscoRP/0/RP0/CPU0:router(config-group)# key ciscoRP/0/RP0/CPU0:router(config-group)# dns 10.2.2.2 10.2.2.3RP/0/RP0/CPU0:router(config-group)# wins 10.6.6.6RP/0/RP0/CPU0:router(config-group)# domain cisco.comRP/0/RP0/CPU0:router(config-group)# pool greenRP/0/RP0/CPU0:router(config-group)# acl 199RP/0/RP0/CPU0:router(config-group)# split-dns green.comRP/0/RP0/CPU0:router(config-group)# split-dns acme.orgRelated Commands
wins
To specify the primary and secondary Windows Internet Naming Service (WINS) servers, use the wins command in ISAKMP group configuration mode. To remove this command from your configuration, use the no form of this command.
wins primary-server [secondary-server]
no wins primary-server [secondary-server]
Syntax Description
primary-server
Name of the primary WINS server.
secondary-server
(Optional) Name of the secondary WINS server.
Defaults
No default behavior or values
Command Modes
ISAKMP group configuration
Command History
Release 3.4.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
You must enable the crypto isakmp client configuration group command, which specifies group policy information that has to be defined or changed, before enabling the wins command.
Task ID
Examples
The following example shows how to define a primary and secondary WINS server for the group cisco:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp client configuration group ciscoRP/0/RP0/CPU0:router(config-group)# key ciscoRP/0/RP0/CPU0:router(config-group)# dns 10.2.2.2 10.3.2.3RP/0/RP0/CPU0:router(config-group)# pool dogRP/0/RP0/CPU0:router(config-group)# acl 199RP/0/RP0/CPU0:router(config-group)# wins 10.1.1.2 10.1.1.3Related Commands
