-
Cisco IOS XR System Security Command Reference, Release 3.5
-
Preface
-
Authentication, Authorization, and Accounting Commands on Cisco IOS XR Software
-
Internet Key Exchange Security Protocol Commands on Cisco IOS XR Software
-
IPSec Network Security Commands on Cisco IOS XR Software
-
Public Key Infrastructure Commands on Cisco IOS XR Software
-
Secure Shell Commands on Cisco IOS XR Software
-
Secure Socket Layer Protocol Commands on Cisco IOS XR Software
-
Software Authentication Manager Commands on Cisco IOS XR Software
-
Key Chain Management Commands on Cisco IOS XR Software
-
Management Plane Protection Commands on Cisco IOS XR Software
-
Virtual Firewall Commands on Cisco IOS XR Software
-
Index
-
Table Of Contents
Internet Key Exchange Security Protocol Commands on Cisco IOS XR Software
clear crypto isakmp call admission statistics
crypto ipsec server send-update
crypto isakmp call admission limit
crypto isakmp client configuration browser-proxy
crypto isakmp client configuration group
show crypto isakmp call admission statistics
show crypto key pubkey-chain rsa
Internet Key Exchange Security Protocol Commands on Cisco IOS XR Software
This module describes the Cisco IOS XR software commands used to configure the Internet Key Exchange (IKE) security protocol.
For detailed information about IKE concepts, configuration tasks, and examples, see the Implementing Internet Key Exchange Security Protocol on Cisco IOS XR Software configuration module in Cisco IOS XR System Security Configuration Guide.
accounting (IKE)
To enable authentication, authorization, and accounting (AAA) services for all peers that connect through the ISAKMP profile, use the accounting command in ISAKMP profile configuration mode. To return to the default value, use the no form of this command.
accounting list-name
no accounting
Syntax Description
Defaults
The default value is no accounting.
Command Modes
ISAKMP profile configuration
Command History
Release 3.4.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Release 3.5.0
No modification.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Task ID
Examples
The following example shows how to create an accounting list:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp profile vpnprofileRP/0/RP0/CPU0:router(config-isa-prof)# accounting aaalistRelated Commands
acl
To configure split tunneling, use the acl command in ISAKMP group configuration mode. To remove this command from your configuration and restore the default value, use the no form of this command.
acl acl-name
no acl acl-name
Syntax Description
acl-name
Specifies a group of access control list (ACL) rules that represent protected subnets for split tunneling purposes.
Defaults
Split tunneling is not enabled; all data is sent through the Virtual Private Network (VPN) tunnel.
Command Modes
ISAKMP group configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the acl command to specify which groups of ACLs represent protected subnets for split tunneling. Split tunneling is the ability to have a secure tunnel to the central site and simultaneous clear text tunnels to the Internet.
Task ID
Examples
The following example shows how to correctly apply split tunneling for the group name cisco. In this example, all traffic sourced from the client and destined to the subnet 192.168.1.0 are sent through the VPN tunnel.
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp client configuration group ciscoRP/0/RP0/CPU0:router(config-group)# key ciscoRP/0/RP0/CPU0:router(config-group)# acl group1!RP/0/RP0/CPU0:router(config)# access-list 199 permit ip 192.168.1.0 0.0.0.255 anyRelated Commands
address
To specify the IP address for the Rivest, Shamir, and Adelman (RSA) public key of the remote peer you manually configure, use the address command in public key configuration mode. To remove the IP address of the remote peer, use the no form of this command.
address ip-address
no address ip-address
Syntax Description
Defaults
No default behavior or values
Command Modes
Public key configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the address command to specify the RSA public key for the IP Security (IPSec) peer you manually configure next.
When you finish specifying the RSA key, you must return to global configuration mode by entering quit at the public key configuration mode prompt.
Task ID
Examples
The following example manually specifies the RSA public keys of an IPSec peer:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto keyring vpnkeyRP/0/RP0/CPU0:router(config-keyring)# rsa-pubkey name host.vpn.comRP/0/RP0/CPU0:router(config-pubkey)# address 10.5.5.1RP/0/RP0/CPU0:router(config-pubkey)# key-string 005C300D 06092A86 4886F70D 01010105005C300D 06092A86 4886F70D 0101010500034B00 30480241 00C5E23B 55D6AB2204AEF1BA A54028A6 9ACC01C5 129D99E464CAB820 847EDAD9 DF0B4E4C 73A05DD2BD62A8A9 FA603DD2 E2A8A6F8 98F76E28D58AD221 B583D7A4 71020301 0001quitRelated Commands
authentication (IKE policy)
To specify the authentication method within an Internet Key Exchange (IKE) policy, use the authentication command in ISAKMP policy configuration mode. To reset the authentication method to the default value, use the no form of this command.
authentication {pre-share | rsa-sig | rsa-encr}
no authentication {pre-share | rsa-sig | rsa-encr}
Syntax Description
Defaults
RSA signatures
Command Modes
ISAKMP policy configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
IKE policies define a set of parameters during IKE negotiation. Use the authentication command to specify the authentication method in an IKE policy. If you specify preshared keys, you must also separately configure these preshared keys.
If you specify RSA encrypted nonces, you must ensure that each peer has the RSA public keys of the other peers. (See the address, rsa-pubkey, and key-string commands.)
If you specify RSA signatures, you must configure your peer routers to obtain certificates from a certification authority (CA).
Task ID
Examples
The following example shows how to configure an IKE policy with preshared keys as the authentication method (and with all other parameters set to the defaults):
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp policy 15RP/0/RP0/CPU0:router(config-isakmp)# authentication pre-shareThe following example shows how to configure an IKE policy with RSA encrypted keys as the authentication method (and with all other parameters set to the defaults):
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp policy 15RP/0/RP0/CPU0:router(config-isakmp)# authentication rsa-encrThe following example configures an IKE policy with RSA signatures as the authentication method (and with all other parameters set to the defaults):
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp policy 15RP/0/RP0/CPU0:router(config-isakmp)# authentication rsa-sigRelated Commands
auto-update client
To configure automatic update parameters for a Cisco Easy VPN remote device, use the auto-update client command in ISAKMP group configuration mode. To disable the parameters, use the no form of this command.
auto-update client {type-of-system} {url url} {rev review-version}
no auto-update client {type-of-system} {url url} {rev review-version}
Syntax Description
type-of-system
Free-format string (see Table 1).
url url
Specifies the URL in which the Cisco Easy VPN device obtains the automatic update.
rev review-version
Specifies that the version number is a comma-delimited string of acceptable versions.
Defaults
Automatic updates cannot occur.
Command Modes
ISAKMP group configuration
Command History
Release 3.5.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Table 1 lists the possible free-format strings that are used for the type-of-system argument.
The URL is a generic way to specify the protocol, username, password, address of the server, directory, and filename. The format of a URL is as follows: protocol://username:password@server address:port/directory/filename.
The automatic update on the remote device is triggered only if the current version of the software is earlier than the one specified in the revision string. Otherwise, the automatic update is ignored.
Task ID
Examples
The following example shows that the update parameters are set for a Windows 2000 operating system, a URL of http:www.ourcompanysite.com/newclient, and version 3.0.1:
RP/0/0/CPU0:router# configureRP/0/0/CPU0:router(config)# crypto isakmp client configuration group marketingRP/0/0/CPU0:router(config-group)# auto-update client Win2000 url http:www.ourcompanysite.com/newclient rev 3.0.1Related Commands
backup-server
To specify the backup server, use the backup-server command in ISAKMP group configuration mode. To remove a backup server, use the no form of this command.
backup-server {ip-address | hostname}
no backup-server {ip-address | hostname}
Syntax Description
Defaults
A list of backup servers is not configured.
Command Modes
ISAKMP group configuration
Command History
Release 3.4.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Release 3.5.0
No modification.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Note
•
•
Task ID
Examples
The following example shows that server 10.1.1.1 has been configured as a backup server:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp client configuration group marketingRP/0/RP0/CPU0:router(config-group)# backup-server 10.1.1.1Related Commands
banner
To configure an extended authentication (Xauth) banner string under a group policy definition, use the banner command in ISAKMP group configuration mode. To disable the banner, use the no form of this command.
banner {banner-text}
no banner {banner-text}
Syntax Description
Defaults
If a banner is not configured, a banner is not displayed.
Command Modes
ISAKMP group configuration
Command History
Release 3.5.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Task ID
Examples
The following example shows that the banner "thequickbrowndog" is specified:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp client configuration group marketingRP/0/RP0/CPU0:router(config-group)# banner thequickbrowndogRelated Commands
browser-proxy
To apply browser-proxy parameter settings to a group, use the browser-proxy command in ISAKMP group configuration mode. To disable the parameter settings, use the no form of this command.
browser-proxy {browser-proxy-map-name}
no browser-proxy {browser-proxy-map-name}
Syntax Description
Defaults
Browser-proxy settings are not applied to a group.
Command Modes
ISAKMP group configuration
Command History
Release 3.5.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
You must define the browser proxy name before you define the crypto Internet Security Association and Key Management Protocol (ISAKMP) client configuration group name. The two names must be the same.
Task ID
Examples
The following example shows that browser proxy map EZVPN is applied to the group EZVPN:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp client configuration group EZVPNRP/0/RP0/CPU0:router(config-group)# browser-proxy EZVPNRelated Commands
clear crypto isakmp
To clear active Internet Key Exchange (IKE) connections, use the clear crypto isakmp command in EXEC mode.
clear crypto isakmp [connection-id]
Syntax Description
connection-id
(Optional) Name of connection to clear. If this argument is not used, all existing connections are cleared. The range is from 1 to 64000.
Defaults
No default behavior or values
Command Modes
EXEC
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Note
Task ID
Examples
The following example shows how to clear an IKE connection between two peers connected by interfaces 172.21.114.123 and 172.21.114.67:
RP/0/RP0/CPU0:router# show crypto isakmp savrf dst src state conn-id nodeid---------- ------------ ------------ --------- ------- ------default 172.21.114.123 172.21.114.67 QM_IDLE 1 0default 172.0.0.2 172.0.0.1 QM_IDLE 8 0RP/0/RP0/CPU0:router# configureEnter configuration commands, one per line. End with CNTL/Z.RP/0/RP0/CPU0:router# clear crypto isakmp 1RP/0/RP0/CPU0:router# show crypto isakmp savrf dst src state conn-id nodeid---------- ------------ ------------ --------- ------- ------default 172.0.0.2 172.0.0.1 QM_IDLE 8 0Related Commands
clear crypto isakmp call admission statistics
To clear ISAKMP call admission statistics, use the clear crypto isakmp call admission statistics command in EXEC mode.
clear crypto isakmp call isakmp call admission statistics
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
EXEC
Command History
Release 3.4.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Release 3.5.0
No modification.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Task ID
Examples
The following example shows how to clear call admission statistics:
RP/0/RP0/CPU0:router# clear crypto isakmp call admission statisticsRelated Commands
Displays the configuration for Call Admission Control (CAC) to the IKE protocol.
clear crypto isakmp errors
To clear the statistics for Internet Security Association and Key Management Protocol (ISAKMP) errors, use the clear crypto isakmp errors command in EXEC mode.
clear crypto isakmp error
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
EXEC
Command History
Release 3.5.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Task ID
Examples
The following example shows how to clear ISAKMP error statistics:
RP/0/RP0/CPU0:router# show crypto isakmp errorsControl Plane Errors---------------------ERR NO MEMORY.....................................0INVALID CERT......................................0CRYPTO FAILURE....................................0SA NOT AUTH.......................................0AUTHENTICATION FAILED.............................0GROUP AUTHOR FAILED...............................0USER AUTHEN REJECTED..............................0LOCAL ADDRESS FAILURE.............................0FAILED TO CREATE SKEYID...........................0RSA PUBLIC KEY NOT FOUND..........................0RETRANSMITION LIMIT...............................0MALFORMED MESSAGE.................................0QUICK MODE TIMER EXPIRED..........................0KEY NOT FOUND IN PROFILE..........................0PROFILE NOT FOUND.................................0PRESHARED KEY NOT FOUND...........................0PHASE2 PROPOSAL NOT CHOSEN........................0POLICY MISMATCH...................................0NO POLICY FOUND...................................0PACKET PROCESS FAILURE............................0Warnings---------CERT DOESNT MATCH ID..............................0CERT ISNT TRUSTED ROOT............................0PACKET NOT ENCRYPTED..............................0UNRELIABLE INFO MSG...............................0NO SA.............................................0BAD DOI SA........................................0UNKNOWN EXCHANGE TYPE.............................0OUTGOING PKT TOO BIG..............................0INCOMING PKT TOO BIG..............................0Informational--------------CAC DROPS.........................................0DEFAULT POLICY ACCEPTED...........................0RP/0/RP0/CPU0:router# clear crypto isakmp errorsRelated Commands
clear crypto session
To delete crypto sessions (IP Security [IPSec] and Internet Key Exchange [IKE] security associations [SAs]), use the clear crypto session command in EXEC mode.
clear crypto session [user username | group group | interface | ivrf vrf-name | local ip-address | fvrf vrf-name | remote ip-address]
Syntax Description
Defaults
If the clear crypto session command is entered without any keywords, all existing sessions are deleted. The IPSec SAs are deleted first. Then, the IKE SAs are deleted. The default value for the remote port is 500.
Command Modes
EXEC
Command History
Release 3.5.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
To clear a specific crypto session or a subset of all the sessions, you need to provide session specific parameters, such as local interface, local IP address, remote IP address (and port), FVRF name, or IVRF name.
If a local IP address is provided as a parameter, all the sessions (and their IKE SAs and IPSec SAs) that share the IP address as a local crypto endpoint (IKE local address) are deleted.
Task ID
Examples
The following example shows how to delete all crypto sessions:
RP/0/RP0/CPU0:router# clear crypto sessionThe following example shows that the crypto session of the FVRF named "blue" is deleted:
RP/0/RP0/CPU0:router# clear crypto session fvrf blueThe following example shows that the crypto session of the local endpoint 10.1.1.1 is deleted:
RP/0/RP0/CPU0:router# clear crypto session local 10.1.1.1Related Commands
Adds the description of an Internet Key Exchange (IKE) peer.
Displays status information for active crypto sessions.
client authentication list
To apply extended authentication (Xauth) for Internet Key Exchange (IKE) interaction, use the client authentication list command in ISAKMP profile configuration mode. To remove Xauth, use the no form of this command.
client authentication list authen-list-name
no client authentication list authen-list-name
Syntax Description
authen-list-name
Username and password storage location (local or remote server) as defined in the aaa authentication command.
Defaults
No default behavior or values
Command Modes
ISAKMP profile configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Xauth allows all Cisco IOS XR software authentication, authorization, and accounting (AAA) methods to perform user authentication in a separate phase after the IKE authentication phase 1 exchange. For user authentication, the AAA configuration list name must match the Xauth configuration list name.
Task ID
Examples
In the following example, AAA username and password storage location information is applied from the list0 authentication list to a profile named sample:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp profile sampleRP/0/RP0/CPU0:router(config-isa-prof)# client authentication list list0Related Commands
client single-sa-per-inft
To enable a single IP Security (IPSec) security association (SA) per interface, use the client single-sa-per-inft command in Internet Security Association and Key Management Protocol (ISAKMP) profile configuration mode. To disable IPSec SAs per interface, use the no form of this command.
client single-sa-per-inft
no client single-sa-per-inft
Syntax Description
This command has no arguments or keywords.
Defaults
No limit for the number of IPSec SAs per interface, in which the actual number is dependent on the number of remote users and sites to connect to the service-ipsec interface.
Command Modes
ISAKMP profile configuration
Command History
Release 3.5.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
The client single-sa-per-inft command is used to limit the number of IPSec SAs that are terminating on one service-ipsec interface to one.
The client single-sa-per-intft command is useful to interoperate with the remote Cisco Easy VPN clients in the following cases:
•
•
Task ID
Examples
The following example shows how to enable multiple IPSec security associations (SAs) per interface:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp profile vpnprofileRP/0/RP0/CPU0:router(config-isa-prof)# client single-sa-per-inftRelated Commands
configuration url
To specify on a server the URL that a Cisco Easy VPN remote device must use to get a configuration in a Mode Configuration Exchange, use the configuration url command in ISAKMP group configuration mode. To delete the URL, use the no form of this command.
configuration url {url}
no configuration url {url}
Syntax Description
Defaults
A Cisco Easy VPN remote device cannot request a configuration from a server in a Mode Configuration Exchange.
Command Modes
ISAKMP group configuration
Command History
Release 3.5.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
After the server pushes the URL to a Cisco Easy VPN remote device, the remote device downloads the content located at the URL site and applies the configuration content to its running configuration.
Before this command is configured, the crypto isakmp client configuration group command must already be configured.
Task ID
Examples
The following example shows that a server has specified the URL the Cisco Easy VPN remote device must use to download the URL:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp client configuration group group1RP/0/RP0/CPU0:router(config-group)# configuration url http://10.10.8.8/easy.cfgRelated Commands
configuration version
To specify on a server the version that a Cisco Easy VPN remote device must use to get a particular configuration in a Mode Configuration Exchange, use the configuration version command in ISAKMP group configuration mode. To delete the version number, use the no form of this command.
configuration version {version-number}
no configuration version {version-number}
Syntax Description
version-number
Version of the configuration. The version number is an unsigned integer in the range of 1 to 10.
Defaults
A version number is not sent.
Command Modes
ISAKMP group configuration
Command History
Release 3.5.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Before this command is configured, the crypto isakmp client configuration group command must already be configured.
Task ID
Examples
The following example shows that a server has specified the version number a Cisco Easy VPN remote device must use to obtain that particular configuration version:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp client configuration group group1RP/0/RP0/CPU0:router(config-group)# configuration version 10Related Commands
crypto ipsec server send-update
To send auto-update notifications any time after a Cisco Easy VPN connection is up, use the crypto ipsec server send-update command in EXEC mode. To disable auto-update notifications, use the no form of this command.
crypto ipsec server send-update {group-name}
no crypto ipsec server send-update {group-name}
Syntax Description
Defaults
Auto-update notifications are not sent.
Command Modes
EXEC
Command History
Release 3.5.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
This command is configured on a server. By configuring the command, the auto update notification is sent manually after the tunnel is up.
Task ID
Examples
The following example shows that automatic update notifications are sent to GroupA:
RP/0/0/CPU0:router# crypto ipsec server send-update GroupAInformed SA : 0Related Commands
crypto isakmp
To globally enable Internet Key Exchange (IKE) at your peer router, use the crypto isakmp command in global configuration mode. To disable IKE at the peer, use the no form of this command.
crypto isakmp
no crypto isakmp
Syntax Description
This command has no arguments or keywords.
Defaults
IKE is disabled.
Command Modes
Global configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
IKE need not be enabled for individual interfaces, but is enabled globally for all interfaces at the router.
Task ID
Examples
The following example shows how to disable IKE at one peer:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# no crypto isakmpcrypto isakmp call admission limit
To deny incoming or outgoing session requests based on several metrics, use the crypto isakmp call admission limit command in global configuration mode. To disable this feature, use the no form of this command.
crypto isakmp call admission limit {cpu {total percent | ike percent} | in-negotiation-sa number | sa number}
no crypto isakmp call admission limit {cpu {total percent | ike percent} | in-negotiation-sa number | sa number}
Syntax Description
Defaults
The default value for the in-negotiation-sa keyword is set to 1000 SAs.
Command Modes
Global configuration
Command History
Release 3.4.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Release 3.5.0
No modification.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
A request for an IKE SA is denied if insufficient system resources exist to handle the negotiation.
Task ID
Examples
The following example shows how to use the crypto isakmp call admission limit command:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp call admission limit cpu ike 30crypto isakmp client configuration browser-proxy
To configure browser-proxy parameters for a Cisco Easy VPN remote device and to enter ISAKMP browser proxy configuration mode, use the crypto isakmp client configuration browser-proxy command in global configuration mode. To disable the browser-proxy parameters, use the no form of this command.
crypto isakmp client configuration browser-proxy {browser-proxy-name}
no crypto isakmp client configuration browser-proxy {browser-proxy-name}
Syntax Description
Defaults
Browser-proxy parameters are not set.
Command Modes
Global configuration
Command History
Release 3.5.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
While specifying the proxy server, the proxy IP address and port number are separated with a colon. The proxy exception list is a semicolon-delimited string of IP addresses.
After enabling this command, you may specify the proxy subcommand to configure proxy parameters for your Cisco Easy VPN remote device.
Task ID
Examples
The following example shows browser-proxy parameter settings for a browser proxy named bproxy:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp client configuration browser-proxy bproxyRP/0/RP0/CPU0:router(config-crypto-isakmp-browser-proxy)# proxy auto-detectRelated Commands
crypto isakmp client configuration group
To include the configuration of a local group profile, use the crypto isakmp client configuration group command in global configuration mode.
crypto isakmp client configuration group group-name
Syntax Description
Defaults
No default behavior or values
Command Modes
Global configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
The key command must be enabled if the client identifies itself with a preshared key.
The following commands are available in the IKE group policy configuration mode:
•
•
Task ID
Examples
The following example shows how to include the configuration of a local group profile with the group name marketing:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp client configuration group marketingRP/0/RP0/CPU0:router(config-group)#Related Commands
Configures split tunneling.
Configures the IPSec profile.
Defines an IKE policy.
Specifies the IKE preshared key for group policy attribute definition.
crypto isakmp identity
To specify the identity used by the router when participating in the Internet Key Exchange (IKE) protocol, use the crypto isakmp identity command in global configuration mode. To reset the Internet Security Association Key Management Protocol (ISAKMP) identity to the default value (address), use the no form of this command.
crypto isakmp identity {address | hostname}
no crypto isakmp identity
Syntax Description
Defaults
The IP address is used for the ISAKMP identity.
Command Modes
Global configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the crypto isakmp identity command to specify an ISAKMP identity either by IP address or by host name. As a general rule, you should set all identities for peers in the same way—either by IP address or by host name.
Set an ISAKMP identity whenever you specify preshared keys.
Use the address keyword when only one interface (and therefore only one IP address) is used by the peer for IKE negotiations, and the IP address is known.
Use the hostname keyword if more than one interface on the peer might be used for IKE negotiations, or if the IP address for the interface is unknown (such as with dynamically assigned IP addresses).
Task ID
Examples
The following example shows how to use preshared keys at two peers and set both their ISAKMP identities to the IP address.
At the local peer (at 10.0.0.1), the ISAKMP identity is set and the preshared key is specified.
RP/0/RP0/CPU0:router(config)# crypto isakmp identity addressRP/0/RP0/CPU0:router(config)# crypto keyring keyring1RP/0/RP0/CPU0:router(config-keyring)# pre-shared-key address 192.168.1.33 key presharedkeyAt the remote peer (at 192.168.1.33), the ISAKMP identity is set and the same preshared key is specified.
RP/0/RP0/CPU0:router(config)# crypto isakmp identity addressRP/0/RP0/CPU0:router(config)# crypto keyring keyring1RP/0/RP0/CPU0:router(config-keyring)# pre-shared-key address 10.0.0.1 key presharedkey
Note
The following example shows how to use preshared keys at two peers and set both their ISAKMP identities to the host name.
At the local peer, the ISAKMP identity is set and the preshared key is specified.
RP/0/RP0/CPU0:router(config)# crypto isakmp identity hostnameRP/0/RP0/CPU0:router(config)# crypto keyring keyring1RP/0/RP0/CPU0:router(config-keyring)# pre-shared-key hostname remoterouter.example.com key presharedkeyAt the remote peer, the ISAKMP identity is set and the same preshared key is specified.
RP/0/RP0/CPU0:router(config)# crypto isakmp identity hostnameRP/0/RP0/CPU0:router(config)# crypto keyring keyring1RP/0/RP0/CPU0:router(config-keyring)# pre-shared-key hostname localrouter.example.com key presharedkeyRelated Commands
crypto isakmp keepalive
To use the Internet Key Exchange (IKE) security association (SA) feature for providing a mechanism for detecting loss of connectivity between two IP Security (IPSec) peers, use the crypto isakmp keepalive command in global configuration mode. To disable this feature, use the no form of this command.
crypto isakmp keepalive seconds retry-seconds [periodic | on-demand]
no crypto isakmp keepalive
Syntax Description
Defaults
IKE does not send keepalive messages until specified by this command.
Command Modes
Global configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
If IKE does not receive the keepalive acknowledge message from the peer after four tries, IKE concludes that it has lost connectivity with its peer.
DPD for both periodic or on-demand cannot coexist with the idle-timeout from the crypto ipsec security-association idle-time command. For a given ISAKMP peer, you can configure only either of the functions but not both.
Task ID
Examples
The following example shows how to set the number of seconds between keepalive messages to 20 seconds, and the number of seconds between retries to 20 seconds if keepalive fails:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp keepalive 20 20 on-demandRelated Commands
crypto isakmp peer
To enable an IP Security (IPSec) peer for Internet Key Exchange (IKE), use the crypto isakmp peer command in global configuration mode. To disable this functionality, use the no form of this command.
crypto isakmp peer {address ip-address | hostname hostname} [description line | vrf fvrf-name]
no crypto isakmp peer {address ip-address | hostname hostname} [description line | vrf vrf-name]
Syntax Description
Defaults
No default behavior or values
Command Modes
Global configuration
Command History
Release 3.5.0
This command was introduced on Cisco CRS-1 and Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the crypto isakmp peer command to enter ISAKMP peer configuration mode.
You can give a peer that is identified by an IP address a meaningful name or description.
Task ID
Examples
The following example shows that the peer address is 40.40.40.2 and named citeA:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp peer address 40.40.40.2RP/0/RP0/CPU0:router(config-isakmp-peer)# description citeARP/0/RP0/CPU0:router(config-isakmp-peer)# commitRP/0/RP0/CPU0:router# show crypto isakmp peersPeer: 60.60.60.2 Port: 500 Local: 70.70.70.2 vrf: defaultUDP encapsulate: FalseSA information:Connection ID: 2State: QM_IDLEPhase 1 ID: IPV4_ADDR 60.60.60.2Peer: 40.40.40.2 Port: 500 Local: 50.50.50.2 vrf: defaultDescription: peerAUDP encapsulate: FalseSA information:Connection ID: 1State: QM_IDLEPhase 1 ID: IPV4_ADDR 40.40.40.2Related Commands
Adds the description of an Internet Key Exchange (IKE) peer.
Displays peer structures.
crypto isakmp policy
To define an Internet Key Exchange (IKE) policy, use the crypto isakmp policy command in global configuration mode. To delete an IKE policy, use the no form of this command.
crypto isakmp policy priority
no crypto isakmp policy priority
Syntax Description
priority
Value that uniquely identifies the IKE policy and assigns a priority to the policy. Use an integer from 1 to 10000, with 1 being the highest priority and 10000 the lowest.
Defaults
There is a default policy, which always has the lowest priority. The default policy contains default values for the encryption, hash, authentication, Diffie-Hellman group, and lifetime parameters. (The parameter defaults are listed in the "Usage Guidelines" section.) When you create an IKE policy, the default for a particular parameter is used if no value is specified.
Command Modes
Global configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the crypto isakmp policy command to specify the parameters to use during an IKE negotiation. (These parameters create the IKE security association [SA].)
The crypto isakmp policy command enters ISAKMP policy configuration mode. The following commands are available in this mode to specify the parameters in the policy:
•
•
•
–
–
–
•
•
•
If you do not specify one of these commands for a policy, the default value is used for that parameter.
To exit ISAKMP policy configuration mode, enter exit.
You can configure multiple IKE policies on each peer participating in IP Security (IPSec). When the IKE negotiation begins, it tries to find a common policy configured on both peers, starting with the highest priority policies as specified on the remote peer.
Task ID
Examples
The following example shows how to configure two policies for the peer:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp policy 15RP/0/RP0/CPU0:router(config-isakmp)# hash md5RP/0/RP0/CPU0:router(config-isakmp)# authentication rsa-sigRP/0/RP0/CPU0:router(config-isakmp)# group 2RP/0/RP0/CPU0:router(config-isakmp)# lifetime 5000RP/0/RP0/CPU0:router(config-isakmp)# exitRP/0/RP0/CPU0:router(config)# crypto isakmp policy 20RP/0/RP0/CPU0:router(config-isakmp)# authentication pre-shareRP/0/RP0/CPU0:router(config-isakmp)# lifetime 10000RP/0/RP0/CPU0:router(config-isakmp)# exitThe configuration results in the following policies:
Protection suite priority 15encryption algorithm: DES - Data Encryption Standard (56 bit keys)hash algorithm: Message Digest 5authentication method: Rivest-Shamir-Adelman SignatureDiffie-Hellman Group: #2 (1024 bit)lifetime: 5000 seconds, no volume limitProtection suite priority 20encryption algorithm: DES - Data Encryption Standard (56 bit keys)hash algorithm: Secure Hash Standardauthentication method: Pre-Shared KeyDiffie-Hellman Group: #1 (768 bit)lifetime: 10000 seconds, no volume limitDefault protection suiteencryption algorithm: DES - Data Encryption Standard (56 bit keys)hash algorithm: Secure Hash Standardauthentication method: Rivest-Shamir-Adleman SignatureDiffie-Hellman Group: #1 (768 bit)lifetime: 86400 seconds, no volume limitIKE policy 15 is the highest priority, and the default policy is the lowest priority.
Related Commands
crypto isakmp profile
To define an ISAKMP profile and audit IPSec user sessions, use the crypto isakmp profile command in global configuration mode. To delete a crypto ISAKMP profile, use the no form of this command.
crypto isakmp profile [local] profile-name
no crypto isakmp profile [local] profile-name
Syntax Description
Defaults
No default behaviors or values
Command Modes
Global configuration
Command History
Release 3.4.0
This command was introduced on Cisco CRS-1 and Cisco XR 12000 Series Router.
Release 3.5.0
No modification.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
The peers are mapped to an ISAKMP profile when their identities are matched (as given in the identification [ID] payload of the Internet Key Exchange [IKE]) against the identities defined in the ISAKMP profile. To uniquely map to an ISAKMP profile, no two ISAKMP profiles should match the same identity. If the peer identity is matched in two ISAKMP profiles, the configuration is invalid. At least one match identity command must also be defined in the ISAKMP profile for the profile to be complete.
Before you configure an ISAKMP profile, the key rings that are used for the profile should be configured.
Task ID
Examples
The following example shows how to define an ISAKMP profile and match the peer identities:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp profile vpnprofileRP/0/RP0/CPU0:router(config-isa-prof)# match identity group vpngroupRP/0/RP0/CPU0:router(config-isa-prof-match)# set interface service-ipsec 1Related Commands
crypto keyring
To define a crypto keyring during IKE authentication, use the crypto keyring command in global configuration mode. To remove the keyring, use the no form of this command.
crypto keyring keyring-name [vrf fvrf-name]
no crypto keyring keyring-name [vrf fvrf-name]
Syntax Description
Defaults
If the vrf keyword is not defined, the keyring is referenced to the global VRF.
Command Modes
Global configuration
Command History
Release 3.4.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Release 3.5.0
No modification.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
A keyring is a repository of preshared and RSA public keys. The keyring is used in global configuration mode. The ISAKMP profile successfully completes authentication of peers if the peer keys are defined in the keyring that is attached to this profile.
Use the crypto keyring command to enter keyring configuration mode.
Task ID
Examples
The following example shows how to use the crypto keyring command:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto keyring vpnkeyRP/0/RP0/CPU0:router(config-keyring)# pre-shared-key address 10.72.23.11 key vpnsecretRelated Commands
crypto logging
To enable the appearance of the cyrpto tunnel up or down message, use the crypto logging command in global configuration mode. To disable this option, use the no form of this command.
crypto logging {tunnel-status}
no crypto logging {tunnel-status}
Syntax Description
Defaults
The default is disabled.
Command Modes
Global configuration
Command History
Release 3.5.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Task ID
Examples
The following example shows how to use the crypto logging command:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto logging tunnel-statusdescription (IKE policy)
To create a description for an Internet Key Exchange (IKE) policy, use the description command in ISAKMP policy configuration mode. To delete an IKE policy description, use the no form of this command.
description string
no description
Syntax Description
Defaults
The default description is blank.
Command Modes
ISAKMP policy configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the description command inside the ISAKMP policy configuration submode to create a description for an IKE policy.
Task ID
Examples
The following example shows the creation of an IKE policy description:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp policy 15RP/0/RP0/CPU0:router(config-isakmp)# description this is a sample IKE policydescription (ISAKMP peer)
To add the description of an Internet Key Exchange (IKE) peer, use the description command in ISAKMP peer configuration mode. To delete the description, use the no form of this command.
description line-of-description
no description line-of-description
Syntax Description
Defaults
No default behavior or values
Command Modes
ISAKMP peer configuration
Command History
Release 3.5.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
IKE peers that "sit" behind a Network Address Translation (NAT) device cannot be uniquely identified; therefore, they have to share the same peer description.
Task ID
Examples
The following example shows that the description "connection from site A" is added for an IKE peer:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp peer address 10.2.2.9RP/0/RP0/CPU0:router(config-isakmp-peer)# description connection from site ARelated Commands
description (keyring)
To create a one line description for a keyring, use the description command in keyring configuration mode. To delete a keyring description, use the no form of this command.
description string
no description
Syntax Description
Defaults
The default description is blank.
Command Modes
Keyring configuration
Command History
Release 3.4.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Release 3.5.0
No modification.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the description command inside the ISAKMP policy configuration submode to create a description for a keyring.
Task ID
Examples
The following example shows the creation of a keyring description:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto keyring vpnkeyRP/0/RP0/CPU0:router(config-keyring)# description this is a sample keyringRelated Commands
dns
To specify the primary and secondary Domain Name Service (DNS) addresses, use the dns command in (Internet Security Association Key Management Protocol) ISAKMP group configuration mode. To remove this command from your configuration, use the no form of this command.
dns primary-server [secondary-server]
no dns primary-server [secondary-server]
Syntax Description
primary-server
IP address of the primary DNS.
secondary-server
(Optional) IP address of the secondary DNS.
Defaults
A DNS address is not specified.
Command Modes
ISAKMP group configuration
Command History
Release 3.4.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Release 3.5.0
No modification.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the dns command to specify the primary and secondary DNS addresses for the group.
You must enable the crypto isakmp client configuration group command, which specifies group policy information that needs to be defined or changed, before enabling the dns command.
Task ID
Examples
The following example shows how to define a primary and secondary DNS address for the marketing group name:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp client configuration group marketingRP/0/RP0/CPU0:router(config-group)# key ciscoRP/0/RP0/CPU0:router(config-group)# dns 2.2.2.2 2.3.2.3RP/0/RP0/CPU0:router(config-group)# pool dogRP/0/RP0/CPU0:router(config-group)# acl 199Related Commands
domain (isakmp-group)
To specify the Domain Name Service (DNS) domain to which a group belongs, use the domain command in ISAKMP group configuration mode. To remove this command from your configuration, use the no form of this command.
domain name
no domain name
Syntax Description
Defaults
A DNS domain is not specified.
Command Modes
ISAKMP group configuration
Command History
Release 3.4.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Release 3.5.0
No modification.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the domain command to specify group domain membership.
You must enable the crypto isakmp configuration group command, which specifies group policy information that has to be defined or changed, before enabling the domain command.
Task ID
Examples
The following example shows that members of the group cisco also belong to the domain cisco.com:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp client configuration group ciscoRP/0/RP0/CPU0:router(config-group)# key ciscoRP/0/RP0/CPU0:router(config-group)# dns 10.2.2.2 10.3.2.3RP/0/RP0/CPU0:router(config-group)# pool dogRP/0/RP0/CPU0:router(config-group)# acl 199RP/0/RP0/CPU0:router(config-group)# domain cisco.comRelated Commands
encryption (IKE policy)
To specify the encryption algorithm within an Internet Key Exchange (IKE) policy, use the encryption command in ISAKMP policy configuration mode. To reset the encryption algorithm to the default value, use the no form of this command.
encryption {des | 3des | aes | aes 192 | aes 256}
no encryption
Syntax Description
Defaults
The 56-bit DES-CBC encryption algorithm (des).
Command Modes
ISAKMP policy configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
IKE policies define a set of parameters during IKE negotiation. Use the encryption command to specify the encryption algorithm in an IKE policy.
Task ID
Examples
The following example shows how to configure an IKE policy with the 3DES encryption algorithm (and with all other parameters set to the defaults):
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp policy 15RP/0/RP0/CPU0:router(config-isakmp)# encryption 3desRelated Commands
firewall are-u-there
To add the Firewall-Are-U-There attribute to the server group if your PC is running the Black Ice or Zone Alarm personal firewalls, use the firewall are-u-there command in ISAKMP group configuration mode. To disable the Firewall-Are-U-There attribute, use the no form of this command.
firewall are-u-there
no firewall are-u-there
Syntax Description
This command has no arguments or keywords.
Defaults
The server does not send the Firewall-Are-U-There attribute to the client.
Command Modes
ISAKMP group configuration
Command History
Release 3.4.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Release 3.5.0
No modification.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
The Firewall-Are-U-There attribute is sent by the Black Ice and Zone Alarm personal firewalls if they are prompted by the server. If connections to the Virtual Private Network (VPN) are for protected devices only; that is, if a PC is running one of these personal firewalls, you should add the attribute to the server group. Devices that do not have a personal firewall do not respond with their capabilities, and their connections are dropped.
The Firewall-Are-U-There attribute is configured on a Cisco IOS XR router or in the RADIUS profile.
To configure the Firewall-Are-U-There attribute, use the firewall are-u-there command.
The following example is an attribute-value (AV) pair for the Firewall-Are-U-There attribute:
ipsec:firewall=1You must enable the crypto isakmp client configuration group command, which specifies group policy information that has to be defined or changed, before enabling the firewall are-u-there command.
Note
•
•
Task ID
Examples
The following example shows that the Firewall-Are-U-There attribute is configured:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp client configuration group ciscoRP/0/RP0/CPU0:router(config-group)# firewall are-u-thereRelated Commands
group (IKE policy)
To specify the Diffie-Hellman group identifier within an Internet Key Exchange (IKE) policy, use the group command in ISAKMP policy configuration mode. To reset the Diffie-Hellman group identifier to the default value, use the no form of this command.
group {1 | 2 | 5}
no group
Syntax Description
1
Specifies the 768-bit Diffie-Hellman group. This option is the default.
2
Specifies the 1024-bit Diffie-Hellman group.
5
Specifies the 1536-bit Diffie-Hellman group.
Defaults
768-bit Diffie-Hellman (group 1)
Command Modes
ISAKMP policy configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
IKE policies define a set of parameters during IKE negotiation. Use this command to specify the Diffie-Hellman group in an IKE policy.
Task ID
Examples
The following example shows how to configure an IKE policy with the 1024-bit Diffie-Hellman group (all other parameters are set to the defaults):
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp policy 15RP/0/RP0/CPU0:router(config-isakmp)# group 2Related Commands
group-lock
To allow you to enter your extended authentication (Xauth) username, including the group name, when preshared key authentication is used with Internet Key Exchange (IKE), use the group-lock command in ISAKMP group configuration mode. To remove the group lock, use the no form of this command.
group-lock
no group-lock
Syntax Description
This command has no arguments or keywords.
Defaults
Group lock is not configured.
Command Modes
ISAKMP group configuration
Command History
Release 3.4.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Release 3.5.0
No modification.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
The Group-Lock attribute is used if preshared key authentication is used with IKE. When the attribute is enabled, you may enter your extended Xauth username as name/group, name\group, name@group, or name%group. The group that is specified after the delimiter is then compared against the group identifier that is sent during IKE aggressive mode. The groups must match or the connection is rejected.
The Group-Lock attribute is configured on a Cisco IOS XR router or in the RADIUS profile. This attribute has local (gateway) significance only and is not passed to the client.
The username in the local or RADIUS database must be of the following format:
username[/,\,%,@]group.To configure the Group-Lock attribute, use the group-lock command.
The following example is an attribute-value (AV) pair for the Group-Lock attribute:
ipsec:group-lock=1You must enable the crypto isakmp client configuration group command, which specifies group policy information that has to be defined or changed, before enabling the group-lock command.
Note
•
•
•
Task ID
Examples
The following example shows that group lock is configured:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp client configuration group ciscoRP/0/RP0/CPU0:router(config-group)# group-lockRelated Commands
hash (IKE policy)
To specify the hash algorithm within an Internet Key Exchange (IKE) policy, use the hash command in ISAKMP policy configuration mode. To reset the hash algorithm to the default SHA-1 hash algorithm, use the no form of this command.
hash {sha | md5}
no hash
Syntax Description
sha
Specifies SHA-1 (Hashed Message Authentication Code [HMAC]) as the hash algorithm. This option is the default.
md5
Specifies Message Digest 5 (MD5) (HMAC variant) as the hash algorithm.
Defaults
SHA-1 hash algorithm
Command Modes
ISAKMP policy configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the hash command to specify the hash algorithm in an IKE policy. IKE policies define a set of parameters during IKE negotiation.
Task ID
Examples
The following example shows how to configure an IKE policy with the MD5 hash algorithm (all other parameters are set to the defaults):
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp policy 15RP/0/RP0/CPU0:router(config-isakmp)# hash md5Related Commands
include-local-lan
To configure the Include-Local-LAN attribute to allow a nonsplit-tunneling connection to access the local subnetwork at the same time as the client, use the include-local-lan command in ISAKMP group configuration mode. To disable the attribute that allows the nonsplit-tunneling connection, use the no form of this command.
include-local-lan
no include-local-lan
Syntax Description
This command has no arguments or keywords.
Defaults
A nonsplit-tunneling connection is not able to access the local subnet at the same time as the client.
Command Modes
ISAKMP group configuration
Command History
Release 3.4.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Release 3.5.0
No modification.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
If split tunneling is not in use (for example, the SPLIT_INCLUDE attribute was not negotiated), you lose not only Internet access, but also access to resources on the local subnetworks. The Include-Local-LAN attribute allows the server to push the attribute to the client, which allows for a nonsplit-tunneling connection to access the local subnetwork at the same time as the client (for example, the connection is to the subnetwork to which the client is directly attached).
The Include-Local-LAN attribute is configured on a Cisco IOS XR router or in the RADIUS profile.
To configure the Include-Local-LAN attribute, use the include-local-lan command.
The following example is an attribute-value (AV) pair for the Include-Local-LAN attribute:
ipsec:include-local-lan=1You must enable the crypto isakmp client configuration group command, which specifies group policy information that has to be defined or changed, before enabling the include-local-lan command.
Note
•
•
•
•
Task ID
Examples
The following example shows that the Include-Local-LAN has been configured:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp client configuration group ciscoRP/0/RP0/CPU0:router(config-group)# include-local-lanRelated Commands
isakmp authorization list
To specify the authorization list that is used for authorization for Internet Key Exchange (IKE) interaction, use the isakmp authorization list command in ISAKMP profile configuration mode. To remove mode configuration, use the no form of this command.
isakmp authorization list author-list-name
no isakmp authorization list author-list-name
Syntax Description
author-list-name
Storage source used to find the policy as defined in the
aaa authorization command.
Defaults
No default behavior or values
Command Modes
ISAKMP profile configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Mode configuration allows a gateway to download an IP address (and other network-level configuration) to the client as part of an IKE negotiation. Using this exchange, the gateway gives IP addresses to the IKE client as an "inner" IP address encapsulated under IP Security (IPSec). This method provides a known IP address for the client that can be matched against IPSec policy.
Use the isakmp authorization list command with the client authentication list command, which applies extended authentication (Xauth) for IKE interaction.
When you are authorized and respectively authenticated, the reply from the AAA server contains attributes that are used when and if the mode configuration is executed. However, the method list must be defined first for the authorization.
Task ID
Examples
In the following example, mode configuration is applied to a crypto ISAKMP profile named newprofile:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp profile newprofileRP/0/RP0/CPU0:router(config-isa-prof)# isakmp authorization list list2Related Commands
Applies extended authentication (Xauth) for Internet Key Exchange (IKE) interaction.
Defines an ISAKMP profile and audits IPSec user sessions.
keepalive (ISAKMP profile)
To let the gateway send dead peer detection (DPD) messages to the Cisco IOS XR peer, use the keepalive command in ISAKMP profile configuration mode. To return to the default, use the no form of this command.
keepalive disable
no keepalive
Syntax Description
Defaults
Keepalive is enabled.
Command Modes
ISAKMP profile configuration
Command History
Release 3.4.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Release 3.5.0
No modification.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Task ID
Examples
The following example shows how to use the keepalive command:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp profile vpnprofileRP/0/RP0/CPU0:router(config-isa-prof)# keepalive disableRelated Commands
key (IKE)
To specify the Internet Key Exchange (IKE) preshared key for group policy attribute definition, use the key command in ISAKMP group configuration mode. To remove a preshared key, use the no form of this command.
key preshared-key
no key preshared-key
Syntax Description
Defaults
No default behavior or values
Command Modes
ISAKMP group configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the key command to specify the IKE preshared key when defining group policy information for mode configuration push. (It follows the crypto isakmp client configuration group command.) You must configure the key command if the client identifies itself to the router with a preshared key. (You need not enable this command if the client uses a certificate for identification.)
Task ID
Examples
The following example shows how to specify the preshared key named cisco:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp client configuration group defaultRP/0/RP0/CPU0:router(config-group)# key ciscoRP/0/RP0/CPU0:router(config-group)# acl group1Related Commands
Configures split tunneling.
Specifies the group whose policy profile is defined.
Specifies the primary and secondary Domain Name Service (DNS) addresses.
keyring
To configure a keyring with an ISAKMP profile, use the keyring command in ISAKMP profile configuration mode. To remove the keyring from the ISAKMP profile, use the no form of this command.
keyring kr-name1 [kr-name2 [kr-name3 [kr-name-4 [kr-name5 [kr-name6]]]]]]
no keyring kr-name1 [kr-name2 [kr-name3 [kr-name-4 [kr-name5 [kr-name6]]]]]]
Syntax Description
Defaults
No default behavior or values
Command Modes
ISAKMP profile configuration
Command History
Release 3.4.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Release 3.5.0
No modification.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
The ISAKMP profile successfully completes authentication of peers if the peer keys are defined in the keyring that is attached to this profile. You must define at least one keyring.
An ISAKMP profile can define one or more keyrings. For example, multiple keyrings can be used when few IKE peer endpoints are in the public address space; whereas, others are in the front door virtual routing and forwarding (FVRF) space as the IKE local endpoints.
Task ID
Examples
The following example shows how to configure vpnkeyring as the keyring name:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp profile vpnprofileRP/0/RP0/CPU0:router(config-isa-prof)# keyring vpnkeyringRelated Commands
Defines an ISAKMP profile and audits IPSec user sessions.
Defines a crypto keyring during IKE authentication.
Lists all the ISAKMP profiles that are defined on a router.
key-string (IKE)
To manually specify the Rivest, Shamir, and Adelman (RSA) public key of a remote peer, use the key-string command in public key configuration mode.
key-string key-string
Syntax Description
Defaults
No default behavior or values
Command Modes
Public key configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the key-string command to manually specify the RSA public key of an IP Security (IPSec) peer. Before using this command, you must identify the remote peer.
To avoid mistakes, you should cut and paste the key data (instead of attempting to type in the data).
When you finish specifying the RSA key, you must return to global configuration mode by entering quit at the public key configuration mode prompt.
Task ID
Examples
The following example shows how to manually specify the RSA public keys of an IPSec peer:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto keyring vpnkeyringRP/0/RP0/CPU0:router(config-keyring)# rsa-pubkey address 10.5.5.1RP/0/RP0/CPU0:router(config-pubkey)# key-string 005C300D 06092A86 4886F70D 0101010500034B00 30480241 00C5E23B 55D6AB2204AEF1BA A54028A6 9ACC01C5 129D99E464CAB820 847EDAD9 DF0B4E4C 73A05DD2BD62A8A9 FA603DD2 E2A8A6F8 98F76E28D58AD221 B583D7A4 71020301 0001quitRelated Commands
Defines the Rivest, Shamir, and Adelman (RSA) public key by address or hostname.
Displays peer RSA public keys stored on your router.
lifetime (IKE policy)
To specify the lifetime of an Internet Key Exchange (IKE) security association (SA), use the lifetime command in ISAKMP policy configuration mode. To reset the SA lifetime to the default value, use the no form of this command.
lifetime seconds
no lifetime
Syntax Description
seconds
Length of time (in seconds) that each SA should exist before expiring. Use an integer from 60 to 86400 seconds.
Defaults
seconds: 86400 seconds (1 day)
Command Modes
ISAKMP policy configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the lifetime command to specify how long an IKE SA exists before expiring.
When IKE begins negotiations, it first agrees upon the security parameters for its own session. The agreed-upon parameters are then referenced by an SA at each peer. The SA is retained by each peer until the lifetime of the SA expires. Before an SA expires, it can be reused by subsequent IKE negotiations, which can save time when new IP Security (IPSec) SAs are set up.
To save setup time for IPSec, configure a longer IKE SA lifetime. However, shorter lifetimes limit the exposure to attackers of this SA. The longer an SA is used, the more encrypted traffic can be gathered by an attacker and possibly used in an attack.
Note
Task ID
Examples
The following example shows how to configure an IKE policy with an SA lifetime of 600 seconds (all other parameters are set to the defaults):
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp policy 15RP/0/RP0/CPU0:router(config-isakmp)# lifetime 600Related Commands
local-address (keyring)
To limit the scope of an ISAKMP keyring configuration to a local termination address, use the local-address command in keyring configuration mode. To disable the feature, use the no form of this command.
local-address ip-address
no local-address ip-address
Syntax Description
Defaults
If the local-address command is not configured, the ISAKMP keyring is available to all local addresses.
Command Modes
Keyring configuration
Command History
Release 3.4.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Release 3.5.0
No modification.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Task ID
Examples
The following example shows that the scope of the ISAKMP keyring is limited only to IP address 130.40.1.1:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto keyring vpnkeyringRP/0/RP0/CPU0:router(config-keyring)# local-address 130.40.1.1RP/0/RP0/CPU0:router(config-keyring)# pre-shared-key address 0.0.0.0 0.0.0.0 key mykeyRelated Commands
Specifies the identity used by the router when participating in the Internet Key Exchange (IKE) protocol.
Defines a crypto keyring during IKE authentication.
match identity
To match the identity of a peer in an ISAKMP profile, use the match identity command in ISAKMP profile configuration mode. To remove the identity, use the no form of this command.
match identity {group group-name | address address [mask] vrf [fvrf] | host hostname | host domain domain-name | user username | user domain domain-name}
no match identity {group group-name | address address [mask] vrf [fvrf] | host hostname | host domain domain-name | user username | user domain domain-name}
Syntax Description
Defaults
No default behavior or values
Command Modes
ISAKMP profile configuration
Command History
Release 3.4.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Release 3.5.0
No modification.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
An ISAKMP profile configuration must have at least one match identity command. The peers are mapped to an ISAKMP profile when their identities are matched (as given in the ID payload of the IKE exchange) against the identities that are defined in the ISAKMP profile. To uniquely map to an ISAKMP profile, no two ISAKMP profiles should match the same identity. If the peer identity is matched in two ISAKMP profiles, the configuration is invalid.
Task ID
Examples
The following example shows how to configure the group as vpngroup for the match identity command:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp profile vpnprofileRP/0/RP0/CPU0:router(config-isa-prof)# match identity group vpngroupRP/0/RP0/CPU0:router(config-isa-prof-match)# set interface service-ipsec 1Related Commands
max-logins
To specify the maximum number of concurrent logins that are allowed for a certain user, use the max-logins command in ISAKMP group configuration mode. To remove the number of connections that were set, use the no form of this command.
max-logins number-of-logins
no max-logins number-of-logins
Syntax Description
number-of-logins
Number of logins. The value ranges from 0 to 16 and 384.
Note
Defaults
The default is 10.
Command Modes
ISAKMP group configuration
Command History
Release 3.4.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Release 3.5.0
No modification.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
The crypto isakmp client configuration group command must be configured before this command can be configured.
This command makes it possible to mimic the functionality provided by some RADIUS servers for limiting the number of simultaneous logins for users in that group.
The max-users and max-logins commands are enabled together or individually to control the usage of resources by any groups or individuals.
Task ID
Examples
The following example shows that the maximum number of logins for users in server group cisco is set to 8:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp client configuration group ciscoRP/0/RP0/CPU0:router(config-group)# max-logins 8Related Commands
Specifies the group whose policy profile is defined.
Limits the number of connections to a specific server group.
max-users
To limit the number of connections to a specific server group, use the max-users command in ISAKMP group configuration mode. To remove the number of connections that were set, use the no form of this command.
max-users number-of-users
no max-users number-of-users
Syntax Description
Defaults
The default is 1000.
Command Modes
ISAKMP group configuration
Command History
Release 3.4.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Release 3.5.0
No modification.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
The crypto isakmp client configuration group command must be configured before this command can be configured.
This command makes it possible to mimic the functionality provided by some RADIUS servers for limiting the number of connections to a specific server group.
The max-users and max-logins commands are enabled together or individually to control the usage of resources by any groups or individuals.
Task ID
Examples
The following example shows that the maximum number of connections to server group cisco is set to 1200:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp client configuration group ciscoRP/0/RP0/CPU0:router(config-group)# max-users 1200Related Commands
Specifies the group whose policy profile is defined.
Limits the number of simultaneous logins for users in a specific server group.
netmask
To set the IP network mask, use the netmask command in ISAKMP group configuration mode. To disable this feature, use the no form of this command.
netmask mask
no netmask mask
Syntax Description
Defaults
The default is that the attribute is not sent to the VPN client.
Command Modes
ISAKMP group configuration
Command History
Release 3.4.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Release 3.5.0
No modification.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Task ID
Examples
The following example shows how to set the IP network mask:
RRP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp client configuration group ciscoRP/0/RP0/CPU0:router(config-group)# netmask 255.255.255.0Related Commands
pfs
To configure a server to notify the client of the central-site policy regarding whether PFS is required for any IP Security (IPSec) Security Association (SA), use the pfs command in ISAKMP group configuration mode. To restore the default behavior, use the no form of this command.
pfs
no pfs
Syntax Description
This command has no arguments or keywords.
Defaults
The server does not notify the client of the central-site policy regarding whether PFS is required for any IPSec SA.
Command Modes
ISAKMP group configuration
Command History
Release 3.4.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Release 3.5.0
No modification.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Before you use the pfs command, you must first configure the crypto isakmp client configuration group command.
The following example is an attribute-value (AV) pair for the PFS attribute:
ipsec:pfs=1Task ID
Examples
The following example shows that the server is configured to notify the client of the central-site policy regarding whether PFS is required for any IPSec SA:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp client configuration group ciscoRP/0/RP0/CPU0:router(config-group)# pfsRelated Commands
pool (isakmp-group)
To define the name of an address-pool in which an address is allocated if required, use the pool command in ISAKMP group configuration mode. To remove a local pool from your configuration, use the no form of this command.
pool name
no pool name
Syntax Description
Defaults
No default behavior or values
Command Modes
ISAKMP group configuration
Command History
Release 3.4.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Release 3.5.0
No modification.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the pool command to refer to an IP local pool address, which defines a range of addresses that is used to allocate an internal IP address to a client. Although a user must define at least one pool name, a separate pool is defined for each group policy.
Note
You must enable the crypto isakmp client configuration group command, which specifies group policy information that has to be defined or changed, before enabling the pool command.
Task ID
Examples
The following example shows how to refer to the local pool address named dog:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp client configuration group ciscoRP/0/RP0/CPU0:router(config-group)# key ciscoRP/0/RP0/CPU0:router(config-group)# dns 10.2.2.2 10.3.2.3RP/0/RP0/CPU0:router(config-group)# pool dogRP/0/RP0/CPU0:router(config-group)# acl 199Related Commands
pre-shared-key
To define a preshared key for IKE authentication, use the pre-shared-key command in keyring configuration mode. To disable, use the no form of this command.
pre-shared-key {address address [mask] | hostname hostname} key key
no pre-shared-key {address address [mask] | hostname hostname} key key
Syntax Description
Defaults
No default behaviors or values
Command Modes
Keyring configuration
Command History
Release 3.4.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Release 3.5.0
No modification.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Task ID
Examples
The following example shows how to configure a preshared key using an IP address and hostname:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto keyring vpnkeyringRP/0/RP0/CPU0:router(config-keyring)# pre-shared-key address 10.72.23.11 key vpnkeyRP/0/RP0/CPU0:router(config-keyring)# pre-shared-key hostname www.vpn.com key vpnkeyRelated Commands
Specifies the identity used by the router when participating in the Internet Key Exchange (IKE) protocol.
Defines a crypto keyring during IKE authentication.
proxy
To configure proxy parameters for a Cisco Easy VPN remote device, use the proxy command in ISAKMP browser proxy configuration mode. To disable the parameters, use the no form of this command.
proxy {auto-detect | bypass-local | exception-list semicolon delimited exception list | none | server}
no {auto-detect | bypass-local | exception-list semicolon delimited exception list | none | server IPAddress:PortNumber}
Syntax Description
Defaults
Proxy parameters are not set.
Command Modes
ISAKMP browser proxy configuration
Command History
Release 3.5.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
This command is a subcommand of the crypto isakmp client configuration browser-proxy command.
Task ID
Examples
The following example shows various browser-proxy parameter settings for a browser proxy named bproxy:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp client configuration browser-proxy bproxyRP/0/RP0/CPU0:router(config-crypto-isakmp-browser-proxy)# proxy bypass-localRP/0/RP0/CPU0:router(config-crypto-isakmp-browser-proxy)# proxy exception-list 10.2.2.*,www.*orgRP/0/RP0/CPU0:router(config-crypto-isakmp-browser-proxy)# proxy server 10.1.1.1:2000RP/0/RP0/CPU0:router(config-crypto-isakmp-browser-proxy)# proxy noneRP/0/RP0/CPU0:router(config-crypto-isakmp-browser-proxy)# proxy auto-detectRelated Commands
Configures browser-proxy parameters for a Cisco Easy VPN remote device and to enter ISAKMP browser proxy configuration mode.
rsa-pubkey
To define the Rivest, Shamir, and Adelman (RSA) manual key to be used for encryption or signature during IKE authentication, use the rsa-pubkey command in keyring configuration mode. To disable the feature, use the no form of this command.
rsa-pubkey {address address | name fqdn} [encryption | signature]
no rsa-pubkey {address address | name fqdn} [encryption | signature]
Syntax Description
Defaults
The key is used for the signature.
Command Modes
Keyring configuration
Command History
Release 3.4.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Release 3.5.0
No modification.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the rsa-pubkey command to enter public key configuration mode. Use this command when you need to manually specify RSA public keys of other IP Security (IPSec) peers. You need to specify the keys of other peers when you configure RSA encrypted nonces as the authentication method in an IKE policy at your peer router.
When you finish specifying the RSA key, you must return to global configuration mode by entering quit at the public key configuration mode prompt.
Task ID
Examples
The following example shows that the RSA manual key of an IPSec peer has been specified:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto keyring vpnkeyringRP/0/RP0/CPU0:router(config-keyring)# rsa-pubkey name host.vpn.comRP/0/RP0/CPU0:router(config-pubkey)# key-string 005C300D 06092A86 4886F70D 01010105005C300D 06092A86 4886F70D 0101010500034B00 30480241 00C5E23B 55D6AB2204AEF1BA A54028A6 9ACC01C5 129D99E464CAB820 847EDAD9 DF0B4E4C 73A05DD2BD62A8A9 FA603DD2 E2A8A6F8 98F76E28D58AD221 B583D7A4 71020301 0001quitRelated Commands
save-password
To save your extended authentication (Xauth) password locally on your PC or Cisco Easy VPN client, use the save-password command in ISAKMP group configuration mode. To disable the Save-Password attribute, use the no form of this command.
save-password
no save-password
Syntax Description
This command has no arguments or keywords.
Defaults
Your Xauth password is not saved locally on your PC, and the Save-Password attribute is not added to the server group profile.
Command Modes
ISAKMP group configuration
Command History
Release 3.4.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Release 3.5.0
No modification.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Save password control allows you to save your Xauth password locally on your PC so that after you have initially entered the password, the Save-Password attribute is pushed from the server to the client.
Note
On subsequent authentications, you can activate the password by using the tick box on the software client or by adding the username and password to the Cisco IOS XR hardware client profile. The password setting remains until the Save-Password attribute is removed from the server group profile. After the password has been activated, the username and password are sent automatically to the server during Xauth without your intervention.
The Save-Password option is useful only if your password is static; that is, if it is not a one-time password such as one that is generated by a token.
The Save-Password attribute is configured on a Cisco IOS XR router or in the RADIUS profile.
To configure save password control, use the save-password command.
The following example is an attribute-value (AV) pair for the Save-Password attribute:
ipsec:save-password=1You must enable the crypto isakmp client configuration group command, which specifies group policy information that has to be defined or changed, before enabling the save-password command.
Note
•
•
•
Task ID
Examples
The following example shows that the Save-Password attribute is configured:
RP/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# crypto isakmp client configuration group ciscoRP/0/RP0/CPU0:router(config-group)# save-passwordRelated Commands
Configures split tunneling.
Specifies the group whose policy profile is defined.
self-identity
To define the identity that the local IKE uses to identify itself to the remote peer, use the self-identity command in ISAKMP profile configuration mode. To remove the ISAKMP identity that was defined for the IKE, use the no form of this command.
self-identity {address | fqdn | user-fqdn user-fqdn}
no self-identity {address | fqdn | user-fqdn user-fqdn}
Syntax Description
Defaults
If no ISAKMP identity is defined in the ISAKMP profile configuration, global configuration is the default.
Command Modes
ISAKMP profile configuration
Command History
Release 3.4.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Release 3.5.0
No modification.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
If the self-identity command is not defined, IKE uses the globally configured value.
Task ID
Examples
The following example shows that the IKE identity is the user FQDN "user@vpn.com":
RP/0/RP0/CPU0:router# configureRR/0/RP0/CPU0:router(config)# crypto isakmp profile vpnprofileRP/0/RP0/CPU0:router(config-isa-prof)# self-identity user-fqdn user@vpn.comRelated Commands
set interface
To specify that the virtual interface is predefined when the local endpoint is the IKE responder and when it is the IKE initiator, use the set interface command in ISAKMP profile match configuration mode. To disable the feature, use the no form of this command.
set interface {service-ipsec | service-gre} intf-index
no set interface {service-ipsec | service-gre} intf-index
Syntax Description
service-ipsec
Specifies the IPSec service interfaces.
service-gre
Specifies the GRE service interfaces.
intf-index
The range is from 1 to 65535.
Defaults
No default behavior or values
Command Modes
ISAKMP profile match configuration
Command History
Release 3.4.0
This command was introduced on the Cisco XR 12000 Series Router IPSec VPN SPA.
Release 3.5.0
No modification.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
The profile for the identity is determined based on the selected virtual interface.
The virtual interface must be predefined by using the set interface command. Otherwise, the IKE SA cannot be established.
When the local endpoint is the IKE responder, the predefined interface is found according to the peer's identity. When the local endpoint is the IKE initiator, the predefined interface is used to find the appropriate ISAKMP profile. Therefore, a virtual interface cannot be predefined in more than one ISAKMP profile.
When the local endpoint is the IKE initiator, the interface, which is configured, is used to select the correct ISAKMP profile.
Note
Task ID
Examples
The following example shows how to set the interface index to 50 by using the service-ipsec keyword:
RP/0/0/CPU0:router# configureRP/0/0/CPU0:router(config)# crypto isakmp profile vpnprofileRP/0/0/CPU0:router(config-isa-prof)# match identity group vpngroupRP/0/0/CPU0:router(config-isa-prof-match)# set interface service-ipsec 50Related Commands
Defines an ISAKMP profile and audits IPSec user sessions.
Matches the identity of a peer in an ISAKMP profile.
Enables multiple IPSec security associations (SAs) per interface.
set interface tunnel-ipsec
To predefine the interface instance when IKE negotiates for tunnel mode IPSec service associations (SAs) for the traffic that is locally sourced or terminated, use the set interface tunnel-ipsec command in ISAKMP profile match configuration mode. To disable the feature, use the no form of this command.
set interface tunnel-ipsec intf-index
no set interface tunnel-ipsec intf-index
Syntax Description
Defaults
No default behavior or values
Command Modes
ISAKMP profile match configuration
Command History
Release 3.4.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Release 3.5.0
No modification.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
The interface must be predefined by using the set interface command. Otherwise, the IKE SA cannot be established.
When the local endpoint is the IKE responder, the predefined interface is found according to the peers identity. When the local endpoint is the IKE initiator, the predefined interface is used to find the appropriate ISAKMP profile to be used. Thus, a virtual interface cannot be predefined in more than one ISAKMP profile.
Note
Task ID
Examples
The following example shows how to predefine the interface instance:
RP/0/0/CPU0:router# configureRP/0/0/CPU0:router(config)# crypto isakmp profile vpnprofileRP/0/0/CPU0:router(config-isa-prof)# match identity group vpngroupRP/0/0/CPU0:router(config-isa-prof-match)# set interface tunnel-ipsec 50Related Commands
Defines an ISAKMP profile and audits IPSec user sessions.
Matches the identity of a peer in an ISAKMP profile.
Predefines an IPSec profile instance.
set ipsec-profile
To predefine the IPSec profile instance when IKE negotiates for transport mode IPSec service associations (SAs) for the traffic that is locally sourced or terminated, use the set ipsec-profile command in ISAKMP profile match configuration mode. To disable the feature, use the no form of this command.
set ipsec-profile profile-name
no set ipsec-profile profile-name
Syntax Description
Defaults
No default behavior or values
Command Modes
ISAKMP profile match configuration
Command History
Release 3.4.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Release 3.5.0
No modification.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
The IPSec profile must be predefined by using the set ipsec-profile command when transport mode IPSec SAs are negotiated. Otherwise, the IKE SA cannot be established.
When the local endpoint is the IKE responder, the predefined interface is found according to the peer's identity. When the local endpoint is the IKE initiator, the predefined interface is used to find the appropriate ISAKMP profile to be used. Thus, a virtual interface cannot be predefined in more than one ISAKMP profile.
Note
The profile for the identity is determined based on the selected virtual interface.
When the local endpoint is the IKE initiator, the profile or interface configured is used to select the correct ISAKMP profile.
Task ID
Examples
The following example shows how to predefine the IPSec profile instance:
RP/0/0/CPU0:router# configureRP/0/0/CPU0:router(config)# crypto isakmp profile vpnprofileRP/0/0/CPU0:router(config-isa-prof)# match identity group vpngroupRP/0/0/CPU0:router(config-isa-prof-match)# set ipsec-profile myprofileRelated Commands
Defines an ISAKMP profile and audits IPSec user sessions.
Matches the identity of a peer in an ISAKMP profile.
Predefines the interface instance.
show crypto isakmp call admission statistics
To monitor the Call Admission Control (CAC) statistics of the IKE protocol, use the show cyrpto isakmp call admission statistics command in EXEC mode.
show cyrpto isakmp call admission statistics
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
EXEC
Command History
Release 3.4.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Release 3.5.0
No modification.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Task ID
Examples
The following example shows how to display the configuration for the show crypto isakmp call admission statistics command:
RP/0/RP0/CPU0:router# show crypto isakmp call admission statistics---------------------------------------------------------------------Crypto Call Admission Control Statistics---------------------------------------------------------------------IKE Active SA Limit: 1, IKE In-Negotiation SA limit: 2Total CPU usage limit: 100, IKE CPU usage limit: 100Total IKE SA Count: 0, active: 0, negotiating: 0Incoming IKE Calls: 24 , accepted 24 , rejected 0Outgoing IKE Calls: 16 , accepted 6 , rejected 10Total Calls: 40Rejected IKE Calls: 10, resources low 0, limit exceeded 10Table 2 describes the significant fields shown in the display.
Related Commands
show crypto isakmp errors
To display the Internet Security Association and Key Management Protocol (ISAKMP) error that occurred during tunnel establishment, use the show crypto isakmp errors command in EXEC mode.
show crypto isakmp errors
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
EXEC
Command History
Release 3.5.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Task ID
Examples
The following sample output is from the show crypto isakmp errors command:
RP/0/RP0/CPU0:router# show crypto isakmp errorsControl Plane Errors---------------------ERR NO MEMORY.....................................0INVALID CERT......................................0CRYPTO FAILURE....................................0SA NOT AUTH.......................................0AUTHENTICATION FAILED.............................0GROUP AUTHOR FAILED...............................0USER AUTHEN REJECTED..............................0LOCAL ADDRESS FAILURE.............................0FAILED TO CREATE SKEYID...........................0RSA PUBLIC KEY NOT FOUND..........................0RETRANSMITION LIMIT...............................0MALFORMED MESSAGE.................................0QUICK MODE TIMER EXPIRED..........................0KEY NOT FOUND IN PROFILE..........................0PROFILE NOT FOUND.................................0PRESHARED KEY NOT FOUND...........................0PHASE2 PROPOSAL NOT CHOSEN........................0POLICY MISMATCH...................................0NO POLICY FOUND...................................0PACKET PROCESS FAILURE............................0Warnings---------CERT DOESNT MATCH ID..............................0CERT ISNT TRUSTED ROOT............................0PACKET NOT ENCRYPTED..............................0UNRELIABLE INFO MSG...............................0NO SA.............................................0BAD DOI SA........................................0UNKNOWN EXCHANGE TYPE.............................0OUTGOING PKT TOO BIG..............................0INCOMING PKT TOO BIG..............................0Informational--------------CAC DROPS.........................................0DEFAULT POLICY ACCEPTED...........................0Table 3 describes the significant fields shown in the display.
Related Commands
show crypto isakmp key
To display the Internet Security Association and Key Management Protocol (ISAKMP) preshared keys for a router, use the show crypto isakmp key command in EXEC mode.
show crypto isakmp key
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
EXEC
Command History
