Table Of Contents
Internet Key Exchange Security Protocol Commands on Cisco ASR 9000 Series Routers
clear crypto isakmp call admission statistics
crypto isakmp call admission limit
description (ISAKMP policy-set)
match identity (ISAKMP profile)
match identity (ISAKMP policy-set)
show crypto isakmp call admission statistics
show crypto key pubkey-chain rsa
Internet Key Exchange Security Protocol Commands on Cisco ASR 9000 Series Routers
This module describes the Cisco IOS XR software commands used to configure the Internet Key Exchange (IKE) security protocol on Cisco ASR 9000 Series Aggregation Services Routers.
For detailed information about IKE concepts, configuration tasks, and examples, see the Implementing Internet Key Exchange Security Protocol on Cisco ASR 9000 Series Routers module in the Cisco ASR 9000 Series Aggregation Services Router System Security Configuration Guide.
accounting (IKE)
To enable authentication, authorization, and accounting (AAA) services for all peers that connect through the ISAKMP profile, use the accounting command in ISAKMP profile configuration mode. To return to the default value, use the no form of this command.
accounting list-name
no accounting
Syntax Description
Defaults
The default value is no accounting.
Command Modes
ISAKMP profile configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Task ID
Examples
The following example shows how to create an accounting list:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# crypto isakmp profile vpnprofile
RP/0/RSP0/CPU0:router(config-isa-prof)# accounting aaalist
Related Commands
address
To specify the IP address for the Rivest, Shamir, and Adleman (RSA) public key of the remote peer you manually configure, use the address command in public key configuration mode. To remove the IP address of the remote peer, use the no form of this command.
address ip-address
no address ip-address
Syntax Description
Defaults
No default behavior or values
Command Modes
Public key configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Use the address command to specify the RSA public key for the IP Security (IPSec) peer you manually configure next.
When you finish specifying the RSA key, you must return to global configuration mode by entering quit on a new line.
Task ID
Examples
The following example manually specifies the RSA public keys of an IPSec peer:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# crypto keyring vpnkey
RP/0/RSP0/CPU0:router(config-keyring)# rsa-pubkey name host.vpn.com
RP/0/RSP0/CPU0:router(config-pubkey)# address 10.5.5.1
RP/0/RSP0/CPU0:router(config-pubkey)# key-string 005C300D 06092A86 4886F70D 01010105
005C300D 06092A86 4886F70D 01010105
00034B00 30480241 00C5E23B 55D6AB22
04AEF1BA A54028A6 9ACC01C5 129D99E4
64CAB820 847EDAD9 DF0B4E4C 73A05DD2
D58AD221 B583D7A4 71020301 0001
quit
Related Commands
authentication (IKE policy)
To specify the authentication method within an Internet Key Exchange (IKE) policy, use the authentication command in ISAKMP policy configuration mode. To reset the authentication method to the default value, use the no form of this command.
authentication {pre-share | rsa-sig | rsa-encr}
no authentication {pre-share | rsa-sig | rsa-encr}
Syntax Description
Defaults
RSA signatures
Command Modes
ISAKMP policy configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
IKE policies define a set of parameters during IKE negotiation. Use the authentication command to specify the authentication method in an IKE policy. If you specify preshared keys, you must also separately configure these preshared keys.
If you specify RSA encrypted nonces, you must ensure that each peer has the RSA public keys of the other peers. (See the address, rsa-pubkey, and key-string commands.)
If you specify RSA signatures, you must configure your peer routers to obtain certificates from a certification authority (CA).
Task ID
Examples
The following example shows how to configure an IKE policy with preshared keys as the authentication method (and with all other parameters set to the defaults):
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# crypto isakmp policy 15
RP/0/RSP0/CPU0:router(config-isakmp)# authentication pre-share
The following example shows how to configure an IKE policy with RSA encrypted nonces as the authentication method (and with all other parameters set to the defaults):
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# crypto isakmp policy 15
RP/0/RSP0/CPU0:router(config-isakmp)# authentication rsa-encr
The following example configures an IKE policy with RSA signatures as the authentication method (and with all other parameters set to the defaults):
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# crypto isakmp policy 15
RP/0/RSP0/CPU0:router(config-isakmp)# authentication rsa-sig
Related Commands
clear crypto isakmp
To clear active Internet Key Exchange (IKE) connections, use the clear crypto isakmp command in EXEC mode.
clear crypto isakmp [connection-id]
Syntax Description
connection-id
(Optional) Name of connection to clear. If this argument is not used, all existing connections are cleared. The range is from 1 to 64000.
Defaults
No default behavior or values
Command Modes
EXEC
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Note
If the connection-id argument is not used, all existing IKE connections are cleared when this command is issued.
Task ID
Examples
The following example shows how to clear the IKE connection (conn-id 1) between the two peers 172.21.114.123 and 172.21.114.67. The clear crypto isakmp command is entered in EXEC mode, not configuration mode:
RP/0/RSP0/CPU0:router# show crypto isakmp sa
vrf       dst             src             state     conn-id  nodeid
--------- --------------- --------------- --------- -------- ------
default   172.21.114.123  172.21.114.67   QM_IDLE   1        0
default   172.0.0.2       172.0.0.1       QM_IDLE   8        0
RP/0/RSP0/CPU0:router# clear crypto isakmp 1
RP/0/RSP0/CPU0:router# show crypto isakmp sa
vrf       dst             src             state     conn-id  nodeid
--------- --------------- --------------- --------- -------- ------
default   172.0.0.2       172.0.0.1       QM_IDLE   8        0
Related Commands
clear crypto isakmp call admission statistics
To clear ISAKMP call admission statistics, use the clear crypto isakmp call admission statistics command in EXEC mode.
clear crypto isakmp call admission statistics
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
EXEC
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Task ID
Examples
The following example shows how to clear call admission statistics:
RP/0/RSP0/CPU0:router# clear crypto isakmp call admission statistics
Related Commands
Command Description
Displays the configuration for Call Admission Control (CAC) to the IKE protocol.
clear crypto isakmp errors
To clear the statistics for Internet Security Association and Key Management Protocol (ISAKMP) errors, use the clear crypto isakmp errors command in EXEC mode.
clear crypto isakmp errors
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
EXEC
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Task ID
Examples
The following example shows how to clear ISAKMP error statistics:
RP/0/RSP0/CPU0:router# show crypto isakmp errors
Control Plane Errors
---------------------
ERR NO MEMORY.....................................0
INVALID CERT......................................0
CRYPTO FAILURE....................................0
SA NOT AUTH.......................................0
AUTHENTICATION FAILED.............................0
GROUP AUTHOR FAILED...............................0
USER AUTHEN REJECTED..............................0
LOCAL ADDRESS FAILURE.............................0
FAILED TO CREATE SKEYID...........................0
RSA PUBLIC KEY NOT FOUND..........................0
RETRANSMITION LIMIT...............................0
MALFORMED MESSAGE.................................0
QUICK MODE TIMER EXPIRED..........................0
KEY NOT FOUND IN PROFILE..........................0
PROFILE NOT FOUND.................................0
PRESHARED KEY NOT FOUND...........................0
PHASE2 PROPOSAL NOT CHOSEN........................0
POLICY MISMATCH...................................0
NO POLICY FOUND...................................0
PACKET PROCESS FAILURE............................0
Warnings
---------
CERT DOESNT MATCH ID..............................0
CERT ISNT TRUSTED ROOT............................0
PACKET NOT ENCRYPTED..............................0
UNRELIABLE INFO MSG...............................0
NO SA.............................................0
BAD DOI SA........................................0
UNKNOWN EXCHANGE TYPE.............................0
OUTGOING PKT TOO BIG..............................0
INCOMING PKT TOO BIG..............................0
Informational
--------------
CAC DROPS.........................................0
DEFAULT POLICY ACCEPTED...........................0
RP/0/RSP0/CPU0:router# clear crypto isakmp errors
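A small monitoring routine for the counters shown above, added here as an example and not Cisco code: it parses two snapshots of the output, computes the growth of each counter, and reports watched counters (failed authentications, missing keys, CAC drops) that grew beyond a threshold. Because clear crypto isakmp errors zeroes the counters, a value that is lower than in the previous snapshot is interpreted as a reset rather than as a negative delta. Both snapshots are constructed, with only a subset of the counters, and the watched set and threshold are the example's own choices.

```python
import re

# Two constructed snapshots of "show crypto isakmp errors" output, in the
# counter-name / dot-leader / value layout shown above; not captured from a
# real router. Between them an operator ran "clear crypto isakmp errors",
# so one counter appears to go backwards.
SNAPSHOT_T0 = """\
Control Plane Errors
---------------------
ERR NO MEMORY.....................................0
AUTHENTICATION FAILED.............................3
PRESHARED KEY NOT FOUND...........................1
RETRANSMITION LIMIT...............................7
Warnings
---------
CERT ISNT TRUSTED ROOT............................0
Informational
--------------
CAC DROPS.........................................0
"""

SNAPSHOT_T1 = """\
Control Plane Errors
---------------------
ERR NO MEMORY.....................................0
AUTHENTICATION FAILED.............................2
PRESHARED KEY NOT FOUND...........................40
RETRANSMITION LIMIT...............................7
Warnings
---------
CERT ISNT TRUSTED ROOT............................0
Informational
--------------
CAC DROPS.........................................12
"""

# "NAME.......N": a counter name in capitals, dot leaders, then the value.
COUNTER_RE = re.compile(r"^([A-Z][A-Z0-9 ]*?)\.{2,}(\d+)$")

# Counters whose growth usually means peers are failing authentication or the
# router is shedding IKE load; adjust to taste.
WATCHED = {
    "AUTHENTICATION FAILED",
    "PRESHARED KEY NOT FOUND",
    "RSA PUBLIC KEY NOT FOUND",
    "CAC DROPS",
}


def parse_isakmp_errors(text):
    """Return {counter name: value} from show crypto isakmp errors output."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line.strip())
        if m:
            counters[m.group(1).strip()] = int(m.group(2))
    return counters


def counter_deltas(before, after):
    """Growth of each counter between two snapshots.

    The counters are cumulative and only decrease when someone runs
    'clear crypto isakmp errors'. A value lower than in the previous snapshot
    is therefore treated as a reset: the whole new value counts as growth
    since the clear, instead of producing a negative delta that would hide
    failures.
    """
    deltas = {}
    for name, new in after.items():
        old = before.get(name, 0)
        deltas[name] = new if new < old else new - old
    return deltas


def alerts(before, after, threshold=10):
    """Sorted names of watched counters that grew by at least threshold."""
    growth = counter_deltas(before, after)
    return sorted(n for n in WATCHED if growth.get(n, 0) >= threshold)


if __name__ == "__main__":
    t0 = parse_isakmp_errors(SNAPSHOT_T0)
    t1 = parse_isakmp_errors(SNAPSHOT_T1)
    print(counter_deltas(t0, t1))
    print(alerts(t0, t1))  # ['CAC DROPS', 'PRESHARED KEY NOT FOUND']
```

Feed it the real output collected at each polling interval; the reset handling means an operator clearing the counters mid-investigation does not suppress the next alert.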
Related Commands
clear crypto session
To delete crypto sessions (IP Security [IPSec] and Internet Key Exchange [IKE] security associations [SAs]), use the clear crypto session command in EXEC mode.
clear crypto session [user username | group group | interface | ivrf vrf-name | local ip-address | fvrf vrf-name | remote ip-address]
Syntax Description
Defaults
If the clear crypto session command is entered without any keywords, all existing sessions are deleted. The IPSec SAs are deleted first. Then, the IKE SAs are deleted. The default value for the remote port is 500.
Command Modes
EXEC
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
To clear a specific crypto session or a subset of all the sessions, you need to provide session-specific parameters, such as local interface, local IP address, remote IP address (and port), FVRF name, or IVRF name.
If a local IP address is provided as a parameter, all the sessions (and their IKE SAs and IPSec SAs) that share the IP address as a local crypto endpoint (IKE local address) are deleted.
Task ID
Examples
The following example shows how to delete all crypto sessions:
RP/0/RSP0/CPU0:router# clear crypto session
The following example shows that the crypto session of the FVRF named "blue" is deleted:
RP/0/RSP0/CPU0:router# clear crypto session fvrf blue
The following example shows that the crypto session of the local endpoint 10.1.1.1 is deleted:
RP/0/RSP0/CPU0:router# clear crypto session local 10.1.1.1
Related Commands
Command Description
Adds the description of an Internet Key Exchange (IKE) peer.
Displays status information for active crypto sessions.
crypto isakmp
To globally enable Internet Key Exchange (IKE) at your peer router, use the crypto isakmp command in global configuration mode. To disable IKE at the peer, use the no form of this command.
crypto isakmp
no crypto isakmp
Syntax Description
This command has no arguments or keywords.
Defaults
IKE is disabled.
Command Modes
Global configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
IKE need not be enabled for individual interfaces, but is enabled globally for all interfaces at the router.
Task ID
Examples
The following example shows how to disable IKE at one peer:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# crypto isakmp
RP/0/RSP0/CPU0:router(config)# no crypto isakmp
crypto isakmp call admission limit
To deny incoming or outgoing session requests based on several metrics, use the crypto isakmp call admission limit command in global configuration mode. To disable this feature, use the no form of this command.
crypto isakmp call admission limit {cpu {total percent | ike percent} | in-negotiation-sa number | sa number}
no crypto isakmp call admission limit {cpu {total percent | ike percent} | in-negotiation-sa number | sa number}
Syntax Description
Defaults
The default value for the in-negotiation-sa keyword is set to 1000 SAs.
Command Modes
Global configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
A request for an IKE SA is denied if insufficient system resources exist to handle the negotiation.
Task ID
Examples
The following example shows how to use the crypto isakmp call admission limit command:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# crypto isakmp call admission limit cpu ike 30
Related Commands
crypto isakmp identity
To specify the identity used by the router when participating in the Internet Key Exchange (IKE) protocol, use the crypto isakmp identity command in global configuration mode. To reset the Internet Security Association and Key Management Protocol (ISAKMP) identity to the default value (address), use the no form of this command.
crypto isakmp identity {address | hostname}
no crypto isakmp identity
Syntax Description
Defaults
The IP address is used for the ISAKMP identity.
Command Modes
Global configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Use the crypto isakmp identity command to specify an ISAKMP identity either by IP address or by host name. As a general rule, you should set all identities for peers in the same way—either by IP address or by host name.
Set an ISAKMP identity whenever you specify preshared keys.
Use the address keyword when only one interface (and therefore only one IP address) is used by the peer for IKE negotiations, and the IP address is known.
Use the hostname keyword if more than one interface on the peer might be used for IKE negotiations, or if the IP address for the interface is unknown (such as with dynamically assigned IP addresses).
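A check for the pairing rule above, added here as an example and not part of the Cisco documentation: it parses the identity and keyring commands of two peers and reports when one side presents an identity type for which the other side has no pre-shared-key entry, or when the two entries carry different keys. The configurations are constructed, the addresses and hostnames are illustrative, and the lookup pairing (an address identity against a pre-shared-key address entry, a hostname identity against a pre-shared-key hostname entry) follows the examples in this section.

```python
import re

# Constructed configuration excerpts for two peers, written with the identity
# and keyring commands from this section; addresses and hostnames are
# illustrative. The remote side deliberately uses a different identity type.
LOCAL_CFG = """\
crypto isakmp identity address
crypto keyring keyring1
 pre-shared-key address 192.168.1.33 key presharedkey
"""

REMOTE_CFG = """\
crypto isakmp identity hostname
crypto keyring keyring1
 pre-shared-key address 10.0.0.1 key presharedkey
"""

# Same remote peer after aligning its identity type with the local peer.
REMOTE_CFG_FIXED = """\
crypto isakmp identity address
crypto keyring keyring1
 pre-shared-key address 10.0.0.1 key presharedkey
"""

IDENTITY_RE = re.compile(r"^\s*crypto isakmp identity (address|hostname)\s*$")
PSK_RE = re.compile(r"^\s*pre-shared-key (address|hostname) (\S+) key (\S+)\s*$")


def parse_peer(cfg):
    """Return (identity type, {(type, identifier): key}) for one peer.

    The identity type defaults to 'address', the documented default when
    'crypto isakmp identity' is not configured.
    """
    identity = "address"
    keys = {}
    for line in cfg.splitlines():
        m = IDENTITY_RE.match(line)
        if m:
            identity = m.group(1)
            continue
        m = PSK_RE.match(line)
        if m:
            keys[(m.group(1), m.group(2))] = m.group(3)
    return identity, keys


def check_pair(local_cfg, local_addr, local_host,
               remote_cfg, remote_addr, remote_host):
    """List the configuration problems that stop the two peers authenticating.

    Each side must hold a pre-shared key filed under the identity the other
    side presents (its IP address or its hostname, according to that side's
    'crypto isakmp identity'), and both entries must carry the same key.
    """
    problems = []
    l_id, l_keys = parse_peer(local_cfg)
    r_id, r_keys = parse_peer(remote_cfg)
    if l_id != r_id:
        problems.append(f"identity type mismatch: local={l_id} remote={r_id}")
    # Identity each peer sends in its ID payload, and therefore the keyring
    # entry the other peer must hold.
    local_ident = (l_id, local_addr if l_id == "address" else local_host)
    remote_ident = (r_id, remote_addr if r_id == "address" else remote_host)
    l_key = l_keys.get(remote_ident)
    r_key = r_keys.get(local_ident)
    if l_key is None:
        problems.append(f"local keyring has no entry for remote identity {remote_ident}")
    if r_key is None:
        problems.append(f"remote keyring has no entry for local identity {local_ident}")
    if l_key is not None and r_key is not None and l_key != r_key:
        problems.append("pre-shared keys differ")
    return problems


if __name__ == "__main__":
    local = ("10.0.0.1", "localrouter.example.com")
    remote = ("192.168.1.33", "remoterouter.example.com")
    for cfg in (REMOTE_CFG, REMOTE_CFG_FIXED):
        print(check_pair(LOCAL_CFG, *local, cfg, *remote))
```

The mismatched pair fails on two counts (different identity types, and the local keyring has no hostname entry for the remote peer), which is exactly the situation the rule about setting all identities the same way is meant to prevent; the corrected remote configuration yields no problems.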
Task ID
Examples
The following example shows how to use preshared keys at two peers and set both their ISAKMP identities to the IP address.
At the local peer (at 10.0.0.1), the ISAKMP identity is set and the preshared key is specified.
RP/0/RSP0/CPU0:router(config)# crypto isakmp identity address
RP/0/RSP0/CPU0:router(config)# crypto keyring keyring1
RP/0/RSP0/CPU0:router(config-keyring)# pre-shared-key address 192.168.1.33 key presharedkey
At the remote peer (at 192.168.1.33), the ISAKMP identity is set and the same preshared key is specified.
RP/0/RSP0/CPU0:router(config)# crypto isakmp identity address
RP/0/RSP0/CPU0:router(config)# crypto keyring keyring1
RP/0/RSP0/CPU0:router(config-keyring)# pre-shared-key address 10.0.0.1 key presharedkey
Note
In the preceding example, if the crypto isakmp identity command had not been performed, the ISAKMP identities would still have been set to the IP address, the default identity.
The following example shows how to use preshared keys at two peers and set both their ISAKMP identities to the host name.
At the local peer, the ISAKMP identity is set and the preshared key is specified.
RP/0/RSP0/CPU0:router(config)# crypto isakmp identity hostname
RP/0/RSP0/CPU0:router(config)# crypto keyring keyring1
RP/0/RSP0/CPU0:router(config-keyring)# pre-shared-key hostname remoterouter.example.com key presharedkey
At the remote peer, the ISAKMP identity is set and the same preshared key is specified.
RP/0/RSP0/CPU0:router(config)# crypto isakmp identity hostname
RP/0/RSP0/CPU0:router(config)# crypto keyring keyring1
RP/0/RSP0/CPU0:router(config-keyring)# pre-shared-key hostname localrouter.example.com key presharedkey
Related Commands
crypto isakmp keepalive
To enable Internet Key Exchange (IKE) keepalives, which use the IKE security association (SA) to detect loss of connectivity between two IP Security (IPSec) peers, use the crypto isakmp keepalive command in global configuration mode. To disable this feature, use the no form of this command.
crypto isakmp keepalive seconds retry-seconds
no crypto isakmp keepalive
Syntax Description
seconds
Number of seconds between keepalive messages. The range is from 10 to 3600.
retry-seconds
Number of seconds between retries if keepalive fails. The range is from 2 to 60.
Defaults
IKE does not send keepalive messages until specified by this command.
Command Modes
Global configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
If IKE does not receive the keepalive acknowledge message from the peer after four tries, IKE concludes that it has lost connectivity with its peer.
Task ID
Examples
The following example shows how to set the number of seconds between keepalive messages to 20 seconds, and the number of seconds between retries to 20 seconds if keepalive fails:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# crypto isakmp keepalive 20 20
Related Commands
crypto isakmp peer
To enable an IP Security (IPSec) peer for Internet Key Exchange (IKE), use the crypto isakmp peer command in global configuration mode. To disable this functionality, use the no form of this command.
crypto isakmp peer {address ip-address | hostname hostname} [description line | vrf fvrf-name]
no crypto isakmp peer {address ip-address | hostname hostname} [description line | vrf fvrf-name]
Syntax Description
Defaults
No default behavior or values
Command Modes
Global configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Use the crypto isakmp peer command to enter ISAKMP peer configuration mode.
You can give a peer that is identified by an IP address a meaningful name or description.
Task ID
Examples
The following example shows that the peer address is 40.40.40.2 and named citeA:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# crypto isakmp peer address 40.40.40.2
RP/0/RSP0/CPU0:router(config-isakmp-peer)# description citeA
RP/0/RSP0/CPU0:router(config-isakmp-peer)# commit
RP/0/RSP0/CPU0:router# show crypto isakmp peers
Peer: 60.60.60.2 Port: 500 Local: 70.70.70.2 vrf: default
UDP encapsulate: False
SA information:
Connection ID: 2
State: QM_IDLE
Phase 1 ID: IPV4_ADDR 60.60.60.2
Peer: 40.40.40.2 Port: 500 Local: 50.50.50.2 vrf: default
Description: peerA
UDP encapsulate: False
SA information:
Connection ID: 1
State: QM_IDLE
Phase 1 ID: IPV4_ADDR 40.40.40.2
Related Commands
Command Description
Adds the description of an Internet Key Exchange (IKE) peer.
Displays peer structures.
crypto isakmp policy
To define an Internet Key Exchange (IKE) policy, use the crypto isakmp policy command in global configuration mode. To delete an IKE policy, use the no form of this command.
crypto isakmp policy priority
no crypto isakmp policy priority
Syntax Description
priority
Value that uniquely identifies the IKE policy and assigns a priority to the protection policy. Use an integer from 1 to 10000, with 1 being the highest priority and 10000 the lowest.
Defaults
There is a default policy, which always has the lowest priority. The default policy contains default values for the encryption, hash, authentication, Diffie-Hellman group, and lifetime parameters. (The parameter defaults are listed in the "Usage Guidelines" section.) When you create an IKE policy, the default for a particular parameter is used if no value is specified.
Command Modes
Global configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Use the crypto isakmp policy command to specify the parameters to use during an IKE negotiation. (These parameters create the IKE security association [SA].)
The crypto isakmp policy command enters ISAKMP policy configuration mode. The following commands are available in this mode to specify the parameters in the policy:
• authentication (IKE policy) command—Specifies the authentication method. The default is Rivest, Shamir, and Adleman (RSA) signatures.
• description (IKE policy) command—Creates a description of an IKE policy.
• encryption (IKE policy) command—Sets the encryption algorithm for the protection suite. The default is 56-bit DES-CBC.
• group (IKE policy) command—Specifies the Diffie-Hellman group. The default is 768-bit Diffie-Hellman (group 1).
• hash (IKE policy) command—Specifies the hash algorithm. The default is SHA-1.
• lifetime (IKE policy) command—Specifies the lifetime of the IKE SA. The default is 86,400 seconds (1 day).
If you do not specify one of these commands for a policy, the default value is used for that parameter. The default protection suite (56-bit DES, SHA-1, and 768-bit Diffie-Hellman group 1) is weak by current standards, so set the encryption algorithm, hash, and Diffie-Hellman group explicitly rather than relying on the defaults.
To exit ISAKMP policy configuration mode, use the exit command.
You can configure multiple IKE policies on each peer participating in IP Security (IPSec). When the IKE negotiation begins, it tries to find a common policy configured on both peers, starting with the highest priority policies as specified on the remote peer.
Task ID
Examples
The following example shows how to configure two policies for the peer:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# crypto isakmp policy 15
RP/0/RSP0/CPU0:router(config-isakmp)# hash md5
RP/0/RSP0/CPU0:router(config-isakmp)# authentication rsa-sig
RP/0/RSP0/CPU0:router(config-isakmp)# group 2
RP/0/RSP0/CPU0:router(config-isakmp)# lifetime 5000
RP/0/RSP0/CPU0:router(config-isakmp)# exit
RP/0/RSP0/CPU0:router(config)# crypto isakmp policy 20
RP/0/RSP0/CPU0:router(config-isakmp)# authentication pre-share
RP/0/RSP0/CPU0:router(config-isakmp)# lifetime 10000
RP/0/RSP0/CPU0:router(config-isakmp)# exit
The configuration results in the following policies:
Protection suite priority 15
encryption algorithm: DES - Data Encryption Standard (56 bit keys)
hash algorithm: Message Digest 5
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman Group: #2 (1024 bit)
lifetime: 5000 seconds, no volume limit
Protection suite priority 20
encryption algorithm: DES - Data Encryption Standard (56 bit keys)
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman Group: #1 (768 bit)
lifetime: 10000 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys)
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman Group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
IKE policy 15 is the highest priority, and the default policy is the lowest priority.
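The negotiation rule from the usage guidelines, worked through in code; this is an added example, not Cisco tooling. It parses protection-suite listings in the format shown above for both peers, picks the policy a responder would accept by walking the remote peer's policies from highest priority (lowest number) and taking the first one whose suite the local peer also has, and flags suites that still use DES, MD5 or 768-bit Diffie-Hellman. The listings are constructed (the remote peer's AES policy is illustrative). Lifetime is deliberately left out of the comparison, an assumption of the example, and the sentinel priority 10001 for the default suite is the example's own convention, chosen because user priorities stop at 10000. The result shows why a strong policy on one side is not enough: the local router has only DES suites, so the negotiation falls through to the remote peer's weak fallback policy.

```python
import re

# Constructed protection-suite listing for the local router, in the layout
# shown above: the two configured policies plus the default suite.
LOCAL_POLICIES = """\
Protection suite priority 15
encryption algorithm: DES - Data Encryption Standard (56 bit keys)
hash algorithm: Message Digest 5
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman Group: #2 (1024 bit)
lifetime: 5000 seconds, no volume limit
Protection suite priority 20
encryption algorithm: DES - Data Encryption Standard (56 bit keys)
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman Group: #1 (768 bit)
lifetime: 10000 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys)
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman Group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
"""

# Constructed listing for a remote peer that prefers AES/SHA/group 2 but keeps
# a DES fallback policy at a lower priority.
REMOTE_POLICIES = """\
Protection suite priority 10
encryption algorithm: AES - Advanced Encryption Standard (256 bit keys)
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman Group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Protection suite priority 30
encryption algorithm: DES - Data Encryption Standard (56 bit keys)
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman Group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
"""

HEADER_RE = re.compile(r"^(?:Protection suite priority (\d+)|Default protection suite)$")
FIELD_RE = re.compile(
    r"^(encryption algorithm|hash algorithm|authentication method|Diffie-Hellman Group|lifetime): (.*)$")

# User priorities run 1..10000 and the default suite always sorts last, so a
# value above 10000 (the example's own convention) stands in for "default".
DEFAULT_PRIORITY = 10001


def parse_policies(text):
    """Return the listing as a list of dicts sorted by priority (best first)."""
    policies = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            prio = int(m.group(1)) if m.group(1) else DEFAULT_PRIORITY
            policies.append({"priority": prio})
            continue
        m = FIELD_RE.match(line)
        if m and policies:
            policies[-1][m.group(1)] = m.group(2)
    return sorted(policies, key=lambda p: p["priority"])


def suite(p):
    """The attributes two policies must share to match (lifetime excluded)."""
    return (p["encryption algorithm"], p["hash algorithm"],
            p["authentication method"], p["Diffie-Hellman Group"])


def negotiate(remote, local):
    """(remote priority, local priority) of the policy a responder accepts.

    The search starts with the remote peer's highest-priority policy and stops
    at the first one for which the local peer has an identical suite; None if
    no common policy exists.
    """
    local_suites = {}
    for lp in sorted(local, key=lambda p: p["priority"]):
        local_suites.setdefault(suite(lp), lp)
    for rp in sorted(remote, key=lambda p: p["priority"]):
        if suite(rp) in local_suites:
            return rp["priority"], local_suites[suite(rp)]["priority"]
    return None


# Value prefixes that identify DES, MD5 and 768-bit Diffie-Hellman.
WEAK = {"encryption algorithm": "DES -", "hash algorithm": "Message Digest 5",
        "Diffie-Hellman Group": "#1 "}


def weak_policies(policies):
    """Priorities of policies that use any of the weak parameters above."""
    return [p["priority"] for p in policies
            if any(p[f].startswith(prefix) for f, prefix in WEAK.items())]


if __name__ == "__main__":
    local, remote = parse_policies(LOCAL_POLICIES), parse_policies(REMOTE_POLICIES)
    print(negotiate(remote, local))   # (30, 20): the DES fallback is chosen
    print(weak_policies(local))       # every local suite, including the default
```

Running the parser over the listings from both ends of a tunnel shows which suite the peers will actually settle on; anything reported by weak_policies should be replaced, on both routers, before it is the only suite the peers have in common.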
Related Commands
crypto isakmp policy-set
To define a policy set for an ISAKMP protection suite, use the crypto isakmp policy-set command in global configuration mode. To cancel a previously configured policy set, use the no variant to the command.
crypto isakmp policy-set policy-name
no crypto isakmp policy-set policy-name
Syntax Description
Defaults
No default behaviors or values
Command Modes
Global configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Use of this command takes you to ISAKMP policy set configuration mode.
Task ID
Examples
The following example shows how to define an ISAKMP policy set; a policy set matched on the local address can be used to restrict remote-access users from negotiating certain ISAKMP policies:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# crypto isakmp policy-set mypolicy
RP/0/RSP0/CPU0:router(config-isakmp-pol-set)#
Related Commands
crypto isakmp profile
To define an ISAKMP profile and audit IPSec user sessions, use the crypto isakmp profile command in global configuration mode. To delete a crypto ISAKMP profile, use the no form of this command.
crypto isakmp profile local profile-name
no crypto isakmp profile local profile-name
Syntax Description
Defaults
No default behaviors or values
Command Modes
Global configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
The peers are mapped to an ISAKMP profile when their identities are matched (as given in the identification [ID] payload of the Internet Key Exchange [IKE]) against the identities defined in the ISAKMP profile. To uniquely map to an ISAKMP profile, no two ISAKMP profiles should match the same identity. If the peer identity is matched in two ISAKMP profiles, the configuration is invalid. At least one match identity command must also be defined in the ISAKMP profile for the profile to be complete.
Before you configure an ISAKMP profile, the key rings that are used for the profile should be configured.
Task ID
Examples
The following example shows how to define an ISAKMP profile and match the peer identities:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# crypto isakmp profile local profile1
RP/0/RSP0/CPU0:router(config-isa-prof)# match identity address 10.1.1.0/24
RP/0/RSP0/CPU0:router(config-isa-prof-match)# set interface tunnel-ipsec 1
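The uniqueness rule from the usage guidelines (no two profiles may match the same identity), checked mechanically; this is an added example and not part of the Cisco documentation. It parses profile definitions in the form shown above, reports every pair of profiles whose match identity address ranges overlap, and lists which profiles would claim a given peer address. The configuration is constructed, and only address matches are examined; hostname and other identity forms are outside the scope of the example.

```python
import ipaddress
import re

# Constructed ISAKMP profile configuration using the "crypto isakmp profile
# local" and "match identity address" forms shown in this section. The
# "branch" and "partner" profiles deliberately overlap.
PROFILES_CFG = """\
crypto isakmp profile local branch
 match identity address 10.1.1.0/24
 match identity address 10.1.2.0/24
crypto isakmp profile local partner
 match identity address 10.1.1.128/25
crypto isakmp profile local dc
 match identity address 192.168.0.0/16
"""

PROFILE_RE = re.compile(r"^\s*crypto isakmp profile local (\S+)\s*$")
MATCH_RE = re.compile(r"^\s*match identity address (\S+)\s*$")


def parse_profiles(cfg):
    """Return {profile name: [ip_network, ...]} from a config excerpt.

    Only address matches are handled; other match identity forms are ignored.
    """
    profiles = {}
    current = None
    for line in cfg.splitlines():
        m = PROFILE_RE.match(line)
        if m:
            current = m.group(1)
            profiles.setdefault(current, [])
            continue
        m = MATCH_RE.match(line)
        if m and current is not None:
            # strict=False tolerates host bits set in the prefix
            profiles[current].append(ipaddress.ip_network(m.group(1), strict=False))
    return profiles


def conflicting_profiles(profiles):
    """Pairs of profiles that could both match the same peer identity.

    Returns sorted (profile_a, profile_b, net_a, net_b) tuples for every pair
    of address ranges in different profiles that overlap. A peer whose
    identity falls in the overlap cannot be mapped to a single profile, which
    the usage guidelines describe as an invalid configuration.
    """
    conflicts = []
    names = sorted(profiles)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for na in profiles[a]:
                for nb in profiles[b]:
                    if na.overlaps(nb):
                        conflicts.append((a, b, str(na), str(nb)))
    return conflicts


def profiles_for_peer(profiles, peer_ip):
    """Names of every profile whose address match covers peer_ip.

    A correct configuration yields at most one name here.
    """
    addr = ipaddress.ip_address(peer_ip)
    return sorted(name for name, nets in profiles.items()
                  if any(addr in net for net in nets))


if __name__ == "__main__":
    profiles = parse_profiles(PROFILES_CFG)
    print(conflicting_profiles(profiles))
    print(profiles_for_peer(profiles, "10.1.1.200"))  # two profiles: invalid
    print(profiles_for_peer(profiles, "10.1.2.5"))    # one profile: fine
```

Run it over the running configuration before committing a new profile; an overlap reported here is the same ambiguity the router will reject or resolve unpredictably when a peer in the shared range connects.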
Related Commands
crypto keyring
To define a crypto keyring during IKE authentication, use the crypto keyring command in global configuration mode. To remove the keyring, use the no form of this command.
crypto keyring keyring-name [vrf fvrf-name]
no crypto keyring keyring-name [vrf fvrf-name]
Syntax Description
Defaults
If the vrf keyword is not defined, the keyring is referenced to the global VRF.
Command Modes
Global configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
A keyring is a repository of preshared and RSA public keys. The keyring is defined in global configuration mode. An ISAKMP profile can successfully authenticate a peer only if that peer's key is defined in a keyring attached to the profile.
Use the crypto keyring command to enter keyring configuration mode.
Task ID
Examples
The following example shows how to use the crypto keyring command:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# crypto keyring vpnkey
RP/0/RSP0/CPU0:router(config-keyring)# pre-shared-key address 10.72.23.11 key vpnsecret
Related Commands
crypto logging
To log a message when a crypto tunnel comes up or goes down, use the crypto logging command in global configuration mode. To disable this option, use the no form of this command.
crypto logging {tunnel-status}
no crypto logging {tunnel-status}
Syntax Description
Defaults
The default is disabled.
Command Modes
Global configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Task ID
Examples
The following example shows how to use the crypto logging command:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# crypto logging tunnel-status
description (IKE policy)
To create a description for an Internet Key Exchange (IKE) policy, use the description command in ISAKMP policy configuration mode. To delete an IKE policy description, use the no form of this command.
description string
no description
Syntax Description
Defaults
The default description is blank.
Command Modes
ISAKMP policy configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Use the description command inside the ISAKMP policy configuration submode to create a description for an IKE policy.
Task ID
Examples
The following example shows the creation of an IKE policy description:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# crypto isakmp policy 15
RP/0/RSP0/CPU0:router(config-isakmp)# description this is a sample IKE policy
description (ISAKMP policy-set)
To create a description for an ISAKMP policy set, use the description command in ISAKMP policy-set configuration mode. To delete an ISAKMP policy-set description, use the no form of this command.
description string
no description
Syntax Description
Defaults
The default description is blank
Command Modes
ISAKMP policy-set configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Use the description command inside the ISAKMP policy-set configuration submode to create a description for an IKE policy set.
Task ID
Examples
The following example shows the creation of an ISAKMP policy-set description:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# crypto isakmp policy-set pol1
RP/0/RSP0/CPU0:router(config-isakmp-pol-set)# description this is a sample IKE policy-set
Related Commands
description (ISAKMP peer)
To add the description of an Internet Key Exchange (IKE) peer, use the description command in ISAKMP peer configuration mode. To delete the description, use the no form of this command.
description string
no description string
Syntax Description
Defaults
No default behavior or values
Command Modes
ISAKMP peer configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
IKE peers that "sit" behind a Network Address Translation (NAT) device cannot be uniquely identified; therefore, they have to share the same peer description.
Task ID
Examples
The following example shows that the description "connection from site A" is added for an IKE peer:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# crypto isakmp peer address 10.2.2.9
RP/0/RSP0/CPU0:router(config-isakmp-peer)# description connection from site A
Related Commands
Command Description
Deletes crypto sessions IPSec and IKE SAs for an ISAKMP group and user.
Enables an IP Security (IPSec) peer for Internet Key Exchange (IKE).
Displays peer structures.
description (keyring)
To create a one-line description for a keyring, use the description command in keyring configuration mode. To delete a keyring description, use the no form of this command.
description string
no description
Syntax Description
Defaults
The default description is blank.
Command Modes
Keyring configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Use the description command inside the ISAKMP policy configuration submode to create a description for a keyring.
Task ID
Examples
The following example shows the creation of a keyring description:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# crypto keyring vpnkey
RP/0/RSP0/CPU0:router(config-keyring)# description this is a sample keyring
Related Commands
encryption (IKE policy)
To specify the encryption algorithm within an Internet Key Exchange (IKE) policy, use the encryption command in ISAKMP policy configuration mode. To reset the encryption algorithm to the default value, use the no form of this command.
encryption {des | 3des | aes | aes 192 | aes 256}
no encryption
Syntax Description
Defaults
The 56-bit DES-CBC encryption algorithm (des).
Command Modes
ISAKMP policy configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
IKE policies define a set of parameters during IKE negotiation. Use the encryption command to specify the encryption algorithm in an IKE policy.
Task ID
Examples
The following example shows how to configure an IKE policy with the 3DES encryption algorithm (and with all other parameters set to the defaults):
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# crypto isakmp policy 15
RP/0/RSP0/CPU0:router(config-isakmp)# encryption 3des
Related Commands
group (IKE policy)
To specify the Diffie-Hellman group identifier within an Internet Key Exchange (IKE) policy, use the group command in ISAKMP policy configuration mode. To reset the Diffie-Hellman group identifier to the default value, use the no form of this command.
group {1 | 2 | 5}
no group
Syntax Description
1
Specifies the 768-bit Diffie-Hellman group. This option is the default.
2
Specifies the 1024-bit Diffie-Hellman group.
5
Specifies the 1536-bit Diffie-Hellman group.
Defaults
768-bit Diffie-Hellman (group 1)
Command Modes
ISAKMP policy configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
IKE policies define a set of parameters during IKE negotiation. Use this command to specify the Diffie-Hellman group in an IKE policy.
Task ID
Examples
The following example shows how to configure an IKE policy with the 1024-bit Diffie-Hellman group (all other parameters are set to the defaults):
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# crypto isakmp policy 15
RP/0/RSP0/CPU0:router(config-isakmp)# group 2
Related Commands
hash (IKE policy)
To specify the hash algorithm within an Internet Key Exchange (IKE) policy, use the hash command in ISAKMP policy configuration mode. To reset the hash algorithm to the default SHA-1 hash algorithm, use the no form of this command.
hash {sha | md5}
no hash
Syntax Description
sha
Specifies SHA-1 (Hashed Message Authentication Code [HMAC]) as the hash algorithm. This option is the default.
md5
Specifies Message Digest 5 (MD5) (HMAC variant) as the hash algorithm.
Defaults
SHA-1 hash algorithm
Command Modes
ISAKMP policy configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Use the hash command to specify the hash algorithm in an IKE policy. IKE policies define a set of parameters during IKE negotiation.
Task ID
Examples
The following example shows how to configure an IKE policy with the MD5 hash algorithm (all other parameters are set to the defaults):
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# crypto isakmp policy 15
RP/0/RSP0/CPU0:router(config-isakmp)# hash md5
Related Commands
keepalive (ISAKMP profile)
To let the gateway send dead peer detection (DPD) messages to the Cisco IOS XR peer, use the keepalive command in ISAKMP profile configuration mode. To return to the default, use the no form of this command.
keepalive disable
no keepalive
Syntax Description
Defaults
Keepalive is enabled.
Command Modes
ISAKMP profile configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Task ID
Examples
The following example shows how to use the keepalive command:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# crypto isakmp profile vpnprofile
RP/0/RSP0/CPU0:router(config-isa-prof)# keepalive disable
Related Commands
keyring
To configure a keyring with an ISAKMP profile, use the keyring command in ISAKMP profile configuration mode. To remove the keyring from the ISAKMP profile, use the no form of this command.
keyring kr-name1 [kr-name2 [kr-name3 [kr-name4 [kr-name5 [kr-name6]]]]]
no keyring kr-name1 [kr-name2 [kr-name3 [kr-name4 [kr-name5 [kr-name6]]]]]
Syntax Description
Defaults
No default behavior or values
Command Modes
ISAKMP profile configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
The ISAKMP profile successfully completes authentication of peers if the peer keys are defined in the keyring that is attached to this profile. You must define at least one keyring.
An ISAKMP profile can define one or more keyrings. For example, multiple keyrings are useful when some IKE peer endpoints are reached through the public address space while others are reached through a front door virtual routing and forwarding (FVRF) instance that serves as the IKE local endpoint.
Task ID
Examples
The following example shows how to configure vpnkeyring as the keyring name:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# crypto isakmp profile vpnprofile
RP/0/RSP0/CPU0:router(config-isa-prof)# keyring vpnkeyring
Related Commands
Command Description
Defines an ISAKMP profile and audits IPSec user sessions.
Defines a crypto keyring during IKE authentication.
Lists all the ISAKMP profiles that are defined on a router.
key-string (IKE)
To manually specify the Rivest, Shamir, and Adelman (RSA) public key of a remote peer, use the key-string command in public key configuration mode.
key-string key-string
Syntax Description
Defaults
No default behavior or values
Command Modes
Public key configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Use the key-string command to manually specify the RSA public key of an IP Security (IPSec) peer. Before using this command, you must identify the remote peer.
To avoid mistakes, you should cut and paste the key data (instead of attempting to type in the data).
When you finish specifying the RSA key, you must return to global configuration mode by entering quit on a new line.
Task ID
Examples
The following example shows how to manually specify the RSA public keys of an IPSec peer:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# crypto keyring vpnkeyring
RP/0/RSP0/CPU0:router(config-keyring)# rsa-pubkey address 10.5.5.1
RP/0/RSP0/CPU0:router(config-pubkey)# key-string 005C300D 06092A86 4886F70D 01010105 00034B00 30480241 00C5E23B 55D6AB22 04AEF1BA A54028A6 9ACC01C5 129D99E4 64CAB820 847EDAD9 DF0B4E4C 73A05DD2 BD62A8A9 FA603DD2 E2A8A6F8 98F76E28 D58AD221 B583D7A4 71020301 0001
RP/0/RSP0/CPU0:router(config-pubkey)# quit
Related Commands
Command Description
Defines the Rivest, Shamir, and Adelman (RSA) public key by address or hostname.
Displays peer RSA public keys stored on your router.
lifetime (IKE policy)
To specify the lifetime of an Internet Key Exchange (IKE) security association (SA), use the lifetime command in ISAKMP policy configuration mode. To reset the SA lifetime to the default value, use the no form of this command.
lifetime seconds
no lifetime
Syntax Description
seconds
Length of time (in seconds) that each SA should exist before expiring. Use an integer from 60 to 86400 seconds.
Defaults
seconds: 86400 seconds (1 day)
Command Modes
ISAKMP policy configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Use the lifetime command to specify how long an IKE SA exists before expiring.
When IKE begins negotiations, it first agrees upon the security parameters for its own session. The agreed-upon parameters are then referenced by an SA at each peer. The SA is retained by each peer until the lifetime of the SA expires. Before an SA expires, it can be reused by subsequent IKE negotiations, which can save time when new IP Security (IPSec) SAs are set up.
To save setup time for IPSec, configure a longer IKE SA lifetime. However, shorter lifetimes limit the exposure to attackers of this SA. The longer an SA is used, the more encrypted traffic can be gathered by an attacker and possibly used in an attack.
Note
When your local peer initiates an IKE negotiation between itself and a remote peer, if the lifetimes are not equal, an IKE policy with the shorter lifetime is selected.
Task ID
Examples
The following example shows how to configure an IKE policy with an SA lifetime of 600 seconds (all other parameters are set to the defaults):
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# crypto isakmp policy 15
RP/0/RSP0/CPU0:router(config-isakmp)# lifetime 600
Related Commands
local-address (keyring)
To limit the scope of an ISAKMP keyring configuration to a local termination address, use the local-address command in keyring configuration mode. To disable the feature, use the no form of this command.
local-address ip-address
no local-address ip-address
Syntax Description
Defaults
If the local-address command is not configured, the ISAKMP keyring is available to all local addresses.
Command Modes
Keyring configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Task ID
Examples
The following example shows that the scope of the ISAKMP keyring is limited only to IP address 130.40.1.1:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# crypto keyring vpnkeyring
RP/0/RSP0/CPU0:router(config-keyring)# local-address 130.40.1.1
RP/0/RSP0/CPU0:router(config-keyring)# pre-shared-key address 0.0.0.0 0.0.0.0 key mykey
Related Commands
Command Description
Specifies the identity used by the router when participating in the Internet Key Exchange (IKE) protocol.
Defines a crypto keyring during IKE authentication.
match identity (ISAKMP profile)
To match the identity of a peer in an ISAKMP profile, use the match identity command in ISAKMP profile configuration mode. To remove the identity, use the no form of this command.
match identity {group group-name | address address [mask] vrf [fvrf] | host hostname | host domain domain-name | user username | user domain domain-name}
no match identity {group group-name | address address [mask] vrf [fvrf] | host hostname | host domain domain-name | user username | user domain domain-name}
Syntax Description
Defaults
No default behavior or values
Command Modes
ISAKMP profile configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
An ISAKMP profile configuration must have at least one match identity command. The peers are mapped to an ISAKMP profile when their identities are matched (as given in the ID payload of the IKE exchange) against the identities that are defined in the ISAKMP profile. To uniquely map to an ISAKMP profile, no two ISAKMP profiles should match the same identity. If the peer identity is matched in two ISAKMP profiles, the configuration is invalid.
Task ID
Examples
The following example shows how to configure the group as vpngroup for the match identity command:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# crypto isakmp profile local tunnel_ipsec
RP/0/RSP0/CPU0:router(config-isa-prof)# match identity address 10.1.1.6/32 vrf default
RP/0/RSP0/CPU0:router(config-isa-prof-match)# set interface tunnel-ipsec 3001
Related Commands
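The usage guidelines above state two rules that are easy to break in a large configuration: every ISAKMP profile needs at least one match identity statement, and no identity may be matched by more than one profile. The following script is an added example, not Cisco code; it parses a constructed running-config excerpt written in the syntax shown on this page and reports both kinds of violation. It canonicalizes address identities with Python's ipaddress module so that a prefix written as 10.1.1.6/32 and one written as 10.1.1.6 255.255.255.255 are recognized as the same identity; that normalization and the profile names in the sample are this example's assumptions.

```python
"""Audit ISAKMP profiles for missing or duplicated match identity statements."""
import ipaddress
from typing import Dict, List

# Constructed sample running-config excerpt (not from a real router).
# It uses the profile syntax shown on this page; profile names are invented.
SAMPLE_CONFIG = """\
crypto isakmp profile local tunnel_ipsec
 match identity address 10.1.1.6/32 vrf default
  set interface tunnel-ipsec 3001
!
crypto isakmp profile vpnprofile
 match identity group vpngroup
  set ipsec-profile myprofile
!
crypto isakmp profile branch-b
 match identity address 10.1.1.6 255.255.255.255 vrf default
!
crypto isakmp profile empty-profile
!
"""


def _normalize_identity(tokens: List[str]) -> str:
    """Return a canonical string for the tokens after 'match identity'.

    Address identities are rewritten as 'address <prefix> vrf <name>' so that
    mask and prefix-length spellings compare equal; other identity kinds
    (group, host, user, ...) are kept verbatim.
    """
    if tokens and tokens[0] == "address":
        rest = tokens[1:]
        vrf = "default"
        if "vrf" in rest:
            i = rest.index("vrf")
            vrf = rest[i + 1] if i + 1 < len(rest) else "default"
            rest = rest[:i]
        if not rest:
            return " ".join(tokens)
        addr = rest[0] if len(rest) == 1 else f"{rest[0]}/{rest[1]}"
        net = ipaddress.ip_network(addr, strict=False)
        return f"address {net.with_prefixlen} vrf {vrf}"
    return " ".join(tokens)


def parse_isakmp_profiles(config: str) -> Dict[str, List[str]]:
    """Map each ISAKMP profile name to its list of normalized identities."""
    profiles: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("crypto isakmp profile"):
            current = line.split()[-1]          # name is the last token
            profiles[current] = []
        elif line.startswith("match identity") and current is not None:
            profiles[current].append(_normalize_identity(line.split()[2:]))
        elif line == "!":
            current = None                      # end of the profile block
    return profiles


def audit_match_identities(config: str) -> List[str]:
    """Return human-readable findings for the two rules in the usage guidelines."""
    findings: List[str] = []
    owners: Dict[str, List[str]] = {}
    for name, identities in parse_isakmp_profiles(config).items():
        if not identities:
            findings.append(f"profile {name}: no match identity configured")
        for ident in identities:
            owners.setdefault(ident, []).append(name)
    for ident, names in owners.items():
        if len(names) > 1:
            findings.append(
                f"identity '{ident}' is matched by more than one profile: "
                + ", ".join(names))
    return findings


if __name__ == "__main__":
    for finding in audit_match_identities(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the script reports that empty-profile has no match identity and that tunnel_ipsec and branch-b both claim 10.1.1.6/32 in VRF default, which the guidelines describe as an invalid configuration. Feed it the output of the router's running configuration to check a real deployment.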
match identity (ISAKMP policy-set)
To create an SVI tunnel source, use the match identity command in ISAKMP policy-set configuration mode. To remove the identity, use the no form of this command.
match identity {local-address IP-address }
no match identity {local-address IP-address}
Syntax Description
local-address
This creates the SVI tunnel source for a remote peer.
IP-address
IP prefix for the SVI tunnel source.
Defaults
No default behavior or values
Command Modes
ISAKMP policy-set configuration mode
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
An ISAKMP profile configuration must have at least one match identity command. The peers are mapped to an ISAKMP profile when their identities are matched (as given in the ID payload of the IKE exchange) against the identities that are defined in the ISAKMP profile. To uniquely map to an ISAKMP profile, no two ISAKMP profiles should match the same identity. If the peer identity is matched in two ISAKMP profiles, the configuration is invalid.
The IP address identified in this command requires a particular preconfigured encryption algorithm and it should be the only one operational.
Task ID
Examples
The following example shows how to configure the match identity (ISAKMP policy-set) command:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# crypto isakmp policy-set p1
RP/0/RSP0/CPU0:router(config-isakmp-pol-set)# policy pol2
Related Commands
Command Description
Defines a policy set for an ISAKMP protection suite.
Creates a description for an ISAKMP policy set.
Specifies the routing priority of a preconfigured policy.
policy (ISAKMP policy-set)
To specify the routing priority of a preconfigured policy, use the policy command within the ISAKMP policy-set submode. To cancel the priority, use the no variant of this command.
policy policy-number
no policy
Syntax Description
Defaults
No default behavior or values
Command Modes
ISAKMP policy-set configuration mode
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Task ID
Examples
The following example shows how to configure a routing policy priority:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# crypto isakmp policy-set p1
RP/0/RSP0/CPU0:router(config-isakmp-pol-set)# policy pol2
Related Commands
Command Description
Defines an ISAKMP policy set.
Defines a policy set for an ISAKMP protection suite.
Creates an SVI tunnel source.
pre-shared-key
To define a preshared key for IKE authentication, use the pre-shared-key command in keyring configuration mode. To disable, use the no form of this command.
pre-shared-key {address address [mask] | hostname hostname} key key
no pre-shared-key {address address [mask] | hostname hostname} key key
Syntax Description
Defaults
No default behaviors or values
Command Modes
Keyring configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Task ID
Examples
The following example shows how to configure a preshared key using an IP address and hostname:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# crypto keyring vpnkeyring
RP/0/RSP0/CPU0:router(config-keyring)# pre-shared-key address 10.72.23.11 key vpnkey
RP/0/RSP0/CPU0:router(config-keyring)# pre-shared-key hostname www.vpn.com key vpnkey
Related Commands
Command Description
Specifies the identity used by the router when participating in the Internet Key Exchange (IKE) protocol.
Defines a crypto keyring during IKE authentication.
rsa-pubkey
To define the Rivest, Shamir, and Adelman (RSA) manual key to be used for encryption or signature during IKE authentication, use the rsa-pubkey command in keyring configuration mode. To disable the feature, use the no form of this command.
rsa-pubkey {address address | name fqdn} [encryption | signature]
no rsa-pubkey {address address | name fqdn} [encryption | signature]
Syntax Description
Defaults
The key is used for the signature.
Command Modes
Keyring configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Use the rsa-pubkey command to enter public key configuration mode. Use this command when you need to manually specify RSA public keys of other IP Security (IPSec) peers. You need to specify the keys of other peers when you configure RSA encrypted nonces as the authentication method in an IKE policy at your peer router.
When you finish specifying the RSA key, you must return to global configuration mode by entering quit on a new line.
Task ID
Examples
The following example shows that the RSA manual key of an IPSec peer has been specified:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# crypto keyring vpnkeyring
RP/0/RSP0/CPU0:router(config-keyring)# rsa-pubkey name host.vpn.com
RP/0/RSP0/CPU0:router(config-pubkey)# key-string 005C300D 06092A86 4886F70D 01010105 005C300D 06092A86 4886F70D 01010105 00034B00 30480241 00C5E23B 55D6AB22 04AEF1BA A54028A6 9ACC01C5 129D99E4 64CAB820 847EDAD9 DF0B4E4C 73A05DD2 BD62A8A9 FA603DD2 E2A8A6F8 98F76E28 D58AD221 B583D7A4 71020301 0001
RP/0/RSP0/CPU0:router(config-pubkey)# quit
Related Commands
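The key-string and rsa-pubkey sections above both ask the operator to paste a remote peer's RSA public key as hex octets, and warn that typing it by hand invites mistakes. A pasted key that is truncated, mis-grouped, or simply too small is only discovered when IKE authentication fails, so it pays to check the blob before committing it. The following script is an added example, not Cisco code: it parses the octets as a DER-encoded SubjectPublicKeyInfo (the format of an RSA public key as carried in X.509 certificates), reports the modulus size and public exponent, and classifies the key as ok, weak or invalid. The sample key reuses the octets from the key-string example on this page with the first octet set to 0x30, the DER SEQUENCE tag that every SubjectPublicKeyInfo begins with; that substitution, and the 2048-bit minimum, are this example's assumptions.

```python
"""Check an RSA public key blob before pasting it into key-string."""
from typing import Dict, Tuple

# DER contents of OBJECT IDENTIFIER 1.2.840.113549.1.1.1 (rsaEncryption).
RSA_ENCRYPTION_OID = bytes.fromhex("2A864886F70D010101")

# Constructed sample: the octets of this page's key-string example, with the
# first octet set to 0x30 (DER SEQUENCE tag) so the blob is a complete
# SubjectPublicKeyInfo. That first octet is this example's assumption.
SAMPLE_KEY_STRING = (
    "305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00C5E23B 55D6AB22 "
    "04AEF1BA A54028A6 9ACC01C5 129D99E4 64CAB820 847EDAD9 DF0B4E4C 73A05DD2 "
    "BD62A8A9 FA603DD2 E2A8A6F8 98F76E28 D58AD221 B583D7A4 71020301 0001"
)


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after the element) for the DER TLV at pos.

    Handles definite short-form and long-form lengths of up to 4 octets,
    which covers any RSA SubjectPublicKeyInfo.
    """
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length exceeds the supplied key data")
    return tag, buf[pos:end], end


def parse_rsa_key_string(hex_text: str) -> Dict[str, int]:
    """Decode key-string hex octets (whitespace ignored) into modulus size and exponent.

    The blob must be a DER SubjectPublicKeyInfo wrapping a PKCS#1 RSAPublicKey;
    anything else raises ValueError naming the first structural problem.
    """
    der = bytes.fromhex("".join(hex_text.split()))
    tag, spki, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("outer element is not a SEQUENCE covering the whole blob")
    tag, alg, pos = _read_tlv(spki, 0)           # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier SEQUENCE missing")
    oid_tag, oid, _ = _read_tlv(alg, 0)
    if oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("algorithm is not rsaEncryption")
    tag, bitstr, _ = _read_tlv(spki, pos)        # subjectPublicKey BIT STRING
    if tag != 0x03 or not bitstr or bitstr[0] != 0x00:
        raise ValueError("subjectPublicKey is not a byte-aligned BIT STRING")
    tag, rsapub, _ = _read_tlv(bitstr[1:], 0)    # RSAPublicKey ::= SEQUENCE { n, e }
    if tag != 0x30:
        raise ValueError("RSAPublicKey is not a SEQUENCE")
    n_tag, n_bytes, pos = _read_tlv(rsapub, 0)
    e_tag, e_bytes, _ = _read_tlv(rsapub, pos)
    if n_tag != 0x02 or e_tag != 0x02:
        raise ValueError("modulus and exponent must be INTEGERs")
    n = int.from_bytes(n_bytes, "big")
    e = int.from_bytes(e_bytes, "big")
    return {"modulus_bits": n.bit_length(), "exponent": e}


def assess_key_string(hex_text: str, min_modulus_bits: int = 2048) -> str:
    """Classify a pasted key-string as 'ok', 'weak: ...' or 'invalid: ...'."""
    try:
        info = parse_rsa_key_string(hex_text)
    except ValueError as exc:
        return f"invalid: {exc}"
    if info["modulus_bits"] < min_modulus_bits:
        return f"weak: {info['modulus_bits']}-bit modulus (below {min_modulus_bits})"
    if info["exponent"] < 3 or info["exponent"] % 2 == 0:
        return f"weak: public exponent {info['exponent']}"
    return "ok"


if __name__ == "__main__":
    print(parse_rsa_key_string(SAMPLE_KEY_STRING))
    print(assess_key_string(SAMPLE_KEY_STRING))
```

For the sample the parser reports a 512-bit modulus with exponent 65537, which the assessment flags as weak against a 2048-bit floor; dropping the final group of octets or changing the leading tag makes it report the blob as invalid instead, which is the error you want to see before the key reaches the router rather than as an authentication failure later.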
self-identity
To define the identity that the local IKE uses to identify itself to the remote peer, use the self-identity command in ISAKMP profile configuration mode. To remove the ISAKMP identity that was defined for the IKE, use the no form of this command.
self-identity {address | fqdn | user-fqdn user-fqdn}
no self-identity {address | fqdn | user-fqdn user-fqdn}
Syntax Description
Defaults
If no ISAKMP identity is defined in the ISAKMP profile configuration, global configuration is the default.
Command Modes
ISAKMP profile configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
If the self-identity command is not defined, IKE uses the globally configured value.
Task ID
Examples
The following example shows that the IKE identity is the user FQDN "user@vpn.com":
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# crypto isakmp profile vpnprofile
RP/0/RSP0/CPU0:router(config-isa-prof)# self-identity user-fqdn user@vpn.com
Related Commands
set interface tunnel-ipsec
To predefine the interface instance when IKE negotiates for tunnel mode IPSec service associations (SAs) for the traffic that is locally sourced or terminated, use the set interface tunnel-ipsec command in ISAKMP profile match configuration mode. To disable the feature, use the no form of this command.
set interface tunnel-ipsec intf-index
no set interface tunnel-ipsec intf-index
Syntax Description
Defaults
No default behavior or values
Command Modes
ISAKMP profile match configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
The interface must be predefined by using the set interface command. Otherwise, the IKE SA cannot be established.
When the local endpoint is the IKE responder, the predefined interface is found according to the peer's identity. When the local endpoint is the IKE initiator, the predefined interface is used to find the appropriate ISAKMP profile to be used. Thus, a virtual interface cannot be predefined in more than one ISAKMP profile.
Task ID
Examples
The following example shows how to predefine the interface instance:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# crypto isakmp profile local vpnprofile
RP/0/RSP0/CPU0:router(config-isa-prof)# match identity group vpngroup
RP/0/RSP0/CPU0:router(config-isa-prof-match)# set interface tunnel-ipsec 50
Related Commands
Command Description
Defines an ISAKMP profile and audits IPSec user sessions.
Predefines an IPSec profile instance.
set ipsec-profile
To predefine the IPSec profile instance when IKE negotiates for transport mode IPSec service associations (SAs) for the traffic that is locally sourced or terminated, use the set ipsec-profile command in ISAKMP profile match configuration mode. To disable the feature, use the no form of this command.
set ipsec-profile profile-name
no set ipsec-profile profile-name
Syntax Description
Defaults
No default behavior or values
Command Modes
ISAKMP profile match configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
The IPSec profile must be predefined by using the set ipsec-profile or the set interface tunnel-ipsec command when transport mode IPSec SAs are negotiated. Otherwise, the IKE SA cannot be established.
When the local endpoint is the IKE responder, the predefined interface is found according to the peer's identity. When the local endpoint is the IKE initiator, the predefined interface is used to find the appropriate ISAKMP profile to be used. Therefore, a virtual interface cannot be predefined in more than one ISAKMP profile.
The profile for the identity is determined based on the selected virtual interface, which can only be tunnel-ipsec.
When the local endpoint is the IKE initiator, the profile or interface configured is used to select the correct ISAKMP profile.
Task ID
Examples
The following example shows how to predefine the IPSec profile instance:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# crypto isakmp profile local vpnprofile
RP/0/RSP0/CPU0:router(config-isa-prof)# match identity group vpngroup
RP/0/RSP0/CPU0:router(config-isa-prof-match)# set ipsec-profile myprofile
Related Commands
Command Description
Defines an ISAKMP profile and audits IPSec user sessions.
Predefines the interface instance.
show crypto isakmp call admission statistics
To monitor the Call Admission Control (CAC) statistics of the IKE protocol, use the show crypto isakmp call admission statistics command in EXEC mode.
show crypto isakmp call admission statistics
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
EXEC
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Task ID
Examples
The following example shows sample output from the show crypto isakmp call admission statistics command:
RP/0/RSP0/CPU0:router# show crypto isakmp call admission statistics
---------------------------------------------------------------------
Crypto Call Admission Control Statistics
---------------------------------------------------------------------
IKE Active SA Limit: 1, IKE In-Negotiation SA limit: 2
Total CPU usage limit: 100, IKE CPU usage limit: 100
Total IKE SA Count: 0, active: 0, negotiating: 0
Incoming IKE Calls: 24 , accepted 24 , rejected 0
Outgoing IKE Calls: 16 , accepted 6 , rejected 10
Total Calls: 40
Rejected IKE Calls: 10, resources low 0, limit exceeded 10
Table 9 describes the significant fields shown in the display.
Related Commands
show crypto isakmp errors
To display the Internet Security Association and Key Management Protocol (ISAKMP) error that occurred during tunnel establishment, use the show crypto isakmp errors command in EXEC mode.
show crypto isakmp errors
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
EXEC
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Task ID
Examples
The following sample output is from the show crypto isakmp errors command:
RP/0/RSP0/CPU0:router# show crypto isakmp errors
Control Plane Errors
---------------------
ERR NO MEMORY.....................................0
INVALID CERT......................................0
CRYPTO FAILURE....................................0
SA NOT AUTH.......................................0
AUTHENTICATION FAILED.............................0
GROUP AUTHOR FAILED...............................0
USER AUTHEN REJECTED..............................0
LOCAL ADDRESS FAILURE.............................0
FAILED TO CREATE SKEYID...........................0
RSA PUBLIC KEY NOT FOUND..........................0
RETRANSMITION LIMIT...............................0
MALFORMED MESSAGE.................................0
QUICK MODE TIMER EXPIRED..........................0
KEY NOT FOUND IN PROFILE..........................0
PROFILE NOT FOUND.................................0
PRESHARED KEY NOT FOUND...........................0
PHASE2 PROPOSAL NOT CHOSEN........................0
POLICY MISMATCH...................................0
NO POLICY FOUND...................................0
PACKET PROCESS FAILURE............................0
Warnings
---------
CERT DOESNT MATCH ID..............................0
CERT ISNT TRUSTED ROOT............................0
PACKET NOT ENCRYPTED..............................0
UNRELIABLE INFO MSG...............................0
NO SA.............................................0
BAD DOI SA........................................0
UNKNOWN EXCHANGE TYPE.............................0
OUTGOING PKT TOO BIG..............................0
INCOMING PKT TOO BIG..............................0
Informational
--------------
CAC DROPS.........................................0
DEFAULT POLICY ACCEPTED...........................0
Table 10 describes the significant fields shown in the display.
Related Commands
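The two displays above, show crypto isakmp call admission statistics and show crypto isakmp errors, are the counters an operator polls to tell a tunnel that is failing authentication from one that is being turned away by call admission control. The following script is an added example, not Cisco code: it parses both outputs into counter dictionaries and produces findings for CAC rejections, an exhausted active-SA limit, and any non-zero error, warning or informational counter. The CAC sample is the output shown on this page; the errors sample is a shortened copy of the page's format with a few non-zero values filled in so that the findings are visible, and the parsing rules (a comma-separated field with a colon starts a new counter, one without a colon is a sub-counter of the preceding field) are this example's reading of the display.

```python
"""Turn IKE CAC statistics and ISAKMP error counters into actionable findings."""
import re
from typing import Dict, List

# Constructed sample: the CAC output shown on this page, one field per line.
SAMPLE_CAC_OUTPUT = """\
---------------------------------------------------------------------
Crypto Call Admission Control Statistics
---------------------------------------------------------------------
IKE Active SA Limit: 1, IKE In-Negotiation SA limit: 2
Total CPU usage limit: 100, IKE CPU usage limit: 100
Total IKE SA Count: 0, active: 0, negotiating: 0
Incoming IKE Calls: 24 , accepted 24 , rejected 0
Outgoing IKE Calls: 16 , accepted 6 , rejected 10
Total Calls: 40
Rejected IKE Calls: 10, resources low 0, limit exceeded 10
"""

# Constructed sample in the format of show crypto isakmp errors; the
# non-zero values are invented for illustration.
SAMPLE_ERRORS_OUTPUT = """\
Control Plane Errors
---------------------
ERR NO MEMORY.....................................0
AUTHENTICATION FAILED.............................3
PRESHARED KEY NOT FOUND...........................1
Warnings
---------
CERT ISNT TRUSTED ROOT............................0
NO SA.............................................2
Informational
--------------
CAC DROPS........................................10
DEFAULT POLICY ACCEPTED...........................0
"""

# "<label>: <n>" or "<label> <n>" within one comma-separated field.
CAC_PAIR_RE = re.compile(r"([A-Za-z][A-Za-z \-]*?)\s*:?\s*(\d+)")
# "<UPPER CASE NAME>.....<n>" counter lines of show crypto isakmp errors.
ERR_LINE_RE = re.compile(r"^([A-Z][A-Z0-9 ]*?)\.{3,}(\d+)\s*$")


def parse_cac_statistics(text: str) -> Dict[str, int]:
    """Flatten the CAC display into {'Rejected IKE Calls limit exceeded': 10, ...}."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        head = None
        for part in (p.strip() for p in line.split(",")):
            m = CAC_PAIR_RE.fullmatch(part)
            if not m:
                continue                      # banners, dashes, empty fields
            label, value = m.group(1).strip(), int(m.group(2))
            if ":" in part or head is None:
                head = label                  # standalone counter
                counters[label] = value
            else:
                counters[f"{head} {label}"] = value   # sub-counter of the head
    return counters


def parse_isakmp_errors(text: str) -> Dict[str, Dict[str, int]]:
    """Group error counters by their section heading (Control Plane Errors, ...)."""
    sections: Dict[str, Dict[str, int]] = {}
    current = "unknown"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:
            continue
        m = ERR_LINE_RE.match(line)
        if m:
            sections.setdefault(current, {})[m.group(1).strip()] = int(m.group(2))
        else:
            current = line                    # any non-counter line is a heading
    return sections


def ike_health_findings(cac_text: str, err_text: str) -> List[str]:
    """Return findings worth a ticket: CAC rejections, SA limit reached, non-zero errors."""
    findings: List[str] = []
    cac = parse_cac_statistics(cac_text)
    rejected = cac.get("Rejected IKE Calls", 0)
    if rejected:
        findings.append(
            f"CAC rejected {rejected} IKE calls (limit exceeded "
            f"{cac.get('Rejected IKE Calls limit exceeded', 0)}, resources low "
            f"{cac.get('Rejected IKE Calls resources low', 0)})")
    limit = cac.get("IKE Active SA Limit", 0)
    if limit and cac.get("Total IKE SA Count", 0) >= limit:
        findings.append(f"IKE SA count {cac['Total IKE SA Count']} has reached the active SA limit {limit}")
    for section, counters in parse_isakmp_errors(err_text).items():
        for name, value in counters.items():
            if value:
                findings.append(f"{section}: {name} = {value}")
    return findings


if __name__ == "__main__":
    for finding in ike_health_findings(SAMPLE_CAC_OUTPUT, SAMPLE_ERRORS_OUTPUT):
        print(finding)
```

On the page's CAC sample the script reports ten rejected calls, all attributable to the configured limit rather than to low resources, which matches the active-SA limit of 1 shown in the same display; on the constructed errors sample it lists each non-zero counter with its section so that authentication failures and CAC drops are not mistaken for one another.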
show crypto isakmp key
To display the Internet Security Association and Key Management Protocol (ISAKMP) preshared keys for a router, use the show crypto isakmp key command in EXEC mode.
show crypto isakmp key
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
EXEC
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Task ID
Examples
The following example shows how to display the IP hostname and address preshared keys:
RP/0/RSP0/CPU0:router# show crypto isakmp key
Keyring Hostname/Address Preshared Key
K1 3.3.3.1 rd26
K2 5.5.5.5 ex22
K2 tzvi.cisco.com ppp
Table 11 describes the significant fields shown in the display.
Table 11 show crypto isakmp key Field Descriptions
Field Description
Hostname/Address
IP hostname or address of the router.
Preshared Key
ISAKMP preshared key for the router.
show crypto isakmp peers
To display peer structures, use the show crypto isakmp peers command in EXEC mode.
show crypto isakmp peers [ip-address | vrf vrf-name]
Syntax Description
ip-address
(Optional) IP address of the peer.
vrf vrf-name
(Optional) Specifies the front door VRF of the peer. The vrf-name argument is the name assigned to a VRF.
Defaults
No default behavior or values
Command Modes
EXEC
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Task ID
Examples
The following example shows sample output from the show crypto isakmp peers command:
RP/0/RSP0/CPU0:router# show crypto isakmp peers
Peer: 10.0.83.1 Port: 4500 Local: 30.0.0.4 vrf: default
UDP encapsulate: True
SA information:
Connection ID: 1
State: QM_IDLE
Phase 1 ID: DER_ASN1_DN srbu
Table 12 describes the significant fields shown in the display.
Table 12 show crypto isakmp peers Field Descriptions
Field Description
Connection ID
Internet Key Exchange (IKE) ID.
State
Output display for the various states. For a detailed description of each state, see Table 16.
Phase1 ID
Internet Key Exchange (IKE) ID.
Related Commands
Command Description
Enables an IP Security (IPSec) peer for Internet Key Exchange (IKE).
Adds the description of an Internet Key Exchange (IKE) peer.
show crypto isakmp policy
To display the parameters for each Internet Key Exchange (IKE) policy, use the show crypto isakmp policy command in EXEC mode.
show crypto isakmp policy
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
EXEC
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Task ID
Examples
The following sample output is from the show crypto isakmp policy command after two IKE policies have been configured (with priorities 15 and 20, respectively):
RP/0/RSP0/CPU0:router# show crypto isakmp policy
Protection suite priority 15
encryption algorithm: DES - Data Encryption Standard (56 bit keys)
hash algorithm: Message Digest 5
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman Group: #2 (1024 bit)
lifetime: 5000 seconds, no volume limit
Protection suite priority 20
encryption algorithm: DES - Data Encryption Standard (56 bit keys)
hash algorithm: Secure Hash Standard
authentication method: preshared Key
Diffie-Hellman Group: #1 (768 bit)
lifetime: 10000 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys)
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman Group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
Note
Although the output shows "no volume limit" for the lifetimes, you can currently configure only a time lifetime (such as 86,400 seconds); volume limit lifetimes are not used.
Table 13 describes the significant fields shown in the display.
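The sample policies above use single DES (56-bit keys), MD5 and Diffie-Hellman groups 1 and 2 (768- and 1024-bit), all of which are well below current recommendations, so the output of this command is worth auditing rather than just reading. The following Python is an added example, not Cisco code: it parses the show crypto isakmp policy output shown above (embedded here as a constructed sample) into one record per protection suite, including the default suite, and reports the weak settings in each. The minimum DH group (14) and maximum lifetime are this example's own assumptions; adjust them to local policy.

```python
import re

# Constructed sample: the show crypto isakmp policy output reproduced from
# this page, one line per attribute as the router prints it.
SAMPLE_POLICY_OUTPUT = """
Protection suite priority 15
encryption algorithm: DES - Data Encryption Standard (56 bit keys)
hash algorithm: Message Digest 5
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman Group: #2 (1024 bit)
lifetime: 5000 seconds, no volume limit
Protection suite priority 20
encryption algorithm: DES - Data Encryption Standard (56 bit keys)
hash algorithm: Secure Hash Standard
authentication method: preshared Key
Diffie-Hellman Group: #1 (768 bit)
lifetime: 10000 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys)
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman Group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
"""

# A suite starts with either a numbered priority line or the default-suite line.
SUITE_HEADER = re.compile(r"^(?:Protection suite priority (\d+)|Default protection suite)$")


def parse_policies(text):
    """Split the command output into one dict per protection suite.

    The default suite gets priority None. Attribute lines are 'key: value';
    the DH group number and lifetime in seconds are extracted as ints."""
    suites, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUITE_HEADER.match(line)
        if m:
            cur = {"priority": int(m.group(1)) if m.group(1) else None}
            suites.append(cur)
            continue
        if cur is None or ":" not in line:
            continue
        key, _, val = line.partition(":")
        key, val = key.strip().lower(), val.strip()
        if key == "encryption algorithm":
            cur["encryption"] = val
        elif key == "hash algorithm":
            cur["hash"] = val
        elif key == "authentication method":
            cur["auth"] = val
        elif key == "diffie-hellman group":
            g = re.search(r"#(\d+)", val)
            cur["dh_group"] = int(g.group(1)) if g else None
        elif key == "lifetime":
            s = re.search(r"(\d+) seconds", val)
            cur["lifetime_s"] = int(s.group(1)) if s else None
    return suites


def audit_policy(suite, min_dh_group=14, max_lifetime_s=86400):
    """Return a list of weak settings in one suite; an empty list is a pass.

    Thresholds are assumptions for this example, not values from the page."""
    findings = []
    if suite.get("encryption", "").upper().startswith("DES"):
        findings.append("single DES (56-bit key) encryption")
    if "Message Digest 5" in suite.get("hash", ""):
        findings.append("MD5 hash")
    g = suite.get("dh_group")
    if g is not None and g < min_dh_group:
        findings.append(f"Diffie-Hellman group {g} below group {min_dh_group}")
    lt = suite.get("lifetime_s")
    if lt is not None and lt > max_lifetime_s:
        findings.append(f"lifetime {lt}s exceeds {max_lifetime_s}s")
    return findings


if __name__ == "__main__":
    for s in parse_policies(SAMPLE_POLICY_OUTPUT):
        label = "default" if s["priority"] is None else f"priority {s['priority']}"
        print(label, "->", audit_policy(s) or "ok")
```

Because the default suite is what the router falls back to when no configured policy matches, it is audited exactly like the numbered ones.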
Related Commands
show crypto isakmp profile
To list all the ISAKMP profiles that are defined on a router, use the show crypto isakmp profile command in EXEC mode.
show crypto isakmp profile [interface intf-name | ipsec-profile ipsec-prof-name | tag isakmp-prof-name]
Syntax Description
Defaults
No default behavior or values
Command Modes
EXEC
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Task ID
Examples
The following sample output is from the show crypto isakmp profile command:
RP/0/RSP0/CPU0:router# show crypto isakmp profile
ISAKMP Profile: isakmp-prof2
Keyring(s): kr2
Identities matched are:
Address: 10.0.2.1 255.255.255.255 fvrf: green
Interface: service-ipsec2
ISAKMP Profile: isakmp-prof1
Keyring(s): kr1
Identities matched are:
Group: srbu
Interface: service-gre1
Table 14 describes the fields for the show crypto isakmp profile command.
Related Commands
Command Description
Defines an ISAKMP profile and audits IPSec user sessions.
Configures a keyring with an ISAKMP profile.
show crypto isakmp sa
To display all current Internet Key Exchange (IKE) security associations (SAs) at a peer, use the show crypto isakmp sa command in EXEC mode.
show crypto isakmp sa [connection ID]
Syntax Description
Defaults
No default behavior or values
Command Modes
EXEC
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Use the connection ID argument to display only the SA with that connection identifier.
Task ID
Examples
The following sample output is from the show crypto isakmp sa command, after IKE negotiations have been successfully completed between two peers:
RP/0/RSP0/CPU0:router# show crypto isakmp sa
vrf        dst          src          state     conn-id nodeid
---------- ------------ ------------ --------- ------- ------
default    30.0.0.4     10.0.83.1    QM_IDLE   1       0
Table 15 describes the fields shown in the display. Table 16 shows the various states that may be displayed in the output of the show crypto isakmp sa command. When an Internet Security Association and Key Management Protocol (ISAKMP) SA exists, it is most likely in its quiescent state (QM_IDLE). For long exchanges, some MM_xxx states may be observed.
Table 15 show crypto isakmp sa Field Descriptions
Field Description
vrf
Virtual route forwarding (VRF) for the ISAKMP SA details per VRF.
dst
Destination IP address.
src
Source IP address.
state
Table 16 shows the various states that may be displayed in the output of the show crypto isakmp sa command. When an Internet Security Association and Key Management Protocol (ISAKMP) SA exists, it is most likely in its quiescent state (QM_IDLE). For long exchanges, some MM_xxx states may be observed.
conn-id
Connection ID.
nodeid
Node ID.
Related Commands
Command Description
Defines an IKE policy.
Specifies the lifetime of an IKE SA.
Displays the number of ISAKMP security associations (SAs).
Displays the ISAKMP security association (SA) details.
show crypto isakmp stats
To display the information for ISAKMP global statistics, use the show crypto isakmp stats command in EXEC mode.
show crypto isakmp stats [vrf vrf-name]
Syntax Description
vrf vrf-name
(Optional) Specifies the ISAKMP statistics per VPN routing and forwarding (VRF) instance. The vrf-name argument is the name assigned to a VRF.
Defaults
No default behavior or values
Command Modes
EXEC
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Use the show crypto isakmp stats command to display the ISAKMP statistics per VRF instance. If no VRF instance is specified, the statistics for the default VRF are shown.
The following global statistics are printed by the show crypto isakmp stats command:
• Active ISAKMP SAs
• ISAKMP SAs that are currently being negotiated
• Maximum number of concurrent ISAKMP SAs
• Maximum number of concurrent established SAs
• Number of expired SAs
Task ID
Examples
The following example displays sample output from the show crypto isakmp stats command:
RP/0/RSP0/CPU0:router# show crypto isakmp stats
VRF ISAKMP statistics:
Active Tunnels: 0
Previous Tunnels: 0
In Octets: 0
In Packets: 0
In Drop Packets: 0
In Notifys Messages: 0
In Phase2 Exchanges: 0
In Phase2 Exchange Invalids: 0
In Phase2 Exchange Rejects: 0
In Phase2 SA Delete Requests: 0
Out Octets: 0
Out Packets: 0
Out Drop Packets: 0
Out Notifys Messages: 0
Out Phase2 Exchanges: 0
Out Phase2 Exchange Invalids: 0
Out Phase2 Exchange Rejects: 0
Out Phase2 SA Delete Requests: 0
Initiator Tunnels: 0
Initiator Tunnel Setup Fails: 0
Responder Tunnel Setup Fails: 0
Sys Cap Fails: 0
Auth Failures: 0
Decryption Fails: 0
Hash Valid Fails: 0
No SA Fails: 0
Table 17 describes the significant fields shown in the display.
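The failure counters in this output (Auth Failures, Decryption Fails, Hash Valid Fails, Responder Tunnel Setup Fails, No SA Fails) are cumulative, so a single reading says little; what matters for detection is how fast they grow between two readings, and a counter that goes down means it was cleared or the node reloaded. The following Python is an added example, not Cisco code: it parses two snapshots in the format shown above (constructed samples with made-up counter values), reports counters whose increase meets a threshold, and also parses the show crypto isakmp sa table to list SAs that have not reached QM_IDLE. The thresholds and the second SA row are assumptions for the example.

```python
# Constructed snapshots in the format of the show crypto isakmp stats output
# on this page; the counter values are made up for the example, not captured.
STATS_T0 = """
VRF ISAKMP statistics:
Active Tunnels: 3
Previous Tunnels: 12
In Packets: 310
In Drop Packets: 4
Initiator Tunnel Setup Fails: 0
Responder Tunnel Setup Fails: 2
Auth Failures: 0
Decryption Fails: 0
Hash Valid Fails: 0
No SA Fails: 1
"""

STATS_T1 = """
VRF ISAKMP statistics:
Active Tunnels: 2
Previous Tunnels: 13
In Packets: 1290
In Drop Packets: 20
Initiator Tunnel Setup Fails: 0
Responder Tunnel Setup Fails: 41
Auth Failures: 37
Decryption Fails: 12
Hash Valid Fails: 0
No SA Fails: 1
"""

# Constructed show crypto isakmp sa table; the second row is made up to show
# a negotiation that has not reached QM_IDLE.
SA_TABLE = """
vrf        dst          src          state       conn-id nodeid
---------- ------------ ------------ ----------- ------- ------
default    30.0.0.4     10.0.83.1    QM_IDLE     1       0
default    30.0.0.4     192.0.2.77   MM_NO_STATE 2       0
"""

# Per-interval alert thresholds (assumed values; tune to the deployment).
FAILURE_THRESHOLDS = {
    "Auth Failures": 5,
    "Decryption Fails": 5,
    "Hash Valid Fails": 5,
    "Responder Tunnel Setup Fails": 20,
    "No SA Fails": 20,
    "In Drop Packets": 50,
}


def parse_stats(text):
    """Map each 'Name: value' counter line to an int; non-numeric lines are skipped."""
    counters = {}
    for line in text.splitlines():
        name, sep, value = line.strip().partition(":")
        if sep and value.strip().isdigit():
            counters[name.strip()] = int(value)
    return counters


def failure_deltas(prev, cur, thresholds=FAILURE_THRESHOLDS):
    """Return (counter, increase) pairs whose growth since the previous snapshot
    meets the threshold. A decrease means the counters were cleared, so the
    current absolute value is used as the increase instead."""
    alerts = []
    for name, limit in thresholds.items():
        delta = cur.get(name, 0) - prev.get(name, 0)
        if delta < 0:
            delta = cur.get(name, 0)
        if delta >= limit:
            alerts.append((name, delta))
    return alerts


def parse_sa_table(text):
    """Parse the show crypto isakmp sa table into dicts keyed by column name."""
    columns = ("vrf", "dst", "src", "state", "conn_id", "nodeid")
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < len(columns) or fields[0] == "vrf" or fields[0].startswith("-"):
            continue
        rows.append(dict(zip(columns, fields)))
    return rows


def not_established(rows):
    """SAs not in the quiescent QM_IDLE state: still negotiating or stuck."""
    return [r for r in rows if r["state"] != "QM_IDLE"]


if __name__ == "__main__":
    for name, delta in failure_deltas(parse_stats(STATS_T0), parse_stats(STATS_T1)):
        print(f"ALERT {name} rose by {delta}")
    for sa in not_established(parse_sa_table(SA_TABLE)):
        print(f"SA conn-id {sa['conn_id']} from {sa['src']} is in {sa['state']}")
```

Auth Failures climbing with Responder Tunnel Setup Fails and a growing set of non-QM_IDLE SAs from one source is the pattern to look for when a peer is guessing pre-shared keys or flooding phase 1; the same deltas on a trusted peer usually mean a key or certificate mismatch after a change.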
show crypto key pubkey-chain rsa
To display the Rivest, Shamir, and Adleman (RSA) public keys stored on your router for the peer, use the show crypto key pubkey-chain rsa command in EXEC mode.
show crypto key pubkey-chain rsa [name key-name | address key-address]
Syntax Description
name key-name
(Optional) Displays only the public key with the specified name.
address key-address
(Optional) Displays only the public key with the specified address.
Defaults
All RSA public keys stored on your router are displayed.
Command Modes
EXEC
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Use this command to display the RSA public keys stored on your router. The display includes the RSA public keys for the peer that were manually configured at your router and keys received by your router through other means (such as from a certificate, if certification authority support is configured).
If the router reboots, any public keys derived from certificates are lost; the router requests the certificates again, and the public keys are derived again at that time.
Use the name or address keyword to display details about a particular RSA public key stored on your router.
If no keyword is used, this command displays a list of all RSA public keys stored on your router.
Task ID
Examples
The following sample output is from the show crypto key pubkey-chain rsa command:
RP/0/RSP0/CPU0:router# show crypto key pubkey-chain rsa
Codes: M - Manually Configured, C - Extracted from certificate
Code Usage   IP-Address  VRF    Keyring  Name
M    Encrypt                    K1       example.cisco.com
M    Signing 5.5.5.5     green  K2
The following example shows manually configured special-usage RSA public keys for the peer named somerouter. This example also shows three keys obtained from peer certificates: two special-usage keys for peer routerA and a general-purpose key for peer routerB.
Certificate support is used in the example; if certificate support were not in use, none of the peer keys would show "C" in the Code column, and would all need to be manually configured.
Table 18 describes the significant fields shown in the display.
The following sample output is from the show crypto key pubkey-chain rsa command for the name keyword that names the public key as somerouter.example.com:
RP/0/RSP0/CPU0:router# show crypto key pubkey-chain rsa name somerouter.example.com
Key name: somerouter.example.com
Key address: 10.0.0.1
Usage: Signature Key
Source: Manual
Data:
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00C5E23B 55D6AB22
04AEF1BA A54028A6 9ACC01C5 129D99E4 64CAB820 847EDAD9 DF0B4E4C 73A05DD2
BD62A8A9 FA603DD2 E2A8A6F8 98F76E28 D58AD221 B583D7A4 71020301 0001
Key name: somerouter.example.com
Key address: 10.0.0.1
Usage: Encryption Key
Source: Manual
Data:
00302017 4A7D385B 1234EF29 335FC973 2DD50A37 C4F4B0FD 9DADE748 429618D5
18242BA3 2EDFBDD3 4296142A DDF7D3D8 08407685 2F2190A0 0B43F1BD 9A8A26DB
07953829 791FCDE9 A98420F0 6A82045B 90288A26 DBC64468 7789F76E EE21
Note
The Source field in the example indicates "Manual," meaning that the keys were manually configured on the router, not received in the certificate from the peer.
The following sample output is from the show crypto key pubkey-chain rsa command for address 192.168.10.3:
RP/0/RSP0/CPU0:router# show crypto key pubkey-chain rsa address 192.168.10.3
Key name: routerB.example.com
Key address: 192.168.10.3
Usage: General Purpose Key
Source: Certificate
Data:
0738BC7A 2BC3E9F0 679B00FE 53987BCC 01030201 42DD06AF E228D24C 458AD228
58BB5DDD F4836401 2A2D7163 219F882E 64CE69D4 B583748A 241BED0F 6E7F2F16
0DE0986E DF02031F 4B0B0912 F68200C4 C625C389 0BFF3321 A2598935 C1B1
The Source field in the example indicates "Certificate," meaning that the keys were received by the router by way of the certificate from the other router.
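A manually configured peer key is trusted on the operator's say-so, so it is worth checking offline that the Data blob is what it claims to be and that its fingerprint matches the one the peer's operator provides out of band. The Data hex of the manually configured signature key above decodes as a DER SubjectPublicKeyInfo for an rsaEncryption key. The following Python is an added example, not Cisco code: a minimal DER walker that extracts the modulus size and public exponent from that blob, computes a SHA-256 fingerprint over the DER bytes for out-of-band comparison, and rejects data that is not an RSA SubjectPublicKeyInfo (the other two Data blobs on this page are not). The 2048-bit floor and the function names are this example's own assumptions.

```python
import hashlib
import re

# Constructed sample: the "Data:" hex of the manually configured signature key
# in the show crypto key pubkey-chain rsa name example on this page.
SIGNING_KEY_HEX = """
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00C5E23B 55D6AB22
04AEF1BA A54028A6 9ACC01C5 129D99E4 64CAB820 847EDAD9 DF0B4E4C 73A05DD2
BD62A8A9 FA603DD2 E2A8A6F8 98F76E28 D58AD221 B583D7A4 71020301 0001
"""

RSA_ENCRYPTION_OID = bytes.fromhex("2A864886F70D010101")  # 1.2.840.113549.1.1.1


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_spki(hex_text):
    """Parse a DER SubjectPublicKeyInfo holding an RSA key.

    Returns modulus bit length, public exponent and SHA-256 of the DER bytes;
    raises ValueError when the blob is not an rsaEncryption SPKI."""
    der = bytes.fromhex(re.sub(r"\s+", "", hex_text))
    tag, spki, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    tag, algid, pos = _read_tlv(spki, 0)           # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("missing AlgorithmIdentifier")
    oid_tag, oid, _ = _read_tlv(algid, 0)
    if oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("not rsaEncryption")
    tag, bitstr, _ = _read_tlv(spki, pos)          # subjectPublicKey BIT STRING
    if tag != 0x03 or not bitstr or bitstr[0] != 0:
        raise ValueError("bad subjectPublicKey BIT STRING")
    tag, rsakey, _ = _read_tlv(bitstr, 1)          # RSAPublicKey SEQUENCE
    if tag != 0x30:
        raise ValueError("bad RSAPublicKey")
    tag, n_bytes, pos = _read_tlv(rsakey, 0)       # modulus INTEGER
    if tag != 0x02:
        raise ValueError("bad modulus")
    tag, e_bytes, _ = _read_tlv(rsakey, pos)       # publicExponent INTEGER
    if tag != 0x02:
        raise ValueError("bad exponent")
    n = int.from_bytes(n_bytes, "big")
    e = int.from_bytes(e_bytes, "big")
    return {"modulus_bits": n.bit_length(), "exponent": e,
            "sha256": hashlib.sha256(der).hexdigest()}


def audit_key(hex_text, min_bits=2048):
    """Return findings for one Data blob; an empty list means it is acceptable.

    min_bits is an assumption for this example, not a value from the page."""
    try:
        info = parse_rsa_spki(hex_text)
    except ValueError as exc:
        return [f"unparseable key data: {exc}"]
    findings = []
    if info["modulus_bits"] < min_bits:
        findings.append(f"modulus is {info['modulus_bits']} bits, below {min_bits}")
    if info["exponent"] != 65537:
        findings.append(f"unexpected public exponent {info['exponent']}")
    return findings


if __name__ == "__main__":
    info = parse_rsa_spki(SIGNING_KEY_HEX)
    print(f"{info['modulus_bits']}-bit RSA, e={info['exponent']}, sha256={info['sha256']}")
    print(audit_key(SIGNING_KEY_HEX) or "ok")
```

Compare the printed fingerprint with the value the remote operator sends through a separate channel before the key is trusted; the example blob, parsed this way, turns out to be a 512-bit key, which illustrates why the size check belongs in the procedure.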
show crypto session
To display status information for active crypto sessions, use the show crypto session command in EXEC mode.
show crypto session [detail | fvrf fvrf-name [detail] | group group-name | groups | interface interface-name | ivrf ivrf-name | local IP-address [fvrf fvrf-name | detail] | profile profile-name [detail] | remote IP-address [detail | port remote-port | fvrf fvrf-name] | user username [detail] | users]
Syntax Description
Defaults
If the show crypto session command is entered without any keywords, all existing sessions are displayed. Port default values are 500.
Command Modes
EXEC
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
You can get a list of all the active ISAKMP sessions, and of the IKE and IPSec SAs for each session, by using the show crypto session command. The following information is included:
• Interface
• IKE SAs that are associated with the peer by whom the IPSec SAs are created
• IPSec SAs serving the flows of a session
Multiple IKE or IPSec SAs may be established for the same peer (for the same session); in that case the IKE peer description is repeated with different values for the IKE SAs associated with the peer and for the IPSec SAs serving the flows of the session.
Task ID
Examples
The following example shows the list of fields from the show crypto session command:
RP/0/RSP0/CPU0:router# show crypto session
Interface: tunnel-ipsec3001
Profile: TUNNEL_IPSEC
ISAKMP policy: 10
Fvrf: default
Ivrf: default
Peer: 10.1.1.5/500
Ike SAs: 1
IPsec Flows: 1
IKE SA : conn-id 1 local 10.1.1.6/500 remote 10.1.1.5/500 QM_IDLE
IPSEC FLOW 1: permit ipv4 10.7.208.2/255.255.255.255 10.7.208.2/255.255.255.255
Active SAs 2
The following example shows the detailed information of the session:
RP/0/RSP0/CPU0:router# show crypto session detail
Interface: tunnel-ipsec3001
Profile: TUNNEL_IPSEC
ISAKMP policy: 10
Fvrf: default
Ivrf: default
Peer: 10.1.1.6/500
Ike SAs: 1
IPsec Flows: 1
IKE SA : conn-id 2 local 10.1.1.5/500 remote 10.1.1.6/500 QM_IDLE
IPSEC FLOW 2: permit ipv4 10.7.208.2/255.255.255.255 10.7.208.2/255.255.255.255
Active SAs 2
Inbound: #pkts dec'ed 5 drop 0 life (KB/Sec) 100000000/3249
Outbound: #pkts enc'ed 5 drop 0 life (KB/Sec) 100000000/3249
Table 19 describes the significant fields shown in the display.
Related Commands