IPSec Network Security Commands on Cisco IOS XR Software
This module describes the commands used to configure IP Security (IPSec) network security on the Cisco IOS XR software.
For detailed information about IPSec concepts, configuration tasks, and examples, see the Implementing IPSec Network Security on Cisco IOS XR software configuration module.
clear crypto engine statistics
To clear the statistics for the crypto engine, use the clear crypto engine statistics command in EXEC mode.
clear crypto engine statistics location node-id
Syntax Description
Defaults
No default behavior or values
Command Modes
EXEC
Command History
Release          Modification
Release 3.5.0    This command was introduced.
Release 3.6.0    No modification.
Release 3.7.0    No modification.
Release 3.8.0    No modification.
Release 3.9.0    No modification.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator.
You must provide a location. For example, the location specifies a bay for a shared port adapter (SPA), which is either 0/1/0 or 0/1/1.
Task ID
Examples
The following example shows how to clear the statistics for the crypto engine for location 0/1/1:
RP/0/0/CPU0:router# clear crypto engine statistics location 0/1/1
Related Commands
Command    Description
Displays information for the hardware data path counters that are gathered from the crypto engine statistics.
clear crypto ipsec sa
To delete specific security associations (SAs), or all SAs in the IP Security (IPSec) security associations database (SADB), use the clear crypto ipsec sa command in EXEC mode.
clear crypto ipsec sa {sa-id | all}
Syntax Description
sa-id
Identifier for the SA. IPSec supports from 1 to 64,500 sessions.
all
Deletes all IPSec SAs in the IPSec SADB.
Defaults
No default behavior or values
Command Modes
EXEC
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator.
SAs are established to secure data flows in IPSec. Use the clear crypto ipsec sa command to delete active IPSec sessions or force IPSec to reestablish new SAs. Usually, the establishment of SAs is negotiated between peers through Internet Key Exchange (IKE) on behalf of IPSec.
Task ID
Examples
The following example shows how to remove the SA with ID 100 from the SADB:
RP/0/0/CPU0:router# clear crypto ipsec sa 100
Related Commands
clear crypto ipsec sa interface
To clear all the security associations (SAs) under the specified interface, use the clear crypto ipsec sa interface command in EXEC mode.
clear crypto ipsec sa interface {service_ipsec number | service_gre number | tunnel-ipsec number}
Syntax Description
Defaults
No default behavior or values
Command Modes
EXEC
Command History
Release          Modification
Release 3.5.0    This command was introduced.
Release 3.6.0    No modification.
Release 3.7.0    No modification.
Release 3.8.0    No modification.
Release 3.9.0    No modification.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator.
Task ID
Examples
The following example shows how to clear all the SAs for a tunnel-ipsec interface:
RP/0/0/CPU0:router# clear crypto ipsec sa interface tunnel-ipsec 1
Related Commands
Command    Description
Displays specific security associations (SAs), or all SAs in the IP Security (IPSec) security associations database (SADB).
Displays the crypto IPSec interface.
crypto ipsec df-bit (global)
To set the DF bit for the encapsulating header in tunnel mode to all interfaces, use the crypto ipsec df-bit command in global configuration mode.
crypto ipsec df-bit {clear | set | copy}
Syntax Description
Defaults
The default is the copy keyword.
Command Modes
Global configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator.
Use the crypto ipsec df-bit command in global configuration mode to configure your router to specify the DF bit in an encapsulated header.
You can use the clear setting for the DF bit when encapsulating tunnel mode IPSec traffic so that you can send packets larger than the available maximum transmission unit (MTU) size, even if you do not know the available MTU size.
Task ID
Examples
The following example shows how to clear the DF bit on all interfaces:
RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# crypto ipsec df-bit clear
Related Commands
crypto ipsec df-bit (interface)
To set the DF bit for the encapsulating header in tunnel mode to a specific interface, use the crypto ipsec df-bit command in service-ipsec interface configuration mode.
crypto ipsec df-bit {clear | set | copy}
Syntax Description
Defaults
The default is taken from the global configuration.
Command Modes
service-ipsec interface configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator.
Use the crypto ipsec df-bit command in interface configuration mode to configure your router to specify the DF bit in an encapsulated header. This command overrides any existing DF bit global settings.
You can use the clear setting for the DF bit when encapsulating tunnel mode IPSec traffic so that you can send packets larger than the available maximum transmission unit (MTU) size, even if you do not know the available MTU size.
Task ID
Examples
In the following example, the router is configured to globally clear the setting for the DF bit and copy the bit from the interface named service-ipsec 5. Thus, all interfaces except service-ipsec 5 allow the router to send packets larger than the available MTU size; service-ipsec 5 allows the router to fragment the packet:
RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# interface service-ipsec 5
RP/0/0/CPU0:router(config-if)# crypto ipsec df-bit clear
Related Commands
crypto mib ipsec flowmib history failure size
To set the size of the IP Security (IPSec) MIB failure history table, use the crypto mib ipsec flowmib history failure size command in global configuration mode.
crypto mib ipsec flowmib history failure size number
Syntax Description
Defaults
The default value is 16000.
Command Modes
Global configuration
Command History
Release          Modification
Release 3.5.0    This command was introduced.
Release 3.6.0    No modification.
Release 3.7.0    No modification.
Release 3.8.0    No modification.
Release 3.9.0    No modification.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator.
A failure history table stores the reason for tunnel failure and the time that the failure occurred. A failure history table is used as a simple method to distinguish between a normal and an abnormal tunnel termination. That is, if a tunnel entry in the tunnel history table has no associated failure record, the tunnel must have terminated normally. However, every failure does not correspond to a tunnel. Supported setup failures are recorded in the failure table, but a history table is not associated because a tunnel was never set up.
Task ID
Examples
The following example shows that the size of a failure history table is configured to be 140:
RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# crypto mib ipsec flowmib history failure size 140
crypto ipsec pmtu
To specify the default path maximum transmission unit (MTU) for the SAs that are created under the interface, use the crypto ipsec pmtu command in service-ipsec interface configuration mode. To disable this feature, use the no form of this command.
crypto ipsec pmtu pmtu
no crypto ipsec pmtu pmtu
Syntax Description
Defaults
If you do not specifically set the crypto ipsec pmtu command, the default value is 9000.
Command Modes
Service-ipsec interface configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator.
The crypto ipsec pmtu command is supported under service-ipsec interfaces only. The service-gre interfaces are not supported.
The PMTU must be set with the MTU value on the WAN (encrypted) side.
Task ID
Examples
The following example shows that the crypto ipsec pmtu command is set to 1500 for the service-ipsec interface:
RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# interface service-ipsec 5
RP/0/0/CPU0:router(config-if)# crypto ipsec pmtu 1500
Related Commands
crypto ipsec pre-fragmentation disable
To specify the handling of fragmentation for the near-MTU-sized packets, use the crypto ipsec pre-fragmentation disable command in global configuration mode or service-ipsec interface configuration mode. To disable this feature, use the no form of this command.
crypto ipsec pre-fragmentation disable
no crypto ipsec pre-fragmentation disable
Syntax Description
Defaults
Prefragmentation is enabled.
Command Modes
Global configuration
Service-ipsec interface configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator.
The prefragmentation feature allows an encrypting router to predetermine the encapsulated packet size from information available in transform sets, which are configured as part of the IPSec security association (SA). If it is predetermined that the packet exceeds the MTU of the interface, the packet is fragmented before encryption. This function avoids process-level reassembly before decryption and helps improve decryption performance and overall IPSec traffic throughput.
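The prefragmentation and df-bit behaviour described above (and in the two crypto ipsec df-bit entries earlier on this page) can be worked through numerically. The following Python is an added example, not Cisco's code or anything on this page: it predetermines the encapsulated size of an ESP tunnel-mode packet from the transform set, decides whether to fragment before encryption (prefragmentation enabled) or after it (prefragmentation disabled), and applies the clear/set/copy policy to the outer DF bit. The header sizes are the standard RFC 4303 ESP layout with 96-bit HMAC ICVs; the function and variable names are this example's own assumptions, and the IOS XR data path is not modelled.

```python
"""Added example (not Cisco's code): encapsulated-size prediction for ESP tunnel
mode, pre- versus post-fragmentation, and the outer DF-bit policy."""
import math

IPV4_HDR = 20        # IPv4 header without options (inner and outer)
ESP_HDR = 8          # SPI + sequence number
ESP_TRAILER = 2      # pad-length + next-header bytes
AH_OVERHEAD = 24     # AH header (12) + 96-bit ICV (12) for ah-md5-hmac / ah-sha-hmac

# ESP cipher -> (padding block size, IV length) in bytes
ESP_CIPHERS = {
    "esp-des": (8, 8), "esp-3des": (8, 8),
    "esp-aes": (16, 16), "esp-192-aes": (16, 16), "esp-256-aes": (16, 16),
}
ESP_AUTH_ICV = {"esp-md5-hmac": 12, "esp-sha-hmac": 12}
AH_TRANSFORMS = {"ah-md5-hmac", "ah-sha-hmac"}


def encapsulated_size(inner_len, transforms):
    """On-the-wire size of an inner IPv4 packet of inner_len bytes after
    tunnel-mode protection with a transform set such as {"esp-aes", "esp-sha-hmac"}."""
    ciphers = [t for t in transforms if t in ESP_CIPHERS]
    auths = [t for t in transforms if t in ESP_AUTH_ICV]
    ahs = [t for t in transforms if t in AH_TRANSFORMS]
    if len(ciphers) > 1 or len(auths) > 1 or len(ahs) > 1:
        raise ValueError("at most one transform per category")
    if ciphers or auths:
        block, iv = ESP_CIPHERS[ciphers[0]] if ciphers else (4, 0)  # null cipher pads to 4
        icv = ESP_AUTH_ICV[auths[0]] if auths else 0
        padded = math.ceil((inner_len + ESP_TRAILER) / block) * block
        esp = ESP_HDR + iv + padded + icv
    else:
        esp = inner_len                      # AH-only: no ESP encapsulation
    return IPV4_HDR + AH_OVERHEAD * len(ahs) + esp


def max_inner_len(mtu, transforms):
    """Largest inner packet whose encapsulation still fits the egress MTU; this is
    the figure prefragmentation derives from the transform set."""
    n = mtu
    while n > IPV4_HDR and encapsulated_size(n, transforms) > mtu:
        n -= 1
    return n


def _ipv4_fragments(total_len, mtu):
    """Split an IPv4 packet into fragments that fit mtu; fragment payloads are
    multiples of 8 bytes because IPv4 fragment offsets are in 8-byte units."""
    per_frag = ((mtu - IPV4_HDR) // 8) * 8
    payload = total_len - IPV4_HDR
    frags = []
    while payload > 0:
        chunk = min(per_frag, payload)
        frags.append(IPV4_HDR + chunk)
        payload -= chunk
    return frags


def prefragment(inner_len, mtu, transforms):
    """Prefragmentation enabled: fragment the cleartext so every fragment, once
    encrypted, fits the MTU. Returns the inner fragment sizes."""
    limit = max_inner_len(mtu, transforms)
    return [inner_len] if inner_len <= limit else _ipv4_fragments(inner_len, limit)


def postfragment(inner_len, mtu, transforms, outer_df):
    """Prefragmentation disabled: encrypt first, then fragment the encrypted packet.
    The peer must reassemble before it can decrypt. Returns the outer fragment
    sizes, or None when the outer DF bit forbids fragmentation (packet dropped)."""
    outer = encapsulated_size(inner_len, transforms)
    if outer <= mtu:
        return [outer]
    if outer_df:
        return None
    return _ipv4_fragments(outer, mtu)


def outer_df_bit(policy, inner_df):
    """crypto ipsec df-bit {clear | set | copy}: DF bit written into the outer header."""
    if policy == "copy":
        return inner_df
    if policy == "set":
        return True
    if policy == "clear":
        return False
    raise ValueError(f"unknown df-bit policy {policy!r}")


if __name__ == "__main__":
    ts = {"esp-aes", "esp-sha-hmac"}
    print("1500-byte packet encapsulates to", encapsulated_size(1500, ts), "bytes")
    print("prefragmented inner sizes:", prefragment(1500, 1500, ts))
    print("post-fragmented outer sizes:", postfragment(1500, 1500, ts, outer_df_bit("clear", True)))
```

The two fragment lists make the usage guideline concrete: with prefragmentation the peer receives two independently decryptable ESP packets, whereas with it disabled the peer must reassemble two fragments of one ESP packet before decryption; with the outer DF bit set (policy set, or copy with DF on the inner packet) the oversize packet cannot be fragmented at all.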
Task ID
Examples
The following example shows how to use the crypto ipsec pre-fragmentation disable command:
RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# crypto ipsec pre-fragmentation disable
crypto ipsec profile
To configure the IP Security (IPSec) profile and enter profile configuration mode, use the crypto ipsec profile command in global configuration mode. To remove the IPSec profile, use the no form of this command.
crypto ipsec profile name
no crypto ipsec profile name
Syntax Description
Defaults
No default behavior or values
Command Modes
Global configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator.
Use the crypto ipsec profile command to create a new crypto profile or modify an existing crypto profile.
Crypto profiles configure cryptographic behavior for IPSec transport and IPSec-enabled interfaces (service-ipsec, service-gre, and tunnel-ipsec).
The following commands are available in profile configuration mode:
• match transform-set—Configures the access control list (ACL) to use for packet classification and the transform set to use for IPSec processing. Multiples of this command are supported under the same profile.
• reverse-route—Enables reverse-route injection (RRI) metrics, allowing configuration of an administrative distance from 1 to 255 as a precedence for dynamic routing.
• set pfs—Sets or resets the perfect forward secrecy (PFS) setting for IKE to handle Diffie-Hellman negotiation.
The default is group1, which corresponds to the 768-bit Diffie-Hellman prime modulus group; group2 corresponds to the 1024-bit Diffie-Hellman prime modulus group; and group5 corresponds to the 1536-bit Diffie-Hellman prime modulus group.
PFS is a cryptographic characteristic associated with a derived shared secret value. With PFS, if one key is compromised, previous and subsequent keys are not compromised because subsequent keys are not derived from previous keys.
• set security-association replay disable—Disables replay checking for a particular crypto profile.
• set security-association idle-time—Specifies the maximum amount of time in which the current peer can be idle before the default peer is used.
• set security-association lifetime—Overrides (for a particular crypto map entry) the global lifetime value.
• set session-key inbound ah—Specifies the IP Security session keys to set the inbound IPSec session key for the Authentication Header (AH) protocol.
• set session-key inbound esp—Specifies the IP Security session key to set the inbound IPSec session key for Encapsulation Security Protocol (ESP).
• set session-key outbound ah—Specifies the IP Security session key to set the outbound IPSec session key for the AH protocol.
• set session-key outbound esp—Specifies the IP Security session key to set the outbound IPSec session key for ESP.
• set transform-set—Specifies a list of transform sets in priority order.
• set type—Sets or resets the profile mode. The default is the static keyword. The dynamic keyword lets the profile handle Dynamic Crypto Profile (DCP), which means security association (SA) negotiation from any authenticated peer is allowed. Static mode lets the peer be identified in the configuration (tunnel mode).
Task ID
Examples
The following example shows how to create a crypto profile named "newprofile," set the PFS to group2, and configure the profile as a dynamic profile:
RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# crypto ipsec profile newprofile
RP/0/0/CPU0:router(config-newprofile)# set pfs group2
RP/0/0/CPU0:router(config-newprofile)# set type dynamic
RP/0/0/CPU0:router(config-newprofile)# match myacl transform-set mytransformset
Related Commands
crypto ipsec nat-transparency disable
To disable security parameter index (SPI) matching or User Datagram Protocol (UDP) encapsulation between two Virtual Private Network (VPN) devices, use the crypto ipsec nat-transparency command on both devices in global configuration mode. To re-enable this feature, use the no form of this command.
crypto ipsec nat-transparency disable
no crypto ipsec nat-transparency disable
Syntax Description
Defaults
The NAT transparency feature is enabled by default.
Command Modes
Global configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator.
Use the crypto ipsec nat-transparency command to resolve issues that arise when Network Address Translation (NAT) is configured in an IP Security (IPsec)-aware network.
Task ID
Examples
The following example shows how to use the crypto ipsec nat-transparency command:
RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# crypto ipsec nat-transparency disable
crypto ipsec security-association idle-time
To configure the IP Security (IPSec) security association (SA) idle timer, use the crypto ipsec security-association idle-time command in global configuration mode. To inactivate the IPSec SA idle timer, use the no form of this command.
crypto ipsec security-association idle-time seconds
no crypto ipsec security-association idle-time
Syntax Description
seconds
Time, in seconds, that the idle timer allows an inactive peer to maintain an SA. Valid values for the seconds argument range from 600 to 86400.
Defaults
IPSec SA idle timers are disabled.
Command Modes
Global configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator.
Use the crypto ipsec security-association idle-time command to configure the IPSec SA idle timer. The timer controls the amount of time that an SA is maintained for an idle peer.
The IPSec SA idle timers are different from the global lifetimes for IPSec SAs. The expiration of the global lifetimes is independent of peer activity. The IPSec SA idle timer allows SAs associated with inactive peers to be deleted before the global lifetime has expired.
Note
If the last IPSec SA to a given peer is deleted due to idle timer expiration, the Internet Key Exchange (IKE) SA to that peer is also deleted.
Task ID
Examples
The following example shows how to configure the IPSec SA idle timer to drop SAs for inactive peers after 600 seconds:
RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# crypto ipsec security-association idle-time 600
Related Commands
crypto ipsec security-association lifetime
To change the global lifetime values used when negotiating IP Security (IPSec) security associations (SAs), use the crypto ipsec security-association lifetime command in global configuration mode. To reset an SA lifetime to the default value, use the no form of this command.
crypto ipsec security-association lifetime {seconds seconds | kilobytes kilobytes}
no crypto ipsec security-association lifetime {seconds | kilobytes}
Syntax Description
Defaults
seconds: 3600 seconds (1 hour)
kilobytes: 4194303 kilobytes (10 MBps for 1 hour)
Command Modes
Global configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator.
IPSec SAs use shared secret keys. These keys and their SAs time out together.
Assuming that the particular crypto profile entry does not have lifetime values configured, when the router requests new SAs during SA negotiation, it specifies its global lifetime value in the request to the peer and uses this value as the lifetime of the new SAs. When the router receives a negotiation request from the peer, it uses the smaller of the lifetime value proposed by the peer and the locally configured lifetime value as the lifetime of the new SAs.
There are two lifetimes: a "timed" lifetime and a "traffic-volume" lifetime. The SA expires after the first of these lifetimes is reached.
If you change a global lifetime, the change is not applied to existing SAs, but is used in subsequent negotiations to establish new SAs. If you want the new settings to take effect sooner, clear all or part of the SA database by using the clear crypto ipsec sa command.
To change the global timed lifetime, use the crypto ipsec security-association lifetime seconds form of the command. The timed lifetime causes the SA to time out after the specified number of seconds have passed.
To change the global traffic-volume lifetime, use the crypto ipsec security-association lifetime kilobytes form of the command. The traffic-volume lifetime causes the SA to time out after the specified amount of traffic (in KB) has been protected by the key of the SAs.
Shorter lifetimes can make mounting a successful key recovery attack more difficult because the attacker has less data encrypted under the same key with which to work. However, shorter lifetimes require more CPU processing time for establishing new SAs.
How These Lifetimes Work
The SA keys expire according to whichever occurs sooner, either after the number of seconds has passed (specified by the seconds keyword) or after the amount of traffic in KB has passed (specified by the kilobytes keyword).
A new SA is negotiated before the lifetime threshold of the existing SA is reached to ensure that a new SA is ready for use when the old one expires. The new SA is negotiated approximately 30 seconds before the seconds lifetime expires or when the volume of traffic through the tunnel reaches around 90 percent of the kilobytes lifetime (whichever occurs first). The final values of the seconds and kilobytes lifetimes are determined per SA during the SA negotiation and are agreed on by both sides. Each side offers the configured lifetime and the shortest lifetime is then chosen.
If no traffic has passed through the tunnel during the entire life of the SA, a new SA is not negotiated when the lifetime expires. Instead, a new SA is negotiated only when IPSec identifies another packet that should be protected.
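The lifetime rules in this entry and the idle timer in the previous one interact, and the easiest way to see how is to model an SA's state over time. The Python below is an added example, not Cisco's code: it negotiates lifetimes by taking the shorter of each side's offer, applies the rekey thresholds stated above (about 30 seconds before the timed lifetime, about 90 percent of the volume lifetime), skips proactive rekey for an SA that carried no traffic, and evaluates the idle timer independently of the lifetimes. The class and method names, the constant values for the thresholds and the 1024-byte kilobyte are assumptions of this example.

```python
"""Added example (not Cisco's code): SA lifetime negotiation, rekey timing,
hard expiry and the idle timer, modelled on the usage guidelines above."""

REKEY_LEAD_SECONDS = 30       # negotiate the replacement ~30 s before the timed lifetime
REKEY_VOLUME_FRACTION = 0.9   # ...or at ~90 % of the traffic-volume lifetime
DEFAULT_SECONDS = 3600        # global defaults from this command's Defaults section
DEFAULT_KILOBYTES = 4194303


def negotiate_lifetimes(local, peer):
    """Each side offers (seconds, kilobytes); the shorter of each wins per SA."""
    return (min(local[0], peer[0]), min(local[1], peer[1]))


class IpsecSa:
    def __init__(self, created_at, seconds=DEFAULT_SECONDS, kilobytes=DEFAULT_KILOBYTES):
        self.created_at = created_at      # seconds (any monotonic clock)
        self.seconds = seconds
        self.kilobytes = kilobytes
        self.bytes_protected = 0
        self.last_activity = None         # None until the first packet is protected

    def protect(self, now, nbytes):
        """Account for nbytes of traffic protected under this SA's key."""
        self.bytes_protected += nbytes
        self.last_activity = now

    @property
    def kb_protected(self):
        return self.bytes_protected / 1024

    def expired(self, now):
        """Hard expiry: whichever lifetime is reached first ends the SA."""
        return (now - self.created_at >= self.seconds
                or self.kb_protected >= self.kilobytes)

    def rekey_due(self, now):
        """Proactive renegotiation so a fresh SA is ready before expiry. An SA that
        has carried no traffic is not renegotiated at expiry; the next packet that
        needs protection triggers negotiation instead."""
        if self.last_activity is None:
            return False
        time_due = now >= self.created_at + self.seconds - REKEY_LEAD_SECONDS
        volume_due = self.kb_protected >= REKEY_VOLUME_FRACTION * self.kilobytes
        return time_due or volume_due

    def idle_expired(self, now, idle_time=None):
        """crypto ipsec security-association idle-time: independent of the lifetimes,
        an SA whose peer has been quiet for idle_time seconds is deleted early.
        None means the idle timer is not configured (the default)."""
        if idle_time is None:
            return False
        last = self.last_activity if self.last_activity is not None else self.created_at
        return now - last >= idle_time


if __name__ == "__main__":
    secs, kb = negotiate_lifetimes((DEFAULT_SECONDS, DEFAULT_KILOBYTES), (2700, 8_000_000))
    sa = IpsecSa(created_at=0, seconds=secs, kilobytes=kb)
    sa.protect(now=10, nbytes=1500)
    for t in (600, 2669, 2670, 2700):
        print(f"t={t:5d}s rekey_due={sa.rekey_due(t)} expired={sa.expired(t)} "
              f"idle(600s)={sa.idle_expired(t, idle_time=600)}")
```

Running it with the 2700-second lifetime from the configuration example shows the rekey flag turning on at t=2670 while expiry is at t=2700, and the 600-second idle timer reclaiming the same SA at t=610, long before either lifetime, which is the behaviour the idle-time entry describes.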
Task ID
Examples
The following example shows how to shorten lifetimes to reduce the risk that the keys could be compromised. The timed lifetime is shortened to 2700 seconds (45 minutes), and the traffic-volume lifetime is shortened to 2304000 KB (10 MBps for 30 minutes).
RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# crypto ipsec security-association lifetime seconds 2700
RP/0/0/CPU0:router(config)# crypto ipsec security-association lifetime kilobytes 2304000
Related Commands
crypto ipsec security-association replay disable
To disable antireplay checking globally, use the crypto ipsec security-association replay disable command in global configuration mode. To reset the configuration to enable antireplay checking, use the no form of this command.
crypto ipsec security-association replay disable
Syntax Description
This command has no arguments or keywords.
Defaults
Antireplay checking is enabled.
Command Modes
Global configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator.
Task ID
Examples
The following example shows that antireplay checking has been disabled globally:
RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# crypto ipsec security-association replay disable
Related Commands
Command    Description
Sets the size of the security association (SA) antireplay window globally.
Configures the IPSec SA idle timer.
crypto ipsec security-association replay window-size
To set the size of the security association (SA) antireplay window globally, use the crypto ipsec security-association replay window-size command in global configuration mode. To reset the window size to the default of 64, use the no form of this command.
crypto ipsec security-association replay window-size {N}
no crypto ipsec security-association replay window-size
Syntax Description
N
Size of the window. Values are 64, 128, 256, 512, and 1024. This value becomes the default value.
Note
The window size is significant only if antireplay checking is enabled.
Defaults
If a window size is not entered, the default is 64.
Command Modes
Global configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator.
Task ID
Examples
The following example shows that the size of the SA antireplay window is set globally to 128:
RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# crypto ipsec security-association replay window-size 128
Related Commands
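What the window size buys, and what replay disable gives up, is clearest with the sliding window itself. The Python below is an added example, not Cisco's code: it implements the antireplay window as described in RFC 4303 Appendix A (a bitmap of the most recent sequence numbers below the highest one accepted), restricted to the window sizes this command accepts, and runs a constructed sequence-number stream through it. The class name, the helper and the stream are this example's own; the ESP rule that the ICV is verified before the window is updated is noted in a comment rather than modelled.

```python
"""Added example (not Cisco's code): ESP antireplay sliding window per
RFC 4303 Appendix A, with the window sizes this command accepts."""

VALID_SIZES = (64, 128, 256, 512, 1024)


class ReplayWindow:
    def __init__(self, size=64, enabled=True):
        if size not in VALID_SIZES:
            raise ValueError(f"window size must be one of {VALID_SIZES}")
        self.size = size
        self.enabled = enabled
        self.top = 0                  # highest sequence number accepted so far
        self.bitmap = 0               # bit i set <=> sequence number (top - i) was received
        self.mask = (1 << size) - 1

    def check_and_update(self, seq):
        """Return True if the packet carrying ESP sequence number seq is acceptable,
        and record it. A real receiver verifies the ICV before updating the window,
        so forged sequence numbers cannot slide it forward."""
        if not self.enabled:
            return True               # replay checking off: every sequence number passes
        if seq == 0:
            return False              # the first packet on an SA uses sequence number 1
        if seq > self.top:            # new high-water mark: slide the window up
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & self.mask if shift < self.size else 1
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False              # older than the window: late or replayed, drop either way
        if (self.bitmap >> offset) & 1:
            return False              # already received: replay
        self.bitmap |= 1 << offset
        return True


def receive_stream(size, seqs, enabled=True):
    """Feed a sequence-number stream through one window; return (accepted, dropped)."""
    win = ReplayWindow(size, enabled)
    accepted, dropped = [], []
    for s in seqs:
        (accepted if win.check_and_update(s) else dropped).append(s)
    return accepted, dropped


# Constructed stream: packet 101 is delayed by 99 positions (reordering on the
# path), and packet 150 is delivered a second time (a replay).
LATE_STREAM = list(range(1, 101)) + list(range(102, 201)) + [101, 150]

if __name__ == "__main__":
    for size in (64, 1024):
        _, dropped = receive_stream(size, LATE_STREAM)
        print(f"window {size:4d}: dropped {dropped}")
    print("replay disabled: dropped", receive_stream(64, LATE_STREAM, enabled=False)[1])
```

With the default 64-packet window the late packet 101 is dropped along with the replay, because once 200 has been accepted the window cannot distinguish a 99-position delay from a replay; with a 1024-packet window the late packet is accepted and only the genuine replay is dropped. With replay checking disabled nothing is dropped, including the replay, which is the trade-off to weigh before using replay disable on a link that reorders heavily.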
crypto ipsec transform-set
To define a transform set (an acceptable combination of security protocols and algorithms), use the crypto ipsec transform-set command in global configuration mode. To delete a transform set, use the no form of this command.
crypto ipsec transform-set name
transform-set submode transform protocol
transform-set submode mode {transport | tunnel}
no crypto ipsec transform-set name
Syntax Description
Defaults
No default behavior or values
Command Modes
Global configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator.
The syntax for the crypto ipsec transform-set command is similar to the crypto ipsec profile command.
Use transform sets to define the IPSec security protocols and algorithms for Authentication Header (AH), Encapsulating Security Payload (ESP), or both.
For AH, use either of the following authentication algorithms:
• ah-md5-hmac: AH-HMAC-Message Digest 5 (MD5) transform
• ah-sha-hmac: AH-HMAC-SHA transform
For ESP, use any of the following cipher algorithms:
• esp-3des: ESP transform using 3DES(EDE) cipher (168 bits)
• esp-des: ESP transform using Digital Encryption Standard (DES) cipher (56 bits)
• esp-aes: ESP transform using Advanced Encryption Standard (AES) cipher (128 bits)
• esp-192-aes: ESP transform using AES cipher (192 bits)
• esp-256-aes: ESP transform using AES cipher (256 bits)
For an optional ESP, use either of the following authentication algorithms:
• esp-md5-hmac: ESP transform using Hashed Message Authentication Code-Message Digest 5 (HMAC-MD5) auth
• esp-sha-hmac: ESP transform using HMAC-SHA auth
Verification of valid transform combinations is done during command-line interface (CLI) configuration. Multiple transform sets can be configured, and then one or more of these transform sets are specified in the crypto profile. The transform set defined in the crypto profile is used in the IPSec SA negotiation to protect the data flows specified by that crypto profile access list. During the negotiation, the peers search for a transform set that is the same at both peers. When such a transform set is found, it is selected and applied to the protected traffic as part of the IPSec SAs for both peers. Changes to an existing transform set affect subsequent SA negotiations.
Examples of acceptable transform combinations to define the IPSec security protocols and algorithms for AH, ESP, or both follow:
• ah-md5-hmac
• esp-des
• esp-3des and esp-md5-hmac
• ah-sha-hmac and esp-des and esp-sha-hmac
The CLI parser prevents you from entering invalid combinations; for example, after you specify an AH transform, you cannot specify another AH transform for the current transform set.
IPSec Protocols: Encapsulation Security Protocol and Authentication Header
Both the ESP and AH protocols implement security services for IPSec.
ESP provides packet encryption and optional data authentication and antireplay services. ESP encapsulates the protected data—either a full IP datagram or only the payload—with an ESP header and ESP trailer.
AH provides data authentication and antireplay services. AH is embedded in the protected data; it inserts an AH header immediately after the outer IP header and before the inner IP datagram or payload.
Traffic that originates and terminates at the IPSec peers can be sent in either tunnel or transport mode; all other traffic is sent in tunnel mode. Tunnel mode encapsulates and protects a full IP datagram; transport mode encapsulates and protects the payload of an IP datagram.
Tip
The following tips can help you select transform sets that are appropriate for your situation:
• If you want to provide data confidentiality, include an ESP encryption transform.
• If you want to ensure data authentication for the outer IP header and the data, include an AH transform. (The benefits of outer IP header data integrity are debatable.)
• If you use an ESP encryption transform, also consider including an ESP authentication transform or an AH transform to provide authentication services for the transform set.
• If you want data authentication (either using ESP or AH), you can choose from the MD5 or SHA (HMAC keyed hash variants) authentication algorithms. The SHA algorithm is generally considered stronger than MD5 but is slower.
Note
Some transforms might not be supported by the IPSec peer.
Suggested transform combinations follow:
• esp-des and esp-sha-hmac
• ah-sha-hmac and esp-des and esp-sha-hmac
Changing Existing Transforms
If one or more transforms are specified in the crypto ipsec transform-set command for an existing transform set, the specified transform replaces the existing transform for that transform set.
Any change to a transform set definition is applied only to crypto profile entries that reference the transform set. The changes are not applied to existing SAs, but are used in subsequent negotiations to establish new SAs. If you want the new settings to take effect sooner, clear all or part of the security association database (SADB) by using the clear crypto ipsec sa command.
You can change the mode that is specified for the transform. This setting is used only when the traffic to be protected has the same IP address as the IPSec peers. (This traffic can be encapsulated either in tunnel or transport mode.) This setting is ignored for all other traffic. (All other traffic is encapsulated in tunnel mode.)
After you define a transform set, you are put into the transform configuration mode. While in this mode you can change the mode to either tunnel or transport. This change applies only to the transform set just defined.
If you use this command to change the mode, the change affects only the negotiation of subsequent IPSec security associations that specify the transform set. (If you want the new settings to take effect sooner, you can clear all or part of the security association database. For more information, see the clear crypto ipsec sa command.)
Transport Mode
With transport mode, only the payload (data) of the original IP packet is protected (encrypted, authenticated, or both). The payload is encapsulated by the IPSec headers and trailers (an Encapsulation Security Protocol [ESP] header and trailer, an Authentication Header [AH], or both). The original IP headers remain intact and are not protected by IPSec.
Use transport mode only when the IP traffic to be protected has IPSec peers as both the source and destination. For example, you could use transport mode to protect router management traffic and for service-gre interfaces. Specifying transport mode allows the router to negotiate with the remote peer whether to use transport or tunnel mode.
Tunnel Mode
With tunnel mode, the entire original IP packet is protected (encrypted, authenticated, or both) and is encapsulated by the IPSec headers and trailers (an ESP header and trailer, an AH, or both). Then a new IP header is prefixed to the packet, specifying the IPSec endpoints as the source and destination.
Tunnel mode can be used with any IP traffic. Tunnel mode must be used if IPSec is protecting traffic from hosts behind the IPSec peers. For example, tunnel mode is used with Virtual Private Networks (VPNs) in which hosts on one protected network send packets to hosts on a different protected network through a pair of IPSec peers. With VPNs, the IPSec peers "tunnel" the protected traffic between the peers while the hosts on their protected networks are the session endpoints.
Task ID
Examples
The following example shows how to define the transform set with an IPSec peer that supports esp-sha-hmac:
RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# crypto ipsec transform-set new
RP/0/0/CPU0:router(config-transform-set new)# transform esp-sha-hmac
The following example shows how to change the mode to transport for a transform set:
RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# crypto ipsec transform-set new
RP/0/0/CPU0:router(config-transform-set new)# mode transport
Related Commands
crypto ipsec transport
To enter IPSec transport configuration mode, use the crypto ipsec transport command in global configuration mode. To exit IPSec transport configuration mode, use the no form of this command.
crypto ipsec transport
no crypto ipsec transport
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
Global configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator.
Authentication Header (AH) and Encapsulating Security Payload (ESP) operate in two IPSec modes, transport and tunnel.
In the transport mode, IP Security (IPSec) protects the Upper Layer Protocol (ULP) header and the payload. IPSec transport mode is used when security is desired end-to-end, that is, security endpoints are the same as host endpoints.
In the tunnel mode, the entire IP datagram is protected, which includes the IP header, the ULP header, and the payload. Tunnel mode is used when security endpoints are not the same as host endpoints. IPSec tunnels can be nested.
All transport mode IPSec traffic must be configured in the crypto ipsec transport mode.
Task ID
Examples
The following example shows that IPSec transport configuration mode is entered and then a crypto profile is configured in this mode:
RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# crypto ipsec transport
RP/0/0/CPU0:router(config-transport)# profile pn1
Related Commands
description (IPSec profile)
To create a description of an IPSec profile, use the description command in profile configuration mode. To delete a profile description, use the no form of this command.
description string
no description
Syntax Description
Defaults
No default behavior or values.
Command Modes
Crypto IPSec profile
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator.
Use the description command inside the profile configuration submode to create a description for an IPSec profile.
Task ID
Examples
The following example shows the creation of a profile description:
RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# crypto ipsec profile newprofile
RP/0/0/CPU0:router(config-newprofile)# description this is a sample profile
Related Commands
Command Description
reverse-route
Configures reverse-route injection (RRI) metrics for a crypto profile.
interface service-ipsec
To create a static IPSec-protected virtual interface, use the interface service-ipsec command in global configuration mode. To delete the static IPSec virtual interface, use the no form of this command.
interface service-ipsec number
no interface service-ipsec number
Syntax Description
Defaults
No default behavior or values
Command Modes
Global configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator.
Use the interface service-ipsec command to enter service-ipsec interface configuration mode.
Task ID
Examples
The following example shows how to use the interface service-ipsec command:
RP/0/RSP00/CPU0:router# configure
RP/0/RSP00/CPU0:router(config)# interface service-ipsec 200
RP/0/RSP00/CPU0:router(config-if)#
Related Commands
interface service-gre
To create a static IPSec-protected generic routing encapsulation (GRE) interface, use the interface service-gre command in global configuration mode. To delete a static IPSec-protected GRE interface, use the no form of this command.
interface service-gre number
no interface service-gre number
Syntax Description
Defaults
No default behavior or values
Command Modes
Global configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator.
Use the interface service-gre command to enter service-gre interface configuration mode.
Task ID
Examples
The following example shows how to use the interface service-gre command:
RP/0/RSP00/CPU0:router# configure
RP/0/RSP00/CPU0:router(config)# interface service-gre 500
RP/0/RSP00/CPU0:router(config-if)#
Related Commands
interface tunnel-ipsec
To create a virtual IPSec-protected tunnel interface, use the interface tunnel-ipsec command in global configuration mode. To delete the IPSec tunnel interface, use the no form of this command.
interface tunnel-ipsec number
no interface tunnel-ipsec number
Syntax Description
Defaults
No default behavior or values
Command Modes
Global configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator.
The interface tunnel-ipsec command is used for virtual tunnel interfaces, which are not implemented on a service card.
Use the interface tunnel-ipsec command to enter tunnel-ipsec interface configuration mode.
Task ID
Examples
The following example shows how to use the interface tunnel-ipsec command:
RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# interface tunnel-ipsec 50000
RP/0/0/CPU0:router(config-if)#
Related Commands
match transform-set
To configure an access control list (ACL) to use for packet classification, and if the packet needs protecting, the transform set to use for IP Security (IPSec) processing, use the match transform-set command in profile configuration mode. To remove the configuration, use the no form of this command.
match acl-name transform-set transform-set-name
no match acl-name transform-set transform-set-name
Syntax Description
Defaults
No default behavior or values
Command Modes
Profile configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator.
For the Cisco IPSec VPN SPA, the crypto IPSec profiles that use this syntax are attached only to the tunnel-ipsec interfaces and service-ipsec interfaces and not to the service-gre interfaces.
You can configure several match transform-set lines under one profile. The following example shows that acl1 and acl2 can match different traffic patterns:
crypto ipsec profile p1
 match acl1 transform-set ts1
 match acl2 transform-set ts2
We do not recommend configuring ACLs that match the same traffic pattern under the same profile.
Task ID
Examples
The following example shows how to specify 101 as the ACL and tset1 as the transform set:
RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# crypto ipsec profile newprofile
RP/0/0/CPU0:router(config-newprofile)# match 101 transform-set tset1
Related Commands
profile
To specify which crypto profile to use for IP Security (IPSec) processing, use the profile command in the appropriate configuration mode. To remove a crypto profile name, use the no form of this command.
profile profile-name
no profile profile-name
Syntax Description
Defaults
No default behavior or values
Command Modes
Transport configuration
Tunnel-ipsec interface configuration
Service-ipsec interface configuration
Service-gre interface configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator.
Use the profile command to specify the profile to use in IPSec processing, and then determine which traffic is protected and how the traffic is protected.
The same profile cannot be shared in different IPSec modes.
The following conditions apply:
• The profile cannot be shared between different tunnel-ipsec interfaces or with transport configuration mode; however, a profile can be shared between different service-ipsec and service-gre interfaces.
• You can configure several profiles under transport and tunnel interfaces. Service-ipsec and service-gre interfaces each have only one profile.
Task ID
Examples
The following example shows a crypto profile being configured:
RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# crypto ipsec transport
RP/0/0/CPU0:router(config-transport)# profile pn1
RP/0/0/CPU0:router(config-transport)# exit
Related Commands
reverse-route
To enable configuration of reverse-route injection (RRI) metrics for a crypto profile entry, based on a routing preference for either statically or dynamically learned routes, use the reverse-route command in profile configuration mode. To cancel RRI metric configuration or revert to a crypto profile, use the no form of this command.
reverse-route {[distance distance value | tag tag value]}
no reverse-route
Syntax Description
Defaults
Default distance is 0, indicating a static route. Statically learned routes take precedence by default.
Command Modes
IPSec profile configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator.
You may configure either the distance or tag keyword, or both, in any order, as desired.
Task ID
Examples
The following example shows how to use the reverse-route command:
RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# crypto ipsec profile myprofile
RP/0/0/CPU0:router(config-myprofile)# reverse-route distance 1 tag 11
Related Commands
Command Description
Configures the IP Security (IPSec) profile and enters profile configuration mode.
service-location (IPSec)
To specify both active and standby locations for the interface, use the service-location command in the appropriate configuration mode. To remove the service location from the interface, use the no form of this command.
service-location preferred-active node-id [preferred-standby node-id [auto-revert]]
no service-location preferred-active node-id [preferred-standby node-id [auto-revert]]
Syntax Description
Defaults
No default behavior or values
Command Modes
service-ipsec interface configuration
service-gre interface configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator.
By using the no form of this command, the features and the interface are removed from the specified location.
The service-location (IPSec) command is configured only under the service-ipsec and service-gre interfaces.
When the service-location command is specified, features of the interface are created on the specified locations. When removing the service-location command, all of the features, such as QoS and IPSec SAs are removed from the location.
A virtual interface must be associated with an IPSec service SPA. All interfaces that share the same objects, for example the same tunnel source and the same front door virtual routing and forwarding (FVRF) instance, must be associated with the same service location.
If a location is specified and there is no Cisco IPSec VPN SPA in this location, the features are not configured on the interface.
Task ID
Examples
The following example shows how to use the service-location command:
RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# interface service-ipsec 500
RP/0/0/CPU0:router(config-if)# service-location preferred-active 0/0/0 preferred-standby 0/1/0
Related Commands
set pfs
To set or reset the perfect forward secrecy (PFS) setting for Internet Key Exchange (IKE) to handle Diffie-Hellman negotiation, use the set pfs command in profile configuration mode. To reset the PFS setting, use the no form of this command.
set pfs {group1 | group2 | group5}
no set pfs {group1 | group2 | group5}
Syntax Description
Defaults
The default is 768-bit Diffie-Hellman (group 1).
Command Modes
Profile configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator.
PFS is a cryptographic characteristic associated with a derived shared secret value. With PFS, if one key is compromised, previous and subsequent keys are not compromised, because subsequent keys are not derived from previous keys.
Task ID
Examples
In the following example, an IP Security (IPSec) profile named myprofile is created and PFS is set to group2:
RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# crypto ipsec profile myprofile
RP/0/0/CPU0:router(config-myprofile)# set pfs group2
set security-association idle-time
To specify the maximum time in which the current peer can be idle before the default peer is used and to override the global configuration, use the set security-association idle-time command in profile configuration mode. To disable this feature, use the no form of this command.
set security-association idle-time seconds
no set security-association idle-time seconds
Syntax Description
seconds
Number of seconds for which the current peer can be idle before the default peer is used. The valid values are 600 to 86400.
Defaults
If none is specified, the global settings are used.
Command Modes
Profile configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator.
Use the set security-association idle-time command if you want the default peer to be used when the current peer times out. When the current peer times out, the connection to that peer is closed.
For more usage information, see the crypto ipsec security-association idle-time command.
Task ID
Examples
The following example shows how to use the set security-association idle-time command:
RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# crypto ipsec profile myprofile
RP/0/0/CPU0:router(config-myprofile)# set security-association idle-time 800
Related Commands
set security-association lifetime
To override, for a particular crypto map entry, the global lifetime value that is used when negotiating IP Security (IPSec) security associations (SAs), use the set security-association lifetime command in profile configuration mode. To reset an SA lifetime to the default value, use the no form of this command.
set security-association lifetime seconds seconds kilobytes kilobytes
no set security-association lifetime seconds seconds kilobytes kilobytes
Syntax Description
Defaults
Default is taken from global configuration.
Command Modes
Profile configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator.
For more usage information, see the crypto ipsec security-association lifetime command.
Task ID
Examples
The following example shows how to shorten lifetimes to reduce the risk that the keys could be compromised. The timed lifetime is shortened to 2700 seconds (45 minutes), and the traffic-volume lifetime is shortened to 2,304,000 KB (10 MBps for 30 minutes).
RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# crypto ipsec profile myprofile
RP/0/0/CPU0:router(config-myprofile)# set security-association lifetime seconds 2700
RP/0/0/CPU0:router(config-myprofile)# set security-association lifetime kilobytes 2304000
Related Commands
set security-association replay disable
To disable replay checking for a particular crypto profile, use the set security-association replay disable command in profile configuration mode.
set security-association replay disable
Syntax Description
This command has no arguments or keywords.
Defaults
Antireplay checking is enabled.
Command Modes
Profile configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator.
You must set the inbound keys.
The set security-association replay disable command overrides the global setting. For more usage information, see the crypto ipsec security-association replay disable command.
Task ID
Examples
The following example shows how to disable replay checking for a particular crypto profile:
RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# crypto ipsec profile myprofile
RP/0/0/CPU0:router(config-myprofile)# set security-association replay disable
Related Commands
Command Description
Configures the IP Security (IPSec) profile and enters profile configuration mode.
Disables antireplay checking globally.
set session-key inbound ah
To manually set the inbound IP Security (IPSec) session key for the Authentication Header (AH) protocol, use the set session-key inbound ah command in profile configuration mode. To remove the IPSec session keys, use the no form of this command.
set session-key inbound ah spi hex-key-data
no set session-key inbound ah
Syntax Description
Defaults
No default behavior or values
Command Modes
Profile configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator.
To create a manual SA, both inbound and outbound keys must be configured. The keys must match the specified transform-set under the profile.
Task ID
Examples
The following example shows how to manually establish security associations and include an AH protocol:
RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# crypto ipsec profile map-p1
RP/0/0/CPU0:router(config-map-p1)# set pfs group1
RP/0/0/CPU0:router(config-map-p1)# set type static
RP/0/0/CPU0:router(config-map-p1)# match acl transform-set ts10
RP/0/0/CPU0:router(config-map-p1)# set session-key inbound ah 1631532061 74353698822494650663329589937693
Related Commands
set session-key inbound esp
To manually set the inbound IP Security (IPSec) session key for the Encapsulation Security Protocol (ESP), use the set session-key inbound esp command in profile configuration mode. To remove the IPSec session keys, use the no form of this command.
set session-key inbound esp spi {cipher hex-key-data | authentication hex-key-data}
no set session-key inbound esp
Syntax Description
Defaults
No default behavior or values
Command Modes
Profile configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator.
If the transform set includes an ESP encryption protocol, you must define IPSec keys for ESP encryption for inbound traffic. If the transform set includes an ESP authentication protocol, you must define IPSec keys for ESP authentication for inbound traffic.
To create a manual SA, both inbound and outbound keys must be configured. The keys match the specified transform-set under the profile.
Task ID
Examples
The following example shows how to manually establish security associations and include an ESP protocol for inbound traffic; session keys are created by using the cipher keyword:
RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# crypto ipsec profile map-p1
RP/0/0/CPU0:router(config-map-p1)# set pfs group1
RP/0/0/CPU0:router(config-map-p1)# set type static
RP/0/0/CPU0:router(config-map-p1)# match acl transform-set ts10
RP/0/0/CPU0:router(config-map-p1)# set session-key inbound esp 1771900421 cipher 799479494599315713206965743872311481573994372323
Related Commands
Command Description
Configures the IP Security (IPSec) profile and enters profile configuration mode.
Specifies the IP Security session key to set the outbound IPSec session key for ESP manually.
set session-key outbound ah
To manually set the outbound IP Security (IPSec) session key for the Authentication Header (AH) protocol, use the set session-key outbound ah command in profile configuration mode. To remove the IPSec session keys, use the no form of this command.
set session-key outbound ah spi hex-key-data
no set session-key outbound ah spi hex-key-data
Syntax Description
Defaults
No default behavior or values
Command Modes
Profile configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator.
To create a manual SA, both inbound and outbound keys must be configured. The keys must match the specified transform set under the profile.
Task ID
Examples
The following example shows how to manually establish security associations and include an AH protocol for outbound traffic:
RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# crypto ipsec profile map-p1
RP/0/0/CPU0:router(config-map-p1)# set pfs group1
RP/0/0/CPU0:router(config-map-p1)# set type static
RP/0/0/CPU0:router(config-map-p1)# match acl transform-set ts10
RP/0/0/CPU0:router(config-map-p1)# set session-key outbound ah 1913957174 44556535898960895859936813538982
Related Commands
set session-key outbound esp
To manually set the outbound IP Security (IPSec) session key for the Encapsulation Security Protocol (ESP), use the set session-key outbound esp command in profile configuration mode. To remove the IPSec session keys, use the no form of this command.
set session-key outbound esp spi {cipher hex-key-data | authentication hex-key-data}
no set session-key outbound esp
Syntax Description
Defaults
No default behavior or values
Command Modes
Profile configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator.
To create a manual SA, both inbound and outbound keys must be configured. The keys must match the specified transform-set under the profile.
Task ID
Examples
The following example shows how to manually establish security associations and include an ESP protocol for outbound traffic; session keys are created by using the cipher and authentication keywords:
RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# crypto ipsec profile map-p1
RP/0/0/CPU0:router(config-map-p1)# set pfs group1
RP/0/0/CPU0:router(config-map-p1)# set type static
RP/0/0/CPU0:router(config-map-p1)# match acl transform-set ts10
RP/0/0/CPU0:router(config-map-p1)# set session-key outbound esp 1658435903 cipher 912193353585357311806395978334388155793849992803
Related Commands
set transform-set
To specify a list of transform sets in priority order, use the set transform-set command in profile configuration mode. To disable this feature, use the no form of this command.
set transform-set transform-set-name
no set transform-set transform-set-name
Syntax Description
transform-set-name
Name of the transform set. You can configure up to five transform sets in priority order. The maximum number of characters is 32.
Defaults
No default behavior or values
Command Modes
Profile configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator.
Profiles that use the set transform-set command are attached only to service-gre interfaces.
Task ID
Examples
The following example shows that the transform set is named ts1:
RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# crypto ipsec profile myprofile
RP/0/0/CPU0:router(config-myprofile)# set transform-set ts1
Related Commands
set type
To set the profile mode type, use the set type command in profile configuration mode. To reset the mode type, use the no form of this command.
set type {static | dynamic}
no set type
Syntax Description
Defaults
The profile mode type is static by default.
Command Modes
Profile configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator.
When configuring a dynamic profile, the interface to which the profile is attached should not be configured with a tunnel destination.
Task ID
Examples
The following example shows that the profile mode type is set to dynamic and IKE TED handling is enabled:
RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# crypto ipsec profile myprofile
RP/0/0/CPU0:router(config-myprofile)# set type dynamic
Related Commands
Command Description
Configures the IP Security (IPSec) profile and enters profile configuration mode.
show crypto engine statistics
To display information for the hardware data path counters that are gathered from the Cisco IPSec VPN SPA, use the show crypto engine statistics command in EXEC mode.
show crypto engine statistics [inbound | outbound] [detail] location node-id
Syntax Description
Defaults
No default behavior or values
Command Modes
EXEC
Command History
Release ModificationRelease 3.5.0
This command was introduced.
Release 3.6.0
No modification.
Release 3.7.0
No modification.
Release 3.8.0
No modification.
Release 3.9.0
No modification.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator.
Task ID
Examples
The following example displays sample output from the show crypto engine statistics command:
RP/0/0/CPU0:router# show crypto engine statistics detail location 0/3/1
Decryption Side Data Path Statistics
====================================
Packets RX.................: 0
Packets TX.................: 0
IPSec Transport Mode.......: 0
IPSec Tunnel Mode..........: 0
AH Packets.................: 0
ESP Packets................: 0
NAT-T Decapsulations.......: 0
Clear......................: 0
ICMP.......................: 0
Packets Drop...............: 0
Authentication Errors......: 0
Decryption Errors..........: 0
Decryption Errors..........: 0
Replay Check Failed........: 0
Policy Check Failed........: 0
Illegal CLear Packet.......: 0
SPD Errors.................: 0
Hard Life Drop.............: 0
Invalid SA.................: 0
SPI No Match...............: 0
Destination No Match.......: 0
Protocol No Match..........: 0
Reassembly Frag RX.........: 0
IPSec Fragments............: 0
IPSec Reasm Done...........: 0
Clear Fragments............: 0
Clear Reasm Done...........: 0
Reasm Datagrams Drop.......: 0
Fragments Drop.............: 0
Decryption Side Controller Statistics
=====================================
Frames RX..................: 0
Bytes RX...................: 0
Mcast/Bcast Frames RX......: 0
RX Less 128Bytes...........: 0
RX Less 512Bytes...........: 0
RX Less 1KBytes............: 0
RX Less 9KBytes............: 0
RX Frames Drop.............: 0
Frames TX..................: 18
Bytes TX...................: 1486
Mcast/Bcast Frames TX......: 0
TX Less 128Bytes...........: 15
TX Less 512Bytes...........: 3
TX Less 1KBytes............: 0
TX Less 9KBytes............: 0
Encryption Side Data Path Statistics
=====================================
Packets RX.................: 0
Packets TX.................: 0
IPSec Transport Mode.......: 0
IPSec Tunnel Mode..........: 0
NAT-T Encapsulations.......: 0
LAF prefragmented..........: 0
Fragmented.................: 0
Clear......................: 0
ICMP.......................: 0
Packets Drop...............: 0
IKE/TED Drop...............: 0
Authentication Errors......: 0
Encryption Errors..........: 0
Fragmentation Failure......: 0
Hard life Drop.............: 0
Invalid SA.................: 0
Reassembly Frag RX.........: 0
Clear Fragments............: 0
Clear Reasm Done...........: 0
Datagrams Drop.............: 0
Fragments Drop.............: 0
Encryption Side Controller Statistics
=====================================
Frames RX..................: 11
Bytes RX...................: 1072
Mcast/Bcast Frames RX......: 0
RX Less 128Bytes...........: 8
RX Less 512Bytes...........: 3
RX Less 1KBytes............: 0
RX Less 9KBytes............: 0
RX Frames Drop.............: 0
Frames TX..................: 0
Bytes TX...................: 0
Mcast/Bcast Frames TX......: 0
TX Less 128Bytes...........: 0
TX Less 512Bytes...........: 0
TX Less 1KBytes............: 0
TX Less 9KBytes............: 0
Related Commands
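An added example (not from the Cisco documentation) that parses this output format and flags the Data Path counters a defender would watch: replay-check failures, authentication and decryption errors, and policy or SPI misses. The counter names are those shown above; the sample text is constructed, with a few non-zero values invented to exercise the checks.

```python
import re
from typing import Dict, List, Tuple

# Data Path counters whose non-zero value warrants investigation: replay
# failures (duplicated or replayed ESP/AH packets), authentication and
# decryption errors (key mismatch or tampering), policy/SPI misses (traffic
# from unexpected peers or a misconfigured profile).  Names are copied from
# the output on this page, including its spelling of "Illegal CLear Packet".
SECURITY_COUNTERS = {
    "Authentication Errors", "Decryption Errors", "Replay Check Failed",
    "Policy Check Failed", "Illegal CLear Packet", "Invalid SA",
    "SPI No Match", "IKE/TED Drop",
}

SECTION_RE = re.compile(r"^(?P<name>.+ Statistics)$")
COUNTER_RE = re.compile(r"^(?P<name>[^.:]+?)\.*\s*:\s*(?P<value>\d+)$")

# Constructed sample in the page's format; the non-zero error counters are
# invented (the page's own output is all zeros).
SAMPLE = """\
RP/0/0/CPU0:router# show crypto engine statistics detail location 0/3/1
Decryption Side Data Path Statistics
====================================
Packets RX.................: 1240
Packets TX.................: 1198
ESP Packets................: 1240
Authentication Errors......: 3
Decryption Errors..........: 0
Decryption Errors..........: 0
Replay Check Failed........: 39
Policy Check Failed........: 0
SPI No Match...............: 0
Decryption Side Controller Statistics
=====================================
Frames RX..................: 1240
RX Frames Drop.............: 0
Encryption Side Data Path Statistics
=====================================
Packets RX.................: 1198
Packets TX.................: 1198
IKE/TED Drop...............: 0
Authentication Errors......: 0
Encryption Errors..........: 0
"""


def parse_engine_stats(text: str) -> Dict[str, Dict[str, int]]:
    """Return {section: {counter: value}} from show crypto engine statistics output."""
    sections: Dict[str, Dict[str, int]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"="} or line.startswith("RP/"):
            continue  # blank line, '=====' underline, or the echoed CLI prompt
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections.setdefault(current, {})
            continue
        m = COUNTER_RE.match(line)
        if m and current is not None:
            name, value = m.group("name").strip(), int(m.group("value"))
            # The page's output lists "Decryption Errors" twice; keep the
            # larger value instead of letting the second line overwrite it.
            sections[current][name] = max(value, sections[current].get(name, 0))
    return sections


def security_findings(stats: Dict[str, Dict[str, int]]) -> List[Tuple[str, str, int]]:
    """(section, counter, value) for every non-zero security-relevant Data Path counter."""
    return [
        (section, name, value)
        for section, counters in stats.items()
        if "Data Path" in section  # controller (frame-size) stats carry no security signal
        for name, value in counters.items()
        if name in SECURITY_COUNTERS and value > 0
    ]


def replay_failure_ratio(stats: Dict[str, Dict[str, int]]) -> float:
    """Fraction of packets received on the decryption side that failed the replay check."""
    dec = stats.get("Decryption Side Data Path Statistics", {})
    rx = dec.get("Packets RX", 0)
    return dec.get("Replay Check Failed", 0) / rx if rx else 0.0


if __name__ == "__main__":
    stats = parse_engine_stats(SAMPLE)
    for section, name, value in security_findings(stats):
        print(f"{section}: {name} = {value}")
    print(f"replay failure ratio: {replay_failure_ratio(stats):.3%}")
```

Running the same parser over output collected before and after a change (or periodically via a collector) turns these counters into a simple detection signal; a growing Replay Check Failed count on an SA whose peer has not changed is worth a closer look.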
show crypto ipsec interface
To display the crypto IPSec interface, use the show crypto ipsec interface command in EXEC mode.
show crypto ipsec interface {service-gre number | service-ipsec number | tunnel-ipsec number}
Syntax Description
Defaults
No default behavior or values
Command Modes
EXEC
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator.
Task ID
Examples
The following sample output is for the service-ipsec interface:
RP/0/0/CPU0:router# show crypto ipsec interface service-ipsec 1
--------------- IPSec interface ----------------
Interface service-ipsec1, mode Tunnel, intf_handle 0x5000180
Locations 0/1/1, 0/2/0 VRF default (60000000)
Number of profiles 0, number of flows 0
Tunnel: source 0.0.0.0, destination 0.0.0.0, tunnel VRF default
DF-bit: copy, pre-fragmentation enable
default pmtu: 9216
No flows on this interface.
Table 9 describes the significant fields shown in the display.
Related Commands
Command Description
Creates a static IPSec-protected generic routing encapsulation (GRE) interface.
Creates a static IPSec virtual interface.
Creates a virtual IPSec tunnel interface.
show crypto ipsec profile
To display crypto profiles that are defined on a router, use the show crypto ipsec profile command in EXEC mode.
show crypto ipsec profile [profile name]
Syntax Description
Defaults
No default behavior or values
Command Modes
EXEC
Command History
Release ModificationRelease 3.5.0
This command was introduced.
Release 3.6.0
No modification.
Release 3.7.0
No modification.
Release 3.8.0
No modification.
Release 3.9.0
No modification.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator.
If no profile is specified, all profiles are displayed.
Task ID
Examples
The following sample output is from the show crypto ipsec profile command:
RP/0/0/CPU0:router# show crypto ipsec profile
Crypto Profile: ipsec1
Profile is Static
Anti Replay Enable
Interfaces using this profile:(service-ipsec/gre)
service-ipsec100
ACLs matched by this profile:
acl-1 :
Transform-sets:
tsfm1,
Crypto Profile: gre
Profile is Static
Anti Replay Enable
Interfaces using this profile:(service-ipsec/gre)
service-gre1
ACLs matched by this profile:
Transform-sets:
tsfm2,
Related Commands
Command Description
Configures the IP Security (IPSec) profile and enters profile configuration mode.
show crypto ipsec sa
To display security association (SA) information based on the rack/slot/module location, use the show crypto ipsec sa command in EXEC mode.
show crypto ipsec sa [sa-id | peer ip-address | profile profile-name | detail | fvrf fvrf-name | ivrf ivrf-name | location node-id]
Syntax Description
Command Modes
EXEC
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator.
If no optional argument or keyword is used, all SAs are displayed within a flow. Within a flow, the SAs are listed by protocol (Encapsulating Security Payload [ESP] or Authentication Header [AH]) and direction (inbound or outbound).
The detail keyword provides additional information only for SAs that are configured in a software crypto engine. The SAs are configured by using tunnel-ipsec and transport.
Task ID
Examples
The following sample output is from the show crypto ipsec sa command:
RP/0/0/CPU0:router# show crypto ipsec sa
SA id: 510
Node id: 0/1/0
SA Type: MANUAL
interface: service-ipsec22
profile : p7
local ident (addr/mask/prot/port) : (0.0.0.0/0.0.0.255/512/0)
remote ident (addr/mask/prot/port) : (0.0.0.0/0.0.0.0/512/0)
local crypto endpt: 0.0.0.0, remote crypto endpt: 0.0.0.0, vrf default
#pkts tx :0 #pkts rx :0
#bytes tx :0 #bytes rx :0
#pkts encrypt :0 #pkts decrypt :0
#pkts digest :0 #pkts verify :0
#pkts encrpt fail:0 #pkts decrpt fail:0
#pkts digest fail:0 #pkts verify fail:0
#pkts replay fail:0
#pkts tx errors :0 #pkts rx errors :0
outbound esp sas:
spi: 0x322(802)
transform: esp-3des-md5
in use settings = Tunnel
sa agreed lifetime: 3600s, 4194303kb
sa timing: remaining key lifetime: 3142303931sec/0kb
sa DPD: disable, mode none, timeout 0s
sa idle timeout: disable, 0s
sa anti-replay (HW accel): enable, window 64
inbound esp sas:
spi: 0x322(802)
transform: esp-3des-md5
in use settings = Tunnel
sa agreed lifetime: 3600s, 4194303kb
sa timing: remaining key lifetime: 3142303931sec/0kb
sa DPD: disable, mode none, timeout 0s
sa idle timeout: disable, 0s
sa anti-replay (HW accel): enable, window 64
Table 10 describes the significant fields shown in the display.
The following sample output is from the show crypto ipsec sa command for the profile keyword for a profile named pn1:
RP/0/0/CPU0:router# show crypto ipsec sa profile pn1
SA id: 2
interface: tunnel0
profile: pn1
local ident (addr/mask/prot/port): (172.19.70.92/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (172.19.72.120/255.255.255.255/0/0)
local crypto endpt: 172.19.70.92, remote crypto endpt: 172.19.72.120
outbound esp sas:
spi: 0x8b0e950f (2332988687)
transform: esp-3des-sha
in use settings = Tunnel
sa lifetime: 3600s, 4194303kb
SA id: 2
interface: tunnel0
profile: pn1
local ident (addr/mask/prot/port): (172.19.72.120/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (172.19.70.92/255.255.255.255/0/0)
local crypto endpt: 172.19.72.120, remote crypto endpt: 172.19.70.92
inbound esp sas:
spi: 0x2777997c (662149500)
transform: esp-3des-sha
in use settings = Tunnel
sa lifetime: 3600s, 4194303kb
The following sample output is from the show crypto ipsec sa command for the peer keyword:
RP/0/0/CPU0:router# show crypto ipsec sa peer 172.19.72.120
SA id: 2
interface: tunnel0
profile: pn1
local ident (addr/mask/prot/port): (172.19.70.92/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (172.19.72.120/255.255.255.255/0/0)
local crypto endpt: 172.19.70.92, remote crypto endpt: 172.19.72.120
outbound esp sas:
spi: 0x8b0e950f (2332988687)
transform: esp-3des-sha
in use settings = Tunnel
sa lifetime: 3600s, 4194303kb
SA id: 2
interface: tunnel0
profile: pn1
local ident (addr/mask/prot/port): (172.19.72.120/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (172.19.70.92/255.255.255.255/0/0)
local crypto endpt: 172.19.72.120, remote crypto endpt: 172.19.70.92
inbound esp sas:
spi: 0x2777997c (662149500)
transform: esp-3des-sha
in use settings = Tunnel
sa lifetime: 3600s, 4194303kb
show crypto ipsec statistics
To display global IPSec statistics for all inside VRF (IVRF) instances, or for one IVRF, use the show crypto ipsec statistics command in EXEC mode.
show crypto ipsec statistics [ivrf [vrf name]]
Syntax Description
ivrf vrf name
(Optional) Restricts the output to existing SAs whose inside VRF (IVRF) matches the specified vrf name. If ivrf is given without a name, the default VRF is used.
Defaults
No default behavior or values
Command Modes
EXEC
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator.
You can use the show crypto ipsec statistics command with the following results:
• With no keyword, displays the statistics of all the VRFs that are associated with IPSec.
• With the ivrf keyword alone, displays the statistics of the default VRF.
• With the ivrf keyword and the vrf name argument, displays the statistics of the specified VRF.
Task ID
Examples
The following sample output displays the statistics of all the VRFs that are associated to IPSec from the show crypto ipsec statistics command:
RP/0/0/CPU0:router# show crypto ipsec statistics
VRF: default (VRF ID: 60000000)
Active Tunnels : 1
Expired Tunnels: 0
pkts tx :0 pkts rx :0
bytes tx :0 bytes rx :0
pkts encrypt :0 pkts decrypt :0
pkts digest :0 pkts verify :0
pkts encrpt fail:0 pkts decrpt fail:0
pkts digest fail:0 pkts verify fail:0
pkts replay fail:0
pkts No SA fails:0
pkts sys cap fails:0
pkts tx errors :0 pkts rx errors :0
Table 11 describes the significant fields shown in the display.
show crypto ipsec summary
To display IP Security (IPSec) summary information, use the show crypto ipsec summary command in EXEC mode.
show crypto ipsec summary
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
EXEC
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator.
Task ID
Examples
The following sample output is from the show crypto ipsec summary command:
RP/0/0/CPU0:router# show crypto ipsec summary
# * Attached to a transform indicates a bundle
# Active IPSec Sessions: 1
SA   Interface         Local Peer/Port  Remote Peer/Port  FVRF     Profile  Transform      Lifetime
------------------------------------------------------------------------------------------
502  service-ipsec100  70.70.70.2/500   60.60.60.2/500    default  ipsec1   esp-3des esp   3600/100000000
Table 12 describes the significant fields shown in the display.
show crypto ipsec transform-set
To display the configured transform sets, use the show crypto ipsec transform-set command in EXEC mode.
show crypto ipsec transform-set [transform-set-name]
Syntax Description
transform-set-name
(Optional) Displays only the IPSec transform set whose name matches the transform-set-name argument.
Defaults
No default values. The default behavior is to print all the available transform-sets.
Command Modes
EXEC
Command History
Release ModificationRelease 3.5.0
This command was introduced.
Release 3.6.0
No modification.
Release 3.7.0
No modification.
Release 3.8.0
No modification.
Release 3.9.0
No modification.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator.
If no transform set is specified, all transform sets are displayed.
Task ID
Examples
The following sample output is from the show crypto ipsec transform-set command:
RP/0/0/CPU0:router# show crypto ipsec transform-set
Transform set combined-des-sha: {esp-des esp-sha-hmac}
Transform set tsfm2: {esp-md5-hmac esp-3des }
Mode: Transport
Transform set tsfm1: {esp-md5-hmac esp-3des }
Mode: Tunnel
Transform set ts1: {esp-des }
Mode: Tunnel
Related Commands
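The show crypto ipsec sa and show crypto ipsec transform-set outputs above are what an auditor reads to find tunnels that still run DES, 3DES or MD5, manually keyed SAs whose keys never rotate, and SAs with anti-replay turned off. The following script is an added example, not part of this reference and not Cisco code: it parses the two outputs exactly as this page prints them (the sample text is copied from the page and abridged) and returns findings. The WEAK_TRANSFORMS policy and the field layout it matches on are the example's own assumptions.

```python
"""Audit 'show crypto ipsec sa' / 'show crypto ipsec transform-set' text.

Added example (not Cisco IOS XR code). Assumes the line formats shown in
the command reference; anything else is ignored rather than guessed at.
"""
import re

# Policy assumption for this example: transforms a practitioner would flag.
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null",
                   "ah-md5-hmac", "esp-3des-md5", "esp-des-md5"}

# Constructed sample: copied from the page's 'show crypto ipsec transform-set' output.
TRANSFORM_SET_OUTPUT = """\
Transform set combined-des-sha: {esp-des esp-sha-hmac}
Transform set tsfm2: {esp-md5-hmac esp-3des }
Mode: Transport
Transform set tsfm1: {esp-md5-hmac esp-3des }
Mode: Tunnel
Transform set ts1: {esp-des }
Mode: Tunnel
"""

# Constructed sample: abridged from the page's 'show crypto ipsec sa' output.
SA_OUTPUT = """\
SA id: 510
Node id: 0/1/0
SA Type: MANUAL
interface: service-ipsec22
profile : p7
#pkts replay fail:0
outbound esp sas:
spi: 0x322(802)
transform: esp-3des-md5
in use settings = Tunnel
sa agreed lifetime: 3600s, 4194303kb
sa anti-replay (HW accel): enable, window 64
inbound esp sas:
spi: 0x322(802)
transform: esp-3des-md5
in use settings = Tunnel
sa anti-replay (HW accel): enable, window 64
"""


def parse_transform_sets(text):
    """Return {name: {"transforms": [..], "mode": str or None}}."""
    sets, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Transform set (\S+): \{([^}]*)\}", line)
        if m:
            current = m.group(1)
            sets[current] = {"transforms": m.group(2).split(), "mode": None}
            continue
        m = re.match(r"Mode: (\S+)", line)
        if m and current:
            sets[current]["mode"] = m.group(1)
    return sets


def weak_transform_sets(text):
    """Names of transform sets that include any transform in WEAK_TRANSFORMS."""
    return sorted(name for name, ts in parse_transform_sets(text).items()
                  if any(t in WEAK_TRANSFORMS for t in ts["transforms"]))


def parse_sas(text):
    """Split SA output into one record per 'SA id:' block."""
    records = []
    for chunk in re.split(r"(?m)^SA id: ", text)[1:]:
        head, _, body = chunk.partition("\n")
        rec = {"id": head.strip(), "type": None, "transforms": [],
               "anti_replay": None, "replay_fail": 0}
        m = re.search(r"SA Type: (\S+)", body)
        if m:
            rec["type"] = m.group(1)
        rec["transforms"] = re.findall(r"transform: (\S+)", body)
        m = re.search(r"sa anti-replay[^:]*: (\w+)", body)   # enable / disable
        if m:
            rec["anti_replay"] = m.group(1)
        m = re.search(r"#pkts replay fail:(\d+)", body)
        if m:
            rec["replay_fail"] = int(m.group(1))
        records.append(rec)
    return records


def audit_sas(text):
    """Return a list of human-readable findings for the SAs in text."""
    findings = []
    for rec in parse_sas(text):
        sa = "SA %s" % rec["id"]
        if rec["type"] == "MANUAL":
            findings.append(sa + ": manually keyed, keys never rotate")
        weak = [t for t in rec["transforms"] if t in WEAK_TRANSFORMS]
        if weak:
            findings.append(sa + ": weak transform " + weak[0])
        if rec["anti_replay"] == "disable":
            findings.append(sa + ": anti-replay disabled")
        if rec["replay_fail"]:
            findings.append(sa + ": %d replay failures" % rec["replay_fail"])
    return findings


if __name__ == "__main__":
    print("weak transform sets:", weak_transform_sets(TRANSFORM_SET_OUTPUT))
    for f in audit_sas(SA_OUTPUT):
        print(f)
```

Run it against saved output from the router (for example, text captured over an SSH session) rather than the embedded samples; a non-zero #pkts replay fail count on a live SA is worth correlating with the crypto engine statistics described earlier in this module.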
tunnel destination (IPSec)
To specify the destination for a tunnel interface, use the tunnel destination command in interface configuration mode. To remove the destination, use the no form of this command.
tunnel destination ip-address
no tunnel destination ip-address
Syntax Description
Defaults
No tunnel interface destination is specified.
Command Modes
Interface configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator.
Use the tunnel destination command to configure the destination address for an IP Security (IPSec) tunnel.
You should not have two tunnels using the same encapsulation mode with the same source and destination address.
Task ID
Examples
The following example shows how to configure the tunnel destination 172.19.72.120:
RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# interface tunnel-ip 25
RP/0/0/CPU0:router(config-if)# tunnel source 172.19.70.92
RP/0/0/CPU0:router(config-if)# tunnel destination 172.19.72.120
RP/0/0/CPU0:router(config-if)# profile pn1
Related Commands
tunnel source (IPSec)
To specify the source address for a tunnel interface, use the tunnel source command in interface configuration mode. To remove the source address, use the no form of this command.
tunnel source {ip-address| type interface-path-id}
no tunnel source
Syntax Description
Defaults
No tunnel interface source address or interface is specified.
Command Modes
Interface configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator.
Use the tunnel source command to configure the source address or interface type and instance for an IP Security tunnel.
Task ID
Examples
The following example shows how to configure the tunnel source 172.19.72.92:
RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# interface tunnel-ip 25
RP/0/0/CPU0:router(config-if)# tunnel source 172.19.72.92
RP/0/0/CPU0:router(config-if)# tunnel destination 172.19.72.120
RP/0/0/CPU0:router(config-if)# profile pn1
Related Commands
tunnel vrf (IPSec)
To associate a VRF instance with a specific tunnel destination, interface, or subinterface, use the tunnel vrf command in interface configuration mode. To disassociate a VRF from the tunnel destination, use the no form of this command.
tunnel vrf vrf-name
no tunnel vrf vrf-name
Syntax Description
Defaults
The default destination is determined by the global routing table.
Command Modes
Interface configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator.
The tunnel source and destination must be in the same VRF.
Either the IP VRF or the tunnel VRF can be set to the global routing table (using the no vrf forwarding command or the no tunnel vrf command).
The tunnel is disabled if no route to the tunnel destination is defined. If the tunnel VRF is set, there must be a route to that destination in the VRF.
Task ID
Examples
The following example shows how to associate VRF forwarding with either tunnel destination or tunnel source:
RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# interface service-ipsec 1
RP/0/0/CPU0:router(config-if)# tunnel vrf forwarding
RP/0/0/CPU0:router(config-if)# tunnel source 172.19.72.92
RP/0/0/CPU0:router(config-if)# tunnel destination 172.19.62.82
RP/0/0/CPU0:router(config-if)# service-location preferred-active 0/0/0 preferred-standby 0/1/0
Related Commands
Command DescriptionSpecifies both active and standby locations for the interface.
Specifies the destination for a tunnel interface.
Specifies the source address for a tunnel interface.