ISAKMP Configuration Mode Commands


ISAKMP Configuration Mode Commands
 
 
The ISAKMP Configuration Mode is used to configure Internet Security Association Key Management Protocol (ISAKMP) policies that are used to define Internet Key Exchange (IKE) security associations (SAs).
Modification(s) to an existing ISAKMP policy configuration will not take effect until the related security association has been cleared. Refer to the clear crypto security-association command located in the Exec Mode Commands chapter of the Command Line Interface Reference for more information.
 
Important: The commands or keywords/variables that are available are dependent on platform type, product version, and installed license(s).
 
authentication
Configures the ISAKMP policy authentication mode.
Product
PDSN, HA, GGSN
Privilege
Security Administrator, Administrator
Syntax
authentication preshared-key
[ default | no ] authentication
default
Restores the default setting of this parameter. The command is enabled by default.
no
Disables the preshared key authentication mode.
preshared-key
Specifies that the policy will be authenticated through the use of the pre-shared key.
Usage
When the system is configured to use ISAKMP-type crypto maps for establishing IPSec tunnels, this command is used to indicate that the policy will be authenticated through the use of the pre-shared key configured in the ISAKMP crypto map.
Example
The following command sets policy authentication mode to use a pre-shared key:
authentication preshared-key
 
encryption
Configures the encryption protocol to use to protect subsequent IKE SA negotiations.
Product
PDSN, HA, GGSN
Privilege
Security Administrator, Administrator
Syntax
encryption { 3des-cbc | des-cbc }
[ default | no ] encryption
default
Restores the default setting of this parameter.
no
Removes a previously configured encryption type.
3des-cbc
Specifies that the encryption protocol is Triple Data Encryption Standard (3DES) in chain block (CBC) mode.
des-cbc
Specifies that the encryption protocol is DES in CBC mode. This is the default setting.
Usage
Once the D-H exchange between the system and the security gateway has been successfully completed, subsequent IKE SA negotiations will be protected using the protocol specified by this command.
Example
The following command sets the IKE encryption method to 3des-cbc.
encryption 3des-cbc
 
end
Exits the current configuration mode and returns to the Exec mode.
Product
PDSN, HA, GGSN
Privilege
Security Administrator, Administrator
Syntax
end
Usage
Returns to the Exec mode.
 
exit
Exits the current configuration mode and returns to the Context configuration mode.
Product
PDSN, HA, GGSN
Privilege
Security Administrator, Administrator
Syntax
exit
Usage
Return to the Context Configuration mode.
 
group
Configures the Oakely group (also known as the Diffie-Hellman (D-H ) group) in which the D-H exchange occurs.
Product
PDSN, HA, GGSN
Privilege
Security Administrator, Administrator
Syntax
group { 1 | 2 | 5 }
[ default | no ] group
default
Restores the default setting of this parameter.
no
Removes a previously configured group.
{ 1 | 2 | 5 }
Default: 1
The number of the Oakley group. The following groups are allowed:
1 : Enables Oakley Group 1 using a 768-bit modp as defined in RFC 2409.
2 : Enables Oakley Group 2, using a 1024-bit modp as defined in RFC 2409.
5 : Enables Oakley Group 5, using a 1536-bit modp as defined in RFC 3526.
Usage
Specifies the Oakley group that determine the length of the base prime numbers that are used during the key exchange process.
Example
The following command sets the group to 5 which specifies 1536-bit base prime numbers.
group 5
 
hash
Configures the IKE hash protocol to use during IKE SA negotiations.
Product
PDSN, HA, GGSN
Privilege
Security Administrator, Administrator\
Syntax
hash { md5 | sha1 }
[ default | no ] hash
default
Restores the default setting of this parameter.
no
Removes a previously configured hash algorithm.
md5
Specifies that the hash protocol is Message Digest 5 truncated to 96 bits.
sha1
Specifies that the hash protocol is Secure Hash Algorithm-1 truncated to 96 bits. This is the default setting for this command.
Usage
Use this command to configure the hash algorithm used during key negotiation.
Example
Set the hash algorithm to Message-Digest 5 by entering the following command:
hash md5
 
lifetime
Configures the lifetime of the IKE Security Association (SA).
Product
PDSN, HA, GGSN
Privilege
Security Administrator, Administrator
Syntax
lifetime seconds
default lifetime
default
Restores the default setting of this parameter.
seconds
Default: 86400
The number of seconds for the SA to live. seconds must be an integer from 60 to 86400.
Usage
Use this command to set the time that an ISAKMP SA will be valid. The lifetime is negotiated with the peer and the lowest configured lifetime duration is used.
Example
The following command sets the SA lifetime to 100 seconds:
lifetime 100
 
 

Cisco Systems Inc.
Tel: 408-526-4000
Fax: 408-527-0883