ISAKMP Configuration Mode Commands

The ISAKMP Configuration Mode is used to configure Internet Security Association Key Management Protocol (ISAKMP) policies that are used to define Internet Key Exchange (IKE) security associations (SAs).

Modification(s) to an existing ISAKMP policy configuration will not take effect until the related security association has been cleared. Refer to the clear crypto security-association command described in the Exec Mode (A–C) Commands chapter for more information.

IMPORTANT:

The commands or keywords/variables that are available are dependent on platform type, product version, and installed license(s).

authentication

Configures the ISAKMP policy authentication mode.

Platform:

ASR 5000

Product:

PDSN, HA, GGSN


Privilege:

Security Administrator, Administrator


Syntax 
authentication preshared-key

[ default | no ] authentication
default authentication

Restores the default setting of this parameter. This command is enabled by default.

no authentication

Disables the preshared key authentication mode.

preshared-key

Specifies that the policy will be authenticated through the use of the pre-shared key.


Usage:

When the system is configured to use ISAKMP-type crypto maps for establishing IPSec tunnels, this command is used to indicate that the policy will be authenticated through the use of the pre-shared key configured in the ISAKMP crypto map.


Example:
The following command sets policy authentication mode to use a pre-shared key:
authentication preshared-key
encryption

Configures the encryption protocol to use to protect subsequent IKE SA negotiations.

Platform:

ASR 5000

Product:

PDSN, HA, GGSN


Privilege:

Security Administrator, Administrator


Syntax 
encryption { 3des-cbc | aes-cbc-128 | aes-cbc-256 | des-cbc }[ default | no ] encryption
default encryption

Restores the default setting of this parameter.

no encryption

Removes a previously configured encryption type.

3des-cbc

Specifies that the encryption protocol is Triple Data Encryption Standard (3DES) in chain block (CBC) mode.

aes-cbc-128

Specifies that the encryption protocol is Advanced Encryption Standard (AES) in CBC mode with a 128-bit key.

aes-cbc-256

Specifies that the encryption protocol is Advanced Encryption Standard (AES) in CBC mode with a 256-bit key.

des-cbc

Specifies that the encryption protocol is DES in CBC mode. This is the default setting.


Usage:

Once the D-H exchange between the system and the security gateway has been successfully completed, subsequent IKE SA negotiations will be protected using the protocol specified by this command.


Example:
The following command sets the IKE encryption method to 3des-cbc:
encryption 3des-cbc
end

Exits the current configuration mode and returns to the Exec mode.

Product:

All


Privilege:

Security Administrator, Administrator


Syntax 
end

Usage:

Use this command to return to the Exec mode.

exit

Exits the current mode and returns to the parent configuration mode.

Product:

All


Privilege:

Security Administrator, Administrator


Syntax 
exit

Usage:

Use this command to return to the parent configuration mode.

group

Configures the Oakely group (also known as the Diffie-Hellman [D-H] group) in which the D-H exchange occurs.

Platform:

ASR 5000

Product:

PDSN, HA, GGSN


Privilege:

Security Administrator, Administrator


Syntax 
group { 1 | 2 | 5 }[ default | no ] group
default group

Restores the default setting of this parameter.

no group

Removes a previously configured group.

{ 1 | 2 | 5 }

Default: 1

Specifies the number of the Oakley group. The following groups are allowed:
  • 1: Enables Oakley Group 1 using a 768-bit modp as defined in RFC 2409.
  • 2: Enables Oakley Group 2, using a 1024-bit modp as defined in RFC 2409.
  • 5: Enables Oakley Group 5, using a 1536-bit modp as defined in RFC 3526.

Usage:

Specifies the Oakley group that determine the length of the base prime numbers that are used during the key exchange process.


Example:
The following command sets the group to 5 which specifies 1536-bit base prime numbers:
group 5
hash

Configures the IKE hash protocol to use during IKE SA negotiations.

Platform:

ASR 5000

Product:

PDSN, HA, GGSN


Privilege:

Security Administrator, Administrator\


Syntax 
hash { md5 | sha1 } 

[ default | no ] hash
default

Restores the default setting of this parameter.

no

Removes a previously configured hash algorithm.

md5

Specifies that the hash protocol is Message Digest 5 truncated to 96 bits.

sha1

Specifies that the hash protocol is Secure Hash Algorithm-1 truncated to 96 bits. This is the default setting for this command.


Usage:

Use this command to configure the hash algorithm used during key negotiation.


Example:
Set the hash algorithm to Message-Digest 5 by entering the following command:
hash md5
lifetime

Configures the lifetime of the IKE Security Association (SA).

Platform:

ASR 5000

Product:

PDSN, HA, GGSN


Privilege:

Security Administrator, Administrator


Syntax 
lifetime secondsdefault lifetime
default lifetime

Restores the default setting of this parameter.

seconds

Default: 86400

The number of seconds for the SA to live. seconds must be an integer from 60 to 86400.


Usage:

Use this command to set the time that an ISAKMP SA will be valid. The lifetime is negotiated with the peer and the lowest configured lifetime duration is used.


Example:
The following command sets the SA lifetime to 100 seconds:
lifetime 100