Creating IKE Policies
IPsec and long keys (the “k9” subsystem) must be supported.
AES cannot encrypt IPsec and IKE traffic if an acceleration card is present.
enable
configure terminal
crypto isakmp policy 10
encryption aes 256
hash sha
authentication pre-share
group 14
end
Clear (and reinitialize) IPsec SAs by using the clear crypto sa EXEC command.
Using the clear crypto sa command without parameters will clear out the full SA database, which will clear out active security sessions. You may also specify the peer, map, or entry keywords to clear out only a subset of the SA database. For more information, see the clear crypto sa command in the Cisco IOS Security Command Reference.
The default policy and default values for configured policies do not show up in the configuration when you issue the show running-config command. To display the default policy and any default values within configured policies, use the show crypto isakmp policy command.
Any IPsec transforms or IKE encryption methods that the current hardware does not support should be disabled; they are ignored whenever an attempt to negotiate with the peer is made.
If a user enters an IPsec transform or an IKE encryption method that the hardware does not support, a warning message will be generated. These warning messages are also generated at boot time. When an encryption card is inserted, the current configuration is scanned. If any IPsec transforms or IKE encryption methods are found that are not supported by the hardware, a warning message will be generated.
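The following is an added example, not part of the Cisco documentation or of IOS itself. It performs offline the same kind of check the text describes IOS doing at boot and on card insertion: it parses the crypto isakmp policy blocks from a copy of show running-config output, fills in the defaults that show running-config omits, and reports any policy whose encryption method is not in a constructed list of hardware-supported transforms, plus any attribute a policy leaves at its hidden default. The sample configuration and the HARDWARE_SUPPORTED_ENCRYPTION set are constructed for this example; the DEFAULTS table reflects the well-known IOS ISAKMP defaults and should be confirmed against show crypto isakmp policy on the device.

```python
import re

# Constructed sample, in the shape of `show running-config | section crypto isakmp`
SAMPLE_RUNNING_CONFIG = """\
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp policy 20
 encr 3des
 authentication pre-share
crypto isakmp policy 30
 hash md5
 authentication pre-share
 group 14
"""

# Well-known IOS ISAKMP policy defaults; `show running-config` omits these,
# so the audit has to fill them in (verify against `show crypto isakmp policy`).
DEFAULTS = {"encryption": "des", "hash": "sha",
            "authentication": "rsa-sig", "group": "1"}

# Constructed assumption: the transforms the local encryption card supports.
HARDWARE_SUPPORTED_ENCRYPTION = {"aes 128", "aes 192", "aes 256", "3des"}


def parse_isakmp_policies(config_text):
    """Return {priority: {"attrs": {...}, "explicit": set(...)}} for every
    `crypto isakmp policy` block, with unset attributes filled from DEFAULTS."""
    policies = {}
    current = None
    for raw in config_text.splitlines():
        header = re.match(r"crypto isakmp policy (\d+)\s*$", raw)
        if header:
            current = {"attrs": dict(DEFAULTS), "explicit": set()}
            policies[int(header.group(1))] = current
            continue
        if current is None or not raw.startswith(" "):
            current = None          # any non-indented line ends the block
            continue
        key, _, value = raw.strip().partition(" ")
        if key in ("encr", "encryption"):
            key = "encryption"      # IOS abbreviates the keyword on display
        if key in DEFAULTS:
            current["attrs"][key] = value.strip()
            current["explicit"].add(key)
    return policies


def audit_policies(policies, supported=HARDWARE_SUPPORTED_ENCRYPTION):
    """Return warning strings: encryption methods the hardware cannot handle
    (IKE ignores such policies during negotiation) and attributes left at
    defaults that show running-config does not display."""
    warnings = []
    for prio in sorted(policies):
        attrs, explicit = policies[prio]["attrs"], policies[prio]["explicit"]
        if attrs["encryption"] not in supported:
            warnings.append(
                f"policy {prio}: encryption '{attrs['encryption']}' is not "
                "supported by the hardware and will be ignored in negotiation")
        for key in ("encryption", "hash", "authentication", "group"):
            if key not in explicit:
                warnings.append(
                    f"policy {prio}: {key} not set, relying on default "
                    f"'{attrs[key]}' (hidden from show running-config)")
    return warnings


if __name__ == "__main__":
    for line in audit_policies(parse_isakmp_policies(SAMPLE_RUNNING_CONFIG)):
        print(line)
```

Run against the constructed sample, policy 10 passes cleanly, policy 20 is reported for relying on the hidden hash and group defaults, and policy 30 is reported because its implicit DES encryption is absent from the supported set, which is exactly the case the text says produces a warning and causes the policy to be skipped when negotiating with a peer.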