StarOS CLI commands support the creation of local and remote pre-shared keys (PSKs) associated with crypto maps and crypto templates. Refer to the descriptions of the crypto map and crypto template commands in the Context Configuration Mode Commands chapter of the Command Line Interface Reference.
StarOS also allows the operator to configure a remote secret list that contains PSKs keyed by remote ID type. The remote secret list can contain up to 1000 entries, and only one remote secret list is supported per system. The remote secret list is bound to a crypto map and/or a crypto template.
Each entry in the remote secret list consists of either an alphanumeric string of 1 through 255 characters or a hexadecimal string of 16 through 444 bytes.
The general sequence for implementing the use of a remote PSK is as follows:

1. The initiator sends an IKE_INIT_REQUEST to the responder.
2. The responder replies with an IKE_INIT_RESPONSE.
3. When the IKE_INIT_RESPONSE is received, the initiator sends an IKE_AUTH_REQUEST to the responder along with its peer ID.
4. When the responder receives the IKE_AUTH_REQUEST, it derives the peer ID from the IKE_AUTH_REQUEST and uses it to search the remote secret list for the PSK. If a remote secret list is bound to the respective crypto map or template, the responder takes the PSK from the list. Otherwise, it takes the remote PSK configured on the crypto map or template itself.
Supported IKE ID Types

The following IKE ID types are supported in a remote secret list entry (the corresponding IKEv2 Identification payload type from RFC 7296, section 3.5, is given in parentheses where one exists):

- IP address (IPv4 and IPv6 address notations)
- IPv4 address (in dotted-decimal notation; ID_IPV4_ADDR)
- Fully Qualified Domain Name (ID_FQDN)
- IPv6 address (in colon-separated notation; ID_IPV6_ADDR)
- Distinguished Name (Abstract Syntax Notation One – Distinguished Name; ID_DER_ASN1_DN)
- General Name (Abstract Syntax Notation One – General Name; ID_DER_ASN1_GN)
A group of remote clients can be configured to use a separate pre-shared key, even if they are using the same crypto map or crypto template.
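The lookup sequence above, and the point that several peers on one crypto map can each carry their own key, are easier to see in code. The following is an added example written for this page, not StarOS code: it models a remote secret list keyed by (ID type, ID value), the bound-list-first precedence the responder applies in step 4, and the IKEv2 shared-key AUTH computation from RFC 7296 section 2.15 that the selected PSK feeds, with HMAC-SHA256 standing in for the negotiated prf. The class and function names, the ID-type labels ("fqdn", "ipv4-addr"), the peer identities, the key material and the signed-octets input are all constructed for illustration. One behaviour the page does not state is what happens when a bound list has no entry for the peer; the example treats that as "no key" (AUTH fails) and labels it as an assumption.

```python
# Added example, not StarOS code. Names, ID-type labels and key material are
# constructed; the PSK validation limits and lookup precedence follow the page.
import hashlib
import hmac

MAX_ENTRIES = 1000                 # page: up to 1000 entries, one list per system
KEY_PAD = b"Key Pad for IKEv2"     # RFC 7296 section 2.15


def validate_psk(key):
    """Normalise a PSK to bytes, enforcing the two entry forms on the page:
    an alphanumeric string of 1..255 characters, or a hex (binary) key of
    16..444 bytes."""
    if isinstance(key, bytes):
        if not 16 <= len(key) <= 444:
            raise ValueError("hexadecimal PSK must be 16 to 444 bytes")
        return key
    if isinstance(key, str) and 1 <= len(key) <= 255 and key.isalnum():
        return key.encode("ascii")
    raise ValueError("string PSK must be 1 to 255 alphanumeric characters")


class RemoteSecretList:
    """Remote PSKs keyed by (IKE ID type, ID value)."""

    def __init__(self, name):
        self.name = name
        self.entries = {}
        self.bound_to = set()      # crypto maps/templates referencing this list

    def add(self, id_type, id_value, key):
        if len(self.entries) >= MAX_ENTRIES:
            raise ValueError("remote secret list already holds 1000 entries")
        self.entries[(id_type, id_value)] = validate_psk(key)

    def delete(self):
        """Page rule: unbind from every crypto map/template before deletion."""
        if self.bound_to:
            raise RuntimeError("still bound to: " + ", ".join(sorted(self.bound_to)))
        self.entries.clear()


class CryptoMap:
    """A crypto map or template: its own remote PSK plus an optional bound list."""

    def __init__(self, name, remote_psk, secret_list=None):
        self.name = name
        self.remote_psk = validate_psk(remote_psk)
        self.secret_list = secret_list
        if secret_list is not None:
            secret_list.bound_to.add(name)

    def unbind(self):
        if self.secret_list is not None:
            self.secret_list.bound_to.discard(self.name)
            self.secret_list = None


def select_remote_psk(cmap, peer_id_type, peer_id):
    """Step 4 of the sequence: search on the peer ID from IKE_AUTH_REQUEST.
    A bound list takes precedence; without one the map's own remote PSK applies.
    Assumption (not stated on the page): a bound list with no entry for this
    peer yields no key, so AUTH fails rather than falling back to the map key."""
    if cmap.secret_list is not None:
        return cmap.secret_list.entries.get((peer_id_type, peer_id))
    return cmap.remote_psk


def prf(key, data):
    """HMAC-SHA256 standing in for the negotiated IKEv2 prf."""
    return hmac.new(key, data, hashlib.sha256).digest()


def ikev2_psk_auth(psk, signed_octets):
    """RFC 7296 2.15: AUTH = prf(prf(Shared Secret, "Key Pad for IKEv2"), <SignedOctets>)."""
    return prf(prf(psk, KEY_PAD), signed_octets)


def responder_verifies(cmap, peer_id_type, peer_id, signed_octets, auth_payload):
    """Responder side of IKE_AUTH: select the PSK, recompute AUTH, compare in
    constant time. Any lookup miss fails closed."""
    psk = select_remote_psk(cmap, peer_id_type, peer_id)
    if psk is None:
        return False
    return hmac.compare_digest(ikev2_psk_auth(psk, signed_octets), auth_payload)


def demo():
    """Two peers on one crypto map, each authenticated with its own list entry."""
    rsl = RemoteSecretList("rsl1")
    rsl.add("fqdn", "peer1.example.net", "PeerOneSecret2024")
    rsl.add("ipv4-addr", "192.0.2.10", bytes.fromhex("00112233445566778899aabbccddeeff"))
    bound = CryptoMap("map-bound", "MapDefaultKey", rsl)
    plain = CryptoMap("map-plain", "MapDefaultKey")
    octets = b"constructed InitiatorSignedOctets"  # stand-in for the RFC 7296 2.15 input

    def attempt(cmap, id_type, peer_id, initiator_psk):
        # the initiator signs with the PSK it believes applies; the responder re-derives
        return responder_verifies(cmap, id_type, peer_id, octets,
                                  ikev2_psk_auth(validate_psk(initiator_psk), octets))

    return {
        "peer1_list_key_on_bound": attempt(bound, "fqdn", "peer1.example.net", "PeerOneSecret2024"),
        "peer2_list_key_on_bound": attempt(bound, "ipv4-addr", "192.0.2.10",
                                           bytes.fromhex("00112233445566778899aabbccddeeff")),
        "map_key_on_bound": attempt(bound, "fqdn", "peer1.example.net", "MapDefaultKey"),
        "unknown_peer_on_bound": attempt(bound, "fqdn", "peer9.example.net", "MapDefaultKey"),
        "map_key_on_plain": attempt(plain, "fqdn", "peer9.example.net", "MapDefaultKey"),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'AUTH ok' if ok else 'AUTH failed'}")
```

Running the block shows the precedence directly: on the map with a bound list, only the per-peer list entries authenticate, and the map's own remote PSK is never consulted; on the map without a bound list, the map PSK is the only key that works. The comparison is done with a constant-time compare because the AUTH payload is the first point at which the responder can tell a wrong key from a right one, and a byte-by-byte early exit would leak that distinction per byte.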
The commands described below appear in the CLI for this release. However, they have not been qualified for use with any current Cisco StarOS gateway products.
remote-secret-list

Specifies the name of the remote secret list used to store remote secrets based on the ID type. This command enters Remote Secret List Configuration mode, where the remote-id id-type command is available. Only one active remote-secret-list is supported per system. You must unbind the remote-secret-list from any crypto maps or templates before it can be deleted.
For additional information, refer to the Remote Secret List Configuration Commands chapter of the Command Line Interface Reference and the System Administration
remote-id id-type

Configures the remote pre-shared key for a given ID type and ID value.