describes how to create and verify ISAKMP (Internet Security Association and Key Management Protocol) policies. ISAKMP is a protocol defined by RFC 2408 for establishing Security Associations (SA) and cryptographic keys in an Internet

ISAKMP defines the procedures for authenticating a communicating peer, creation and management of Security Associations, key generation techniques and threat mitigation (for example, denial of service and replay attacks).
procedures and packet formats to establish, negotiate, modify and delete
Security Associations. SAs contain all the information required for execution
of various network security services, such as the IP layer services (header
authentication and payload encapsulation), transport or application layer
services or self-protection of negotiation traffic. ISAKMP defines payloads for
exchanging key generation and authentication data. These formats provide a
consistent framework for transferring key and authentication data which is
independent of the key generation technique, encryption algorithm and
configuration to flash memory, an external memory device, and/or a network
location using the Exec mode command
configuration. For additional information on how to verify and save
configuration files, refer to the
Administration Guide and the
Use the following
example to create the ISAKMP policy on your system:
ctxt_name is the
system context in which you wish to create and configure the ISAKMP policy.
priority dictates the
order in which the ISAKMP policies are proposed when negotiating IKE SAs.
information on parameters, refer to the
Configuration Mode Commands chapter in the
Line Interface Reference.
Verifying the ISAKMP
Enter the following
Exec mode command for the appropriate context to display and verify your ISAKMP
    show crypto isakmp policy priority
produces an output similar to that displayed below using the configuration of a
transform set named test1.
    1 ISAKMP Policies are configured
    Priority : 1
    Authentication Method : preshared-key
    Lifetime : 120 seconds
    IKE group : 5
    hash : md5
    encryption : 3des-cbc
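The output above lends itself to an automated review of the negotiated algorithms. The following Python is an added example, not part of this guide or of the platform's software: it parses the show output format displayed above (the sample string is the same test1 policy, embedded here as constructed input) and flags settings that current IKE guidance (RFC 8247) treats as weak; the weak-algorithm baseline and the lifetime ceiling are this example's own assumptions, not anything the platform enforces.

```python
import re

# Constructed sample: the show output for the test1 policy, one field per line.
SAMPLE_OUTPUT = """\
1 ISAKMP Policies are configured
Priority : 1
Authentication Method : preshared-key
Lifetime : 120 seconds
IKE group : 5
hash : md5
encryption : 3des-cbc
"""

# Assumed review baseline: hash, cipher and DH-group values treated as weak
# (RFC 8247 guidance), plus a ceiling on the IKE SA lifetime.
WEAK = {
    "hash": {"md5", "sha1"},
    "encryption": {"des", "des-cbc", "3des-cbc"},
    "ike_group": {"1", "2", "5"},
}
MAX_LIFETIME_SECONDS = 86400

# Matches "Key words : value"; the summary line has no colon and is skipped.
FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z ]+?)\s*:\s*(?P<value>\S+)", re.M)


def parse_policies(text):
    """Parse show output into a list of dicts, one per policy.
    A new policy starts at each 'Priority' line; keys are normalised
    to lower case with underscores (e.g. 'authentication_method')."""
    policies = []
    for m in FIELD_RE.finditer(text):
        key = m.group("key").strip().lower().replace(" ", "_")
        if key == "priority":
            policies.append({})
        if policies:
            policies[-1][key] = m.group("value")
    return policies


def audit_policy(policy):
    """Return a list of findings for one parsed policy; empty means clean."""
    findings = []
    for field, bad in WEAK.items():
        if policy.get(field, "").lower() in bad:
            findings.append(f"{field}={policy[field]} is weak")
    if int(policy.get("lifetime", 0)) > MAX_LIFETIME_SECONDS:
        findings.append(f"lifetime={policy['lifetime']}s exceeds 24 hours")
    return findings
```

Run against the sample, the test1 policy yields three findings (md5 hash, 3des-cbc encryption, DH group 5), which is what a reviewer would want raised before the policy is used in production.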
an existing ISAKMP policy configuration will not take effect until the related
security association has been cleared. Refer to the
security-association command located in the
Commands chapter of the
Interface Reference for more information.