This chapter describes Cisco Encryption Technology (CET) commands. Cisco provides network data encryption as a means to safeguard network data that travels from one Cisco router to another, across unsecured networks.
Refer to the Command Reference Master Index or search online to find complete descriptions of other commands used when configuring CET.
For configuration information, refer to the chapter "Configuring Cisco Encryption Technology" in the Security Configuration Guide.
To define an encryption access list by number, use the extended IP access-list global configuration command. Use the no form of this command to remove a numbered encryption access list.
access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit}
For Internet Control Message Protocol (ICMP), you can also use the following syntax:
access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit}
For Internet Group Management Protocol (IGMP), you can also use the following syntax:
access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit}
For TCP, you can also use the following syntax:
access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit}
For User Datagram Protocol (UDP), you can also use the following syntax:
access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit}
access-list-number | Number of an encryption access list. This is a decimal number from 100 to 199. |
dynamic dynamic-name | (Optional) Identifies this encryption access list as a dynamic encryption access list. Refer to lock-and-key access documented in the "Configuring Lock-and-Key Security (Dynamic Access Lists)" chapter in the Security Configuration Guide. |
timeout minutes | (Optional) Specifies the absolute length of time (in minutes) that a temporary access list entry can remain in a dynamic access list. The default is an infinite length of time and allows an entry to remain permanently. Refer to lock-and-key access documented in the "Configuring Lock-and-Key Security (Dynamic Access Lists)" chapter in the Security Configuration Guide. |
deny | Does not encrypt/decrypt IP traffic if the conditions are matched. |
permit | Encrypts/decrypts IP traffic if the conditions are matched. |
protocol | Name or number of an IP protocol. It can be one of the keywords eigrp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, tcp, or udp, or an integer in the range 0 to 255 representing an IP protocol number. To match any Internet protocol, including ICMP, TCP, and UDP, use the keyword ip. Some protocols allow further qualifiers, as described in text that follows. |
source | Number of the network or host from which the packet is being sent. There are three other ways to specify the source: |
source-wildcard | Wildcard bits (mask) to be applied to source. There are three other ways to specify the source wildcard: |
destination | Number of the network or host to which the packet is being sent. There are three other ways to specify the destination: |
destination-wildcard | Wildcard bits to be applied to the destination. There are three other ways to specify the destination wildcard: |
precedence precedence | (Optional) Packets can be matched for encryption by precedence level, as specified by a number from 0 to 7 or by name as listed in the section "Usage Guidelines." |
tos tos | (Optional) Packets can be matched for encryption by type of service level, as specified by a number from 0 to 15 or by name as listed in the section "Usage Guidelines." |
icmp-type | (Optional) ICMP packets can be matched for encryption by ICMP message type. The type is a number from 0 to 255. |
icmp-code | (Optional) ICMP packets that are matched for encryption by ICMP message type can also be matched by the ICMP message code. The code is a number from 0 to 255. |
icmp-message | (Optional) ICMP packets can be matched for encryption by an ICMP message type name or ICMP message type and code name. The possible names are discussed in the section "Usage Guidelines." |
igmp-type | (Optional) IGMP packets can be matched for encryption by IGMP message type or message name. A message type is a number from 0 to 15. IGMP message names are listed in the section "Usage Guidelines." |
operator | (Optional) Compares source or destination ports. Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range). If the operator is positioned after the source and source-wildcard, it must match the source port. If the operator is positioned after the destination and destination-wildcard, it must match the destination port. The range operator requires two port numbers. All other operators require one port number. |
port | (Optional) The decimal number or name of a TCP or UDP port. A port number is a number from 0 to 65535. TCP port names are listed in the section "Usage Guidelines." TCP port names can be used only when filtering TCP. UDP port names are listed in the section "Usage Guidelines." UDP port names can be used only when filtering UDP. |
established | (Optional) For the TCP protocol only: Indicates an established connection. A match occurs if the TCP datagram has the ACK or RST bits set. The nonmatching case is that of the initial TCP datagram to form a connection. |
log | (Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.) The message includes the access list number, whether the packet was encrypted/decrypted or not; the protocol, whether it was TCP, UDP, ICMP, or a number; and, if appropriate, the source and destination addresses and source and destination port numbers. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets encrypted/decrypted or not in the prior 5-minute interval. |
No numbered encryption access lists are defined, and therefore no traffic will be encrypted/decrypted. After being defined, all encryption access lists contain an implicit "deny" ("do not encrypt/decrypt") statement at the end of the list.
Global configuration
This command first appeared in Cisco IOS Release 11.2.
Use encryption access lists to control which packets on an interface are encrypted/decrypted, and which are transmitted as plain text (unencrypted).
When a packet is examined for an encryption access list match, encryption access list statements are checked in the order that the statements were created. After a packet matches the conditions in a statement, no more statements will be checked. This means that you need to carefully consider the order in which you enter the statements.
To use the encryption access list, you must first specify the access list in a crypto map and then apply the crypto map to an interface, using the crypto map (global configuration) and crypto map (interface configuration) commands.
Fragmented IP packets, other than the initial fragment, are immediately accepted by any extended IP access list. Extended access lists used to control virtual terminal line access or restrict contents of routing updates must not match the TCP source port, the type of service value, or the packet's precedence.
The following is a list of precedence names:
The following is a list of type of service (TOS) names:
The following is a list of ICMP message type names and code names:
The following is a list of IGMP message names:
The following is a list of TCP port names that can be used instead of port numbers. Refer to the current Assigned Numbers RFC to find a reference to these protocols. Port numbers corresponding to these protocols can also be found by typing a ? in the place of a port number.
The following is a list of UDP port names that can be used instead of port numbers. Refer to the current Assigned Numbers RFC to find a reference to these protocols. Port numbers corresponding to these protocols can also be found by typing a ? in the place of a port number.
The following example creates a numbered encryption access list that specifies a class C subnet for the source and a class C subnet for the destination of IP packets. When the router uses this encryption access list, all TCP traffic that is exchanged between the source and destination subnets will be encrypted.
Router1(config)# access-list 101 permit tcp 172.21.3.0 0.0.0.255 172.22.2.0 0.0.0.255
This encryption access list will be applied to an interface as an outbound encryption access list after the router administrator defines a crypto map and applies the crypto map to the interface.
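The evaluation rules above (statements checked in the order entered, first match wins, implicit "do not encrypt" at the end, wildcard bits as don't-care bits) can be seen working in the following added example. It is not Cisco's code: it parses the page's permit statement plus one constructed deny statement into a small model and evaluates sample packets against it. Only the protocol, source, destination and a destination `eq` port are modelled; the `host` and `any` address shorthands used are standard IOS forms that this page does not spell out.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Added example, not Cisco's code: a model of how a numbered encryption
# access list is evaluated. Statements are checked in the order entered,
# the first match decides, and unmatched traffic hits the implicit deny
# (sent as plain text). The "host" and "any" address shorthands are
# standard IOS forms that are not spelled out on this page.


@dataclass
class Entry:
    action: str               # "permit" = encrypt/decrypt, "deny" = clear text
    protocol: str             # "ip", "tcp", "udp", "icmp", ...
    source: str
    source_wildcard: str
    destination: str
    destination_wildcard: str
    dst_port: Optional[int] = None   # destination "eq" port, None = any port


@dataclass
class Packet:
    protocol: str
    src: str
    dst: str
    dst_port: Optional[int] = None


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'ignore this bit'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def _parse_addr(tok: List[str], i: int):
    """Consume one address spec starting at tok[i]; return (addr, wildcard, next index)."""
    if tok[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tok[i] == "host":
        return tok[i + 1], "0.0.0.0", i + 2
    return tok[i], tok[i + 1], i + 2


def parse_entry(line: str) -> Entry:
    """Parse one 'access-list <100-199> {permit|deny} <proto> <src> <dst> [eq <port>]' line."""
    tok = line.split()
    if tok[0] != "access-list" or not 100 <= int(tok[1]) <= 199:
        raise ValueError("not an extended (encryption) access list statement: " + line)
    action, proto = tok[2], tok[3]
    if action not in ("permit", "deny"):
        raise ValueError("action must be permit or deny: " + line)
    src, src_wc, i = _parse_addr(tok, 4)
    dst, dst_wc, i = _parse_addr(tok, i)
    port = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return Entry(action, proto, src, src_wc, dst, dst_wc, port)


def evaluate(acl: List[Entry], pkt: Packet) -> str:
    """Return 'permit' (encrypt) or 'deny' (plain text) for pkt under acl."""
    for e in acl:                                  # order of entry matters
        if e.protocol != "ip" and e.protocol != pkt.protocol:
            continue
        if not wildcard_match(pkt.src, e.source, e.source_wildcard):
            continue
        if not wildcard_match(pkt.dst, e.destination, e.destination_wildcard):
            continue
        if e.dst_port is not None and e.dst_port != pkt.dst_port:
            continue
        return e.action                            # first match wins
    return "deny"                                  # implicit deny at end of list


# Constructed sample list: a hypothetical deny for one host's web traffic
# placed ahead of the page's permit statement for the two class C subnets.
SAMPLE_ACL = [parse_entry(line) for line in [
    "access-list 101 deny tcp host 172.21.3.5 172.22.2.0 0.0.0.255 eq 80",
    "access-list 101 permit tcp 172.21.3.0 0.0.0.255 172.22.2.0 0.0.0.255",
]]


if __name__ == "__main__":
    for pkt in (Packet("tcp", "172.21.3.5", "172.22.2.9", 80),
                Packet("tcp", "172.21.3.7", "172.22.2.9", 80),
                Packet("udp", "172.21.3.7", "172.22.2.9", 53)):
        print(pkt, "->", evaluate(SAMPLE_ACL, pkt))
    # Swap the two statements and the host's web traffic is encrypted as well,
    # because the permit now matches first.
    print("reversed:", evaluate(SAMPLE_ACL[::-1],
                                Packet("tcp", "172.21.3.5", "172.22.2.9", 80)))
```

Running the block shows the UDP packet falling through to the implicit deny even though both subnets match, and the same host/port packet flipping from "deny" to "permit" when the statement order is reversed, which is the ordering pitfall the usage guidelines warn about.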
You can use the master indexes or search online to find documentation of related commands.
access-list (extended) (used for traffic filtering purposes)
crypto map (global configuration)
crypto map (interface configuration)
ip access-list extended (encryption)
show ip access-lists
To terminate an encrypted session in progress, use the clear crypto connection global configuration command.
clear crypto connection connection-id [slot | rsm | vip]
connection-id | Identifies the encrypted session to terminate. |
slot | (Optional) Identifies the crypto engine. This argument is available only on Cisco 7200, RSP7000, and 7500 series routers. If no slot is specified, the Cisco IOS crypto engine will be selected. Use the chassis slot number of the crypto engine location. For the Cisco IOS crypto engine, this is the chassis slot number of the Route Switch Processor (RSP). For the VIP2 crypto engine, this is the chassis slot number of the VIP2. For the ESA crypto engine, this is the chassis slot number of the ESA (Cisco 7200) or of the VIP2 (Cisco RSP7000 and 7500). |
rsm | (Optional) This keyword is only available on the Cisco Catalyst 5000 series switch. It identifies the Route Switch Module on the Cisco Catalyst 5000 series switch. |
vip | (Optional) This keyword is only available on the Cisco Catalyst 5000 series switch. It identifies the Versatile Interface Processor on the Cisco Catalyst 5000 series switch. |
Global configuration
This command first appeared in Cisco IOS Release 11.2. The slot argument and rsm and vip keywords were added in Cisco IOS Release 12.0.
Use this command to terminate an encrypted session currently in progress. Encrypted sessions will normally terminate when the session times out. Use the show crypto cisco connections command to learn the connection-id value.
The following example clears a pending encrypted session. (You could also clear an established encrypted session in the same way.)
Router1# show crypto cisco connections
Pending Connection Table
 PE              UPE              Timestamp              Conn_id
 192.168.3.10    192.168.204.100  Mar 01 1993 00:01:09   -1

Connection Table
 PE              UPE              Conn_id  New_id  Alg  Time     Slot
 192.168.3.10    192.168.204.100  -1       1       0    Not Set  4
                                  flags:PEND_CONN

Router1# clear crypto connection -1
Router1# show crypto cisco connections
Connection Table
 PE              UPE              Conn_id  New_id  Alg  Time
 192.168.3.10    192.168.204.100  0        0       0    Mar 01 1993 00:02:00
                                  flags:BAD_CONN
Router1#
First, the show crypto cisco connections command is issued to learn the connection-id for the pending connection (-1). This value is then used to specify which connection to clear.
Notice that after the connection is cleared, the Pending Connection Table containing the connection entry (connection-id of -1) has disappeared from the show crypto cisco connections output. Also, the Connection Table no longer shows a -1 Conn_id.
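To turn the manual "read the Conn_id, then clear it, then check again" procedure into something scriptable, the following added example (not Cisco's code) parses the text that show crypto cisco connections prints. The two sample outputs are constructed from the example above; the Slot column is left out of the sample for simplicity. It extracts the connection-id values from the Pending Connection Table and the flags attached to each row of the Connection Table, so that a script can confirm no pending entry is left after the clear.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Added example, not Cisco's code: a parser for the text printed by
# "show crypto cisco connections". The samples are constructed from the
# example on this page (Slot column omitted).

BEFORE_CLEAR = """\
Router1# show crypto cisco connections
Pending Connection Table
 PE              UPE              Timestamp              Conn_id
 192.168.3.10    192.168.204.100  Mar 01 1993 00:01:09   -1

Connection Table
 PE              UPE              Conn_id  New_id  Alg  Time
 192.168.3.10    192.168.204.100  -1       1       0    Not Set
                                  flags:PEND_CONN
"""

AFTER_CLEAR = """\
Router1# show crypto cisco connections
Connection Table
 PE              UPE              Conn_id  New_id  Alg  Time
 192.168.3.10    192.168.204.100  0        0       0    Mar 01 1993 00:02:00
                                  flags:BAD_CONN
Router1#
"""

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


@dataclass
class PendingConn:
    pe: str
    upe: str
    timestamp: str
    conn_id: int


@dataclass
class Conn:
    pe: str
    upe: str
    conn_id: int
    new_id: int
    alg: int
    time: str
    flags: List[str] = field(default_factory=list)


def parse_connections(output: str) -> Tuple[List[PendingConn], List[Conn]]:
    """Split the show output into its pending and connection-table rows."""
    pending: List[PendingConn] = []
    conns: List[Conn] = []
    section: Optional[str] = None
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Pending Connection Table"):
            section = "pending"
            continue
        if line.startswith("Connection Table"):
            section = "conn"
            continue
        if line.startswith("flags:") and conns:
            # a flags line belongs to the connection row printed just above it
            conns[-1].flags.extend(f for f in line[len("flags:"):].split(",") if f)
            continue
        tok = line.split()
        # data rows start with two IPv4 addresses (PE and UPE); prompts,
        # column headers and blank lines are skipped
        if len(tok) < 3 or not (IPV4.match(tok[0]) and IPV4.match(tok[1])):
            continue
        if section == "pending":
            pending.append(PendingConn(tok[0], tok[1], " ".join(tok[2:-1]), int(tok[-1])))
        elif section == "conn":
            conns.append(Conn(tok[0], tok[1], int(tok[2]), int(tok[3]), int(tok[4]),
                              " ".join(tok[5:])))
    return pending, conns


def pending_ids(output: str) -> List[int]:
    """connection-id values an operator would pass to clear crypto connection."""
    return [p.conn_id for p in parse_connections(output)[0]]


def flagged(output: str, flag: str) -> List[Conn]:
    """Connection rows carrying a given flag, e.g. BAD_CONN after a clear."""
    return [c for c in parse_connections(output)[1] if flag in c.flags]


if __name__ == "__main__":
    print("pending before clear:", pending_ids(BEFORE_CLEAR))
    print("pending after clear: ", pending_ids(AFTER_CLEAR))
    print("BAD_CONN rows after clear:", len(flagged(AFTER_CLEAR, "BAD_CONN")))
```

The parser keys on the section titles and on rows that begin with two IPv4 addresses rather than on column positions, so it tolerates the whitespace differences between the two tables; on a real router the text would come from the terminal session instead of the embedded samples.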
You can use the master indexes or search online to find documentation of related commands.
The crypto cisco algorithm 40-bit-des command replaces this command. Refer to the description of the crypto cisco algorithm 40-bit-des command for more information.
The crypto cisco algorithm des command replaces this command. Refer to the description of the crypto cisco algorithm des command for more information.
To enable (select) either the ESA crypto engine or the Cisco IOS crypto engine in Cisco 7200 series routers, use the crypto card global configuration command.
crypto card {enable | shutdown} slot
enable | Selects the ESA crypto engine by enabling the ESA. |
shutdown | Selects the Cisco IOS crypto engine by shutting down the ESA. |
slot | The ESA chassis slot number. |
The Cisco IOS crypto engine is the selected (active) crypto engine.
Global configuration
This command first appeared in Cisco IOS Release 11.2 P.
This command only applies to Cisco 7200 series routers with an installed ESA.
Until the ESA is enabled, the Cisco IOS crypto engine will function as the crypto engine.
If you want to select the ESA crypto engine with this command, all other encryption configuration must already have been completed for the ESA.
If you select a crypto engine (either the ESA or the Cisco IOS crypto engine) that has not been completely configured for encryption, the router will not be able to encrypt any traffic, and any existing encryption sessions will abruptly terminate. Therefore, you must complete all encryption configuration for a crypto engine before you enable it with this command.
The following example enables an ESA in the router chassis slot 2:
Router1(config)# crypto card enable 2
...switching to HW crypto engine
Router1(config)#
The following example switches from the Cisco IOS crypto engine to the ESA crypto engine. The ESA crypto engine is in the router chassis slot 4.
Router1(config)# crypto card enable 4
...switching to HW crypto engine
Router1(config)#
The following example switches from the ESA crypto engine to the Cisco IOS crypto engine. The ESA crypto engine is in the router chassis slot 4.
Router1(config)# crypto card shutdown 4
...switching to SW crypto engine
Router1(config)#
To reset an Encryption Service Adapter (ESA), use the crypto card clear-latch global configuration command. This command resets the ESA by clearing a hardware extraction latch that is set when an ESA is removed and reinstalled in the chassis.
crypto card clear-latch {slot | vip}
slot | Identifies the ESA to reset. This argument is available only on Cisco 7200, RSP7000, and 7500 series routers. On a Cisco 7200 series router, this is the ESA chassis slot number. On a Cisco RSP7000 or 7500 series router, this is the chassis slot number of the ESA's second-generation Versatile Interface Processor (VIP2). |
vip | This keyword is only available on the Cisco Catalyst 5000 series switch. Identifies the Versatile Interface Processor on the Cisco Catalyst 5000 series switch. |
The ESA latch is not cleared.
Global configuration
This command first appeared in Cisco IOS Release 11.2. The vip keyword was added in Cisco IOS Release 12.0.
If an ESA is installed for the first time, or removed and reinstalled, the ESA will not function unless you reset it by using this command. Before the ESA is reset, the hardware extraction latch is set and the Tampered LED is on.
To complete this command, you must enter the ESA password. If the ESA does not have a password, you must create one at this time. (The ESA might not have a password if it has never been used before, or if the crypto key zeroize dss command was previously issued for the ESA.)
If you have forgotten a previously assigned password, you have to use the crypto key zeroize dss command instead of the crypto card clear-latch command to reset the ESA. After issuing the crypto key zeroize dss command, you must regenerate and re-exchange DSS keys. When you regenerate DSS keys you will be prompted to create a new password.
The following example resets an ESA card. The ESA card is housed in a VIP2 that is in slot 1.
Router1(config)# crypto card clear-latch 1
% Enter the crypto card password.
Password: <passwd>
Router1(config)#
The following example resets an ESA card housed in a VIP2 on a Cisco Catalyst 5000 series switch:
Router1(config)# crypto card clear-latch vip
% Enter the crypto card password.
Password: <passwd>
Router1(config)#
You can use the master indexes or search online to find documentation of related commands.
crypto key generate dss
crypto key zeroize dss
To globally enable 40-bit Data Encryption Standard (DES) algorithm types, use the crypto cisco algorithm 40-bit-des global configuration command. Use the no form of this command to globally disable a 40-bit DES algorithm type.
crypto cisco algorithm 40-bit-des [cfb-8 | cfb-64]
cfb-8 | (Optional) Selects the 8-bit Cipher FeedBack (CFB) mode of the 40-bit DES algorithm. If no CFB mode is specified when you issue the command, 64-bit CFB mode is the default. |
cfb-64 | (Optional) Selects the 64-bit CFB mode of the 40-bit DES algorithm. If no CFB mode is specified when you issue the command, 64-bit CFB mode is the default. |
One DES algorithm is enabled by default, even if you never issue this command. If you are running a nonexportable image, the basic DES algorithm with 64-bit CFB is enabled by default. (The basic DES algorithm uses a 56-bit DES key.) If you are running an exportable image, the 40-bit DES algorithm with 64-bit CFB is enabled by default.
If you do not know if your image is exportable or nonexportable, you can perform the show crypto cisco algorithms command to determine which DES algorithms are currently enabled.
Global configuration
This command first appeared in Cisco IOS Release 11.2.
Use this command to enable a 40-bit DES algorithm type. Enabling a DES algorithm type once allows it to be used by all crypto engines of a router.
You must enable all DES algorithms that will be used to communicate with any other peer encrypting router. If you do not enable a DES algorithm, you will not be able to use that algorithm, even if you try to assign the algorithm to a crypto map at a later time.
If your router tries to set up an encrypted communication session with a peer router, and the two routers do not have the same DES algorithm enabled at both ends, the encrypted session will fail. If at least one common DES algorithm is enabled at both ends, the encrypted session can proceed.
Forty-bit DES uses a 40-bit DES key, which is easier for attackers to "crack" than basic DES, which uses a 56-bit DES key. However, some international applications might require you to use 40-bit DES, because of export laws.
Eight-bit CFB is more commonly used than 64-bit CFB, but requires more CPU processing time. If you do not specify 8-bit or 64-bit CFB, 64-bit CFB will be selected by default.
The following example enables 40-bit DES with 8-bit CFB and 40-bit DES with 64-bit CFB:
crypto cisco algorithm 40-bit-des cfb-8
crypto cisco algorithm 40-bit-des cfb-64
You can use the master indexes or search online to find documentation of related commands.
crypto cisco algorithm des
show crypto cisco algorithms
To globally enable Data Encryption Standard (DES) algorithm types that use a 56-bit DES key, use the crypto cisco algorithm des global configuration command. Use the no form of this command to globally disable a DES algorithm type.
crypto cisco algorithm des [cfb-8 | cfb-64]
cfb-8 | (Optional) Selects the 8-bit Cipher FeedBack (CFB) mode of the basic DES algorithm. If no CFB mode is specified when you issue the command, 64-bit CFB mode is the default. |
cfb-64 | (Optional) Selects the 64-bit CFB mode of the basic DES algorithm. If no CFB mode is specified when you issue the command, 64-bit CFB mode is the default. |
One DES algorithm is enabled by default, even if you never issue this command. If you are running a nonexportable image, the basic DES algorithm with 8-bit CFB is enabled by default. (The basic DES algorithm uses a 56-bit DES key.) If you are running an exportable image, the 40-bit DES algorithm with 8-bit CFB is enabled by default.
If you do not know if your image is exportable or nonexportable, you can perform the show crypto cisco algorithms command to determine which DES algorithms are currently enabled.
Global configuration
This command first appeared in Cisco IOS Release 11.2.
Use this command to enable a DES algorithm type that uses a 56-bit DES key. Enabling a DES algorithm type once allows it to be used by all crypto engines of a router.
You must enable all DES algorithms that will be used to communicate with any other peer encrypting router. If you do not enable a DES algorithm, you will not be able to use that algorithm, even if you try to assign the algorithm to a crypto map at a later time.
If your router tries to set up an encrypted communication session with a peer router, and the two routers do not have the same DES algorithm enabled at both ends, the encrypted session will fail. If at least one common DES algorithm is enabled at both ends, the encrypted session can proceed.
Eight-bit CFB is more commonly used than 64-bit CFB, but requires more CPU processing time. If you do not specify 8-bit or 64-bit CFB, 64-bit CFB will be selected by default.
The following example enables DES with 8-bit CFB and DES with 64-bit CFB:
crypto cisco algorithm des cfb-8
crypto cisco algorithm des cfb-64
You can use the master indexes or search online to find documentation of related commands.
crypto cisco algorithm 40-bit-des
show crypto cisco algorithms
To change the maximum number of destinations (hosts or subnets) per source that you can define in encryption access list statements, use the crypto cisco connections global configuration command. Use the no form of the command to restore the default.
crypto cisco connections number
number | Specifies the maximum number of destinations per source. Use a value from This argument is not required when using the no form of the command. |
A maximum of 10 destinations can be paired with each source specified in encryption access list criteria statements.
Global configuration
This command first appeared in Cisco IOS Release 11.3.
When you configure encryption access lists, you configure source and destination pairs in criteria statements. Any traffic that matches the criteria is then encrypted.
By default, the maximum number of distinct sources (hosts or subnets) that you can define in your encryption access lists is 100. Also, the maximum number of distinct destinations that you can define for any given source address is 10. For example, if you define six different source addresses, you can define up to 10 destination addresses for each of the six sources, for a total of 60 access list criteria statements.
Use this command if you need to specify more than 10 destinations for a particular source (host or subnet) in encryption access list statements.
For most situations, the defaults of 100 maximum sources and 10 maximum destinations per source are sufficient. Cisco recommends that you do not change the defaults unless you actually exceed the number of sources or destinations per source.
The amount of memory reserved for encrypted connections changes if you change the defaults with this command.
When using this command, you should consider the amount of memory that will be allocated. In general, use the crypto cisco entities and crypto cisco connections commands together: if you increase one value, decrease the other value. This prevents your router from running out of memory because too much memory was preallocated.
For every additional source specified with the crypto cisco entities command, the following additional bytes of memory will be allocated:
64 + (68 x the specified number of maximum destinations)
For every additional destination specified with the crypto cisco connections command, the following additional bytes of memory will be allocated:
68 x the specified number of maximum sources
For example, if you specify 5 maximum sources, and 250 maximum destinations per source, the memory allocated for encryption connections is calculated as follows:
{5 x [64 + (68 x 250)]} + {250 x (68 x 5)} = 170320 bytes
In this example, there are 50 remote sites connecting to a single server. The connections between the server and each site need to be encrypted. The server is located behind the local router named Router1. Each of the remote sites connects through its own router.
Because of the large number of destination addresses that must be paired with the same source address in the local encryption access list, the default limits are changed.
Router1(config)# crypto cisco connections 60
%Please reboot for the new connection size to take effect
Router1(config)# crypto cisco entities 5
%Please reboot for the new table size to take effect
Note that the maximum number of sources is reduced to balance the increase in maximum destinations per source. This prevents too much memory from being preallocated to encryption connections.
Also note that even though there is only one server, and only 50 remote sites, this example defines 5 sources and 60 destinations. This allows room for future growth of the encryption access list. If another source or destination is added later, the limits will not have to be increased and the router rebooted again, which is a disruptive process.
You can use the master indexes or search online to find documentation of related commands.
To change the maximum number of sources (hosts or subnets) that you can define in encryption access list statements, use the crypto cisco entities global configuration command. Use the no form of the command to restore the default.
crypto cisco entities number
number | Specifies the maximum number of sources. Use a value from 3 to 500. This argument is not required when using the no form of the command. |
A maximum of 100 sources can be specified in encryption access list criteria statements.
Global configuration
This command first appeared in Cisco IOS Release 11.3.
When you configure encryption access lists, you configure source and destination pairs in criteria statements. Any traffic that matches the criteria is then encrypted.
By default, the maximum number of distinct sources (hosts or subnets) that you can define in your encryption access lists is 100. Also, the maximum number of distinct destinations that you can define for any given source address is 10. For example, if you define six different source addresses, you can define up to 10 destination addresses for each of the six sources, for a total of 60 access list criteria statements.
Use this command if you need to specify more than 100 sources (host or subnet) in encryption access list statements.
For most situations, the defaults of 100 maximum sources and 10 maximum destinations per source are sufficient. Cisco recommends that you do not change the defaults unless you actually exceed the number of sources or destinations per source.
The amount of memory reserved for encrypted connections changes if you change the defaults with this command.
When using this command, you should consider the amount of memory that will be allocated. In general, use the crypto cisco entities and crypto cisco connections commands together: if you increase one value, decrease the other value. This prevents your router from running out of memory because too much memory was preallocated.
For every additional source specified with the crypto cisco entities command, the following additional bytes of memory will be allocated:
64 + (68 x the specified number of maximum destinations)
For every additional destination specified with the crypto cisco connections command, the following additional bytes of memory will be allocated:
68 x the specified number of maximum sources
For example, if you specify 5 maximum sources, and 250 maximum destinations per source, the memory allocated for encryption connections is calculated as follows:
{5 x [64 + (68 x 250)]} + {250 x (68 x 5)} = 170320 bytes
In this example, there are 50 remote sites connecting to a single server. The connections between the server and each site need to be encrypted. The server is located behind the local router named Router1. Each of the remote sites connects through its own router.
Because of the large number of destination addresses that must be paired with the same source address in the local encryption access list, the default limits are changed.
Router1(config)# crypto cisco connections 60
%Please reboot for the new connection size to take effect
Router1(config)# crypto cisco entities 5
%Please reboot for the new table size to take effect
Note that the maximum number of sources is reduced to balance the increase in maximum destinations per source. This prevents too much memory from being preallocated to encryption connections.
Also note that even though there is only one server, and only 50 remote sites, this example defines 5 sources and 60 destinations. This allows room for future growth of the encryption access list. If another source or destination is added later, the limits will not have to be increased and the router rebooted again, which is a disruptive process.
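The memory figures given in the usage guidelines of both crypto cisco connections and crypto cisco entities (64 + 68 x destinations per source, 68 x sources per destination) are worth computing before rebooting, because the two limits multiply. The following added example (not Cisco's code) applies those figures as totals, the way the page's 5 x 250 arithmetic does, and compares the defaults, the page's arithmetic example, the balanced 5 x 60 choice from the example above, and the unbalanced alternative of raising destinations alone; the plan labels are constructed for illustration.

```python
# Added example, not Cisco's code: the per-source and per-destination
# memory figures this page gives for crypto cisco entities and
# crypto cisco connections, applied to whole tables so that candidate
# limits can be compared before the router is rebooted.

BYTES_PER_SOURCE_FIXED = 64      # fixed cost of one source entry
BYTES_PER_PAIR = 68              # cost of one (source, destination) slot
DEFAULT_SOURCES = 100            # crypto cisco entities default
DEFAULT_DESTINATIONS = 10        # crypto cisco connections default


def bytes_per_source(max_destinations: int) -> int:
    """Memory added by one more source: 64 + (68 x maximum destinations)."""
    return BYTES_PER_SOURCE_FIXED + BYTES_PER_PAIR * max_destinations


def bytes_per_destination(max_sources: int) -> int:
    """Memory added by one more destination per source: 68 x maximum sources."""
    return BYTES_PER_PAIR * max_sources


def reserved_memory(max_sources: int, max_destinations: int) -> int:
    """Total bytes preallocated for encryption connections, computed as in
    the page's example: {S x [64 + (68 x D)]} + {D x (68 x S)}."""
    return (max_sources * bytes_per_source(max_destinations)
            + max_destinations * bytes_per_destination(max_sources))


def compare_plans(plans):
    """Return {(sources, destinations): bytes} for a list of candidate limits."""
    return {(s, d): reserved_memory(s, d) for s, d in plans}


if __name__ == "__main__":
    # Constructed comparison; the labels are illustrative only.
    labelled = [
        ("defaults (100 x 10)",            (DEFAULT_SOURCES, DEFAULT_DESTINATIONS)),
        ("page arithmetic (5 x 250)",      (5, 250)),
        ("destinations raised only (100 x 60)", (100, 60)),
        ("balanced choice (5 x 60)",       (5, 60)),
    ]
    for label, (s, d) in labelled:
        print(f"{label:40s} -> {reserved_memory(s, d):7d} bytes")
```

Raising the destination limit from 10 to 60 while leaving the source limit at 100 preallocates several times the memory of the defaults, whereas pairing it with 5 sources preallocates less than the defaults do, which is the trade-off the guidelines describe when they say to decrease one value when you increase the other.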
You can use the master indexes or search online to find documentation of related commands.
To specify the duration of encrypted sessions, use the crypto cisco key-timeout global configuration command. Use the no form to restore the duration of encrypted sessions to the default of 30 minutes.
crypto cisco key-timeout minutes
minutes | Specifies the duration of encrypted sessions. Can be from 1 to 1440 minutes (24 hours) in 1 minute increments. Specified by an integer from 1 to 1440. When the no form of the command is used, this argument is optional. Any value supplied for the argument is ignored by the router. |
Encrypted sessions time out in 30 minutes.
Global configuration
This command first appeared in Cisco IOS Release 11.2.
After an encrypted communication session is established, it is valid for a specific length of time. After this length of time, the session times out. A new session must be negotiated, and a new Data Encryption Standard (DES) (session) key must be generated for encrypted communication to continue. Use this command to change the time that an encrypted communication session will last before it expires (times out).
The following example sets encrypted session timeouts to 2 hours:
crypto cisco key-timeout 120
The following example shows one way to restore the default session time of 30 minutes:
no crypto cisco key-timeout
The following example shows another way to restore the default session time of 30 minutes:
crypto cisco key-timeout 30
You can use the master indexes or search online to find documentation of related commands.
To enable pregeneration of Diffie-Hellman (DH) public numbers, use the crypto cisco pregen-dh-pairs global configuration command. Use the no form to disable pregeneration of DH public numbers for all crypto engines.
crypto cisco pregen-dh-pairs count [slot | rsm | vip]
count | Specifies how many DH public numbers to pregenerate and hold in reserve. Specified by an integer from 0 to 10. |
slot | (Optional) Identifies the crypto engine. This argument is available only on Cisco 7200, RSP7000, and 7500 series routers. If no slot is specified, the Cisco IOS crypto engine will be selected. Use the chassis slot number of the crypto engine location. For the Cisco IOS crypto engine, this is the chassis slot number of the Route Switch Processor (RSP). For the VIP2 crypto engine, this is the chassis slot number of the VIP2. For the ESA crypto engine, this is the chassis slot number of the ESA (Cisco 7200) or of the VIP2 (Cisco RSP7000 and 7500). |
rsm | (Optional) This keyword is only available on the Cisco Catalyst 5000 series switch. Identifies the Route Switch Module on the Cisco Catalyst 5000 series switch. |
vip | (Optional) This keyword is only available on the Cisco Catalyst 5000 series switch. Identifies the Versatile Interface Processor on the Cisco Catalyst 5000 series switch. |
DH number pairs are generated only when needed, during encrypted session setup.
Global configuration
This command first appeared in Cisco IOS Release 11.2. The rsm and vip keywords were added in Cisco IOS Release 12.0.
Each encrypted session uses a unique pair of DH numbers. Every time a new session is set up, new DH number pairs must be generated. When the session completes, these numbers are discarded. Generating new DH number pairs is a CPU-intensive activity, which can make session setup slow, especially for low-end routers.
To speed up session setup, you can choose to have a specified amount of DH number pairs pregenerated and held in reserve. Then, when an encrypted communication session is being set up, a DH number pair will be provided from that reserve. After a DH number pair is used, the reserve is automatically replenished with a new DH number pair, so there should always be a DH number pair ready for use.
It is usually not necessary to have more than one or two DH number pairs pregenerated, unless your router will be setting up multiple encrypted sessions so frequently that a pregenerated reserve of one or two DH number pairs will be depleted too quickly.
If you have a Cisco 7200, RSP7000, or 7500 series router or Cisco Catalyst 5000 series switch, you can perform this command for each crypto engine in service.
Setting the number of pregenerated pairs to zero disables pregeneration but still allows you to use the pairs already in reserve. Using the no form of the command disables pregeneration for all crypto engines of your router and deletes any DH number pairs currently in reserve. If you have a Cisco 7200, RSP7000, or 7500 series router or Cisco Catalyst 5000 series switch and wish to discontinue pregenerating DH numbers for only one crypto engine, set the count argument to 0 and specify the crypto engine with the slot argument.
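The reserve behaviour described in the preceding usage guidelines, modelled in Python as an added illustration; this is not Cisco IOS code and not the CET implementation. The group parameters P and G, the DhReserve class and its configure, disable and take methods are all constructed for this example, and the toy Mersenne-prime group stands in for the (undocumented here) group CET uses; a real deployment needs a far larger group. The model shows the three states the guidelines distinguish: a positive count that is topped up after every use, a count of 0 that stops pregeneration but still serves pairs already in reserve, and the no form that discards the reserve.

```python
"""Pregenerated Diffie-Hellman reserve, modelled on the behaviour the
crypto cisco pregen-dh-pairs usage guidelines describe.  Added illustration,
not Cisco IOS code; the group below is a constructed toy group."""
import secrets
from collections import deque
from typing import Deque, Tuple

# Constructed toy group: the Mersenne prime 2^127 - 1 with generator 3.
# Assumption for illustration only; CET's real group is not documented here.
P = 2 ** 127 - 1
G = 3

DhPair = Tuple[int, int]  # (private exponent x, public number g^x mod p)


def generate_dh_pair() -> DhPair:
    """The CPU-intensive step that pregeneration moves off the session-setup path."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def shared_secret(private: int, peer_public: int) -> int:
    """Both peers derive the same value from their own x and the other's g^x."""
    return pow(peer_public, private, P)


class DhReserve:
    """Holds `count` pregenerated pairs and tops itself up after each use."""

    def __init__(self, count: int = 0) -> None:
        self.count = 0
        self.pool: Deque[DhPair] = deque()
        self.generated = 0          # every expensive generation, inline or not
        self.configure(count)

    def configure(self, count: int) -> None:
        """crypto cisco pregen-dh-pairs <count>: a count of 0 stops
        pregeneration but leaves already-generated pairs available."""
        if not 0 <= count <= 10:
            raise ValueError("count must be an integer from 0 to 10")
        self.count = count
        self._replenish()

    def disable(self) -> None:
        """no crypto cisco pregen-dh-pairs: stop pregenerating and discard the reserve."""
        self.count = 0
        self.pool.clear()

    def _replenish(self) -> None:
        while len(self.pool) < self.count:
            self.pool.append(generate_dh_pair())
            self.generated += 1

    def take(self) -> Tuple[DhPair, bool]:
        """Session setup: serve a pair from the reserve when one is waiting,
        otherwise generate inline (the slow path).  Returns (pair, from_reserve)."""
        if self.pool:
            pair, from_reserve = self.pool.popleft(), True
        else:
            pair, from_reserve = generate_dh_pair(), False
            self.generated += 1
        self._replenish()
        return pair, from_reserve


def session_setup(local: DhReserve, peer: DhReserve) -> bool:
    """Two routers each draw a pair and must agree on the shared secret."""
    (xa, ya), _ = local.take()
    (xb, yb), _ = peer.take()
    return shared_secret(xa, yb) == shared_secret(xb, ya)


if __name__ == "__main__":
    reserve = DhReserve(2)          # crypto cisco pregen-dh-pairs 2
    _, hit = reserve.take()
    print("served from reserve:", hit, "| reserve size now:", len(reserve.pool))
```

The counter `generated` makes the trade-off visible: with a reserve, the expensive generation happens between sessions rather than while a peer is waiting for the session to come up.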
The following example turns on pregeneration of DH public number pairs for a Cisco 2500 series router. Two DH number pairs will be held in constant reserve.
crypto cisco pregen-dh-pairs 2
The following example turns on pregeneration of DH public numbers for the ESA crypto engine of a VIP2 card in slot 3 of a Cisco 7500 series router. One DH number pair will be held in constant reserve.
crypto cisco pregen-dh-pairs 1 3
The following example turns on pregeneration of DH public numbers for a VIP on a Cisco Catalyst 5000 series switch:
crypto cisco pregen-dh-pairs 1 vip
You can use the master indexes or search online to find documentation of related commands.
show crypto cisco pregen-dh-pairs
The crypto card clear-latch command replaces this command. Refer to the description of the crypto card clear-latch command for more information.
The crypto card command replaces this command. Refer to the description of the crypto card command for more information.
The crypto key generate dss command replaces this command. Refer to the description of the crypto key generate dss command for more information.
The crypto key exchange dss command replaces this command. Refer to the description of the crypto key exchange dss command for more information.
To exchange Digital Signature Standard (DSS) public keys, the administrator of the peer encrypting router that is designated ACTIVE must use the crypto key exchange dss global configuration command.
crypto key exchange dss ip-address key-name [tcp-port]
ip-address | The IP address of the peer router (designated PASSIVE) participating with you in the key exchange. |
key-name | Identifies the crypto engine: either the Cisco IOS crypto engine, a second-generation Versatile Interface Processor (VIP2) crypto engine, or an Encryption Service Adapter (ESA) crypto engine. This name must match the key-name argument assigned when you generated DSS keys using the crypto key generate dss command. |
tcp-port | (Optional) Cisco IOS software uses the unassigned TCP port number 1964 to designate a key exchange (1964 is a TCP port number that has not been preassigned by the Internet Engineering Task Force (IETF)). You may use this optional argument to select a different number to designate a key exchange, if your system already uses port 1964 for a different purpose. If this argument is used, you must use the same value as the PASSIVE router's tcp-port value. |
No DSS keys are exchanged.
Global configuration
This command first appeared in Cisco IOS Release 11.2.
Peer encrypting routers must exchange DSS public keys before any encrypted communication can occur.
If you have a Cisco 7200, RSP7000, or 7500 series router, you will need to exchange DSS public keys for each crypto engine you plan to use.
To exchange DSS public keys, the two router administrators must call each other on the phone, and verbally assign one router to the PASSIVE role, and the other router to the ACTIVE role.
The PASSIVE administrator uses the crypto key exchange dss passive command to start the DSS key exchange. Then the ACTIVE administrator uses the crypto key exchange dss command to send the first DSS public key. During the key exchange sequence, the two administrators must remain on the phone to verify the receipt of DSS keys. To verify the receipt of DSS keys, the administrators should compare screens to match DSS key serial numbers and fingerprints. Screen prompts will guide both administrators through the exchange.
The following example shows a DSS key exchange sequence from the point of view of a router named Router2. Router2 is designated ACTIVE. The other router is named Router1. Router1 is designated PASSIVE, and has previously generated DSS keys with the key-name Router1. Router2 has previously generated DSS keys with the key-name Router2ESA:
Router2(config)# crypto key exchange dss 172.21.114.68 Router2ESA
Public key for Router2ESA:
   Serial Number 01461300
   Fingerprint 0F1D 373F 2FC1 872C D5D7
Wait for peer to send a key[confirm]<Return>
Waiting ....
Public key for Router1:
   Serial Number 01579312
   Fingerprint BF1F 9EAC B17E F2A1 BA77
Add this public key to the configuration? [yes/no]: y
Router2(config)#
You can use the master indexes or search online to find documentation of related commands.
crypto key exchange dss passive
crypto key pubkey-chain dss
show crypto key mypubkey dss
show crypto key pubkey-chain dss
To enable an exchange of Digital Signature Standard (DSS) public keys, the administrator of the peer encrypting router that is designated PASSIVE must use the crypto key exchange dss passive global configuration command.
crypto key exchange dss passive [tcp-port]
tcp-port | (Optional) Cisco IOS software uses the unassigned TCP port number 1964 to designate a key exchange (1964 is a TCP port number that has not been preassigned by the Internet Engineering Task Force (IETF)). You may use this optional argument to select a different number to designate a key exchange, if your system already uses port 1964 for a different purpose. If this argument is used, you must use the same value as the ACTIVE router's tcp-port value. |
No DSS keys are exchanged.
Global configuration
This command first appeared in Cisco IOS Release 11.2.
Peer encrypting routers must exchange DSS public keys before any encrypted communication can occur.
To exchange DSS public keys, the two router administrators must call each other on the phone, and verbally assign one router to the PASSIVE role, and the other router to the ACTIVE role.
Then the PASSIVE administrator should use the crypto key exchange dss passive command to start the DSS key exchange. During the key exchange sequence, the two administrators must remain on the phone to verify the receipt of DSS keys. To verify the receipt of DSS keys, the administrators should compare screens to match DSS key serial numbers and fingerprints. Screen prompts will guide both administrators through the exchange.
The following example shows a DSS key exchange sequence from the point of view of a router named Router1. Router1 is designated PASSIVE, and has previously generated DSS keys with the key-name Router1. The other router is named Router2 and has previously generated DSS keys with the key-name Router2ESA:
Router1(config)# crypto key exchange dss passive
Enter escape character to abort if connection does not complete.
Wait for connection from peer[confirm]<Return>
Waiting ....
Public key for Router2ESA:
   Serial Number 01461300
   Fingerprint 0F1D 373F 2FC1 872C D5D7
Add this public key to the configuration? [yes/no]: y
Send peer a key in return[confirm]<Return>
Which one?
Router1? [yes]: <Return>
Public key for Router1:
   Serial Number 01579312
   Fingerprint BF1F 9EAC B17E F2A1 BA77
Router1(config)#
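Both halves of the exchange procedure described for crypto key exchange dss and crypto key exchange dss passive, as an added illustration in Python; this is not Cisco IOS code. The PublicKey, Router and exchange names, the sample key bytes and serial numbers, and the fingerprint scheme (first 80 bits of SHA-1, displayed in five groups to resemble the router screen) are assumptions made for this example; the page does not document how IOS derives DSS fingerprints. What the model demonstrates is the out-of-band check: a key is stored only when the serial number and fingerprint on the receiving screen match what the peer administrator reads out over the phone, so a key altered between the two routers is refused and nothing is added to the configuration.

```python
"""DSS public-key exchange with the administrators' phone verification.
Added illustration, not Cisco IOS code; key material is constructed bytes
and the fingerprint scheme is an assumption made for this example."""
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

KEY_EXCHANGE_PORT = 1964   # default port from the command reference


@dataclass(frozen=True)
class PublicKey:
    name: str       # key-name chosen with crypto key generate dss
    serial: str
    data: bytes     # DSS public key material (constructed here)


def fingerprint(key: PublicKey) -> str:
    """Assumed scheme: first 80 bits of SHA-1 over the key data, shown as
    five groups of four hex digits, the shape the router output uses."""
    digest = hashlib.sha1(key.data).hexdigest()[:20].upper()
    return " ".join(digest[i:i + 4] for i in range(0, 20, 4))


class Router:
    def __init__(self, hostname: str, mykey: PublicKey) -> None:
        self.hostname = hostname
        self.mykey = mykey
        self.peers: Dict[str, PublicKey] = {}   # what show crypto key pubkey-chain dss lists

    def screen(self, key: PublicKey) -> str:
        """What the administrator sees before answering the [yes/no] prompt."""
        return (f"Public key for {key.name}:\n   Serial Number {key.serial}\n"
                f"   Fingerprint {fingerprint(key)}")

    def accept(self, received: PublicKey, spoken_serial: str, spoken_fp: str) -> bool:
        """Answer 'yes' only when serial number and fingerprint on screen match
        what the peer administrator reads out over the phone."""
        if received.serial != spoken_serial or fingerprint(received) != spoken_fp:
            return False
        self.peers[received.name] = received
        return True


Channel = Callable[[PublicKey], PublicKey]


def exchange(active: Router, passive: Router, channel: Channel = lambda k: k) -> str:
    """Run the exchange.  `channel` stands in for the TCP connection on the
    key-exchange port and lets a caller model a key altered on the way."""
    # PASSIVE has run `crypto key exchange dss passive` and is waiting.
    # ACTIVE runs `crypto key exchange dss <ip> <key-name>` and sends first;
    # the ACTIVE administrator reads the serial and fingerprint aloud.
    seen_by_passive = channel(active.mykey)
    if not passive.accept(seen_by_passive, active.mykey.serial, fingerprint(active.mykey)):
        return "rejected by PASSIVE"
    # PASSIVE confirms "Send peer a key in return"; ACTIVE verifies it the same way.
    seen_by_active = channel(passive.mykey)
    if not active.accept(seen_by_active, passive.mykey.serial, fingerprint(passive.mykey)):
        return "rejected by ACTIVE"
    return "exchanged"


def sample_routers() -> Tuple[Router, Router]:
    """Constructed stand-ins for Router1 (PASSIVE) and Router2 (ACTIVE)."""
    router1 = Router("Router1", PublicKey("Router1", "01579312", b"constructed-router1-key"))
    router2 = Router("Router2", PublicKey("Router2ESA", "01461300", b"constructed-router2esa-key"))
    return router1, router2


if __name__ == "__main__":
    r1, r2 = sample_routers()
    print(r1.screen(r2.mykey))
    print(exchange(active=r2, passive=r1))
```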
You can use the master indexes or search online to find documentation of related commands.
crypto key exchange dss
crypto key pubkey-chain dss
show crypto key mypubkey dss
show crypto key pubkey-chain dss
The crypto key exchange dss passive command replaces this command. Refer to the description of the crypto key exchange dss passive command for more information.
To generate a Digital Signature Standard (DSS) public/private key pair, use the crypto key generate dss global configuration command.
crypto key generate dss key-name [slot | rsm | vip]
key-name | A name you assign to the crypto engine. This will name either the Cisco IOS software crypto engine, a second-generation Versatile Interface Processor (VIP2) crypto engine, or an Encryption Service Adapter (ESA) crypto engine. Any character string is valid. Using a fully qualified domain name might make it easier to identify public keys. |
slot | (Optional) Identifies the crypto engine. This argument is available only on Cisco 7200, RSP7000, and 7500 series routers. If no slot is specified, the Cisco IOS crypto engine will be selected. Use the chassis slot number of the crypto engine location. For the Cisco IOS crypto engine, this is the chassis slot number of the Route Switch Processor (RSP). For the VIP2 crypto engine, this is the chassis slot number of the VIP2. For the ESA crypto engine, this is the chassis slot number of the ESA (Cisco 7200) or of the VIP2 (Cisco RSP7000 and 7500). |
rsm | (Optional) This keyword is only available on the Cisco Catalyst 5000 series switch. Identifies the Route Switch Module on the Cisco Catalyst 5000 series switch. |
vip | (Optional) This keyword is only available on the Cisco Catalyst 5000 series switch. Identifies the Versatile Interface Processor on the Cisco Catalyst 5000 series switch. |
No DSS public/private keys are defined.
Global configuration
This command first appeared in Cisco IOS Release 11.2. The rsm and vip keywords were added in Cisco IOS Release 12.0.
Use this command to generate a DSS public/private key pair. This is the first configuration task required to set up a router for network data encryption.
If you have a Cisco 7200, RSP7000, or 7500 series router, use the slot argument. If you have a Cisco Catalyst 5000 series switch, use the rsm or vip keyword. You must perform this command once for each crypto engine you plan to use.
If you are using a Cisco 7200, RSP7000, or 7500 series router or a Cisco Catalyst 5000 series switch with an ESA, DSS keys generated for the ESA crypto engine are automatically saved to the tamper-resistant memory of the ESA during the DSS key generation process.
If you are using a Cisco 7200, RSP7000, or 7500 series router or a Cisco Catalyst 5000 series switch with an ESA, you will be prompted to enter a password when you generate DSS keys for the ESA crypto engine.
If you previously reset the ESA with the crypto key zeroize dss command, you must create a new password at this time.
If you previously reset the ESA with the crypto card clear-latch command, you created a password at that time; use that same password now. If you have forgotten the password, the only workaround is to first use the crypto key zeroize dss command and then regenerate DSS keys.
If you need to regenerate DSS keys for the ESA, you will be required to enter the same ESA password to complete the DSS key regeneration.
The following example generates a DSS public/private key pair for the first time on a Cisco 2500 series router:
Router1(config)# crypto key generate dss Router1
Generating DSS keys ....
[OK]
Router1(config)#
The following example generates DSS public/private key pairs for a Cisco 7500 series router with an RSP in slot 4 and a VIP2 (with an ESA) in slot 3. The ESA was previously reset with the crypto key zeroize dss command. Notice that when DSS keys are generated for the ESA, you must type a newly created password:
Router1(config)# crypto key generate dss Router1RSP 4
Generating DSS keys ....
[OK]
Router1(config)# crypto key generate dss Router1ESA 3
% Initialize the crypto card password. You will need this password in order to generate new signature keys or clear the crypto card extraction latch.
Password: <passwd>
Re-enter password: <passwd>
Generating DSS keys ....
[OK]
Router1(config)#
In the previous example, the ESA crypto engine provides encryption services for the VIP2 interfaces, and the Cisco IOS crypto engine (located in the RSP) provides encryption services for all other designated ports.
The next example shows DSS keys being generated a second time, for the same ESA crypto engine shown in the previous example (DSS keys already exist for this crypto engine). Notice that the password used in the previous example must be entered in this example to complete the DSS key regeneration.
Router1(config)# crypto key generate dss Router1ESA 3
% Generating new DSS keys will require re-exchanging public keys with peers who already have the public key named Router1ESA!
Generate new DSS keys? [yes/no]: y
% Enter the crypto card password.
Password: <passwd>
Generating DSS keys ....
[OK]
You can use the master indexes or search online to find documentation of related commands.
To manually specify the Digital Signature Standard (DSS) public key of a peer encrypting router, use the crypto key pubkey-chain dss global configuration command. Use the no form of this command to delete the DSS public key of a peer encrypting router.
crypto key pubkey-chain dss
key-name | Identifies the crypto engine of the peer encrypting router. If the device is a Cisco router, the name should be a fully qualified domain name. |
special-usage | If the special-usage parameter is not specified, the key is considered a general-purpose key. |
serial-number | The serial number of the peer encrypting router's public DSS key. When the no form of the command is used, this argument is optional. Any value supplied for the argument is ignored by the router. |
hex | The DSS public key of the peer encrypting router, in hexadecimal format. |
quit | When you are done entering the public key, type quit to exit the hex input mode. |
No peer encrypting router DSS keys are known.
Global configuration
Performing this command invokes the hex input mode. To complete the command, you must return to the global configuration mode by typing quit at the config-pubkey prompt.
This command first appeared in Cisco IOS Release 11.2.
Use this command to specify DSS public keys of peer encrypting routers, instead of using the crypto key exchange dss passive and crypto key exchange dss commands. The administrator of the peer router can provide the exact values for the key-name, serial-number, and hex-key-data command arguments. The administrator of the peer router can discover these values by performing the show crypto key mypubkey dss command at the peer router.
The following example specifies the DSS public key of a peer encrypting router:
Router1(config)# crypto key pubkey-chain dss
Router1(config-pubkey)# named-key router.domain.com
Router1(config-pubkey)# serial-number 03259625
Router1(config-pubkey)# key-string 8F1440B9 4C860989 8791A12B 69746E27 307ACACB 62915B02 0261B58F 1F7ABB10 90CE70A9 08F86652 16B52064 37C857D4 7066DAA3 7FC33212 445275EE 542DCD06
Router1(config-pubkey)# quit
Router1(config)# exit
Router1#
%SYS-5-CONFIG_I: Configured from console by console
Router1# show crypto key pubkey-chain dss name router.domain.com
Key name: router.domain.com
Serial number: 03259625
Usage: Signature Key
Source: Manually entered
Data:
 8F1440B9 4C860989 8791A12B 69746E27 307ACACB 62915B02 0261B58F 1F7ABB10
 90CE70A9 08F86652 16B52064 37C857D4 7066DAA3 7FC33212 445275EE 542DCD06
Router1#
You can use the master indexes or search online to find documentation of related commands.
crypto key exchange dss
crypto key exchange dss passive
show crypto key mypubkey dss
show crypto key pubkey-chain dss
The crypto cisco key-timeout command replaces this command. Refer to the description of the crypto cisco key-timeout command for more information.
To delete the Digital Signature Standard (DSS) public/private key pair of a crypto engine, use the crypto key zeroize dss global configuration command.
crypto key zeroize dss [slot | rsm | vip]
Caution: DSS keys cannot be recovered after they have been removed. Use this command only after careful consideration.
slot | (Optional) Identifies the crypto engine. This argument is available only on Cisco 7200, RSP7000, and 7500 series routers. If no slot is specified, the Cisco IOS crypto engine will be selected. Use the chassis slot number of the crypto engine location. For the Cisco IOS crypto engine, this is the chassis slot number of the Route Switch Processor (RSP). For the VIP2 crypto engine, this is the chassis slot number of the VIP2. For the ESA crypto engine, this is the chassis slot number of the ESA (Cisco 7200) or of the VIP2 (Cisco RSP7000 and 7500). |
rsm | (Optional) This keyword is only available on the Cisco Catalyst 5000 series switch. It identifies the Route Switch Module on the Cisco Catalyst 5000 series switch. |
vip | (Optional) This keyword is only available on the Cisco Catalyst 5000 series switch. It identifies the Versatile Interface Processor on the Cisco Catalyst 5000 series switch. |
DSS public/private keys will remain valid indefinitely.
Global configuration
This command first appeared in Cisco IOS Release 11.2. The rsm and vip keywords were added in Cisco IOS Release 12.0.
If you choose to stop using encryption on a router, completely or for a specific crypto engine, you may delete the public/private DSS key pair(s) for your router's crypto engine(s). However, after you delete them, you cannot use that crypto engine for any encrypted sessions with peer routers, unless you regenerate and re-exchange new DSS keys. If only one crypto engine is configured at your router, issuing this command will prevent you from performing any encryption at the router.
This command can be used if you lose the password required to complete the crypto card clear-latch or crypto key generate dss commands. After using the crypto key zeroize dss command, you will need to regenerate and re-exchange new DSS keys. You will be prompted to supply a new password when you regenerate new DSS keys with the crypto key generate dss command.
The following example deletes the DSS public/private key of a router named Router1, which is a Cisco 7500 series router with an RSP in slot 4:
Router1(config)# crypto key zeroize dss 4
Warning! Zeroize will remove your DSS signature keys.
Do you want to continue? [yes/no]: y
Keys to be removed are named Router1IOS.
Do you really want to remove these keys? [yes/no]: y
[OK]
Router1(config)#
The following example deletes the DSS public/private key on the RSM of a Cisco Catalyst 5000 series switch:
Router1(config)# crypto key zeroize dss rsm
Warning! Zeroize will remove your DSS signature keys.
Do you want to continue? [yes/no]: y
Keys to be removed are named Router1IOS.
Do you really want to remove these keys? [yes/no]: y
[OK]
Router1(config)#
You can use the master indexes or search online to find documentation of related commands.
cisco | (Default value) Indicates that CET will be used instead of IPSec for protecting the traffic specified by this newly specified crypto map entry. If you use this keyword, none of the IPSec-specific crypto map configuration commands will be available. Instead, the CET-specific commands will be available. |
map-name | The name you assign to the crypto map set. |
seq-num | The number you assign to the crypto map entry. See additional explanation for using this argument in the "Usage Guidelines" section. |
No crypto maps exist.
Global configuration.
Performing this command invokes the crypto map configuration command mode.
This command first appeared in Cisco IOS Release 11.2. The cisco keyword was added in Cisco IOS Release 11.3 T.
This command is also documented in the chapter "IPSec Network Security Commands" where it has slightly different functionality.
Use this command to create a new crypto map definition, or to modify an existing crypto map definition. Crypto maps link together definitions of encryption access lists, peer routers, and Data Encryption Standard (DES) algorithms. A crypto map must later be applied to an interface for the definitions to take effect; this is done using the crypto map (interface configuration) command.
When you issue the crypto map (global configuration) command, the router will invoke the crypto map configuration command mode. While in this mode, you will specify the crypto map definitions. Crypto map configuration command mode commands are used to create these definitions.
A crypto map definition must have three parts. First, you specify which remote peer encrypting router (crypto engine) will provide the far-end encryption services (the remote encryption end-point). This is accomplished using the set peer command. Next, you specify which encryption access list(s) will participate in encryption services with the peer router. This is accomplished using the match address command. Finally, you specify which DES algorithm(s) to apply to the encrypted packets in the access list. This is accomplished using either the set algorithm 40-bit-des command or the set algorithm des command.
Because only one crypto map can be applied to a given interface, the seq-num argument provides a way to create several distinct definition sets that coexist within a single crypto map. Figure 3 illustrates the sequence number concept.
Having multiple distinct definition sets is useful if one router port will provide the encryption interface to more than one peer router.
A crypto map set is a collection of crypto map entries each with a different seq-num but the same map-name. Therefore, for a given interface, you could have certain traffic forwarded to one IPSec peer with specified security applied to that traffic, and other traffic forwarded to the same or a different IPSec peer with different IPSec security applied. To accomplish this you would create two crypto maps, each with the same map-name, but each with a different seq-num. A crypto map set can include a combination of CET and IPSec crypto map entries.
The number you assign to the seq-num argument should not be arbitrary. This number is used to rank multiple crypto map entries within a crypto map set. Within a crypto map set, a crypto map entry with a lower seq-num is evaluated before a map entry with a higher seq-num; that is, the map entry with the lower number has a higher priority.
For example, imagine there is a crypto map set that contains three crypto map entries: mymap 10, mymap 20, and mymap 30. The crypto map set named mymap is applied to interface Serial 0. When traffic passes through the Serial 0 interface, the traffic is evaluated first for mymap 10. If the traffic matches a permit entry in the extended access list in mymap 10, the traffic will be processed according to the information defined in mymap 10 (including establishing IPSec security associations or CET connections when necessary). If the traffic does not match the mymap 10 access list, the traffic will be evaluated for mymap 20, and then mymap 30, until the traffic matches a permit entry in a map entry. If the traffic does not match a permit entry in any crypto map entry, it will be forwarded without any CET (or IPSec) security.
The following example creates a crypto map and defines the map parameters:
Router1(config)# crypto map Research 10
Router1(config-crypto-map)# set peer Router2ESA.HQ
Router1(config-crypto-map)# set algorithm des cfb-8
Router1(config-crypto-map)# match address 101
Router1(config-crypto-map)# exit
Router1(config)#
You can use the master indexes or search online to find documentation of related commands.
crypto map (interface configuration)
match address
set algorithm 40-bit-des
set algorithm des
set peer
show crypto map
show crypto mypubkey
To apply a previously defined crypto map to an interface, use the crypto map interface configuration command. Use the no form of the command to remove the crypto map from the interface.
crypto map map-name
map-name | The name which identifies the crypto map. This is the name assigned when the crypto map was created. When the no form of the command is used, this argument is optional. Any value supplied for the argument is ignored. |
No crypto maps are assigned to interfaces.
Interface configuration
This command first appeared in Cisco IOS Release 11.2.
This command is also documented in the chapter "IPSec Network Security Commands."
Use this command to assign a crypto map set to an interface. You must assign a crypto map set to an interface before that interface can provide CET or IPSec services. Only one crypto map set can be assigned to an interface. If multiple crypto map entries have the same map-name but a different seq-num, they are considered to be part of the same set and will all be applied to the interface. The crypto map entry with the lowest seq-num is considered the highest priority and will be evaluated first.
The following example assigns crypto map set "mymap" to the S0 interface. When traffic passes through S0, the traffic will be evaluated against all the crypto map entries in the "mymap" set. When outbound traffic matches an access list in one of the "mymap" crypto map entries, a security association (if IPSec) or CET connection (if CET) will be established per that crypto map entry's configuration (if no security association or connection already exists).
interface S0
 crypto map mymap
You can use the master indexes or search online to find documentation of related commands.
crypto map (global configuration)
show crypto map
The crypto cisco pregen-dh-pairs command replaces this command. Refer to the description of the crypto cisco pregen-dh-pairs command for more information.
The crypto key pubkey-chain dss command replaces this command. Refer to the description of the crypto key pubkey-chain dss command for more information.
The crypto cisco connections command replaces this command. Refer to the description of the crypto cisco connections command for more information.
The crypto cisco entities command replaces this command. Refer to the description of the crypto cisco entities command for more information.
The crypto key zeroize dss command replaces this command. Refer to the description of the crypto key zeroize dss command for more information.
To set conditions for a named encryption access list, use the deny access-list configuration command. The deny command prevents IP traffic from being encrypted/decrypted if the conditions are matched. Use the no form of this command to remove a deny condition from an encryption access list.
deny source [source-wildcard]
For ICMP, you can also use the following syntax:
deny icmp source source-wildcard destination destination-wildcard [icmp-type [icmp-code] |
For IGMP, you can also use the following syntax:
deny igmp source source-wildcard destination destination-wildcard [igmp-type]
For TCP, you can also use the following syntax:
deny tcp source source-wildcard [operator port [port]] destination destination-wildcard
For UDP, you can also use the following syntax:
deny udp source source-wildcard [operator port [port]] destination destination-wildcard
source | Number of the network or host from which the packet is being sent. There are two alternative ways to specify the source: |
source-wildcard | (Optional) Wildcard bits to be applied to the source. There are two alternative ways to specify the source wildcard: |
protocol | Name or number of an IP protocol. It can be one of the keywords eigrp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, tcp, or udp, or an integer in the range 0 through 255 representing an IP protocol number. To match any Internet protocol (including ICMP, TCP, and UDP), use the keyword ip. Some protocols allow further qualifiers described later. |
source | Number of the network or host from which the packet is being sent. There are three alternative ways to specify the source: |
source-wildcard | Wildcard bits to be applied to source. There are three alternative ways to specify the source wildcard: |
destination | Number of the network or host to which the packet is being sent. There are three alternative ways to specify the destination: |
destination-wildcard | Wildcard bits to be applied to the destination. There are three alternative ways to specify the destination wildcard: |
precedence precedence | (Optional) Packets can be matched for encryption by precedence level, as specified by a number from 0 to 7 or by name as listed in the "Usage Guidelines" section of the access-list (encryption) command. |
tos tos | (Optional) Packets can be matched for encryption by type of service level, as specified by a number from 0 to 15 or by name as listed in the "Usage Guidelines" section of the access-list (encryption) command. |
icmp-type | (Optional) ICMP packets can be matched for encryption by ICMP message type. The type is a number from 0 to 255. |
icmp-code | (Optional) ICMP packets which are matched for encryption by ICMP message type can also be matched by the ICMP message code. The code is a number from 0 to 255. |
icmp-message | (Optional) ICMP packets can be matched for encryption by an ICMP message type name or ICMP message type and code name. The possible names are found in the "Usage Guidelines" section of the access-list (encryption) command. |
igmp-type | (Optional) IGMP packets can be matched for encryption by IGMP message type or message name. A message type is a number from 0 to 15. IGMP message names are listed in the "Usage Guidelines" section of the access-list (encryption) command. |
operator | (Optional) Compares source or destination ports. Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range). If the operator is positioned after the source and source-wildcard, it must match the source port. If the operator is positioned after the destination and destination-wildcard, it must match the destination port. The range operator requires two port numbers. All other operators require one port number. |
port | (Optional) The decimal number or name of a TCP or UDP port. A port number is a number from 0 to 65,535. TCP and UDP port names are listed in the "Usage Guidelines" section of the access-list (encryption) command. TCP port names can only be used when filtering TCP. UDP port names can only be used when filtering UDP. |
established | (Optional) For the TCP protocol only: Indicates an established connection. A match occurs if the TCP datagram has the ACK or RST bits set. The nonmatching case is that of the initial TCP datagram to form a connection. |
log | (Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.) The message includes the access list number, whether the packet was permitted or denied; the protocol, whether it was TCP, UDP, ICMP or a number; and, if appropriate, the source and destination addresses and source and destination port numbers. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval. |
There is no specific condition under which a packet is prevented from being encrypted/decrypted. However, if a packet does not match any deny or permit command statements, the packet will not be encrypted/decrypted. (See the "Usage Guidelines" section that follows for more information about matching encryption access list conditions.)
Access-list configuration
This command first appeared in Cisco IOS Release 11.2.
Use this command to specify conditions under which a packet will not be encrypted/decrypted. Use this command after you use the ip access-list extended (encryption) command.
After a named encryption access list is fully specified using permit and deny commands, the encryption access list must be specified in a crypto map, and the crypto map must be applied to an interface. After this is accomplished, packets will be either encrypted/decrypted or not encrypted/decrypted at the router depending on the conditions defined within the permit and deny commands.
If a packet matches the conditions in any deny command, the packet will not be encrypted/decrypted. Also, if a packet does not match any conditions in either a deny or a permit command, the packet will not be encrypted/decrypted. This occurs because all encryption access lists contain an implicit "deny" ("do not encrypt/decrypt") statement at the end of the list.
1. Example of an Inappropriately Configured Access List
This first example shows a named encryption access list configured in an inappropriate way. After this list is applied to an interface using a crypto map, no UDP traffic will be encrypted. This occurs even though there are permit commands.
```
ip access-list extended Router1cryptomap10
 deny UDP any any
 permit UDP 192.168.33.145 0.0.0.15 172.31.0.0 0.0.255.255
 permit UDP 192.168.33.145 0.0.0.15 10.0.0.0 0.255.255.255
```
2. Another Example of an Inappropriately Configured Access List
The second example shows another inappropriate configuration for an encryption access list. This example will cause the router to encrypt all UDP traffic leaving the interface, including traffic to routers not configured for encryption. When this happens, the router will attempt to set up an encryption session with a non-encrypting router.
```
ip access-list extended Router1cryptomap10
 permit UDP 192.168.33.145 0.0.0.15 172.31.0.0 0.0.255.255
 permit UDP 192.168.33.145 0.0.0.15 10.0.0.0 0.255.255.255
 permit UDP any any
```
3. Example of a Correctly Configured Access List
The third example will encrypt/decrypt only traffic that matches the source and destination addresses defined in the two permit statements. All other traffic will not be encrypted/decrypted.
```
ip access-list extended Router1cryptomap10
 permit UDP 192.168.33.145 0.0.0.15 172.31.0.0 0.0.255.255
 permit UDP 192.168.33.145 0.0.0.15 10.0.0.0 0.255.255.255
```
You can use the master indexes or search online to find documentation of related commands.
access-list (encryption)
ip access-list extended (encryption)
permit
show ip access-list
To define an encryption access list by name, use the ip access-list extended global configuration command. Use the no form of this command to remove a named encryption access list.
ip access-list extended name
name | Name of the encryption access list. Names cannot contain a space or quotation mark, and must begin with an alphabetic character to prevent ambiguity with numbered access lists. |
There is no named encryption access list.
Global configuration
This command invokes the access-list configuration command mode.
This command first appeared in Cisco IOS Release 11.2.
Use this command to configure a named IP access list (as opposed to a numbered IP access list). This command will take you into access-list configuration mode. From this mode you use the deny and permit commands to define the conditions for which traffic will be encrypted/decrypted or not encrypted/decrypted.
To use the encryption access list, you must first specify the access list in a crypto map definition, and then apply the crypto map to an interface.
1. Example of an Inappropriately Configured Access List
The first example shows a named encryption access list configured in an inappropriate way. After this list is applied to an interface using a crypto map, no UDP traffic will be encrypted. This occurs even though there are permit commands.
```
ip access-list extended Router1cryptomap10
 deny UDP any any
 permit UDP 192.168.33.145 0.0.0.15 172.31.0.0 0.0.255.255
 permit UDP 192.168.33.145 0.0.0.15 10.0.0.0 0.255.255.255
```
2. Another Example of an Inappropriately Configured Access List
The second example shows another inappropriate configuration for an encryption access list. This example will cause the router to encrypt all UDP traffic leaving the interface, including traffic to routers not configured for encryption. When this happens, the router will attempt to set up an encryption session with a non-encrypting router.
```
ip access-list extended Router1cryptomap10
 permit UDP 192.168.33.145 0.0.0.15 172.31.0.0 0.0.255.255
 permit UDP 192.168.33.145 0.0.0.15 10.0.0.0 0.255.255.255
 permit UDP any any
```
3. Example of a Correctly Configured Access List
The third example will encrypt/decrypt only traffic that matches the source and destination addresses defined in the two permit statements. All other traffic will not be encrypted/decrypted.
```
ip access-list extended Router1cryptomap10
 permit UDP 192.168.33.145 0.0.0.15 172.31.0.0 0.0.255.255
 permit UDP 192.168.33.145 0.0.0.15 10.0.0.0 0.255.255.255
```
You can use the master indexes or search online to find documentation of related commands.
access-list (encryption)
crypto map (global configuration)
crypto map (interface configuration)
deny
ip access-list (used for traffic filtering purposes)
permit
show ip access-list
access-list-id | (Optional) Identifies the extended access list by its name or number. This value should match the access-list-number or name argument of the extended access list being matched. |
name | (Optional) Identifies the named encryption access list. This name should match the name argument of the named encryption access list being matched. |
No access lists are matched to the crypto map entry.
Crypto map configuration
This command first appeared in Cisco IOS Release 11.2.
This command is also documented in the chapter "IPSec Network Security Commands."
This command is required for all static crypto map entries. If you are defining a dynamic crypto map entry (with the crypto dynamic-map command), this command is not required but is strongly recommended.
Use this command to assign an extended access list to a crypto map entry. You also need to define this access list using the access-list or ip access-list extended commands.
The extended access list specified with this command will be used by IPSec (or CET, depending on the setting of the crypto map entry) to determine which traffic should be protected by crypto and which traffic does not need crypto protection. (Traffic that is permitted by the access list will be protected. Traffic that is denied by the access list will not be protected in the context of the corresponding crypto map entry.)
The crypto access list specified by this command is used when evaluating both inbound and outbound traffic. Outbound traffic is evaluated against the crypto access lists specified by the interface's crypto map entries to determine if it should be protected by crypto and if so (if traffic matches a permit entry) which crypto policy applies. (If necessary, in the case of static IPSec crypto maps, new security associations are established using the data flow identity as specified in the permit entry; in the case of CET, new connections are established; in the case of dynamic crypto map entries, if no SA exists, the packet is dropped.) After passing the regular access lists at the interface, inbound traffic is evaluated against the crypto access lists specified by the entries of the interface's crypto map set to determine if it should be protected by crypto and, if so, which crypto policy applies. (In the case of IPSec, unprotected traffic is discarded because it should have been protected by IPSec; in the case of CET, the traffic is decrypted even though it was never encrypted.)
In the case of IPSec, the access list is also used to identify the flow for which the IPSec security associations are established. In the outbound case, the permit entry is used as the data flow identity (in general), while in the inbound case the data flow identity specified by the peer must be "permitted" by the crypto access list.
The following example creates a crypto map and defines an encryption access list for the map:
```
Router1(config)# crypto map Research 10
Router1(config-crypto-map)# match address 101
```
You can use the master indexes or search online to find documentation of related commands.
access-list (encryption)
crypto map (global configuration)
ip access-list extended (encryption)
show crypto map
To set conditions for a named encryption access list, use the permit access-list configuration command. The permit command causes IP traffic to be encrypted/decrypted if the conditions are matched. Use the no form of this command to remove a permit condition from an encryption access list.
permit source [source-wildcard]
For ICMP, you can also use the following syntax:
permit icmp source source-wildcard destination destination-wildcard [icmp-type [icmp-code] | icmp-message]
For IGMP, you can also use the following syntax:
permit igmp source source-wildcard destination destination-wildcard [igmp-type]
For TCP, you can also use the following syntax:
permit tcp source source-wildcard [operator port [port]] destination destination-wildcard
For UDP, you can also use the following syntax:
permit udp source source-wildcard [operator port [port]] destination destination-wildcard
source | Number of the network or host from which the packet is being sent. There are two alternative ways to specify the source: |
source-wildcard | (Optional) Wildcard bits to be applied to the source. There are two alternative ways to specify the source wildcard: |
protocol | Name or number of an IP protocol. It can be one of the keywords eigrp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, tcp, or udp, or an integer in the range 0 through 255 representing an IP protocol number. To match any Internet protocol (including ICMP, TCP, and UDP), use the keyword ip. Some protocols allow further qualifiers described later. |
source | Number of the network or host from which the packet is being sent. There are three alternative ways to specify the source: |
source-wildcard | Wildcard bits to be applied to the source. There are three alternative ways to specify the source wildcard: |
destination | Number of the network or host to which the packet is being sent. There are three alternative ways to specify the destination: |
destination-wildcard | Wildcard bits to be applied to the destination. There are three alternative ways to specify the destination wildcard: |
precedence precedence | (Optional) Packets can be matched for encryption by precedence level, as specified by a number from 0 to 7 or by name as listed in the "Usage Guidelines" section of the access-list (encryption) command. |
tos tos | (Optional) Packets can be matched for encryption by type of service level, as specified by a number from 0 to 15 or by name as listed in the "Usage Guidelines" section of the access-list (encryption) command. |
icmp-type | (Optional) ICMP packets can be matched for encryption by ICMP message type. The type is a number from 0 to 255. |
icmp-code | (Optional) ICMP packets which are matched for encryption by ICMP message type can also be matched by the ICMP message code. The code is a number from 0 to 255. |
icmp-message | (Optional) ICMP packets can be matched for encryption by an ICMP message type name or ICMP message type and code name. The possible names are found in the "Usage Guidelines" section of the access-list (extended) command. |
igmp-type | (Optional) IGMP packets can be matched for encryption by IGMP message type or message name. A message type is a number from 0 to 15. IGMP message names are listed in the "Usage Guidelines" section of the access-list (extended) command. |
operator | (Optional) Compares source or destination ports. Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range). If the operator is positioned after the source and source-wildcard, it must match the source port. If the operator is positioned after the destination and destination-wildcard, it must match the destination port. The range operator requires two port numbers. All other operators require one port number. |
port | (Optional) The decimal number or name of a TCP or UDP port. A port number is a number from 0 to 65535. TCP and UDP port names are listed in the "Usage Guidelines" section of the access-list (extended) command. TCP port names can only be used when filtering TCP. UDP port names can only be used when filtering UDP. |
established | (Optional) For the TCP protocol only: Indicates an established connection. A match occurs if the TCP datagram has the ACK or RST bits set. The nonmatching case is that of the initial TCP datagram to form a connection. |
log | (Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.) The message includes the access list number, whether the packet was permitted or denied; the protocol, whether it was TCP, UDP, ICMP or a number; and, if appropriate, the source and destination addresses and source and destination port numbers. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval. |
There is no specific condition under which a packet is caused to be encrypted/decrypted. However, if a packet does not match any deny or permit command statements, the packet will not be encrypted/decrypted. (See the "Usage Guidelines" section for more information about matching encryption access list conditions.)
Access-list configuration
This command first appeared in Cisco IOS Release 11.2.
Use this command following the ip access-list extended (encryption) command to specify conditions under which a packet will be encrypted/decrypted.
After a named encryption access list is fully specified using permit and deny commands, the encryption access list must be specified in a crypto map, and the crypto map must be applied to an interface. After this is accomplished, packets will be either encrypted/decrypted or not encrypted/decrypted at the router depending on the conditions defined within the permit and deny commands.
If a packet matches the conditions in any permit command, the packet will be encrypted/decrypted. If a packet does not match any conditions in either a deny or a permit command, the packet will not be encrypted/decrypted. This occurs because all encryption access lists contain an implicit "deny" ("do not encrypt/decrypt") statement at the end of the list.
1. Example of an Inappropriately Configured Access List
The first example shows a named encryption access list configured in an inappropriate way. After this list is applied to an interface using a crypto map, no UDP traffic will be encrypted. This occurs even though there are permit commands.
```
ip access-list extended Router1cryptomap10
 deny UDP any any
 permit UDP 192.168.33.145 0.0.0.15 172.31.0.0 0.0.255.255
 permit UDP 192.168.33.145 0.0.0.15 10.0.0.0 0.255.255.255
```
2. Another Example of an Inappropriately Configured Access List
The second example shows another inappropriate configuration for an encryption access list. This example will cause the router to encrypt all UDP traffic leaving the interface, including traffic to routers not configured for encryption. When this happens, the router will attempt to set up an encryption session with a non-encrypting router.
```
ip access-list extended Router1cryptomap10
 permit UDP 192.168.33.145 0.0.0.15 172.31.0.0 0.0.255.255
 permit UDP 192.168.33.145 0.0.0.15 10.0.0.0 0.255.255.255
 permit UDP any any
```
3. Example of a Correctly Configured Access List
The third example will encrypt/decrypt only traffic that matches the source and destination addresses defined in the two permit statements. All other traffic will not be encrypted/decrypted.
```
ip access-list extended Router1cryptomap10
 permit UDP 192.168.33.145 0.0.0.15 172.31.0.0 0.0.255.255
 permit UDP 192.168.33.145 0.0.0.15 10.0.0.0 0.255.255.255
```
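The ordering rules behind these three examples (first match wins, every list ends in an implicit "do not encrypt" deny) and the mirrored inbound check described in the match address usage guidelines can be made concrete with a small evaluator. The Python below is an added example, not Cisco IOS code or output: it models the three lists above exactly as written, and the packet addresses it is evaluated against (192.168.33.150, 192.168.33.160, 172.31.4.4, 10.1.2.3, 203.0.113.9, 198.51.100.7) are constructed for the illustration.

```python
"""Evaluate Cisco encryption access lists the way the reference describes.

Added example in Python, not Cisco IOS code. Entries are tested top to
bottom, the first permit or deny that matches decides, and every list ends
in an implicit "do not encrypt" deny. A Cisco wildcard mask bit of 1 means
"ignore this address bit". The three lists below are the page's own
examples; the packet addresses used with them are constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def _wild_match(base: str, wildcard: str, addr: str) -> bool:
    """Bits under a wildcard 0 must equal the base; bits under a 1 are ignored."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(base) & care) == (_to_int(addr) & care)


@dataclass(frozen=True)
class Entry:
    action: str      # "permit" (encrypt/decrypt) or "deny" (leave in clear)
    proto: str       # "udp", "tcp", "icmp", ... or "ip" for any protocol
    src: str
    src_wild: str
    dst: str
    dst_wild: str

    def matches(self, proto: str, src: str, dst: str) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        return (_wild_match(self.src, self.src_wild, src)
                and _wild_match(self.dst, self.dst_wild, dst))


def _take_addr(tok: list[str]) -> tuple[str, str, list[str]]:
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D wildcard'."""
    if tok[0] == "any":
        return "0.0.0.0", "255.255.255.255", tok[1:]
    if tok[0] == "host":
        return tok[1], "0.0.0.0", tok[2:]
    return tok[0], tok[1], tok[2:]


def parse_acl(text: str) -> list[Entry]:
    """Parse the permit/deny lines of an 'ip access-list extended' block."""
    entries = []
    for raw in text.strip().splitlines():
        tok = raw.split()
        if not tok or tok[0] == "ip":            # skip the list header line
            continue
        action, proto, rest = tok[0].lower(), tok[1].lower(), tok[2:]
        src, src_w, rest = _take_addr(rest)
        dst, dst_w, rest = _take_addr(rest)
        entries.append(Entry(action, proto, src, src_w, dst, dst_w))
    return entries


def decide(acl: list[Entry], proto: str, src: str, dst: str) -> str:
    """Outbound decision: first matching entry wins, else the implicit deny."""
    for e in acl:
        if e.matches(proto, src, dst):
            return "encrypt" if e.action == "permit" else "do-not-encrypt"
    return "do-not-encrypt"


def inbound_flow_permitted(acl: list[Entry], proto: str, peer_src: str, peer_dst: str) -> bool:
    """Inbound check from the match address guidelines: the flow identity the
    peer offers (its src -> dst) must be permitted by our list once mirrored."""
    return decide(acl, proto, peer_dst, peer_src) == "encrypt"


EXAMPLE_1 = """
ip access-list extended Router1cryptomap10
 deny UDP any any
 permit UDP 192.168.33.145 0.0.0.15 172.31.0.0 0.0.255.255
 permit UDP 192.168.33.145 0.0.0.15 10.0.0.0 0.255.255.255
"""  # deny first: the permits are never reached, nothing is encrypted

EXAMPLE_2 = """
ip access-list extended Router1cryptomap10
 permit UDP 192.168.33.145 0.0.0.15 172.31.0.0 0.0.255.255
 permit UDP 192.168.33.145 0.0.0.15 10.0.0.0 0.255.255.255
 permit UDP any any
"""  # trailing permit any: all UDP is encrypted, even to non-encrypting peers

EXAMPLE_3 = """
ip access-list extended Router1cryptomap10
 permit UDP 192.168.33.145 0.0.0.15 172.31.0.0 0.0.255.255
 permit UDP 192.168.33.145 0.0.0.15 10.0.0.0 0.255.255.255
"""  # correct: only the two listed flows are encrypted

if __name__ == "__main__":
    for name, text in (("example 1", EXAMPLE_1), ("example 2", EXAMPLE_2), ("example 3", EXAMPLE_3)):
        acl = parse_acl(text)
        print(name, "in-scope flow:", decide(acl, "udp", "192.168.33.150", "172.31.4.4"),
              "| unrelated flow:", decide(acl, "udp", "203.0.113.9", "198.51.100.7"))
```

Running it shows example 1 leaving even the in-scope flow in the clear, example 2 encrypting the unrelated flow (the session-setup attempt to a non-encrypting router that the text warns about), and example 3 encrypting only the two defined flows. The wildcard 0.0.0.15 on 192.168.33.145 covers 192.168.33.144 through .159, so a host at .160 falls through to the implicit deny.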
You can use the master indexes or search online to find documentation of related commands.
access-list (encryption)
deny
ip access-list extended (encryption)
show ip access-list
To specify a 40-bit Data Encryption Standard (DES) algorithm type within a crypto map definition, use the set algorithm 40-bit-des crypto map configuration command. Use the no form of this command to disable a 40-bit DES algorithm type within a crypto map definition.
set algorithm 40-bit-des [cfb-8 | cfb-64]
cfb-8 | (Optional) Selects the 8-bit Cipher FeedBack (CFB) mode of the 40-bit DES algorithm. If no CFB mode is specified when the command is issued, 64-bit CFB mode is the default. |
cfb-64 | (Optional) Selects the 64-bit CFB mode of the 40-bit DES algorithm. If no CFB mode is specified when the command is issued, 64-bit CFB mode is the default. |
If no DES algorithm is specified within a crypto map, all globally enabled DES algorithms will be matched to the map by default. Refer to the crypto cisco algorithm 40-bit-des or crypto cisco algorithm des command descriptions to learn about globally enabling DES algorithms.
Crypto map configuration
This command first appeared in Cisco IOS Release 11.2.
Use this command to specify 40-bit DES algorithm types for a given crypto map definition. Forty-bit DES algorithms use a 40-bit DES key. The DES algorithms specified within a crypto map definition will be used to encrypt/decrypt all traffic at an interface when the crypto map is applied to the interface.
The following example defines a 40-bit DES algorithm type for a crypto map:
```
Router1(config)# crypto map Research 10
Router1(config-crypto-map)# set algorithm 40-bit-des cfb-8
```
You can use the master indexes or search online to find documentation of related commands.
crypto map (global configuration)
set algorithm des
show crypto map
show crypto mypubkey
To enable basic Data Encryption Standard (DES) algorithm types within a crypto map definition, use the set algorithm des crypto map configuration command. Use the no form of this command to disable a basic DES algorithm type within a crypto map definition.
set algorithm des [cfb-8 | cfb-64]
cfb-8 | (Optional) Selects the 8-bit Cipher FeedBack (CFB) mode of the basic DES algorithm. If no CFB mode is specified when the command is issued, 64-bit CFB mode is the default. |
cfb-64 | (Optional) Selects the 64-bit CFB mode of the basic DES algorithm. If no CFB mode is specified when the command is issued, 64-bit CFB mode is the default. |
If no DES algorithm is specified within a crypto map, all globally enabled DES algorithms will be matched to the map by default. Refer to the crypto cisco algorithm 40-bit-des or crypto cisco algorithm des command descriptions to learn about globally enabling DES algorithms.
Crypto map configuration
This command first appeared in Cisco IOS Release 11.2.
Use this command to specify basic DES algorithm types for a given crypto map definition. Basic DES algorithms use a 56-bit DES key. The DES algorithms specified within a crypto map definition will be used to encrypt/decrypt all traffic at an interface when the crypto map is applied to the interface.
The following example defines a DES algorithm type for a crypto map:
```
Router1(config)# crypto map Research 10
Router1(config-crypto-map)# set algorithm des cfb-8
```
You can use the master indexes or search online to find documentation of related commands.
crypto map (global configuration)
set algorithm 40-bit-des
show crypto map
show crypto mypubkey
To specify a peer encrypting router within a crypto map definition, use the set peer crypto map configuration command. Use the no form of this command to eliminate a peer encrypting router from a crypto map definition.
set peer key-name
key-name | Identifies the crypto engine of the peer encrypting router. |
No peer is defined by default.
Crypto map configuration
This command first appeared in Cisco IOS Release 11.2.
This command is also documented in the chapter "IPSec Network Security Commands" where it has slightly different functionality.
Use this command to specify a peer encrypting router as the remote encryption route endpoint for a given crypto map definition.
The following example creates a crypto map and defines a peer router for the map:
```
Router1(config)# crypto map Research 10
Router1(config-crypto-map)# set peer Router2ESA.HQ
```
You can use the master indexes or search online to find documentation of related commands.
crypto map (global configuration)
show crypto map
show crypto mypubkey
The show crypto cisco algorithms command replaces this command. Refer to the description of the show crypto cisco algorithms command for more information.
To view the operational status of an Encryption Service Adapter (ESA), use the show crypto card privileged EXEC command. This command is available only on Cisco 7200, RSP7000, or 7500 series routers with an installed ESA.
show crypto card [slot | vip]
slot | (Optional) This argument is available only on Cisco 7200, RSP7000, and 7500 series routers. Identifies the ESA to show. Use the chassis slot number of the VIP2 containing the ESA. |
vip | (Optional) This keyword is only available on the Cisco Catalyst 5000 series switch. It identifies the Versatile Interface Processor on the Cisco Catalyst 5000 series switch. |
Privileged EXEC
This command first appeared in Cisco IOS Release 11.2. The vip keyword was added in Cisco IOS Release 12.0.
The following is sample output from the show crypto card command:
```
Router1# show crypto card 1
Crypto card in slot: 1
Tampered: No
Xtracted: No
Password set: Yes
DSS Key set: Yes
FW version:5049702
```
The following is sample output from the show crypto card command for the Versatile Interface Processor on a Cisco Catalyst 5000 series switch:
```
Router1# show crypto card vip
Crypto card in slot: vip
Tampered: No
Xtracted: No
Password set: Yes
DSS Key set: Yes
FW version:5049702
```
Table 20 explains each field.
| Field | Description |
|---|---|
Tampered | "Yes" indicates that somebody attempted to physically remove the tamper shield cover from the ESA card. Such an action causes the ESA card to clear its memory, similar to issuing the crypto key zeroize dss command for the ESA. |
Xtracted | "Yes" indicates that the ESA card had been extracted (removed) from the router. |
Password set | "Yes" indicates that the ESA card password has already been set. This password is set with the crypto card clear-latch or crypto key generate dss command, and is required for subsequent issues of the crypto card clear-latch and crypto key generate dss commands. |
DSS Key set | "Yes" indicates that DSS keys are generated and ready for use. DSS keys are generated using the crypto key generate dss command. |
FW version | Version number of the firmware running on the ESA card. |
To view which Data Encryption Standard (DES) algorithm types are globally enabled for your router, use the show crypto cisco algorithms privileged EXEC command. This displays all basic DES and 40-bit DES algorithm types globally enabled.
show crypto cisco algorithms
This command has no arguments or keywords.
Privileged EXEC
This command first appeared in Cisco IOS Release 11.2.
The following is sample output from the show crypto cisco algorithms command:
```
Router1# show crypto cisco algorithms
des cfb-8
```
You can use the master indexes or search online to find documentation of related commands.
crypto cisco algorithm 40-bit-des
crypto cisco algorithm des
To view current and pending encrypted session connections, use the show crypto cisco connections privileged EXEC command.
show crypto cisco connections
This command has no arguments or keywords.
Privileged EXEC
This command first appeared in Cisco IOS Release 11.2.
The following is sample output from the show crypto cisco connections command:
```
Router1# show crypto cisco connections

Pending Connection Table
             PE            UPE              Timestamp  Conn_id
  172.21.115.22  172.21.115.18   Mar 01 1993 00:01:09       -1

Connection Table
             PE            UPE  Conn_id  New_id  Alg           Time
  172.21.115.22  172.21.115.18       -1       1  DES_56_CFB64  Not Set
  flags:PEND_CONN
```
Table 21 explains each field.
| Field | Description |
|---|---|
PE | "Protected Entity." This shows a representative source IP address as specified in the crypto map's encryption access list. This IP address can be any host that matches a source in the encryption access list being used in the connection. |
UPE | "Unprotected Entity." This shows a representative destination IP address as specified in the crypto map's encryption access list. This IP address can be any host that matches a destination in the encryption access list that is being used in the connection. |
Timestamp | Identifies the time when the connection was initiated. |
Conn_id | A number used to identify and track the connection. This can be a positive integer value from 1 to 299, or any negative integer value. Each connection is assigned a negative connection-id when the connection is pending (being set up). Once the connection is established, a positive connection-id is assigned to the connection. |
New_id | Lists the connection-id number that will be assigned to a connection, after the connection is set up. The New_id value will be a positive number from 0 to 299. If the New_id value is 0, there is no pending connection. If the New_id value is a positive integer, a connection is pending. As soon as the pending connection has been established, the New_id value will be transferred to the Conn_id for the established connection, and New_id will be reset to 0. |
Alg | Identifies the DES encryption algorithm used for the current connection: DES_56_CFB8 = basic DES (56-bit) with 8-bit Cipher FeedBack (CFB); DES_56_CFB64 = basic DES (56-bit) with 64-bit CFB; DES_40_CFB8 = 40-bit DES with 8-bit CFB; DES_40_CFB64 = 40-bit DES with 64-bit CFB; Unknown = no connection. |
Time | Identifies the time when the connection was initiated. |
flags | PEND_CONN = identifies the table entry as a pending connection; XCHG_KEYS = the connection has timed out, so before encrypted communication can resume the router must exchange DH numbers and generate a new session (DES) key; TIME_KEYS = the encrypted communication session is currently in progress (a session key is installed and the session is counting down to timeout); BAD_CONN = no existing or pending connection exists for this table entry; UNK_STATUS = invalid status (error). |
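To turn the field meanings above into something an operator can script against, here is an added Python example (not Cisco code) that parses the Connection Table and groups entries by the action they call for: still pending (negative Conn_id, non-zero New_id, or PEND_CONN), expired and waiting on a new DH exchange (XCHG_KEYS), protected only by a 40-bit key, or in an error state. The first table row is the page's own sample entry; the other two rows and the column spacing are constructed, as is the assumption that several flags on one line would be separated by commas or spaces.

```python
"""Parser and triage for 'show crypto cisco connections' output.

Added example, not Cisco code. It reads the Connection Table into records
and applies the meanings the field table gives: a negative Conn_id (or a
non-zero New_id, or PEND_CONN) means the connection is still being set up,
XCHG_KEYS means the session key has expired and a DH exchange is needed,
and the Alg name tells you whether a 40-bit or 56-bit DES key protects the
session. The first table row is the page's sample; the rest is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Conn:
    pe: str
    upe: str
    conn_id: int
    new_id: int
    alg: str
    time: str
    flags: list[str] = field(default_factory=list)

    @property
    def pending(self) -> bool:
        return self.conn_id < 0 or self.new_id != 0 or "PEND_CONN" in self.flags

    @property
    def forty_bit(self) -> bool:
        return self.alg.startswith("DES_40_")


SAMPLE = """\
Router1# show crypto cisco connections

Pending Connection Table
             PE            UPE              Timestamp  Conn_id
  172.21.115.22  172.21.115.18   Mar 01 1993 00:01:09       -1

Connection Table
             PE            UPE  Conn_id  New_id  Alg           Time
  172.21.115.22  172.21.115.18       -1       1  DES_56_CFB64  Not Set
  flags:PEND_CONN
  172.21.115.30  172.21.115.26        2       0  DES_56_CFB64  Mar 01 1993 00:05:12
  flags:TIME_KEYS
  172.21.115.34  172.21.115.40        3       0  DES_40_CFB8   Mar 01 1993 00:02:40
  flags:XCHG_KEYS
"""


def parse_connections(output: str) -> list[Conn]:
    """Return one Conn per Connection Table row, with its flags attached."""
    conns: list[Conn] = []
    in_table = False
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Connection Table"):
            in_table = True
            continue
        if not in_table or not line or line.startswith("PE "):
            continue                     # skip the pending table and headers
        if line.startswith("flags:"):
            if conns:                    # a flags line annotates the row above it
                conns[-1].flags = line[len("flags:"):].replace(",", " ").split()
            continue
        tok = line.split()
        # PE, UPE, Conn_id, New_id, Alg are single tokens; Time may contain spaces
        conns.append(Conn(tok[0], tok[1], int(tok[2]), int(tok[3]), tok[4], " ".join(tok[5:])))
    return conns


def triage(conns: list[Conn]) -> dict[str, list[int]]:
    """Group connection ids by the operator action each state implies."""
    return {
        "pending": [c.conn_id for c in conns if c.pending],
        "needs_rekey": [c.conn_id for c in conns if "XCHG_KEYS" in c.flags],
        "forty_bit_des": [c.conn_id for c in conns if c.forty_bit],
        "bad": [c.conn_id for c in conns
                if "BAD_CONN" in c.flags or "UNK_STATUS" in c.flags],
    }


if __name__ == "__main__":
    for bucket, ids in triage(parse_connections(SAMPLE)).items():
        print(f"{bucket:14s} {ids}")
```

A pending entry that never acquires a positive Conn_id is the symptom of the second inappropriate access list above (a session attempt to a peer that is not encrypting), so the "pending" bucket is worth watching over time, not just once.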
To view the current setting for the duration of encrypted sessions, use the show crypto cisco key-timeout privileged EXEC command.
show crypto cisco key-timeout
This command has no arguments or keywords.
Privileged EXEC
This command first appeared in Cisco IOS Release 11.2.
The following is sample output from the show crypto cisco key-timeout command:
```
Router1# show crypto cisco key-timeout
Session keys will be re-negotiated every 120 minutes.
```
You can use the master indexes or search online to find documentation of related commands.
To view the number of Diffie-Hellman (DH) number pairs currently generated, use the show crypto cisco pregen-dh-pairs privileged EXEC command.
show crypto cisco pregen-dh-pairs [slot | rsm | vip]
slot | (Optional) Identifies the crypto engine. This argument is available only on Cisco 7200, RSP7000, and 7500 series routers. If no slot is specified, the Cisco IOS crypto engine will be selected. Use the chassis slot number of the crypto engine location. For the Cisco IOS crypto engine, this is the chassis slot number of the Route Switch Processor (RSP). For the VIP2 crypto engine, this is the chassis slot number of the VIP2. For the ESA crypto engine, this is the chassis slot number of the ESA (Cisco 7200) or of the VIP2 (Cisco RSP7000 and 7500). |
rsm | (Optional) This keyword is only available on the Cisco Catalyst 5000 series switch. It identifies the Route Switch Module on the Cisco Catalyst 5000 series switch. |
vip | (Optional) This keyword is only available on the Cisco Catalyst 5000 series switch. It identifies the Versatile Interface Processor on the Cisco Catalyst 5000 series switch. |
Privileged EXEC
This command first appeared in Cisco IOS Release 11.2. The rsm and vip keywords were added in Cisco IOS Release 12.0.
The following is sample output from the show crypto cisco pregen-dh-pairs command:
```
Router1# show crypto cisco pregen-dh-pairs
Number of pregenerated DH pairs: 1
```
The number one shown in the output indicates that there is one DH number pair ready and available for the next encrypted connection.
The following is sample output from the show crypto cisco pregen-dh-pairs command for a Cisco Catalyst 5000 series switch:
```
Router1# show crypto cisco pregen-dh-pairs rsm
Number of pregenerated DH pairs for slot rsm: 1
```
The following is sample output from the show crypto cisco pregen-dh-pairs command (using the slot argument) for a Cisco 7500 series router:
```
Router1# show crypto cisco pregen-dh-pairs 2
Number of pregenerated DH pairs for slot 2: 1
```
If you do not enter a slot number on a Cisco 7500 series router, the default is the slot number of the RSP.
You can use the master indexes or search online to find documentation of related commands.
The show crypto cisco connections command replaces this command. Refer to the description of the show crypto cisco connections command for more information.
To view all crypto engines within a Cisco 7200, RSP7000, or 7500 series router, use the show crypto engine brief privileged EXEC command.
show crypto engine brief
This command has no arguments or keywords.
Privileged EXEC
This command first appeared in Cisco IOS Release 11.2.
This command is only available on Cisco 7200, RSP7000, and 7500 series routers.
The following is sample output from the show crypto engine brief command. In this example, the router has two crypto engines: a Cisco IOS crypto engine and an Encryption Service Adapter (ESA) crypto engine. Both crypto engines have Digital Signature Standard (DSS) keys generated.
```
Router1# show crypto engine brief
crypto engine name: Router1ESA
crypto engine type: ESA
crypto engine state: dss key generated
crypto firmware version: 5049702
crypto engine in slot: 1

crypto engine name: Router1IOS
crypto engine type: software
crypto engine state: dss key generated
crypto lib version: 2.0.0
crypto engine in slot: 4
```
Table 22 explains each field.
| Field | Description |
|---|---|
crypto engine name | Name of the crypto engine as assigned with the key-name argument in the crypto key generate dss command. |
crypto engine type | If "software" is listed, the crypto engine resides in either the Route Switch Processor (RSP) (the Cisco IOS crypto engine) or in a second-generation Versatile Interface Processor (VIP2). If "crypto card" or "ESA" is listed, the crypto engine is associated with an Encryption Service Adapter (ESA). |
crypto engine state | The state "installed" indicates that a crypto engine is located in the given slot, but is not configured for encryption. The state "dss key generated" indicates the crypto engine found in that slot has DSS keys already generated. In a Cisco 7200 series router, the state "installed (ESA pending)" indicates that the ESA crypto engine will be replaced with the Cisco IOS crypto engine as soon as it becomes available. |
crypto firmware version | Version number of the crypto firmware running on the ESA. |
crypto lib version | Version number of the crypto library running on the router. |
crypto engine in slot | Chassis slot number of the crypto engine. For the Cisco IOS crypto engine, this is the chassis slot number of the Route Switch Processor (RSP). For the VIP2 crypto engine, this is the chassis slot number of the VIP2. For the ESA crypto engine, this is the chassis slot number of the ESA (Cisco 7200) or of the VIP2 (Cisco RSP7000 and 7500). |
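Both show crypto card and show crypto engine brief print "field: value" lines, so one small parser covers the health checks an operator would script from the two field tables: tamper or extraction evidence on the ESA, a card without a password or DSS keys, and engines whose state is anything other than "dss key generated". This is an added Python example, not Cisco code; the "OK" samples are the page's own outputs, and the failure samples (a tampered card with no DSS keys, an engine still in the "installed" state) are constructed.

```python
"""Health checks over 'show crypto card' and 'show crypto engine brief'.

Added example, not Cisco code. Field names are those the reference
documents; CARD_OK and ENGINES_OK are the page's sample outputs, while
CARD_TAMPERED and ENGINES_PENDING are constructed failure cases.
"""
from __future__ import annotations


def parse_fields(output: str) -> list[tuple[str, str]]:
    """Return (field, value) pairs in order from 'Field: value' lines; the
    echoed command line has no colon and is skipped."""
    pairs = []
    for line in output.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        pairs.append((key.strip(), value.strip()))
    return pairs


def card_alerts(output: str) -> list[str]:
    """Conditions from the show crypto card field table that need action."""
    f = dict(parse_fields(output))
    alerts = []
    if f.get("Tampered") == "Yes":
        alerts.append("tamper shield removed: ESA memory (and DSS keys) cleared")
    if f.get("Xtracted") == "Yes":
        alerts.append("ESA was extracted from the router")
    if f.get("Password set") != "Yes":
        alerts.append("ESA password not set: card has not been initialised")
    if f.get("DSS Key set") != "Yes":
        alerts.append("no DSS keys: run crypto key generate dss before use")
    return alerts


def parse_engines(output: str) -> list[dict[str, str]]:
    """One dict per engine; a new record starts at each 'crypto engine name'."""
    engines: list[dict[str, str]] = []
    for key, value in parse_fields(output):
        if key == "crypto engine name":
            engines.append({})
        if engines:
            engines[-1][key] = value
    return engines


def engines_not_ready(output: str) -> list[str]:
    """Engines whose state is anything other than 'dss key generated'
    (for example 'installed' or 'installed (ESA pending)')."""
    return [e.get("crypto engine name", "?") for e in parse_engines(output)
            if e.get("crypto engine state") != "dss key generated"]


CARD_OK = """\
Router1# show crypto card 1
Crypto card in slot: 1
Tampered: No
Xtracted: No
Password set: Yes
DSS Key set: Yes
FW version:5049702
"""

CARD_TAMPERED = """\
Router1# show crypto card 1
Crypto card in slot: 1
Tampered: Yes
Xtracted: No
Password set: Yes
DSS Key set: No
FW version:5049702
"""

ENGINES_OK = """\
Router1# show crypto engine brief
crypto engine name: Router1ESA
crypto engine type: ESA
crypto engine state: dss key generated
crypto firmware version: 5049702
crypto engine in slot: 1

crypto engine name: Router1IOS
crypto engine type: software
crypto engine state: dss key generated
crypto lib version: 2.0.0
crypto engine in slot: 4
"""

# Constructed: the ESA is present but has not had DSS keys generated yet.
ENGINES_PENDING = ENGINES_OK.replace(
    "crypto engine type: ESA\ncrypto engine state: dss key generated",
    "crypto engine type: ESA\ncrypto engine state: installed")

if __name__ == "__main__":
    print("card:", card_alerts(CARD_TAMPERED))
    print("engines not ready:", engines_not_ready(ENGINES_PENDING))
```

A "Tampered: Yes" result is worth more than a log line: the field table says the card has already cleared its memory, so every crypto map peered to that ESA has lost its DSS key and will need crypto key generate dss and a fresh key exchange with its peers.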
You can use the master indexes or search online to find documentation of related commands.
show crypto engine configuration
To view the Cisco IOS crypto engine of your router, use the show crypto engine configuration privileged EXEC command.
show crypto engine configuration
This command has no arguments or keywords.
Privileged EXEC
This command first appeared in Cisco IOS Release 11.2.
The following is sample output from the show crypto engine configuration command for a Cisco 2500 series router:
Router1# show crypto engine configuration
engine name: Router1
engine type: software
serial number: 01709642
platform: rp crypto engine
Encryption Process Info:
input queue top: 75
input queue bot: 75
input queue count: 0
The following is sample output from the show crypto engine configuration command for a Cisco 7500 series router:
Router2# show crypto engine configuration
engine name: Router2IOS
engine type: software
serial number: 02863239
platform: rsp crypto engine
Encryption Process Info:
input queue top: 44
input queue bot: 44
input queue count: 0
Table 23 explains each field.
| Field | Description |
|---|---|
| engine name | Name of the crypto engine as assigned with the key-name argument in the crypto key generate dss command. |
| engine type | Should always display "software." |
| serial number | Serial number of the Route Processor or Route Switch Processor. |
| platform | If the router is a Cisco RSP7000 or 7500 series router, this field will display "rsp crypto engine." If the router is a Cisco 7200 series router, this field will display "rp crypto engine." |
| input queue top (Encryption Process Info) | The queue location of the (inbound) packet next in line to be processed (decrypted). This packet will come off the top of the circular queue next. (This field is useful for debugging purposes.) |
| input queue bot (Encryption Process Info) | The queue location of the (inbound) packet last in line to be processed (decrypted). This packet is the most recently received and is queued at the bottom of the circular queue. (This field is useful for debugging purposes.) |
| input queue count (Encryption Process Info) | The total number of packets currently in the circular queue. These are inbound packets waiting for processing. (This field is useful for debugging purposes.) |
You can use the master indexes or search online to find documentation of related commands.
To view the current active encrypted session connections for all crypto engines, use the show crypto engine connections active privileged EXEC command.
show crypto engine connections active [slot | rsm | vip]
| Syntax | Description |
|---|---|
| slot | (Optional) Identifies the crypto engine. This argument is available only on Cisco 7200, RSP7000, and 7500 series routers. If no slot is specified, the Cisco IOS crypto engine will be selected. Use the chassis slot number of the crypto engine location. For the Cisco IOS crypto engine, this is the chassis slot number of the Route Switch Processor (RSP). For the VIP2 crypto engine, this is the chassis slot number of the VIP2. For the ESA crypto engine, this is the chassis slot number of the ESA (Cisco 7200) or of the VIP2 (Cisco RSP7000 and 7500). |
| rsm | (Optional) This keyword is only available on the Cisco Catalyst 5000 series switch. It identifies the Route Switch Module on the Cisco Catalyst 5000 series switch. |
| vip | (Optional) This keyword is only available on the Cisco Catalyst 5000 series switch. It identifies the Versatile Interface Processor on the Cisco Catalyst 5000 series switch. |
Privileged EXEC
This command first appeared in Cisco IOS Release 11.2. The rsm and vip keywords were added in Cisco IOS Release 12.0.
The following is sample output from the show crypto engine connections active command:
Router1# show crypto engine connections active
Connection Interface IP-Address State Algorithm Encrypt Decrypt
2 Ethernet0 172.21.114.9 set DES_56_CFB64 41 32
3 Ethernet1 172.29.13.2 set DES_56_CFB64 110 65
4 Serial0 172.17.42.1 set DES_56_CFB64 36 27
The following is sample output from the show crypto engine connections active command on a Cisco 7500 series router, where the VIP is in slot 4:
Router1# show crypto engine connections active 4
Connection Interface IP-Address State Algorithm Encrypt Decrypt
2 Ethernet0 172.21.114.9 set DES_56_CFB64 41 32
3 Ethernet1 172.29.13.2 set DES_56_CFB64 110 65
4 Serial0 172.17.42.1 set DES_56_CFB64 36 27
If you do not enter a slot number on a Cisco 7500 series router, the default is the slot number of the RSP.
The following is sample output from the show crypto engine connections active command on a Cisco Catalyst 5000 series switch:
Router1# show crypto engine connections active vip
Connection Interface IP-Address State Algorithm Encrypt Decrypt
2 Ethernet0 172.21.114.9 set DES_56_CFB64 41 32
3 Ethernet1 172.29.13.2 set DES_56_CFB64 110 65
4 Serial0 172.17.42.1 set DES_56_CFB64 36 27
If you do not enter a keyword on a Cisco Catalyst 5000 series switch, the default is rsm.
Table 24 explains each field.
| Field | Description |
|---|---|
| Connection | Identifies the connection by its number. Each active encrypted session connection is identified by a positive number from 1 to 299. These connection numbers correspond to the table entry numbers. |
| Interface | Identifies the interface involved in the encrypted session connection. This will display only the actual interface, not a subinterface (even if a subinterface is defined and used for the connection). |
| IP-Address | Identifies the IP address of the interface. Note that if a subinterface is used for the connection, this field will display "unassigned." |
| State | The state "set" indicates an active connection. |
| Algorithm | Identifies the Data Encryption Standard (DES) algorithm used to encrypt/decrypt packets at the interface. |
| Encrypt | Shows the total number of encrypted outbound IP packets. |
| Decrypt | Shows the total number of decrypted inbound IP packets. |
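Operators usually want this output checked rather than read: every row in state "set", no session reported on a subinterface ("unassigned" address), and the per-connection counters summed per crypto engine. The parser below is an added example, not Cisco code; it assumes the whitespace-separated column layout shown in the sample output above, and the transcript it parses is constructed from that sample. Field meanings follow Table 24.

```python
"""Parse `show crypto engine connections active` output and summarize it.

Added example (not Cisco's own code).  Assumes the whitespace-separated
column layout of the reference's sample output; the transcript below is
constructed from that sample.
"""
from dataclasses import dataclass
from typing import List

# Constructed transcript, copied from the reference's sample output.
SAMPLE_ACTIVE = """\
Router1# show crypto engine connections active
Connection Interface IP-Address State Algorithm Encrypt Decrypt
2 Ethernet0 172.21.114.9 set DES_56_CFB64 41 32
3 Ethernet1 172.29.13.2 set DES_56_CFB64 110 65
4 Serial0 172.17.42.1 set DES_56_CFB64 36 27
"""

HEADER = ("Connection", "Interface", "IP-Address", "State",
          "Algorithm", "Encrypt", "Decrypt")


@dataclass
class Connection:
    conn_id: int          # 1..299 per Table 24
    interface: str        # physical interface only, never a subinterface
    ip_address: str       # "unassigned" when a subinterface carries the session
    state: str            # "set" means an active connection
    algorithm: str        # DES variant as printed by the router
    encrypt: int          # outbound packets encrypted
    decrypt: int          # inbound packets decrypted


def parse_connections(text: str) -> List[Connection]:
    """Return the Connection rows that follow the column header line."""
    rows: List[Connection] = []
    seen_header = False
    for line in text.splitlines():
        fields = line.split()
        if not seen_header:
            seen_header = tuple(fields) == HEADER   # skip the prompt line
            continue
        if len(fields) != 7:
            continue                                # blank or unrelated text
        conn = Connection(int(fields[0]), fields[1], fields[2], fields[3],
                          fields[4], int(fields[5]), int(fields[6]))
        if not 1 <= conn.conn_id <= 299:            # range given in Table 24
            raise ValueError(f"connection id out of range: {conn.conn_id}")
        rows.append(conn)
    return rows


def summarize(conns: List[Connection]) -> dict:
    """Totals plus the checks a reviewer of this output would want:
    rows whose state is not "set", sessions carried by a subinterface
    (IP-Address printed as "unassigned"), and the algorithms in use."""
    return {
        "count": len(conns),
        "encrypt_total": sum(c.encrypt for c in conns),
        "decrypt_total": sum(c.decrypt for c in conns),
        "not_set": [c.conn_id for c in conns if c.state != "set"],
        "on_subinterface": [c.conn_id for c in conns
                            if c.ip_address == "unassigned"],
        "algorithms": sorted({c.algorithm for c in conns}),
    }


if __name__ == "__main__":
    print(summarize(parse_connections(SAMPLE_ACTIVE)))
```

The same parser handles the slot, rsm and vip forms of the command, since only the prompt line differs and the header line is what the parser keys on.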
You can use the master indexes or search online to find documentation of related commands.
show crypto engine connections dropped-packets
To view information about packets dropped during encrypted sessions for all router crypto engines, use the show crypto engine connections dropped-packets privileged EXEC command.
show crypto engine connections dropped-packets
This command has no arguments or keywords.
Privileged EXEC
This command first appeared in Cisco IOS Release 11.2.
The following is sample output from the show crypto engine connections dropped-packets command:
Router1# show crypto engine connections dropped-packets
Interface IP-Address Drop Count
Ethernet0/0 172.21.114.165 4
The Drop Count number indicates the total number of dropped packets for the lifetime of the crypto engine.
You can use the master indexes or search online to find documentation of related commands.
show crypto engine connections active
To view Digital Signature Standard (DSS) public keys (for all your router crypto engines) in hexadecimal form, use the show crypto key mypubkey dss EXEC command.
show crypto key mypubkey dss
This command has no arguments or keywords.
EXEC
This command first appeared in Cisco IOS Release 11.2.
The following is sample output from the show crypto key mypubkey dss command for a Cisco 2500 series router with a crypto engine called "Router1.branch":
Router1# show crypto key mypubkey dss
Key name: Router1
Serial number: 05706421
Usage: Signature Key
Key Data:
8F1440B9 4C860989 8791A12B 69746E27 307ACACB 62915B02 0261B58F 1F7ABB10
90CE70A9 08F86652 16B52064 37C857D4 7066DAA3 7FC33212 445275EE 542DCD06
You can use the master indexes or search online to find documentation of related commands.
show crypto key pubkey-chain dss
To view peer router Digital Signature Standard (DSS) public keys known to your router, use the show crypto key pubkey-chain dss EXEC command.
show crypto key pubkey-chain dss [name key-name | serial serial-number]
| Syntax | Description |
|---|---|
| name key-name | The name assigned when the DSS public key was created with the crypto key pubkey-chain dss command. |
| serial serial-number | The serial number of the encrypting router's public DSS key. |
EXEC
This command first appeared in Cisco IOS Release 11.2.
The following is sample output from the show crypto key pubkey-chain dss command:
Router1# show crypto key pubkey-chain dss
Codes: M - Manually configured
Code Usage Serial Number Name
M Signing 03259625 router1
The following is sample output from the show crypto key pubkey-chain dss command using the name keyword:
Router1# show crypto key pubkey-chain dss name router1
Key name: router1
Serial number: 03259625
Usage: Signature Key
Source: Manually entered
Data:
8F1440B9 4C860989 8791A12B 69746E27 307ACACB 62915B02 0261B58F 1F7ABB10
90CE70A9 08F86652 16B52064 37C857D4 7066DAA3 7FC33212 445275EE 542DCD06
The following is sample output from the show crypto key pubkey-chain dss command using the serial keyword:
Router1# show crypto key pubkey-chain dss serial 03259625
Key name: router1
Serial number: 03259625
Usage: Signature Key
Source: Manually entered
Data:
8F1440B9 4C860989 8791A12B 69746E27 307ACACB 62915B02 0261B58F 1F7ABB10
90CE70A9 08F86652 16B52064 37C857D4 7066DAA3 7FC33212 445275EE 542DCD06
You can use the master indexes or search online to find documentation of related commands.
crypto key exchange dss
crypto key generate dss
show crypto key pubkey-chain dss
The show crypto cisco key-timeout command replaces this command. Refer to the description of the show crypto cisco key-timeout command for more information.
To view the crypto map configuration, use the show crypto map privileged EXEC command.
show crypto map [interface interface | tag map-name]
| Syntax | Description |
|---|---|
| interface interface | (Optional) Shows only the crypto map set applied to the specified interface. |
| tag map-name | (Optional) Shows only the crypto map set with the specified map-name. |
If no keywords are used, all crypto maps configured at the router will be displayed.
Privileged EXEC
This command first appeared in Cisco IOS Release 11.2.
This command is also documented in the chapter "IPSec Network Security Commands" where it has slightly different functionality.
The following is sample output from the show crypto map command performed at a Cisco 2500 series router.
Router1# show crypto map
Crypto Map "Canada" 10
Connection Id = UNSET (2 established, 0 failed)
Crypto Engine = Router1IOS (2)
Algorithm = 40-bit-des cfb-64
Peer = Router2
PE = 172.21.114.9
UPE = 192.168.23.116
Extended IP access list 101
access-list 101 permit ip host 10.0.0.1 host 192.168.15.0
access-list 101 permit ip host 172.21.114.9 host 192.168.23.116
The following is sample output from the show crypto map command performed at a Cisco 7500 series router. Two crypto maps are shown: a crypto map named ResearchSite with subdefinitions 10 and 20, and another crypto map named HQ.
Router2# show crypto map
Crypto Map "ResearchSite" 10
Connection Id = 6 (6 established, 0 failed)
Crypto Engine = Router2IOS (4)
Algorithm = 40-bit-des cfb-64
Peer = Router1
PE = 192.168.15.0
UPE = 10.0.0.1
Extended IP access list 102
access-list 102 permit ip host 192.168.15.0 host 10.0.0.1
Crypto Map "ResearchSite" 20
Connection Id = UNSET (0 established, 0 failed)
Crypto Engine = Router2IOS (4)
Algorithm = 56-bit-des cfb-64
Peer = Router3
PE = 192.168.129.33
UPE = 172.21.114.165
Extended IP access list 103
access-list 103 permit ip host 192.168.129.33 host 172.21.114.165
Crypto Map "HQ" 10
Connection Id = UNSET (3 established, 0 failed)
Crypto Engine = Router2ESA (2)
Algorithm = 56-bit-des cfb-64
Peer = Eggplant
PE = 192.168.129.10
UPE = 10.1.2.3
Extended IP access list 104
access-list 104 permit ip host 192.168.129.10 host 10.1.2.3
The command output separately lists each crypto map subdefinition.
If more than one subdefinition exists for a crypto map, each subdefinition will be listed separately by sequence number (per the seq-num argument of the crypto map (global configuration) command). The sequence number is shown following the crypto map name.
Table 25 explains each field.
| Field | Description |
|---|---|
| Connection Id | Identifies the connection by its number. Each active encrypted session connection is identified by a positive number from 1 to 299. A value of UNSET indicates that no connection currently exists and is using the crypto map. |
| established | Indicates the total number of encrypted connections that have been successfully established using the crypto map. |
| failed | Indicates the total number of attempted encrypted connections that failed to be established while using the crypto map. |
| Crypto Engine | Lists the name of the governing crypto engine, followed by the crypto engine slot number in parentheses. The slot number could be the Route Switch Processor (RSP) slot number, indicating a Cisco IOS crypto engine, or a second-generation Versatile Interface Processor (VIP2) slot number, indicating a VIP2 or an ESA crypto engine, or (Cisco 7200 only) an ESA slot number, indicating an ESA crypto engine. (Not displayed on routers other than Cisco 7200, RSP7000, or 7500 series routers.) |
| Algorithm | Indicates the type of DES encryption algorithm used by the crypto map. |
| Peer | Indicates the name of the crypto map of the remote peer encrypting router. |
| PE | "Protected Entity." This shows a representative source IP address as specified in the crypto map's encryption access list. This IP address can be any host that matches a source in the encryption access list that is being used in the connection. |
| UPE | "Unprotected Entity." This shows a representative destination IP address as specified in the crypto map's encryption access list. This IP address can be any host that matches a destination in the encryption access list that is being used in the connection. |
| Extended IP access list | Lists the access list associated with the crypto map. If no access list is associated, the message "No matching address list set" is displayed. |
You can use the master indexes or search online to find documentation of related commands.
crypto map (global configuration)
crypto map (interface configuration)
The show crypto key mypubkey dss command replaces this command. Refer to the description of the show crypto key mypubkey dss command for more information.
The show crypto cisco pregen-dh-pairs command replaces this command. Refer to the description of the show crypto cisco pregen-dh-pairs command for more information.
The show crypto key pubkey-chain dss command replaces this command. Refer to the description of the show crypto key pubkey-chain dss command for more information.
The show crypto key pubkey-chain dss command replaces this command. Refer to the description of the show crypto key pubkey-chain dss command for more information.
The show crypto key pubkey-chain dss command replaces this command. Refer to the description of the show crypto key pubkey-chain dss command for more information.
To set up a test encryption session, use the test crypto initiate-session privileged EXEC command.
test crypto initiate-session src-ip-addr dst-ip-addr map-name seq-num
| Syntax | Description |
|---|---|
| src-ip-addr | IP address of source host. Should be included in an encryption access list definition as a valid IP address source address. |
| dst-ip-addr | IP address of destination host. Should be included in an encryption access list definition as a valid IP address destination address. |
| map-name | Names the crypto map to be used. |
| seq-num | Names the crypto map sequence number. |
Privileged EXEC
This command first appeared in Cisco IOS Release 11.2.
Use this command to set up a test encryption session. This command can be used after you have completed all the essential encryption configuration tasks for your router. After issuing this command, use the show crypto cisco connections command to verify the status of the connection just created.
The following example sets up and verifies a test encryption session.
"Router1" sets up a test encryption session with "Router2" and then views the connection status to verify a successful encrypted session connection.
Step 1 "Router1" sets up a test encryption connection with "Router2."
Router1# test crypto initiate-session 192.168.3.12 192.168.204.110 Router2ESA.TXbranch 10
Sending CIM to: 192.168.204.110 from: 192.168.3.12.
Connection id: -1
Notice the connection-id value is -1. A negative value indicates that the connection is being set up. (CIM stands for Connection Initiation Message.)
Step 2 "Router1" issues the show crypto cisco connections command.
Router1# show crypto cisco connections
Pending Connection Table
PE UPE Timestamp Conn_id
192.168.3.10 192.168.204.100 Mar 01 1993 00:01:09 -1
Connection Table
PE UPE Conn_id New_id Alg Time
192.168.3.10 192.168.204.100 -1 1 0 Not Set
flags:PEND_CONN
Look in the Pending Connection Table for an entry with a Conn_id value equal to the previously shown connection-id value; in this case, look for an entry with a Conn_id value of -1. If this is the first time an encrypted connection has been attempted, there will only be one entry (as shown).
Note the PE and UPE addresses for this entry.
Step 3 Now, look in the Connection Table for an entry with the same PE and UPE addresses. In this case, there is only one entry in both tables, so finding the right Connection Table entry is easy.
Step 4 At the Connection Table entry, note the Conn_id and New_id values. In this case, Conn_id equals -1, and New_id equals 1. The New_id value of 1 will be assigned to the test connection when setup is complete. (Positive numbers are assigned to established, active connections.)
Step 5 "Router1" waits a moment for the test connection to set up, and then reissues the show crypto cisco connections command.
Router1# show crypto cisco connections
Connection Table
PE UPE Conn_id New_id Alg Time
192.168.3.10 192.168.204.100 1 0 10 Mar 01 1993 00:02:00
flags:TIME_KEYS
Again, look for the Connection Table entry with the same PE and UPE addresses as shown before. In this entry, notice that the Conn_id value has changed to 1. This indicates that our test connection has been successfully established, because the Conn_id value has changed to match the New_id value of Step 4. Also, New_id has been reset to 0 at this point, indicating that there are no new connections currently being set up.
In the command output of Step 5, there is no longer a Pending Connection Table being displayed, which indicates that there are currently no pending connections. This also indicates that the test connection was successfully established.
The show crypto cisco connections command is explained in greater detail previously in this chapter, including a description of how connection-ids are assigned during and following connection setup.
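Steps 2 through 5 above are a small state check that can be automated when a test session is run from a script (for example after a configuration change): match the pending entry by the negative connection id, find the Connection Table entry with the same PE and UPE, remember its New_id, then confirm on the next output that Conn_id has become that value, New_id is 0 and the Pending Connection Table is gone. The code below is an added example, not Cisco code; it assumes the whitespace-separated layout of the two sample outputs above, and the `BEFORE` and `AFTER` transcripts are constructed from those samples.

```python
"""Follow Steps 2 to 5 of the test-session procedure programmatically.

Added example, not Cisco's code.  Parses two successive
`show crypto cisco connections` outputs (constructed from the reference's
samples) and applies the rule the text gives for a successful setup.
"""
from typing import Dict, Optional, Tuple

# Constructed from the Step 2 sample output (connection still being set up).
BEFORE = """\
Router1# show crypto cisco connections
Pending Connection Table
PE UPE Timestamp Conn_id
192.168.3.10 192.168.204.100 Mar 01 1993 00:01:09 -1
Connection Table
PE UPE Conn_id New_id Alg Time
192.168.3.10 192.168.204.100 -1 1 0 Not Set
flags:PEND_CONN
"""

# Constructed from the Step 5 sample output (connection established).
AFTER = """\
Router1# show crypto cisco connections
Connection Table
PE UPE Conn_id New_id Alg Time
192.168.3.10 192.168.204.100 1 0 10 Mar 01 1993 00:02:00
flags:TIME_KEYS
"""

Key = Tuple[str, str]   # (PE, UPE) identifies an entry across both tables


def parse_tables(text: str) -> Dict[str, Dict[Key, dict]]:
    """Return {"pending": {...}, "connection": {...}} keyed by (PE, UPE).
    Leading columns are taken positionally; the free-text tail (timestamp
    or 'Not Set') is joined back together."""
    tables: Dict[str, Dict[Key, dict]] = {"pending": {}, "connection": {}}
    section: Optional[str] = None
    for line in text.splitlines():
        if line == "Pending Connection Table":
            section = "pending"
        elif line == "Connection Table":
            section = "connection"
        elif section is None or line.startswith(("PE ", "flags:", "Router")):
            continue                       # prompt, column header, flags line
        else:
            f = line.split()
            key: Key = (f[0], f[1])
            if section == "pending":
                tables["pending"][key] = {"timestamp": " ".join(f[2:-1]),
                                          "conn_id": int(f[-1])}
            else:
                tables["connection"][key] = {"conn_id": int(f[2]),
                                             "new_id": int(f[3]),
                                             "alg": int(f[4]),
                                             "time": " ".join(f[5:])}
    return tables


def expected_connection_id(before: str, reported_id: int) -> Tuple[Key, int]:
    """Steps 2 to 4: find the pending entry whose Conn_id equals the id
    printed by test crypto initiate-session (negative while setting up),
    then the Connection Table entry with the same PE/UPE, and return that
    entry's New_id, the number the session will carry once established."""
    if reported_id >= 0:
        raise ValueError("a connection still being set up has a negative id")
    t = parse_tables(before)
    matches = [k for k, v in t["pending"].items() if v["conn_id"] == reported_id]
    if len(matches) != 1:
        raise LookupError(f"expected one pending entry with Conn_id {reported_id}")
    key = matches[0]
    return key, t["connection"][key]["new_id"]


def session_established(after: str, key: Key, new_id: int) -> bool:
    """Step 5: true when the entry now carries Conn_id == new_id, New_id has
    been reset to 0, and nothing remains in the Pending Connection Table."""
    t = parse_tables(after)
    entry = t["connection"].get(key)
    return (entry is not None and entry["conn_id"] == new_id
            and entry["new_id"] == 0 and not t["pending"])


if __name__ == "__main__":
    key, new_id = expected_connection_id(BEFORE, -1)
    print(key, new_id, session_established(AFTER, key, new_id))
```

Because the check keys on (PE, UPE) rather than on table position, it still works when the Pending Connection Table holds several entries; only the one whose Conn_id matches the id printed by test crypto initiate-session is followed.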
You can use the master indexes or search online to find documentation of related commands.
Posted: Wed Oct 13 16:07:05 PDT 1999
Copyright 1989-1999©Cisco Systems Inc.