|
|
This chapter describes Internet Key Exchange Security Protocol (IKE) commands.
Refer to the Command Reference Master Index or search online to find complete descriptions of other commands used when configuring IKE.
For configuration information, refer to the chapter "Configuring Internet Key Exchange Security Protocol" in the Security Configuration Guide.
ip-address | Specifies the IP address of the remote peer. |
This command has no defaults.
Public key configuration
This command first appeared in Cisco IOS Release 11.3 T.
Use this command in conjunction with the named-key command to specify which IPSec peer's RSA public key you will manually configure next.
This example manually specifies the RSA public keys of an IPSec peer.
myrouter(config)# crypto key pubkey-chain rsa
myrouter(config-pubkey-chain)# named-key otherpeer.domain.com
myrouter(config-pubkey-key)# address 10.5.5.1
myrouter(config-pubkey-key)# key-string
myrouter(config-pubkey)# 005C300D 06092A86 4886F70D 01010105
myrouter(config-pubkey)# 00034B00 30480241 00C5E23B 55D6AB22
myrouter(config-pubkey)# 04AEF1BA A54028A6 9ACC01C5 129D99E4
myrouter(config-pubkey)# 64CAB820 847EDAD9 DF0B4E4C 73A05DD2
myrouter(config-pubkey)# BD62A8A9 FA603DD2 E2A8A6F8 98F76E28
myrouter(config-pubkey)# D58AD221 B583D7A4 71020301 0001
myrouter(config-pubkey)# quit
myrouter(config-pubkey-key)# exit
myrouter(config-pubkey-chain)# exit
myrouter(config)#
You can use the master indexes or search online to find documentation of related commands.
addressed-key
crypto key pubkey-chain rsa
key-string
show crypto key pubkey-chain rsa
key-address | Specifies the IP address of the remote peer's RSA keys. |
encryption | (Optional) Indicates that the RSA public key to be specified will be an encryption special usage key. |
signature | (Optional) Indicates that the RSA public key to be specified will be a signature special usage key. |
If neither the encryption nor signature keywords are used, general purpose keys will be specified.
Public key chain configuration. This command invokes public key configuration mode.
This command first appeared in Cisco IOS Release 11.3 T.
Use this command or the named-key command to specify which IPSec peer's RSA public key you will manually configure next.
Follow this command with the key-string command to specify the key.
If the IPSec remote peer generated general purpose RSA keys, do not use the encryption or signature keywords.
If the IPSec remote peer generated special usage keys, you must manually specify both keys: perform this command and the key-string command twice and use the encryption and signature keywords respectively.
myrouter(config)# crypto key pubkey-chain rsa
myrouter(config-pubkey-chain)# named-key otherpeer.domain.com
myrouter(config-pubkey-key)# address 10.5.5.1
myrouter(config-pubkey-key)# key-string
myrouter(config-pubkey)# 005C300D 06092A86 4886F70D 01010105
myrouter(config-pubkey)# 00034B00 30480241 00C5E23B 55D6AB22
myrouter(config-pubkey)# 04AEF1BA A54028A6 9ACC01C5 129D99E4
myrouter(config-pubkey)# 64CAB820 847EDAD9 DF0B4E4C 73A05DD2
myrouter(config-pubkey)# BD62A8A9 FA603DD2 E2A8A6F8 98F76E28
myrouter(config-pubkey)# D58AD221 B583D7A4 71020301 0001
myrouter(config-pubkey)# quit
myrouter(config-pubkey-key)# exit
myrouter(config-pubkey-chain)# addressed-key 10.1.1.2 encryption
myrouter(config-pubkey-key)# key-string
myrouter(config-pubkey)# 00302017 4A7D385B 1234EF29 335FC973
myrouter(config-pubkey)# 2DD50A37 C4F4B0FD 9DADE748 429618D5
myrouter(config-pubkey)# 18242BA3 2EDFBDD3 4296142A DDF7D3D8
myrouter(config-pubkey)# 08407685 2F2190A0 0B43F1BD 9A8A26DB
myrouter(config-pubkey)# 07953829 791FCDE9 A98420F0 6A82045B
myrouter(config-pubkey)# 90288A26 DBC64468 7789F76E EE21
myrouter(config-pubkey)# quit
myrouter(config-pubkey-key)# exit
myrouter(config-pubkey-chain)# addressed-key 10.1.1.2 signature
myrouter(config-pubkey-key)# key-string
myrouter(config-pubkey)# 0738BC7A 2BC3E9F0 679B00FE 53987BCC
myrouter(config-pubkey)# 01030201 42DD06AF E228D24C 458AD228
myrouter(config-pubkey)# 58BB5DDD F4836401 2A2D7163 219F882E
myrouter(config-pubkey)# 64CE69D4 B583748A 241BED0F 6E7F2F16
myrouter(config-pubkey)# 0DE0986E DF02031F 4B0B0912 F68200C4
myrouter(config-pubkey)# C625C389 0BFF3321 A2598935 C1B1
myrouter(config-pubkey)# quit
myrouter(config-pubkey-key)# exit
myrouter(config-pubkey-chain)# exit
myrouter(config)#
You can use the master indexes or search online to find documentation of related commands.
crypto key pubkey-chain rsa
key-string
named-key
show crypto key pubkey-chain rsa
rsa-sig | Specifies RSA signatures as the authentication method. |
rsa-encr | Specifies RSA encrypted nonces as the authentication method. |
pre-share | Specifies pre-shared keys as the authentication method. |
RSA signatures
ISAKMP policy configuration (config-isakmp)
This command first appeared in Cisco IOS Release 11.3 T.
Use this command to specify the authentication method to be used in an IKE policy.
If you specify RSA encrypted nonces, you must ensure that each peer has the other peer's RSA public keys. (See the crypto key pubkey-chain rsa, addressed-key, named-key, address, and key-string commands.)
If you specify pre-shared keys, you must also separately configure these pre-shared keys. (See the crypto isakmp identity and crypto isakmp key commands.)
MyPeerRouter(config)# crypto isakmp policy 15
MyPeerRouter(config-isakmp)# authentication pre-share
MyPeerRouter(config-isakmp)# exit
MyPeerRouter(config)#
You can use the master indexes or search online to find documentation of related commands.
crypto isakmp key
crypto isakmp policy
crypto key generate rsa
encryption (IKE policy)
group (IKE policy)
hash (IKE policy)
lifetime (IKE policy)
show crypto isakmp policy
To clear active IKE connections, use the clear crypto isakmp global configuration command.
clear crypto isakmp [connection-id]
connection-id | (Optional) Specifies which connection to clear. If this argument is not used, all existing connections will be cleared. |
If the connection-id argument is not used, all existing IKE connections will be cleared when this command is issued.
Global configuration
This command first appeared in Cisco IOS Release 11.3 T.
Use this command to clear active IKE connections.
MyPeerRouter# show crypto isakmp sa
dst src state conn-id slot 172.21.114.123 172.21.114.67 QM_IDLE 1 0 155.0.0.2 155.0.0.1 QM_IDLE 8 0 MyPeerRouter# configure terminal
Enter configuration commands, one per line. End with CNTL/Z. MyPeerRouter(config)# clear crypto isakmp 1
MyPeerRouter(config)# exit
MyPeerRouter# show crypto isakmp sa
dst src state conn-id slot 155.0.0.2 155.0.0.1 QM_IDLE 8 0 MyPeerRouter#
You can use the master indexes or search online to find documentation of related commands.
To globally enable IKE at your peer router, use the crypto isakmp enable global configuration command. Use the no form of this command to disable IKE at the peer.
crypto isakmp enableThis command has no arguments or keywords.
IKE is enabled.
Global configuration
This command first appeared in Cisco IOS Release 11.3 T.
IKE is enabled by default. IKE does not have to be enabled for individual interfaces, but is enabled globally for all interfaces at the router.
If you disable IKE, you will have to make these concessions at the peers:
This example disables IKE at one peer. (The same command should be issued at all remote peers.)
no crypto isakmp enable
To define the identity the router uses when participating in the IKE protocol, use the crypto isakmp identity global configuration command. Set an ISAKMP identity whenever you specify pre-shared keys. Use the no form of this command to reset the ISAKMP identity to the default value (address).
crypto isakmp identity {address | hostname}
address | Sets the ISAKMP identity to the IP address of the interface that is used to communicate to the remote peer during IKE negotiations. |
hostname | Sets the ISAKMP identity to the host name concatenated with the domain name (for example, myhost.domain.com). |
The IP address is used for the ISAKMP identity.
Global configuration
This command first appeared in Cisco IOS Release 11.3 T.
Use this command to specify an ISAKMP identity either by IP address or by host name.
The address keyword is typically used when there is only one interface (and therefore only one IP address) that will be used by the peer for IKE negotiations, and the IP address is known.
The hostname keyword should be used if there is more than one interface on the peer that might be used for IKE negotiations, or if the interface's IP address is unknown (such as with dynamically-assigned IP addresses).
As a general rule, you should set all peers' identities in the same way, either by IP address or by host name.
At the local peer (at 10.0.0.1) the ISAKMP identity is set and the pre-shared key is specified:
crypto isakmp identity address crypto isakmp key sharedkeystring address 192.168.1.33
At the remote peer (at 192.168.1.33) the ISAKMP identity is set and the same pre-shared key is specified:
crypto isakmp identity address crypto isakmp key sharedkeystring address 10.0.0.1
The following example uses pre-shared keys at two peers and sets both their ISAKMP identities to hostname.
At the local peer the ISAKMP identity is set and the pre-shared key is specified:
crypto isakmp identity hostname crypto isakmp key sharedkeystring hostname RemoteRouter.domain.com ip host RemoteRouter.domain.com 192.168.0.1
At the remote peer the ISAKMP identity is set and the same pre-shared key is specified:
crypto isakmp identity hostname crypto isakmp key sharedkeystring hostname LocalRouter.domain.com ip host LocalRouter.domain.com 10.0.0.1 10.0.0.2
In the above example, host names are used for the peers' identities because the local peer has two interfaces that might be used during an IKE negotiation.
In the above example the IP addresses are also mapped to the host names; this mapping is not necessary if the routers' host names are already mapped in DNS.
You can use the master indexes or search online to find documentation of related commands.
authentication (IKE policy)
crypto isakmp key
To configure a pre-shared authentication key, use the crypto isakmp key global configuration command. You must configure this key whenever you specify pre-shared keys in an IKE policy. Use the no form of this command to delete a pre-shared authentication key.
crypto isakmp key keystring address peer-address
keystring | Specify the pre-shared key. Use any combination of alphanumeric characters up to 128 bytes. This pre-shared key must be identical at both peers. |
peer-address | Specify the IP address of the remote peer. |
hostname | Specify the host name of the remote peer. This is the peer's host name concatenated with its domain name (for example, myhost.domain.com). |
There is no default pre-shared authentication key.
Global configuration
This command first appeared in Cisco IOS Release 11.3 T.
Use this command to configure pre-shared authentication keys. You must perform this command at both peers.
If an IKE policy includes pre-shared keys as the authentication method, these pre-shared keys must be configured at both peers---otherwise the policy cannot be used (the policy will not be submitted for matching by the IKE process). The crypto isakmp key command is the second task required to configure the pre-shared keys at the peers. (The first task is accomplished with the crypto isakmp identity command.)
Use the address keyword if the remote peer ISAKMP identity was set with its IP address.
Use the hostname keyword if the remote ISAKMP identity was set with its host name.
With the hostname keyword, you might also need to map the remote peer's host name to all IP addresses of the remote peer interfaces that could be used during the IKE negotiation. (This is done with the ip host command.) You need to map the host name to IP address unless this mapping is already done in a DNS server.
The remote peer "RemoteRouter" specifies an ISAKMP identity by address:
crypto isakmp identity address
The local peer "LocalRouter" also specifies an ISAKMP identity, but by host name:
crypto isakmp identity hostname
Now, the pre-shared key must be specified at each peer.
The local peer specifies the pre-shared key and designates the remote peer by its IP address:
crypto isakmp key sharedkeystring address 192.168.1.33
The remote peer specifies the same pre-shared key and designates the local peer by its host name:
crypto isakmp key sharedkeystring hostname LocalRouter.domain.com
The remote peer also maps multiple IP addresses to the same host name for the local peer because the local peer has two interfaces which both might be used during an IKE negotiation with the local peer. These two interfaces' IP addresses (10.0.0.1 and 10.0.0.2) are both mapped to the remote peer's host name:
ip host LocalRouter.domain.com 10.0.0.1 10.0.0.2
(This mapping would not have been necessary if LocalRouter.domain.com was already mapped in DNS.)
In this example, a remote peer specifies its ISAKMP identity by address, and the local peer specifies its ISAKMP identity by host name. Depending on the circumstances in your network, both peers could specify their ISAKMP identity by address, or both by host name.
You can use the master indexes or search online to find documentation of related commands.
authentication (IKE policy)
crypto isakmp identity
ip host
To define an IKE policy, use the crypto isakmp policy global configuration command. IKE policies define a set of parameters to be used during the IKE negotiation. Use the no form of this command to delete an IKE policy.
crypto isakmp policy priority
priority | Uniquely identifies the IKE policy and assigns a priority to the policy. Use an integer from 1 to 10,000, with 1 being the highest priority and 10,000 the lowest. |
There is a default policy which is always the lowest priority. This default policy contains default values for the encryption, hash, authentication, Diffie-Hellman group, and lifetime parameters. (The parameter defaults are listed below in the Usage Guidelines section.)
When you create an IKE policy, if you do not specify a value for a particular parameter, the default for that parameter will be used.
Global configuration
This command first appeared in Cisco IOS Release 11.3 T.
Use this command to specify the parameters to be used during an IKE negotiation. (These parameters are used to create the IKE security association [SA].)
If you do not specify one of these commands for a policy, the default value will be used for that parameter.
To exit the config-isakmp command mode, type exit.
The following example configures two policies for the peer:
crypto isakmp policy 15 hash md5 authentication rsa-sig group 2 lifetime 5000 crypto isakmp policy 20 authentication pre-share lifetime 10000
The above configuration results in the following policies:
MyPeerRouter# show crypto isakmp policy
Protection suite priority 15 encryption algorithm: DES - Data Encryption Standard (56 bit keys) hash algorithm: Message Digest 5 authentication method: Rivest-Shamir-Adleman Signature Diffie-Hellman Group: #2 (1024 bit) lifetime: 5000 seconds, no volume limit Protection suite priority 20 encryption algorithm: DES - Data Encryption Standard (56 bit keys) hash algorithm: Secure Hash Standard authentication method: Pre-Shared Key Diffie-Hellman Group: #1 (768 bit) lifetime: 10000 seconds, no volume limit Default protection suite encryption algorithm: DES - Data Encryption Standard (56 bit keys) hash algorithm: Secure Hash Standard authentication method: Rivest-Shamir-Adleman Signature Diffie-Hellman Group: #1 (768 bit) lifetime: 86400 seconds, no volume limit
You can use the master indexes or search online to find documentation of related commands.
authentication (IKE policy)
encryption (IKE policy)
group (IKE policy)
hash (IKE policy)
lifetime (IKE policy)
show crypto isakmp policy
To generate RSA key pairs, use the crypto key generate rsa global configuration command.
crypto key generate rsa [usage-keys]
usage-keys | (Optional) Specifies that two RSA special usage key pairs should be generated (i.e. one encryption pair and one signature pair), instead of one general purpose key pair. |
RSA key pairs do not exist. If the usage-keys keyword is not used, general purpose keys will be generated.
Global configuration
This command first appeared in Cisco IOS Release 11.3 T.
Use this command to generate RSA key pairs for your Cisco device (such as a router).
RSA keys are generated in pairs---one public RSA key and one private RSA key.
If your router already has RSA keys when you issue this command, you will be warned and prompted to replace the existing keys with new keys.
This command is not saved in the router configuration; however, the keys generated by this command are saved in the private configuration in NVRAM (which is never displayed to the user or backed up to another device).
There are two mutually-exclusive types of RSA key pairs: special usage keys and general purpose keys. When you generate RSA key pairs, you can indicate whether to generate special usage keys or general purpose keys.
If you generate special usage keys, two pairs of RSA keys will be generated. One pair will be used with any IKE policy that specifies RSA signatures as the authentication method, and the other pair used with any IKE policy that specifies RSA encrypted nonces as the authentication method.
If you plan to have both types of RSA authentication methods in your IKE policies, you might prefer to generate special usage keys. With special usage keys, each key is not unnecessarily exposed. (Without special usage keys, one key is used for both authentication methods, increasing that key's exposure.)
If you generate general purpose keys, only one pair of RSA keys will be generated. This pair will be used with IKE policies specifying either RSA signatures or RSA encrypted nonces. Therefore, a general purpose key pair might get used more frequently than a special usage key pair.
When you generate RSA keys, you will be prompted to enter a modulus length. A longer modulus could offer stronger security, but takes longer to generate (see Table 29 for sample times) and takes longer to use. Below 512 is normally not recommended. (In certain situations, the shorter modulus may not function properly with IKE, so Cisco recommends using a minimum modulus of 1024.)
| Modulus Length | ||||
|---|---|---|---|---|
| Router | 360 bits | 512 bits | 1024 bits | 2048 bits |
Cisco 2500 | 11 seconds | 20 seconds | 4 minutes, 38 seconds | longer than 1 hour |
Cisco 4700 | less than 1 second | 1 second | 4 seconds | 50 seconds |
The following example generates special usage RSA keys.
myrouter(config)# crypto key generate rsa usage-keys
The name for the keys will be: myrouter.domain.com Choose the size of the key modulus in the range of 360 to 2048 for your Signature Keys. Choosing a key modulus greater than 512 may take a few minutes. How many bits in the modulus[512]? <return>
Generating RSA keys.... [OK]. Choose the size of the key modulus in the range of 360 to 2048 for your Encryption Keys. Choosing a key modulus greater than 512 may take a few minutes. How many bits in the modulus[512]? <return>
Generating RSA keys.... [OK]. myrouter(config)#
The following example generates general purpose RSA keys.
myrouter(config)# crypto key generate rsa
The name for the keys will be: myrouter.domain.com Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes. How many bits in the modulus[512]? <return>
Generating RSA keys.... [OK]. myrouter(config)#
You can use the master indexes or search online to find documentation of related commands.
To enter public key configuration mode (so you can manually specify other devices' RSA public keys), use the crypto key pubkey-chain rsa global configuration command.
crypto key pubkey-chain rsaThis command has no arguments or keywords.
This command has no defaults.
Global configuration. This command invokes public key chain configuration mode.
This command first appeared in Cisco IOS Release 11.3 T.
Use this command to enter public key chain configuration mode. Use this command when you need to manually specify other IPSec peers' RSA public keys. You need to specify other peers' keys when you configure RSA encrypted nonces as the authentication method in an IKE policy at your peer router.
myrouter(config)# crypto key pubkey-chain rsa
myrouter(config-pubkey-chain)# addressed-key 10.5.5.1
myrouter(config-pubkey-key)# key-string
myrouter(config-pubkey)# 00302017 4A7D385B 1234EF29 335FC973
myrouter(config-pubkey)# 2DD50A37 C4F4B0FD 9DADE748 429618D5
myrouter(config-pubkey)# 18242BA3 2EDFBDD3 4296142A DDF7D3D8
myrouter(config-pubkey)# 08407685 2F2190A0 0B43F1BD 9A8A26DB
myrouter(config-pubkey)# 07953829 791FCDE9 A98420F0 6A82045B
myrouter(config-pubkey)# 90288A26 DBC64468 7789F76E EE21
myrouter(config-pubkey)# quit
myrouter(config-pubkey-key)# exit
myrouter(config-pubkey-chain)# addressed-key 10.1.1.2
myrouter(config-pubkey-key)# key-string
myrouter(config-pubkey)# 0738BC7A 2BC3E9F0 679B00FE 53987BCC
myrouter(config-pubkey)# 01030201 42DD06AF E228D24C 458AD228
myrouter(config-pubkey)# 58BB5DDD F4836401 2A2D7163 219F882E
myrouter(config-pubkey)# 64CE69D4 B583748A 241BED0F 6E7F2F16
myrouter(config-pubkey)# 0DE0986E DF02031F 4B0B0912 F68200C4
myrouter(config-pubkey)# C625C389 0BFF3321 A2598935 C1B1
myrouter(config-pubkey)# quit
myrouter(config-pubkey-key)# exit
myrouter(config-pubkey-chain)# exit
myrouter(config)#
You can use the master indexes or search online to find documentation of related commands.
address
addressed-key
key-string
named-key
show crypto key pubkey-chain rsa
des | Specifies 56-bit DES-CBC as the encryption algorithm. |
The 56-bit DES-CBC encryption algorithm.
ISAKMP policy configuration (config-isakmp)
This command first appeared in Cisco IOS Release 11.3 T.
Use this command to specify the encryption algorithm to be used in an IKE policy.
MyPeerRouter(config)# crypto isakmp policy 15
MyPeerRouter(config-isakmp)# encryption des
MyPeerRouter(config-isakmp)# exit
MyPeerRouter(config)#
You can use the master indexes or search online to find documentation of related commands.
authentication (IKE policy)
crypto isakmp policy
group (IKE policy)
hash (IKE policy)
lifetime (IKE policy)
show crypto isakmp policy
1 | Specifies the 768-bit Diffie-Hellman group. |
2 | Specifies the 1024-bit Diffie-Hellman group. |
768-bit Diffie-Hellman (group 1)
ISAKMP policy configuration (config-isakmp)
This command first appeared in Cisco IOS Release 11.3 T.
Use this command to specify the Diffie-Hellman group to be used in an IKE policy.
MyPeerRouter(config)# crypto isakmp policy 15
MyPeerRouter(config-isakmp)# group 2
MyPeerRouter(config-isakmp)# exit
MyPeerRouter(config)#
You can use the master indexes or search online to find documentation of related commands.
authentication (IKE policy)
crypto isakmp policy
encryption (IKE policy)
hash (IKE policy)
lifetime (IKE policy)
show crypto isakmp policy
sha | Specifies SHA-1 (HMAC variant) as the hash algorithm. |
md5 | Specifies MD5 (HMAC variant) as the hash algorithm. |
The SHA-1 hash algorithm.
ISAKMP policy configuration (config-isakmp)
This command first appeared in Cisco IOS Release 11.3 T.
Use this command to specify the hash algorithm to be used in an IKE policy.
MyPeerRouter(config)# crypto isakmp policy 15
MyPeerRouter(config-isakmp)# hash md5
MyPeerRouter(config-isakmp)# exit
MyPeerRouter(config)#
You can use the master indexes or search online to find documentation of related commands.
authentication (IKE policy)
crypto isakmp policy
encryption (IKE policy)
group (IKE policy)
lifetime (IKE policy)
show crypto isakmp policy
key-string | Enter the key in hexadecimal format. While entering the key data you can press the return key to continue entering data. |
This command has no defaults.
Public key configuration
This command first appeared in Cisco IOS Release 11.3 T.
Use this command to manually specify the RSA public key of an IPSec peer. Before using this command you must identify the remote peer using either the addressed-key or named-key command.
If possible, to avoid mistakes, you should cut and paste the key data (instead of attempting to type in the data).
This example manually specifies the RSA public keys of an IPSec peer.
myrouter(config)# crypto key pubkey-chain rsa
myrouter(config-pubkey-chain)# named-key otherpeer.domain.com
myrouter(config-pubkey-key)# address 10.5.5.1
myrouter(config-pubkey-key)# key-string
myrouter(config-pubkey)# 005C300D 06092A86 4886F70D 01010105
myrouter(config-pubkey)# 00034B00 30480241 00C5E23B 55D6AB22
myrouter(config-pubkey)# 04AEF1BA A54028A6 9ACC01C5 129D99E4
myrouter(config-pubkey)# 64CAB820 847EDAD9 DF0B4E4C 73A05DD2
myrouter(config-pubkey)# BD62A8A9 FA603DD2 E2A8A6F8 98F76E28
myrouter(config-pubkey)# D58AD221 B583D7A4 71020301 0001
myrouter(config-pubkey)# quit
myrouter(config-pubkey-key)# exit
myrouter(config-pubkey-chain)# exit
myrouter(config)#
You can use the master indexes or search online to find documentation of related commands.
addressed-key
crypto key pubkey-chain rsa
named-key
show crypto key pubkey-chain rsa
seconds | Specifies how many seconds each SA should exist before expiring. Use an integer from 60 to 86,400 seconds. |
86,400 seconds (one day)
ISAKMP policy configuration (config-isakmp)
This command first appeared in Cisco IOS Release 11.3 T.
Use this command to specify how long an IKE SA exists before expiring.
When IKE begins negotiations, the first thing it does is agree upon the security parameters for its own session. The agreed-upon parameters are then referenced by an SA at each peer. The SA is retained by each peer until the SA's lifetime expires. Before an SA expires, it can be reused by subsequent IKE negotiations, which can save time when setting up new IPSec SAs. New SAs are negotiated before current SAs expire.
So, to save setup time for IPSec, configure a longer IKE SA lifetime. However, the shorter the lifetime (up to a point), the more secure the IKE negotiation is likely to be.
Note that when your local peer initiates an IKE negotiation between itself and a remote peer, an IKE policy can be selected only if the lifetime of the remote peer's policy is shorter than or equal to the lifetime of the local peer's policy. Then, if the lifetimes are not equal, the shorter lifetime will be selected. To restate this behavior: If the two peer's policies' lifetimes are not the same, the initiating peer's lifetime must be longer and the responding peer's lifetime must be shorter, and the shorter lifetime will be used.
MyPeerRouter(config)# crypto isakmp policy 15
MyPeerRouter(config-isakmp)# lifetime 600
MyPeerRouter(config-isakmp)# exit
MyPeerRouter(config)#
You can use the master indexes or search online to find documentation of related commands.
authentication (IKE policy)
crypto isakmp policy
encryption (IKE policy)
group (IKE policy)
hash (IKE policy)
show crypto isakmp policy
key-name | Specifies the name of the remote peer's RSA keys. This is always the fully qualified domain name of the remote peer; for example, router.domain.com. |
encryption | (Optional) Indicates that the RSA public key to be specified will be an encryption special usage key. |
signature | (Optional) Indicates that the RSA public key to be specified will be a signature special usage key. |
If neither the encryption nor signature keywords are used, general purpose keys will be specified.
Public key chain configuration. This command invokes public key configuration mode.
This command first appeared in Cisco IOS Release 11.3 T.
Use this command or the addressed-key command to specify which IPSec peer's RSA public key you will manually configure next.
Follow this command with the key-string command to specify the key.
If you use the named-key command you also need to use the address public key configuration command to specify the IP address of the peer.
If the IPSec remote peer generated general purpose RSA keys, do not use the encryption or signature keywords.
If the IPSec remote peer generated special usage keys, you must manually specify both keys: perform this command and the key-string command twice and use the encryption and signature keywords respectively.
myrouter(config)# crypto key pubkey-chain rsa
myrouter(config-pubkey-chain)# named-key otherpeer.domain.com
myrouter(config-pubkey-key)# address 10.5.5.1
myrouter(config-pubkey-key)# key-string
myrouter(config-pubkey)# 005C300D 06092A86 4886F70D 01010105
myrouter(config-pubkey)# 00034B00 30480241 00C5E23B 55D6AB22
myrouter(config-pubkey)# 04AEF1BA A54028A6 9ACC01C5 129D99E4
myrouter(config-pubkey)# 64CAB820 847EDAD9 DF0B4E4C 73A05DD2
myrouter(config-pubkey)# BD62A8A9 FA603DD2 E2A8A6F8 98F76E28
myrouter(config-pubkey)# D58AD221 B583D7A4 71020301 0001
myrouter(config-pubkey)# quit
myrouter(config-pubkey-key)# exit
myrouter(config-pubkey-chain)# addressed-key 10.1.1.2 encryption
myrouter(config-pubkey-key)# key-string
myrouter(config-pubkey)# 00302017 4A7D385B 1234EF29 335FC973
myrouter(config-pubkey)# 2DD50A37 C4F4B0FD 9DADE748 429618D5
myrouter(config-pubkey)# 18242BA3 2EDFBDD3 4296142A DDF7D3D8
myrouter(config-pubkey)# 08407685 2F2190A0 0B43F1BD 9A8A26DB
myrouter(config-pubkey)# 07953829 791FCDE9 A98420F0 6A82045B
myrouter(config-pubkey)# 90288A26 DBC64468 7789F76E EE21
myrouter(config-pubkey)# quit
myrouter(config-pubkey-key)# exit
myrouter(config-pubkey-chain)# addressed-key 10.1.1.2 signature
myrouter(config-pubkey-key)# key-string
myrouter(config-pubkey)# 0738BC7A 2BC3E9F0 679B00FE 098533AB
myrouter(config-pubkey)# 01030201 42DD06AF E228D24C 458AD228
myrouter(config-pubkey)# 58BB5DDD F4836401 2A2D7163 219F882E
myrouter(config-pubkey)# 64CE69D4 B583748A 241BED0F 6E7F2F16
myrouter(config-pubkey)# 0DE0986E DF02031F 4B0B0912 F68200C4
myrouter(config-pubkey)# C625C389 0BFF3321 A2598935 C1B1
myrouter(config-pubkey)# quit
myrouter(config-pubkey-key)# exit
myrouter(config-pubkey-chain)# exit
myrouter(config)#
You can use the master indexes or search online to find documentation of related commands.
address
addressed-key
crypto key pubkey-chain rsa
key-string
show crypto key pubkey-chain rsa
To view the parameters for each IKE policy, use the show crypto isakmp policy EXEC command.
show crypto isakmp policyThis command has no arguments or keywords.
EXEC
This command first appeared in Cisco IOS Release 11.3 T.
MyPeerRouter# show crypto isakmp policy
Protection suite priority 15 encryption algorithm: DES - Data Encryption Standard (56 bit keys) hash algorithm: Message Digest 5 authentication method: Rivest-Shamir-Adleman Signature Diffie-Hellman Group: #2 (1024 bit) lifetime: 5000 seconds, no volume limit Protection suite priority 20 encryption algorithm: DES - Data Encryption Standard (56 bit keys) hash algorithm: Secure Hash Standard authentication method: Pre-Shared Key Diffie-Hellman Group: #1 (768 bit) lifetime: 10000 seconds, no volume limit Default protection suite encryption algorithm: DES - Data Encryption Standard (56 bit keys) hash algorithm: Secure Hash Standard authentication method: Rivest-Shamir-Adleman Signature Diffie-Hellman Group: #1 (768 bit) lifetime: 86400 seconds, no volume limit
You can use the master indexes or search online to find documentation of related commands.
authentication (IKE policy)
crypto isakmp policy
encryption (IKE policy)
group (IKE policy)
hash (IKE policy)
lifetime (IKE policy)
This command has no arguments or keywords.
EXEC
This command first appeared in Cisco IOS Release 11.3 T.
MyPeerRouter# show crypto isakmp sa
dst src state conn-id slot 172.21.114.123 172.21.114.67 QM_IDLE 1 0 155.0.0.2 155.0.0.1 QM_IDLE 8 0
Table 30 through Table 32 show the various states that may be displayed in the output of the show crypto isakmp sa command. When an ISAKMP SA exists, it will most likely be in its quiescent state (OAK_QM_IDLE). For long exchanges, some of the OAK_MM_xxx states may be observed.
| State | Explanation |
|---|---|
OAK_MM_NO_STATE | The ISAKMP SA has been created but nothing else has happened yet. It is "larval" at this stage---there is no state. |
OAK_MM_SA_SETUP | The peers have agreed on parameters for the ISAKMP SA. |
OAK_MM_KEY_EXCH | The peers have exchanged Diffie-Hellman public keys and have generated a shared secret. The ISAKMP SA remains unauthenticated. |
OAK_MM_KEY_AUTH | The ISAKMP SA has been authenticated. If the router initiated this exchange, this state transitions immediately to OAK_QM_IDLE and a Quick Mode exchange begins. |
| State | Explanation |
OAK_AG_NO_STATE | The ISAKMP SA has been created but nothing else has happened yet. It is "larval" at this stage---there is no state. |
OAK_AG_INIT_EXCH | The peers have done the first exchange in Aggressive Mode but the SA is not authenticated. |
OAK_AG_AUTH | The ISAKMP SA has been authenticated. If the router initiated this exchange, this state transitions immediately to OAK_QM_IDLE and a Quick Mode exchange begins. |
| State | Explanation |
|---|---|
OAK_QM_IDLE | The ISAKMP SA is idle. It remains authenticated with its peer and may be used for subsequent Quick Mode exchanges. It is in a quiescent state. |
You can use the master indexes or search online to find documentation of related commands.
crypto isakmp policy
lifetime (IKE policy)
To view your router's RSA public key(s), use the show crypto key mypubkey rsa EXEC command.
show crypto key mypubkey rsaThere are no arguments or keywords with this command.
EXEC
This command first appeared in Cisco IOS Release 11.3 T.
This command displays your router's RSA public key(s).
The following is sample output from the show crypto key mypubkey rsa command. Special usage RSA keys were previously generated for this router using the crypto key generate rsa command:
% Key pair was generated at: 06:07:49 UTC Jan 13 1996 Key name: myrouter.domain.com Usage: Signature Key Key Data: 005C300D 06092A86 4886F70D 01010105 00034B00 30480241 00C5E23B 55D6AB22 04AEF1BA A54028A6 9ACC01C5 129D99E4 64CAB820 847EDAD9 DF0B4E4C 73A05DD2 BD62A8A9 FA603DD2 E2A8A6F8 98F76E28 D58AD221 B583D7A4 71020301 0001 % Key pair was generated at: 06:07:50 UTC Jan 13 1996 Key name: myrouter.domain.com Usage: Encryption Key Key Data: 00302017 4A7D385B 1234EF29 335FC973 2DD50A37 C4F4B0FD 9DADE748 429618D5
18242BA3 2EDFBDD3 4296142A DDF7D3D8 08407685 2F2190A0 0B43F1BD 9A8A26DB
07953829 791FCDE9 A98420F0 6A82045B 90288A26 DBC64468 7789F76E EE21
You can use the master indexes or search online to find documentation of related commands.
name key-name | (Optional) Specify the name of a particular public key to view. |
address key-address | (Optional) Specify the address of a particular public key to view. |
If no keywords are used, this command displays a list of all RSA public keys stored on your router.
EXEC
This command first appeared in Cisco IOS Release 11.3 T.
This command shows RSA public keys stored on your router. This includes peers' RSA public keys manually configured at your router and keys received by your router via other means (such as by a certificate, if CA support is configured).
If a router reboots, any public key derived by certificates will be lost. This is because the router will ask for certificates again, at which time the public key will be derived again.
Use the name or address keywords to display details about a particular RSA public key stored on your router.
The following is sample output from the show crypto key pubkey-chain rsa command:
Codes: M - Manually Configured, C - Extracted from certificate Code Usage IP-address Name M Signature 10.0.0.l myrouter.domain.com M Encryption 10.0.0.1 myrouter.domain.com C Signature 172.16.0.1 routerA.domain.com C Encryption 172.16.0.1 routerA.domain.com C General 192.168.10.3 routerB.domain1.com
This sample shows manually configured special usage RSA public keys for the peer "somerouter." This sample also shows three keys obtained from peers' certificates: special usage keys for peer "routerA" and a general purpose key for peer "routerB."
Certificate support is used in the above example; if certificate support was not in use, none of the peers' keys would show "C" in the code column, but would all have to be manually configured.
The following is sample output when you issue the command show crypto key pubkey rsa name somerouter.domain.com:
Key name: somerouter.domain.com Key address: 10.0.0.1 Usage: Signature Key Source: Manual Data: 305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00C5E23B 55D6AB22 04AEF1BA A54028A6 9ACC01C5 129D99E4 64CAB820 847EDAD9 DF0B4E4C 73A05DD2 BD62A8A9 FA603DD2 E2A8A6F8 98F76E28 D58AD221 B583D7A4 71020301 0001 Key name: somerouter.domain.com Key address: 10.0.0.1 Usage: Encryption Key Source: Manual Data: 00302017 4A7D385B 1234EF29 335FC973 2DD50A37 C4F4B0FD 9DADE748 429618D5
18242BA3 2EDFBDD3 4296142A DDF7D3D8 08407685 2F2190A0 0B43F1BD 9A8A26DB
07953829 791FCDE9 A98420F0 6A82045B 90288A26 DBC64468 7789F76E EE21
The following is sample output when you issue the command show crypto key pubkey rsa address 192.168.10.3:
Key name: routerB.domain.com Key address: 192.168.10.3 Usage: General Purpose Key Source: Certificate Data: 0738BC7A 2BC3E9F0 679B00FE 53987BCC 01030201 42DD06AF E228D24C 458AD228 58BB5DDD F4836401 2A2D7163 219F882E 64CE69D4 B583748A 241BED0F 6E7F2F16 0DE0986E DF02031F 4B0B0912 F68200C4 C625C389 0BFF3321 A2598935 C1B1
|
|