|
|
This chapter describes the function and displays the syntax for Internet Key Exchange (IKE) Security Protocol commands. For more information about defaults and usage guidelines, see the corresponding chapter of the Security Command Reference.
ip-address | Specifies the IP address of the remote peer. |
To specify which peer's RSA public key you will manually configure, use the addressed-key public key chain configuration command.
addressed-key key-address [encryption | signature]
key-address | Specifies the IP address of the remote peer's RSA keys. |
encryption | (Optional) Indicates that the RSA public key to be specified will be an encryption special usage key. |
signature | (Optional) Indicates that the RSA public key to be specified will be a signature special usage key. |
To specify the authentication method within an IKE policy, use the authentication (IKE policy) ISAKMP policy configuration command. IKE policies define a set of parameters to be used during IKE negotiation. Use the no form of this command to reset the authentication method to the default value.
authentication {rsa-sig | rsa-encr | pre-share}
rsa-sig | Specifies RSA signatures as the authentication method. |
rsa-encr | Specifies RSA encrypted nonces as the authentication method. |
pre-share | Specifies preshared keys as the authentication method. |
To clear active IKE connections, use the clear crypto isakmp global configuration command.
clear crypto isakmp [connection-id]
connection-id | (Optional) Specifies which connection to clear. If this argument is not used, all existing connections will be cleared. |
To globally enable IKE at your peer router, use the crypto isakmp enable global configuration command. Use the no form of this command to disable IKE at the peer.
crypto isakmp enableTo define the identity the router uses when participating in the IKE protocol, use the crypto isakmp identity global configuration command. Set an ISAKMP identity whenever you specify pre-shared keys. Use the no form of this command to reset the ISAKMP identity to the default value (address).
crypto isakmp identity {address | hostname}
address | Sets the ISAKMP identity to the IP address of the interface that is used to communicate to the remote peer during IKE negotiations. |
hostname | Sets the ISAKMP identity to the host name concatenated with the domain name (for example, myhost.domain.com). |
To configure a pre-shared authentication key, use the crypto isakmp key global configuration command. You must configure this key whenever you specify pre-shared keys in an IKE policy. Use the no form of this command to delete a pre-shared authentication key.
crypto isakmp key key-string address peer-address
key-string | Specify the preshared key. Use any combination of alphanumeric characters up to 128 bytes. This pre-shared key must be identical at both peers. |
peer-address | Specify the IP address of the remote peer. |
peer-hostname | Specify the host name of the remote peer. This is the peer's host name concatenated with its domain name (for example, myhost.domain.com). |
To define an IKE policy, use the crypto isakmp policy global configuration command. IKE policies define a set of parameters to be used during the IKE negotiation. Use the no form of this command to delete an IKE policy.
crypto isakmp policy priority
priority | Uniquely identifies the IKE policy and assigns a priority to the policy. Use an integer from 1 to 10000, with 1 being the highest priority and 10000 the lowest. |
To generate RSA key pairs, use the crypto key generate rsa global configuration command.
crypto key generate rsa [usage-keys]
usage-keys | (Optional) Specifies that two RSA special usage key pairs should be generated (that is, one encryption pair and one signature pair), instead of one general- purpose key pair. |
To enter public key configuration mode (so you can manually specify other devices' RSA public keys), use the crypto key pubkey-chain rsa global configuration command.
crypto key pubkey-chain rsaTo specify the encryption algorithm within an IKE policy, use the encryption ISAKMP policy configuration command. IKE policies define parameters to be used during IKE negotiation. Use the no form of this command to reset the encryption algorithm to the default value.
encryption des
des | Specifies 56-bit DES-CBC as the encryption algorithm. |
To specify the Diffie-Hellman group identifier within an IKE policy, use the group ISAKMP policy configuration command. IKE policies define parameters to be used during IKE negotiation. Use the no form of this command to reset the Diffie-Hellman group identifier to the default value.
group {1 | 2}
1 | Specifies the 768-bit Diffie-Hellman group. |
2 | Specifies the 1024-bit Diffie-Hellman group. |
To specify the hash algorithm within an IKE policy, use the hash ISAKMP policy configuration command. IKE policies define parameters to be used during IKE negotiation. Use the no form of this command to reset the hash algorithm to the default SHA-1 hash algorithm.
hash {sha | md5}
sha | Specifies SHA-1 (HMAC variant) as the hash algorithm. |
md5 | Specifies MD5 (HMAC variant) as the hash algorithm. |
To manually specify a remote peer's RSA public key, use the key-string public key configuration command.
key-string key-string
key-string | Enter the key in hexadecimal format. Press the return key to continue entering data. |
To specify the lifetime of an IKE security association (SA), use the lifetime ISAKMP policy configuration command. Use the no form of this command to reset the SA lifetime to the default value.
lifetime seconds
seconds | Specifies how many seconds each SA should exist before expiring. Use an integer from 60 to 86400 seconds. |
To specify which peer's RSA public key you will manually configure, use the named-key public key chain configuration command. This command should only be used when the router has a single interface that processes IPSec.
named-key key-name [encryption | signature]
key-name | Specifies the name of the remote peer's RSA keys. This is always the fully qualified domain name of the remote peer; for example, router.domain.com. |
encryption | (Optional) Indicates that the RSA public key to be specified will be an encryption special usage key. |
signature | (Optional) Indicates that the RSA public key to be specified will be a signature special usage key. |
To view the parameters for each IKE policy, use the show crypto isakmp policy EXEC command.
show crypto isakmp policyTo view all current IKE security associations (SAs) at a peer, use the show crypto isakmp sa EXEC command.
show crypto isakmp saTo view your router's RSA public key(s), use the show crypto key mypubkey rsa EXEC command.
show crypto key mypubkey rsaTo view peers' RSA public keys stored on your router, use the show crypto key pubkey-chain rsa EXEC command.
show crypto key pubkey-chain rsa [name key-name | address key-address]
name key-name | (Optional) Specify the name of a particular public key to view. |
address key-address | (Optional) Specify the address of a particular public key to view. |
![]()
![]()
![]()
![]()
![]()
![]()
![]()
Posted: Mon Feb 8 13:54:42 PST 1999
Copyright 1989-1999©Cisco Systems Inc.