
IPSec Network Security Commands

This chapter describes the function and displays the syntax for IPSec network security commands. For more information about defaults and usage guidelines, see the corresponding chapter of the Security Command Reference.

clear crypto sa

To delete IPSec security associations, use the clear crypto sa global configuration command.

clear crypto sa
clear crypto sa peer {ip-address | peer-name}
clear crypto sa map map-name
clear crypto sa entry destination-address protocol spi
clear crypto sa counters

ip-address

Specify a remote peer's IP address.

peer-name

Specify a remote peer's name as the fully qualified domain name, for example, remotepeer.domain.com.

map-name

Specify the name of a crypto map set.

destination-address

Specify the IP address of your peer or the remote peer.

protocol

Specify either the AH or ESP protocol.

spi

Specify an SPI (found by displaying the security association database).


crypto dynamic-map

To create a dynamic crypto map entry and enter the crypto map configuration command mode, use the crypto dynamic-map global configuration command. Use the no form of this command to delete a dynamic crypto map set or entry.

crypto dynamic-map dynamic-map-name dynamic-seq-num
no crypto dynamic-map dynamic-map-name [dynamic-seq-num]

dynamic-map-name

Specifies the name of the dynamic crypto map set.

dynamic-seq-num

Specifies the number of the dynamic crypto map entry.


crypto ipsec security-association lifetime

To change global lifetime values used when negotiating IPSec security associations, use the crypto ipsec security-association lifetime global configuration command. To reset a lifetime to the default value, use the no form of the command.

crypto ipsec security-association lifetime {seconds seconds | kilobytes kilobytes}
no crypto ipsec security-association lifetime {seconds | kilobytes}

seconds seconds

Specifies the number of seconds a security association will live before expiring. The default is 3600 seconds (one hour).

kilobytes kilobytes

Specifies the volume of traffic (in kilobytes) that can pass between IPSec peers using a given security association before that security association expires. The default is 4,608,000 kilobytes.


crypto ipsec transform-set

To define a transform set (an acceptable combination of security protocols and algorithms), use the crypto ipsec transform-set global configuration command. To delete a transform set, use the no form of the command.

crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]
no crypto ipsec transform-set transform-set-name

transform-set-name

Specify the name of the transform set to create (or modify).

transform1
transform2
transform3

Specify up to three transforms (one is required) that define the IPSec security protocol(s) and algorithm(s).


crypto map (global configuration)

To create or modify a crypto map entry and enter the crypto map configuration mode, use the crypto map global configuration command. Use the no form of this command to delete a crypto map entry or set.

crypto map map-name seq-num [cisco]
crypto map map-name seq-num ipsec-manual
crypto map map-name seq-num ipsec-isakmp [dynamic dynamic-map-name]
no crypto map map-name [seq-num]

cisco

(Default value) Indicates that CET will be used instead of IPSec for protecting the traffic specified by this newly specified crypto map entry. If you use this keyword, none of the IPSec-specific crypto map configuration commands will be available. Instead, the CET-specific commands will be available.

map-name

The name you assign to the crypto map set.

seq-num

The number you assign to the crypto map entry. See additional explanation for using this argument in the "Usage Guidelines" section.

ipsec-manual

Indicates that IKE will not be used to establish the IPSec security associations for protecting the traffic specified by this crypto map entry.

ipsec-isakmp

Indicates that IKE will be used to establish the IPSec security associations for protecting the traffic specified by this crypto map entry.

dynamic

(Optional) Specifies that this crypto map entry is to reference a preexisting dynamic crypto map. Dynamic crypto maps are policy templates used in processing negotiation requests from a peer IPSec device. If you use this keyword, none of the crypto map configuration commands will be available.

dynamic-map-name

(Optional) Specifies the name of the dynamic crypto map set that should be used as the policy template.


crypto map (interface configuration)

To apply a previously defined crypto map set to an interface, use the crypto map interface configuration command. Use the no form of the command to remove the crypto map set from the interface.

crypto map map-name
no crypto map [map-name]

map-name

The name which identifies the crypto map set. This is the name assigned when the crypto map was created.

When the no form of the command is used, this argument is optional. Any value supplied for the argument is ignored.


crypto map local-address

To specify and name an identifying interface to be used by the crypto map for IPSec traffic, use the crypto map local-address global configuration command. Use the no form of the command to remove this command from the configuration.

crypto map map-name local-address interface-id
no crypto map map-name local-address

map-name

The name which identifies the crypto map set. This is the name assigned when the crypto map was created.

interface-id

Specify the identifying interface that should be used by the router to identify itself to remote peers.

If IKE is enabled and you are using a certification authority (CA) to obtain certificates, this should be the interface with the address specified in the CA certificates.


initialization-vector size

To change the length of the initialization vector for the esp-rfc1829 transform, use the initialization-vector size crypto transform configuration command. To reset the initialization vector length to the default value, use the no form of the command.

initialization-vector size [4 | 8]
no initialization-vector size

4 | 8

(Optional) Specifies the length of the initialization vector: either 4 bytes or 8 bytes long. If neither 4 nor 8 is specified, the default length of 8 is assigned.


match address

To specify an extended access list for a crypto map entry, use the match address crypto map configuration command. Use the no form of this command to remove the extended access list from a crypto map entry.

match address [access-list-id | name]
no match address [access-list-id | name]

access-list-id

(Optional) Identifies the extended access list by its name or number. This value should match the access-list-number or name argument of the extended access list being matched.

name

(Optional) Identifies the named encryption access list. This name should match the name argument of the named encryption access list being matched.


mode

To change the mode for a transform set, use the mode crypto transform configuration command. To reset the mode to the default value of tunnel mode, use the no form of the command.

mode [tunnel | transport]
no mode

tunnel | transport

(Optional) Specifies the mode for a transform set: either tunnel or transport mode. If neither tunnel nor transport is specified, the default (tunnel mode) is assigned.


set peer

To specify an IPSec peer in a crypto map entry, use the set peer crypto map configuration command. Use the no form of this command to remove an IPSec peer from a crypto map entry.

set peer {hostname | ip-address}
no set peer {hostname | ip-address}

hostname

Specifies the IPSec peer by its host name. This is the peer's host name concatenated with its domain name (for example, myhost.domain.com).

ip-address

Specifies the IPSec peer by its IP address.


set pfs

To specify that IPSec should ask for perfect forward secrecy (PFS) when requesting new security associations for this crypto map entry, or that IPSec requires PFS when receiving requests for new security associations, use the set pfs crypto map configuration command. To specify that IPSec should not request PFS, use the no form of the command.

set pfs [group1 | group2]
no set pfs

group1

(Optional) Specifies that IPSec should use the 768-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange.

group2

(Optional) Specifies that IPSec should use the 1024-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange.


set security-association level per-host

To specify that separate IPSec security associations should be requested for each source/destination host pair, use the set security-association level per-host crypto map configuration command. Use the no form of this command to specify that one security association should be requested for each crypto map access list permit entry.

set security-association level per-host
no set security-association level per-host

set security-association lifetime

To override (for a particular crypto map entry) the global lifetime value, which is used when negotiating IPSec security associations, use the set security-association lifetime crypto map configuration command. To reset a crypto map entry's lifetime value to the global value, use the no form of the command.

set security-association lifetime {seconds seconds | kilobytes kilobytes}
no set security-association lifetime {seconds | kilobytes}

seconds seconds

Specifies the number of seconds a security association will live before expiring.

kilobytes kilobytes

Specifies the volume of traffic (in kilobytes) that can pass between IPSec peers using a given security association before that security association expires.


set session-key

To manually specify the IPSec session keys within a crypto map entry, use the set session-key crypto map configuration command. Use the no form of this command to remove IPSec session keys from a crypto map entry. This command is only available for ipsec-manual crypto map entries.

set session-key {inbound | outbound} ah spi hex-key-string
set session-key {inbound | outbound} esp spi cipher hex-key-string [authenticator hex-key-string]
no set session-key {inbound | outbound} ah
no set session-key {inbound | outbound} esp

inbound

Sets the inbound IPSec session key. (You must set both inbound and outbound keys.)

outbound

Sets the outbound IPSec session key. (You must set both inbound and outbound keys.)

ah

Sets the IPSec session key for the AH protocol. Use when the crypto map entry's transform set includes an AH transform.

spi

Specifies the security parameter index (SPI), a number that is used to uniquely identify a security association. The SPI is an arbitrary number you assign in the range of 256 to 4,294,967,295 (FFFF FFFF).

You can assign the same SPI to both directions and both protocols. However, not all peers have the same flexibility in SPI assignment. For a given destination address/protocol combination, unique SPI values must be used. The destination address is that of the router if inbound, the peer if outbound.

hex-key-string

Specifies the session key; enter in hexadecimal format.

This is an arbitrary hexadecimal string of 8, 16, or 20 bytes.

If the crypto map's transform set includes a DES algorithm, specify at least 8 bytes per key.

If the crypto map's transform set includes an MD5 algorithm, specify at least 16 bytes per key.

If the crypto map's transform set includes an SHA algorithm, specify 20 bytes per key.

Keys longer than the above sizes are simply truncated.

esp

Sets the IPSec session key for the ESP protocol. Use when the crypto map entry's transform set includes an ESP transform.

cipher

Indicates that the key string is to be used with the ESP encryption transform.

authenticator

(Optional) Indicates that the key string is to be used with the ESP authentication transform. This argument is required only when the crypto map entry's transform set includes an ESP authentication transform.
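The following configuration is an added example, not text from the command reference, showing how the set session-key forms fit together on an ipsec-manual crypto map entry. The transform set deliberately contains an AH transform, an ESP cipher and an ESP authenticator so that all three key forms are needed, and the key strings have exactly the minimum lengths given above. Router names, addresses, SPIs and key values are constructed placeholders.

```cisco
! Added example (not from the command reference). Addresses and keys are
! constructed placeholders; generate real keys from a strong random source
! and never reuse the values shown here.
!
! Transform set with all three transform types, so every key form of
! set session-key is needed: an AH key, an ESP cipher key and an ESP
! authenticator key.
crypto ipsec transform-set MANUAL-AH-ESP ah-sha-hmac esp-des esp-md5-hmac
!
! Only the traffic this list permits is protected by the manual SAs.
access-list 102 permit ip host 192.0.2.10 host 198.51.100.10
!
crypto map MANUAL-VPN 10 ipsec-manual
 set peer 203.0.113.2
 ! An ipsec-manual entry accepts exactly one transform set.
 set transform-set MANUAL-AH-ESP
 match address 102
 !
 ! Key lengths follow the rules above: SHA = 20 bytes (40 hex digits),
 ! DES = 8 bytes (16 hex digits), MD5 = 16 bytes (32 hex digits).
 ! The same SPI may be used for AH and ESP in one direction because the
 ! destination/protocol pair differs; distinct SPIs per direction are used
 ! here because not every peer can reuse an SPI for both directions.
 set session-key inbound ah 1000 0123456789abcdef0123456789abcdef01234567
 set session-key inbound esp 1000 cipher 0f1e2d3c4b5a6978 authenticator 00112233445566778899aabbccddeeff
 set session-key outbound ah 1001 76543210fedcba9876543210fedcba9876543210
 set session-key outbound esp 1001 cipher 8796a5b4c3d2e1f0 authenticator ffeeddccbbaa99887766554433221100
!
interface Serial0
 ip address 203.0.113.1 255.255.255.252
 crypto map MANUAL-VPN
```

The remote router must be configured as the mirror image: its outbound SPI and keys are this router's inbound ones, and vice versa. Because no IKE negotiation takes place, manually keyed security associations are not rekeyed on their own; changing a key means re-entering it on both routers. Each hex string is checked against the transform set when the entry is used, so a key shorter than the minimum for its algorithm is rejected, while a longer one is silently truncated to the sizes listed above.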


set transform-set

To specify which transform sets can be used with the crypto map entry, use the set transform-set crypto map configuration command. Use the no form of this command to remove all transform sets from a crypto map entry.

set transform-set transform-set-name1 [transform-set-name2...transform-set-name6]
no set transform-set

transform-set-name1 ... transform-set-name6

Name of the transform set.

For an ipsec-manual crypto map entry, you can specify only one transform set.

For an ipsec-isakmp or dynamic crypto map entry, you can specify up to 6 transform sets.
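The configuration below is an added example, not text from the command reference, that ties together the IKE-negotiated commands in this chapter: a global lifetime, a transform set with an explicit mode, a static ipsec-isakmp crypto map entry with match address, set peer, set pfs, set security-association lifetime and set transform-set, a dynamic crypto map used as a policy template, and the interface-level crypto map. The crypto isakmp commands are not documented in this chapter; they are included because an ipsec-isakmp entry cannot establish a security association without an IKE policy and peer key. Names, addresses and the pre-shared key are constructed placeholders.

```cisco
! Added example (not from the command reference). Addresses, names and the
! pre-shared key are constructed placeholders.
!
! IKE phase 1 policy and peer key. These commands belong to the IKE chapter,
! not to this one.
crypto isakmp policy 10
 encryption des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key REPLACE-WITH-SHARED-SECRET address 203.0.113.2
!
! Global IPSec SA lifetime: rekey every 30 minutes instead of the default 3600 s.
crypto ipsec security-association lifetime seconds 1800
!
! Transform set: ESP with DES encryption and SHA-1 HMAC authentication.
! Tunnel mode is the default; stated explicitly here for clarity.
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
 mode tunnel
!
! Extended access list that selects the traffic to protect (site LAN to
! remote LAN). Everything the list permits is protected; everything else
! leaves the interface in the clear.
access-list 101 permit ip 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255
!
! Dynamic crypto map: a policy template for peers whose address is not
! configured here. No set peer is needed; the peer's proposal must still
! match a transform set listed in the template.
crypto dynamic-map REMOTE-TEMPLATE 10
 set transform-set ESP-DES-SHA
!
! Static crypto map entry for the known peer. The lowest sequence number is
! evaluated first, so static entries go before the dynamic one.
crypto map SITE-VPN 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set ESP-DES-SHA
 set pfs group2
 set security-association lifetime kilobytes 2560000
 match address 101
!
! Catch-all entry that hands unmatched negotiation requests to the template.
! No further crypto map subcommands are accepted on an entry that uses dynamic.
crypto map SITE-VPN 20 ipsec-isakmp dynamic REMOTE-TEMPLATE
!
! Apply the crypto map set to the outside interface.
interface Serial0
 ip address 203.0.113.1 255.255.255.252
 crypto map SITE-VPN
```

After entering the configuration, show crypto map displays the completed entries, show crypto ipsec transform-set confirms the transform set and its mode, and show crypto ipsec sa shows the security associations once traffic matching access list 101 has triggered a negotiation. If the same crypto map set is applied to more than one interface, crypto map SITE-VPN local-address can name a single interface (typically a loopback) whose address is used to identify this router to its peers. The per-entry kilobytes lifetime above overrides only the traffic-volume limit; the seconds limit is still taken from the global command.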


show crypto dynamic-map

To view a dynamic crypto map set, use the show crypto dynamic-map EXEC command.

show crypto dynamic-map [tag map-name]

tag map-name

(Optional) Shows only the crypto dynamic map set with the specified map-name.


show crypto ipsec sa

To view the settings used by current security associations, use the show crypto ipsec sa EXEC command.

show crypto ipsec sa [map map-name | address | identity] [detail]

map map-name

(Optional) Shows any existing security associations created for the crypto map set named map-name.

address

(Optional) Shows all existing security associations, sorted by the destination address (either the local address or the address of the IPSec remote peer) and then by protocol (AH or ESP).

identity

(Optional) Shows only the flow information. It does not show the security association information.

detail

(Optional) Shows detailed error counters. (The default is the high level send/receive error counters.)


show crypto ipsec security-association lifetime

To view the security-association lifetime value configured for a particular crypto map entry, use the show crypto ipsec security-association lifetime EXEC command.

show crypto ipsec security-association lifetime

show crypto ipsec transform-set

To view the configured transform sets, use the show crypto ipsec transform-set EXEC command.

show crypto ipsec transform-set [tag transform-set-name]

tag transform-set-name

(Optional) Shows only the transform sets with the specified transform-set-name.


show crypto map

To view the crypto map configuration, use the show crypto map EXEC command.

show crypto map [interface interface | tag map-name]

interface interface

(Optional) Shows only the crypto map set applied to the specified interface.

tag map-name

(Optional) Shows only the crypto map set with the specified map-name.




Posted: Mon Feb 8 13:56:40 PST 1999
Copyright © 1989-1999 Cisco Systems Inc.