Configuring Internet Key Exchange Security Protocol

For a complete description of the IKE commands used in this chapter, refer to the "Internet Key Exchange Security Protocol Commands" chapter in the Cisco IOS Security Command Reference. To locate documentation of other commands that appear in this chapter, use the command reference master index or search online.

In This Chapter

This chapter includes the following sections:

IKE Overview

IKE automatically negotiates IPSec security associations (SAs) and enables IPSec secure communications without costly manual preconfiguration. Specifically, IKE provides these benefits:

Eliminates the need to manually specify all the IPSec security parameters in the crypto maps at both peers.
Allows you to specify a lifetime for the IPSec security association.
Allows encryption keys to change during IPSec sessions.
Allows IPSec to provide anti-replay services.
Permits certification authority (CA) support for a manageable, scalable IPSec implementation.
Allows dynamic authentication of peers.

This section includes the following sections:

Supported Standards

Cisco implements the following standards:

IPSec---IP Security Protocol. IPSec is a framework of open standards that provides data confidentiality, data integrity, and data authentication between participating peers. IPSec provides these security services at the IP layer; it uses IKE to handle negotiation of protocols and algorithms based on local policy, and to generate the encryption and authentication keys to be used by IPSec. IPSec can be used to protect one or more data flows between a pair of hosts, between a pair of security gateways, or between a security gateway and a host.

: For more information on IPSec, see the "Configuring IPSec Network Security" chapter.

Internet Key Exchange (IKE)---A hybrid protocol which implements Oakley and Skeme key exchanges inside the ISAKMP framework. While IKE can be used with other protocols, its initial implementation is with the IPSec protocol. IKE provides authentication of the IPSec peers, negotiates IPSec keys, and negotiates IPSec security associations.

: IKE is implemented per RFC 2409, "The Internet Key Exchange."

ISAKMP---The Internet Security Association and Key Management Protocol. A protocol framework which defines payload formats, the mechanics of implementing a key exchange protocol, and the negotiation of a security association.

: ISAKMP is implemented per the latest version of the "Internet Security Association and Key Management Protocol (ISAKMP)" Internet Draft (RFC 2408).

Oakley---A key exchange protocol which defines how to derive authenticated keying material.
Skeme---A key exchange protocol which defines how to derive authenticated keying material, with rapid key refreshment.

The component technologies implemented for use by IKE include:

DES---The Data Encryption Standard (DES) is used to encrypt packet data. IKE implements the 56-bit DES-CBC with Explicit IV standard. Cipher Block Chaining (CBC) requires an initialization vector (IV) to start encryption. The IV is explicitly given in the IPSec packet.

: Cisco IOS also implements Triple DES (168-bit) encryption, depending on the software versions available for a specific platform. Triple DES (3DES) is a strong form of encryption that allows sensitive information to be transmitted over untrusted networks. It enables customers, particularly in the finance industry, to utilize network layer encryption.

Note Cisco IOS images with strong encryption (including, but not limited to, 56-bit data encryption feature sets) are subject to United States government export controls, and have a limited distribution. Images to be installed outside the United States require an export license. Customer orders might be denied or subject to delay due to United States government regulations. Contact your sales representative or distributor for more information, or send e-mail to export@cisco.com.

Diffie-Hellman---A public-key cryptography protocol which allows two parties to establish a shared secret over an unsecure communications channel. Diffie-Hellman is used within IKE to establish session keys. 768-bit and 1024-bit Diffie-Hellman groups are supported.
MD5 (HMAC variant)---MD5 (Message Digest 5) is a hash algorithm used to authenticate packet data. HMAC is a variant which provides an additional level of hashing.
SHA (HMAC variant)---SHA (Secure Hash Algorithm) is a hash algorithm used to authenticate packet data. HMAC is a variant which provides an additional level of hashing.
RSA signatures and RSA encrypted nonces---RSA is the public key cryptographic system developed by Ron Rivest, Adi Shamir, and Leonard Adleman. RSA signatures provides non-repudiation while RSA encrypted nonces provide repudiation.

IKE interoperates with the following standard:

X.509v3 certificates---Used with the IKE protocol when authentication requires public keys. This certificate support allows the protected network to scale by providing the equivalent of a digital ID card to each device. When two devices wish to communicate, they exchange digital certificates to prove their identity (thus removing the need to manually exchange public keys with each peer or to manually specify a shared key at each peer).

List of Terms

anti-replay---A security service in which the receiver can reject old or duplicate packets in order to protect itself against replay attacks. IPSec provides optional anti-replay services by use of a sequence number combined with the use of authentication.

data authentication---Includes two concepts:

Data integrity (verify that data has not been altered).
Data origin authentication (verify that the data was actually sent by the claimed sender).

Data authentication can refer either to integrity alone or to both of these concepts (although data origin authentication is dependent upon data integrity).

peer---In the context of this chapter, a peer refers to a router or other device that participates in IPSec and IKE.

perfect forward secrecy (PFS)---A cryptographic characteristic associated with a derived shared secret value. With PFS, if one key is compromised, previous and subsequent keys are not also compromised, because subsequent keys are not derived from previous keys.

repudiation---A quality that prevents a third party from being able to prove that a communication between two other parties ever took place. This is a desirable quality if you do not want your communications to be traceable. Non-repudiation is the opposite quality---a third party can prove that a communication between two other parties took place. Non-repudiation is desirable if you want to be able to trace your communications and prove that they occurred.

security association---A security association (SA) describes how two or more entities will utilize security services to communicate securely. For example, an IPSec SA defines the encryption algorithm (if used), the authentication algorithm, and the shared session key to be used during the IPSec connection.

Both IPSec and IKE require and use SAs to identify the parameters of their connections. IKE can negotiate and establish its own SA. The IPSec SA is established either by IKE or by manual user configuration.

IKE Aggressive Mode Behavior

This section describes IKE aggressive mode behavior when using Cisco IOS software.

IKE has two phases of key negotiation: phase 1 and phase 2. Phase 1 negotiates a security association (a key) between two IKE peers. The key negotiated in phase 1 enables IKE peers to communicate securely in phase 2. During phase 2 negotiation, IKE establishes keys (security associations) for other applications, such as IPSec.

Phase 1 negotiation can occur using one of two modes: main mode or aggressive mode. Main mode tries to protect all information during the negotiation, meaning that no information is available to a potential attacker. When using main mode, the identities of the two sides are hidden. While this mode of operation is very secure, it is more costly in terms of the time it takes to complete the negotiation. Aggressive mode takes less time to negotiate keys between peers; however, it gives up some of the security provided by main mode negotiation. For example, the identities of the two parties trying to establish a security association are exposed to an eavesdropper.

The two modes serve different purposes and have different strengths. Main mode is slower than aggressive mode, but main mode is more secure and more flexible because if can offer an IKE peer more security proposals than aggressive mode. Aggressive mode is less flexible and not as secure, but much faster.

In Cisco IOS, the two modes are not configurable. The default action for IKE authentication (rsa-sig, rsa-encr, or pre-shared) is to initiate main mode; however, in cases where there is no corresponding information to initiate authentication, and there is a pre-shared key associated with the hostname of the peer, Cisco IOS can initiate aggressive mode. Cisco IOS will respond in aggressive mode to an IKE peer that initiates aggressive mode.

IKE Configuration Task List

To configure IKE, perform the tasks in the following sections. The tasks in the first three sections are required; the remaining may be optional, depending on what parameters are configured.

Enabling or Disabling IKE (Required)
Ensuring Access Lists Are Compatible with IKE (Required)
Creating IKE Policies (Required)
Manually Configuring RSA Keys (Optional, depending on IKE parameters)
Configuring Pre-Shared Keys (Optional, depending on IKE parameters)
Configuring Internet Key Exchange Mode Configuration (Optional)
Configuring Tunnel Endpoint Discovery (Optional)
Clearing IKE Connections (Optional)
Troubleshooting IKE (Optional)

For IKE configuration examples, refer to the "IKE Configuration Examples" section at the end of this chapter.

Enabling or Disabling IKE

IKE is enabled by default. IKE does not have to be enabled for individual interfaces, but is enabled globally for all interfaces at the router.

If you do not want IKE to be used with your IPSec implementation, you can disable it at all IPSec peers.

If you disable IKE, you will have to make these concessions at the peers:

You must manually specify all the IPSec security associations in the crypto maps at all peers. (Crypto map configuration is described in the "Configuring IPSec Network Security" chapter.)
The peers' IPSec security associations will never time out for a given IPSec session.
During IPSec sessions between the peers, the encryption keys will never change.
Anti-replay services will not be available between the peers.
Certification authority (CA) support cannot be used.

To disable or enable IKE, use one of the following commands in global configuration mode:

Command Purpose

Router (config)# no crypto isakmp enable
Disables IKE.

Router (config)# crypto isakmp enable
Enables IKE.

Command	Purpose
Router (config)# no crypto isakmp enable	Disables IKE.
Router (config)# crypto isakmp enable	Enables IKE.

If you disable IKE, you can skip the rest of the tasks in this chapter and go directly to IPSec configuration as described in the "Configuring IPSec Network Security" chapter.

After the two peers agree upon a policy, the security parameters of the policy are identified by a security association established at each peer, and these security associations apply to all subsequent IKE traffic during the negotiation.

You can create multiple, prioritized policies at each peer to ensure that at least one policy will match a remote peer's policy.

What Parameters Do You Define in a Policy?

There are five parameters to define in each IKE policy:

Parameter Accepted Values Keyword Default Value

encryption algorithm

56-bit DES-CBC

168-bit DES

des

3des

56-bit DES-CBC

168-bit DES

hash algorithm

SHA-1 (HMAC variant)

MD5 (HMAC variant)

sha

md5

SHA-1

authentication method

RSA signatures

RSA encrypted nonces

pre-shared keys

rsa-sig

rsa-encr

pre-share

RSA signatures

Diffie-Hellman group identifier

768-bit Diffie-Hellman or

1024-bit Diffie-Hellman

1

2

768-bit Diffie-Hellman

security association's lifetime¹

Can specify any number of seconds

---

86400 seconds (one day)

¹For information about this lifetime and how it is used, see the command description for the lifetime (IKE policy) command.

Parameter	Accepted Values	Keyword	Default Value
encryption algorithm	56-bit DES-CBC 168-bit DES	des 3des	56-bit DES-CBC 168-bit DES
hash algorithm	SHA-1 (HMAC variant) MD5 (HMAC variant)	sha md5	SHA-1
authentication method	RSA signatures RSA encrypted nonces pre-shared keys	rsa-sig rsa-encr pre-share	RSA signatures
Diffie-Hellman group identifier	768-bit Diffie-Hellman or 1024-bit Diffie-Hellman	1 2	768-bit Diffie-Hellman
security association's lifetime¹	Can specify any number of seconds	---	86400 seconds (one day)

These parameters apply to the IKE negotiations when the IKE security association is established.

How Do IKE Peers Agree upon a Matching Policy?

When the IKE negotiation begins, IKE looks for an IKE policy that is the same on both peers. The peer that initiates the negotiation will send all its policies to the remote peer, and the remote peer will try to find a match. The remote peer looks for a match by comparing its own highest priority policy against the other peer's received policies. The remote peer checks each of its policies in order of its priority (highest priority first) until a match is found.

A match is made when both policies from the two peers contain the same encryption, hash, authentication, and Diffie-Hellman parameter values, and when the remote peer's policy specifies a lifetime less than or equal to the lifetime in the policy being compared. (If the lifetimes are not identical, the shorter lifetime---from the remote peer's policy---will be used.)

If no acceptable match is found, IKE refuses negotiation and IPSec will not be established.

If a match is found, IKE will complete negotiation, and IPSec security associations will be created.

NoteDepending on which authentication method is specified in a policy, additional configuration might be required (as described in the "Additional Configuration Required for IKE Policies" section). If a peer's policy does not have the required companion configuration, the peer will not submit the policy when attempting to find a matching policy with the remote peer.

Which Value Should You Select for Each Parameter?

You can select certain values for each parameter, per the IKE standard. But why chose one value over another?

If you are interoperating with a device that supports only one of the values for a parameter, your choice is limited to the other device's supported value. Aside from this, there is often a trade-off between security and performance, and many of these parameter values represent such a trade-off. You should evaluate the level of your network's security risks and your tolerance for these risks. Then the following tips might help you select which value to specify for each parameter:

The encryption algorithm has two options: 56-bit DES-CBC and 168-bit DES.
The hash algorithm has two options: SHA-1 and MD5.

: MD5 has a smaller digest and is considered to be slightly faster than SHA-1. There has been a demonstrated successful (but extremely difficult) attack against MD5; however, the HMAC variant used by IKE prevents this attack.

The
authentication method has three options: RSA signatures, RSA encrypted nonces, and pre-shared keys.
- RSA signatures provides non-repudiation for the IKE negotiation (you can prove to a third party after the fact that you did indeed have an IKE negotiation with the remote peer).
RSA signatures requires use of a certification authority (CA). Using a CA can dramatically improve the manageability and scalability of your IPSec network. Additionally, RSA signature-based authentication uses only two public key operations while RAS encryption uses four public key operations, which is costlier in terms of overall performance.
- RSA encrypted nonces provides repudiation for the IKE negotiation (you cannot prove to a third party that you had an IKE negotiation with the remote peer). This is used to prevent a
RSA encrypted nonces require that peers possess each other's public keys but do not use a certification authority. Instead, there are two ways for peers to get each others' public keys:

1) During configuration you manually configure RSA keys (as described in the "Manually Configuring RSA Keys" section).

2) If your local peer has previously used RSA signatures during a successful IKE negotiation with a remote peer, your local peer already possesses the remote peer's public key. (The peers' public keys are exchanged during the RSA-signatures-based IKE negotiations.)
- Pre-shared keys are clumsy to use if your secured network is large, and do not scale well with a growing network. However, they do not require use of a certification authority, as do RSA signatures, and might be easier to set up in a small network with fewer than 10nodes. RSA signatures also can be considered more secure when compared to pre-shared key authentication.
The Diffie-Hellman group identifier has two options: 768-bit or 1024-bit Diffie-Hellman.

: The 1024-bit Diffie-Hellman option is harder to crack, but requires more CPU time to execute.

The security association's lifetime can be set to any value.

: As a general rule, the shorter the lifetime (up to a point), the more secure your IKE negotiations will be. However, with longer lifetimes, future IPSec security associations can be set up more quickly. For more information about this parameter and how it is used, see the command description for the lifetime (IKE policy) command.

Creating Policies

You can create multiple IKE policies, each with a different combination of parameter values. For each policy that you create, you assign a unique priority (1 through 10,000, with 1 being the highest priority).

You can configure multiple policies on each peer---but at least one of these policies must contain exactly the same encryption, hash, authentication, and Diffie-Hellman parameter values as one of the policies on the remote peer. (The lifetime parameter does not necessarily have to be the same; see details in the "How Do IKE Peers Agree upon a Matching Policy?" section.)

If you do not configure any policies, your router will use the default policy, which is always set to the lowest priority, and which contains each parameter's default value.

To configure a policy, use the following commands, beginning in global configuration mode:

Command Purpose

Step1

Router (config)# crypto isakmp policy priority
Identifies the policy to create. (Each policy is uniquely identified by the priority number you assign.)

(This command puts you into the config-isakmp command mode.)

Step2

Router (config-isakmp)# encryption {des | 3des}
Specifies the encryption algorithm.

Step3

Router (config-isakmp)# hash {sha | md5}
Specifies the hash algorithm.

Step4

Router (config-isakmp)# authentication {rsa-sig | rsa-encr | pre-share}
Specifies the authentication method.

Step5

Router (config-isakmp)# group {1 | 2}
Specifies the Diffie-Hellman group identifier.

Step6

Router (config-isakmp)# lifetime seconds
Specifies the security association's lifetime.

Step7

Router (config-isakmp)# exit
Exits the config-isakmp command mode.

Step8

Router (config)# exit
Exits the global configuration mode.

Step9

Router# show crypto isakmp policy
(Optional) Displays all existing IKE policies.

(Use this command in EXEC mode.)

	Command	Purpose
Step1	Router (config)# crypto isakmp policy priority	Identifies the policy to create. (Each policy is uniquely identified by the priority number you assign.) (This command puts you into the config-isakmp command mode.)
Step2	Router (config-isakmp)# encryption {des \| 3des}	Specifies the encryption algorithm.
Step3	Router (config-isakmp)# hash {sha \| md5}	Specifies the hash algorithm.
Step4	Router (config-isakmp)# authentication {rsa-sig \| rsa-encr \| pre-share}	Specifies the authentication method.
Step5	Router (config-isakmp)# group {1 \| 2}	Specifies the Diffie-Hellman group identifier.
Step6	Router (config-isakmp)# lifetime seconds	Specifies the security association's lifetime.
Step7	Router (config-isakmp)# exit	Exits the config-isakmp command mode.
Step8	Router (config)# exit	Exits the global configuration mode.
Step9	Router# show crypto isakmp policy	(Optional) Displays all existing IKE policies. (Use this command in EXEC mode.)

If you do not specify a value for a parameter, the default value is assigned.

NoteThe default policy and the default values for configured policies do not show up in the configuration when you issue a show running command. Instead, to see the default policy and any default values within configured policies, use the show crypto isakmp policy command.

Additional Configuration Required for IKE Policies

Depending on which authentication method you specify in your IKE policies, you need to do certain additional configuration before IKE and IPSec can successfully use the IKE policies.

Each authentication method requires additional companion configuration as follows:

RSA signatures method:

: If you specify RSA signatures as the authentication method in a policy, you must configure the peers to obtain certificates from a certification authority (CA). (And, of course, the CA must be properly configured to issue the certificates.) Configure this certificate support as described in the "Configuring Certification Authority Interoperability" chapter.
: The certificates are used by each peer to securely exchange public keys. (RSA signatures requires that each peer has the remote peer's public signature key.) When both peers have valid certificates, they will automatically exchange public keys with each other as part of any IKE negotiation in which RSA signatures are used.

RSA encrypted nonces method:

: If you specify RSA encrypted nonces as the authentication method in a policy, you need to ensure that each peer has the other peers' public keys.

Pre-shared keys authentication method:

: If you specify pre-shared keys as the authentication method in a policy, you must configure these pre-shared keys as described in the "Configuring Pre-Shared Keys" section.

If RSA encryption is configured and signature mode is negotiated, the peer will request both signature and encryption keys. Basically, the router will request as many keys as the configuration will support. If RSA encryption is not configured, it will just request a signature key.

Manually Configuring RSA Keys

Manually configure RSA keys when you specify RSA encrypted nonces as the authentication method in an IKE policy and you are not using a certification authority (CA).

To manually configure RSA keys, perform these tasks at each IPSec peer that uses RSA encrypted nonces in an IKE policy:

Generating RSA Keys

To generate RSA keys, use the following commands starting in global configuration mode:

Command Purpose

Step1

Router (config)# crypto key generate rsa [usage-keys]
Generates RSA keys.

Step2

Router# show crypto key mypubkey rsa
Displays the generated RSA public key (in EXEC mode).

	Command	Purpose
Step1	Router (config)# crypto key generate rsa [usage-keys]	Generates RSA keys.
Step2	Router# show crypto key mypubkey rsa	Displays the generated RSA public key (in EXEC mode).

Remember to repeat these tasks at each peer (without CA support) that uses RSA encrypted nonces in an IKE policy.

Setting ISAKMP Identity

You should set the ISAKMP identity for each peer that uses pre-shared keys in an IKE policy.

When two peers use IKE to establish IPSec security associations, each peer sends its identity to the remote peer. Each peer sends either its host name or its IP address, depending on how you have the router's ISAKMP identity set.

By default, a peer's ISAKMP identity is the peer's IP address. If appropriate, you could change the identity to be the peer's host name instead. As a general rule, set all peers' identities the same way---either all peers should use their IP address, or all peers should use their host name. If some peers use their host name and some peers use their IP address to identify themselves to each other, IKE negotiations could fail if a remote peer's identity is not recognized and a DNS lookup is unable to resolve the identity.

To set a peer's ISAKMP identity, use the following commands in global configuration mode:

Command Purpose

Step1

Router (config)# crypto isakmp identity {address | hostname}
At the local peer: Specifies the peer's ISAKMP identity by IP address or by host name.¹

Step2

Router (config)# ip host hostname address1 [address2...address8]
At all remote peers: If the local peer's ISAKMP identity was specified using a host name, maps the peer's host name to its IP address(es) at all the remote peers. (This step might be unnecessary if the host name/address is already mapped in a DNS server.)

¹See the crypto isakmp identity command description for guidelines for when to use the IP address vs. the host name.

	Command	Purpose
Step1	Router (config)# crypto isakmp identity {address \| hostname}	At the local peer: Specifies the peer's ISAKMP identity by IP address or by host name.¹
Step2	Router (config)# ip host hostname address1 [address2...address8]	At all remote peers: If the local peer's ISAKMP identity was specified using a host name, maps the peer's host name to its IP address(es) at all the remote peers. (This step might be unnecessary if the host name/address is already mapped in a DNS server.)

Remember to repeat these tasks at each peer that uses pre-shared keys in an IKE policy.

Specifying All the Other Peers' RSA Public Keys

At each peer, specify all the other peers' RSA public keys by using the following commands starting in global configuration mode:

Command Purpose

Step1

Router (config)# crypto key pubkey-chain rsa
Enters public key chain configuration mode.

Step2

Router (config-pubkey-c)# named-key key-name [encryption | signature]
or

Router (config-pubkey-c)# addressed-key key-address [encryption | signature]
Indicates which remote peer's RSA public key you are going to specify. Enters public key configuration mode.

If the remote peer uses its host name as its ISAKMP identity, use the named-key command and specify the remote peer's fully qualified domain name (such as somerouter.example.com) as the key-name.

If the remote peer uses its IP address as its ISAKMP identity, use the addressed-key command and specify the remote peer's IP address as the key-address.

Step3

Router (config-pubkey-k)# address ip-address
If you used a fully qualified domain name to name the remote peer in Step2 (using the named-key command), you can optionally specify the remote peer's IP address.

Step4

Router (config-pubkey-k)# key-string
key-string
Specifies the remote peer's RSA public key. This is the key viewed by the remote peer's administrator previously when he generated his router's RSA keys.

Step5

Router (config-pubkey-k)# quit
Returns to public key chain configuraiton mode.

Step6

---

Repeat Steps 2 through 4 to specify the RSA public keys of all the other IPSec peers that use RSA encrypted nonces in an IKE policy.

Step7

Router (config-pubkey-c)# exit
Returns to global configuration mode.

	Command	Purpose
Step1	Router (config)# crypto key pubkey-chain rsa	Enters public key chain configuration mode.
Step2	Router (config-pubkey-c)# named-key key-name [encryption \| signature] or Router (config-pubkey-c)# addressed-key key-address [encryption \| signature]	Indicates which remote peer's RSA public key you are going to specify. Enters public key configuration mode. If the remote peer uses its host name as its ISAKMP identity, use the named-key command and specify the remote peer's fully qualified domain name (such as somerouter.example.com) as the key-name. If the remote peer uses its IP address as its ISAKMP identity, use the addressed-key command and specify the remote peer's IP address as the key-address.
Step3	Router (config-pubkey-k)# address ip-address	If you used a fully qualified domain name to name the remote peer in Step2 (using the named-key command), you can optionally specify the remote peer's IP address.
Step4	Router (config-pubkey-k)# key-string key-string	Specifies the remote peer's RSA public key. This is the key viewed by the remote peer's administrator previously when he generated his router's RSA keys.
Step5	Router (config-pubkey-k)# quit	Returns to public key chain configuraiton mode.
Step6	---	Repeat Steps 2 through 4 to specify the RSA public keys of all the other IPSec peers that use RSA encrypted nonces in an IKE policy.
Step7	Router (config-pubkey-c)# exit	Returns to global configuration mode.

Remember to repeat these tasks at each peer that uses RSA encrypted nonces in an IKE policy.

To view RSA public keys while or after you configure them, use the following command in EXEC mode:

Command Purpose

Router# show crypto key pubkey-chain rsa {name key-name | address key-address}
Displays a list of all the RSA public keys stored on your router, or displays details of a particular RSA public key stored on your router.

Command	Purpose
Router# show crypto key pubkey-chain rsa {name key-name \| address key-address}	Displays a list of all the RSA public keys stored on your router, or displays details of a particular RSA public key stored on your router.

Configuring Pre-Shared Keys

To configure pre-shared keys, perform these tasks at each peer that uses pre-shared keys in an IKE policy:

First, set each peer's ISAKMP identity. Each peer's identity should be set to either its host name or by its IP address. By default, a peer's identity is set to its IP address. Setting ISAKMP identities is described previously in the "Setting ISAKMP Identity" section.
Next, specify the shared keys at each peer. Note that a given pre-shared key is shared between two peers. At a given peer you could specify the same key to share with multiple remote peers; however, a more secure approach is to specify different keys to share between different pairs of peers.

To specify pre-shared keys at a peer, use the following commands in global configuration mode:

Command Purpose

Step1

Router (config)# crypto isakmp key keystring address peer-address
or

Router (config)# crypto isakmp key keystring hostname peer-hostname
At the local peer: Specifies the shared key to be used with a particular remote peer.

If the remote peer specified their ISAKMP identity with an address, use the address keyword in this step; otherwise use the hostname keyword in this step.

Step2

Router (config)# crypto isakmp key keystring address peer-address
or

Router (config)# crypto isakmp key keystring hostname peer-hostname
At the remote peer: Specifies the shared key to be used with the local peer. This is the same key you just specified at the local peer.

If the local peer specified their ISAKMP identity with an address, use the address keyword in this step; otherwise use the hostname keyword in this step.

Step3

---

Repeat the previous two steps for each remote peer.

	Command	Purpose
Step1	Router (config)# crypto isakmp key keystring address peer-address or Router (config)# crypto isakmp key keystring hostname peer-hostname	At the local peer: Specifies the shared key to be used with a particular remote peer. If the remote peer specified their ISAKMP identity with an address, use the address keyword in this step; otherwise use the hostname keyword in this step.
Step2	Router (config)# crypto isakmp key keystring address peer-address or Router (config)# crypto isakmp key keystring hostname peer-hostname	At the remote peer: Specifies the shared key to be used with the local peer. This is the same key you just specified at the local peer. If the local peer specified their ISAKMP identity with an address, use the address keyword in this step; otherwise use the hostname keyword in this step.
Step3	---	Repeat the previous two steps for each remote peer.

Remember to repeat these tasks at each peer that uses pre-shared keys in an IKE policy.

Configuring Internet Key Exchange Mode Configuration

Internet Key Exchange (IKE) Mode Configuration , as defined by the Internet Engineering Task Force (IETF), allows a gateway to download an IP address (and other network level configuration) to the client as part of an IKE negotiation. Using this exchange, the gateway gives IP addresses to the IKE client to be used as an "inner" IP address encapsulated under IPSec. This provides a known IP address for the client which can be matched against Internet Protocol Security (IPSec) policy.

To implement IPSec Virtual Private Networks (VPNs) between remote access clients with dynamic IP addresses and a corporate gateway, you have to dynamically administer scalable IPSec policy on the gateway once each client is authenticated. With IKE Mode Configuration, the gateway can set up scalable policy for a very large set of clients irrespective of the IP addresses of those clients.

There are two types of IKE Mode Configuration:

Gateway initiation---Gateway initiates the configuration mode with the client. Once the client responds, the IKE modifies the sender's identity, the message is processed, and the client receives a response.
Client initiation---Client initiates the configuration mode with the gateway. The gateway responds with an IP address it has allocated for the client.

IKE Mode Configuration has the following restrictions:

Interfaces with crypto maps which are configured for IKE Mode Configuration may experience a slightly longer connection set up time. This is true even for IKE peers that refuse to be configured or do not respond to the configuration mode request. In both cases, the gateway initiates the configuration of the client.
At the time of this publication, this feature is an IETF draft with limited support. Therefore, this feature was not designed to enable the configuration mode for every IKE connection by default. Configure this feature at the global crypto map level.
The following items in the IETF draft are not currently supported:
- Configuration attributes other than INTERNAL_IP_ADDRESS
- Unprotected exchanges

There are two steps to configuring IKE Mode Configuration on a router:

1. Define the pool of IP addresses.

2. Define which crypto maps should attempt to configure clients.

To configure IKE Mode Configuration on your Cisco access router, use the following commands in global configuration mode:

Command Purpose

Step1

router(config)# ip local pool pool-name start-addr end-addr
Existing local address pools are used to define a set of addresses. To define a local address pool, use the existing ip local pool command. For more information on the ip local pool command, refer to the Cisco IOS Dial Services Command Reference.

Step2

router(config)# crypto isakmp client configuration address-pool local pool-name
The local pool references the IKE configuration. To reference this local address pool in the IKE configuration, use the new crypto isakmp client configuration address-pool local command. For more information on the crypto isakmp client configuration address-pool local command, refer to the Cisco IOS Security Command Reference.

Step3

router(config)# crypto map tag client configuration address [initiate | respond]
To configure IKE Mode Configuration in global crypto map configuration mode, use the new crypto map client configuration address command. For more information on the crypto map client configuration address command, refer to the CiscoIOS Security Command Reference.

	Command	Purpose
Step1	router(config)# ip local pool pool-name start-addr end-addr	Existing local address pools are used to define a set of addresses. To define a local address pool, use the existing ip local pool command. For more information on the ip local pool command, refer to the Cisco IOS Dial Services Command Reference.
Step2	router(config)# crypto isakmp client configuration address-pool local pool-name	The local pool references the IKE configuration. To reference this local address pool in the IKE configuration, use the new crypto isakmp client configuration address-pool local command. For more information on the crypto isakmp client configuration address-pool local command, refer to the Cisco IOS Security Command Reference.
Step3	router(config)# crypto map tag client configuration address [initiate \| respond]	To configure IKE Mode Configuration in global crypto map configuration mode, use the new crypto map client configuration address command. For more information on the crypto map client configuration address command, refer to the CiscoIOS Security Command Reference.

Configuring Tunnel Endpoint Discovery

Tunnel Endpoint Discovery is an enhancement to the IP Security Protocol (IPSec) feature. Defining a dynamic crypto map allows you to be able to dynamically determine an IPSec peer; however, only the receiving router has this ability. With Tunnel Endpoint Discovery, the initiating router can dynamically determine an IPSec peer for secure IPSec communications.

Dynamic Tunnel Endpoint Discovery allows IPSec to scale to large networks by reducing multiple encryptions, reducing the setup time, and allowing for simple configurations on participating peer routers. Each node has a simple configuration that defines the local network that the router is protecting and the IPSec transforms that are required.

Tunnel Endpoint Discovery has the following restrictions:

The Internet Key Exchange (IKE) cannot occur until the peer is identified. You can identify the peer using the crypto dynamic-map command. Using the discover keyword with this command, the receiving router sends a probe out to receive a response from the peer router.
This feature is only available on dynamic crypto maps. The dynamic crypto map template is based on the dynamic crypto map performing peer discovery. Although there are no access-list restrictions on the dynamic crypto map template, the dynamic crypto map template should cover data sourced from the protected traffic and the receiving router using the any keyword. When using the any keyword, include explicit deny statements to exempt routing protocol traffic prior to entering the permit any command.

To create a dynamic crypto map entry with Tunnel Endpoint Discovery configured, use the following commands, beginning in crypto-map configuration mode:

Command Purpose

Step1

Router (config)# crypto dynamic-map dynamic-map-name dynamic-map-number
Router (config-crypto-m)# set transform-set transform-set-name1 [transform-set-name2...transform-set-name6]
Router (config-crypto-m)# match address access-list-id
Router (config-crypto-m)# set peer {hostname | ip-address}
Router (config-crypto-m)# set security-association lifetime seconds seconds
and/or

Router (config-crypto-m)# set security-association lifetime kilobytes kilobytes
Router (config-crypto-m)# set pfs [group1 | group2]
Router (config-crypto-m)# exit
Configures a dynamic crypto map using the crypto dynamic-map command. For more information on the crypto dynamic-map command, refer to the "IPSec Network Security Commands" chapter of the Cisco IOS Security Command Reference.

Step2

Router (config)# crypto map map-name map-number ipsec-isakmp dynamic dynamic-map-name [discover]
(Optional) Adds a crypto map set to a static crypto map set.

For more information on the crypto map command, refer to the "IPSec Network Security Commands" chapter of the Cisco IOS Security Command Reference.

(Optional) Enter the discover keyword on the dynamic crypto map to enable peer discovery. After the dynamic crypto map template permits an outbound packet, peer discovery occurs when the packet reaches an interface configured with the dynamic crypto map.

	Command	Purpose
Step1	Router (config)# crypto dynamic-map dynamic-map-name dynamic-map-number Router (config-crypto-m)# set transform-set transform-set-name1 [transform-set-name2...transform-set-name6] Router (config-crypto-m)# match address access-list-id Router (config-crypto-m)# set peer {hostname \| ip-address} Router (config-crypto-m)# set security-association lifetime seconds seconds and/or Router (config-crypto-m)# set security-association lifetime kilobytes kilobytes Router (config-crypto-m)# set pfs [group1 \| group2] Router (config-crypto-m)# exit	Configures a dynamic crypto map using the crypto dynamic-map command. For more information on the crypto dynamic-map command, refer to the "IPSec Network Security Commands" chapter of the Cisco IOS Security Command Reference.
Step2	Router (config)# crypto map map-name map-number ipsec-isakmp dynamic dynamic-map-name [discover]	(Optional) Adds a crypto map set to a static crypto map set. For more information on the crypto map command, refer to the "IPSec Network Security Commands" chapter of the Cisco IOS Security Command Reference. (Optional) Enter the discover keyword on the dynamic crypto map to enable peer discovery. After the dynamic crypto map template permits an outbound packet, peer discovery occurs when the packet reaches an interface configured with the dynamic crypto map.

Clearing IKE Connections

If you want, you can clear existing IKE connections.

To clear IKE connections, use the following commands in EXEC mode:

Command Purpose

Step1

Router# show crypto isakmp sa
Displays existing IKE connections; note the connection identifiers for connections you wish to clear.

Step2

Router# clear crypto isakmp [connection-id]
Clears IKE connections.

	Command	Purpose
Step1	Router# show crypto isakmp sa	Displays existing IKE connections; note the connection identifiers for connections you wish to clear.
Step2	Router# clear crypto isakmp [connection-id]	Clears IKE connections.

Troubleshooting IKE

To assist in IKE troubleshooting, use the following commands in EXEC mode:

Command Purpose

Router# show crypto isakmp policy
Displays the parameters for each configured IKE policy.

Router# show crypto isakmp sa
Displays all current IKE security associations.

Router# show running-config
Verifies IKE configuration.

Router# debug crypto isakmp
Displays debug messages about IKE events.

Command	Purpose
Router# show crypto isakmp policy	Displays the parameters for each configured IKE policy.
Router# show crypto isakmp sa	Displays all current IKE security associations.
Router# show running-config	Verifies IKE configuration.
Router# debug crypto isakmp	Displays debug messages about IKE events.

What to Do Next

After IKE configuration is complete, you can configure IPSec. IPSec configuration is described in the "Configuring IPSec Network Security" chapter.

IKE Configuration Examples

This example creates two IKE policies, with policy 15 as the highest priority, policy 20 as the next priority, and the existing default priority as the lowest priority. It also creates a pre-shared key to be used with policy 20 with the remote peer whose IP address is 192.168.224.33.

crypto isakmp policy 15
encryption 3des
hash md5
authentication rsa-sig
group 2
lifetime 5000
crypto isakmp policy 20
authentication pre-share
lifetime 10000
crypto isakmp key 1234567890 address 192.168.224.33

In the preceding example, the encryption des of policy 15 would not appear in the written configuration because this is the default value for the encryption algorithm parameter.

If the show crypto isakmp policy command is issued with this configuration, the output would be as follows:

Protection suite priority 15
	encryption algorithm:	DES - Data Encryption Standard (56 bit keys)
	hash algorithm:	Message Digest 5
	authentication method:	Rivest-Shamir-Adleman Signature
	Diffie-Hellman group:	#2 (1024 bit)
	lifetime:	5000 seconds, no volume limit
Protection suite priority 20
	encryption algorithm:	DES - Data Encryption Standard (56 bit keys)
	hash algorithm:	Secure Hash Standard
	authentication method:	Pre-Shared Key
	Diffie-Hellman group:	#1 (768 bit)
	lifetime:	10000 seconds, no volume limit
Default protection suite
	encryption algorithm:	DES - Data Encryption Standard (56 bit keys)
	hash algorithm:	Secure Hash Standard
	authentication method:	Rivest-Shamir-Adleman Signature
	Diffie-Hellman group:	#1 (768 bit)
	lifetime:	86400 seconds, no volume limit

Note that although the output shows "no volume limit" for the lifetimes, you can currently only configure a time lifetime (such as 86,400 seconds); volume limit lifetimes are not configurable.

Table of Contents

Configuring Internet Key Exchange Security Protocol

Configuring Internet Key Exchange Security Protocol