Internet Key Exchange Security Protocol Commands

This chapter explains the function and syntax of the Internet Key Exchange security protocol commands. For more information about defaults and usage guidelines, see the corresponding chapter of the Cisco IOS Security Command Reference, Release 12.1.

address

To specify the IP address of the remote peer whose RSA public key you will manually configure, use the address command in public key configuration mode. This command should only be used when the router has a single interface that processes IPSec.

address ip-address

Syntax Description

ip-address

Specifies the IP address of the remote peer.

addressed-key

To specify which peer's RSA public key you will manually configure, use the addressed-key command in public key chain configuration mode. Use this form when the remote peer identifies itself by IP address during IKE; use named-key when it identifies itself by host name.

addressed-key key-address [encryption | signature]

Syntax Description

key-address

Specifies the IP address of the remote peer's RSA keys.

encryption

(Optional) Indicates that the RSA public key to be specified will be an encryption special usage key.

signature

(Optional) Indicates that the RSA public key to be specified will be a signature special usage key.

authentication (IKE policy)

To specify the authentication method within an IKE policy, use the authentication (IKE policy) command in ISAKMP policy configuration mode. IKE policies define a set of parameters to be used during IKE negotiation. Use the no form of this command to reset the authentication method to the default value.

authentication {rsa-sig | rsa-encr | pre-share}

no authentication

Syntax Description

rsa-sig

Specifies RSA signatures as the authentication method.

rsa-encr

Specifies RSA encrypted nonces as the authentication method.

pre-share

Specifies preshared keys as the authentication method.

clear crypto isakmp

To clear active IKE connections, use the clear crypto isakmp command in EXEC mode.

clear crypto isakmp [connection-id]

Syntax Description

connection-id

(Optional) Specifies which connection to clear. If this argument is not used, all existing connections will be cleared.

crypto isakmp client configuration address-pool local

To reference a local IP address pool from IKE on your router (the pool from which IKE Mode Configuration assigns addresses to peers), use the crypto isakmp client configuration address-pool local command in global configuration mode. Use the no form of this command to restore the default value.

crypto isakmp client configuration address-pool local pool-name

no crypto isakmp client configuration address-pool local

Syntax Description

pool-name

Specifies the name of a local address pool.

crypto isakmp enable

To globally enable IKE at your peer router, use the crypto isakmp enable command in global configuration mode. Use the no form of this command to disable IKE at the peer.

crypto isakmp enable

no crypto isakmp enable

Syntax Description

This command has no arguments or keywords.

crypto isakmp identity

To define the identity the router uses when participating in the IKE protocol, use the crypto isakmp identity command in global configuration mode. Set an ISAKMP identity whenever you specify preshared keys. Use the no form of this command to reset the ISAKMP identity to the default value (address).

crypto isakmp identity {address | hostname}

no crypto isakmp identity

Syntax Description

address

Sets the ISAKMP identity to the IP address of the interface that is used to communicate to the remote peer during IKE negotiations.

hostname

Sets the ISAKMP identity to the host name concatenated with the domain name (for example, myhost.example.com).

crypto isakmp key

To configure a preshared authentication key, use the crypto isakmp key command in global configuration mode. You must configure this key whenever you specify preshared keys in an IKE policy. Use the no form of this command to delete a preshared authentication key.

crypto isakmp key keystring address peer-address

crypto isakmp key keystring hostname peer-hostname

no crypto isakmp key keystring address peer-address

no crypto isakmp key keystring hostname peer-hostname

Syntax Description

keystring

Specifies the preshared key. Use any combination of alphanumeric characters up to 128 bytes. This preshared key must be identical at both peers.

peer-address

Specifies the IP address of the remote peer.

peer-hostname

Specifies the host name of the remote peer. This is the peer's host name concatenated with its domain name (for example, myhost.example.com).

crypto isakmp policy

To define an IKE policy, use the crypto isakmp policy command in global configuration mode. IKE policies define a set of parameters to be used during the IKE negotiation. Use the no form of this command to delete an IKE policy.

crypto isakmp policy priority

no crypto isakmp policy

Syntax Description

priority

Uniquely identifies the IKE policy and assigns a priority to the policy. Use an integer from 1 to 10,000, with 1 being the highest priority and 10,000 the lowest.
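A complete preshared-key IKE configuration in running-config form, added here as an example (it is not from the original page): it combines crypto isakmp policy with the ISAKMP policy mode commands documented on this page (encryption, hash, authentication, group, lifetime), sets the ISAKMP identity, and binds a key to the peer. The policy number 10, the peer address 192.0.2.1 and the key value are assumed for illustration.

```cisco
! Added example (not from the original page); addresses and key are illustrative.
! IKE is enabled globally before any policy is defined.
crypto isakmp enable
!
! Policy 10: lower numbers are tried first (1 is highest, 10000 lowest).
! Use the strongest values this release offers: 3DES, SHA-1, DH group 2 (1024-bit).
! Offer the weaker choices (des, md5, group 1) only if a peer actually needs
! them, since the negotiation accepts any policy both sides share.
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 28800
!
! Identity sent during IKE: the IP address of the interface facing the peer
! (the default). With pre-share, the key below is then bound to that address.
crypto isakmp identity address
!
! Preshared key for peer 192.0.2.1. The string must be identical on both peers
! (alphanumeric, up to 128 bytes).
crypto isakmp key ExampleKey2000x address 192.0.2.1
```

Verify with show crypto isakmp policy in EXEC mode, which lists policy 10 with these values alongside the default policy; once a peer has negotiated, show crypto isakmp sa lists the resulting IKE SA. To bind keys by name instead, set crypto isakmp identity hostname and use the hostname form of crypto isakmp key with the peer's fully qualified domain name.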

crypto key generate rsa (IKE)

To generate RSA key pairs, use the crypto key generate rsa command in global configuration mode.

crypto key generate rsa [usage-keys]

Syntax Description

usage-keys

(Optional) Specifies that two RSA special usage key pairs should be generated (that is, one encryption pair and one signature pair), instead of one general purpose key pair.

crypto key pubkey-chain rsa

To enter public key configuration mode (so you can manually specify other devices' RSA public keys), use the crypto key pubkey-chain rsa command in global configuration mode.

crypto key pubkey-chain rsa

Syntax Description

This command has no arguments or keywords.

crypto map client configuration address

To configure IKE Mode Configuration on your router, use the crypto map client configuration address command in global configuration mode. Use the no form of this command to restore the default value.

crypto map tag client configuration address [initiate | respond]

no crypto map tag client configuration address

Syntax Description

tag

The name that identifies the crypto map.

initiate

(Optional) A keyword that indicates the router will attempt to set IP addresses for each peer.

respond

(Optional) A keyword that indicates the router will accept requests for IP addresses from any requesting peer.
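How the Mode Configuration commands on this page fit together, added here as an example (not from the original page): the pool is created with ip local pool (an IOS command outside this page, assumed here), referenced from IKE with crypto isakmp client configuration address-pool local, and handed out by a crypto map in respond mode. The pool name VPN-POOL, its address range and the crypto map name VPN-MAP are assumed; the crypto map's other entries (peer, transform set, access list) are not shown.

```cisco
! Added example (not from the original page); names and addresses are illustrative.
! Local pool from which remote peers are assigned addresses
! (ip local pool is assumed from outside this page).
ip local pool VPN-POOL 10.10.10.1 10.10.10.254
!
! Point IKE at that pool; the name must match the pool name exactly.
crypto isakmp client configuration address-pool local VPN-POOL
!
! respond: give an address to any peer that requests one (a hub serving
! remote clients). initiate would instead have this router push an
! address to each peer.
crypto map VPN-MAP client configuration address respond
```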

encryption (IKE policy)

To specify the encryption algorithm within an IKE policy, use the encryption (IKE policy) command in ISAKMP policy configuration mode. IKE policies define a set of parameters to be used during IKE negotiation. Use the no form of this command to reset the encryption algorithm to the default value.

encryption {des | 3des}

no encryption

Syntax Description

des

Specifies 56-bit DES-CBC as the encryption algorithm.

3des

Specifies 168-bit DES (3DES) as the encryption algorithm.

group (IKE policy)

To specify the Diffie-Hellman group identifier within an IKE policy, use the group (IKE policy) command in ISAKMP policy configuration mode. IKE policies define a set of parameters to be used during IKE negotiation. Use the no form of this command to reset the Diffie-Hellman group identifier to the default value.

group {1 | 2}

no group

Syntax Description

1

Specifies the 768-bit Diffie-Hellman group.

2

Specifies the 1024-bit Diffie-Hellman group.

hash (IKE policy)

To specify the hash algorithm within an IKE policy, use the hash (IKE policy) command in ISAKMP policy configuration mode. IKE policies define a set of parameters to be used during IKE negotiation. Use the no form of this command to reset the hash algorithm to the default SHA-1 hash algorithm.

hash {sha | md5}

no hash

Syntax Description

sha

Specifies SHA-1 (HMAC variant) as the hash algorithm.

md5

Specifies MD5 (HMAC variant) as the hash algorithm.

key-string (IKE)

To manually specify a remote peer's RSA public key, use the key-string (IKE) command in public key configuration mode.

key-string key-string

Syntax Description

key-string

Enter the key data in hexadecimal format. You can press the Return key while entering the data to continue it on additional lines.

lifetime (IKE policy)

To specify the lifetime of an IKE security association (SA), use the lifetime (IKE policy) command in ISAKMP policy configuration mode. Use the no form of this command to reset the SA lifetime to the default value.

lifetime seconds

no lifetime

Syntax Description

seconds

Specifies how many seconds each SA should exist before expiring. Use an integer from 60 to 86,400 seconds.

named-key

To specify which peer's RSA public key you will manually configure, use the named-key command in public key chain configuration mode. Use this form when the remote peer identifies itself by host name during IKE; use addressed-key when it identifies itself by IP address. This command should only be used when the router has a single interface that processes IPSec.

named-key key-name [encryption | signature]

Syntax Description

key-name

Specifies the name of the remote peer's RSA keys. This is always the fully qualified domain name of the remote peer; for example, router.example.com.

encryption

(Optional) Indicates that the RSA public key to be specified will be an encryption special usage key.

signature

(Optional) Indicates that the RSA public key to be specified will be a signature special usage key.
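The full workflow for manually configured RSA public keys, added here as an example (not from the original page): generate this router's key pair, read out its public key for the peer, install the peer's public key under crypto key pubkey-chain rsa using named-key (or addressed-key) with address and key-string, and select an RSA authentication method in the IKE policy. The peer name peer1.example.com, the address 192.0.2.1 and the key-data placeholder are assumed; the hexadecimal key must be copied from the peer's own show crypto key mypubkey rsa output.

```cisco
! Added example (not from the original page); names, addresses and key data are placeholders.
!
! 1. Generate this router's RSA key pair (global configuration mode). The router's
!    hostname and ip domain-name must already be set, since they name the key,
!    and the command prompts for the modulus size. With usage-keys, two
!    special-usage pairs are created (one signature, one encryption) instead
!    of a single general-purpose pair.
crypto key generate rsa usage-keys
!
! 2. In EXEC mode, read out this router's public key(s) and deliver the hex to
!    the peer's administrator out of band; they do the same for you:
!      show crypto key mypubkey rsa
!
! 3. Install the peer's public key. named-key takes the peer's FQDN (the peer
!    sends a hostname identity) and address supplies its IP address;
!    addressed-key 192.0.2.1 would be used instead if the peer identifies
!    itself by address. The signature keyword marks this as the peer's
!    signature special-usage key. The hex lines are terminated with quit.
crypto key pubkey-chain rsa
 named-key peer1.example.com signature
  address 192.0.2.1
  key-string
   <hex key data copied from the peer's show crypto key mypubkey rsa output>
  quit
!
! 4. Select an RSA authentication method in the IKE policy. rsa-sig uses the
!    signature key installed above; rsa-encr would instead need the peer's
!    encryption special-usage key installed with the encryption keyword.
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication rsa-sig
 group 2
```

Verify the installed peer key with show crypto key pubkey-chain rsa name peer1.example.com (or address 192.0.2.1) in EXEC mode, and confirm with show crypto key mypubkey rsa that this router has the signature (and, for rsa-encr, encryption) key the peer expects.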

show crypto isakmp policy

To view the parameters for each IKE policy, use the show crypto isakmp policy command in EXEC mode.

show crypto isakmp policy

Syntax Description

This command has no arguments or keywords.

show crypto isakmp sa

To view all current IKE security associations (SAs) at a peer, use the show crypto isakmp sa command in EXEC mode.

show crypto isakmp sa

Syntax Description

This command has no arguments or keywords.

show crypto key mypubkey rsa

To view your router's RSA public key(s), use the show crypto key mypubkey rsa command in EXEC mode.

show crypto key mypubkey rsa

Syntax Description

This command has no arguments or keywords.

show crypto key pubkey-chain rsa

To view peers' RSA public keys stored on your router, use the show crypto key pubkey-chain rsa command in EXEC mode.

show crypto key pubkey-chain rsa [name key-name | address key-address]

Syntax Description

name key-name

(Optional) Specifies the name of a particular public key to view.

address key-address

(Optional) Specifies the address of a particular public key to view.


Posted: Wed Jul 26 16:19:49 PDT 2000
Copyright 1989-2000 © Cisco Systems Inc.