IPSec Network Security Commands

This chapter explains the function and syntax of the IPSec network security commands. For more information about defaults and usage guidelines, see the corresponding chapter of the Cisco IOS Security Command Reference, Release 12.1.

clear crypto sa

To delete IPSec security associations, use the clear crypto sa command in global configuration mode.

clear crypto sa

clear crypto sa peer {ip-address | peer-name}

clear crypto sa map map-name

clear crypto sa entry destination-address protocol spi

clear crypto sa counters

Syntax Description

ip-address

Specify a remote peer's IP address.

peer-name

Specify a remote peer's name as the fully qualified domain name, for example remotepeer.example.com.

map-name

Specify the name of a crypto map set.

destination-address

Specify the IP address of your peer or the remote peer.

protocol

Specify either the AH or ESP protocol.

spi

Specify an SPI (found by displaying the security association database).

crypto dynamic-map

To create a dynamic crypto map entry and enter the crypto map configuration command mode, use the crypto dynamic-map command in global configuration mode. Use the no form of this command to delete a dynamic crypto map set or entry.

crypto dynamic-map dynamic-map-name dynamic-seq-num

no crypto dynamic-map dynamic-map-name [dynamic-seq-num]

Syntax Description

dynamic-map-name

Specifies the name of the dynamic crypto map set.

dynamic-seq-num

Specifies the number of the dynamic crypto map entry.

crypto ipsec security-association lifetime

To change global lifetime values used when negotiating IPSec security associations, use the crypto ipsec security-association lifetime command in global configuration mode. Use the no form of the command to reset a lifetime to the default value.

crypto ipsec security-association lifetime {seconds seconds | kilobytes kilobytes}

no crypto ipsec security-association lifetime {seconds | kilobytes}

Syntax Description

seconds seconds

Specifies the number of seconds a security association will live before expiring. The default is 3600 seconds (one hour).

kilobytes kilobytes

Specifies the volume of traffic (in kilobytes) that can pass between IPSec peers using a given security association before that security association expires. The default is 4,608,000 kilobytes.

crypto ipsec transform-set

To define a transform set (an acceptable combination of security protocols and algorithms), use the crypto ipsec transform-set command in global configuration mode. Use the no form of the command to delete a transform set.

crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]

no crypto ipsec transform-set transform-set-name

Syntax Description

transform-set-name

Specify the name of the transform set to create (or modify).

transform1
transform2
transform3

Specify up to three "transforms." These transforms define the IPSec security protocol(s) and algorithm(s).

crypto map (global IPSec)

To create or modify a crypto map entry and enter the crypto map configuration mode, use the crypto map (IPSec global configuration) command in global configuration mode. Use the no form of this command to delete a crypto map entry or set.

crypto map map-name seq-num ipsec-manual

crypto map map-name seq-num ipsec-isakmp [dynamic dynamic-map-name] [discover]

no crypto map map-name [seq-num]

Note: Issue the crypto map map-name seq-num command without a keyword to modify an existing crypto map entry.

Syntax Description

map-name

The name you assign to the crypto map set.

seq-num

The number you assign to the crypto map entry.

ipsec-manual

Indicates that IKE will not be used to establish the IPSec security associations for protecting the traffic specified by this crypto map entry.

ipsec-isakmp

Indicates that IKE will be used to establish the IPSec security associations for protecting the traffic specified by this crypto map entry.

dynamic

(Optional) Specifies that this crypto map entry is to reference a preexisting dynamic crypto map. Dynamic crypto maps are policy templates used in processing negotiation requests from a peer IPSec device. If you use this keyword, none of the crypto map configuration commands will be available.

dynamic-map-name

(Optional) Specifies the name of the dynamic crypto map set that should be used as the policy template.

discover

(Optional) Enables peer discovery. By default, peer discovery is not enabled.

crypto map (interface IPSec)

To apply a previously defined crypto map set to an interface, use the crypto map command in interface configuration mode. Use the no form of the command to remove the crypto map set from the interface.

crypto map map-name

no crypto map [map-name]

Syntax Description

map-name

The name that identifies the crypto map set. This is the name assigned when the crypto map was created.

When the no form of the command is used, this argument is optional. Any value supplied for the argument is ignored.

crypto map local-address

To specify and name an identifying interface to be used by the crypto map for IPSec traffic, use the crypto map local-address command in global configuration mode. Use the no form of the command to remove this command from the configuration.

crypto map map-name local-address interface-id

no crypto map map-name local-address

Syntax Description

map-name

The name that identifies the crypto map set. This is the name assigned when the crypto map was created.

interface-id

Specify the identifying interface that should be used by the router to identify itself to remote peers.

If IKE is enabled and you are using a certification authority (CA) to obtain certificates, this should be the interface with the address specified in the CA certificates.

match address (IPSec)

To specify an extended access list for a crypto map entry, use the match address command in crypto map configuration mode. Use the no form of this command to remove the extended access list from a crypto map entry.

match address [access-list-id | name]

no match address [access-list-id | name]

Syntax Description

access-list-id

(Optional) Identifies the extended access list by its name or number. This value should match the access-list-number or name argument of the extended access list being matched.

name

(Optional) Identifies the named encryption access list. This name should match the name argument of the named encryption access list being matched.

mode (IPSec)

To change the mode for a transform set, use the mode command in crypto transform configuration mode. Use the no form of the command to reset the mode to the default value of tunnel mode.

mode [tunnel | transport]

no mode

Syntax Description

tunnel | transport

(Optional) Specifies the mode for a transform set: either tunnel or transport mode. If neither tunnel nor transport is specified, the default (tunnel mode) is assigned.

set peer (IPSec)

To specify an IPSec peer in a crypto map entry, use the set peer command in crypto map configuration mode. Use the no form of this command to remove an IPSec peer from a crypto map entry.

set peer {hostname | ip-address}

no set peer {hostname | ip-address}

Syntax Description

hostname

Specifies the IPSec peer by its host name. This is the peer's host name concatenated with its domain name (for example, myhost.example.com).

ip-address

Specifies the IPSec peer by its IP address.

set pfs

To specify that IPSec should ask for perfect forward secrecy (PFS) when requesting new security associations for this crypto map entry, or that IPSec requires PFS when receiving requests for new security associations, use the set pfs command in crypto map configuration mode. Use the no form of the command to specify that IPSec should not request PFS.

set pfs [group1 | group2]

no set pfs

Syntax Description

group1

(Optional) Specifies that IPSec should use the 768-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange.

group2

(Optional) Specifies that IPSec should use the 1024-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange.

set security-association level per-host

To specify that separate IPSec security associations should be requested for each source/destination host pair, use the set security-association level per-host command in crypto map configuration mode. Use the no form of this command to specify that one security association should be requested for each crypto map access list permit entry.

set security-association level per-host

no set security-association level per-host

Syntax Description

This command has no arguments or keywords.

set security-association lifetime

To override (for a particular crypto map entry) the global lifetime value, which is used when negotiating IPSec security associations, use the set security-association lifetime command in crypto map configuration mode. Use the no form of the command to reset a crypto map entry's lifetime value to the global value.

set security-association lifetime {seconds seconds | kilobytes kilobytes}

no set security-association lifetime {seconds | kilobytes}

Syntax Description

seconds seconds

Specifies the number of seconds a security association will live before expiring.

kilobytes kilobytes

Specifies the volume of traffic (in kilobytes) that can pass between IPSec peers using a given security association before that security association expires.

set session-key

To manually specify the IPSec session keys within a crypto map entry, use the set session-key command in crypto map configuration mode. This command is only available for ipsec-manual crypto map entries. Use the no form of this command to remove IPSec session keys from a crypto map entry.

set session-key {inbound | outbound} ah spi hex-key-string

set session-key {inbound | outbound} esp spi cipher hex-key-string [authenticator hex-key-string]

no set session-key {inbound | outbound} ah

no set session-key {inbound | outbound} esp

Syntax Description

inbound

Sets the inbound IPSec session key. (You must set both inbound and outbound keys.)

outbound

Sets the outbound IPSec session key. (You must set both inbound and outbound keys.)

ah

Sets the IPSec session key for the AH protocol. Use when the crypto map entry's transform set includes an AH transform.

esp

Sets the IPSec session key for the ESP protocol. Use when the crypto map entry's transform set includes an ESP transform.

spi

Specifies the security parameter index (SPI), a number that is used to uniquely identify a security association. The SPI is an arbitrary number you assign in the range of 256 to 4,294,967,295 (FFFF FFFF).

You can assign the same SPI to both directions and both protocols. However, not all peers have the same flexibility in SPI assignment. For a given destination address/protocol combination, unique SPI values must be used. The destination address is that of the router if inbound, the peer if outbound.

hex-key-string

Specifies the session key; enter in hexadecimal format.

This is an arbitrary hexadecimal string of 8, 16, or 20 bytes.

If the crypto map's transform set includes a DES algorithm, specify at least 8 bytes per key.

If the crypto map's transform set includes an MD5 algorithm, specify at least 16 bytes per key.

If the crypto map's transform set includes an SHA algorithm, specify 20 bytes per key.

Keys longer than the above sizes are simply truncated.

cipher

Indicates that the key string is to be used with the ESP encryption transform.

authenticator

(Optional) Indicates that the key string is to be used with the ESP authentication transform. This argument is required only when the crypto map entry's transform set includes an ESP authentication transform.

set transform-set

To specify which transform sets can be used with the crypto map entry, use the set transform-set command in crypto map configuration mode. Use the no form of this command to remove all transform sets from a crypto map entry.

set transform-set transform-set-name [transform-set-name2...transform-set-name6]

no set transform-set

Syntax Description

transform-set-name

Name of the transform set.

For an ipsec-manual crypto map entry, you can specify only one transform set.

For an ipsec-isakmp or dynamic crypto map entry, you can specify up to 6 transform sets.
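As an added illustration (not from this Cisco reference), the following configuration ties the commands documented above together into one ipsec-isakmp crypto map entry and applies it to an interface. The transform names esp-3des and esp-sha-hmac are assumed IOS transform names; the map name, peer address, subnets, interface names and access list number are constructed placeholders.

```text
! Added example, not from the Cisco reference: an ipsec-isakmp crypto map
! entry built from the commands documented above. All names, addresses and
! the access list number are constructed placeholders.
!
! Transform set: ESP with 3DES encryption and SHA-HMAC authentication
! (transform names assumed from IOS); tunnel mode is the default.
crypto ipsec transform-set T-ESP esp-3des esp-sha-hmac
 mode tunnel
!
! Global SA lifetime: rekey after 30 minutes instead of the 3600-second default.
crypto ipsec security-association lifetime seconds 1800
!
! Extended access list selecting the traffic to protect (constructed subnets).
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! Crypto map entry 10: IKE negotiates the SAs with the peer at 192.0.2.10.
! PFS group2 forces a fresh 1024-bit Diffie-Hellman exchange per SA, and the
! per-entry kilobyte lifetime overrides the global 4,608,000 KB default.
crypto map VPNMAP 10 ipsec-isakmp
 set peer 192.0.2.10
 set transform-set T-ESP
 set pfs group2
 set security-association lifetime kilobytes 2560000
 match address 101
!
! Identify this router to peers by the Loopback0 address rather than the
! address of whichever physical interface the traffic leaves on.
crypto map VPNMAP local-address Loopback0
!
! Apply the crypto map set to the interface carrying the protected traffic.
interface Serial0
 crypto map VPNMAP
```

Once applied, show crypto map tag VPNMAP confirms the entry and show crypto ipsec sa map VPNMAP detail lists the negotiated SAs with their error counters.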

show crypto dynamic-map

To view a dynamic crypto map set, use the show crypto dynamic-map command in EXEC mode.

show crypto dynamic-map [tag map-name]

Syntax Description

tag map-name

(Optional) Shows only the crypto dynamic map set with the specified map-name.

show crypto ipsec sa

To view the settings used by current security associations, use the show crypto ipsec sa command in EXEC mode.

show crypto ipsec sa [map map-name | address | identity] [detail]

Syntax Description

map map-name

(Optional) Shows any existing security associations created for the crypto map set named map-name.

address

(Optional) Shows all existing security associations, sorted by the destination address (either the local address or the address of the IPSec remote peer) and then by protocol (AH or ESP).

identity

(Optional) Shows only the flow information. It does not show the security association information.

detail

(Optional) Shows detailed error counters. (The default is the high level send/receive error counters.)

show crypto ipsec security-association lifetime

To view the security-association lifetime value configured for a particular crypto map entry, use the show crypto ipsec security-association lifetime command in EXEC mode.

show crypto ipsec security-association lifetime

Syntax Description

This command has no arguments or keywords.

show crypto ipsec transform-set

To view the configured transform sets, use the show crypto ipsec transform-set command in EXEC mode.

show crypto ipsec transform-set [tag transform-set-name]

Syntax Description

tag transform-set-name

(Optional) Shows only the transform sets with the specified transform-set-name.

show crypto map (IPSec)

To view the crypto map configuration, use the show crypto map command in EXEC mode.

show crypto map [interface interface | tag map-name]

Syntax Description

interface interface

(Optional) Shows only the crypto map set applied to the specified interface.

tag map-name

(Optional) Shows only the crypto map set with the specified map-name.

Posted: Wed Jul 26 16:23:54 PDT 2000
Copyright © 1989-2000 Cisco Systems Inc.