-
Cisco IOS Security Command Reference: Commands A to C
-
aaa accounting through aaa local authentication attempts max-fail
-
aaa max-sessions through algorithm
-
all profile map configuration through browser-proxy
-
ca trust-point through clear eou
-
clear ip access-list counters through crl-cache none
-
crypto aaa attribute list through crypto ipsec transform-set
-
crypto isakmp aggressive-mode disable through crypto mib topn
-
crypto pki authenticate through cts sxp retry period
-
Index
-
Feedback
crypto aaa attribute list through crypto ipsec transform-set
- crypto ca authenticate
- crypto ca cert validate
- crypto ca certificate chain
- crypto ca certificate map
- crypto ca certificate query (ca-trustpoint)
- crypto ca certificate query (global)
- crypto ca crl request
- crypto ca enroll
- crypto ca export pem
- crypto ca export pkcs12
- crypto ca identity
- crypto ca import
- crypto ca import pem
- crypto ca import pkcs12
- crypto ca profile enrollment
- crypto ca trusted-root
- crypto ca trustpoint
- crypto call admission limit
- crypto connect vlan
- crypto ctcp
- crypto dynamic-map
- crypto-engine
- crypto engine accelerator
- crypto engine aim
- crypto engine em
- crypto engine mode vrf
- crypto engine nm
- crypto engine onboard
- crypto engine slot
- crypto engine slot (interface)
- crypto gdoi ks
- crypto gdoi gm
- crypto gdoi group
- crypto identity
- crypto ikev2 authorization policy
- crypto ikev2 certificate-cache
- crypto ikev2 cluster
- crypto ikev2 cookie-challenge
- crypto ikev2 cts
- crypto ikev2 diagnose
- crypto ikev2 dpd
- crypto ikev2 fragmentation
- crypto ikev2 http-url
- crypto ikev2 keyring
- crypto ikev2 limit
- crypto ikev2 name mangler
- crypto ikev2 nat
- crypto ikev2 policy
- crypto ikev2 profile
- crypto ikev2 proposal
- crypto ikev2 redirect
- crypto ikev2 window
- crypto ipsec client ezvpn (global)
- crypto ipsec client ezvpn (interface)
- crypto ipsec client ezvpn connect
- crypto ipsec client ezvpn xauth
- crypto ipsec transform-set default
- crypto ipsec df-bit (global)
- crypto ipsec df-bit (interface)
- crypto ipsec fragmentation (global)
- crypto ipsec fragmentation (interface)
- crypto ipsec ipv4-deny
- crypto ipsec nat-transparency
- crypto ipsec optional
- crypto ipsec optional retry
- crypto ipsec profile
- crypto ipsec security-association dummy
- crypto ipsec security-association idle-time
- crypto ipsec security-association lifetime
- crypto ipsec security-association replay disable
- crypto ipsec security-association replay window-size
- crypto ipsec server send-update
- crypto ipsec transform-set
crypto ca authenticate
NoteThis command was replaced by the crypto pki authenticate command effective with Cisco IOS Release 12.3(7)T and 12.2(18)SXE.
To authenticate the certification authority (by getting the certificate of the CA), use the crypto ca authenticate command in global configuration mode.
Usage Guidelines
This command is required when you initially configure CA support at your router.
This command authenticates the CA to your router by obtaining the self-signed certificate of the CA that contains the public key of the CA. Because the CA signs its own certificate, you should manually authenticate the public key of the CA by contacting the CA administrator when you perform this command.
If you are using RA mode (using the enrollment mode ra command) when you issue the crypto ca authenticate command, then registration authority signing and encryption certificates will be returned from the CA as well as the CA certificate.
This command is not saved to the router configuration. However. the public keys embedded in the received CA (and RA) certificates are saved to the configuration as part of the RSA public key record (called the “RSA public key chain”).
If the CA does not respond by a timeout period after this command is issued, the terminal control will be returned so it will not be tied up. If this happens, you must re-enter the command. Cisco IOS software will not recognize CA certificate expiration dates set for beyond the year 2049. If the validity period of the CA certificate is set to expire after the year 2049, the following error message will be displayed when authentication with the CA server is attempted:
error retrieving certificate :incomplete chain
If you receive an error message similar to this one, check the expiration date of your CA certificate. If the expiration date of your CA certificate is set after the year 2049, you must reduce the expiration date by a year or more.
Examples
In the following example, the router requests the certificate of the CA. The CA sends its certificate and the router prompts the administrator to verify the certificate of the CA by checking the CA certificate’s fingerprint. The CA administrator can also view the CA certificate’s fingerprint, so you should compare what the CA administrator sees to what the router displays on the screen. If the fingerprint on the router’s screen matches the fingerprint viewed by the CA administrator, you should accept the certificate as valid.
Router(config)# crypto ca authenticate myca Certificate has the following attributes: Fingerprint: 0123 4567 89AB CDEF 0123 Do you accept this certificate? [yes/no] y #crypto ca cert validate
NoteThis command was replaced by the crypto pki cert validate command effective with Cisco IOS Release 12.3(8)T and 12.2(18)SXE.
To determine if a trustpoint has been successfully authenticated, a certificate has been requested and granted, and if the certificate is currently valid, use the crypto ca cert validate command in global configuration mode.
Usage Guidelines
The crypto ca cert validate command validates the router's own certificate for a given trustpoint. Use this command as a sanity check after enrollment to verify that the trustpoint is properly authenticated, a certificate has been requested and granted for the trustpoint, and that the certificate is currently valid. A certificate is valid if it is signed by the trustpoint certification authority (CA), not expired, and so on.
Examples
The following examples show the possible output from the crypto ca cert validate command:
Router(config)# crypto ca cert validate ka Validation Failed: trustpoint not found for ka Router(config)# crypto ca cert validate ka Validation Failed: can't get local certificate chain Router(config)# crypto ca cert validate ka Certificate chain has 2 certificates. Certificate chain for ka is valid Router(config)# crypto ca cert validate ka Certificate chain has 2 certificates. Validation Error: no certs on chain Router(config)# crypto ca cert validate ka Certificate chain has 2 certificates. Validation Error: unspecified errorcrypto ca certificate chain
NoteThis command was replaced by the crypto pki certificate chain command effective with Cisco IOS Release 12.3(7)T and 12.2(18)SXE.
To enter the certificate chain configuration mode, use the crypto ca certificate chaincommand in global configuration mode. (You need to be in certificate chain configuration mode to delete certificates.)
Usage Guidelines
This command puts you into certificate chain configuration mode. When you are in certificate chain configuration mode, you can delete certificates using the certificate command.
Examples
The following example deletes the router’s certificate. In this example, the router had a general-purpose RSA key pair with one corresponding certificate. The show command is used to determine the serial number of the certificate to be deleted.
Router# show crypto ca certificates Certificate Subject Name Name: myrouter.example.com IP Address: 10.0.0.1 Status: Available Certificate Serial Number: 0123456789ABCDEF0123456789ABCDEF Key Usage: General Purpose CA Certificate Status: Available Certificate Serial Number: 3051DF7123BEE31B8341DFE4B3A338E5F Key Usage: Not Set Router# configure terminal Rrouter(config)# crypto ca certificate chain myca Router(config-cert-chain)# no certificate 0123456789ABCDEF0123456789ABCDEF % Are you sure you want to remove the certificate [yes/no]? yes % Be sure to ask the CA administrator to revoke this certificate. Router(config-cert-chain)# exitcrypto ca certificate map
NoteThis command was replaced by the crypto pki certificate map command effective with Cisco IOS Release 12.3(7)T, 12.2(18)SXD, and 12.2(18)SXE.
To define certificate-based access control lists (ACLs), use the crypto ca certificate map command in ca-certificate-map configuration mode. To remove the certificate-based ACLs, use the no form of this command.
Syntax Description
label
A user-specified label that is referenced within the crypto ca trustpoint command.
sequence-number
A number that orders the ACLs with the same label. ACLs with the same label are processed from lowest to highest sequence number. When an ACL is matched, processing stops with a successful result.
Usage Guidelines
Issuing this command places the router in CA certificate map configuration mode where you can specify several certificate fields together with their matching criteria. The general form of these fields is as follows:
field-name match-criteria match-valueThe field-name in the above example is one of the certificate fields. Field names are similar to the names used in the International Telecommunication Union Telecommunication Standardization Sector (ITU-T) X.509 standard. The namefield is a special field that matches any subject name or related name field in the certificate, such as the alt-subject-name, subject-name, and unstructured-subject-name fields.
- alt-subject-name -- Case-insensitive string.
- expires-on --Date field in the format dd mm yyyy hh:mm:ss or mmm dd yyyy hh:mm:ss.
- issuer-name -- Case-insensitive string.
- name -- Case-insensitive string.
- subject-name --Case-insensitive string.
- unstructured-subject-name -- Case-insensitive string.
- valid-start --Date field in the format dd mm yyyy hh:mm:ss or mmm dd yyyy hh:mm:ss.
NoteThe time portion is optional in both the expires-on date and valid-start field and defaults to 00:00:00 if not specified. The time is interpreted according to the time zone offset configured for the router. The string utc can be appended to the date and time when they are configured as Universal Time, Coordinated (UTC) rather than local time.
The match-criteria in the example is one of the following logical operators:
- eq --equal (valid for name and date fields)
- ne --not equal (valid for name and date fields)
- co --contains (valid only for name fields)
- nc --does not contain (valid only for name fields)
- lt --less than (valid only for date fields)
- ge --greater than or equal to (valid only for date fields)
The match-value is a case-insensitive string or a date.
Examples
The following example shows how to configure a certificate-based ACL that will allow any certificate issued by Cisco Systems to an entity within the cisco.com domain. The label is Cisco, and the sequence is 10.
crypto ca certificate map Cisco 10 issuer-name co Cisco Systems unstructured-subject-name co cisco.comThe following example accepts any certificate issued by Cisco Systems for an entity with DIAL or organizationUnit component ou=WAN. This certificate-based ACL consists of two separate ACLs tied together with the common label Group. Because the check for DIAL has a lower sequence number, it is performed first. Note that the string “DIAL” can occur anywhere in the subjectName field of the certificate, but the string WAN must be in the organizationUnit component.
crypto ca certificate map Group 10 issuer-name co Cisco Systems subject-name co DIAL crypto ca certificate map Group 20 issuer-name co Cisco Systems subject-name co ou=WANCase is ignored in string comparisons; therefore, DIAL in the previous example will match dial, DIAL, Dial, and so on. Also note that the component identifiers (o=, ou=, cn=, and so on) are not required unless it is desirable that the string to be matched occurs in a specific component of the name. (Refer to the ITU-T security standards for more information about certificate fields and components such as ou=.)
If a component identifier is specified in the match string, the exact string, including the component identifier, must appear in the certificate. This requirement can present a problem if more than one component identifier is included in the match string. For example, “ou=WAN,o=Cisco Systems” will not match a certificate with the string “ou=WAN,ou=Engineering,o=Cisco Systems” because the “ou=Engineering” string separates the two desired component identifiers.
To match both “ou=WAN” and “o=Cisco Systems” in a certificate while ignoring other component identifiers, you could use this certificate map:
crypto ca certificate map Group 10 subject-name co ou=WAN subject-name co o=CiscoAny space character proceeding or following the equal sign (=) character in component identifiers is ignored. Therefore “o=Cisco” in the proceeding example will match “o = Cisco,” “o= Cisco,” “o =Cisco,” and so on.
crypto ca certificate query (ca-trustpoint)
NoteThis command was replaced by the crypto pki certificate query (ca-trustpoint)command effective with Cisco IOS Release 12.3(7)T, 12.2(18)SXD, and 12.2(18)SXE.
To specify that certificates should not be stored locally but retrieved from a certification authority (CA) trustpoint, use the crypto ca certificate query command in ca-trustpoint configuration mode. To cause certificates to be stored locally per trustpoint, use the no form of this command.
Usage Guidelines
Normally, certain certificates are stored locally in the router’s NVRAM, and each certificate uses a moderate amount of memory. To save NVRAM space, you can use this command to put the router into query mode, preventing certificates from being stored locally; instead, they are retrieved from a specified CA trustpoint when needed. This will save NVRAM space but could result in a slight performance impact.
The crypto ca certificate query command is a subcommand for each trustpoint; thus, this command can be disabled on a per-trustpoint basis.
Before you can configure this command, you must enable the crypto pki trustpointcommand , which puts you in ca-trustpoint configuration mode.
NoteThis command replaces the crypto ca certificate querycommand in global configuration mode. Although you can still enter the global configuration command, the configuration mode and command will be written back as ca-trustpoint.
crypto ca crl request
NoteEffective with Cisco IOS Release 12.3(7)T and 12.2(18)SXE, this command was replaced by the crypto pki crl request command.
To request that a new certificate revocation list (CRL) be obtained immediately from the certification authority, use the crypto ca crl requestcommand in global configuration mode.
Command Default
Normally, the router requests a new CRL when it is verifying a certificate and there is no CRL cached.
Usage Guidelines
A CRL lists all the certificates of the network device that have been revoked. Revoked certificates will not be honored by your router; therefore, any IPSec device with a revoked certificate cannot exchange IP Security traffic with your router.
The first time your router receives a certificate from a peer, it will download a CRL from the CA. Your router then checks the CRL to make sure the certificate of the peer has not been revoked. (If the certificate appears on the CRL, it will not accept the certificate and will not authenticate the peer.)
A CRL can be reused with subsequent certificates until the CRL expires. If your router receives the certificate of a peer after the applicable CRL has expired, it will download the new CRL.
If your router has a CRL which has not yet expired, but you suspect that the contents of the CRL are out of date, use the crypto ca crl request command to request that the latest CRL be immediately downloaded to replace the old CRL.
This command is not saved to the configuration.
NoteThis command should be used only after the trustpoint is enrolled.
crypto ca enroll
NoteThis command was replaced by the crypto pki enroll command effective with Cisco IOS Release 12.3(7)T and 12.2(18)SXE.
To obtain the certificate(s) of your router from the certification authority, use the crypto ca enroll command in global configuration mode. To delete a current enrollment request, use the no form of this command.
Usage Guidelines
This command requests certificates from the CA for all of your router’s RSA key pairs. This task is also known as enrolling with the CA. (Technically, enrolling and obtaining certificates are two separate events, but they both occur when this command is issued.)
Your router needs a signed certificate from the CA for each RSA key pairs of your router; if you previously generated general purpose keys, this command will obtain the one certificate corresponding to the one general purpose RSA key pair. If you previously generated special usage keys, this command will obtain two certificates corresponding to each of the special usage RSA key pairs.
If you already have a certificate for your keys you will be unable to complete this command; instead, you will be prompted to remove the existing certificate first. (You can remove existing certificates with the no certificate command.)
The crypto ca enroll command is not saved in the router configuration.
NoteIf your router reboots after you issue the crypto ca enroll command but before you receive the certificate(s), you must reissue the command.
Responding to Prompts
When you issue the crypto ca enroll command, you are prompted a number of times.
First, you are prompted to create a challenge password. This password can be up to 80 characters in length. This password is necessary in the event that you ever need to revoke your router’s certificate(s). When you ask the CA administrator to revoke your certificate, you must supply this challenge password as a protection against fraudulent or mistaken revocation requests.
NoteThis password is not stored anywhere, so you need to remember this password.
If you lose the password, the CA administrator may still be able to revoke the router’s certificate but will require further manual authentication of the router administrator identity.
You are also prompted to indicate whether or not your router’s serial number should be included in the obtained certificate. The serial number is not used by IP Security or Internet Key Exchange but may be used by the CA to either authenticate certificates or to later associate a certificate with a particular router. (Note that the serial number stored is the serial number of the internal board, not the one on the enclosure.) Ask your CA administrator if serial numbers should be included. If you are in doubt, include the serial number.
Normally, you would not include the IP address because the IP address binds the certificate more tightly to a specific entity. Also, if the router is moved, you would need to issue a new certificate. Finally, a router has multiple IP addresses, any of which might be used with IPSec.
If you indicate that the IP address should be included, you will then be prompted to specify the interface of the IP address. This interface should correspond to the interface that you apply your crypto map set to. If you apply crypto map sets to more than one interface, specify the interface that you name in the crypto map local-address command.
Examples
In the following example, a router with a general-purpose RSA key pair requests a certificate from the CA. When the router displays the certificate fingerprint, the administrator verifies this number by calling the CA administrator, who checks the number. The fingerprint is correct, so the router administrator accepts the certificate.
There can be a delay between when the router administrator sends the request and when the certificate is actually received by the router. The amount of delay depends on the CA method of operation.
Router(config)# crypto ca enroll myca % % Start certificate enrollment .. % Create a challenge password. You will need to verbally provide this password to the CA Administrator in order to revoke your certificate. For security reasons your password will not be saved in the configuration. Please make a note of it. Password: <mypassword> Re-enter password: <mypassword> % The subject name in the certificate will be: myrouter.example.com % Include the router serial number in the subject name? [yes/no]: yes % The serial number in the certificate will be: 03433678 % Include an IP address in the subject name [yes/no]? yes Interface: ethernet0/0 Request certificate from CA [yes/no]? yes % Certificate request sent to Certificate Authority % The certificate request fingerprint will be displayed. % The ’show crypto pki certificates’ command will also show the fingerprint.Some time later, the router receives the certificate from the CA and displays the following confirmation message:
Router(config)# Fingerprint: 01234567 89ABCDEF FEDCBA98 75543210 %CRYPTO-6-CERTRET: Certificate received from Certificate Authority Router(config)#If necessary, the router administrator can verify the displayed Fingerprint with the CA administrator.
If there is a problem with the certificate request and the certificate is not granted, the following message is displayed on the console instead:
%CRYPTO-6-CERTREJ: Certificate enrollment request was rejected by Certificate AuthorityThe subject name in the certificate is automatically assigned to be the same as the RSA key pair’s name. In the above example, the RSA key pair was named “myrouter.example.com.” (The router assigned this name.)
Requesting certificates for a router with special usage keys would be the same as the previous example, except that two certificates would have been returned by the CA. When the router received the two certificates, the router would have displayed the same confirmation message:
%CRYPTO-6-CERTRET: Certificate received from Certificate AuthorityRelated Commands
Command
Description
debug crypto pki messages
Displays debug messages for the details of the interaction (message dump) between the CA and the router.
debug crypto pki transactions
Displays debug messages for the trace of interaction (message type) between the CA and the router.
show crypto pki certificates
Displays information about your certificate, the certificate of the CA, and any RA certificates.
crypto ca export pem
NoteThis command was replaced by the crypto pki export pem command effective with Cisco IOS Release 12.3(7)T and 12.2(18)SXE.
To export certificates and Rivest, Shamir, and Adelman (RSA) keys that are associated with a trustpoint in a privacy-enhanced mail (PEM)-formatted file, use the crypto ca export pemcommand in global configuration mode.
Syntax Description
Usage Guidelines
NoteSecurity threats, as well as the cryptographic technologies to help protect against them, are constantly changing. For more information about the latest Cisco cryptographic recommendations, see the Next Generation Encryption (NGE) white paper.
The crypto ca export pemcommand allows you to export certificate and RSA key pairs in PEM-formatted files. The PEM files can then be imported back into the Cisco IOS router (via the crypto pki import pem command) or other public key infrastructure (PKI) applications.
Examples
The following example shows how to generate and export the RSA key pair “aaa” and certificates of the router in PEM files that are associated with the trustpoint “mycs”:
Router(config)# crypto key generate rsa general-keys label aaa exportable The name for the keys will be:aaa Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes. ! How many bits in the modulus [512]: 2048 % Generating 2048 bit RSA keys ...[OK] ! Router(config)# crypto pki trustpoint mycs Router(ca-trustpoint)# enrollment url http://mycs Router(ca-trustpoint)# rsakeypair aaa Router(ca-trustpoint)# exit Router(config)# crypto pki authenticate mycs Certificate has the following attributes: Fingerprint:C21514AC 12815946 09F635ED FBB6CF31 % Do you accept this certificate? [yes/no]:y Trustpoint CA certificate accepted. ! Router(config)# crypto pki enroll mycs % % Start certificate enrollment .. % Create a challenge password. You will need to verbally provide this password to the CA Administrator in order to revoke your certificate. For security reasons your password will not be saved in the configuration. Please make a note of it. Password: Re-enter password: % The fully-qualified domain name in the certificate will be:Router % The subject name in the certificate will be:bizarro.cisco.com % Include the router serial number in the subject name? [yes/no]:n % Include an IP address in the subject name? [no]:n Request certificate from CA? [yes/no]:y % Certificate request sent to Certificate Authority % The certificate request fingerprint will be displayed. % The 'show crypto ca certificate' command will also show the fingerprint. Router(config)# Fingerprint: 8DA777BC 08477073 A5BE2403 812DD157 00:29:11:%CRYPTO-6-CERTRET:Certificate received from Certificate Authority Router(config)# crypto ca export aaa pem terminal 3des cisco123 % CA certificate: -----BEGIN CERTIFICATE----- MIICAzCCAa2gAwIBAgIBATANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQGEwJVUzES <snip> waDeNOSI3WlDa0AWq5DkVBkxwgn0TqIJXJOCttjHnWHK1LMcMVGn -----END CERTIFICATE----- % Key name:aaa Usage:General Purpose Key -----BEGIN RSA PRIVATE KEY----- Proc-Type:4,ENCRYPTED DEK-Info:DES-EDE3-CBC,ED6B210B626BC81A Urguv0jnjwOgowWVUQ2XR5nbzzYHI2vGLunpH/IxIsJuNjRVjbAAUpGk7VnPCT87 <snip> kLCOtxzEv7JHc72gMku9uUlrLSnFH5slzAtoC0czfU4= -----END RSA PRIVATE KEY----- % Certificate: -----BEGIN CERTIFICATE----- MIICTjCCAfigAwIBAgICIQUwDQYJKoZIhvcNAQEFBQAwTjELMAkGA1UEBhMCVVMx <snip> 6xlBaIsuMxnHmr89KkKkYlU6 -----END CERTIFICATE-----crypto ca export pkcs12
NoteThis command was replaced by the crypto pki export pkcs12 command effective with Cisco IOS Release 12.3(7)T and 12.2(18)SXE.
To export Rivest, Shamir, and Adelman (RSA) keys within a PKCS12 file at a specified location, use the crypto ca export pkcs12 command in global configuration mode.
Syntax Description
trustpointname
Name of the trustpoint who issues the certificate that a user is going to export. When you export the PKCS12 file, the trustpoint name is the RSA key name.
destination url
Location of the PKCS12 file to which a user wants to import the RSA key pair.
passphrase
Passphrase that is used to encrypt the PKCS12 file for export.
Usage Guidelines
The crypto ca export pkcs12command creates a PKCS 12 file that contains an RSA key pair. The PKCS12 file, along with a certificate authority (CA), is exported to the location that you specify with the destination URL. If you decide not to import the file to another router, you must delete the file.
Security Measures
Keep the PKCS12 file stored in a secure place with restricted access.
An RSA keypair is more secure than a passphrase because the private key in the key pair is not known by multiple parties. When you export an RSA key pair to a PKCS#12 file, the RSA key pair now is only as secure as the passphrase.
To create a good passphrase, be sure to include numbers, as well as both lowercase and uppercase letters. Avoid publicizing the passphrase by mentioning it in e-mail or cell phone communications because the information could be accessed by an unauthorized user.
crypto ca import
NoteThis command was replaced by the crypto pki import command effective with Cisco IOS Release 12.3(7)T and 12.2(18)SXD.
To import a certificate manually via TFTP or as a cut-and-paste at the terminal, use the crypto ca importcommand in global configuration mode.
Usage Guidelines
You must enter the crypto ca import command twice if usage keys (signature and encryption keys) are used. The first time the command is entered, one of the certificates is pasted into the router; the second time the command is entered, the other certificate is pasted into the router. (It does not matter which certificate is pasted first.)
crypto ca import pem
NoteThis command was replaced by the crypto pki import pem command effective with Cisco IOS Release 12.3(7)T and 12.2(18)SXE.
To import certificates and Rivest, Shamir, and Adelman (RSA) keys to a trustpoint from privacy-enhanced mail (PEM)-formatted files, use the crypto ca import pem command in global configuration mode.
Syntax Description
trustpoint
Name of the trustpoint that is associated with the imported certificates and RSA key pairs.
The trustpoint argument must match the name that was specified via the crypto pki trustpoint command.
usage-keys
(Optional) Specifies that two RSA special usage key pairs will be imported (that is, one encryption pair and one signature pair), instead of one general-purpose key pair.
terminal
Certificates and RSA key pairs will be manually imported from the console terminal.
url url
URL of the file system where your router should import the certificates and RSA key pairs.
exportable
(Optional) Specifies that the imported RSA key pair can be exported again to another Cisco device such as a router.
passphrase
Passphrase that is used to encrypt the PEM file for import.
Note The passphrase can be any phrase that is at least eight characters in length; it can include spaces and punctuation, excluding the question mark (?), which has special meaning to the Cisco IOS parser.
Usage Guidelines
The crypto ca import pemcommand allows you import certificates and RSA key pairs in PEM-formatted files.The files can be previously exported from another router or generated from other public key infrastructure (PKI) applications.
Examples
The following example shows how to import PEM files to trustpoint “ggg” via TFTP:
Router(config)# crypto ca import ggg pem url tftp://10.1.1.2/johndoe/msca cisco1234 % Importing CA certificate... Address or name of remote host [10.1.1.2]? Destination filename [johndoe/msca.ca]? Reading file from tftp://10.1.1.2/johndoe/msca.ca Loading johndoe/msca.ca from 10.1.1.2 (via Ethernet0):! [OK - 1082 bytes] % Importing private key PEM file... Address or name of remote host [10.1.1.2]? Destination filename [johndoe/msca.prv]? Reading file from tftp://10.1.1.2/johndoe/msca.prv Loading johndoe/msca.prv from 10.1.1.2 (via Ethernet0):! [OK - 573 bytes] % Importing certificate PEM file... Address or name of remote host [10.1.1.2]? Destination filename [johndoe/msca.crt]? Reading file from tftp://10.1.1.2/johndoe/msca.crt Loading johndoe/msca.crt from 10.1.1.2 (via Ethernet0):! [OK - 1289 bytes] % PEM files import succeeded. Router(config)#crypto ca import pkcs12
NoteThis command was replaced by the crypto pki import pkcs12 command effective with Cisco IOS Release 12.3(7)T and 12.2(18)SXE.
To import Rivest, Shamir, and Adelman (RSA) keys, use the crypto ca import pkcs12 command in global configuration mode.
Syntax Description
trustpointname
Name of the trustpoint who issues the certificate that a user is going to export or import. When importing, the trustpoint name will become the RSA key name.
source url
The location of the PKCS12 file to which a user wants to export the RSA key pair.
passphrase
Passphrase that must be entered to undo encryption when the RSA keys are imported.
Usage Guidelines
When you enter the cyrpto ca import pkcs12 command, a ke pair and a trustpoint are generated. If you then decide you want to remove the key pair and trustpoint that were generated, enter the crypto key zeroize rsa command to zeroize the key pair and enter the no crypto ca trustpoint command to remove the trustpoint.
NoteAfter you import RSA keys to a target router, you cannot export those keys from the target router to another router.
crypto ca profile enrollment
NoteThis command was replaced with the crypto pki profile enrollment command effective with Cisco IOS Release 12.3(7)T and 12.2(18)SXE.
To define an enrollment profile, use the crypto ca profile enrollmentcommand in global configuration mode. To delete all information associated with this enrollment profile, use the no form of this command.
Usage Guidelines
Before entering this command, you must specify a named enrollment profile using the enrollment profile in ca-trustpoint configuration mode.
After entering the crypto ca profile enrollment command, you can use any of the following commands to define the profile parameters:
- authentication command --Specifies the HTTP command that is sent to the certification authority (CA) for authentication.
- authentication terminal --Specifies manual cut-and-paste certificate authentication requests.
- authentication url --Specifies the URL of the CA server to which to send authentication requests.
- enrollment command --Specifies the HTTP command that is sent to the CA for enrollment.
- enrollment terminal --Specifies manual cut-and-paste certificate enrollment.
- enrollment url --Specifies the URL of the CA server to which to send enrollment requests.
- parameter --Specifies parameters for an enrollment profile. This command can be used only if the authentication command or the enrollment command is used.
NoteThe authentication url, enrollment url, authentication terminal, and enrollment terminal commands allow you to specify different methods for certificate authentication and enrollment, such as TFTP authentication and manual enrollment.
Examples
The following example shows how to define the enrollment profile named “E” and associated profile parameters:
crypto ca trustpoint Entrust enrollment profile E serial crypto ca profile enrollment E authentication url http://entrust:81 authentication command GET /certs/cacert.der enrollment url http://entrust:81/cda-cgi/clientcgi.exe enrollment command POST reference_number=$P2&authcode=$P1 &retrievedAs=rawDER&action=getServerCert&pkcs10Request=$REQ parameter 1 value aaaa-bbbb-cccc parameter 2 value 5001crypto ca trustpoint
NoteEffective with Cisco IOS Release 12.3(8)T, 12.2(18)SXD, and 12.2(18)SXE, the crypto ca trustpoint command is replaced with the crypto pki trustpoint command. See the crypto pki trustpoint command for more information.
To declare the certification authority (CA) that your router should use, use the crypto ca trustpoint command in global configuration mode. To delete all identity information and certificates associated with the CA, use the no form of this command.
Command History
Release
Modification
12.2(8)T
This command was introduced.
12.2(15)T
The match certificate subcommand was introduced.
12.3(7)T
This command was replaced by the crypto pki trustpoint command. You can still enter the crypto ca trusted-rootor crypto ca trustpoint command, but the command will be written in the configuration as “crypto pki trustpoint.”
Usage Guidelines
Use the crypto ca trustpoint command to declare a CA, which can be a self-signed root CA or a subordinate CA. Issuing the crypto ca trustpoint command puts you in ca-trustpoint configuration mode.
You can specify characteristics for the trustpoint CA using the following subcommands:
- crl --Queries the certificate revocation list (CRL) to ensure that the certificate of the peer has not been revoked.
- default (ca-trustpoint) --Resets the value of ca-trustpoint configuration mode subcommands to their defaults.
- enrollment --Specifies enrollment parameters (optional).
- enrollment http-proxy --Accesses the CA by HTTP through the proxy server.
- match certificate --Associates a certificate-based access control list (ACL) defined with the crypto ca certificate mapcommand.
- primary --Assigns a specified trustpoint as the primary trustpoint of the router.
- root --Defines the Trivial File Transfer Protocol (TFTP) to get the CA certificate and specifies both a name for the server and a name for the file that will store the CA certificate.
NoteBeginning with Cisco IOS Release 12.2(8)T, the crypto ca trustpoint command unified the functionality of the crypto ca identity and crypto ca trusted-root commands, thereby replacing these commands. Although you can still enter the crypto ca identity and crypto ca trusted-root commands, theconfiguration mode and command will be written in the configuration as “crypto ca trustpoint.”
Examples
The following example shows how to declare the CA named “ka” and specify enrollment and CRL parameters:
crypto ca trustpoint ka enrollment url http://kahului:80The following example shows a certificate-based access control list (ACL) with the label “Group” defined in a crypto ca certificate map command and included in the match certificate subcommand of the crypto ca | pki trustpoint command:
crypto ca certificate map Group 10 subject-name co ou=WAN subject-name co o=Cisco ! crypto ca trustpoint pki match certificate GroupRelated Commands
Command
Description
crl
Queries the CRL to ensure that the certificate of the peer has not been revoked.
default (ca-trustpoint)
Resets the value of a ca-trustpoint configuration subcommand to its default.
enrollment
Specifies the enrollment parameters of your CA.
enrollment http-proxy
Accesses the CA by HTTP through the proxy server.
primary
Assigns a specified trustpoint as the primary trustpoint of the router.
root
Obtains the CA certificate via TFTP.
crypto call admission limit
To specify the maximum number of Internet Key Exchange (IKE) security associations (SAs) that the device can establish before IKE begins rejecting new SA requests, use the crypto call admission limit command in global configuration mode. To disable this feature, use the no form of this command.
crypto call admission limit ike { in-negotiation-sa number | sa number }
no crypto call admission limit ike { in-negotiation-sa number | sa number }
Command History
Release
Modification
12.3(8)T
This command was introduced.
12.2(18)SXD1
This command was integrated into Cisco IOS Release 12.2(18)SXD1 on the Cisco 6500 and Cisco 7600.
12.4(6)T
This command was modified. The in-negotiation-sa number keyword-argument pair was added.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA on the Cisco 7600. The in-negotiation-sa number keyword-argument pair was not supported.
12.2(33)SXH
This command was integrated into Cisco IOS Release 12.2(33)SXH. The in-negotiation-sa number keyword-argument pair was not supported.
Usage Guidelines
Use this command to limit the number of IKE SAs permitted to or from a device. By limiting the number of IKE SAs that can be created on the device, you can prevent the device from being impacted due to sudden inflow of IKE SA requests. The ideal limit depends on the particular platform, the network topology, the application, and traffic patterns. When the specified limit is reached, IKE rejects all new SA requests. If you specify an IKE SA limit that is less than the current number of active IKE SAs, a warning is displayed, but SAs are not terminated. New SA requests are rejected until the active SA count is below the configured limit.
Examples
The following example shows how to configure a maximum of 50 IKE SAs before IKE begins rejecting new SA requests.
Device(config)# crypto call admission limit ike sa 50The following example shows how to configure a maximum of 100 in-negotiation IKE SAs before IKE begins rejecting new SA requests.
Device(config)# crypto call admission limit ike in-negotiation-sa 100crypto connect vlan
To create an interface VLAN for an IPSec VPN SPA and enter crypto-connect mode, use the crypto connect vlan command in interface configuration mode. To remove the interface VLAN status from the VLAN, use the no form of this command.
Usage Guidelines
You can enter the crypto connect vlan command only from the following:
- The associated port VLAN interface when the EtherChannel interface (port-channel interface) and participating interfaces are switch ports.
- The EtherChannel interface when the EtherChannel interface (port-channel interface) and participant interfaces are routed ports.
The crypto engine subslotcommand is only available for VLANs prior to the VLANs being made interface VLANs by the crypto connect vlan command.
When you enter the crypto connect vlan command, a target VLAN is made an interface VLAN if and only if the target VLAN is not currently an interface VLAN, and the target VLAN has been added to an inside trunk port using the crypto engine subslot command. If the VLAN has been added to more than one inside trunk port, the crypto connect vlan command is rejected.
The no crypto engine subslot command is allowed only after you enter the no crypto connect vlan command, or before you enter the crypto connect vlan command.
When you remove an interface VLAN from an inside trunk port and a corresponding crypto engine subslot configuration state exists, then that crypto engine subslot configuration state is not removed. If you remove a VLAN that has a crypto engine subslot configuration state, you need to manually add it back to recover. While in this inconsistent state, any attempt to enter the no crypto connect vlan command is rejected.
When you enter the no crypto connect vlan command, the interface VLAN status is removed from a VLAN. Any associated crypto engine subslot configuration state is not altered.
Examples
The following example adds port 2/1 to the outside access port VLAN and connects the outside access port VLAN to the inside interface VLAN:
Router(config)# interface Vlan101 Router(config-if)# ip address 192.168.101.1 255.255.255.0 Router(config-if)# crypto map cmap Router(config-if)# crypto engine subslot 3/0 Router(config-if)# interface GigabitEthernet2/1 Router(config-if)# crypto connect vlan 101crypto ctcp
To configure Cisco Tunneling Control Protocol (cTCP) encapsulation for Easy VPN, use the crypto ctcpcommand in global configuration mode. To remove the cTCP encapsulation, use the no form of this command.
crypto ctcp [ keepalive number-of-seconds | port port-number ]
no crypto ctcp [ keepalive number-of-seconds | port port-number ]
Syntax Description
keepalive
(Optional) Sets the interval of cTCP keepalives that are sent by the remote device.
Note This command is configured on the remote device.
number-of-seconds
(Optional) Number of seconds between the keepalives. Value = 5 through 3600. If the keepalive keyword is not configured, the default is 5.
port
(Optional) Port number that cTCP will listen to. Up to 10 numbers can be configured.
Note This keyword is configured only on the server.
port-number
(Optional) Actual port number. Value = 1 through 65535. If the port keyword is not configured, the default port number is 10000.
Usage Guidelines
If cTCP is enabled on a port, any application that uses that port will not function.
When cTCP encapsulation is enabled on the router, only packets less than or equal to 1407 in size can pass through the IPsec tunnel with the Don’t Fragment (DF) bit set. If an attempt is made to send a larger size packet, the following syslog message is generated:
CRYPTO_ENGINE: locally-sourced pkt w/DF bit set is too big,ip->tl=1450, mtu=1407
NoteIf a Cisco IOS device is acting as a remote device, it has to send keepalives periodically to keep Network Address Translation (NAT) or firewall sessions from timing out.
crypto dynamic-map
To create a dynamic crypto map entry and enter crypto map configuration command mode, use the crypto dynamic-map command in global configuration mode. To delete a dynamic crypto map set or entry, use the no form of this command.
crypto dynamic-map dynamic-map-name dynamic-seq-num
no crypto dynamic-map dynamic-map-name [dynamic-seq-num]
Command History
Release
Modification
11.3 T
This command was introduced.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
12.4(15)T
This command was modified. All changes to PFS settings in the dynamic crypto map template are immediately passed on to the instantiated crypto map PFS settings.
Usage Guidelines
Use dynamic crypto maps to create policy templates that can be used when processing negotiation requests for new security associations from a remote IP security peer, even if you do not know all of the crypto map parameters required to communicate with the remote peer (such as the peer’s IP address). For example, if you do not know about all the IPsec remote peers in your network, a dynamic crypto map allows you to accept requests for new security associations from previously unknown peers. (However, these requests are not processed until the Internet Key Exchange authentication has completed successfully.)
When a router receives a negotiation request via IKE from another IPsec peer, the request is examined to see if it matches a crypto map entry. If the negotiation does not match any explicit crypto map entry, it will be rejected unless the crypto map set includes a reference to a dynamic crypto map.
The dynamic crypto map is a policy template; it will accept “wildcard” parameters for any parameters not explicitly stated in the dynamic crypto map entry. This allows you to set up IPsec security associations with a previously unknown IPsec peer. (The peer still must specify matching values for the nonwildcard IPsec security association negotiation parameters.)
If the router accepts the peer’s request, at the point that it installs the new IPsec security associations it also installs a temporary crypto map entry. This entry is filled in with the results of the negotiation. At this point, the router performs normal processing, using this temporary crypto map entry as a normal entry, even requesting new security associations if the current ones are expiring (based upon the policy specified in the temporary crypto map entry). Once the flow expires (that is, all of the corresponding security associations expire), the temporary crypto map entry is removed.
If changes are made to the Perfect Forward Secrecy (PFS) settings in the dynamic crypto map template,the changes are passed on to the PFS settings in the instantiated crypto map. During the next rekey process the new settings are used to negotiate with the remote peer.
Dynamic crypto map sets are not used for initiating IPsec security associations. However, they are used for determining whether or not traffic should be protected.
The only configuration required in a dynamic crypto map is the set transform-set command. All other configuration is optional.
Dynamic crypto map entries, like regular static crypto map entries, are grouped into sets. After you define a dynamic crypto map set (which commonly contains only one map entry) using this command, you include the dynamic crypto map set in an entry of the “parent” crypto map set using the crypto map (IPsec global configuration) command. The parent crypto map set is then applied to an interface.
You should make crypto map entries referencing dynamic maps the lowest priority map entries, so that negotiations for security associations will try to match the static crypto map entries first. Only after the negotiation request does not match any of the static map entries do you want it to be evaluated against the dynamic map.
To make a dynamic crypto map the lowest priority map entry, give the map entry referencing the dynamic crypto map the highest seq-num of all the map entries in a crypto map set.
For both static and dynamic crypto maps, if unprotected inbound traffic matches a permit statement in an access list, and the corresponding crypto map entry is tagged as “IPsec,” then the traffic is dropped because it is not IPsec protected. (This is because the security policy as specified by the crypto map entry states that this traffic must be IPsec protected.)
For static crypto map entries, if outbound traffic matches a permit statement in an access list and the corresponding security association (SA) is not yet established, the router will initiate new SAs with the remote peer. In the case of dynamic crypto map entries, if no SA existed, the traffic would simply be dropped (because dynamic crypto maps are not used for initiating new SAs).
NoteUse care when using the any keyword in permit entries in dynamic crypto maps. If it is possible for the traffic covered by such a permit entry to include multicast or broadcast traffic, the access list should include deny entries for the appropriate address range. Access lists should also include deny entries for network and subnet broadcast traffic, and for any other traffic that should not be IPsec protected.
Examples
The following example shows how to configure an IPsec crypto map set.
Crypto map entry “mymap 30” references the dynamic crypto map set “mydynamicmap,” which can be used to process inbound security association negotiation requests that do not match “mymap” entries 10 or 20. In this case, if the peer specifies a transform set that matches one of the transform sets specified in “mydynamicmap,” for a flow “permitted” by the access list 103, IPsec will accept the request and set up security associations with the remote peer without previously knowing about the remote peer. If accepted, the resulting security associations (and temporary crypto map entry) are established according to the settings specified by the remote peer.
The access list associated with “mydynamicmap 10” is also used as a filter. Inbound packets that match a permit statement in this list are dropped for not being IPsec protected. (The same is true for access lists associated with static crypto maps entries.) Outbound packets that match a permit statement without an existing corresponding IPsec SA are also dropped.
crypto map mymap 10 ipsec-isakmp match address 101 set transform-set my_t_set1 set peer 10.0.0.1 set peer 10.0.0.2 crypto map mymap 20 ipsec-isakmp match address 102 set transform-set my_t_set1 my_t_set2 set peer 10.0.0.3 crypto map mymap 30 ipsec-isakmp dynamic mydynamicmap ! crypto dynamic-map mydynamicmap 10 match address 103 set transform-set my_t_set1 my_t_set2 my_t_set3Related Commands
Command
Description
crypto map (global IPsec)
Creates or modifies a crypto map entry and enters the crypto map configuration mode.
crypto map (interface IPsec)
Applies a previously defined crypto map set to an interface.
crypto map local-address
Specifies and names an identifying interface to be used by the crypto map for IPsec traffic.
match address (IPsec)
Specifies an extended access list for a crypto map entry.
set peer (IPsec)
Specifies an IPsec peer in a crypto map entry.
set pfs
Specifies that IPsec should ask for PFS when requesting new security associations for this crypto map entry, or that IPsec requires PFS when receiving requests for new security associations.
set security-association lifetime
Overrides (for a particular crypto map entry) the global lifetime value, which is used when negotiating IPsec security associations.
set transform-set
Specifies which transform sets can be used with the crypto map entry.
show crypto engine accelerator logs
Displays a dynamic crypto map set.
show crypto map (IPsec)
Displays the crypto map configuration.
crypto-engine
To enter the QoS policy map configuration mode for the IPsec VPN module, use the crypto-engine command in interface configuration mode.
Usage Guidelines
Once you enter the crypto-engine command, the prompt changes to the following:
Router(config-crypto-engine)#
The following crypto engine configuration commands are available when you enter the crypto-engine command:
- default --Sets a command to its defaults.
- exit --Exit service-flow submode.
- no --Negates a command or set its defaults.
- service-policy output policy-map-name --Configures the service policy by assigning a policy map to the output of an interface.
crypto engine accelerator
NoteEffective with Cisco IOS Release 12.3(11)T, this command is replaced by the crypto engine aim, crypto engine em, crypto engine nm, crypto engine onboard, and crypto engine slotcommands. See these commands for more information.
To enable the onboard hardware accelerator of the router for IP security (IPsec) encryption, use the crypto engine accelerator command in global configuration mode. To disable the use of the onboard hardware IPsec accelerator, and thereby perform IPsec encryption or decryption in software, use the no form of this command.
Command History
Release
Modification
12.1(3)T
This command was introduced for the Cisco 1700 series router and other Cisco routers that support hardware accelerators for IPsec encryption.
12.1(3)XL
Support was added for the Cisco uBR905 cable access router.
12.2(2)XA
Support was added for the Cisco uBR925 cable access router.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T and implemented for the AIM-VPN/EPII and AIM-VPN/HPII on the following platforms: Cisco 2691, Cisco 3660, Cisco 3725, and Cisco 3745.
12.2(15)ZJ
This command was implemented for the AIM-VPN/BPII on the following platforms: Cisco 2610XM, Cisco 2611XM, Cisco 2620XM, Cisco 2621XM, Cisco 2650XM, and Cisco 2651XM.
12.3(4)T
The AIM-VPN/BPII was integrated into Cisco IOS Release 12.3(4)T on the following platforms: Cisco 2610XM, Cisco 2611XM, Cisco 2620XM, Cisco 2621XM, Cisco 2650XM, and Cisco 2651XM.
12.3(11)T
This command was replaced by the crypto engine aim, crypto engine em, crypto engine nm, crypto engine onboard, and crypto engine slotcommands.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Usage Guidelines
This command is not normally needed for typical operations because the onboard hardware accelerator of the router is enabled for IPsec encryption by default. The hardware accelerator should not be disabled except on instruction from Cisco Technical Assistance Center (TAC) personnel.
Examples
The following example shows how to disable the onboard hardware accelerator of the router for IPsec encryption. This disabling is normally needed only after the accelerator has been disabled for testing or debugging purposes.
Router(config)# no crypto engine accelerator Warning! all current connections will be torn down. Do you want to continue? [yes/no]:Related Commands
Command
Description
clear crypto engine accelerator counter
Resets the statistical and error counters for the hardware accelerator to zero.
crypto ca
Defines the parameters for the certification authority used for a session.
crypto cisco
Defines the encryption algorithms and other parameters for a session.
crypto dynamic-map
Creates a dynamic map crypto configuration for a session.
crypto ipsec
Defines the IPSec security associations and transformation sets.
crypto isakmp
Enables and defines the IKE protocol and its parameters.
crypto key
Generates and exchanges keys for a cryptographic session.
crypto map
Creates and modifies a crypto map for a session.
debug crypto engine accelerator control
Displays each control command as it is given to the crypto engine.
debug crypto engine accelerator packet
Displays information about each packet sent for encryption and decryption.
show crypto engine accelerator ring
Displays the contents of command and transmits rings for the crypto engine.
show crypto engine accelerator sa database
Displays the active (in-use) entries in the crypto engine SA database.
show crypto engine accelerator statistic
Displays the current run-time statistics and error counters for the crypto engine.
show crypto engine brief
Displays a summary of the configuration information for the crypto engine.
show crypto engine configuration
Displays the version and configuration information for the crypto engine.
show crypto engine connections
Displays a list of the current connections maintained by the crypto engine.
crypto engine aim
To reenable an advanced integration module (AIM), use the crypto engine aimcommand in global configuration mode. To disable an AIM encryption module, use the no form of this command.
crypto engine em
To enable the hardware accelerator of an expansion slot for IP security (IPsec) encryption, use the crypto engine emcommand in global configuration mode. To disable the hardware accelerator of the expansion slot, use the no form of this command.
crypto engine mode vrf
To enable VRF-Aware mode for the IPSec VPN SPA, use the crypto engine mode vrfcommand in global configuration mode. To disable VRF-aware mode, use the no form of this command.
Usage Guidelines
The VRF-Aware IPSec feature introduces IPSec tunnel mapping to Multiprotocol Label Switching (MPLS) VPNs.
Using the VRF-Aware IPSec feature, you can map IPSec tunnels to VPN routing and forwarding instances (VRFs) using a single public-facing address.
Unlike other IPSec VPN SPA feature configurations, when configuring VRF-Aware features, you do not use the crypto connect vlan command.
Examples
The following example shows a VRF-Aware IPSec implementation:
ip vrf pepsi rd 1000:1 route-target export 1000:1 route-target import 1000:1 ! ip vrf coke rd 2000:1 route-target export 2000:1 route-target import 2000:1 crypto engine mode vrf interface vlan 100 ip vrf forwarding pepsi ip address 10.2.1.1 255.255.255.0 crypto engine subslot 3/0 crypto map map100 interface vlan 200 ip vrf forwarding coke ip address 10.2.1.1 255.255.255.0 crypto engine subslot 3/0 crypto map map200 interface gi1/1 (hidden VLAN 1000) ip address 171.1.1.1 crypto engine subslot 3/0 ! BASIC MPLS CONFIGURATION mpls label protocol ldp tag-switching tdp router-id Loopback0 mls ip multicast flow-stat-timer 9 no mls flow ip no mls flow ipv6 ! ! CONFIGURE THE INTERFACE CONNECTED TO THE MPLS BACKBONE WITH LABEL/TAG SWITCHING interface GigabitEthernet2/12 ip address 20.1.0.34 255.255.255.252 logging event link-status speed nonegotiate mpls label protocol ldp tag-switching ipRelated Commands
Command
Description
crypto engine subslot
Assigns an interface VLAN that requires encryption to the IPSec VPN SPA.
ip vrf
Configures a VRF routing table and enters VRF configuration mode.
ip vrf forwarding
Associates a VRF with an interface or subinterface.
vrf
Defines the VRF to which the IPSec tunnel will be mapped.
crypto engine nm
To enable the onboard hardware accelerator of a network module for IP security (IPsec) encryption, use the crypto engine nmcommand in global configuration mode. To disable the accelerator of the network module, use the no form of this command.
crypto engine onboard
To enable the hardware accelerator of an onboard module for IP security (IPsec) encryption, use the crypto engine onboardcommand in global configuration mode. To disable the hardware accelerator of the onboard module, use the no form of this command.
crypto engine slot
To reenable the onboard hardware accelerator in a service adapter, use the crypto engine slotcommand in global configuration mode. To disable the hardware accelerator in the service adapter, use the no form of this command.
crypto engine slot (interface)
To assign an interface VLAN, Virtual Routing and Forwarding (VRF) tunnel interface, or Front-door VRF (FVRF) interface that requires encryption to the IPSec VPN Shared Port Adapter (SPA), use the crypto engine slot command in interface configuration mode. The command usage and syntax varies based on whether you are in crypto-connect mode or VRF mode. In crypto-connect mode, the command is applied to interface VLANs and only the slot/subslot arguments are specified; in VRF-mode, the command is applied to interface VLANs, tunnel interfaces, or FVRF interfaces and either the inside or outside keyword must also be specified. To remove the interface, use the corresponding no form of this command.
Crypto-Connect Mode Syntax
crypto engine slot slot
no crypto engine slot slot
VRF Mode Syntax
crypto engine slot slot { inside | outside }
no crypto engine slot slot { inside | outside }
Syntax Description
slot
Chassis slot number where the Cisco 7600 SSC-400 card is located. Refer to the appropriate hardware manual for slot information. For SIPs and SSCs, refer to the platform-specific SPA hardware installation guide or the corresponding “Identifying Slots and Subslots for SIPs and SPAs” topic in the platform-specific SPA software configuration guide.
inside
(VRF Mode Only) Identifies the interface as an interface VLAN or tunnel interface.
outside
(VRF Mode Only) Identifies the interface as an FVRF interface.
Usage Guidelines
Usage guidelines vary based on whether you are in crypto-connect mode or VRF mode:
Crypto-Connect Mode Usage Guidelines
With this command, you do not need to explicitly add interface VLANs to the IPSec VPN SPA inside trunk port.
It is strongly recommended that you use the crypto engine slot command instead of manually adding and removing VLANs from the inside trunk port.
When you add an interface VLAN to an inside trunk port and that interface VLAN is not already added to another inside trunk port, the crypto engine slot configuration state on the interface VLAN is combined. If the interface VLAN is already added to another inside trunk port, the command is rejected.
You should not try to add all VLANs at one time (If you attempt this, you can recover by manually removing the VLANs from the inside trunk port.)
In crypto-connect mode, the crypto engine slot command is used in conjunction with the crypto connect vlan command.
In crypto-connect mode, the crypto engine slot command is only available for VLANs prior to the VLANs being made interface VLANs by the crypto connect vlan command.
The crypto engine slot command is rejected if you enter it on a crypto-connected interface VLAN whose current crypto engine slot configuration is different from the subslot specified in the crypto engine slot command. To change the crypto engine slot configuration on an interface VLAN, you must ensure that the VLAN is not crypto-connected.
If you change the crypto engine slot configuration on an interface VLAN, any IPSec and IKE SAs that are currently active on that interface VLAN are deleted.
If you enter the no crypto engine slot command and the interface VLAN is crypto-connected, the no crypto engine slot command is rejected. The no crypto engine slot command is allowed only after you enter the no crypto connect vlan command, or before you enter the crypto connect vlan command.
When you remove an interface VLAN from an inside trunk port and a corresponding crypto engine slot configuration state exists, then that crypto engine slot configuration state is not removed. If you remove a VLAN that has a crypto engine slot configuration state, you need to manually add it back to recover. While in this inconsistent state, any attempt to enter the no crypto connect vlan command is rejected.
When you enter the no crypto connect vlan command, the interface VLAN status is removed from a VLAN. Any associated crypto engine slot configuration state is not altered.
When you write the configuration or show the configuration, the crypto engine slot configuration state is expressed in the context of the associated interface VLAN. The interface VLAN is also shown as having been added to the appropriate inside trunk port. This is the case even if the configuration was loaded from a legacy (pre-crypto engine slot) configuration file, or if VLANs were manually added instead of being added through the crypto engine slot command.
By editing the crypto engine slot commands and inside trunk port VLANs, it is possible to produce an inconsistent configuration file.
VRF Mode Usage Guidelines
When configuring an interface VLAN or tunnel interface in VRF mode, the crypto-engine slot inside command must be specified.
When configuring an FVRF interface in VRF mode, the crypto-engine slot outside command must be specified.
In VRF mode, the crypto-connect vlan command is not used.
In Cisco IOS Release 12.2(33)SRE and later releases the subslot argument was removed.
Examples
The following crypto-connect mode example shows how to assign VLAN interface 101 to the IPSec VPN SPA in slot 3, subslot 0:
Router(config)# interface Vlan101 Router(config-if)# ip address 192.168.101.1 255.255.255.0 Router(config-if)# crypto map cmap Router(config-if)# crypto engine slot 3/0 Router(config)# interface GigabitEthernet2/1 Router(config-if)# crypto connect Vlan101The following VRF mode example shows how to assign VLAN interface 101 to the IPSec VPN SPA in slot 3, subslot 0:
Router(config)# interface Vlan101 Router(config-if)# ip vrf forwarding abc Router(config-if)# ip address 10.2.1.1 255.255.255.0 Router(config-if)# crypto engine slot 3/0 inside Router(config-if)# crypto map map100The following VRF mode example shows how to assign Tunnel interface 1 to the IPSec VPN SPA in slot 4, subslot 0:
Router(config)# interface Tunnel1 Router(config)# ip vrf forwarding abc Router(config-if)# ip address 10.1.1.254 255.255.255.0 Router(config-if)# tunnel source 172.1.1.1 Router(config-if)# tunnel destination 100.1.1.1 Router(config-if)# tunnel mode ipsec profile tp Router(config-if)# crypto engine slot 4/0 insideThe following VRF mode example assigns the WAN-side interface GigabitEthernet1/1 to the IPSec VPN SPA in slot 3, subslot 0:
Router(config)# interface GigabitEthernet1/1 Router(config-if)# ip address 171.1.1.1 255.255.255.0 Router(config-if)# crypto engine slot 3/0 outsideRelated Commands
Command
Description
crypto connect vlan
Creates an interface VLAN for an IPSec VPN SPA and enters crypto-connect mode.
crypto map (interface IPSec)
Applies a previously defined crypto map set to an interface.
ip vrf forwarding
Associates a VRF with an interface.
show crypto vlan
Displays the VPN running state for an IPSec VPN SPA.
tunnel vrf
Associates a VRF instance with a specific tunnel interface.
crypto gdoi ks
To trigger a rekey of group members in a GET VPN network, use the crypto gdoi ks command in privileged EXEC mode.
Usage Guidelines
When you change the policy (for example, from DES to AES) on the key server (KS) and exit from global configuration mode, a syslog message appears on the primary KS indicating that the policy has changed and a rekey is needed. You can enter the crypto gdoi ks command to send a rekey based on the latest security policy in the running configuration.
When each GM receives this triggered rekey, it installs the new SAs (for example, for AES) and shortens the lifetimes of the old SAs (for example, for DES). The GM continues to encrypt and decrypt traffic using the old SAs until their shortened lifetimes expire.
For GMs that are running older versions that do not yet support the crypto gdoi ks command, the primary KS uses the software versioning feature to detect those versions and only triggers a rekey without sending instruction for policy replacement. Therefore, when a GM receives the rekey, it installs the new SAs but does not shorten the lifetimes of the old SAs. (This behavior is the same as the prior rekey method and ensures backward compatibility for devices that cannot support policy replacement.)
If the replace-now keyword is used, the GM that receives the rekey will immediately remove the old TEKs and KEK and install the new TEKs and KEK. Therefore, the new policy takes effect immediately without waiting for existing policy SAs to expire.
You must use this command on the KS or primary KS. If you try to use this command on the secondary KS, it rejects the command as shown below:
Device# crypto gdoi ks rekey ERROR for group GET: This command must be executed on Pri-KS
NoteThe replace-now keyword could cause a temporary traffic discontinuity, because all GMs may not receive the rekey message at the same time.
Examples
The following example shows how to trigger a rekey on all GMs:
Device# crypto gdoi ks rekey Device# *Jan 28 09:17:44.363: %GDOI-5-KS_SEND_UNICAST_REKEY: Sending Unicast Rekey with policy-replace for group GET from address 10.0.8.1 with seq # 2The following example shows how to remove the old TEKs and KEK from GMs immediately and install the new TEKs and KEK:
Device# crypto gdoi ks rekey replace-nowcrypto gdoi gm
For group members to change the IP security (IPsec) security association (SA) status, use the crypto gdoi gmcommand in privileged EXEC mode.
crypto gdoi gm group group-name { ipsec direction inbound optional | ipsec direction inbound only | ipsec direction both }
Syntax Description
group group-name
Name of the group.
ipsec direction inbound optional
Allows a group member to change the IPsec SA status to inbound optional. IPsec SA will accept cipher or plain text or both and will encrypt the packet before forwarding it.
ipsec direction inbound only
Allows a group member to change the IPsec SA status to inbound only. IPsec SA will accept cipher or plain text or both and will forward the packet in clear text.
ipsec direction both
Allows a group member to change the IPsec SA status to both inbound and outbound. IPsec SA will accept only cipher text and will encrypt the packet before forwarding it.
Command Default
If the sa receive-onlycommand is specified on the key server, the group member remains in receive-only mode.
Usage Guidelines
This command is executed on group members. This command and its various keywords aid in testing individual group members and verifies that the group members are encrypting or decrypting traffic. This command and its keywords can be used only after the sa receive-only command has been configured on the key server.
The ipsec direction inbound optionalkeyword is used for situations in which all group members have been instructed to install the IPsec SAs as inbound only but for which a group member wants to install the IPsec SAs as inbound optional.
The ipsec direction inbound only keyword is used when a group member wants to change a previously set IPsec SA status to inbound only.
The ipsec direction bothkeyword is used when a group member has to change a previously set IPsec SA status to both inbound and outbound. In this setting, the group member accepts only cipher text.
Examples
The following example shows how to determine whether a group member can accept cipher text.
On Group Member 1, configure the following:
crypto gdoi gm group groupexample ipsec direction inbound onlyOn Group Member 2, configure the following:
crypto gdoi gm group groupexample ipsec direction inbound optionalThen Ping Group Member 1.
Group Member 2 will have encrypted the packet and will send an encrypted packet to Group Member 1, which then decrypts that packet. If the traffic is from Group Member 1 to Group Member 2, Group Member 1 will forward the packet in clear text, and Group Member will accept it.
crypto gdoi group
To create a Group Domain of Interpretation (GDOI) group and enter GDOI group configuration mode, use the crypto gdoi group command in global configuration mode. To disable a GDOI group, use the no form of this command.
Usage Guidelines
There are more options for configuring a group on a key server than there are for configuring a group member. The group is identified by an identity and by the server. If the GDOI group is a group member, the address of the server is specified. If the GDOI group is a key server, “server local” is specified, which indicates that this is the key server.
Examples
The following example shows how to configure an IPv4 GDOI group for a key server:
crypto gdoi group mygroup identity number 4444 server localThe following example shows how to configure an IPv6 GDOI group for a key server:
crypto gdoi group ipv6 mygroup2 identity number 4444 server localThe following example shows how to configure an IPv4 GDOI group for a group member:
crypto gdoi group mygroup3 identity number 3333 server address ipv4 10.0.5.2crypto identity
To configure the identity of the router with a given list of distinguished names (DNs) in the certificate of the router, use the crypto identity command in global configuration mode. To delete all identity information associated with a list of DNs, use the no form of this command.
Command Default
If this command is not enabled, the IP address is associated with the identity of the router.
Usage Guidelines
The crypto identity command allows you to configure the identity of a router with a given list of DNs. Thus, when used with the dn and fqdn commands, you can set restrictions in the router configuration that prevent peers with specific certificates, especially certificates with particular DNs, from having access to selected encrypted interfaces.
NoteThe identity of the peer must be the same as the identity in the exchanged certificate.
Examples
The following example shows how to configure a DN-based crypto map:
! The following is an IPSec crypto map (part of IPSec configuration). It can be used only ! by peers that have been authenticated by DN and if the certificate belongs to BigBiz. crypto map map-to-bigbiz 10 ipsec-isakmp set peer 172.21.114.196 set transform-set my-transformset match address 124 identity to-bigbiz ! crypto identity to-bigbiz dn ou=BigBiz ! ! ! This crypto map can be used only by peers that have been authenticated by hostname ! and if the certificate belongs to little.com. crypto map map-to-little-com 10 ipsec-isakmp set peer 172.21.115.119 set transform-set my-transformset match address 125 identity to-little-com ! crypto identity to-little-com fqdn little.com !crypto ikev2 authorization policy
To configure an IKEv2 authorization policy, use the crypto ikev2 authorization policy command in global configuration mode. To remove this command and all associated subcommands from your configuration, use the no form of this command. To return the authorization policy to its default value, use the default form of this command.
crypto ikev2 authorization policy policy-name
no crypto ikev2 authorization policy policy-name
default crypto ikev2 authorization policy
Usage Guidelines
Use the crypto ikev2 authorization policy command to specify the group for which a policy profile must be defined and the group policy information that needs to be defined or changed. You may wish to change the group policy on your router if you decide to connect to the client using a group ID that does not match the policy-name argument. The authorization policy is referred from the IKEv2 profile using the aaa authorization group command where the group name can be directly specified or derived from the remote identities using a name mangler.
If AAA authorization is configured as local, AAA derives the authorization attributes from IKEv2 client configuration group through the callback to crypto component.
After enabling this command, which puts the networking device in IKEv2 group authorization policy mode, you can specify the characteristics for the authorization policy using the following commands:
- dhcp-- Configures an IP address on the remote access client for the Dynamic Host Configuration Protocol (DHCP) to use.
- dns --Specifies the primary and secondary Domain Name Service (DNS) servers for the group.
- netmask --Subnet mask to be used by the client for local connectivity.
- pool --Refers to the IP local pool address used to allocate internal IP addresses to clients.
- subnet-acl --Configures split tunneling.
- wins --Specifies the primary and secondary Windows Internet Naming Service (WINS) servers for the group.
You can modify the default authorization policy using the crypto ikev2 authorization policy default command. You can either modify the entire authorization policy or modify one of the above commands.
You can disable the default authorization policy using the no crypto ikev2 authorization policy default command. When disabled, the values in the default authorization policy are copied and the default proposal remains inactive.
Examples
The following example shows how the client configuration group is referred from IKEv2 profile using the aaa authorization group command where the group name is specified directly. In this example, the policy is enforced for users that matches the group name “abc.”
aaa new-model aaa authorization network aaa-group-list default local ! crypto ikev2 authorization policy abc pool pool1 dns 198.51.100.1 198.51.100.100 wins 203.0.113.1 203.0.113.115 dhcp server 3.3.3.3 dhcp giaddr 192.0.2.1 dhcp timeout 10 netmask 255.255.255.0 subnet-acl acl-123 ! crypto ikev2 profile profile1 authentication remote eap aaa authorization group aaa-group-list abc ! ip access-list extended acl-123 permit ip 209.165.200.225 0.0.0.31 any permit ip 209.165.201.1 255.255.255.224 anyRelated Commands
Command
Description
aaa authorization group
Sets parameters that restrict user access to a network.
dhcp
Configures an IP address for the DHCP to use.
dns
Specifies the primary and secondary DNS servers for the group.
netmask
Specifies the netmask of the subnet address that is assigned to the client.
pool
Defines a local pool address for assigning IP addresses.
subnet-acl
Defines ACL for split tunneling.
wins
Specifies the internal WINS server addresses.
crypto ikev2 certificate-cache
To set the cache size to store certificates, use the crypto ikev2 certificate-cache command in global configuration mode. To delete the cache size, use the no form of this command.
Usage Guidelines
Use this command to set the cache to store the maximum number of certificates fetched from the HTTP URLs.
Examples
The following example sets the cache size to store 500 certificates:
Router(config)# crypto ikev2 certificate-cache 500Related Commands
Command
Description
crypto ikev2 cookie-challenge
Enables IKEv2 cookie challenge.
crypto ikev2 diagnose error
Enables IKEv2 error diagnosis.
crypto ikev2 dpd
Defines DPD globally for all peers.
crypto ikev2 http-url cert
Enables HTTP CERT support.
crypto ikev2 limit
Defines call admission control for all peers.
crypto ikev2 nat
Defines NAT keepalive globally for all peers.
crypto ikev2 window
Specifies the IKEv2 window size.
crypto logging ikev2
Enables IKEv2 syslog messages on a server.
crypto ikev2 cluster
To configure an Internet Key Exchange Version 2 (IKEv2) cluster policy in a Hot Standby Router Protocol (HSRP) cluster, use the crypto ikev2 cluster command in global configuration mode. To remove this command and all associated commands from your configuration, use the no form of this command.
Usage Guidelines
Use the crypto ikev2 cluster command to define an IKEv2 cluster policy and to enter IKEv2 cluster configuration mode.
After enabling this command, you can specify the characteristics for the cluster policy by using the following commands:
To view the cluster configuration, use the show crypto ikev2 cluster command.
Examples
The following example shows how to configure an IKEv2 cluster policy:
Device(config)# crypto ikev2 cluster Device(config-ikev2-cluster)# master crypto-load 10 Device(config-ikev2-cluster)# slave priority 90Related Commands
Command
Description
holdtime
Specifies the time interval to receive messages.
master (IKEv2)
Defines settings for the master gateway in the HSRP cluster.
port (IKEv2)
Specifies port settings for the HSRP cluster.
show crypto ikev2 cluster
Displays the cluster policy configuration.
slave (IKEv2)
Defines settings for the slave gateways in the HSRP cluster.
standby-group
Defines HSRP cluster settings.
crypto ikev2 cookie-challenge
To enable a cookie challenge for Internet Key Exchange Version 2 (IKEv2), use the crypto ikev2 cookie-challenge command in global configuration mode. To disable the cookie challenge, use the no form of this command.
Usage Guidelines
Use this command to enable the IKEv2 cookie challenge. A cookie challenge mitigates the effect of a DoS attack when an IKEv2 responder is flooded with session initiation requests from forged IP addresses.
Examples
The following example sets the cookie challenge to 450:
Router(config)# crypto ikev2 cookie-challenge 450Related Commands
Command
Description
crypto ikev2 certificate-cache
Specifies the cache size to store certificates fetched from HTTP URLs.
crypto ikev2 diagnose error
Enables IKEv2 error diagnosis.
crypto ikev2 dpd
Defines DPD globally for all peers.
crypto ikev2 http-url cert
Enables HTTP CERT support.
crypto ikev2 limit
Defines call admission control for all peers.
crypto ikev2 nat
Defines NAT keepalive globally for all peers.
crypto ikev2 window
Specifies the IKEv2 window size.
crypto logging ikev2
Enables IKEv2 syslog messages on a server.
crypto ikev2 cts
To enable IPsec inline tagging globally, use the crypto ikev2 cts command in global configuration mode. To disable the SGT inline tagging, use the no form of this command.
Usage Guidelines
NoteSecurity threats, as well as the cryptographic technologies to help protect against them, are constantly changing. For more information about the latest Cisco cryptographic recommendations, see the Next Generation Encryption (NGE) white paper.
This command applies to all sessions on the router. If IPsec inline tagging is disabled, the new negotiated sessions do not negotiate the vendor ID (VID). However, the current SA and the subsequent SA rekey are enabled with the feature until the lifetime of the SA. This applies to the new IPsec SA and the rekey of the IPsec SA established using the parent or rekeyed IKE SA.
Examples
The following example shows how to enable IPsec inline tagging on an sVTI initiator and dVTI responder.
crypto ikev2 proposal p1 encryption aes-cbc-128 integrity sha1 group 14 ! crypto ikev2 policy policy1 proposal p1 ! crypto ikev2 keyring key peer peer address ::/0 pre-shared-key cisco ! peer v4 address 0.0.0.0 0.0.0.0 pre-shared-key cisco ! ! ! crypto ikev2 profile prof3 match identity remote address 0.0.0.0 authentication local pre-share authentication remote pre-share keyring key ! crypto ikev2 cts sgt ! crypto ipsec transform-set trans1 esp-aes esp-sha-hmac ! crypto map cmap 1 ipsec-isakmp set peer 10.1.1.2 set transform-set trans set ikev2-profile prof3 match address ipv4acl ! ! interface Loopback1 ip address 209.165.201.1 255.255.255.224 ipv6 address 2001::4:1/112 ! interface Loopback2 ip address 209.165.200.1 255.255.255.224 ipv6 address 2001::40:1/112 ! interface Embedded-Service-Engine0/0 no ip address shutdown ! interface GigabitEthernet0/0 ip address 192.168.210.74 255.255.255.0 duplex auto speed auto ! interface GigabitEthernet0/1 ip address 172.16.0.1 255.240.0.0 duplex auto speed auto ipv6 address 2001::5:1/112 ipv6 enable crypto map cmap ! ip forward-protocol nd ! no ip http server no ip http secure-server ! ip route 0.0.0.0 0.0.0.0 172.16.0.2 ip route 10.12.255.200 255.0.0.0 172.31.255.254 ! ip access-list extended ipv4acl permit ip host 209.165.201.1host 192.168.12.125 permit ip host 209.165.200.1 host 172.18.0.1 permit ip host 172.28.0.1 host 10.10.10.1 permit ip host 10.12.255.200 host 192.168.14.1 ! logging esm config ipv6 route ::/0 2001::5:2 ! ! ! ! !! control-plane ! ! ! line con 0 exec-timeout 0 0 line aux 0 line 2 no activation-character no exec transport preferred none transport input all transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh stopbits 1 line vty 0 4 login transport input all ! exception data-corruption buffer truncate scheduler allocate 20000 1000crypto ikev2 proposal p1 encryption aes-cbc-192 integrity sha1 group 15 ! crypto ikev2 policy policy1 proposal p1 ! crypto ikev2 keyring key peer peer address 172.160.1.1 255.240.0.0 pre-shared-key cisco ! peer v4_p2 address 172.31.255.1 255.240.0.0 pre-shared-key cisco ! crypto ikev2 profile prof match identity remote address 0.0.0.0 authentication local pre-share authentication remote pre-share keyring key virtual-template 25 ! crypto ikev2 cts sgt ! crypto ipsec transform-set trans esp-null esp-sha-hmac ! crypto ipsec profile prof_ipv4 set transform-set trans set ikev2-profile prof1_ipv4 ! ! interface Loopback0 ip address 192.168.12.1 255.255.0.0 ! interface Loopback1 no ip address ! interface Loopback2 ip address 172.18.0.1 255.240.0.0 ! interface Loopback10 no ip address ipv6 address 2001::8:1/112 ! interface Loopback11 no ip address ipv6 address 2001::80:1/112 ! interface Embedded-Service-Engine0/0 no ip address shutdown ! interface GigabitEthernet0/0 ip address 10.1.1.2 255.0.0.0 duplex auto speed auto ipv6 address 2001::7:1/112 ipv6 enable ! interface GigabitEthernet0/1 ip address 10.10.10.2 255.255.255.0 duplex auto speed auto ! interface GigabitEthernet0/2 ip address 192.168.210.144 255.255.255.0 duplex auto speed auto ! interface FastEthernet0/0/0 no ip address shutdown ! interface FastEthernet0/0/1 no ip address ! interface FastEthernet0/0/2 no ip address ! interface FastEthernet0/0/3 no ip address ! ! interface Virtual-Template25 type tunnel ip unnumbered GigabitEthernet0/0 tunnel mode ipsec ipv4 tunnel protection ipsec profile prof_ipv4 ! interface Vlan1 no ip address ! ! ip forward-protocol nd ! no ip http server no ip http secure-server ! ip route 0.0.0.0 0.0.0.0 10.1.1.1 ip route 172.17.0.0 255.240.0.0 10.10.10.1 ! logging esm config ipv6 route ::/0 2001::7:2 ! control-plane ! ! ! line con 0 exec-timeout 0 0 line aux 0 line 2 no activation-character no exec transport preferred none transport input all transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh stopbits 1 line vty 0 4 login transport input all ! exception data-corruption buffer truncate scheduler allocate 20000 1000 endcrypto ikev2 diagnose
To enable Internet Key Exchange Version 2 (IKEv2) error diagnostics, use the crypto ikev2 diagnose command in global configuration mode. To disable the error diagnostics, use the no form of this command.
Usage Guidelines
Use this command to enable IKEv2 error path tracing and to specify the number of entries in the exit path database. When the number exceeds the specified number, new entries replace the old entries.
Examples
The following example sets the maximum number of entries that can be logged:
Router(config)# crypto ikev2 diagnose error 500Related Commands
Command
Description
crypto ikev2 certificate-cache
Specifies the cache size to store certificates fetched from HTTP URLs.
crypto ikev2 cookie-challenge
Enables IKEv2 cookie challenge.
crypto ikev2 dpd
Defines DPD globally for all peers.
crypto ikev2 http-url cert
Enables HTTP CERT support.
crypto ikev2 limit
Defines call admission control for all peers.
crypto ikev2 nat
Defines NAT keepalive globally for all peers.
crypto ikev2 window
Specifies the IKEv2 window size.
crypto logging ikev2
Enables IKEv2 syslog messages on a server.
crypto ikev2 dpd
To configure Dead Peer Detection (DPD) for Internet Key Exchange Version 2 (IKEv2), use the crypto ikev2 dpdcommand in global configuration mode. To delete DPD, use the no form of this command.
Syntax Description
interval
Specifies the keepalive interval in seconds.
retry-interval
Specifies the retry interval in seconds when there is no reply from the peer.
on-demand
Specifies the on-demand mode to send keepalive only in the absence of any incoming data traffic, to check the liveness of the peer before sending any data.
periodic
Specifies the periodic mode to send keepalives regularly at a specified interval.
Usage Guidelines
Use this command to configure DPD globally for all peers. The DPD configuration in a Internet Key Exchange Version 2 (IKEv2) profile overrides the global DPD configuration.
Examples
The following example shows how to configure the periodic mode for DPD:
Router(config)# crypto ikev2 dpd 500 50 periodicRelated Commands
Command
Description
crypto ikev2 certificate-cache
Specifies the cache size to store certificates fetched from HTTP URLs.
crypto ikev2 cookie-challenge
Enables IKEv2 cookie challenge.
crypto ikev2 diagnose error
Enables IKEv2 error diagnosis.
crypto ikev2 http-url cert
Enables HTTP CERT support.
crypto ikev2 limit
Defines call admission control for all peers.
crypto ikev2 nat
Defines NAT keepalive globally for all peers.
crypto ikev2 window
Specifies the IKEv2 window size.
crypto logging ikev2
Enables IKEv2 syslog messages on a server.
crypto ikev2 fragmentation
To configure Internet Key Exchange Version 2 (IKEv2) fragmentation, use the crypto ikev2 fragmentation command in global configuration mode. To disable the fragmentation, use the no form of this command.
crypto ikev2 http-url
To enable lookup based on HTTP URL, use the crypto ikev2 http-urlcommand in global configuration mode. To disable the lookup based on HTTP URL, use the no form of this command.
Usage Guidelines
Use this command to enable certificate lookup based on the HTTP URL. HTTP CERT indicates that the node is capable of looking up certificates based on the URL. This avoids the fragmentation that results when transferring large certificates.
Examples
The following example shows how to configure HTTP CERT:
Router(config)# crypto ikev2 http-url certRelated Commands
Command
Description
crypto ikev2 certificate-cache
Specifies the cache size to store certificates fetched from HTTP URLs.
crypto ikev2 cookie-challenge
Enables IKEv2 cookie challenge.
crypto ikev2 diagnose error
Enables IKEv2 error diagnosis.
crypto ikev2 dpd
Defines DPD globally for all peers.
crypto ikev2 limit
Defines call admission control for all peers.
crypto ikev2 nat
Defines NAT keepalive globally for all peers.
crypto ikev2 window
Specifies the IKEv2 window size.
crypto logging ikev2
Enables IKEv2 syslog messages on a server.
crypto ikev2 keyring
To configure an Internet Key Exchange version 2 (IKEv2) key ring, use the crypto ikev2 keyring command in the global configuration mode. To delete an IKEv2 keyring, use the no form of this command.
Usage Guidelines
IKEv2 keyrings are independent of IKEv1 keyrings. The key differences are as follows:
- IKEv2 keyrings support symmetric and asymmetric preshared keys.
- IKEv2 keyrings do not support Rivest, Shamir and Adleman (RSA) public keys.
- IKEv2 keyrings are specified in the IKEv2 profile and are not looked up, unlike IKEv1 where keys are looked up on receipt of MM1 to negotiate the preshared key authentication method. The authentication method is not negotiated in IKEv2.
- IKEv2 keyrings are not associated with VPN routing and forwarding (VRF) during configuration. The VRF of an IKEv2 keyring is the VRF of the IKEv2 profile that refers the keyring.
- A single keyring can be specified in an IKEv2 profile, unlike an IKEv1 profile, which can specify multiple keyrings.
- A single keyring can be specified in more than one IKEv2 profile, if the same keys are shared across peers matching different profiles.
- An IKEv2 keyring is structured as one or more peer subblocks.
On an IKEv2 initiator, IKEv2 keyring key lookup is performed using the peer’s hostname or the address, in that order. Use the hostname (ikev2 keyring) and address (ikev2 keyring) commands to configure the hostname and address in the IKEv2 keyring peer configuration mode.
On an IKEv2 responder, the key lookup is performed using the peer’s IKEv2 identity or the address, in that order. Use the address (ikev2 keyring) and identity(ikev2 keyring) command to configure the address and identity in IKEv2 keyring peer configuration mode.
NoteYou cannot configure the same identity in more than one peer.
The best match is only performed for address configurations and a key lookup is performed for the remaining peer identification, including identity address.
Examples
The following example shows how to configure a keyring:
Router(config)# crypto ikev2 keyring keyring-1 Router(config-ikev2-keyring)# peer peer1 Router(config-ikev2-keyring-peer)# description example.com Router(config-ikev2-keyring-peer)# address 0.0.0.0 0.0.0.0 Router(config-ikev2-keyring-peer)# pre-shared-key xyz-keyThe following example shows how a keyring match is performed. In the example, the key lookup for peer 10.0.0.1 would first match the wildcard key abc-key, then the prefix key abc-key and finally the host key host1-abc-key and the best match host1-abc-key is used.
Router(config)# crypto ikev2 keyring keyring-1 Router(config-ikev2-keyring)# peer peer1 Router(config-ikev2-keyring-peer)# description example.com Router(config-ikev2-keyring-peer)# address 0.0.0.0 0.0.0.0 Router(config-ikev2-keyring-peer)# pre-shared-key xyz-key Router(config-ikev2-keyring)# peer peer1 Router(config-ikev2-keyring-peer)# description abc.example.com Router(config-ikev2-keyring-peer)# address 10.0.0.0 255.255.0.0 Router(config-ikev2-keyring-peer)# pre-shared-key abc-key Router(config-ikev2-keyring)# peer host1 Router(config-ikev2-keyring-peer)# description host1@abc.example.com Router(config-ikev2-keyring-peer)# address 10.0.0.1 Router(config-ikev2-keyring-peer)# pre-shared-key host1-abc-keyIn the following example, the key lookup for peer 10.0.0.1 would first match the host key host1-abc-key. Because, this is a specific match, no further lookup is performed.
Router(config)# crypto ikev2 keyring keyring-2 Router(config-ikev2-keyring)# peer host1 Router(config-ikev2-keyring-peer)# description host1 in abc.example.com sub-domain Router(config-ikev2-keyring-peer)# address 10.0.0.1 Router(config-ikev2-keyring-peer)# pre-shared-key host1-abc-key Router(config-ikev2-keyring)# peer host2 Router(config-ikev2-keyring-peer)# description example domain Router(config-ikev2-keyring-peer)# address 0.0.0.0 0.0.0.0 Router(config-ikev2-keyring-peer)# pre-shared-key xyz-keyRelated Commands
Command
Description
address (ikev2 keyring)
Specifies the IPv4 address or the range of the peers in IKEv2 keyring.
description (ikev2 keyring)
Describes an IKEv2 peer or a peer group for the IKEv2 keyring.
hostname (ikev2 keyring)
Specifies the hostname for the peer in the IKEv2 keyring.
identity (ikev2 keyring)
Identifies the peer with IKEv2 types of identity.
peer
Defines a peer or a peer group for the keyring.
pre-shared-key (ikev2 keyring)
Defines a preshared key for the IKEv2 peer.
crypto ikev2 limit
To enable call admission control in Internet Key Exchange Version 2 (IKEv2), use the crypto ikev2 limitcommand in global configuration mode. To disable call admission control, use the no form of this command.
crypto ikev2 limit { max-in-negotiation-sa | max-sa } limit
no crypto ikev2 limit { max-in-negotiation-sa | max-sa }
Usage Guidelines
Call admission control limits the in-negotiation and total number of IKEv2 SA on a node.
NoteIn IKEv2, rekey is not a new security association (SA) unlike in IKEv1. Hence, the rekey SA is not counted.
Examples
The following example shows how to enable call admission control:
Router(config)# crypto ikev2 max-in-negotiation-sa limit 5000Related Commands
Command
Description
crypto ikev2 certificate-cache
Specifies the cache size to store certificates fetched from HTTP URLs.
crypto ikev2 cookie-challenge
Enables IKEv2 cookie challenge.
crypto ikev2 diagnose error
Enables IKEv2 error diagnosis.
crypto ikev2 dpd
Defines DPD globally for all peers.
crypto ikev2 http-url cert
Enables HTTP CERT support.
crypto ikev2 nat
Defines NAT keepalive globally for all peers.
crypto ikev2 window
Specifies the IKEv2 window size.
crypto logging ikev2
Enables IKEv2 syslog messages on a server.
crypto ikev2 name mangler
To configure the Internet Key Exchange version 2 (IKEv2) name mangler, use the crypto ikev2 name mangler command in global configuration mode. To delete the name mangler, use the no form of this command.
Usage Guidelines
The IKEv2 name mangler is used to derive a name for the AAA group or user authorization requests. The name mangler contains multiple statements--one for each identity type. The name mangler is derived from the specified portions of different forms of remote IKE identities or EAP identity. The name mangler is referred in the IKEv2 profile using the aaa authorization command.
After enabling this command, which puts the networking device in IKEv2 name mangler configuration mode, you can specify the characteristics for the name mangler using the following commands:
- dn-- Derives the name from the remote identity of type distinguished name (DN).
- eap --Derives the name from remote identities of type Extensible Authentication Protocol (EAP).
- email --Derives the name from the remote identity of type e-mail.
- fqdn --Derives the name from the remote identity of type Fully Qualified Domain Name (FQDN).
Examples
The following example shows how to define name manglers based on identity of type FQDN:
crypto ikev2 name-mangler mangler1 fqdn domain crypto ikev2 name-mangler mangler2 fqdn hostname crypto ikev2 name-mangler mangler3 fqdn allThe following example shows how to define name manglers based on identity of type e-mail:
crypto ikev2 name-mangler mangler1 email domain crypto ikev2 name-mangler mangler2 email username crypto ikev2 name-mangler mangler3 email allThe following example shows how to define name manglers based on identity of type DN:
crypto ikev2 name-mangler mangler2 DN country crypto ikev2 name-mangler mangler3 DN state crypto ikev2 name-mangler mangler4 DN organization crypto ikev2 name-mangler mangler5 DN organization-unitThe following example shows how to define name manglers based on identity of type EAP:
crypto ikev2 name-mangler mangler1 eap all crypto ikev2 name-mangler mangler2 eap prefix user123 delimiter @ crypto ikev2 name-mangler mangler3 eap suffix cisco delimiter crypto ikev2 name-mangler mangler4 eap DN common-namecrypto ikev2 nat
To configure Network Address Translation (NAT) keepalive for Internet Key Exchange Version 2 (IKEv2), use the crypto ikev2 natcommand in global configuration mode. To delete NAT keepalive configuration, use the no form of this command.
Usage Guidelines
Use this command to configure NAT keepalive globally for all peers. The NAT keepalive configuration specified in the IKEv2 profile overrides the global configuration. NAT keepalive prevents the deletion of NAT translation entries in the absence of any traffic, when NAT is between IKEv2 peers.
Examples
The following example shows how to specify a NAT keepalive interval of 500 seconds:
Router(config)# crypto ikev2 nat keepalive 500Related Commands
Command
Description
crypto ikev2 certificate-cache
Specifies the cache size to store certificates fetched from HTTP URLs.
crypto ikev2 cookie-challenge
Enables IKEv2 cookie challenge.
crypto ikev2 diagnose error
Enables IKEv2 error diagnosis.
crypto ikev2 dpd
Defines DPD globally for all peers.
crypto ikev2 http-url cert
Enables HTTP CERT support.
crypto ikev2 limit
Defines call admission control for all peers.
crypto ikev2 window
Specifies the IKEv2 window size.
crypto logging ikev2
Enables IKEv2 syslog messages on a server.
crypto ikev2 policy
To configure an Internet Key Exchange Version 2 (IKEv2) policy, use the crypto ikev2 policy command in global configuration mode. To delete a policy, use the no form of this command. To return the policy to its default value, use the default form of this command.
Command Default
A default IKEv2 policy is used only in the absence of any user-defined IKEv2 policy. The default IKEv2 policy will have the default IKEv2 proposal and will match all local addresses in a global VPN Routing and Forwarding (VRF).
Usage Guidelines
An IKEv2 policy contains the proposals that are used to negotiate the encryption, integrity, Psuedo-Random Function (PRF) algorithms and Diffie-Hellman (DH) group in SA_INIT exchange. IKEv2 policy can have match statements, which are used as selection criteria to select a policy for negotiation.
An IKEv2 policy must contain at least one proposal to be considered as complete, and can have more proposals and match statements.
A policy can have similar or different match statements. Match statements that are similar are logically ORed and match statements that are different are logically ANDed. There is no precedence between match statements of different types. If there are policies with similar match statements, the first policy configured is selected. If there are policies with overlapping match statements, the policy with the best or most specific match is selected.
A policy is matched as follows:
- If no IKEv2 policy is configured, the default policy is used for negotiating a SA that uses any local address in a global VRF.
- If IKEv2 policies are configured, the policy with the best match is selected.
- If none of the configured policies matches, the SA_INIT exchange does not start.
You can modify the default policy using the crypto ikev2 policy default command. You can modify the entire policy or one of the statements in the policy.
You can disable the default policy using the no crypto ikev2 policy default command. When disabled, the values in the default policy are copied and the default policy remains inactive.
Examples
The following examples show how to configure a policy and how a policy match is performed:
Router(config)# crypto ikev2 policy policy1 Router(config-ikev2-policy)# proposal pro1 Router(config-ikev2-policy)# match fvrf green Router(config-ikev2-policy)# match address local 10.0.0.1The policy policy1 is selected and proposal pro1 is used for negotiating IKEv2 SA with the local address as 10.0.0.1 and the FVRF as green:
Router(config)# crypto ikev2 policy policy1 Router(config-ikev2-policy)# proposal pro1 Router(config-ikev2-policy)# match address local 10.0.0.1The policy policy1 is selected and proposal pro1 is used for negotiation of the IKEv2 SA that is negotiatied with the local address as 10.0.0.1 and the FVRF as global:
Router(config)# crypto ikev2 policy policy1 Router(config-ikev2-policy)# proposal pro1 Router(config-ikev2-policy)# match fvrf greenThe policy policy1 is selected and proposal pro1 is used for negotiation of the IKEv2 SA that is negotiatied with any local address and the FVRF as green.
Examples
The following example shows how a policy is chosen out of two policies:
Router(config)# crypto ikev2 policy policy1 Router(config-ikev2-policy)# proposal1 Router(config-ikev2-policy)# match fvrf green Router(config)# crypto ikev2 policy policy2 Router(config-ikev2-policy)# proposal1 Router(config-ikev2-policy)# match fvrf green Router(config-ikev2-policy)# match local address 10.0.0.1To negotiate the SA for local address 10.0.0.1 and FVRF as green, policy 2 is selected because policy 2 is the best match:
Router(config)# crypto ikev2 policy policy1 Router(config-ikev2-policy)# proposal2 Router(config-ikev2-policy)# match local address 10.0.0.1 Router(config-ikev2-policy)# match fvrf green Router(config)# crypto ikev2 policy policy2 Router(config-ikev2-policy)# proposal1 Router(config-ikev2-policy)# match fvrf green Router(config-ikev2-policy)# match local address 10.0.0.1In this case, even though both the policies are the best match, policy1 is selected, because it was configured first.
crypto ikev2 profile
To configure an Internet Key Exchange Version 2 (IKEv2) profile, use the crypto ikev2 profile command in global configuration mode. To delete the profile, use the no form of this command.
Command Default
There is no default IKEv2 profile. However, there are default values for some commands under the profile, such as lifetime.
Usage Guidelines
Use this command to define an IKEv2 profile. An IKEv2 profile is a repository of the nonnegotiable parameters of the IKE security associations (SAs) (such as local/remote identities and authentication methods) and the services that will be available to the authenticated peers that match the profile. The following are the characteristics of an IKEv2 profile:
- It must be attached to either a crypto map or an IPsec profile on the IKEv2 initiator and responder.
- It must contain a match identity or match certificate statement; otherwise the profile is considered incomplete and is unused.
- The statements match VRF, local or remote authentication methods are optional.
The table below describes the differences between IKEv1 and IKEv2 profiles.
Table 1 Differences between IKEv1 and IKEv2 Profiles IKEv1
IKEv2
The authentication method is a negotiable parameter and must be specified in the ISAKMP policy.
The authentication method is not a negotiable parameter, can be asymmetric, and must be specified in the profile.
Multiple keyrings can be specified in the profile.
A single keyring can be specified in the profile and is optional also.
The IKEv2 profile applied on the crypto interface must be the same as IKEv2 profile that matches the peer identity received in the IKE_AUTH exchange.
Examples
The following examples show an IKEv2 profile matched on a remote identity and an IKEv2 profile catering to two peers using different authentication method.
Examples
The following profile caters to peers that identify using fqdn example.com and authenticate with rsa-signature using trustpoint-remote. The local node authenticates with pre-share using keyring-1.
Router(config)# crypto ikev2 profile profile2 Router(config-ikev2-profile)# match identity remote fqdn example.com Router(config-ikev2-profile)# identity local email router2@example.com Router(config-ikev2-profile)# authentication local pre-share Router(config-ikev2-profile)# authentication remote rsa-sig Router(config-ikev2-profile)# keyring keyring-1 Router(config-ikev2-profile)# pki trustpoint trustpoint-remote verify Router(config-ikev2-profile)# lifetime 300 Router(config-ikev2-profile)# dpd 5 10 on-demand Router(config-ikev2-profile)# virtual-template 1Examples
The following profile caters to two peers: user1@example.com that authenticate with pre-share using keyring-1, and user2@example.com authenticates with rsa-signature using trustpoint-remote. However, the local peer authenticates the remote peers with rsa-signature using trustpoint-local.
Router(config)# crypto ikev2 profile profile2 Router(config-ikev2-profile)# match identity remote email user1@example.com Router(config-ikev2-profile)# match identity remote email user2@example.com Router(config-ikev2-profile)# identity local email router2@abc.com Router(config-ikev2-profile)# authentication local rsa-sig Router(config-ikev2-profile)# authentication remote pre-share Router(config-ikev2-profile)# authentication remote rsa-sig Router(config-ikev2-profile)# keyring keyring-1 Router(config-ikev2-profile)# pki trustpoint trustpoint-local sign Router(config-ikev2-profile)# pki trustpoint trustpoint-remote verify Router(config-ikev2-profile)# lifetime 300 Router(config-ikev2-profile)# dpd 5 10 on-demand Router(config-ikev2-profile)# virtual-template 1Examples
The following example shows how to configure the remote access server using the remote EAP authentication method with an external EAP server:
aaa new-model aaa authentication login aaa-eap-list default group radius ! crypto ikev2 profile profile2 authentication remote eap aaa authentication eap aaa-eap-listExamples
The following example shows how to configure the remote access server with local and external EAP server using the remote EAP authentication method:
aaa new-model aaa authentication login aaa-eap-list default group radius aaa authentication login aaa-eap-local-list default group tacacs ! crypto ikev2 profile profile2 authentication remote eap authentication remote eap-local aaa authentication eap aaa-eap-list aaa authentication eap-local aaa-eap-local-listExamples
This example shows how to configure the AAA authorization for a local group policy:
aaa new-model aaa authorization network aaa-group-list default local ! crypto ikev2 client configuration group cisco pool addr-pool1 dns 198.51.100.1 198.51.100.100 wins 203.0.113.1 203.0.113.115 ! crypto ikev2 profile profile1 authentication remote eap aaa authorization group aaa-group-list abcThe aaa-group-list specifies that the group authorization is local and that the AAA username is abc. The authorization list name corresponds to the group policy defined in the crypto ikev2 client configuration group command.
Examples
This example shows how to configure an external AAA-based group policy. The aaa-group-list specifies that the group authorization is RADIUS based. The name mangler derives the group name from the domain part of ID-FQDN, which is abc.
aaa new-model aaa authorization network aaa-group-list default group radius ! crypto ikev2 name-mangler mangler1 fqdn domain ! crypto ikev2 profile profile1 identity remote fqdn host1.abc authentication remote eap aaa authorization group aaa-group-list name-mangler mangler1Examples
This example shows how to configure an external AAA-based group policy. The aaa-user-list specifies that the user authorization is RADIUS based. The name mangler derives the username from the hostname part of ID-FQDN, which is host1.
aaa new-model aaa authorization network aaa-user-list default group radius ! crypto ikev2 name-mangler mangler2 fqdn hostname ! crypto ikev2 profile profile1 match identity remote fqdn host1.abc authentication remote eap aaa authorization user aaa-user-list name-mangler mangler2Related Commands
Command
Description
aaa authentication (IKEv2 profile)
Defines the AAA authentication list for EAP authentication.
aaa authorization (IKEv2 profile)
Defines the AAA authorization for a local or group policy.
authentication (IKEv2 profile)
Defines the local and remote authentication methods.
crypto ikev2 keyring
Defines an IKEv2 keyring.
show crypto ikev2 profile
Displays the IKEv2 profile.
crypto ikev2 proposal
To configure an Internet Key Exchange Version 2 (IKEv2) proposal, use the crypto ikev2 proposal command in global configuration mode. To delete an IKEv2 proposal, use the no form of this command. To return the proposal to its default value, use the default form of this command.
Usage Guidelines
NoteSecurity threats, as well as the cryptographic technologies to help protect against them, are constantly changing. For more information about the latest Cisco cryptographic recommendations, see the Next Generation Encryption (NGE) white paper.
An IKEv2 proposal is a set of transforms used in the negotiation of IKEv2 SA as part of the IKE_SA_INIT exchange. An IKEv2 proposal is regarded as complete only when it has at least an encryption algorithm, an integrity algorithm and a Diffie-Hellman (DH) group configured. If no proposal is configured and attached to an IKEv2 policy, then the default proposal is used in negotiation.
You can modify the default proposal using the crypto ikev2 proposal default command. You can modify the entire proposal or one of the transforms namely, the encryption algorithm, the integrity algorithm and the DH group.
You can disable the default proposal using the no crypto ikev2 proposal default command. When disabled, the values in the default proposal are copied and the default proposal remains inactive.
Although this command is similar to the crypto isakmp policy command, the IKEv2 proposal differs as follows:
- An IKEv2 proposal allows configuration of one or more transforms for each transform type.
- An IKEv2 proposal does not have any associated priority.
NoteThe IKEv2 proposals must be attached to the IKEv2 policies for using the proposals in negotiation. If a proposal is not configured, then the default IKEv2 proposal is used with the default IKEv2 policy.
When multiple transforms are configured for a transform type, the order of priority is from left to right.
A proposal with multiple transforms for each transform type translates to all possible combinations of transforms. If only a subset of these combinations is required, then they must be configured as individual proposals.
Router(config)# crypto ikev2 proposal proposal-1 Router(config-ikev2-proposal)# encryption aes-cbc-128, aes-cbc-192 Router(config-ikev2-proposal)# integrity sha, sha256 Router(config-ikev2-proposal)# group 14For example, the commands shown translates to the following transform combinations:
aes-cbc-128, sha, 14 aes-cbc-192, sha, 14 aes-cbc-128, sha256, 14 aes-cbc-192, sha256, 14To configure the first and last transform combinations, the commands are as follows:
Router(config)# crypto ikev2 proposal proposal-1 Router(config-ikev2-proposal)# encryption aes-cbc-128 Router(config-ikev2-proposal)# integrity sha Router(config-ikev2-proposal)# group 14 Router(config)# crypto ikev2 proposal proposal-2 Router(config-ikev2-proposal)# encryption aes-cbc-192 Router(config-ikev2-proposal)# integrity sha256 Router(config-ikev2-proposal)# group 14Examples
Device(config)# crypto ikev2 proposal proposal-1 Device(config-ikev2-proposal)# encryption aes-cbc-128 Device(config-ikev2-proposal)# integrity sha1 Device(config-ikev2-proposal)# group 14Examples
Device(config)# crypto ikev2 proposal proposal-2 Device(config-ikev2-proposal)# encryption aes-cbc-128 aes-cbc-192 Device(config-ikev2-proposal)# integrity sha2 sha256 Device(config-ikev2-proposal)# group 14 15The IKEv2 proposal proposal-2 shown translates to the following prioritized list of transform combinations:
Examples
The proposal of the initiator is as follows:
Device(config)# crypto ikev2 proposal proposal-1 Device(config-ikev2-proposal)# encryption aes-cbc-128 aes-cbc-196 Device(config-ikev2-proposal)# integrity sha1 sha256 Device(config-ikev2-proposal)# group 14 16The proposal of the responder is as follows:
Device(config)# crypto ikev2 proposal proposal-2 Device(config-ikev2-proposal)# encryption aes-cbc-196 aes-cbc-128 Device(config-ikev2-proposal)# integrity sha256 sha1 Device(config-ikev2-proposal)# group 16 14In the scenario shown, the initiator choice of algorithms is preferred and the selected algorithms are as follows:
encryption aes-cbc-128 integrity sha1 group 14Related Commands
Command
Description
encryption (ikev2 proposal)
Specifies the encryption algorithm in an IKEv2 proposal.
group (ikev2 proposal)
Specifies the Diffie-Hellman group identifier in an IKEv2 proposal.
integrity (ikev2 proposal)
Specifies the integrity algorithm in an IKEv2 proposal.
show crypto ikev2 proposal
Displays the parameters for each IKEv2 proposal.
crypto ikev2 redirect
To configure an Internet Key Exchange Version 2 (IKEv2) redirect mechanism on a gateway and a client, use the crypto ikev2 redirect command in global configuration mode. To remove the redirect mechanism, use the no form of this command.
crypto ikev2 redirect { client [ max-redirects number ] | gateway { auth | init } }
no crypto ikev2 redirect { client | gateway }
Syntax Description
client
Enables the redirect mechanism on a FlexVPN client.
max-redirects number
(Optional) Specifies the maximum number of redirects that can be configured per session on a FlexVPN client for redirect loop detection. The range is from 1 to 255. The default is 5.
gateway
Enables the redirect mechanism on a gateway.
auth
Enables the redirects mechanism on a gateway when a security association (SA) is authenticated.
init
Enables the redirect mechanism on a gateway when an SA is initiated.
Usage Guidelines
A thorough security analysis shows that redirect during IKE_AUTH is neither more nor less secure than redirect during IKE_INIT. However, for performance and scalability reasons, we recommend redirect during IKE_INIT.
crypto ikev2 window
To configure the Internet Key Exchange Version 2 (IKEv2) window size, use the crypto ikev2 windowcommand in global configuration mode. To delete IKEv2 window configuration, use the no form of this command.
Usage Guidelines
Window size allows multiple IKEv2 request-response pairs in transit. Use this command to specify the IKEv2 window size to have multiple IKEv2 request-response pairs in transit.
Examples
The following example shows how to configure a window size of 10:
Router(config)# crypto ikev2 window size 10Related Commands
Command
Description
crypto ikev2 certificate-cache
Specifies the cache size to store certificates fetched from HTTP URLs.
crypto ikev2 cookie-challenge
Enables IKEv2 cookie challenge.
crypto ikev2 diagnose error
Enables IKEv2 error diagnosis.
crypto ikev2 dpd
Defines DPD globally for all peers.
crypto ikev2 http-url cert
Enables HTTP CERT support.
crypto ikev2 limit
Defines call admission control for all peers.
crypto ikev2 nat
Defines NAT keepalive globally for all peers.
crypto logging ikev2
Enables IKEv2 syslog messages on a server.
crypto ipsec client ezvpn (global)
To create a Cisco Easy VPN remote configuration and enter the Cisco Easy VPN remote configuration mode, use the crypto ipsec client ezvpn command in global configuration mode. To delete the Cisco Easy VPN remote configuration, use the no form of this command.
NoteA separate crypto ipsec client ezvpn command in interface configuration mode assigns a Cisco Easy VPN remote configuration to the interface.
Command History
Release
Modification
12.2(4)YA
This command was introduced for Cisco 806, Cisco 826, Cisco 827, and Cisco 828 routers; Cisco 1700 series routers; and Cisco uBR905 and Cisco uBR925 cable access routers.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
12.2(8)YJ
This command was enhanced to enable you to manually establish and terminate an IPsec VPN tunnel on demand for Cisco 806, Cisco 826, Cisco 827, and Cisco 828 routers; Cisco 1700 series routers; and Cisco uBR905 and Cisco uBR925 cable access routers.
12.2(15)T
This command was integrated into Cisco IOS Release 12.2(15)T.
12.3(4)T
The username command was added, and the peecommand was changed so that the command may now be input multiple times.
12.3(7)XR
The acl and backup commands were added.
12.2(18)SXD
This command was integrated into Cisco IOS Release 12.2(18)SXD.
12.3(11)T
The acl command was integrated into Cisco IOS Release 12.3(11)T. However, the backup command was not integrated into Cisco IOS Release 12.3(11)T.
12.4(2)T
The virtual-interface command was added.
12.4(4)T
The default keyword was added to the peer command, and the flow allow acl and idle-time commands were added.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.4(11)T
The nat acl and nat allow commands were added.
Usage Guidelines
The crypto ipsec client ezvpn command creates a Cisco Easy VPN remote configuration and then enters the Cisco Easy VPN remote configuration mode, at which point you can enter the following commands:
NoteUse the acl command in the Network Extension Mode (NEM) to expand the networks that are being extended. The permit statements in the ACL allow you to add additional networks to the list of extended networks. Without an ACL, the VPN only provides connectivity with the directly connected network of the inside interface.
- backup {ezvpn-config-name}--Specifies the Easy VPN configuration that will be activated when the backup is triggered.
- track {tracked-object-number}--Specifies the link to the tracking system so that the Easy VPN state machine can get the notification to trigger the backup.
- The auto keyword is the default setting, because it was the initial Cisco Easy VPN remote functionality. The IPsec VPN tunnel is automatically connected when the Cisco Easy VPN Remote feature is configured on an interface.
- The manual keyword specifies the manual setting to direct the Cisco Easy VPN remote to wait for a command or application programming interface (API) call before attempting to establish the Cisco Easy VPN remote connection. When the tunnel times out or fails, subsequent connections have to wait for the command to reset to manual or to an API call.
- The acl keyword specifies the ACL-triggered setting, which is used for transactional-based applications and dial backup. Using this option, you can define the “interesting” traffic that triggers the tunnel to be established.
- default--Sets the following command to its default values.
- exit--Exits the Cisco Easy VPN configuration mode and returns to global configuration mode.
- flow allow acl [name | number]--Restricts the client from sending traffic in clear text when the tunnel is down. The name argument is the access list name. The number argument is the access list number, which can be 100 through 199.
- group group-name key group-key--Specifies the group name and key value for the VPN connection.
- idletime--(Optional) Sets the idle time after which an Easy VPN tunnel is brought down.
- The value of the interface-name argument specifies the interface used for tunnel traffic.
After specifying the local address used to source tunnel traffic, the IP address can be obtained in two ways:
- The client keyword (default) automatically configures the router for Cisco Easy VPN client mode operation, which uses Network Address Translation (NAT) or Peer Address Translation (PAT) address translations. When the Cisco Easy VPN remote configuration is assigned to an interface, the router automatically creates the NAT or PAT and access list configuration needed for the VPN connection.
- The network-extension keyword specifies that the router should become a remote extension of the enterprise network at the other end of the VPN connection. The PCs that are connected to the router typically are assigned an IP address in the address space of the enterprise network.
- The network extension plus keyword is identical to network extension mode with the additional capability of being able to request an IP address via mode configuration and automatically assign it to an available loopback interface. The IPsec security associations (SAs) for this IP address are automatically created by Easy VPN Remote. The IP address is typically used for troubleshooting (using ping, Telnet, and Secure Shell).
- nat allow--Allows NAT to be integrated with Cisco Easy VPN.
- no--Removes the command or sets it to its default values.
- peer {ipaddress | hostname } [default]--Sets the peer IP address or hostname for the VPN connection. A hostname can be specified only when the router has a Domain Name System (DNS) server available for hostname resolution.
The peer command may be input multiple times.
The default keyword defines the given peer as the primary peer. When Phase 1 SA negotiations fail and Easy VPN fails over from the primary peer to the next peer on its backup list and the primary peer is again available, the current connection is torn down and the primary peer is reconnected.
- 0 specifies that an unencrypted password will follow.
- 6 specifies that an encrypted password will follow.
- password specifies an unencrypted (cleartext) user password.
The save-password option is useful only if the user password is static, that is, it is not a one-time password (OTP), such as a password generated by a token.
- virtual-interface [virtual-template-number]--Specifies a virtual interface for an Easy VPN remote device. If a virtual template number is specified, the virtual interface is derived from the virtual template that is configured. If a virtual template number is not specified, a generic virtual-access interface of the type tunnel is created. If the creation is successful, Easy VPN makes the virtual-access interface its outside interface (that is, the crypto map and NAT are applied on the virtual-access interface). If the creation is a failure, Easy VPN prints an error message and remains in the IDLE state.
After configuring the Cisco Easy VPN remote configuration, use the exit command to exit the Cisco Easy VPN remote configuration mode and return to global configuration mode.
NoteYou cannot use the no crypto ipsec client ezvpn command to delete a Cisco Easy VPN remote configuration that is assigned to an interface. You must remove that Cisco Easy VPN remote configuration from the interface before you can delete the configuration.
Examples
The following example shows a Cisco Easy VPN remote configuration named “telecommuter-client” being created on a Cisco uBR905 or Cisco uBR925 cable access router and being assigned to cable interface 0:
Router# configure terminal Router(config)# crypto ipsec client ezvpn telecommuter-client Router(config-crypto-ezvpn)# group telecommute-group key secret-telecommute-key Router(config-crypto-ezvpn)# peer telecommuter-server Router(config-crypto-ezvpn)# mode client Router(config-crypto-ezvpn)# exit Router(config)# interface c0 Router(config-if)# crypto ezvpn telecommuter-client Router(config-if)# exit
NoteSpecifying the mode client option as shown above is optional because this is a default configuration for these options.
The following example shows the Cisco Easy VPN remote configuration named “telecommuter-client” being removed from the interface and then deleted:
Router# configure terminal Router(config)# interface e1 Router(config-if)# no crypto ipsec client ezvpn telecommuter-client Router(config-if)# exit Router(config)# no crypto ipsec client ezvpn telecommuter-clientThe following example shows that a virtual IPsec interface has been configured for the Easy VPN remote device:
crypto ipsec client ezvpn EasyVPN1 virtual-interface 3crypto ipsec client ezvpn (interface)
To assign a Cisco Easy Virtual Private Network (VPN) remote configuration to an interface other than a virtual interface, to specify whether the interface is outside or inside, and to configure multiple outside and inside interfaces, use the crypto ipsec client ezvpn command in interface configuration mode. To remove the Cisco Easy VPN remote configuration from the interface, use the no form of this command.
crypto ipsec client ezvpn name [ outside | inside ]
no crypto ipsec client ezvpn name [ outside | inside ]
Syntax Description
name
Specifies the Cisco Easy VPN remote configuration to be assigned to the interface.
Note The interface specified cannot be a virtual interface.
outside
(Optional) Specifies the outside interface of the IP Security (IPsec) client router. You can add up to four outside tunnels for all platforms, one tunnel per outside interface.
inside
(Optional) Specifies the inside interface of the IPsec client router. The Cisco 1700 series has no default inside interface, and any inside interface must be configured. The Cisco 800 series routers and Cisco uBR905 and Cisco uBR925 cable access routers have default inside interfaces. However, you can configure any inside interface and add up to three inside interfaces for all platforms.
Command Default
The default inside interface is the Ethernet interface on Cisco 800 series routers and Cisco uBR905 and Cisco uBR925 cable access routers.
Command History
Release
Modification
12.2(4)YA
This command was introduced on Cisco 806, Cisco 826, Cisco 827, and Cisco 828 routers; Cisco 1700 series routers; and Cisco uBR905 and Cisco uBR925 cable access routers.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
12.2(8)YJ
This command was enhanced to enable you to configure multiple outside and inside interfaces for Cisco 806, Cisco 826, Cisco 827, and Cisco 828 routers; Cisco 1700 series routers; and Cisco uBR905 and Cisco uBR925 cable access routers.
12.2(15)T
This command was integrated into Cisco IOS Release 12.2(15)T.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX
This command is supported in the Cisco IOS 12.2SX family of releases. Support in a specific 12.2SX release is dependent on your feature set, platform, and platform hardware.
Usage Guidelines
The crypto ipsec client ezvpn command assigns a Cisco Easy VPN remote configuration to an interface, enabling the creation of a VPN connection over that interface to the specified VPN peer. If the Cisco Easy VPN remote configuration is configured for the client mode of operation, the router is also automatically configured for network address translation (NAT) or port address translation (PAT) and for an associated access list.
NoteThe crypto ipsec client ezvpn command is not supported on virtual interfaces.
Release 12.2(8)YJ
The crypto ipsec client ezvpn command was enhanced to allow you to configure multiple outside and inside interfaces. To configure multiple outside and inside interfaces, you must use the interface interface-name command to first define the type of interface on the IPsec client router.
- In client mode for the Cisco Easy VPN client, a single security association (SA) connection is used for encrypting and decrypting the traffic coming from all the inside interfaces. In network extension mode, one SA connection is established for each inside interface.
- When a new inside interface is added or an existing one is removed, all established SA connections are deleted and new ones are initiated.
- Configuration information for the default inside interface is shown with the crypto ipsec client ezvpn name inside command. All inside interfaces, whether they belong to a tunnel, are listed in interface configuration mode as an inside interface, along with the tunnel name.
Release 12.2(4)YA
The following restrictions apply to the crypto ipsec client ezvpn command:
- The Cisco Easy VPN remote feature supports only one tunnel, so the crypto ipsec client ezvpn command can be assigned to only one interface. If you attempt to assign it to more than one interface, an error message is displayed. You must use the no form of this command to remove the configuration from the first interface before assigning it to the second interface.
- The crypto ipsec client ezvpn command should be assigned to the outside interface of the NAT or PAT. This command cannot be used on the inside NAT or PAT interface. On some platforms, the inside and outside interfaces are fixed.
For example, on Cisco uBR905 and Cisco uBR925 cable access routers, the outside interface is always the cable interface. On Cisco 1700 series routers, the FastEthernet interface defaults to being the inside interface, so attempting to use the crypto ipsec client ezvpn command on the FastEthernet interface displays an error message.
NoteA separate crypto ipsec client ezvpn command exists in global configuration mode that creates a Cisco Easy VPN remote configuration. You must first use the global configuration version of the crypto ipsec client ezvpn command to create a Cisco Easy VPN remote configuration before assigning it to an interface.
Examples
The following example shows a Cisco Easy VPN remote configuration named “ telecommuter-client” being assigned to the cable interface on a Cisco uBR905 or a Cisco uBR925 cable access router:
Router# configure terminal Router(config)# interface c0 Router(config-if)# crypto ipsec client ezvpn telecommuter-client Router(config-if)# exitThe fo llowing example first shows an attempt to delete the Cisco Easy VPN remote configuration named “telecommuter-client, ” but the configuration cannot be deleted because it is still assigned to an interface. The configuration is then removed from the interface and deleted.
Router# configure terminal Router(config)# no crypto ipsec client ezvpn telecommuter-client Error: crypto map in use by interface; cannot delete Router(config)# interface e1 Router(config-if)# no crypto ipsec client ezvpn telecommuter-client Router(config-if)# exit Router(config)# no crypto ipsec client ezvpn telecommuter-clientcrypto ipsec client ezvpn connect
To connect to a specified IPSec Virtual Private Network (VPN) tunnel in a manual configuration, use the crypto ipsec client ezvpn connect command in privileged EXEC mode. To disable the connection, use the no form of this command.
Command History
Release
Modification
12.2(8)YJ
This command was introduced on Cisco 806, Cisco 826, Cisco 827, and Cisco 828 routers; Cisco 1700 series routers; and Cisco uBR905 and Cisco uBR925 cable access routers.
12.2(15)T
This command was integrated into Cisco IOS Release 12.2(15)T.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX
This command is supported in the Cisco IOS 12.2SX family of releases. Support in a specific 12.2SX release is dependent on your feature set, platform, and platform hardware.
Usage Guidelines
This command is used with the connect [auto | manual | acl] subcommand. After the manual setting is designated, the Cisco Easy VPN remote waits for a command or application programming interface (API) call before attempting to establish the Cisco Easy VPN remote connection.
If the configuration is manual, the tunnel is connected only after the crypto ipsec client ezvpn connect name command is entered in privileged EXEC mode, and after the connect [auto] | manual subcommand is entered.
crypto ipsec client ezvpn xauth
To respond to a pending Virtual Private Network (VPN) authorization request, use the crypto ipsec client ezvpn xauth command in privileged EXEC mode.
Command History
Release
Modification
12.2(4)YA
This command was introduced on Cisco 806, Cisco 826, Cisco 827, and Cisco 828 routers; Cisco 1700 series routers; and Cisco uBR905 and Cisco uBR925 cable access routers.
12.2(8)YJ
This command was enhanced to specify an IPSec VPN tunnel for Cisco 806, Cisco 826, Cisco 827, and Cisco 828 routers; Cisco 1700 series routers; and Cisco uBR905 and Cisco uBR925 cable access routers.
12.2(8)YJ
This command was enhanced to specify an IPSec VPN tunnel for Cisco 806, Cisco 826, Cisco 827, and Cisco 828 routers; Cisco 1700 series routers; and Cisco uBR905 and Cisco uBR925 cable access routers.
12.2(15)T
This command was integrated into Cisco IOS Release 12.2(15)T.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX
This command is supported in the Cisco IOS 12.2SX family of releases. Support in a specific 12.2SX release is dependent on your feature set, platform, and platform hardware.
Usage Guidelines
If the tunnel name is not specified, the authorization request is made on the active tunnel. If there is more than one active tunnel, the command fails with an error requesting that you specify the tunnel name.
When making a VPN connection, individual users might also be required to provide authorization information, such as a username or password. When the remote end requires this information, the router displays a message on the console of the router instructing the user to enter the crypto ipsec client ezvpn xauthcommand. The user then uses command-line interface (CLI) to enter this command and to provide the information requested by the prompts that follow after the command has been entered.
NoteIf the user does not respond to the authentication notification, the message is repeated every 10 seconds.
Examples
The following example shows an example of the user being prompted to enter the crypto ipsec client ezvpn xauth command. The user then enters the requested information and continues.
Router# 20:27:39: EZVPN: Pending XAuth Request, Please enter the following command: 20:27:39: EZVPN: crypto ipsec client ezvpn xauth Router> crypto ipsec client ezvpn xauth Enter Username and Password: userid Password: ************crypto ipsec transform-set default
To enable default IP Security (IPsec) transform sets, use the crypto ipsec transform-set default command in global configuration mode. To disable the default IPsec transform sets, use the no form of this command.
Usage Guidelines
NoteSecurity threats, as well as the cryptographic technologies to help protect against them, are constantly changing. For more information about the latest Cisco cryptographic recommendations, see the Next Generation Encryption (NGE) white paper.
A default transform set will be used by any crypto map or ipsec profile where no other transform set has been configured if the following is true:
- The default transform sets have not been disabled with the no crypto ipsec default transform-set command.
- The crypto engine in use supports the encryption algorithm.
Each default transform set defines both an Encapsulation Security Protocol (ESP) encryption transform type and an ESP authentication transform type as shown in the table below.
Table 2 Default Transform Sets and Parameters Default Transform Name
ESP Encryption Transform and Description
ESP Authentication Transform and Description
#$!default_transform_set_0
esp-3des
(ESP with the 168-bit Triple Data Encryption Standard [3DES or Triple DES] encryption algorithm)
esp-sha-hmac
(ESP with the Secure Hash Algorithm [SHA-1, HMAC variant] authentication algorithm)
#$!default_transform_set_1
esp-aes
(ESP with the 128-bit Advanced Encryption Standard [AES] encryption algorithm)
esp-sha-hmac
Examples
The following example displays output from the show crypto ipsec transform-set default command when the default transform sets are enabled, the default setting. Router# show crypto ipsec transform-set default Transform set #$!default_transform_set_1: { esp-aes esp-sha-hmac } will negotiate = { Transport, }, Transform set #$!default_transform_set_0: { esp-3des esp-sha-hmac } will negotiate = { Transport, }, The following example displays output from the show crypto ipsec transform-set default command when the default transform sets have been disabled with the no crypto ipsec default transform-set command. Router(config)# no crypto ipsec default transform-set Router(config)# exit Router# Router# show crypto ipsec transform-set default ! There is no output. Router#The following is example system log message that is generated whenever IPsec security associations (SAs) have negotiated with a default transform set.
%CRYPTO-5-IPSEC_DEFAULT_TRANSFORM: Using Default IPSec transform-setcrypto ipsec df-bit (global)
To set the DF bit for the encapsulating header in tunnel mode to all interfaces, use the crypto ipsec df-bit command in global configuration mode.
Syntax Description
clear
Outer IP header will have the DF bit cleared, and the router may fragment the packet to add the IP Security (IPSec) encapsulation.
set
Outer IP header will have the DF bit set; however, the router may fragment the packet if the original packet had the DF bit cleared.
copy
The router will look in the original packet for the outer DF bit setting. The copy keyword is the default setting.
Usage Guidelines
Use the crypto ipsec df-bit command in global configuration mode to configure your router to specify the DF bit in an encapsulated header.
You may want use the clear setting for the DF bit when encapsulating tunnel mode IPSec traffic so you can send packets larger than the available maximum transmission unit (MTU) size or if you do not know what the available MTU size is.
If this command is enabled without a specified setting, the router will use the copy setting as the default.
crypto ipsec df-bit (interface)
To set the DF bit for the encapsulating header in tunnel mode to a specific interface, use the crypto ipsec df-bit command in interface configuration mode.
Syntax Description
clear
Outer IP header has the DF bit cleared, and the router may fragment the packet to add the IP Security (IPSec) encapsulation.
set
Outer IP header has the DF bit set; however, the router may fragment the packet if the original packet had the DF bit cleared.
copy
The router looks in the original packet for the outer DF bit setting.
Command Default
The default setting is the same as the crypto ipsec df-bit command setting in global configuration mode.
Usage Guidelines
Use the crypto ipsec df-bit command in interface configuration mode to configure your router to specify the DF bit in an encapsulated header. This command overrides any existing DF bit global settings.
You may want use the clear setting for the DF bit when encapsulating tunnel mode IPSec traffic so you can send packets larger than the available maximum transmission unit (MTU) size or if you do not know what the available MTU size is.
If this command is enabled without a specified setting, the router uses the crypto ipsec df-bit command setting in global configuration mode.
Examples
In following example, the router is configured to globally clear the setting for the DF bit and copy the DF bit on the interface named Ethernet0. Thus, all interfaces except Ethernet0 allows the router to send packets larger than the available MTU size; Ethernet0 allows the router to fragment the packet.
crypto isakmp policy 1 encr aes hash sha authentication pre-share group 14 crypto isakmp key Delaware address 192.168.10.66 crypto isakmp key Key-What-Key address 192.168.11.19 ! ! crypto ipsec transform-set BearMama ah-sha-hmac esp-aes crypto ipsec df-bit clear ! ! crypto map armadillo 1 ipsec-isakmp set peer 192.168.10.66 set transform-set BearMama match address 101 ! crypto map basilisk 1 ipsec-isakmp set peer 192.168.11.19 set transform-set BearMama match address 102 ! ! interface Ethernet0 ip address 192.168.10.38 255.255.255.0 ip broadcast-address 0.0.0.0 media-type 10BaseT crypto map armadillo crypto ipsec df-bit copy ! interface Ethernet1 ip address 192.168.11.75 255.255.255.0 ip broadcast-address 0.0.0.0 media-type 10BaseT crypto map basilisk ! interface Serial0 no ip address ip broadcast-address 0.0.0.0 no ip route-cache no ip mroute-cachecrypto ipsec fragmentation (global)
To enable prefragmentation for IP Security (IPSec) Virtual Private Networks (VPNs) on a global basis, use the crypto ipsec fragmentationcommand in global configuration mode. To disable a manually configured command, use the no form of this command.
crypto ipsec fragmentation { before-encryption | after-encryption }
no crypto ipsec fragmentation { before-encryption | after-encryption }
Usage Guidelines
Use the before-encryptionkeywordto enable prefragmentation for IPSec VPNs; use the after-encryption keyword to disable prefragmentation for IPSec VPNs. This command allows an encrypting router to predetermine the encapsulated packet size from information available in transform sets, which are configured as part of the IPSec security association (SA). If it is predetermined that the packet will exceed the maximum transmission unit (MTU) of the output interface, the packet is fragmented before encryption.
NoteThis command does not show up in the a running configuration if the default global command is enabled. It shows in the running configuration only when you explicitly enable the command on an interface.
crypto ipsec fragmentation (interface)
To enable prefragmentation for IP Security (IPSec) Virtual Private Networks (VPNs) on an interface, use the crypto ipsec fragmentationcommand in interface configuration mode. To disable a manually configured command, use the no form of this command.
crypto ipsec fragmentation { before-encryption | after-encryption }
no crypto ipsec fragmentation { before-encryption | after-encryption }
Command Default
If no other prefragmentation for IPSec VPNs commands are in the configuration, the router will revert to the default global configuration.
Command History
Release
Modification
12.1(11b)E
This command was introduced.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
12.2(14)S
This command was integrated into Cisco IOS Release 12.2(14)S.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Usage Guidelines
Use the before-encryption keyword to enable prefragmentation for IPSec VPNs per interface; use the after-encryption keyword to disable prefragmentation for IPSec VPNs. This command allows an encrypting router to predetermine the encapsulated packet size from information available in transform sets, which are configured as part of the IPSec security association (SA). If it is predetermined that the packet will exceed the maximum transmission unit (MTU) of output interface, the packet is fragmented before encryption.
Examples
The following example shows how to enable prefragmentation for IPSec VPNs on an interface and then how to display the output of the show running configuration command:
NoteThis command shows in the running configuration only when you explicitly enable it on the interface.
Router(config-if)# crypto ipsec fragmentation before-encryption Router(config-if)# exit Router# show running-config crypto isakmp policy 10 encryption aes authentication pre-share group 14 crypto isakmp key abcd123 address 209.165.202.130 ! crypto ipsec transform-set fooprime esp-aes esp-sha-hmac ! crypto map bar 10 ipsec-isakmp set peer 209.165.202.130 set transform-set fooprime match address 102crypto ipsec ipv4-deny
To configure deny address ranges at the global (IPSec VPN SPA) level, use the crypto ipsec ipv4 deny-policy command in global configuration mode.
Syntax Description
jump
Causes the search to jump to the beginning of the ACL associated with the next sequence in the crypto map and continues the search when a deny address is hit.
clear
Allows traffic to pass through in the clear (unencrypted) state when a deny address is hit.
drop
Causes traffic to be dropped when a deny address is hit.
Usage Guidelines
Use this command to prevent repeated address ranges from being programmed in the hardware, resulting in more efficient TCAM space utilization.
Specifying a deny address range in an ACL results in “jump” behavior. When a denied address range is hit, it forces the search to “jump” to the beginning of the ACL associated with the next sequence in a crypto map and continue the search.
The clear keyword allows a deny address range to be programmed in hardware. The deny addresses are then filtered out for encryption and decryption. If the voice private network (VPN) mode is crypto-connect, when a deny address is hit, the search is stopped and traffic is allowed to pass in the clear (unencrypted) state.
If the VPN mode is VRF mode, the deny address matching traffic is dropped.
If you want to pass clear traffic on an address, you must insert a deny address range for each sequence in a crypto map.
Each permit list of addresses inherits all the deny address ranges specified in the ACL. A deny address range causes the software to do a subtraction of the deny address range from a permit list, and creates multiple permit address ranges that need to be programmed in hardware. This behavior can cause repeated address ranges to be programmed in the hardware for a single deny address range, resulting in multiple permit address ranges in a single ACL.
If you apply the specified keyword (jump, clear, or drop) when crypto maps are already configured on the IPSec VPN SPA, all existing IPSec sessions are temporarily removed and restarted, which impacts traffic on your network.
The number of deny entries that can be specified in an ACL are dependent on the keyword specified:
- jump --Supports up to 8 deny entries in an ACL.
- clear --Supports up to 1000 deny entries in an ACL.
- drop --Supports up to 1000 deny entries in an ACL.
crypto ipsec nat-transparency
To enable security parameter index (SPI) matching or User Datagram Protocol (UDP) encapsulation between two Virtual Private Network (VPN) devices, use the crypto ipsec nat-transparencycommand on both devices in global configuration mode. To disable both SPI matching and UDP encapsulation, use the no form of this command with each keyword.
crypto ipsec nat-transparency { spi-matching | udp-encaps }
no crypto ipsec nat-transparency { spi-matching | udp-encaps }
Usage Guidelines
You can use this command to resolve issues that arise when Network Address Translation (NAT) is configured in an IP Security (IPsec)-aware network. This command has two mutually exclusive options:
- The default option is UDP encapsulation of the IPsec protocols.
- The alternative is to match the inbound SPI to the outbound SPI.
When you enter the crypto ipsec nat-transparency command, UDP encapsulation is configured unless you either specifically disable it or configure SPI matching. You can disable both options, but doing so might cause problems if the device you are configuring uses NAT and is part of a VPN.
To disable SPI matching, configure UDP encapsulation or use the no form of this command with the keyword spi-matching. To disable UDP encapsulation, configure SPI matching or use the no form of this command with the keyword udp-encaps. To disable both SPI matching and UDP encapsulation, first disable UDP encapsulation, and then disable SPI matching. If you disable both options, the show running-config command displays: no crypto ipsec nat-transparency udp-encaps.
Examples
The following example enables SPI matching on the endpoint routers:
crypto ipsec nat-transparency spi-matchingRelated Commands
Command
Description
clear ip nat translation
Clears dynamic NAT translations from the translation table.
ip nat
Designates that traffic originating from or destined for the interface is subject to NAT.
ip nat inside destination
Enables NAT of the inside destination address.
ip nat inside source
Enables NAT of the inside source address.
ip nat outside source
Enables NAT of the outside source address.
show ip nat statistics
Displays NAT statistics.
show ip nat translations
Displays active NAT translations.
show crypto isakmp sa detail nat
Displays NAT translations of source and destination addresses.
crypto ipsec optional
To enable IP Security (IPSec) passive mode, use the crypto ipsec optional command in global configuration mode. To disable IPSec passive mode, use the no form of this command.
Usage Guidelines
Use the crypto ipsec optionalcommand to implement an intermediate mode (IPSec passive mode) that allows a router to accept unencrypted and encrypted data. IPSec passive mode is valuable for users who wish to migrate existing networks to IPSec because all routers will continue to interact with routers that encrypt data (that is, that have been upgraded with IPSec) and also with routers that have yet to be upgraded.
After this feature is disabled, all active connections that are sending unencrypted packets are cleared, and a message that reminds the user to enter the write memory command is sent.
NoteBecause a router in IPSec passive mode is insecure, ensure that no routers are accidentally left in this mode after upgrading a network.
Examples
The following example shows how to enable IPSec passive mode:
crypto map xauthmap 10 ipsec-isakmp set peer 209.165.202.145 set transform-set xauthtransform match address 192 ! crypto ipsec optional ! interface Ethernet1/0 ip address 209.165.202.147 255.255.255.224 crypto map xauthmap ! access-list 192 permit ip host 209.165.202.147 host 209.165.202.145crypto ipsec optional retry
To adjust the amount of time that a packet can be routed in the clear (unencrypted), use the crypto ipsec optional retrycommand in global configuration mode. To return to the default setting (5 minutes), use the no form of this command.
Usage Guidelines
You must enable the crypto ipsec optional command, which enables IPSec passive mode, before you can use this command.
Examples
The following example shows how to enable IPSec passive mode:
crypto map xauthmap 10 ipsec-isakmp set peer 209.165.202.145 set transform-set xauthtransform match address 192 ! crypto ipsec optional crypto ipsec optional retry 60 ! interface Ethernet1/0 ip address 209.165.202.147 255.255.255.224 crypto map xauthmap ! access-list 192 permit ip host 209.165.202.147 host 209.165.202.145crypto ipsec profile
To define the IP Security (IPsec) parameters that are to be used for IPsec encryption between two IPsec routers and to enter IPsec profile configuration mode, use the crypto ipsec profile command in global configuration mode. To delete an IPsec profile, use the no form of this command. To return the IPsec profile to its default value, use the default form of this command.
Command History
Release
Modification
12.2(13)T
This command was introduced.
12.2(18)SXE
This command was integrated into Cisco IOS Release 12.2(18)SXE.
12.4(4)T
Support for IPv6 was added.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
Cisco IOS XE Release 2.1
This command was introduced on Cisco ASR 1000 Series Routers.
Usage Guidelines
NoteSecurity threats, as well as the cryptographic technologies to help protect against them, are constantly changing. For more information about the latest Cisco cryptographic recommendations, see the Next Generation Encryption (NGE) white paper.
An IPsec profile abstracts the IPsec policy settings into a single profile that can be used in other parts of the Cisco IOS configuration.
The IPsec profile shares most of the same commands with the crypto map configuration, but only a subset of the commands are valid in an IPsec profile. Only commands that pertain to an IPsec policy can be issued under an IPsec profile; you cannot specify the IPsec peer address or the access control list (ACL) to match the packets that are to be encrypted.
After this command has been enabled, the following commands can be configured under an IPsec profile:
- default —Lists the commands that can be configured under the crypto ipsec profile command.
- description —Describes the crypto map statement policy.
- dialer —Specifies dialer-related commands.
- redundancy —Specifies a redundancy group name.
- set-identity —Specifies identity restrictions.
- set isakmp-profile —Specifies an ISAKMP profile.
- set pfs —Specifies perfect forward secrecy (PFS) settings.
- set security-association —Defines security association parameters.
- set-transform-set —Specifies a list of transform sets in order of priority.
After enabling this command, the only parameter that must be defined under the profile is the transform set via the set transform-set command.
You can modify the default IPsec profile using the crypto ipsec profile default command. You can disable the default IPsec profile using the no crypto ipsec profile default command.
For more information on transform sets, refer to the section “Defining Transform Sets” in the chapter “Configuring IPSec Network Security” in the Cisco IOS Security Configuration Guide.
Examples
The following example shows how to configure a crypto map that uses an IPsec profile:
crypto ipsec transform-set cat-transforms esp-aes esp-sha-hmac mode transport ! crypto ipsec profile cat-profile set transform-set cat-transforms set pfs group14 ! interface Tunnel1 ip address 192.168.1.1 255.255.255.252 tunnel source FastEthernet2/0 tunnel destination 10.13.7.67 tunnel protection ipsec profile cat-profileRelated Commands
Command
Description
crypto ipsec transform-set
Defines a transform set.
set pfs
Specifies that IPsec should ask for PFS when requesting new security associations for a crypto map entry.
set transform-set
Specifies which transform sets can be used with the crypto map entry.
tunnel protection
Associates a tunnel interface with an IPsec profile.
crypto ipsec security-association dummy
To enable the generation and transmission of dummy packets in an IPsec traffic flow, use the crypto ipsec security-association dummy command in global configuration mode. To disable this generation and transmission, use the no form of this command.
crypto ipsec security-association dummy { pps rate | seconds seconds }
no crypto ipsec security-association dummy
Usage Guidelines
RFC 4303 specifies a method to hide packet data in an IPsec traffic flow by adding dummy packets in the traffic flow. Use the crypto ipsec security-association dummy command to generate and transmit dummy packets to hide data in the IPsec traffic flow. The dummy packet is designated by setting the next header field in the Encapsulating Security Payload (ESP) packet to a value of 59. When a crypto engine receives such packets, it discards them.
Use the pps rate keyword/argument pair to specify a rate greater than one packet per second.
crypto ipsec security-association idle-time
To configure the IP Security (IPSec) security association (SA) idle timer, use the crypto ipsec security-association idle-time command in global configuration mode or crypto map configuration mode. To inactivate the IPSec SA idle timer, use the no form of this command.
Usage Guidelines
Use the crypto ipsec security-association idle-time command to configure the IPSec SA idle timer. This timer controls the amount of time that an SA will be maintained for an idle peer.
Use the crypto ipsec security-association lifetimecommand to configure global lifetimes for IPSec SAs. There are two lifetimes: a timed lifetime and a traffic-volume lifetime. A security association expires after the first of these lifetimes is reached.
The IPSec SA idle timers are different from the global lifetimes for IPSec SAs. The expiration of the global lifetimes is independent of peer activity. The IPSec SA idle timer allows SAs associated with inactive peers to be deleted before the global lifetime has expired.
If the IPSec SA idle timers are not configured with the crypto ipsec security-association idle-time command, only the global lifetimes for IPSec SAs are applied. SAs are maintained until the global timers expire, regardless of peer activity.
NoteIf the last IPSec SA to a given peer is deleted due to idle timer expiration, the Internet Key Exchange (IKE) SA to that peer will also be deleted.
Release 12.2(33)SRA or later releases Release 12.2(33)SXH or later releases
In a system using the IPSec VPN SPA with these software releases, the configured value for the seconds argument is rounded up to the next multiple of 600 seconds (ten minutes), and the rounded value becomes the polling interval for SA idle detection. Because the SA idle condition must be observed in two successive pollings, the period of inactivity may last up to twice the polling period before the SAs are deleted.
Examples
The following example configures the IPSec SA idle timer to drop SAs for inactive peers after at least 750 seconds:
Router# configure terminal Router(config)# crypto ipsec security-association idle-time 750With Cisco IOS Release 12.2(15)T or later releases, the SA will be deleted after an inactivity period of 750 seconds.
With Cisco IOS Release 12.2(33)SRA or 12.2(33)SXH or later releases, the configured value of 750 seconds will be rounded up to 1200 seconds (the next multiple of 600), which becomes the idle polling interval. The SA will be deleted after two successive idle pollings, resulting in an inactivity period of between 1200 and 2400 seconds before deletion.
crypto ipsec security-association lifetime
To change global lifetime values used when negotiating IPsec security associations, use the crypto ipsec security-association lifetimecommand in global configuration mode. To reset a lifetime to the default value, use the no form of this command.
crypto ipsec security-association lifetime { seconds seconds | kilobytes kilobytes | kilobytes disable }
no crypto ipsec security-association lifetime { seconds | kilobytes | kilobytes disable }
Syntax Description
seconds seconds
Specifies the number of seconds a security association will live before expiring. The default is 3600 seconds (one hour).
kilobytes kilobytes
Specifies the volume of traffic (in kilobytes) that can pass between IPsec peers using a given security association before that security association expires. The default is 4,608,000 kilobytes.
kilobytes disable
Disables the Internet Key Exchange (IKE) rekey based on volume only on the router on which it is configured.
- If the no form is used with this keyword, lifetime settings switch back to the default settings.
Command Default
3600 seconds (one hour) and 4,608,000 kilobytes (10 megabits per second for one hour).
Command History
Release
Modification
11.3T
This command was introduced.
12.2(13)T
The security association negotiation changed. Prior to Cisco IOS Release 12.2(13)T, the new security association was negotiated either 30 seconds before the seconds lifetime expired or when the volume of traffic through the tunnel reached 256 kilobytes less than the kilobytes lifetime. Effective with Cisco IOS Release 12.2(13)T, the negotiation is either 30 seconds before the seconds lifetime expires or when the volume of traffic through the tunnel reaches 90 percent of the kilobytes lifetime.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
12.2(33)SXI
The disable keyword was added.
Note This keyword addition is for only Cisco IOS Release 12.2(33)SXI.
15.0(1)M
The disable keyword was added.
Usage Guidelines
IPsec security associations use shared secret keys. These keys and their security associations time out together.
Assuming that the particular crypto map entry does not have lifetime values configured, when the router requests new security associations during security association negotiation, it will specify its global lifetime value in the request to the peer; it will use this value as the lifetime of the new security associations. When the router receives a negotiation request from the peer, it will use the smaller of the lifetime value proposed by the peer or the locally configured lifetime value as the lifetime of the new security associations.
There are two lifetimes: a “timed” lifetime and a “traffic-volume” lifetime. The security association expires after the first of these lifetimes is reached.
If you change a global lifetime, the change is only applied when the crypto map entry does not have a lifetime value specified. The change will not be applied to existing security associations, but will be used in subsequent negotiations to establish new security associations. If you want the new settings to take effect sooner, you can clear all or part of the security association database by using the clear crypto sa command. Refer to the clear crypto sa command for more details.
To change the global timed lifetime, use the crypto ipsec security-association lifetime seconds form of the command. The timed lifetime causes the security association to time out after the specified number of seconds have passed.
To change the global traffic-volume lifetime, use the crypto ipsec security-association lifetime kilobytes form of the command. The traffic-volume lifetime causes the security association to time out after the specified amount of traffic (in kilobytes) has been protected by the key of the security association.
Shorter lifetimes can make it harder to mount a successful key recovery attack, since the attacker has less data encrypted under the same key to work with. However, shorter lifetimes require more CPU processing time for establishing new security associations.
The lifetime values are ignored for manually established security associations (security associations installed using an ipsec-manual crypto map entry).
How The Lifetimes Work
The security association (and corresponding keys) will expire according to whichever occurs sooner, either after the number of seconds has passed (specified by the secondskeyword) or after the amount of traffic in kilobytes has passed (specified by the kilobytes keyword).
A new security association is negotiated before the lifetime threshold of the existing security association is reached, to ensure that a new security association is ready for use when the old one expires. The secondslifetime and the kilobyteslifetime each have a jitter mechanism to avoid security association rekey collisions. The new security association is negotiated either (30 plus a random number of) seconds before the seconds lifetime expires or when the traffic volume reaches (90 minus a random number of) percent of the kilobyteslifetime (whichever occurs first).
If no traffic has passed through the tunnel during the entire life of the security association, a new security association is not negotiated when the lifetime expires. Instead, a new security association will be negotiated only when IPsec sees another packet that should be protected.
Disabling the Volume Lifetime
The crypto ipsec security-association lifetime kilobytes disable form of the command disables the volume lifetime. Using this command form should result in a significant improvement in performance and reliability, and this option can be used to reduce packet loss in high traffic environments. It can be used to prevent frequent rekeys that are triggered by reaching the volume lifetimes.
NoteThe volume lifetime can also be disabled using the set security-association lifetime kilobytes disable command.
Examples
The following example shortens both lifetimes, because the administrator feels there is a higher risk that the keys could be compromised. The timed lifetime is shortened to 2700 seconds (45 minutes), and the traffic-volume lifetime is shortened to 2,304,000 kilobytes (10 megabits per second for one half hour).
crypto ipsec security-association lifetime seconds 2700 crypto ipsec security-association lifetime kilobytes 2304000The following example shows that the kilobytes disable keyword has been used to disable the volume lifetime.
crypto ipsec security-association lifetime kilobytes disableRelated Commands
Command
Description
set security-association lifetime
Overrides (for a particular crypto map entry) the global lifetime value, which is used when negotiating IPsec security associations.
show crypto ipsec security-association lifetime
Displays the security-association lifetime value configured for a particular crypto map entry.
crypto ipsec security-association replay disable
To disable anti-replay checking globally, use the crypto ipsec security-association replay disable command in global configuration mode. To reset the configuration to enable anti-replay checking, use the no form of this command.
crypto ipsec security-association replay window-size
To set the size of the security association (SA) anti-replay window globally, use the crypto ipsec security-association replay window-sizecommand in global configuration mode. To reset the window size to the default of 64, use the no form of this command.
crypto ipsec security-association replay window-size [N]
no crypto ipsec security-association replay window-size
crypto ipsec server send-update
To send auto-update notifications any time after an Easy VPN connection is “up,” use the crypto ipsec server send-update command in privileged EXEC mode.
Command History
Release
Modification
12.4(2T)
This command was introduced.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX
This command is supported in the Cisco IOS 12.2SX family of releases. Support in a specific 12.2SX release is dependent on your feature set, platform, and platform hardware.
crypto ipsec transform-set
To define a transform se—an acceptable combination of security protocols and algorithms—use the crypto ipsec transform-set command in global configuration mode. To delete a transform set, use the no form of this command. To return the transform-set to its default value, use the default form of this command.
crypto ipsec transform-set transform-set-name transform1 [transform2] [transform3] [transform4]
no crypto ipsec transform-set transform-set-name
default crypto ipsec transform-set
Syntax Description
transform-set-name
Name of the transform set to create (or modify).
transform1 transform2 transform3 transform4
Type of transform set. You may specify up to four “transforms”: one Authentication Header (AH), one Encapsulating Security Payload (ESP) encryption, one ESP authentication, and one compression. These transforms define the IP Security (IPSec) security protocols and algorithms. Accepted transform values are described in the table below.
Command History
Release
Modification
11.3 T
This command was introduced.
12.2(13)T
The following transform set options were added: esp-aes, esp-aes 192, and esp-aes 256.
12.3(7)T
The esp-seal transform set option was added.
12.2(33)SRA
This command was integrated into Cisco IOS release 12.(33)SRA.
12.2SX
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
15.1(2)T
This command was modified in Cisco IOS Release 15.1(2)T. The esp-gcm and esp-gmac transforms were added.
Usage Guidelines
NoteSecurity threats, as well as the cryptographic technologies to help protect against them, are constantly changing. For more information about the latest Cisco cryptographic recommendations, see the Next Generation Encryption (NGE) white paper.
A transform set is an acceptable combination of security protocols, algorithms, and other settings to apply to IPSec-protected traffic. During the IPSec security association (SA) negotiation, the peers agree to use a particular transform set when protecting a particular data flow.
You can configure multiple transform sets, and then specify one or more of these transform sets in a crypto map entry. The transform set defined in the crypto map entry is used in the IPSec SA negotiation to protect the data flows specified by the access list of that crypto map entry. During the negotiation, the peers search for a transform set that is the same at both peers. When such a transform set is found, it is selected and will be applied to the protected traffic as part of the IPSec SAs of both peers.
When Internet Key Exchange (IKE) is not used to establish SAs, a single transform set must be used. The transform set is not negotiated.
Before a transform set can be included in a crypto map entry, it must be defined using this command.
Although this command is similar to the crypto isakmp policy command, the IKEv2 proposal differs as follows:
A transform set specifies one or two IPSec security protocols (either AH, ESP, or both) and specifies which algorithms to use with the selected security protocol. The AH and ESP IPSec security protocols are described in the section “crypto ipsec transform-set.”
To define a transform set, you specify one to four “transforms”--each transform represents an IPSec security protocol (AH or ESP) plus the algorithm you want to use. When the particular transform set is used during negotiations for IPSec SAs, the entire transform set (the combination of protocols, algorithms, and other settings) must match a transform set at the remote peer.
In a transform set you can specify the AH protocol, the ESP protocol, or both. If you specify an ESP protocol in a transform set, you can specify just an ESP encryption transform set or both an ESP encryption transform set and an ESP authentication transform set.
The table below lists the acceptable transform set combination selections for the AH and ESP protocols.
Table 3 Allowed Transform Combinations Transform Type
Transform
Description
AH Transform >Pick only one.
ah-md5-hmac
AH with the MD5 (Message Digest 5) (a Hash-based Message Authentication Code [HMAC] variant) authentication algorithm. (No longer recommended).
ah-sha-hmac
AH with the SHA (Secure Hash Algorithm) (an HMAC variant) authentication algorithm.
ESP Encryption Transform ( >Pick only one.
esp-aes
ESP with the 128-bit Advanced Encryption Standard (AES) encryption algorithm.
esp-gcm
esp-gmac
The esp-gcm and esp-gmac transforms are ESPs with either a 128 or 256 bit encryption algorithm. The default for either of these transforms is 128 bits.
Note Both the esp-gcm and esp-gmac transforms cannot be configured together with any other ESP transform within the same crypto IPsec transform set using the crypto ipsec transform-set command.
esp-aes 192
ESP with the 192-bit AES encryption algorithm.
esp-aes 256
ESP with the 256-bit AES encryption algorithm.
esp-des
ESP with the 56-bit Data Encryption Standard (DES) encryption algorithm. (No longer recommended).
esp-3des
ESP with the 168-bit DES encryption algorithm (3DES or Triple DES). (No longer recommended).
esp-null
Null encryption algorithm.
esp-seal
ESP with the 160-bit SEAL encryption algorithm. (No longer recommended).
ESP Authentication Transform (Pick only one. )
esp-md5-hmac
ESP with the MD5 (HMAC variant) authentication algorithm. (No longer recommended).
esp-sha-hmac
ESP with the SHA (HMAC variant) authentication algorithm.
IP Compression Transform
comp-lzs
IP compression with the Lempel-Ziv-Stac (LZS) algorithm.
Examples of acceptable transform set combinations are as follows:
- ah-sha-hmac
- esp-gcm 256
- esp-aes
- esp-aes and esp-sha-hmac
- ah-sha-hmac and esp-aes and esp-sha-hmac
- comp-lzs and esp-sha-hmac and esp-aes (In general, the comp-lzs transform set can be included with any other legal combination that does not already include the comp-lzs transform.)
- esp-seal and esp-md5-hmac
The parser will prevent you from entering invalid combinations; for example, after you specify an AH transform set, it will not allow you to specify another AH transform set for the current transform set.
IPSec Protocols: AH and ESP
Both the AH and ESP protocols implement security services for IPSec.
AH provides data authentication and antireplay services.
ESP provides packet encryption and optional data authentication and antireplay services.
ESP encapsulates the protected data--either a full IP datagram (or only the payload)--with an ESP header and an ESP trailer. AH is embedded in the protected data; it inserts an AH header immediately after the outer IP header and before the inner IP datagram or payload. Traffic that originates and terminates at the IPSec peers can be sent in either tunnel or transport mode; all other traffic is sent in tunnel mode. Tunnel mode encapsulates and protects a full IP datagram, while transport mode encapsulates or protects the payload of an IP datagram. For more information about modes, see the mode(IPSec) command description.
The esp-seal Transform
There are three limitations on the use of the esp-seal transform set:
- The esp-seal transform set can be used only if no crypto accelerators are present. This limitation is present because no current crypto accelerators implement the SEAL encryption transform set, and if a crypto accelerator is present, it will handle all IPSec connections that are negotiated with IKE. If a crypto accelerator is present, the Cisco IOS software will allow the transform set to be configured, but it will warn that it will not be used as long as the crypto accelerator is enabled.
- The esp-seal transform set can be used only in conjunction with an authentication transform set, namely one of these: esp-md5-hmac, (not recommended) esp-sha-hmac, ah-md5-hmac (not recommended), or ah-sha-hmac. This limitation is present because SEAL encryption is especially weak when it comes to protecting against modifications of the encrypted packet. Therefore, to prevent such a weakness, an authentication transform set is required. (Authentication transform sets are designed to foil such attacks.) If you attempt to configure an IPSec transform set using SEAL but without an authentication transform set, an error is generated, and the transform set is rejected.
- The esp-seal transform set cannot be used with a manually keyed crypto map. This limitation is present because such a configuration would reuse the same keystream for each reboot, which would compromise security. Because of the security issue, such a configuration is prohibited. If you attempt to configure a manually keyed crypto map with a SEAL-based transform set, an error is generated, and the transform set is rejected.
Selecting Appropriate Transform Sets
The following tips may help you select transform sets that are appropriate for your situation:
- If you want to provide data confidentiality, include an ESP encryption transform set.
- If you want to ensure data authentication for the outer IP header as well as the data, include an AH transform set. (Some consider the benefits of outer IP header data integrity to be debatable.)
- If you use an ESP encryption transform set, also consider including an ESP authentication transform set or an AH transform set to provide authentication services for the transform set.
- If you want data authentication (either using ESP or AH), you can choose from the MD5 or SHA (HMAC keyed hash variants) authentication algorithms. The SHA algorithm is generally considered stronger than MD5 but is slower.
- Note that some transform sets might not be supported by the IPSec peer.
NoteIf a user enters an IPSec transform set that the hardware does not support, a warning message will be displayed immediately after the crypto ipsec transform-set command is entered.
- In cases where you need to specify an encryption transform set but do not actually encrypt packets, you can use the esp-null transform.
Suggested transform set combinations follow:
The Crypto Transform Configuration Mode
After you issue the crypto ipsec transform-set command, you are put into the crypto transform configuration mode. While in this mode, you can change the mode to tunnel or transport. (These are optional changes.) After you have made these changes, type exit to return to global configuration mode. For more information about these optional changes, see the match address (IPSec) and mode (IPSec) command descriptions.
Changing Existing Transform Sets
If one or more transform sets are specified in the crypto ipsec transform-set command for an existing transform set, the specified transform sets will replace the existing transform sets for that transform set.
If you change a transform set definition, the change is only applied to crypto map entries that reference the transform set. The change will not be applied to existing SAs but will be used in subsequent negotiations to establish new SAs. If you want the new settings to take effect sooner, you can clear all or part of the SA database by using the clear crypto sa command.
Default Transform Set
You can modify the default transform-set using the crypto ipsec transform-set default command. You can disable the default transform-set using the no crypto ipsec transform-set default command.
If you do not specify a transform-set, the default transform-set is used with the default profile.
Examples
The following example defines two transform sets. The first transform set will be used with an IPSec peer that supports the newer ESP and AH protocols. The second transform set will be used with an IPSec peer that supports only the older transforms.
Router (config)# crypto ipsec transform-set newer esp-aes esp-sha-hmac Router (config)# crypto ipsec transform-set older ah-md5-hmac esp-desThe following example is a sample warning message that is displayed when a user enters an IPSec transform set that the hardware does not support:
Router (config)# crypto ipsec transform transform-1 esp-aes 256 esp-sha-hmac WARNING:encryption hardware does not support transform esp-aes 256 within IPSec transform transform-1The following output example shows that SEAL encryption has been correctly configured with an authentication transform set:
Router (config)# crypto ipsec transform-set seal esp-seal esp-sha-hmacThe following example is a warning message that is displayed when SEAL encryption has been configured with a crypto accelerator present:
Router (config)# show running-config crypto ipsec transform-set seal esp-seal esp-sha-hmac ! Disabled because transform not supported by encryption hardwareThe following example is an error message that is displayed when SEAL encryption has been configured without an authentication transform set:
Router (config)# crypto ipsec transform seal esp-seal ERROR: Transform requires either ESP or AH authentication.The following example is an error message that is displayed when SEAL encryption has been configured within a manually keyed crypto map:
Router (config)# crypto map green 10 ipsec-manual %Note: This new crypto map will remain disabled until a peer and a valid access list have been configured. Router (config-crypto-map)# set transform seal ERROR: transform seal illegal for a manual crypto map.Related Commands
Command
Description
clear crypto sa
Deletes IPSec security associations.
crypto ipsec transform-set
Defines a transform set--an acceptable combination of security protocols and algorithms.
match address
Specifies an extended access list for a crypto map entry.
mode (IPSec)
Changes the mode for a transform set.
set transform-set
Specifies which transform sets can be used with the crypto map entry.
show crypto ipsec transform-set
Displays the configured transform sets.
