Pre shared key length error

accounting
list-name

no
accounting

Command Default

The default value is no accounting.

Command Modes

ISAKMP profile configuration

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Examples

The following example shows how to create an accounting list:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# crypto isakmp profile vpnprofile
RP/0/RP0/CPU0:router(config-isa-prof)# accounting aaalist

Related Commands

To configure split tunneling, use the acl command in ISAKMP group configuration mode. To remove this command from your configuration and restore the default value, use the no form of this command.

Command Default

Split tunneling is not enabled; all data is sent through the Virtual Private Network (VPN) tunnel.

Command Modes

ISAKMP group configuration

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Use the acl command to specify which groups of ACLs represent protected subnets for split tunneling. Split tunneling is the ability to have a secure tunnel to the central site and simultaneous clear-text tunnels to the Internet.

Examples

The following example shows how to correctly apply split tunneling for the group name cisco. In this example, all traffic sourced from the client and destined to the subnet 192.168.1.0 are sent through the VPN tunnel.

RP/0/RP00/CPU0:router# configure
RP/0/RP00/CPU0:router(config)# crypto isakmp client configuration group cisco
RP/0/RP00/CPU0:router(config-group)# key cisco
RP/0/RP00/CPU0:router(config-group)# acl group1
RP/0/RP00/CPU0:router(config)# access-list 199 permit ip 192.168.1.0 0.0.0.255 any

Related Commands

To specify the IP address for the Rivest, Shamir, and Adelman (RSA) public key of the remote peer you manually configure, use the address command in public key configuration mode. To remove the IP address of the remote peer, use the no form of this command.

Command Modes

None

Public key configuration

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Use the address command to specify the RSA public key for the IP Security (IPSec) peer you manually configure next.

When you finish specifying the RSA key, you must return to global configuration mode by entering quit at the public key configuration mode prompt.

Examples

The following example manually specifies the RSA public keys of an IPSec peer:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# crypto keyring vpnkey
RP/0/RP0/CPU0:router(config-keyring)# rsa-pubkey name host.vpn.com
RP/0/RP0/CPU0:router(config-pubkey)# address 10.5.5.1
RP/0/RP0/CPU0:router(config-pubkey)# key-string 005C300D 06092A86 4886F70D 01010105
005C300D 06092A86 4886F70D 01010105
00034B00 30480241 00C5E23B 55D6AB22
04AEF1BA A54028A6 9ACC01C5 129D99E4
64CAB820 847EDAD9 DF0B4E4C 73A05DD2
BD62A8A9 FA603DD2 E2A8A6F8 98F76E28
D58AD221 B583D7A4 71020301 0001
quit

Related Commands

To specify the authentication method within an Internet Key Exchange (IKE) policy, use the authentication command in ISAKMP policy configuration mode. To reset the authentication method to the default value, use the no form of this command.

Command Default

RSA signatures

Command Modes

ISAKMP policy configuration

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

IKE policies define a set of parameters during IKE negotiation. Use the authentication command to specify the authentication method in an IKE policy. If you specify preshared keys, you must also separately configure these preshared keys.

If you specify RSA encrypted nonces, you must ensure that each peer has the RSA public keys of the other peers. (See the address, rsa-pubkey, and key-string commands.)

If you specify RSA signatures, you must configure your peer routers to obtain certificates from a certification authority (CA).

Examples

The following example shows how to configure an IKE policy with preshared keys as the authentication method (and with all other parameters set to the defaults):

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# crypto isakmp policy 15
RP/0/RP0/CPU0:router(config-isakmp)# authentication pre-share

The following example shows how to configure an IKE policy with RSA encrypted keys as the authentication method (and with all other parameters set to the defaults):

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# crypto isakmp policy 15
RP/0/RP0/CPU0:router(config-isakmp)# authentication rsa-encr

The following example configures an IKE policy with RSA signatures as the authentication method (and with all other parameters set to the defaults):

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# crypto isakmp policy 15
RP/0/RP0/CPU0:router(config-isakmp)# authentication rsa-sig

Related Commands

To clear active Internet Key Exchange (IKE) connections, use the clear crypto isakmp command in EXEC mode.

clear
crypto
isakmp
[connection-id]

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Note	If the connection-id argument is not used, all existing IKE connections are cleared when this command is issued.

Examples

The following example shows how to clear an IKE connection between two peers connected by interfaces 172.21.114.123 and 172.21.114.67:

RP/0/RP0/CPU0:router# show crypto isakmp sa
vrf             dst             src             state           conn-id    nodeid
----------      ------------    ------------    ---------       -------    ------
default         172.21.114.123  172.21.114.67   QM_IDLE         1          0
default         172.0.0.2       172.0.0.1       QM_IDLE         8          0

RP/0/RP0/CPU0:router# configure
Enter configuration commands, one per line.  End with CNTL/Z.

RP/0/RP0/CPU0:router# clear crypto isakmp 1
RP/0/RP0/CPU0:router# show crypto isakmp sa

vrf             dst             src             state           conn-id    nodeid
----------      ------------    ------------    ---------       -------    ------
default         172.0.0.2       172.0.0.1       QM_IDLE         8          0

Related Commands

To clear ISAKMP call admission statistics, use the clear crypto isakmp call admission statistics command in EXEC mode.

clear
crypto
isakmp
call
isakmp
call
admission
statistics

Syntax Description

This command has no keywords or arguments.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Examples

The following example shows how to clear call admission statistics:

RP/0/RP0/CPU0:router# clear crypto isakmp call admission statistics

Related Commands

To clear the statistics for Internet Security Association and Key Management Protocol (ISAKMP) errors, use the clear crypto isakmp errors command in EXEC mode.

clear
crypto
isakmp
error

Syntax Description

This command has no keywords or arguments.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Examples

The following example shows how to clear ISAKMP error statistics:

RP/0/RP0/CPU0:router# show crypto isakmp errors

Control Plane Errors
---------------------
ERR NO MEMORY.....................................0
INVALID CERT......................................0
CRYPTO FAILURE....................................0
SA NOT AUTH.......................................0
AUTHENTICATION FAILED.............................0
GROUP AUTHOR FAILED...............................0
USER AUTHEN REJECTED..............................0
LOCAL ADDRESS FAILURE.............................0
FAILED TO CREATE SKEYID...........................0
RSA PUBLIC KEY NOT FOUND..........................0
RETRANSMITION LIMIT...............................0
MALFORMED MESSAGE.................................0
QUICK MODE TIMER EXPIRED..........................0
KEY NOT FOUND IN PROFILE..........................0
PROFILE NOT FOUND.................................0
PRESHARED KEY NOT FOUND...........................0
PHASE2 PROPOSAL NOT CHOSEN........................0
POLICY MISMATCH...................................0
NO POLICY FOUND...................................0
PACKET PROCESS FAILURE............................0

Warnings
---------
CERT DOESNT MATCH ID..............................0
CERT ISNT TRUSTED ROOT............................0
PACKET NOT ENCRYPTED..............................0
UNRELIABLE INFO MSG...............................0
NO SA.............................................0
BAD DOI SA........................................0
UNKNOWN EXCHANGE TYPE.............................0
OUTGOING PKT TOO BIG..............................0
INCOMING PKT TOO BIG..............................0

Informational
--------------
CAC DROPS.........................................0
DEFAULT POLICY ACCEPTED...........................0

RP/0/RP0/CPU0:router# clear crypto isakmp errors

Related Commands

clear
crypto
session
[ user
username | group
group | interface | ivrf
vrf-name | local
ip-address | fvrf
vrf-name | remote
ip-address ]

Command Default

If the clear crypto session command is entered without any keywords, all existing sessions are deleted. The IPSec SAs are deleted first. Then, the IKE SAs are deleted. The default value for the remote port is 500.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

To clear a specific crypto session or a subset of all the sessions, you need to provide session-specific parameters, such as local interface, local IP address, remote IP address (and port), FVRF name, or IVRF name.

If a local IP address is provided as a parameter, all the sessions (and their IKE SAs and IPSec SAs) that share the IP address as a local crypto endpoint (IKE local address) are deleted.

Examples

The following example shows how to delete all crypto sessions:

RP/0/RP0/CPU0:router# clear crypto session

The following example shows that the crypto session of the FVRF named “blue ” is deleted:

RP/0/RP0/CPU0:router# clear crypto session fvrf blue

The following example shows that the crypto session of the local endpoint 10.1.1.1 is deleted:

RP/0/RP0/CPU0:router# clear crypto session local 10.1.1.1

Related Commands

To globally enable Internet Key Exchange (IKE) at your peer router, use the crypto isakmp command in global configuration mode. To disable IKE at the peer, use the no form of this command.

Syntax Description

This command has no keywords or arguments.

Command Default

IKE is disabled.

Command Modes

Global configuration

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

IKE need not be enabled for individual interfaces, but is enabled globally for all interfaces at the router.

Examples

The following example shows how to disable IKE at one peer:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# crypto isakmp
RP/0/RP0/CPU0:router(config)# no crypto isakmp

crypto
isakmp
call
admission
limit
{ cpu
{ total
percent | ike
percent } | in-negotiation-sa
number | sa
number }

no
crypto
isakmp
call
admission
limit
{ cpu
{ total
percent | ike
percent } | in-negotiation-sa
number | sa
number }

Command Default

The default value for the in-negotiation-sa keyword is set to 1000 SAs.

Command Modes

Global configuration

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

A request for an IKE SA is denied if insufficient system resources exist to handle the negotiation.

Examples

The following example shows how to use the crypto isakmp call admission limit command:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# crypto isakmp call admission limit cpu ike 30

Related Commands

To include the configuration of a local group profile, use the crypto isakmp client configuration group command in global configuration mode. To disable the profile for this local group, use the no form of this command.

Command Modes

Global configuration

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

The key command must be enabled if the client identifies itself with a preshared key.

The following commands are available in the IKE group policy configuration mode:

• acl—Configures split tunneling. The acl-name argument specifies a group of access control list (ACL) rules that represent protected subnets for split tunneling purposes.
• key—Specifies the Internet Key Exchange (IKE) preshared key for group policy attribute definition. The key command must be enabled if the client identifies itself with a preshared key.

Use the crypto isakmp client configuration group command to enter group configuration mode.

Examples

The following example shows how to include the configuration of a local group profile with the group name marketing:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# crypto isakmp client configuration group marketing
RP/0/RP0/CPU0:router(config-group)#

Related Commands

crypto
isakmp
identity
{ address | hostname }

no
crypto
isakmp
identity

Command Default

The IP address is used for the ISAKMP identity.

Command Modes

Global configuration

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Use the crypto isakmp identity command to specify an ISAKMP identity either by IP address or by hostname. As a general rule, you should set all identities for peers in the same way—either by IP address or by hostname.

Set an ISAKMP identity whenever you specify preshared keys.

Use the address keyword when only one interface (and therefore only one IP address) is used by the peer for IKE negotiations, and the IP address is known.

Use the hostname keyword if more than one interface on the peer might be used for IKE negotiations, or if the IP address for the interface is unknown (such as with dynamically assigned IP addresses).

Examples

The following example shows how to use preshared keys at two peers and set both their ISAKMP identities to the IP address.

At the local peer (at 10.0.0.1), the ISAKMP identity is set and the preshared key is specified.

RP/0/RP0/CPU0:router(config)# crypto isakmp identity address
RP/0/RP0/CPU0:router(config)# crypto keyring keyring1
RP/0/RP0/CPU0:router(config-keyring)# pre-shared-key address 192.168.1.33 key presharedkey

At the remote peer (at 192.168.1.33), the ISAKMP identity is set and the same preshared key is specified.

RP/0/RP0/CPU0:router(config)# crypto isakmp identity address
RP/0/RP0/CPU0:router(config)# crypto keyring keyring1
RP/0/RP0/CPU0:router(config-keyring)# pre-shared-key address 10.0.0.1 key presharedkey

Note	In the preceding example, if the crypto isakmp identity command had not been performed, the ISAKMP identities would still have been set to the IP address, the default identity.

The following example shows how to use preshared keys at two peers and set both their ISAKMP identities to the host name.

At the local peer, the ISAKMP identity is set and the preshared key is specified.

RP/0/RP0/CPU0:router(config)# crypto isakmp identity hostname
RP/0/RP0/CPU0:router(config)# crypto keyring keyring1
RP/0/RP0/CPU0:router(config-keyring)# pre-shared-key hostname remoterouter.example.com key presharedkey

At the remote peer, the ISAKMP identity is set and the same preshared key is specified.

RP/0/RP0/CPU0:router(config)# crypto isakmp identity hostname
RP/0/RP0/CPU0:router(config)# crypto keyring keyring1
RP/0/RP0/CPU0:router(config-keyring)# pre-shared-key hostname localrouter.example.com key presharedkey

Related Commands

To use the Internet Key Exchange (IKE) security association (SA) feature for providing a mechanism for detecting loss of connectivity between two IP Security (IPSec) peers, use the crypto isakmp keepalive command in global configuration mode. To disable this feature, use the no form of this command.

Command Default

IKE does not send keepalive messages until specified by this command.

Command Modes

Global configuration

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

If IKE does not receive the keepalive acknowledge message from the peer after four tries, IKE concludes that it has lost connectivity with its peer.

Examples

The following example shows how to set the number of seconds between keepalive messages to 20 seconds, and the number of seconds between retries to 20 seconds if keepalive fails:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# crypto isakmp keepalive 20 20 on-demand

Related Commands

To enable an IP Security (IPSec) peer for Internet Key Exchange (IKE), use the crypto isakmp peer command in global configuration mode. To disable this functionality, use the no form of this command.

Command Modes

Global configuration

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Use the crypto isakmp peer command to enter ISAKMP peer configuration mode.

You can give a peer that is identified by an IP address a meaningful name or description.

Examples

The following example shows that the peer address is 40.40.40.2 and named citeA:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# crypto isakmp peer address 40.40.40.2
RP/0/RP0/CPU0:router(config-isakmp-peer)# description citeA
RP/0/RP0/CPU0:router(config-isakmp-peer)# commit

RP/0/RP0/CPU0:router# show crypto isakmp peers
Peer: 60.60.60.2   Port: 500   Local: 70.70.70.2   vrf: default
  UDP encapsulate: False
  SA information:
    Connection ID: 2
    State: QM_IDLE
    Phase 1 ID: IPV4_ADDR 60.60.60.2

Peer: 40.40.40.2   Port: 500   Local: 50.50.50.2   vrf: default
  Description: peerA
  UDP encapsulate: False
  SA information:
    Connection ID: 1
    State: QM_IDLE
    Phase 1 ID: IPV4_ADDR 40.40.40.2

Related Commands

crypto
isakmp
policy
priority

no
crypto
isakmp
policy
priority

Command Default

There is a default policy, which always has the lowest priority. The default policy contains default values for the encryption, hash, authentication, Diffie-Hellman group, and lifetime parameters. (The parameter defaults are listed in the “Usage Guidelines” section.) When you create an IKE policy, the default for a particular parameter is used if no value is specified.

Command Modes

Global configuration

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Use the crypto isakmp policy command to specify the parameters to use during an IKE negotiation. (These parameters create the IKE security association [SA].)

The crypto isakmp policy command enters ISAKMP policy configuration mode. The following commands are available in this mode to specify the parameters in the policy:

• authentication (IKE policy) command—Specifies that the default values are Rivest, Shamir, and Adelman (RSA) signatures.
• description (IKE policy) command—Creates a description of an IKE policy.
• encryption (IKE policy) command— Sets the encryption algorithm for protection suite according to one of the following standards.
• group (IKE policy) command—Specifies that the default value is 768-bit Diffie-Hellman.
• hash (IKE policy) command—Specifies that the default value is SHA-1.
• lifetime (IKE policy) command—Specifies that the default value is 86,400 seconds (1 day).

If you do not specify one of these commands for a policy, the default value is used for that parameter.

You can configure multiple IKE policies on each peer participating in IP Security (IPSec). When the IKE negotiation begins, it tries to find a common policy configured on both peers, starting with the highest priority policies as specified on the remote peer.

Examples

The following example shows how to configure two policies for the peer:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# crypto isakmp policy 15
RP/0/RP0/CPU0:router(config-isakmp)# hash md5
RP/0/RP0/CPU0:router(config-isakmp)# authentication rsa-sig
RP/0/RP0/CPU0:router(config-isakmp)# group 2
RP/0/RP0/CPU0:router(config-isakmp)# lifetime 5000
RP/0/RP0/CPU0:router(config-isakmp)# exit

RP/0/RP0/CPU0:router(config)# crypto isakmp policy 20
RP/0/RP0/CPU0:router(config-isakmp)# authentication pre-share
RP/0/RP0/CPU0:router(config-isakmp)# lifetime 10000
RP/0/RP0/CPU0:router(config-isakmp)# exit

The configuration results in the following policies:

Protection suite priority 15
  encryption algorithm: DES - Data Encryption Standard (56 bit keys)
  hash algorithm: Message Digest 5
  authentication method: Rivest-Shamir-Adelman Signature
  Diffie-Hellman Group: #2 (1024 bit)
  lifetime: 5000 seconds, no volume limit
Protection suite priority 20
  encryption algorithm: DES - Data Encryption Standard (56 bit keys)
  hash algorithm: Secure Hash Standard
  authentication method: Pre-Shared Key
  Diffie-Hellman Group: #1 (768 bit)
  lifetime: 10000 seconds, no volume limit
Default protection suite
  encryption algorithm: DES - Data Encryption Standard (56 bit keys)
  hash algorithm: Secure Hash Standard
  authentication method: Rivest-Shamir-Adleman Signature
  Diffie-Hellman Group: #1 (768 bit)
  lifetime: 86400 seconds, no volume limit

IKE policy 15 is the highest priority, and the default policy is the lowest priority.

Related Commands

To define a policy set for an ISAKMP protection suite, use the crypto isakmp policy-set command in global configuration mode. To cancel a previously configured policy set, use the no variant to the command.

Command Modes

Global configuration

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Use of this command takes you to ISAKMP policy set configuration mode.

Examples

The following example shows how to define an ISAKMP policy set, based on the local address, to restrict users with remote access from accessing certain ISAKMP policies:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# crypto isakmp policy-set mypolicy
RP/0/RP0/CPU0:router(config-isakmp-pol-set)# 

Related Commands

To define an ISAKMP profile and audit IPSec user sessions, use the crypto isakmp profile command in global configuration mode. To delete a crypto ISAKMP profile, use the no form of this command.

Command Modes

Global configuration

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

The local keyword is used in the ISAKMP profile to define locally sourced or destined traffic. This traffic is decrypted or encrypted by the route processor (RP) rather than by the Cisco IPSec VPN SPA.

The peers are mapped to an ISAKMP profile when their identities are matched (as given in the identification [ID] payload of the Internet Key Exchange [IKE]) against the identities defined in the ISAKMP profile. To uniquely map to an ISAKMP profile, no two ISAKMP profiles should match the same identity. If the peer identity is matched in two ISAKMP profiles, the configuration is invalid. At least one match identity command must also be defined in the ISAKMP profile for the profile to be complete.

Before you configure an ISAKMP profile, the key rings that are used for the profile should be configured.

Examples

The following example shows how to define an ISAKMP profile and match the peer identities:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# crypto isakmp profile local vpnprofile
RP/0/RP0/CPU0:router(config-isa-prof)# match identity local group vpngroup
RP/0/RP0/CPU0:router(config-isa-prof-match)# set interface tunnel-ipsec 1

Related Commands

crypto
keyring
keyring-name
[ vrf
fvrf-name ]

no
crypto
keyring
keyring-name
[ vrf
fvrf-name ]

Command Default

If the vrf keyword is not defined, the keyring is referenced to the global VRF.

Command Modes

Global configuration

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

A keyring is a repository of preshared and RSA public keys. The keyring is used in global configuration mode. The ISAKMP profile successfully completes authentication of peers if the peer keys are defined in the keyring that is attached to this profile.

Use the crypto keyring command to enter keyring configuration mode.

Examples

The following example shows how to use the crypto keyring command:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# crypto keyring vpnkey
RP/0/RP0/CPU0:router(config-keyring)# pre-shared-key address 10.72.23.11 key vpnsecret

Related Commands

crypto
logging
tunnel-status

no
crypto
logging
tunnel-status

Command Default

The default is disabled.

Command Modes

Global configuration

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Examples

The following example shows how to use the crypto logging command:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# crypto logging tunnel-status

To create a description for an Internet Key Exchange (IKE) policy, use the description command in ISAKMP policy configuration mode. To delete an IKE policy description, use the no form of this command.

Command Modes

Global configuration

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Examples

The following example shows the creation of an IKE policy description:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# crypto isakmp policy 15
RP/0/RP0/CPU0:router(config-isakmp)# description this is a sample IKE policy

To create a description for an ISAKMP policy set, use the description command in ISAKMP policy configuration mode. To delete an ISAKMP policy-set description, use the no form of this command.

Command Modes

ISAKMP policy configuration

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Use the description command inside the ISAKMP policy-set configuration submode to create a description for an IKE policy set.

Examples

The following example shows the creation of an IKE policy description:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# crypto isakmp policy-set pol1
RP/0/RP0/CPU0:router(config-isakmp-pol-set)# description this is a sample IKE policy-set

Related Commands

To add the description of an Internet Key Exchange (IKE) peer, use the description command in ISAKMP peer configuration mode. To delete the description, use the no form of this command.

Command Modes

ISAKMP peer configuration

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

IKE peers that “sit” behind a Network Address Translation (NAT) device cannot be uniquely identified; therefore, they have to share the same peer description.

Examples

The following example shows that the description «connection from site A» is added for an IKE peer:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# crypto isakmp peer address 10.2.2.9
RP/0/RP0/CPU0:router(config-isakmp-peer)# description connection from site A

Related Commands

description
string

no
description

Command Default

The default description is blank.

Command Modes

Keyring configuration

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Examples

The following example shows the creation of a keyring description:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# crypto keyring vpnkey
RP/0/RP0/CPU0:router(config-keyring)# description this is a sample keyring

Related Commands

encryption
{ des | 3des | aes | aes
192 | aes
256 }

no
encryption

Command Default

The 56-bit DES-CBC encryption algorithm (des).

Command Modes

ISAKMP policy configuration

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

IKE policies define a set of parameters during IKE negotiation. Use the encryption command to specify the encryption algorithm in an IKE policy.

Examples

The following example shows how to configure an IKE policy with the 3DES encryption algorithm (and with all other parameters set to the defaults):

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# crypto isakmp policy 15
RP/0/RP0/CPU0:router(config-isakmp)# encryption 3des

Related Commands

group
{ 1 | 2 | 5 }

no
group

Command Default

The default is 768-bit Diffie-Hellman (group 1).

Command Modes

ISAKMP policy configuration

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

IKE policies define a set of parameters during IKE negotiation. Use the group (IKE policy) command to specify the Diffie-Hellman group in an IKE policy.

Examples

The following example shows how to configure an IKE policy with the 1024-bit Diffie-Hellman group (all other parameters are set to the defaults):

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# crypto isakmp policy 15
RP/0/RP0/CPU0:router(config-isakmp)# group 2

Related Commands

hash
{ sha | md5 }

no
hash

Command Default

SHA-1 hash algorithm

Command Modes

ISAKMP policy configuration

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Use the hash command to specify the hash algorithm in an IKE policy. IKE policies define a set of parameters during IKE negotiation.

Examples

The following example shows how to configure an IKE policy with the MD5 hash algorithm (all other parameters are set to the defaults):

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# crypto isakmp policy 15
RP/0/RP0/CPU0:router(config-isakmp)# hash md5

Related Commands

To let the gateway send dead peer detection (DPD) messages to the peer, use the keepalive command in ISAKMP profile configuration mode. To return to the default, use the no form of this command.

Command Default

Keepalive is enabled.

Command Modes

ISAKMP profile configuration

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Examples

The following example shows how to use the keepalive command:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# crypto isakmp profile vpnprofile
RP/0/RP0/CPU0:router(config-isa-prof)# keepalive disable
 

Related Commands

To specify the Internet Key Exchange (IKE) preshared key for group policy attribute definition, use the key command in ISAKMP group configuration mode. To remove a preshared key, use the no form of this command.

Command Modes

ISAKMP group configuration

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Use the key command to specify the IKE preshared key when defining group policy information for mode configuration push. (It follows the crypto isakmp client configuration group command.) You must configure the key command if the client identifies itself to the router with a preshared key. (You need not enable this command if the client uses a certificate for identification.)

Examples

The following example shows how to specify the preshared key named cisco:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# crypto isakmp client configuration group default
RP/0/RP0/CPU0:router(config-group)# key cisco
RP/0/RP0/CPU0:router(config-group)# acl group1

Related Commands

To configure a keyring with an ISAKMP profile, use the keyring command in ISAKMP profile configuration mode. To remove the keyring from the ISAKMP profile, use the no form of this command.

Command Modes

ISAKMP profile configuration

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

The ISAKMP profile successfully completes authentication of peers if the peer keys are defined in the keyring that is attached to this profile. You must define at least one keyring.

An ISAKMP profile can define one or more keyrings. For example, multiple keyrings can be used when few IKE peer endpoints are in the public address space; whereas, others are in the front door virtual routing and forwarding (FVRF) space as the IKE local endpoints.

Examples

The following example shows how to configure vpnkeyring as the keyring name:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# crypto isakmp profile vpnprofile
RP/0/RP0/CPU0:router(config-isa-prof)# keyring vpnkeyring

Related Commands

To manually specify the Rivest, Shamir, and Adelman (RSA) public key of a remote peer, use the key-string command in public key configuration mode.

Command Modes

Public key configuration

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Use the key-string command to manually specify the RSA public key of an IP Security (IPSec) peer. Before using this command, you must identify the remote peer.

To avoid mistakes, you should cut and paste the key data (instead of attempting to type in the data).

When you finish specifying the RSA key, you must return to global configuration mode by entering quit at the public key configuration mode prompt.

Examples

The following example shows how to manually specify the RSA public keys of an IPSec peer:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# crypto keyring vpnkeyring
RP/0/RP0/CPU0:router(config-keyring)# rsa-pubkey address 10.5.5.1
RP/0/RP0/CPU0:router(config-pubkey)# key-string 005C300D 06092A86 4886F70D 01010105
00034B00 30480241 00C5E23B 55D6AB22
04AEF1BA A54028A6 9ACC01C5 129D99E4
64CAB820 847EDAD9 DF0B4E4C 73A05DD2
BD62A8A9 FA603DD2 E2A8A6F8 98F76E28
D58AD221 B583D7A4 71020301 0001
quit

Related Commands

lifetime
seconds

no
lifetime

Command Default

86400 seconds (1 day)

Command Modes

ISAKMP policy configuration

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Use the lifetime command to specify how long an IKE SA exists before expiring.

When IKE begins negotiations, it first agrees upon the security parameters for its own session. The agreed-upon parameters are then referenced by an SA at each peer. The SA is retained by each peer until the lifetime of the SA expires. Before an SA expires, it can be reused by subsequent IKE negotiations, which can save time when new IP Security (IPSec) SAs are set up.

To save setup time for IPSec, configure a longer IKE SA lifetime. However, shorter lifetimes limit the exposure to attackers of this SA. The longer an SA is used, the more encrypted traffic can be gathered by an attacker and possibly used in an attack.

Note	When your local peer initiates an IKE negotiation between itself and a remote peer, if the lifetimes are not equal, an IKE policy with the shorter lifetime is selected.

Examples

The following example shows how to configure an IKE policy with an SA lifetime of 600 seconds (all other parameters are set to the defaults):

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# crypto isakmp policy 15
RP/0/RP0/CPU0:router(config-isakmp)# lifetime 600

Related Commands

local-address
ip-address

no
local-address
ip-address

Command Default

If the local-address command is not configured, the ISAKMP keyring is available to all local addresses.

Command Modes

Keyring configuration

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Examples

The following example shows that the scope of the ISAKMP keyring is limited only to IP address 130.40.1.1:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# crypto keyring vpnkeyring
RP/0/RP0/CPU0:router(config-keyring)# local-address 130.40.1.1
RP/0/RP0/CPU0:router(config-keyring)# pre-shared-key address 0.0.0.0 0.0.0.0 key mykey

Related Commands

To create an SVI tunnel source, use the match identity command in ISAKMP policy-set configuration mode. To remove the identity, use the no form of this command.

Command Modes

ISAKMP policy-set configuration mode

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

An ISAKMP profile configuration must have at least one match identity command. The peers are mapped to an ISAKMP profile when their identities are matched (as given in the ID payload of the IKE exchange) against the identities that are defined in the ISAKMP profile. To uniquely map to an ISAKMP profile, no two ISAKMP profiles should match the same identity. If the peer identity is matched in two ISAKMP profiles, the configuration is invalid.

The IP address identified in this command requires a particular preconfigured encryption algorithm and it should be the only one operational.

Examples

The following example shows how to configure the match identity (ISAKMP policy-set) command:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# crypto isakmp policy-set ps2
RP/0/RP0/CPU0:router(config-isakmp-pol-set)# policy 60 61
RP/0/RP0/CPU0:router(config-isakmp-pol-set)# match identity local-address 12.13.51.1

Related Commands

To match the identity of a peer in an ISAKMP profile, use the match identity command in ISAKMP profile configuration mode. To remove the identity, use the no form of this command.

Command Default

No default behavior or values

Command Modes

ISAKMP profile configuration

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

An ISAKMP profile configuration must have at least one match identity command. The peers are mapped to an ISAKMP profile when their identities are matched (as given in the ID payload of the IKE exchange) against the identities that are defined in the ISAKMP profile. To uniquely map to an ISAKMP profile, no two ISAKMP profiles should match the same identity. If the peer identity is matched in two ISAKMP profiles, the configuration is invalid.

Note	To configure a tunnel-ipsec interface, you must configure a local ISAKMP profile.

Examples

The following example shows how to configure matches on a local ISAKMP profile:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# crypto isakmp profile local tunnel_ipsec
RP/0/RP0/CPU0:router(config-isa-prof)# match identity address 1.1.1.6/32 vrf default
RP/0/RP0/CPU0:router(config-isa-prof-match)# set interface tunnel-ipsec 3001

Related Commands

To specify the routing priority of a preconfigured policy, use the policy command within the ISAKMP policy-set submode. To cancel the priority, use the no variant of this command.

Command Modes

ISAKMP policy-set configuration mode

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Examples

The following example shows how to configure a routing policy priority:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# crypto isakmp policy-set p1
RP/0/RP0/CPU0:router(config-isakmp-pol-set)# policy pol2

Related Commands

To define a preshared key for IKE authentication, use the pre-shared-key command in keyring configuration mode. To disable, use the no form of this command.

Command Modes

Keyring configuration

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Examples

The following example shows how to configure a preshared key using an IP address and hostname:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# crypto keyring vpnkeyring
RP/0/RP0/CPU0:router(config-keyring)# pre-shared-key address 10.72.23.11 key vpnkey
RP/0/RP0/CPU0:router(config-keyring)# pre-shared-key hostname www.vpn.com key vpnkey

Related Commands

To define the Rivest, Shamir, and Adelman (RSA) manual key to be used for encryption or signature during IKE authentication, use the rsa-pubkey command in keyring configuration mode. To disable the feature, use the no form of this command.

Command Default

The key is used for the signature.

Command Modes

Keyring configuration

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Use the rsa-pubkey command to enter public key configuration mode. Use this command when you need to manually specify RSA public keys of other IP Security (IPSec) peers. You need to specify the keys of other peers when you configure RSA encrypted nonces as the authentication method in an IKE policy at your peer router.

When you finish specifying the RSA key, you must return to global configuration mode by entering quit .

Examples

The following example shows that the RSA manual key of an IPSec peer has been specified:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# crypto keyring vpnkeyring
RP/0/RP0/CPU0:router(config-keyring)# rsa-pubkey name host.vpn.com
RP/0/RP0/CPU0:router(config-pubkey)# key-string 005C300D 06092A86 4886F70D 01010105
005C300D 06092A86 4886F70D 01010105
00034B00 30480241 00C5E23B 55D6AB22
04AEF1BA A54028A6 9ACC01C5 129D99E4
64CAB820 847EDAD9 DF0B4E4C 73A05DD2
BD62A8A9 FA603DD2 E2A8A6F8 98F76E28
D58AD221 B583D7A4 71020301 0001
quit

Related Commands

To define the identity that the local IKE uses to identify itself to the remote peer, use the self-identity command in ISAKMP profile configuration mode. To remove the ISAKMP identity that was defined for the IKE, use the no form of this command.

Command Default

If no ISAKMP identity is defined in the ISAKMP profile configuration, global configuration is the default.

Command Modes

ISAKMP profile configuration

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

If the self-identity command is not defined, IKE uses the globally configured value.

Examples

The following example shows that the IKE identity is the user FQDN «user@vpn.com»:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# crypto isakmp profile vpnprofile
RP/0/RP0/CPU0:router(config-isa-prof)# self-identity user-fqdn user@vpn.com

Related Commands

To predefine the virtual interface instance when IKE negotiates for tunnel mode IPSec service associations (SAs) for the traffic that is locally sourced or terminated, use the set interface tunnel-ipsec command in ISAKMP profile match configuration mode. To disable the feature, use the no form of this command.

Command Default

No default behavior or values

Command Modes

ISAKMP profile match configuration

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

When the local endpoint is the IKE responder, the predefined interface is found according to the peer’s identity. When the local endpoint is the IKE initiator, the predefined interface is used to find the appropriate ISAKMP profile to be used. Therefore, a virtual interface cannot be predefined in more than one ISAKMP profile.

Note	The set interface tunnel-ipsec command is used only for local ISAKMP profiles.

Examples

The following example shows how to predefine the interface instance:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:routerr(config)# crypto isakmp profile local vpnprofile
RP/0/RP0/CPU0:router(config-isa-prof)# match identity group vpngroup
RP/0/RP0/CPU0:router(config-isa-prof-match)# set interface tunnel-ipsec 50

Related Commands

To predefine the IPSec profile instance when IKE negotiates for transport mode IPSec service associations (SAs) for the traffic that is locally sourced or terminated, use the set ipsec-profile command in ISAKMP profile match configuration mode. To disable the feature, use the no form of this command.

Command Modes

ISAKMP profile match configuration

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

The IPSec profile must be predefined by using the set ipsec-profile or the set interface tunnel-ipsec command when transport mode IPSec SAs are negotiated. Otherwise, the IKE SA cannot be established.

When the local endpoint is the IKE responder, the predefined interface is found according to the peer’s identity. When the local endpoint is the IKE initiator, the predefined interface is used to find the appropriate ISAKMP profile to be used. Therefore, a virtual interface cannot be predefined in more than one ISAKMP profile.

Note	The profile for the identity is determined based on the selected virtual interface, which, in this case, can only be tunnel-ipsec, because only local ISAKMP profiles are supported.

When the local endpoint is the IKE initiator, the profile or interface configured is used to select the correct ISAKMP profile.

Examples

The following example shows how to predefine the IPSec profile instance:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# crypto isakmp profile local vpnprofile 
RP/0/RP0/CPU0:router(config-isa-prof)# match identity group vpngroup
RP/0/RP0/CPU0:router(config-isa-prof-match)# set ipsec-profile myprofile

Related Commands

To monitor the Call Admission Control (CAC) statistics of the IKE protocol, use the show crypto isakmp call admission statistics command in EXEC mode.

show
crypto
isakmp
call
admission
statistics

Syntax Description

This command has no keywords or arguments.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Examples

The following example shows how to display the configuration for the show crypto isakmp call admission statistics command:

RP/0/RP0/CPU0:router# show crypto isakmp call admission statistics

---------------------------------------------------------------------
               Crypto Call Admission Control Statistics
---------------------------------------------------------------------
IKE Active SA Limit: 1, IKE In-Negotiation SA limit: 2
Total CPU usage limit: 100, IKE CPU usage limit: 100
Total IKE SA Count: 0, active: 0, negotiating: 0
Incoming IKE Calls: 24      , accepted 24      , rejected 0
Outgoing IKE Calls: 16      , accepted 6       , rejected 10
Total Calls: 40
Rejected IKE Calls: 10, resources low 0, limit exceeded 10

This table describes the significant fields shown in the display.

Related Commands

To display the Internet Security Association and Key Management Protocol (ISAKMP) error that occurred during tunnel establishment, use the show crypto isakmp errors command in EXEC mode.

show
crypto
isakmp
errors

Syntax Description

This command has no keywords or arguments.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Examples

The following sample output is from the show crypto isakmp errors command:

RP/0/RP0/CPU0:router# show crypto isakmp errors

Control Plane Errors
---------------------
ERR NO MEMORY.....................................0
INVALID CERT......................................0
CRYPTO FAILURE....................................0
SA NOT AUTH.......................................0
AUTHENTICATION FAILED.............................0
GROUP AUTHOR FAILED...............................0
USER AUTHEN REJECTED..............................0
LOCAL ADDRESS FAILURE.............................0
FAILED TO CREATE SKEYID...........................0
RSA PUBLIC KEY NOT FOUND..........................0
RETRANSMITION LIMIT...............................0
MALFORMED MESSAGE.................................0
QUICK MODE TIMER EXPIRED..........................0
KEY NOT FOUND IN PROFILE..........................0
PROFILE NOT FOUND.................................0
PRESHARED KEY NOT FOUND...........................0
PHASE2 PROPOSAL NOT CHOSEN........................0
POLICY MISMATCH...................................0
NO POLICY FOUND...................................0
PACKET PROCESS FAILURE............................0

Warnings
---------
CERT DOESNT MATCH ID..............................0
CERT ISNT TRUSTED ROOT............................0
PACKET NOT ENCRYPTED..............................0
UNRELIABLE INFO MSG...............................0
NO SA.............................................0
BAD DOI SA........................................0
UNKNOWN EXCHANGE TYPE.............................0
OUTGOING PKT TOO BIG..............................0
INCOMING PKT TOO BIG..............................0

Informational
--------------
CAC DROPS.........................................0
DEFAULT POLICY ACCEPTED...........................0

This table describes the significant fields shown in the display.

Related Commands

To display the Internet Security Association and Key Management Protocol (ISAKMP) preshared keys for a router, use the show crypto isakmp key command in EXEC mode.

Syntax Description

This command has no keywords or arguments.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Examples

The following example shows how to display the IP hostname and address preshared keys:

RP/0/RP0/CPU0:router# show crypto isakmp key

Keyring         Hostname/Address      Preshared Key
K1              3.3.3.1               rd26
K2              5.5.5.5               ex22
K2              tzvi.cisco.com        ppp

This table describes the significant fields shown in the display.

To display peer structures, use the show crypto isakmp peers command in EXEC mode.

show
crypto
isakmp
peers
[ ip-address | vrf
vrf-name ]

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Examples

The following example shows sample output from the show crypto isakmp peers command:

RP/0/RP0/CPU0:router# show crypto isakmp peers

Peer: 10.0.83.1   Port: 4500   Local: 30.0.0.4   vrf: default
  UDP encapsulate: True
  SA information:
    Connection ID: 1
    State: QM_IDLE
    Phase 1 ID: DER_ASN1_DN srbu

This table describes the significant fields shown in the display.

Related Commands

To display the parameters for each Internet Key Exchange (IKE) policy, use the show crypto isakmp policy command in EXEC mode.

show
crypto
isakmp
policy

Syntax Description

This command has no keywords or arguments.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Examples

The following sample output is from the show crypto isakmp policy command after two IKE policies have been configured (with priorities 15 and 20, respectively):

RP/0/RP0/CPU0:router# show crypto isakmp policy

Protection suite priority 15
    encryption algorithm: DES - Data Encryption Standard (56 bit keys)
    hash algorithm: Message Digest 5
    authentication method:  Rivest-Shamir-Adleman Signature
    Diffie-Hellman Group: #2 (1024 bit)
    lifetime: 5000 seconds, no volume limit
Protection suite priority 20
    encryption algorithm: DES - Data Encryption Standard (56 bit keys)
    hash algorithm: Secure Hash Standard
    authentication method: preshared Key
    Diffie-Hellman Group: #1 (768 bit)
    lifetime: 10000 seconds, no volume limit
Default protection suite
    encryption algorithm:  DES - Data Encryption Standard (56 bit keys)
    hash algorithm: Secure Hash Standard
    authentication method: Rivest-Shamir-Adleman Signature
    Diffie-Hellman Group: #1 (768 bit)
    lifetime: 86400 seconds, no volume limit

Note	Although the output shows “no volume limit” for the lifetimes, you can currently configure only a time lifetime (such as 86,400 seconds); volume limit lifetimes are not used.

This table describes the significant fields shown in the display.

Related Commands

To list all the ISAKMP profiles that are defined on a router, use the show crypto isakmp profile command in EXEC mode.

show
crypto
isakmp
profile
[ interface
intf-name | ipsec-profile
ipsec-prof-name | tag
isakmp-prof-name ]

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Examples

The following sample output is from the show crypto isakmp profile command:

RP/0/RP0/CPU0:router# show crypto isakmp profile

ISAKMP Profile: isakmp-prof2
   Keyring(s): kr2
   Identities matched are:
      Address: 10.0.2.1 255.255.255.255 fvrf: green
         Interface: service-ipsec2

ISAKMP Profile: isakmp-prof1
   Keyring(s): kr1
   Identities matched are:
      Group: srbu
         Interface: service-gre1

This table describes the fields for the show crypto isakmp profile command.

Related Commands

To display all current Internet Key Exchange (IKE) security associations (SAs) at a peer, use the show crypto isakmp sa command in EXEC mode.

show
crypto
isakmp
sa
[ connection
ID ]

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Use the connection ID argument to display the list of identifiers.’

Examples

The following sample output is from the show crypto isakmp sa command, after IKE negotiations have been successfully completed between two peers:

            RP/0/RP0/CPU0:router# show crypto isakmp sa vrf
            dst src state conn-id nodeid ---------- ------------ ------------ --------- -------
            ------ default 30.0.0.4 10.0.83.1 QM_IDLE 1 0 

This table describes the significant fields shown in the display.

This table shows the various states that may be displayed in the output of the show crypto isakmp sa command. When an Internet Security Association and Key Management Protocol (ISAKMP) SA exists, it is most likely in its quiescent state (QM_IDLE). For long exchanges, some MM_xxx states may be observed.

Related Commands

To display the information for ISAKMP global statistics, use the show crypto isakmp stats command in EXEC mode.

show
crypto
isakmp
stats
[ vrf
vrf-name ]

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Use the show crypto isakmp stats command to display the ISAKMP statistics per VRF instance. If the VRF instance is not specified, the default for the statistics of the VRF instance is shown.

The following global statistics are printed from the show crypto isakmp stats command:

• Active ISAKMP SAs
• ISAKMPs that are currently being negotiated
• Maximum number of concurrent ISAKMP SAs
• Maximum number of concurrent established SAs
• Number of expired SAs .

Examples

The following example displays sample output from the show crypto isakmp stats command:

RP/0/RP0/CPU0:router# show crypto isakmp stats

VRF ISAKMP statistics:

        Active Tunnels:                 0
        Previous Tunnels:               0

        In Octets:                      0
        In Packets:                     0
        In Drop Packets:                0
        In Notifys Messages:            0
        In Phase2 Exchanges:            0
        In Phase2 Exchange Invalids:    0
        In Phase2 Exchange Rejects:     0
        In Phase2 SA Delete Requests:   0

        Out Octets:                     0
        Out Packets:                    0
        Out Drop Packets:               0
        Out Notifys Messages:           0
        Out Phase2 Exchanges:           0
        Out Phase2 Exchange Invalids:   0
        Out Phase2 Exchange Rejects:    0
        Out Phase2 SA Delete Requests:  0
          
        Initiator Tunnels:              0
        Initiator Tunnel Setup Fails:   0
        Responder Tunnel Setup Fails:   0
        Sys Cap Fails:                  0
        Auth Failures:                  0
        Decryption Fails:               0
        Hash Valid Fails:               0
        No SA Fails:                    0

This table describes the significant fields shown in the display.

To display the Rivest, Shamir, and Adelman (RSA) public keys stored on your router for the peer, use the show crypto key pubkey-chain rsa command in EXEC mode.

show
crypto
key
pubkey-chain
rsa
[ name
key-name | address
key-address ]

Command Default

All RSA public keys stored on your router is displayed.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Use this command to display RSA public keys stored on your router. The display includes the RSA public keys for the peer that were manually configured at your router and keys received by your router through other means (such as by a certificate, if certification authority support is configured).

If a router reboots, any public key derived by certificates are lost because the router asks for certificates again, at which time the public key is derived again.

Use the name or address keyword to display details about a particular RSA public key stored on your router.

If no keyword is used, this command displays a list of all RSA public keys stored on your router.

Examples

The following sample output is from the show crypto key pubkey-chain rsa command:

RP/0/RP0/CPU0:router# show crypto key pubkey-chain rsa

Codes: M - Manually Configured, C - Extracted from certificate

Code Usage      IP-Address        VRF             Keyring      Name
M    Encrypt                                      K1           example.cisco.com
M    Signing    5.5.5.5           green           K2

The following example shows manually configured special-usage RSA public keys for the peer named somerouter. This example also shows three keys obtained from peer certificates: two special-usage keys for peer routerA and a general-purpose key for peer routerB.

Certificate support is used in the example; if certificate support were not in use, none of the peer keys would show “C” in the Code column, and would all need to be manually configured.

This table describes the significant fields shown in the display.

The following sample output is from the show crypto key pubkey-chain rsa command for the name keyword that names the public key as somerouter.example.com:

RP/0/RP0/CPU0:router# show crypto key pubkey-chain rsa name somerouter.example.com

Key name: somerouter.example.com
Key address: 10.0.0.1
 Usage: Signature Key
 Source: Manual
 Data:
  305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00C5E23B 55D6AB22 
  04AEF1BA A54028A6 9ACC01C5 129D99E4 64CAB820 847EDAD9 DF0B4E4C 73A05DD2 
  BD62A8A9 FA603DD2 E2A8A6F8 98F76E28 D58AD221 B583D7A4 71020301 0001

Key name: somerouter.example.com
Key address: 10.0.0.1
 Usage: Encryption Key
 Source: Manual
 Data:
  00302017 4A7D385B 1234EF29 335FC973 2DD50A37 C4F4B0FD 9DADE748 429618D5
  18242BA3 2EDFBDD3 4296142A DDF7D3D8 08407685 2F2190A0 0B43F1BD 9A8A26DB
  07953829 791FCDE9 A98420F0 6A82045B 90288A26 DBC64468 7789F76E EE21

Note	The Source field in the example indicates “Manual,” meaning that the keys were manually configured on the router, not received in the certificate from the peer.

The following sample output is from the show crypto key pubkey-chain rsa command for address 192.168.10.3:

RP/0/RP0/CPU0:router# show crypto key pubkey-chain rsa address 192.168.10.3 

Key name: routerB.example.com
Key address: 192.168.10.3
 Usage: General Purpose Key
 Source: Certificate
 Data:
  0738BC7A 2BC3E9F0 679B00FE 53987BCC 01030201 42DD06AF E228D24C 458AD228
  58BB5DDD F4836401 2A2D7163 219F882E 64CE69D4 B583748A 241BED0F 6E7F2F16
  0DE0986E DF02031F 4B0B0912 F68200C4 C625C389 0BFF3321 A2598935 C1B1

The Source field in the example indicates “Certificate,” meaning that the keys were received by the router by way of the certificate from the other router.

To display status information for active crypto sessions, use the show crypto session command in EXEC mode.

show
crypto
session
[ detail | fvrf
fvrf-name
[detail] | group
group
name | groups | interface
interface-name | ivrf
ivrf-name | local
IP
address
[ fvrf
fvrf-name | detail ] | profile
profile
name
[detail] | remote
IP-address
[ detail | port
remote-port | fvrf
fvrf-name ] | user
username
[detail] | users ]

Command Default

If the show crypto session command is entered without any keywords, all existing sessions are displayed. Port default values are 500. The default interface is tunnel-ipsec.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator.

You can get a list of all the active ISAKMP sessions and of the IKE and IPSec SAs for each session by using the show crypto session command. The following list is included:

• Interface
• IKE SAs that are associated with the peer by whom the IPSec SAs are created
• IPSec SAs serving the flows of a session

Multiple IKE or IPSec SAs are established for the same peer (for the same session), in which case, IKE peer descriptions are repeated with different values for the IKE SAs that are associated with the peer and for the IPSec SAs that are serving the flows of the session.

Examples

The following example shows the list of fields from the show crypto session command:

RP/0/RP0/CPU0:router# show crypto session

Interface:      service-ipsec1
Profile:        prof1
ISAKMP policy:  10
Fvrf:           default
Ivrf:           default
Peer:           21.21.21.21/500
Ike SAs:        1
  IKE SA : conn-id 1 local 100.100.100.1/500 remote 21.21.21.21/500  QM_IDLE
 
Interface:      service-ipsec4
Username:       cisco
InterfaceProfile:        tunnel-ipsec3001ezvpnIke
ProfileGroup:          TUNNEL_IPSECgroup-a
Assigned address:  10.0.0.1
ISAKMP policy:  1020
Fvrf:           default
Ivrf:           default
Peer:           10192.1168.110.52/500
Ike SAs:        1
IPsec FlowsSAs:      1
  IKE SA : conn-id 1 2 local 10135.135.1135.1.6/500 remote 10192.1168.110.52/500  QM_IDLE
  IPSEC FLOW 1510: permit ipv4 100.70.2080.20/2550.2550.2550.255 0 10.70.2080.21/255.255.255.255
        Active SAs 2

The following example shows the detailed information of the session:

Interface:      tunnelservice-ipsec3001gre1
Profile:        TUNNEL_IPSECisakmp-prof1
ISAKMP policy:  10
Fvrf:           default
Ivrf:           default
Peer:           1040.140.140.62/500
Ike SAs:        1
IPsec FlowsSAs:      1
  IKE SA : conn-id 2 1 local 1050.150.150.52/500 remote 1040.140.140.62/500  QM_IDLE
  IPSEC FLOW 2501: permit ipv4 10gre 50.750.20850.2/255.255.255.255 1040.740.20840.2/255.255.255.255
        Active SAs 2
        Inbound:  #pkts dec'ed 5 0 drop 0 life (KB/Sec) 10000000099354592/32492414
        Outbound: #pkts encdec'ed 5 655653 drop 0 life (KB/Sec) 10000000099354592/32492414

Interface:      service-ipsec100
Profile:        isakmp-prof1
ISAKMP policy:  10
Fvrf:           default
Ivrf:           default
Peer:           60.60.60.2/500
Ike SAs:        1
IPsec SAs:      1
  IKE SA : conn-id 3 local 70.70.70.2/500 remote 60.60.60.2/500  QM_IDLE
  IPSEC FLOW 503: permit ipv4 13.13.13.1/255.255.255.255 14.14.14.1/255.255.255.255
        Active SAs 2
        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 87560496/3204
        Outbound: #pkts dec'ed 12738053 drop 0 life (KB/Sec) 87560496/3204

This table describes the significant fields shown in the display.

Related Commands