crypto aaa attribute list through crypto ipsec transform-set

crypto aaa attribute list

To define an authentication, authorization, and accounting (AAA) attribute list of per-user attributes on a local Easy VPN server, use the crypto aaa attribute list command in crypto isakmp group configuration mode. To remove the AAA attribute list, use the no form of this command.

crypto aaa attribute list list-name

no crypto aaa attribute list list-name

Syntax Description

list-name

Name of the local attribute list.

Command Default

A local attribute list is not defined.

Command Modes


Crypto isakmp group configuration

Command History

Release

Modification

12.4(9)T

This command was introduced.

Usage Guidelines


Note


Security threats, as well as the cryptographic technologies to help protect against them, are constantly changing. For more information about the latest Cisco cryptographic recommendations, see the Next Generation Encryption (NGE) white paper.


There is no limit to the number of lists that can be defined (except for NVRAM storage limits).

Examples

The following example shows that per-user attributes have been defined on a local Easy VPN AAA server:


!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login noAAA none
aaa authorization network default local 
!
aaa attribute list per-group
 attribute type inacl "per-group-acl" service ike protocol ip mandatory
!
aaa session-id common
!
resource policy
!
ip subnet-zero
!
!
ip cef
!
!
username example password 0 example
!
!
crypto isakmp policy 3
 encr aes
 authentication pre-share
 group 14
crypto isakmp xauth timeout 90
!
crypto isakmp client configuration group PerUserAAA
 key cisco
 pool dpool
 crypto aaa attribute list per-group
!
crypto isakmp profile vi
 match identity group PerUserAAA
 isakmp authorization list default
 client configuration address respond
 client configuration group PerUserAAA
 virtual-template 1
!
!
crypto ipsec transform-set set esp-aes esp-sha-hmac 
!
crypto ipsec profile vi
 set transform-set set 
 set isakmp-profile vi
!
!
interface GigabitEthernet0/0
 description 'EzVPN Peer'
 ip address 192.168.1.1 255.255.255.128
 duplex full
 speed 100
 media-type rj45
 no negotiation auto
!
interface GigabitEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
 no negotiation auto
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile vi
!
ip local pool dpool 10.5.0.1 10.5.0.10
ip classless
!
no ip http server
no ip http secure-server
!
!
ip access-list extended per-group-acl
 permit tcp any any
 deny   icmp any any
logging alarm informational
logging trap debugging
!
control-plane
!
gatekeeper
 shutdown
!
line con 0
line aux 0
 stopbits 1
line vty 0 4
!
!
end

crypto ca authenticate


Note


This command was replaced by the crypto pki authenticate command effective with Cisco IOS Release 12.3(7)T and 12.2(18)SXE.


To authenticate the certification authority (by getting the certificate of the CA), use the crypto ca authenticate command in global configuration mode.

crypto ca authenticate name

Syntax Description

name

Specifies the name of the CA. This is the same name used when the CA was declared with the crypto ca identity command .

Command Default

No default behavior or values.

Command Modes


Global configuration

Command History

Release

Modification

11.3 T

This command was introduced.

Usage Guidelines

This command is required when you initially configure CA support at your router.

This command authenticates the CA to your router by obtaining the self-signed certificate of the CA that contains the public key of the CA. Because the CA signs its own certificate, you should manually authenticate the public key of the CA by contacting the CA administrator when you perform this command.

If you are using RA mode (using the enrollment mode ra command) when you issue the crypto ca authenticate command, then registration authority signing and encryption certificates will be returned from the CA as well as the CA certificate.

This command is not saved to the router configuration. However. the public keys embedded in the received CA (and RA) certificates are saved to the configuration as part of the RSA public key record (called the “RSA public key chain”).

If the CA does not respond by a timeout period after this command is issued, the terminal control will be returned so it will not be tied up. If this happens, you must re-enter the command. Cisco IOS software will not recognize CA certificate expiration dates set for beyond the year 2038. If the validity period of the CA certificate is set to expire after the year 2038, the following error message will be displayed when authentication with the CA server is attempted:

error retrieving certificate :incomplete chain

The following messages are displayed when you attempt to debug the error:

CRYPTO_PKI: Unable to read CA/RA certificates.

PKI-3-GETCARACERT Failed to receive RA/CA certificates.

If you receive an error message similar to this one, check the expiration date of your CA certificate. If the expiration date of your CA certificate is set after the year 2038, you must reduce the expiration date by a year or more.

Examples

In the following example, the router requests the certificate of the CA. The CA sends its certificate and the router prompts the administrator to verify the certificate of the CA by checking the CA certificate’s fingerprint. The CA administrator can also view the CA certificate’s fingerprint, so you should compare what the CA administrator sees to what the router displays on the screen. If the fingerprint on the router’s screen matches the fingerprint viewed by the CA administrator, you should accept the certificate as valid.


Router(config)# 
crypto ca authenticate myca
Certificate has the following attributes:
Fingerprint: 0123 4567 89AB CDEF 0123
Do you accept this certificate? [yes/no] y
#

crypto ca cert validate


Note


This command was replaced by the crypto pki cert validate command effective with Cisco IOS Release 12.3(8)T and 12.2(18)SXE.


To determine if a trustpoint has been successfully authenticated, a certificate has been requested and granted, and if the certificate is currently valid, use the crypto ca cert validate command in global configuration mode.

crypto ca cert validate trustpoint

Syntax Description

trustpoint

The trustpoint to be validated.

Command Default

No default behavior or values.

Command Modes


Global configuration

Command History

Release

Modification

12.3(8)T

This command was introduced.

Usage Guidelines

The crypto ca cert validate command validates the router's own certificate for a given trustpoint. Use this command as a sanity check after enrollment to verify that the trustpoint is properly authenticated, a certificate has been requested and granted for the trustpoint, and that the certificate is currently valid. A certificate is valid if it is signed by the trustpoint certification authority (CA), not expired, and so on.

Examples

The following examples show the possible output from the crypto ca cert validate command:


Router(config)# crypto ca cert validate ka
Validation Failed: trustpoint not found for ka
Router(config)# crypto ca cert validate ka
Validation Failed: can't get local certificate chain
Router(config)# crypto ca cert validate ka
Certificate chain has 2 certificates.
Certificate chain for ka is valid
Router(config)# crypto ca cert validate ka
Certificate chain has 2 certificates.
Validation Error: no certs on chain
Router(config)# crypto ca cert validate ka
Certificate chain has 2 certificates.
Validation Error: unspecified error

crypto ca certificate chain


Note


This command was replaced by the crypto pki certificate chain command effective with Cisco IOS Release 12.3(7)T and 12.2(18)SXE.


To enter the certificate chain configuration mode, use the crypto ca certificate chain command in global configuration mode. (You need to be in certificate chain configuration mode to delete certificates.)

crypto ca certificate chain name

Syntax Description

name

Specifies the name of the CA. Use the same name as when you declared the CA using the crypto pki trustpoint command.

Command Default

No default behavior or values.

Command Modes


Global configuration

Command History

Release

Modification

11.3 T

This command was introduced.

Usage Guidelines

This command puts you into certificate chain configuration mode. When you are in certificate chain configuration mode, you can delete certificates using the certificate command.

Examples

The following example deletes the router’s certificate. In this example, the router had a general-purpose RSA key pair with one corresponding certificate. The show command is used to determine the serial number of the certificate to be deleted.


Router# show crypto ca certificates
Certificate
  Subject Name
    Name: myrouter.example.com
    IP Address: 10.0.0.1
  Status: Available
  Certificate Serial Number: 0123456789ABCDEF0123456789ABCDEF
  Key Usage: General Purpose
 
CA Certificate
  Status: Available
  Certificate Serial Number: 3051DF7123BEE31B8341DFE4B3A338E5F
  Key Usage: Not Set
Router# configure terminal
Rrouter(config)# crypto ca certificate chain myca
Router(config-cert-chain)# no certificate 0123456789ABCDEF0123456789ABCDEF
% Are you sure you want to remove the certificate [yes/no]? yes
% Be sure to ask the CA administrator to revoke this certificate.
Router(config-cert-chain)# exit

crypto ca certificate map


Note


This command was replaced by the crypto pki certificate map command effective with Cisco IOS Release 12.3(7)T, 12.2(18)SXD, and 12.2(18)SXE.


To define certificate-based access control lists (ACLs), use the crypto ca certificate map command in ca-certificate-map configuration mode. To remove the certificate-based ACLs, use the no form of this command.

crypto ca certificate map label sequence-number

no crypto ca certificate map label sequence-number

Syntax Description

label

A user-specified label that is referenced within the crypto ca trustpoint command.

sequence-number

A number that orders the ACLs with the same label. ACLs with the same label are processed from lowest to highest sequence number. When an ACL is matched, processing stops with a successful result.

Command Default

No default behavior or value.

Command Modes


Ca-certificate-map configuration

Command History

Release

Modification

12.2(15)T

This command was introduced.

Usage Guidelines

Issuing this command places the router in CA certificate map configuration mode where you can specify several certificate fields together with their matching criteria. The general form of these fields is as follows:


field-name match-criteria match-value

The field-name in the above example is one of the certificate fields. Field names are similar to the names used in the International Telecommunication Union Telecommunication Standardization Sector (ITU-T) X.509 standard. The name field is a special field that matches any subject name or related name field in the certificate, such as the alt-subject-name, subject-name , and unstructured-subject-name fields.

  • alt-subject-name -- Case-insensitive string.

  • expires-on --Date field in the format dd mm yyyy hh:mm:ss or mmm dd yyyy hh:mm:ss.

  • issuer-name -- Case-insensitive string.

  • name -- Case-insensitive string.

  • subject-name --Case-insensitive string.

  • unstructured-subject-name -- Case-insensitive string.

  • valid-start --Date field in the format dd mm yyyy hh:mm:ss or mmm dd yyyy hh:mm:ss.


Note


The time portion is optional in both the expires-on date and valid-start field and defaults to 00:00:00 if not specified. The time is interpreted according to the time zone offset configured for the router. The string utc can be appended to the date and time when they are configured as Universal Time, Coordinated (UTC) rather than local time.


The match-criteria in the example is one of the following logical operators:

  • eq --equal (valid for name and date fields)

  • ne --not equal (valid for name and date fields)

  • co --contains (valid only for name fields)

  • nc --does not contain (valid only for name fields)

  • lt --less than (valid only for date fields)

  • ge --greater than or equal to (valid only for date fields)

The match-value is a case-insensitive string or a date.

Examples

The following example shows how to configure a certificate-based ACL that will allow any certificate issued by Cisco Systems to an entity within the cisco.com domain. The label is Cisco, and the sequence is 10.


crypto ca certificate map Cisco 10
 issuer-name co Cisco Systems
 unstructured-subject-name co cisco.com

The following example accepts any certificate issued by Cisco Systems for an entity with DIAL or organizationUnit component ou=WAN. This certificate-based ACL consists of two separate ACLs tied together with the common label Group. Because the check for DIAL has a lower sequence number, it is performed first. Note that the string “DIAL” can occur anywhere in the subjectName field of the certificate, but the string WAN must be in the organizationUnit component.


crypto ca certificate map Group 10
 issuer-name co Cisco Systems
 subject-name co DIAL
crypto ca certificate map Group 20
 issuer-name co Cisco Systems
 subject-name co ou=WAN

Case is ignored in string comparisons; therefore, DIAL in the previous example will match dial, DIAL, Dial, and so on. Also note that the component identifiers (o=, ou=, cn=, and so on) are not required unless it is desirable that the string to be matched occurs in a specific component of the name. (Refer to the ITU-T security standards for more information about certificate fields and components such as ou=.)

If a component identifier is specified in the match string, the exact string, including the component identifier, must appear in the certificate. This requirement can present a problem if more than one component identifier is included in the match string. For example, “ou=WAN,o=Cisco Systems” will not match a certificate with the string “ou=WAN,ou=Engineering,o=Cisco Systems” because the “ou=Engineering” string separates the two desired component identifiers.

To match both “ou=WAN” and “o=Cisco Systems” in a certificate while ignoring other component identifiers, you could use this certificate map:


crypto ca certificate map Group 10
 subject-name co ou=WAN
 subject-name co o=Cisco

Any space character proceeding or following the equal sign (=) character in component identifiers is ignored. Therefore “o=Cisco” in the proceeding example will match “o = Cisco,” “o= Cisco,” “o =Cisco,” and so on.

crypto ca certificate query (ca-trustpoint)


Note


This command was replaced by the crypto pki certificate query (ca-trustpoint) command effective with Cisco IOS Release 12.3(7)T, 12.2(18)SXD, and 12.2(18)SXE.


To specify that certificates should not be stored locally but retrieved from a certification authority (CA) trustpoint, use the crypto ca certificate query command in ca-trustpoint configuration mode. To cause certificates to be stored locally per trustpoint, use the no form of this command.

crypto ca certificate query

no crypto ca certificate query

Syntax Description

This command has no arguments or keywords.

Command Default

CA trustpoints are stored locally in the router’s NVRAM.

Command Modes


Ca-trustpoint configuration

Command History

Release

Modification

12.2(8)T

This command was introduced.

Usage Guidelines

Normally, certain certificates are stored locally in the router’s NVRAM, and each certificate uses a moderate amount of memory. To save NVRAM space, you can use this command to put the router into query mode, preventing certificates from being stored locally; instead, they are retrieved from a specified CA trustpoint when needed. This will save NVRAM space but could result in a slight performance impact.

The crypto ca certificate query command is a subcommand for each trustpoint; thus, this command can be disabled on a per-trustpoint basis.

Before you can configure this command, you must enable the crypto pki trustpoint command , which puts you in ca-trustpoint configuration mode.


Note


This command replaces the crypto ca certificate query command in global configuration mode. Although you can still enter the global configuration command, the configuration mode and command will be written back as ca-trustpoint.


Examples

The following example shows how to prevent certificates and certificate revocation lists (CRLs) from being stored locally on the router; instead, they are retrieved from the “ka” trustpoint when needed.


crypto ca trustpoint ka
 .
 .
 .
 crypto ca certificate query

crypto ca certificate query (global)

The crypto ca certificate query command in global configuration mode is replaced by the crypto ca certificate query command in ca-trustpoint configuration mode. See the crypto ca certificate query command for more information.

crypto ca crl request


Note


Effective with Cisco IOS Release 12.3(7)T and 12.2(18)SXE, this command was replaced by the crypto pki crl request command.


To request that a new certificate revocation list (CRL) be obtained immediately from the certification authority, use the crypto ca crl request command in global configuration mode.

crypto ca crl request name

Syntax Description

name

Specifies the name of the CA. This is the same name used when the CA was declared with the crypto pki trustpoint command.

Command Default

Normally, the router requests a new CRL when it is verifying a certificate and there is no CRL cached.

Command Modes


Global configuration

Command History

Release

Modification

11.3 T

This command was introduced.

12.3(7)T

This command was replaced by the crypto pki crl request command.

Usage Guidelines

A CRL lists all the certificates of the network device that have been revoked. Revoked certificates will not be honored by your router; therefore, any IPSec device with a revoked certificate cannot exchange IP Security traffic with your router.

The first time your router receives a certificate from a peer, it will download a CRL from the CA. Your router then checks the CRL to make sure the certificate of the peer has not been revoked. (If the certificate appears on the CRL, it will not accept the certificate and will not authenticate the peer.)

A CRL can be reused with subsequent certificates until the CRL expires. If your router receives the certificate of a peer after the applicable CRL has expired, it will download the new CRL.

If your router has a CRL which has not yet expired, but you suspect that the contents of the CRL are out of date, use the crypto ca crl request command to request that the latest CRL be immediately downloaded to replace the old CRL.

This command is not saved to the configuration.


Note


This command should be used only after the trustpoint is enrolled.


Examples

The following example immediately downloads the latest CRL to your router:


crypto ca crl request

crypto ca enroll


Note


This command was replaced by the crypto pki enroll command effective with Cisco IOS Release 12.3(7)T and 12.2(18)SXE.


To obtain the certificate(s) of your router from the certification authority, use the crypto ca enroll command in global configuration mode. To delete a current enrollment request, use the no form of this command.

crypto ca enroll name

no crypto ca enroll name

Syntax Description

name

Specifies the name of the CA. Use the same name as when you declared the CA using the crypto pki trustpoint command.

Command Default

No default behavior or values.

Command Modes


Global configuration

Command History

Release

Modification

11.3 T

This command was introduced.

Usage Guidelines

This command requests certificates from the CA for all of your router’s RSA key pairs. This task is also known as enrolling with the CA. (Technically, enrolling and obtaining certificates are two separate events, but they both occur when this command is issued.)

Your router needs a signed certificate from the CA for each RSA key pairs of your router; if you previously generated general purpose keys, this command will obtain the one certificate corresponding to the one general purpose RSA key pair. If you previously generated special usage keys, this command will obtain two certificates corresponding to each of the special usage RSA key pairs.

If you already have a certificate for your keys you will be unable to complete this command; instead, you will be prompted to remove the existing certificate first. (You can remove existing certificates with the no certificate command.)

The crypto ca enroll command is not saved in the router configuration.


Note


If your router reboots after you issue the crypto ca enroll command but before you receive the certificate(s), you must reissue the command.


Responding to Prompts

When you issue the crypto ca enroll command, you are prompted a number of times.

First, you are prompted to create a challenge password. This password can be up to 80 characters in length. This password is necessary in the event that you ever need to revoke your router’s certificate(s). When you ask the CA administrator to revoke your certificate, you must supply this challenge password as a protection against fraudulent or mistaken revocation requests.


Note


This password is not stored anywhere, so you need to remember this password.


If you lose the password, the CA administrator may still be able to revoke the router’s certificate but will require further manual authentication of the router administrator identity.

You are also prompted to indicate whether or not your router’s serial number should be included in the obtained certificate. The serial number is not used by IP Security or Internet Key Exchange but may be used by the CA to either authenticate certificates or to later associate a certificate with a particular router. (Note that the serial number stored is the serial number of the internal board, not the one on the enclosure.) Ask your CA administrator if serial numbers should be included. If you are in doubt, include the serial number.

Normally, you would not include the IP address because the IP address binds the certificate more tightly to a specific entity. Also, if the router is moved, you would need to issue a new certificate. Finally, a router has multiple IP addresses, any of which might be used with IPSec.

If you indicate that the IP address should be included, you will then be prompted to specify the interface of the IP address. This interface should correspond to the interface that you apply your crypto map set to. If you apply crypto map sets to more than one interface, specify the interface that you name in the crypto map local-address command.

Examples

In the following example, a router with a general-purpose RSA key pair requests a certificate from the CA. When the router displays the certificate fingerprint, the administrator verifies this number by calling the CA administrator, who checks the number. The fingerprint is correct, so the router administrator accepts the certificate.

There can be a delay between when the router administrator sends the request and when the certificate is actually received by the router. The amount of delay depends on the CA method of operation.


Router(config)# crypto ca enroll myca
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
   password to the CA Administrator in order to revoke your certificate.
   For security reasons your password will not be saved in the configuration.
   Please make a note of it.
Password: <mypassword>
Re-enter password: <mypassword>
% The subject name in the certificate will be: myrouter.example.com
% Include the router serial number in the subject name? [yes/no]: yes
% The serial number in the certificate will be: 03433678
% Include an IP address in the subject name [yes/no]? yes
Interface: ethernet0/0
Request certificate from CA [yes/no]? yes
% Certificate request sent to Certificate Authority
% The certificate request fingerprint will be displayed.
% The ’show crypto pki certificates’ command will also show the fingerprint.

Some time later, the router receives the certificate from the CA and displays the following confirmation message:


Router(config)#   Fingerprint: 01234567 89ABCDEF FEDCBA98 75543210
%CRYPTO-6-CERTRET: Certificate received from Certificate Authority
Router(config)#

If necessary, the router administrator can verify the displayed Fingerprint with the CA administrator.

If there is a problem with the certificate request and the certificate is not granted, the following message is displayed on the console instead:


%CRYPTO-6-CERTREJ: Certificate enrollment request was rejected by Certificate Authority

The subject name in the certificate is automatically assigned to be the same as the RSA key pair’s name. In the above example, the RSA key pair was named “myrouter.example.com.” (The router assigned this name.)

Requesting certificates for a router with special usage keys would be the same as the previous example, except that two certificates would have been returned by the CA. When the router received the two certificates, the router would have displayed the same confirmation message:


%CRYPTO-6-CERTRET: Certificate received from Certificate Authority

crypto ca export pem


Note


This command was replaced by the crypto pki export pem command effective with Cisco IOS Release 12.3(7)T and 12.2(18)SXE.


To export certificates and Rivest, Shamir, and Adelman (RSA) keys that are associated with a trustpoint in a privacy-enhanced mail (PEM)-formatted file, use the crypto ca export pem command in global configuration mode.

crypto ca export trustpoint pem {terminal | url url} {3des | des} passphrase

Syntax Description

trustpoint

Name of the trustpoint that the associated certificate and RSA key pair will export.

The trustpoint argument must match the name that was specified via the crypto pki trustpoint command.

terminal

Certificate and RSA key pair that will be displayed in PEM format on the console terminal.

url url

URL of the file system where your router should export the certificate and RSA key pairs.

3des

Export the trustpoint using the Triple Data Encryption Standard (3DES) encryption algorithm.

des

Export the trustpoint using the DES encryption algorithm.

passphrase

Passphrase that is used to encrypt the PEM file for import.

Note

 

The passphrase can be any phrase that is at least eight characters in length; it can include spaces and punctuation, excluding the question mark (?), which has special meaning to the Cisco IOS parser.

Command Default

No default behavior or values

Command Modes


Global configuration

Command History

Release

Modification

12.3(4)T

This command was introduced.

Usage Guidelines


Note


Security threats, as well as the cryptographic technologies to help protect against them, are constantly changing. For more information about the latest Cisco cryptographic recommendations, see the Next Generation Encryption (NGE) white paper.


The crypto ca export pem command allows you to export certificate and RSA key pairs in PEM-formatted files. The PEM files can then be imported back into the Cisco IOS router (via the crypto pki import pem command) or other public key infrastructure (PKI) applications.

Examples

The following example shows how to generate and export the RSA key pair “aaa” and certificates of the router in PEM files that are associated with the trustpoint “mycs”:


Router(config)# crypto key generate rsa general-keys label aaa exportable
 
The name for the keys will be:aaa
Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes. 
!
How many bits in the modulus [512]: 2048
% Generating 2048 bit RSA keys ...[OK]
!
Router(config)# crypto pki trustpoint mycs
Router(ca-trustpoint)# enrollment url http://mycs
Router(ca-trustpoint)# rsakeypair aaa
Router(ca-trustpoint)# exit
Router(config)# crypto pki authenticate mycs
Certificate has the following attributes:
Fingerprint:C21514AC 12815946 09F635ED FBB6CF31 
% Do you accept this certificate? [yes/no]:y
Trustpoint CA certificate accepted.
! 
Router(config)# crypto pki enroll mycs
%
% Start certificate enrollment .. 
% Create a challenge password. You will need to verbally provide this password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
 
Password:
Re-enter password:
 
% The fully-qualified domain name in the certificate will be:Router
% The subject name in the certificate will be:bizarro.cisco.com
% Include the router serial number in the subject name? [yes/no]:n
% Include an IP address in the subject name? [no]:n
Request certificate from CA? [yes/no]:y
% Certificate request sent to Certificate Authority
% The certificate request fingerprint will be displayed.
% The 'show crypto ca certificate' command will also show the fingerprint.
 
Router(config)# Fingerprint: 8DA777BC 08477073 A5BE2403 812DD157 
 
00:29:11:%CRYPTO-6-CERTRET:Certificate received from Certificate Authority
 
Router(config)# crypto ca export aaa pem terminal 3des cisco123
% CA certificate:
-----BEGIN CERTIFICATE-----
MIICAzCCAa2gAwIBAgIBATANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQGEwJVUzES
<snip>
waDeNOSI3WlDa0AWq5DkVBkxwgn0TqIJXJOCttjHnWHK1LMcMVGn
-----END CERTIFICATE-----
 
% Key name:aaa
    Usage:General Purpose Key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type:4,ENCRYPTED
DEK-Info:DES-EDE3-CBC,ED6B210B626BC81A
 
Urguv0jnjwOgowWVUQ2XR5nbzzYHI2vGLunpH/IxIsJuNjRVjbAAUpGk7VnPCT87
<snip>
kLCOtxzEv7JHc72gMku9uUlrLSnFH5slzAtoC0czfU4=
-----END RSA PRIVATE KEY-----
 
% Certificate:
-----BEGIN CERTIFICATE-----
MIICTjCCAfigAwIBAgICIQUwDQYJKoZIhvcNAQEFBQAwTjELMAkGA1UEBhMCVVMx
<snip>
6xlBaIsuMxnHmr89KkKkYlU6
-----END CERTIFICATE-----

crypto ca export pkcs12


Note


This command was replaced by the crypto pki export pkcs12 command effective with Cisco IOS Release 12.3(7)T and 12.2(18)SXE.


To export Rivest, Shamir, and Adelman (RSA) keys within a PKCS12 file at a specified location, use the crypto ca export pkcs12 command in global configuration mode.

crypto ca export trustpointname pkcs12 destination url passphrase

Syntax Description

trustpointname

Name of the trustpoint who issues the certificate that a user is going to export. When you export the PKCS12 file, the trustpoint name is the RSA key name.

destination url

Location of the PKCS12 file to which a user wants to import the RSA key pair.

passphrase

Passphrase that is used to encrypt the PKCS12 file for export.

Command Default

No default behavior or values

Command Modes


Global configuration

Command History

Release

Modification

12.2(15)T

This command was introduced.

Usage Guidelines

The crypto ca export pkcs12 command creates a PKCS 12 file that contains an RSA key pair. The PKCS12 file, along with a certificate authority (CA), is exported to the location that you specify with the destination URL. If you decide not to import the file to another router, you must delete the file.

Security Measures

Keep the PKCS12 file stored in a secure place with restricted access.

An RSA keypair is more secure than a passphrase because the private key in the key pair is not known by multiple parties. When you export an RSA key pair to a PKCS#12 file, the RSA key pair now is only as secure as the passphrase.

To create a good passphrase, be sure to include numbers, as well as both lowercase and uppercase letters. Avoid publicizing the passphrase by mentioning it in e-mail or cell phone communications because the information could be accessed by an unauthorized user.

Examples

The following example exports an RSA key pair with a trustpoint name “mytp” to a Flash file:


Router(config)# crypto ca export mytp pkcs12 flash:myexport mycompany

crypto ca identity

The crypto ca identity command is replaced by the crypto ca trustpoint command. See the crypto ca trustpoint command for more information.

crypto ca import


Note


This command was replaced by the crypto pki import command effective with Cisco IOS Release 12.3(7)T and 12.2(18)SXD.


To import a certificate manually via TFTP or as a cut-and-paste at the terminal, use the crypto ca import command in global configuration mode.

crypto ca import name certificate

Syntax Description

name certificate

Name of the certification authority (CA). This name is the same name used when the CA was declared with the crypto pki trustpoint command.

Command Default

No default behavior or values

Command Modes


Global configuration

Command History

Release

Modification

12.2(13)T

This command was introduced.

Usage Guidelines

You must enter the crypto ca import command twice if usage keys (signature and encryption keys) are used. The first time the command is entered, one of the certificates is pasted into the router; the second time the command is entered, the other certificate is pasted into the router. (It does not matter which certificate is pasted first.)

Examples

The following example shows how to import a certificate via cut-and-paste. In this example, the CA trustpoint is “MS.”


crypto pki trustpoint MS
 enroll terminal
 crypto pki authenticate MS
!
crypto pki enroll MS
crypto ca import MS certificate

crypto ca import pem


Note


This command was replaced by the crypto pki import pem command effective with Cisco IOS Release 12.3(7)T and 12.2(18)SXE.


To import certificates and Rivest, Shamir, and Adelman (RSA) keys to a trustpoint from privacy-enhanced mail (PEM)-formatted files, use the crypto ca import pem command in global configuration mode.

crypto ca import trustpoint pem [usage-keys] {terminal | url url} [exportable] passphrase

Syntax Description

trustpoint

Name of the trustpoint that is associated with the imported certificates and RSA key pairs.

The trustpoint argument must match the name that was specified via the crypto pki trustpoint command.

usage-keys

(Optional) Specifies that two RSA special usage key pairs will be imported (that is, one encryption pair and one signature pair), instead of one general-purpose key pair.

terminal

Certificates and RSA key pairs will be manually imported from the console terminal.

url url

URL of the file system where your router should import the certificates and RSA key pairs.

exportable

(Optional) Specifies that the imported RSA key pair can be exported again to another Cisco device such as a router.

passphrase

Passphrase that is used to encrypt the PEM file for import.

Note

 

The passphrase can be any phrase that is at least eight characters in length; it can include spaces and punctuation, excluding the question mark (?), which has special meaning to the Cisco IOS parser.

Command Default

No default behavior or values

Command Modes


Global configuration

Command History

Release

Modification

12.3(4)T

This command was introduced.

Usage Guidelines

The crypto ca import pem command allows you import certificates and RSA key pairs in PEM-formatted files. The files can be previously exported from another router or generated from other public key infrastructure (PKI) applications.

Examples

The following example shows how to import PEM files to trustpoint “ggg” via TFTP:


Router(config)# crypto ca import ggg pem url tftp://10.1.1.2/johndoe/msca cisco1234
% Importing CA certificate...
Address or name of remote host [10.1.1.2]? 
Destination filename [johndoe/msca.ca]? 
Reading file from tftp://10.1.1.2/johndoe/msca.ca
Loading johndoe/msca.ca from 10.1.1.2 (via Ethernet0):!
[OK - 1082 bytes]
% Importing private key PEM file...
Address or name of remote host [10.1.1.2]? 
Destination filename [johndoe/msca.prv]? 
Reading file from tftp://10.1.1.2/johndoe/msca.prv
Loading johndoe/msca.prv from 10.1.1.2 (via Ethernet0):!
[OK - 573 bytes]
% Importing  certificate PEM file...
Address or name of remote host [10.1.1.2]? 
Destination filename [johndoe/msca.crt]? 
Reading file from tftp://10.1.1.2/johndoe/msca.crt
Loading johndoe/msca.crt from 10.1.1.2 (via Ethernet0):!
[OK - 1289 bytes]
% PEM files import succeeded.
Router(config)#

crypto ca import pkcs12


Note


This command was replaced by the crypto pki import pkcs12 command effective with Cisco IOS Release 12.3(7)T and 12.2(18)SXE.


To import Rivest, Shamir, and Adelman (RSA) keys, use the crypto ca import pkcs12 command in global configuration mode.

crypto ca import trustpointname pkcs12 source url passphrase

Syntax Description

trustpointname

Name of the trustpoint who issues the certificate that a user is going to export or import. When importing, the trustpoint name will become the RSA key name.

source url

The location of the PKCS12 file to which a user wants to export the RSA key pair.

passphrase

Passphrase that must be entered to undo encryption when the RSA keys are imported.

Command Default

No default behavior or values

Command Modes


Global configuration

Command History

Release

Modification

12.2(15)T

This command was introduced.

Usage Guidelines

When you enter the cyrpto ca import pkcs12 command, a ke pair and a trustpoint are generated. If you then decide you want to remove the key pair and trustpoint that were generated, enter the crypto key zeroize rsa command to zeroize the key pair and enter the no crypto ca trustpoint command to remove the trustpoint.


Note


After you import RSA keys to a target router, you cannot export those keys from the target router to another router.


Examples

In the following example, an RSA key pair that has been associated with the trustpoint “forward” is to be imported:


Router(config)# crypto ca import forward pkcs12 flash:myexport mycompany

crypto ca profile enrollment


Note


This command was replaced with the crypto pki profile enrollment command effective with Cisco IOS Release 12.3(7)T and 12.2(18)SXE.


To define an enrollment profile, use the crypto ca profile enrollment command in global configuration mode. To delete all information associated with this enrollment profile, use the no form of this command.

crypto ca profile enrollment label

no crypto ca profile enrollment label

Syntax Description

label

Name for the enrollment profile; the enrollment profile name must match the name specified in the enrollment profile command.

Command Default

An enrollment profile does not exist.

Command Modes


Global configuration

Command History

Release

Modification

12.2(13)ZH

This command was introduced.

12.3(4)T

This command was integrated into Cisco IOS Release 12.3(4)T.

Usage Guidelines

Before entering this command, you must specify a named enrollment profile using the enrollment profile in ca-trustpoint configuration mode.

After entering the crypto ca profile enrollment command, you can use any of the following commands to define the profile parameters:

  • authentication command --Specifies the HTTP command that is sent to the certification authority (CA) for authentication.

  • authentication terminal --Specifies manual cut-and-paste certificate authentication requests.

  • authentication url --Specifies the URL of the CA server to which to send authentication requests.

  • enrollment command --Specifies the HTTP command that is sent to the CA for enrollment.

  • enrollment terminal --Specifies manual cut-and-paste certificate enrollment.

  • enrollment url --Specifies the URL of the CA server to which to send enrollment requests.

  • parameter --Specifies parameters for an enrollment profile. This command can be used only if the authentication command or the enrollment command is used.


Note


The authentication url , enrollment url , authentication terminal , and enrollment terminal commands allow you to specify different methods for certificate authentication and enrollment, such as TFTP authentication and manual enrollment.


Examples

The following example shows how to define the enrollment profile named “E” and associated profile parameters:


crypto ca trustpoint Entrust
  enrollment profile E
  serial
crypto ca profile enrollment E
 authentication url  http://entrust:81
 authentication command  GET /certs/cacert.der
 enrollment url  http://entrust:81/cda-cgi/clientcgi.exe
 enrollment command  POST reference_number=$P2&authcode=$P1
&retrievedAs=rawDER&action=getServerCert&pkcs10Request=$REQ
 parameter 1 value aaaa-bbbb-cccc
 parameter 2 value 5001

crypto ca trusted-root

The crypto ca trusted-root command is replaced by the crypto ca trustpoint command. See the crypto ca trustpoint command for more information.

crypto ca trustpoint


Note


Effective with Cisco IOS Release 12.3(8)T, 12.2(18)SXD, and 12.2(18)SXE, the crypto ca trustpoint command is replaced with the crypto pki trustpoint command. See the crypto pki trustpoint command for more information.


To declare the certification authority (CA) that your router should use, use the crypto ca trustpoint command in global configuration mode. To delete all identity information and certificates associated with the CA, use the no form of this command.

crypto ca trustpoint name

no crypto ca trustpoint name

Syntax Description

name

Creates a name for the CA. (If you previously declared the CA and just want to update its characteristics, specify the name you previously created.)

Command Default

Your router does not recognize any CAs until you declare a CA using this command.

Command Modes


Global configuration

Command History

Release

Modification

12.2(8)T

This command was introduced.

12.2(15)T

The match certificate subcommand was introduced.

12.3(7)T

This command was replaced by the crypto pki trustpoint command. You can still enter the crypto ca trusted-root or crypto ca trustpoint command, but the command will be written in the configuration as “crypto pki trustpoint.”

Usage Guidelines

Use the crypto ca trustpoint command to declare a CA, which can be a self-signed root CA or a subordinate CA. Issuing the crypto ca trustpoint command puts you in ca-trustpoint configuration mode.

You can specify characteristics for the trustpoint CA using the following subcommands:

  • crl --Queries the certificate revocation list (CRL) to ensure that the certificate of the peer has not been revoked.

  • default (ca-trustpoint) --Resets the value of ca-trustpoint configuration mode subcommands to their defaults.

  • enrollment --Specifies enrollment parameters (optional).

  • enrollment http-proxy --Accesses the CA by HTTP through the proxy server.

  • match certificate --Associates a certificate-based access control list (ACL) defined with the crypto ca certificate map command.

  • primary --Assigns a specified trustpoint as the primary trustpoint of the router.

  • root --Defines the Trivial File Transfer Protocol (TFTP) to get the CA certificate and specifies both a name for the server and a name for the file that will store the CA certificate.


Note


Beginning with Cisco IOS Release 12.2(8)T, the crypto ca trustpoint command unified the functionality of the crypto ca identity and crypto ca trusted-root commands, thereby replacing these commands. Although you can still enter the crypto ca identity and crypto ca trusted-root commands, the configuration mode and command will be written in the configuration as “crypto ca trustpoint .”


Examples

The following example shows how to declare the CA named “ka” and specify enrollment and CRL parameters:


crypto ca trustpoint ka
 enrollment url http://kahului:80

The following example shows a certificate-based access control list (ACL) with the label “Group” defined in a crypto ca certificate map command and included in the match certificate subcommand of the crypto ca | pki trustpoint command:


crypto ca certificate map Group 10
 subject-name co ou=WAN
 subject-name co o=Cisco
!
crypto ca trustpoint pki
 match certificate Group

crypto call admission limit

To specify the maximum number of Internet Key Exchange (IKE) security associations (SAs) that the device can establish before IKE begins rejecting new SA requests, use the crypto call admission limit command in global configuration mode. To disable this feature, use the no form of this command.

crypto call admission limit ike {in-negotiation-sa number | sa number}

no crypto call admission limit ike {in-negotiation-sa number | sa number}

Syntax Description

ike

Configures the crypto Call Admission Control active IKE SA limit.

in-negotiation-sa number

Specifies the maximum number of in-negotiation IKE SAs allowed. Range is from 10 to 99999.

sa number

Specifies the number of active IKE SAs allowed on the device. Range is from 0 to 99999.

Command Default

The maximum number of IKE SAs is not specified.

Command Modes


Global configuration (config)

Command History

Release

Modification

12.3(8)T

This command was introduced.

12.2(18)SXD1

This command was integrated into Cisco IOS Release 12.2(18)SXD1 on the Cisco 6500 and Cisco 7600.

12.4(6)T

This command was modified. The in-negotiation-sa number keyword-argument pair was added.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA on the Cisco 7600. The in-negotiation-sa number keyword-argument pair was not supported.

12.2(33)SXH

This command was integrated into Cisco IOS Release 12.2(33)SXH. The in-negotiation-sa number keyword-argument pair was not supported.

Usage Guidelines

Use this command to limit the number of IKE SAs permitted to or from a device. By limiting the number of IKE SAs that can be created on the device, you can prevent the device from being impacted due to sudden inflow of IKE SA requests. The ideal limit depends on the particular platform, the network topology, the application, and traffic patterns. When the specified limit is reached, IKE rejects all new SA requests. If you specify an IKE SA limit that is less than the current number of active IKE SAs, a warning is displayed, but SAs are not terminated. New SA requests are rejected until the active SA count is below the configured limit.

Examples

The following example shows how to configure a maximum of 50 IKE SAs before IKE begins rejecting new SA requests.


Device(config)# crypto call admission limit ike sa 50

The following example shows how to configure a maximum of 100 in-negotiation IKE SAs before IKE begins rejecting new SA requests.


Device(config)# crypto call admission limit ike in-negotiation-sa 100

crypto connect vlan

To create an interface VLAN for an IPSec VPN SPA and enter crypto-connect mode, use the crypto connect vlan command in interface configuration mode. To remove the interface VLAN status from the VLAN, use the no form of this command.

crypto connect vlan vlan-id

no crypto connect [vlan vlan-id]

Syntax Description

vlan-id

VLAN ID number.

Command Default

No default behavior or values.

Command Modes


Interface configuration

Command History

Release

Modification

12.2(18)SXE2

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

Usage Guidelines

You can enter the crypto connect vlan command only from the following:

  • The associated port VLAN interface when the EtherChannel interface (port-channel interface) and participating interfaces are switch ports.

  • The EtherChannel interface when the EtherChannel interface (port-channel interface) and participant interfaces are routed ports.

The crypto engine subslot command is only available for VLANs prior to the VLANs being made interface VLANs by the crypto connect vlan command.

When you enter the crypto connect vlan command, a target VLAN is made an interface VLAN if and only if the target VLAN is not currently an interface VLAN, and the target VLAN has been added to an inside trunk port using the crypto engine subslot command. If the VLAN has been added to more than one inside trunk port, the crypto connect vlan command is rejected.

The no crypto engine subslot command is allowed only after you enter the no crypto connect vlan command, or before you enter the crypto connect vlan command.

When you remove an interface VLAN from an inside trunk port and a corresponding crypto engine subslot configuration state exists, then that crypto engine subslot configuration state is not removed. If you remove a VLAN that has a crypto engine subslot configuration state, you need to manually add it back to recover. While in this inconsistent state, any attempt to enter the no crypto connect vlan command is rejected.

When you enter the no crypto connect vlan command, the interface VLAN status is removed from a VLAN. Any associated crypto engine subslot configuration state is not altered.

Examples

The following example adds port 2/1 to the outside access port VLAN and connects the outside access port VLAN to the inside interface VLAN:

Router(config)# interface Vlan101
Router(config-if)# ip address 192.168.101.1 255.255.255.0
Router(config-if)# crypto map cmap
Router(config-if)# crypto engine subslot 3/0
Router(config-if)# interface GigabitEthernet2/1
Router(config-if)# crypto connect vlan 101

crypto ctcp

To configure Cisco Tunneling Control Protocol (cTCP) encapsulation for Easy VPN, use the crypto ctcp command in global configuration mode. To remove the cTCP encapsulation, use the no form of this command.

crypto ctcp [keepalive number-of-seconds | port port-number]

no crypto ctcp [keepalive number-of-seconds | port port-number]

Syntax Description

keepalive

(Optional) Sets the interval of cTCP keepalives that are sent by the remote device.

Note

 

This command is configured on the remote device.

number-of-seconds

(Optional) Number of seconds between the keepalives. Value = 5 through 3600. If the keepalive keyword is not configured, the default is 5.

port

(Optional) Port number that cTCP will listen to. Up to 10 numbers can be configured.

Note

 

This keyword is configured only on the server.

port-number

(Optional) Actual port number. Value = 1 through 65535. If the port keyword is not configured, the default port number is 10000.

Command Default

cTCP encapsulation is not configured.

Command Modes


Global configuration (config)

Command History

Release

Modification

12.4(9)T

The crypto ctcp command was introduced.

12.4(20)T

The keepalive keyword and number-of-seconds argument were added.

Usage Guidelines

If cTCP is enabled on a port, any application that uses that port will not function.

When cTCP encapsulation is enabled on the router, only packets less than or equal to 1407 in size can pass through the IPsec tunnel with the Don’t Fragment (DF) bit set. If an attempt is made to send a larger size packet, the following syslog message is generated:


CRYPTO_ENGINE: locally-sourced pkt w/DF bit set is too big,ip->tl=1450, mtu=1407

Note


If a Cisco IOS device is acting as a remote device, it has to send keepalives periodically to keep Network Address Translation (NAT) or firewall sessions from timing out.


Examples

The following example shows that cTCP encapsulation has been configured on port 120:


Router (config)# crypto ctcp port 120

The following example shows that the cTCP keepalive interval has been set at 30 seconds:


Router (config)# crypto ctcp keepalive 30

crypto dynamic-map

To create a dynamic crypto map entry and enter crypto map configuration command mode, use the crypto dynamic-map command in global configuration mode. To delete a dynamic crypto map set or entry, use the no form of this command.

crypto dynamic-map dynamic-map-name dynamic-seq-num

no crypto dynamic-map dynamic-map-name [dynamic-seq-num]

Syntax Description

dynamic-map-name

Specifies the name of the dynamic crypto map set.

dynamic-seq-num

Specifies the number of the dynamic crypto map entry.

Command Default

No dynamic crypto maps exist.

Command Modes


Global configuration

Command History

Release

Modification

11.3 T

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

12.4(15)T

This command was modified. All changes to PFS settings in the dynamic crypto map template are immediately passed on to the instantiated crypto map PFS settings.

Usage Guidelines

Use dynamic crypto maps to create policy templates that can be used when processing negotiation requests for new security associations from a remote IP security peer, even if you do not know all of the crypto map parameters required to communicate with the remote peer (such as the peer’s IP address). For example, if you do not know about all the IPsec remote peers in your network, a dynamic crypto map allows you to accept requests for new security associations from previously unknown peers. (However, these requests are not processed until the Internet Key Exchange authentication has completed successfully.)

When a router receives a negotiation request via IKE from another IPsec peer, the request is examined to see if it matches a crypto map entry. If the negotiation does not match any explicit crypto map entry, it will be rejected unless the crypto map set includes a reference to a dynamic crypto map.

The dynamic crypto map is a policy template; it will accept “wildcard” parameters for any parameters not explicitly stated in the dynamic crypto map entry. This allows you to set up IPsec security associations with a previously unknown IPsec peer. (The peer still must specify matching values for the nonwildcard IPsec security association negotiation parameters.)

If the router accepts the peer’s request, at the point that it installs the new IPsec security associations it also installs a temporary crypto map entry. This entry is filled in with the results of the negotiation. At this point, the router performs normal processing, using this temporary crypto map entry as a normal entry, even requesting new security associations if the current ones are expiring (based upon the policy specified in the temporary crypto map entry). Once the flow expires (that is, all of the corresponding security associations expire), the temporary crypto map entry is removed.

If changes are made to the Perfect Forward Secrecy (PFS) settings in the dynamic crypto map template,the changes are passed on to the PFS settings in the instantiated crypto map. During the next rekey process the new settings are used to negotiate with the remote peer.

Dynamic crypto map sets are not used for initiating IPsec security associations. However, they are used for determining whether or not traffic should be protected.

The only configuration required in a dynamic crypto map is the set transform-set command. All other configuration is optional.

Dynamic crypto map entries, like regular static crypto map entries, are grouped into sets. After you define a dynamic crypto map set (which commonly contains only one map entry) using this command, you include the dynamic crypto map set in an entry of the “parent” crypto map set using the crypto map (IPsec global configuration) command. The parent crypto map set is then applied to an interface.

You should make crypto map entries referencing dynamic maps the lowest priority map entries, so that negotiations for security associations will try to match the static crypto map entries first. Only after the negotiation request does not match any of the static map entries do you want it to be evaluated against the dynamic map.

To make a dynamic crypto map the lowest priority map entry, give the map entry referencing the dynamic crypto map the highest seq-num of all the map entries in a crypto map set.

For both static and dynamic crypto maps, if unprotected inbound traffic matches a permit statement in an access list, and the corresponding crypto map entry is tagged as “IPsec,” then the traffic is dropped because it is not IPsec protected. (This is because the security policy as specified by the crypto map entry states that this traffic must be IPsec protected.)

For static crypto map entries, if outbound traffic matches a permit statement in an access list and the corresponding security association (SA) is not yet established, the router will initiate new SAs with the remote peer. In the case of dynamic crypto map entries, if no SA existed, the traffic would simply be dropped (because dynamic crypto maps are not used for initiating new SAs).


Note


Use care when using the any keyword in permit entries in dynamic crypto maps. If it is possible for the traffic covered by such a permit entry to include multicast or broadcast traffic, the access list should include deny entries for the appropriate address range. Access lists should also include deny entries for network and subnet broadcast traffic, and for any other traffic that should not be IPsec protected.


Examples

The following example shows how to configure an IPsec crypto map set.

Crypto map entry “mymap 30” references the dynamic crypto map set “mydynamicmap,” which can be used to process inbound security association negotiation requests that do not match “mymap” entries 10 or 20. In this case, if the peer specifies a transform set that matches one of the transform sets specified in “mydynamicmap,” for a flow “permitted” by the access list 103, IPsec will accept the request and set up security associations with the remote peer without previously knowing about the remote peer. If accepted, the resulting security associations (and temporary crypto map entry) are established according to the settings specified by the remote peer.

The access list associated with “mydynamicmap 10” is also used as a filter. Inbound packets that match a permit statement in this list are dropped for not being IPsec protected. (The same is true for access lists associated with static crypto maps entries.) Outbound packets that match a permit statement without an existing corresponding IPsec SA are also dropped.


crypto map mymap 10 ipsec-isakmp
 match address 101
 set transform-set my_t_set1
 set peer 10.0.0.1
 set peer 10.0.0.2
crypto map mymap 20 ipsec-isakmp
 match address 102
 set transform-set my_t_set1 my_t_set2
 set peer 10.0.0.3
crypto map mymap 30 ipsec-isakmp dynamic mydynamicmap
!
crypto dynamic-map mydynamicmap 10
 match address 103
 set transform-set my_t_set1 my_t_set2 my_t_set3

crypto-engine

To enter the QoS policy map configuration mode for the IPsec VPN module, use the crypto-engine command in interface configuration mode.

crypto-engine

Syntax Description

This command has no arguments or keywords.

Command Default

This command has no default settings.

Command Modes


Interface configuration (config-if)

Command History

Release

Modification

12.2(33)SXI

Support for this command was introduced.

Usage Guidelines

Once you enter the crypto-engine command, the prompt changes to the following:

Router(config-crypto-engine)#


The following crypto engine configuration commands are available when you enter the crypto-engine command:

  • default --Sets a command to its defaults.

  • exit --Exit service-flow submode.

  • no --Negates a command or set its defaults.

  • service-policy output policy-map-name --Configures the service policy by assigning a policy map to the output of an interface.

Examples

The following example shows how to apply the policy map to tunnel egress traffic:


Router(config)# interface tunnel1
 
Router(config-if)# crypto-engine
Router(config-crypto-engine)# service-policy output crypto1

crypto engine accelerator


Note


Effective with Cisco IOS Release 12.3(11)T, this command is replaced by the crypto engine aim , crypto engine em , crypto engine nm , crypto engine onboard , and crypto engine slot commands. See these commands for more information.


To enable the onboard hardware accelerator of the router for IP security (IPsec) encryption, use the crypto engine accelerator command in global configuration mode. To disable the use of the onboard hardware IPsec accelerator, and thereby perform IPsec encryption or decryption in software, use the no form of this command.

crypto engine accelerator

no crypto engine accelerator

Syntax Description

This command has no arguments or keywords.

Command Default

The hardware accelerator for IPsec encryption is enabled.

Command Modes


Global configuration

Command History

Release

Modification

12.1(3)T

This command was introduced for the Cisco 1700 series router and other Cisco routers that support hardware accelerators for IPsec encryption.

12.1(3)XL

Support was added for the Cisco uBR905 cable access router.

12.2(2)XA

Support was added for the Cisco uBR925 cable access router.

12.2(13)T

This command was integrated into Cisco IOS Release 12.2(13)T and implemented for the AIM-VPN/EPII and AIM-VPN/HPII on the following platforms: Cisco 2691, Cisco 3660, Cisco 3725, and Cisco 3745.

12.2(15)ZJ

This command was implemented for the AIM-VPN/BPII on the following platforms: Cisco 2610XM, Cisco 2611XM, Cisco 2620XM, Cisco 2621XM, Cisco 2650XM, and Cisco 2651XM.

12.3(4)T

The AIM-VPN/BPII was integrated into Cisco IOS Release 12.3(4)T on the following platforms: Cisco 2610XM, Cisco 2611XM, Cisco 2620XM, Cisco 2621XM, Cisco 2650XM, and Cisco 2651XM.

12.3(11)T

This command was replaced by the crypto engine aim , crypto engine em , crypto engine nm , crypto engine onboard , and crypto engine slot commands.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Usage Guidelines

This command is not normally needed for typical operations because the onboard hardware accelerator of the router is enabled for IPsec encryption by default. The hardware accelerator should not be disabled except on instruction from Cisco Technical Assistance Center (TAC) personnel.

Examples

The following example shows how to disable the onboard hardware accelerator of the router for IPsec encryption. This disabling is normally needed only after the accelerator has been disabled for testing or debugging purposes.


Router(config)# no crypto engine accelerator
Warning! all current connections will be torn down.
Do you want to continue? [yes/no]:

crypto engine aim

To reenable an advanced integration module (AIM), use the crypto engine aim command in global configuration mode. To disable an AIM encryption module, use the no form of this command.

crypto engine aim aim-slot-number

no crypto engine aim aim-slot-number

Syntax Description

aim-slot-number

Slot number to which an AIM is to be reenabled or disabled.

Command Default

An AIM is neither reenabled nor disabled.

Command Modes


Global configuration

Command History

Release

Modification

12.3(11)T

This command was introduced. This command replaces the crypto engine accelerator command.

Usage Guidelines

The crypto engine accelerator command will still be usable for a while, but if it is used, only the crypto engine aim command will be saved to the running and startup (nonvolatile memory) configuration.

Examples

The following example shows that the AIM in slot 0 is to be reenabled:


crypto engine aim 0

The following example shows that the AIM in slot 0 is to be disabled:


no crypto engine aim 0

crypto engine compliance shield disable

To effectively allow weak cryptographic algorithms such as Message Direct 5 (MD5), Data Encryption Standard (DES), or weak RSA keys to be enabled by various features, perform the crypto engine compliance shield disable command.

To prevent the weak crypto algorithms from being used by features, use the no form of this command.

crypto engine compliance sheild disable

no crypto engine compliance sheild disable

Syntax Description

This command has no arguments or keywords.

Command Default

Weak crypto algorithm check is enabled by default.

Command Modes

Global Configuration

Command History

Release

Modification

Cisco IOS XE Cupertino 17.7.1

This command was introduced.

Usage Guidelines

Weak cryptographic algorithms are insecure and do not provide adequate protection from modern threats when used with features such as IPsec, SSH, etc.

Cisco does not recommend using this command to bypass a weak crypto algorithm check and should only be used as last resort.

For more information on which cryptographic algorithms are considered weak, please refer to the sections on algorithms with a status of “Avoid” or “Legacy” in the Next Generation Cryptography document.

Changing the compliance shield status will require a device reboot to take effect.

Examples

The following example shows when the weak crypto algorithm check is disabled:

device(config)# crypto engine compliance shield disable
Disable compliance shield mode will take effect after reboot!

crypto engine em

To enable the hardware accelerator of an expansion slot for IP security (IPsec) encryption, use the crypto engine em command in global configuration mode. To disable the hardware accelerator of the expansion slot, use the no form of this command.

crypto engine em slot-number

no crypto engine em slot-number

Syntax Description

slot-number

Slot number to which the hardware accelerator of the expansion slot is to be enabled or disabled (applies to slots 0 through 3).

Command Default

The hardware accelerator is neither enabled nor disabled.

Command Modes


Global configuration

Command History

Release

Modification

12.3(11)T

This command was introduced. This command replaces the crypto engine accelerator command.

Usage Guidelines

The crypto engine accelerator command will still be usable for a while, but if it is used, only the crypto engine em command will saved to the running and startup (nonvolatile memory) configuration.

Examples

The following example shows that the hardware accelerator of expansion slot 1 is to be enabled:


crypto engine em 1

The following example shows that the hardware accelerator of expansion slot 1 is to be disabled:


no crypto engine em 1

crypto engine mode vrf

To enable VRF-Aware mode for the IPSec VPN SPA, use the crypto engine mode vrf command in global configuration mode. To disable VRF-aware mode, use the no form of this command.

crypto engine mode vrf

no crypto engine mode vrf

Command Default

No default behavior or values.

Command Modes


Global configuration

Command History

Release

Modification

12.2(18)SXE2

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

Usage Guidelines

The VRF-Aware IPSec feature introduces IPSec tunnel mapping to Multiprotocol Label Switching (MPLS) VPNs.

Using the VRF-Aware IPSec feature, you can map IPSec tunnels to VPN routing and forwarding instances (VRFs) using a single public-facing address.

Unlike other IPSec VPN SPA feature configurations, when configuring VRF-Aware features, you do not use the crypto connect vlan command.

Examples

The following example shows a VRF-Aware IPSec implementation:


ip vrf pepsi
 rd 1000:1
 route-target export 1000:1
 route-target import 1000:1
!
ip vrf coke
 rd 2000:1
 route-target export 2000:1
 route-target import 2000:1
crypto engine mode vrf
interface vlan 100
 ip vrf forwarding pepsi
 ip address 10.2.1.1 255.255.255.0
 crypto engine subslot 3/0
 crypto map map100
interface vlan 200
 ip vrf forwarding coke
 ip address 10.2.1.1 255.255.255.0
 crypto engine subslot 3/0
 crypto map map200
interface gi1/1 (hidden VLAN 1000)
 ip address 171.1.1.1
 crypto engine subslot 3/0
! BASIC MPLS CONFIGURATION
mpls label protocol ldp
tag-switching tdp router-id Loopback0
mls ip multicast flow-stat-timer 9
no mls flow ip
no mls flow ipv6
!
! CONFIGURE THE INTERFACE CONNECTED TO THE MPLS BACKBONE WITH LABEL/TAG SWITCHING
interface GigabitEthernet2/12
 ip address 20.1.0.34 255.255.255.252
 logging event link-status
 speed nonegotiate
 mpls label protocol ldp
tag-switching ip

crypto engine nm

To enable the onboard hardware accelerator of a network module for IP security (IPsec) encryption, use the crypto engine nm command in global configuration mode. To disable the accelerator of the network module, use the no form of this command.

crypto engine nm slot-number

no crypto engine nm slot-number

Syntax Description

slot-number

Slot number to which the hardware accelerator of a network module is to be enabled or disabled (applies to slots 0 through 5).

Command Default

The hardware accelerator is neither enabled nor disabled.

Command Modes


Global configuration

Command History

Release

Modification

12.3(11)T

This command was introduced. This command replaces the crypto engine accelerator command.

Usage Guidelines

The crypto engine accelerator command will still be usable for a while, but if it is used, only the crypto engine nm command will saved to the running and startup (nonvolatile memory) configuration.

Examples

The following example shows that the hardware accelerator of the network module in slot 0 is to be enabled:


crypto engine nm 0

The following example shows that the hardware accelerator of the network module in slot 0 is to be disabled:


no crypto engine nm 0

crypto engine onboard

To enable the hardware accelerator of an onboard module for IP security (IPsec) encryption, use the crypto engine onboard command in global configuration mode. To disable the hardware accelerator of the onboard module, use the no form of this command.

crypto engine onboard slot-number

no crypto engine onboard slot-number

Syntax Description

slot-number

Slot number to which the hardware accelerator of the onboard module is to be enabled or disabled (applies to slots 0 and 1).

Command Default

The hardware accelerator is neither enabled nor disabled.

Command Modes


Global configuration

Command History

Release

Modification

12.3(11)T

This command was introduced. This command replaces the crypto engine accelerator command.

Usage Guidelines

The crypto engine accelerator command will still be usable for a while, but if it is used, only the crypto engine onboard command will saved to the running and startup (nonvolatile memory) configuration.

Examples

The following example shows that the hardware accelerator of the onboard module in slot 1 is to be enabled:


crypto engine onboard 1

The following example shows that the hardware accelerator of the onboard module in slot 1 is to be disabled:


no crypto engine onboard 1

crypto engine slot

To enable a hardware accelerator, such ISM-VPN (supported by ISR G2 routers) in a service adapter, use the crypto engine slot command in global configuration mode. To disable the hardware accelerator in the service adapter, use the no form of this command.

crypto engine slot slot-number

no crypto engine slot slot-number

Syntax Description

slot-number

Slot number to which the hardware accelerator in a service adapter is to be reenabled or disabled (applies to slots 0 through 6).

Command Default

The hardware accelerator is neither enabled nor disabled.

Command Modes

Global configuration

Command History

Release

Modification

12.3(11)T

This command was introduced. This command replaces the crypto engine accelerator command.

Usage Guidelines

The crypto engine accelerator command will still be usable for a while, but if it is used, only the crypto engine slot command will be saved to the running and startup (nonvolatile memory) configuration.

Examples

The following example shows how to enable the hardware accelerator of the service adaptor in slot 2:


crypto engine slot 2

The following example shows how to disable the hardware accelerator of the service adaptor in slot 2:

no crypto engine slot 2

The following example shows how to enable ISM VPN in slot 0:

crypto engine slot 0

crypto engine slot (interface)

To assign an interface VLAN, Virtual Routing and Forwarding (VRF) tunnel interface, or Front-door VRF (FVRF) interface that requires encryption to the IPSec VPN Shared Port Adapter (SPA), use the crypto engine slot command in interface configuration mode. The command usage and syntax varies based on whether you are in crypto-connect mode or VRF mode. In crypto-connect mode, the command is applied to interface VLANs and only the slot /subslot arguments are specified; in VRF-mode, the command is applied to interface VLANs, tunnel interfaces, or FVRF interfaces and either the inside or outside keyword must also be specified. To remove the interface, use the corresponding no form of this command.

Crypto-Connect Mode Syntax

crypto engine slot slot

no crypto engine slot slot

VRF Mode Syntax

crypto engine slot slot {inside | outside}

no crypto engine slot slot {inside | outside}

Syntax Description

slot

Chassis slot number where the Cisco 7600 SSC-400 card is located. Refer to the appropriate hardware manual for slot information. For SIPs and SSCs, refer to the platform-specific SPA hardware installation guide or the corresponding “Identifying Slots and Subslots for SIPs and SPAs” topic in the platform-specific SPA software configuration guide.

inside

(VRF Mode Only) Identifies the interface as an interface VLAN or tunnel interface.

outside

(VRF Mode Only) Identifies the interface as an FVRF interface.

Command Default

No interface is assigned.

Command Modes


Interface configuration (config-if)

Command History

Release

Modification

12.2(33)SRA

This command was introduced into Cisco IOS Release 12.2(33)SRA to support the IPSec VPN SPA on Cisco 7600 series routers and Catalyst 6500 series switches.

12.2(33)SRE

This command was modified. The subslot argument was removed.

Usage Guidelines

Usage guidelines vary based on whether you are in crypto-connect mode or VRF mode:

Crypto-Connect Mode Usage Guidelines

With this command, you do not need to explicitly add interface VLANs to the IPSec VPN SPA inside trunk port.

It is strongly recommended that you use the crypto engine slot command instead of manually adding and removing VLANs from the inside trunk port.

When you add an interface VLAN to an inside trunk port and that interface VLAN is not already added to another inside trunk port, the crypto engine slot configuration state on the interface VLAN is combined. If the interface VLAN is already added to another inside trunk port, the command is rejected.

You should not try to add all VLANs at one time (If you attempt this, you can recover by manually removing the VLANs from the inside trunk port.)

In crypto-connect mode, the crypto engine slot command is used in conjunction with the crypto connect vlan command.

In crypto-connect mode, the crypto engine slot command is only available for VLANs prior to the VLANs being made interface VLANs by the crypto connect vlan command.

The crypto engine slot command is rejected if you enter it on a crypto-connected interface VLAN whose current crypto engine slot configuration is different from the subslot specified in the crypto engine slot command. To change the crypto engine slot configuration on an interface VLAN, you must ensure that the VLAN is not crypto-connected.

If you change the crypto engine slot configuration on an interface VLAN, any IPSec and IKE SAs that are currently active on that interface VLAN are deleted.

If you enter the no crypto engine slot command and the interface VLAN is crypto-connected, the no crypto engine slot command is rejected. The no crypto engine slot command is allowed only after you enter the no crypto connect vlan command, or before you enter the crypto connect vlan command.

When you remove an interface VLAN from an inside trunk port and a corresponding crypto engine slot configuration state exists, then that crypto engine slot configuration state is not removed. If you remove a VLAN that has a crypto engine slot configuration state, you need to manually add it back to recover. While in this inconsistent state, any attempt to enter the no crypto connect vlan command is rejected.

When you enter the no crypto connect vlan command, the interface VLAN status is removed from a VLAN. Any associated crypto engine slot configuration state is not altered.

When you write the configuration or show the configuration, the crypto engine slot configuration state is expressed in the context of the associated interface VLAN. The interface VLAN is also shown as having been added to the appropriate inside trunk port. This is the case even if the configuration was loaded from a legacy (pre-crypto engine slot) configuration file, or if VLANs were manually added instead of being added through the crypto engine slot command.

By editing the crypto engine slot commands and inside trunk port VLANs, it is possible to produce an inconsistent configuration file.

VRF Mode Usage Guidelines

When configuring an interface VLAN or tunnel interface in VRF mode, the crypto-engine slot inside command must be specified.

When configuring an FVRF interface in VRF mode, the crypto-engine slot outside command must be specified.

In VRF mode, the crypto-connect vlan command is not used.

In Cisco IOS Release 12.2(33)SRE and later releases the subslot argument was removed.

Examples

The following crypto-connect mode example shows how to assign VLAN interface 101 to the IPSec VPN SPA in slot 3, subslot 0:

Router(config)# interface Vlan101
Router(config-if)# ip address 192.168.101.1 255.255.255.0
Router(config-if)# crypto map cmap
Router(config-if)# crypto engine slot 3/0
Router(config)# interface GigabitEthernet2/1
Router(config-if)# crypto connect Vlan101

The following VRF mode example shows how to assign VLAN interface 101 to the IPSec VPN SPA in slot 3, subslot 0:

Router(config)# interface Vlan101
Router(config-if)# ip vrf forwarding abc
Router(config-if)# ip address 10.2.1.1 255.255.255.0
Router(config-if)# crypto engine slot 3/0 inside
Router(config-if)# crypto map map100

The following VRF mode example shows how to assign Tunnel interface 1 to the IPSec VPN SPA in slot 4, subslot 0:

Router(config)# interface Tunnel1
Router(config)# ip vrf forwarding abc
Router(config-if)# ip address 10.1.1.254 255.255.255.0
Router(config-if)# tunnel source 172.1.1.1 
Router(config-if)# tunnel destination 100.1.1.1
Router(config-if)# tunnel mode ipsec profile tp
Router(config-if)# crypto engine slot 4/0 inside

The following VRF mode example assigns the WAN-side interface GigabitEthernet1/1 to the IPSec VPN SPA in slot 3, subslot 0:

Router(config)# interface GigabitEthernet1/1
Router(config-if)# ip address 171.1.1.1 255.255.255.0
Router(config-if)# crypto engine slot 3/0 outside

crypto gdoi ks

To trigger a rekey of group members in a GET VPN network, use the crypto gdoi ks command in privileged EXEC mode.

crypto gdoi ks [group group-name] rekey [replace-now]

Syntax Description

group group-name

(Optional) Name of the group.

rekey

Sends a rekey message based on the latest security policy in the running configuration.

replace-now

(Optional) Removes the old TEKs and KEK from group members (GMs) immediately and installs the new TEKs and KEK.

Command Default

No rekey is triggered.

Command Modes


Privileged EXEC (#)

Command History

Release

Modification

15.2(1)T

This command was introduced.

Cisco IOS XE Release 3.8S

This command was integrated into Cisco IOS XE Release 3.8S.

Usage Guidelines

When you change the policy (for example, from DES to AES) on the key server (KS) and exit from global configuration mode, a syslog message appears on the primary KS indicating that the policy has changed and a rekey is needed. You can enter the crypto gdoi ks command to send a rekey based on the latest security policy in the running configuration.

When each GM receives this triggered rekey, it installs the new SAs (for example, for AES) and shortens the lifetimes of the old SAs (for example, for DES). The GM continues to encrypt and decrypt traffic using the old SAs until their shortened lifetimes expire.

For GMs that are running older versions that do not yet support the crypto gdoi ks command, the primary KS uses the software versioning feature to detect those versions and only triggers a rekey without sending instruction for policy replacement. Therefore, when a GM receives the rekey, it installs the new SAs but does not shorten the lifetimes of the old SAs. (This behavior is the same as the prior rekey method and ensures backward compatibility for devices that cannot support policy replacement.)

If the replace-now keyword is used, the GM that receives the rekey will immediately remove the old TEKs and KEK and install the new TEKs and KEK. Therefore, the new policy takes effect immediately without waiting for existing policy SAs to expire.

You must use this command on the KS or primary KS. If you try to use this command on the secondary KS, it rejects the command as shown below:


Device# crypto gdoi ks rekey

ERROR for group GET: This command must be executed on Pri-KS

Note


The replace-now keyword could cause a temporary traffic discontinuity, because all GMs may not receive the rekey message at the same time.


Examples

The following example shows how to trigger a rekey on all GMs:


Device# crypto gdoi ks rekey
Device#
*Jan 28 09:17:44.363: %GDOI-5-KS_SEND_UNICAST_REKEY: Sending Unicast Rekey with 
policy-replace for group GET from address 10.0.8.1 with seq # 2

The following example shows how to remove the old TEKs and KEK from GMs immediately and install the new TEKs and KEK:


Device# crypto gdoi ks rekey replace-now

crypto gdoi gm

For group members to change the IP security (IPsec) security association (SA) status, use the crypto gdoi gm command in privileged EXEC mode.

crypto gdoi gm group group-name {ipsec direction inbound optional | ipsec direction inbound only | ipsec direction both}

Syntax Description

group group-name

Name of the group.

ipsec direction inbound optional

Allows a group member to change the IPsec SA status to inbound optional. IPsec SA will accept cipher or plain text or both and will encrypt the packet before forwarding it.

ipsec direction inbound only

Allows a group member to change the IPsec SA status to inbound only. IPsec SA will accept cipher or plain text or both and will forward the packet in clear text.

ipsec direction both

Allows a group member to change the IPsec SA status to both inbound and outbound. IPsec SA will accept only cipher text and will encrypt the packet before forwarding it.

Command Default

If the sa receive-only command is specified on the key server, the group member remains in receive-only mode.

Command Modes


Privileged EXEC

Command History

Release

Modification

12.4(11)T

This command was introduced.

Usage Guidelines

This command is executed on group members. This command and its various keywords aid in testing individual group members and verifies that the group members are encrypting or decrypting traffic. This command and its keywords can be used only after the sa receive-only command has been configured on the key server.

The ipsec direction inbound optional keyword is used for situations in which all group members have been instructed to install the IPsec SAs as inbound only but for which a group member wants to install the IPsec SAs as inbound optional.

The ipsec direction inbound only keyword is used when a group member wants to change a previously set IPsec SA status to inbound only.

The ipsec direction both keyword is used when a group member has to change a previously set IPsec SA status to both inbound and outbound. In this setting, the group member accepts only cipher text.

Examples

The following example shows how to determine whether a group member can accept cipher text.

On Group Member 1, configure the following:


crypto gdoi gm group groupexample ipsec direction inbound only

On Group Member 2, configure the following:


crypto gdoi gm group groupexample ipsec direction inbound optional

Then Ping Group Member 1.

Group Member 2 will have encrypted the packet and will send an encrypted packet to Group Member 1, which then decrypts that packet. If the traffic is from Group Member 1 to Group Member 2, Group Member 1 will forward the packet in clear text, and Group Member will accept it.

crypto gdoi group

To create a Group Domain of Interpretation (GDOI) group and enter GDOI group configuration mode, use the crypto gdoi group command in global configuration mode. To disable a GDOI group, use the no form of this command.

crypto gdoi group [ipv6] group-name

no crypto gdoi group [ipv6] group-name

Syntax Description

group-name

Name of the group. You can use up to 80 characters.

ipv6

Creates an IPv6 group.

Command Default

A GDOI group is not defined.

Command Modes


Global configuration

Command History

Release

Modification

12.4(6)T

This command was introduced.

15.2(3)T

This command was modified. The ipv6 keyword was added.

Usage Guidelines

There are more options for configuring a group on a key server than there are for configuring a group member. The group is identified by an identity and by the server. If the GDOI group is a group member, the address of the server is specified. If the GDOI group is a key server, “server local” is specified, which indicates that this is the key server.

Examples

The following example shows how to configure an IPv4 GDOI group for a key server:


crypto gdoi group mygroup
 identity number 4444
 server local

The following example shows how to configure an IPv6 GDOI group for a key server:


crypto gdoi group ipv6 mygroup2
 identity number 4444
 server local

The following example shows how to configure an IPv4 GDOI group for a group member:


crypto gdoi group mygroup3
 identity number 3333
 server address ipv4 10.0.5.2

crypto identity

To configure the identity of the router with a given list of distinguished names (DNs) in the certificate of the router, use the crypto identity command in global configuration mode. To delete all identity information associated with a list of DNs, use the no form of this command.

crypto identity name

no crypto identity name

Syntax Description

name

Identity of the router, which is associated with the given list of DNs.

Command Default

If this command is not enabled, the IP address is associated with the identity of the router.

Command Modes


Global configuration (config)

Command History

Release

Modification

12.2(4)T

This command was introduced.

12.2(18)SXD

This command was integrated into Cisco IOS Release 12.2(18)SXD.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.4(20)T

Support for IPv6 was added.

Usage Guidelines

The crypto identity command allows you to configure the identity of a router with a given list of DNs. Thus, when used with the dn and fqdn commands, you can set restrictions in the router configuration that prevent peers with specific certificates, especially certificates with particular DNs, from having access to selected encrypted interfaces.


Note


The identity of the peer must be the same as the identity in the exchanged certificate.


Examples

The following example shows how to configure a DN-based crypto map:


! The following is an IPSec crypto map (part of IPSec configuration). It can be used only 
! by peers that have been authenticated by DN and if the certificate belongs to BigBiz.
crypto map map-to-bigbiz 10 ipsec-isakmp
 set peer 172.21.114.196
 set transform-set my-transformset 
 match address 124
 identity to-bigbiz
!
crypto identity to-bigbiz
 dn ou=BigBiz
!
!
! This crypto map can be used only by peers that have been authenticated by hostname
! and if the certificate belongs to little.com.
crypto map map-to-little-com 10 ipsec-isakmp
 set peer 172.21.115.119
 set transform-set my-transformset 
 match address 125
 identity to-little-com
!
crypto identity to-little-com
 fqdn little.com
!

crypto ikev2 authorization policy

To configure an IKEv2 authorization policy, use the crypto ikev2 authorization policy command in global configuration mode. To remove this command and all associated subcommands from your configuration, use the no form of this command. To return the authorization policy to its default value, use the default form of this command.

crypto ikev2 authorization policy policy-name

no crypto ikev2 authorization policy policy-name

default crypto ikev2 authorization policy

Syntax Description

policy-name

Group definition that identifies which policy is enforced for users.

Command Default

The default IKEv2 authorization policy is used.

Command Modes


Global configuration (config)

Command History

Release

Modification

15.1(3)T

This command was introduced.

Cisco IOS XE Release 3.3S

This command was integrated into Cisco IOS XE Release 3.3S.

Usage Guidelines

Use the crypto ikev2 authorization policy command to specify the group for which a policy profile must be defined and the group policy information that needs to be defined or changed. You may wish to change the group policy on your router if you decide to connect to the client using a group ID that does not match the policy-name argument. The authorization policy is referred from the IKEv2 profile using the aaa authorization group command where the group name can be directly specified or derived from the remote identities using a name mangler.

If AAA authorization is configured as local, AAA derives the authorization attributes from IKEv2 client configuration group through the callback to crypto component.

After enabling this command, which puts the networking device in IKEv2 group authorization policy mode, you can specify the characteristics for the authorization policy using the following commands:

  • dhcp-- Configures an IP address on the remote access client for the Dynamic Host Configuration Protocol (DHCP) to use.

  • dns --Specifies the primary and secondary Domain Name Service (DNS) servers for the group.

  • netmask --Subnet mask to be used by the client for local connectivity.

  • pool --Refers to the IP local pool address used to allocate internal IP addresses to clients.

  • subnet-acl --Configures split tunneling.

  • wins --Specifies the primary and secondary Windows Internet Naming Service (WINS) servers for the group.

You can modify the default authorization policy using the crypto ikev2 authorization policy default command. You can either modify the entire authorization policy or modify one of the above commands.

You can disable the default authorization policy using the no crypto ikev2 authorization policy default command. When disabled, the values in the default authorization policy are copied and the default proposal remains inactive.

Examples

The following example shows how the client configuration group is referred from IKEv2 profile using the aaa authorization group command where the group name is specified directly. In this example, the policy is enforced for users that matches the group name “abc.”


aaa new-model
aaa authorization network aaa-group-list default local
!
crypto ikev2 authorization policy 
abc
  pool pool1
  dns 198.51.100.1 198.51.100.100
  wins 203.0.113.1 203.0.113.115
  dhcp server 3.3.3.3
  dhcp giaddr 192.0.2.1
  dhcp timeout 10
  netmask 255.255.255.0
  subnet-acl acl-123
!
crypto ikev2 profile profile1
  authentication remote eap
aaa authorization group aaa-group-list abc
!
ip access-list extended acl-123
permit ip 209.165.200.225 0.0.0.31 any
permit ip 209.165.201.1 255.255.255.224 any

crypto ikev2 certificate-cache

To set the cache size to store certificates, use the crypto ikev2 certificate-cache command in global configuration mode. To delete the cache size, use the no form of this command.

crypto ikev2 certificate-cache number-of-certificates

no crypto ikev2 certificate-cache

Syntax Description

number-of-certificates

The maximum number of certificates that can be stored in the cache.

Command Default

The cache size is not set.

Command Modes


Global configuration (config)

Command History

Release

Modification

15.1(1)T

This command was introduced.

Cisco IOS XE Release 3.3S

This command was integrated into Cisco IOS XE Release 3.3S.

15.2(4)S

This command was integrated into Cisco IOS Release 15.2(4)S.

Usage Guidelines

Use this command to set the cache to store the maximum number of certificates fetched from the HTTP URLs.

Examples

The following example sets the cache size to store 500 certificates:


Router(config)# crypto ikev2 certificate-cache 500

crypto ikev2 cluster

To configure an Internet Key Exchange Version 2 (IKEv2) cluster policy in a Hot Standby Router Protocol (HSRP) cluster, use the crypto ikev2 cluster command in global configuration mode. To remove this command and all associated commands from your configuration, use the no form of this command.

crypto ikev2 cluster

no crypto ikev2 cluster

Syntax Description

This command has no keywords or arguments.

Command Default

An IKEv2 cluster policy is not configured.

Command Modes

Global configuration (config)

Command History

Release

Modification

15.2(4)M

This command was introduced.

Usage Guidelines

Use the crypto ikev2 cluster command to define an IKEv2 cluster policy and to enter IKEv2 cluster configuration mode.

After enabling this command, you can specify the characteristics for the cluster policy by using the following commands:

  • holdtime

  • master

  • port

  • slave

  • standby-group

To view the cluster configuration, use the show crypto ikev2 cluster command.

Examples

The following example shows how to configure an IKEv2 cluster policy:

Device(config)# crypto ikev2 cluster
Device(config-ikev2-cluster)# master crypto-load 10
Device(config-ikev2-cluster)# slave priority 90

crypto ikev2 cookie-challenge

To enable a cookie challenge for Internet Key Exchange Version 2 (IKEv2), use the crypto ikev2 cookie-challenge command in global configuration mode. To disable the cookie challenge, use the no form of this command.

crypto ikev2 cookie-challenge number

no crypto ikev2 cookie-challenge

Syntax Description

number

Enables the IKEv2 cookie challenge when the number of half-open security associations (SAs) crosses the configured number. The range is 1 to 1000.

Command Default

The cookie challenge is disabled.

Command Modes


Global configuration (config)

Command History

Release

Modification

15.1(1)T

This command was introduced.

Cisco IOS XE Release 3.3S

This command was integrated into Cisco IOS XE Release 3.3S.

15.2(4)S

This command was integrated into Cisco IOS Release 15.2(4)S.

Usage Guidelines

Use this command to enable the IKEv2 cookie challenge. A cookie challenge mitigates the effect of a DoS attack when an IKEv2 responder is flooded with session initiation requests from forged IP addresses.

Examples

The following example sets the cookie challenge to 450:


Router(config)# crypto ikev2 cookie-challenge 450

crypto ikev2 cts

To enable IPsec inline tagging globally, use the crypto ikev2 cts command in global configuration mode. To disable the SGT inline tagging, use the no form of this command.

crypto ikev2 cts sgt

no crypto ikev2 cts sgt

Syntax Description

sgt

Enables Security Group Tag (SGT) IPsec inline tagging.

Command Default

IPsec inline tagging is not enabled.

Command Modes

Global configuration (config)

Command History

Release

Modification

15.2(2)T

This command was introduced.

Usage Guidelines


Note


Security threats, as well as the cryptographic technologies to help protect against them, are constantly changing. For more information about the latest Cisco cryptographic recommendations, see the Next Generation Encryption (NGE) white paper.


This command applies to all sessions on the router. If IPsec inline tagging is disabled, the new negotiated sessions do not negotiate the vendor ID (VID). However, the current SA and the subsequent SA rekey are enabled with the feature until the lifetime of the SA. This applies to the new IPsec SA and the rekey of the IPsec SA established using the parent or rekeyed IKE SA.

Examples

The following example shows how to enable IPsec inline tagging on an sVTI initiator and dVTI responder.


crypto ikev2 proposal p1 
 encryption aes-cbc-128
 integrity sha1
 group 14
!
crypto ikev2 policy policy1 
 proposal p1
!
crypto ikev2 keyring key
 peer peer
  address ::/0
  pre-shared-key cisco
 !
 peer v4
  address 0.0.0.0 0.0.0.0
  pre-shared-key cisco
 !
!
!
crypto ikev2 profile prof3
 match identity remote address 0.0.0.0 
 authentication local pre-share
 authentication remote pre-share
 keyring key
!
crypto ikev2 cts sgt
!
crypto ipsec transform-set trans1 esp-aes esp-sha-hmac 
!
crypto map cmap 1 ipsec-isakmp 
 set peer 10.1.1.2
 set transform-set trans 
 set ikev2-profile prof3
 match address ipv4acl
!
!
interface Loopback1
 ip address 209.165.201.1 255.255.255.224
 ipv6 address 2001::4:1/112
!
interface Loopback2
 ip address 209.165.200.1 255.255.255.224
 ipv6 address 2001::40:1/112
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address 192.168.210.74 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 172.16.0.1 255.240.0.0
 duplex auto
 speed auto
 ipv6 address 2001::5:1/112
 ipv6 enable
 crypto map cmap
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 172.16.0.2
ip route 10.12.255.200 255.0.0.0 172.31.255.254
!
ip access-list extended ipv4acl
 permit ip host 209.165.201.1host 192.168.12.125
 permit ip host 209.165.200.1 host 172.18.0.1
 permit ip host 172.28.0.1 host 10.10.10.1
 permit ip host 10.12.255.200 host 192.168.14.1
!
logging esm config
ipv6 route ::/0 2001::5:2
!
!
!
!
!!
control-plane
!
!
!
line con 0
 exec-timeout 0 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 login
 transport input all
!
exception data-corruption buffer truncate
scheduler allocate 20000 1000

crypto ikev2 proposal p1 
 encryption aes-cbc-192
 integrity sha1
 group 15
!
crypto ikev2 policy policy1 
 proposal p1
!
crypto ikev2 keyring key
 peer peer
  address 172.160.1.1 255.240.0.0
  pre-shared-key cisco
 !
 peer v4_p2
  address 172.31.255.1 255.240.0.0
  pre-shared-key cisco
 !
crypto ikev2 profile prof
 match identity remote address 0.0.0.0 
 authentication local pre-share
 authentication remote pre-share
 keyring key
 virtual-template 25
!
crypto ikev2 cts sgt
!
crypto ipsec transform-set trans esp-null esp-sha-hmac 
!
crypto ipsec profile prof_ipv4
 set transform-set trans 
 set ikev2-profile prof1_ipv4
!
!
interface Loopback0
 ip address 192.168.12.1 255.255.0.0
!
interface Loopback1
 no ip address
!
interface Loopback2
 ip address 172.18.0.1 255.240.0.0
!
interface Loopback10
 no ip address
 ipv6 address 2001::8:1/112
!
interface Loopback11
 no ip address
 ipv6 address 2001::80:1/112
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address 10.1.1.2 255.0.0.0
 duplex auto
 speed auto
 ipv6 address 2001::7:1/112
 ipv6 enable
!
interface GigabitEthernet0/1
 ip address 10.10.10.2 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 ip address 192.168.210.144 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/0/0
 no ip address
 shutdown
!
interface FastEthernet0/0/1
 no ip address
!
interface FastEthernet0/0/2
 no ip address
!
interface FastEthernet0/0/3
 no ip address
!
!
interface Virtual-Template25 type tunnel
 ip unnumbered GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile prof_ipv4
!
interface Vlan1
 no ip address
!
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 10.1.1.1
ip route 172.17.0.0 255.240.0.0 10.10.10.1
!
logging esm config
ipv6 route ::/0 2001::7:2
!
control-plane
!
!
!
line con 0
 exec-timeout 0 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 login
 transport input all
!
exception data-corruption buffer truncate
scheduler allocate 20000 1000
end

crypto ikev2 diagnose

To enable Internet Key Exchange Version 2 (IKEv2) error diagnostics, use the crypto ikev2 diagnose command in global configuration mode. To disable the error diagnostics, use the no form of this command.

crypto ikev2 diagnose error number

no crypto ikev2 diagnose error

Syntax Description

error

Enables the IKEv2 error path tracing.

number

Specifies the maximum number of errors allowed in the exit path entry. The range is 1 to 1000.

Command Default

IKEv2 error diagnostics is not enabled.

Command Modes


Global configuration (config)

Command History

Release

Modification

15.1(1)T

This command was introduced.

Cisco IOS XE Release 3.3S

This command was integrated into Cisco IOS XE Release 3.3S.

15.2(4)S

This command was integrated into Cisco IOS Release 15.2(4)S.

Usage Guidelines

Use this command to enable IKEv2 error path tracing and to specify the number of entries in the exit path database. When the number exceeds the specified number, new entries replace the old entries.

Examples

The following example sets the maximum number of entries that can be logged:


Router(config)# crypto ikev2 diagnose error 500

crypto ikev2 dpd

To configure Dead Peer Detection (DPD) for Internet Key Exchange Version 2 (IKEv2), use the crypto ikev2 dpd command in global configuration mode. To delete DPD, use the no form of this command.

crypto ikev2 dpd interval retry-interval {on-demand | periodic}

no crypto ikev2 dpd

Syntax Description

interval

Specifies the keepalive interval in seconds.

retry-interval

Specifies the retry interval in seconds when there is no reply from the peer.

on-demand

Specifies the on-demand mode to send keepalive only in the absence of any incoming data traffic, to check the liveness of the peer before sending any data.

periodic

Specifies the periodic mode to send keepalives regularly at a specified interval.

Command Default

DPD is disabled by default.

Command Modes


Global configuration (config)

Command History

Release

Modification

15.1(1)T

This command was introduced.

Cisco IOS XE Release 3.3S

This command was integrated into Cisco IOS XE Release 3.3S.

15.2(4)S

This command was integrated into Cisco IOS Release 15.2(4)S.

Usage Guidelines

Use this command to configure DPD globally for all peers. The DPD configuration in a Internet Key Exchange Version 2 (IKEv2) profile overrides the global DPD configuration.

Examples

The following example shows how to configure the periodic mode for DPD. In the example in this step, the first DPD is sent after 30 seconds when there is no incoming ESP traffic. After waiting for 6 seconds (which is the specified retry interval), DPD retries are sent agressively 5 times in intervals of 6 seconds each. So, a total of 66 seconds (30 + 6 + 6 * 5 = 66) elapses before a crypto session is torn down because of DPD.

Router(config)# crypto ikev2 dpd 30 6 on-demand

crypto ikev2 fragmentation

To configure Internet Key Exchange Version 2 (IKEv2) fragmentation, use the crypto ikev2 fragmentation command in global configuration mode. To disable the fragmentation, use the no form of this command.

crypto ikev2 fragmentation mtu mtu-size

no crypto ikev2 fragmentation

Syntax Description

mtu mtu-size

Specifies the maximum transmission unit in bytes. The range is from 68 to 1500 bytes.

Command Default

IKEv2 fragmentation is disabled.

Command Modes

Global configuration (config)

Command History

Release

Modification

15.1(3)T

This command was introduced.

Cisco IOS XE Release 3.3S

This command was integrated into Cisco IOS XE Release 3.3S.

Usage Guidelines

Use this command to fragment the IKEv2 packets at IKEv2 layer and to avoid fragmentation after encryption. The MTU size refers to the IP or UDP encapsulated IKEv2 packets. The formula for fragmenting a packet is calculated as follows:

Specified MTU - UDP header - IP header = fragment packet size.

Using the above formula, if the MTU size is 100, specified in the command as crypto ikev2 fragmentation mtu 100 , an IKE packet is fragmented if the packet size is greater than 72 bytes.

100 (specified MTU) - 8 (UDP header) - 20 (IP header) = 72 bytes.

Examples

The following example shows how to configure IKEv2 fragmentation:

Router# enable
Router(config)# crypto ikev2 fragmentation mtu 200

crypto ikev2 http-url

To enable lookup based on HTTP URL, use the crypto ikev2 http-url command in global configuration mode. To disable the lookup based on HTTP URL, use the no form of this command.

crypto ikev2 http-url cert

no crypto ikev2 http-url cert

Syntax Description

cert

Enable certificate lookup based on the HTTP URL.

Command Default

HTTP CERT is enabled by default.

Command Modes


Global configuration (config)

Command History

Release

Modification

15.1.(1)T

This command was introduced.

Cisco IOS XE Release 3.3S

This command was integrated into Cisco IOS XE Release 3.3S.

15.2(4)S

This command was integrated into Cisco IOS Release 15.2(4)S.

Usage Guidelines

Use this command to enable certificate lookup based on the HTTP URL. HTTP CERT indicates that the node is capable of looking up certificates based on the URL. This avoids the fragmentation that results when transferring large certificates.

Examples

The following example shows how to configure HTTP CERT:


Router(config)# crypto ikev2 http-url cert

crypto ikev2 keyring

To configure an Internet Key Exchange version 2 (IKEv2) key ring, use the crypto ikev2 keyring command in the global configuration mode. To delete an IKEv2 keyring, use the no form of this command.

crypto ikev2 keyring keyring-name

no crypto ikev2 keyring keyring-name

Syntax Description

keyring-name

Name of the keyring.

Command Default

There is no default key ring.

Command Modes


Global configuration (config)

Command History

Release

Modification

15.1(1)T

This command was introduced.

Cisco IOS XE Release 3.3S

This command was integrated into Cisco IOS XE Release 3.3S.

15.2(4)S

This command was integrated into Cisco IOS Release 15.2(4)S.

Usage Guidelines

IKEv2 keyrings are independent of IKEv1 keyrings. The key differences are as follows:

  • IKEv2 keyrings support symmetric and asymmetric preshared keys.

  • IKEv2 keyrings do not support Rivest, Shamir and Adleman (RSA) public keys.

  • IKEv2 keyrings are specified in the IKEv2 profile and are not looked up, unlike IKEv1 where keys are looked up on receipt of MM1 to negotiate the preshared key authentication method. The authentication method is not negotiated in IKEv2.

  • IKEv2 keyrings are not associated with VPN routing and forwarding (VRF) during configuration. The VRF of an IKEv2 keyring is the VRF of the IKEv2 profile that refers the keyring.

  • A single keyring can be specified in an IKEv2 profile, unlike an IKEv1 profile, which can specify multiple keyrings.

  • A single keyring can be specified in more than one IKEv2 profile, if the same keys are shared across peers matching different profiles.

  • An IKEv2 keyring is structured as one or more peer subblocks.

On an IKEv2 initiator, IKEv2 keyring key lookup is performed using the peer’s hostname or the address, in that order. Use the hostname (ikev2 keyring) and address (ikev2 keyring) commands to configure the hostname and address in the IKEv2 keyring peer configuration mode.

On an IKEv2 responder, the key lookup is performed using the peer’s IKEv2 identity or the address, in that order. Use the address (ikev2 keyring) and identity (ikev2 keyring) command to configure the address and identity in IKEv2 keyring peer configuration mode.


Note


You cannot configure the same identity in more than one peer.


The best match is only performed for address configurations and a key lookup is performed for the remaining peer identification, including identity address.

Examples

The following example shows how to configure a keyring:


Router(config)# crypto ikev2 keyring keyring-1
Router(config-ikev2-keyring)# peer peer1
Router(config-ikev2-keyring-peer)# description example.com
Router(config-ikev2-keyring-peer)# address 0.0.0.0 0.0.0.0
 
Router(config-ikev2-keyring-peer)# pre-shared-key xyz-key

The following example shows how a keyring match is performed. In the example, the key lookup for peer 10.0.0.1 would first match the wildcard key abc-key, then the prefix key abc-key and finally the host key host1-abc-key and the best match host1-abc-key is used.


Router(config)# crypto ikev2 keyring keyring-1
Router(config-ikev2-keyring)# peer peer1
Router(config-ikev2-keyring-peer)# description example.com
Router(config-ikev2-keyring-peer)# address 0.0.0.0 0.0.0.0
 
Router(config-ikev2-keyring-peer)# pre-shared-key xyz-key
Router(config-ikev2-keyring)# peer peer1
Router(config-ikev2-keyring-peer)# description abc.example.com
Router(config-ikev2-keyring-peer)# address 10.0.0.0 255.255.0.0
 
Router(config-ikev2-keyring-peer)# pre-shared-key abc-key
Router(config-ikev2-keyring)# peer host1
Router(config-ikev2-keyring-peer)# description host1@abc.example.com
Router(config-ikev2-keyring-peer)# address 10.0.0.1
Router(config-ikev2-keyring-peer)# pre-shared-key host1-abc-key

In the following example, the key lookup for peer 10.0.0.1 would first match the host key host1-abc-key. Because, this is a specific match, no further lookup is performed.


Router(config)# crypto ikev2 keyring keyring-2
Router(config-ikev2-keyring)# peer host1
Router(config-ikev2-keyring-peer)# description host1 in abc.example.com sub-domain
Router(config-ikev2-keyring-peer)# address 10.0.0.1
Router(config-ikev2-keyring-peer)# pre-shared-key host1-abc-key
Router(config-ikev2-keyring)# peer host2
Router(config-ikev2-keyring-peer)# description example domain
Router(config-ikev2-keyring-peer)# address 0.0.0.0 0.0.0.0 
Router(config-ikev2-keyring-peer)# pre-shared-key xyz-key

crypto ikev2 limit

To enable call admission control in Internet Key Exchange Version 2 (IKEv2), use the crypto ikev2 limit command in the global configuration mode. To disable call admission control, use the no form of this command.

crypto ikev2 limit {max-in-negotiation-sa limit [incoming | outgoing] | max-sa limit | queue sa-init limit}

no crypto ikev2 limit {max-in-negotiation-sa limit [incoming | outgoing] | max-sa limit | queue sa-init}

Syntax Description

max-in-negotiation-sa limit

Limits the total number of in-negotiation IKEv2 security associations (SAs) on the node.

incoming

(Optional) Limits the total number of in-negotiation IKEv2 SAs on the incoming node.

outgoing

(Optional) Limits the total number of in-negotiation IKEv2 SAs on the outgoing node.

max-sa limit

Limits the total number of IKEv2 SAs on the node.

queue sa-init limit

Limits the incoming SA_INIT requests size.

Command Default

By default, there is no configured limit on the number of IKEv2 SAs.

Command Modes

Global configuration (config)

Command History

Release

Modification

15.1(1)T

This command was introduced.

Cisco IOS XE Release 3.3S

This command was integrated into Cisco IOS XE Release 3.3S.

15.2(4)S

This command was integrated into Cisco IOS Release 15.2(4)S.

Cisco IOS XE Release 3.12S

This command was modified. The incoming and outgoing keywords were added.

Cisco IOS XE Everest 16.5.1

This command was modified. The queue sa-init limit keyword-argument pair was added.

Cisco IOS XE Everest 16.6.1

The default queue sa-init limit of 5000 from being nvgen was stopped.

Usage Guidelines

Call admission control limits the in-negotiation and total number of IKEv2 SA on a node.


Note


In IKEv2, rekey is not a new security association (SA) unlike in IKEv1. Hence, the rekey SA is not counted.

The queue sa-init limit keyword-argument pair limits the queue size to improve performance if you encounter packet drops from the initiating client due to response timeout. The packets are dropped when a source device sends IKEv2 INIT packets to a destination device to establish a tunnel, and the destination device is unable to process IKEv2 INIT packets faster due to a large queue of packets for processing on the responder device.

Examples

The following example shows how to enable call admission control:

Device(config)# crypto ikev2 max-in-negotiation-sa limit 5000

crypto ikev2 name mangler

To configure the Internet Key Exchange version 2 (IKEv2) name mangler, use the crypto ikev2 name mangler command in global configuration mode. To delete the name mangler, use the no form of this command.

crypto ikev2 name mangler mangler-name

no crypto ikev2 name mangler mangler-name

Syntax Description

mangler-name

IKEv2 mangler name.

Command Default

IKEv2 name mangler is disabled.

Command Modes


Global configuration (config)

Command History

Release

Modification

15.1(3)T

This command was introduced.

Cisco IOS XE Release 3.3S

This command was integrated into Cisco IOS XE Release 3.3S.

Usage Guidelines

The IKEv2 name mangler is used to derive a name for the AAA group or user authorization requests. The name mangler contains multiple statements--one for each identity type. The name mangler is derived from the specified portions of different forms of remote IKE identities or EAP identity. The name mangler is referred in the IKEv2 profile using the aaa authorization command.

After enabling this command, which puts the networking device in IKEv2 name mangler configuration mode, you can specify the characteristics for the name mangler using the following commands:

  • dn-- Derives the name from the remote identity of type distinguished name (DN).

  • eap --Derives the name from remote identities of type Extensible Authentication Protocol (EAP).

  • email --Derives the name from the remote identity of type e-mail.

  • fqdn --Derives the name from the remote identity of type Fully Qualified Domain Name (FQDN).

Examples

The following example shows how to define name manglers based on identity of type FQDN:


crypto ikev2 name-mangler mangler1   
 fqdn domain
crypto ikev2 name-mangler mangler2
 fqdn hostname
crypto ikev2 name-mangler mangler3
 fqdn all

The following example shows how to define name manglers based on identity of type e-mail:


crypto ikev2 name-mangler mangler1   
 email domain
crypto ikev2 name-mangler mangler2
 email username
crypto ikev2 name-mangler mangler3
 email all

The following example shows how to define name manglers based on identity of type DN:


crypto ikev2 name-mangler mangler2
  DN country 
crypto ikev2 name-mangler mangler3
  DN state
crypto ikev2 name-mangler mangler4
  DN organization
crypto ikev2 name-mangler mangler5
  DN organization-unit 

The following example shows how to define name manglers based on identity of type EAP:


crypto ikev2 name-mangler mangler1   
  eap all
crypto ikev2 name-mangler mangler2
  eap prefix user123 delimiter @
crypto ikev2 name-mangler mangler3
  eap suffix cisco delimiter
crypto ikev2 name-mangler mangler4
 eap DN common-name

crypto ikev2 nat

To configure Network Address Translation (NAT) keepalive for Internet Key Exchange Version 2 (IKEv2), use the crypto ikev2 nat command in global configuration mode. To delete NAT keepalive configuration, use the no form of this command.

crypto ikev2 nat keepalive interval

no crypto ikev2 nat keepalive interval

Syntax Description

keepalive interval

Specifies the NAT keepalive interval in seconds.

Command Default

NAT keepalive is disabled by default.

Command Modes


Global configuration (config)

Command History

Release

Modification

15.1(1)T

This command was introduced.

Cisco IOS XE Release 3.3S

This command was integrated into Cisco IOS XE Release 3.3S.

15.2(4)S

This command was integrated into Cisco IOS Release 15.2(4)S.

Usage Guidelines

Use this command to configure NAT keepalive globally for all peers. The NAT keepalive configuration specified in the IKEv2 profile overrides the global configuration. NAT keepalive prevents the deletion of NAT translation entries in the absence of any traffic, when NAT is between IKEv2 peers.

Examples

The following example shows how to specify a NAT keepalive interval of 500 seconds:


Router(config)# crypto ikev2 nat keepalive 500

crypto ikev2 policy

To configure an Internet Key Exchange Version 2 (IKEv2) policy, use the crypto ikev2 policy command in global configuration mode. To delete a policy, use the no form of this command. To return the policy to its default value, use the default form of this command.

crypto ikev2 policy name

no crypto ikev2 policy name

default crypto ikev2 policy

Syntax Description

name

Name of the IKEv2 policy.

Command Default

A default IKEv2 policy is used only in the absence of any user-defined IKEv2 policy. The default IKEv2 policy will have the default IKEv2 proposal and will match all local addresses in a global VPN Routing and Forwarding (VRF).

Command Modes

Global configuration (config)

Command History

Release

Modification

15.1(1)T

This command was introduced.

Cisco IOS XE Release 3.3S

This command was integrated into Cisco IOS XE Release 3.3S.

15.2(4)S

This command was integrated into Cisco IOS Release 15.2(4)S.

Usage Guidelines

An IKEv2 policy contains the proposals that are used to negotiate the encryption, integrity, Psuedo-Random Function (PRF) algorithms and Diffie-Hellman (DH) group in SA_INIT exchange. IKEv2 policy can have match statements, which are used as selection criteria to select a policy for negotiation.

An IKEv2 policy must contain at least one proposal to be considered as complete, and can have more proposals and match statements.

A policy can have similar or different match statements. Match statements that are similar are logically ORed and match statements that are different are logically ANDed. There is no precedence between match statements of different types. Policy check will happen in a sequential order. To avoid unexpected or unpredictable behavior during IKEv2 policy selection, overlapping match statements must not be configured.

A policy is matched as follows:

  • If no IKEv2 policy is configured, the default policy is used for negotiating a SA that uses any local address in a global VRF.

  • If IKEv2 policies are configured, the policy with the best match is selected.

  • If none of the configured policies matches, the SA_INIT exchange does not start.

You can modify the default policy using the crypto ikev2 policy default command. You can modify the entire policy or one of the statements in the policy.

You can disable the default policy using the no crypto ikev2 policy default command. When disabled, the values in the default policy are copied and the default policy remains inactive.

Examples

The following examples show how to configure a policy and how a policy match is performed:

Router(config)# crypto ikev2 policy policy1
Router(config-ikev2-policy)# proposal pro1
Router(config-ikev2-policy)# match fvrf green
Router(config-ikev2-policy)# match address local 10.0.0.1

The policy policy1 is selected and proposal pro1 is used for negotiating IKEv2 SA with the local address as 10.0.0.1 and the FVRF as green:

Router(config)# crypto ikev2 policy policy1
Router(config-ikev2-policy)# proposal pro1
Router(config-ikev2-policy)# match address local 10.0.0.1

The policy policy1 is selected and proposal pro1 is used for negotiation of the IKEv2 SA that is negotiatied with the local address as 10.0.0.1 and the FVRF as global:


Router(config)# crypto ikev2 policy policy1
Router(config-ikev2-policy)# proposal pro1
Router(config-ikev2-policy)# match fvrf green

The policy policy1 is selected and proposal pro1 is used for negotiation of the IKEv2 SA that is negotiatied with any local address and the FVRF as green.

Examples

The following example shows how a policy is chosen out of two policies:


Router(config)# crypto ikev2 policy policy1
Router(config-ikev2-policy)# proposal1
Router(config-ikev2-policy)# match fvrf green
Router(config)# crypto ikev2 policy policy2
Router(config-ikev2-policy)# proposal1
Router(config-ikev2-policy)# match fvrf green
Router(config-ikev2-policy)# match local address 10.0.0.1

To negotiate the SA for local address 10.0.0.1 and FVRF as green, policy 2 is selected because policy 2 is the best match:


Router(config)# crypto ikev2 policy policy1
Router(config-ikev2-policy)# proposal2
Router(config-ikev2-policy)# match local address 10.0.0.1
Router(config-ikev2-policy)# match fvrf green
Router(config)# crypto ikev2 policy policy2
Router(config-ikev2-policy)# proposal1
Router(config-ikev2-policy)# match fvrf green
Router(config-ikev2-policy)# match local address 10.0.0.1

In this case, even though both the policies are the best match, policy1 is selected, because it was configured first.

crypto ikev2 profile

To configure an Internet Key Exchange Version 2 (IKEv2) profile, use the crypto ikev2 profile command in global configuration mode. To delete the profile, use the no form of this command.

crypto ikev2 profile profile-name

no crypto ikev2 profile profile-name dynamic

Syntax Description

profile-name

The name of the IKEv2 profile.

Command Default

There is no default IKEv2 profile. However, there are default values for some commands under the profile, such as lifetime.

Command Modes


Global configuration (config)

Command History

Release

Modification

15.1(1)T

This command was introduced.

Cisco IOS XE Release 3.3S

This command was integrated into Cisco IOS XE Release 3.3S.

15.2(4)S

This command was integrated into Cisco IOS Release 15.2(4)S.

17.2.1

The dynamic keyword was introduced.

Usage Guidelines

Use this command to define an IKEv2 profile. An IKEv2 profile is a repository of the nonnegotiable parameters of the IKE security associations (SAs) (such as local/remote identities and authentication methods) and the services that will be available to the authenticated peers that match the profile. The following are the characteristics of an IKEv2 profile:

  • It must be attached to either a crypto map or an IPsec profile on the IKEv2 initiator and responder.

  • It must contain a match identity or match certificate statement; otherwise the profile is considered incomplete and is unused.

  • The statements match VRF, local or remote authentication methods are optional.

The table below describes the differences between IKEv1 and IKEv2 profiles.

Table 1. Differences between IKEv1 and IKEv2 Profiles

IKEv1

IKEv2

The authentication method is a negotiable parameter and must be specified in the ISAKMP policy.

The authentication method is not a negotiable parameter, can be asymmetric, and must be specified in the profile.

Multiple keyrings can be specified in the profile.

A single keyring can be specified in the profile and is optional also.

The IKEv2 profile applied on the crypto interface must be the same as IKEv2 profile that matches the peer identity received in the IKE_AUTH exchange.

Examples

The following examples show an IKEv2 profile matched on a remote identity and an IKEv2 profile catering to two peers using different authentication method.

Examples

The following profile caters to peers that identify using fqdn example.com and authenticate with rsa-signature using trustpoint-remote. The local node authenticates with pre-share using keyring-1.


Router(config)# crypto ikev2 profile profile2
Router(config-ikev2-profile)# match identity remote fqdn example.com
Router(config-ikev2-profile)# identity local email router2@example.com
Router(config-ikev2-profile)# authentication local pre-share
Router(config-ikev2-profile)# authentication remote rsa-sig
Router(config-ikev2-profile)# keyring keyring-1
Router(config-ikev2-profile)# pki trustpoint trustpoint-remote verify
Router(config-ikev2-profile)# lifetime 300
Router(config-ikev2-profile)# dpd 5 10 on-demand
Router(config-ikev2-profile)# virtual-template 1

Examples

The following profile caters to two peers: user1@example.com that authenticate with pre-share using keyring-1, and user2@example.com authenticates with rsa-signature using trustpoint-remote. However, the local peer authenticates the remote peers with rsa-signature using trustpoint-local.


Router(config)# crypto ikev2 profile profile2
Router(config-ikev2-profile)# match identity remote email user1@example.com
Router(config-ikev2-profile)# match identity remote email user2@example.com
Router(config-ikev2-profile)# identity local email router2@abc.com
Router(config-ikev2-profile)# authentication local rsa-sig
Router(config-ikev2-profile)# authentication remote pre-share 
Router(config-ikev2-profile)# authentication remote rsa-sig
Router(config-ikev2-profile)# keyring keyring-1
Router(config-ikev2-profile)# pki trustpoint trustpoint-local sign
Router(config-ikev2-profile)# pki trustpoint trustpoint-remote verify
Router(config-ikev2-profile)# lifetime 300
Router(config-ikev2-profile)# dpd 5 10 on-demand
Router(config-ikev2-profile)# virtual-template 1

Examples

The following example shows how to configure the remote access server using the remote EAP authentication method with an external EAP server:


aaa new-model
aaa authentication login aaa-eap-list default group radius
!  
crypto ikev2 profile profile2
 authentication remote eap
 aaa authentication eap aaa-eap-list 

Examples

The following example shows how to configure the remote access server with local and external EAP server using the remote EAP authentication method:


aaa new-model
aaa authentication login aaa-eap-list default group radius
aaa authentication login aaa-eap-local-list default group tacacs
!  
crypto ikev2 profile profile2    
 authentication remote eap
 authentication remote eap-local
 aaa authentication eap aaa-eap-list
 aaa authentication eap-local aaa-eap-local-list

Examples

This example shows how to configure the AAA authorization for a local group policy:


aaa new-model
aaa authorization network aaa-group-list default local
!
 crypto ikev2 client configuration group cisco
  pool addr-pool1
  dns 198.51.100.1 198.51.100.100
  wins 203.0.113.1 203.0.113.115
 !
 crypto ikev2 profile profile1
  authentication remote eap
  aaa authorization group aaa-group-list abc

The aaa-group-list specifies that the group authorization is local and that the AAA username is abc. The authorization list name corresponds to the group policy defined in the crypto ikev2 client configuration group command.

Examples

This example shows how to configure an external AAA-based group policy. The aaa-group-list specifies that the group authorization is RADIUS based. The name mangler derives the group name from the domain part of ID-FQDN, which is abc.


 aaa new-model
 aaa authorization network aaa-group-list default group radius         
 !
 crypto ikev2 name-mangler mangler1
  fqdn domain
  !
 crypto ikev2 profile profile1
  identity remote fqdn host1.abc
  authentication remote eap
  aaa authorization group aaa-group-list name-mangler mangler1

Examples

This example shows how to configure an external AAA-based group policy. The aaa-user-list specifies that the user authorization is RADIUS based. The name mangler derives the username from the hostname part of ID-FQDN, which is host1.


aaa new-model
aaa authorization network aaa-user-list default group radius
!
crypto ikev2 name-mangler mangler2
 fqdn hostname
!
crypto ikev2 profile profile1
 match identity remote fqdn host1.abc 
  authentication remote eap
 aaa authorization user aaa-user-list name-mangler mangler2

crypto ikev2 proposal

To configure an Internet Key Exchange Version 2 (IKEv2) proposal, use the crypto ikev2 proposal command in global configuration mode. To delete an IKEv2 proposal, use the no form of this command. To return the proposal to its default value, use the default form of this command.

crypto ikev2 proposal name

no crypto ikev2 proposal name