K Commands

keepalive

To configure the message keepalive interval for the IKE protocol, use the keepalive command in IKE configuration submode. To revert to the default, use the no form of the command.

keepalive seconds

no keepalive seconds

Syntax Description

seconds

Specifies the number of seconds for the keepalive interval. The range is 120 to 86400.

Command Default

3600 seconds or 1 hour.

Command Modes


IKE configuration submode.

Command History

Release

Modification

2.0(x)

This command was introduced.

Usage Guidelines

The keepalive interface only applies to IKE version 2 tunnels.

To use this command, the IKE protocol must be enabled using the crypto ike enable command.

Examples

The following example shows how to configure the keepalive interval:


switch# config terminal
switch(config)# crypto ike domain ipsec
switch(config-ike-ipsec)# keepalive 7200

key

To configure the preshared key for the IKE protocol, use the key command in IKE configuration submode. To revert to the default, use the no form of the command.

key key-id { address ip-address | hostname name }

no key key-id { address ip-address | hostname name }

Syntax Description

key-id

Specifies the ID for the preshared key. The maximum length is 128 characters.

address ip-address

Specifies the peer IP address. The format is A . B . C . D .

hostname name

Specifies the peer host name. The maximum length is 128 characters.

Command Default

None.

Command Modes


IKE configuration submode.

Command History

Release

Modification

2.0(x)

This command was introduced.

3.0(1)

Added the hostname keyword.

Usage Guidelines

To use this command, the IKE protocol must be enabled using the crypto ike enable command.


Note

The key command supports only the IPv4 format for IP address.

Examples

The following example shows how to configure the key:


switch# config terminal
switch(config)# crypto ike domain ipsec
switch(config-ike-ipsec)# key ctct address 209.165.200.226
         

The following example shows how to delete the configured key:


switch(config-ike-ipsec)# no key ctct address 209.165.200.226
         

The following example shows how to set the preshared key for the specified peer:


switch(config-ike-ipsec)# key sample hostname node1
         

The following example shows how to delete the preshared key for the specified peer:


switch(config-ike-ipsec)# no key sample hostname node1
         

key (sa configuration submode)

To configure the key for the current Security Association[SA], use the key command. To delete the key from the current SA, use the no form of the command.

key key

no key key

Syntax Description

key

Specifies the key for encryption as a 16-byte hexadecimal string. The maximum size of the string is 34.

Command Default

None.

Command Modes


Configuration submode.

Command History

Release

Modification

NX-OS 4.2(1)

This command was introduced.

Usage Guidelines

None.

Examples

The following example shows how to configure the key for the current SA:


 switch# config t
switch(config)# fcsp esp sa 257
This is a Early Field Trial (EFT) feature.  Please do not use this in a producti
on environment. Continue Y/N ? [no] y
switch(config-sa)# key 0x1234
switch(config-sa)#

key-ontape

To configure keys on the tape mode and store the encrypted security keys on the backup tapes, use the key-ontape command. To disable this feature, use the no form of the command.

key-ontape

no key-ontape

Syntax Description

This command has no arguments or keywords.

Command Default

Disabled.

Command Modes


Cisco SME cluster configuration submode.

Command History

Release

Modification

3.2(2)

This command was introduced.

Usage Guidelines

This command allows the encrypted security keys to be stored on the backup tapes.


Note

This feature is supported only for unique keys.

Before using this command, automatic volume grouping should be disabled by using the auto-volgrp command.

Examples

The following example enables the key-ontape feature:


switch# config terminal
switch(config)# sme cluster clustername1
switch(config-sme-cl)# key-ontape

The following example disables the key-ontape feature:


switch# config terminal
switch(config)# sme cluster clustername1
switch(config-sme0-cl)# no key-ontape