end
Exits the current configuration mode and returns to the Exec mode.
Product
All
Privilege
Security Administrator, Administrator
Syntax
end
Usage Guidelines
Use this command to return to the Exec mode.
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
Modification(s) to an existing IKEv1 crypto map configuration will not take effect until the related security association has been cleared. Refer to the description of the clear crypto security-association command in the Exec Mode Commands chapter for more information.
The Crypto Map IPSec IKEv1 Configuration Mode is used to configure properties for IPSec tunnels that will be created using the Internet Key Exchange (IKE) that operates within the framework of the Internet Key Exchange version 1 (IKEv1).
Exec > Global Configuration > Context Configuration > Crypto Map IPSec IKEv1 Configuration
configure > context context_name > crypto map policy_name ipsec-ikev1
Entering the above command sequence results in the following prompt:
[context_name]host_name(config-crypto-map)#
Important |
The commands or keywords/variables that are available are dependent on platform type, product version, and installed license(s). |
Exits the current configuration mode and returns to the Exec mode.
All
Security Administrator, Administrator
end
Use this command to return to the Exec mode.
Exits the current mode and returns to the parent configuration mode.
All
Security Administrator, Administrator
exit
Use this command to return to the parent configuration mode.
Enable spawning of IPSec manager for this Crypto map on Demux Card.
IPSec (IKEv1/IKEv2 ACL Mode)
Security Administrator
Exec > Global Configuration > Context Configuration > Crypto Map IPSec IKEv1 Configuration
configure > context context_name > crypto map policy_name ipsec-ikev1
Entering the above command sequence results in the following prompt:
[context_name]host_name(config-crypto-map)#
[ no ] ipsec-on-demux
Disables the spawning of IPSec manager for Crypto map on Demux Card.
Enables the spawning of IPSec manager for this Crypto map on Demux Card.
Important |
If the configuration is removed using no option, then this Crypto map must be removed and added again for this configuration to work. |
ipsec-on-demux
Matches or associates the crypto map to an access control list (ACL) configured in the same context.
Important |
HNBGW is not supported from Release 20 and later, and HeNBGW is not supported in Releases 20, 21.0 and 21.1. This command must not be used for HNBGW and HeNBGW in these releases. For more information, contact your Cisco account representative. |
ePDG
FA
GGSN
HA
HeNBGW
HNBGW
HSGW
MME
P-GW
PDSN
S-GW
SAEGW
SCM
SecGW
SGSN
Security Administrator
Exec > Global Configuration > Context Configuration > Crypto Map IPSec IKEv1 Configuration
configure > context context_name > crypto map policy_name ipsec-ikev1
Entering the above command sequence results in the following prompt:
[context_name]host_name(config-crypto-map)#
[ no ] match address acl_name priority
Removes a previously matched ACL.
Specifies the name of the ACL with which the crypto map is to be matched as an alphanumeric string of 1 through 79 characters that is case sensitive.
Specifies the preference of the ACL. The ACL preference is factored when a single packet matches the criteria of more than one ACL.
The preference is an integer value from 0 to 4294967295; 0 is the highest priority. Default: 0
Important |
The priorities are only compared for ACLs matched to other crypto maps or to policy ACLs (those applied to the entire context). |
ACLs matched to crypto maps are referred to as crypto ACLs. Crypto ACLs define the criteria that must be met in order for a subscriber data packet to routed over an IPSec tunnel.
Prior to routing, the system examines the properties of each subscriber data packet. If the packet properties match the criteria specified in the crypto ACL, the system will initiate the IPSec policy dictated by the crypto map.
match address ACLlist1 0
Matches or associates the crypto map a crypto group configured in the same context.
Important |
HNBGW is not supported from Release 20 and later, and HeNBGW is not supported in Releases 20, 21.0 and 21.1. This command must not be used for HNBGW and HeNBGW in these releases. For more information, contact your Cisco account representative. |
ePDG
FA
GGSN
HA
HeNBGW
HNBGW
HSGW
MME
P-GW
PDSN
S-GW
SAEGW
SCM
SecGW
SGSN
Security Administrator
Exec > Global Configuration > Context Configuration > Crypto Map IPSec IKEv1 Configuration
configure > context context_name > crypto map policy_name ipsec-ikev1
Entering the above command sequence results in the following prompt:
[context_name]host_name(config-crypto-map)#
[ no ] match crypto group group_name { primary | secondary }
Deletes a previously configured crypto group association.
Specifies the name of the crypto group entered as an alphanumeric string of 1 through 127 characters that is case sensitive.
Specifies that the policies configured as part of this crypto map will be used for the primary tunnel in the Redundant IPSec Tunnel Failover feature.
Specifies that the policies configured as part of this crypto map will be used for the secondary tunnel in the Redundant IPSec Tunnel Failover feature.
Use this command to dictate the primary and secondary tunnel policies used for the Redundant IPSec Tunnel Failover feature.
At least two policies must be configured to use this feature. One policy must be configured as the primary, the other as the secondary.
match crypto group group1 primary
Matches the specified IP pool to the current IKEv1 crypto map. This command can be used multiple times to change more than one IP pool.
Important |
HNBGW is not supported from Release 20 and later, and HeNBGW is not supported in Releases 20, 21.0 and 21.1. This command must not be used for HNBGW and HeNBGW in these releases. For more information, contact your Cisco account representative. |
Important |
The match ip pool command is not supported on the ASR 5500 platform. |
ePDG
FA
GGSN
HA
HeNBGW
HNBGW
HSGW
MME
P-GW
PDSN
S-GW
SAEGW
SCM
SecGW
SGSN
Security Administrator
Exec > Global Configuration > Context Configuration > Crypto Map IPSec IKEv1 Configuration
configure > context context_name > crypto map policy_name ipsec-ikev1
Entering the above command sequence results in the following prompt:
[context_name]host_name(config-crypto-map)#
[ no ] match ip pool pool-name pool_name [ destination-network ip_address [ / mask ]
Delete the matching statement for the specified IP pool from the crypto map.
Specifies the name of an existing IP poolthat should be matched as an alphanumeric string of 1 through 31 characters.
Specifies the IP address of the destination network in IPv4 dotted-decimal or IPV6 colon-separated-hexadecimal notation.
/mask specifies the subnet mask bits (representing the subnet mask). This variable must be entered in IPv4 dotted-decimal or !Pv6 colon-separated-hexadecimal CIDR notation.
An IP pool attached to the crypto map can have multiple IPSec tunnels according to the destination of the packet being forwarded to internet.
Important |
Each invocation of this command will add another destination network to the IP pool, with a maximum of eight destination networks per crypto map. |
Use this command to set the names of IP pools that should be matched in the current crypto map.
Important |
If an IP address pool that is matched to a IKEv1 crypto map is resized, removed, or added, the corresponding security association must be cleared in order for the change to take effect. Refer to the clear crypto command in the Exec mode for information on clearing security associations. |
match ip pool pool-name ippool1
Configures parameters for the dynamic crypto map.
Important |
HNBGW is not supported from Release 20 and later, and HeNBGW is not supported in Releases 20, 21.0 and 21.1. This command must not be used for HNBGW and HeNBGW in these releases. For more information, contact your Cisco account representative. |
ePDG
FA
GGSN
HA
HeNBGW
HNBGW
HSGW
MME
P-GW
PDSN
S-GW
SAEGW
SCM
SecGW
SGSN
Security Administrator
Exec > Global Configuration > Context Configuration > Crypto Map IPSec IKEv1 Configuration
configure > context context_name > crypto map policy_name ipsec-ikev1
Entering the above command sequence results in the following prompt:
[context_name]host_name(config-crypto-map)#
set { bgp peer_address | control-dont-fragment { clear-bit | copy-bit | set-bit } | ikev1 natt [ keepalive sec ] | ip mtu bytes | ipv6 mtu bytes | mode { aggressive | main } | peer peer_address | pfs { group1 | group2 | group5 } | phase1-idtype { id-key-id | ipv4-address [ mode { aggressive | main } ] | phase2-idtype { ipv4-address | ipv4-address-subnet } | security-association lifetime { disable-phase2-rekey | keepalive | kilo-bytes kbytes | seconds secs } transform-set transform_name [ transform-set transform_name2 ... transform-set transform_name6 ]
no set { ikev1 natt | pfs | phase1-idtype | phase2-idtype | security-association lifetime { disable-phase2-rekey | keepalive | kilo-bytes | seconds } | transform-set transform_name [ transform-set transform_name2 ... transform-set transform_name6 ]
Specifies the IP address of the BGP peer in IPv4 dotted-decimal or IPv6 colon-separated-hexadecimal notation.
clear-bit : Clears the DF bit from the outer IP header (sets it to 0).
copy-bit : Copies the DF bit from the inner IP header to the outer IP header. This is the default action.
set-bit : Sets the DF bit in the outer IP header (sets it to 1).
Important |
NAT Traversal (NATT) for IKEv1 IPSec session is not supported. |
Specifies IKE parameters.
natt : Enables IPSec NAT Traversal.
keepalive time : The time to keep the NAT connection alive in seconds. time must be an integer of from 1 through 3600.
Specifies the IPv4 Maximum Transmission Unit (MTU) in bytes as an integer from 576 to 2048.
Specifies the IPv6 Maximum Transmission Unit (MTU) in bytes as an integer from 576 to 2048.
Configures the IKE negotiation mode as AGRESSIVE or MAIN.
Specifies the peer IP address of a remote gateway in IPv4 dotted-decimal or IPv6 colon-separated-hexadecimal notation.
group1 : Diffie-Hellman Group1 (768-bit modp)
group2 : Diffie-Hellman Group2 (1024-bit modp)
group5 : Diffie-Hellman Group5 (1536-bit modp)
Sets the IKE negotiations Phase 1 payload identifier. Default: id-key-id
id-key-id: ID KEY ID
mode : Configures IKE mode
aggressive : IKE negotiation mode: AGGRESSIVE
main : IKE negotiation mode: MAIN
Sets the IKE negotiations Phase 2 payload identifier.
ipv4-address : Use IPV4_ADDR as the Phase 2 payload identifier.
ipv4-address-subnet : Use IPV4_ADDR_SUBNET as the Phase 2 payload identifier.
disable-phase2-rekey : Rekeying is enabled by default
keepalive : Disabled
kilo-bytes : 4608000 kbytes
seconds : 28800 seconds
disable-phase2-rekey : If this keyword is specified, the Phase2 SA is not rekeyed when the lifetime expires.
keepalive : The SA lifetime expires only when a keepalive message is not responded to by the far end.
kilo-bytes : This specifies the amount of data (n kilobytes) to allow through the tunnel before the SA lifetime expires. kbytes must be an integer from 2560 through 4294967294.
seconds : The number of seconds to wait before the SA lifetime expires. secs must be an integer from 1200 through 86400.
Important |
If the dynamic crypto map is being used in conjunction with Mobile IP and the Mobile IP renewal timer is less than the crypto map's SA lifetime (either in terms of kilobytes or seconds), then the keepalive parameter must be configured. |
Specifies the name of a transform set configured in the same context that will be associated with the crypto map. Refer to the command crypto ipsec transform-set for information on creating transform sets.
You can repeat this keyword up to 6 times on the command line to specify multiple transform sets.
transform_name is the name of the transform set entered as an alphanumeric string of 1 through 127 characters that is case sensitive.
Deletes the specified parameter or resets the specified parameter to the default value.
Use this command to set parameters for a dynamic crypto map.
set pfs group1
set security-association lifetime kilo-bytes 50000
set security-association lifetime seconds 10000
set security-association lifetime keepalive
set transform-set tset1 transform-set tset2