isakmp
Negotiate IPSec security associations and enable IPSec secure communications.
[no] isakmp client configuration address-pool local pool-name [interface-name] [no] isakmp enable interface-name [no] isakmp identity address | hostname isakmp keepalive seconds [retry seconds] [no] isakmp key keystring address peer-address [netmask mask] [no-xauth] [no-config-mode] [no] isakmp peer fqdn fqdn no-xauth no-config-mode isakmp policy priority authentication pre-share | rsa-sig [no] isakmp policy priority encryption des | 3des [no] isakmp policy priority group1 | 2 [no] isakmp policy priority hash md5 | sha isakmp policy priority lifetime seconds show isakmp policy show isakmp sa clear [crypto] isakmp sa clear isakmp
Syntax
pool-name Specify the name of a local address pool to allocate the dynamic client IP. interface-name The name of the interface on which to enable ISAKMP negotiation. peer-address Specify the IP address of the IPSec peer. peer-hostname Specify the host name of the IPSec peer. key keystring Specify the authentication pre-share key. Use any combination of alphanumeric characters up to 128 bytes. This pre-shared key must be identical at both peers. address peer-address Specify the IPSec peer's IP address for the pre-share key. netmask mask (Optional) The netmask of 0.0.0.0. can be entered as a wildcard indicating the key could be used for any peer that does not have a key associated with its specific IP address. no-xauth This is only to be used if you enabled the Xauth feature, and you have an IPSec peer that is a gateway. This option associates a given pre-share key with a gateway and allows an exception to the Xauth feature enabled by the crypto map client authentication command. no-config-mode This is only to be used if you enabled the IKE Mode Config feature, and you have an IPSec peer that is a gateway. This option associates a given pre-share key with a gateway and allows an exception to the IKE Mode Configuration feature enabled by the crypto map client configuration address command. fqdn fqdn The fully qualified domain name of the peer. This is used to identify a peer that is a security gateway. policy priority Uniquely identifies the IKE policy and assigns a priority to the policy. Use an integer from 1 to 65,534, with 1 being the highest priority and 65,534 the lowest. authentication pre-share Specify pre-shared keys as the authentication method. authentication rsa-sig Specify RSA signatures as the authentication method. RSA signatures provide non-repudiation for the IKE negotiation. This basically means you can prove to a third party whether you had an IKE negotiation with the peer.
encryption des Specify 56-bit DES-CBC as the encryption algorithm to be used in the IKE policy. encryption 3des Specify that the Triple DES encryption algorithm is to be used in the IKE policy. group 1 Specify that the 768-bit Diffie-Hellman group is to be used in the IKE policy. This is the default value. group 2 Specify that the 1024-bit Diffie-Hellman group is to be used in the IKE policy. hash md5 Specify MD5 (HMAC variant) as the hash algorithm to be used in the IKE policy. hash sha Specify SHA-1 (HMAC variant) as the hash algorithm to be used in the IKE policy. This is the default hash algorithm. lifetime seconds Specify how many seconds each security association should exist before expiring. Use an integer from 60 to 86,400 seconds (one day).
isakmp client configuration address-pool local
Configure an IP address local pool to reference IKE. Before executing, run ip local pool to define a pool of local addresses to be assigned to a remote IPSec peer.
isakmp client configuration address-pool local poolname outsideTo restore the default value:
no crypto isakmp client configuration address-pool local
isakmp enable
Enable ISAKMP negotiation on the interface on which the IPSec peer will communicate with the firewall. ISAKMP is enabled by default.
To disable IKE on the inside interface:
no isakmp enable inside
isakmp identity address | hostname
Define the ISAKMP identity the firewall uses when participating in the IKE protocol.
When two peers use IKE to establish IPSec security associations, each peer sends its ISAKMP identity to the remote peer. It will send either its IP address or host name depending on how each has its ISAKMP identity set. By default, the firewall unit's ISAKMP identity is set to the IP address. As a general rule, set the firewall and its peer's identities in the same way to avoid an IKE negotiation failure. This failure could be due to either the firewall or its peer not recognizing its peer's identity.
If you are using RSA signatures as the authentication method in the IKE policies, we recommend that you set each participating peer's identity to hostname. Otherwise, the ISAKMP security association to be established during Phase 1 of IKE may fail.
The following example uses pre-share keys between the two firewall units (firewall 1 and firewall 2) that are peers, and sets both their ISAKMP identities to host name.
At the firewall 1, the ISAKMP identity is set to hostname:
isakmp identity hostnameAt the firewall 2, the ISAKMP identity is set to hostname:
isakmp identity hostnameUse no isakmp identity address | hostname to reset the ISAKMP identity to the default value of IP address.
isakmp keepalive seconds [retry seconds]
The keepalive interval can be between 10 and 3600 seconds. The retry interval can be between 2 and 10 seconds, with the default being 2 seconds. The retry interval is the interval between retries after a keepalive response has not been received. You can specify the keepalive interval without specifying the retry interval, but cannot specify the retry interval without specifying the keepalive interval.
isakmp key address
Configure a pre-share authentication key and associate the key with an IPSec peer address or host name.
You would configure the pre-shared key at both peers whenever you specify pre-shared key in an IKE policy. Otherwise, the policy cannot be used because it will not be submitted for matching by the IKE process.
A netmask of 0.0.0.0. can be entered as a wildcard indicating that any IPSec peer with a given valid pre-shared key is a valid peer.
The firewall or any IPSec peer can use the same authentication key with multiple peers, but this is not as secure as using a unique authentication key between each pair of peers.
To configure a pre-shared key associated with a given security gateway to be distinct from a wildcard, pre-shared key (pre-shared key plus a netmask of 0.0.0.0) used to identify and authenticate the remote VPN clients.
The no-xauth or no-config-mode command options are to be used only if the following criteria are met:
- You are using the pre-shared key authentication method within the IKE policy.
- The security gateway and VPN client peers terminate on the same interface.
- The Xauth or IKE Mode Configuration feature is enabled for VPN client peers.
The isakmp key keystring address ip-address [no-xauth] [no-config-mode] command allows you to configure a pre-shared authentication key, associate the key with a given security gateway's address, and make an exception to the enabled Xauth feature, IKE Mode Configuration feature, or both (the most common case) for this peer.
Both the Xauth and IKE Mode Configuration features are specifically designed for remote VPN clients. The Xauth feature allows the firewall to challenge the peer for a username and password during IKE negotiation. The IKE Mode Configuration enables the firewall to download an IP address to the peer for dynamic IP address assignment. Most security gateways do not support the Xauth and IKE Mode Configuration features.
If you have the no-xauth command option configured, the firewall will not challenge the peer for a username and password. Similarly, if you have the no-config-mode command option configured, the firewall will not attempt to download an IP address to the peer for dynamic IP address assignment.
Use no key keystring address ip-address [no-xauth] [no-config-mode] to disable the key keystring address ip-address [no-xauth] [no-config-mode] command that you previously enabled.
See the crypto map client authentication command for more information about the Xauth feature. See the crypto map client configuration address for more information about the IKE Mode Config feature.
The following example shows "sharedkeystring" as the authentication key to share between the firewall and its peer specified by an IP address of 10.1.0.0:
isakmp key sharedkeystring address 10.1.0.0The following example shows use of a wildcard, pre-share key. The "sharedkeystring" is the authentication key to share between the firewall and its peer (in this case a VPN client) specified by an IP address of 0.0.0.0. and a netmask of 0.0.0.0.
isakmp key sharedkeystring address 0.0.0.0 netmask 0.0.0.0The following example shows use of the command options no-xauth and no-config-mode in relation to three firewall peers that are security gateways. These security gateways terminate IPSec on the same interface as the VPN clients. Both the Xauth and IKE Mode Configuration features are enabled. This means there is a need to make an exception to these two features for each security gateway. The example shows each security gateway peer has a unique pre-share key to share with the firewall. The peers' IP addresses are 10.1.1.1, 10.1.1.2, 10.1.1.3, and the netmask of 255.255.255.255 is specified.
Use no isakmp key address to delete a pre-shared authentication key and its associated IPSec peer address.isakmp key secretkey1234 address 10.1.1.1 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key secretkey4567 address 10.1.1.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key secretkey7890 address 10.1.1.3 netmask 255.255.255.255 no-xauth no-config-mode
isakmp peer fqdn no-xauth | no-config-mode
Use only if the following criteria are met:
- You are using RSA signatures authentication within the IKE policy.
- The security gateway and VPN client peers terminate on the same interface.
- The Xauth or IKE Mode Configuration feature is enabled for VPN client peers.
The isakmp peer fqdn fqdn no-xauth | no-config-mode command allows you identify a peer that is a security gateway and make an exception to the enabled Xauth feature, IKE Mode Configuration feature, or both (the most common case) for this peer.
Both the Xauth and IKE Mode Configuration features are specifically designed for remote VPN clients. The Xauth feature allows the firewall to challenge the peer for a username and password during IKE negotiation. The IKE Mode Configuration feature enables the firewall to download an IP address to the peer for dynamic IP address assignment. Most security gateways do not support the Xauth and IKE Mode Configuration features.
If you have the no-xauth command option configured, the firewall will not challenge the peer for a username and password. Similarly, if you have the no-config-mode command option configured, the firewall will not attempt to download an IP address to the peer for dynamic IP address assignment.
If you are using RSA signatures as the authentication method in the IKE policies, we recommend that you set each participating peer's identity to hostname using the isakmp identity hostname command. Otherwise, the ISAKMP security association to be established during Phase 1 of IKE may fail.
Use no isakmp peer fqdn fqdn no-xauth | no-config-mode to disable the isakmp peer fqdn fqdn no-xauth | no-config-mode command that you previously enabled.
See the crypto map client authentication command for more information about the Xauth feature. See the crypto map client configuration address command for more information about the IKE Mode Config feature.
The following example shows use of the command options no-xauth and no-config-mode in relation to three firewall peers that are security gateways. These security gateways terminate IPSec on the same interface as the VPN clients. Both the Xauth and IKE Mode Config features are enabled. This means there is a need to make an exception to these two features for each security gateway. Each security gateway peer's fully qualified domain name is specified.
isakmp peer fqdn hostname1.example.com no-xauth no-config-mode
isakmp peer fqdn hostname2.example.com no-xauth no-config-mode
isakmp peer fqdn hostname3.example.com no-xauth no-config-mode
isakmp policy authentication
Specify the authentication method within an IKE policy. IKE policies define a set of parameters to be used during IKE negotiation.
If you specify RSA signatures, configure the firewall and its peer to obtain certificates from a CA. If you specify pre-share keys, separately configure these pre-shared keys within the firewall and its peer.
Use no isakmp policy authentication to reset the authentication method to the default value of RSA signatures.
The following example shows use of the isakmp policy authentication command. This example sets the authentication method of rsa-signatures to be used within the IKE policy with the priority number of 40.
isakmp policy 40 authentication rsa-sig
isakmp policy encryption
To specify the encryption algorithm within an IKE policy, use the isakmp policy encryption command. IKE policies define a set of parameters to be used during IKE negotiation.
DES and 3DES are the two encryption algorithm options available.
Use no isakmp policy encryption to reset the encryption algorithm to the default value, which is des.
The following example shows use of the isakmp policy encryption command. This example sets the 3DES algorithm to be used within the IKE policy with the priority number of 40.
isakmp policy 40 encryption 3des
isakmp policy group
Specify the Diffie-Hellman group to be used in an IKE policy. IKE policies define a set of parameters to be used during IKE negotiation.
There are two group options: 768-bit or 1024-bit. The 1024-bit Diffie Hellman provides stronger security, but it requires more CPU time to execute.
Use the no isakmp policy group to reset the Diffie-Hellman group identifier to the default value of group 1, 768-bit Diffie Hellman.
The following example shows use of the isakmp policy group command. This example sets group 2, the 1024-bit Diffie Hellman, to be used within the IKE policy with the priority number of 40.
isakmp policy 40 group2
isakmp policy hash
Specify the hash algorithm to be used in an IKE policy. IKE policies define a set of parameters to be used during IKE negotiation.
There are two hash algorithm options: SHA-1 and MD5. MD5 has a smaller digest and is considered to be slightly faster than SHA-1.
To reset the hash algorithm to the default value of SHA-1, use no isakmp policy hash .
The following example shows use of the isakmp policy hash command. This example sets the MD5 hash algorithm to be used within the IKE policy with the priority number of 40.
isakmp policy 40 hash md5
isakmp policy lifetime
Specify the lifetime of an IKE security association before it expires
When IKE begins negotiations, it looks to agree upon the security parameters for its own session. The agreed-upon parameters are then referenced by a security association at each peer. The security association is retained by each peer until the security association's lifetime expires. Before a security association expires, it can be reused by subsequent IKE negotiations, which can save time when setting up new IPSec security associations. New security associations are negotiated before current security associations expire.
To save setup time for IPSec, configure a longer IKE security association lifetime. However, the shorter the lifetime (up to a point), the more secure the IKE negotiation is likely to be.
When firewall initiates an IKE negotiation between itself and an IPSec peer, an IKE policy can be selected only if the lifetime of the peer's policy is shorter than or equal to the lifetime of its policy. Then, if the lifetimes are not equal, the shorter lifetime will be selected. The following example shows use of the isakmp policy lifetime command. This example sets the lifetime of the IKE security association to 50,400 seconds (14 hours) within the IKE policy with the priority number of 40.
isakmp policy 40 lifetime 50400Use the no isakmp policy lifetime to reset the security association lifetime to the default value of 86,400 seconds (one day).
show isakmp policy
View the parameters for each IKE policy including the default parameters
The following is sample output from the show isakmp policy command after two IKE policies were configured (with priorities 70 and 90 respectively):
show isakmp policy Protection suite priority 70 encryption algorithm:DES - Data Encryption Standard (56 bit keys) hash algorithm: Message Digest 5 authentication method:Rivest-Shamir-Adleman Signature Diffie-Hellman group:#2 (1024 bit) lifetime:5000 seconds, no volume limit Protection suite priority 90 encryption algorithm:DES - Data Encryption Standard (56 bit keys) hash algorithm: Secure Hash Standard authentication method:Pre-Shared Key Diffie-Hellman group:#1 (768 bit) lifetime:10000 seconds, no volume limit Default protection suite encryption algorithm:DES - Data Encryption Standard (56 bit keys) hash algorithm: Secure Hash Standard authentication method:Rivest-Shamir-Adleman Signature Diffie-Hellman group:#1 (768 bit) lifetime:86400 seconds, no volume limitAlthough the output shows "no volume limit" for the lifetimes, you can currently only configure a time lifetime (such as 86,400 seconds); volume limit lifetimes are not currently configurable.
show isakmp sa
View all current IKE security associations between the firewall and its peer.
The following is sample output from the show isakmp sa command after IKE negotiations were successfully completed between the firewall and its peer:
show isakmp sa dst src state pending created 16.132.40.2 16.132.30.2 QM_IDLE 0 1
clear isakmp
Remove all isakmp command statements from the configuration.
clear [crypto] isakmp sa
The clear [crypto] isakmp sa command deletes active IKE security associations. The keyword crypto is optional.