Firewall commands - crypto ipsec


Create, view, or delete IPSec security associations, security association global lifetime values, and global transform set. (Configuration mode.)

[no] crypto ipsec security-association lifetime seconds seconds | Kb Kb

show crypto ipsec security-association lifetime

[no] crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]

show crypto ipsec transform-set [tag transform-set-name]

crypto ipsec transform-set transform-set-name mode transport

clear [crypto] ipsec sa

clear [crypto] ipsec sa counters

clear [crypto] ipsec sa entry destination-address protocol spi

clear [crypto] ipsec sa map map-name

clear [crypto] ipsec sa peer

show crypto ipsec sa [map map-name | address | identity] [detail]


Syntax Description

address (Optional) Show all of the existing security associations, sorted by the destination address (either the local address or the address of the remote IPSec peer) and then by protocol AH(or ESP).
destination-address Specify the IP address of the peer or the remote peer.
detail (Optional) Show detailed error counters. (The default is the high level send/receive error counters.)
identity (Optional) Show only the flow information. It does not show the security association information.
interface-name Specify the identifying interface (outside or external) to be used by the firewall to identify itself to remote peers.

If IKE is enabled, and you are using a certification authority (CA) to obtain certificates, this should be the interface with the address specified in the CA certificates.

ip-address Specify a remote peer's IP address.
ipsec-isakmp Indicate that IKE will be used to establish the IPSec security associations for protecting the traffic specified by this crypto map entry.
ipsec-manual Indicate that IKE will not be used to establish the IPSec security associations for protecting the traffic specified by this crypto map entry.
Kb Kb Specify the volume of traffic (in Kb) that can pass between IPSec peers using a given security association before that security association expires. The default is 4,608,000 Kb (10 megabytes per second for one hour).
map map-name The name of the crypto map set.
peer-name Specify a remote peer's name as the fully qualified domain name. For example, remotepeer.example.com.
protocol Specify either the AH or ESP protocol.
mode transport Specifies the transform set to accept transport mode requests in addition to the tunnel mode request.
seconds seconds Specify the number of seconds a security association will live before it expires. The default is 28,800 seconds (eight hours).
seq-num The number you assign to the crypto map entry.
spi Specify the security parameter index (SPI), a number that is used to uniquely identify a security association. The SPI is an arbitrary number you assign in the range of 256 to 4,294,967,295 (a hexidecimal value of FFFF FFFF).
tag transform-set-name (Optional) Show only the transform sets with the specified transform-set-name.
transform1
transform2
transform3
Specify up to three transforms. Transforms define the IPSec security protocol(s) and algorithm(s). Each transform represents an IPSec security protocol (ESP, AH, or both) plus the algorithm you want to use.
transform-set-name Specify the name of the transform set to create or modify.


crypto ipsec security-association lifetime

Used to change global lifetime values used when negotiating IPSec security associations. To reset a lifetime to the default value, use the no crypto ipsec security-association lifetime command. The show crypto ipsec security-association lifetime command allows you to view the security-association lifetime value configured for a particular crypto map entry.

The crypto ipsec security-association lifetime command is used to change global lifetime values used when negotiating IPSec security associations. To reset a lifetime to the default value, use the no crypto ipsec security-association lifetime command. The show crypto ipsec security-association lifetime command allows you to view the security-association lifetime value configured for a particular crypto map entry.

IPSec security associations use shared secret keys. These keys and their security associations time out together.

Assuming that the particular crypto map entry does not have lifetime values configured, when the firewall requests new security associations during security association negotiation, it will specify its global lifetime value in the request to the peer; it will use this value as the lifetime of the new security associations. When the firewall receives a negotiation request from the peer, it will use the smaller of the lifetime value proposed by the peer or the locally configured lifetime value as the lifetime of the new security associations.

There are two lifetimes: a "timed" lifetime and a "traffic-volume" lifetime. The secuBity association expires after the first of these lifetimes is reached.

If you change a global lifetime, the change is only applied when the crypto map entry does not have a lifetime value specified. The change will not be applied to existing security associations, but will be used in subsequent negotiations to establish new security associations. If you want the new settings to take effect sooner, you can clear all or part of the security association database by using the clear [crypto] ipsec sa command. See the clear [crypto] ipsec sa command for more information.

To change the global timed lifetime, use the crypto ipsec security-association lifetime seconds command. The timed lifetime causes the security association to time out after the specified number of seconds have passed.

To change the global traffic-volume lifetime, use the crypto ipsec security-association lifetime Kb command. The traffic-volume lifetime causes the security association to time out after the specified amount of traffic (in Kb) has been protected by the security associations' key.

Shorter lifetimes can make it harder to mount a successful key recovery attack, because the attacker has less data encrypted under the same key to work with. However, shorter lifetimes require more CPU processing time for establishing new security associations. The lifetime values are ignored for manually established security associations (security associations installed using an ipsec-manual crypto map command entry).

The security association (and corresponding keys) will expire according to whichever occurs sooner, either after the number of seconds has passed (specified by the seconds keyword) or after the amount of traffic in Kb has passed (specified by the Kb keyword).

A new security association is negotiated before the lifetime threshold of the existing security association is reached, to ensure that a new security association is ready for use when the old one expires. The new security association is negotiated either 30 seconds before the seconds lifetime expires or when the volume of traffic through the tunnel reaches 256 Kb less than the Kb lifetime (whichever occurs first).

If no traffic has passed through the tunnel during the entire life of the security association, a new security association is not negotiated when the lifetime expires. Instead, a new security association will be negotiated only when IPSec sees another packet that should be protected.

Examples

This example shortens both lifetimes, because the administrator feels there is a higher risk that the keys could be compromised. The timed lifetime is shortened to 2700 seconds (45 minutes), and the traffic-volume lifetime is shortened to 2,304,000 Kb (10 megabytes per second for one half hour).

crypto ipsec security-association lifetime seconds 2700
crypto ipsec security-association lifetime Kb 2304000

The following is sample output for the show crypto ipsec security-association lifetime command:

show crypto ipsec security-association lifetime
Security-association lifetime: 4608000 Kb/120 seconds

The following configuration was in effect when the preceding show crypto ipsec security-association lifetime command was issued:

crypto ipsec security-association lifetime seconds 120


crypto ipsec transform-set

The crypto ipsec transform-set command defines a transform set. To delete a transform set, use the no crypto ipsec transform-set command. To view the configured transform sets, use the show crypto ipsec transform-set command.

A transform set specifies one or two IPSec security protocols (either ESP or AH or both) and specifies which algorithms to use with the selected security protocol. During the IPSec security association negotiation, the peers agree to use a particular transform set when protecting a particular data flow.

You can configure multiple transform sets, and then specify one or more of these transform sets in a crypto map entry. The transform set defined in the crypto map entry is used in the IPSec security association negotiation to protect the data flows specified by that crypto map entry's access list. During the negotiation, the peers search for a transform set that is the same at both peers. When such a transform set is found, it is selected and is applied to the protected traffic as part of both peer's IPSec security associations.

When security associations are established manually, a single transform set must be used. The transform set is not negotiated.

Before a transform set can be included in a crypto map entry, it must be defined using the crypto ipsec transform-set command.

To define a transform set, you specify one to three "transforms"—each transform represents an IPSec security protocol (ESP or AH) plus the algorithm you want to use. When the particular transform set is used during negotiations for IPSec security associations, the entire transform set (the combination of protocols, algorithms, and other settings) must match a transform set at the remote peer.

In a transform set you could specify the AH protocol, the ESP protocol, or both. If you specify an ESP protocol in a transform set, you can specify just an ESP encryption transform or both an ESP encryption transform and an ESP authentication transform.

Examples of acceptable transform combinations are as follows:

  1. ah-md5-hmac
  2. esp-des
  3. esp-des and esp-md5-hmac
  4. ah-sha-hmac and esp-des and esp-sha-hmac

If one or more transforms are specified in the crypto ipsec transform-set command for an existing transform set, the specified transforms will replace the existing transforms for that transform set.

If you change a transform set definition, the change is only applied to crypto map entries that reference the transform set. The change will not be applied to existing security associations, but will be used in subsequent negotiations to establish new security associations. If you want the new settings to take effect sooner, you can clear all or part of the security association database by using clear [crypto] ipsec sa.

This example defines one transform set named("standard"), which will be used with an IPSec peer that supports the ESP protocol. Both an ESP encryption transform and an ESP authentication transform are specified in this example.

crypto ipsec transform-set standard esp-des esp-md5-hmac

The following is sample output for the show crypto ipsec transform-set command:

show crypto ipsec transform-set 

Transform set combined-des-sha: { esp-des esp-sha-hmac } 
   will negotiate = { Tunnel, }, 

Transform set combined-des-md5: { esp-des esp-md5-hmac } 
   will negotiate = { Tunnel, }, 

Transform set t1: { esp-des esp-md5-hmac } 
   will negotiate = { Tunnel, }, 

Transform set t100: { ah-sha-hmac } 
   will negotiate = { Tunnel, }, 

Transform set t2: { ah-sha-hmac } 
   will negotiate = { Tunnel, }, 
   { esp-des } 
   will negotiate = { Tunnel, },

The following configuration was in effect when the preceding show crypto ipsec transform-set command was issued:

crypto ipsec transform-set combined-des-sha esp-des esp-sha-hmac
crypto ipsec transform-set combined-des-md5 esp-des esp-md5-hmac
crypto ipsec transform-set t1 esp-des esp-md5-hmac
crypto ipsec transform-set t100 ah-sha-hmac
crypto ipsec transform-set t2 ah-sha-hmac esp-des

crypto ipsec transform-set transform-set-name mode transport

This command specifies IPSec transport mode for a transform set. The Windows 2000 L2TP/IPSec client uses IPSec transport mode, so transport mode must be selected on the transform set. The default is tunnel mode. For firewall version 6.0 and higher, L2TP is the only protocol that can use the IPSec transport mode. All other types of packets using IPSec transport mode will be discarded by the PIX Firewall. Use the no form of the command to reset the mode to the default value of tunnel mode.

A transport mode transform can only be used on a dynamic crypto map, and the firewall CLI will display an error if you attempt to tie a transport-mode transform to a static crypto map.


clear [crypto] ipsec sa

The clear [crypto] ipsec sa command allows you to delete IPSec security associations. The keyword crypto is optional. If the security associations were established via IKE, they are deleted and future IPSec traffic will require new security associations to be negotiated. When IKE is used, the IPSec security associations are established only when needed.

If the security associations are manually established the security associations are deleted.

If the peer, map, entry, or counters keywords are not used, all IPSec security associations will be deleted. This command clears (deletes) IPSec security associations.

If the security associations were established via IKE, they are deleted and future IPSec traffic will require new security associations to be negotiated. (When IKE is used, the IPSec security associations are established only when needed.)

If the security associations are manually established the security associations are deleted and reinstalled. (When IKE is not used, the IPSec security associations are created as soon as the configuration is completed.)

If the peer, map, entry, or counters keywords are not used, all IPSec security associations will be deleted.

The peer keyword deletes any IPSec security associations for the specified peer.

The map keyword deletes any IPSec security associations for the named crypto map set.

The entry keyword deletes the IPSec security association with the specified address, protocol, and SPI.

If any of the previous commands cause a particular security association to be deleted, all the "sibling" security associations—that were established during the same IKE negotiation—are deleted as well.

The counters keyword simply clears the traffic counters maintained for each security association; it does not clear the security associations themselves.

If you make configuration changes that affect security associations, these changes will not apply to existing security associations but to negotiations for subsequent security associations. You can use the clear [crypto] ipsec sa command to restart all security associations so they will use the most current configuration settings. In the case of manually established security associations, if you make changes that affect security associations use the clear [crypto] ipsec sa command before the changes take effect.

If you make significant changes to an IPSec configuration such as access-list or peers, the clear [crypto] ipsec sa command will not be enough to activate the new configuration. In such a case, rebind the crypto map to the interface with the crypto map interface command.

If the firewall is processing active IPSec traffic, we recommend that you only clear the portion of the security association database that is affected by the changes to avoid causing active IPSec traffic to temporarily fail.

The clear [crypto] ipsec sa command only clears IPSec security associations; to clear IKE security associations, use the clear [crypto] isakmp sa command.

The following example clears (and re initializes if appropriate) all IPSec security associations at the firewall:

clear crypto ipsec sa

The following example clears (and reinitializes if appropriate) the inbound and outbound IPSec security associations established along with the security association established for address 10.0.0.1 using the AH protocol with the SPI of 256:

clear crypto ipsec sa entry 10.0.0.1 AH 256


show crypto ipsec sa

The show crypto ipsec sa command allows you to view the settings used by current security associations. If no keyword is used, all security associations are displayed. They are sorted first by interface, and then by traffic flow (for example, source/destination address, mask, protocol, port). Within a flow, the security associations are listed by protocol (ESP/AH) and direction (inbound/outbound).

While entering the show crypto ipsec sa command, if the screen display is stopped with the More prompt and the security association lifetime expires while the screen display is stopped, then the subsequent display information may refer to a stale security association. Assume that the security association lifetime values that display are invalid.

The following is sample output for the show crypto ipsec sa command:

show crypto ipsec sa

interface: outside
    Crypto map tag: firewall-alice, local addr. 172.21.114.123

   local ident (addr/mask/prot/port): (172.21.114.123/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (172.21.114.67/255.255.255.255/0/0)
   current_peer: 172.21.114.67
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest 10
    #pkts decaps: 10, #pkts decrypt: 10, #pkts verify 10
    #send errors 10, #recv errors 0
 
     local crypto endpt.: 172.21.114.123, remote crypto endpt.: 172.21.114.67
     path  mtu 1500, media  mtu 1500
     current  outbound spi: 20890A6F
 
     inbound esp sas:
      spi: 0x257A1039(628756537)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 26, crypto map: firewall-alice
        sa timing: remaining key lifetime (k/sec): (4607999/90)
        IV size: 8 bytes
        replay detection support: Y
     inbound ah sas:
      outbound esp sas:
      spi: 0x20890A6F(545852015)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 27, crypto map: firewall-alice
        sa timing: remaining key lifetime (k/sec): (4607999/90)
        IV size: 8 bytes
        replay detection support: Y
      outbound ah sas:
interface: inside
    Crypto map tag: firewall-alice, local addr. 172.21.114.123
          
   local ident (addr/mask/prot/port): (172.21.114.123/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (172.21.114.67/255.255.255.255/0/0)
   current_peer: 172.21.114.67
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest 10
    #pkts decaps: 10, #pkts decrypt: 10, #pkts verify 10
    #send errors 10, #recv errors 0
 
     local crypto endpt.: 172.21.114.123, remote crypto endpt.: 172.21.114.67
     path  mtu 1500, media  mtu 1500
     current  outbound spi: 20890A6F
		inbound esp sas:
      spi: 0x257A1039(628756537)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 26, crypto map: firewall-alice
        sa timing: remaining key lifetime (k/sec): (4607999/90)
        IV size: 8 bytes
        replay detection support: Y
     inbound ah sas:
      outbound esp sas:
      spi: 0x20890A6F(545852015)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 27, crypto map: firewall-alice
        sa timing: remaining key lifetime (k/sec): (4607999/90)
        IV size: 8 bytes
        replay detection support: Y
      outbound ah sas: