The IKE policy groups together policy related parameters configured for the SA. Use the crypto ike-policy command in global VRF router configuration mode to create or modify an IKE policy. Specify the name of the IKE policy when entering the command. Upon entering the command you are placed in IKE policy configuration mode for the named policy. See IKE Policy Parameters for a description of IKE policy parameters.
Parameter | Description |
---|---|
Authentication Pre-shared Key | The authentication PSK is a pre-shared authentication key that is used to initiate the connection and exchange encryption keys during the session. Use the authentication psk command in IKE policy configuration mode to configure the authentication pre-shared key for the SA. |
Initial Contact | If the local host has rebooted, peers may have SAs that are no longer valid. If the initial contact feature is enabled, upon reboot an initial contact message is sent to a peer so that it will delete old SAs. Use the initial-contact command to enable the initial contact feature for the SA. The initial contact feature is disabled by default. |
Lifetime | The IKE policy lifetime specifies the life cycle of an ISAKMP SA and is configured in minutes. The policy lifetime determines when a policy times out. A lifetime renegotiation automatically occurs before the lifetime is to expire. If the renegotiation is unsuccessful, the policy expires. Use the lifetime time command in IKE policy configuration mode to configure an IKE policy timeout period. |
Passive Mode | Passive mode configures the IKE policy to wait for the peer to initiate the IKE session. By default a device is in active mode and constantly polls to see if the peer is up. Use the passive command in IKE policy configuration mode to configure the IKE policy for passive mode. |
Peer | An IPv4 or IPv6 peer is specified for the SA using the peer command in IKE policy configuration mode. The IKE policy peer configuration determines whether the associated map is IPv4 or IPv6 during the phase 1 main mode negotiation. The CLI allows you to enter an inconsistent configuration between the local and peer address IP types. Inconsistent local and peer configurations will cause the IKE map to not be programmed. |
Proposal (Quick Mode) | The quick mode proposal, used to establish and refresh user-level SAs, is assigned to an IKE policy using the proposal command in IKE policy configuration mode. |
Version | The S- K- and 7100-Series platforms support IKE version 1 for this release. Use the version command in IKE policy configuration mode to specify the IKE version used for the policy. This release does not support a default IKE version. You must manually enter an IKE version. |