crypto-ikev1/ikev2-policy commands

Configures ISAKMP proposals and their parameters

Supported in the following platforms:

  • Access Points — AP505i, AP510i/e, AP560i/h
  • Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000


isakmp-proposal <WORD> encryption [3des|aes|aes-192|aes-256] group [14|2|5] hash [aes-xcbc-mac|md5|sha|sha256]


isakmp-proposal <WORD> encryption [3des|aes|aes-192|aes-256] group [14|2|5] hash [aes-xcbc-mac|md5|sha|sha256]
<WORD> Assigns the target peer (tunnel destination) a 32 character maximum name to distinguish it from others with a similar configuration.
encryption [3des|aes|aes-192| aes-256] Configures the encryption method used by the tunneled peers to securely inter-operate
  • 3des – Configures triple data encryption standard
  • aes – Configures AES (128 bit keys)
  • aes-192 – Configures AES (192 bit keys)
  • aes-256 – Configures AES (256 bit keys). This is the default setting.
group [14|2|5] Specifies the DH (Diffie-Hellman) group identifier used by VPN peers to derive a shared secret password without having to transmit. DH groups determine the strength of the key used in key exchanges. The higher the group number, the stronger and more secure the key. Options include 2, 5 and 14.
  • 14 – Configures DH group 14
  • 2 – Configures DH group 2. This is the default setting.
  • 5 – Configures DH group 5
hash [maes-xcbc-mac| md5|sha|sha256] Specifies the hash algorithm used to authenticate data transmitted over the IKE SA. The hash algorithm specified here is used by VPN peers to exchange credential information.
  • aes-xcbc-mac – Uses AES XCBC Auth hash algorithm. This option is applicable only to the IKEv2 policy configuration context.
  • md5 – Uses MD5 (Message Digest 5) hash algorithm
  • sha – Uses SHA (Secure Hash Authentication) hash algorithm. This is the default setting.
  • sha256 – Uses Secure Hash Standard 2 algorithm


nx9500-6C8809(config-profile-default-rfs4000-ikev1-policy-ikev1-testpolicy)#isakmp-proposal testproposal encryption aes group 2 hash sha

nx9500-6C8809(config-profile-default-rfs4000-ikev1-policy-ikev1-testpolicy)#show context
 crypto ikev1 policy testpolicy
  dpd-keepalive 11
  dpd-retries 10
  isakmp-proposal default encryption aes-256 group 2 hash sha
  isakmp-proposal testpraposal encryption aes group 2 hash sha