crypto-auto-ipsec-tunnel commands

Defines the IKE version used for auto IPSec tunnel negotiation with an IPSec remote gateway other than the controller.

Supported in the following platforms:

  • Access Points — AP505i, AP510i/e, AP560i/h
  • Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000


remotegw ike-version [ikev1-aggr|ikev1-main|ikev2] {uniqueid}


  • remotegw ike-version – Configures the IKE version used for initiating an auto IPSec tunnel with secure gateways other than the controller
  • ikev1-aggr – Aggressive mode is used by the auto IPSec tunnel initiator to set up the connection
  • ikev1-main – Main mode is used by the auto IPSec tunnel initiator to establish the connection
  • ikev2 – IKEv2 is the preferred method when only a wireless controller/AP is used
  • uniqueid – Optional. This keyword is common to all of the above parameters. Enables the assigning of a unique ID to APs (using this profile) behind a router by prefixing the MAC address to the group ID

Providing a unique ID enables the access point, wireless controller, or service platform to uniquely identify the destination device. This is essential in networks where there are multiple APs behind a router, or when two (or more) APs behind two (or more) different routers have the same IP address. For example, consider two APs (A and B) behind two routers (1 and 2): AP 'A' is behind router '1', and AP 'B' is behind router '2'. Both APs have the same IP address. In such a scenario, the controller fails to establish an Auto IPSec VPN tunnel to either AP, because it is unable to uniquely identify them.

After enabling unique ID assignment, enable IKE unique ID check. For more information, see crypto.


ike-version ikev2 uniqueid

nx9500-6C8809(config-profile-default-rfs4000-crypto-auto-ipsec-secure)#show context
 crypto auto-ipsec-secure
  remotegw ike-version ikev2 uniqueid
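
The following check is an added example, not part of the vendor documentation: it scans exported configuration text for remotegw ike-version lines inside crypto auto-ipsec-secure blocks and reports profiles that use an IKEv1 mode or omit uniqueid. Only the command syntax and the show context indentation come from this page; the "profile <type> <name>" header lines, the profile names, and the sample text are constructed assumptions.

```python
import re

# Syntax documented on this page:
#   remotegw ike-version [ikev1-aggr|ikev1-main|ikev2] {uniqueid}
REMOTEGW = re.compile(r"remotegw ike-version (ikev1-aggr|ikev1-main|ikev2)( uniqueid)?")

MESSAGES = {
    "bad-syntax": "line does not match the documented syntax",
    "not-ikev2": "IKEv1 mode configured; this page names ikev2 as the preferred method",
    "no-uniqueid": "uniqueid missing; APs sharing an IP behind routers cannot be told apart",
}

def audit(config_text):
    """Return (profile, issue) pairs for every remotegw ike-version line."""
    findings, profile, in_block, block_indent = [], None, False, 0
    for raw in config_text.splitlines():
        line = " ".join(raw.split())          # normalise internal whitespace
        if not line or line.startswith("!"):  # assumption: "!" lines are separators
            continue
        indent = len(raw) - len(raw.lstrip())
        if indent == 0:                       # new top-level object ends any block
            in_block = False
            profile = line if line.startswith("profile ") else None
        elif line == "crypto auto-ipsec-secure":
            in_block, block_indent = True, indent
        elif in_block and indent <= block_indent:
            in_block = False                  # left the auto-ipsec-secure context
        elif in_block and line.startswith("remotegw ike-version"):
            m = REMOTEGW.fullmatch(line)
            if m is None:
                findings.append((profile, "bad-syntax"))
                continue
            if m.group(1) != "ikev2":
                findings.append((profile, "not-ikev2"))
            if m.group(2) is None:
                findings.append((profile, "no-uniqueid"))
    return findings

# Constructed sample; profile headers and names are assumptions, not from the page.
SAMPLE = """\
profile rfs4000 default-rfs4000
 crypto auto-ipsec-secure
  remotegw ike-version ikev2 uniqueid
profile ap505 branch-a
 crypto auto-ipsec-secure
  remotegw ike-version ikev1-aggr
 interface ge1
profile ap510 branch-b
 crypto auto-ipsec-secure
  remotegw ike-version ikev2
"""

if __name__ == "__main__":
    for profile, issue in audit(SAMPLE):
        print(f"{profile}: {issue}: {MESSAGES[issue]}")
```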