crypto

Use the crypto command to define a system-level local ID for ISAKMP negotiation and enter the ISAKMP policy, ISAKMP client, or ISAKMP peer configuration mode.

A crypto map entry is a single policy that describes how certain traffic is secured. There are two types of crypto map entries: ipsec-manual and ipsec-ike entries. Each entry is given an index (used to sort the ordered list).

When a non-secured packet arrives on an interface, the crypto map associated with that interface is processed (in order). If a crypto map entry matches the non-secured traffic, the traffic is discarded.

When a packet is transmitted on an interface, the crypto map associated with that interface is processed. The first crypto map entry that matches the packet is used to secure the packet. If a suitable SA (Security Association) exists, it is used for transmission. Otherwise, IKE is used to establish a SA with the peer. If no SA exists (and the crypto map entry is “respond only”), the packet is discarded.

When a secured packet arrives on an interface, its SPI (Security Parameter Index) is used to look up a SA. If a SA does not exist (or if the packet fails any of the security checks), it is discarded. If all checks pass, the packet is forwarded normally.

Supported in the following platforms:

Access Points — AP505i, AP510i/e, AP560i/h
Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000

Syntax

crypto [auto-ipsec-secure|enable-ike-uniqueids|ike-version|ikev1|ikev2|ipsec|
load-management|map|pki|plain-text-deny-acl-scope|remote-vpn-client]

crypto [auto-ipsec-secure|enable-ike-uniqueids|load-management]

crypto ike-version [ikev1-only|ikev2-only]

crypto ikev1 [dpd-keepalive <10-3600>|dpd-retries <1-100>|nat-keepalive <10-3600>|
peer <IKEV1-PEER>|policy <IKEV1-POLICY-NAME>|remote-vpn]

crypto ikev2 [cookie-challenge-threshold <1-100>|dpd-keepalive <10-3600>|dpd-retries <1-100>|
nat-keepalive <10-3600>|peer <IKEV2-PEER>|policy <IKEV2-POLICY-NAME>|remote-vpn]

crypto ipsec [df-bit|security-association|transform-set]

crypto ipsec df-bit [clear|copy|set]

crypto ipsec security-association lifetime [kilobytes <500-2147483646>|seconds <120-86400>]

crypto ipsec transform-set <TRANSFORM-SET-TAG> [esp-3des|esp-aes|esp-aes-192|esp-aes-256|
esp-des|esp-null] [esp-aes-xcbc-mac|esp-md5-hmac|esp-sha-hmac|esp-sha256-hmac]

crypto map <CRYPTO-MAP-TAG> <1-1000> [ipsec-isakmp {dynamic}|ipsec-manual]

crypto pki import crl <TRUSTPOINT-NAME> URL <1-168>

crypto plain-text-deny-acl-scope [global|interface]

crypto remote-vpn-client

Parameters

crypto [auto-ipsec-secure|enable-ike-uniqueids|load-management]

auto-ipsec-secure	Configures the Auto IPSec Secure parameter settings. For Auto IPSec tunnel configuration commands, see crypto-auto-ipsec-tunnel commands.
enable-ike-uniqueids	Enables IKE (Internet Key Exchange) unique ID check. For more information on IKE unique IDs, see remotegw.
load-management	Configures load management for platforms using software cryptography

crypto ike-version [ikev1-only|ikev2-only]

ike-version [ikev1-only|ikev2-only]

Selects and starts the IKE daemon

ikev1-only – Enables support for IKEv1 tunnels only
ikev2-only – Enables support for IKEv2 tunnels only

crypto ikev1 [dpd-keepalive <10-3600>|dpd-retries <1-100>|nat-keepalive <10-3600>|peer <IKEV1-PEER>|policy <IKEV1-POLICY-NAME>|remote-vpn]

ikev1	Configures the IKE version 1 parameters
dpd-keepalive <10-3600>	Sets the global DPD (Dead Peer Detection) keep alive interval from 10 - 3600 seconds. This is the interval between successive IKE keep alive messages sent to detect if a peer is dead or alive. The default is 30 seconds.
dpd-retries <1-1000>	Sets the global DPD retries count from 1 - 1000. This is the number of keep alive messages sent to a peer before the tunnel connection is declared as dead. The default is 5.
nat-keepalive <10-3600>	Sets the global NAT keep alive interval from 10 - 3600 seconds. This is the interval between successive NAT keep alive messages sent to detect if a peer is dead or alive. The default is 20 seconds.
peer <IKEV1-PEER>	Specify the name/Identifier for the IKEv1 peer. For IKEV1 peer configuration commands, see crypto-ikev1/ikev2-peer commands.
policy <IKEV1-POLICY-NAME>	Configures an ISKAMP policy. Specify the name of the policy. The local IKE policy and the peer IKE policy must have matching group settings for successful negotiations. For IKEV1 policy configuration commands, see crypto-ikev1/ikev2-policy commands.
remote-vpn	Specifies the IKEV1 remote-VPN server configuration (responder only)

crypto ikev2 [cookie-challenge-threshold <1-100>|dpd-keepalive <10-3600>|dpd-retries <1-100>|nat-keepalive <10-3600>|peer <IKEV2-PEER>|policy <IKEV2-POLICY-NAME>|remote-vpn]

ikev2	Configures the IKE version 2 parameters
cookie-challenge-threshold <1-100>	Starts the cookie challenge mechanism after the number of half open IKE SAs exceeds the specified limit. Specify the limit from 1 - 100. The default is 5.
dpd-keepalive <10-3600>	Sets the global DPD keepalive interval from 10 - 3600 seconds. The default is 30 seconds.
dpd-retries <1-100>	Sets the global DPD retries count from 1 - 100. The default is 5.
nat-keepalive <10-3600>	Sets the global NAT keepalive interval from 10 - 3600 seconds. The default is 20 seconds.
peer <IKEV2-PEER>	Specify the name/Identifier for the IKEv2 peer
policy <IKEV2-POLICY-NAME>	Configures an ISKAMP policy. Specify the policy name. The local IKE policy and the peer IKE policy must have matching group settings for successful negotiations.
remote-vpn	Specifies an IKEv2 remote-VPN server configuration (responder only)

crypto ipsec df-bit [clear|copy|set]

ipsec	Configures the IPSec policy parameters
df-bit [clear\|copy\|set]	Configures DF (Don‘t-Fragment) bit handling for encapsulating header. The options are: clear – Clears the DF bit in the outer header and ignores in the inner header copy – Copies the DF bit from the inner header to the outer header. This is the default setting. set – Sets the DF bit in the outer header

crypto ipsec security-association lifetime [kilobytes <500-2147483646>|seconds <120-86400>]

ipsec

Configures the IPSec policy parameters

security-association

Configures the IPSec SAs parameters

lifetime [kilobyte |seconds]

Defines the IPSec SAs lifetime (in kilobytes and/or seconds). Values can be entered in both kilobytes and seconds, which ever limit is reached first, ends the SA. When the SA lifetime ends it is renegotiated as a security measure.

kilobytes – Specifies a volume-based key duration (minimum is 500 KB and maximum is 2147483646 KB)
- <500-2147483646> – Specify a value from 500 - 2147483646 KB. The default is 4608000 KB.
seconds – Specifies a time-based key duration (minimum is 120 seconds and maximum is 86400 seconds)
- <120-86400> – Specify a value from 120 - 86400 seconds. The default is 3600 seconds.

The security association lifetime can be overridden under crypto maps.

crypto ipsec transform-set <TRANSFORM-SET-TAG> [esp-3des|esp-aes|esp-aes-192| esp-aes-256|esp-des|esp-null] [esp-aes-xcbc-mac|esp-md5-hmac|esp-sha-hmac|			esp-sha256-hmac]

ipsec	Configures the IPSec policy parameters
transform-set <TRANSFORM-SET-TAG>	Defines the transform set configuration (authentication and encryption) for securing data. A transform set is a combination of security protocols, algorithms and other settings applied to IPSec protected traffic. <TRANSFORM-SET-TAG> – Specify the transform set name. After specifying the transform set used by the IPSec transport connection, set the encryption method and the authentication scheme used with the transform set. The encryption methods are: DES, 3DES, AES, AES-192 and AES-256. Note: The authentication schemes available are: esp-md5-hmac and esp-sha-hmac.
esp-3des	Configures the ESP transform using 3DES cipher (168 bits). The transform set is assigned to a crypto map using the map‘s `set > transform-set` command.
esp-aes	Configures the ESP transform using AES (Advanced Encryption Standard) cipher. The transform set is assigned to a crypto map using the map‘s set > transform-set command.
esp-aes-192	Configures the ESP transform using AES cipher (192 bits). The transform set is assigned to a crypto map using the map‘s `set > transform-set`command.
esp-aes-256	Configures the ESP transform using AES cipher (256 bits). The transform set is assigned to a crypto map using the map‘s `set > transform-set` command. This is the default setting.
esp-des	Configures the ESP transform using DES (Data Encryption Standard) cipher (56 bits). The transform set is assigned to a crypto map using the map‘s `set > transform-set` command.
esp-null	Configures the ESP transform with no encryption
[esp-aes-xcbc-mac\| esp-md5-hmac\| esp-sha-hmac\| esp-sha256-hmac]	The following keywords are common to all of the above listed transform sets. After specifying the transform set type, configure the authentication scheme used to validate identity credentials. The options are: esp-aes-xcbc-mac – Configures ESP transform using AES-XCBC authorization esp-md5-hmac – Configures ESP transform using HMAC-MD5 authorization esp-sha-hmac – Configures ESP transform using HMAC-SHA authorization. This is the default setting. esp-sha256-hmac – Configures ESP transform using HMAC-SHA256 authorization

crypto map <CRYPTO-MAP-TAG> <1-1000> [ipsec-isakmp {dynamic}|ipsec-manual]

map <CRYPTO-MAP-TAG>	Configures the crypto map, a software configuration entity that selects data flows that require security processing. The crypto map also defines the policy for these data flows. <CRYPTO-MAP-TAG> – Specify a name for the crypto map. The name should not exceed 32 characters. For crypto map configuration commands, see crypto-map-ipsec-manual-instance.
<1-1000>	Defines the crypto map entry sequence. Each crypto map uses a list of entries, each entry having a specific sequence number. Specifying multiple sequence numbers within the same crypto map provides the flexibility to connect to multiple peers from the same interface. Specify a value from 1 - 1000.
ipsec-isakmp {dynamic}	Configures IPSEC w/ISAKMP. dynamic – Optional. Configures dynamic map entry (remote VPN configuration) for XAUTH with mode-config or ipsec-l2tp configuration
ipsec-manual	Configures IPSEC w/manual keying. Remote configuration is not allowed for manual crypto map.

crypto pki import crl <TRUSTPOINT-NAME> <URL> <1-168>

pki	Configures certificate parameters. The PKI (Public Key Infrastructure) protocol creates encrypted public keys using digital certificates from certificate authorities.
import	Imports a trustpoint related configuration
crl <TRUSTPOINT-NAME>	Imports a CRL (Certificate Revocation List). Imports a trustpoint including either a private key and server certificate or a certificate authority (CA) certificate or both. A CRL is a list of revoked certificates that are no longer valid. A certificate can be revoked if the CA had improperly issued a certificate, or if a private-key is compromised. The most common reason for revocation is the user no longer being in sole possession of the private key. <TRUSTPOINT-NAME> – Specify the trustpoint name.
<URL>	Specify the CRL source address in the following format. Both IPv4 and IPv6 address formats are supported. tftp://<hostname\|IPv4 or IPv6>[:port]/path/file ftp://<user>:<passwd>@<hostname\|IPv4 or IPv6>[:port]/path/file sftp://<user>:<passwd>@<hostname\|IPv4 or IPv6>[:port]>/path/file http://<hostname\|IPv4 or IPv6>[:port]/path/file cf:/path/file usb<n>:/path/file
<1-168>	Sets command replay duration from 1 - 168 hours. This is the interval (in hours) after which devices using this profile copy a CRL file from an external server and associate it with a trustpoint.

crypto plain-text-deny-acl-scope [global|interface]

plain-text-deny-acl-scope	Configures plain-text-deny-acl-scope parameters
global	Applies the plain text deny ACL globally. This is the default setting.
interface	Applies the plain text deny ACL to the interface only

crypto remote-vpn-client

remote-vpn-client

Configures remote VPN client settings. For more information, see crypto-remote-vpn-client commands.

Example

nx9500-6C8809(config-profile-default-rfs4000)#crypto ipsec transform-set tpsec-tag1 esp-aes-256 esp-md5-hmac
nx9500-6C8809(config-profile-default-rfs4000)#crypto map map1 10 ipsec-isakmp dynamic
nx9500-6C8809(config-profile-default-rfs4000)#crypto plain-text-deny-acl-scope interface

nx9500-6C8809(config-profile-default-rfs4000)#show context
profile rfs4000 default-rfs4000
  bridge vlan 1
  tunnel-over-level2
  ip igmp snooping
  ip igmp snooping querier
 no autoinstall configuration
 no autoinstall firmware
 device-upgrade persist-images
 crypto ikev1 dpd-retries 1
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev2-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 crypto ipsec transform-set tpsec-tag1 esp-aes-256 esp-md5-hmac
 crypto map map1 10 ipsec-isakmp dynamic
 crypto ikev1 remote-vpn
 crypto ikev2 remote-vpn
 crypto auto-ipsec-secure
 crypto plain-text-deny-acl-scope interface
 interface radio1
 interface radio2
 interface up
nx9500-6C8809(config-profile-default-rfs4000)#

nx9500-6C8809(config-profile-default-rfs4000)#crypto ipsec transform-set tag1 esp-null esp-md5-hmac

nx9500-6C8809(config-profile-default-rfs4000-transform-set-tag1)#?
Crypto Ipsec Configuration commands:
  mode     Encapsulation mode (transport/tunnel)
  no       Negate a command or set its defaults

  clrscr   Clears the display screen
  commit   Commit all changes made in this session
  end      End current mode and change to EXEC mode
  exit     End current mode and down to previous mode
  help     Description of the interactive help system
  revert   Revert changes
  service  Service Commands
  show     Show running system information
  write    Write running configuration to memory or terminal

nx9500-6C8809(config-profile-default-rfs4000-transform-set-tag1)#

Related Commands

no	Disables or reverts settings to their default

Published July 2019prev | next

Email this topic

Print this page Print this page

Leave feedback Feedback