Defines crypto-IKEv1/IKEv2 commands in detail
The IKE protocol is a key management protocol standard used in conjunction with IPSec. IKE enhances IPSec by providing additional features, flexibility, and configuration simplicity for the IPSec standard. IKE automatically negotiates IPSec SAs and enables secure communications without time-consuming manual pre-configuration.
Use the (config) instance to configure IKEv1/IKEv2 policy configuration commands.
To navigate to the IKEv1/IKEv2 policy config instance, use the following commands:
<DEVICE>(config)#profile <DEVICE-TYPE> <PROFILE-NAME>
<DEVICE>(config-profile-<PROFILE-NAME>)#crypto ikev1/ikev2 policy <IKEV1/IKEV2-POLICY-NAME>
nx9500-6C8809(config-profile-default-nx5500)#crypto ikev1 policy ikev1-testpolicy
rfs7000-37FABE(config-profile-default-nx5500-ikev1-policy-ikev1-testpolicy)#?
Crypto IKEv1 Policy Configuration commands:
dpd-keepalive Set Dead Peer Detection interval in seconds
dpd-retries Set Dead Peer Detection retries count
isakmp-proposal Configure ISAKMP Proposals
lifetime Set lifetime for ISAKMP security association
mode IKEv1 mode (main/aggressive)
no Negate a command or set its defaults
clrscr Clears the display screen
commit Commit all changes made in this session
end End current mode and change to EXEC mode
exit End current mode and down to previous mode
help Description of the interactive help system
revert Revert changes
service Service Commands
show Show running system information
write Write running configuration to memory or terminal
nx9500-6C8809(config-profile-default-nx5500-ikev1-policy-ikev1-testpolicy)#
nx9500-6C8809(config-profile-test-ikev2-policy-ikev2-testpolicy)#?
Crypto IKEv2 Policy Configuration commands:
dpd-keepalive Set Dead Peer Detection interval in seconds
isakmp-proposal Configure ISAKMP Proposals
lifetime Set lifetime for ISAKMP security association
no Negate a command or set its defaults
sa-per-acl Setup single SA for all rules in the ACL (ONLY APPLICABLE
FOR SITE-TO-SITE VPN)
clrscr Clears the display screen
commit Commit all changes made in this session
do Run commands from Exec mode
end End current mode and change to EXEC mode
exit End current mode and down to previous mode
help Description of the interactive help system
revert Revert changes
service Service Commands
show Show running system information
write Write running configuration to memory or terminal
nx9500-6C8809(config-profile-test-ikev2-policy-ikev2-testpolicy)#

Note
IKEv2, being an improved version of the original IKEv1 design, is recommended in most deployments. IKEv2 provides enhanced cryptographic mechanisms, NAT and firewall traversal, attack resistance, etc.

The following table summarizes crypto IKEv1/IKEv2 configuration mode commands:
| Command | Description |
|---|---|
| dpd-keepalive | Sets DPD keep alive packet interval |
| dpd-retries | Sets the maximum number of attempts for sending DPD keep alive packets (applicable only to the IKEv1 policy) |
| isakmp-proposal | Configures ISAKMP proposals |
| lifetime | Specifies how long an IKE SA is valid before it expires |
| mode | Sets the mode of the tunnels (applicable only to the IKEv1 policy) |
| no | Removes or reverts IKEv1/IKEv2 policy settings |
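
One way to check an exported configuration against the note's recommendation, as an added example that is not part of the original documentation: it lists IKEv1 policies and ranks those set to `mode aggressive` highest. The sample configuration is constructed, and the indentation-based nesting and the `mode main` / `mode aggressive` argument form are assumptions based on the help text above.

```python
import re

# Constructed sample, not from a real device. Assumption: sub-commands are
# indented deeper than the "crypto ikevN policy" line that owns them.
SAMPLE_CONFIG = """\
profile nx5500 default-nx5500
 crypto ikev1 policy ikev1-testpolicy
  mode aggressive
 crypto ikev1 policy ikev1-legacy
  mode main
 crypto ikev2 policy ikev2-testpolicy
  sa-per-acl
 interface ge1
"""

POLICY_RE = re.compile(r"crypto\s+(ikev[12])\s+policy\s+(\S+)$", re.I)
MODE_RE = re.compile(r"mode\s+(main|aggressive)$", re.I)

def parse_policies(text):
    """Return one dict per IKE policy: version, name, mode (None if unset)."""
    policies, current, depth = [], None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        indent = len(raw) - len(raw.lstrip())
        m = POLICY_RE.match(line)
        if m:
            current, depth = {"version": m.group(1).lower(), "name": m.group(2), "mode": None}, indent
            policies.append(current)
            continue
        if current is not None and indent <= depth:
            current = None  # a line at or above the policy's depth ends its context
        m = MODE_RE.match(line)
        if current is not None and m:
            current["mode"] = m.group(1).lower()
    return policies

def audit(text):
    # Aggressive mode ranks highest: it exchanges peer identities unprotected.
    findings = []
    for p in parse_policies(text):
        if p["version"] != "ikev1":
            continue
        if p["mode"] == "aggressive":
            findings.append((p["name"], "high", "IKEv1 aggressive mode"))
        else:
            findings.append((p["name"], "review", "IKEv1 policy, IKEv2 recommended"))
    return findings
```

Calling `audit(SAMPLE_CONFIG)` returns one `high` finding for `ikev1-testpolicy` and one `review` finding for `ikev1-legacy`; the IKEv2 policy produces none.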