Defines crypto IKEv1/IKEv2 commands in detail
The Internet Key Exchange (IKE) protocol is a key management protocol used in conjunction with IPsec. IKE extends IPsec with additional features, flexibility, and configuration simplicity. It negotiates IPsec SAs automatically, so secure communication can be established without time-consuming manual pre-configuration of keys and SAs.
IKEv1 and IKEv2 policies are configured inside a profile. Use the profile's (config) instance to configure the IKEv1/IKEv2 policy configuration commands.
To navigate to the IKEv1/IKEv2 policy config instance, use the following commands:
<DEVICE>(config)#profile <DEVICE-TYPE> <PROFILE-NAME>
<DEVICE>(config-profile-<PROFILE-NAME>)#crypto ikev1/ikev2 policy <IKEV1/IKEV2-POLICY-NAME>

nx9500-6C8809(config-profile-default-nx5500)#crypto ikev1 policy ikev1-testpolicy
rfs7000-37FABE(config-profile-default-nx5500-ikev1-policy-ikev1-testpolicy)#?
Crypto IKEv1 Policy Configuration commands:
  dpd-keepalive    Set Dead Peer Detection interval in seconds
  dpd-retries      Set Dead Peer Detection retries count
  isakmp-proposal  Configure ISAKMP Proposals
  lifetime         Set lifetime for ISAKMP security association
  mode             IKEv1 mode (main/aggressive)
  no               Negate a command or set its defaults

  clrscr           Clears the display screen
  commit           Commit all changes made in this session
  end              End current mode and change to EXEC mode
  exit             End current mode and down to previous mode
  help             Description of the interactive help system
  revert           Revert changes
  service          Service Commands
  show             Show running system information
  write            Write running configuration to memory or terminal

nx9500-6C8809(config-profile-default-nx5500-ikev1-policy-ikev1-testpolicy)#

nx9500-6C8809(config-profile-test-ikev2-policy-ikev2-testpolicy)#?
Crypto IKEv2 Policy Configuration commands:
  dpd-keepalive    Set Dead Peer Detection interval in seconds
  isakmp-proposal  Configure ISAKMP Proposals
  lifetime         Set lifetime for ISAKMP security association
  no               Negate a command or set its defaults
  sa-per-acl       Setup single SA for all rules in the ACL (ONLY APPLICABLE FOR SITE-TO-SITE VPN)

  clrscr           Clears the display screen
  commit           Commit all changes made in this session
  do               Run commands from Exec mode
  end              End current mode and change to EXEC mode
  exit             End current mode and down to previous mode
  help             Description of the interactive help system
  revert           Revert changes
  service          Service Commands
  show             Show running system information
  write            Write running configuration to memory or terminal

nx9500-6C8809(config-profile-test-ikev2-policy-ikev2-testpolicy)#
Note
IKEv2, an improved version of the original IKEv1 design, is recommended for most deployments. It provides stronger cryptographic mechanisms, built-in NAT and firewall traversal, and better resistance to attacks such as denial of service.

The following table summarizes the crypto IKEv1/IKEv2 configuration mode commands:
Command | Description
---|---
dpd-keepalive | Sets the interval, in seconds, between Dead Peer Detection (DPD) keepalive packets
dpd-retries | Sets the maximum number of DPD keepalive packets sent without a reply before the peer is declared dead (applicable only to the IKEv1 policy)
isakmp-proposal | Configures ISAKMP proposals (the encryption, hash and Diffie-Hellman group parameters offered for the IKE SA)
lifetime | Specifies how long an IKE SA is valid before it expires and must be renegotiated
mode | Sets the IKEv1 exchange mode, main or aggressive (applicable only to the IKEv1 policy). With pre-shared keys, aggressive mode sends the authentication hash unencrypted, which allows offline brute force of the key, so main mode should be preferred
no | Removes IKEv1/IKEv2 policy settings or reverts them to their defaults
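As an added example (not from the original reference and not vendor code), the following Python script parses a WiNG-style running configuration for the crypto ikev1/ikev2 policy commands listed above and flags the settings a reviewer would question: an IKEv1 policy at all, aggressive mode, a missing dpd-keepalive, an over-long lifetime, and weak ISAKMP proposals. The configuration sample is constructed, and the argument formats are assumptions: lifetime and dpd-keepalive in seconds, and isakmp-proposal <name> encryption <alg> hash <alg> group <n>, a syntax this page does not show.

```python
import re
from dataclasses import dataclass, field

# Audit thresholds (assumptions of this example, not vendor defaults).
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_HASH = {"md5"}
WEAK_DH_GROUPS = {"1", "2", "5"}      # MODP groups of 1536 bits or less
MAX_LIFETIME_SECONDS = 86400          # one day; longer windows widen key exposure

# Constructed sample in the style of a WiNG running-config; not a captured device config.
SAMPLE_CONFIG = """\
profile nx5500 default-nx5500
 crypto ikev1 policy ikev1-testpolicy
  mode aggressive
  dpd-keepalive 30
  dpd-retries 5
  lifetime 604800
  isakmp-proposal p1 encryption 3des hash md5 group 2
 crypto ikev2 policy ikev2-testpolicy
  dpd-keepalive 30
  lifetime 86400
  isakmp-proposal p2 encryption aes-256 hash sha256 group 14
"""

POLICY_RE = re.compile(r"^\s*crypto\s+(ikev1|ikev2)\s+policy\s+(\S+)\s*$")
# Assumed isakmp-proposal syntax; the page only shows the command name.
PROPOSAL_RE = re.compile(
    r"^isakmp-proposal\s+(\S+)\s+encryption\s+(\S+)\s+hash\s+(\S+)\s+group\s+(\S+)$"
)


@dataclass
class IkePolicy:
    version: str                                   # "ikev1" or "ikev2"
    name: str
    settings: dict = field(default_factory=dict)   # command -> argument string
    proposals: list = field(default_factory=list)  # (name, encryption, hash, group)


def parse_ike_policies(config_text):
    """Collect every crypto ikev1/ikev2 policy block with the commands under it.

    A block ends at the first non-blank line indented no deeper than the
    'crypto ... policy' line that opened it.
    """
    policies, current, policy_indent = [], None, 0
    for raw in config_text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip())
        m = POLICY_RE.match(raw)
        if m:
            current = IkePolicy(m.group(1), m.group(2))
            policies.append(current)
            policy_indent = indent
            continue
        if current is None or indent <= policy_indent:
            current = None                # left the policy block
            continue
        line = raw.strip()
        pm = PROPOSAL_RE.match(line)
        if pm:
            current.proposals.append(pm.groups())
            continue
        command, _, argument = line.partition(" ")
        current.settings[command] = argument.strip()
    return policies


def audit_policy(policy):
    """Return (policy name, finding) pairs for one policy."""
    findings = []
    name = policy.name
    if policy.version == "ikev1":
        findings.append((name, "IKEv1 policy: prefer IKEv2 (built-in NAT traversal and DoS resistance)"))
        if policy.settings.get("mode", "").lower() == "aggressive":
            findings.append((name, "aggressive mode sends the pre-shared-key authentication hash "
                                   "unencrypted, enabling offline PSK brute force; use main mode"))
    if "dpd-keepalive" not in policy.settings:
        findings.append((name, "no dpd-keepalive: a dead peer is never detected and its SA lingers"))
    lifetime = policy.settings.get("lifetime", "")
    if lifetime.isdigit() and int(lifetime) > MAX_LIFETIME_SECONDS:
        findings.append((name, f"lifetime {lifetime}s exceeds {MAX_LIFETIME_SECONDS}s"))
    for prop_name, enc, hsh, grp in policy.proposals:
        weak = [f"encryption {enc}"] if enc.lower() in WEAK_ENCRYPTION else []
        if hsh.lower() in WEAK_HASH:
            weak.append(f"hash {hsh}")
        if grp in WEAK_DH_GROUPS:
            weak.append(f"group {grp}")
        if weak:
            findings.append((name, f"proposal {prop_name} offers weak " + ", ".join(weak)))
    return findings


def audit_config(config_text):
    """Audit every IKE policy in a configuration text and return all findings."""
    findings = []
    for policy in parse_ike_policies(config_text):
        findings.extend(audit_policy(policy))
    return findings


if __name__ == "__main__":
    for policy_name, finding in audit_config(SAMPLE_CONFIG):
        print(f"{policy_name}: {finding}")
```

Run against the constructed sample, the IKEv1 policy produces four findings (IKEv1 itself, aggressive mode, a 7-day lifetime, and a 3DES/MD5/group 2 proposal) while the IKEv2 policy produces none. Feed it the output of `show running-config` from a real controller to audit the policies actually deployed.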