crypto

Use the crypto command to define a system-level local ID for ISAKMP negotiation and enter the ISAKMP policy, ISAKMP client, or ISAKMP peer configuration mode.

A crypto map entry is a single policy that describes how certain traffic is secured. There are two types of crypto map entries: ipsec-manual and ipsec-ike entries. Each entry is given an index (used to sort the ordered list).

When a non-secured packet arrives on an interface, the crypto map associated with that interface is processed (in order). If a crypto map entry matches the non-secured traffic, the traffic is discarded.

When a packet is transmitted on an interface, the crypto map associated with that interface is processed. The first crypto map entry that matches the packet is used to secure the packet. If a suitable SA (Security Association) exists, it is used for transmission. Otherwise, IKE is used to establish an SA with the peer. If no SA exists (and the crypto map entry is “respond only”), the packet is discarded.

When a secured packet arrives on an interface, its SPI (Security Parameter Index) is used to look up an SA. If no SA exists (or if the packet fails any of the security checks), it is discarded. If all checks pass, the packet is forwarded normally.
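The three packet-handling paths described above (plaintext inbound, outbound, secured inbound) together with the SA lifetime rule, written out as a small model. This is an added illustration, not code from the WiNG platform: the entry selectors, the SA record layout, the SPI values and the addresses are all constructed here; the lifetime defaults used (4608000 KB and 3600 seconds) are the ones this page documents.

```python
"""Model of the crypto map packet-handling paths described above.

Added illustration, not WiNG code: entries, SA records, SPIs and addresses
are constructed. Lifetime defaults follow the page (4608000 KB, 3600 s).
"""
import time
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class CryptoMapEntry:
    seq: int                    # 1-1000; entries are processed in this order
    src: str                    # traffic selector, e.g. "10.0.0.0/24" (constructed)
    dst: str
    respond_only: bool = False  # a "respond only" entry never initiates IKE

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst))


@dataclass
class SecurityAssociation:
    spi: int
    entry_seq: int
    kb_limit: int = 4608000     # volume-based lifetime (KB)
    sec_limit: int = 3600       # time-based lifetime (seconds)
    kb_used: int = 0
    created: float = field(default_factory=time.monotonic)

    def expired(self, now: Optional[float] = None) -> bool:
        # Whichever limit is reached first ends the SA; it must then be renegotiated.
        now = time.monotonic() if now is None else now
        return self.kb_used >= self.kb_limit or now - self.created >= self.sec_limit


class CryptoMap:
    def __init__(self, entries):
        self.entries = sorted(entries, key=lambda e: e.seq)
        self.outbound_sas = {}   # entry seq -> SecurityAssociation
        self.inbound_sas = {}    # SPI -> SecurityAssociation

    def first_match(self, src_ip, dst_ip):
        for entry in self.entries:
            if entry.matches(src_ip, dst_ip):
                return entry
        return None

    def handle_inbound_plaintext(self, src_ip, dst_ip):
        # Plaintext that matches an entry should have arrived protected: drop it.
        return "discard" if self.first_match(src_ip, dst_ip) else "forward"

    def handle_outbound(self, src_ip, dst_ip, now=None):
        entry = self.first_match(src_ip, dst_ip)
        if entry is None:
            return "send-plaintext"          # no entry claims this traffic
        sa = self.outbound_sas.get(entry.seq)
        if sa is not None and not sa.expired(now):
            return f"protect-with-spi-{sa.spi}"
        if entry.respond_only:
            return "discard"                 # no SA and this side may not initiate
        return "initiate-ike"

    def handle_inbound_secured(self, spi, checks_pass=True):
        # The SPI selects the SA; an unknown SPI or a failed check drops the packet.
        sa = self.inbound_sas.get(spi)
        return "forward" if sa is not None and checks_pass else "discard"


if __name__ == "__main__":
    cm = CryptoMap([
        CryptoMapEntry(20, "10.0.0.0/24", "10.0.1.0/24", respond_only=True),
        CryptoMapEntry(10, "10.0.0.0/24", "192.168.0.0/16"),
    ])
    print(cm.handle_inbound_plaintext("10.0.0.5", "192.168.1.1"))   # discard
    print(cm.handle_outbound("10.0.0.5", "192.168.1.1"))             # initiate-ike
    print(cm.handle_outbound("10.0.0.5", "10.0.1.9"))                # discard
```

The plaintext-deny path is the one worth noticing operationally: any clear-text packet whose addresses fall inside a crypto map selector is dropped, so a host that is expected to be reached through the tunnel becomes unreachable rather than reachable in the clear when the SA is missing.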

Supported on the following devices:

Syntax

crypto [auto-ipsec-secure|enable-ike-uniqueids|ike-version|ikev1|ikev2|ipsec|
load-management|map|pki|plain-text-deny-acl-scope|remote-vpn-client]
crypto [auto-ipsec-secure|enable-ike-uniqueids|load-management]
crypto ike-version [ikev1-only|ikev2-only]
crypto ikev1 [dpd-keepalive <10-3600>|dpd-retries <1-100>|nat-keepalive <10-3600>|
peer <IKEV1-PEER>|policy <IKEV1-POLICY-NAME>|remote-vpn]
crypto ikev2 [cookie-challenge-threshold <1-100>|dpd-keepalive <10-3600>|dpd-retries <1-100>|
nat-keepalive <10-3600>|peer <IKEV2-PEER>|policy <IKEV2-POLICY-NAME>|remote-vpn]
crypto ipsec [df-bit|security-association|transform-set]
crypto ipsec df-bit [clear|copy|set]
crypto ipsec security-association lifetime [kilobytes <500-2147483646>|seconds <120-86400>]
crypto ipsec transform-set <TRANSFORM-SET-TAG> [esp-3des|esp-aes|esp-aes-192|esp-aes-256|
esp-des|esp-null] [esp-aes-xcbc-mac|esp-md5-hmac|esp-sha-hmac|esp-sha256-hmac]
crypto map <CRYPTO-MAP-TAG> <1-1000> [ipsec-isakmp {dynamic}|ipsec-manual]
crypto pki import crl <TRUSTPOINT-NAME> <URL> <1-168>
crypto plain-text-deny-acl-scope [global|interface]
crypto remote-vpn-client

Parameters

crypto [auto-ipsec-secure|enable-ike-uniqueids|load-management]
auto-ipsec-secure Configures the Auto IPSec Secure parameter settings. For Auto IPSec tunnel configuration commands, see crypto-auto-ipsec-tunnel commands.
enable-ike-uniqueids Enables IKE (Internet Key Exchange) unique ID check. For more information on IKE unique IDs, see remotegw.
load-management Configures load management for platforms using software cryptography
crypto ike-version [ikev1-only|ikev2-only]
ike-version [ikev1-only|ikev2-only] Selects and starts the IKE daemon
  • ikev1-only – Enables support for IKEv1 tunnels only
  • ikev2-only – Enables support for IKEv2 tunnels only
crypto ikev1 [dpd-keepalive <10-3600>|dpd-retries <1-100>|nat-keepalive <10-3600>|peer <IKEV1-PEER>|policy <IKEV1-POLICY-NAME>|remote-vpn]
ikev1 Configures the IKE version 1 parameters
dpd-keepalive <10-3600> Sets the global Dead Peer Detection (DPD) keep alive interval from 10 - 3600 seconds. This is the interval between successive IKE keep alive messages sent to detect if a peer is dead or alive. The default is 30 seconds.
dpd-retries <1-1000> Sets the global DPD retries count from 1 - 1000. This is the number of keep alive messages sent to a peer before the tunnel connection is declared as dead. The default is 5.
nat-keepalive <10-3600> Sets the global NAT keep alive interval from 10 - 3600 seconds. This is the interval between successive NAT keep alive messages sent to detect if a peer is dead or alive. The default is 20 seconds.
peer <IKEV1-PEER> Specify the name/Identifier for the IKEv1 peer. For IKEV1 peer configuration commands, see crypto-ikev1/ikev2-peer commands.
policy <IKEV1-POLICY-NAME> Configures an ISAKMP policy. Specify the name of the policy.

The local IKE policy and the peer IKE policy must have matching group settings for successful negotiations.

For IKEV1 policy configuration commands, see crypto-ikev1/ikev2-policy commands.

remote-vpn Specifies the IKEV1 remote-VPN server configuration (responder only)
crypto ikev2 [cookie-challenge-threshold <1-100>|dpd-keepalive <10-3600>|dpd-retries <1-100>|nat-keepalive <10-3600>|peer <IKEV2-PEER>|policy <IKEV2-POLICY-NAME>|remote-vpn]
ikev2 Configures the IKE version 2 parameters
cookie-challenge-threshold <1-100> Starts the cookie challenge mechanism after the number of half-open IKE SAs exceeds the specified limit. Specify the limit from 1 - 100. The default is 5.
dpd-keepalive <10-3600> Sets the global DPD keepalive interval from 10 - 3600 seconds. The default is 30 seconds.
dpd-retries <1-100> Sets the global DPD retries count from 1 - 100. The default is 5.
nat-keepalive <10-3600> Sets the global NAT keepalive interval from 10 - 3600 seconds. The default is 20 seconds.
peer <IKEV2-PEER> Specify the name/Identifier for the IKEv2 peer
policy <IKEV2-POLICY-NAME> Configures an ISAKMP policy. Specify the policy name.

The local IKE policy and the peer IKE policy must have matching group settings for successful negotiations.

remote-vpn Specifies an IKEv2 remote-VPN server configuration (responder only)
crypto ipsec df-bit [clear|copy|set]
ipsec Configures the IPSec policy parameters
df-bit [clear|copy|set] Configures Don't-Fragment (DF) bit handling for the encapsulating header. The options are:
  • clear – Clears the DF bit in the outer header and ignores it in the inner header
  • copy – Copies the DF bit from the inner header to the outer header. This is the default setting.
  • set – Sets the DF bit in the outer header
crypto ipsec security-association lifetime [kilobytes <500-2147483646>|seconds <120-86400>]
ipsec Configures the IPSec policy parameters
security-association Configures the IPSec SAs parameters
lifetime [kilobytes|seconds] Defines the IPSec SA lifetime (in kilobytes and/or seconds). Values can be entered in both kilobytes and seconds; whichever limit is reached first ends the SA. When the SA lifetime ends, the SA is renegotiated as a security measure.
  • kilobytes – Specifies a volume-based key duration (minimum is 500 KB and maximum is 2147483646 KB)
    • <500-2147483646> – Specify a value from 500 - 2147483646 KB. The default is 4608000 KB.
  • seconds – Specifies a time-based key duration (minimum is 120 seconds and maximum is 86400 seconds)
    • <120-86400> – Specify a value from 120 - 86400 seconds. The default is 3600 seconds.

The security association lifetime can be overridden under crypto maps.

crypto ipsec transform-set <TRANSFORM-SET-TAG> [esp-3des|esp-aes|esp-aes-192|esp-aes-256|esp-des|esp-null] [esp-aes-xcbc-mac|esp-md5-hmac|esp-sha-hmac|esp-sha256-hmac]
ipsec Configures the IPSec policy parameters
transform-set <TRANSFORM-SET-TAG> Defines the transform set configuration (authentication and encryption) for securing data. A transform set is a combination of security protocols, algorithms and other settings applied to IPSec protected traffic.
  • <TRANSFORM-SET-TAG> – Specify the transform set name.

After specifying the transform set used by the IPSec transport connection, set the encryption method and the authentication scheme used with the transform set.

The encryption methods are: DES, 3DES, AES, AES-192 and AES-256.

Note: The authentication schemes available are: esp-md5-hmac and esp-sha-hmac.
esp-3des Configures the ESP transform using 3DES cipher (168 bits). The transform set is assigned to a crypto map using the map's set > transform-set command.
esp-aes Configures the ESP transform using AES (Advanced Encryption Standard) cipher. The transform set is assigned to a crypto map using the map's set > transform-set command.
esp-aes-192 Configures the ESP transform using AES cipher (192 bits). The transform set is assigned to a crypto map using the map's set > transform-set command.
esp-aes-256 Configures the ESP transform using AES cipher (256 bits). The transform set is assigned to a crypto map using the map's set > transform-set command. This is the default setting.
esp-des Configures the ESP transform using Data Encryption Standard (DES) cipher (56 bits). The transform set is assigned to a crypto map using the map's set > transform-set command.
esp-null Configures the ESP transform with no encryption
[esp-aes-xcbc-mac|esp-md5-hmac|esp-sha-hmac|esp-sha256-hmac] The following keywords are common to all of the above listed transform sets.

After specifying the transform set type, configure the authentication scheme used to validate identity credentials. The options are:

  • esp-aes-xcbc-mac – Configures ESP transform using AES-XCBC authentication
  • esp-md5-hmac – Configures ESP transform using HMAC-MD5 authentication
  • esp-sha-hmac – Configures ESP transform using HMAC-SHA authentication. This is the default setting.
  • esp-sha256-hmac – Configures ESP transform using HMAC-SHA256 authentication
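A configuration check that reads the transform-set lines from a running configuration (as printed by show context) and reports the cipher and authentication keywords a reviewer would usually want flagged. This is an added example, not vendor code: the configuration text is constructed to mirror the shape of this page's show context output, and the weak/strong classification is the example's own audit policy, not a product rule.

```python
"""Audit of crypto ipsec transform-set lines in a running configuration.

Added example, not vendor code. SAMPLE_CONFIG is constructed; the
weak/strong classification is this example's own policy.
"""
import re
from typing import Dict, List, Tuple

CIPHER_KEYWORDS = {"esp-3des", "esp-aes", "esp-aes-192", "esp-aes-256", "esp-des", "esp-null"}
AUTH_KEYWORDS = {"esp-aes-xcbc-mac", "esp-md5-hmac", "esp-sha-hmac", "esp-sha256-hmac"}

# Assumed audit policy: no encryption, 56-bit DES, 64-bit-block 3DES and HMAC-MD5 are reported.
WEAK_CIPHERS = {"esp-null": "no encryption", "esp-des": "56-bit DES", "esp-3des": "3DES (64-bit block)"}
WEAK_AUTHS = {"esp-md5-hmac": "HMAC-MD5"}

TRANSFORM_SET_RE = re.compile(r"^\s*crypto ipsec transform-set (\S+) (\S+) (\S+)\s*$")

# Constructed sample, shaped like a show context listing.
SAMPLE_CONFIG = """\
profile ap8533 default-ap8533
 crypto ikev1 dpd-retries 1
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 crypto ipsec transform-set tpsec-tag1 esp-aes-256 esp-md5-hmac
 crypto ipsec transform-set tag1 esp-null esp-md5-hmac
 crypto map map1 10 ipsec-isakmp dynamic
"""


def parse_transform_sets(config_text: str) -> Tuple[Dict[str, Tuple[str, str]], List[str]]:
    """Return {tag: (cipher, auth)} plus any transform-set lines with unknown keywords."""
    sets: Dict[str, Tuple[str, str]] = {}
    rejected: List[str] = []
    for line in config_text.splitlines():
        m = TRANSFORM_SET_RE.match(line)
        if not m:
            continue                         # not a transform-set line
        tag, cipher, auth = m.groups()
        if cipher not in CIPHER_KEYWORDS or auth not in AUTH_KEYWORDS:
            rejected.append(line.strip())    # keyword outside the documented syntax
            continue
        sets[tag] = (cipher, auth)
    return sets, rejected


def audit_transform_sets(sets: Dict[str, Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (tag, keyword, reason) for each weak choice, ordered by tag."""
    findings = []
    for tag, (cipher, auth) in sorted(sets.items()):
        if cipher in WEAK_CIPHERS:
            findings.append((tag, cipher, WEAK_CIPHERS[cipher]))
        if auth in WEAK_AUTHS:
            findings.append((tag, auth, WEAK_AUTHS[auth]))
    return findings


if __name__ == "__main__":
    parsed, bad = parse_transform_sets(SAMPLE_CONFIG)
    for tag, keyword, reason in audit_transform_sets(parsed):
        print(f"{tag}: {keyword} ({reason})")
    for line in bad:
        print(f"unrecognised keyword: {line}")
```

Run against the sample, the check reports tag1 twice (esp-null and esp-md5-hmac) and tpsec-tag1 once (esp-md5-hmac); the default set passes.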
crypto map <CRYPTO-MAP-TAG> <1-1000> [ipsec-isakmp {dynamic}|ipsec-manual]
map <CRYPTO-MAP-TAG> Configures the crypto map, a software configuration entity that selects data flows that require security processing. The crypto map also defines the policy for these data flows.
  • <CRYPTO-MAP-TAG> – Specify a name for the crypto map. The name should not exceed 32 characters. For crypto map configuration commands, see crypto-map-ipsec-manual-instance.
<1-1000> Defines the crypto map entry sequence. Each crypto map uses a list of entries, each entry having a specific sequence number. Specifying multiple sequence numbers within the same crypto map provides the flexibility to connect to multiple peers from the same interface. Specify a value from 1 - 1000.
ipsec-isakmp {dynamic} Configures IPSEC w/ISAKMP.
  • dynamic – Optional. Configures dynamic map entry (remote VPN configuration) for XAUTH with mode-config or ipsec-l2tp configuration
ipsec-manual Configures IPSEC w/manual keying. Remote configuration is not allowed for manual crypto map.
crypto pki import crl <TRUSTPOINT-NAME> <URL> <1-168>
pki Configures certificate parameters. The Public Key Infrastructure (PKI) protocol creates encrypted public keys using digital certificates from certificate authorities.
import Imports a trustpoint related configuration
crl <TRUSTPOINT-NAME> Imports a Certificate Revocation List (CRL). Imports a trustpoint including either a private key and server certificate, a certificate authority (CA) certificate, or both.

A CRL is a list of revoked certificates that are no longer valid. A certificate can be revoked if the CA improperly issued it, or if its private key is compromised. The most common reason for revocation is the user no longer being in sole possession of the private key.

  • <TRUSTPOINT-NAME> – Specify the trustpoint name.
<URL> Specify the CRL source address in the following format. Both IPv4 and IPv6 address formats are supported.

tftp://<hostname|IPv4 or IPv6>[:port]/path/file

ftp://<user>:<passwd>@<hostname|IPv4 or IPv6>[:port]/path/file

sftp://<user>:<passwd>@<hostname|IPv4 or IPv6>[:port]/path/file

http://<hostname|IPv4 or IPv6>[:port]/path/file

cf:/path/file

usb<n>:/path/file

<1-168> Sets command replay duration from 1 - 168 hours. This is the interval (in hours) after which devices using this profile copy a CRL file from an external server and associate it with a trustpoint.
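A shape validator for the CRL source formats listed above, useful when the URL is generated by a provisioning script rather than typed by hand. This is an added example, not vendor code: it checks the URL forms only and fetches nothing, the hostnames, addresses and paths in the demonstration are constructed, and it assumes (as the listed formats imply) that only the ftp and sftp forms carry <user>:<passwd>@ credentials and that the cf: and usb<n>: forms carry no host.

```python
"""Shape validator for the CRL source locations listed above.

Added example, not vendor code. Network forms go through urllib's parser;
the cf: and usb<n>: forms are matched directly since they have no host.
"""
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

NETWORK_SCHEMES = {"tftp", "ftp", "sftp", "http"}
CREDENTIAL_SCHEMES = {"ftp", "sftp"}       # the <user>:<passwd>@ forms
LOCAL_RE = re.compile(r"^(cf|usb\d+):(/\S+)$")


def parse_crl_source(url: str) -> dict:
    """Describe a CRL source; raise ValueError if it matches none of the forms."""
    m = LOCAL_RE.match(url)
    if m:
        return {"scheme": m.group(1), "host": None, "host_kind": None,
                "port": None, "path": m.group(2), "credentials": False}
    parts = urlsplit(url)
    if parts.scheme not in NETWORK_SCHEMES:
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    if not parts.hostname or parts.path in ("", "/"):
        raise ValueError("host and /path/file are both required")
    has_credentials = parts.username is not None
    if parts.scheme in CREDENTIAL_SCHEMES and (parts.username is None or parts.password is None):
        raise ValueError(f"{parts.scheme} form requires <user>:<passwd>@")
    if parts.scheme not in CREDENTIAL_SCHEMES and has_credentials:
        raise ValueError(f"{parts.scheme} form does not carry credentials")
    try:
        ip_address(parts.hostname)           # IPv4, or IPv6 given in brackets
        host_kind = "ip"
    except ValueError:
        host_kind = "name"
    return {"scheme": parts.scheme, "host": parts.hostname, "host_kind": host_kind,
            "port": parts.port,               # urlsplit raises ValueError if out of range
            "path": parts.path, "credentials": has_credentials}


def is_valid_crl_source(url: str) -> bool:
    try:
        parse_crl_source(url)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample locations (documentation addresses and names).
    for sample in ("tftp://192.0.2.10/crl/ca.crl",
                   "ftp://crluser:s3cret@[2001:db8::1]:2121/crl/ca.crl",
                   "usb1:/crl/ca.crl",
                   "sftp://crluser@pki.example.test/crl/ca.crl"):
        print(sample, "->", parse_crl_source(sample) if is_valid_crl_source(sample) else "rejected")
```

The credentials flag is the detail worth surfacing in a review: the ftp and sftp forms place a password in the configuration line itself, so a script that emits them should treat that line as a secret.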
crypto plain-text-deny-acl-scope [global|interface]
plain-text-deny-acl-scope Configures plain-text-deny-acl-scope parameters
global Applies the plain text deny ACL globally. This is the default setting.
interface Applies the plain text deny ACL to the interface only
crypto remote-vpn-client
remote-vpn-client Configures remote VPN client settings. For more information, see crypto-remote-vpn-client commands.

Example

nx9500-6C8809(config-profile-default-ap8533)#crypto ipsec transform-set tpsec-tag1 esp-aes-256 esp-md5-hmac
nx9500-6C8809(config-profile-default-ap8533)#crypto map map1 10 ipsec-isakmp dynamic
nx9500-6C8809(config-profile-default-ap8533)#crypto plain-text-deny-acl-scope interface

nx9500-6C8809(config-profile-default-ap8533)#show context
profile ap8533 default-ap8533
  bridge vlan 1
  tunnel-over-level2
  ip igmp snooping
  ip igmp snooping querier
 no autoinstall configuration
 no autoinstall firmware
 device-upgrade persist-images
 crypto ikev1 dpd-retries 1
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev2-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 crypto ipsec transform-set tpsec-tag1 esp-aes-256 esp-md5-hmac
 crypto map map1 10 ipsec-isakmp dynamic
 crypto ikev1 remote-vpn
 crypto ikev2 remote-vpn
 crypto auto-ipsec-secure
 crypto plain-text-deny-acl-scope interface
 interface radio1
 interface radio2
 interface up
nx9500-6C8809(config-profile-default-ap8533)#

nx9500-6C8809(config-profile-default-ap8533)#crypto ipsec transform-set tag1 esp-null esp-md5-hmac

nx9500-6C8809(config-profile-default-ap8533-transform-set-tag1)#?
Crypto Ipsec Configuration commands:
  mode     Encapsulation mode (transport/tunnel)
  no       Negate a command or set its defaults

  clrscr   Clears the display screen
  commit   Commit all changes made in this session
  end      End current mode and change to EXEC mode
  exit     End current mode and down to previous mode
  help     Description of the interactive help system
  revert   Revert changes
  service  Service Commands
  show     Show running system information
  write    Write running configuration to memory or terminal

nx9500-6C8809(config-profile-default-ap8533-transform-set-tag1)#

Related Commands

no Disables or reverts settings to their default