Internet Key Exchange (IKE) Security Protocol Command Directory
This chapter describes the commands for the Internet Key Exchange (IKE) security protocol.
IKE is a standard key management protocol that is used together with the IPSec protocol. IPSec can be used without IKE, but IKE extends IPSec by adding functions, flexibility and a simpler configuration of the IPSec standard.
IKE is a hybrid protocol: it implements the Oakley key exchange and the Skeme key exchange within the framework of the Internet Security Association and Key Management Protocol (ISAKMP). ISAKMP, Oakley and Skeme are the security protocols that IKE implements.
The ISAKMP policy configuration command “authentication (IKE policy)” specifies the authentication method in an IKE policy. An IKE policy defines a set of parameters used during IKE negotiation. The “no” form of the command restores the default authentication method.
authentication {pre-share | rsa-sig | rsa-encr}
no authentication {pre-share | rsa-sig | rsa-encr}
parameter:
pre-share  Use a pre-shared key as the authentication method
rsa-sig    Use RSA signatures as the authentication method
rsa-encr   Use RSA encryption as the authentication method
Default:
Pre-shared key authentication
Command mode:
ISAKMP policy configuration mode
Explanation:
This command specifies the authentication method used in the IKE policy.
If the pre-shared key method is chosen, the pre-shared keys themselves must also be configured (with the command “crypto isakmp key”).
Example:
This example configures an IKE policy that uses a pre-shared key as its authentication method.
router_config# crypto isakmp policy 10
router_config_isakmp# authentication pre-share
router_config_isakmp# exit
router_config#
Relevant command:
crypto isakmp key
crypto isakmp policy
encryption(IKE policy)
group(IKE policy)
hash(IKE policy)
lifetime(IKE policy)
show crypto isakmp policy
The command “clear crypto isakmp” clears active IKE security associations (SAs).
clear crypto isakmp [map map-name | peer ip-address]
parameter:
map map-name     (optional) Clear the IKE SAs of the crypto map named map-name
peer ip-address  (optional) Clear the IKE SAs with the peer at ip-address
Default:
If neither map nor peer is given, all existing IKE SAs are cleared when the command is issued.
Command mode:
Supervisor mode
Explanation:
This command clears the active IKE SAs.
Example:
This example clears the ISAKMP SAs.
Router# show crypto isakmp sa
dst            src            state           state-id  conn
192.2.2.19     192.2.2.199    <I>M_SA_SETUP   1         aaa 100
Router# clear crypto isakmp
Router# exit
Router# show crypto isakmp sa
Router#
Relevant command:
show crypto isakmp sa
The global configuration command “crypto isakmp key” configures a pre-shared authentication key. This key must be configured whenever an IKE policy specifies pre-shared key authentication. The “no” form of the command deletes the pre-shared authentication key.
crypto isakmp key keystring peer-address
no crypto isakmp key keystring peer-address
parameter:
keystring     The pre-shared key: an arbitrary mix of letters, digits and other characters, at most 128 bytes long.
peer-address  The IP address of the remote peer
Default:
No pre-shared authentication key is configured.
Command mode:
global configuration mode
Explanation:
If an IKE policy uses pre-shared key authentication, the pre-shared key must be configured on both peers. Otherwise the policy is not used (it is not offered during the IKE negotiation).
Example:
This example specifies a pre-shared key and identifies the remote peer by its IP address.
crypto isakmp key abcdefghijkl 192.2.2.1
Relevant command:
authentication (IKE policy)
The global configuration command “crypto isakmp policy” defines an IKE policy. An IKE policy defines a set of parameters used during IKE negotiation. The “no” form of the command deletes the IKE policy.
crypto isakmp policy priority
no crypto isakmp policy priority
parameter:
priority  An integer from 1 to 10000 that identifies the priority of the IKE policy; 1 is the highest priority and 10000 the lowest.
Default:
A default policy always exists and always has the lowest priority. In the default policy the encryption, hash, authentication, Diffie-Hellman group and lifetime parameters all have their default values.
If no value is given for a particular parameter when an IKE policy is created, the default value is applied to that parameter.
Command mode:
global configuration mode
Explanation:
This command specifies the parameters to be used during IKE negotiation (these parameters are used to create the IKE SA).
The command also enters ISAKMP policy configuration mode. In ISAKMP policy configuration mode, the following commands set the parameter values of the policy:
- encryption (IKE policy); default = 56-bit DES-CBC
- hash (IKE policy); default = SHA-1
- authentication (IKE policy); default = pre-shared key
- group (IKE policy); default = 768-bit Diffie-Hellman
- lifetime (IKE policy); default = 86400 seconds
If any of these commands is not given for the policy, the default value of that parameter is used.
Multiple IKE policies can be configured on the two IPSec peers. When IKE negotiation starts, it searches for a policy common to both peers, beginning with the highest-priority policy configured on the remote peer.
Example:
The example below configures two ISAKMP policies:
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
lifetime 5000
crypto isakmp policy 20
authentication pre-share
lifetime 10000
The configuration above results in the following policies:
Router# show crypto isakmp policy
Protection suite of priority 10
        encryption algorithm: DES - Data Encryption Standard (56 bit keys).
        hash algorithm: Message Digest 5
        authentication method: Pre-Shared Key
        Diffie-Hellman group: #1 (768 bit)
        lifetime: 5000 seconds
Protection suite of priority 20
        encryption algorithm: DES - Data Encryption Standard (56 bit keys).
        hash algorithm: Secure Hash Standard
        authentication method: Pre-Shared Key
        Diffie-Hellman group: #1 (768 bit)
        lifetime: 10000 seconds
Default protection suite
        encryption algorithm: DES - Data Encryption Standard (56 bit keys).
        hash algorithm: Secure Hash Standard
        authentication method: Pre-Shared Key
        Diffie-Hellman group: #1 (768 bit)
        lifetime: 86400 seconds
Relevant command:
authentication(IKE policy)
encryption(IKE policy)
group(IKE policy)
hash(IKE policy)
lifetime(IKE policy)
show crypto isakmp policy
This debug command displays information about the message exchanges of IKE negotiation.
parameter:
none
Default:
This information is not displayed by default.
Command mode:
Supervisor mode
Explanation:
Important messages related to IKE negotiation are listed in the table below:
Displayed message | Meaning
ISAKMP(xxx): no acceptable Oakley Transform; ISAKMP(xxx):negotiate error NO_PROPOSAL_CHOSEN | The ISAKMP policies configured on the two peers do not match (the remote peer initiated the negotiation).
ISAKMP(xxx): no acceptable Proposal in IPsec SA; ISAKMP(xxx):negotiate error NO_PROPOSAL_CHOSEN | The IPSec policies configured on the two peers do not match (the remote peer initiated the negotiation).
ISAKMP(xxx): ISAKMP: not found matchable policy | The IPSec rules configured on the two peers do not match.
ISAKMP(xxx): dealing with Notify Payload ISAKMP: Notify-Message: NO_PROPOSAL_CHOSEN | The ISAKMP policies configured on the two peers do not match (the local peer initiated the negotiation; first phase).
ISAKMP(xxx): dealing with Notify Payload ISAKMP: Notify-Message: NO_PROPOSAL_CHOSEN | The IPSec policies configured on the two peers do not match, or the configured rules (access-list) do not match (the local peer initiated the negotiation; second phase).
ISAKMP(xxx): negotiate error ATTRIBUTES-NOT-SUPPORTED | The local peer does not support an attribute proposed by the remote peer.
ISAKMP(xxx): dealing with Notify Payload ISAKMP:Notify-Message: ATTRIBUTES-NOT-SUPPORTED | The remote peer does not support an attribute proposed by the local peer.
Relevant command:
show crypto ipsec sa
show crypto isakmp sa
debug crypto packet
The ISAKMP policy configuration command “encryption (IKE policy)” specifies the encryption algorithm in an IKE policy. An IKE policy defines a set of parameters used during IKE negotiation. The “no” form of the command restores the default encryption algorithm.
encryption {des | 3des}
no encryption {des | 3des}
parameter:
des   Use DES as the encryption algorithm
3des  Use 3DES as the encryption algorithm
Default:
DES encryption algorithm
Command mode:
ISAKMP policy configuration mode
Explanation:
This command specifies the encryption algorithm used in the IKE policy.
Example:
This example sets the encryption algorithm of the IKE policy to DES (all other parameters keep their default values).
router_config# crypto isakmp policy 10
router_config_isakmp# encryption des
router_config_isakmp# exit
router_config#
Relevant command:
authentication(IKE policy)
crypto isakmp policy
group(IKE policy)
hash(IKE policy)
lifetime(IKE policy)
show crypto isakmp policy
The ISAKMP policy configuration command “group (IKE policy)” specifies the Diffie-Hellman group in an IKE policy. An IKE policy defines a set of parameters used during IKE negotiation. The “no” form of the command restores the default Diffie-Hellman group.
group {1 | 2}
no group {1 | 2}
parameter:
1  Use the 768-bit Diffie-Hellman group
2  Use the 1024-bit Diffie-Hellman group
Default:
768-bit Diffie-Hellman group (group 1)
Command mode:
ISAKMP policy configuration mode
Explanation:
This command specifies the Diffie-Hellman group used in the IKE policy.
Example:
This example sets the IKE policy to the 1024-bit Diffie-Hellman group (all other parameters keep their default values).
router_config# crypto isakmp policy 10
router_config_isakmp# group 2
router_config_isakmp# exit
router_config#
Relevant command:
authentication(IKE policy)
crypto isakmp policy
encryption(IKE policy)
hash(IKE policy)
lifetime(IKE policy)
show crypto isakmp policy
The ISAKMP policy configuration command “hash (IKE policy)” specifies the hash algorithm in an IKE policy. An IKE policy defines a set of parameters used during IKE negotiation. The “no” form of the command restores the default hash algorithm, SHA-1.
hash {sha | md5}
no hash {sha | md5}
parameter:
sha  Use SHA-1 (HMAC variant) as the hash algorithm
md5  Use MD5 (HMAC variant) as the hash algorithm
Default:
SHA-1 hash algorithm
Command mode:
ISAKMP policy configuration mode
Explanation:
This command specifies the hash algorithm used in the IKE policy.
Example:
This example sets the IKE policy to use the MD5 hash algorithm (all other parameters keep their default values):
router_config# crypto isakmp policy 10
router_config_isakmp# hash md5
router_config_isakmp# exit
router_config#
Relevant command:
authentication(IKE policy)
crypto isakmp policy
encryption(IKE policy)
group(IKE policy)
lifetime(IKE policy)
show crypto isakmp policy
The ISAKMP policy configuration command “lifetime (IKE policy)” sets the lifetime of the IKE SA. The “no” form of the command restores the default SA lifetime.
lifetime seconds
no lifetime seconds
parameter:
seconds  The number of seconds the IKE SA remains valid before it expires.
Default:
86400 seconds
Command mode:
Configuration mode of ISAKMP policy
Explanation:
This command specifies how long an IKE SA exists before it expires.
When IKE begins a negotiation, the two sides first agree on the security parameters for their session; the agreed parameters are referred to as the SA. The IKE SA is retained until its lifetime expires. Before the IKE SA expires it can be reused by subsequent IKE negotiations, which saves the time needed to set up new IPSec SAs. A new IKE SA is negotiated before the existing IKE SA expires. To save IPSec setup time, configure a relatively long IKE SA lifetime; the shorter the configured lifetime, the more secure the IKE negotiation.
Note: When the local peer initiates IKE negotiation with the remote peer, a policy can be chosen only if the lifetime of the remote peer's policy is shorter than or equal to that of the local peer's policy. If the lifetimes differ, the shorter one is used.
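To make the policy search described under “crypto isakmp policy” and the lifetime rule in the note above concrete, here is an added Python example that is not part of the manual or the router software: it simulates how a common policy is found from the local and remote policy lists. The policy values are constructed sample data; the scan order and the lifetime rule follow the text.

```python
# Added example, not from the manual: simulate the IKE policy match the
# text describes. Policy values below are constructed sample data; the rule
# applied is the documented one (same encryption, hash, authentication and
# DH group on both sides; the responder's lifetime must not exceed the
# initiator's; the shorter lifetime is used), scanning from the remote
# peer's highest-priority policy.
from dataclasses import dataclass

# Default values of an IKE policy, as listed under "crypto isakmp policy".
DEFAULTS = dict(encryption="des", hash_alg="sha", authentication="pre-share",
                group=1, lifetime=86400)

@dataclass(frozen=True)
class IkePolicy:
    priority: int                      # 1 = highest, 10000 = lowest
    encryption: str = DEFAULTS["encryption"]
    hash_alg: str = DEFAULTS["hash_alg"]
    authentication: str = DEFAULTS["authentication"]
    group: int = DEFAULTS["group"]
    lifetime: int = DEFAULTS["lifetime"]

    def suite(self):
        # The attributes that must be identical on both peers.
        return (self.encryption, self.hash_alg, self.authentication, self.group)

def negotiate(local, remote):
    """Return (local_policy, remote_policy, agreed_lifetime), or None.

    `local` is the initiator, `remote` the responder. Both lists are walked
    in priority order (lowest number first); a pair matches when the suites
    are equal and the remote lifetime is <= the local lifetime.
    """
    for rp in sorted(remote, key=lambda p: p.priority):
        for lp in sorted(local, key=lambda p: p.priority):
            if lp.suite() == rp.suite() and rp.lifetime <= lp.lifetime:
                return lp, rp, min(lp.lifetime, rp.lifetime)
    return None

# Constructed sample: the local peer has the manual's two policies (priority
# 10: md5, group 2, 5000 s; priority 20: defaults, 10000 s); the remote peer
# only has a default-valued policy with a 3600 s lifetime.
LOCAL = [IkePolicy(10, hash_alg="md5", group=2, lifetime=5000),
         IkePolicy(20, lifetime=10000)]
REMOTE = [IkePolicy(10, lifetime=3600)]

if __name__ == "__main__":
    print(negotiate(LOCAL, REMOTE))
```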
Example:
This example sets the security association lifetime of the IKE policy to 600 seconds (all other parameters keep their default values).
router_config# crypto isakmp policy 10
router_config_isakmp# lifetime 600
router_config_isakmp# exit
router_config#
Relevant command:
authentication(IKE policy)
crypto isakmp policy
encryption(IKE policy)
group(IKE policy)
hash(IKE policy)
show crypto isakmp policy
The command “show crypto isakmp policy” displays the parameters of each IKE policy.
show crypto isakmp policy
parameter:
none
Command mode:
Supervisor mode
Explanation:
Example:
The following is the output of “show crypto isakmp policy” after two IKE policies (priority 10 and priority 20) have been configured:
router# show crypto isakmp policy
Protection suite of priority 10
        encryption algorithm: DES - Data Encryption Standard (56 bit keys).
        hash algorithm: Message Digest 5
        authentication method: Pre-Shared Key
        Diffie-Hellman group: #1 (768 bit)
        lifetime: 5000 seconds
Protection suite of priority 20
        encryption algorithm: 3DES - Triple Data Encryption Standard.
        hash algorithm: Secure Hash Standard
        authentication method: Pre-Shared Key
        Diffie-Hellman group: #2 (1024 bit)
        lifetime: 10000 seconds
Default protection suite
        encryption algorithm: DES - Data Encryption Standard (56 bit keys).
        hash algorithm: Secure Hash Standard
        authentication method: Pre-Shared Key
        Diffie-Hellman group: #1 (768 bit)
        lifetime: 86400 seconds
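As an added example that is not part of the manual, the following Python script parses output in the format shown above and reports, per protection suite, which settings use the weakest values the manual documents (56-bit DES, MD5, 768-bit group 1), which is a quick way to audit a device whose default protection suite is left in place. The sample output is constructed to mirror the example above.

```python
# Added example, not from the manual: parse "show crypto isakmp policy"
# output and flag the weakest documented settings per protection suite.
import re

# Constructed sample output, mirroring the manual's example.
SAMPLE = """\
Protection suite of priority 10
        encryption algorithm: DES - Data Encryption Standard (56 bit keys).
        hash algorithm: Message Digest 5
        authentication method: Pre-Shared Key
        Diffie-Hellman group: #1 (768 bit)
        lifetime: 5000 seconds
Protection suite of priority 20
        encryption algorithm: 3DES - Triple Data Encryption Standard.
        hash algorithm: Secure Hash Standard
        authentication method: Pre-Shared Key
        Diffie-Hellman group: #2 (1024 bit)
        lifetime: 10000 seconds
Default protection suite
        encryption algorithm: DES - Data Encryption Standard (56 bit keys).
        hash algorithm: Secure Hash Standard
        authentication method: Pre-Shared Key
        Diffie-Hellman group: #1 (768 bit)
        lifetime: 86400 seconds
"""

def parse_policies(text):
    """Return {suite_name: {field: value}} for each protection suite."""
    suites, current = {}, None
    for line in text.splitlines():
        m = re.match(r"(Protection suite of priority \d+|Default protection suite)", line)
        if m:
            current = suites.setdefault(m.group(1), {})
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return suites

def weak_settings(suite):
    """List the settings of one suite that a reviewer would flag."""
    findings = []
    if suite.get("encryption algorithm", "").startswith("DES "):
        findings.append("56-bit DES encryption")
    if suite.get("hash algorithm") == "Message Digest 5":
        findings.append("MD5 hash")
    if suite.get("Diffie-Hellman group", "").startswith("#1 "):
        findings.append("768-bit Diffie-Hellman group 1")
    return findings

def audit(text):
    """Map each suite name in the output to its list of flagged settings."""
    return {name: weak_settings(s) for name, s in parse_policies(text).items()}
```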
Relevant command:
authentication(IKE policy)
crypto isakmp policy
encryption(IKE policy)
group(IKE policy)
hash(IKE policy)
lifetime(IKE policy)
The command “show crypto isakmp sa” displays all current IKE SAs.
show crypto isakmp sa
parameter:
none
Command mode:
Supervisor mode
Explanation:
The following is example output of “show crypto isakmp sa” after two peers have successfully completed IKE negotiation.
MyPeerRouter# show crypto isakmp sa
dst            src            state           state-id  conn
192.2.2.19     192.2.2.199    <I>Q_SA_SETUP   2         aaa 100
192.2.2.19     192.2.2.199    <I>M_SA_SETUP   1         aaa 100
The table below lists the possible states in the output of “show crypto isakmp sa”. When an ISAKMP SA exists, it is in the quiescent state (Q_SA_SETUP) most of the time.
States in the main mode exchange
State | Explanation
M_NO_STATE | The phase is in its initial stage and no state exists.
M_SA_EXCH | The peer has formed the parameters of the ISAKMP SA.
M_KEY_EXCH | The peer has exchanged Diffie-Hellman public keys and generated the shared secret. The ISAKMP SA is not yet authenticated.
M_SA_SETUP | The ISAKMP SA has been authenticated. The quick mode exchange begins.
States in the quick mode exchange
State | Explanation
Q_IDLE_1 | Quick mode state 1
Q_IDLE_2 | Quick mode state 2
Q_SA_SETUP | IPSec SA negotiation succeeded.
Relevant command:
crypto isakmp policy
lifetime(IKE policy)