Internet Key Exchange (IKE) Security Protocol Command Directory

authentication (IKE policy)

clear crypto isakmp

crypto isakmp key

crypto isakmp policy

debug crypto isakmp

encryption (IKE policy)

group (IKE policy)

hash (IKE policy)

lifetime (IKE policy)

show crypto isakmp policy

show crypto isakmp sa

 

This chapter describes the commands for the Internet Key Exchange (IKE) security protocol.

IKE is a standard key management protocol and is used together with the IPSec protocol.

IPSec can be used without IKE. However, IKE enhances IPSec by providing additional features, flexibility, and simpler configuration of the IPSec standard.

IKE is a hybrid protocol: it implements the Oakley key exchange and the SKEME key exchange within the framework of the Internet Security Association and Key Management Protocol (ISAKMP). (ISAKMP, Oakley and SKEME are the security protocols implemented by IKE.)

 

authentication(IKE policy)

The ISAKMP policy configuration command “authentication (IKE policy)” specifies the authentication method in an IKE policy. An IKE policy defines a set of parameters used during IKE negotiation. The “no” form of the command restores the default authentication method.

authentication {pre-share | rsa-sig | rsa-encr}

no authentication {pre-share | rsa-sig | rsa-encr}

parameter:

pre-share   Specifies pre-shared keys as the authentication method

rsa-sig     Specifies RSA signatures as the authentication method

rsa-encr    Specifies RSA encryption as the authentication method

Default:

Pre-shared key authentication

Command mode:

ISAKMP policy configuration mode

Explanation:

This command specifies the authentication method used in the IKE policy.

If pre-shared keys are specified, the pre-shared keys themselves must also be configured (using the command “crypto isakmp key”).

Example:

This example configures an IKE policy that uses pre-shared keys as its authentication method:

router_config#crypto isakmp policy 10

router_config_isakmp# authentication pre-share

router_config_isakmp# exit

router_config#

Relevant command:

crypto isakmp key

crypto isakmp policy

encryption(IKE policy)

group(IKE policy)

hash(IKE policy)

lifetime(IKE policy)

show crypto isakmp policy

clear crypto isakmp

The command “clear crypto isakmp” clears the active IKE security associations (SAs).

clear crypto isakmp [map map-name | peer ip-address]

parameter:

map map-name      (Optional) Clears the IKE SAs of the crypto map named map-name.

peer ip-address   (Optional) Clears the IKE SAs with the peer whose address is ip-address.

Default:

If neither the map nor the peer parameter is given, all existing IKE SAs are cleared when the command is issued.

Command mode:

Supervisor mode

Explanation:

This command clears the active IKE SAs.

Example:

This example clears the ISAKMP SAs:

Router# show crypto isakmp sa

    dst            src           state            state-id       conn

192.2.2.19     192.2.2.199    <I>M_SA_SETUP        1          aaa 100

Router# clear crypto isakmp

Router# exit

Router# show crypto isakmp sa

Router#

Relevant command:

show crypto isakmp sa

crypto isakmp key

The global configuration command “crypto isakmp key” configures a pre-shared authentication key. This key must be configured whenever an IKE policy specifies pre-shared keys as its authentication method. The “no” form of the command deletes the pre-shared authentication key.

crypto isakmp key keystring peer-address

no crypto isakmp key keystring peer-address

parameter:

keystring

Specifies the pre-shared key: any combination of letters, digits and other characters, up to 128 bytes long.

peer-address

Specifies the IP address of the remote peer.

Default:

There is no default pre-shared authentication key.

Command mode:

Global configuration mode

Explanation:

If an IKE policy uses pre-shared keys as its authentication method, the pre-shared key must be configured on both peers. Otherwise the policy cannot be used (it will not be offered during IKE negotiation).

Example:

This example specifies a pre-shared key and identifies the remote peer by its IP address:

crypto isakmp key abcdefghijkl 192.2.2.1

Relevant command:

authentication (IKE policy)

crypto isakmp policy

The global configuration command “crypto isakmp policy” defines an IKE policy. An IKE policy defines a set of parameters used during IKE negotiation. The “no” form of the command deletes the IKE policy.

 

crypto isakmp policy priority

no crypto isakmp policy priority

parameter:

priority      Identifies the priority of the IKE policy as an integer from 1 to 10000, where 1 is the highest priority and 10000 the lowest.

Default:

A default policy always exists and always has the lowest priority. In the default policy, the encryption, hash, authentication, Diffie-Hellman group and lifetime parameters all take their default values.

If a parameter is not set when an IKE policy is created, the default value applies to that parameter.

Command mode:

Global configuration mode

Explanation:

This command specifies the parameters used during IKE negotiation (these parameters are used to create the IKE SA).

The command also enters ISAKMP policy configuration mode. In ISAKMP policy configuration mode, the following commands set the parameter values of the policy:

- encryption (IKE policy); default value = 56-bit DES-CBC

- hash (IKE policy); default value = SHA-1

- authentication (IKE policy); default value = Pre-Shared Key

- group (IKE policy); default value = 768-bit Diffie-Hellman

- lifetime (IKE policy); default value = 86400 seconds

 

If any of these commands is not issued for the policy, the default value of that parameter is used.

Multiple IKE policies can be configured on each of the two IPSec peers. When IKE negotiation begins, it searches for a policy common to both peers, starting from the highest-priority policy configured on the remote peer.

Example:

The example below configures two ISAKMP policies:

crypto isakmp policy 10

hash md5

authentication pre-share

group 2

lifetime 5000

crypto isakmp policy 20

authentication pre-share

lifetime 10000

The above configuration results in the following policies:

Router# show crypto isakmp policy

Protection suite of priority 10

     encryption algorithm:    DES  - Data Encryption Standard (56 bit keys).

     hash algorithm:          Message Digest 5

     authentication method:   Pre-Shared Key

     Diffie-Hellman group:    #1 (768 bit)

     lifetime:                5000 seconds

Protection suite of priority 20

     encryption algorithm:    DES  - Data Encryption Standard (56 bit keys).

     hash algorithm:          Secure Hash Standard

     authentication method:   Pre-Shared Key

     Diffie-Hellman group:    #1 (768 bit)

     lifetime:                10000 seconds

Default protection suite

     encryption algorithm:    DES  - Data Encryption Standard (56 bit keys).

     hash algorithm:          Secure Hash Standard

     authentication method:   Pre-Shared Key

     Diffie-Hellman group:    #1 (768 bit)

     lifetime:                86400 seconds

Relevant command:

authentication(IKE policy)

encryption(IKE policy)

group(IKE policy)

hash(IKE policy)

lifetime(IKE policy)

show crypto isakmp policy

 

debug crypto isakmp

Displays information about the message exchanges processed during IKE negotiation.

parameter:

none

Default:

 

By default, this information is not displayed.

Command mode:

Supervisor mode

Explanation:

Important messages related to IKE negotiation are listed in the table below:

Displayed message / Meaning

Message:
  ISAKMP(xxx): no acceptable Oakley Transform
  ISAKMP(xxx):negotiate error NO_PROPOSAL_CHOSEN
Meaning:
  The ISAKMP policies configured on the two peers do not match (the remote peer initiated the negotiation).

Message:
  ISAKMP(xxx): no acceptable Proposal in IPsec SA
  ISAKMP(xxx):negotiate error NO_PROPOSAL_CHOSEN
Meaning:
  The IPSec policies configured on the two peers do not match (the remote peer initiated the negotiation).

Message:
  ISAKMP(xxx): ISAKMP: not found matchable policy
Meaning:
  The IPSec rules configured on the two peers do not match.

Message:
  ISAKMP(xxx): dealing with Notify Payload
  ISAKMP:     Notify-Message: NO_PROPOSAL_CHOSEN
Meaning:
  The ISAKMP policies configured on the two peers do not match (the local peer initiated the negotiation; first phase).

Message:
  ISAKMP(xxx): dealing with Notify Payload
  ISAKMP:     Notify-Message: NO_PROPOSAL_CHOSEN
Meaning:
  The IPSec policies configured on the two peers do not match, or the configured rules (access lists) do not match (the local peer initiated the negotiation; second phase).

Message:
  ISAKMP(xxx): negotiate error ATTRIBUTES-NOT-SUPPORTED
Meaning:
  The local peer does not support the attribute proposed by the remote peer.

Message:
  ISAKMP(xxx): dealing with Notify Payload
  ISAKMP:Notify-Message: ATTRIBUTES-NOT-SUPPORTED
Meaning:
  The remote peer does not support the attribute proposed by the local peer.
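The table above is easier to apply at scale as a small classifier. The following is an added example, not part of this manual or the router software: it reads “debug crypto isakmp” output, pairs each “dealing with Notify Payload” line with the “Notify-Message:” line that follows it, reads the ISAKMP(xxx) connection id, and maps each message form to the meaning the table gives it (which side initiated, and which phase, where the table states it). The sample log is constructed from the message forms in the table; the function names are the example's own.

```python
"""Classify "debug crypto isakmp" messages using the table in this chapter (added example)."""
import re

CONN_ID = re.compile(r"^ISAKMP\((\d+)\)")

# Constructed sample: one occurrence of each message form listed in the table.
SAMPLE_DEBUG = """\
ISAKMP(12): no acceptable Oakley Transform
ISAKMP(12):negotiate error NO_PROPOSAL_CHOSEN
ISAKMP(13): dealing with Notify Payload
ISAKMP:     Notify-Message: ATTRIBUTES-NOT-SUPPORTED
ISAKMP(14): ISAKMP: not found matchable policy
ISAKMP(15): no acceptable Proposal in IPsec SA
ISAKMP(15):negotiate error NO_PROPOSAL_CHOSEN
ISAKMP(16): dealing with Notify Payload
ISAKMP:     Notify-Message: NO_PROPOSAL_CHOSEN
ISAKMP(17): negotiate error ATTRIBUTES-NOT-SUPPORTED
"""


def _finding(conn, phase, initiator, cause):
    return {"conn": conn, "phase": phase, "initiator": initiator, "cause": cause}


def classify_isakmp_debug(text):
    """Return one finding per failure reported in the debug text, in log order."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    findings = []
    i = 0
    while i < len(lines):
        line = lines[i]
        m = CONN_ID.match(line)
        conn = int(m.group(1)) if m else None
        if "no acceptable Oakley Transform" in line:
            # The "negotiate error NO_PROPOSAL_CHOSEN" line that follows belongs to the same event.
            findings.append(_finding(conn, 1, "remote", "ISAKMP policies on the two peers do not match"))
        elif "no acceptable Proposal in IPsec SA" in line:
            findings.append(_finding(conn, 2, "remote", "IPSec policies on the two peers do not match"))
        elif "not found matchable policy" in line:
            findings.append(_finding(conn, None, None, "IPSec rules on the two peers do not match"))
        elif "negotiate error ATTRIBUTES-NOT-SUPPORTED" in line:
            findings.append(_finding(conn, None, None,
                                     "local peer does not support an attribute proposed by the remote peer"))
        elif "dealing with Notify Payload" in line and i + 1 < len(lines) and "Notify-Message:" in lines[i + 1]:
            notify = lines[i + 1].split("Notify-Message:", 1)[1].strip()
            if notify == "NO_PROPOSAL_CHOSEN":
                # The table lists this pair for both phases; the two lines alone do not say which.
                findings.append(_finding(conn, "1 or 2", "local",
                                         "remote peer rejected our proposal: ISAKMP policies (phase 1) "
                                         "or IPSec policies / access lists (phase 2) do not match"))
            elif notify == "ATTRIBUTES-NOT-SUPPORTED":
                findings.append(_finding(conn, None, "local",
                                         "remote peer does not support an attribute we proposed"))
            i += 1  # consume the Notify-Message line
        i += 1
    return findings


def count_by_initiator(findings):
    """Quick triage: failures on negotiations we started vs. ones the peer started."""
    counts = {"local": 0, "remote": 0, None: 0}
    for f in findings:
        counts[f["initiator"]] += 1
    return counts


if __name__ == "__main__":
    for f in classify_isakmp_debug(SAMPLE_DEBUG):
        print(f)
    print(count_by_initiator(classify_isakmp_debug(SAMPLE_DEBUG)))
```

The classifier deliberately reports “1 or 2” for the Notify Payload / NO_PROPOSAL_CHOSEN pair, because the manual assigns that same pair to both phases; which phase failed has to be read from the surrounding debug context.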

Relevant command:

show crypto ipsec sa

show crypto isakmp sa

debug crypto packet

encryption(IKE policy)

The ISAKMP policy configuration command “encryption (IKE policy)” specifies the encryption algorithm in an IKE policy. An IKE policy defines a set of parameters used during IKE negotiation. The “no” form of the command restores the default encryption algorithm.

encryption {des|3des}

no encryption {des|3des}

parameter:

des     Specifies DES as the encryption algorithm

3des    Specifies 3DES (Triple DES) as the encryption algorithm

Default:

DES encryption algorithm

Command mode:

ISAKMP policy configuration mode

Explanation:

This command specifies the encryption algorithm used in the IKE policy.

Example:

This example configures the IKE policy to use the DES encryption algorithm (all other parameters keep their default values):

router_config# crypto isakmp policy 10

router_config_isakmp# encryption des

router_config_isakmp# exit

router_config#

Relevant command:

authentication(IKE policy)

crypto isakmp policy

group(IKE policy)

hash(IKE policy)

lifetime(IKE policy)

show crypto isakmp policy

group(IKE policy)

The ISAKMP policy configuration command “group (IKE policy)” specifies the Diffie-Hellman group in an IKE policy. An IKE policy defines a set of parameters used during IKE negotiation. The “no” form of the command restores the default Diffie-Hellman group.

group {1|2}

no group {1|2}

parameter:

1      Specifies the 768-bit Diffie-Hellman group

2      Specifies the 1024-bit Diffie-Hellman group

Default:

768-bit Diffie-Hellman group (group 1)

Command mode:

ISAKMP policy configuration mode

Explanation:

This command specifies the Diffie-Hellman group used in the IKE policy.

Example:

This example configures the IKE policy to use the 1024-bit Diffie-Hellman group (all other parameters keep their default values):

router_config# crypto isakmp policy 10

router_config_isakmp# group 2

router_config_isakmp# exit

router_config#

Relevant command:

authentication(IKE policy)

crypto isakmp policy

encryption(IKE policy)

hash(IKE policy)

lifetime(IKE policy)

show crypto isakmp policy

hash(IKE policy)

The ISAKMP policy configuration command “hash (IKE policy)” specifies the hash algorithm in an IKE policy. An IKE policy defines a set of parameters used during IKE negotiation. The “no” form of the command restores the default SHA-1 hash algorithm.

hash {sha|md5}

no hash {sha|md5}

parameter:

sha    Specifies SHA-1 (HMAC variant) as the hash algorithm

md5    Specifies MD5 (HMAC variant) as the hash algorithm

Default:

SHA-1 hash algorithm 

Command mode:

ISAKMP policy configuration mode

Explanation:

This command specifies the hash algorithm used in the IKE policy.

Example:

This example configures the IKE policy to use the MD5 hash algorithm (all other parameters keep their default values):

router_config# crypto isakmp policy 10

router_config_isakmp# hash md5

router_config_isakmp# exit

router_config#

Relevant command:

authentication(IKE policy)

crypto isakmp policy

encryption(IKE policy)

group(IKE policy)

lifetime(IKE policy)

show crypto isakmp policy

lifetime(IKE policy)

The ISAKMP policy configuration command “lifetime (IKE policy)” specifies the lifetime of an IKE SA. The “no” form of the command restores the default SA lifetime.

lifetime seconds

no lifetime seconds

parameter:

seconds   Specifies the number of seconds an IKE SA remains valid before it expires.

Default:

86400 seconds

Command mode:

ISAKMP policy configuration mode

Explanation:

This command specifies how long an IKE SA exists before it expires.

When IKE begins negotiation, the two peers first agree on the security parameters for their session. These agreed parameters are referred to as the SA. The IKE SA is retained until its lifetime expires. Before the IKE SA expires, it can be reused by subsequent IKE negotiations, which saves the time needed to set up new IPSec SAs. A new IKE SA is negotiated before the current IKE SA expires. To save IPSec setup time, configure a relatively long IKE SA lifetime. The shorter the configured lifetime, the more secure the IKE negotiation.

Note: When the local peer initiates IKE negotiation with the remote peer, a policy can be chosen only if the lifetime of the remote peer's policy is shorter than or equal to the lifetime of the local peer's policy.

If the lifetimes differ, the shorter one is used.
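The policy-selection rules spread across this chapter (a pre-shared-key policy is only offered when a key is configured, from “crypto isakmp key”; the always-present lowest-priority default suite and the search order, from “crypto isakmp policy”; and the lifetime comparison in the note above) can be put together into one model. The following is an added example, not the router's code: a Python model that negotiates between two peers' policy lists under exactly those rules and reports which pair of policies was chosen and whether only the built-in default suites matched. All policy values, the DEFAULT_PRIORITY marker and the function names are this example's own assumptions.

```python
"""Model of IKE policy selection as this chapter describes it (added example, not router code)."""
from dataclasses import dataclass, asdict
from typing import Optional

# Constructed marker for the default suite: one step below the lowest configurable priority (10000).
DEFAULT_PRIORITY = 10001


@dataclass(frozen=True)
class IkePolicy:
    """One "crypto isakmp policy" entry; the field defaults are the chapter's default values."""
    priority: int
    encryption: str = "des"            # encryption (IKE policy): des | 3des
    hash: str = "sha"                  # hash (IKE policy): sha | md5
    authentication: str = "pre-share"  # authentication (IKE policy)
    group: int = 1                     # group (IKE policy): 1 (768-bit) | 2 (1024-bit)
    lifetime: int = 86400              # lifetime (IKE policy), in seconds


DEFAULT_SUITE = IkePolicy(priority=DEFAULT_PRIORITY)


def proposal_order(policies, psk_configured=True):
    """A peer's policies from highest to lowest priority, with the default suite last.
    Pre-shared-key policies (the default suite included) are dropped when no pre-shared
    key is configured, because the chapter says such a policy is then not offered."""
    ordered = sorted(policies, key=lambda p: p.priority) + [DEFAULT_SUITE]
    return [p for p in ordered if psk_configured or p.authentication != "pre-share"]


def compatible(local, remote):
    """All parameters must be identical and the remote lifetime must not exceed the local one."""
    return (local.encryption == remote.encryption
            and local.hash == remote.hash
            and local.authentication == remote.authentication
            and local.group == remote.group
            and remote.lifetime <= local.lifetime)


def negotiate(local_policies, remote_policies, local_psk=True, remote_psk=True) -> Optional[dict]:
    """Local peer initiates. Walk the remote policies from highest priority and take the first
    compatible local policy for each. Returns the agreed suite, or None, which is the situation
    behind the NO_PROPOSAL_CHOSEN message of "debug crypto isakmp"."""
    for remote in proposal_order(remote_policies, remote_psk):
        for local in proposal_order(local_policies, local_psk):
            if compatible(local, remote):
                agreed = asdict(local)
                agreed.pop("priority")
                agreed["lifetime"] = min(local.lifetime, remote.lifetime)  # the shorter lifetime wins
                agreed["local_priority"] = local.priority
                agreed["remote_priority"] = remote.priority
                # True when only the two built-in default suites matched: a mismatch in the
                # configured policies silently lands on the DES / 768-bit default.
                agreed["fell_back_to_default"] = (local.priority == DEFAULT_PRIORITY
                                                  and remote.priority == DEFAULT_PRIORITY)
                return agreed
    return None


def weak_suite(agreed) -> bool:
    """Flag a negotiated suite that uses single DES or the 768-bit Diffie-Hellman group."""
    return agreed is not None and (agreed["encryption"] == "des" or agreed["group"] == 1)


if __name__ == "__main__":
    # Constructed policies: the chapter's two example policies on the local peer, two others remote.
    local = [IkePolicy(10, hash="md5", group=2, lifetime=5000), IkePolicy(20, lifetime=10000)]
    remote = [IkePolicy(5, encryption="3des"), IkePolicy(15, lifetime=8000)]
    print(negotiate(local, remote))                   # local 20 / remote 15, lifetime 8000
    print(negotiate(local, remote, local_psk=False))  # None: no key configured, nothing to offer
```

Two behaviours of the model are worth checking on a real deployment: because both peers always carry the default suite, two routers whose configured policies disagree will still negotiate, just on the default DES / group 1 parameters (fell_back_to_default is True), and a policy whose pre-shared key was never configured with “crypto isakmp key” is simply never offered.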

Example:

This example configures the IKE SA lifetime of the IKE policy as 600 seconds (all other parameters keep their default values):

router_config# crypto isakmp policy 10

router_config_isakmp# lifetime 600

router_config_isakmp# exit

router_config#

Relevant command:

authentication(IKE policy)

crypto isakmp policy

encryption(IKE policy)

group(IKE policy)

hash(IKE policy)

show crypto isakmp policy

show crypto isakmp policy

The command “show crypto isakmp policy” displays the parameters of each IKE policy.

show crypto isakmp policy

parameter:

none

Command mode:

Supervisor mode

Explanation:

Example:

The following is the output of the command “show crypto isakmp policy” after two IKE policies have been configured (priority 10 and priority 20 respectively):

router# show crypto isakmp policy

Protection suite of priority 10

     encryption algorithm:    DES  - Data Encryption Standard (56 bit keys).

     hash algorithm:          Message Digest 5

     authentication method:   Pre-Shared Key

     Diffie-Hellman group:    #1 (768 bit)

     lifetime:                5000 seconds

Protection suite of priority 20

     encryption algorithm:    3DES - Triple Data Encryption Standard.

     hash algorithm:          Secure Hash Standard

     authentication method:   Pre-Shared Key

     Diffie-Hellman group:    #2 (1024 bit)

     lifetime:                10000 seconds

Default protection suite

     encryption algorithm:    DES  - Data Encryption Standard (56 bit keys).

     hash algorithm:          Secure Hash Standard

     authentication method:   Pre-Shared Key

     Diffie-Hellman group:    #1 (768 bit)

     lifetime:                86400 seconds

Relevant command:

authentication(IKE policy)

crypto isakmp policy

encryption(IKE policy)

group(IKE policy)

hash(IKE policy)

lifetime(IKE policy)

show crypto isakmp sa

The command “show crypto isakmp sa” displays all current IKE SAs.

show crypto isakmp sa

parameter:

none

Command mode:

Supervisor mode

Explanation:

The following is sample output of the command “show crypto isakmp sa” after two peers have successfully completed IKE negotiation:

MyPeerRouter# show crypto isakmp sa

    dst            src           state            state-id       conn

192.2.2.19     192.2.2.199    <I>Q_SA_SETUP        2          aaa 100

192.2.2.19     192.2.2.199    <I>M_SA_SETUP        1          aaa 100

The tables below list the possible states shown in the output of the command “show crypto isakmp sa”. Once an ISAKMP SA exists, it is in the quiescent state (Q_SA_SETUP) most of the time.


States in the main mode exchange

State          Explanation

M_NO_STATE     The initial stage; no state exists yet.

M_SA_EXCH      The peers have agreed on the parameters of the ISAKMP SA.

M_KEY_EXCH     The peers have exchanged Diffie-Hellman public values and generated the shared secret. The ISAKMP SA is not yet authenticated.

M_SA_SETUP     The ISAKMP SA has been authenticated. The quick mode exchange begins.

States in the quick mode exchange

State          Explanation

Q_IDLE_1       Quick mode state 1

Q_IDLE_2       Quick mode state 2

Q_SA_SETUP     IPSec SA negotiation has succeeded.
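When checking many tunnels, the two state tables are more useful as a parser that reads “show crypto isakmp sa” output and reports, per peer pair, whether IPSec protection is actually up. The following is an added example, not part of this manual or the router software. It splits each row into the dst, src, state, state-id and conn columns shown above, strips the “<I>” prefix seen in the sample output into a raw flag (the manual does not define that prefix, so the example only records it), and summarises the states per (dst, src) pair. The first two sample rows are the manual's; the third row and the 10.0.0.x addresses are constructed to show an SA stuck before authentication.

```python
"""Parse "show crypto isakmp sa" output and rate each peer pair (added example, not router code)."""

# Meanings taken from the two state tables in this chapter.
MAIN_MODE = {
    "M_NO_STATE": "initial stage, no state yet",
    "M_SA_EXCH": "ISAKMP SA parameters agreed",
    "M_KEY_EXCH": "Diffie-Hellman done, shared secret derived, ISAKMP SA not yet authenticated",
    "M_SA_SETUP": "ISAKMP SA authenticated; quick mode may begin",
}
QUICK_MODE = {
    "Q_IDLE_1": "quick mode state 1",
    "Q_IDLE_2": "quick mode state 2",
    "Q_SA_SETUP": "IPSec SA negotiation succeeded",
}
UNAUTHENTICATED = {"M_NO_STATE", "M_SA_EXCH", "M_KEY_EXCH"}

# Constructed sample: the manual's two rows plus one constructed row stuck in M_KEY_EXCH.
SAMPLE_OUTPUT = """\
    dst            src           state            state-id       conn
192.2.2.19     192.2.2.199    <I>Q_SA_SETUP        2          aaa 100
192.2.2.19     192.2.2.199    <I>M_SA_SETUP        1          aaa 100
10.0.0.1       10.0.0.2       M_KEY_EXCH           3          bbb 200
"""


def parse_isakmp_sa(text):
    """Return one dict per SA row; the header row and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] == "dst":
            continue
        dst, src, state, state_id = parts[:4]
        flagged = state.startswith("<I>")   # raw "<I>" marker, kept but not interpreted
        if flagged:
            state = state[3:]
        rows.append({
            "dst": dst, "src": src, "state": state, "state_id": int(state_id),
            "conn": " ".join(parts[4:]),    # the conn column may contain spaces ("aaa 100")
            "flag_i": flagged,
        })
    return rows


def describe(state):
    """Map a state name to (exchange, explanation) using the chapter's tables."""
    if state in MAIN_MODE:
        return ("main", MAIN_MODE[state])
    if state in QUICK_MODE:
        return ("quick", QUICK_MODE[state])
    return ("unknown", "state not listed in this chapter")


def summarize(rows):
    """Per (dst, src) pair: 'ipsec-up' if an IPSec SA exists, 'isakmp-authenticated' if only the
    phase 1 SA is complete, 'isakmp-unauthenticated' if phase 1 never finished, else 'unknown'."""
    states_by_pair = {}
    for r in rows:
        states_by_pair.setdefault((r["dst"], r["src"]), set()).add(r["state"])
    result = {}
    for pair, states in states_by_pair.items():
        if "Q_SA_SETUP" in states:
            result[pair] = "ipsec-up"
        elif "M_SA_SETUP" in states:
            result[pair] = "isakmp-authenticated"
        elif states & UNAUTHENTICATED:
            result[pair] = "isakmp-unauthenticated"
        else:
            result[pair] = "unknown"
    return result


if __name__ == "__main__":
    rows = parse_isakmp_sa(SAMPLE_OUTPUT)
    for r in rows:
        print(r["dst"], r["src"], r["state"], describe(r["state"]))
    print(summarize(rows))
```

A pair that stays in “isakmp-unauthenticated” for long is the case to look at first: per the main mode table the Diffie-Hellman exchange completed but the ISAKMP SA was never authenticated, which points at a pre-shared key or authentication-method mismatch rather than at the IPSec policy.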

 

Relevant command:

crypto isakmp policy

lifetime(IKE policy)