
crypto

crypto—Configure standard IPsec for service VPNs on Cisco IOS XE routers. For a full description of these command options, see the chapters "crypto aaa attribute list through crypto ipsec transform-set" and "crypto isakmp aggressive-mode disable through crypto mib topn".

vManage Feature Template

Configuration ► Templates ► VPN Interface IPsec

Command Hierarchy

crypto
   keyring keyring_name
      pre-shared-key key_string
   isakmp
      aggressive-mode disable
      keepalive 60-86400 2-60 {on-demand | periodic}
      policy policy_num
         encryption {AES128-CBC-SHA1 | AES256-CBC-SHA1}
         hash {md5 | sha | sha256 | sha384 | sha512}
         authentication {remote | local} preshare
         group {20 | 16 | 19 | 14 | 21}
         lifetime 60-86400
      profile ikev1_profile_name
         match identity address ip_address [mask]
         keyring keyring_name
      profile ipsec_profile_name
         set transform-set transform_set_name
         set isakmp-profile ikev1_profile_name
         set security-association
            lifetime {kilobytes disable | seconds 120-2592000}
            replay {disable | window-size {64 | 128 | 256 | 512 | 1024}}
         set pfs {group{14 | 16 | 19 | 20 | 21}}
   ikev2
      proposal proposal_name
         encryption {3des | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des}
         integrity {sha256 | sha384 | sha512}
         group {20 | 16 | 19 | 14 | 21}
      policy policy_name
      keyring ikev2_keyring_name
         peer peer_name
         address tunnel_dest_ip [mask]
         pre-shared-key key_string
      profile ikev2_profile_name
         authentication {remote | local} pre-share
         keyring local ikev2_keyring_name
         lifetime 120-86400
         dpd 10-3600 2-60 {on-demand | periodic}
         match identity remote address tunnel_dest_ip_address
   ipsec
      profile ipsec_profile_name
         set ikev2-profile ikev2_profile_name
         set pfs group{14 | 16 | 19 | 20 | 21}
         set transform-set transform_set_name
         set security-association
            lifetime {seconds 120-2592000 | kilobytes disable}
            replay {disable | window-size {64 | 128 | 256 | 512 | 1024}}
      transform-set transform_set_name {esp-gcm 256 | esp-aes 256 | esp-null [esp-sha-hmac | esp-sha384-hmac | esp-sha256-hmac]}
         mode [tunnel | transport]
      pre-shared-key {address ip_address [mask] key key_string}
   interface tunnel ifnum
      no shutdown
      vrf forwarding vrf_id
      ip address ipaddress [mask]
      tunnel source wanif_ip
      tunnel mode {ipsec {ipv4 | ipv6} | gre ipaddress}
      tunnel destination gateway_ip
      tunnel protection ipsec profile ipsec_profile_name

IPsec Tunnel Requirements

The following tunnel endpoint conditions are required to create an IPsec tunnel:

  • The tunnel source and tunnel destination addresses must be reachable from both tunnel endpoints
  • Identical pre-shared-key configuration
  • Identical IKE and IPsec cipher suites
  • Identical IKE group (2, 4, 15, 16)
  • Identical IKE version: IKEv1 (main or aggressive mode) or IKEv2

Example

The following profile caters to peers that identify using the FQDN example.com and authenticate with RSA signatures (rsa-sig) validated against the trustpoint trustpoint-remote. The local node authenticates with a pre-shared key (pre-share) taken from keyring-1.

Router(config)# crypto ikev2 profile profile2
Router(config-ikev2-profile)# match identity remote fqdn example.com
Router(config-ikev2-profile)# identity local email router2@example.com
Router(config-ikev2-profile)# authentication local pre-share
Router(config-ikev2-profile)# authentication remote rsa-sig
Router(config-ikev2-profile)# keyring keyring-1
Router(config-ikev2-profile)# pki trustpoint trustpoint-remote verify
Router(config-ikev2-profile)# lifetime 300
Router(config-ikev2-profile)# dpd 5 10 on-demand
Router(config-ikev2-profile)# virtual-template 1
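The hierarchy above only lists the commands; the following is an added example (not from this page or from Cisco) showing how the IKEv2, IPsec profile and tunnel interface pieces reference each other for one endpoint in service VPN 10. The names, the addresses (192.0.2.1 local WAN, 198.51.100.2 peer WAN, 10.10.10.0/30 tunnel) and the placeholder key are hypothetical.

```cisco
! Added example, hypothetical names and addresses: router R1, service VPN 10.
! Per "IPsec Tunnel Requirements", the peer must carry the same PSK, proposal,
! transform-set and DH group; only the addresses differ (see end of block).
crypto ikev2 proposal IKEV2-PROP
 encryption aes-cbc-256
 integrity sha256
 group 19
!
crypto ikev2 policy IKEV2-POL
 proposal IKEV2-PROP
!
crypto ikev2 keyring IKEV2-KR
 peer R2
  address 198.51.100.2
  pre-shared-key EXAMPLE-PSK-REPLACE-ME
!
crypto ikev2 profile IKEV2-PROF
 match identity remote address 198.51.100.2 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local IKEV2-KR
 lifetime 86400
 dpd 10 2 on-demand
!
crypto ipsec transform-set TS-GCM esp-gcm 256
 mode tunnel
!
crypto ipsec profile IPSEC-PROF
 set transform-set TS-GCM
 set ikev2-profile IKEV2-PROF
 set pfs group19
 set security-association lifetime seconds 3600
 set security-association replay window-size 512
!
interface Tunnel10
 vrf forwarding 10
 ip address 10.10.10.1 255.255.255.252
 tunnel source 192.0.2.1
 tunnel mode ipsec ipv4
 tunnel destination 198.51.100.2
 tunnel protection ipsec profile IPSEC-PROF
 no shutdown
!
! Peer R2 mirrors this configuration with the addresses swapped: keyring peer
! address 192.0.2.1, match identity remote address 192.0.2.1 255.255.255.255,
! ip address 10.10.10.2, tunnel source 198.51.100.2, tunnel destination 192.0.2.1.
```

A mismatch in any of the mirrored values (key, proposal, transform-set, PFS group) leaves the tunnel down, which is the failure mode the requirements list describes.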

Release Information

Introduced in vManage NMS Release 19.1.

Additional Information

To configure IPsec on vEdge routers, see the ipsec command.
