crypto isakmp policy

This command, when used in global configuration mode, defines an Internet Key Exchange (IKE) policy. IKE policies define a set of parameters to be used during the IKE negotiation. To delete an IKE policy, use the no form of this command.

This command invokes the Internet Security Association Key Management Protocol (ISAKMP) policy configuration (config-isakmp) command mode.

To exit config-isakmp command mode, type 'exit'.

You can configure multiple IKE policies on each peer participating in IPSec. When the IKE negotiation begins, it tries to find a common policy configured on both peers.

Syntax

crypto isakmp policy <id>
no crypto isakmp policy <id>

Command    Description
id         Uniquely identifies the IKE policy

This command puts you into the config-isakmp command mode.

(config-isakmp)# authentication <authentication method>
(config-isakmp)# encryption <encryption algorithm>
(config-isakmp)# hash <authentication algorithm>
(config-isakmp)# lifetime <seconds>
(config-isakmp)# group {1|2|3}
(config-isakmp)# ike <version>
(config-isakmp)# prf <prf algorithm>
(config-isakmp)# use-remote-id-any

Command                                Description
authentication {pre-share|rsa-sig}     Specifies the authentication method.
encryption {3des|aes|aes-gcm}          Specifies the encryption algorithm within an IKE policy.
                                         3des: Defines ESP with the 168-bit DES encryption algorithm (3DES or Triple DES).
                                         aes {128|192|256}: Defines ESP with the 128-bit, 192-bit, or 256-bit AES encryption algorithm.
                                         aes-gcm {128|256}: Defines AES-GCM with 128-bit or 256-bit secret keys and a 16-byte ICV. This option is applicable to IKEv2 only.
group {1|14|15|16|19|2|20|21|5}        Specifies the Diffie-Hellman group identifier within an IKE policy.
hash {md5|sha|sha256|sha384|sha512}    Specifies the hash algorithm within an IKE policy.
                                         md5: Defines ESP with the MD5 (HMAC variant) authentication algorithm.
                                         sha: Defines ESP with the SHA (HMAC variant) authentication algorithm.
                                         sha256: Defines ESP with the 256-bit SHA (HMAC variant) authentication algorithm.
                                         sha384: Defines ESP with the 384-bit SHA (HMAC variant) authentication algorithm.
                                         sha512: Defines ESP with the 512-bit SHA (HMAC variant) authentication algorithm.
ike {v1|v2}                            Defines the Internet Key Exchange (IKE) version.
lifetime <seconds>                     Specifies the lifetime of an IKE SA.
prf {sha256|sha384|sha512}             Defines the pseudo-random function (PRF) used to derive keying material and for hashing operations within an IKE policy.
                                         sha256: Defines PRF with the 256-bit SHA (HMAC variant) authentication algorithm.
                                         sha384: Defines PRF with the 384-bit SHA (HMAC variant) authentication algorithm.
                                         sha512: Defines PRF with the 512-bit SHA (HMAC variant) authentication algorithm.
                                         Note: PRF is applicable only to IKEv2.
use-remote-id-any                      Allows the device to accept any remote-id presented by the peer to connect. The default is disabled (no use-remote-id-any).

Default

This command has no defaults.

Command Mode

crypto isakmp policy is defined in enabled configuration mode.

Example

This example demonstrates how to configure an IKE policy:

(config-data)# crypto isakmp policy 50
(config-isakmp)# encryption aes 128
(config-isakmp)# authentication pre-share
(config-isakmp)# hash sha
(config-isakmp)# group 2
(config-isakmp)# ike v1
(config-isakmp)# lifetime 3600
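The following is an added example, not part of this reference page or the device's own tooling: a small Python lint that parses a config-isakmp block as shown above, checks each keyword against the option sets documented on this page, flags the IKEv2-only options (aes-gcm, prf) when ike v1 is configured, and flags legacy choices (md5, 3des, DH groups 1, 2 and 5). The sample block is constructed from the page's own example; the "weak" set is the author's assumption, not a list from the page.

```python
import re

# Option sets as documented on this page.
ALLOWED = {
    "authentication": {"pre-share", "rsa-sig"},
    "encryption": {"3des", "aes 128", "aes 192", "aes 256",
                   "aes-gcm 128", "aes-gcm 256"},
    "hash": {"md5", "sha", "sha256", "sha384", "sha512"},
    "group": {"1", "2", "5", "14", "15", "16", "19", "20", "21"},
    "ike": {"v1", "v2"},
    "prf": {"sha256", "sha384", "sha512"},
}
# The page marks aes-gcm and prf as IKEv2-only.
IKEV2_ONLY = {"encryption": {"aes-gcm 128", "aes-gcm 256"}, "prf": ALLOWED["prf"]}
# Legacy choices a reviewer would flag (assumption: MD5, 3DES, small MODP groups).
WEAK = {"hash": {"md5"}, "encryption": {"3des"}, "group": {"1", "2", "5"}}
LINE = re.compile(r"^\s*\(config-isakmp\)#\s*(\S+)\s*(.*?)\s*$")

def parse_policy(text):
    """Map each (config-isakmp)# keyword to its argument string."""
    policy = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            policy[m.group(1)] = m.group(2)
    return policy

def lint_policy(policy):
    """Return findings for a parsed block; an empty list means it passes."""
    findings = []
    for key, value in policy.items():
        if key in ALLOWED and value not in ALLOWED[key]:
            findings.append(f"{key} {value}: not a documented option")
        if value in WEAK.get(key, ()):
            findings.append(f"{key} {value}: legacy/weak choice")
        if policy.get("ike") == "v1" and value in IKEV2_ONLY.get(key, ()):
            findings.append(f"{key} {value}: IKEv2 only, but ike v1 configured")
    return findings

# Constructed sample: the page's example policy (IKEv1, AES-128, SHA, group 2).
PAGE_EXAMPLE = """(config-data)# crypto isakmp policy 50
(config-isakmp)# encryption aes 128
(config-isakmp)# authentication pre-share
(config-isakmp)# hash sha
(config-isakmp)# group 2
(config-isakmp)# ike v1
(config-isakmp)# lifetime 3600"""

if __name__ == "__main__":
    print(lint_policy(parse_policy(PAGE_EXAMPLE)))  # ['group 2: legacy/weak choice']
```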