Create IKE Policies with the crypto isakmp Command

router(config)# crypto isakmp policy priority

Defines the parameters within the IKE policy 110.

RouterA(config)# crypto isakmp policy 110
RouterA(config-isakmp)# authentication pre-share
RouterA(config-isakmp)# encryption des
RouterA(config-isakmp)# group 1
RouterA(config-isakmp)# hash md5
RouterA(config-isakmp)# lifetime 86400

The crypto isakmp policy command invokes the ISAKMP policy configuration command mode (config-isakmp) where you can set ISAKMP parameters. If you do not specify one of these commands for a policy, the default value will be used for that parameter. The table lists the keywords available to specify the parameters in the policy while you are in the config-isakmp command mode.

Keywords for ISAKMP Parameters

| Parameter | Keyword | Accepted Values | Default Value | Description |
|---|---|---|---|---|
| Encryption | des, aes, aes 192, aes 256 | 56-bit DES-CBC, 128-bit AES, 192-bit AES, 256-bit AES | des | Message encryption algorithm. |
| Hash | sha, md5 | SHA-1 (HMAC variant), MD5 (HMAC variant) | sha | Message integrity (Hash) algorithm. |
| Authentication | rsa-sig, rsa-encr, pre-share | RSA signatures, RSA encrypted nonces, preshared keys | rsa-sig | Peer authentication method. |
| Group | 1, 2 | 768-bit Diffie-Hellman or 1024-bit Diffie-Hellman | 1 | Key exchange parameters (Diffie-Hellman group identifier). |
| Lifetime | seconds | Can specify any number of seconds | 86,400 sec (one day) | ISAKMP-established SA lifetime. You can usually leave this value at the default. |
| | exit | | | Exits the config-isakmp mode. |

Multiple ISAKMP policies can be configured on each peer participating in IPSec. ISAKMP peers negotiate acceptable ISAKMP policies before agreeing upon the SA to be used for IPSec.
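Because unset parameters silently take the table's defaults, a policy that looks short can still negotiate DES and Diffie-Hellman group 1. The following audit script is an added example, not part of the original page or of any Cisco tooling: it resolves each policy's effective parameters from the defaults listed above and reports weak ones. It assumes running-config style indentation and keywords spelled as in the table; the function names, the sample policies 120 and 130, and the choice to treat DES, MD5 and groups 1 and 2 as weak are this example's own.

```python
import re
# Defaults copied from the page's "Keywords for ISAKMP Parameters" table.
DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
            "group": "1", "lifetime": "86400"}
# Assumption of this example: values treated as weak under current guidance.
WEAK = {"encryption": {"des"}, "hash": {"md5"}, "group": {"1", "2"}}
POLICY_RE = re.compile(r"crypto isakmp policy (\d+)$")

def parse_policies(config_text):
    """Return {priority: effective parameters}, unset ones filled from DEFAULTS."""
    policies, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        match = POLICY_RE.match(line)
        if match:
            current = policies.setdefault(int(match.group(1)), dict(DEFAULTS))
        elif line and not raw[0].isspace():
            current = None  # an unindented line leaves config-isakmp mode
        elif current is not None:
            key, _, value = line.partition(" ")
            if key in DEFAULTS and value:
                current[key] = value.strip()
    return policies

def weak_findings(policies):
    """Return sorted (priority, parameter, value) for every weak effective value."""
    return sorted((prio, param, params[param])
                  for prio, params in policies.items()
                  for param, bad in WEAK.items() if params[param] in bad)

# Constructed sample: policy 110 is the page's example, 120 and 130 are made up.
SAMPLE = """\
crypto isakmp policy 110
 authentication pre-share
 encryption des
 group 1
 hash md5
 lifetime 86400
!
crypto isakmp policy 120
 authentication pre-share
!
crypto isakmp policy 130
 encryption aes 256
 group 2
"""
if __name__ == "__main__":
    for prio, param, value in weak_findings(parse_policies(SAMPLE)):
        print(f"policy {prio}: effective {param} {value} is weak")
```

Policy 120 sets only the authentication method, yet it is reported for DES and group 1 because those are the defaults it inherits.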
