
crypto isakmp

crypto isakmp

block-aruba-ca {enable|disable}

eap-passthrough {eap-gtc|eap-mschapv2|eap-peap|eap-tls}

groupname <name>

key {key <keystring>|key-hex <keystring-hex>}

udpencap-behind-natdevice {enable|disable}

Description

This command configures Internet Key Exchange (IKE) parameters for the Internet Security Association and Key Management Protocol (ISAKMP). IKE is the key management protocol used with IPsec to establish a secure channel; ISAKMP is the framework used for establishing Security Associations and cryptographic keys.

Syntax

Parameter

Description

block-aruba-ca

Configures the managed device to accept or reject Aruba-certified clients:

enable: Accepts Aruba-certified client certificates

disable: Rejects Aruba-certified client certificates and uses custom certificates instead

eap-passthrough

Select one of the following authentication types for IKEv2 user authentication using EAP (Extensible Authentication Protocol). IKEv2 uses the secure channel established in Phase 1 to negotiate Security Associations on behalf of services such as IPsec and supports pre-shared key and digital signature authentication (see RFC 4306); EAP can carry multiple authentication mechanisms such as token cards, smart cards, certificates, one-time passwords, and public key authentication.

eap-gtc: EAP-GTC (Generic Token Card, non-tunneled) authentication method

eap-mschapv2: EAP-MSCHAPv2 (Microsoft Challenge Handshake Authentication Protocol version 2) authentication method

eap-peap: EAP-PEAP (Protected EAP, tunneled) authentication method. PEAP is widely used for securely transporting authentication data across a network.

eap-tls: EAP-TLS (Transport Layer Security) authentication method. EAP-TLS is a certificate-based method supporting mutual authentication, integrity-protected ciphersuite negotiation and key exchange between two endpoints. See RFC 5216.

NOTE: The eap-passthrough parameter allows the IKE module to forward EAP messages between the VPN client and the external authentication server during tunnel establishment. It is recommended to have a secure channel between ArubaOS and the external authentication server to protect sensitive data.

groupname <name>

Configures the IKE Aggressive-mode group name. Aggressive-mode IKE is a 3-packet IKE exchange that does not provide identity protection, but is faster because fewer messages are exchanged.

key {key <keystring>|key-hex <keystring-hex>}

Configures the IKE preshared key, which must be 6-64 characters in length:

key: Configures the IKE preshared key using text-based characters.

key-hex: Configures the IKE preshared key using hex-based characters (0-9, a-f, A-F).

udpencap-behind-natdevice

Configures NAT-T (NAT traversal) if the managed device is behind a NAT device (for the Windows VPN Dialer only):

enable: Enables NAT-T

disable: Disables NAT-T

Usage Guidelines

Use this command to configure the IKE pre-shared key, set the EAP authentication method for IKEv2 clients using EAP user authentication, and enable source NAT if the IP addresses of clients need to be translated to access the network. Source NAT changes the source address of packets passing through the router and is typically used when an internal (private) host initiates a session to an external (public) host.
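The `key` and `key-hex` forms above place two constraints on the preshared key: a length of 6-64 characters, and, for `key-hex`, a character set of 0-9, a-f and A-F. The following added example (not part of this page or of ArubaOS) is a small pre-deployment check an administrator can run before pasting a key into the CLI: it validates a candidate key against those constraints, generates a random key of the maximum documented length for the `key-hex` form, and renders the resulting configuration line. The function names, the use of Python's `secrets` module, and the decision to apply the 6-64 character bound to the hex string exactly as typed are assumptions made for this example.

```python
import re
import secrets

# Length bounds stated on the page for the IKE preshared key. Applying the same
# bound to the key-hex string as typed (rather than to the decoded bytes) is an
# assumption made for this example.
PSK_MIN_LEN = 6
PSK_MAX_LEN = 64

# Character set the page documents for the key-hex form.
HEX_RE = re.compile(r"[0-9a-fA-F]+")


def validate_isakmp_psk(keystring: str, hex_mode: bool = False) -> tuple:
    """Check a candidate preshared key against the constraints listed on this page.

    Returns (ok, reason). hex_mode=True mirrors the `key-hex` form, where only
    0-9, a-f and A-F are accepted; hex_mode=False mirrors the text `key` form.
    """
    n = len(keystring)
    if n < PSK_MIN_LEN or n > PSK_MAX_LEN:
        return False, f"length {n} is outside {PSK_MIN_LEN}-{PSK_MAX_LEN} characters"
    if hex_mode and HEX_RE.fullmatch(keystring) is None:
        return False, "key-hex accepts only 0-9, a-f, A-F"
    return True, "ok"


def generate_psk_hex(nbytes: int = 32) -> str:
    """Generate a random preshared key for the `key-hex` form.

    32 random bytes encode to 64 hex digits, the maximum length the page allows,
    so the default produces the strongest key the documented syntax accepts.
    """
    if not PSK_MIN_LEN <= nbytes * 2 <= PSK_MAX_LEN:
        raise ValueError("nbytes must encode to between 6 and 64 hex digits")
    return secrets.token_hex(nbytes)


def render_cli(keystring: str, hex_mode: bool = False) -> str:
    """Render the config-mode command line using the syntax documented above.

    Raises ValueError instead of producing a line the device would reject.
    """
    ok, reason = validate_isakmp_psk(keystring, hex_mode)
    if not ok:
        raise ValueError(reason)
    form = "key-hex" if hex_mode else "key"
    return f"crypto isakmp key {form} {keystring}"


if __name__ == "__main__":
    # Typical use: generate, validate and print the line to paste into config mode.
    psk = generate_psk_hex()
    print(render_cli(psk, hex_mode=True))
    # Constructed inputs that fail each documented constraint:
    print(validate_isakmp_psk("short"))                    # too short
    print(validate_isakmp_psk("deadbeefzz", hex_mode=True))  # non-hex digits
```

The generator defaults to 32 random bytes because that is the longest key the documented syntax allows; a shorter text key chosen by hand is accepted by the validator as long as it is within 6-64 characters, but offers far less entropy than a random hex key of the same length.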

Example

The following command configures an ISAKMP peer IP address and subnet mask. After configuring an ISAKMP address and netmask, you will be prompted to enter the IKE preshared key.

(host) [mynode] (config) #crypto isakmp address 10.3.14.21 netmask 255.255.255.0

Key:*******
Re-Type Key:*******

Related Commands

Command

Description

show crypto isakmp

Displays the IKE parameters configured for ISAKMP.


Command History

Release

Modification

ArubaOS 8.5.0.0

A new sub-parameter, eap-gtc was added to the eap-passthrough parameter.

ArubaOS 8.0.0.0

Command introduced.

Command Information

Platforms

Licensing

Command Mode

All platforms

Base operating system.

Config mode on Mobility Master.
