
crypto isakmp policy

crypto isakmp policy <priority>

authentication {pre-share|rsa-sig|ecdsa-256|ecdsa-384}

disable

enable [bypass|secret]

encryption {3DES|AES128|AES192|AES256|DES}

group {1|2|14|19|20}

hash {md5|sha|sha1-96|sha2-256-128|sha2-384-192}

prf {PRF-HMAC-MD5|PRF-HMAC-SHA1|PRF-HMAC-SHA256|PRF-HMAC-SHA384}

lifetime <seconds>

no disable

version {v1|v2}

Description

This command configures Internet Key Exchange (IKE) policy parameters for the Internet Security Association and Key Management Protocol (ISAKMP).

Syntax

Parameter

Description

<priority>

Specifies a number from 1 to 10,000 to define a priority level for the policy. The higher the number, the higher the priority level.

authentication

Configures the IKE authentication method:

pre-share: Preshared key

rsa-sig: RSA signatures

ecdsa-256: ECDSA 256-bit signatures

ecdsa-384: ECDSA 384-bit signatures

disable

Disables the IKE policy.

enable [bypass|secret]

Enables the IKE policy using bypass or secret. Bypass prompts for the enable mode login and password. Secret prompts for the enable password.

encryption

Configures the IKE encryption algorithm:

3DES: 168-bit 3DES-CBC encryption algorithm

AES128: 128-bit AES-CBC encryption algorithm

AES192: 192-bit AES-CBC encryption algorithm

AES256: 256-bit AES-CBC encryption algorithm

DES: 56-bit DES-CBC encryption algorithm

group

Configures the IKE Diffie-Hellman group:

1: 768-bit Diffie-Hellman prime modulus group. This is the default group setting.

2: 1024-bit Diffie-Hellman prime modulus group

14: 2048-bit Diffie-Hellman DDH prime modulus group

19: 256-bit random Diffie-Hellman ECP modulus group

20: 384-bit random Diffie-Hellman ECP modulus group

hash

Configures the IKE hash algorithm:

md5: MD5 (HMAC variant) hash algorithm

sha: SHA1-160 (HMAC variant) hash algorithm

sha1-96: SHA1-96 (HMAC variant) hash algorithm

sha2-256-128: SHA2-256-128 (HMAC variant) hash algorithm

sha2-384-192: SHA2-384-192 (HMAC variant) hash algorithm

prf

Sets one of the following pseudo-random function (PRF) values for an IKEv2 policy:

PRF-HMAC-MD5 (default): MD5 (HMAC variant) PRF

PRF-HMAC-SHA1: SHA1-160 (HMAC variant) PRF

PRF-HMAC-SHA256: SHA2-256 PRF

PRF-HMAC-SHA384: SHA2-384 PRF

lifetime <seconds>

Specifies the lifetime of the IKE security association (SA), from 300 to 86400 seconds.

no disable

Disables the IKE policy.

version

Specifies the version of the IKE protocol for the IKE policy:

v1: IKEv1 (see RFC 2409)

v2: IKEv2 (see RFC 4306)

Usage Guidelines

To define settings for an ISAKMP policy, issue the command crypto isakmp policy <priority>, then press Enter. The CLI enters config-isakmp mode, which allows you to configure the policy values.

Example

The following command configures the RSA signature authentication method for the given IKE policy:

(host) [mynode] (config) #crypto isakmp policy 1

(host) [mynode] (config-isakmp) #authentication rsa-sig

Key:*******

Re-Type Key:*******

Related Commands

show crypto isakmp: Displays IKE policies configured for ISAKMP.

Command History

ArubaOS 8.0.0.0: Command introduced.

Command Information

Platforms: All platforms

Licensing: The following settings require the Advanced Cryptography (ACR) license:

hash algorithm: SHA-256-128, SHA-384-192

Diffie-Hellman (DH) Groups: 19 and 20

Pseudo-Random Function (PRF): PRF-HMAC-SHA256, PRF-HMAC-SHA384

Authentication: ecdsa-256 and ecdsa-384

All other parameters are supported in the base OS.

Command Mode: Config mode on Mobility Master.
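The following is an added example, not ArubaOS code: a small Python linter that reads a config-isakmp block (bare lines or prompt-prefixed lines as in the Example above), checks each setting against the option lists, the 1 to 10,000 priority range and the 300 to 86400 second lifetime range documented in the Syntax table, and reports which settings fall under the ACR license listed under Licensing. The parse_policy and lint_policy functions, the grouping of findings into errors, weak and license, and the WEAK table (flagging DES, 3DES, MD5 and DH groups 1 and 2 for review) are assumptions of this example rather than anything the page states; the sample policy blocks are constructed.

```python
"""Lint an ArubaOS 'crypto isakmp policy' block against this page's
documented parameter values.  Added example, not ArubaOS code."""
import re

PRIORITY_RANGE = (1, 10000)     # Syntax table: <priority>
LIFETIME_RANGE = (300, 86400)   # Syntax table: lifetime <seconds>

# Option lists exactly as the command syntax gives them.
CHOICES = {
    "authentication": {"pre-share", "rsa-sig", "ecdsa-256", "ecdsa-384"},
    "encryption": {"3DES", "AES128", "AES192", "AES256", "DES"},
    "group": {"1", "2", "14", "19", "20"},
    "hash": {"md5", "sha", "sha1-96", "sha2-256-128", "sha2-384-192"},
    "prf": {"PRF-HMAC-MD5", "PRF-HMAC-SHA1", "PRF-HMAC-SHA256", "PRF-HMAC-SHA384"},
    "version": {"v1", "v2"},
}

# Settings the Licensing section says need the ACR license.
ACR_REQUIRED = {
    "hash": {"sha2-256-128", "sha2-384-192"},
    "group": {"19", "20"},
    "prf": {"PRF-HMAC-SHA256", "PRF-HMAC-SHA384"},
    "authentication": {"ecdsa-256", "ecdsa-384"},
}

# Review policy assumed by this example (not stated on the page): the
# smallest key sizes and MD5 are surfaced so an auditor sees them.
WEAK = {
    "encryption": {"DES": "56-bit DES", "3DES": "168-bit 3DES"},
    "hash": {"md5": "MD5"},
    "prf": {"PRF-HMAC-MD5": "MD5 PRF"},
    "group": {"1": "768-bit DH group 1", "2": "1024-bit DH group 2"},
}


def parse_policy(text):
    """Parse 'crypto isakmp policy <n>' plus its config-isakmp lines.
    A '(host) [mynode] (config-isakmp) #' prompt prefix is stripped."""
    policy = {"priority": None, "settings": {}, "disabled": False}
    for raw in text.splitlines():
        line = (raw.split("#", 1)[1] if "#" in raw else raw).strip()
        if not line:
            continue
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            policy["priority"] = int(m.group(1))
        elif line == "disable":
            policy["disabled"] = True
        elif line == "no disable":
            policy["disabled"] = False
        else:
            parts = line.split()
            policy["settings"][parts[0]] = " ".join(parts[1:])
    return policy


def lint_policy(policy):
    """Return findings grouped as errors (outside the documented ranges or
    option lists), weak (WEAK table) and license (ACR-licensed settings)."""
    errors, weak, license_ = [], [], []
    pr = policy["priority"]
    if pr is None or not PRIORITY_RANGE[0] <= pr <= PRIORITY_RANGE[1]:
        errors.append(f"priority {pr!r} outside {PRIORITY_RANGE[0]}-{PRIORITY_RANGE[1]}")
    settings = dict(policy["settings"])
    settings.setdefault("group", "1")               # page: group 1 is the default
    if settings.get("version") == "v2":
        settings.setdefault("prf", "PRF-HMAC-MD5")  # page: PRF-HMAC-MD5 is the IKEv2 default
    for key, val in settings.items():
        if key == "lifetime":
            if not (val.isdigit() and LIFETIME_RANGE[0] <= int(val) <= LIFETIME_RANGE[1]):
                errors.append(f"lifetime {val!r} outside {LIFETIME_RANGE[0]}-{LIFETIME_RANGE[1]} seconds")
            continue
        if key in CHOICES and val not in CHOICES[key]:
            errors.append(f"{key} {val!r} is not a documented option")
            continue
        if val in ACR_REQUIRED.get(key, set()):
            license_.append(f"{key} {val} requires the ACR license")
        if val in WEAK.get(key, {}):
            weak.append(f"{key} {val}: {WEAK[key][val]}")
    return {"errors": errors, "weak": weak, "license": license_}


# Constructed sample blocks: one relying on defaults and small key sizes,
# one using the ACR-licensed settings, and the page's own Example lines.
WEAK_POLICY = """crypto isakmp policy 1
version v1
authentication pre-share
encryption DES
hash md5
lifetime 100
"""
HARDENED_POLICY = """crypto isakmp policy 10
version v2
authentication ecdsa-384
encryption AES256
group 20
hash sha2-384-192
prf PRF-HMAC-SHA384
lifetime 28800
"""
PAGE_EXAMPLE = """(host) [mynode] (config) #crypto isakmp policy 1
(host) [mynode] (config-isakmp) #authentication rsa-sig
"""

if __name__ == "__main__":
    for name, block in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, lint_policy(parse_policy(block)))
```

Running the block lints both constructed policies: the first yields one range error (lifetime 100) and three weak findings (DES, MD5 and the defaulted 768-bit group 1), the second yields no errors but four license findings, which is the list an operator needs before committing that policy on a controller without the ACR license.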
