If a key label is not specified, the fully qualified domain name (FQDN) of the router is used. (Optional) IP size of the key modulus, in a range from to . If you do not enter the modulus keyword and specify a size, you will be prompted for one. The key-pair-label argument was added.
Use this command to generate RSA key pairs for your Cisco device, such as a router. If your router already has RSA keys when you issue this command, you will be warned and prompted to replace the existing keys with new keys. Note: Before issuing this command, ensure that your router has a host name and IP domain name configured with the hostname and ip domain-name commands.
You will be unable to complete the crypto key generate rsa command without a host name and IP domain name. This restriction does not apply when you generate only a named key pair. This command is not saved in the router configuration; however, the RSA keys generated by this command are saved in the private configuration in NVRAM (which is never displayed to the user or backed up to another device) the next time the configuration is written to NVRAM.
There are two mutually exclusive types of RSA key pairs: special-usage keys and general-purpose keys. When you generate RSA key pairs, you will be prompted to select either special-usage keys or general-purpose keys. If you generate special-usage keys, two pairs of RSA keys will be generated. If you plan to have both types of RSA authentication methods in your IKE policies, you may prefer to generate special-usage keys. With special-usage keys, each key is not unnecessarily exposed.
Without special-usage keys, one key is used for both authentication methods, increasing the exposure of that key. If you generate general-purpose keys, only one pair of RSA keys will be generated. Therefore, a general-purpose key pair might get used more frequently than a special-usage key pair.
If you generate a named key pair using the key-pair-label argument, you must also specify the usage-keys keyword or the general-keys keyword. Named key pairs allow you to have multiple RSA key pairs, enabling the Cisco IOS software to maintain a different key pair for each identity certificate. When you generate RSA keys, you will be prompted to enter a modulus length.
A longer modulus could offer stronger security, but it takes longer to generate (see Table 24 for sample times) and longer to use. The Cisco IOS software does not support a modulus greater than bits. A length of less than is normally not recommended. In certain situations, a shorter modulus may not function properly with IKE, so Cisco recommends using a minimum modulus of . Note: You cannot generate both special-usage and general-purpose keys; you can generate only one or the other.
Defines a default domain name used to complete unqualified host names (names without a dotted-decimal domain name). To enter public key configuration mode so you can manually specify other devices' RSA public keys, use the crypto key pubkey-chain rsa global configuration command. Use this command to enter public key chain configuration mode.
You need to specify other peers' keys when you configure RSA encrypted nonces as the authentication method in an Internet Key Exchange (IKE) policy at your peer router. The remote peers use their IP address as their identity. Specifies the IP address of the remote peer whose RSA public key you will manually configure. To configure Internet Key Exchange extended authentication (Xauth) on your router, use the crypto map client authentication list global configuration command.
Character string used to name the list of authentication methods activated when a user logs in. The list-name must match the list-name defined during AAA configuration. After enabling Xauth, you should apply the crypto map on which Xauth is configured to the router interface. The following example configures user authentication (a list of authentication methods called xauthlist) on an existing static crypto map called xauthmap: The following example configures user authentication (a list of authentication methods called xauthlist) on a dynamic crypto map called xauthdynamic that has been applied to a static crypto map called xauthmap:
Defines a transform set, which is an acceptable combination of security protocols and algorithms, and enters crypto transform configuration mode. Creates or modifies a crypto map entry and enters crypto map configuration mode. To configure IKE Mode Configuration on your router, use the crypto map client configuration address global configuration command. (Optional) A keyword that indicates the router will attempt to set IP addresses for each peer.
(Optional) A keyword that indicates the router will accept requests for IP addresses from any requesting peer. At the time of this publication, this feature is an IETF draft with limited support. Therefore, this feature was not designed to enable the configuration mode for every IKE connection by default.
Creates or modifies a crypto map entry and enters crypto map configuration mode. To enable Internet Key Exchange (IKE) querying of authentication, authorization, and accounting (AAA) for tunnel attributes in aggressive mode, use the crypto map isakmp authorization list global configuration command. Character string used to name the list of authorization methods activated when a user logs in. The list name must match the list name defined during AAA configuration.
Use the crypto map client authorization list command to enable key lookup from a AAA server. Thus, each user has their own key, which is stored on an external AAA server. This allows central management of the user database, linking it to an existing database, in addition to allowing every user to have their own unique, more secure pre-shared key. Before configuring the crypto map client authorization list command, you should perform the following tasks:
After enabling the crypto map client authorization list command, you should apply the previously defined crypto map to the interface. The following example shows how to configure the crypto map client authorization list command: To reset the encryption algorithm to the default value, use the no form of this command. Use this command to specify the encryption algorithm to be used in an IKE policy.
The following example configures an IKE policy with the 3DES encryption algorithm (all other parameters are set to the defaults): To reset the Diffie-Hellman group identifier to the default value, use the no form of this command. The following example configures an IKE policy with the bit Diffie-Hellman group (all other parameters are set to the defaults):
To reset the hash algorithm to the default SHA-1 hash algorithm, use the no form of this command. The following example configures an IKE policy with the MD5 hash algorithm (all other parameters are set to the defaults): To manually specify a remote peer's RSA public key, use the key-string public key configuration command. Enter the key in hexadecimal format. While entering the key data, you can press Return to continue entering data. Before using this command, you must identify the remote peer using either the addressed-key or named-key command.
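The encryption, group and hash commands above each set one attribute of an IKE policy, and an attribute that is not set falls back to a default (the text states the SHA-1 hash default). A practical defender's check is to parse the policies out of a saved running configuration, fill in the defaults, and flag weak choices. The following is an added example written for this page, not Cisco code: the configuration excerpt is constructed, the non-hash defaults and the "weak" thresholds are the editor's assumptions, and the audit_config function is hypothetical.

```python
import re
from typing import Dict, List, Optional

# Assumed defaults for attributes a policy leaves unset. The page states only
# the SHA-1 hash default; the other four values are the editor's assumptions.
DEFAULTS: Dict[str, str] = {
    "encryption": "des",
    "hash": "sha",
    "authentication": "rsa-sig",
    "group": "1",
    "lifetime": "86400",
}

# Assumed policy thresholds for what this audit reports as weak.
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_HASH = {"md5"}
WEAK_GROUPS = {"1", "2", "5"}

# Constructed running-config excerpt (not taken from the page) with two policies.
SAMPLE_CONFIG = """\
hostname R1
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 600
crypto isakmp policy 20
 encr aes 256
 authentication rsa-sig
 group 14
!
"""

POLICY_HEADER = re.compile(r"^crypto isakmp policy (\d+)\s*$")


def parse_isakmp_policies(config: str) -> Dict[int, Dict[str, str]]:
    """Return {priority: attributes}, with DEFAULTS filled in for unset attributes."""
    policies: Dict[int, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    for raw in config.splitlines():
        header = POLICY_HEADER.match(raw)
        if header:
            current = dict(DEFAULTS)
            policies[int(header.group(1))] = current
            continue
        if current is None or not raw.startswith(" "):
            current = None  # any top-level line ends the policy block
            continue
        keyword, _, value = raw.strip().partition(" ")
        if keyword in ("encr", "encryption"):  # IOS shows "encr" in running-config
            current["encryption"] = value
        elif keyword in ("hash", "authentication", "group", "lifetime"):
            current[keyword] = value
    return policies


def audit_policy(attrs: Dict[str, str]) -> List[str]:
    """List the weak attributes of one policy (empty list means nothing flagged)."""
    findings: List[str] = []
    cipher = attrs["encryption"].split()[0]  # "aes 256" -> "aes"
    if cipher in WEAK_ENCRYPTION:
        findings.append(f"encryption {attrs['encryption']}: use AES")
    if attrs["hash"] in WEAK_HASH:
        findings.append(f"hash {attrs['hash']}: use SHA")
    if attrs["group"] in WEAK_GROUPS:
        findings.append(f"group {attrs['group']}: use a larger Diffie-Hellman group")
    return findings


def audit_config(config: str) -> Dict[int, List[str]]:
    """Audit every IKE policy found in a running-config text."""
    return {prio: audit_policy(a) for prio, a in parse_isakmp_policies(config).items()}


if __name__ == "__main__":
    for prio, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"policy {prio}: {findings or 'ok'}")
```

Running the block against the constructed excerpt reports three findings for policy 10 (3DES, MD5, group 2) and none for policy 20, whose unset hash and lifetime are reported at their defaults rather than left blank.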
If possible, to avoid mistakes, you should cut and paste the key data instead of attempting to type in the data. To complete the command, you must return to global configuration mode by typing quit at the config-pubkey prompt. To reset the SA lifetime to the default value, use the no form of this command. Number of seconds each SA should exist before expiring. Use an integer from 60 to 86, seconds. When IKE begins negotiations, the first thing it does is agree upon the security parameters for its own session.
The agreed-upon parameters are then referenced by an SA at each peer. The SA is retained by each peer until the SA's lifetime expires. Shorter lifetimes, however, limit the exposure of this SA to attackers: the longer an SA is used, the more encrypted traffic an attacker can gather and possibly use in an attack.
Note that when your local peer initiates an IKE negotiation between itself and a remote peer, an IKE policy can be selected only if the lifetime of the remote peer's policy is longer than or equal to the lifetime of the local peer's policy. Then, if the lifetimes are not equal, the shorter lifetime will be selected. To restate this behavior: if the two peers' policies' lifetimes are not the same, the initiating peer's lifetime must be shorter and the responding peer's lifetime must be longer, and the shorter lifetime will be used.
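The lifetime rule above is asymmetric, which is easy to get wrong when troubleshooting a policy mismatch between two routers. The following is an added example (not Cisco code) that models the rule in Python: two policies are compatible only when their other attributes match and the responder's lifetime is at least the initiator's, and the negotiated value is then the shorter one. The IkePolicy class, the select_policy function, the 86400-second upper bound (the page's figure is truncated), and the assumption that the responder walks its own policies in priority order are the editor's.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

IKE_LIFETIME_MIN_SECONDS = 60      # lower bound stated in the text
IKE_LIFETIME_MAX_SECONDS = 86400   # assumed upper bound (one day)


@dataclass(frozen=True)
class IkePolicy:
    """One 'crypto isakmp policy' entry; lower priority numbers are tried first."""
    priority: int
    encryption: str
    hash_alg: str
    authentication: str
    group: int
    lifetime: int

    def __post_init__(self) -> None:
        if not IKE_LIFETIME_MIN_SECONDS <= self.lifetime <= IKE_LIFETIME_MAX_SECONDS:
            raise ValueError(
                f"lifetime {self.lifetime} outside "
                f"{IKE_LIFETIME_MIN_SECONDS}..{IKE_LIFETIME_MAX_SECONDS} seconds")

    def attributes_match(self, other: "IkePolicy") -> bool:
        # Lifetime is deliberately left out: it follows the asymmetric rule below.
        return (self.encryption, self.hash_alg, self.authentication, self.group) == (
            other.encryption, other.hash_alg, other.authentication, other.group)


def negotiated_lifetime(initiator: IkePolicy, responder: IkePolicy) -> Optional[int]:
    """Lifetime the peers will use, or None if the initiator cannot select this pair."""
    if not initiator.attributes_match(responder):
        return None
    if responder.lifetime < initiator.lifetime:
        return None  # responder's lifetime must be longer than or equal to the initiator's
    return min(initiator.lifetime, responder.lifetime)  # the shorter one, i.e. the initiator's


def select_policy(initiator_policies: Iterable[IkePolicy],
                  responder_policies: Iterable[IkePolicy]) -> Optional[Tuple[int, int, int]]:
    """Return (initiator priority, responder priority, lifetime) for the first compatible pair.

    Assumption: the responder compares its own policies, in priority order, against
    everything the initiator offered, also in priority order.
    """
    offered = sorted(initiator_policies, key=lambda p: p.priority)
    for rp in sorted(responder_policies, key=lambda p: p.priority):
        for ip in offered:
            lifetime = negotiated_lifetime(ip, rp)
            if lifetime is not None:
                return ip.priority, rp.priority, lifetime
    return None


if __name__ == "__main__":
    local = IkePolicy(10, "3des", "sha", "pre-share", 2, 600)
    remote = IkePolicy(10, "3des", "sha", "pre-share", 2, 86400)
    print("local initiates:", select_policy([local], [remote]))   # (10, 10, 600)
    print("remote initiates:", select_policy([remote], [local]))  # None
```

Note the second call: the same two configurations fail when the peer with the longer lifetime initiates, which is the symptom described in the text.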
The following example configures an IKE policy with a security association lifetime of seconds (10 minutes); all other parameters are set to the defaults: To specify which peer's RSA public key you will manually configure, use the named-key public key chain configuration command. This command should be used only when the router has a single interface that processes IP Security.
Specifies the name of the remote peer's RSA keys. This is always the fully qualified domain name of the remote peer; for example, router. (Optional) Indicates that the RSA public key to be specified will be an encryption special-usage key. (Optional) Indicates that the RSA public key to be specified will be a signature special-usage key.
If neither the encryption nor the signature keyword is used, general-purpose keys will be specified. Use this command or the addressed-key command to specify which IPSec peer's RSA public key you will manually configure next. Follow this command with the key-string command to specify the key.
If you use the named-key command, you also need to use the address public key configuration command to specify the IP address of the peer. If the IPSec remote peer generated special-usage keys, you must manually specify both keys: perform this command and the key-string command twice, using the encryption and signature keywords in turn. The following is sample output from the show crypto isakmp policy command, after two IKE policies have been configured (with priorities 15 and 20, respectively):
Note: Although the output shows "no volume limit" for the lifetimes, you can currently only configure a time lifetime (such as 86, seconds); volume limit lifetimes are not used. The following is sample output from the show crypto isakmp sa command, after IKE negotiations have successfully completed between two peers:
Table 25 through Table 27 show the various states that may be displayed in the output of the show crypto isakmp sa command. It is "larval" at this stage—there is no state. The peers have exchanged Diffie-Hellman public keys and have generated a shared secret. The peers have done the first exchange in Aggressive Mode, but the SA is not authenticated. It remains authenticated with its peer and may be used for subsequent Quick Mode exchanges.
It is in a quiescent state. The following is sample output from the show crypto key mypubkey rsa command. Special-usage RSA keys were previously generated for this router using the crypto key generate rsa command. This command shows the RSA public keys stored on your router. This includes peers' RSA public keys manually configured at your router and keys received by your router via other means (such as by a certificate, if certification authority support is configured).
If a router reboots, any public key derived from certificates will be lost. This is because the router will ask for the certificates again, at which time the public key will be derived again. Use the name or address keyword to display details about a particular RSA public key stored on your router. If no keyword is used, this command displays a list of all RSA public keys stored on your router. The following is sample output from the show crypto key pubkey-chain rsa command:
This sample shows manually configured special-usage RSA public keys for the peer "somerouter. Certificate support is used in the above example; if certificate support were not in use, none of the peers' keys would show "C" in the code column, and all would have to be manually configured.
The following is sample output when you issue the command show crypto key pubkey rsa name somerouter. Note: The Source field in the above example indicates "Manual," meaning that the keys were manually configured on the router, not received in the peer's certificate.
The following is sample output when you issue the show crypto key pubkey rsa address command. The Source field in the above example indicates "Certificate," meaning that the keys were received by the router by way of the other router's certificate.
Router(config)# crypto key pubkey-chain rsa
Router(config-pubkey-chain)# named-key otherpeer
Router(config-pubkey-key)# address
Router(config-pubkey-key)# key-string
Router(config-pubkey-chain)# addressed-key
Caution: If the connection-id argument is not used, all existing IKE connections will be cleared when this command is issued.
Enter configuration commands, one per line.
Router(config)# clear crypto isakmp 1
Router(config)# crypto key generate rsa usage-keys
We need to specify the VPN client group settings. In this config we will identify the preshared key for this group. We also need to have this group use an access list that will allow us to implement a split tunnel. This will allow encryption of traffic sent between the VPN clients and the internal network but not encrypt everything else.
Traffic to the internet will not utilize the VPN tunnel. We must now create the access control list where we define the subnets for the internal network and the VPN client pool. Now it is time to create a dynamic crypto map entry. This is an empty shell of a map, so we must also create a real map later. This will turn on server response to client configuration requests, such as when the client requests the DNS settings specified in the client configuration group earlier.
We must include the dynamic crypto map name as well. Again we are using the local database of users. Now we need to attach the dynamic crypto map template to the real crypto map. Our real crypto map may have other connections, like site-to-site VPN, included as well. Once completed, launch the application: Enter a connection entry name and type the external interface name of the router. Click Save. Highlight the connection you created and click Connect.
Hopefully you will now be connected! Thanks for the guide, very useful. I have a question: is it possible to send UDP broadcast helper-address in this VPN? Here is my network diagram, a pretty basic configuration with an external and an internal network. Here is my starting configuration of the router.
This is more secure and will make decryption tougher:
R1(config)# conf t
R1(config)# username aaron secret p ssw0rd
Now we need to activate the AAA new model to expose the new command set:
R1(config)# aaa new-model
We need to set up extended authentication (Xauth).
R1(config-isakmp)# encryption 3des
We will use the SHA hashing algorithm, which is used to check the integrity of the data transmitted in our secure tunnel.
R1(config-isakmp)# hash sha
We will specify Diffie-Hellman group 2 as our method of establishing secure communication.
R1(config-isakmp)# group 2
Optionally we can specify a lifetime after which our symmetric key is regenerated; I believe the default is
R1(config-isakmp)# lifetime
R1(config-isakmp)# exit
We need to specify the VPN client group settings.
R1(config-isakmp-group)# key ClientVpnKey
R1(config-isakmp-group)# dns
R1(config-isakmp-group)# acl
R1(config-isakmp-group)# exit
We must now create the access control list where we define the subnets for the internal network and the VPN client pool.
R1(config)# access-list permit ip
Okay, we should finally be done. Once completed, launch the application:
Click New.
IKE, also called ISAKMP, is the negotiation protocol that lets two hosts agree on how to build an IPsec security association. To globally enable Internet Key Exchange (IKE) for your peer router, use the crypto isakmp enable command in global configuration mode. To disable IKE for the. I disabled the crypto isakmp, and now if I issue the command "crypto isakmp enable", even then the running config shows me a line "no crypto isakmp."