crypto isakmp policy (2024)

crypto isakmp policy <priority>

authentication {pre-share|rsa-sig|ecdsa-256|ecdsa-384}

disable

enable [bypass|secret]

Description

This command configures Internet Key Exchange (IKE) policy parameters for the Internet Security Association and Key Management Protocol (ISAKMP). To define settings for a ISAKMP policy, issue the command crypto isakmp policy <priority> then press Enter. The CLI will enter config-isakmp mode, which allows you to configure the policy values.

Parameter	Description
<priority>	Specifies a number from 1 to 10,000 to define a priority level for the policy. The higher the number, the higher the priority level.
authentication	Configures the IKE authentication method: pre-share: Preshared key rsa-sig: RSAsignatures ecdsa-256: ECDSA-256-bit signatures ecdsa-384: ECDSA-384-bit signatures
disable	Disables the IKE policy.
enable [bypass\|secret]	Enables the IKE policy using the bypass or secret. Bypass prompts for the enable mode login and password. Secret prompts for the enable password.
encryption	Configures the IKE encryption algorithm: 3DES: 168-bit 3DES-CBC encryption algorithm AES128: 128-bit AES-CBC encryption algorithm AES192: 192-bit AES-CBC encryption algorithm AES256: 256-bit AES-CBC encryption algorithm DES: 56-bit DES-CBCencryption algorithm
group	Configures the IKE Diffie Hellman group: 1: 768-bit Diffie Hellman prime modulus group. This is the default group setting. 2: 1024-bit Diffie Hellman prime modulus group 14: 2048-bit Diffie Hellman DDH prime modulus group 19: 256-bit random Diffie Hellman ECP modulus group 20: 384-bit random Diffie Hellman ECP modulus group
hash	Configures the IKEhash algorithm: md5: MD5 (HMAC variant) hash algorithm sha: SHA1-160 (HMAC variant) hash algorithm sha1-96: SHA1-96 (HMAC variant) hash algorithm sha2-256-128: SHA2-256-128 (HMAC variant) hash algorithm sha2-384-192: SHA2-384-192 (HMAC variant) hash algorithm
prf	Sets one of the following pseudo-random function (PRF) values for an IKEv2 policy: PRF-HMAC-MD5 (default):MD5 (HMAC variant) PRF PRF-HMAC-SHA1: SHA1-160 (HMAC variant) PRF PRF-HMAC-SHA256:SHA2-256 PRF PRF-HMAC-SHA384: SHA2-384 PRF
lifetime <seconds>	Specifies the lifetime of the IKE security association (SA), from 300 - 86400 seconds.
no disable	Disables the IKE policy.
version	Specifies the version of IKE protocol for the IKE policy: v1: IKEv1 v2: IKEv2

Example

The following command configures the RSAsignature authentication method for the given IKE policy:

(host) [mynode] (config) #crypto isakmp policy 1

(host) [mynode] (config-isakmp) #authentication rsa-sig

Key:*******Re-Type Key:*******

Related Commands

Command	Description
show crypto isakmp	Displays IKEpolicies configured for ISAKMP.

Command History

Release	Modification
ArubaOS 8.0.0.0	Command introduced.

Command Information

Platforms	License	Command Mode
All platforms	The following settings require the Advanced Cryptogram (ACR) license: hash algorithm: SHA-256-128, SHA-384-192 Diffie-Hellman (DH) Groups: 19 and 20 Pseudo-Random Function (PRF): PRF-HMAC-SHA256, PRF-HMAC-SHA384 Authentication: ecdsa-256 and ecdsa-384 All other parameters are supported in the base OS.	Config mode on Mobility Conductor.

Platforms

License

Command Mode

All platforms

The following settings require the Advanced Cryptogram (ACR) license:

hash algorithm: SHA-256-128, SHA-384-192
Diffie-Hellman (DH) Groups: 19 and 20
Pseudo-Random Function (PRF): PRF-HMAC-SHA256, PRF-HMAC-SHA384
Authentication: ecdsa-256 and ecdsa-384

All other parameters are supported in the base OS.

Config mode on Mobility Conductor.