Configuring IPSec Parameters

To configure IPSec:

For each endpoint, create a transform set that provides the desired encryption and authentication. host1(config)#ipsec transform-set customerAprotection esp-3des-hmac-sha host1(config)#ipsec transform-set customerBprotection ah-hmac-md5
Add a preshared key that the routers use to authenticate each other.host1(config)#ipsec key manual pre-share 5.2.0.1 host1(config-manual-key)#key customerASecret
After you enter a preshared key, the router encrypts the key and displays it in masked form to increase the security of the key. If you need to reenter the key, you can enter it in its masked form using this command.

To see the masked form of the key:
host1#show config ipsec key manual pre-share 10.10.1.1 masked-key “ AAAAGAAAAAcAAAACfd+SAsaVQ6Qeopt2rJOP6LDg+0hX5cMO”
To enter the masked key:
host1(config-manual-key)#masked-key AAAAGAAAAAcAAAACfd+SAsaVQ6Qeopt2rJOP6LDg+0hX5cMO
Define the local endpoint used for ISAKMP/IKE negotiations for all IPSec tunnels in the router.host1(config)#ipsec local-endpoint 10.10.1.1 transport-virtual-router vr#8
(Optional) Set the global (default) lifetime for all SAs on the router.host1(config)#ipsec lifetime kilobytes 42000000

ipsec key manual pre-share

Use to specify that a peer use a preshared key for authentication during the tunnel establishment phase, and to display the prompt that lets you enter the preshared key. To enter a key, use the key command.
Specify the peer by using its IP address or fully qualified domain name (FQDN).
- FQDNs are supported only for signaled tunnels.
- The router must be in aggressive mode to use FQDNs with preshared keys.
- The identity string can include an optional user@ specification preceding the FQDN.
You must enter this command in the virtual router context where the IP address of the peer is defined.
Example 1—using an IP Addresshost1(config)#ipsec key manual pre-share ip address 10.10.1.1 host1(config-manual-key)#
Example 2—using an FQDNhost1(config)#ipsec key manual pre-share identity branch245.customer77.isp.net host1(config-manual-key)#
Example 3—using an FQDN with user@ specificationhost1(config)#ipsec key manual pre-share identity user4919@branch245.customer77.isp.net host1(config-manual-key)#
Use the no version to delete a manually configured key from the router.
See ipsec key manual pre-share.

ipsec lifetime

Use to set the global (default) lifetime in seconds or volume of traffic in kilobytes. The IPSec lifetime applies to tunnels that do not have a tunnel lifetime defined. When either limit is reached, the SA is renegotiated.
To set a lifetime for all SAs on a tunnel, use the tunnel lifetime command.
To set a lifetime for a specific SA, use the lifetime command.
Example 1host1(config)#ipsec lifetime kilobytes 42000000
Example 2host1(config)#ipsec lifetime seconds 8600
Use the no version to restore the default values of 4294967295 kilobytes and 28800 seconds (8 hours).
See ipsec lifetime.

ipsec local-endpoint

Use to define a default local endpoint for ISAKMP/IKE negotiations and all IPSec tunnels for a transport virtual router.
You must specify the IP address used as the local endpoint and the transport virtual router on which the IP address is defined.
Examplehost1(config)#ipsec local-endpoint 10.10.1.1 transport-virtual-router VR#8
Use the no version to delete a local endpoint. You cannot remove an endpoint if a tunnel is referencing the endpoint.
See ipsec local-endpoint.

ipsec transform-set

Use to create a transform set. Each transform in a set provides a different combination of data authentication and confidentiality.
Transform sets used for manually configured tunnels can have one transform.
Transform sets used for signaled tunnels can have up to six transforms. The actual transform used on the tunnel is negotiated with the peer. Transforms are numbered in a priority sequence in the order in which you enter them.
To display the names of the transforms that you can use in a transform set, issue the ipsec transform-set transformSetName ? command.
Examplehost1(config)#ipsec transform-set espSet esp-3des-hmac-md5 esp-3des-null-auth
Use the no version to delete a transform set. You cannot remove a transform set if a tunnel is referencing the transform set.
See ipsec transform-set.

key

Use to enter a manual preshared key.
Preshared keys can have up to 256 ASCII alphanumeric characters. To include spaces in the key, enclose the key in quotation marks.
Example 1host1(config-manual-key)#key dj5fe23owi8er49fdsa
Example 2host1(config-manual-key)#key “ my key with spaces”
There is no no version. To delete a key, use the no version of the ipsec key manual command.
See key.

masked-key

Use to enter the preshared key in masked form.
For security purposes, the router displays the key only in masked form. If you delete the key or reboot the router to factory defaults, you can use this command to reenter the key in its masked form so that the key is not visible while you enter it.
To see the masked key, use the show config command.
Examplehost1#show config ipsec key manual pre-share 10.10.1.1 masked-key “ AAAAGAAAAAcAAAACfd+SAsaVQ6Qeopt2rJOP6LDg+0hX5cMO” host1#configure terminal host1(config)#ipsec key manual pre-share 10.10.1.1 host1(config-manual-key)#masked-key AAAAGAAAAAcAAAACfd+SAsaVQ6Qeopt2rJOP6LDg+0hX5cMO
There is no no version. To delete a key, use the no version of the ipsec key manual command.
See masked-key.