OcNOS-RON : System Management Guide : System Management Command Reference : Internet Protocol Security Commands
Internet Protocol Security Commands
This chapter is a reference for the Internet Protocol Security (IPsec) commands.
mode
crypto ipsec transform-set
Use this command to configure a transform set that defines protocols and algorithm settings to apply to IPSec protected traffic.
During the IPSec security association negotiation, the peers agree to use a particular transform-set to be used for protecting a particular data flow.
Several transform-sets can be specified and associated with a crypto map entry.
A transform set defines the IPSec security protocols: Encapsulation Security Protocol (ESP) or Authentication Header (AH), and also specifies which algorithms to use with the selected security protocol.
Command Syntax
crypto ipsec transform-set NAME mode (transport|tunnel)
crypto ipsec transform-set NAME ah (none|ah-md5|ah-sha1|ah-sha256|ah-sha384|ah-sha512)
crypto ipsec transform-set NAME esp-auth (none|esp-md5|esp-sha1|esp-sha256|esp-sha384|esp-sha512) esp-enc (esp-null|esp-3des|esp-aes|esp-aes192|esp-aes256|esp-blf|esp-blf192|esp-blf256|esp-cast)
Parameters
NAME
Name of the transform set.
mode
Change the transform-set mode to tunnel or transport.
ah
Authentication Header protocol provides data authentication.
none
No authentication.
ah-md5
Authentication Header with Message Digest 5 (MD5) Hashed Message Authentication Code (HMAC) variant.
ah-sha1
Authentication Header with Secure Hash Algorithm 1 (SHA-1) Hashed Message Authentication Code (HMAC) variant.
ah-sha256
Authentication Header with Secure Hash Algorithm 256 (SHA-256) Hashed Message Authentication Code (HMAC) variant.
ah-sha384
Authentication Header with Secure Hash Algorithm 384 (SHA-384) Hashed Message Authentication Code (HMAC) variant.
ah-sha512
Authentication Header with Secure Hash Algorithm 512 (SHA-512) Hashed Message Authentication Code (HMAC) variant.
esp-auth
Encapsulating Security Payload authentication protocol provides data authentication.
none
No authentication.
esp-md5
Encapsulating Security Payload with Message Digest 5 (MD5) Hashed Message Authentication Code (HMAC) variant.
esp-sha1
Encapsulating Security Payload with Secure Hash Algorithm 1 (SHA-1) Hashed Message Authentication Code (HMAC) variant.
esp-sha256
Encapsulating Security Payload with Secure Hash Algorithm 256 (SHA-256) Hashed Message Authentication Code (HMAC) variant.
esp-sha384
Encapsulating Security Payload with Secure Hash Algorithm 384 (SHA-384) Hashed Message Authentication Code (HMAC) variant.
esp-sha512
Encapsulating Security Payload with Secure Hash Algorithm 512 (SHA-512) Hashed Message Authentication Code (HMAC) variant.
esp-enc
Encapsulating Security Payload encryption protocol
esp-null
Encapsulating Security Payload null encryption.
esp-3des
Encapsulating Security Payload with 168-bit DES encryption (3DES or Triple DES).
esp-aes
Alternative AES.
esp-aes192
Alternative AES192.
esp-aes256
Alternative AES256.
esp-blf
Alternative Blowfish.
esp-blf192
Alternative Blowfish192.
esp-blf256
Alternative Blowfish256.
esp-cast
Alternative Cast (IKEv1 not supported).
Command Mode
Configure mode
Example
#configure terminal
(config)#crypto ipsec transform-set TEST_ESP esp-auth esp-md5 esp-enc esp-3des
(config)#crypto ipsec transform-set TEST_AH ah ah-sha512
 
crypto map (Configure Mode)
Use this command to create or change a crypto map entry and enter crypto map configuration mode.
Use the no form of this command to delete a crypto map entry or set.
Command Syntax
crypto map MAP-NAME ipsec-manual
no crypto map MAP-NAME
Parameters
MAP-NAME
Name of the crypto map set (maximum length 127).
ipsec-manual
Do not use IKE to establish IPSec security associations.
Command Mode
Configure mode
Example
(config)#crypto map MAP1 5 ipsec-manual
(config-crypto)#
mode
Use this command to set the mode of negotiation for a transform set.
Use the no form of this command to reset the mode to its default (tunnel).
Command Syntax
mode (tunnel|transport)
no mode
Parameter
tunnel
The entire original IP packet is protected (default).
transport
The payload (data) of the original IP packet is protected.
Defaults
Tunnel mode
Command Mode
Transform set mode
Example
(config)#crypto ipsec transform-set TEST_ESP mode transport
(config-transform)#mode transport
set peer (Sequence mode)
Use this command to specify an IPSec peer IPv4 or IPv6 for a crypto map.
Command syntax
set peer (A.B.C.D | X:X::X:X) (spi (<0-4096>)|)
Parameters
A.B.C.D
IPv4 peer address
X:X:X:X
IPv6 peer address
spi
Specifies the security parameter index (SPI), a number that is used to uniquely identify a security association.
<0-4096>
Security parameter index (SPI) range
Default
None
Command Mode
Crypto map sequence mode
Applicability
This command is introduced in OcNOS version 6.0.0
Examples
#configure terminal
(config)#crypto map MAP1 ipsec-manual
(config-crypto)#sequence 1
(config-crypto-seq)#set transform-set TEST_ESP
(config-crypto-seq)#set peer fe80::3617:ebff:fe0e:1222 spi 200
 
 
set session-key (Sequence mode)
Use this command to define IPSec keys for security associations via ipsec-manual crypto map entries.
When you define multiple IPSec session keys within a single crypto map, you can assign the same security parameter index (SPI) number to all the keys. The SPI is used to identify the security association used with the crypto map.
Session keys at one peer must match the session keys at the remote peer.
Command syntax
set session-key (inbound|outbound) esp SPI cipher HEX-KEY-DATA authenticator HEX-KEY-DATA
no set session-key (inbound|outbound) esp SPI
Parameters
inbound
Sets the inbound IPSec session key. Both inbound and outbound keys must be set.
outbound
Sets the outbound IPSec session key. Both inbound and outbound keys must be set.
esp
Sets the IPSec session key for the Encapsulation Security Protocol.
SPI
Specifies the security parameter index (SPI), a number that is used to uniquely identify a security association.
cipher
Indicates that the key string is to be used with the ESP encryption.
HEX-KEY-DATA
Specifies the session key in hexadecimal format.
authenticator
Indicates that the key string is to be used with the ESP authentication.
Default
None
Command Mode
Crypto map sequence mode
Applicability
This command is introduced in OcNOS version 6.0.0
Examples
#configure terminal
(config)#crypto map MAP1 ipsec-manual
(config-crypto)#sequence 1
(config-crypto-seq)#set session-key outbound esp 200 cipher 123456781234567812345678123456781234567812345678 authenticator 123456781234567812345678
(config-crypto-seq)#set session-key inbound esp 200 cipher 123456781234567812345678123456781234567812345678 authenticator 123456781234567812345678
 
set transform-set (Sequence mode)
Use this command to specify which transform sets to include in a crypto map entry.
Command syntax
set transform-set NAME
Parameters
NAME
Transform-set name
Default
None
Command Mode
Crypto map sequence mode
Applicability
This command is introduced in OcNOS version 6.0.0
Examples
#configure terminal
(config)#crypto map MAP1 ipsec-manual
(config-crypto)#sequence 1
(config-crypto-seq)#set transform-set TEST_ESP
 
sequence
The number you assign to the seq-num will be used to rank multiple crypto map entries within a crypto map set. This number defines the priority of crypto-map evaluation within a crypto map set.
Command syntax
sequence SEQ-NUM
Parameters
SEQ-NUM
Crypto map sequence number
Default
None
Command Mode
Crypto map mode
Applicability
This command is introduced in OcNOS version 6.0.0
Examples
#configure terminal
(config)#crypto map MAP1 ipsec-manual
(config-crypto)#sequence 1
(config-crypto-seq)#
 
show crypto ipsec transform-set
Use this command to show the IPsec transform-set entries.
Command syntax
show crypto ipsec transform-set NAME
Parameters
NAME
Transform-set name
Default
None
Command Mode
Exec mode and Privileged Exec mode
Applicability
This command is introduced in OcNOS version 6.0.0
Examples
#show crypto ipsec transform-set TEST_ESP
Transform set t3
Mode is Transport
Algorithm none esp-3des esp-md5