Cryptography (X.509, IPSec)

crypto ipsec ike {clear sa [peer {any | <ipv4v6-address>} local <ip-address>] | restart}
Manages the IKE (ISAKMP) process or database state.

Syntax Description |
  clear | Clears IKE (ISAKMP) peering state
  sa | Clears IKE-generated ISAKMP and IPSec security associations (remote peers are affected)
  peer | Clears security associations for the specified IKE peer (remote peers are affected)
  local | Clears security associations for the specified or all IKE peerings (remote peer is affected)
  restart | Restarts the IKE (ISAKMP) daemon (clears all IKE state; peers may be affected)
Default | N/A
Configuration Mode | config
History | 1.1.0
Example |
Related Commands |
Notes |

crypto ipsec peer <ipv4v6-address> local <ipv4v6-address> {enable | keying {ike [auth {hmac-md5 | hmac-sha1 | hmac-sha256 | null} | dh-group | disable | encrypt | exchange-mode | lifetime | local-identity | mode | peer-identity | pfs-group | preshared-key | prompt-preshared-key | transform-set] | manual [auth | disable | encrypt | local-spi | mode | remote-spi]}}
Configures IPSec in the system.

Syntax Description |
  enable | Enables IPSec peering
  ike | Configures IPSec peering using IKE ISAKMP to manage SA keys.
  keying | Configures key management for this IPSec peering:
  manual | Configures IPSec peering using manual keys
Default | N/A
Configuration Mode | config
History | 1.1.0
Example |
Related Commands |
Notes |

crypto certificate ca-list [default-ca-list {name {<CA list name> | system-self-signed}}]
no crypto certificate ca-list [default-ca-list {name {<cert-name> | system-self-signed}}]
Adds the specified CA certificate to the default CA certificate list. The no form of the command removes the certificate from the default CA certificate list.

Syntax Description |
  cert-name | Name of the certificate
Default | N/A
Configuration Mode | config
History | 1.1.0
Example |
Related Commands |
Notes |

crypto certificate default-cert [{name {<cert-name> | system-self-signed}}]
no crypto certificate default-cert [{name {<cert-name> | system-self-signed}}]
Designates the named certificate as the global default certificate role for authentication of this system to clients. The no form of the command reverts the default-cert name to "system-self-signed" (the "cert-name" value is optional and ignored).

Syntax Description |
  cert-name | Name of the certificate
Default | N/A
Configuration Mode | config
History | 1.1.0
Example |
Related Commands |
Notes |

crypto certificate generation {default {country-code | days-valid | email-addr | key-size-bits | locality | org-unit | organization | state-or-prov}}
Configures default values for certificate generation.

Syntax Description |
  country-code | Configures the default certificate value for country code with a two-alphanumeric-character code or – for none
  days-valid | Configures the default certificate valid days. Default: 365 days.
  email-addr | Configures the default certificate value for email address
  key-size-bits | Configures the default certificate value for private key size. (Private key length in bits – at least 1024, but 2048 is strongly recommended.)
  locality | Configures the default certificate value for locality
  org-unit | Configures the default certificate value for organizational unit
  organization | Configures the default certificate value for the organization name
  state-or-prov | Configures the default certificate value for state or province
Default | N/A
Configuration Mode | config
History | 1.1.0
Example |
Related Commands |
Notes |

crypto certificate name {<name> | system-self-signed} {comment <new comment> | generate self-signed [comment <cert-comment> | common-name <domain> | country-code <code> | days-valid <days> | email-addr <address> | key-size-bits <bits> | locality <name> | org-unit <name> | organization <name> | serial-num <number> | state-or-prov <name>] | private-key pem <PEM string> | prompt-private-key | public-cert [comment <comment string> | pem <PEM string>] | regenerate days-valid <days> | rename <new name>}
no crypto certificate name <cert-name>
Configures default values for certificate generation. The no form of the command clears/deletes certain certificate settings.

Syntax Description |
  cert-name | Unique name by which the certificate is identified
  comment | Specifies a certificate comment
  generate self-signed | Generates certificates. This option has the following parameters which may be entered sequentially in any order:
  private-key pem | Specifies certificate contents in PEM format
  prompt-private-key | Prompts for certificate private key with secure echo
  public-cert | Installs a certificate
  regenerate | Regenerates the named certificate using configured certificate generation default values for the specified validity period
  rename | Renames the certificate
Default | N/A
Configuration Mode | config
History | 1.1.0
Example |
Related Commands |
Notes |
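
An added example (not part of the original reference and not vendor code): a small Python check that scans configuration text for the weakest choices the commands above allow, namely hmac-md5 or null IKE authentication, manual keying, and certificate keys below the 2048 bits the reference recommends. The sample lines are constructed from the documented syntax; that a saved configuration echoes commands in this form is an assumption.

```python
import shlex

# IKE auth options from the documented syntax that give weak or no integrity.
WEAK_IKE_AUTH = {"hmac-md5": "HMAC-MD5 integrity", "null": "no integrity algorithm"}
MIN_KEY_BITS = 2048  # the reference calls 2048 "strongly recommended"

def _after(tokens, *path):
    """Return the token that follows the consecutive keywords `path`, or None."""
    n = len(path)
    for i in range(len(tokens) - n):
        if tuple(tokens[i:i + n]) == path:
            return tokens[i + n]
    return None

def audit(config_text):
    """Return (line_number, message) findings for weak crypto settings."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        try:
            tok = shlex.split(raw, comments=True)
        except ValueError:          # unbalanced quotes: not a line we can judge
            continue
        if tok[:1] != ["crypto"]:   # also skips comments and "no ..." forms
            continue
        if tok[:3] == ["crypto", "ipsec", "peer"]:
            auth = _after(tok, "keying", "ike", "auth")
            if auth in WEAK_IKE_AUTH:
                findings.append((lineno, f"IKE auth {auth}: {WEAK_IKE_AUTH[auth]}"))
            if _after(tok, "keying") == "manual":
                findings.append((lineno, "manual keying: static keys, no IKE rekeying"))
        elif tok[:2] == ["crypto", "certificate"]:
            bits = _after(tok, "key-size-bits")
            if bits and bits.isdigit() and int(bits) < MIN_KEY_BITS:
                findings.append((lineno, f"key-size-bits {bits} is below {MIN_KEY_BITS}"))
    return findings

# Constructed sample (addresses and names are made up, not device output).
SAMPLE = """\
# constructed sample configuration
crypto ipsec peer 10.0.0.2 local 10.0.0.1 keying ike auth hmac-md5
crypto ipsec peer 10.0.0.3 local 10.0.0.1 keying ike auth hmac-sha256
crypto ipsec peer 10.0.0.4 local 10.0.0.1 keying manual
crypto certificate generation default key-size-bits 1024
crypto certificate name web1 generate self-signed common-name sw1.example.com key-size-bits 2048
"""

if __name__ == "__main__":
    for lineno, message in audit(SAMPLE):
        print(f"line {lineno}: {message}")
```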

crypto certificate system-self-signed regenerate [days-valid <days>]
Configures default values for certificate generation.

Syntax Description |
  days-valid | Specifies the number of days the certificate is valid
Default | N/A
Configuration Mode | config
History | 1.1.0
Example |
Related Commands |
Notes |

show crypto certificate [detail | public-pem | default-cert [detail | public-pem] | name <cert-name> [detail | public-pem] | ca-list [default-ca-list]]
Displays information about all certificates in the certificate database.

Syntax Description |
  ca-list | Specifies the number of days the certificate is valid
  default-ca-list | Displays information about the currently configured default certificates of the CA list
  default-cert | Displays information about the currently configured default certificate
  detail | Displays all attributes related to the certificate
  name | Displays information about the certificate specified
  public-pem | Displays the uninterpreted public certificate as a PEM formatted data string
Default | N/A
Configuration Mode | Any configuration mode
History | 1.1.0
Example |
Related Commands |
Notes |

show crypto ipsec [brief | configured | ike | policy | sa]
Displays information about the IPSec configuration.

Syntax Description | N/A
Default | N/A
Configuration Mode | Any configuration mode
History | 1.1.0
Example |
Related Commands |
Notes |