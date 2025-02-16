
Cryptography (X.509, IPSec)
crypto ipsec ike {clear sa [peer {any | <ipv4v6-address>} local <ip-address>] | restart}
Manage the IKE (ISAKMP) process or database state.
Syntax Description
clear
Clears IKE (ISAKMP) peering state
sa
Clears IKE generated ISAKMP and IPSec security associations (remote peers are affected)
peer
Clears security associations for the specified IKE peer (remote peers are affected).
local
Clears security associations for the specified IKE peering, or for all peerings (remote peers are affected)
restart
Restarts the IKE (ISAKMP) daemon (clears all IKE state, peers may be affected)
crypto ipsec peer <ipv4v6-address> local <ipv4v6-address> {enable | keying {ike [auth {hmac-md5 | hmac-sha1 | hmac-sha256 | null} | dh-group | disable | encrypt | exchange-mode | lifetime | local-identity | mode | peer-identity | pfs-group | preshared-key | prompt-preshared-key | transform-set] | manual [auth | disable | encrypt | local-spi | mode | remote-spi]}}
Configures IPSec peering in the system.
Syntax Description
enable
Enables IPSec peering
ike
Configures IPSec peering using IKE ISAKMP to manage SA keys.
keying
Configures key management for this IPSec peering:
manual
Configures IPSec peering using manual keys
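A constructed configuration sequence for one IKE-keyed IPSec peering, added here as an example and not taken from the product documentation. The addresses (192.0.2.1 local, 192.0.2.2 peer) are placeholders; the keyword order follows the syntax above, and hmac-sha256 is chosen over the weaker hmac-md5 and null authentication options listed there.

```text
# Constructed example: define the peering and select IKE (ISAKMP) key management
crypto ipsec peer 192.0.2.2 local 192.0.2.1 keying ike
# Use HMAC-SHA256 rather than hmac-md5 or null for IKE authentication
crypto ipsec peer 192.0.2.2 local 192.0.2.1 keying ike auth hmac-sha256
# Enter the pre-shared key interactively so it does not land in shell or terminal history
crypto ipsec peer 192.0.2.2 local 192.0.2.1 keying ike prompt-preshared-key
# Activate the peering
crypto ipsec peer 192.0.2.2 local 192.0.2.1 enable

# Verify negotiated state: IKE status and the resulting security associations
show crypto ipsec ike
show crypto ipsec sa

# Force a fresh negotiation with this peer only (the remote peer is affected)
crypto ipsec ike clear sa peer 192.0.2.2 local 192.0.2.1
```

Use `crypto ipsec ike restart` only when every peering must be renegotiated, since it clears all IKE state on the system.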
crypto certificate ca-list [default-ca-list {name {<cert-name> | system-self-signed}}]
no crypto certificate ca-list [default-ca-list {name {<cert-name> | system-self-signed}}]
Adds the specified CA certificate to the default CA certificate list.
The no form of the command removes the certificate from the default CA certificate list.
Syntax Description
cert-name
Name of the certificate
crypto certificate default-cert [{name {<cert-name> | system-self-signed}}]
no crypto certificate default-cert [{name {<cert-name> | system-self-signed}}]
Designates the named certificate as the global default certificate role for authentication of this system to clients.
The no form of the command reverts the default-cert name to "system-self-signed" (the "cert-name" value is optional and ignored).
Syntax Description
cert-name
Name of the certificate
crypto certificate generation {default {country-code | days-valid | email-addr | key-size-bits | locality | org-unit | organization | state-or-prov}}
Configures default values for certificate generation.
Syntax Description
country-code
Configures the default certificate value for country code with a two-alphanumeric-character code or – for none
days-valid
Configures the default certificate valid days. Default: 365 days.
email-addr
Configures the default certificate value for email address
key-size-bits
Configures the default certificate value for private key size. (Private key length in bits – at least 1024, but 2048 is strongly recommended.)
locality
Configures the default certificate value for locality
org-unit
Configures the default certificate value for organizational unit
organization
Configures the default certificate value for the organization name
state-or-prov
Configures the default certificate value for state or province
crypto certificate name {<name> | system-self-signed} {comment <new comment> | generate self-signed [comment <cert-comment> | common-name <domain> | country-code <code> | days-valid <days> | email-addr <address> | key-size-bits <bits> | locality <name> | org-unit <name> | organization <name> | serial-num <number> | state-or-prov <name>] | private-key pem <PEM string> | prompt-private-key | public-cert [comment <comment string> | pem <PEM string>] | regenerate days-valid <days> | rename <new name>}
no crypto certificate name <cert-name>
Configures the named certificate: sets its comment, generates it as a self-signed certificate, installs its private key or public certificate, regenerates it, or renames it.
The no form of the command clears/deletes certain certificate settings.
Syntax Description
cert-name
Unique name by which the certificate is identified
comment
Specifies a certificate comment
generate self-signed
Generates a self-signed certificate. Its parameters (listed in the syntax above) may be entered sequentially in any order.
private-key pem
Specifies the certificate private key in PEM format
prompt-private-key
Prompts for certificate private key with secure echo
public-cert
Installs a certificate
regenerate
Regenerates the named certificate using configured certificate generation default values for the specified validity period
rename
Renames the certificate
crypto certificate system-self-signed regenerate [days-valid <days>]
Regenerates the system self-signed certificate, optionally for the specified validity period.
Syntax Description
days-valid
Specifies the number of days the certificate is valid
show crypto certificate [detail | public-pem | default-cert [detail | public-pem] | name <cert-name> [detail | public-pem] | ca-list [default-ca-list]]
Displays information about all certificates in the certificate database.
Syntax Description
ca-list
Displays information about the CA certificate list
default-ca-list
Displays information about the currently configured default certificates of the CA list
default-cert
Displays information about the currently configured default certificate
detail
Displays all attributes related to the certificate
name
Displays information about the certificate specified
public-pem
Displays the uninterpreted public certificate as a PEM formatted data string
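A constructed certificate workflow using the commands above, added here as an example and not taken from the product documentation. The certificate name (web-cert), common name (switch.example.com) and country code are placeholders; the key size follows the 2048-bit recommendation given for key-size-bits.

```text
# Constructed example: set generation defaults first so every later certificate inherits them
crypto certificate generation default key-size-bits 2048
crypto certificate generation default days-valid 365
crypto certificate generation default country-code US

# Generate a named self-signed certificate; unspecified fields come from the defaults above
crypto certificate name web-cert generate self-signed common-name switch.example.com

# Make it the certificate this system presents to clients
crypto certificate default-cert name web-cert

# Verify what was installed and what clients will see
show crypto certificate name web-cert detail
show crypto certificate default-cert public-pem

# Renew before expiry, reusing the configured generation defaults
crypto certificate name web-cert regenerate days-valid 365

# Fall back to the built-in self-signed certificate if the named one must be withdrawn
no crypto certificate default-cert
```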
show crypto ipsec [brief | configured | ike | policy | sa]
Displays IPSec configuration information.
Syntax Description
