Полезная информация

cc/td/doc/product/software/ios120/12cgcr/secur_r
hometocprevnextglossaryfeedbacksearchhelp
PDF

Table of Contents

Cisco Encryption Technology Commands

Cisco Encryption Technology Commands

This chapter describes Cisco Encryption Technology (CET) commands. Cisco provides network data encryption as a means to safeguard network data that travels from one Cisco router to another, across unsecured networks.

Refer to the Command Reference Master Index or search online to find complete descriptions of other commands used when configuring CET.

For configuration information, refer to the chapter "Configuring Cisco Encryption Technology" in the Security Configuration Guide.

access-list (encryption)

To define an encryption access list by number, use the extended IP access-list global configuration command. Use the no form of this command to remove a numbered encryption access list.

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit}
protocol source source-wildcard destination destination-wildcard [precedence precedence]
[tos tos] [log]
no access-list access-list-number

For Internet Control Message Protocol (ICMP), you can also use the following syntax:

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit}
icmp source source-wildcard destination destination-wildcard [icmp-type [icmp-code] |
icmp-message] [precedence precedence] [tos tos] [log]

For Internet Group Management Protocol (IGMP), you can also use the following syntax:

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit}
igmp source source-wildcard destination destination-wildcard [igmp-type]
[precedence precedence] [tos tos] [log]

For TCP, you can also use the following syntax:

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit}
tcp source source-wildcard [operator port [port]] destination destination-wildcard
[operator port [port]] [established] [precedence precedence] [tos tos] [log]

For User Datagram Protocol (UDP), you can also use the following syntax:

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit}
udp source source-wildcard [operator port [port]] destination destination-wildcard
[operator port [port]] [precedence precedence] [tos tos] [log]

Syntax Description

access-list-number

Number of an encryption access list. This is a decimal number from 100 to  199.

dynamic dynamic-name

(Optional) Identifies this encryption access list as a dynamic encryption access list. Refer to lock-and-key access documented in the "Configuring Lock-and-Key Security (Dynamic Access Lists)" chapter in the Security Configuration Guide.

timeout minutes

(Optional) Specifies the absolute length of time (in minutes) that a temporary access list entry can remain in a dynamic access list. The default is an infinite length of time and allows an entry to remain permanently. Refer to lock-and-key access documented in the "Configuring Lock-and-Key Security (Dynamic Access Lists)" chapter in the Security Configuration Guide.

deny

Does not encrypt/decrypt IP traffic if the conditions are matched.

permit

Encrypts/decrypts IP traffic if the conditions are matched.

protocol

Name or number of an IP protocol. It can be one of the keywords eigrp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, tcp, or udp, or an integer in the range 0 to 255 representing an IP protocol number. To match any Internet protocol, including ICMP, TCP, and UDP, use the keyword ip. Some protocols allow further qualifiers, as described in text that follows.

source

Number of the network or host from which the packet is being sent. There are three other ways to specify the source:

  • Use a 32-bit quantity in four-part dotted-decimal format.

  • Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255. This keyword is normally not recommended (see the section "Usage Guidelines").

  • Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

source-wildcard

Wildcard bits (mask) to be applied to source. There are three other ways to specify the source wildcard:

  • Use a 32-bit quantity in four-part dotted-decimal format. Place ones in the bit positions you want to ignore.

  • Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255. This keyword is normally not recommended (see the section "Usage Guidelines").

  • Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

destination

Number of the network or host to which the packet is being sent. There are three other ways to specify the destination:

  • Use a 32-bit quantity in four-part dotted-decimal format.

  • Use the keyword any as an abbreviation for the destination and destination-wildcard of 0.0.0.0 255.255.255.255. This keyword is normally not recommended (see the section "Usage Guidelines").

  • Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

destination-wildcard

Wildcard bits to be applied to the destination. There are three other ways to specify the destination wildcard:

  • Use a 32-bit quantity in four-part dotted-decimal format. Place ones in the bit positions you want to ignore.

  • Use the keyword any as an abbreviation for a destination and destination-wildcard of 0.0.0.0 255.255.255.255. This keyword is normally not recommended (see the section "Usage Guidelines").

  • Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

precedence precedence

(Optional) Packets can be matched for encryption by precedence level, as specified by a number from 0 to 7 or by name as listed in the section "Usage Guidelines."

tos tos

(Optional) Packets can be matched for encryption by type of service level, as specified by a number from 0 to 15 or by name as listed in the section "Usage Guidelines."

icmp-type

(Optional) ICMP packets can be matched for encryption by ICMP message type. The type is a number from 0 to 255.

icmp-code

(Optional) ICMP packets that are matched for encryption by ICMP message type can also be matched by the ICMP message code. The code is a number from 0 to 255.

icmp-message

(Optional) ICMP packets can be matched for encryption by an ICMP message type name or ICMP message type and code name. The possible names are discussed in the section "Usage Guidelines."

igmp-type

(Optional) IGMP packets can be matched for encryption by IGMP message type or message name. A message type is a number from 0  to 15. IGMP message names are listed in the section "Usage Guidelines."

operator

(Optional) Compares source or destination ports. Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range).

If the operator is positioned after the source and source-wildcard, it must match the source port.

If the operator is positioned after the destination and destination-wildcard, it must match the destination port.

The range operator requires two port numbers. All other operators require one port number.

port

(Optional) The decimal number or name of a TCP or UDP port. A port number is a number from 0 to 65535.

TCP port names are listed in the section "Usage Guidelines." TCP port names can be used only when filtering TCP.

UDP port names are listed in the section "Usage Guidelines." UDP port names can be used only when filtering UDP.

established

(Optional) For the TCP protocol only: Indicates an established connection. A match occurs if the TCP datagram has the ACK or RST bits set. The nonmatching case is that of the initial TCP datagram to form a connection.

log

(Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.)

The message includes the access list number, whether the packet was encrypted/decrypted or not; the protocol, whether it was TCP, UDP, ICMP, or a number; and, if appropriate, the source and destination addresses and source and destination port numbers. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets encrypted/decrypted or not in the prior 5-minute interval.

Default

No numbered encryption access lists are defined, and therefore no traffic will be encrypted/decrypted. After being defined, all encryption access lists contain an implicit "deny" ("do not encrypt/decrypt") statement at the end of the list.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2.

Use encryption access lists to control which packets on an interface are encrypted/decrypted, and which are transmitted as plain text (unencrypted).

When a packet is examined for an encryption access list match, encryption access list statements are checked in the order that the statements were created. After a packet matches the conditions in a statement, no more statements will be checked. This means that you need to carefully consider the order in which you enter the statements.

To use the encryption access list, you must first specify the access list in a crypto map and then apply the crypto map to an interface, using the crypto map (global configuration) and crypto map (interface configuration) commands.

Fragmented IP packets, other than the initial fragment, are immediately accepted by any extended IP access list. Extended access lists used to control virtual terminal line access or restrict contents of routing updates must not match the TCP source port, the type of service value, or the packet's precedence.


Note After an access list is created initially, any subsequent additions (possibly entered from the terminal) are placed at the end of the list. You cannot selectively add or remove access list command lines from a specific access list.
Caution When creating encryption access lists, we do not recommend using the any keyword to specify source or destination addresses. Using the any keyword with a permit statement could cause extreme problems if a packet enters your router and is destined for a router that is not configured for encryption. This would cause your router to attempt to set up an encryption session with a nonencrypting router.
If you incorrectly use the any keyword with a deny statement, you might inadvertently prevent all packets from being encrypted, which could present a security risk.

Note If you view your router's access lists by using a command such as show ip access-lists, all extended IP access lists will be shown in the command output. This includes extended IP access lists that are used for traffic filtering purposes as well as those that are used for encryption. The show command output does not differentiate between the two uses of the extended access lists.

The following is a list of precedence names:

The following is a list of type of service (TOS) names:

The following is a list of ICMP message type names and code names:

The following is a list of IGMP message names:

The following is a list of TCP port names that can be used instead of port numbers. Refer to the current Assigned Numbers RFC to find a reference to these protocols. Port numbers corresponding to these protocols can also be found by typing a ? in the place of a port number.

The following is a list of UDP port names that can be used instead of port numbers. Refer to the current Assigned Numbers RFC to find a reference to these protocols. Port numbers corresponding to these protocols can also be found by typing a ? in the place of a port number.

Example

The following example creates a numbered encryption access list that specifies a class C subnet for the source and a class C subnet for the destination of IP packets. When the router uses this encryption access list, all TCP traffic that is exchanged between the source and destination subnets will be encrypted.

Router1(config)# access-list 101 permit tcp 172.21.3.0 0.0.0.255 172.22.2.0 
0.0.0.255

This encryption access list will be applied to an interface as an outbound encryption access list after the router administrator defines a crypto map and applies the crypto map to the interface.

Related Commands

You can use the master indexes or search online to find documentation of related commands.

access-list (extended) (used for traffic filtering purposes)
crypto map (global configuration)
crypto map (interface configuration)
ip access-list extended (encryption)
show ip access-lists

clear crypto connection

To terminate an encrypted session in progress, use the clear crypto connection global configuration command.

clear crypto connection connection-id [slot | rsm | vip]

Syntax Description

connection-id

Identifies the encrypted session to terminate.

slot

(Optional) Identifies the crypto engine. This argument is available only on Cisco 7200, RSP7000, and 7500 series routers.

If no slot is specified, the Cisco IOS crypto engine will be selected.

Use the chassis slot number of the crypto engine location. For the Cisco IOS crypto engine, this is the chassis slot number of the Route Switch Processor (RSP). For the VIP2 crypto engine, this is the chassis slot number of the VIP2. For the ESA crypto engine, this is the chassis slot number of the ESA (Cisco  7200) or of the VIP2 (Cisco  RSP7000 and 7500).

rsm

(Optional) This keyword is only available on the Cisco Catalyst 5000 series switch. It identifies the Route Switch Module on the Cisco Catalyst 5000 series switch.

vip

(Optional) This keyword is only available on the Cisco Catalyst 5000 series switch. It identifies the Versatile Interface Processor on the Cisco Catalyst  5000 series switch.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2. The slot argument and rsm and vip keywords were added in Cisco IOS Release 12.0.

Use this command to terminate an encrypted session currently in progress. Encrypted sessions will normally terminate when the session times out. Use the show crypto cisco connections command to learn the connection-id value.

Example

The following example clears a pending encrypted session. (You could also clear an established encrypted session in the same way.)

Router1# show crypto cisco connections
Pending Connection Table
PE              UPE             Timestamp                    Conn_id
192.168.3.10    192.168.204.100 Mar 01 1993 00:01:09    -1
 
Connection Table
PE              UPE             Conn_id New_id  Alg     Time                Slot
192.168.3.10    192.168.204.100 -1      1       0             Not Set          4
                flags:PEND_CONN 
Router1# clear crypto connection -1
Router1# show crypto cisco connections
Connection Table
PE              UPE             Conn_id New_id  Alg     Time
192.168.3.10    192.168.204.100 0       0       0             Mar 01 1993 00:02:00
                flags:BAD_CONN 
Router1#

First, the show crypto cisco connections command is issued to learn the connection-id for the pending connection (-1). This value is then used to specify which connection to clear.

Notice that after the connection is cleared, the Pending Connection Table containing the connection entry (connection-id of -1) has disappeared from the show crypto cisco connections output. Also, the Connection Table no longer shows a -1 Conn_id.

Related Commands

You can use the master indexes or search online to find documentation of related commands.

show crypto cisco connections

crypto algorithm 40-bit-des

The crypto cisco algorithm 40-bit-des command replaces this command. Refer to the description of the crypto cisco algorithm 40-bit-des command for more information.

crypto algorithm des

The crypto cisco algorithm des command replaces this command. Refer to the description of the crypto cisco algorithm des command for more information.

crypto card

To enable (select) either the ESA crypto engine or the Cisco IOS crypto engine in Cisco 7200 series routers, use the crypto card global configuration command.

crypto card {enable | shutdown} slot

Syntax Description

enable

Selects the ESA crypto engine by enabling the ESA.

shutdown

Selects the Cisco IOS crypto engine by shutting down the ESA.

slot

The ESA chassis slot number.

Default

The Cisco IOS crypto engine is the selected (active) crypto engine.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2 P.

This command only applies to Cisco 7200 series routers with an installed ESA.

Until the ESA is enabled, the Cisco  IOS crypto engine will function as the crypto engine.

If you want to select the ESA crypto engine with this command, all other encryption configuration must already have been completed for the ESA.

If you select a crypto engine (either the ESA or the Cisco IOS crypto engine) that has not been completely configured for encryption, the router will not be able to encrypt any traffic. Any existing encryption sessions will abruptly terminate. Therefore, you must complete all encryption configuration for before you enable a crypto engine with this command.


Note If any encryption session is in progress when you switch from one crypto engine to the other, the session will be torn down, and a new session will be established using the newly selected crypto engine. This could cause a momentary delay for encrypted traffic.

Examples

The following example enables an ESA in the router chassis slot 2:

Router1(config)# crypto card enable 2
...switching to HW crypto engine
Router1(config)#

The following example switches from the Cisco  IOS crypto engine to the ESA crypto engine. The ESA crypto engine is in the router chassis slot 4.

Router1(config)# crypto card enable 4
...switching to HW crypto engine
Router1(config)#

The following example switches from the ESA crypto engine to the Cisco  IOS crypto engine. The ESA crypto engine is in the router chassis slot 4.

Router1(config)# crypto card shutdown 4
...switching to SW crypto engine
Router1(config)

crypto card clear-latch

To reset an Encryption Service Adapter (ESA), use the crypto card clear-latch global configuration command. This command resets the ESA by clearing a hardware extraction latch that is set when an ESA is removed and reinstalled in the chassis.

crypto card clear-latch {slot | vip}

Syntax Description

slot

Identifies the ESA to reset. This argument is available only on Cisco 7200, RSP7000, and 7500 series routers.

On a Cisco 7200 series router, this is the ESA chassis slot number. On a Cisco  RSP7000 or 7500 series router, this is the chassis slot number of the ESA's second-generation Versatile Interface Processor (VIP2).

vip

This keyword is only available on the Cisco Catalyst 5000 series switch. Identifies the Versatile Interface Processor on the Cisco Catalyst 5000 series switch.

Default

The ESA latch is not cleared.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2. The vip keyword was added in Cisco IOS Release 12.0.

If an ESA is installed for the first time, or removed and reinstalled, the ESA will not function unless you reset it by using this command. Before the ESA is reset, the hardware extraction latch is set and the Tampered LED is on.

To complete this command, you must enter the ESA password. If the ESA does not have a password, you must create one at this time. (The ESA might not have a password if has never been previously used, or if the crypto key zeroize dss command was previously issued for the ESA.)

If you have forgotten a previously assigned password, you have to use the crypto key zeroize dss command instead of the crypto card clear-latch command to reset the ESA. After issuing the crypto key zeroize dss command, you must regenerate and re-exchange DSS keys. When you regenerate DSS keys you will be prompted to create a new password.

Example

The following example resets an ESA card. The ESA card is housed in a VIP2 that is in slot 1.

Router1(config)# crypto card clear-latch 1
% Enter the crypto card password.
Password: <passwd>
Router1(config)#

The following example resets an ESA card housed in a VIP2 on a Cisco Catalyst 5000 series switch:

Router1(config)# crypto card clear-latch vip
% Enter the crypto card password.
Password: <passwd>
Router1(config)#

Related Commands

You can use the master indexes or search online to find documentation of related commands.

crypto key generate dss
crypto key zeroize dss

crypto cisco algorithm 40-bit-des

To globally enable 40-bit Data Encryption Standard (DES) algorithm types, use the crypto cisco algorithm 40-bit-des global configuration command. Use the no form of this command to globally disable a 40-bit DES algorithm type.

crypto cisco algorithm 40-bit-des [cfb-8 | cfb-64]
no crypto cisco algorithm 40-bit-des [cfb-8 | cfb-64]

Syntax Description

cfb-8

(Optional) Selects the 8-bit Cipher FeedBack (CFB) mode of the 40-bit DES algorithm. If no CFB mode is specified when you issue the command, 64-bit CFB mode is the default.

cfb-64

(Optional) Selects the 64-bit CFB mode of the 40-bit DES algorithm. If no CFB mode is specified when you issue the command, 64-bit CFB mode is the default.

Default

One DES algorithm is enabled by default, even if you never issue this command. If you are running a nonexportable image, the basic DES algorithm with 8-bit CFB is enabled by default. (The basic DES algorithm uses a 56-bit DES key.) If you are running an exportable image, the 40-bit DES algorithm with 8-bit CFB is enabled by default.

If you do not know if your image is exportable or nonexportable, you can perform the show crypto cisco algorithms command to determine which DES algorithms are currently enabled.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2.

Use this command to enable a 40-bit DES algorithm type. Enabling a DES algorithm type once allows it to be used by all crypto engines of a router.

You must enable all DES algorithms that will be used to communicate with any other peer encrypting router. If you do not enable a DES algorithm, you will not be able to use that algorithm, even if you try to assign the algorithm to a crypto map at a later time.

If your router tries to set up an encrypted communication session with a peer router, and the two routers do not have the same DES algorithm enabled at both ends, the encrypted session will fail. If at least one common DES algorithm is enabled at both ends, the encrypted session can proceed.

Forty-bit DES uses a 40-bit DES key, which is easier for attackers to "crack" than basic DES, which uses a 56-bit DES key. However, some international applications might require you to use 40-bit DES, because of export laws.


Note If you are running an exportable image, you can only enable and use 40-bit variations of DES. You cannot enable or use the basic DES algorithms, which are not available with exportable images.

Eight-bit CFB is more commonly used than 64-bit CFB, but requires more CPU processing time. If you do not specify 8-bit or 64-bit CFB, 64-bit CFB will be selected by default.

Example

The following example enables 40-bit DES with 8-bit CFB and 40-bit DES with 64-bit CFB:

crypto cisco algorithm 40-bit-des cfb-8
crypto cisco algorithm 40-bit-des cfb-64

Related Commands

You can use the master indexes or search online to find documentation of related commands.

crypto cisco algorithm des
show crypto cisco algorithms

crypto cisco algorithm des

To globally enable Data Encryption Standard (DES) algorithm types that use a 56-bit DES key, use the crypto cisco algorithm des global configuration command. Use the no form of this command to globally disable a DES algorithm type.

crypto cisco algorithm des [cfb-8 | cfb-64]
no crypto cisco algorithm des [cfb-8 | cfb-64]

Syntax Description

cfb-8

(Optional) Selects the 8-bit Cipher FeedBack (CFB) mode of the basic DES algorithm. If no CFB mode is specified when you issue the command, 64-bit CFB mode is the default.

cfb-64

(Optional) Selects the 64-bit CFB mode of the basic DES algorithm. If no CFB mode is specified when you issue the command, 64-bit CFB mode is the default.

Default

One DES algorithm is enabled by default, even if you never issue this command. If you are running a nonexportable image, the basic DES algorithm with 8-bit CFB is enabled by default. (The basic DES algorithm uses a 56-bit DES key.) If you are running an exportable image, the 40-bit DES algorithm with 8-bit CFB is enabled by default.

If you do not know if your image is exportable or nonexportable, you can perform the show crypto cisco algorithms command to determine which DES algorithms are currently enabled.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2.

Use this command to enable a DES algorithm type that uses a 56-bit DES key. Enabling a DES algorithm type once allows it to be used by all crypto engines of a router.

You must enable all DES algorithms that will be used to communicate with any other peer encrypting router. If you do not enable a DES algorithm, you will not be able to use that algorithm, even if you try to assign the algorithm to a crypto map at a later time.

If your router tries to set up an encrypted communication session with a peer router, and the two routers do not have the same DES algorithm enabled at both ends, the encrypted session will fail. If at least one common DES algorithm is enabled at both ends, the encrypted session can proceed.


Note If you are running an exportable image, you can only enable and use 40-bit variations of DES. You cannot enable or use the basic DES algorithms, which are not available with exportable images.

Eight-bit CFB is more commonly used than 64-bit CFB, but requires more CPU processing time. If you do not specify 8-bit or 64-bit CFB, 64-bit CFB will be selected by default.

Example

The following example enables DES with 8-bit CFB and DES with 64-bit CFB:

crypto cisco algorithm des cfb-8
crypto cisco algorithm des cfb-64

Related Commands

You can use the master indexes or search online to find documentation of related commands.

crypto cisco algorithm 40-bit-des
show crypto cisco algorithms

crypto cisco connections

To change the maximum number of destinations (hosts or subnets) per source that you can define in encryption access list statements, use the crypto cisco connections global configuration command. Use the no form of the command to restore the default.

crypto cisco connections number
no crypto cisco connections [number]

Syntax Description

number

Specifies the maximum number of destinations per source. Use a value from
3 to 500.

This argument is not required when using the no form of the command.

Default

A maximum of 10 destinations can be paired with each source specified in encryption access list criteria statements.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.3.

When you configure encryption access lists, you configure source and destination pairs in criteria statements. Any traffic that matches the criteria is then encrypted.

By default, the maximum number of distinct sources (host or subnets) that you can define in your encryption access lists is 100. Also, the maximum number of distinct destinations that you can define for any given source address is 10. For example, if you define six different source addresses, you can define up to 10 destination addresses for each of the six sources, for a total of 60 access list criteria statements.

Use this command if you need to specify more than 10 destinations for a particular source (host or subnet) in encryption access list statements.

For most situations, the defaults of 100 maximum sources and 10 maximum destinations per source are sufficient. Cisco recommends that you do not change the defaults unless you actually exceed the number of sources or destinations per source.


Note You must reboot the router before this command takes effect.
Memory Impact

The amount of memory reserved for encrypted connections changes if you change the defaults with this command.

When using this command, you should consider the amount of memory that will be allocated. In general, use the crypto cisco entities and crypto cisco connections commands together: if you increase one value, decrease the other value. This prevents your router from running out of memory because too much memory was preallocated.

For every additional source specified with the crypto cisco entities command, the following additional bytes of memory will be allocated:

64 + (68 x the specified number of maximum destinations)

For every additional destination specified with the crypto cisco connections, the following additional bytes of memory will be allocated:

68 x the specified number of maximum sources

For example, if you specify 5 maximum sources, and 250 maximum destinations per source, the memory allocated for encryption connections is calculated as follows:

{5 x [64 + (68 x 250)]} + {250 x (68 x 5)} = 170320 bytes

Example

In this example, there are 50 remote sites connecting to a single server. The connections between the server and each site need to be encrypted. The server is located behind the local router named Router1. Each of the remote sites connects through its own router.

Because of the large number of destination addresses that must be paired with the same source address in the local encryption access list, the default limits are changed.

Router1(config)# crypto cisco connections 60
%Please reboot for the new connection size to take effect
Router1(config)# crypto cisco entities 5
%Please reboot for the new table size to take effect

Note that the maximum number of sources is reduced to balance the increase in maximum destinations per source. This prevents too much memory from being preallocated to encryption connections.

Also note that even though there is only one server, and only 50 remote sites, this example defines 5  sources and 60 destinations. This allows room for future growth of the encryption access list. If another source or destination is added later, the limits will not have to be increased and the router rebooted again, which is a disruptive process.

Related Commands

You can use the master indexes or search online to find documentation of related commands.

crypto cisco entities

crypto cisco entities

To change the maximum number of sources (hosts or subnets) that you can define in encryption access list statements, use the crypto cisco entities global configuration command. Use the no form of the command to restore the default.

crypto cisco entities number
no crypto cisco entities [number]

Syntax Description

number

Specifies the maximum number of sources. Use a value from 3 to 500.

This argument is not required when using the no form of the command.

Default

A maximum of 100 sources can be specified in encryption access list criteria statements.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.3.

When you configure encryption access lists, you configure source and destination pairs in criteria statements. Any traffic that matches the criteria is then encrypted.

By default, the maximum number of distinct sources (host or subnets) that you can define in your encryption access lists is 100. Also, the maximum number of distinct destinations that you can define for any given source address is 10. For example, if you define six different source addresses, you can define up to 10 destination addresses for each of the six sources, for a total of 60 access list criteria statements.

Use this command if you need to specify more than 100 sources (host or subnet) in encryption access list statements.

For most situations, the defaults of 100 maximum sources and 10 maximum destinations per source are sufficient. Cisco recommends that you do not change the defaults unless you actually exceed the number of sources or destinations per source.


Note You must reboot the router before this command takes effect.
Memory Impact

The amount of memory reserved for encrypted connections changes if you change the defaults with this command.

When using this command, you should consider the amount of memory that will be allocated. In general, use the crypto cisco entities and crypto cisco connections commands together: if you increase one value, decrease the other value. This prevents your router from running out of memory because too much memory was preallocated.

For every additional source specified with the crypto cisco entities command, the following additional bytes of memory will be allocated:

64 + (68 x the specified number of maximum destinations)

For every additional destination specified with the crypto cisco connections, the following additional bytes of memory will be allocated

68 x the specified number of maximum sources

For example, if you specify 5 maximum sources, and 250 maximum destinations per source, the memory allocated for encryption connections is calculated as follows:

{5 x [64 + (68 x 250)]} + {250 x (68 x 5)} = 170320 bytes

Example

In this example, there are 50 remote sites connecting to a single server. The connections between the server and each site need to be encrypted. The server is located behind the local router named Router1. Each of the remote sites connects through its own router.

Because of the large number of destination addresses that must be paired with the same source address in the local encryption access list, the default limits are changed.

Router1(config)# crypto cisco connections 60
%Please reboot for the new connection size to take effect
Router1(config)# crypto cisco entities 5
%Please reboot for the new table size to take effect

Note that the maximum number of sources is reduced to balance the increase in maximum destinations per source. This prevents too much memory from being preallocated to encryption connections.

Also note that even though there is only one server, and only 50 remote sites, this example defines 5  sources and 60 destinations. This allows room for future growth of the encryption access list. If another source or destination is added later, the limits will not have to be increased and the router rebooted again, which is a disruptive process.

Related Commands

You can use the master indexes or search online to find documentation of related commands.

crypto cisco connections

crypto cisco key-timeout

To specify the duration of encrypted sessions, use the crypto cisco key-timeout global configuration command. Use the no form to restore the duration of encrypted sessions to the default of 30  minutes.

crypto cisco key-timeout minutes
no crypto cisco key-timeout minutes

Syntax Description

minutes

Specifies the duration of encrypted sessions. Can be from 1 to 1440  minutes (24 hours) in 1 minute increments. Specified by an integer from 1 to 1440.

When the no form of the command is used, this argument is optional. Any value supplied for the argument is ignored by the router.

Default

Encrypted sessions time out in 30 minutes.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2.

After an encrypted communication session is established, it is valid for a specific length of time. After this length of time, the session times out. A new session must be negotiated, and a new Data Encryption Standard (DES) (session) key must be generated for encrypted communication to continue. Use this command to change the time that an encrypted communication session will last before it expires (times out).

Examples

The following example sets encrypted session timeouts to 2 hours:

crypto cisco key-timeout 120

The following example shows one way to restore the default session time of 30 minutes:

no crypto cisco key-timeout

The following example shows another way to restore the default session time of 30 minutes:

crypto cisco key-timeout 30

Related Commands

You can use the master indexes or search online to find documentation of related commands.

show crypto cisco key-timeout

crypto cisco pregen-dh-pairs

To enable pregeneration of Diffie-Hellman (DH) public numbers, use the crypto  cisco  pregen-dh-pairs global configuration command. Use the no form to disable pregeneration of DH public numbers for all crypto engines.

crypto cisco pregen-dh-pairs count [slot | rsm | vip]
no crypto cisco pregen-dh-pairs

Syntax Description

count

Specifies how many DH public numbers to pregenerate and hold in reserve. Specified by an integer from 0 to 10.

slot

(Optional) Identifies the crypto engine. This argument is available only on Cisco 7200, RSP7000, and 7500 series routers.

If no slot is specified, the Cisco IOS crypto engine will be selected.

Use the chassis slot number of the crypto engine location. For the Cisco IOS crypto engine, this is the chassis slot number of the Route Switch Processor (RSP). For the VIP2 crypto engine, this is the chassis slot number of the VIP2. For the ESA crypto engine, this is the chassis slot number of the ESA (Cisco  7200) or of the VIP2 (Cisco  RSP7000 and 7500).

rsm

(Optional) This keyword is only available on the Cisco Catalyst 5000 series switch. Identifies the Route Switch Module on the Cisco Catalyst 5000 series switch.

vip

(Optional) This keyword is only available on the Cisco Catalyst 5000 series switch. Identifies the Versatile Interface Processor on the Cisco Catalyst 5000 series switch.

Default

DH number pairs are generated only when needed, during encrypted session setup.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2. The rsm and vip keywords were added in Cisco IOS Release 12.0.

Each encrypted session uses a unique pair of DH numbers. Every time a new session is set up, new DH number pairs must be generated. When the session completes, these numbers are discarded. Generating new DH number pairs is a CPU-intensive activity, which can make session setup slow---especially for low-end routers.

To speed up session setup, you can choose to have a specified amount of DH number pairs pregenerated and held in reserve. Then, when an encrypted communication session is being set up, a DH number pair will be provided from that reserve. After a DH number pair is used, the reserve is automatically replenished with a new DH number pair, so there should always be a DH number pair ready for use.

It is usually not necessary to have more than one or two DH number pairs pregenerated, unless your router will be setting up multiple encrypted sessions so frequently that a pregenerated reserve of one or two DH number pairs will be depleted too quickly.

If you have a Cisco 7200, RSP7000, or 7500 series router or Cisco Catalyst 5000 series switch, you can perform this command for each crypto engine in service.

Setting the number of pregenerated pairs to be zero disables pregeneration but allows you to use the pairs already in reserve. Using the no form of the command disables pregeneration for all crypto engines of your router and deletes any DH number pairs currently in reserve. If you have a Cisco  7200, RSP7000, or 7500 series router or Cisco Catalyst 5000 series switch and wish to discontinue pregenerating DH numbers for only one crypto engine, set the count argument to 0, and specify the crypto engine with the slot argument.

Examples

The following example turns on pregeneration of DH public number pairs for a Cisco 2500 series router. Two DH number pairs will be held in constant reserve.

crypto cisco pregen-dh-pairs 2

The following example turns on pregeneration of DH public numbers for the ESA crypto engine of a VIP2 card in slot 3 of a Cisco 7500 series router. One DH number pair will be held in constant reserve.

crypto cisco pregen-dh-pairs 1 3

The following example turns on pregeneration of DH public numbers for a VIP on a Cisco Catalyst  5000 series switch:

crypto cisco pregen-dh-pairs 1 vip

Related Commands

You can use the master indexes or search online to find documentation of related commands.

show crypto cisco pregen-dh-pairs

crypto clear-latch

The crypto card clear-latch command replaces this command. Refer to the description of the crypto card clear-latch command for more information.

crypto esa

The crypto card command replaces this command. Refer to the description of the crypto card command for more information.

crypto gen-signature-keys

The crypto key generate dss command replaces this command. Refer to the description of the crypto key generate dss command for more information.

crypto key-exchange

The crypto key exchange dss command replaces this command. Refer to the description of the crypto key exchange dss command for more information.

crypto key exchange dss

To exchange Digital Signature Standard (DSS) public keys, the administrator of the peer encrypting router that is designated ACTIVE must use the crypto key exchange dss global configuration command.

crypto key exchange dss ip-address key-name [tcp-port]

Syntax Description

ip-address

The IP address of the peer router (designated PASSIVE) participating with you in the key exchange.

key-name

Identifies the crypto engine---either the Cisco IOS crypto engine, a second-generation Versatile Interface Processor (VIP2) crypto engine, or an Encryption Service Adapter (ESA) crypto engine. This name must match the key-name argument assigned when you generated DSS keys using the crypto key generate dss command.

tcp-port

(Optional) Cisco IOS software uses the unassigned1 TCP port number of 1964 to designate a key exchange. You may use this optional keyword to select a different number to designate a key exchange, if your system already uses the port number 1964 for a different purpose. If this keyword is used, you must use the same value as the PASSIVE router's tcp-port value.

11964 is a TCP port number that has not been preassigned by the Internetworking Engineering Task Force (IETF).

Default

No DSS keys are exchanged.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2.

Peer encrypting routers must exchange DSS public keys before any encrypted communication can occur.

If you have a Cisco 7200, RSP7000, or 7500 series router, you will need to exchange DSS public keys for each crypto engine you plan to use.

To exchange DSS public keys, the two router administrators must call each other on the phone, and verbally assign one router to the PASSIVE role, and the other router to the ACTIVE role.

The PASSIVE administrator uses the crypto key exchange dss passive command to start the DSS key exchange. Then the ACTIVE administrator uses the crypto key exchange dss command to send the first DSS public key. During the key exchange sequence, the two administrators must remain on the phone to verify the receipt of DSS keys. To verify the receipt of DSS keys, the administrators should compare screens to match DSS key serial numbers and fingerprints. Screen prompts will guide both administrators through the exchange.

Example

The following example shows a DSS key exchange sequence from the point of view of a router named Router2. Router2 is designated ACTIVE. The other router is named Router1. Router1 is designated PASSIVE, and has previously generated DSS keys with the key-name Router1. Router2 has previously generated DSS keys with the key-name Router2ESA:

Router2(config)# crypto key exchange dss 172.21.114.68 Router2ESA 
Public key for Router2ESA:
   Serial Number 01461300
   Fingerprint   0F1D 373F 2FC1 872C D5D7
Wait for peer to send a key[confirm]<Return>
Waiting ....
Public key for Router1:
   Serial Number 01579312
   Fingerprint   BF1F 9EAC B17E F2A1 BA77 
 
Add this public key to the configuration? [yes/no]: y
Router2(config)#

Related Commands

You can use the master indexes or search online to find documentation of related commands.

crypto key exchange dss passive
crypto key pubkey-chain dss
show crypto key mypubkey dss
show crypto key pubkey-chain dss

crypto key exchange dss passive

To enable an exchange of Digital Signature Standard (DSS) public keys, the administrator of the peer encrypting router that is designated PASSIVE must use the crypto key exchange dss passive global configuration command.

crypto key exchange dss passive [tcp-port]

Syntax Description

tcp-port

(Optional) Cisco IOS software uses the unassigned1 TCP port number of 1964 to designate a key exchange. You may use this optional keyword to select a different number to designate a key exchange, if your system already uses the port number 1964 for a different purpose. If this keyword is used, you must use the same value as the ACTIVE router's tcp-port value.

11964 is a TCP port number that has not been preassigned by the Internetworking Engineering Task Force (IETF).

Default

No DSS keys are exchanged.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2.

Peer encrypting routers must exchange DSS public keys before any encrypted communication can occur.

To exchange DSS public keys, the two router administrators must call each other on the phone, and verbally assign one router to the PASSIVE role, and the other router to the ACTIVE role.

Then the PASSIVE administrator should use the crypto key exchange dss passive command to start the DSS key exchange. During the key exchange sequence, the two administrators must remain on the phone to verify the receipt of DSS keys. To verify the receipt of DSS keys, the administrators should compare screens to match DSS key serial numbers and fingerprints. Screen prompts will guide both administrators through the exchange.

Example

The following example shows a DSS key exchange sequence from the point of view of a router named Router1. Router1 is designated PASSIVE, and has previously generated DSS keys with the key-name Router1. The other router is named Router2 and has previously generated DSS keys with the key-name Router2ESA:

Router1(config)# crypto key exchange dss passive
Enter escape character to abort if connection does not complete.
Wait for connection from peer[confirm]<Return>
Waiting ....
Public key for Router2ESA:
   Serial Number 01461300
   Fingerprint   0F1D 373F 2FC1 872C D5D7 
Add this public key to the configuration? [yes/no]: y 
Send peer a key in return[confirm]<Return>
Which one?
 
Router1? [yes]: <Return>
Public key for Router1:
   Serial Number 01579312
   Fingerprint   BF1F 9EAC B17E F2A1 BA77
 
Router1(config)#

Related Commands

You can use the master indexes or search online to find documentation of related commands.

crypto key exchange dss
crypto key pubkey-chain dss
show crypto key mypubkey dss
show crypto key pubkey-chain dss

crypto key-exchange passive

The crypto key exchange dss passive command replaces this command. Refer to the description of the crypto key exchange dss passive command for more information.

crypto key generate dss

To generate a Digital Signature Standard (DSS) public/private key pair, use the crypto key generate dss global configuration command.

crypto key generate dss key-name [slot | rsm | vip]

Syntax Description

key-name

A name you assign to the crypto engine. This will name either the Cisco IOS software crypto engine, a second-generation Versatile Interface Processor (VIP2) crypto engine, or an Encryption Service Adapter (ESA) crypto engine. Any character string is valid. Using a fully qualified domain name might make it easier to identify public keys.

slot

(Optional) Identifies the crypto engine. This argument is available only on Cisco 7200, RSP7000, and 7500 series routers.

If no slot is specified, the Cisco IOS crypto engine will be selected.

Use the chassis slot number of the crypto engine location. For the Cisco IOS crypto engine, this is the chassis slot number of the Route Switch Processor (RSP). For the VIP2 crypto engine, this is the chassis slot number of the VIP2. For the ESA crypto engine, this is the chassis slot number of the ESA (Cisco  7200) or of the VIP2 (Cisco  RSP7000 and 7500).

rsm

(Optional) This keyword is only available on the Cisco Catalyst 5000 series switch. Identifies the Route Switch Module on the Cisco Catalyst 5000 series switch.

vip

(Optional) This keyword is only available on the Cisco Catalyst 5000 series switch. Identifies the Versatile Interface Processor on the Cisco Catalyst 5000 series switch.

Default

No DSS public/private keys are defined.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2. The rsm and vip keywords were added in Cisco IOS Release 12.0.

Use this command to generate a DSS public/private key pair. This is the first configuration task required to set up a router for network data encryption.

If you have a Cisco 7200, RSP7000, or 7500 series router, use the slot argument. If you have a Cisco Catalyst 5000 series switch, use the rsm or vip keyword. You must perform this command once for each crypto engine you plan to use.


Note DSS keys of the Cisco IOS crypto engine are saved to a private portion of NVRAM when you perform a copy system:running-config nvram:startup-config (previously copy running-config startup-config) command. DSS keys are not saved with your configuration when you perform a copy sytem:running-config rcp: or copy system:running-config tftp: command.

If you are using a Cisco 7200, RSP7000, or 7500 series router or a Cisco Catalyst 5000 series switch with an ESA, DSS keys generated for the ESA crypto engine are automatically saved to tamper resistant memory of the ESA during the DSS key generation process.


Note If NVRAM fails, or if your ESA is tampered with or replaced, DSS public/private keys will no longer be valid. If this happens, you will need to regenerate and re-exchange DSS keys.
The ESA Password

If you are using a Cisco 7200, RSP7000, or 7500 series router or a Cisco Catalyst 5000 series switch with an ESA, you will be prompted to enter a password when you generate DSS keys for the ESA crypto engine.

If you previously reset the ESA with the crypto key zeroize dss command, you must create a new password at this time.

If you previously reset the ESA with the crypto card clear-latch command, you created a password at that time; use that same password now. If you have forgotten the password, the only workaround is to first use the crypto key zeroize dss command and then regenerate DSS keys.

If you need to regenerate DSS keys for the ESA, you will be required to enter the same ESA password to complete the DSS key regeneration.

Examples

The following example generates a DSS public/private key pair for the first time on a Cisco 2500 series router:

Router1(config)# crypto key generate dss Router1
Generating DSS keys .... [OK]
Router1(config)#

The following example generates DSS public/private key pairs for a Cisco 7500 series router with an RSP in slot 4 and a VIP2 (with an ESA) in slot 3. The ESA was previously reset with the crypto key zeroize dss command. Notice that when DSS keys are generated for the ESA, you must type a newly created password:

Router1(config)# crypto key generate dss Router1RSP 4
Generating DSS keys .... [OK]
Router1(config)# crypto key generate dss Router1ESA 3
% Initialize the crypto card password. You will need
   this password in order to generate new signature
   keys or clear the crypto card extraction latch.
Password: <passwd>
Re-enter password: <passwd>
Generating DSS keys .... [OK]
Router1(config)#

In the previous example, the ESA crypto engine provides encryption services for the VIP2 interfaces, and the Cisco IOS crypto engine (located in the RSP) provides encryption services for all other designated ports.

The next example shows DSS keys being generated a second time, for the same ESA crypto engine shown in the previous example (DSS keys already exist for this crypto engine). Notice that the password used in the previous example must be entered in this example to complete the DSS key regeneration.

Router1(config)# crypto key generate dss Router1ESA 3
% Generating new DSS keys will require re-exchanging
   public keys with peers who already have the public key
   named Router1ESA!
Generate new DSS keys? [yes/no]: y
% Enter the crypto card password.
Password: <passwd>
Generating DSS keys .... [OK]

Related Commands

You can use the master indexes or search online to find documentation of related commands.

show crypto key mypubkey dss

crypto key pubkey-chain dss

To manually specify the Digital Signature Standard (DSS) public key of a peer encrypting router, use the crypto key pubkey-chain dss global configuration command. Use the no form of this command to delete the DSS public key of a peer encrypting router.

crypto key pubkey-chain dss
named-key <key-name> [special-usage]
serial-number [special-usage]
key-string
<hex> <hex> <hex> ...
<hex> <hex> <hex> ...
quit
no crypto key pubkey-chain dss key-name [serial-number]

Syntax Description

key-name

Identifies the crypto engine of the peer encrypting router. If the device is a Cisco router, the name should be a fully qualified domain name.

special-usage

If the special-usage parameter is not specified, the key is considered a general-purpose key.

serial-number

The serial number of the peer encrypting router's public DSS key.

When the no form of the command is used, this argument is optional. Any value supplied for the argument is ignored by the router.

hex

The DSS public key of the peer encrypting router, in hexadecimal format.

quit

When you are done entering the public key, type quit to exit the hex input mode.

Default

No peer encrypting router DSS keys are known.

Command Mode

Global configuration

Performing this command invokes the hex input mode. To complete the command, you must return to the global configuration mode by typing quit at the config-pubkey prompt.

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2.

Use this command to specify DSS public keys of peer encrypting routers, instead of using the crypto key exchange dss passive and crypto key exchange dss commands. The administrator of the peer router can provide the exact values for the key-name, serial-number, and hex-key-data command arguments. The administrator of the peer router can discover these values by performing the show crypto key mypubkey dss command at the peer router.

Example

The following example specifies the DSS public key of a peer encrypting router:

Router1(config)# crypto key pubkey-chain dss
Router1(config-pubkey)# named-key router.domain.com
Router1(config-pubkey)# serial-number 03259625
Router1(config-pubkey)# key-string 8F1440B9 4C860989 8791A12B 69746E27 307ACACB 
62915B02 0261B58F 1F7ABB10 90CE70A9 08F86652 16B52064 37C857D4 7066DAA3 7FC33212 
445275EE 542DCD06
Router1(config-pubkey)# quit
Router1(config)# exit
Router1#
%SYS-5-CONFIG_I: Configured from console by console
Router1# show crypto key pubkey-chain dss name router.domain.com
Key name: router.domain.com
Serial number: 03259625
Usage: Signature Key
Source: Manually entered
Data:
8F1440B9 4C860989 8791A12B 69746E27 307ACACB 62915B02 0261B58F 1F7ABB10
90CE70A9 08F86652 16B52064 37C857D4 7066DAA3 7FC33212 445275EE 542DCD06 Router1#

Related Commands

You can use the master indexes or search online to find documentation of related commands.

crypto key exchange dss
crypto key exchange dss passive
show crypto key mypubkey dss
show crypto key pubkey-chain dss

crypto key-timeout

The crypto cisco key-timeout command replaces this command. Refer to the description of the crypto cisco key-timeout command for more information.

crypto key zeroize dss

To delete the Digital Signature Standard (DSS) public/private key pair of a crypto engine, use the crypto key zeroize dss global configuration command.

crypto key zeroize dss [slot | rsm | vip]
Caution DSS keys cannot be recovered after they have been removed. Use this command only after careful consideration.

Syntax Description

slot

(Optional) Identifies the crypto engine. This argument is available only on Cisco 7200, RSP7000, and 7500 series routers.

If no slot is specified, the Cisco IOS crypto engine will be selected.

Use the chassis slot number of the crypto engine location. For the Cisco IOS crypto engine, this is the chassis slot number of the Route Switch Processor (RSP). For the VIP2 crypto engine, this is the chassis slot number of the VIP2. For the ESA crypto engine, this is the chassis slot number of the ESA (Cisco  7200) or of the VIP2 (Cisco  RSP7000 and 7500).

rsm

(Optional) This keyword is only available on the Cisco Catalyst 5000 series switch. It identifies the Route Switch Module on the Cisco Catalyst 5000 series switch.

vip

(Optional) This keyword is only available on the Cisco Catalyst 5000 series switch. It identifies the Versatile Interface Processor on the Cisco Catalyst  5000 series switch.

Default

DSS public/private keys will remain valid indefinitely.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2. The rsm and vip keywords were added in Cisco IOS Release 12.0.

If you choose to stop using encryption on a router, completely or for a specific crypto engine, you may delete the public/private DSS key pair(s) for your router's crypto engine(s). However, after you delete them, you cannot use that crypto engine for any encrypted sessions with peer routers, unless you regenerate and re-exchange new DSS keys. If only one crypto engine is configured at your router, issuing this command will prevent you from performing any encryption at the router.

Caution If you use this command on a Cisco 7200 series router, the current active crypto engine's DSS keys will be deleted. Be certain that the engine for which you want to delete keys is the engine that is currently selected. You can use the show crypto engine configuration command to verify the current crypto engine. If the current crypto engine is not the engine for which you want to delete DSS keys, you must select the correct crypto engine using the crypto esa command.

This command can be used if you lose the password required to complete the crypto card clear-latch or crypto key generate dss commands. After using the crypto key zeroize dss command, you will need to regenerate and re-exchange new DSS keys. You will be prompted to supply a new password when you regenerate new DSS keys with the crypto key generate dss command.

Examples

The following example deletes the DSS public/private key of a router named Router1, which is a Cisco 7500 series router with an RSP in slot 4:

Router1(config)# crypto key zeroize dss 4
Warning! Zeroize will remove your DSS signature keys.
Do you want to continue? [yes/no]: y
Keys to be removed are named Router1IOS.
Do you really want to remove these keys? [yes/no]: y
[OK]
Router1(config)#

The following example deletes the DSS public/private key on the RSM of a Cisco Catalyst 5000 series switch:

Router1(config)# crypto key zeroize dss rsm
Warning! Zeroize will remove your DSS signature keys.
Do you want to continue? [yes/no]: y
Keys to be removed are named Router1IOS.
Do you really want to remove these keys? [yes/no]: y
[OK]
Router1(config)#

Related Commands

You can use the master indexes or search online to find documentation of related commands.

crypto key generate dss

crypto map (global configuration)

To create or modify a crypto map entry and enter the crypto map configuration mode, use the crypto map global configuration command. Use the no form of this command to delete a crypto map entry or set.

crypto map map-name seq-num [cisco]
no crypto map
map-name [seq-num]

Note Issue the crypto map map-name seq-num command without a keyword to modify an existing crypto map entry.

Syntax Description

cisco

(Default value) Indicates that CET will be used instead of IPSec for protecting the traffic specified by this newly specified crypto map entry. If you use this keyword, none of the IPSec-specific crypto map configuration commands will be available. Instead, the CET-specific commands will be available.

map-name

The name you assign to the crypto map set.

seq-num

The number you assign to the crypto map entry. See additional explanation for using this argument in the "Usage Guidelines" section.

Default

No crypto maps exist.

Command Mode

Global configuration.

Performing this command invokes the crypto map configuration command mode.

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2. The cisco keyword was added in Cisco IOS Release 11.3  T.

This command is also documented in the chapter "IPSec Network Security Commands" where it has slightly different functionality.

Use this command to create a new crypto map definition, or to modify an existing crypto map definition. Crypto maps link together definitions of encryption access lists, peer routers, and Data Encryption Standard (DES) algorithms. A crypto map must later be applied to an interface for the definitions to take effect; this is done using the crypto map (interface configuration) command.

When you issue the crypto map (global configuration) command, the router will invoke the crypto map configuration command mode. While in this mode, you will specify the crypto map definitions. Crypto map configuration command mode commands are used to create these definitions.

A crypto map definition must have three parts. First, you specify which remote peer encrypting router (crypto engine) will provide the far-end encryption services (the remote encryption end-point). This is accomplished using the set peer command. Next, you specify which encryption access list(s) will participate in encryption services with the peer router. This is accomplished using the match address command. Finally, you specify which DES algorithm(s) to apply to the encrypted packets in the access list. This is accomplished using either the set algorithm 40-bit-des command or the set algorithm des command.

Because only one crypto map can be applied to a given interface, the seq-num argument provides a way to create several distinct definition sets that coexist within a single crypto map. Figure 3 illustrates the sequence number concept.


Figure 3: Crypto Map with Subdefinitions

Having multiple distinct definition sets is useful if one router port will provide the encryption interface to more than one peer router.

Multiple Crypto Maps Entries with the Same map-name Form a Crypto Map Set

A crypto map set is a collection of crypto map entries each with a different seq-num but the same map-name. Therefore, for a given interface, you could have certain traffic forwarded to one IPSec peer with specified security applied to that traffic, and other traffic forwarded to the same or a different IPSec peer with different IPSec security applied. To accomplish this you would create two crypto maps, each with the same map-name, but each with a different seq-num. A crypto map set can include a combination of CET and IPSec crypto map entries.

The seq-num Argument

The number you assign to the seq-num argument should not be arbitrary. This number is used to rank multiple crypto map entries within a crypto map set. Within a crypto map set, a crypto map entry with a lower seq-num is evaluated before a map entry with a higher seq-num; that is, the map entry with the lower number has a higher priority.

For example, imagine there is a crypto map set that contains three crypto map entries: mymap 10, mymap  20, and mymap  30. The crypto map set named mymap is applied to interface Serial 0. When traffic passes through the Serial 0 interface, the traffic is evaluated first for mymap 10. If the traffic matches a permit entry in the extended access list in mymap 10, the traffic will be processed according to the information defined in mymap 10 (including establishing IPSec security associations or CET connections when necessary). If the traffic does not match the mymap 10 access list, the traffic will be evaluated for mymap 20, and then mymap 30, until the traffic matches a permit entry in a map entry. If the traffic does not match a permit entry in any crypto map entry, it will be forwarded without any CET (or IPSec) security.

Example

The following example creates a crypto map and defines the map parameters:

Router1(config)# crypto map Research 10
Router1(config-crypto-map)# set peer Router2ESA.HQ
Router1(config-crypto-map)# set algorithm des cfb-8
Router1(config-crypto-map)# match address 101
Router1(config-crypto-map)# exit
Router1(config)#

Related Commands

You can use the master indexes or search online to find documentation of related commands.

crypto map (interface configuration)
match address
set algorithm 40-bit-des
set algorithm des
set peer
show crypto map
show crypto mypubkey

crypto map (interface configuration)

To apply a previously defined crypto map to an interface, use the crypto map interface configuration command. Use the no form of the command to eliminate the crypto map from the interface.

crypto map map-name
no crypto map [map-name]

Syntax Description

map-name

The name which identifies the crypto map. This is the name assigned when the crypto map was created.

When the no form of the command is used, this argument is optional. Any value supplied for the argument is ignored.

Default

No crypto maps are assigned to interfaces.

Command Mode

Interface configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2.

This command is also documented in the chapter "IPSec Network Security Commands."

Use this command to assign a crypto map set to an interface. You must assign a crypto map set to an interface before that interface can provide CET or IPSec services. Only one crypto map set can be assigned to an interface. If multiple crypto map entries have the same map-name but a different seq-num, they are considered to be part of the same set and will all be applied to the interface. The crypto map entry with the lowest seq-num is considered the highest priority and will be evaluated first.

Example

The following example assigns crypto map set "mymap" to the S0 interface. When traffic passes through S0, the traffic will be evaluated against all the crypto map entries in the "mymap" set. When outbound traffic matches an access list in one of the "mymap" crypto map entries, a security association (if IPsec) or CET connection (if CET) will be established per that crypto map entry's configuration (if no security association or connection already exists).

interface S0
  crypto map mymap

Related Commands

You can use the master indexes or search online to find documentation of related commands.

crypto map (global configuration)
show crypto map

crypto pregen-dh-pairs

The crypto cisco pregen-dh-pairs command replaces this command. Refer to the description of the crypto cisco pregen-dh-pairs command for more information.

crypto public-key

The crypto key pubkey-chain dss command replaces this command. Refer to the description of the crypto key pubkey-chain dss command for more information.

crypto sdu connections

The crypto cisco connections command replaces this command. Refer to the description of the crypto cisco connections command for more information.

crypto sdu entities

The crypto cisco entities command replaces this command. Refer to the description of the crypto cisco entities command for more information.

crypto zeroize

The crypto key zeroize dss command replaces this command. Refer to the description of the crypto key zeroize dss command for more information.

deny

To set conditions for a named encryption access list, use the deny access-list configuration command. The deny command prevents IP traffic from being encrypted/decrypted if the conditions are matched. Use the no form of this command to remove a deny condition from an encryption access list.

deny source [source-wildcard]
no deny
source [source-wildcard]
deny protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log]
no deny protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log]

For ICMP, you can also use the following syntax:

deny icmp source source-wildcard destination destination-wildcard [icmp-type [icmp-code] |
icmp-message] [precedence precedence] [tos tos] [log]

For IGMP, you can also use the following syntax:

deny igmp source source-wildcard destination destination-wildcard [igmp-type]
[precedence precedence] [tos tos] [log]

For TCP, you can also use the following syntax:

deny tcp source source-wildcard [operator port [port]] destination destination-wildcard
[operator port [port]] [established] [precedence precedence] [tos tos] [log]

For UDP, you can also use the following syntax:

deny udp source source-wildcard [operator port [port]] destination destination-wildcard
[operator port [port]] [precedence precedence] [tos tos] [log]

Syntax Description

source

Number of the network or host from which the packet is being sent. There are two alternative ways to specify the source:

  • Use a 32-bit quantity in four-part, dotted-decimal format.

  • Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255. This keyword is normally not recommended (see the section "Usage Guidelines").

source-wildcard

(Optional) Wildcard bits to be applied to the source. There are two alternative ways to specify the source wildcard:

  • Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore.

  • Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255. This keyword is normally not recommended (see the section "Usage Guidelines").

protocol

Name or number of an IP protocol. It can be one of the keywords eigrp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, tcp, or udp, or an integer in the range 0 through 255 representing an IP protocol number. To match any Internet protocol (including ICMP, TCP, and UDP), use the keyword ip. Some protocols allow further qualifiers described later.

source

Number of the network or host from which the packet is being sent. There are three alternative ways to specify the source:

  • Use a 32-bit quantity in four-part, dotted-decimal format.

  • Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255. This keyword is normally not recommended (see the section "Usage Guidelines").

  • Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

source-wildcard

Wildcard bits to be applied to source. There are three alternative ways to specify the source wildcard:

  • Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore.

  • Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255. This keyword is normally not recommended (see the section "Usage Guidelines").

  • Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

destination

Number of the network or host to which the packet is being sent. There are three alternative ways to specify the destination:

  • Use a 32-bit quantity in four-part, dotted-decimal format.

  • Use the keyword any as an abbreviation for the destination and destination-wildcard of 0.0.0.0 255.255.255.255. This keyword is normally not recommended (see the section "Usage Guidelines").

  • Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

destination-wildcard

Wildcard bits to be applied to the destination. There are three alternative ways to specify the destination wildcard:

  • Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore.

  • Use the keyword any as an abbreviation for a destination and destination-wildcard of 0.0.0.0 255.255.255.255. This keyword is normally not recommended (see the section "Usage Guidelines").

  • Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

precedence precedence

(Optional) Packets can be matched for encryption by precedence level, as specified by a number from 0 to 7 or by name as listed in the section "Usage Guidelines" section of the access-list (encryption) command.

tos tos

(Optional) Packets can be matched for encryption by type of service level, as specified by a number from 0 to 15 or by name as listed in the "Usage Guidelines" section of the access-list (encryption) command.

icmp-type

(Optional) ICMP packets can be matched for encryption by ICMP message type. The type is a number from 0 to 255.

icmp-code

(Optional) ICMP packets which are matched for encryption by ICMP message type can also be matched by the ICMP message code. The code is a number from 0 to 255.

icmp-message

(Optional) ICMP packets can be matched for encryption by an ICMP message type name or ICMP message type and code name. The possible names are found in the "Usage Guidelines" section of the access-list (encryption) command.

igmp-type

(Optional) IGMP packets can be matched for encryption by IGMP message type or message name. A message type is a number from 0 to 15. IGMP message names are listed in the "Usage Guidelines" section of the access-list (encryption) command.

operator

(Optional) Compares source or destination ports. Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range).

If the operator is positioned after the source and source-wildcard, it must match the source port.

If the operator is positioned after the destination and destination-wildcard, it must match the destination port.

The range operator requires two port numbers. All other operators require one port number.

port

(Optional) The decimal number or name of a TCP or UDP port. A port number is a number from 0 to 65,535. TCP and UDP port names are listed in the "Usage Guidelines" section of the access-list (encryption) command. TCP port names can only be used when filtering TCP. UDP port names can only be used when filtering UDP.

established

(Optional) For the TCP protocol only: Indicates an established connection. A match occurs if the TCP datagram has the ACK or RST bits set. The nonmatching case is that of the initial TCP datagram to form a connection.

log

(Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.)

The message includes the access list number, whether the packet was permitted or denied; the protocol, whether it was TCP, UDP, ICMP or a number; and, if appropriate, the source and destination addresses and source and destination port numbers. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval.

Default

There is no specific condition under which a packet is prevented from being encrypted/decrypted. However, if a packet does not match any deny or permit command statements, the packet will not be encrypted/decrypted. (See the "Usage Guidelines" section that follows for more information about matching encryption access list conditions.)

Command Mode

Access-list configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2.

Use this command to specify conditions under which a packet will not be encrypted/decrypted. Use this command after you use the ip access-list extended (encryption) command.

After a named encryption access list is fully specified using permit and deny commands, the encryption access list must be specified in a crypto map, and the crypto map must be applied to an interface. After this is accomplished, packets will be either encrypted/decrypted or not encrypted/decrypted at the router depending on the conditions defined within the permit and deny commands.

If a packet matches the conditions in any deny command, the packet will not be encrypted/decrypted. Also, if a packet does not match any conditions in either a deny or a permit command, the packet will not be encrypted/decrypted. This occurs because all encryption access lists contain an implicit "deny" ("do not encrypt/decrypt") statement at the end of the list.

Caution When creating encryption access lists, we do not recommend using the any keyword to specify source or destination addresses for permit or deny commands. Using the any keyword with a permit command could cause extreme problems if a packet enters your router and is destined for a router that is not configured for encryption. This would cause your router to attempt to set up an encryption session with a nonencrypting router.

If you incorrectly use the any keyword with a deny command, you might inadvertently prevent all packets from being encrypted, which could present a security risk.

Examples

    1. Example of an Inappropriately Configured Access List

ip access-list extended Router1cryptomap10
  deny UDP any any
  permit UDP 192.168.33.145  0.0.0.15  172.31.0.0  0.0.255.255 
  permit UDP 192.168.33.145  0.0.0.15  10.0.0.0  0.255.255.255

    2. Another Example of an Inappropriately Configured Access List

ip access-list extended Router1cryptomap10
  permit UDP 192.168.33.145  0.0.0.15  172.31.0.0  0.0.255.255 
  permit UDP 192.168.33.145  0.0.0.15  10.0.0.0  0.255.255.255
  permit UDP any any

    3. Example of a Correctly Configured Access List

ip access-list extended Router1cryptomap10
  permit UDP 192.168.33.145  0.0.0.15  172.31.0.0  0.0.255.255 
  permit UDP 192.168.33.145  0.0.0.15  10.0.0.0  0.255.255.255

Related Commands

You can use the master indexes or search online to find documentation of related commands.

access-list (encryption)
ip access-list extended (encryption)
permit
show ip access-list

ip access-list extended (encryption)

To define an encryption access list by name, use the ip access-list extended global configuration command. Use the no form of this command to remove a named encryption access list.

ip access-list extended name
no ip access-list extended name

Syntax Description

name

Name of the encryption access list. Names cannot contain a space or quotation mark, and must begin with an alphabetic character to prevent ambiguity with numbered access lists.

Default

There is no named encryption access list.

Command Mode

Global configuration

This command invokes the access-list configuration command mode.

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2.

Use this command to configure a named IP access list (as opposed to a numbered IP access list). This command will take you into access-list configuration mode. From this mode you use the deny and permit commands to define the conditions for which traffic will be encrypted/decrypted or not encrypted/decrypted.

To use the encryption access list, you must first specify the access list in a crypto map definition, and then apply the crypto map to an interface.

Examples

    1. Example of an Inappropriately Configured Access List

ip access-list extended Router1cryptomap10
  deny UDP any any
  permit UDP 192.168.33.145  0.0.0.15  172.31.0.0  0.0.255.255 
  permit UDP 192.168.33.145  0.0.0.15  10.0.0.0  0.255.255.255

    2. Another Example of an Inappropriately Configured Access List

ip access-list extended Router1cryptomap10
  permit UDP 192.168.33.145  0.0.0.15  172.31.0.0  0.0.255.255 
  permit UDP 192.168.33.145  0.0.0.15  10.0.0.0  0.255.255.255
  permit UDP any any

    3. Example of a Correctly Configured Access List

ip access-list extended Router1cryptomap10
  permit UDP 192.168.33.145  0.0.0.15  172.31.0.0  0.0.255.255 
  permit UDP 192.168.33.145  0.0.0.15  10.0.0.0  0.255.255.255

Related Commands

You can use the master indexes or search online to find documentation of related commands.

access-list (encryption)
crypto map (global configuration)
crypto map (interface configuration)
deny
ip access-list
(used for traffic filtering purposes)
permit
show ip access-list

match address

To specify an extended access list for a crypto map entry, use the match address crypto map configuration command. Use the no form of this command to remove the extended access list from a crypto map entry.

match address [access-list-id | name]
no match address [access-list-id | name]

Syntax Description

access-list-id

(Optional) Identifies the extended access list by its name or number. This value should match the access-list-number or name argument of the extended access list being matched.

name

(Optional) Identifies the named encryption access list. This name should match the name argument of the named encryption access list being matched.

Default

No access lists are matched to the crypto map entry.

Command Mode

Crypto map configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2.

This command is also documented in the chapter "IPSec Network Security Commands."

This command is required for all static crypto map entries. If you are defining a dynamic crypto map entry (with the crypto dynamic-map command), this command is not required but is strongly recommended.

Use this command to assign an extended access list to a crypto map entry. You also need to define this access list using the access-list or ip access-list extended commands.

The extended access list specified with this command will be used by IPSec (or CET, depending on the setting of the crypto map entry) to determine which traffic should be protected by crypto and which traffic does not need crypto protection. (Traffic that is permitted by the access list will be protected. Traffic that is denied by the access list will not be protected in the context of the corresponding crypto map entry.)


Note The crypto access list is not used to determine whether to permit or deny traffic through the interface. An access list applied directly to the interface makes that determination.

The crypto access list specified by this command is used when evaluating both inbound and outbound traffic. Outbound traffic is evaluated against the crypto access lists specified by the interface's crypto map entries to determine if it should be protected by crypto and if so (if traffic matches a permit entry) which crypto policy applies. (If necessary, in the case of static IPSec crypto maps, new security associations are established using the data flow identity as specified in the permit entry; in the case of CET, new connections are established; in the case of dynamic crypto map entries, if no SA exists, the packet is dropped.) After passing the regular access lists at the interface, inbound traffic is evaluated against the crypto access lists specified by the entries of the interface's crypto map set to determine if it should be protected by crypto and, if so, which crypto policy applies. (In the case of IPSec, unprotected traffic is discarded because it should have been protected by IPSec; in the case of CET, the traffic is decrypted even though it was never encrypted.)

In the case of IPSec, the access list is also used to identify the flow for which the IPSec security associations are established. In the outbound case, the permit entry is used as the data flow identity (in general), while in the inbound case the data flow identity specified by the peer must be "permitted" by the crypto access list.

Example

The following example creates a crypto map and defines an encryption access list for the map:

Router1(config)# crypto map Research 10
Router1(config-crypto-map)# match address 101

Related Commands

You can use the master indexes or search online to find documentation of related commands.

access-list (encryption)
crypto map (global configuration)
ip access-list extended (encryption)
show crypto map

permit

To set conditions for a named encryption access list, use the permit access-list configuration command. The permit command causes IP traffic to be encrypted/decrypted if the conditions are matched. Use the no form of this command to remove a permit condition from an encryption access list.

permit source [source-wildcard]
no permit
source [source-wildcard]
permit protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log]
no permit protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log]

For ICMP, you can also use the following syntax:

permit icmp source source-wildcard destination destination-wildcard [icmp-type [icmp-code] |
icmp-message] [precedence precedence] [tos tos] [log]

For IGMP, you can also use the following syntax:

permit igmp source source-wildcard destination destination-wildcard [igmp-type]
[precedence precedence] [tos tos] [log]

For TCP, you can also use the following syntax:

permit tcp source source-wildcard [operator port [port]] destination destination-wildcard
[operator port [port]] [established] [precedence precedence] [tos tos] [log]

For UDP, you can also use the following syntax:

permit udp source source-wildcard [operator port [port]] destination destination-wildcard
[operator port [port]] [precedence precedence] [tos tos] [log]

Syntax Description

source

Number of the network or host from which the packet is being sent. There are two alternative ways to specify the source:

  • Use a 32-bit quantity in four-part, dotted-decimal format.

  • Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255. This keyword is normally not recommended (see the section "Usage Guidelines").

source-wildcard

(Optional) Wildcard bits to be applied to the source. There are two alternative ways to specify the source wildcard:

  • Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore.

  • Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255. This keyword is normally not recommended (see the section "Usage Guidelines").

protocol

Name or number of an IP protocol. It can be one of the keywords eigrp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, tcp, or udp, or an integer in the range 0 through 255 representing an IP protocol number. To match any Internet protocol (including ICMP, TCP, and UDP), use the keyword ip. Some protocols allow further qualifiers described later.

source

Number of the network or host from which the packet is being sent. There are three alternative ways to specify the source:

  • Use a 32-bit quantity in four-part, dotted-decimal format.

  • Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255. This keyword is normally not recommended (see the section "Usage Guidelines").

  • Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

source-wildcard

Wildcard bits to be applied to source. There are three alternative ways to specify the source wildcard:

  • Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore.

  • Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255. This keyword is normally not recommended (see the section "Usage Guidelines").

  • Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

destination

Number of the network or host to which the packet is being sent. There are three alternative ways to specify the destination:

  • Use a 32-bit quantity in four-part, dotted-decimal format.

  • Use the keyword any as an abbreviation for the destination and destination-wildcard of 0.0.0.0 255.255.255.255. This keyword is normally not recommended (see the section "Usage Guidelines").

  • Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

destination-wildcard

Wildcard bits to be applied to the destination. There are three alternative ways to specify the destination wildcard:

  • Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore.

  • Use the keyword any as an abbreviation for a destination and destination-wildcard of 0.0.0.0 255.255.255.255. This keyword is normally not recommended (see the section "Usage Guidelines").

  • Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

precedence precedence

(Optional) Packets can be matched for encryption by precedence level, as specified by a number from 0 to 7 or by name as listed in the section "Usage Guidelines" section of the access-list (encryption) command.

tos tos

(Optional) Packets can be matched for encryption by type of service level, as specified by a number from 0 to 15 or by name as listed in the "Usage Guidelines" section of the access-list (encryption) command.

icmp-type

(Optional) ICMP packets can be matched for encryption by ICMP message type. The type is a number from 0 to 255.

icmp-code

(Optional) ICMP packets which are matched for encryption by ICMP message type can also be matched by the ICMP message code. The code is a number from 0 to 255.

icmp-message

(Optional) ICMP packets can be matched for encryption by an ICMP message type name or ICMP message type and code name. The possible names are found in the "Usage Guidelines" section of the access-list (extended) command.

igmp-type

(Optional) IGMP packets can be matched for encryption by IGMP message type or message name. A message type is a number from 0 to 15. IGMP message names are listed in the "Usage Guidelines" section of the access-list (extended) command.

operator

(Optional) Compares source or destination ports. Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range).

If the operator is positioned after the source and source-wildcard, it must match the source port.

If the operator is positioned after the destination and destination-wildcard, it must match the destination port.

The range operator requires two port numbers. All other operators require one port number.

port

(Optional) The decimal number or name of a TCP or UDP port. A port number is a number from 0 to 65535. TCP and UDP port names are listed in the "Usage Guidelines" section of the access-list (extended) command. TCP port names can only be used when filtering TCP. UDP port names can only be used when filtering UDP.

established

(Optional) For the TCP protocol only: Indicates an established connection. A match occurs if the TCP datagram has the ACK or RST bits set. The nonmatching case is that of the initial TCP datagram to form a connection.

log

(Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.)

The message includes the access list number, whether the packet was permitted or denied; the protocol, whether it was TCP, UDP, ICMP or a number; and, if appropriate, the source and destination addresses and source and destination port numbers. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval.

Default

There is no specific condition under which a packet is caused to be encrypted/decrypted. However, if a packet does not match any deny or permit command statements, the packet will not be encrypted/decrypted. (See the "Usage Guidelines" section for more information about matching encryption access list conditions.)

Command Mode

Access-list configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2.

Use this command following the ip access-list extended (encryption) command to specify conditions under which a packet will be encrypted/decrypted.

After a named encryption access list is fully specified using permit and deny commands, the encryption access list must be specified in a crypto map, and the crypto map must be applied to an interface. After this is accomplished, packets will be either encrypted/decrypted or not encrypted/decrypted at the router depending on the conditions defined within the permit and deny commands.

If a packet matches the conditions in any permit command, the packet will be encrypted/decrypted. If a packet does not match any conditions in either a deny or a permit command, the packet will not be encrypted/decrypted. This occurs because all encryption access lists contain an implicit "deny" ("do not encrypt/decrypt") statement at the end of the list.

Caution When creating encryption access lists, we do not recommend using the any keyword to specify source or destination addresses for permit or deny commands. Using the any keyword with a permit command could cause extreme problems if a packet enters your router and is destined for a router that is not configured for encryption. This would cause your router to attempt to set up an encryption session with a nonencrypting router.

If you incorrectly use the any keyword with a deny command, you might inadvertently prevent all packets from being encrypted, which could present a security risk.

Examples

    1. Example of an Inappropriately Configured Access List

ip access-list extended Router1cryptomap10
  deny UDP any any
  permit UDP 192.168.33.145  0.0.0.15  172.31.0.0  0.0.255.255 
  permit UDP 192.168.33.145  0.0.0.15  10.0.0.0  0.255.255.255

    2. Another Example of an Inappropriately Configured Access List

ip access-list extended Router1cryptomap10
  permit UDP 192.168.33.145  0.0.0.15  172.31.0.0  0.0.255.255 
  permit UDP 192.168.33.145  0.0.0.15  10.0.0.0  0.255.255.255
  permit UDP any any

    3. Example of a Correctly Configured Access List

ip access-list extended Router1cryptomap10
  permit UDP 192.168.33.145  0.0.0.15  172.31.0.0  0.0.255.255 
  permit UDP 192.168.33.145  0.0.0.15  10.0.0.0  0.255.255.255

Related Commands

You can use the master indexes or search online to find documentation of related commands.

access-list (encryption)
deny
ip access-list extended (encryption)
show ip access-list

set algorithm 40-bit-des

To specify a 40-bit Data Encryption Standard (DES) algorithm type within a crypto map definition, use the set algorithm 40-bit-des crypto map configuration command. Use the no form of this command to disable a 40-bit DES algorithm type within a crypto map definition.

set algorithm 40-bit-des [cfb-8 | cfb-64]
no set algorithm 40-bit-des [cfb-8 | cfb-64]

Syntax Description

cfb-8

(Optional) Selects the 8-bit Cipher FeedBack (CFB) mode of the 40-bit DES algorithm. If no CFB mode is specified when the command is issued, 64-bit CFB mode is the default.

cfb-64

(Optional) Selects the 64-bit CFB mode of the 40-bit DES algorithm. If no CFB mode is specified when the command is issued, 64-bit CFB mode is the default.

Default

If no DES algorithm is specified within a crypto map, all globally enabled DES algorithms will be matched to the map by default. Refer to the crypto cisco algorithm 40-bit-des or crypto cisco algorithm des command descriptions to learn about globally enabling DES algorithms.

Command Mode

Crypto map configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2.

Use this command to specify 40-bit DES algorithm types for a given crypto map definition. Forty-bit DES algorithms use a 40-bit DES key. The DES algorithms specified within a crypto map definition will be used to encrypt/decrypt all traffic at an interface when the crypto map is applied to the interface.


Note If you are running an exportable image, you can only use 40-bit variations of DES. You cannot enable or use the basic DES algorithms, which are not available with exportable images.

Example

The following example defines a 40-bit DES algorithm type for a crypto map:

Router1(config)# crypto map Research 10
Router1(config-crypto-map)# set algorithm 40-bit-des cfb-8

Related Commands

You can use the master indexes or search online to find documentation of related commands.

crypto map (global configuration)
set algorithm des
show crypto map
show crypto mypubkey

set algorithm des

To enable basic Data Encryption Standard (DES) algorithm types within a crypto map definition, use the set algorithm des crypto map configuration command. Use the no form of this command to disable a basic DES algorithm type within a crypto map definition.

set algorithm des [cfb-8 | cfb-64]
no set algorithm des [cfb-8 | cfb-64]

Syntax Description

cfb-8

(Optional) Selects the 8-bit Cipher FeedBack (CFB) mode of the basic DES algorithm. If no CFB mode is specified when the command is issued, 64-bit CFB mode is the default.

cfb-64

(Optional) Selects the 64-bit CFB mode of the basic DES algorithm. If no CFB mode is specified when the command is issued, 64-bit CFB mode is the default.

Default

If no DES algorithm is specified within a crypto map, all globally enabled DES algorithms will be matched to the map by default. Refer to the crypto cisco algorithm 40-bit-des or crypto cisco algorithm des command descriptions to learn about globally enabling DES algorithms.

Command Mode

Crypto map configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2.

Use this command to specify basic DES algorithm types for a given crypto map definition. Basic DES algorithms use a 56-bit DES key. The DES algorithms specified within a crypto map definition will be used to encrypt/decrypt all traffic at an interface when the crypto map is applied to the interface.


Note If you are running an exportable image, you can only use 40-bit variations of DES. You cannot enable or use the basic DES algorithms, which are not available with exportable images.

Example

The following example defines a DES algorithm type for a crypto map:

Router1(config)# crypto map Research 10
Router1(config-crypto-map)# set algorithm des cfb-8

Related Commands

You can use the master indexes or search online to find documentation of related commands.

crypto map (global configuration)
set algorithm 40-bit-des
show crypto map
show crypto mypubkey

set peer

To specify a peer encrypting router within a crypto map definition, use the set peer crypto map configuration command. Use the no form of this command to eliminate a peer encrypting router from a crypto map definition.

set peer key-name
no set peer key-name

Syntax Description

key-name

Identifies the crypto engine of the peer encrypting router.

Default

No peer is defined by default.

Command Mode

Crypto map configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2.

This command is also documented in the chapter "IPSec Network Security Commands" where it has slightly different functionality.

Use this command to specify a peer encrypting router as the remote encryption route endpoint for a given crypto map definition.

Example

The following example creates a crypto map and defines a peer router for the map:

Router1(config)# crypto map Research 10
Router1(config-crypto-map)# set peer Router2ESA.HQ

Related Commands

You can use the master indexes or search online to find documentation of related commands.

crypto map (global configuration)
show crypto map
show crypto mypubkey

show crypto algorithms

The show crypto cisco algorithms command replaces this command. Refer to the description of the show crypto cisco algorithms command for more information.

show crypto card

To view the operational status of an Encryption Service Adapter (ESA), use the show crypto card privileged EXEC command. This command is available only on Cisco 7200, RSP7000, or 7500  series routers with an installed ESA.

show crypto card [slot | vip]

Syntax Description

slot

(Optional) This argument is available only on Cisco 7200, RSP7000, and 7500 series routers.

Identifies the ESA to show. Use the chassis slot number of the VIP2 containing the ESA.

vip

(Optional) This keyword is only available on the Cisco Catalyst 5000 series switch. It identifies the Versatile Interface Processor on the Cisco Catalyst  5000 series switch.

Command Mode

Privileged EXEC

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2. The vip keyword was added in Cisco IOS Release 12.0.

Sample Display

The following is sample output from the show crypto card command:

Router1# show crypto card 1
Crypto card in slot: 1
Tampered:        No
Xtracted:        No
Password set:    Yes
DSS Key set:     Yes
FW version:            5049702

The following is sample output from the show crypto card command for the Versatile Interface Processor on a Cisco Catalyst 5000 series switch:

Router1# show crypto card vip
Crypto card in slot: vip
Tampered:        No
Xtracted:        No
Password set:    Yes
DSS Key set:     Yes
FW version:            5049702

Table 20 explains each field.


Table 20: Show Crypto Card Field Descriptions
Field Description

Tampered

"Yes" indicates that somebody attempted to physically remove the tamper shield cover from the ESA card. Such an action causes the ESA card to clear its memory, similar to issuing the crypto key zeroize dss command for the ESA.

Xtracted

"Yes" indicates that the ESA card had been extracted (removed) from the router.

Password set

"Yes" indicates that the ESA card password has already been set. This password is set with the crypto card clear-latch or crypto key generate dss command, and is required for subsequent issues of the crypto card clear-latch and crypto key generate dss commands.

DSS Key set

"Yes" indicates that DSS keys are generated and ready for use. DSS keys are generated using the crypto key generate dss command.

FW version

Version number of the firmware running on the ESA card.

show crypto cisco algorithms

To view which Data Encryption Standard (DES) algorithm types are globally enabled for your router, use the show crypto cisco algorithms privileged EXEC command. This displays all basic DES and 40-bit DES algorithm types globally enabled.

show crypto cisco algorithms

Syntax Description

This command has no arguments or keywords.

Command Mode

Privileged EXEC

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2.

Sample Display

The following is sample output from the show crypto cisco algorithms command:

Router1# show crypto cisco algorithms
  des cfb-8

Related Commands

You can use the master indexes or search online to find documentation of related commands.

crypto cisco algorithm 40-bit-des
crypto cisco algorithm des

show crypto cisco connections

To view current and pending encrypted session connections, use the show crypto cisco connections privileged EXEC command.

show crypto cisco connections

Syntax Description

This command has no arguments or keywords.

Command Mode

Privileged EXEC

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2.

Sample Display

The following is sample output from the show crypto cisco connections command:

Router1# show crypto cisco connections
Pending Connection Table
PE              UPE             Timestamp                   Conn_id
172.21.115.22   172.21.115.18   Mar 01 1993 00:01:09   -1
 
Connection Table
PE              UPE             Conn_id New_id  Alg                   Time
172.21.115.22   172.21.115.18   -1      1              DES_56_CFB64     Not Set
                flags:PEND_CONN 

Table 21 explains each field.


Table 21: Show Crypto Cisco Connections Field Descriptions
Field Description

PE

"Protected Entity." This shows a representative source IP address as specified in the crypto map's encryption access list. This IP address can be any host that matches a source in the encryption access list being used in the connection.

UPE

"Unprotected Entity." This shows a representative destination IP address as specified in the crypto map's encryption access list. This IP address can be any host that matches a destination in the encryption access list that is being used in the connection.

Timestamp

Identifies the time when the connection was initiated.

Conn_id

A number used to identify and track the connection. This can be a positive integer value from 1 to 299, or any negative integer value. Each connection is assigned a negative connection-id when the connection is pending (being set up). Once the connection is established, a positive connection-id is assigned to the connection.

New_id

Lists the connection-id number that will be assigned to a connection, after the connection is set up. The New_id value will be a positive number from 0 to 299.

If the New_id value is 0, there is no pending connection.

If the New_id value is a positive integer, a connection is pending.

As soon as the pending connection has been established, the New_id value will be transferred to the Conn_id for the established connection, and New_id will be reset to 0.

Alg

Identifies the DES encryption algorithm used for the current connection.

DES_56_CFB8 = basic DES (56 bit) with 8-bit Cipher FeedBack (CFB)

DES_56_CFB64 = basic DES (56 bit) with 64-bit CFB

DES_40_CFB8 = 40-bit DES with 8-bit CFB

DEC_40_CFB64 = 40-bit DES with 64-bit CFB

Unknown = no connection

Time

Identifies the time when the connection was initiated.

flags

PEND_CONN = identifies the table entry as a pending connection

XCHG_KEYS = the connection has timed out; for encrypted communication to occur again, the router must first exchange DH numbers and generated a new session (DES) key

TIME_KEYS = the encrypted communication session is currently in progress (a session key is currently installed, and the session is counting down to timeout)

BAD_CONN = no existing or pending connection exists for this table entry

UNK_STATUS = invalid status (error)

show crypto cisco key-timeout

To view the current setting for the duration of encrypted sessions, use the show crypto cisco key-timeout privileged EXEC command.

show crypto cisco key-timeout

Syntax Description

This command has no arguments or keywords.

Command Mode

Privileged EXEC

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2.

Sample Display

The following is sample output from the show crypto cisco key-timeout command:

Router1# show crypto cisco key-timeout
Session keys will be re-negotiated every 120 minutes.

Related Commands

You can use the master indexes or search online to find documentation of related commands.

crypto cisco key-timeout

show crypto cisco pregen-dh-pairs

To view the number of Diffie-Hellman (DH) number pairs currently generated, use the show crypto cisco pregen-dh-pairs privileged EXEC command.

show crypto cisco pregen-dh-pairs [slot | rsm | vip]

Syntax Description

slot

(Optional) Identifies the crypto engine. This argument is available only on Cisco 7200, RSP7000, and 7500 series routers.

If no slot is specified, the Cisco  IOS crypto engine will be selected.

Use the chassis slot number of the crypto engine location. For the Cisco IOS crypto engine, this is the chassis slot number of the Route Switch Processor (RSP). For the VIP2 crypto engine, this is the chassis slot number of the VIP2. For the ESA crypto engine, this is the chassis slot number of the ESA (Cisco  7200) or of the VIP2 (Cisco  RSP7000 and 7500).

rsm

(Optional) This keyword is only available on the Cisco Catalyst 5000 series switch. It identifies the Route Switch Module on the Cisco Catalyst 5000 series switch.

vip

(Optional) This keyword is only available on the Cisco Catalyst 5000 series switch. It identifies the Versatile Interface Processor on the Cisco Catalyst  5000 series switch.

Command Mode

Privileged EXEC

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2. The rsm and vip keywords were added in Cisco IOS Release 12.0.

Sample Display

The following is sample output from the show crypto cisco pregen-dh-pairs command:

Router1# show crypto cisco pregen-dh-pairs
Number of pregenerated DH pairs: 1

The number one shown in the output indicates that there is one DH number pair ready and available for the next encrypted connection.

The following is sample output from the show crypto cisco pregen-dh-pairs command for a Cisco Catalyst 5000 series switch:

Router1# show crypto cisco pregen-dh-pairs rsm
Number of pregenerated DH pairs for slot rsm: 1

The following is sample output from the show crypto cisco pregen-dh-pairs command (using the slot argument) for a Cisco 7500 series router:

Router1# show crypto cisco pregen-dh-pairs 2
Number of pregenerated DH pairs for slot 2: 1

If you do not enter a slot number on a Cisco 7500 series router, the default is the slot number of the RSP.

Related Commands

You can use the master indexes or search online to find documentation of related commands.

crypto cisco pregen-dh-pairs

show crypto connections

The show crypto cisco connections command replaces this command. Refer to the description of the show crypto cisco connections command for more information.

show crypto engine brief

To view all crypto engines within a Cisco 7200, RSP7000, or 7500 series router, use the show crypto engine brief privileged EXEC command.

show crypto engine brief

Syntax Description

This command has no arguments or keywords.

Command Mode

Privileged EXEC

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2.

This command is only available on Cisco 7200, RSP7000, and 7500 series routers.

Sample Display

The following is sample output from the show crypto engine brief command. In this example, the router has two crypto engines: a Cisco IOS crypto engine and an Encryption Service Adapter (ESA) crypto engine. Both crypto engines have Digital Signature Standard (DSS) keys generated.

Router1# show crypto engine brief
crypto engine name:    Router1ESA
crypto engine type:    ESA
crypto engine state:   dss key generated
crypto firmware version:    5049702
crypto engine in slot: 1
crypto engine name:    Router1IOS
crypto engine type:    software
crypto engine state:   dss key generated
crypto lib version:     2.0.0
crypto engine in slot: 4

Table 22 explains each field.


Table 22: Show Crypto Engine Brief Field Descriptions
Field Description

crypto engine name

Name of the crypto engine as assigned with the key-name argument in the crypto key generate dss command.

crypto engine type

If "software" is listed, the crypto engine resides in either the Route Switch Processor (RSP) (the Cisco IOS crypto engine) or in a second-generation Versatile Interface Processor (VIP2).

If "crypto card" or "ESA" is listed, the crypto engine is associated with an Encryption Service Adapter (ESA).

crypto engine state

The state "installed" indicates that a crypto engine is located in the given slot, but is not configured for encryption.

The state "dss key generated" indicates the crypto engine found in that slot has DSS keys already generated.

In a Cisco 7200 series router, the state "installed (ESA pending)" indicates that the ESA crypto engine will be replaced with the Cisco  IOS crypto engine as soon as it becomes available.

crypto firmware version

Version number of the crypto firmware running on the ESA.

crypto lib version

Version number of the crypto library running on the router.

crypto engine in slot

Chassis slot number of the crypto engine. For the Cisco IOS crypto engine, this is the chassis slot number of the Route Switch Processor (RSP). For the VIP2 crypto engine, this is the chassis slot number of the VIP2. For the ESA crypto engine, this is the chassis slot number of the ESA (Cisco  7200) or of the VIP2 (Cisco  RSP7000 and 7500).

Related Commands

You can use the master indexes or search online to find documentation of related commands.

show crypto engine configuration

show crypto engine configuration

To view the Cisco IOS crypto engine of your router, use the show crypto engine configuration privileged EXEC command.

show crypto engine configuration

Syntax Description

This command has no arguments or keywords.

Command Mode

Privileged EXEC

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2.

Sample Display

The following is sample output from the show crypto engine configuration command for a Cisco  2500 series router:

Router1# show crypto engine configuration
engine name:        Router1
engine type:        software
serial number:      01709642
platform:           rp crypto engine
Encryption Process Info:
input queue top:    75
input queue bot:    75
input queue count:  0

The following is sample output from the show crypto engine configuration command for a Cisco  7500 series router:

Router2# show crypto engine configuration
engine name:        Router2IOS
engine type:        software
serial number:      02863239
platform:           rsp crypto engine
Encryption Process Info:
input queue top:    44
input queue bot:    44
input queue count:  0

Table 23 explains each field.


Table 23: Show Crypto Engine Configuration Field Descriptions
Field Description

engine name

Name of the crypto engine as assigned with the key-name argument in the crypto key generate dss command.

engine type

Should always display "software."

serial number

Serial number of the Route Processor or Route Switch Processor.

platform

If the router is a Cisco RSP7000 or 7500 series router, this field will display "rsp crypto engine."

If the router is a Cisco 7200 series router, this field will display "rp crypto engine."

input queue top (Encryption Process Info)

The queue location of the (inbound) packet next in line to be processed (decrypted). This packet will come off the top of the circular queue next. (This field is useful for debugging purposes.)

input queue bot (Encryption Process Info)

The queue location of the (inbound) packet last in line to be processed (decrypted). The packet is the most recently received and queued at the bottom of the circular queue. (This field is useful for debugging purposes.)

input queue count (Encryption Process Info)

The total number of packets currently in the circular queue. These are inbound packets waiting for processing. (This field is useful for debugging purposes.)

Related Commands

You can use the master indexes or search online to find documentation of related commands.

show crypto engine brief

show crypto engine connections active

To view the current active encrypted session connections for all crypto engines, use the show crypto engine connections active privileged EXEC command.

show crypto engine connections active [slot | rsm | vip]

Syntax Description

slot

(Optional) Identifies the crypto engine. This argument is available only on Cisco 7200, RSP7000, and 7500 series routers.

If no slot is specified, the Cisco IOS crypto engine will be selected.

Use the chassis slot number of the crypto engine location. For the Cisco IOS crypto engine, this is the chassis slot number of the Route Switch Processor (RSP). For the VIP2 crypto engine, this is the chassis slot number of the VIP2. For the ESA crypto engine, this is the chassis slot number of the ESA (Cisco  7200) or of the VIP2 (Cisco  RSP7000 and 7500).

rsm

(Optional) This keyword is only available on the Cisco Catalyst 5000 series switch. It identifies the Route Switch Module on the Cisco Catalyst 5000 series switch.

vip

(Optional) This keyword is only available on the Cisco Catalyst 5000 series switch. It identifies the Versatile Interface Processor on the Cisco Catalyst  5000 series switch.

Command Mode

Privileged EXEC

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2. The rsm and vip keywords were added in Cisco IOS Release 12.0.

Sample Display

The following is sample output from the show crypto engine connections active command:

Router1# show crypto engine connections active
Connection Interface  IP-Address    State Algorithm    Encrypt  Decrypt
2          Ethernet0  172.21.114.9  set   DES_56_CFB64 41       32
3          Ethernet1  172.29.13.2   set   DES_56_CFB64 110      65
4          Serial0    172.17.42.1   set   DES_56_CFB64 36       27

The following is sample output from the show crypto engine connections active command on a Cisco  7500 series router, where the VIP is in slot 4:

Router1# show crypto engine connections active 4
Connection Interface  IP-Address    State Algorithm    Encrypt  Decrypt
2          Ethernet0  172.21.114.9  set   DES_56_CFB64 41       32
3          Ethernet1  172.29.13.2   set   DES_56_CFB64 110      65
4          Serial0    172.17.42.1   set   DES_56_CFB64 36       27

If you do not enter a slot number on a Cisco 7500 series router, the default is the slot number of the RSP.

The following is sample output from the show crypto engine connections active command on a Cisco Catalyst 5000 series switch:

Router1# show crypto engine connections active vip
Connection Interface  IP-Address    State Algorithm    Encrypt  Decrypt
2          Ethernet0  172.21.114.9  set   DES_56_CFB64 41       32
3          Ethernet1  172.29.13.2   set   DES_56_CFB64 110      65
4          Serial0    172.17.42.1   set   DES_56_CFB64 36       27

If you do not enter a keyword on a Cisco Catalyst 5000 series switch, the default is rsm.

Table 24 explains each field.


Table 24: Show Crypto Engine Connections Active Field Descriptions
Field Description

Connection

Identifies the connection by its number. Each active encrypted session connection is identified by a positive number from 1 to 299. These connection numbers correspond to the table entry numbers.

Interface

Identifies the interface involved in the encrypted session connection. This will display only the actual interface, not a subinterface (even if a subinterface is defined and used for the connection).

IP-Address

Identifies the IP address of the interface.

Note that if a subinterface is used for the connection, this field will display "unassigned."

State

The state "set" indicates an active connection.

Algorithm

Identifies the Data Encryption Standard (DES) algorithm used to encrypt/decrypt packets at the interface.

Encrypt

Shows the total number of encrypted outbound IP packets.

Decrypt

Shows the total number of decrypted inbound IP packets.

Related Commands

You can use the master indexes or search online to find documentation of related commands.

show crypto engine connections dropped-packets

show crypto engine connections dropped-packets

To view information about packets dropped during encrypted sessions for all router crypto engines, use the show crypto engine connections dropped-packets privileged EXEC command.

show crypto engine connections dropped-packets

Syntax Description

This command has no arguments or keywords.

Command Mode

Privileged EXEC

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2.

Sample Display

The following is sample output from the show crypto engine connections dropped-packets command:

Router1# show crypto engine connections dropped-packets
Interface     IP-Address     Drop Count
Ethernet0/0   172.21.114.165 4

The Drop Count number indicates the total number of dropped packets for the lifetime of the crypto engine.

Related Commands

You can use the master indexes or search online to find documentation of related commands.

show crypto engine connections active

show crypto key mypubkey dss

To view Digital Signature Standard (DSS) public keys (for all your router crypto engines) in hexadecimal form, use the show crypto key mypubkey dss EXEC command.

show crypto key mypubkey dss

Syntax Description

This command has no arguments or keywords.

Command Mode

EXEC

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2.

Sample Display

The following is sample output from the show crypto key mypubkey dss command for a Cisco  2500 series router with a crypto engine called "Router1.branch":

Router1# show crypto key mypubkey dss
Key name: Router1
Serial number: 05706421
Usage: Signature Key
Key Data:
8F1440B9 4C860989 8791A12B 69746E27 307ACACB 62915B02 0261B58F 1F7ABB10
90CE70A9 08F86652 16B52064 37C857D4 7066DAA3 7FC33212 445275EE 542DCD06

Related Commands

You can use the master indexes or search online to find documentation of related commands.

show crypto key pubkey-chain dss

show crypto key pubkey-chain dss

To view peer router Digital Signature Standard (DSS) public keys known to your router, use the show crypto key pubkey-chain dss EXEC command.

show crypto key pubkey-chain dss [name key-name | serial serial-number]

Syntax Description

name

The name assigned when the DSS public key was created with the crypto key pubkey-chain dss command.

serial-number

The serial number of the encrypting router's public DSS key.

Command Mode

EXEC

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2.

Sample Display

The following is sample output from the show crypto key pubkey-chain dss command:

Router1# show crypto key pubkey-chain dss
Codes: M - Manually configured
Code Usage        Serial Number        Name
M    Signing        03259625                  router1

The following is sample output from the show crypto key pubkey-chain dss command using the name keyword:

Router1# show crypto key pubkey-chain dss name router1
Key name: router1
Serial number: 03259625
Usage: Signature Key
Source: Manually entered
Data:
8F1440B9 4C860989 8791A12B 69746E27 307ACACB 62915B02 0261B58F 1F7ABB10
90CE70A9 08F86652 16B52064 37C857D4 7066DAA3 7FC33212 445275EE 542DCD06

The following is sample output from the show crypto key pubkey-chain dss command using the serial-number keyword:

Router1# show crypto key pubkey-chain dss serial 03259625
Key name: router1
Serial number: 03259625
Usage: Signature Key
Source: Manually entered
Data:
8F1440B9 4C860989 8791A12B 69746E27 307ACACB 62915B02 0261B58F 1F7ABB10
90CE70A9 08F86652 16B52064 37C857D4 7066DAA3 7FC33212 445275EE 542DCD06

Related Commands

You can use the master indexes or search online to find documentation of related commands.

crypto key exchange dss
crypto key generate dss
show crypto key pubkey-chain dss

show crypto key-timeout

The show crypto cisco key-timeout command replaces this command. Refer to the description of the show crypto cisco key-timeout command for more information.

show crypto map

To view the crypto map configuration, use the show crypto map privileged EXEC command.

show crypto map [interface interface | tag map-name]

Syntax Description

interface interface

(Optional) Shows only the crypto map set applied to the specified interface.

tag map-name

(Optional) Shows only the crypto map set with the specified map-name.

Default

If no keywords are used, all crypto maps configured at the router will be displayed.

Command Mode

Privileged EXEC

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2.

This command is also documented in the chapter "IPSec Network Security Commands" where it has slightly different functionality.

Sample Display

The following is sample output from the show crypto map command performed at a Cisco  2500  series router.

Router1# show crypto map
Crypto Map "Canada" 10
        Connection Id = UNSET    (2 established,    0 failed)
        Crypto Engine = Router1IOS (2)
        Algorithm = 40-bit-des cfb-64
        Peer = Router2
        PE = 172.21.114.9
        UPE = 192.168.23.116
        Extended IP access list 101
                access-list 101 permit ip host 10.0.0.1 host 192.168.15.0
                access-list 101 permit ip host 172.21.114.9 host 192.168.23.116

The following is sample output from the show crypto map command performed at a Cisco  7500  series router. Two crypto maps are shown: a crypto map named ResearchSite with subdefinitions 10 and 20, and another crypto map named HQ.

Router2# show crypto map
Crypto Map "ResearchSite" 10
        Connection Id = 6        (6 established,    0 failed)
        Crypto Engine = Router2IOS (4)
        Algorithm = 40-bit-des cfb-64
        Peer = Router1
        PE = 192.168.15.0
        UPE = 10.0.0.1
        Extended IP access list 102
                access-list 102 permit ip host 192.168.15.0 host 10.0.0.1
Crypto Map "ResearchSite" 20
        Connection Id = UNSET    (0 established,    0 failed)
        Crypto Engine = Router2IOS (4)
        Algorithm = 56-bit-des cfb-64
        Peer = Router3
        PE = 192.168.129.33
        UPE = 172.21.114.165
        Extended IP access list 103
                access-list 103 permit ip host 192.168.129.33 host 172.21.114.165
Crypto Map "HQ" 10
        Connection Id = UNSET    (3 established,    0 failed)
        Crypto Engine = Router2ESA (2)
        Algorithm = 56-bit-des cfb-64
        Peer = Eggplant
        PE = 192.168.129.10
        UPE = 10.1.2.3
        Extended IP access list 104
                access-list 104 permit ip host 192.168.129.10 host 10.1.2.3

The command output separately lists each crypto map subdefinition.

If more than one subdefinition exists for a crypto map, each subdefinition will be listed separately by sequence number (per the seq-num argument of the crypto map (global configuration) command). The sequence number is shown following the crypto map name.

Table 25 explains each field.


Table 25: Show Crypto Map Field Descriptions
Field Description

Connection Id

Identifies the connection by its number. Each active encrypted session connection is identified by a positive number from 1 to 299. A value of UNSET indicates that no connection currently exists and is using the crypto map.

established

Indicates the total number of encrypted connections that have been successfully established using the crypto map.

failed

Indicates the total number of attempted encrypted connections that failed to be established while using the crypto map.

Crypto Engine

Lists the name of the governing crypto engine, followed by the crypto engine slot number in parentheses.

The slot number could be the Route Switch Processor (RSP) slot number, indicating a Cisco IOS crypto engine, or a second-generation Versatile Interface Processor (VIP2) slot number, indicating a VIP2 or an ESA crypto engine, or (Cisco 7200 only) an ESA slot number, indicating an ESA crypto engine.

(Not displayed on routers other than Cisco 7200, RSP7000, or 7500  series routers.)

Algorithm

Indicates the type of DES encryption algorithm used by the crypto map.

Peer

Indicates the name of the crypto map of the remote peer encrypting router.

PE

"Protected Entity." This shows a representative source IP address as specified in the crypto map's encryption access list. This IP address can be any host that matches a source in the encryption access list that is being used in the connection.

UPE

"Unprotected Entity." This shows a representative destination IP address as specified in the crypto map's encryption access list. This IP address can be any host that matches a destination in the encryption access list that is being used in the connection.

Extended IP access list

Lists the access list associated with the crypto map. If no access list is associated, the message "No matching address list set" is displayed.

Related Commands

You can use the master indexes or search online to find documentation of related commands.

crypto map (global configuration)
crypto map (interface configuration)

show crypto mypubkey

The show crypto key mypubkey dss command replaces this command. Refer to the description of the show crypto key mypubkey dss command for more information.

show crypto pregen-dh-pairs

The show crypto cisco pregen-dh-pairs command replaces this command. Refer to the description of the show crypto cisco pregen-dh-pairs command for more information.

show crypto pubkey

The show crypto key pubkey-chain dss command replaces this command. Refer to the description of the show crypto key pubkey-chain dss command for more information.

show crypto pubkey name

The show crypto key pubkey-chain dss command replaces this command. Refer to the description of the show crypto key pubkey-chain dss command for more information.

show crypto pubkey serial

The show crypto key pubkey-chain dss command replaces this command. Refer to the description of the show crypto key pubkey-chain dss command for more information.

test crypto initiate-session

To set up a test encryption session, use the test crypto initiate-session privileged EXEC command.

test crypto initiate-session src-ip-addr dst-ip-addr map-name seq-num

Syntax Description

src-ip-addr

IP address of source host. Should be included in an encryption access list definition as a valid IP address source address.

dst-ip-addr

IP address of destination host. Should be included in an encryption access list definition as a valid IP address destination address.

map-name

Names the crypto map to be used.

seq-num

Names the crypto map sequence number.

Command Mode

Privileged EXEC

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2.

Use this command to set up a test encryption session. This command can be used after you have completed all the essential encryption configuration tasks for your router. After issuing this command, use the show crypto cisco connections command to verify the status of the connection just created.

Example

The following example sets up and verifies a test encryption session.

"Router1" sets up a test encryption session with "Router2" and then views the connection status to verify a successful encrypted session connection.

Step 1 "Router1" sets up a test encryption connection with "Router2."

Router1# test crypto initiate-session 192.168.3.12 192.168.204.110 Router2ESA.TXbranch 
10
Sending CIM to: 192.168.204.110 from: 192.168.3.12.
Connection id: -1

Notice the connection-id value is -1. A negative value indicates that the connection is being set up. (CIM stands for Connection Initiation Message.)

Step 2 "Router1" issues the show crypto cisco connections command.

Router1# show crypto cisco connections
Pending Connection Table
PE              UPE             Timestamp                   Conn_id
192.168.3.10    192.168.204.100 Mar 01 1993 00:01:09    -1
Connection Table
PE              UPE             Conn_id New_id  Alg     Time
192.168.3.10    192.168.204.100 -1      1       0             Not Set
                flags:PEND_CONN 

Look in the Pending Connection Table for an entry with a Conn_id value equal to the previously shown connection-id value---in this case, look for an entry with a Conn_id value of -1. If this is the first time an encrypted connection has been attempted, there will only be one entry (as shown).

Note the PE and UPE addresses for this entry.

Step 3 Now, look in the Connection Table for an entry with the same PE and UPE addresses. In this case, there is only one entry in both tables, so finding the right Connection Table entry is easy.

Step 4 At the Connection Table entry, note the Conn_id and New_id values. In this case, Conn_id equals -1, and New_id equals 1. The New_id value of 1 will be assigned to the test connection when setup is complete. (Positive numbers are assigned to established, active connections.)

Step 5 "Router1" waits a moment for the test connection to set up, and then reissues the show crypto cisco connections command.

Router1# show crypto cisco connections
Connection Table
PE              UPE             Conn_id New_id  Alg     Time
192.168.3.10    192.168.204.100 1       0       10      Mar 01 1993 00:02:00
                flags:TIME_KEYS

Again, look for the Connection Table entry with the same PE and UPE addresses as shown before. In this entry, notice that the Conn_id value has changed to 1. This indicates that our test connection has been successfully established, because the Conn_id value has changed to match the New_id value of Step 4. Also, New_id has been reset to 0 at this point, indicating that there are no new connections currently being set up.

In the command output of Step 5, there is no longer a Pending Connection Table being displayed, which indicates that there are currently no pending connections. This is also indicates that the test connection was successfully established.

The show crypto cisco connections command is explained in greater detail previously in this chapter, including a description of how connection-ids are assigned during and following connection setup.

Related Commands

You can use the master indexes or search online to find documentation of related commands.

show crypto cisco connections



hometocprevnextglossaryfeedbacksearchhelp
Copyright 1989-1998 © Cisco Systems Inc.