Command:  

crypto isakmp key


Mode:

Router(config)#


Syntax:

crypto isakmp key keystring address peer-address [mask]

crypto isakmp key keystring hostname peer-hostname

no crypto isakmp key keystring address peer-address

no crypto isakmp key keystring hostname peer-hostname

Syntax Description:

address

Use this keyword if the remote peer Internet Security Association and Key Management Protocol (ISAKMP) identity was set with its IP address.

hostname

Use this keyword if the remote peer ISAKMP identity was set with its hostname.

keystring

Specify the preshared key. Use any combination of alphanumeric characters up to 128 bytes. This preshared key must be identical at both peers.

peer-address

Specify the IP address of the remote peer.

peer-hostname

Specify the host name of the remote peer. This is the peer's host name concatenated with its domain name (for example, myhost.example.com).

mask

(Optional) Specify the subnet address of the remote peer. (The argument can be used only if the remote peer ISAKMP identity was set with its IP address.)

 

Command Description:

To configure a preshared authentication key, use the crypto isakmp key global configuration command. You must configure this key whenever you specify preshared keys in an Internet Key Exchange policy. To delete a preshared authentication key, use the no form of this command.


Example:

In the following example, the remote peer "RemoteRouter" specifies an ISAKMP identity by address:

crypto isakmp identity address

In the following example, the local peer "LocalRouter" also specifies an ISAKMP identity, but by host name:

crypto isakmp identity hostname

Now, the preshared key must be specified at each peer.

In the following example, the local peer specifies the preshared key and designates the remote peer by its IP address and a mask:

crypto isakmp key sharedkeystring address 172.21.230.33 255.255.255.255

In the following example, the remote peer specifies the same preshared key and designates the local peer by its host name:

crypto isakmp key sharedkeystring hostname LocalRouter.example.com

The remote peer also maps multiple IP addresses to the same host name for the local peer, because the local peer has two interfaces, either of which might be used during an IKE negotiation. These two interfaces' IP addresses (10.0.0.1 and 10.0.0.2) are both mapped to the local peer's host name.

ip host LocalRouter.example.com 10.0.0.1 10.0.0.2

(This mapping would not have been necessary if LocalRouter.example.com was already mapped in DNS.)

In this example, a remote peer specifies its ISAKMP identity by address, and the local peer specifies its ISAKMP identity by host name. Depending on the circumstances in your network, both peers could specify their ISAKMP identity by address, or both by host name.
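
A configuration review check for the syntax and examples above, added here as an illustration and not part of the Cisco reference. It parses crypto isakmp key and ip host lines and reports keys that break the 128-byte alphanumeric rule, a mask given with a hostname, hostname peers with no ip host mapping (so DNS must resolve them), and masks that cover more than one address. The function name, finding labels and the last two sample lines are assumptions made for this example.

```python
import ipaddress
import re

# The two positive forms documented above; "no ..." removal lines are ignored.
KEY_RE = re.compile(r"^crypto isakmp key (\S+) (address|hostname) (\S+)(?: (\S+))?$")
HOST_RE = re.compile(r"^ip host (\S+) (.+)$")

def audit(config):
    """Return sorted (peer, finding) pairs; key values are never echoed."""
    entries, hosts = [], set()
    for raw in config.splitlines():
        line = " ".join(raw.split())  # tolerate extra spaces between tokens
        if m := KEY_RE.match(line):
            entries.append(m.groups())
        elif m := HOST_RE.match(line):
            hosts.add(m[1].lower())
    findings = []
    for key, kind, peer, mask in entries:
        if len(key.encode()) > 128:
            findings.append((peer, "KEY_TOO_LONG"))  # documented limit is 128 bytes
        if not (key.isascii() and key.isalnum()):
            findings.append((peer, "KEY_NOT_ALPHANUMERIC"))
        if kind == "hostname":
            if mask:
                findings.append((peer, "MASK_WITH_HOSTNAME"))  # mask needs an address identity
            if peer.lower() not in hosts:
                findings.append((peer, "NO_IP_HOST_DNS_REQUIRED"))
            continue
        try:
            net = ipaddress.ip_network(f"{peer}/{mask or '255.255.255.255'}", strict=False)
        except ValueError:
            findings.append((peer, "BAD_ADDRESS_OR_MASK"))
            continue
        if net.num_addresses > 1:
            findings.append((peer, "MASK_COVERS_MULTIPLE_PEERS"))  # one key for a whole range
    return sorted(findings)

# Constructed sample: the first three lines are the page's examples, the last two are made up.
SAMPLE = """\
crypto isakmp key sharedkeystring address 172.21.230.33  255.255.255.255
crypto isakmp key sharedkeystring hostname LocalRouter.example.com
ip host LocalRouter.example.com 10.0.0.1 10.0.0.2
crypto isakmp key branch-key! address 192.0.2.0 255.255.255.0
crypto isakmp key otherkey hostname Spoke.example.com
"""

if __name__ == "__main__":
    for peer, finding in audit(SAMPLE):
        print(f"{peer}: {finding}")
```

The check only recognizes the command forms listed under Syntax; any other line in the configuration is skipped.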


Misconceptions:

None


Related commands:

 

crypto isakmp identity


© Cisco Systems, Inc. 2001, 2002
World Wide Education





