Parameters          Descriptions

Main Mode Exchange
  MM_NO_STATE       ISAKMP SA has only just been created and no state is yet established.
  MM_SA_SETUP       Peers have agreed on settings for the ISAKMP SA.
  MM_KEY_EXCH       Peers have exchanged Diffie-Hellman public keys and built a shared secret. The ISAKMP SA is not authenticated.
  MM_KEY_AUTH       ISAKMP SA is authenticated. If the XSR began this exchange, this state transitions immediately to QM_IDLE and a Quick Mode exchange begins.

Aggressive Mode Exchange
  AG_NO_STATE       ISAKMP SA has only just been created and no state is yet established.
  AG_INIT_EXCH      Peers have made the first exchange in Aggressive Mode but the SA is not authenticated.
  AG_AUTH           ISAKMP SA has been authenticated. If the XSR began this exchange, this state transitions immediately to QM_IDLE and a Quick Mode exchange begins.

Quick Mode Exchange
  QM_IDLE           ISAKMP SA is quiescent. It remains authenticated with its peer and may be used for later Quick Mode exchanges.

IPSec Commands
This section describes commands that configure the IPSec protocol, which provides anti-replay protection as well as data authentication and encryption.

access-list
This command creates an access list which is used to define which IP traffic will and will not be protected by the crypto process. ACLs associated with IPSec crypto map entries have these primary functions:
• Select outbound traffic to be protected by IPSec: the keyword permit equates with protected traffic.
• Indicate the data flow to be protected by the new Security Associations (SAs) - specified by a single permit entry - when initiating negotiations for IPSec SAs.
• Process inbound traffic to filter out and discard traffic that should have been protected by IPSec.
• Determine whether or not to accept requests for IPSec SAs on behalf of the requested data flows when processing IKE negotiation from the IPSec peer (negotiation is done only for ipsec-isakmp crypto map entries). In order to be accepted, if the peer initiates IPSec negotiation, it must specify a data flow that is "permitted" by a crypto access list associated with an ipsec-isakmp crypto map entry.

14-106 Configuring the VPN
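The four crypto ACL functions listed under access-list, as an added Python model that is not XSR code: it assumes first-match, implicit-deny ACL semantics with CIDR source/destination entries, and uses a constructed sample list to show outbound selection, inbound clear-text filtering, and acceptance of a peer-initiated SA proposal.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed model of a crypto access list: an ordered list of entries, first
# match wins, implicit deny when nothing matches (assumed conventional ACL semantics).
@dataclass(frozen=True)
class Entry:
    action: str   # "permit" = hand the flow to IPsec, "deny" = send in the clear
    src: str      # source network, CIDR notation
    dst: str      # destination network, CIDR notation

def first_match(acl, src_ip, dst_ip):
    """Action of the first entry matching this source/destination pair, else 'deny'."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for e in acl:
        if s in ip_network(e.src) and d in ip_network(e.dst):
            return e.action
    return "deny"

def outbound_disposition(acl, src_ip, dst_ip):
    """Function 1: permit selects outbound traffic for IPsec protection."""
    return "protect" if first_match(acl, src_ip, dst_ip) == "permit" else "clear"

def inbound_disposition(acl, src_ip, dst_ip, arrived_protected):
    """Function 3: clear-text inbound traffic that the ACL says should have been
    protected is discarded. The ACL is read in the mirrored direction, because an
    inbound packet's source is the far end of the protected flow."""
    should_be_protected = first_match(acl, dst_ip, src_ip) == "permit"
    return "discard" if should_be_protected and not arrived_protected else "accept"

def accept_peer_proposal(acl, peer_src_net, peer_dst_net):
    """Function 4: an IPsec SA request from the peer is accepted only if the data flow
    it proposes (written from the peer's side) lies inside a permit entry of the local
    ACL read in the mirrored direction."""
    local_src, local_dst = ip_network(peer_dst_net), ip_network(peer_src_net)
    for e in acl:
        if local_src.subnet_of(ip_network(e.src)) and local_dst.subnet_of(ip_network(e.dst)):
            return e.action == "permit"
    return False

# Constructed example: protect traffic from 10.1.0.0/16 to 10.2.0.0/16, but leave
# traffic that stays inside 10.1.0.0/16 in the clear.
SAMPLE_ACL = [
    Entry("deny", "10.1.0.0/16", "10.1.0.0/16"),
    Entry("permit", "10.1.0.0/16", "10.2.0.0/16"),
]
```

The inbound check is what catches a peer (or an attacker on the path) sending a flow in the clear that the policy says must arrive inside IPsec.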