Cisco CRS-1 - Carrier Routing System Router Configuration Manual page 134

How to Implement IKE Security Protocol Configurations for IPSec Networks
Configuring ISAKMP Preshared Keys in ISAKMP Keyrings
This task configures ISAKMP preshared keys in ISAKMP keyrings.
Prerequisites
To configure ISAKMP preshared keys in ISAKMP keyrings, perform these tasks at each peer that uses
preshared keys in an IKE policy:
•
•
•
SUMMARY STEPS
1.
2.
3.
4.
DETAILED STEPS
Command or Action
Step 1
configure
Example:
RP/0/RP0/CPU0:router# configure
Step 2
crypto keyring keyring-name [vrf fvrf-name]
Example:
RP/0/RP0/CPU0:router(config)# crypto keyring
vpnkeyring
RP/0/RP0/CPU0:router(config-keyring)#
Cisco IOS XR System Security Configuration Guide for the Cisco CRS-1 Router
SC-128
Set the ISAKMP identity of each peer. Each peer's identity should be set either to its hostname or
by its IP address. By default, a peer's identity is set to its IP address. Setting ISAKMP identities is
described in the "Configuring ISAKMP Identity" section on page
Specify the shared keys at each peer. Note that a given preshared key is shared between two peers.
At a given peer you could specify the same key to share with multiple remote peers; however, a more
secure approach is to specify different keys to share between different pairs of peers.
You must specify the support for masked preshared keys. Remember to repeat these tasks at each
peer that uses preshared keys in an IKE policy.
configure
crypto keyring keyring-name [vrf fvrf-name]
pre-shared-key {address address [mask] | hostname hostname} key key
end
or
commit
Implementing Internet Key Exchange Security Protocol on Cisco IOS XR Software
Purpose
Enters global configuration mode.
Defines a crypto keyring during IKE authentication.
Use the keyring-name argument to specify the name of
•
the crypto keyring.
(Optional) Use the vrf keyword to specify that the front
•
door virtual routing and forwarding (FVRF) name is the
keyring that is referenced.
122.
OL-20382-01