Configuring IPSec Manually

Sep 28, 2009 by alperen



You can configure the IPSec keys manually. This section provides a brief overview of how this is done and why manual key use isn’t generally recommended.

Use the set session-key command in Crypto Map Configuration mode to specify the IPSec session keys manually within a crypto map entry. The command is only available for ipsec-manual crypto map entries. They aren’t used with ipsec-isakmp entries because the SAs and corresponding keys are automatically established via the IKE negotiation. Use the no form of this command to remove IPSec session keys from a crypto map entry. The command uses the following syntax:

Rtr1(config)#crypto map map-name seq-num ipsec-manual
Rtr1(config-crypto-map)#set session-key {inbound | outbound} ah spi hex-key-string
Rtr1(config-crypto-map)#set session-key {inbound | outbound} esp spi cipher hex-key-string [authenticator hex-key-string]
Rtr1(config-crypto-map)#no set session-key {inbound | outbound} ah
Rtr1(config-crypto-map)#no set session-key {inbound | outbound} esp

inbound

Sets the inbound IPSec session key. Both inbound and outbound must be set.

outbound

Sets the outbound IPSec session key. Both inbound and outbound must be set.

ah

Sets the IPSec session key for the AH protocol. Use if the crypto map entry transform set includes an AH transform.

esp

Sets the IPSec session key for the ESP. Use if the crypto map entry transform set includes an ESP transform.

spi

Specifies the security parameter index (SPI), a number used to uniquely identify a security association. SPI is an arbitrary value assigned by the admin between 256 and 4,294,967,295 (FFFF FFFF).

hex-key-string

The session key in HEX format. The key is an arbitrary HEX string of 8, 16, or 20 bytes. If the crypto map’s transform set includes:

  • A DES algorithm—use at least 8 bytes per key

  • An MD5 algorithm—use at least 16 bytes per key

  • An SHA algorithm—use at least 20 bytes per key

Keys longer than the previous sizes are truncated.

cipher

Indicates the key string is to be used with the ESP encryption transform.

authenticator

(Optional) Indicates the key string is to be used with the ESP authentication transform. This argument is required only when the crypto map entry’s transform set includes an ESP authentication transform.

Use the following rules to determine when to create keys:

  • If the crypto map transform set includes an AH protocol, IPSec keys must be defined for AH for both inbound and outbound traffic.

  • If the crypto map transform set includes an ESP encryption protocol, IPSec keys must be defined for ESP encryption for both inbound and outbound traffic.

  • If the crypto map transform set includes an ESP authentication protocol, IPSec keys must be defined for ESP authentication for inbound and outbound traffic.

The SPI is used to identify the security association used with the crypto map. When defining multiple IPSec session keys within a single crypto map, it’s permissible to assign the same SPI number to all keys. Session keys must be the same for both peers. Before assigning a SPI, confirm with the peer’s admin that the same SPI isn’t used more than once for the same destination address/protocol combination.

If a session key is changed, the SA using the key will be deleted and reinitialized.

Rtr1(config)#crypto map testmap2 50 ipsec-manual
Rtr1(config-crypto-map)#set peer 10.0.10.133
Rtr1(config-crypto-map)#match address 100
Rtr1(config-crypto-map)#set transform-set encrypt-des
Rtr1(config-crypto-map)#set session-key inbound esp 300 32a87b445c98701c
Rtr1(config-crypto-map)#set session-key outbound esp 300 32a87b445c98701c
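As an added example (not part of the original article or Cisco's own tooling), the following Python checks the set session-key lines of an ipsec-manual entry against the rules above: both directions present, SPI within 256..4,294,967,295, key length sufficient for the DES/MD5/SHA transform in use, and an authenticator key wherever the transform set includes ESP authentication. It assumes the transform set's members are passed in using IOS transform names such as esp-des and esp-sha-hmac, and the sample entries it lints are constructed from the configuration shown above.

```python
import re
# Minimum key length in bytes per algorithm, as the page lists them.
MIN_KEY_BYTES = {"des": 8, "md5": 16, "sha": 20}
SPI_MIN, SPI_MAX = 256, 0xFFFFFFFF
SESSION_KEY_RE = re.compile(r"set session-key (inbound|outbound) (ah|esp) (\d+) "
                            r"([0-9a-fA-F]+)(?: authenticator ([0-9a-fA-F]+))?$")

def check_manual_keys(config, transforms):
    """Lint the set session-key lines of one ipsec-manual crypto map entry.
    config: the entry's CLI lines (constructed text); transforms: its transform
    set members, e.g. ["esp-des", "esp-sha-hmac"]. Returns a list of problems."""
    keys = {}
    for line in config.splitlines():
        m = SESSION_KEY_RE.search(line.strip())
        if m:
            direction, proto, spi, key, auth = m.groups()
            keys[(direction, proto)] = (int(spi), key, auth)
    # Which protocol needs which cipher / authenticator algorithm (assumed IOS names).
    needed = {}
    for t in transforms:
        proto, alg = t.split("-")[:2]
        slot = "auth" if t.endswith("-hmac") else "cipher"
        needed.setdefault(proto, {"cipher": None, "auth": None})[slot] = alg
    problems = []
    for proto, algs in needed.items():
        for direction in ("inbound", "outbound"):  # both directions are mandatory
            if (direction, proto) not in keys:
                problems.append(f"missing {direction} {proto} session key")
                continue
            spi, key, auth = keys[(direction, proto)]
            if not SPI_MIN <= spi <= SPI_MAX:
                problems.append(f"{direction} {proto}: SPI {spi} out of range")
            # AH carries one (authentication) key; ESP carries cipher [+ authenticator].
            main_alg = algs["auth"] if proto == "ah" else algs["cipher"]
            if main_alg and len(key) // 2 < MIN_KEY_BYTES.get(main_alg, 0):
                problems.append(f"{direction} {proto}: key too short for {main_alg}")
            if proto == "esp" and algs["auth"]:
                if auth is None:
                    problems.append(f"{direction} esp: authenticator key required")
                elif len(auth) // 2 < MIN_KEY_BYTES.get(algs["auth"], 0):
                    problems.append(f"{direction} esp: authenticator key too short")
    return problems

# Constructed samples: the page's DES-only entry, and one that adds ESP-SHA
# authentication but gives only the inbound side an authenticator key.
SAMPLE_OK = ("set session-key inbound esp 300 32a87b445c98701c\n"
             "set session-key outbound esp 300 32a87b445c98701c")
SAMPLE_BAD = SAMPLE_OK.replace("inbound esp 300 32a87b445c98701c",
                               "inbound esp 300 32a87b445c98701c authenticator " + "ab" * 20)
```

Running it on the two samples shows the DES-only entry passing and the mixed entry flagged for its missing outbound authenticator key.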

