You can configure the IPSec keys manually. This section provides a brief overview of how this is done and why manual key use isn’t generally recommended.
Use the set session-key command in Crypto Map Configuration mode to specify the IPSec session keys manually within a crypto map entry. The command is only available for ipsec-manual crypto map entries. They aren’t used with ipsec-isakmp entries because the SAs and corresponding keys are automatically established via the IKE negotiation. Use the no form of this command to remove IPSec session keys from a crypto map entry. The command uses the following syntax:
Rtr1(config)#crypto map map-name seq-num ipsec-manual
Rtr1(config-crypto-map)#set session-key {inbound | outbound} ah spi hex-key-string|
Rtr1(config-crypto-map)#set session-key {inbound | outbound} esp spi cipher hex-key-string [authenticator hex-key-string]
Rtr1(config-crypto-map)#no set session-key {inbound | outbound} ah
Rtr1(config-crypto-map)#no set session-key {inbound | outbound} esp
inbound |
Sets the inbound IPSec session key. Both inbound and outbound must be set. |
outbound |
Sets the outbound IPSec session key. Both inbound and outbound must be set. |
ah |
Sets the IPSec session key for the AH protocol. Use if the crypto map entry transform set includes an AH transform. |
esp |
Sets the IPSec session key for the ESP. Use if the crypto map entry transform set includes an ESP transform. |
spi |
Specifies the security parameter index (SPI), a number used to uniquely identify a security association. SPI is an arbitrary value assigned by the admin between 256 and 4,294,967,295 (FFFF FFFF). |
hex-key-string |
The session key in HEX format. The key is an arbitrary HEX string of 8, 16, or 20 bytes. If the crypto map’s transform set includes ?A DES algorithm—use at least 8 bytes per key ?An MD5 algorithm—use at least 16 bytes per key ?An SHA algorithm—use at least 20 bytes per key Keys longer than the previous sizes are truncated. |
cipher |
Indicates the key string is to be used with the ESP encryption transform. |
authenticator |
(Optional) Indicates the key string is to be used with the ESP authentication transform. This argument is required only when the crypto map entry’s transform set includes an ESP authentication transform. |
Use the following rules to determine when to create keys:
If the crypto map transform set includes an AH protocol, IPSec keys must be defined for AH for both inbound and outbound traffic.
If the crypto map transform set includes an ESP encryption protocol, IPSec keys must be defined for ESP encryption for both inbound and outbound traffic.
If the crypto map transform set includes an ESP authentication protocol, IPSec keys must be defined for ESP authentication for inbound and outbound traffic.
The SPI is used to identify the security association used with the crypto map. When defining multiple IPSec session keys within a single crypto map, it’s permissible to assign the same SPI number to all keys. Session keys must be the same for both peers. Before assigning a SPI, confirm with the peer’s admin that the same SPI isn’t used more than once for the same destination address/protocol combination.
If a session key is changed, the SA using the key will be deleted and reinitialized.
Rtr1(config)#crypto map testmap2 50 ipsec-manual Rtr1(config-crypto-map)#set peer 10.0.10.133 Rtr1(config-crypto-map)#match address 100 Rtr1(config-crypto-map)#set transform-set encrypt-des Rtr1(config-crypto-map)#set session-key inbound esp 300 32a87b445c98701c Rtr1(config-crypto-map)#set session-key outbound esp 300 32a87b445c98701c
Cisco recommends using IKE to set up the SAs because it’s difficult to ensure the SA values match between peers and D-H is a more secure method for generating secret keys between peers. Other reasons not to configure IPSec manually include the following:
Manual keying doesn’t scale well.
The result can be insecure because of difficulty in creating secure keying material manually.
Manually established SAs never expire.
ACLs used for crypto map entries using ipsec-manual are restricted to a single permit statement. Any other entries are ignored.