Crypto

Diagram

Classes

configuration (iosxe.devices)

Name	Type	Constraint	Mandatory	Default Value
crypto	Class	`[crypto]`	No

crypto (iosxe.devices.configuration)

Name	Type	Constraint	Mandatory
ipsec_profiles	List	`[ipsec_profiles]`	No
ipsec_transform_sets	List	`[ipsec_transform_sets]`	No
ikev2	Class	`[ikev2]`	No

ipsec_profiles (iosxe.devices.configuration.crypto)

Name	Type	Constraint	Mandatory
name	String		Yes
set_transform_set	List	String	No
set_ikev2_profile	String		No
set_isakmp_profile	String		No

ipsec_transform_sets (iosxe.devices.configuration.crypto)

Name	Type	Constraint	Mandatory
name	String		Yes
esp	Choice	`esp-3des`, `esp-aes`, `esp-des`, `esp-gcm`, `esp-gmac`, `esp-null`, `esp-seal`	Yes
esp_hmac	Choice	`esp-md5-hmac`, `esp-sha-hmac`, `esp-sha256-hmac`, `esp-sha384-hmac`, `esp-sha512-hmac`	Yes
mode_tunnel	Boolean	`true`, `false`	No

ikev2 (iosxe.devices.configuration.crypto)

Name	Type	Constraint	Mandatory
nat_keepalive	Integer	min: `5`, max: `3600`	No
dpd_interval	Integer	min: `10`, max: `3600`	No
dpd_query	Choice	`on-demand`, `periodic`	No
dpd_retry	Integer	min: `2`, max: `60`	No
profiles	List	`[profiles]`	No
keyrings	List	`[keyrings]`	No
policies	List	`[policies]`	No
proposals	List	`[proposals]`	No

profiles (iosxe.devices.configuration.crypto.ikev2)

Name	Type	Constraint	Mandatory
name	String		Yes
authentication_local_pre_share	Boolean	`true`, `false`	No
authentication_remote_pre_share	Boolean	`true`, `false`	No
config_exchange_request	Boolean	`true`, `false`	No
description	String		No
dpd_interval	Integer	min: `10`, max: `3600`	No
dpd_query	Choice	`on-demand`, `periodic`	No
dpd_retry	Integer	min: `2`, max: `60`	No
identity_local_address	String		No
identity_local_key_id	String		No
ivrf	String		No
keyring_local	String		No
match_address_local_ip	String		No
match_fvrf	String		No
match_fvrf_any	Boolean	`true`, `false`	No
match_identity_remote_ipv4_addresses	List	`[match_identity_remote_ipv4_addresses]`	No
match_identity_remote_ipv6_prefixes	List	String	No
match_identity_remote_keys	List	String	No
match_inbound_only	Boolean	`true`, `false`	No

keyrings (iosxe.devices.configuration.crypto.ikev2)

Name	Type	Constraint	Mandatory	Default Value
name	String		Yes
peers	List	`[peers]`	No

policies (iosxe.devices.configuration.crypto.ikev2)

Name	Type	Constraint	Mandatory
name	String		Yes
proposals	List	`[proposals]`	Yes
device	String		No
match_address_local_ip	List	String	No
match_fvrf	String		No
match_fvrf_any	Boolean	`true`, `false`	No
match_inbound_only	Boolean	`true`, `false`	No

proposals (iosxe.devices.configuration.crypto.ikev2)

Name	Type	Constraint	Mandatory
name	String		Yes
encryption	List	Choice[`aes_cbc_128`, `aes_cbc_192`, `aes_cbc_256`, `aes_gcm_128`, `aes_gcm_256`, `en_3des`]	No
group	List	Choice[`1`, `2`, `14`, `15`, `16`, `19`, `20`, `21`, `24`]	No
integrity	List	Choice[`md5`, `sha1`, `sha256`, `sha384`, `sha512`]	No
prf	List	Choice[`md5`, `sha1`, `sha256`, `sha384`, `sha512`]	No

match_identity_remote_ipv4_addresses (iosxe.devices.configuration.crypto.ikev2.profiles)

Name	Type	Constraint	Mandatory	Default Value
address	String		Yes
mask	String		No

peers (iosxe.devices.configuration.crypto.ikev2.keyrings)

Name	Type	Constraint	Mandatory
name	String		Yes
description	String		No
hostname	String		No
identity_address	String		No
identity_email_domain	String		No
identity_email_name	String		No
identity_fqdn_domain	String		No
identity_fqdn_name	String		No
identity_key_id	String		No
ipv4_address	String		No
ipv4_mask	String		No
ipv6_prefix	String		No
pre_shared_key	String		No
pre_shared_key_encryption	Choice	`0`, `6`	No
pre_shared_key_local	String		No
pre_shared_key_local_encryption	Choice	`0`, `6`	No
pre_shared_key_remote	String		No
pre_shared_key_remote_encryption	Choice	`0`, `6`	No

proposals (iosxe.devices.configuration.crypto.ikev2.policies)

Name	Type	Constraint	Mandatory	Default Value
proposals	String		Yes

Examples

iosxe:
  devices:
    - name: Device1
      configuration:
        crypto:
          ipsec_profiles:
          - name: vpn200
            set_transform_set: [TEST]
            set_isakmp_profile_ikev2_profile_ikev2_profile_case_ikev2_profile: PROFILE1
          ipsec_transform_sets:
            - name: TEST
              esp: esp-aes
              esp_hmac: esp-sha-hmac
              mode_tunnel: true
          ikev2:
            nat_keepalive: 20
            dpd_interval: 10
            dpd_query: periodic
            dpd_retry: 5
            profiles:
              - name: PROFILE1
                description: My description
                authentication_remote_pre_share: true
                authentication_local_pre_share: true
                identity_local_key_id: KEY1
                match_address_local_ip: 1.2.3.4
                match_fvrf_any: true
                match_identity_remote_ipv4_addresses:
                  - address: 1.2.3.4
                    mask: 255.255.255.0
                match_identity_remote_keys: [key1]
                keyring_local: KEYRING1
                dpd_interval: 10
                dpd_retry: 2
                dpd_query: periodic
                config_exchange_request: false
            keyrings:
              - name: KEYRING1
                peers:
                  - name: PEER1
                    description: My description
                    ipv4_address: 1.2.3.4
                    ipv4_mask: 255.255.255.248
                    identity_key_id: key1
                    pre_shared_key_local_encryption: "6"
                    pre_shared_key_local: cisco123
                    pre_shared_key_remote_encryption: "6"
                    pre_shared_key_remote: cisco123
                  - name: PEER2
                    description: temp
                    hostname: gateway1
                    ipv6_prefix: 2001::1/128
                    identity_email_domain: cisco.com
                    pre_shared_key_encryption: "6"
                    pre_shared_key: cisco123
                  - name: PEER3
                    description: temp2
                    hostname: gateway4
                    ipv6_prefix: 2001::2/128
                    identity_email_name: abc
            policies:
              - name: POLICY1
                proposals:
                  - proposals: PROPOSAL1
                match_address_local_ip: [1.2.3.4]
                match_fvrf_any: true
            proposals:
              - name: PROPOSAL1
                encryption_aes_cbc_256: true
                group_sixteen: true
                integrity_sha256: true
              - name: PROPOSAL2
                encryption_aes_gcm_256: true
                group_twenty: true
                integrity_sha384: true