Crypto

Cryptographic services provide comprehensive security capabilities including Public Key Infrastructure (PKI), IPsec VPN tunnels, and Internet Key Exchange version 2 (IKEv2) for secure communication between network devices and endpoints. These services enable encryption, authentication, and integrity protection for data in transit, supporting both site-to-site and remote access VPN scenarios. The crypto subsystem manages certificates, trust relationships, encryption policies, and security associations necessary for establishing and maintaining secure communications across untrusted networks.

Diagram

Classes

configuration (iosxe.devices)

Name	Type	Constraint	Mandatory	Default Value
crypto	Class	`[crypto]`	No

crypto (iosxe.devices.configuration)

Name	Type	Constraint	Mandatory
ipsec_profiles	List	`[ipsec_profiles]`	No
ipsec_transform_sets	List	`[ipsec_transform_sets]`	No
ikev2	Class	`[ikev2]`	No
pki	Class	`[pki]`	No

ipsec_profiles (iosxe.devices.configuration.crypto)

Name	Type	Constraint	Mandatory
name	String		Yes
set_transform_set	List	String	No
set_ikev2_profile	String		No
set_isakmp_profile	String		No

ipsec_transform_sets (iosxe.devices.configuration.crypto)

Name	Type	Constraint	Mandatory
name	String		Yes
esp	Choice	`esp-3des`, `esp-aes`, `esp-des`, `esp-gcm`, `esp-gmac`, `esp-null`, `esp-seal`	Yes
esp_hmac	Choice	`esp-md5-hmac`, `esp-sha-hmac`, `esp-sha256-hmac`, `esp-sha384-hmac`, `esp-sha512-hmac`	Yes
mode_tunnel	Boolean	`true`, `false`	No

ikev2 (iosxe.devices.configuration.crypto)

Name	Type	Constraint	Mandatory
nat_keepalive	Integer	min: `5`, max: `3600`	No
dpd_interval	Integer	min: `10`, max: `3600`	No
dpd_query	Choice	`on-demand`, `periodic`	No
dpd_retry	Integer	min: `2`, max: `60`	No
http_url_certificate_lookup	Boolean	`true`, `false`	No
profiles	List	`[profiles]`	No
keyrings	List	`[keyrings]`	No
policies	List	`[policies]`	No
proposals	List	`[proposals]`	No

pki (iosxe.devices.configuration.crypto)

Name	Type	Constraint	Mandatory	Default Value
trustpoints	List	`[trustpoints]`	No

profiles (iosxe.devices.configuration.crypto.ikev2)

Name	Type	Constraint	Mandatory
name	String		Yes
authentication_local_pre_share	Boolean	`true`, `false`	No
authentication_remote_pre_share	Boolean	`true`, `false`	No
config_exchange_request	Boolean	`true`, `false`	No
description	String		No
dpd_interval	Integer	min: `10`, max: `3600`	No
dpd_query	Choice	`on-demand`, `periodic`	No
dpd_retry	Integer	min: `2`, max: `60`	No
identity_local_address	String		No
identity_local_key_id	String		No
ivrf	String		No
keyring_local	String		No
match_address_local_ip	String		No
match_fvrf	String		No
match_fvrf_any	Boolean	`true`, `false`	No
match_identity_remote_ipv4_addresses	List	`[match_identity_remote_ipv4_addresses]`	No
match_identity_remote_ipv6_prefixes	List	String	No
match_identity_remote_keys	List	String	No
match_inbound_only	Boolean	`true`, `false`	No

keyrings (iosxe.devices.configuration.crypto.ikev2)

Name	Type	Constraint	Mandatory	Default Value
name	String		Yes
peers	List	`[peers]`	No

policies (iosxe.devices.configuration.crypto.ikev2)

Name	Type	Constraint	Mandatory
name	String		Yes
proposals	List	String	Yes
device	String		No
match_address_local_ip	List	String	No
match_fvrf	String		No
match_fvrf_any	Boolean	`true`, `false`	No
match_inbound_only	Boolean	`true`, `false`	No

proposals (iosxe.devices.configuration.crypto.ikev2)

Name	Type	Constraint	Mandatory
name	String		Yes
encryption	List	Choice[`aes_cbc_128`, `aes_cbc_192`, `aes_cbc_256`, `aes_gcm_128`, `aes_gcm_256`, `en_3des`]	No
group	List	Choice[`1`, `2`, `14`, `15`, `16`, `19`, `20`, `21`, `24`]	No
integrity	List	Choice[`md5`, `sha1`, `sha256`, `sha384`, `sha512`]	No
prf	List	Choice[`md5`, `sha1`, `sha256`, `sha384`, `sha512`]	No

trustpoints (iosxe.devices.configuration.crypto.pki)

Name	Type	Constraint	Mandatory
id	String		Yes
enrollment_mode_ra	Boolean	`true`, `false`	No
enrollment_pkcs12	Boolean	`true`, `false`	No
enrollment_selfsigned	Boolean	`true`, `false`	No
enrollment_terminal	Boolean	`true`, `false`	No
revocation_check	List	String	No
rsakeypair	String		No
source_interface	String		No
subject_name	String		No
usage	Choice	`ike`, `ssl-client`, `ssl-server`	No

match_identity_remote_ipv4_addresses (iosxe.devices.configuration.crypto.ikev2.profiles)

Name	Type	Constraint	Mandatory	Default Value
address	String		Yes
mask	String		No

peers (iosxe.devices.configuration.crypto.ikev2.keyrings)

Name	Type	Constraint	Mandatory
name	String		Yes
description	String		No
hostname	String		No
identity_address	String		No
identity_email_domain	String		No
identity_email_name	String		No
identity_fqdn_domain	String		No
identity_fqdn_name	String		No
identity_key_id	String		No
ipv4_address	String		No
ipv4_mask	String		No
ipv6_prefix	String		No
pre_shared_key	String		No
pre_shared_key_encryption	Choice	`0`, `6`	No
pre_shared_key_local	String		No
pre_shared_key_local_encryption	Choice	`0`, `6`	No
pre_shared_key_remote	String		No
pre_shared_key_remote_encryption	Choice	`0`, `6`	No

Examples

iosxe:
  devices:
    - name: Device1
      configuration:
        crypto:
          ipsec_profiles:
          - name: vpn200
            set_transform_set: [TEST]
            set_isakmp_profile_ikev2_profile_ikev2_profile_case_ikev2_profile: PROFILE1
          ipsec_transform_sets:
            - name: TEST
              esp: esp-aes
              esp_hmac: esp-sha-hmac
              mode_tunnel: true
          ikev2:
            nat_keepalive: 20
            dpd_interval: 10
            dpd_query: periodic
            dpd_retry: 5
            profiles:
              - name: PROFILE1
                description: My description
                authentication_remote_pre_share: true
                authentication_local_pre_share: true
                identity_local_key_id: KEY1
                match_address_local_ip: 1.2.3.4
                match_fvrf_any: true
                match_identity_remote_ipv4_addresses:
                  - address: 1.2.3.4
                    mask: 255.255.255.0
                match_identity_remote_keys: [key1]
                keyring_local: KEYRING1
                dpd_interval: 10
                dpd_retry: 2
                dpd_query: periodic
                config_exchange_request: false
            keyrings:
              - name: KEYRING1
                peers:
                  - name: PEER1
                    description: My description
                    ipv4_address: 1.2.3.4
                    ipv4_mask: 255.255.255.248
                    identity_key_id: key1
                    pre_shared_key_local_encryption: "6"
                    pre_shared_key_local: cisco123
                    pre_shared_key_remote_encryption: "6"
                    pre_shared_key_remote: cisco123
                  - name: PEER2
                    description: temp
                    hostname: gateway1
                    ipv6_prefix: 2001::1/128
                    identity_email_domain: cisco.com
                    pre_shared_key_encryption: "6"
                    pre_shared_key: cisco123
                  - name: PEER3
                    description: temp2
                    hostname: gateway4
                    ipv6_prefix: 2001::2/128
                    identity_email_name: abc
            policies:
              - name: POLICY1
                proposals: [PROPOSAL1]
                match_address_local_ip: [1.2.3.4]
                match_fvrf_any: true
            proposals:
              - name: PROPOSAL1
                encryption_aes_cbc_256: true
                group_sixteen: true
                integrity_sha256: true
              - name: PROPOSAL2
                encryption_aes_gcm_256: true
                group_twenty: true
                integrity_sha384: true