
Crypto

Cryptographic services provide comprehensive security capabilities including Public Key Infrastructure (PKI), IPsec VPN tunnels, and Internet Key Exchange version 2 (IKEv2) for secure communication between network devices and endpoints. These services enable encryption, authentication, and integrity protection for data in transit, supporting both site-to-site and remote access VPN scenarios. The crypto subsystem manages certificates, trust relationships, encryption policies, and security associations necessary for establishing and maintaining secure communications across untrusted networks.

Diagram

Diagram

Classes

configuration (iosxe.devices)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| crypto | Class | [crypto] | No | |

crypto (iosxe.devices.configuration)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| ipsec_profiles | List | [ipsec_profiles] | No | |
| ipsec_transform_sets | List | [ipsec_transform_sets] | No | |
| ikev2 | Class | [ikev2] | No | |
| pki | Class | [pki] | No | |

ipsec_profiles (iosxe.devices.configuration.crypto)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | | Yes | |
| set_transform_set | List | String | No | |
| set_ikev2_profile | String | | No | |
| set_isakmp_profile | String | | No | |

ipsec_transform_sets (iosxe.devices.configuration.crypto)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | | Yes | |
| esp | Choice | esp-3des, esp-aes, esp-des, esp-gcm, esp-gmac, esp-null, esp-seal | Yes | |
| esp_hmac | Choice | esp-md5-hmac, esp-sha-hmac, esp-sha256-hmac, esp-sha384-hmac, esp-sha512-hmac | Yes | |
| mode_tunnel | Boolean | true, false | No | |

ikev2 (iosxe.devices.configuration.crypto)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| nat_keepalive | Integer | min: 5, max: 3600 | No | |
| dpd_interval | Integer | min: 10, max: 3600 | No | |
| dpd_query | Choice | on-demand, periodic | No | |
| dpd_retry | Integer | min: 2, max: 60 | No | |
| profiles | List | [profiles] | No | |
| keyrings | List | [keyrings] | No | |
| policies | List | [policies] | No | |
| proposals | List | [proposals] | No | |

pki (iosxe.devices.configuration.crypto)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| trustpoints | List | [trustpoints] | No | |

profiles (iosxe.devices.configuration.crypto.ikev2)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | | Yes | |
| authentication_local_pre_share | Boolean | true, false | No | |
| authentication_remote_pre_share | Boolean | true, false | No | |
| config_exchange_request | Boolean | true, false | No | |
| description | String | | No | |
| dpd_interval | Integer | min: 10, max: 3600 | No | |
| dpd_query | Choice | on-demand, periodic | No | |
| dpd_retry | Integer | min: 2, max: 60 | No | |
| identity_local_address | String | | No | |
| identity_local_key_id | String | | No | |
| ivrf | String | | No | |
| keyring_local | String | | No | |
| match_address_local_ip | String | | No | |
| match_fvrf | String | | No | |
| match_fvrf_any | Boolean | true, false | No | |
| match_identity_remote_ipv4_addresses | List | [match_identity_remote_ipv4_addresses] | No | |
| match_identity_remote_ipv6_prefixes | List | String | No | |
| match_identity_remote_keys | List | String | No | |
| match_inbound_only | Boolean | true, false | No | |

keyrings (iosxe.devices.configuration.crypto.ikev2)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | | Yes | |
| peers | List | [peers] | No | |

policies (iosxe.devices.configuration.crypto.ikev2)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | | Yes | |
| proposals | List | String | Yes | |
| device | String | | No | |
| match_address_local_ip | List | String | No | |
| match_fvrf | String | | No | |
| match_fvrf_any | Boolean | true, false | No | |
| match_inbound_only | Boolean | true, false | No | |

proposals (iosxe.devices.configuration.crypto.ikev2)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | | Yes | |
| encryption | List | Choice[aes_cbc_128, aes_cbc_192, aes_cbc_256, aes_gcm_128, aes_gcm_256, en_3des] | No | |
| group | List | Choice[1, 2, 14, 15, 16, 19, 20, 21, 24] | No | |
| integrity | List | Choice[md5, sha1, sha256, sha384, sha512] | No | |
| prf | List | Choice[md5, sha1, sha256, sha384, sha512] | No | |

trustpoints (iosxe.devices.configuration.crypto.pki)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| id | String | | Yes | |
| enrollment_mode_ra | Boolean | true, false | No | |
| enrollment_pkcs12 | Boolean | true, false | No | |
| enrollment_selfsigned | Boolean | true, false | No | |
| enrollment_terminal | Boolean | true, false | No | |
| revocation_check | List | String | No | |
| rsakeypair | String | | No | |
| source_interface | String | | No | |
| subject_name | String | | No | |
| usage | Choice | ike, ssl-client, ssl-server | No | |

match_identity_remote_ipv4_addresses (iosxe.devices.configuration.crypto.ikev2.profiles)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| address | String | | Yes | |
| mask | String | | No | |

peers (iosxe.devices.configuration.crypto.ikev2.keyrings)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | | Yes | |
| description | String | | No | |
| hostname | String | | No | |
| identity_address | String | | No | |
| identity_email_domain | String | | No | |
| identity_email_name | String | | No | |
| identity_fqdn_domain | String | | No | |
| identity_fqdn_name | String | | No | |
| identity_key_id | String | | No | |
| ipv4_address | String | | No | |
| ipv4_mask | String | | No | |
| ipv6_prefix | String | | No | |
| pre_shared_key | String | | No | |
| pre_shared_key_encryption | Choice | 0, 6 | No | |
| pre_shared_key_local | String | | No | |
| pre_shared_key_local_encryption | Choice | 0, 6 | No | |
| pre_shared_key_remote | String | | No | |
| pre_shared_key_remote_encryption | Choice | 0, 6 | No | |

Examples

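# Example crypto configuration for one device. Attribute names follow the class
# tables above (crypto -> ipsec_profiles / ipsec_transform_sets / ikev2).
iosxe:
  devices:
    - name: Device1
      configuration:
        crypto:
          ipsec_profiles:
            - name: vpn200
              # References the transform set defined under ipsec_transform_sets.
              set_transform_set: [TEST]
              # References the IKEv2 profile defined under ikev2.profiles. The
              # ipsec_profiles table names this attribute set_ikev2_profile;
              # set_isakmp_profile is the separate attribute for ISAKMP (IKEv1) profiles.
              set_ikev2_profile: PROFILE1
          ipsec_transform_sets:
            - name: TEST
              esp: esp-aes
              esp_hmac: esp-sha-hmac
              mode_tunnel: true
          ikev2:
            # Global NAT keepalive and dead-peer-detection settings. Ranges per the
            # ikev2 table: nat_keepalive 5-3600, dpd_interval 10-3600, dpd_retry 2-60.
            nat_keepalive: 20
            dpd_interval: 10
            dpd_query: periodic
            dpd_retry: 5
            profiles:
              - name: PROFILE1
                description: My description
                # Pre-shared-key authentication for both the local and the remote side;
                # keyring_local below names the keyring that holds the peer entries.
                authentication_remote_pre_share: true
                authentication_local_pre_share: true
                identity_local_key_id: KEY1
                match_address_local_ip: 1.2.3.4
                match_fvrf_any: true
                match_identity_remote_ipv4_addresses:
                  - address: 1.2.3.4
                    mask: 255.255.255.0
                # Matches the identity_key_id configured on the keyring peer PEER1.
                match_identity_remote_keys: [key1]
                keyring_local: KEYRING1
                # Profile-level DPD settings; same ranges as the global ikev2 values.
                dpd_interval: 10
                dpd_retry: 2
                dpd_query: periodic
                config_exchange_request: false
            keyrings:
              - name: KEYRING1
                peers:
                  - name: PEER1
                    description: My description
                    ipv4_address: 1.2.3.4
                    ipv4_mask: 255.255.255.248
                    identity_key_id: key1
                    # The *_encryption choice selects the key-string format
                    # ("0" = cleartext, "6" = type-6 encrypted). The key values here
                    # are sample placeholders only.
                    # NOTE(review): with "6" the device expects an already type-6
                    # encrypted string, so a cleartext-looking value such as cisco123
                    # looks inconsistent — confirm which format the model passes through.
                    pre_shared_key_local_encryption: "6"
                    pre_shared_key_local: cisco123
                    pre_shared_key_remote_encryption: "6"
                    pre_shared_key_remote: cisco123
                  - name: PEER2
                    description: temp
                    hostname: gateway1
                    ipv6_prefix: 2001::1/128
                    identity_email_domain: cisco.com
                    # Single symmetric key used for both directions (sample value).
                    pre_shared_key_encryption: "6"
                    pre_shared_key: cisco123
                  - name: PEER3
                    description: temp2
                    hostname: gateway4
                    ipv6_prefix: 2001::2/128
                    identity_email_name: abc
            policies:
              - name: POLICY1
                # Proposal names must exist under ikev2.proposals.
                proposals: [PROPOSAL1]
                match_address_local_ip: [1.2.3.4]
                match_fvrf_any: true
            proposals:
              # encryption / group / integrity / prf are lists of the choices given in
              # the proposals table. The schema also accepts legacy choices (md5, sha1,
              # en_3des, DH groups 1 and 2); prefer the AES / SHA-2 / group 14+ options
              # shown here for new deployments.
              - name: PROPOSAL1
                encryption: [aes_cbc_256]
                group: [16]
                integrity: [sha256]
              - name: PROPOSAL2
                encryption: [aes_gcm_256]
                group: [20]
                # NOTE(review): aes_gcm_256 is an AEAD cipher; IKEv2 pairs it with a prf
                # rather than a separate integrity algorithm — confirm whether the
                # platform accepts integrity here or requires prf: [sha384] instead.
                integrity: [sha384]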