Cryptographic services provide comprehensive security capabilities including Public Key Infrastructure (PKI), IPsec VPN tunnels, and Internet Key Exchange version 2 (IKEv2) for secure communication between network devices and endpoints. These services enable encryption, authentication, and integrity protection for data in transit, supporting both site-to-site and remote access VPN scenarios. The crypto subsystem manages certificates, trust relationships, encryption policies, and security associations necessary for establishing and maintaining secure communications across untrusted networks.
Classes

configuration (iosxe.devices)

| Name | Type | Constraint | Mandatory | Default Value |
|------|------|------------|-----------|---------------|
| crypto | Class | [crypto] | No | |

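crypto (iosxe.devices.configuration)

| Name | Type | Constraint | Mandatory | Default Value |
|------|------|------------|-----------|---------------|
| ipsec_profiles | List | [ipsec_profiles] | No | |
| ipsec_transform_sets | List | [ipsec_transform_sets] | No | |
| ikev2 | Class | [ikev2] | No | |
| pki | Class | [pki] | No | |
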
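ipsec_profiles (iosxe.devices.configuration.crypto)

| Name | Type | Constraint | Mandatory | Default Value |
|------|------|------------|-----------|---------------|
| name | String | | Yes | |
| set_transform_set | List | String | No | |
| set_ikev2_profile | String | | No | |
| set_isakmp_profile | String | | No | |
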
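ipsec_transform_sets (iosxe.devices.configuration.crypto)

| Name | Type | Constraint | Mandatory | Default Value |
|------|------|------------|-----------|---------------|
| name | String | | Yes | |
| esp | Choice | esp-3des, esp-aes, esp-des, esp-gcm, esp-gmac, esp-null, esp-seal | Yes | |
| esp_hmac | Choice | esp-md5-hmac, esp-sha-hmac, esp-sha256-hmac, esp-sha384-hmac, esp-sha512-hmac | Yes | |
| mode_tunnel | Boolean | true, false | No | |
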
ikev2 (iosxe.devices.configuration.crypto)

| Name | Type | Constraint | Mandatory | Default Value |
|------|------|------------|-----------|---------------|
| nat_keepalive | Integer | min: 5, max: 3600 | No | |
| dpd_interval | Integer | min: 10, max: 3600 | No | |
| dpd_query | Choice | on-demand, periodic | No | |
| dpd_retry | Integer | min: 2, max: 60 | No | |
| profiles | List | [profiles] | No | |
| keyrings | List | [keyrings] | No | |
| policies | List | [policies] | No | |
| proposals | List | [proposals] | No | |

pki (iosxe.devices.configuration.crypto)

| Name | Type | Constraint | Mandatory | Default Value |
|------|------|------------|-----------|---------------|
| trustpoints | List | [trustpoints] | No | |

profiles (iosxe.devices.configuration.crypto.ikev2)

| Name | Type | Constraint | Mandatory | Default Value |
|------|------|------------|-----------|---------------|
| name | String | | Yes | |
| authentication_local_pre_share | Boolean | true, false | No | |
| authentication_remote_pre_share | Boolean | true, false | No | |
| config_exchange_request | Boolean | true, false | No | |
| description | String | | No | |
| dpd_interval | Integer | min: 10, max: 3600 | No | |
| dpd_query | Choice | on-demand, periodic | No | |
| dpd_retry | Integer | min: 2, max: 60 | No | |
| identity_local_address | String | | No | |
| identity_local_key_id | String | | No | |
| ivrf | String | | No | |
| keyring_local | String | | No | |
| match_address_local_ip | String | | No | |
| match_fvrf | String | | No | |
| match_fvrf_any | Boolean | true, false | No | |
| match_identity_remote_ipv4_addresses | List | [match_identity_remote_ipv4_addresses] | No | |
| match_identity_remote_ipv6_prefixes | List | String | No | |
| match_identity_remote_keys | List | String | No | |
| match_inbound_only | Boolean | true, false | No | |

keyrings (iosxe.devices.configuration.crypto.ikev2)

| Name | Type | Constraint | Mandatory | Default Value |
|------|------|------------|-----------|---------------|
| name | String | | Yes | |
| peers | List | [peers] | No | |

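policies (iosxe.devices.configuration.crypto.ikev2)

| Name | Type | Constraint | Mandatory | Default Value |
|------|------|------------|-----------|---------------|
| name | String | | Yes | |
| proposals | List | String | Yes | |
| device | String | | No | |
| match_address_local_ip | List | String | No | |
| match_fvrf | String | | No | |
| match_fvrf_any | Boolean | true, false | No | |
| match_inbound_only | Boolean | true, false | No | |
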
proposals (iosxe.devices.configuration.crypto.ikev2)

| Name | Type | Constraint | Mandatory | Default Value |
|------|------|------------|-----------|---------------|
| name | String | | Yes | |
| encryption | List | Choice[aes_cbc_128, aes_cbc_192, aes_cbc_256, aes_gcm_128, aes_gcm_256, en_3des] | No | |
| group | List | Choice[1, 2, 14, 15, 16, 19, 20, 21, 24] | No | |
| integrity | List | Choice[md5, sha1, sha256, sha384, sha512] | No | |
| prf | List | Choice[md5, sha1, sha256, sha384, sha512] | No | |

trustpoints (iosxe.devices.configuration.crypto.pki)

| Name | Type | Constraint | Mandatory | Default Value |
|------|------|------------|-----------|---------------|
| id | String | | Yes | |
| enrollment_mode_ra | Boolean | true, false | No | |
| enrollment_pkcs12 | Boolean | true, false | No | |
| enrollment_selfsigned | Boolean | true, false | No | |
| enrollment_terminal | Boolean | true, false | No | |
| revocation_check | List | String | No | |
| rsakeypair | String | | No | |
| source_interface | String | | No | |
| subject_name | String | | No | |
| usage | Choice | ike, ssl-client, ssl-server | No | |

match_identity_remote_ipv4_addresses (iosxe.devices.configuration.crypto.ikev2.profiles)

| Name | Type | Constraint | Mandatory | Default Value |
|------|------|------------|-----------|---------------|
| address | String | | Yes | |
| mask | String | | No | |

peers (iosxe.devices.configuration.crypto.ikev2.keyrings)

| Name | Type | Constraint | Mandatory | Default Value |
|------|------|------------|-----------|---------------|
| name | String | | Yes | |
| description | String | | No | |
| hostname | String | | No | |
| identity_address | String | | No | |
| identity_email_domain | String | | No | |
| identity_email_name | String | | No | |
| identity_fqdn_domain | String | | No | |
| identity_fqdn_name | String | | No | |
| identity_key_id | String | | No | |
| ipv4_address | String | | No | |
| ipv4_mask | String | | No | |
| ipv6_prefix | String | | No | |
| pre_shared_key | String | | No | |
| pre_shared_key_encryption | Choice | 0, 6 | No | |
| pre_shared_key_local | String | | No | |
| pre_shared_key_local_encryption | Choice | 0, 6 | No | |
| pre_shared_key_remote | String | | No | |
| pre_shared_key_remote_encryption | Choice | 0, 6 | No | |

Examples

set_transform_set: [TEST]
set_isakmp_profile_ikev2_profile_ikev2_profile_case_ikev2_profile: PROFILE1
description: My description
authentication_remote_pre_share: true
authentication_local_pre_share: true
identity_local_key_id: KEY1
match_address_local_ip: 1.2.3.4
match_identity_remote_ipv4_addresses:
match_identity_remote_keys: [key1]
config_exchange_request: false
description: My description
ipv4_mask: 255.255.255.248
pre_shared_key_local_encryption: "6"
pre_shared_key_local: cisco123
pre_shared_key_remote_encryption: "6"
pre_shared_key_remote: cisco123
identity_email_domain: cisco.com
pre_shared_key_encryption: "6"
match_address_local_ip: [1.2.3.4]
encryption_aes_cbc_256: true
encryption_aes_gcm_256: true
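
The schema above accepts several legacy values (DES, 3DES and null ESP, MD5, DH groups 1 and 2, type 0 pre-shared keys), so a pre-deployment check is useful. The following is an added example, not part of the original documentation or the project's own tooling: it walks a `crypto` block shaped like this data model and reports those values. The function name `audit_crypto`, the weak-value sets and the `SAMPLE` input are assumptions constructed for illustration.

```python
# Added example (not project code); weak-value sets and SAMPLE are assumptions.
WEAK_ESP = {"esp-des", "esp-3des", "esp-null"}  # broken, legacy, or no encryption
WEAK_ESP_HMAC = {"esp-md5-hmac"}
WEAK_IKE = {"encryption": {"en_3des"}, "integrity": {"md5"}, "prf": {"md5"},
            "group": {"1", "2"}}                # groups 1/2: 768/1024-bit MODP
PSK_TYPE_FIELDS = tuple(f"pre_shared_key{s}_encryption" for s in ("", "_local", "_remote"))


def audit_crypto(crypto):
    """Return (path, value) pairs for settings the schema allows but that are weak."""
    findings = []
    for ts in crypto.get("ipsec_transform_sets", []):
        path = f"ipsec_transform_sets[{ts['name']}]"
        if ts.get("esp") in WEAK_ESP:
            findings.append((f"{path}.esp", ts["esp"]))
        if ts.get("esp_hmac") in WEAK_ESP_HMAC:
            findings.append((f"{path}.esp_hmac", ts["esp_hmac"]))
    ikev2 = crypto.get("ikev2", {})
    for prop in ikev2.get("proposals", []):
        for field, weak in WEAK_IKE.items():
            for value in prop.get(field, []):
                if str(value) in weak:  # group may load from YAML as int or str
                    findings.append((f"ikev2.proposals[{prop['name']}].{field}", str(value)))
    for ring in ikev2.get("keyrings", []):
        for peer in ring.get("peers", []):
            for field in PSK_TYPE_FIELDS:
                # Type 0 means the key follows unencrypted; 6 means it is encrypted.
                if str(peer.get(field, "")).strip() == "0":
                    findings.append(
                        (f"ikev2.keyrings[{ring['name']}].peers[{peer['name']}].{field}", "0"))
    return findings


SAMPLE = {  # constructed input, not taken from the page
    "ipsec_transform_sets": [
        {"name": "LEGACY", "esp": "esp-3des", "esp_hmac": "esp-md5-hmac"},
        {"name": "STRONG", "esp": "esp-aes", "esp_hmac": "esp-sha256-hmac"},
    ],
    "ikev2": {
        "proposals": [
            {"name": "OLD", "encryption": ["en_3des", "aes_cbc_256"],
             "integrity": ["md5"], "prf": ["sha256"], "group": [2, 19]},
            {"name": "NEW", "encryption": ["aes_gcm_256"], "prf": ["sha384"], "group": [20]},
        ],
        "keyrings": [{"name": "KR1", "peers": [
            {"name": "P1", "pre_shared_key_encryption": 0},
            {"name": "P2", "pre_shared_key_encryption": "6"}]}],
    },
}
```

Calling `audit_crypto(SAMPLE)` returns six findings, all under `LEGACY`, `OLD` and `P1`; the `STRONG`, `NEW` and `P2` entries pass.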