
Crypto

Diagram

Diagram

Classes

configuration (iosxe.devices)

| Name | Type | Constraint | Mandatory | Default Value |
| --- | --- | --- | --- | --- |
| crypto | Class | [crypto] | No | |

crypto (iosxe.devices.configuration)

| Name | Type | Constraint | Mandatory | Default Value |
| --- | --- | --- | --- | --- |
| ipsec_profiles | List | [ipsec_profiles] | No | |
| ipsec_transform_sets | List | [ipsec_transform_sets] | No | |
| ikev2 | Class | [ikev2] | No | |

ipsec_profiles (iosxe.devices.configuration.crypto)

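| Name | Type | Constraint | Mandatory | Default Value |
| --- | --- | --- | --- | --- |
| name | String | | Yes | |
| set_transform_set | List | String | No | |
| set_ikev2_profile | String | | No | |
| set_isakmp_profile | String | | No | |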

ipsec_transform_sets (iosxe.devices.configuration.crypto)

| Name | Type | Constraint | Mandatory | Default Value |
| --- | --- | --- | --- | --- |
| name | String | | Yes | |
| esp | Choice | esp-3des, esp-aes, esp-des, esp-gcm, esp-gmac, esp-null, esp-seal | Yes | |
| esp_hmac | Choice | esp-md5-hmac, esp-sha-hmac, esp-sha256-hmac, esp-sha384-hmac, esp-sha512-hmac | Yes | |
| mode_tunnel | Boolean | true, false | No | |

ikev2 (iosxe.devices.configuration.crypto)

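| Name | Type | Constraint | Mandatory | Default Value |
| --- | --- | --- | --- | --- |
| nat_keepalive | Integer | min: 5, max: 3600 | No | |
| dpd_interval | Integer | min: 10, max: 3600 | No | |
| dpd_query | Choice | on-demand, periodic | No | |
| dpd_retry | Integer | min: 2, max: 60 | No | |
| profiles | List | [profiles] | No | |
| keyrings | List | [keyrings] | No | |
| policies | List | [policies] | No | |
| proposals | List | [proposals] | No | |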

profiles (iosxe.devices.configuration.crypto.ikev2)

| Name | Type | Constraint | Mandatory | Default Value |
| --- | --- | --- | --- | --- |
| name | String | | Yes | |
| authentication_local_pre_share | Boolean | true, false | No | |
| authentication_remote_pre_share | Boolean | true, false | No | |
| config_exchange_request | Boolean | true, false | No | |
| description | String | | No | |
| dpd_interval | Integer | min: 10, max: 3600 | No | |
| dpd_query | Choice | on-demand, periodic | No | |
| dpd_retry | Integer | min: 2, max: 60 | No | |
| identity_local_address | String | | No | |
| identity_local_key_id | String | | No | |
| ivrf | String | | No | |
| keyring_local | String | | No | |
| match_address_local_ip | String | | No | |
| match_fvrf | String | | No | |
| match_fvrf_any | Boolean | true, false | No | |
| match_identity_remote_ipv4_addresses | List | [match_identity_remote_ipv4_addresses] | No | |
| match_identity_remote_ipv6_prefixes | List | String | No | |
| match_identity_remote_keys | List | String | No | |
| match_inbound_only | Boolean | true, false | No | |

keyrings (iosxe.devices.configuration.crypto.ikev2)

| Name | Type | Constraint | Mandatory | Default Value |
| --- | --- | --- | --- | --- |
| name | String | | Yes | |
| peers | List | [peers] | No | |

policies (iosxe.devices.configuration.crypto.ikev2)

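| Name | Type | Constraint | Mandatory | Default Value |
| --- | --- | --- | --- | --- |
| name | String | | Yes | |
| proposals | List | [proposals] | Yes | |
| device | String | | No | |
| match_address_local_ip | List | String | No | |
| match_fvrf | String | | No | |
| match_fvrf_any | Boolean | true, false | No | |
| match_inbound_only | Boolean | true, false | No | |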

proposals (iosxe.devices.configuration.crypto.ikev2)

| Name | Type | Constraint | Mandatory | Default Value |
| --- | --- | --- | --- | --- |
| name | String | | Yes | |
| encryption | List | Choice[aes_cbc_128, aes_cbc_192, aes_cbc_256, aes_gcm_128, aes_gcm_256, en_3des] | No | |
| group | List | Choice[1, 2, 14, 15, 16, 19, 20, 21, 24] | No | |
| integrity | List | Choice[md5, sha1, sha256, sha384, sha512] | No | |
| prf | List | Choice[md5, sha1, sha256, sha384, sha512] | No | |

match_identity_remote_ipv4_addresses (iosxe.devices.configuration.crypto.ikev2.profiles)

| Name | Type | Constraint | Mandatory | Default Value |
| --- | --- | --- | --- | --- |
| address | String | | Yes | |
| mask | String | | No | |

peers (iosxe.devices.configuration.crypto.ikev2.keyrings)

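| Name | Type | Constraint | Mandatory | Default Value |
| --- | --- | --- | --- | --- |
| name | String | | Yes | |
| description | String | | No | |
| hostname | String | | No | |
| identity_address | String | | No | |
| identity_email_domain | String | | No | |
| identity_email_name | String | | No | |
| identity_fqdn_domain | String | | No | |
| identity_fqdn_name | String | | No | |
| identity_key_id | String | | No | |
| ipv4_address | String | | No | |
| ipv4_mask | String | | No | |
| ipv6_prefix | String | | No | |
| pre_shared_key | String | | No | |
| pre_shared_key_encryption | Choice | 0, 6 | No | |
| pre_shared_key_local | String | | No | |
| pre_shared_key_local_encryption | Choice | 0, 6 | No | |
| pre_shared_key_remote | String | | No | |
| pre_shared_key_remote_encryption | Choice | 0, 6 | No | |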

proposals (iosxe.devices.configuration.crypto.ikev2.policies)

| Name | Type | Constraint | Mandatory | Default Value |
| --- | --- | --- | --- | --- |
| proposals | String | | Yes | |

Examples

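# Example IOS-XE crypto configuration: one IPsec profile and transform set,
# plus the IKEv2 profile, keyring, policy and proposals they depend on.
# Nesting follows the class hierarchy documented in the tables on this page
# (iosxe.devices.configuration.crypto[.ikev2[...]]).
iosxe:
  devices:
    - name: Device1
      configuration:
        crypto:
          ipsec_profiles:
            - name: vpn200
              set_transform_set: [TEST]
              # NOTE(review): this key does not appear in the ipsec_profiles
              # table, which lists `set_ikev2_profile` and `set_isakmp_profile`.
              # Confirm the accepted key name against the schema version in use.
              set_isakmp_profile_ikev2_profile_ikev2_profile_case_ikev2_profile: PROFILE1
          ipsec_transform_sets:
            - name: TEST
              esp: esp-aes
              # esp-sha-hmac is HMAC-SHA-1. The esp_hmac choice list also
              # offers esp-sha256-hmac / esp-sha384-hmac / esp-sha512-hmac,
              # which are the better fit for new deployments. The legacy
              # choices (esp-des, esp-3des, esp-null, esp-md5-hmac) are best
              # kept for interoperability with peers that support nothing else.
              esp_hmac: esp-sha-hmac
              mode_tunnel: true
          ikev2:
            nat_keepalive: 20
            dpd_interval: 10
            dpd_query: periodic
            dpd_retry: 5
            profiles:
              - name: PROFILE1
                description: My description
                # Both directions authenticate with a pre-shared key, so the
                # tunnel is only as strong as the key material in the keyring.
                authentication_remote_pre_share: true
                authentication_local_pre_share: true
                identity_local_key_id: KEY1
                match_address_local_ip: 1.2.3.4
                match_fvrf_any: true
                match_identity_remote_ipv4_addresses:
                  - address: 1.2.3.4
                    mask: 255.255.255.0
                match_identity_remote_keys: [key1]
                keyring_local: KEYRING1
                dpd_interval: 10
                dpd_retry: 2
                dpd_query: periodic
                config_exchange_request: false
            keyrings:
              - name: KEYRING1
                peers:
                  - name: PEER1
                    description: My description
                    ipv4_address: 1.2.3.4
                    ipv4_mask: 255.255.255.248
                    identity_key_id: key1
                    # Encryption type "6" marks the value as an already
                    # AES-encrypted (type 6) string; "0" marks it as cleartext.
                    # The values below are placeholders: supply the type 6
                    # string produced by the device, and keep real key
                    # material out of files that are shared or committed.
                    # NOTE(review): how this tooling passes the value to the
                    # device is not shown on this page - confirm before use.
                    pre_shared_key_local_encryption: "6"
                    pre_shared_key_local: "<type-6-encrypted-key>"
                    pre_shared_key_remote_encryption: "6"
                    pre_shared_key_remote: "<type-6-encrypted-key>"
                  - name: PEER2
                    description: temp
                    hostname: gateway1
                    ipv6_prefix: 2001::1/128
                    identity_email_domain: cisco.com
                    pre_shared_key_encryption: "6"
                    pre_shared_key: "<type-6-encrypted-key>"  # placeholder, see PEER1
                  - name: PEER3
                    description: temp2
                    hostname: gateway4
                    ipv6_prefix: 2001::2/128
                    identity_email_name: abc
            policies:
              - name: POLICY1
                proposals:
                  - proposals: PROPOSAL1
                match_address_local_ip: [1.2.3.4]
                match_fvrf_any: true
            # NOTE(review): the proposals table on this page documents
            # list-valued `encryption`, `group`, `integrity` and `prf`
            # attributes, while this example uses per-algorithm boolean keys.
            # Confirm which form the schema version in use accepts.
            # Of the documented choices, DH groups 1, 2 and 24 and the md5 /
            # sha1 / en_3des algorithms are legacy options; the selections
            # below (groups 16 and 20, SHA-256 / SHA-384, AES-256) avoid them.
            proposals:
              - name: PROPOSAL1
                encryption_aes_cbc_256: true
                group_sixteen: true
                integrity_sha256: true
              - name: PROPOSAL2
                # NOTE(review): AES-GCM is an AEAD cipher; IOS-XE IKEv2
                # proposals that use it normally take a PRF instead of a
                # separate integrity algorithm - verify this combination
                # is accepted by the target device.
                encryption_aes_gcm_256: true
                group_twenty: true
                integrity_sha384: true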