Configuring ISAKMP peer information

Last Updated: Apr 10, 2018

About this task

ISAKMP peer information defines the remote peer identification, the pre-shared key used for peer authentication, and the ISAKMP policy to be used for IKE phase 1 negotiations between the peers.

Note:

You can define up to 100 ISAKMP peers.

Important:

Define at least one ISAKMP peer.

Procedure

  1. Enter crypto isakmp peer, followed by the address of the ISAKMP peer or its Fully Qualified Domain Name (FQDN), to enter the context of an ISAKMP peer and to create the peer if it does not exist.
    Note:

    If you want to specify the ISAKMP peer by its FQDN, configure the Branch Gateway as a DNS client and verify that the peer's name is listed in a DNS server. See DNS resolver.

    Note:

    Do not specify an ambiguous ISAKMP peer. In other words, do not configure an FQDN that translates to an IP address which is already associated with another ISAKMP peer.

    For example:

    Gxxx-001# crypto isakmp peer address 149.49.70.1
    Gxxx-001(config-peer:149.49.70.1)#
    Gxxx-001# crypto isakmp peer fqdn vpn.lnd.ny.avaya.com
    Gxxx-001(config-peer:vpn.lnd.ny.avaya.com)#
  2. Use the description command to enter a description for the peer.

    For example:

    Gxxx-001(config-peer:149.49.70.1)# description New York office
    Done!
  3. Specify an ISAKMP policy to be used with the peer, using the isakmp-policy command.
    Important:

    isakmp-policy is a mandatory command.

    For example:

    Gxxx-001(config-peer:149.49.70.1)# isakmp-policy 1
    Done!
  4. Enter the preshared key for peer authentication using the pre-shared-key command.
    Important:

    pre-shared-key is a mandatory command.

    For example:

    Gxxx-001(config-peer:149.49.70.1)# pre-shared-key GNpi1odGNBrB5z4GJL
    Done!

    Alternatively, you can obtain a cryptographic-grade random key from the Branch Gateway with the suggest-key command, and then enter it using the pre-shared-key command. The suggested key-length can vary from 8 to 127 alphanumeric characters, or from 8 to 64 bytes represented in hexadecimal notation. The default length is 32 characters.

    For example:

    Gxxx-001(config-peer:149.49.70.1)# suggest-key 24
    The suggest key: yjsYIz9ikcwaq0FUPTF3CIrw
    Gxxx-001(config-peer:149.49.70.1)# pre-shared-key yjsYIz9ikcwaq0FUPTF3CIrw
    Done!
  5. If you wish to work in IKE aggressive mode, use the initiate mode aggressive command.
    Note:

    Aggressive mode is one of the prerequisites for working with dynamic local peer IP addresses. For more information about working with dynamic local peer IP addresses, see Dynamic local peer IP.

    For example:

    Gxxx-001(config-peer:149.49.70.1)# initiate mode aggressive
    Done!
  6. If you want to listen in to communication from a remote peer that has a dynamic IP address, use the initiate mode none command.

    In this mode, the device can only accept inbound IKE Aggressive Mode connections from the peer, and is not able to initiate IKE phase-1 (Main Mode or Aggressive Mode) to the peer, nor is the peer able to participate as part of a peer-group. In addition, specifying the continuous-channel command when configuring the crypto ISAKMP peer information has no effect in this mode. For more information on continuous-channel, see Continuous channel.

  7. Specify the branch device (Branch Gateway) by its address or by the FQDN name that identifies the Branch Gateway in the remote peer, using the self-identity command.
    Note:

    Specifying self-identity as a name is one of the prerequisites for working with dynamic local peer IP addresses. For more information about working with dynamic local peer IP addresses, see Dynamic local peer IP.

    For example:

    Gxxx-001(config-peer:149.49.70.1)# self-identity address
    Done!
    Gxxx-001(config-peer:149.49.70.1)# self-identity fqdn vpn.avaya.com
    Done!
  8. Enable Dead Peer Detection (DPD) keepalives, which check whether the remote peer is up, using the keepalive command followed by the number of seconds between DPD keepalive probes and the number of seconds between retries if a keepalive fails.

    The following example sets DPD keepalive to send probes every 10 seconds, and to send retries every two seconds if DPD keepalive fails.

    Gxxx-001(config-peer:149.49.70.1)# keepalive 10 retry 2
    Done!
  9. Bind peer status to an object tracker that can monitor hosts inside the remote peer’s protected network.

    To do so, use the keepalive-track command. For more information on object trackers, see Object tracking.

    For example:

    Gxxx-001(config-peer:149.49.70.1)# keepalive-track 5
    Done!
    Note:

    DPD and object tracking can coexist and augment each other. However, object tracking does not impose any requirements on the remote peer. You can, therefore, use object tracking rather than DPD keepalives if the remote peer does not support DPD.

  10. Specify whether to enable continuous-channel IKE phase 1, with the continuous-channel command.

    The default setting, no continuous-channel, disables continuous-channel IKE phase 1. For more information on continuous-channel, see Continuous channel.

    For example:

    Gxxx-001(config-peer:149.49.70.1)# continuous-channel
    Done!
  11. Exit the peer context with the exit command.

    For example:

    Gxxx-001(config-peer:149.49.70.1)# exit
    Gxxx-001#
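A configuration audit in Python, added here as an example and not part of the Avaya documentation: it parses peer blocks written in the command syntax of this procedure and flags the problems the notes above warn about (a missing mandatory isakmp-policy or pre-shared-key, an FQDN peer that resolves to another peer's address, and continuous-channel combined with initiate mode none). The DNS answers and the sample configuration are constructed for the example.

```python
import re

# Constructed DNS answers standing in for the DNS resolver step (not a real lookup).
DNS = {"vpn.lnd.ny.avaya.com": "149.49.70.1", "vpn.hq.example": "198.51.100.7"}

# Constructed configuration: the page's two peers, the second one deliberately faulty.
SAMPLE_CONFIG = """
crypto isakmp peer address 149.49.70.1
 isakmp-policy 1
 pre-shared-key GNpi1odGNBrB5z4GJL
 exit
crypto isakmp peer fqdn vpn.lnd.ny.avaya.com
 isakmp-policy 1
 initiate mode none
 continuous-channel
 exit
"""

# Group peer-context commands under the 'crypto isakmp peer' line that opened them.
def parse_peers(config):
    peers, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"crypto isakmp peer (address|fqdn) (\S+)$", line):
            current = (m.group(1), m.group(2))
            peers.setdefault(current, [])  # re-entering an existing peer keeps its commands
        elif line == "exit":
            current = None
        elif line and current is not None:
            peers[current].append(line)
    return peers

# Return human-readable findings for the problems this procedure warns about.
def audit(peers, dns=DNS):
    findings, seen_ips = [], {}  # seen_ips: resolved address -> label of the peer holding it
    for (kind, ident), cmds in peers.items():
        label = f"{kind} {ident}"
        ip = ident if kind == "address" else dns.get(ident)
        if ip is None:
            findings.append(f"{label}: FQDN does not resolve; configure the DNS resolver first")
        elif ip in seen_ips:
            findings.append(f"{label}: ambiguous peer, resolves to {ip} already used by {seen_ips[ip]}")
        else:
            seen_ips[ip] = label
        first_words = {c.split()[0] for c in cmds}
        for mandatory in ("isakmp-policy", "pre-shared-key"):
            if mandatory not in first_words:
                findings.append(f"{label}: missing mandatory command {mandatory}")
        if "initiate mode none" in cmds and "continuous-channel" in first_words:
            findings.append(f"{label}: continuous-channel has no effect with initiate mode none")
    return findings
```

Running audit(parse_peers(SAMPLE_CONFIG)) reports three findings, all against the FQDN peer; the address peer passes.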