IPSec Commands
14-106 Configuring the VPN

Parameters          Descriptions

Main Mode Exchange

MM_NO_STATE         ISAKMP SA has only just been created and no state is yet established.
MM_SA_SETUP         Peers have agreed on settings for the ISAKMP SA.
MM_KEY_EXCH         Peers have exchanged Diffie-Hellman public keys and built a shared secret. The ISAKMP SA is not authenticated.
MM_KEY_AUTH         ISAKMP SA is authenticated. If the XSR began this exchange, this state transitions immediately to QM_IDLE and a Quick Mode exchange begins.

Aggressive Mode Exchange

AG_NO_STATE         ISAKMP SA has only just been created and no state is yet established.
AG_INIT_EXCH        Peers have made the first exchange in Aggressive Mode but the SA is not authenticated.
AG_AUTH             ISAKMP SA has been authenticated. If the XSR began this exchange, this state transitions immediately to QM_IDLE and a Quick Mode exchange begins.

Quick Mode Exchange

QM_IDLE             ISAKMP SA is quiescent. It remains authenticated with its peer and may be used for later Quick Mode exchanges.

IPSec Commands

This section describes the commands that configure the IPSec protocol, which provides anti-replay protection as well as data authentication and encryption.

access-list

This command creates an access list which is used to define which IP traffic will and will not be protected by the crypto process. ACLs associated with IPSec crypto map entries have these primary functions:
• Select outbound traffic to be protected by IPSec: the keyword permit equates with protected traffic.
• Indicate the data flow to be protected by the new Security Associations (SAs), specified by a single permit entry, when initiating negotiations for IPSec SAs.
• Process inbound traffic to filter out and discard traffic that should have been protected by IPSec.
• Determine whether or not to accept requests for IPSec SAs on behalf of the requested data flows when processing IKE negotiation from the IPSec peer (negotiation is done only for ipsec-isakmp crypto map entries). In order to be accepted, if the peer initiates IPSec negotiation, it must specify a data flow that is "permitted" by a crypto access list associated with an ipsec-isakmp crypto map entry.
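The four functions of a crypto access list above are easiest to reason about as one classifier applied in three places: outbound selection, inbound plaintext filtering, and peer-proposal acceptance. The following Python model is an added example, not XSR code or the XSR's actual matching algorithm. It assumes a Cisco-style "access-list N permit|deny ip src wildcard dst wildcard" line format (the XSR's exact keywords may differ), that inbound packets are matched against the mirror of the ACL (local addresses appear as the packet's destination), that the first entry whose networks overlap a peer's proposed flow decides the outcome, and that traffic matching no permit entry is forwarded unprotected rather than dropped, which is why a too-narrow permit silently leaks plaintext. The ACL text at the bottom is constructed for the example.

```python
"""Model of how a crypto access list classifies traffic (added example,
not XSR firmware code). Matching semantics are simplifying assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class AclEntry:
    permit: bool
    src: ipaddress.IPv4Network   # local side of the flow
    dst: ipaddress.IPv4Network   # remote side of the flow


def _wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert 'address wildcard' (0 bits = must match) to a network.
    Only contiguous wildcard masks are accepted; anything else raises."""
    wild = int(ipaddress.IPv4Address(wildcard))
    netmask = ~wild & 0xFFFFFFFF
    prefixlen = bin(netmask).count("1")
    if netmask != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return ipaddress.IPv4Network((addr, prefixlen), strict=False)


def parse_crypto_acl(text: str) -> List[AclEntry]:
    """Parse lines such as
       access-list 101 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
    (assumed Cisco-style syntax; only 'ip' entries are modelled)."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8 or parts[0] != "access-list" or parts[3] != "ip":
            continue  # blank line or a form this model does not handle
        action = parts[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in: {line}")
        entries.append(AclEntry(action == "permit",
                                _wildcard_to_network(parts[4], parts[5]),
                                _wildcard_to_network(parts[6], parts[7])))
    return entries


def _first_match(acl: List[AclEntry], src: str, dst: str) -> Optional[AclEntry]:
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for e in acl:
        if s in e.src and d in e.dst:
            return e
    return None  # no entry: traffic is simply not selected for IPSec


def classify_outbound(acl: List[AclEntry], src: str, dst: str) -> str:
    """Function 1: a 'permit' hit means the packet must be protected;
    a 'deny' hit or no hit means it leaves in the clear (assumed semantics)."""
    m = _first_match(acl, src, dst)
    return "protect" if m and m.permit else "bypass"


def filter_inbound(acl: List[AclEntry], src: str, dst: str,
                   arrived_protected: bool) -> str:
    """Function 3: an inbound cleartext packet whose flow the ACL says should
    have been protected is discarded. The ACL is mirrored for inbound traffic
    (assumption): the packet's destination is the entry's local 'src' network."""
    m = _first_match(acl, dst, src)
    if m and m.permit and not arrived_protected:
        return "drop"
    return "accept"


def accept_peer_proposal(acl: List[AclEntry], local_net: str, remote_net: str) -> bool:
    """Function 4: a peer-initiated IPSec SA request (its proxy IDs, seen from
    this side as local -> remote) is accepted only when a single 'permit'
    entry covers the whole proposed flow. The first overlapping entry decides
    (assumption), so a carve-out 'deny' also blocks proposals that straddle it."""
    l, r = ipaddress.IPv4Network(local_net), ipaddress.IPv4Network(remote_net)
    for e in acl:
        if l.overlaps(e.src) and r.overlaps(e.dst):
            return e.permit and l.subnet_of(e.src) and r.subnet_of(e.dst)
    return False


# Constructed sample ACL: protect 10.1/16 <-> 10.2/16 except one excluded subnet.
CRYPTO_ACL = parse_crypto_acl("""
access-list 101 deny   ip 10.1.5.0 0.0.0.255   10.2.0.0 0.0.255.255
access-list 101 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
""")
```

The case worth remembering is `filter_inbound(..., arrived_protected=False)` returning "drop": without that check, a peer (or anyone on the path) could bypass the tunnel by sending the same flow in plaintext, and the router would forward it as if it had been authenticated.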