IPsec Keys

Inside config-ipsec-tun mode, the following commands are available for IPsec key management.

crypto config-type (ike|manual)

Configures the type of key management TNSR will use for this tunnel.


Internet Key Exchange (IKE). The most common method of key management. IPsec tunnels utilize IKE to dynamically handle key exchange when both parties are negotiating a security association.


Static key management.

crypto ike

Enters IKE config-ipsec-crypto-ike mode to configure IPsec IKE behavior, which is the bulk of the remaining work for most IPsec tunnels.

IKE Configuration

Inside config-ipsec-crypto-ike mode, the following commands are available to configure basic IKE behavior:

version <x>

Instructs TNSR to use either IKEv1 or IKEv2. Use 2 for IKEv2, which is more secure, or 1 for IKEv1 which is more common and more widely supported.

lifetime <x>

Sets the maximum time for this IKE session to be valid, in seconds within the range 120..214783647. Default value is 14400 seconds (4 hours). Commonly set to 28800 seconds (8 hours). This value should be longer than the IKE child lifetime, discussed later.

dpd-interval <x>

Optional time to wait between sending Dead Peer Detection (DPD) polls, given in seconds within the range 0-65535.

key-renewal (reauth|rekey)

Controls the method used to update keys on an established IKE security association (SA) before the lifetime expires.


TNSR performs a full teardown and re-establishment of IKE and child SAs.


Inline rekeying while SAs stay active. Only available in IKEv2.

proposal <name>

Configures a new IKE proposal and enters config-ike-proposal mode.

identity (local|remote)

Configures IKE identity validation and enters config-ike-identity mode.

authentication (local|remote)

Configures IKE authentication and enters config-ike-auth mode.


Forces UDP encapsulation for IKE, also known as NAT Traversal or NAT-T.

Under normal conditions, UDP encapsulation will be automatically activated when NAT is detected and automatically disabled otherwise. With udp-encapsulation set, UDP encapsulation is forcefully enabled.


UDP encapsulation cannot be disabled, it can only be automatically controlled or forcefully enabled.

Additional config-ipsec-crypto-ike mode commands are available to configure other aspects of the IPsec tunnel, such as proposals, identity, and authentication. These are covered next.

IKE Example

This example tells TNSR to use IKE for key management, and then sets the tunnel to IKEv2 and a lifetime of 8 hours.

tnsr(config-ipsec-tun)# crypto config-type ike
tnsr(config-ipsec-tun)# crypto ike
tnsr(config-ipsec-crypto-ike)# version 2
tnsr(config-ipsec-crypto-ike)# lifetime 28800