
crypto ikev1 enable [intf]

Enables IKEv1 (ISAKMP) on a specified interface for IPsec VPN negotiations.

Overview

The 'crypto ikev1 enable' command is used on Cisco ASA firewalls to activate Internet Key Exchange version 1 (IKEv1) on a specific interface. IKEv1 is the protocol used to establish security associations (SAs) for IPsec VPNs; it handles authentication, key exchange, and negotiation of security parameters. This command is essential for any IPsec VPN configuration, as it allows the ASA to listen for and initiate IKEv1 traffic on the designated interface.

Typically, the command is applied to the outside interface for site-to-site or remote access VPNs. Without it, the ASA will not respond to IKEv1 packets on that interface, and VPN negotiations fail. The command takes no additional parameters; it only needs the interface name. It is often one of the first steps in configuring a VPN on an ASA, and in troubleshooting, verifying that IKEv1 is enabled on the correct interface is a common check.

The command can be removed with the 'no' form to disable IKEv1 on an interface. Note that IKEv2 is the newer standard and is preferred for new deployments, but many legacy environments still use IKEv1.

Syntax (Global Config)

crypto ikev1 enable [interface-name]

When to Use This Command

  • Enable IKEv1 on an outside interface to allow site-to-site VPN connections.
  • Enable IKEv1 on a DMZ interface for remote access VPN termination.
  • Enable IKEv1 on a management interface for VPN management traffic.
  • Enable IKEv1 on a backup interface for failover VPN scenarios.

Parameters

Parameter      | Syntax | Description
interface-name | string | The name of the interface on which to enable IKEv1. This must be a valid interface configured on the ASA, such as 'outside', 'inside', or a custom name.

Command Examples

Enable IKEv1 on outside interface

crypto ikev1 enable outside

No output is displayed upon successful execution. Use 'show crypto ikev1 sa' to verify.

Enable IKEv1 on DMZ interface

crypto ikev1 enable dmz

Enables IKEv1 on the dmz interface. Verify with 'show run crypto ikev1'.

Understanding the Output

This command does not produce direct output. To verify that IKEv1 is enabled on an interface, use 'show running-config crypto ikev1' or 'show crypto ikev1 sa'. The running config will show lines like 'crypto ikev1 enable outside' if enabled. The 'show crypto ikev1 sa' command displays active IKEv1 security associations; if no SAs are present, it indicates no current VPN negotiations. A healthy state shows active SAs with status 'ACTIVE'. Problem states may show 'MM_NO_STATE' or 'MM_WAIT_MSG' indicating negotiation issues.

Configuration Scenarios

Basic Site-to-Site VPN with IKEv1

Enable IKEv1 on the outside interface for a site-to-site VPN between two ASAs.

Topology

[ASA1]---(outside)---Internet---(outside)---[ASA2]

Steps

  1. Configure the outside interface with an IP address.
  2. Enable IKEv1 on the outside interface: crypto ikev1 enable outside
  3. Configure an IKEv1 policy: crypto ikev1 policy 10, then in policy mode set authentication pre-share, encryption aes-256, hash sha, and group 2.
  4. Configure the IPsec transform set and crypto map.

Configuration

! Enable IKEv1 on outside
crypto ikev1 enable outside
! IKEv1 policy
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

Verify: Use 'show crypto ikev1 sa' to see active SAs. Use 'show crypto isakmp sa detail' for more details.

Watch out: Ensure that IKEv1 has not been disabled on the interface with 'no crypto ikev1 enable', and that the interface is up/up.

Troubleshooting with This Command

When troubleshooting IKEv1 issues, first verify that IKEv1 is enabled on the correct interface using 'show running-config crypto ikev1'. If the command is missing, add it. Next, check the interface status with 'show interface' to ensure it is up. If VPN negotiations fail, use 'debug crypto ikev1 127' to see IKEv1 messages. Common issues include mismatched IKEv1 policies, incorrect pre-shared keys, or ACLs blocking UDP port 500. Also verify that the ASA is not behind NAT without proper NAT traversal configuration. The 'show crypto ikev1 sa' command shows the state of IKEv1 SAs; a state of 'MM_NO_STATE' indicates no negotiation, while 'MM_WAIT_MSG' indicates waiting for a response. Use 'clear crypto ikev1 sa' to reset SAs if needed.

CCNA Exam Tips

  1. Remember that IKEv1 must be enabled on the interface used for VPN termination.
  2. IKEv1 is the legacy protocol; IKEv2 is preferred in newer deployments.
  3. Use 'no crypto ikev1 enable' to disable IKEv1 on an interface.

Common Mistakes

  • Forgetting to enable IKEv1 on the interface, causing VPN negotiation to fail.
  • Enabling IKEv1 on the wrong interface (e.g., inside instead of outside).
  • Not saving the configuration after enabling IKEv1.
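The checks in the troubleshooting section and the first two mistakes above can be run mechanically against a saved running-config. The following Python script is an added example, not part of this page or of any Cisco tooling: the config text it parses is constructed, and the rule that the IKEv1 policy lifetime is excluded when comparing two peers' policies is an assumption, not something this page states.

```python
import re

POLICY_KEYS = ("authentication", "encryption", "hash", "group", "lifetime")

def parse_ikev1(config):
    """Collect IKEv1-enabled interfaces and 'crypto ikev1 policy' blocks."""
    enabled, policies, current = set(), {}, None
    for line in config.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"crypto ikev1 enable (\S+)", line):
            enabled.add(m.group(1)); current = None
        elif m := re.fullmatch(r"crypto ikev1 policy (\d+)", line):
            current = policies.setdefault(int(m.group(1)), {})
        elif current is not None and line.split(" ")[0] in POLICY_KEYS:
            key, _, value = line.partition(" ")
            current[key] = value            # e.g. encryption -> aes-256
        elif line and not line.startswith("!"):
            current = None                  # any other command ends the block
    return enabled, policies

def audit(config, expected):
    """Findings for the 'forgot to enable' and 'wrong interface' mistakes."""
    enabled, _policies = parse_ikev1(config)
    findings = []
    for intf in sorted(set(expected) - enabled):
        findings.append(f"IKEv1 not enabled on expected interface '{intf}'")
    for intf in sorted(enabled - set(expected)):
        findings.append(f"IKEv1 enabled on unexpected interface '{intf}'")
    return findings

def matching_policies(cfg_a, cfg_b):
    """Policy-number pairs whose auth/encryption/hash/group agree on both peers
    (lifetime excluded; assumption: it need not match for negotiation)."""
    pa, pb = parse_ikev1(cfg_a)[1], parse_ikev1(cfg_b)[1]
    return [(i, j) for i, a in pa.items() for j, b in pb.items()
            if all(a.get(k) == b.get(k) for k in POLICY_KEYS[:-1])]

ASA1 = """\
crypto ikev1 enable outside
crypto ikev1 enable inside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
"""  # constructed sample config, not from a real device
ASA2 = ASA1.replace("encryption aes-256", "encryption aes")  # peer with mismatched policy
```

Running audit(ASA1, {"outside"}) flags the stray enable on 'inside', and matching_policies(ASA1, ASA2) returns an empty list, which is the "mismatched IKEv1 policies" case from the troubleshooting section.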

Platform Notes

On Cisco ASA, the command is 'crypto ikev1 enable' while on Cisco IOS routers, it is 'crypto isakmp enable'. The ASA uses 'crypto ikev1' for IKEv1 and 'crypto ikev2' for IKEv2. On ASA version 9.x and later, IKEv2 is the default for new configurations. The command is not available on ASA 5505 models running older software. On other platforms like Palo Alto, the equivalent is 'set network ike gateway' configuration. Always check the ASA version and documentation for exact syntax.
