crypto isakmp key [key] address [peer]
Configures a pre-shared key for IKE (ISAKMP) authentication with a specific peer IP address, used to establish IPsec VPN tunnels.
When to Use This Command
- Setting up a site-to-site VPN between two branch offices using pre-shared keys.
- Configuring remote access VPN where a remote user connects to the corporate network.
- Establishing a VPN tunnel between a Cisco router and a third-party firewall that supports IKE.
- Replacing an expired or compromised pre-shared key for an existing VPN peer (re-entering the command for the same address overwrites the old key; clear the existing SA afterwards so the new key is used).
Command Examples
Basic pre-shared key configuration for a single peer
Router(config)# crypto isakmp key MySecretKey address 192.168.1.100
Router(config)#
Entered in global configuration mode, the command binds the pre-shared key 'MySecretKey' to the peer at IP 192.168.1.100. No output is generated on success; the prompt simply returns. If a key already exists for that address, the new command replaces it.
Verifying the ISAKMP key configuration
Router# show crypto isakmp key
Keyring      Hostname/Address                            Preshared Key

default      192.168.1.100                               MySecretKey
The output lists the keyring ('default' because no named keyring was used), the peer address the key is bound to, and the key itself. IOS prints the key in cleartext here and in the running configuration unless type 6 key encryption is enabled, so treat this output as sensitive. The entry confirms the key is configured for the peer.
Understanding the Output
The 'show crypto isakmp key' command lists every configured pre-shared key, one line per peer. The 'Keyring' column is the keyring name ('default' for keys configured globally with this command). 'Hostname/Address' is the peer the key is bound to. 'Preshared Key' is the key value; it is shown in cleartext unless type 6 encryption has been enabled with 'key config-key password-encryption' and 'password encryption aes'. A missing entry means no key is configured for that peer. ISAKMP itself runs over UDP 500 (UDP 4500 once NAT traversal is detected), and the connection ID of an IKE negotiation is shown by 'show crypto isakmp sa', not by this command. If the key is wrong or missing, Phase 1 never completes: 'show crypto isakmp sa' shows the SA stuck in MM_NO_STATE or MM_KEY_EXCH instead of QM_IDLE, and 'debug crypto isakmp' reports that the peer's encrypted payloads cannot be processed.
CCNA Exam Tips
CCNA exam tip: The 'crypto isakmp key' command is used in Phase 1 of IPsec; the key must match exactly on both peers.
CCNA exam tip: The key is case-sensitive and can include special characters; exam questions may test this.
CCNA exam tip: Use 'show crypto isakmp sa' to verify Phase 1 SA status; QM_IDLE means Phase 1 succeeded, while MM_NO_STATE or MM_KEY_EXCH suggests a mismatched key or policy.
CCNA exam tip: The 'address' parameter accepts a wildcard mask; 'address 0.0.0.0 0.0.0.0' matches any peer (dynamic VPN), but then every peer shares one key, so it is less secure.
Common Mistakes
Mistake 1: Typing the key incorrectly or with extra spaces, causing authentication failure and no VPN establishment.
Mistake 2: Forgetting to configure the same key on both peers; IKE will fail with 'authentication failure' messages.
Mistake 3: Using a short or guessable key; use a long random string, unique per peer, and enable type 6 encryption so the key is not stored in cleartext in the configuration.
Related Commands
crypto ipsec transform-set [name] esp-aes esp-sha-hmac
Defines an IPsec transform set specifying the encryption and authentication algorithms to protect VPN traffic, used when configuring an IPsec VPN policy.
crypto isakmp policy [priority]
Creates or modifies an ISAKMP (IKE) policy for IPsec VPN negotiations, defining encryption, authentication, and key exchange parameters.
crypto map [name] [seq] ipsec-isakmp
Creates or modifies a crypto map entry for IPsec VPN configuration, defining the security policies and peer parameters for IKE and IPsec negotiations.
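A complete site-to-site configuration that ties this command to the related commands above, added here as an illustration (it is not from the original page). Router names, addresses, the key string, and the ACL and crypto map names are hypothetical; 203.0.113.0/24 and 198.51.100.0/24 are documentation prefixes. It assumes IOS 15.x so that SHA-256 and DH group 14 are available.

```cisco
! Added example, not from the original page. Hypothetical names and addresses.
! R1: WAN 203.0.113.1, LAN 10.1.1.0/24   R2: WAN 198.51.100.1, LAN 10.2.2.0/24
!
! ===== R1 =====
! Encrypt the ISAKMP key as type 6 before it is entered, so 'show run'
! shows 'crypto isakmp key 6 ...' instead of the cleartext string.
key config-key password-encryption MasterKeyForType6
password encryption aes
!
! Phase 1 (IKE) policy: both peers must agree on these values
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
!
! Phase 1 PSK. 'address' is the REMOTE peer; the key must match R2's byte for byte
crypto isakmp key Xk9vT2pLq7mRz4Wn8BdQs6HfJ3 address 198.51.100.1
!
! Phase 2 (IPsec) transform set
crypto ipsec transform-set TS-AES-SHA esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! "Interesting traffic" that should be protected
ip access-list extended VPN-R1-TO-R2
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
crypto map CM-VPN 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS-AES-SHA
 match address VPN-R1-TO-R2
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map CM-VPN
!
! ===== R2 (mirror image) =====
key config-key password-encryption MasterKeyForType6
password encryption aes
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
!
! Same key string, but bound to R1's address
crypto isakmp key Xk9vT2pLq7mRz4Wn8BdQs6HfJ3 address 203.0.113.1
!
crypto ipsec transform-set TS-AES-SHA esp-aes 256 esp-sha256-hmac
 mode tunnel
!
ip access-list extended VPN-R2-TO-R1
 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!
crypto map CM-VPN 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS-AES-SHA
 match address VPN-R2-TO-R1
!
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map CM-VPN
!
! ===== Verification and key rotation (exec mode, either router) =====
! Send traffic between the LANs first; the tunnel is built on demand.
! show crypto isakmp key      -> one 'default' line per peer with the key
! show crypto isakmp sa       -> QM_IDLE once Phase 1 succeeds
! show crypto ipsec sa        -> encaps/decaps counters increasing
!
! To rotate the key: enter the new 'crypto isakmp key' on BOTH peers, then
! clear the Phase 1 SA so the next negotiation uses the new key:
! clear crypto isakmp
! clear crypto sa
```

The two sides are deliberately symmetric: the only differences are the peer address in the key and crypto map, the interface address, and the direction of the ACL. A mismatch in any Phase 1 policy value or a single character of the key leaves the SA in MM_NO_STATE or MM_KEY_EXCH rather than QM_IDLE.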