Configure a Router for IKE Using Pre-shared Keys
Step 1 – Enable or disable IKE

IKE is enabled by default. It does not have to be enabled for individual interfaces; it is enabled globally for all interfaces on the router.

If IKE is not used with an IPSec implementation, it can be disabled at all IPSec peers.

If IKE is disabled, the following concessions will have to be made at the peers:

  • All of the IPSec security associations in the crypto maps at all peers must be manually specified.
  • The IPSec security associations of the peers will never time out for a given IPSec session.
  • During IPSec sessions between the peers, the encryption keys will never change.
  • Anti-replay services will not be available between the peers.
  • Certificate authority (CA) support cannot be used.

To disable IKE, use the no isakmp enable command in global configuration mode. To re-enable IKE, use the isakmp enable command.

NOTE:

ISAKMP can be blocked on interfaces not used for IPSec to prevent possible denial-of-service attacks. This can be done by using an ACL statement that blocks UDP port 500 on those interfaces.
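
An added example, not from the original page: a Python check that reads a router running-config and lists the interfaces that neither carry a crypto map nor have an inbound ACL blocking UDP port 500, which is the exposure the note describes. The sample config, ACL number 110 and map name MYMAP are constructed, and IOS-style numbered ACL syntax is an assumption.

```python
import re

# Constructed sample running-config (not from the original page).
SAMPLE_CONFIG = """\
access-list 110 deny udp any any eq isakmp
access-list 110 permit ip any any
!
interface Serial0/0
 crypto map MYMAP
!
interface FastEthernet0/0
 ip access-group 110 in
!
interface FastEthernet0/1
 ip address 10.0.2.1 255.255.255.0
"""

# Simplification: only numbered ACLs with an "any any" deny are recognised, and entry order is ignored.
ISAKMP_DENY = re.compile(r"access-list (\d+) deny\s+udp any any eq (?:isakmp|500)\b")

def acls_blocking_isakmp(config):
    """Numbers of ACLs that contain a deny for UDP port 500 (isakmp)."""
    return {m.group(1) for ln in config.splitlines() if (m := ISAKMP_DENY.match(ln.strip()))}

def parse_interfaces(config):
    """Map each interface name to the list of its indented sub-commands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current:
            interfaces[current].append(line.strip())
        else:
            current = None
    return interfaces

def exposed_interfaces(config):
    """Interfaces with no crypto map and no inbound ACL that blocks UDP 500."""
    blocking = acls_blocking_isakmp(config)
    exposed = []
    for name, cmds in parse_interfaces(config).items():
        uses_ipsec = any(c.startswith("crypto map ") for c in cmds)
        inbound = {c.split()[2] for c in cmds if re.fullmatch(r"ip access-group \S+ in", c)}
        if not uses_ipsec and not (inbound & blocking):
            exposed.append(name)
    return exposed

if __name__ == "__main__":
    print(exposed_interfaces(SAMPLE_CONFIG))
```

In the sample, Serial0/0 is skipped because it terminates IPSec, FastEthernet0/0 is covered by ACL 110, and FastEthernet0/1 is reported.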