IKE is enabled by default. IKE does not have to be enabled for individual
interfaces, but it is enabled globally for all interfaces at the router.
If IKE is not used with an IPSec implementation, it can be disabled at all
IPSec peers.
If IKE is disabled, the following concessions will have to
be made at the peers:
- All of the IPSec security associations in the crypto maps at all peers must
be manually specified.
- The IPSec security associations of the peers will never time out for a
given IPSec session.
- During IPSec sessions between the peers, the encryption keys will never
change.
- Anti-replay services will not be available between the peers.
- Certificate authority (CA) support cannot be used.
To disable IKE, use the no isakmp enable command in global configuration mode.
To re-enable IKE, use the isakmp enable command.
NOTE: ISAKMP can be blocked on interfaces not used for IPSec to prevent
possible denial of service attacks. This can be done by using an ACL statement
that blocks UDP port 500 on the interfaces.
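A worked configuration for both cases above (IKE disabled globally, and ISAKMP blocked on an interface that carries no IPSec), added here as an illustration and not taken from the original page. It assumes Cisco IOS syntax, where the global command is entered as `no crypto isakmp enable`; the interface name GigabitEthernet0/1 and ACL number 101 are placeholders.

```cisco
! Added example, not from the original page. Assumes Cisco IOS; the interface
! name GigabitEthernet0/1 (carries no IPSec) and ACL 101 are placeholders.
!
! Case 1: IKE is not used at all, so it is switched off on every peer.
! With IKE off, each IPSec SA in the crypto maps must be entered manually,
! SAs never expire, keys never change, and anti-replay and CA support are lost.
configure terminal
 no crypto isakmp enable
end
!
! Case 2: IKE stays enabled, but ISAKMP is dropped on an interface that
! terminates no IPSec tunnels, so unsolicited IKE traffic arriving there is
! never handed to the IKE process.
configure terminal
 access-list 101 deny   udp any any eq 500 log
 ! NAT traversal carries IKE on UDP 4500 as well; this port is not mentioned
 ! on the page and is added here as a known fact about IKE NAT-T.
 access-list 101 deny   udp any any eq 4500 log
 ! Every IOS ACL ends with an implicit "deny ip any any"; without this line
 ! all other inbound traffic on the interface would be dropped too.
 access-list 101 permit ip any any
 interface GigabitEthernet0/1
  ip access-group 101 in
 end
!
! Verification: match counters on the two deny lines show blocked ISAKMP
! attempts; the IPSec-facing interfaces should still show their IKE SAs.
show access-lists 101
show crypto isakmp sa
```

The `log` keyword is optional; it gives the syslog evidence that the deny entries are being hit, which is what to check first if IKE negotiation on the IPSec-facing side stops working after the ACL is applied.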