
Crypto key master – Enterasys Networks X-Pedition XSR CLI User Manual


IPSec Clear and Show Commands

XSR CLI Reference Guide 14-109

Default

If an access list number is not specified, all access lists are shown.

Mode

EXEC or Global configuration: XSR> or XSR(config)#

Examples

The following example displays configured access lists on the XSR:

XSR#show access-lists

Extended IP access list 100
permit ip any host 192.168.1.0

The following example displays the log threshold:

XSR(config)#show access-lists log-update-threshold

access-list log-update-threshold 10000

crypto key master

This command creates, deletes, or specifies a master encryption key, which encodes all other keys on the XSR, including the AAA user database and the private keys used by PKI (user.dat, cert.dat and hostkey.dat). Before configuring your VPN, you must generate this key.

Syntax

crypto key master {generate | remove | specify}

Mode

Global configuration: XSR(config)#

Parameters (show access-lists)

number                  Access list number defined using the access-list command.

log-update-threshold    Packet ceiling which, when met, triggers the violations log.

Caution: The master encryption key is stored in hardware, not Flash, and you cannot read the key; you can only overwrite the old key by writing a new one. To ensure router security, it is critical not to compromise the key. There are situations where you may want to keep the key, for example, to save the user database off-line in order to later download it to the XSR. To decrypt that user database again, the XSR needs the same master key, which you provide with the crypto key master specify command. Be aware that if the XSR is inoperable and you press the Default button, the master key is erased and you must generate a new one.

Parameters (crypto key master)

generate    Create a master encryption key.

remove      Delete the master encryption key and the host key pair (hostkey.dat).

specify     Specify a master encryption key.