Configures
parameters for the IKEv2 IKE Security Associations within this crypto template.
Product
All IPSec-related
services
Privilege
Security
Administrator
Mode
Exec > Global
Configuration > Context Configuration > Crypto Template Configuration
configure > context
context_name
> crypto template
template_name
ikev2-dynamic
Entering the above
command sequence results in the following prompt:
[context_name]host_name(crf-crypto-tmp1-ikev2-tunnel)#
Syntax
ikev2-ikesa { allow-empty-ikesa | cert-sign { pkcs1.5 | pkcs2.0 } | configuration-attribute p-cscf-v6 { iana | private } length { 16 | 17 } | emergency { keepalive [ interval interval ] timeout seconds num-retry val } | fragmentation | idi peer_idi_value { common-id | request-eap-identity } | ignore-notify-protocol-id | ignore-rekeying-requests | keepalive-user-activity | max-retransmissions number | mobike [ cookie-challenge ] | policy { congestion-rejection { notify-status-value value | notify-error-value value } | error-notification [ invalid-major-version ] [ invalid-message-id [ invalid-major-version | invalid-syntax ] ] | invalid-syntax [ invalid-major-version ] | use-rfc5996-notification } | rekey [ disallow-param-change ] | retransmission-timeout msec | setup-timer sec | transform-set list name1 name2 name3 name4 name5 name6 }
default ikev2-ikesa { allow-empty-ikesa | cert-sign | configuration-attribute p-cscf-v6 { iana | private } length | fragmentation | ignore-notify-protocol-id | ignore-rekeying-requests | keepalive-user-activity | max-retransmissions | mobike | policy error-notification | rekey [ disallow-param-change ] | retransmission-timeout | setup-timer }
no ikev2-ikesa { allow-empty-ikesa | auth-method-set | fragmentation | idi peer_idi_value | ignore-notify-protocol-id | ignore-rekeying-requests | keepalive-user-activity | list name | mobike | policy error-notification | rekey }
default
Restores the
configuration to its default value.
no
Disables a
previously enabled parameter.
allow-empty-ikesa
Default is not to
allow-empty-ikesa. Activate to have the IKEv2 stack keep the IKE SA when all
the Child SAs have been deleted.
cert-sign { pkcs1.5 | pkcs2.0 }
Specifies the
certificate sign to be used. Default: pkcs1.5
pkcs1.5 : Use the Public-Key Cryptography Standards
(PKCS) version 1.5, RSA Encryption Standard.
pkcs2.0: : Use the PKCS version 2.0, RSA Encryption
Standard.
configuration-attribute p-cscf-v6 { iana | private } length { 16
| 17 }
Specifies the
P-CSCF IPv6 configuration attribute length for both IANA and private attribute
values. As per RFC 7651, the configuration attribute length for IANA is 16
bytes.
Default (iana): 16
bytes
Default (private):
17 bytes
emergency { keepalive [ interval
interval ] timeout
seconds num-retry
val }
Configures
emergency call related parameters.
Keepalive :
Configures Keepalive Functionality (Dead Peer Detection) to be enabled for all
emergency Security Associations derived from this Crypto Template and this will
override generic keep alive configuration for emergency calls.
interval : The number
of seconds which must elapse during which no traffic is received from the given
IKE_SA peer or any CHILD_SAs derived from the IKE_SA for Dead Peer Detection to
be initiated (Default: 3). - integer 2..3600
timeout : Configures the Keepalive (Dead Peer Detection) Timeout in
seconds. This value configures the number of seconds which must elapse after a
Keepalive has been sent, and no response has been received before another
keepalive is sent.
seconds : The number of seconds which must elapse after a
Keepalive has been sent, and no response has been received, before another
Keepalive is send. Default is 3 seconds and the Interval should be between 2
and 3600 seconds.
num-retry : Configure the number of Keepalive (Dead Peer Detection)
Retry attempts. If Keepalive (Dead Peer Detection) has been initiated this
value configures the number of retry attempts which will be made if no response
is received from the peer, before the peer is declared dead.
val : The number of retry attempts which will be made if no
response is received from the peer before the peer is declared dead Default is
2 seconds and the Interval should be between 1 and 30 seconds.
fragmentation
Enables IKESA
fragmentation (Tx) and re-assembly (Rx).
Default: IKESA
fragmentation and re-assembly is allowed.
idi
peer_idi_value { common-id | request-eap-identity }
Specifies the IDI related configuration to match IDI from peer which enables the ePDG to request the real identity using EAP-Identity
Request. peer_idi_value is a string of 1 through 127 characters.
request-eap-identity : Requests the EAP-Identity from peer.
common-id : Requests the Common IDi from peer.
ignore-notify-protocol-id
Ignores IKEv2
Informational Exchange Notify Payload Protocol-ID values for strict RFC 4306
compliance.
ignore-rekeying-requests
Ignores received
IKE_SA Rekeying Requests.
keepalive-user-activity
Default is no
keepalive-user-activity. Activate to reset the user inactivity timer when
keepalive messages are received from peer.
max-retransmissions
number
Specifies the
maximum number of retransmissions of an IKEv2 IKE Exchange Request if a
response has not been received.
number must be
an integer from 1 through 8. Default: 5
mobike
[ cookie-challenge ]
IKEv2 Mobility and
Multihoming Protocol (MOBIKE) allows the IP addresses associated with IKEv2 and
tunnel mode IPSec Security Associations to change. A mobile Virtual Private
Network (VPN) client could use MOBIKE to keep the connection with the VPN
gateway active while moving from one address to another. Similarly, a
multi-homed host could use MOBIKE to move the traffic to a different interface
if, for instance, the one currently being used stops working.
Default: Disabled
cookie-challenge : Use this keyword to enable the
return routability check. The Gateway performs a return routability check when
MOBIKE is enabled along with this keyword. A return routability check ensures
that the other party can receive packets at the claimed address. Default:
Disabled
policy { congestion-rejection { notify-status-value
value
| notify-error-value
value
} | error-notification [
invalid-major-version ] [ invalid-message-id [ invalid-major-version |
invalid-syntax ] ] | invalid-syntax [ invalid-major-version ]
| use-rfc5996-notification }
Specifies the
default policy for generating an IKEv2 Invalid Message ID error when PDIF
receives an out-of-sequence packet.
congestion-rejection : Sends an Error Notify
Message to the MS as a reply to an IKE_SA_INIT Exchange when no more IKE_SA
sessions can be established.
notify-status-value
value : Notify
Message will be sent to MS as a reply to an IKE_SA_INIT Exchange when no more
IKE_SA sessions can be established.
value is RFC
4306 IKEv2 Private Use Status Range - integer 40960 through 65535.
notify-error-value
value : Notify Message will be sent to MS as a
reply to an IKE_SA_INIT Exchange when no more IKE_SA sessions can be
established.
value is RFC 4306 IKEv2 Private Use Error Range - integer
8192 through 16383.
error-notification : Sends an Error Notify Message
to the MS for Invalid IKEv2 Exchange Message ID and Invalid IKEv2 Exchange
Syntax for the IKE_SA_INIT Exchange.
invalid-major-version : Sends an Error Notify
Message for Invalid Major Version
invalid-message-id : Sends an Error Notify Message
for Invalid IKEv2 Exchange Message ID.
invalid-syntax : Sends an Error Notify Message for
Invalid IKEv2 Exchange Syntax.
use-rfc5996-notification : Enable sending and
receive processing for RFC 5996 notifications - TEMPORARY_FAILURE and
CHILD_SA_NOT_FOUND
rekey
[
disallow-param-change ]
Specifies if IKESA
rekeying should occur before the configured lifetime expires (at approximately
90% of the lifetime interval). Default is not to re-key.
The
disallow-param-change option prevents changes in negotiation
parameters during rekey.
retransmission-timeout
msec
Specifies the
timeout period (in milliseconds) before a retransmission of an IKEv2 IKE
exchange request is sent (if the corresponding response has not been received).
msec must be
an integer from 300 to 15000. Default: 500
setup-timer
sec
Specifies the
number of seconds before a IKEv2 IKE Security Association that is not fully
established is terminated.
sec must be
an integer from 1 through 3600. Default: 16
transform-set list
name1
Specifies the name
of a context-level configured IKEv2 IKE Security Association transform set.
name1
...name6 must be
an existing IKEv2 IKESA Transform Set expressed as an alphanumeric string of 1
through 127 characters.
The transform set
is a space-separated list of IKEv2-IKESA SA transform sets to be used for
deriving IKEv2 IKE Security Associations from this crypto template. A minimum
of one transform-set is required; maximum configurable is six.
Usage Guidelines
Use this command
to configure parameters for the IKEv2 IKE Security Associations within this
crypto template.
Example
The following command enables IKESA fragmentation and
re-assembly:
ikev2-ikesa fragmentation
The following
command configures the maximum number of IKEv2 IKESA request re-transmissions
to
7 :
ikev2-ikesa max-retransmissions 7
The following
command configures the IKEv2 IKESA request retransmission timeout to
400 milli
seconds:
ikev2-ikesa retransmission-timeout 400
The following
command configures the IKEv2 IKESA list, consisting of a transform set named as
ikesa43 :
ikev2-ikesa transform-set list ikesa43