Configures
parameters for the IKEv2 IKE Security Associations within this crypto template.
Important |
HNBGW is not supported from Release 20 and later, and HeNBGW is not supported in Releases 20, 21.0 and 21.1. This command
must not be used for HNBGW and HeNBGW in these releases. For more information, contact your Cisco account representative.
|
Product
ePDG
FA
GGSN
HA
HeNBGW
HNBGW
HSGW
MME
P-GW
PDSN
S-GW
SAEGW
SCM
SecGW
SGSN
Privilege
Security
Administrator
Syntax
ikev2-ikesa { allow-empty-ikesa | max-retransmissions number | policy { error-notification [ invalid-major-version ] [ invalid-message-id [ invalid-major-version | invalid-syntax ] ] | invalid-syntax [ invalid-major-version ] | use-rfc5996-notification } | rekey [ disallow-param-change ] | retransmission-timeout msec [ exponential ] | setup-timer sec | transform-set list name1 name2 name3 name4 name5 name6 }
default ikev2-ikesa { allow-empty-ikesa | max-retransmissions | policy error-notification | rekey [ disallow-param-change ] | setup-timer }
no ikev2-ikesa { allow-empty-ikesa name | policy { error-notification | use-rfc5996-notification } | rekey sec | transform-set list }
no ikev2-ikesa
Disables a
previously enabled parameter.
allow-empty-ikesa
Default is not to
allow-empty-ikesa. Activate to have the IKEv2 stack keep the IKE SA when all
the Child SAs have been deleted.
max-retransmissions
number
Specifies the
maximum number of retransmissions of an IKEv2 IKE Exchange Request if a
response has not been received.
number must be
an integer from 1 through 8. Default: 5
policy { error-notification [
invalid-major-version ] [ invalid-message-id [ invalid-major-version |
invalid-syntax ] ] | invalid-syntax [ invalid-major-version ] |
use-rfc5996-notification }
Specifies the
default policy for generating an IKEv2 Invalid Message ID error when PDIF
receives an out-of-sequence packet.
error-notification : Sends an Error Notify Message
to the MS for Invalid IKEv2 Exchange Message ID and Invalid IKEv2 Exchange
Syntax for the IKE_SA_INIT Exchange.
[invalid-major-version] : Sends an Error Notify
Message for Invalid Major Version
[invalid-message-id] : Sends an Error Notify
Message for Invalid IKEv2 Exchange Message ID.
[invalid-syntax] : Sends an Error Notify Message
for Invalid IKEv2 Exchange Syntax.
use-rfc5996-notification : Enables support for
TEMPORARY_FAILURE and CHILDSA_NOT_FOUND notify payloads.
rekey
[ disallow-param-change
]
Specifies if IKESA
rekeying should occur before the configured lifetime expires (at approximately
90% of the lifetime interval). Default is not to re-key.
The
disallow-param-change option does not allow changes in
negotiation parameters during rekey.
retransmission-timeout
msec
Specifies the
timeout period (in milliseconds) before a retransmission of an IKEv2 IKE
exchange request is sent (if the corresponding response has not been received).
msec must be
an integer from 300 to 15000. Default: 500
exponential
Specifies that the
subsequent retransmission delays are exponentially increased with a maximum
limit of 15000ms.
setup-timer
sec
Specifies the
number of seconds before a IKEv2 IKE Security Association that is not fully
established is terminated.
sec must be
an integer from 1 through 3600. Default: 16
transform-set list
name1
Specifies the name
of a context-level configured IKEv2 IKE Security Association transform set.
name1
...name6 must be
an existing IKEv2 IKESA Transform Set expressed as an alphanumeric string of 1
through 127 characters.
The transform set
is a space-separated list of IKEv2-IKESA SA transform sets to be used for
deriving IKEv2 IKE Security Associations from this crypto template. A minimum
of one transform-set is required; maximum configurable is six.
Usage Guidelines
Use this command
to configure parameters for the IKEv2 IKE Security Associations within this
crypto template.
Example
The following
command configures the maximum number of IKEv2 IKESA request retransmissions to
7 :
ikev2-ikesa max-retransmissions 7
The following
command configures the IKEv2 IKESA request retransmission timeout to
400
milliseconds:
ikev2-ikesa retransmission-timeout 400
The following
command configures the IKEv2 IKESA transform set
ikesa43 :
ikev2-ikesa transform-set list ikesa43