Crypto Map IKEv2-IPv6 Configuration Mode Commands


The Crypto Map IKEv2-IPv6 Configuration Mode is used to configure an IKEv2 IPsec policy for secure X3 interface tunneling between a P-GW and a lawful intercept server.
 
Important: The commands or keywords/variables that are available are dependent on platform type, product version, and installed license(s).
 
authentication
Configures the subscriber authentication method used for the P-GW lawful intercept service.
Product
P-GW
Privilege
Administrator
Syntax
authentication pre-shared-key { encrypted key value | key value }
pre-shared-key { encrypted key value | key value }
Specifies that a pre-shared key is to be used for authenticating a subscriber in the P-GW lawful intercept service.
encrypted key value: Specifies that the pre-shared key used for authentication is encrypted. value must be between 1 and 255 alpha and/or numeric characters.
key value: Specifies that the pre-shared key used for authentication is clear text. value must be between 1 and 255 alpha and/or numeric characters.
Usage
Use this command to specify the type of authentication performed for subscribers attempting to access the P-GW service using this crypto map. The same pre-shared key must be configured on the IPsec peer. The encrypted form is intended for re-entering a key as it appears in a saved configuration; a new key is normally entered in clear text with the key keyword.
Example
The following command sets the authentication method to a pre-shared key entered in clear text with the value 6d7970617373776f7264:
authentication pre-shared-key key 6d7970617373776f7264
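The following is an added example, not code from the StarOS reference or from Cisco, showing what the pre-shared key configured above is actually used for on the wire. In IKEv2 (RFC 7296 section 2.15) the key is never transmitted; each side proves possession of it by computing AUTH = prf(prf(Shared Secret, "Key Pad for IKEv2"), SignedOctets), where SignedOctets covers its own IKE_SA_INIT message, the peer's nonce and a MAC of its own ID payload keyed with SK_pi (initiator) or SK_pr (responder), both derived from the Diffie-Hellman exchange. The prf is negotiated per IKE SA; HMAC-SHA-256 is assumed here, and all message bytes, nonces, keys and the peer identity are constructed placeholders rather than a captured exchange:

```python
"""Added example (not from the StarOS reference): IKEv2 pre-shared-key
authentication, RFC 7296 section 2.15.  prf = HMAC-SHA-256 is an assumption
(the prf is negotiated in the IKE SA proposal); all wire data is constructed."""
import hashlib
import hmac

KEY_PAD = b"Key Pad for IKEv2"   # fixed pad string from RFC 7296 section 2.15


def prf(key: bytes, data: bytes) -> bytes:
    """Negotiated prf; HMAC-SHA-256 assumed for this example."""
    return hmac.new(key, data, hashlib.sha256).digest()


def signed_octets(own_init_msg: bytes, peer_nonce: bytes,
                  sk_p: bytes, rest_of_id_payload: bytes) -> bytes:
    """InitiatorSignedOctets / ResponderSignedOctets:
    RealMessage | peer nonce | prf(SK_p, RestOfIDPayload)."""
    maced_id = prf(sk_p, rest_of_id_payload)
    return own_init_msg + peer_nonce + maced_id


def psk_auth(psk: bytes, octets: bytes) -> bytes:
    """AUTH payload data for the shared-key authentication method."""
    return prf(prf(psk, KEY_PAD), octets)


def verify_psk_auth(psk: bytes, octets: bytes, received_auth: bytes) -> bool:
    """Peer-side check; constant-time compare to avoid a timing side channel."""
    return hmac.compare_digest(psk_auth(psk, octets), received_auth)


def demo() -> dict:
    """Initiator computes AUTH, responder verifies it.  Returns the outcomes."""
    # The key value exactly as typed in the reference example; the CLI treats
    # it as a character string, so the PSK bytes are its ASCII encoding.
    psk = b"6d7970617373776f7264"
    # Constructed placeholders for the exchange (not real protocol data)
    init_request = b"IKE_SA_INIT request bytes (constructed)"
    responder_nonce = b"\x11" * 32
    sk_pi = b"\x22" * 32                 # would come from the DH secret in a real SA
    id_i = b"\x02\x00\x00\x00" + b"pgw.example.test"   # ID_FQDN (type 2), constructed

    octets = signed_octets(init_request, responder_nonce, sk_pi, id_i)
    auth = psk_auth(psk, octets)
    return {
        "auth_len": len(auth),
        "accepted": verify_psk_auth(psk, octets, auth),
        # A peer configured with a different key fails verification
        "wrong_psk_accepted": verify_psk_auth(b"wrong-key", octets, auth),
        # Any change to the covered octets (e.g. a tampered IKE_SA_INIT) also fails
        "tampered_accepted": verify_psk_auth(psk, octets + b"x", auth),
    }


if __name__ == "__main__":
    print(demo())
```

Because the responder's SK_pi is known to anyone who completed IKE_SA_INIT with the initiator, an attacker who answers the initiator's IKE_SA_INIT can collect its AUTH value and test candidate keys offline; RFC 7296 notes that the shared-key method is therefore only as strong as the entropy of the key. Use a long, randomly generated value rather than a word-derived one.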
 
control-dont-fragment
Controls the don’t fragment (DF) bit in the outer IP header of the IPsec tunnel data packet.
Product
P-GW
Privilege
Administrator
Syntax
control-dont-fragment { clear-bit | copy-bit | set-bit }
{ clear-bit | copy-bit | set-bit }
clear-bit: Clears the DF bit from the outer IP header (sets it to 0).
copy-bit: Copies the DF bit from the inner IP header to the outer IP header. This is the default action.
set-bit: Sets the DF bit in the outer IP header (sets it to 1).
Usage
When a packet enters the IPsec tunnel, a new outer IP header is added around it. This command controls the DF bit of that outer header: copy-bit mirrors the DF bit of the original (inner) packet, set-bit always sets it, and clear-bit always clears it. With the bit set, an encapsulated packet larger than the path MTU is dropped by the path rather than fragmented, so the sender depends on path MTU discovery; with the bit cleared, the encapsulated packet may be fragmented in transit and the peer must reassemble the fragments before it can decrypt them.
Example
The following command sets the DF bit in the outer IP header:
control-dont-fragment set-bit
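To make the three settings concrete, here is an added example (not code from the reference or from Cisco) that models what each control-dont-fragment option does to one tunnel packet against an assumed path MTU. The DF flag is an IPv4 header flag, so the model assumes an IPv4 outer header of 20 bytes; the ESP overhead figure, packet sizes and MTU are constructed assumptions, not values taken from the product:

```python
"""Added example (not from the StarOS reference): outcome of the three
control-dont-fragment policies for an IPsec tunnel packet.
Assumptions: IPv4 outer header (20 bytes), 52 bytes of ESP overhead,
constructed packet sizes and a 1500-byte path MTU."""
from dataclasses import dataclass

OUTER_IPV4_HEADER = 20   # the DF flag lives in the IPv4 outer header (assumption)
ESP_OVERHEAD = 52        # SPI/seq, IV, padding, trailer, ICV: assumed figure


def outer_df(policy: str, inner_df: bool) -> bool:
    """DF bit written into the outer IP header for one inner packet."""
    if policy == "copy-bit":     # default: mirror the inner header's DF bit
        return inner_df
    if policy == "set-bit":      # always 1: outer packet must not be fragmented
        return True
    if policy == "clear-bit":    # always 0: outer packet may be fragmented
        return False
    raise ValueError(f"unknown control-dont-fragment policy: {policy}")


@dataclass
class Outcome:
    outer_df: bool
    outer_len: int
    result: str      # "sent", "fragmented" or "dropped"


def tunnel(policy: str, inner_len: int, inner_df: bool, path_mtu: int) -> Outcome:
    """Encapsulate one inner packet and decide what the path does with it."""
    df = outer_df(policy, inner_df)
    outer_len = inner_len + ESP_OVERHEAD + OUTER_IPV4_HEADER
    if outer_len <= path_mtu:
        return Outcome(df, outer_len, "sent")
    if df:
        # A router on the path drops it and (if not filtered) returns ICMP
        # "fragmentation needed"; the sender relies on PMTUD to recover.
        return Outcome(df, outer_len, "dropped")
    # Post-encryption fragmentation: the peer must reassemble the fragments
    # before it can authenticate and decrypt the ESP packet.
    return Outcome(df, outer_len, "fragmented")


def demo() -> dict:
    """Constructed cases: 1500-byte path MTU, a packet that fits and one that does not."""
    mtu = 1500
    return {
        "small_copy":    tunnel("copy-bit", 1400, True, mtu).result,
        "big_set":       tunnel("set-bit", 1480, False, mtu).result,
        "big_clear":     tunnel("clear-bit", 1480, True, mtu).result,
        "big_copy_df":   tunnel("copy-bit", 1480, True, mtu).result,
        "big_copy_nodf": tunnel("copy-bit", 1480, False, mtu).result,
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The "dropped" case is the one to watch in practice: if ICMP is filtered somewhere on the X3 path, a set-bit or copy-bit configuration silently loses large packets, while clear-bit trades that for reassembly load on the peer.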
 
end
Exits the current mode and returns to the Exec Mode.
Product
All
Privilege
Administrator
Syntax
end
Usage
Change the mode back to the Exec Mode.
 
exit
Exits the current mode and returns to the previous mode.
Product
All
Privilege
Administrator
Syntax
exit
Usage
Returns to the previous mode.
 
ikev2-ikesa
Configures parameters for the IKEv2 IKE Security Associations within this crypto map.
Product
P-GW
Privilege
Administrator
Syntax
ikev2-ikesa { max-retransmissions number | rekey | setup-timer sec }
default ikev2-ikesa { max-retransmissions | rekey | setup-timer }
no ikev2-ikesa rekey
default
Restores the selected keyword to its default value.
no ikev2-ikesa
Disables a previously enabled parameter.
max-retransmissions number
Default: 5
Specifies the maximum number of retransmissions of an IKEv2 IKE exchange request if a response has not been received. number must be an integer from 1 to 8.
rekey
Specifies whether IKESA rekeying should occur before the configured lifetime expires (at approximately 90% of the lifetime interval). Default is not to re-key. If rekeying is disabled, the IKE SA and its Child SAs are deleted when the lifetime expires and must be negotiated again.
setup-timer sec
Default: 60
Specifies the number of seconds before an IKEv2 IKE Security Association that is not fully established is terminated. sec must be an integer from 1 to 3600.
Usage
Use this command to configure parameters for the IKEv2 IKE Security Associations within this crypto map.
Example
The following command configures the maximum number of IKEv2 IKESA request retransmissions to 7:
ikev2-ikesa max-retransmissions 7
 
match
Matches or associates the crypto map to an access control list (ACL) configured in the same context.
Product
P-GW
Privilege
Administrator
Syntax
match address acl_name [ priority ]
no match address
no
Removes a previously matched ACL.
acl_name
The name of the ACL that the crypto map is to be matched with.
acl_name can be from 1 to 79 alpha and/or numeric characters and is case sensitive.
priority
Default: 0
Specifies the preference of the ACL. The ACL preference is taken into account when a single packet matches the criteria of more than one ACL.
The preference can be configured to any integer value from 0 to 4294967295. “0” is the highest priority; the lower the number, the higher the preference.
Important: The priorities are only compared for ACLs matched to other crypto maps or to policy ACLs (those applied to the entire context).
Usage
ACLs matched to crypto maps are referred to as crypto ACLs. Crypto ACLs define the criteria that must be met in order for a subscriber data packet to be routed over an IPSec tunnel.
Prior to routing, the system examines the properties of each subscriber data packet. If the packet properties match the criteria specified in the crypto ACL, the system initiates the IPSec policy dictated by the crypto map. A packet that matches no crypto ACL is routed without IPsec protection, so the ACL must cover all traffic that is required to be tunneled.
Example
The following command sets the crypto map ACL to the ACL named acl-list1 and sets the crypto map's priority to the highest level:
match address acl-list1 0
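The following is an added example, not code from the reference or from Cisco, modelling the selection rule described above: a packet is tested against the crypto ACL of every crypto map, and when it matches more than one, the map whose ACL carries the lowest priority number (0 being highest) wins. The ACL syntax used here is a deliberately minimal constructed form ("permit <proto> <src-prefix> <dst-prefix>"), not StarOS ACL syntax, and the map names, prefixes and priorities are constructed for the example:

```python
"""Added example (not from the StarOS reference): crypto ACL matching with
priorities.  Rule syntax, map names, prefixes and priorities are constructed;
StarOS ACL syntax is not reproduced here."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    proto: str                           # "ip" matches any protocol
    src: ipaddress._BaseNetwork
    dst: ipaddress._BaseNetwork


def parse_acl(text: str) -> list:
    """Parse constructed 'permit <proto> <src-prefix> <dst-prefix>' lines."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] != "permit":
            raise ValueError(f"unsupported rule: {line!r}")
        rules.append(Rule(parts[1], ipaddress.ip_network(parts[2]),
                          ipaddress.ip_network(parts[3])))
    return rules


def acl_matches(rules: list, proto: str, src: str, dst: str) -> bool:
    """True when any rule covers the packet's protocol, source and destination.
    Address-family mismatches (v4 address vs v6 prefix) simply do not match."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(r.proto in ("ip", proto) and s in r.src and d in r.dst for r in rules)


@dataclass
class CryptoMap:
    name: str
    acl: list
    priority: int = 0      # 'match address <acl> [priority]': default 0, 0 = highest


def select_crypto_map(maps: list, proto: str, src: str, dst: str):
    """Name of the crypto map whose policy applies, or None for clear routing."""
    candidates = [m for m in maps if acl_matches(m.acl, proto, src, dst)]
    if not candidates:
        return None        # no crypto ACL hit: the packet is routed unprotected
    # Lowest number wins.  Tie-breaking between equal priorities is not
    # specified on the page; first configured map wins here (assumption).
    return min(candidates, key=lambda m: m.priority).name


def demo() -> dict:
    """Two overlapping crypto ACLs: the LI map is narrower and higher priority."""
    maps = [
        CryptoMap("x3-li", parse_acl("permit ip 2001:db8:1::/48 2001:db8:ff::/64"), priority=0),
        CryptoMap("bulk", parse_acl("permit ip 2001:db8::/32 2001:db8:ff::/64"), priority=10),
    ]
    return {
        # matches both ACLs; priority 0 beats priority 10
        "li_packet": select_crypto_map(maps, "tcp", "2001:db8:1::5", "2001:db8:ff::1"),
        # matches only the broader /32 ACL
        "other_packet": select_crypto_map(maps, "tcp", "2001:db8:2::5", "2001:db8:ff::1"),
        # matches nothing: routed without IPsec
        "unmatched": select_crypto_map(maps, "tcp", "2001:db9::1", "2001:db8:ff::1"),
    }


if __name__ == "__main__":
    print(demo())
```

The overlap case is the reason the priority argument exists: a broad ACL on another crypto map in the same context would otherwise capture lawful intercept traffic, so give the X3 map's ACL the lowest number and verify the overlap rather than assuming configuration order decides.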
 
payload
Creates a new, or specifies an existing, crypto template payload and enters the Crypto Template Payload Configuration Mode.
Product
P-GW
Privilege
Administrator
Syntax
payload name match ipv6
no payload name
name
Specifies the name of a new or existing crypto template payload. name must be from 1 to 127 alpha and/or numeric characters.
match ipv6
Filters IPSec IPv6 Child Security Association creation requests for subscriber calls using this payload. Further filtering can be performed by applying the following:
Usage
Use this command to create a new or enter an existing crypto template payload. The payload mechanism is a means of associating parameters for the Security Association (SA) being negotiated.
Two payloads are required: one each for MIP and IKEv2. The first payload is used for establishing the initial Child SA Tunnel Inner Address (TIA) which will be torn down. The second payload is used for establishing the remaining Child SAs. Note that if there is no second payload defined with home-address as the ip-address-allocation then no MIP call can be established, just a Simple IP call.
Currently, the only available match is for ChildSA, although other matches are planned for future releases.
Entering this command results in the following prompt:
[ctxt_name]hostname(cfg-crypto-<name>-ikev2-tunnel-payload)#
Crypto Template IKEv2-IPv6 Payload Configuration Mode commands are defined in the Crypto Template IKEv2-IPv6 Payload Configuration Mode Commands chapter.
Example
The following command configures a crypto template payload called payload5 and enters the Crypto Template IKEv2-IPv6 Payload Configuration Mode:
payload payload5 match ipv6
 
peer
Configures the IP address of a peer IPsec server.
Product
P-GW
Privilege
Administrator
Syntax
peer ip_address
no peer
no
Removes the configured peer server IP address.
ip_address
Specifies the IP address of a peer IPsec server. ip_address must be specified in IPv4 dotted decimal notation or IPv6 colon separated notation.
Usage
Use this command to specify the IPsec peer server. The IPsec peer server can also be the lawful intercept server.
Example
The following command configures the system to recognize an IPsec peer server with an IPv6 address of fe80::200:f8ff:fe21:67cf:
peer fe80::200:f8ff:fe21:67cf
 

Cisco Systems Inc.
Tel: 408-526-4000
Fax: 408-527-0883