Important: The commands or keywords/variables that are available are dependent on platform type, product version, and installed license(s).
Specifies that authentication is to be performed using a named EAP profile. name must be from 1 to 127 alpha and/or numeric characters. Entering this keyword places the CLI in the EAP Authentication Configuration Mode.
encrypted key value: Specifies that the pre-shared key used for authentication is encrypted.
value must be between 1 and 255 alpha and/or numeric characters.
key value: Specifies that the pre-shared key used for authentication is clear text.
value must be between 1 and 255 alpha and/or numeric characters.
encrypted key value: Specifies that the pre-shared key used for authentication is encrypted.
value must be between 1 and 255 alpha and/or numeric characters.
key value: Specifies that the pre-shared key used for authentication is clear text.
value must be between 1 and 255 alpha and/or numeric characters.
Entering the authentication eap-profile command results in the following prompt:
[context_name]
hostname(cfg-crypto-tmpl-eap-key)#
clear-bit: Clears the DF bit from the outer IP header (sets it to 0).
copy-bit: Copies the DF bit from the inner IP header to the outer IP header. This is the default action.
set-bit: Sets the DF bit in the outer IP header (sets it to 1).
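The three DF-bit actions above, applied to the outer IPv4 header of a tunnelled packet, as an added Python example (not code from this reference or from the product). The function names, addresses and sample packets are constructed for the illustration, and it assumes an IPv4 inner packet carried in ESP.

```python
import struct

DF = 0x4000                       # Don't Fragment flag, IPv4 header bytes 6-7
IPV4_HDR = "!BBHHHBBH4s4s"        # fixed 20-byte IPv4 header, no options
SRC, DST = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1])   # constructed tunnel endpoints

def checksum(header: bytes) -> int:
    """IPv4 header checksum: one's-complement sum of the 16-bit words."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def has_df(packet: bytes) -> bool:
    """Read the DF bit of an IPv4 packet; reject anything that is not IPv4."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return bool(struct.unpack("!H", packet[6:8])[0] & DF)

def outer_header(inner: bytes, policy: str = "copy-bit") -> bytes:
    """Build the outer IPv4 header with its DF bit chosen by the policy."""
    if policy == "copy-bit":          # the default action
        df = has_df(inner)
    elif policy == "set-bit":
        df = True
    elif policy == "clear-bit":
        df = False
    else:
        raise ValueError(f"unknown DF policy: {policy}")
    # Assumptions: protocol 50 (ESP), TTL 64, ESP overhead left out of the length.
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(inner), 0,
                      DF if df else 0, 64, 50, 0, SRC, DST)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def sample_inner(df: bool) -> bytes:
    """Constructed inner IPv4 header (TCP, no payload, checksum left at 0)."""
    return struct.pack(IPV4_HDR, 0x45, 0, 20, 1, DF if df else 0, 64, 6, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))

if __name__ == "__main__":
    for policy in ("clear-bit", "copy-bit", "set-bit"):
        for df in (False, True):
            out = outer_header(sample_inner(df), policy)
            print(f"{policy:9}  inner DF={int(df)}  outer DF={int(has_df(out))}")
```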
ignore-rekeying-requests: Ignore any IKE_SA rekeying requests received.
keepalive-user-activity: Keepalive messages received from peer will not reset the user inactivity timer.
max-retransmission: Set the number of IKEv2 IKE exchange request retransmissions if the corresponding response has not been received. Default is 5.
policy error-notification: Set the default policy error notification method to send error notify messages to the MS.
rekey: Set the default rekeying of IKE_SA to disabled.
retransmission-timeout: Set to 500 the maximum number of milliseconds to elapse before an IKEv2 IKE exchange request is retransmitted if the corresponding IKEv2 IKE exchange response has not been received.
setup timer: Set to 60 the number of seconds to elapse before a non-fully-established IKEv2 IKE SA is terminated.
Configures the default condition as normal. By default, PDIF always returns the DNS address in the config payload in the second authentication phase if one is received from either the configuration or the HA.
In normal mode, by default PDIF always returns the DNS address in the config payload in the second authentication phase if one is received from either the configuration or the HA.
In custom mode, depending on the number of INTERNAL_IP4_DNS, PDIF supports the following behaviors:
The half-open-sess-count is the number of half-open sessions per IPsec
Specifies the name of context-level configured IKEv2 IKE Security Association transform set. name must be an existing IKEv2 IKESA Transform Set and be from 1 to 127 alpha and/or numeric characters.
Configures the default command no nai idr. As a result, the default behavior is for the PDIF-service IP address to be sent as the IDr value of type ID_IP_ADDR.
no nai idr configures the value whereby the PDIF service IP address is sent as the IDr value with the type ID_IP_ADDR. This is the default condition.
name is a string of up to 79 alpha and/or numeric characters.
Configures the NAI IDr id-type parameter. If no id-type is specified, then rfc822-addr is assumed.
rfc822-addr configures NAI Type ID_RFC822_ADDR
fqdn configures NAI Type ID_FQDN
ip-addr configures NAI Type ID_IP_ADDR
key-id configures NAI Type ID_KEY_ID
ipv4: Configures this payload to be applicable to IPSec Child Security Association requests for IPv4.
ipv6: Configures this payload to be applicable to IPSec Child Security Association requests for IPv6.
[context_name]
hostname(cfg-crypto-tmpl-ikev2-tunnel-payload)#
The following command configures a crypto template payload called payload5 and enters the Crypto Template Payload Configuration Mode: