Crypto Template IKEv2-PDIF Payload Configuration Mode Commands


 
The Crypto Template IKEv2-PDIF Payload Configuration Mode is used to assign the correct IPsec transform-set from a list of up to four different transform-sets, and to assign Mobile IP addresses. There should be two payloads configured. The first must have a dynamic addressing scheme as this is how the ChildSA gets a TIA address. The second payload supplies the ChildSA with a HoA, which is the default setting for ip-address-allocation.
 
Important: The commands or keywords/variables that are available are dependent on platform type, product version, and installed license(s).
 
default
Sets or restores the default value for the specified parameter.
Product
PDIF
Privilege
Security Administrator, Administrator
Syntax
default { ignore-rekeying-requests | ip-address-allocation | lifetime | maximum-child-sa | rekey | tsi | tsr }
ignore-rekeying-requests
Configures the system to ignore IPSec SA rekey requests.
ip-address-allocation
Configures the crypto map payload IP address allocation scheme to be the home address.
lifetime
Configures the default lifetime for IPSec Child SAs derived from this crypto template. Default lifetime: 86400 seconds.
maximum-child-sa
Configures the maximum number of IPSec Child SAs to be derived from an IKEv2 IKE SA by default.
maximum-child-sa: 1
rekey
Configures the system to disable Child SA rekeying.
tsi
Configures the default TSi payload to be that of the mobile endpoint.
tsr
Configures the default IKEv2 Responder Traffic Selector payload options.
Usage
Restores the specified parameter to its system default.
Example
Use the following configuration to set the TSi payload start-address to be that of the Mobile endpoint:
default tsi
 
end
Exits the current mode and returns to the Exec Mode.
Product
All
Privilege
Security Administrator, Administrator
Syntax
end
Usage
Change the mode back to the Exec Mode.
 
exit
Exits the current mode and returns to the previous mode.
Product
All
Privilege
Security Administrator, Administrator
Syntax
exit
Usage
Returns to the previous mode.
 
ignore-rekeying-requests
Ignores CHILD SA rekey requests from the PDIF.
Product
PDIF
Privilege
Security Administrator, Administrator
Syntax
ignore-rekeying-requests
Usage
Prevents creation of a CHILD SA based on this crypto template.
 
ip-address-allocation
Configures IP address allocation for subscribers using this crypto template payload. Configure two payloads per crypto template. The first must have a dynamic address to assign a TIA to the ChildSA. The second payload is configured after a successful MIP initiation and can use the default HoA option.
Product
PDIF
Privilege
Security Administrator, Administrator
Syntax
ip-address-allocation { dynamic | home-address | static }
default ip-address-allocation
dynamic
Specifies that the IP address for the subscriber is allocated from a dynamic IP pool.
home-address
Specifies that the IP address for the subscriber is allocated by the Home Agent. This is the default setting for this command.
static
Specifies that the IP address for the subscriber is a static simple IP address.
Usage
Use this command to configure how ChildSA payloads are allocated IP addresses for this crypto template.
Example
The following command is for the first ChildSA and will ensure that it gets a TIA address from an IP address pool:
ip-address-allocation dynamic
The following command is for the second ChildSA and will ensure that it gets a HoA address from the HA:
default ip-address-allocation
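As an added example (not Cisco's code) covering the two-payload layout described in the introduction and under this command, the following Python audits a text dump of a template's payload configuration against the rules this mode documents: first payload dynamic (TIA), second home-address (HoA), 1 to 4 transform sets, lifetime within 60 to 86400 seconds, and rekeying left off as the rekey command recommends. It assumes each payload's mode commands appear beneath a line `payload <name>`, a constructed layout, since the parent-mode command that opens a payload is not on this page.

```python
import re
# Limits this mode documents: lifetime 60-86400 s, 1-4 transform sets, names 1-127 alphanumerics.
LIFETIME_MIN, LIFETIME_MAX = 60, 86400
NAME_RE = re.compile(r"^[A-Za-z0-9]{1,127}$")

def parse_payloads(text):
    """Group mode commands under the 'payload <name>' line above them (assumed dump layout)."""
    payloads = []
    for words in (l.split() for l in text.splitlines() if l.strip()):
        if words[0] == "payload":
            payloads.append({"name": words[1], "cmds": {}})
        elif not payloads:
            raise ValueError("command outside a payload block: " + " ".join(words))
        else:  # index by keyword but keep the 'no'/'default' prefix for the checks below
            payloads[-1]["cmds"][words[1] if words[0] in ("no", "default") else words[0]] = words
    return payloads

def audit(text):
    """Return findings; an empty list means the template follows the documented rules."""
    payloads, findings = parse_payloads(text), []
    if len(payloads) != 2:
        findings.append(f"expected 2 payloads, found {len(payloads)}")
    for i, p in enumerate(payloads):
        name, c = p["name"], p["cmds"]
        alloc = c.get("ip-address-allocation", ["default"])  # default allocation is home-address
        mode = "home-address" if alloc[0] == "default" else alloc[1]
        want = "dynamic" if i == 0 else "home-address"  # first payload TIA, second HoA
        if mode != want:
            findings.append(f"{name}: ip-address-allocation is {mode}, expected {want}")
        ts = c.get("ipsec")
        if ts is None or ts[0] == "no":
            findings.append(f"{name}: no ipsec transform-set list configured")
        elif not 1 <= len(ts[3:]) <= 4 or not all(NAME_RE.match(n) for n in ts[3:]):
            findings.append(f"{name}: transform-set list must hold 1 to 4 alphanumeric names")
        lt = c.get("lifetime")
        if lt and lt[0] == "lifetime" and not LIFETIME_MIN <= int(lt[1]) <= LIFETIME_MAX:
            findings.append(f"{name}: lifetime {lt[1]} outside {LIFETIME_MIN}-{LIFETIME_MAX}")
        rk = c.get("rekey")  # 'rekey' or 'rekey keepalive' turns rekeying on; 'no'/'default' leave it off
        if rk and rk[0] == "rekey":
            findings.append(f"{name}: rekey enabled; documented default and recommended setting is no rekey")
    return findings
# Constructed sample dump: two payloads laid out as the page describes, second one with rekeying on.
SAMPLE = """payload pdif-tia
 ip-address-allocation dynamic
 ipsec transform-set list ipset1 ipset2
 lifetime 120
payload pdif-hoa
 default ip-address-allocation
 ipsec transform-set list ipset1
 rekey keepalive"""
```

Running `audit(SAMPLE)` reports only the rekey finding on the second payload; replacing that line with `default rekey` yields no findings.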
 
ipsec
Configures the IPsec transform set to be used for this crypto template payload.
Product
PDIF
Privilege
Security Administrator, Administrator
Syntax
ipsec transform-set list name
no ipsec transform-set list
list name
Specifies the context-configured IPsec transform set name(s) to be used in the crypto template payload. This is a space-separated list; from 1 to 4 transform sets can be entered. Each name must be from 1 to 127 alphanumeric characters.
Usage
Use this command to list the IPsec transform set(s) to use in this crypto template payload.
Example
The following command configures IPsec transform sets named ipset1 and ipset2 to be used in this crypto template payload:
ipsec transform-set list ipset1 ipset2
 
lifetime
Configures the number of seconds for IPsec Child SAs derived from this crypto template payload to exist.
Product
PDIF
Privilege
Security Administrator, Administrator
Syntax
lifetime sec
default lifetime
sec
Default: 86400
Specifies the number of seconds for IPsec Child Security Associations derived from this crypto template payload to exist. sec must be an integer from 60 to 86400.
Usage
Use this command to configure the number of seconds for IPsec Child Security Associations derived from this crypto template payload to exist.
Example
The following command configures the IPsec child SA lifetime to be 120 seconds:
lifetime 120
 
maximum-child-sa
Configures the maximum number of IPsec child security associations that can be derived from a single IKEv2 IKE security association.
Product
PDIF
Privilege
Security Administrator, Administrator
Syntax
maximum-child-sa num
default maximum-child-sa
num
Default: 1
Specifies the maximum number of IPsec child security associations that can be derived from a single IKEv2 IKE security association. num must be 1.
Usage
Use this command to configure the maximum number of IPsec child security associations that can be derived from a single IKEv2 IKE security association.
Example
The following command configures the maximum number of child SAs to 1:
maximum-child-sa 1
 
rekey
Configures Child security association rekeying.
Product
PDIF
Privilege
Security Administrator, Administrator
Syntax
[ no ] rekey [ keepalive ]
no
Disables this feature.
keepalive
If specified, a session will be rekeyed even if there has been no data exchanged since the last rekeying operation. By default rekeying is only performed if there has been data exchanged since the previous rekey.
Usage
Use this command to enable or disable the ability to rekey IPsec Child SAs after approximately 90% of the Child SA lifetime has expired. The default, and recommended setting, is not to perform rekeying. No rekeying means the PDIF will not originate rekeying operations and will not process CHILD SA rekeying requests from the MS.
Example
The following command disables rekeying:
no rekey
 
tsi
Configures the IKEv2 Initiator Traffic Selector (TSI) payload address options.
Product
PDIF
Privilege
Security Administrator, Administrator
Syntax
tsi start-address { any { end-address any } | endpoint { end-address endpoint } }
any { end-address any }
Configures the TSi payload to allow all IP addresses.
endpoint { end-address endpoint }
Configures the TSi payload start-address to be that of the Mobile endpoint. This is the default value. endpoint is the mobile endpoint netmask.
Usage
On receiving a successful IKE_SA_INIT Response from the PDIF, the MS sends an IKE_AUTH Request for the first EAP-AKA authentication. If the MS is capable of multiple authentication, it includes the MULTI_AUTH_SUPPORTED Notify payload in the IKE_AUTH Request. The MS also includes an IDi payload containing the NAI, along with the SA, TSi, TSr, and CP (requesting an IP address and DNS address) payloads.
Example
Use the following example to configure a TSi payload that allows all addresses:
tsi start-address any end-address any
 
tsr
Configures the IKEv2 Responder Traffic Selector (TSr) payload address options.
Product
PDG/TTG
Privilege
Security Administrator, Administrator
Syntax
tsr start-address <ipv4 address> end-address <ipv4 address>
start-address <ipv4 address>
Specifies the start IPv4 address of the address range carried in the TSr payload for the Phase 1 multiple traffic selector feature.
end-address <ipv4 address>
Specifies the end IPv4 address of the address range carried in the TSr payload for the Phase 1 multiple traffic selector feature.
Usage
As part of Phase 1 of the Multiple Traffic Selector feature, this command is used to specify an IPv4 address range in the single TSr payload that the PDG/TTG returns in the last IKE_AUTH message. This TSr is Child SA-specific.
Example
Use the following example to configure a TSr payload that specifies an IPv4 address range:
tsr start-address <ipv4 address> end-address <ipv4 address>
 
 

Cisco Systems Inc.