Crypto Template Configuration Mode Commands

The Crypto Template Configuration Mode is used to configure an IKEv2 IPsec policy. It includes most of the IPsec parameters and IKEv2 parameters for cryptographic and authentication algorithms etc. A security gateway service will not function without a configured crypto template. Only one crypto template can be configured per service.
 
Important: The commands or keywords/variables that are available are dependent on platform type, product version, and installed license(s).
 
authentication
Configures the subscriber authentication method used for the PDIF service.
Product
PDIF
Privilege
Security Administrator, Administrator
Syntax
authentication { eap-profile name [ second-phase eap-profile name ] | gateway { encrypted key value | key value } | pre-shared-key { encrypted key value | key value } }
eap-profile name [ second-phase eap-profile name ]
Specifies that authentication is to be performed using a named EAP profile. name must be from 1 to 127 alpha and/or numeric characters. Entering this keyword places the CLI in the EAP Authentication Configuration Mode.
A second-phase eap-profile name is only required for installations using multiple authentication. name must be from 1 to 127 alpha and/or numeric characters.
gateway { encrypted key value | key value }
Specifies the pre-shared gateway key used for gateway authentication.
encrypted key value: Specifies that the pre-shared key used for authentication is encrypted. value must be between 1 and 255 alpha and/or numeric characters.
key value: Specifies that the pre-shared key used for authentication is clear text. value must be between 1 and 255 alpha and/or numeric characters.
pre-shared-key { encrypted key value | key value }
Specifies that a pre-shared key is to be used for authenticating a subscriber in the service.
encrypted key value: Specifies that the pre-shared key used for authentication is encrypted. value must be between 1 and 255 alpha and/or numeric characters.
key value: Specifies that the pre-shared key used for authentication is clear text. value must be between 1 and 255 alpha and/or numeric characters.
Usage
Use this command to specify the type of authentication performed for subscribers attempting to access the service using this crypto template.
Entering the authentication eap-profile command results in the following prompt:
[context_name]hostname(cfg-crypto-tmpl-eap-key)#
EAP Authentication Configuration Mode commands are defined in the “EAP Authentication Configuration Mode Commands” chapter.
Example
The following command enables authentication via an EAP profile named eap23 for subscribers using the service with this crypto template:
authentication eap-profile eap23
 
certificate
Used to bind an X.509 trusted certificate to a crypto template.
Product
PDIF
PDG/TTG
Privilege
Security Administrator, Administrator
Syntax
certificate name name
no certificate
no
Removes any applied certificate or prevents the certificate from being included in the Auth Exchange response payload.
name name
An alpha and/or numeric string of 1 - 127 characters.
Usage
Use this command to bind an X.509 certificate to a template, or to include or exclude it from the Auth Exchange response payload.
Example
Use the following example to prevent a certificate from being included in the Auth Exchange payload:
no certificate
 
control-dont-fragment
Controls the don’t fragment (DF) bit in the outer IP header of the IPsec tunnel data packet.
Product
PDIF
Privilege
Security Administrator, Administrator
Syntax
control-dont-fragment { clear-bit | copy-bit | set-bit }
Options are:
clear-bit: Clears the DF bit from the outer IP header (sets it to 0).
copy-bit: Copies the DF bit from the inner IP header to the outer IP header. This is the default action.
set-bit: Sets the DF bit in the outer IP header (sets it to 1).
Usage
A packet is encapsulated in IPsec headers at both ends. The new packet can copy the DF bit from the original unencapsulated packet into the outer IP header, or it can set the DF bit if there is not one in the original packet. It can also clear a DF bit that it does not need.
Example
The following command sets the DF bit in the outer IP header:
control-dont-fragment set-bit
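To make the three control-dont-fragment modes concrete, the following added example (not code from the Cisco reference) builds a real IPv4 header for the outer tunnel packet and sets its DF bit according to the selected mode, using copy-bit semantics as the default. The addresses and payload are constructed sample values, and the ESP protocol number stands in for the tunnel's actual SA.

```python
"""Model of clear-bit / copy-bit / set-bit for the outer IPv4 header.
Added illustration, not StarOS code; IPs and payload are constructed."""
import struct

DF_FLAG = 0x4000   # bit 14 of the flags/fragment-offset field
IP_PROTO_ESP = 50  # outer header carries ESP in the IPsec tunnel case


def ipv4_checksum(hdr: bytes) -> int:
    """RFC 791 one's-complement checksum over a 20-byte header."""
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, df: bool) -> bytes:
    """Minimal IPv4 header (no options) with the DF bit set or cleared."""
    flags = DF_FLAG if df else 0
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                      0x1234, flags, 64, proto, 0, src_b, dst_b)
    csum = ipv4_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


def inner_df(pkt: bytes) -> bool:
    """Read the DF bit from an IPv4 packet's flags field."""
    return bool(struct.unpack("!H", pkt[6:8])[0] & DF_FLAG)


def outer_df(mode: str, inner: bytes) -> bool:
    """clear-bit -> 0, set-bit -> 1, copy-bit (the default) -> inner's DF."""
    if mode == "clear-bit":
        return False
    if mode == "set-bit":
        return True
    if mode == "copy-bit":
        return inner_df(inner)
    raise ValueError("unknown control-dont-fragment mode: " + mode)


def encapsulate(mode: str, inner: bytes, gw_src: str, gw_dst: str) -> bytes:
    """Wrap the inner packet in an outer IPv4 header for the tunnel."""
    return build_ipv4(gw_src, gw_dst, IP_PROTO_ESP, inner, outer_df(mode, inner))
```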
 
default
Restores the default values for the selected parameter.
Product
PDIF
Privilege
Security Administrator, Administrator
Syntax
default { authentication gateway | certificate | dns-handling | dos cookie-challenge detect-dos-attack | ikev2-ikesa { ignore-rekeying-requests | keepalive-user-activity | max-retransmission | mobike | policy error-notification | rekey | retransmission-timeout | setup-timer } | keepalive | nai | natt }
authentication gateway
Configures the default pre-shared gateway key used for authentication.
certificate
Configures the system to remove the certificate for a given crypto template.
dns-handling
Configures the system to use normal dns handling.
dos cookie-challenge detect-dos-attack
Configures the system to disable the Denial of Service cookie challenge (the default condition).
ikev2-ikesa { ignore-rekeying-requests | keepalive-user-activity | max-retransmission | mobike | policy error-notification | rekey | retransmission-timeout | setup-timer }
Configures the system to use the following ikev2-ikesa defaults:
ignore-rekeying-requests: Ignore any IKE_SA rekeying requests received.
keepalive-user-activity: Keepalive messages received from the peer will not reset the user inactivity timer.
max-retransmission: Set the number of IKEv2 IKE exchange request retransmissions if the corresponding response has not been received. Default is 5.
mobike: Set MOBIKE to disabled.
policy error-notification: Set the default policy error notification method to send error notify messages to the MS.
rekey: Set the default rekeying of IKE_SA to disabled.
retransmission-timeout: Set the maximum number of milliseconds to elapse before an IKEv2 IKE exchange request is retransmitted (if the corresponding response has not been received) to 500.
setup-timer: Set the number of seconds to elapse before a non-fully-established IKEv2 IKE SA is terminated to 60.
keepalive
Enable Dead Peer Detection for all SAs derived from this crypto template.
nai
Set the default NAI parameters to be used for the crypto template (IDr) to none.
natt
Enable NAT-T initiation for all SAs derived from this crypto template.
Usage
Use these commands to restore default parameters.
Example
Use the following command to disable MOBIKE by default:
default ikev2-ikesa mobike
 
dns-handling
Adds a custom option that defines how a DNS address is returned under the circumstances described below.
Product
PDIF
Privilege
Security Administrator, Administrator
Syntax
[ default ] dns-handling { normal | custom }
default
Configures the default condition as normal. By default, PDIF always returns the DNS address in the config payload in the second authentication phase if one is received from either the configuration or the HA.
normal
This is the default action. PDIF always returns the DNS address in the config payload in the second authentication phase if one is received from either the configuration or the HA.
custom
Configures the PDIF to behave as described in the Usage section below.
Usage
During IKEv2 session setup, the MS may or may not include INTERNAL_IP4_DNS in the Config Payload (CP). PDIF may obtain one or more DNS addresses for the subscriber in DNS NVSE from a proxy-MIP Registration Reply message. If Multiple Authentication is used, these DNS addresses may also be received in Diameter AVPs during the first authentication phase, or in RADIUS attributes in the Access Accept messages during the second authentication phase.
In normal mode, by default PDIF always returns the DNS address in the config payload in the second authentication phase if one is received from either the configuration or the HA.
In custom mode, depending on the number of INTERNAL_IP4_DNS, PDIF supports the following behaviors:
Example
The following configuration applies the custom dns-handling mode:
dns-handling custom
 
dos cookie-challenge notify-payload
Configures the cookie challenge parameters for IKEv2 INFO Exchange notify payloads for the given crypto template.
Product
PDIF
Privilege
Security Administrator, Administrator
Syntax
dos cookie-challenge notify-payload [ half-open-sess-count { start integer | stop integer } ]
default cookie-challenge detect-dos-attack
no cookie-challenge detect-dos-attack
default
Restores the default (disabled) condition.
no
Prevents Denial of Service cookie transmission. This is the default condition.
half-open-sess-count { start integer | stop integer }
The half-open-sess-count is the number of half-open sessions per IPsec manager. A session is defined as half-open if a PDIF has responded to an IKEv2 INIT Request with an IKEv2 INIT Response, but no further message was received on that particular IKE SA.
Important: The start count value 0 is a special case whereby this feature is always enabled. In this event, both Start and Stop must be 0.
Usage
This feature (which is disabled by default) helps prevent malicious Denial of Service attacks against the server by sending a challenge cookie. If the response from the sender does not incorporate the expected cookie data, the packets are dropped.
Example
The following example configures the cookie challenge to begin when the half-open-sess-count reaches 50000 and stops when it drops below 20000:
dos cookie-challenge notify-payload half-open-sess-count start 50000 stop 20000
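The following added example (not the Cisco reference's own code) models the responder side of this feature: the challenge engages once the half-open session count reaches the start threshold, releases when it drops below the stop threshold, and start = stop = 0 means always on, as the note above states. The cookie itself is built with the stateless HMAC construction that RFC 7296 section 2.6 suggests (peer address, initiator SPI and a rotatable secret); the exact StarOS cookie format is not given on the page and is assumed here.

```python
"""Responder model of the IKEv2 cookie challenge with start/stop hysteresis.
Added illustration, not StarOS code; cookie recipe is an assumption."""
import hashlib
import hmac
import os


class CookieChallenge:
    def __init__(self, start, stop, secret=None):
        # The page's special case: 0 means always on, and then both must be 0.
        if (start == 0) != (stop == 0):
            raise ValueError("start and stop must both be 0 for 'always on'")
        self.start, self.stop = start, stop
        self.secret = secret or os.urandom(32)
        self.version = 0          # bump when the secret is rotated
        self.half_open = 0        # INIT answered, no further message seen
        self.active = (start == 0)

    def update_load(self, half_open):
        """Hysteresis: engage at >= start, release once below stop."""
        self.half_open = half_open
        if self.start == 0:
            return True
        if not self.active and half_open >= self.start:
            self.active = True
        elif self.active and half_open < self.stop:
            self.active = False
        return self.active

    def make_cookie(self, peer_ip, spi_i):
        """Stateless cookie: version byte + truncated HMAC(secret, ip||SPIi)."""
        msg = peer_ip.encode() + spi_i
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()[:16]
        return bytes([self.version]) + mac

    def handle_init(self, peer_ip, spi_i, cookie=None):
        """Return 'accept', 'challenge' (send N(COOKIE)), or 'drop'."""
        if not self.active:
            return "accept"
        if cookie is None:
            return "challenge"           # initiator must retry with the cookie
        expected = self.make_cookie(peer_ip, spi_i)
        # Packets whose cookie does not match the expected data are dropped.
        return "accept" if hmac.compare_digest(cookie, expected) else "drop"
```

With start 50000 and stop 20000 as in the example above, a count of 30000 keeps the challenge active while it is falling, and it only switches off below 20000.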
 
end
Exits the current mode and returns to the Exec Mode.
Product
All
Privilege
Security Administrator, Administrator
Syntax
end
Usage
Change the mode back to the Exec Mode.
 
exit
Exits the current mode and returns to the previous mode.
Product
All
Privilege
Security Administrator, Administrator
Syntax
exit
Usage
Returns to the previous mode.
 
ikev2-ikesa
Configures parameters for the IKEv2 IKE Security Associations within this crypto template.
Product
PDIF
PDG/TTG
Privilege
Security Administrator, Administrator
Syntax
ikev2-ikesa { keepalive-user-activity | max-retransmissions number | retransmission-timeout msec | policy error-notification [ invalid-message-id | invalid-syntax ] | rekey | setup-timer sec | transform-set list name }
default ikev2-ikesa { max-retransmissions | policy error-notification [ invalid-message-id | invalid-syntax ] | rekey | retransmission-timeout | setup-timer }
no ikev2-ikesa { keepalive-user-activity | list name | policy error-notification [ invalid-message-id | invalid-syntax ] | rekey }
no ikev2-ikesa
Disables a previously enabled parameter.
keepalive-user-activity
Default: no keepalive-user-activity. Enable this to reset the user inactivity timer when keepalive messages are received from the peer.
max-retransmissions number
Default: 5
Specifies the maximum number of retransmissions of an IKEv2 IKE exchange request if a response has not been received. number must be an integer from 1 to 8.
policy error-notification
Default: enabled. The default policy is to generate an IKEv2 Invalid Message ID error when PDIF receives an out-of-sequence packet.
retransmission-timeout msec
Default: 500
Specifies the timeout period in milliseconds before a retransmission of an IKEv2 IKE exchange request is sent (if the corresponding response has not been received). msec must be an integer from 300 to 15000.
rekey
Specifies if IKESA rekeying should occur before the configured lifetime expires (at approximately 90% of the lifetime interval). Default is not to re-key.
setup-timer sec
Default: 16
Specifies the number of seconds before an IKEv2 IKE Security Association that is not fully established is terminated. sec must be an integer from 1 to 3600.
transform-set list name
Specifies the name of context-level configured IKEv2 IKE Security Association transform set. name must be an existing IKEv2 IKESA Transform Set and be from 1 to 127 alpha and/or numeric characters.
list
A space-separated list of IKEv2-IKESA SA transform sets to be used for deriving IKEv2 IKE Security Associations from this crypto template. A minimum of one transform-set is required; maximum configurable is six.
Usage
Use this command to configure parameters for the IKEv2 IKE Security Associations within this crypto template.
Example
The following command configures the maximum number of IKEv2 IKESA request retransmissions to 7:
ikev2-ikesa max-retransmissions 7
The following command configures the IKEv2 IKESA request retransmission timeout to 400:
ikev2-ikesa retransmission-timeout 400
The following command configures the IKEv2 IKESA transform set list name to ikesa43:
ikev2-ikesa transform-set list ikesa43
 
keepalive
Configures keepalive or dead peer detection for security associations used within this crypto template.
Product
PDIF
Privilege
Security Administrator, Administrator
Syntax
keepalive [ interval sec ] [ timeout sec ] [ num-retry num ]
default keepalive [ interval ] [ timeout ] [ num-retry ]
no keepalive
no
Disables keepalive messaging.
interval sec
Default: 10
Specifies the amount of time in seconds that must elapse before the next keepalive request is sent. sec must be an integer from 10 to 3600.
timeout sec
Default: 10
Specifies the amount of time in seconds that the system will wait without receiving a reply before retrying the keepalive request. sec must be an integer from 10 to 3600.
num-retry num
Default: 2
Specifies the number of times the system will retry a non-responsive peer before defining the peer as off-line or out-of-service. num must be an integer from 1 to 100.
Usage
Use this command to set parameters associated with determining the availability of peer servers.
Example
The following command sets a keepalive interval to three minutes, the timeout to 30 seconds, and the retry attempts number to 5:
keepalive interval 180 timeout 30 num-retry 5
 
nai
Configures the NAI parameters to be used for the crypto template IDr.
Product
PDIF
Privilege
Security Administrator, Administrator
Syntax
[ default | no ] nai idr name [ id-type { rfc822-addr | fqdn | ip-addr | key-id } ]
default
Restores the default, equivalent to no nai idr. As a result, the PDIF-service IP address is sent as the IDr value of type ID_IP_ADDR.
no
no nai idr configures the value whereby the PDIF service IP address is sent as the IDr value with the type ID_IP_ADDR. This is the default condition.
idr name
name is a string of up to 79 alpha and/or numeric characters.
id-type { rfc822-addr | fqdn | ip-addr | key-id }
Configures the NAI IDr id-type parameter. If no id-type is specified, then rfc822-addr is assumed.
rfc822-addr configures NAI Type ID_RFC822_ADDR
fqdn configures NAI Type ID_FQDN
ip-addr configures NAI Type ID_IP_ADDR
key-id configures NAI Type ID_KEY_ID
Usage
The configured IDr is sent from the PDIF to the MS in the first IKEv2 AUTH response.
Example
The following command configures the NAI IDr to the default condition.
no nai idr
 
natt
Configures Network Address Translation - Traversal (NAT-T) for all security associations associated with this crypto template. This feature is disabled by default.
Product
PDIF
Privilege
Security Administrator, Administrator
Syntax
[ default | no ] natt [ send-keepalive ]
no
Disables NAT-T for all security associations associated with this crypto template.
send-keepalive
Sends NAT-Traversal keepalive messages.
Usage
Use this command to configure NAT-T for security associations within this crypto template.
Example
The following command disables NAT-T for this crypto template:
no natt
 
payload
Creates a new, or specifies an existing, crypto template payload and enters the Crypto Template Payload Configuration Mode.
Product
PDIF
Privilege
Security Administrator, Administrator
Syntax
payload name match childsa [ match { ipv4 | ipv6 } ]
no payload name
name
Specifies the name of a new or existing crypto template payload. name must be from 1 to 127 alpha and/or numeric characters.
match childsa [ match { ipv4 | ipv6 } ]
Filters IPSec Child Security Association creation requests for subscriber calls using this payload. Further filtering can be performed by applying the following:
ipv4: Configures this payload to be applicable to IPSec Child Security Association requests for IPv4.
ipv6: Configures this payload to be applicable to IPSec Child Security Association requests for IPv6.
Usage
Use this command to create a new or enter an existing crypto template payload. The payload mechanism is a means of associating parameters for the Security Association (SA) being negotiated.
Two payloads are required: one each for MIP and IKEv2. The first payload is used for establishing the initial Child SA Tunnel Inner Address (TIA) which will be torn down. The second payload is used for establishing the remaining Child SAs. Note that if there is no second payload defined with home-address as the ip-address-allocation then no MIP call can be established, just a Simple IP call.
Currently, the only available match is for ChildSA, although other matches are planned for future releases. Omitting the second match parameter for either IPv4 or IPv6 will make the payload applicable to all IP address pools.
Entering this command results in the following prompt:
[context_name]hostname(cfg-crypto-tmpl-ikev2-tunnel-payload)#
Crypto Template Payload Configuration Mode commands are defined in the Crypto Template Payload Configuration Mode Commands chapter.
Example
The following command configures a crypto template payload called payload5 and enters the Crypto Template Payload Configuration Mode:
payload payload5 match childsa
 
 

Cisco Systems Inc.
Tel: 408-526-4000
Fax: 408-527-0883