Crypto Map IKEv2-IPv6 Configuration Mode Commands

The Crypto Map IKEv2-IPv6 Configuration Mode is used to configure an IKEv2 IPsec policy for secure X3 interface tunneling between a P-GW and a lawful intercept server.

IMPORTANT:

The commands or keywords/variables that are available are dependent on platform type, product version, and installed license(s).

authentication

Configures the subscriber authentication method used for the P-GW lawful intercept service.

Platform:

ASR 5000

Product:

P-GW


Privilege:

Administrator


Syntax
authentication pre-shared-key { encrypted key value | key value }

Specifies that a pre-shared key is to be used for authenticating a subscriber in the P-GW service.

encrypted key value: Specifies that the pre-shared key used for authentication is encrypted and expressed as an alphanumeric string of 1 through 255 characters.

key value: Specifies that the pre-shared key used for authentication is clear text and expressed as an alphanumeric string of 1 through 255 characters.


Usage:

Use this command to specify the type of authentication performed for subscribers attempting to access the P-GW service using this crypto map.


Example:
The following command sets the authentication method to a clear-text pre-shared key with the value 6d7970617373776f7264:
authentication pre-shared-key key 6d7970617373776f7264

control-dont-fragment

Controls the Don’t Fragment (DF) bit in the outer IP header of the IPSec tunnel data packet.

Platform:

ASR 5000

Product:

P-GW


Privilege:

Administrator


Syntax
control-dont-fragment { clear-bit | copy-bit | set-bit }

clear-bit: Clears the DF bit from the outer IP header (sets it to 0).

copy-bit: Copies the DF bit from the inner IP header to the outer IP header. This is the default action.

set-bit: Sets the DF bit in the outer IP header (sets it to 1).


Usage:

A packet is encapsulated in IPsec headers at both ends of the tunnel. The outer IP header of the new packet can copy the DF bit from the original (inner) packet, set the DF bit even when the original packet does not have it set, or clear the DF bit regardless of the inner packet's setting.


Example:
The following command sets the DF bit in the outer IP header:
control-dont-fragment set-bit

end

Exits the current configuration mode and returns to the Exec mode.

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
end

Usage:

Use this command to return to the Exec mode.

exit

Exits the current mode and returns to the parent configuration mode.

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
exit

Usage:

Use this command to return to the parent configuration mode.

ikev2-ikesa

Configures parameters for the IKEv2 IKE Security Associations within this crypto map.

Platform:

ASR 5000

Product:

P-GW


Privilege:

Administrator


Syntax
ikev2-ikesa { allow-empty-ikesa | max-retransmissions number | rekey | retransmission-timeout msec | setup-timer sec | transform-set list name }
default ikev2-ikesa { allow-empty-ikesa | max-retransmissions | rekey | setup-timer }
no ikev2-ikesa { allow-empty-ikesa | rekey | transform-set list }
default

Restores the selected keyword to its default value.

no

Disables a previously enabled parameter.

allow-empty-ikesa

Default is disabled. When enabled, the IKEv2 stack keeps the IKE SA when all of its Child SAs have been deleted.

max-retransmissions number

Specifies the maximum number of retransmissions of an IKEv2 IKE exchange request if a response has not been received.

number must be an integer from 1 to 8.

Default: 5

rekey

Specifies if IKESA rekeying should occur before the configured lifetime expires (at approximately 90% of the lifetime interval).

Default is not to re-key.

retransmission-timeout msec

Specifies the timeout period in milliseconds before a retransmission of an IKEv2 IKE exchange request is sent (if the corresponding response has not been received).

msec must be an integer from 300 to 15000.

Default: 500

setup-timer sec

Specifies the number of seconds before an IKEv2 IKE Security Association that is not fully established is terminated.

sec must be an integer from 16 to 3600.

Default: 60

transform-set list name

A space-separated list of context-level configured IKEv2 IKE Security Association transform sets to be used for deriving IKEv2 IKE Security Associations from this crypto map.

name must be an existing IKEv2 IKESA Transform Set expressed as an alphanumeric string of 1 through 127 characters. A minimum of one transform set is required; maximum configurable is six.


Usage:

Use this command to configure parameters for the IKEv2 IKE Security Associations within this crypto map.


Example:
The following command configures the maximum number of IKEv2 IKESA request retransmissions to 7:
ikev2-ikesa max-retransmissions 7

match

Matches or associates the crypto map to an access control list (ACL) configured in the same context.

Platform:

ASR 5000

Product:

P-GW


Privilege:

Administrator


Syntax
match address acl_name [ priority ]
no match address
no

Removes a previously matched ACL.

match address acl_name

Specifies the name of the ACL with which the crypto map is to be matched. acl_name is a case-sensitive alphanumeric string of 1 through 79 characters.

priority

Specifies the preference of the ACL as integer from 0 through 4294967295. 0 is the highest priority. Default: 0

The ACL preference is factored when a single packet matches the criteria of more than one ACL.

IMPORTANT:

The priorities are only compared for ACLs matched to other crypto maps or to policy ACLs (those applied to the entire context).


Usage:

ACLs matched to crypto maps are referred to as crypto ACLs. Crypto ACLs define the criteria that must be met in order for a subscriber data packet to be routed over an IPSec tunnel.

Prior to routing, the system examines the properties of each subscriber data packet. If the packet properties match the criteria specified in the crypto ACL, the system will initiate the IPSec policy dictated by the crypto map.


Example:
The following command matches the crypto map to the ACL named acl-list1 and sets the crypto map's priority to the highest level (0):
match address acl-list1 0

payload

Creates a new, or specifies an existing, crypto template payload and enters the Crypto Template Payload Configuration Mode.

Platform:

ASR 5000

Product:

P-GW


Privilege:

Administrator


Syntax
payload name match ipv6
no payload name
payload name

Specifies the name of a new or existing crypto template payload as an alphanumeric string of 1 through 127 characters.

match ipv6

Filters IPSec IPv6 Child Security Association creation requests for subscriber calls using this payload. Further filtering can be performed by applying the following:


Usage:

Use this command to create a new or enter an existing crypto template payload. The payload mechanism is a means of associating parameters for the Security Association (SA) being negotiated.

Two payloads are required: one each for MIP and IKEv2. The first payload is used for establishing the initial Child SA Tunnel Inner Address (TIA) which will be torn down. The second payload is used for establishing the remaining Child SAs. Note that if there is no second payload defined with home-address as the ip-address-allocation then no MIP call can be established, just a Simple IP call.

Currently, the only available match is for ChildSA, although other matches are planned for future releases.

Entering this command results in the following prompt:

[ctxt_name]hostname(cfg-crypto-<name>-ikev2-tunnel-payload)#

Crypto Template IKEv2-IPv6 Payload Configuration Mode commands are defined in the Crypto Template IKEv2-IPv6 Payload Configuration Mode Commands chapter.


Example:
The following command configures a crypto template payload called payload5 and enters the Crypto Template IKEv2-IPv6 Payload Configuration Mode:
payload payload5 match ipv6

peer

Configures the IP address of a peer IPSec server.

Platform:

ASR 5000

Product:

P-GW


Privilege:

Administrator


Syntax
peer ip_address
no peer
no

Removes the configured peer server IP address.

peer ip_address

Specifies the IP address of a peer IPSec server in IPv4 dotted-decimal or IPv6 colon-separated-hexadecimal notation.


Usage:

Use this command to specify the IPsec peer server. The IPsec peer can also be the Lawful Intercept server itself.


Example:
The following command configures the system to recognize an IPsec peer server with an IPv6 address of fe80::200:f8ff:fe21:67cf:
peer fe80::200:f8ff:fe21:67cf
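The following complete configuration is an added example that ties the commands of this chapter together; it is not from the original page. The context name, ACL name, transform-set names, crypto map name and the IPv6 addresses (taken from the 2001:db8::/32 documentation range) are assumptions, as are the context-level commands used to create the crypto ACL (ipv6 access-list) and the transform sets (ikev2-ikesa transform-set, ipsec transform-set), the command used to enter this mode (crypto map name ikev2-ipv6), and the single command inside the payload mode, which is defined in the Crypto Template IKEv2-IPv6 Payload Configuration Mode Commands chapter. Lines beginning with "#" are explanatory comments in this example.

```text
configure
  context lawful-intercept
    # Assumed: crypto ACL selecting the X3 traffic to protect. Only packets
    # matching this ACL are steered into the IPsec tunnel (see "match").
    ipv6 access-list x3-acl
      permit ip 2001:db8:10::/64 2001:db8:20::/64
    #exit

    # Assumed: context-level IKE SA transform set referenced by the crypto map.
    ikev2-ikesa transform-set ikesa-x3
      encryption aes-cbc-256
      hmac sha2-256-128
      prf sha2-256
      group 14
    #exit

    # Assumed: context-level IPsec (Child SA) transform set used by the payload.
    ipsec transform-set ipsec-x3
      encryption aes-cbc-256
      hmac sha2-256-128
    #exit

    # Enter Crypto Map IKEv2-IPv6 Configuration Mode (entry command assumed).
    crypto map x3-map ikev2-ipv6
      # Steer ACL-matched traffic into the tunnel; priority 0 is the highest.
      match address x3-acl 0
      # Lawful intercept server (assumed documentation address).
      peer 2001:db8:20::5
      # Clear-text pre-shared key as typed. Use "encrypted key" when pasting a
      # key copied from a saved configuration.
      authentication pre-shared-key key 6d7970617373776f7264
      # IKE SA parameters from this chapter (defaults made explicit).
      ikev2-ikesa transform-set list ikesa-x3
      ikev2-ikesa rekey
      ikev2-ikesa setup-timer 60
      ikev2-ikesa max-retransmissions 5
      ikev2-ikesa retransmission-timeout 500
      # Default DF-bit behaviour made explicit: copy inner DF bit to outer header.
      control-dont-fragment copy-bit
      # Child SA payload; the inner command belongs to the payload mode (assumed).
      payload x3-payload match ipv6
        ipsec transform-set list ipsec-x3
      #exit
    #exit
  #exit
end
```

Two points to check before committing this. First, the retransmission budget must fit inside setup-timer: with the defaults (5 retransmissions at 500 ms) it does, but retransmission-timeout can be raised to 15000 ms, at which point the 60 s setup timer can expire before the last retransmission is sent, so raise setup-timer with it. Second, the key value used on this page (and above) is a short hex-encoded word; for a production X3 tunnel generate a long random pre-shared key and keep only the encrypted form in stored configuration.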