Crypto Template Configuration Mode Commands

The Crypto Template Configuration Mode is used to configure an IKEv2 IPSec policy. It includes most of the IPSec parameters and IKEv2 dynamic parameters for cryptographic and authentication algorithms. A security gateway service will not function without a configured crypto template. Only one crypto template can be configured per service.

IMPORTANT:

Available commands or keywords/variables vary based on platform type, product version, and installed license(s).

ca-certificate list

Used to bind an X.509 Certificate Authority (CA) root certificate to a crypto template.

Platform:

ASR 5000

Product:

All IPSec-related services


Privilege:

Security Administrator, Administrator


Syntax
ca-certificate list ca-cert-name name [ ca-cert-name name ]
no ca-certificate
no

Removes a CA root certificate from the list.

ca-cert-name name

Binds the named X.509 Certificate Authority (CA) root certificate to a crypto template. name is an alphanumeric string of 1 through 129 characters.

You can chain multiple certificates in a single command instance.


Usage:

Used to bind an X.509 CA root certificate to a template.


Example:
Use the following example to add a CA root certificate to a list:
ca-certificate list CA_list1

ca-crl list

Binds one or more Certificate Authority-Certificate Revocation Lists (CA-CRLs) to this crypto template.

Platform:

ASR 5000

Product:

All IPSec-related services


Privilege:

Security Administrator, Administrator


Syntax
ca-crl list ca-crl-name name [ ca-crl-name name ]+
no ca-crl
no

Removes the CA-CRL configuration from this template.

ca-crl-name name

Specifies the CA-CRL to associate with this crypto template. name must be the name of an existing CA-CRL expressed as an alphanumeric string of 1 through 129 characters. Multiple lists can be configured for a crypto template.

You can chain multiple CA-CRLs in a single command instance.


Usage:

Use this command to associate a CA-CRL name with this crypto template.

CA-CRLs are configured in the Global Configuration Mode. For more information about configuring CA-CRLs, refer to the ca-crl name command in the Global Configuration Mode Commands chapter.


Example:
The following example binds CA-CRLs named CRL-5 and CRL-7 to this crypto template:
ca-crl list ca-crl-name CRL-5 ca-crl-name CRL-7

certificate

Used to bind a single X.509 trusted certificate to a crypto template.

Platform:

ASR 5000

Product:

All IPSec-related services


Privilege:

Security Administrator, Administrator


Syntax
[ no ] certificate name
no

Removes any applied certificate or prevents the certificate from being included in the Auth Exchange response payload.

name

Specifies the name of an X.509 trusted certificate to bind to a crypto template. name is an alphanumeric string of 1 through 127 characters.


Usage:

Can be used to bind an X.509 certificate to a template, or include or exclude it from the Auth Exchange response payload.


Example:
Use the following example to prevent a certificate from being included in the Auth Exchange payload:
no certificate

control-dont-fragment

Controls the Don’t Fragment (DF) bit in the outer IP header of the IPSec tunnel data packet.

Platform:

ASR 5000

Product:

All IPSec-related services


Privilege:

Security Administrator, Administrator


Syntax
control-dont-fragment { clear-bit | copy-bit | set-bit }

Configures the option to perform on the DF bit.
  • clear-bit: Clears the DF bit from the outer IP header (sets it to 0).
  • copy-bit: Copies the DF bit from the inner IP header to the outer IP header. This is the default action.
  • set-bit: Sets the DF bit in the outer IP header (sets it to 1).

Usage:

A packet is encapsulated in IPSec headers at both ends. The new packet can copy the DF bit from the original unencapsulated packet into the outer IP header, or it can set the DF bit if there is not one in the original packet. It can also clear a DF bit that it does not need.


Example:
The following command sets the DF bit in the outer IP header:
control-dont-fragment set-bit

default

Restores the default values for the selected parameter.

Platform:

ASR 5000

Product:

All IPSec-related services


Privilege:

Security Administrator, Administrator


Syntax
default { authentication | certificate | control-dont-fragment | dns-handling | dos cookie-challenge detect-dos-attack | keepalive | nai idr | natt }
authentication gateway

Configures the default pre-shared gateway key used for authentication.

certificate

Configures the system to remove the certificate for a given crypto template.

dns-handling

Configures the system to use normal DNS handling.

dos cookie-challenge detect-dos-attack

Restores the default condition, in which the Denial of Service cookie challenge is disabled.

keepalive

Enables Dead Peer Detection for all SAs derived from this crypto template.

nai idr

Sets the default NAI parameters to be used for the crypto template (IDr) to none.

natt

Enables NAT-T initiation for all SAs derived from this crypto template.


Usage:

Use these commands to restore default parameters.


Example:
Use the following command to disable MOBIKE by default:
default mobike

dns-handling

Adds a custom option that defines how a DNS address is returned under the circumstances described below.

Platform:

ASR 5000

Product:

PDIF


Privilege:

Security Administrator, Administrator


Syntax
[ default ] dns-handling { custom | normal }
default

Configures the default condition as normal. By default, PDIF always returns the DNS address in the config payload in the second authentication phase if one is received from either the configuration or the HA.

dns-handling custom

Configures the PDIF to behave as described in the Usage section below.

dns-handling normal

This is the default action. The service always returns the DNS address in the config payload in the second authentication phase if one is received from either the configuration or the HA.


Usage:

During IKEv2 session setup, the MS may or may not include INTERNAL_IP4_DNS in the Config Payload (CP). PDIF may obtain one or more DNS addresses for the subscriber in the DNS NVSE of a proxy-MIP Registration Reply message. If Multiple Authentication is used, these DNS addresses may also be received in Diameter AVPs during the first authentication phase, or in RADIUS attributes in the Access Accept messages during the second authentication phase.

In normal mode, by default PDIF always returns the DNS address in the config payload in the second authentication phase if one is received from either the configuration or the HA.

In custom mode, depending on the number of INTERNAL_IP4_DNS attributes requested, PDIF behaves as follows:
  • If the MS includes no INTERNAL_IP4_DNS in the Config Payload: PDIF does not return any INTERNAL_IP4_DNS option to the MS, whether or not PDIF has received one in the DNS NVSE from the HA or from local configuration.
  • If the MS requests one or more INTERNAL_IP4_DNS attributes in the Config Payload, and neither the P-MIP NVSE nor any configuration contains a DNS address, PDIF omits the INTERNAL_IP4_DNS option from the Config Payload sent to the MS.
  • If the P-MIP NVSE includes one DNS address (a.a.a.a / 0.0.0.0), PDIF sends one INTERNAL_IP4_DNS option in the Config Payload back to the MS.
  • If the Primary DNS is a.a.a.a and the Secondary DNS is 0.0.0.0, then a.a.a.a is returned (only one instance of the DNS attribute is present in the Config Payload).
  • If the Primary DNS is 0.0.0.0 and the Secondary DNS is a.a.a.a, then a.a.a.a is returned (only one instance of the DNS attribute is present in the Config Payload). PDIF does not treat 0.0.0.0 as a valid DNS address that can be assigned to the MS.
  • If the P-MIP NVSE includes two DNS addresses (a.a.a.a and b.b.b.b), or configuration exists for these two addresses, PDIF sends two INTERNAL_IP4_DNS options in the CP to the MS (typically known as the primary and secondary DNS addresses).
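The custom-mode rules above, modelled as a small decision function (an added example, not Cisco/StarOS code; the function and parameter names, and the treatment of normal mode as also skipping 0.0.0.0, are this example's own assumptions):

```python
# Added example, not Cisco/StarOS code: a model of the dns-handling decision
# described above. Function and parameter names are this example's own.
from typing import List, Optional

UNASSIGNED = "0.0.0.0"  # PDIF never treats this as an assignable DNS address


def _usable(addr: Optional[str]) -> bool:
    """A learned DNS address is usable only if present and not 0.0.0.0."""
    return addr is not None and addr != UNASSIGNED


def select_internal_ip4_dns(mode: str, requested_count: int,
                            primary: Optional[str],
                            secondary: Optional[str]) -> List[str]:
    """Return the INTERNAL_IP4_DNS values PDIF places in the Config Payload.

    mode              -- "normal" or "custom", the dns-handling setting
    requested_count   -- how many INTERNAL_IP4_DNS attributes the MS put in
                         its CP request (0 when it sent none)
    primary/secondary -- DNS addresses learned from the P-MIP NVSE, from
                         RADIUS/Diameter or from local configuration; None
                         when that slot is absent
    """
    # Ordering assumption of this example: primary is offered before secondary.
    available = [a for a in (primary, secondary) if _usable(a)]

    if mode == "normal":
        # Normal mode answers with whatever was learned, whether or not the
        # MS asked. Skipping 0.0.0.0 here too is this example's assumption.
        return available

    if mode != "custom":
        raise ValueError(f"unknown dns-handling mode: {mode!r}")

    # Custom mode, first bullet: the MS asked for no DNS, so none is offered
    # even when the HA or local configuration supplied one.
    if requested_count == 0:
        return []

    # Custom mode, remaining bullets: the MS asked for one or more. Nothing
    # usable -> option omitted; one usable (0.0.0.0 in either slot skipped)
    # -> one option; two usable -> primary and secondary.
    return available


def config_payload_lines(mode: str, requested_count: int,
                         primary: Optional[str],
                         secondary: Optional[str]) -> List[str]:
    """Render the chosen addresses as CP attribute lines for a quick trace."""
    chosen = select_internal_ip4_dns(mode, requested_count, primary, secondary)
    return [f"INTERNAL_IP4_DNS = {a}" for a in chosen]


if __name__ == "__main__":
    # Constructed sample inputs walking the bullets above.
    cases = [
        ("custom", 0, "10.0.0.53", "10.0.1.53"),   # no request -> nothing
        ("custom", 2, None, None),                 # nothing learned -> omitted
        ("custom", 1, "10.0.0.53", UNASSIGNED),    # secondary 0.0.0.0 skipped
        ("custom", 1, UNASSIGNED, "10.0.1.53"),    # primary 0.0.0.0 skipped
        ("custom", 2, "10.0.0.53", "10.0.1.53"),   # both sent
        ("normal", 0, "10.0.0.53", None),          # normal mode ignores request
    ]
    for case in cases:
        print(case, "->", config_payload_lines(*case) or ["(option omitted)"])
```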

Example:
The following configuration applies the custom dns-handling mode:
dns-handling custom

dos cookie-challenge notify-payload

Configures the cookie challenge parameters for IKEv2 INFO Exchange notify payloads for the given crypto template.

Platform:

ASR 5000

Product:

All IPSec-related services


Privilege:

Security Administrator, Administrator


Syntax
dos cookie-challenge notify-payload [ half-open-sess-count { start integer | stop integer } ]
[ default | no ] dos cookie-challenge detect-dos-attack
default

The default is the disabled condition.

no

Prevents Denial of Service cookie transmission. This is the default condition.

half-open-sess-count start | stop

The half-open-sess-count is the number of half-open sessions per IPSec manager.

A session is considered half-open if a PDIF has responded to an IKEv2 INIT Request with an IKEv2 INIT Response, but no further message was received on that particular IKE SA.
  • start: Starts the cookie challenge when the current half-open-sess-count exceeds the start count. The start count is an integer from 0 to 100000.
  • stop: Stops the cookie challenge when the current half-open-sess-count drops below the stop count. The stop count is an integer from 0 to 100000. It is always less than or equal to the start count.

IMPORTANT:

The start count value 0 is a special case whereby this feature is always enabled. In this event, both Start and Stop must be 0.


Usage:

This feature (which is disabled by default) helps prevent malicious Denial of Service attacks against the server by sending a challenge cookie. If the response from the sender does not incorporate the expected cookie data, the packets are dropped.
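The start/stop hysteresis and the start-0 special case described above, modelled as a per-manager trigger (an added example, not Cisco/StarOS code; class and function names are this example's own, and "exceeds"/"drops below" are read strictly):

```python
# Added example, not Cisco/StarOS code: a model of the half-open-sess-count
# start/stop hysteresis described above. Names are this example's own.
from typing import List, Optional

MAX_COUNT = 100000  # documented range for both start and stop


def threshold_error(start: int, stop: int) -> Optional[str]:
    """Return why a start/stop pair is invalid, or None if it is acceptable."""
    for name, value in (("start", start), ("stop", stop)):
        if not 0 <= value <= MAX_COUNT:
            return f"{name} must be 0..{MAX_COUNT}, got {value}"
    if stop > start:
        return "stop must be less than or equal to start"
    if start == 0 and stop != 0:
        return "start 0 means always enabled and requires stop 0"
    return None


class CookieChallengeTrigger:
    """Per IPSec manager: is the IKE_SA_INIT cookie challenge active?"""

    def __init__(self, start: int, stop: int) -> None:
        err = threshold_error(start, stop)
        if err:
            raise ValueError(err)
        self.start = start
        self.stop = stop
        # start 0 is the special case: the challenge is permanently on.
        self.active = start == 0

    def update(self, half_open: int) -> bool:
        """Feed the current half-open count (INIT answered, nothing since);
        return whether challenging is active after this observation."""
        if self.start == 0:
            return True
        # "Exceeds" and "drops below" are read strictly; between stop and
        # start the previous state is kept, which is the hysteresis.
        if not self.active and half_open > self.start:
            self.active = True
        elif self.active and half_open < self.stop:
            self.active = False
        return self.active


def trace(start: int, stop: int, counts: List[int]) -> List[bool]:
    """Run a constructed sequence of half-open counts through one trigger."""
    trig = CookieChallengeTrigger(start, stop)
    return [trig.update(c) for c in counts]


if __name__ == "__main__":
    # The page's own thresholds (start 50000, stop 20000) against a
    # constructed sequence of observed half-open session counts.
    counts = [10000, 50000, 50001, 30000, 19999, 25000]
    for count, on in zip(counts, trace(50000, 20000, counts)):
        print(f"half-open={count:6d} challenge={'on' if on else 'off'}")
```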


Example:
The following example configures the cookie challenge to begin when the half-open-sess-count reaches 50000 and stops when it drops below 20000:
dos cookie-challenge notify-payload half-open-sess-count start 50000 stop 20000

end

Exits the current configuration mode and returns to the Exec mode.

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
end

Usage:

Use this command to return to the Exec mode.

exit

Exits the current mode and returns to the parent configuration mode.

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
exit

Usage:

Use this command to return to the parent configuration mode.

ikev2-ikesa

Configures parameters for the IKEv2 IKE Security Associations within this crypto template.

Platform:

ASR 5000

Product:

All IPSec-related services


Privilege:

Security Administrator, Administrator


Syntax
ikev2-ikesa { allow-empty-ikesa | cert-sign { pkcs1.5 | pkcs2.0 } | ignore-notify-protocol-id | ignore-rekeying-requests | keepalive-user-activity | max-retransmissions number | mobike | policy { congestion-rejection [ notify-status-value ] | error-notification [ invalid-major-version ] [ invalid-message-id [ invalid-major-version | invalid-syntax ] ] | invalid-syntax [ invalid-major-version ] } | rekey | retransmission-timeout msec | setup-timer sec | transform-set list name1 }
default ikev2-ikesa { allow-empty-ikesa | cert-sign | ignore-notify-protocol-id | ignore-rekeying-requests | keepalive-user-activity | max-retransmissions | mobike | policy error-notification | rekey | retransmission-timeout | setup-timer }
no ikev2-ikesa { allow-empty-ikesa | ignore-notify-protocol-id | ignore-rekeying-requests | keepalive-user-activity | list name | mobike | policy error-notification | rekey }
no ikev2-ikesa

Disables a previously enabled parameter.

allow-empty-ikesa

Default is not to allow-empty-ikesa. Activate to have the IKEv2 stack keep the IKE SA when all the Child SAs have been deleted.

cert-sign { pkcs1.5 | pkcs2.0 }

Specifies the certificate sign to be used. Default: pkcs1.5

pkcs1.5: Use the Public-Key Cryptography Standards (PKCS) version 1.5, RSA Encryption Standard.

pkcs2.0: Use the PKCS version 2.0, RSA Encryption Standard.

ignore-notify-protocol-id

Ignores IKEv2 Informational Exchange Notify Payload Protocol-ID values for strict RFC 4306 compliance.

ignore-rekeying-requests

Ignores received IKE_SA Rekeying Requests.

keepalive-user-activity

Default is no keepalive-user-activity. Activate to reset the user inactivity timer when keepalive messages are received from peer.

max-retransmissions number

Specifies the maximum number of retransmissions of an IKEv2 IKE Exchange Request if a response has not been received. number must be an integer from 1 through 8. Default: 5

mobike

IKEv2 Mobility and Multihoming Protocol: MOBIKE allows the IP addresses associated with IKEv2 and tunnel mode IPSec Security Associations to change. A mobile Virtual Private Network (VPN) client could use MOBIKE to keep the connection with the VPN gateway active while moving from one address to another. Similarly, a multihomed host could use MOBIKE to move the traffic to a different interface if, for instance, the one currently being used stops working. Default: disabled

policy { congestion-rejection [ notify-status-value ] | error-notification [ invalid-major-version ] | invalid-message-id [ invalid-major-version | invalid-syntax ] | invalid-syntax [ invalid-major-version ] }

Specifies the default policy for generating an IKEv2 Invalid Message ID error when PDIF receives an out-of-sequence packet.

congestion-rejection: Sends an Error Notify Message to the MS as a reply to an IKE_SA_INIT Exchange when no more IKE_SA sessions can be established.

error-notification: Sends an Error Notify Message to the MS for Invalid IKEv2 Exchange Message ID and Invalid IKEv2 Exchange Syntax for the IKE_SA_INIT Exchange.

[invalid-major-version]: Sends an Error Notify Message for Invalid Major Version.

[invalid-message-id]: Sends an Error Notify Message for Invalid IKEv2 Exchange Message ID.

[invalid-syntax]: Sends an Error Notify Message for Invalid IKEv2 Exchange Syntax.

rekey

Specifies if IKESA rekeying should occur before the configured lifetime expires (at approximately 90% of the lifetime interval). Default is not to re-key.

retransmission-timeout msec

Specifies the timeout period (in milliseconds) before a retransmission of an IKEv2 IKE exchange request is sent (if the corresponding response has not been received). msec must be an integer from 300 to 15000. Default: 500

setup-timer sec

Specifies the number of seconds before an IKEv2 IKE Security Association that is not fully established is terminated. sec must be an integer from 1 through 3600. Default: 16

transform-set list name1

The transform set is a space-separated list of IKEv2-IKESA SA transform sets to be used for deriving IKEv2 IKE Security Associations from this crypto template. A minimum of one transform-set is required; maximum configurable is six.


Usage:

Use this command to configure parameters for the IKEv2 IKE Security Associations within this crypto template.


Example:
The following command configures the maximum number of IKEv2 IKESA request retransmissions to 7:
ikev2-ikesa max-retransmissions 7
The following command configures the IKEv2 IKESA request retransmission timeout to 400 milliseconds:
ikev2-ikesa retransmission-timeout 400
The following command configures the IKEv2 IKESA transform set list name to ikesa43:
ikev2-ikesa transform-set list ikesa43

keepalive

Configures keepalive or dead peer detection for security associations used within this crypto template.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
keepalive [ interval sec ]
default keepalive [ interval ]
no keepalive
no

Disables keepalive messaging.

interval sec

Specifies the amount of time (in seconds) that must elapse before the next keepalive request is sent. sec must be an integer from 10 through 3600. Default: 10


Usage:

Use this command to set parameters associated with determining the availability of peer servers.


Example:
The following command sets a keepalive interval to three minutes (180 seconds):
keepalive interval 180

max-childsa

Defines a soft limit for the number of Child SAs per IKEv2 policy.

Platform:

ASR 5000

Product:

FNG, TTG


Privilege:

Security Administrator, Administrator


Syntax
max-childsa < 1..4 > [ overload action { ignore | terminate } ]
max-childsa < 1..4 >

Specifies a soft limit for the maximum number of Child SAs per IKEv2 policy, which can be from 1 to 4.

overload-action { ignore | terminate }
The action taken when the specified soft limit for the maximum number of Child SAs is reached, as follows:
  • ignore: The IKEv2 stack ignores the specified soft limit for Child SAs.
  • terminate: The IKEv2 stack rejects any new Child SAs if the specified soft limit is reached.

Usage:

The FNG maintains two maximum Child SA values per IKEv2 policy. The first is a system-enforced maximum value, which is four Child SAs per IKEv2 policy. The second is a configurable soft maximum value, which can be a value between one and four. This command defines the soft limit for the maximum number of Child SAs per IKEv2 policy.


Example:
The following command specifies a soft limit of 2 Child SAs with the overload action of terminate:
max-childsa 2 overload action terminate

nai

Configures the Network Access Identifier (NAI) parameters to be used for the crypto template IDr (recipient’s identity).

Platform:

ASR 5000

Product:

ePDG, PDIF, TTG


Privilege:

Security Administrator, Administrator


Syntax
nai { idr name [ id-type { der-asn1-dn | der-asn1-gn | fqdn | ip-addr | key-id | rfc822-addr } ] | use-received-idr }  
default nai idr
no nai { idr | use-received-idr } 
default

Configures the default command no nai idr. As a result, the default behavior is for the PDIF-service IP address to be sent as the IDr value of type ID_IP_ADDR.

no

no nai idr configures the value whereby the service IP address is sent as the IDr value with the type ID_IP_ADDR. This is the default condition.

idr name

Specifies the name of the IDr crypto template as an alphanumeric string of 1 through 79 characters.

id-type { der-asn1-dn | der-asn1-gn | fqdn | ip-addr | key-id | rfc822-addr }
Configures the NAI IDr type parameter. If no id-type is specified, then rfc822-addr is assumed.
  • der-asn1-dn: configures NAI Type DER_ASN1_DN (Distinguished Encoding Rules, ASN.1 encoding, Distinguished Name)
  • der-asn1-gn: configures NAI Type DER_ASN1_GN (Distinguished Encoding Rules, ASN.1 encoding, General Name)
  • fqdn: configures NAI Type ID_FQDN (Internet Fully Qualified Domain Name).
  • ip-addr: configures NAI Type ID_IP_ADDR (IP Address).
  • key-id: configures NAI Type ID_KEY_ID (opaque octet string).
  • rfc822-addr: configures NAI Type ID_RFC822_ADDR (RFC 822 email address).

use-received-idr

Specifies that the received IDr be used in the crypto template.


Usage:

The configured IDr is sent to the MS in the first IKEv2 AUTH response.


Example:
The following command configures the NAI IDr to the default condition:
no nai idr

natt

Configures Network Address Translation - Traversal (NAT-T) for all security associations associated with this crypto template. This feature is disabled by default.

Platform:

ASR 5000

Product:

ePDG, PDIF


Privilege:

Security Administrator, Administrator


Syntax
[ default | no ] natt [ include-header ] [ send-keepalive [ idle-interval idle_secs ] [ interval interval_secs ] ]
default

Disables NAT-T for all security associations associated with this crypto template.

no

Disables NAT-T for all security associations associated with this crypto template.

include-header

Includes the NAT-T header in IPSec packets.

send-keepalive [ idle-interval idle_secs ] [ interval interval_secs ]

Sends NAT-Traversal keepalive messages.

idle-interval idle_secs: Specifies the number of seconds the tunnel may remain idle, with no NAT keepalive packets sent, before NAT keepalive transmission starts. idle_secs is an integer from 20 to 86400. Default: 60.

interval interval_secs: Specifies the number of seconds between the sending of NAT keepalive packets. interval_secs is an integer from 20 to 86400. Default: 60.


Usage:

Use this command to configure NAT-T for security associations within this crypto template.


Example:
The following command disables NAT-T for this crypto template:
no natt

payload

Creates a new, or specifies an existing, crypto template payload and enters the Crypto Template Payload Configuration Mode.

Platform:

ASR 5000

Product:

ePDG, PDIF


Privilege:

Security Administrator, Administrator


Syntax
[ no ] payload name match childsa [ match { any | ipv4 | ipv6 } ]
no

Removes a currently configured crypto template payload.

payload name

Specifies the name of a new or existing crypto template payload as an alphanumeric string of 1 through 127 characters.

match childsa [ match { any | ipv4 | ipv6 } ]
Filters IPSec Child Security Association creation requests for subscriber calls using this payload. Further filtering can be performed by applying the following:
  • match any: Configures this payload to be applicable to IPSec Child Security Association requests for IPv4 and/or IPv6.
  • match ipv4: Configures this payload to be applicable to IPSec Child Security Association requests for IPv4 only.
  • match ipv6: Configures this payload to be applicable to IPSec Child Security Association requests for IPv6 only.

Usage:

Use this command to create a new or enter an existing crypto template payload. The payload mechanism is a means of associating parameters for the Security Association (SA) being negotiated.

Two payloads are required: one each for MIP and IKEv2. The first payload is used for establishing the initial Child SA Tunnel Inner Address (TIA) which will be torn down. The second payload is used for establishing the remaining Child SAs. Note that if there is no second payload defined with home-address as the ip-address-allocation then no MIP call can be established, just a Simple IP call.

Currently, the only available match is for ChildSA, although other matches are planned for future releases. Omitting the second match parameter for either IPv4 or IPv6 will make the payload applicable to all IP address pools.

Crypto Template Payload Configuration Mode commands are defined in the Crypto Template IKEv2-Dynamic Payload Configuration Mode Commands chapter.


Example:
The following command configures a crypto template payload called payload5 and enters the Crypto Template Payload Configuration Mode:
payload payload5 match childsa

peer network

Configures a list of allowed peer addresses on this crypto template.

Platform:

ASR 5000

Product:

All IPSec-related services


Privilege:

Security Administrator, Administrator


Syntax
peer network ip_address { /mask | mask ip_mask } [ encrypted pre-shared-key key | pre-shared-key key ]
no peer network ip_address mask ip_mask
no

Removes the specified peer network IP address from this crypto template.

peer network ip_address {/mask | mask ip_mask }

Specifies the IP address of the peer network in IPv4 dotted-decimal or IPv6 colon-separated-hexadecimal notation.

/mask specifies the subnet mask bits. mask must be an integer from 1 to 32 for IPv4 addresses and 1 to 128 for IPv6 addresses (CIDR notation).

mask ip_mask specifies the subnet mask in IPv4 dotted-decimal or IPv6 colon-separated-hexadecimal notations.

[ encrypted pre-shared-key key | pre-shared-key key ]

encrypted pre-shared-key key: Specifies that an encrypted pre-shared key is to be used for IPSec authentication for the address range. key must be an alphanumeric string or hexadecimal sequence of 16 to 64 characters.

pre-shared-key key: Specifies that a clear text pre-shared key is to be used for IPSec authentication for the address range. key must be an alphanumeric string or hexadecimal sequence of 1 to 32 characters.


Usage:

Use this command to configure a list or range of allowed peer network IP addresses for this template.


Example:
The following command configures a set of IP addresses with starting address of 10.2.3.4 and a bit mask of 8:
peer network 10.2.3.4/8