Configures parameters for the IKEv2 IKE Security Associations (IKE SAs) within this crypto template.
Product:
All IPSec-related services
Privilege:
Security Administrator,
Administrator
Syntax
ikev2-ikesa { allow-empty-ikesa | cert-sign { pkcs1.5 | pkcs2.0 } | ignore-notify-protocol-id | ignore-rekeying-requests | keepalive-user-activity | max-retransmissions number | mobike | policy { congestion-rejection [ notify-status-value ] | error-notification [ invalid-major-version ] [ invalid-message-id [ invalid-major-version | invalid-syntax ] ] [ invalid-syntax [ invalid-major-version ] ] } | rekey | retransmission-timeout msec | setup-timer sec | transform-set list name1 }
default ikev2-ikesa { allow-empty-ikesa | cert-sign | ignore-notify-protocol-id | ignore-rekeying-requests | keepalive-user-activity | max-retransmissions | mobike | policy error-notification | rekey | retransmission-timeout | setup-timer }
no ikev2-ikesa { allow-empty-ikesa | ignore-notify-protocol-id | ignore-rekeying-requests | keepalive-user-activity | mobike | policy error-notification | rekey | transform-set list name }
no ikev2-ikesa
Disables a previously enabled parameter.
allow-empty-ikesa
Default is not to allow an empty IKE SA: when the last Child SA is deleted, the IKE SA is deleted with it. Activate this keyword to have the IKEv2 stack keep the IKE SA alive after all of its Child SAs have been deleted, so that a new Child SA can be negotiated without a fresh IKE_SA_INIT/IKE_AUTH exchange.
cert-sign { pkcs1.5 | pkcs2.0 }
Specifies the RSA signature scheme used when signing the IKEv2 AUTH payload with a certificate. Default: pkcs1.5
pkcs1.5:
Use the Public-Key Cryptography Standards (PKCS) #1 version 1.5 RSA signature scheme (deterministic PKCS #1 v1.5 padding).
pkcs2.0:
Use the PKCS #1 version 2.0 RSA signature scheme.
Both peers must use the same scheme: a peer that verifies AUTH payloads only with PKCS #1 v1.5 padding will reject a signature produced under the other scheme, and the IKE_AUTH exchange fails.
ignore-notify-protocol-id
Ignores the Protocol ID field of Notify payloads received in IKEv2 Informational Exchanges, for strict RFC 4306 compliance (RFC 4306 requires the Protocol ID to be sent as zero and ignored on receipt when the Notify payload carries no SPI).
ignore-rekeying-requests
Ignores received IKE_SA rekeying requests.
keepalive-user-activity
Default is no keepalive-user-activity. Activate to reset the user inactivity timer whenever keepalive messages are received from the peer. With this keyword set, a subscriber whose IKEv2 stack keeps sending keepalives is never timed out for inactivity even if it passes no user traffic.
max-retransmissions number
Specifies the maximum number of retransmissions of an IKEv2 IKE Exchange Request if a response has not been received. number must be an integer from 1 through 8. Default: 5
mobike
Enables the IKEv2 Mobility and Multihoming Protocol (MOBIKE). MOBIKE allows the IP addresses associated with an IKEv2 SA and its tunnel-mode IPSec Security Associations to change without renegotiating the SAs. A mobile Virtual Private Network (VPN) client can use MOBIKE to keep its connection to the VPN gateway active while moving from one address to another. Similarly, a multihomed host can use MOBIKE to move traffic to a different interface if, for instance, the one currently in use stops working. Default: disabled
policy { congestion-rejection [ notify-status-value ] | error-notification [ invalid-major-version ] | invalid-message-id [ invalid-major-version | invalid-syntax ] | invalid-syntax [ invalid-major-version ] }
Specifies when the gateway (for example, the PDIF) sends an IKEv2 Error Notify message to the MS: when it cannot accept more IKE SAs, or when it receives an out-of-sequence packet with an invalid Message ID, an invalid major version, or invalid syntax.
congestion-rejection:
Sends an Error Notify Message to the MS in reply to an IKE_SA_INIT Exchange when no more IKE_SA sessions can be established. The optional notify-status-value sets the Notify Message Type status value carried in that reply.
error-notification:
Sends an Error Notify Message to the MS for an Invalid IKEv2 Exchange Message ID and for Invalid IKEv2 Exchange Syntax in the IKE_SA_INIT Exchange. The following optional keywords select which conditions are reported:
[invalid-major-version]:
Sends an Error Notify Message for an Invalid Major Version.
[invalid-message-id]:
Sends an Error Notify Message for an Invalid IKEv2 Exchange Message ID.
[invalid-syntax]:
Sends an Error Notify Message for Invalid IKEv2 Exchange Syntax.
rekey
Specifies whether the IKE SA is rekeyed before its configured lifetime expires (at approximately 90% of the lifetime interval). Default is not to rekey; without this keyword the IKE SA runs to the end of its lifetime instead of being renewed.
retransmission-timeout msec
Specifies the timeout period (in milliseconds) before a retransmission of an IKEv2 IKE exchange request is sent if the corresponding response has not been received. msec must be an integer from 300 through 15000. Default: 500
setup-timer sec
Specifies the number of seconds before an IKEv2 IKE Security Association that is not fully established is terminated. sec must be an integer from 1 through 3600. Default: 16. Choose a value larger than the retry window implied by retransmission-timeout and max-retransmissions; otherwise the half-open IKE SA is torn down before the retransmissions are exhausted.
transform-set list name1
The transform set is a space-separated list of IKEv2 IKE SA transform sets to be used for deriving IKEv2 IKE Security Associations from this crypto template. A minimum of one transform set is required; the maximum configurable is six.
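The following is an added example, not Cisco code: a small checker that pulls the ikev2-ikesa lines out of a crypto template stanza and validates them against the ranges and limits documented above. The retransmission-budget check assumes a fixed retransmission interval with no backoff, which the reference does not state; the sample stanzas and the "crypto template ... ikev2-dynamic" header line are constructed for the example.

```python
"""Validate ikev2-ikesa settings in a StarOS-style crypto template stanza.

Added example (not Cisco code). The retry-window check assumes a fixed
interval between retransmissions with no backoff; that is an assumption.
"""
import re

# Documented ranges and defaults from the command reference above.
RANGES = {
    "max-retransmissions": (1, 8),
    "retransmission-timeout": (300, 15000),   # milliseconds
    "setup-timer": (1, 3600),                 # seconds
}
DEFAULTS = {
    "max-retransmissions": 5,
    "retransmission-timeout": 500,
    "setup-timer": 16,
    "cert-sign": "pkcs1.5",
}
MAX_TRANSFORM_SETS = 6

LINE_RE = re.compile(r"^(no\s+|default\s+)?ikev2-ikesa\s+(\S+)(?:\s+(.*))?$")

# Constructed sample stanzas (the header line is assumed syntax).
SAMPLE_OK = """\
crypto template pdif-tmpl ikev2-dynamic
  ikev2-ikesa max-retransmissions 7
  ikev2-ikesa retransmission-timeout 400
  ikev2-ikesa transform-set list ikesa43
  ikev2-ikesa rekey
"""
SAMPLE_BAD = """\
crypto template pdif-tmpl ikev2-dynamic
  ikev2-ikesa max-retransmissions 8
  ikev2-ikesa retransmission-timeout 15000
  ikev2-ikesa setup-timer 60
"""


def parse_template(text):
    """Return the effective ikev2-ikesa settings of a stanza (defaults applied)."""
    settings = dict(DEFAULTS)
    flags = set()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # not an ikev2-ikesa line
        prefix, key, rest = m.group(1), m.group(2), (m.group(3) or "").strip()
        prefix = (prefix or "").strip()
        if prefix:                        # "no" or "default": revert to default
            settings[key] = DEFAULTS.get(key)
            flags.discard(key)
        elif key in RANGES:
            settings[key] = int(rest)     # ValueError on a non-numeric argument
        elif key in ("cert-sign", "policy"):
            settings[key] = rest
        elif key == "transform-set":      # "transform-set list name1 [name2 ...]"
            names = rest.split()
            if names and names[0] == "list":
                settings["transform-set"] = names[1:]
        else:
            flags.add(key)                # boolean keywords such as rekey, mobike
    settings["flags"] = flags
    return settings


def check_template(text):
    """Return a list of problems; an empty list means the stanza is consistent."""
    s = parse_template(text)
    problems = []
    for key, (lo, hi) in RANGES.items():
        if not lo <= s[key] <= hi:
            problems.append(f"{key} {s[key]} is outside {lo}..{hi}")
    if s["cert-sign"] not in ("pkcs1.5", "pkcs2.0"):
        problems.append(f"cert-sign {s['cert-sign']} is not pkcs1.5 or pkcs2.0")
    ts = s.get("transform-set")
    if not ts:
        problems.append("transform-set list is required (at least one name)")
    elif len(ts) > MAX_TRANSFORM_SETS:
        problems.append(f"{len(ts)} transform sets listed, maximum is {MAX_TRANSFORM_SETS}")
    # Worst-case retry window: initial send plus max-retransmissions resends,
    # each waiting one retransmission-timeout (assumes fixed interval, no backoff).
    window_s = (s["max-retransmissions"] + 1) * s["retransmission-timeout"] / 1000
    if s["setup-timer"] < window_s:
        problems.append(f"setup-timer {s['setup-timer']}s is shorter than the retry "
                        f"window of {window_s:g}s; the half-open IKE SA is torn down "
                        "before retransmissions are exhausted")
    if "rekey" not in s["flags"]:
        problems.append("advisory: rekey is not enabled, the IKE SA runs to lifetime expiry")
    return problems


if __name__ == "__main__":
    for name, stanza in (("SAMPLE_OK", SAMPLE_OK), ("SAMPLE_BAD", SAMPLE_BAD)):
        print(name, check_template(stanza) or "ok")
```

Run against SAMPLE_BAD the checker reports the missing transform-set list, a 135-second retry window that exceeds the 60-second setup-timer, and the rekey advisory; SAMPLE_OK passes cleanly.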
Usage:
Use this command to configure parameters for the IKEv2 IKE Security Associations within this crypto template.
Example:
The following command configures the maximum number of IKEv2 IKE SA request retransmissions to 7:
ikev2-ikesa max-retransmissions 7
The following command configures the IKEv2 IKE SA request retransmission timeout to 400 milliseconds:
ikev2-ikesa retransmission-timeout 400
The following command configures the IKEv2 IKE SA transform set list name to ikesa43:
ikev2-ikesa transform-set list ikesa43