Crypto Map IKEv2-IPv6 Configuration Mode Commands


 
The Crypto Map IKEv2-IPv6 Configuration Mode is used to configure an IKEv2 IPsec policy for secure X3 interface tunneling between a P-GW and a lawful intercept server.
Important: Which commands, keywords and variables are available depends on platform type, product version, and installed license(s).
authentication
Configures the subscriber authentication method used for the P-GW lawful intercept service.
Product
P-GW
Privilege
Administrator
Syntax
authentication pre-shared-key { encrypted key value | key value }
authentication pre-shared-key { encrypted key value | key value }
Specifies that a pre-shared key is to be used for authenticating a subscriber in the P-GW service.
encrypted key value: Specifies that the pre-shared key used for authentication is encrypted and expressed as an alphanumeric string of 1 through 255 characters.
key value: Specifies that the pre-shared key used for authentication is clear text and expressed as an alphanumeric string of 1 through 255 characters.
Usage
Use this command to specify the type of authentication performed for subscribers attempting to access the P-GW service using this crypto map.
Example
The following command sets the authentication method to a clear-text pre-shared key with the value 6d7970617373776f7264 (a placeholder shown to illustrate the syntax; a production key should be long and randomly generated, and should not appear in clear text in shared configuration files):
authentication pre-shared-key key 6d7970617373776f7264
control-dont-fragment
Controls the Don’t Fragment (DF) bit in the outer IP header of the IPSec tunnel data packet.
Product
P-GW
Privilege
Administrator
Syntax
control-dont-fragment { clear-bit | copy-bit | set-bit }
{ clear-bit | copy-bit | set-bit }
clear-bit: Clears the DF bit from the outer IP header (sets it to 0).
copy-bit: Copies the DF bit from the inner IP header to the outer IP header. This is the default action.
set-bit: Sets the DF bit in the outer IP header (sets it to 1).
Usage
At the tunnel endpoint the original (inner) packet is encapsulated in new IPsec headers. The DF bit of the resulting outer IP header can be copied from the inner packet, set unconditionally, or cleared. Setting it prevents intermediate routers from fragmenting the tunnel packet: an outer packet larger than the path MTU is dropped and signalled with ICMP Fragmentation Needed, so the ESP overhead must be accounted for where path MTU is tight. Clearing it allows the outer packet to be fragmented in transit, which the receiving peer must reassemble before it can decrypt the packet.
Example
The following command sets the DF bit in the outer IP header:
control-dont-fragment set-bit
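The DF-bit policy described above, as an added illustration that is not part of the original command reference or of StarOS itself: a minimal IPv4-in-ESP encapsulation in Python in which the outer header's DF bit is derived from the inner packet according to clear-bit, copy-bit or set-bit, followed by what a router with a smaller path MTU does with the result. An IPv6 inner packet carries no DF bit, so copy-bit has nothing to copy there; the example therefore uses IPv4 on both sides. Addresses, packet sizes and the ESP overhead figure are constructed assumptions.

```python
import struct
from ipaddress import IPv4Address

# Added illustration of control-dont-fragment semantics; not StarOS code.
DF = 0x4000               # Don't Fragment flag within the IPv4 flags/fragment-offset field
IPV4_HDR_LEN = 20         # fixed header, no options
PROTO_ESP = 50
ESP_OVERHEAD = 4 + 4 + 16 + 2 + 16  # SPI, seq, IV, pad-len/next-hdr, ICV: assumed AES-GCM-like sizes


def build_ipv4(src: str, dst: str, payload: bytes, df: bool, proto: int) -> bytes:
    """Return a minimal IPv4 packet; header checksum left zero since nothing here verifies it."""
    total_len = IPV4_HDR_LEN + len(payload)
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total_len, 0x1234, DF if df else 0, 64, proto, 0,
        IPv4Address(src).packed, IPv4Address(dst).packed,
    )
    return header + payload


def has_df(pkt: bytes) -> bool:
    """Read the DF bit from the flags/fragment-offset field at byte offset 6."""
    flags_frag, = struct.unpack_from("!H", pkt, 6)
    return bool(flags_frag & DF)


def outer_df(inner: bytes, mode: str) -> bool:
    """Decide the outer header's DF bit from the configured control-dont-fragment keyword."""
    if mode == "clear-bit":
        return False
    if mode == "set-bit":
        return True
    if mode == "copy-bit":          # the documented default
        return has_df(inner)
    raise ValueError(f"unknown control-dont-fragment mode: {mode}")


def encapsulate(inner: bytes, mode: str, tun_src: str, tun_dst: str) -> bytes:
    """Tunnel-mode ESP stand-in: zeroed ESP fields followed by the inner packet as (uncomputed) ciphertext."""
    esp = b"\x00" * ESP_OVERHEAD + inner
    return build_ipv4(tun_src, tun_dst, esp, df=outer_df(inner, mode), proto=PROTO_ESP)


def transit(outer: bytes, path_mtu: int) -> str:
    """What an intermediate IPv4 router does when the tunnel packet meets a smaller path MTU."""
    if len(outer) <= path_mtu:
        return "forwarded"
    if has_df(outer):
        return "dropped; ICMP Fragmentation Needed returned to the tunnel source"
    return "fragmented in transit; reassembled by the tunnel peer before decryption"


if __name__ == "__main__":
    # Constructed sample: a 1400-byte payload inside an inner packet that does not have DF set.
    inner = build_ipv4("10.0.0.1", "10.0.0.2", b"A" * 1400, df=False, proto=17)
    for mode in ("clear-bit", "copy-bit", "set-bit"):
        outer = encapsulate(inner, mode, "192.0.2.1", "192.0.2.2")
        print(f"{mode:9s} outer len={len(outer)} DF={has_df(outer)} -> {transit(outer, 1400)}")
```

Running the script shows the practical difference between the keywords: the same 1420-byte inner packet becomes a 1482-byte tunnel packet, which crosses a 1400-byte path MTU only by in-transit fragmentation under clear-bit (or copy-bit when the inner packet had DF clear) and is dropped under set-bit.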
end
Exits the current configuration mode and returns to the Exec mode.
Product
All
Privilege
Security Administrator, Administrator
Syntax
end
Usage
Use this command to return to the Exec mode.
exit
Exits the current mode and returns to the parent configuration mode.
Product
All
Privilege
Security Administrator, Administrator
Syntax
exit
Usage
Use this command to return to the parent configuration mode.
ikev2-ikesa
Configures parameters for the IKEv2 IKE Security Associations within this crypto map.
Product
P-GW
Privilege
Administrator
Syntax
ikev2-ikesa { max-retransmissions number | rekey | setup-timer sec }
default ikev2-ikesa { max-retransmissions | rekey | setup-timer }
no ikev2-ikesa rekey
default
Restores the selected keyword to its default value.
no ikev2-ikesa
Disables a previously enabled parameter.
ikev2-ikesa max-retransmissions number
Specifies the maximum number of retransmissions of an IKEv2 IKE exchange request if a response has not been received. number must be an integer from 1 to 8. Default: 5
ikev2-ikesa rekey
Specifies whether the IKE SA should be rekeyed before its configured lifetime expires (at approximately 90% of the lifetime interval). Default: no rekeying.
ikev2-ikesa setup-timer sec
Specifies the number of seconds before an IKEv2 IKE Security Association that is not fully established is terminated. sec must be an integer from 1 to 3600. Default: 60
Usage
Use this command to configure parameters for the IKEv2 IKE Security Associations within this crypto map.
Example
The following command configures the maximum number of IKEv2 IKESA request retransmissions to 7:
ikev2-ikesa max-retransmissions 7
match
Matches or associates the crypto map to an access control list (ACL) configured in the same context.
Product
P-GW
Privilege
Administrator
Syntax
match address acl_name [ priority ]
no match address
no
Removes a previously matched ACL.
match address acl_name
Specifies the name of the ACL with which the crypto map is to be matched. acl_name is a case-sensitive alphanumeric string of 1 through 79 characters.
priority
Specifies the preference of the ACL as integer from 0 through 4294967295. 0 is the highest priority. Default: 0
The ACL preference is factored when a single packet matches the criteria of more than one ACL.
Important: The priorities are only compared for ACLs matched to other crypto maps or to policy ACLs (those applied to the entire context).
Usage
ACLs matched to crypto maps are referred to as crypto ACLs. Crypto ACLs define the criteria that must be met in order for a subscriber data packet to be routed over an IPSec tunnel.
Prior to routing, the system examines the properties of each subscriber data packet. If the packet properties match the criteria specified in the crypto ACL, the system will initiate the IPSec policy dictated by the crypto map.
Example
The following command sets the crypto map ACL to the ACL named acl-list1 and sets the crypto map's priority to the highest level (0):
match address acl-list1 0
payload
Creates a new, or specifies an existing, crypto template payload and enters the Crypto Template Payload Configuration Mode.
Product
P-GW
Privilege
Administrator
Syntax
payload name match ipv6
no payload name
payload name
Specifies the name of a new or existing crypto template payload as an alphanumeric string of 1 through 127 characters.
match ipv6
Filters IPSec IPv6 Child Security Association creation requests for subscriber calls using this payload. Further filtering can be performed by applying the following:
Usage
Use this command to create a new or enter an existing crypto template payload. The payload mechanism is a means of associating parameters for the Security Association (SA) being negotiated.
Two payloads are required: one each for MIP and IKEv2. The first payload is used for establishing the initial Child SA Tunnel Inner Address (TIA), which will be torn down. The second payload is used for establishing the remaining Child SAs. Note that if there is no second payload defined with home-address as the ip-address-allocation, then no MIP call can be established, only a Simple IP call.
Currently, the only available match is for ChildSA, although other matches are planned for future releases.
Entering this command results in the following prompt:
[ctxt_name]hostname(cfg-crypto-<name>-ikev2-tunnel-payload)#
Crypto Template IKEv2-IPv6 Payload Configuration Mode commands are defined in the Crypto Template IKEv2-IPv6 Payload Configuration Mode Commands chapter.
Example
The following command configures a crypto template payload called payload5 and enters the Crypto Template IKEv2-IPv6 Payload Configuration Mode:
payload payload5 match ipv6
peer
Configures the IP address of a peer IPSec server.
Product
P-GW
Privilege
Administrator
Syntax
peer ip_address
no peer
no
Removes the configured peer server IP address.
peer ip_address
Specifies the IP address of a peer IPSec server in IPv4 dotted-decimal or IPv6 colon-separated notation.
Usage
Use this command to specify the peer IPsec server. The IPsec peer server can also be the Lawful Intercept server.
Example
The following command configures the system to recognize an IPsec peer server with an IPv6 address of fe80::200:f8ff:fe21:67cf:
peer fe80::200:f8ff:fe21:67cf
 
 

Cisco Systems Inc.