Important: The commands or keywords/variables that are available are dependent on platform type, product version, and installed license(s).
authentication { eap-profile name [ second-phase eap-profile name ] | gateway { encrypted key value | key clear_text } | local { certificate | pre-shared-key { encrypted key value | key clear_text } } | remote { certificate | eap-profile name [ second-phase eap-profile name ] | pre-shared-key { encrypted key value | key clear_text } } }

eap-profile name [ second-phase eap-profile name ]

Specifies that authentication is to be performed using a named Extensible Authentication Protocol (EAP) profile. name is an alphanumeric string of 1 through 127 characters. Entering this keyword places the CLI in the EAP Authentication Configuration Mode. The second-phase eap-profile name is only required for installations using multiple authentications; name must be an alphanumeric string of 1 through 127 characters.

gateway { encrypted key value | key clear_text }

• encrypted key value: Specifies that the pre-shared key used for authentication is encrypted. value must be an alphanumeric string of 1 through 255 characters.
• key clear_text: Specifies that the pre-shared key used for authentication is clear text. clear_text must be an alphanumeric string of 1 through 255 characters.

local { certificate | pre-shared-key { encrypted key value | key clear_text } }

• certificate: Specifies that the certificate method of authentication must be used for services using the crypto template.
• pre-shared-key { encrypted key value | key clear_text }: Specifies that a pre-shared key is to be used for services using the crypto template. encrypted key value configures an encrypted pre-shared key used for authentication; value must be an alphanumeric string of 1 through 255 characters. key clear_text configures a clear text pre-shared key used for authentication; clear_text must be an alphanumeric string of 1 through 255 characters.

remote { certificate | eap-profile name [ second-phase eap-profile name ] | pre-shared-key { encrypted key value | key clear_text } }

• certificate: Specifies that the certificate method of remote authentication must be used for services using the crypto template.
• eap-profile name [ second-phase eap-profile name ]: Specifies that remote authentication is to be performed using a named EAP profile. name must be an alphanumeric string of 1 through 127 characters. Entering this keyword places the CLI in the EAP Authentication Configuration Mode. The second-phase eap-profile name is only required for installations using multiple authentications; name must be an alphanumeric string of 1 through 127 characters.
• pre-shared-key { encrypted key value | key clear_text }: Specifies that a pre-shared key is to be used for services using the crypto template. encrypted key value configures an encrypted pre-shared key used for authentication; value must be an alphanumeric string of 1 through 255 characters. key clear_text configures a clear text pre-shared key used for authentication; clear_text must be an alphanumeric string of 1 through 255 characters.

Entering the authentication eap-profile command results in the following prompt:

EAP Authentication Configuration Mode commands are defined in the EAP Authentication Configuration Mode Commands chapter.

The following command enables authentication via an EAP profile named eap23 for subscribers using the service with this crypto template:

Binds the named X.509 Certificate Authority (CA) root certificate to a crypto template. name is an alphanumeric string of 1 through 127 characters.

Specifies the CA-CRL to associate with this crypto template. name must be the name of an existing CA-CRL expressed as an alphanumeric string of 1 through 129 characters. Multiple lists can be configured for a crypto template. CA-CRLs are configured in the Global Configuration Mode. For more information about configuring CA-CRLs, refer to the ca-crl name command in the Global Configuration Mode Commands chapter.

name name

Binds the named X.509 trusted certificate to a crypto template. name is an alphanumeric string of 1 through 127 characters.

Use the following example to prevent a certificate from being included in the Auth Exchange payload:
• clear-bit: Clears the DF bit from the outer IP header (sets it to 0).
• copy-bit: Copies the DF bit from the inner IP header to the outer IP header. This is the default action.
• set-bit: Sets the DF bit in the outer IP header (sets it to 1).
• ignore-rekeying-requests: Ignore any IKE_SA rekeying requests received.
• keepalive-user-activity: Keepalive messages received from peer will not reset the user inactivity timer.
• max-retransmission: Set the number of IKEv2 IKE exchange request retransmissions if the corresponding response has not been received. Default is 5.
• mobike: Set MOBIKE to disable.
• policy error-notification: Set the default policy error notification method to send error notify messages to the MS.
• rekey: Set the default rekeying of IKE_SA to disabled.
• retransmission-timeout: Set the maximum number of milliseconds to elapse before an IKEv2 IKE exchange request is retransmitted if the corresponding IKEv2 IKE exchange response has not been received to 500.
• setup-timer: Set the number of seconds to elapse before a non-fully-established IKEv2 IKE SA is terminated to 60.

Configures the default dns-handling condition as normal. In normal mode, by default PDIF always returns the DNS address in the config payload in the second authentication phase if one is received from either the configuration or the HA.

In custom mode, depending on the number of INTERNAL_IP4_DNS, PDIF supports the following behaviors:

The following configuration applies the custom dns-handling mode:

The half-open-sess-count is the number of half-open sessions per IPSec manager.
• start: Starts the cookie challenge when the current half-open-sess-count exceeds the start count. The start count is an integer from 0 to 100000.
• stop: Stops the cookie challenge when the current half-open-sess-count drops below the stop count. The stop count is an integer from 0 to 100000. It is always less than or equal to the start count.

Important: The start count value 0 is a special case whereby this feature is always enabled. In this event, both Start and Stop must be 0.
The following example configures the cookie challenge to begin when the half-open-sess-count reaches 50000 and stops when it drops below 20000:

ikev2-ikesa { allow-empty-ikesa | keepalive-user-activity | max-retransmissions number | retransmission-timeout msec | policy error-notification [ invalid-message-id | invalid-syntax ] | rekey | setup-timer sec | transform-set list name }
no ikev2-ikesa { allow-empty-ikesa | keepalive-user-activity | list name | policy error-notification [ invalid-message-id | invalid-syntax ] | rekey }

• max-retransmissions number: Specifies the maximum number of retransmissions of an IKEv2 IKE exchange request if a response has not been received. number must be an integer from 1 through 8. Default: 5
• retransmission-timeout msec: Specifies the timeout period in milliseconds before a retransmission of an IKEv2 IKE exchange request is sent (if the corresponding response has not been received). msec must be an integer from 300 through 15000. Default: 500
• setup-timer sec: Specifies the number of seconds before an IKEv2 IKE Security Association that is not fully established is terminated. sec must be an integer from 1 through 3600. Default: 16
• transform-set list name: Specifies the name of a context-level configured IKEv2 IKE Security Association transform set. name must be an existing IKEv2 IKESA Transform Set expressed as an alphanumeric string of 1 through 127 characters.

The keepalive command accepts the following keywords:
• interval sec: Specifies the amount of time (in seconds) that must elapse before the next keepalive request is sent. sec must be an integer from 10 through 3600. Default: 10
• timeout sec: Specifies the amount of time (in seconds) that the system will wait without receiving a reply before retrying the keepalive request. sec must be an integer from 10 through 3600. Default: 10
• num-retry num: Specifies the number of times the system will retry a non-responsive peer before defining the peer as off-line or out-of-service. num must be an integer from 1 through 100. Default: 2

The following command sets a keepalive interval to three minutes (180 seconds), the timeout to 30 seconds, and the retry attempts number to 5:
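The start/stop cookie-challenge thresholds described above, modelled as an added Python example (not Cisco code and not taken from this page): it follows the page's definitions (challenging starts when the half-open count exceeds start, stops when it drops below stop, and start 0 means always on) and enforces the constraints the page places on the two values.

```python
MAX_COUNT = 100000  # upper bound of the start/stop range given on the page


def validate_thresholds(start: int, stop: int):
    """Return None if (start, stop) is an acceptable pair, else a reason."""
    for name, value in (("start", start), ("stop", stop)):
        if not 0 <= value <= MAX_COUNT:
            return f"{name} must be 0..{MAX_COUNT}, got {value}"
    if stop > start:
        return "stop must be less than or equal to start"
    if start == 0 and stop != 0:
        return "start 0 means always-on; stop must also be 0"
    return None


class CookieChallenge:
    """Hysteresis switch: on above start, off below stop, 0 = always on."""

    def __init__(self, start: int, stop: int) -> None:
        reason = validate_thresholds(start, stop)
        if reason:
            raise ValueError(reason)
        self.start, self.stop = start, stop
        self.always_on = start == 0
        self.active = self.always_on

    def update(self, half_open_sess_count: int) -> bool:
        """Feed the current half-open count; return True while challenging."""
        if self.always_on:
            return True
        if not self.active and half_open_sess_count > self.start:
            self.active = True
        elif self.active and half_open_sess_count < self.stop:
            self.active = False
        return self.active


def challenge_trace(start: int, stop: int, counts):
    """Decision per sample for a constructed sequence of half-open counts."""
    cc = CookieChallenge(start, stop)
    return [cc.update(c) for c in counts]


if __name__ == "__main__":
    # Constructed trace: half-open IKE_SA_INIT exchanges climb past 50000
    # (initiators that never complete) and then drain back below 20000.
    trace = [10000, 50000, 50001, 30000, 20000, 19999, 25000]
    print(challenge_trace(50000, 20000, trace))
    # → [False, False, True, True, True, False, False]
```

The gap between start and stop is what keeps the challenge from flapping on and off while the half-open count hovers near a single threshold.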
• ignore: The IKEv2 stack ignores the specified soft limit for Child SAs.
• terminate: The IKEv2 stack rejects any new Child SAs if the specified soft limit is reached.

Configures the default, no nai idr. As a result, the default behavior is for the PDIF-service IP address to be sent as the IDr value of type ID_IP_ADDR.

no nai idr configures the value whereby the PDIF service IP address is sent as the IDr value with the type ID_IP_ADDR. This is the default condition.

nai idr name

Configures the NAI IDr type parameter. If no id-type is specified, then rfc822-addr is assumed.
• rfc822-addr: configures NAI Type ID_RFC822_ADDR.
• fqdn: configures NAI Type ID_FQDN.
• ip-addr: configures NAI Type ID_IP_ADDR.
• key-id: configures NAI Type ID_KEY_ID.

payload name

• match ipv4: Configures this payload to be applicable to IPSec Child Security Association requests for IPv4.
• match ipv6: Configures this payload to be applicable to IPSec Child Security Association requests for IPv6.

Two payloads are required: one each for MIP and IKEv2. The first payload is used for establishing the initial Child SA Tunnel Inner Address (TIA), which will be torn down. The second payload is used for establishing the remaining Child SAs. Note that if there is no second payload defined with home-address as the ip-address-allocation, then no MIP call can be established, just a Simple IP call.

Crypto Template Payload Configuration Mode commands are defined in the Crypto Template IKEv2-Dynamic Payload Configuration Mode Commands chapter.

The following command configures a crypto template payload called payload5 and enters the Crypto Template Payload Configuration Mode:

peer network ip_address { /mask | mask ip_mask } [ encrypted pre-shared-key key | pre-shared-key key ]

• /mask: specifies the subnet mask bits. mask must be an integer value from 1 to 32 for IPv4 addresses and 1 to 128 for IPv6 addresses (CIDR notation).
• mask ip_mask: specifies the subnet mask in IPv4 dotted-decimal or IPv6 colon-separated notation.
• encrypted pre-shared-key key: Specifies that an encrypted pre-shared key is to be used for IPSec authentication for the address range. key must be an alphanumeric string or hexadecimal sequence of 16 to 64 characters.
• pre-shared-key key: Specifies that a pre-shared key is to be used for IPSec authentication for the address range. key must be an alphanumeric string or hexadecimal sequence of 1 to 32 characters.

The following command configures a set of IP addresses with starting address of 10.2.3.4 and a bit mask of 8: