Important: The commands or keywords/variables that are available are dependent on platform type, product version, and installed license(s).
authentication { eap-profile name [ second-phase eap-profile name ] | gateway { encrypted key value | key clear_text } | local { certificate | pre-shared-key { encrypted key value | key clear_text } } | remote { certificate | eap-profile name [ second-phase eap-profile name ] | pre-shared-key { encrypted key value | key clear_text } } }

eap-profile name [ second-phase eap-profile name ]
Specifies that authentication is to be performed using a named EAP profile. name must be from 1 to 127 alpha and/or numeric characters. Entering this keyword places the CLI in the EAP Authentication Configuration Mode. The second-phase eap-profile name is only required for installations using multiple authentications; that name must also be from 1 to 127 alpha and/or numeric characters.

gateway { encrypted key value | key clear_text }
encrypted key value: Specifies that the pre-shared key used for authentication is encrypted. value must be between 1 and 255 alpha and/or numeric characters.
key clear_text: Specifies that the pre-shared key used for authentication is clear text. clear_text must be between 1 and 255 alpha and/or numeric characters.

local { certificate | pre-shared-key { encrypted key value | key clear_text } }
certificate: Specifies that the certificate method of authentication must be used for services using the crypto template.
pre-shared-key { encrypted key value | key clear_text }: Specifies that a pre-shared key is to be used for services using the crypto template. encrypted key value configures an encrypted pre-shared key; value must be between 1 and 255 alpha and/or numeric characters. key clear_text configures a clear text pre-shared key; clear_text must be between 1 and 255 alpha and/or numeric characters.

remote { certificate | eap-profile name [ second-phase eap-profile name ] | pre-shared-key { encrypted key value | key clear_text } }
certificate: Specifies that the certificate method of remote authentication must be used for services using the crypto template.
eap-profile name [ second-phase eap-profile name ]: Specifies that remote authentication is to be performed using a named EAP profile. name must be from 1 to 127 alpha and/or numeric characters. Entering this keyword places the CLI in the EAP Authentication Configuration Mode. The second-phase eap-profile name is only required for installations using multiple authentications; that name must also be from 1 to 127 alpha and/or numeric characters.
pre-shared-key { encrypted key value | key clear_text }: Specifies that a pre-shared key is to be used for services using the crypto template. encrypted key value configures an encrypted pre-shared key; value must be between 1 and 255 alpha and/or numeric characters. key clear_text configures a clear text pre-shared key; clear_text must be between 1 and 255 alpha and/or numeric characters.

Entering the authentication eap-profile command results in the following prompt:

The following command enables authentication via an EAP profile named eap23 for subscribers using the service with this crypto template:

authentication eap-profile eap23

ca-crl-name name
CA-CRLs are configured in the Global Configuration Mode. For more information about configuring CA-CRLs, refer to the ca-crl name command in the Global Configuration Mode Commands chapter.

name name
Use the following example to prevent a certificate from being included in the Auth Exchange payload:
• clear-bit: Clears the DF bit from the outer IP header (sets it to 0).
• copy-bit: Copies the DF bit from the inner IP header to the outer IP header. This is the default action.
• set-bit: Sets the DF bit in the outer IP header (sets it to 1).
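The three DF-bit policies above act on a single bit of the outer (tunnel) IPv4 header. The following is an added example, not code from the Cisco page: it builds a constructed inner IPv4 header, then derives the outer header's DF bit under each policy exactly as the keywords describe (clear-bit forces 0, set-bit forces 1, copy-bit mirrors the inner header). The addresses, identification value and payload length are constructed sample data; the DF bit position (0x4000 in the flags/fragment-offset field at byte offset 6) and the header checksum are per RFC 791.

```python
"""Added example (not from the Cisco page): how the clear-bit / copy-bit /
set-bit policies act on the outer IPv4 header of a tunnel-mode packet.

The IPv4 flags occupy the top three bits of the 16-bit field at byte offset 6;
DF is the 0x4000 bit (RFC 791). Addresses and the inner header are constructed
sample data."""
import struct

DF = 0x4000          # Don't Fragment bit within the flags/fragment-offset field
IP_PROTO_ESP = 50    # outer header carries ESP after IPsec encapsulation


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over the header (checksum field zeroed)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_inner_ipv4(src: bytes, dst: bytes, df: bool, payload_len: int = 100) -> bytes:
    """Minimal 20-byte IPv4 header standing in for the 'inner' packet (header only)."""
    flags_frag = DF if df else 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                      flags_frag, 64, 17, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def df_bit(header: bytes) -> bool:
    """Return True if DF is set in an IPv4 header."""
    return bool(struct.unpack("!H", header[6:8])[0] & DF)


def build_outer_ipv4(inner: bytes, policy: str, tun_src: bytes, tun_dst: bytes,
                     esp_overhead: int = 40) -> bytes:
    """Build the outer (tunnel) IPv4 header, deriving its DF bit from `policy`:
    'clear-bit' -> 0, 'set-bit' -> 1, 'copy-bit' -> same as the inner header."""
    if policy == "clear-bit":
        flags_frag = 0
    elif policy == "set-bit":
        flags_frag = DF
    elif policy == "copy-bit":
        flags_frag = DF if df_bit(inner) else 0
    else:
        raise ValueError("unknown DF policy: %r" % policy)
    inner_total_len = struct.unpack("!H", inner[2:4])[0]
    total_len = 20 + esp_overhead + inner_total_len        # outer hdr + ESP + inner packet
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, flags_frag, 64,
                      IP_PROTO_ESP, 0, tun_src, tun_dst)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


# Constructed sample: a client packet with DF set (typical for path-MTU discovery)
INNER_DF = build_inner_ipv4(b"\x0a\x00\x00\x02", b"\xc0\xa8\x01\x01", df=True)
INNER_NO_DF = build_inner_ipv4(b"\x0a\x00\x00\x02", b"\xc0\xa8\x01\x01", df=False)
TUN_SRC, TUN_DST = b"\xc6\x33\x64\x01", b"\xcb\x00\x71\x01"   # 198.51.100.1 -> 203.0.113.1


def outer_df(inner: bytes, policy: str) -> bool:
    """DF bit of the outer header that `policy` would produce for this inner packet."""
    return df_bit(build_outer_ipv4(inner, policy, TUN_SRC, TUN_DST))


if __name__ == "__main__":
    for inner, label in ((INNER_DF, "inner DF=1"), (INNER_NO_DF, "inner DF=0")):
        for policy in ("clear-bit", "copy-bit", "set-bit"):
            print("%-10s %-9s -> outer DF=%d" % (label, policy, outer_df(inner, policy)))
```

The practical point: with copy-bit (the default) an inner packet that has DF set produces an outer packet that also cannot be fragmented, so the ESP overhead added by the tunnel must fit within the path MTU or the packet is dropped; clear-bit lets the tunnel packet be fragmented in the network instead.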
• ignore-rekeying-requests: Ignore any IKE_SA rekeying requests received.
• keepalive-user-activity: Keepalive messages received from peer will not reset the user inactivity timer.
• max-retransmission: Set the number of IKEv2 IKE exchange request retransmissions if the corresponding response has not been received. Default is 5.
• mobike: Set MOBIKE to disable.
• policy error-notification: Set the default policy error notification method to send error notify messages to the MS.
• rekey: Set the default rekeying of IKE_SA to disabled.
• retransmission-timeout: Set the maximum number of milliseconds to elapse before an IKEv2 IKE exchange request is retransmitted if the corresponding IKEv2 IKE exchange response has not been received to 500.
• setup timer: Set the number of seconds to elapse before a non-fully-established IKEv2 IKE SA is terminated to 60.

Configures the default dns-handling condition as normal. In normal mode, PDIF always returns the DNS address in the config payload in the second authentication phase if one is received from either the configuration or the HA. In custom mode, depending on the number of INTERNAL_IP4_DNS, PDIF supports the following behaviors:

The following configuration applies the custom dns-handling mode:

The half-open-sess-count is the number of half-open sessions per IPsec
• start: The functionality will start when the current half-open-sess-count exceeds the start count. The start count is an integer from 0 to 100000.
• stop: The functionality will stop when the current half-open-sess-count drops below the stop count. The stop count is an integer from 0 to 100000 and is always less than or equal to the start count.

Important: The start count value 0 is a special case whereby this feature is always enabled. In this event, both start and stop must be 0.
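The start/stop pair above is a hysteresis threshold: the feature engages when the half-open count rises above start and disengages only once the count falls below stop, so a count hovering near one threshold does not flap the feature on and off. The following is an added example, not code from the Cisco page, that models that behaviour together with the constraints stated above (0 to 100000, stop <= start, start 0 means always enabled and requires stop 0). The sequence of half-open counts is constructed sample data.

```python
"""Added example (not from the Cisco page): a model of the half-open session
start/stop thresholds described above, including the start-0 special case."""

MAX_COUNT = 100000


def validate(start: int, stop: int) -> list:
    """Return the configuration problems for a start/stop pair (empty if valid)."""
    problems = []
    for name, val in (("start", start), ("stop", stop)):
        if not 0 <= val <= MAX_COUNT:
            problems.append("%s must be 0..%d, got %d" % (name, MAX_COUNT, val))
    if stop > start:
        problems.append("stop (%d) must be <= start (%d)" % (stop, start))
    if start == 0 and stop != 0:
        problems.append("start 0 (always enabled) requires stop 0")
    return problems


class HalfOpenGuard:
    def __init__(self, start: int, stop: int) -> None:
        problems = validate(start, stop)
        if problems:
            raise ValueError("; ".join(problems))
        self.start = start
        self.stop = stop
        self.always_on = start == 0          # page: start 0 => feature always enabled
        self.active = self.always_on
        self.transitions = []                # (count, new_state), useful for alerting

    def observe(self, half_open_count: int) -> bool:
        """Feed the current number of half-open sessions; return whether the
        protection is active after this observation."""
        if self.always_on:
            return True
        if not self.active and half_open_count > self.start:      # exceeds start
            self.active = True
            self.transitions.append((half_open_count, True))
        elif self.active and half_open_count < self.stop:         # drops below stop
            self.active = False
            self.transitions.append((half_open_count, False))
        return self.active


def run(start: int, stop: int, counts) -> list:
    """Return the active flag after each observation in `counts`."""
    guard = HalfOpenGuard(start, stop)
    return [guard.observe(c) for c in counts]


# Constructed sample: a burst of half-open IKE_SA_INITs that ramps up, decays, and returns.
SAMPLE_COUNTS = [100, 500, 1000, 1001, 900, 600, 500, 499, 2000]

if __name__ == "__main__":
    print(run(1000, 500, SAMPLE_COUNTS))   # feature engages at 1001, releases at 499
```

Note that a count equal to start (1000) does not engage the feature and a count equal to stop (500) does not release it; the page says "exceeds" and "drops below", and the model follows that wording.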
ikev2-ikesa { allow-empty-ikesa | keepalive-user-activity | max-retransmissions number | retransmission-timeout msec | policy error-notification [ invalid-message-id | invalid-syntax ] | rekey | setup-timer sec | transform-set list name }
no ikev2-ikesa { allow-empty-ikesa | keepalive-user-activity | list name | policy error-notification [ invalid-message-id | invalid-syntax ] | rekey }

max-retransmissions number
Specifies the maximum number of retransmissions of an IKEv2 IKE exchange request if a response has not been received. number must be an integer from 1 to 8.

retransmission-timeout msec
Specifies the timeout period in milliseconds before a retransmission of an IKEv2 IKE exchange request is sent (if the corresponding response has not been received). msec must be an integer from 300 to 15000.

setup-timer sec
Specifies the number of seconds before an IKEv2 IKE Security Association that is not fully established is terminated. sec must be an integer from 1 to 3600.

transform-set list name
Specifies the name of a context-level configured IKEv2 IKE Security Association transform set. name must be an existing IKEv2 IKESA Transform Set and be from 1 to 127 alpha and/or numeric characters.

The following command associates the IKEv2 IKESA transform set named ikesa43 with this crypto template:

ikev2-ikesa transform-set list ikesa43

The keepalive keywords are:

interval sec
Specifies the amount of time in seconds that must elapse before the next keepalive request is sent. sec must be an integer from 10 to 3600.

timeout sec
Specifies the amount of time in seconds that the system will wait without receiving a reply before retrying the keepalive request. sec must be an integer from 10 to 3600.

num-retry num
Specifies the number of times the system will retry a non-responsive peer before defining the peer as off-line or out-of-service. num must be an integer from 1 to 100.
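The interval, timeout and num-retry keywords together determine how long a dead peer keeps an SA alive before it is declared out-of-service. The following is an added example, not code from the Cisco page: a discrete-event model of those three keywords that validates the ranges given above and then walks time second by second, sending a request every interval, retrying after timeout, and declaring the peer down after num-retry unanswered retries. The page gives the ranges but not the exact retry schedule, so the assumption that retries are spaced by timeout (and that a reply resets the count) is the example's own; the reply times are constructed sample data.

```python
"""Added example (not from the Cisco page): a model of the keepalive
interval / timeout / num-retry keywords described above.

Assumption (not stated on the page): a request goes out every `interval`
seconds, an unanswered request is retried after `timeout` seconds, and the
peer is declared out-of-service once `num_retry` retries have also gone
unanswered. Reply times are constructed sample data."""


def validate_keepalive(interval: int, timeout: int, num_retry: int) -> list:
    """Return the page's range violations for these values (empty list if valid)."""
    problems = []
    if not 10 <= interval <= 3600:
        problems.append("interval %d outside 10..3600" % interval)
    if not 10 <= timeout <= 3600:
        problems.append("timeout %d outside 10..3600" % timeout)
    if not 1 <= num_retry <= 100:
        problems.append("num-retry %d outside 1..100" % num_retry)
    return problems


def worst_case_detection_time(timeout: int, num_retry: int) -> int:
    """Seconds from the first unanswered request until the peer is declared down:
    the initial request plus num_retry retries, each waiting `timeout`."""
    return timeout * (num_retry + 1)


def simulate(interval: int, timeout: int, num_retry: int, reply_times, horizon: int):
    """Walk time in 1-second steps up to `horizon`. `reply_times` holds the seconds
    at which the peer answers an outstanding request. Returns
    (second_at_which_peer_was_declared_down or None, number_of_requests_sent)."""
    problems = validate_keepalive(interval, timeout, num_retry)
    if problems:
        raise ValueError("; ".join(problems))
    replies = set(reply_times)
    sent = 0
    outstanding_since = None    # time the current unanswered request was sent
    failures = 0                # consecutive unanswered requests (initial + retries)
    next_periodic = 0           # when the next regular keepalive is due
    for now in range(horizon):
        if outstanding_since is not None and now in replies:
            outstanding_since, failures = None, 0          # peer is alive; reset
            next_periodic = now + interval
        if outstanding_since is None and now >= next_periodic:
            outstanding_since, sent = now, sent + 1        # regular keepalive
        elif outstanding_since is not None and now - outstanding_since >= timeout:
            failures += 1
            if failures > num_retry:                       # initial + num_retry all failed
                return now, sent
            outstanding_since, sent = now, sent + 1        # retry
    return None, sent


# Constructed sample: peer answers one second after each request, then goes silent.
RESPONSIVE_UNTIL_100 = {1, 32, 63, 94}

if __name__ == "__main__":
    print(simulate(30, 10, 3, RESPONSIVE_UNTIL_100, horizon=300))   # (164, 8)
    print(worst_case_detection_time(10, 3))                          # 40
```

With interval 30, timeout 10 and num-retry 3 the peer that stops answering after t=94 is declared down at t=164: the regular request at t=124 and three retries each wait ten seconds, matching worst_case_detection_time. At the maximum values allowed (timeout 3600, num-retry 100) a dead peer would hold its SA for days, so the upper ends of these ranges are not sensible defaults.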
• ignore: The IKEv2 stack ignores the specified soft limit for Child SAs.
• terminate: The IKEv2 stack rejects any new Child SAs if the specified soft limit is reached.

nai idr
Configures the default command no nai idr. As a result, the default behavior is for the PDIF-service IP address to be sent as the IDr value of type ID_IP_ADDR. no nai idr configures the value whereby the PDIF service IP address is sent as the IDr value with the type ID_IP_ADDR; this is the default condition.

idr name
name is a string of up to 79 alpha and/or numeric characters.

id-type
Configures the NAI IDr id-type parameter. If no id-type is specified, then rfc822-addr is assumed.
• rfc822-addr: configures NAI Type ID_RFC822_ADDR.
• fqdn: configures NAI Type ID_FQDN.
• ip-addr: configures NAI Type ID_IP_ADDR.
• key-id: configures NAI Type ID_KEY_ID.

payload name
Specifies the name of a new or existing crypto template payload. name must be from 1 to 127 alpha and/or numeric characters.
• ipv4: Configures this payload to be applicable to IPSec Child Security Association requests for IPv4.
• ipv6: Configures this payload to be applicable to IPSec Child Security Association requests for IPv6.

Two payloads are required: one each for MIP and IKEv2. The first payload is used for establishing the initial Child SA Tunnel Inner Address (TIA), which will be torn down. The second payload is used for establishing the remaining Child SAs. Note that if there is no second payload defined with home-address as the ip-address-allocation, then no MIP call can be established, just a Simple IP call.

Crypto Template Payload Configuration Mode commands are defined in the Crypto Template IKEv2-Dynamic Payload Configuration Mode Commands chapter.

The following command configures a crypto template payload called payload5 and enters the Crypto Template Payload Configuration Mode:

peer network ip_address { /mask | mask ip_mask } [ encrypted pre-shared-key key | pre-shared-key key ]

/mask specifies the subnet mask bits. mask must be an integer value from 1 to 32 for IPv4 addresses and 1 to 128 for IPv6 addresses.
mask ip_mask specifies the subnet mask in dotted decimal notation for IPv4 addresses and colon-separated notation for IPv6 addresses.
encrypted pre-shared-key key: Specifies that an encrypted pre-shared key is to be used for IPSec authentication for the address range. key must be a string or hexadecimal sequence from 16 to 64 characters.
pre-shared-key key: Specifies that a pre-shared key is to be used for IPSec authentication for the address range. key must be a string or hexadecimal sequence from 1 to 32 characters. The CLI accepts a key as short as a single character; since the pre-shared key is the only credential authenticating IKE peers in that address range, use a long random value.
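Returning to the nai idr id-type values (rfc822-addr, fqdn, ip-addr, key-id) listed above: each selects a different encoding of the IDr Identification payload that the PDIF sends in IKE_AUTH, and the initiator compares that payload against the identity it expects. The following is an added example, not code from the Cisco page or Cisco software, that encodes and decodes the payload for those four types following RFC 7296 section 3.5. The type codes are the IANA values (ID_IPV4_ADDR=1, which is what the page's ID_IP_ADDR denotes for an IPv4 service address; ID_FQDN=2; ID_RFC822_ADDR=3; ID_KEY_ID=11); the NAI, FQDN and addresses in the demo are constructed sample data, and the idr_for_service helper and its default IP are the example's own.

```python
"""Added example (not from the Cisco page): wire encoding of the IKEv2
Identification payload for the nai idr id-type values rfc822-addr, fqdn,
ip-addr (IPv4 only here) and key-id, per RFC 7296 section 3.5.

Identities used below are constructed sample data."""
import ipaddress
import struct

ID_TYPES = {"ip-addr": 1, "fqdn": 2, "rfc822-addr": 3, "key-id": 11}   # IANA values
ID_NAMES = {v: k for k, v in ID_TYPES.items()}
NO_NEXT_PAYLOAD = 0


def encode_id_payload(id_type: str, identity: str, next_payload: int = NO_NEXT_PAYLOAD) -> bytes:
    """Generic payload header (4 bytes) + ID type and 3 reserved bytes + identification data."""
    if id_type == "ip-addr":
        data = ipaddress.IPv4Address(identity).packed      # 4 raw octets, not dotted text
    elif id_type in ("fqdn", "rfc822-addr"):
        data = identity.encode("ascii")                    # no terminating NUL (RFC 7296)
    elif id_type == "key-id":
        data = identity.encode("utf-8")                    # opaque octet string
    else:
        raise ValueError("unknown id-type %r" % id_type)
    length = 4 + 4 + len(data)
    return (struct.pack("!BBH", next_payload, 0, length)   # next payload, critical=0, length
            + struct.pack("!B3x", ID_TYPES[id_type])       # ID type + RESERVED
            + data)


def decode_id_payload(raw: bytes):
    """Parse a payload produced by encode_id_payload(); returns (id_type, identity).
    Rejects inconsistent lengths, the critical bit, and unknown types."""
    if len(raw) < 8:
        raise ValueError("payload too short")
    next_payload, flags, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("length field %d != %d bytes supplied" % (length, len(raw)))
    if flags & 0x80:
        raise ValueError("critical bit set on ID payload")   # must be 0 for this payload
    code, data = raw[4], raw[8:]
    if code not in ID_NAMES:
        raise ValueError("unsupported ID type %d" % code)
    id_type = ID_NAMES[code]
    if id_type == "ip-addr":
        if len(data) != 4:
            raise ValueError("ID_IPV4_ADDR must carry exactly 4 octets")
        return id_type, str(ipaddress.IPv4Address(data))
    if id_type == "key-id":
        return id_type, data.decode("utf-8")
    return id_type, data.decode("ascii")


def idr_for_service(name: str = None, id_type: str = "rfc822-addr",
                    service_ip: str = "198.51.100.1") -> bytes:
    """Mirror the page's rule: with no nai idr configured, the service IP is sent as
    ID_IP_ADDR; with a name, rfc822-addr is assumed unless an id-type is given.
    (Helper and default address are this example's own.)"""
    if name is None:
        return encode_id_payload("ip-addr", service_ip)
    return encode_id_payload(id_type, name)


if __name__ == "__main__":
    for t, v in (("rfc822-addr", "pdif@example.net"), ("fqdn", "pdif.example.net"),
                 ("ip-addr", "198.51.100.1"), ("key-id", "pdif-01")):
        raw = encode_id_payload(t, v)
        print("%-12s %s -> %s" % (t, raw.hex(), decode_id_payload(raw)))
```

The encoding matters to the peer: a client configured to expect the gateway's identity as an rfc822 NAI will not match a responder that sends its IP address as ID_IPV4_ADDR (the page's default when no nai idr is configured), so the id-type chosen here must agree with what the remote side validates against.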
Cisco Systems Inc.
Tel: 408-526-4000
Fax: 408-527-0883