Crypto Template IKEv2-Dynamic Payload Configuration Mode Commands

The Crypto Template IKEv2-Dynamic Payload Configuration Mode is used to assign the correct IPSec transform set from a list of up to four different transform sets, and to assign Mobile IP addresses. Two payloads should be configured. The first must use a dynamic addressing scheme, from which the ChildSA gets a TIA address. The second supplies the ChildSA with a HoA, which is the default setting for ip-address-allocation.

IMPORTANT:

The commands or keywords/variables that are available are dependent on platform type, product version, and installed license(s).

default

Sets or restores the default value for the specified parameter.

Platform:

ASR 5000

ASR 5500

Product:

ePDG, PDIF


Privilege:

Security Administrator, Administrator


Syntax
default { ignore-rekeying-requests | ip-address-allocation | lifetime | maximum-child-sa | rekey | tsi | tsr }
ignore-rekeying-requests

Configures the system to ignore IPSec SA rekey requests.

ip-address-allocation

Configures the crypto map payload IP address allocation scheme to be the home address.

lifetime

Configures the default lifetime for IPSec Child SAs derived from this crypto template. Default: 86400 seconds.

maximum-child-sa

Configures the maximum number of IPSec Child SAs to be derived from an IKEv2 IKE SA by default.

rekey

Configures the system to disable Child SA rekeying.

tsi

Configures the default TSi payload to be that of the mobile endpoint.

tsr

Configures the default TSr payload option.


Usage:

Configures system defaults.


Example:
Use the following configuration to set the TSi payload start-address to be that of the mobile endpoint:
default tsi
end

Exits the current configuration mode and returns to the Exec mode.

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
end

Usage:

Use this command to return to the Exec mode.

exit

Exits the current mode and returns to the parent configuration mode.

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
exit

Usage:

Use this command to return to the parent configuration mode.

ignore-rekeying-requests

Ignores CHILD SA rekey requests from the Packet Data Interworking Function (PDIF).

Platform:

ASR 5000

ASR 5500

Product:

ePDG, PDIF


Privilege:

Security Administrator, Administrator


Syntax
ignore-rekeying-requests

Usage:

Prevents creation of a CHILD SA based on this crypto template.


Example:
The following command prevents creation of a CHILD SA based on this crypto template:
ignore-rekeying-requests
ip-address-allocation

Configures IP address allocation for subscribers using this crypto template payload. Configure two payloads per crypto template. The first must have a dynamic address to assign a tunnel inner address (TIA) to the ChildSA. The second payload is configured after a successful Mobile IP (MIP) initiation and can use the default Home Address (HoA) option.

Platform:

ASR 5000

ASR 5500

Product:

PDIF


Privilege:

Security Administrator, Administrator


Syntax
ip-address-allocation { dynamic | home-address }
default ip-address-allocation
ip-address-allocation dynamic

Specifies that the IP address for the subscriber is allocated from a dynamic IP pool.

ip-address-allocation home-address

The IP address for the subscriber is allocated by the Home Agent. This is the default setting for this command.


Usage:

Use this command to configure how ChildSA payloads are allocated IP addresses for this crypto template.


Example:
The following command is for the first ChildSA and will ensure that it gets a TIA address from an IP address pool:
ip-address-allocation dynamic
The following command is for the second ChildSA and will ensure that it gets a HoA address from the HA:
default ip-address-allocation
ipsec

Configures the IPSec transform set to be used for this crypto template payload.

Platform:

ASR 5000

ASR 5500

Product:

ePDG, PDIF


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ipsec transform-set list name
no

Specifies the IPSec transform set to be deleted. This is a space-separated list. From 1 to 4 transform sets can be entered. name must be an alphanumeric string of 1 through 127 characters.

ipsec transform-set list name

Specifies the context configured IPSec transform set name to be used in the crypto template payload. This is a space-separated list. From 1 to 4 transform sets can be entered. name must be an alphanumeric string of 1 through 127 characters.


Usage:

Use this command to list the IPSec transform set(s) to use in this crypto template payload.


Example:
The following command configures IPSec transform sets named ipset1 and ipset2 to be used in this crypto template payload:
ipsec transform-set list ipset1 ipset2
lifetime

Configures the number of seconds for IPSec Child SAs derived from this crypto template payload to exist.

Platform:

ASR 5000

ASR 5500

Product:

ePDG, PDIF


Privilege:

Security Administrator, Administrator


Syntax
lifetime { sec [ kilo-bytes kbytes ] | kilo-bytes kbytes }
default lifetime
sec

Specifies the number of seconds for IPSec Child Security Associations derived from this crypto template payload to exist. sec must be an integer from 60 through 604800. Default: 86400

kilo-bytes kbytes

Specifies lifetime in kilobytes for IPSec Child Security Associations derived from this crypto template payload. kbytes must be an integer from 1 through 2147483647.

default lifetime

Sets the lifetime to its default value of 86400 seconds.


Usage:

Use this command to configure the number of seconds and/or kilobytes for IPSec Child Security Associations derived from this crypto template payload to exist.


Example:
The following command configures the IPSec child SA lifetime to be 120 seconds:
lifetime 120
maximum-child-sa

Configures the maximum number of IPSec child security associations that can be derived from a single IKEv2 IKE security association.

Platform:

ASR 5000

ASR 5500

Product:

PDIF


Privilege:

Security Administrator, Administrator


Syntax
maximum-child-sa num
default maximum-child-sa
maximum-child-sa num

Specifies the maximum number of IPSec child security associations that can be derived from a single IKEv2 IKE security association. num must be 1. Default: 1

default maximum-child-sa

Sets the maximum number of Child SAs to its default value of 1.


Usage:

Use this command to configure the maximum number of IPSec child security associations that can be derived from a single IKEv2 IKE security association.


Example:
The following command configures the maximum number of child SAs to 1:
maximum-child-sa 1
rekey

Configures IPSec Child Security Association rekeying.

Platform:

ASR 5000

ASR 5500

Product:

ePDG, PDIF


Privilege:

Security Administrator, Administrator


Syntax
[ no ] rekey [ keepalive ]
no

Disables this feature.

keepalive

If specified, a session will be rekeyed even if there has been no data exchanged since the last rekeying operation. By default, rekeying is only performed if there has been data exchanged since the previous rekey.


Usage:

Use this command to enable or disable the ability to rekey IPSec Child SAs after approximately 90% of the Child SA lifetime has expired. The default, and recommended setting, is not to perform rekeying. No rekeying means the PDIF will not originate rekeying operations and will not process CHILD SA rekeying requests from the UE.


Example:
The following command disables rekeying:
no rekey
tsi

Configures the IKEv2 Traffic Selector-Initiator (TSi) payload address options.

Platform:

ASR 5000

ASR 5500

Product:

PDIF


Privilege:

Security Administrator, Administrator


Syntax
tsi start-address { any { end-address any } | endpoint { end-address endpoint } }
any { end-address any }

Configures the TSi payload to allow all IP addresses.

endpoint { end-address endpoint }

Configures the TSi payload start-address to be that of the Mobile endpoint. This is the default value. endpoint is the mobile endpoint netmask.


Usage:

On receiving a successful IKE_SA_INIT Response from the PDIF, the MS sends an IKE_AUTH Request for the first EAP-AKA authentication. If the MS is capable of multiple authentication, it includes the MULTI_AUTH_SUPPORTED Notify payload in the IKE_AUTH Request. The MS also includes an IDi payload containing the NAI, together with the SA, TSi, TSr, and CP (requesting IP address and DNS address) payloads.


Example:
Use the following example to configure a TSi payload that allows all addresses:
tsi start-address any end-address any
tsr

Configures the IKEv2 Traffic Selector-Responder (TSr) payload address options.

Platform:

ASR 5000

Product:

PDG/TTG


Privilege:

Security Administrator, Administrator


Syntax
tsr start-address ipv4 address end-address ipv4 address
start-address ipv4 address

Configures the TSr payload to include the TSr start IPv4 address of an address range for the Phase 1 multiple traffic selector feature.

end-address ipv4 address

Configures the TSr payload to include the TSr end IPv4 address of an address range for the Phase 1 multiple traffic selector feature.


Usage:

As part of Phase 1 of the Multiple Traffic Selector feature, this command is used to specify an IPv4 address range in the single TSr payload that the PDG/TTG returns in the last IKE_AUTH message. This TSr is Child SA-specific.


Example:
Use the following example to configure a TSr payload that specifies an IPv4 address range for the payload:
tsr start-address ipv4 10.2.3.4 end-address 10.2.3.155
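The following is an added example, not part of this command reference: a small Python audit that checks payload configuration lines against the value ranges documented above (the ipsec transform-set list, the lifetime sec and kbytes ranges, the maximum-child-sa limit, the tsr address range) and the rule that the first payload must use dynamic allocation. The payload names and sample lines are constructed, and the "hoa" payload deliberately violates several ranges.

```python
import ipaddress
import re

# Constructed sample of the two-payload scheme this mode describes: the first
# payload takes a TIA from a dynamic pool, the second keeps the HoA default.
SAMPLE_TEMPLATE = {
    "tia": ["ip-address-allocation dynamic", "ipsec transform-set list ipset1 ipset2",
            "lifetime 120", "maximum-child-sa 1", "no rekey"],
    "hoa": ["ipsec transform-set list ipset1",
            "lifetime 30 kilo-bytes 0",        # sec below 60, kbytes below 1
            "maximum-child-sa 2",              # only 1 is accepted
            "tsr start-address ipv4 10.2.3.155 end-address 10.2.3.4"],  # reversed range
}
NAME_RE = re.compile(r"^[A-Za-z0-9]{1,127}$")  # transform-set name: 1-127 alphanumeric

def check_payload(lines):
    """Return violations of the value ranges given in this command reference."""
    errors = []
    for line in lines:
        tok = line.split()
        if tok[:3] == ["ipsec", "transform-set", "list"]:
            if not 1 <= len(tok) - 3 <= 4 or not all(NAME_RE.match(n) for n in tok[3:]):
                errors.append(f"{line}: 1 to 4 alphanumeric names of 1-127 characters")
        elif tok[:1] == ["lifetime"]:
            args = tok[1:] + ["", ""]                     # pad so indexing never fails
            if args[0] != "kilo-bytes":                   # leading sec value
                if not (args[0].isdigit() and 60 <= int(args[0]) <= 604800):
                    errors.append(f"{line}: sec must be 60-604800")
                args = args[1:]
            if args[0] == "kilo-bytes" and not (args[1].isdigit() and 1 <= int(args[1]) <= 2147483647):
                errors.append(f"{line}: kbytes must be 1-2147483647")
        elif tok[:1] == ["maximum-child-sa"] and tok[1:] != ["1"]:
            errors.append(f"{line}: only 1 Child SA per IKE SA is accepted")
        elif tok[:1] == ["tsr"]:
            addrs = [t for t in tok[1:] if t not in ("start-address", "end-address", "ipv4")]
            try:
                start, end = (ipaddress.IPv4Address(a) for a in addrs)
                if start > end:
                    errors.append(f"{line}: start-address must not exceed end-address")
            except ValueError:
                errors.append(f"{line}: expected exactly two IPv4 addresses")
    return errors

def check_template(payloads):
    errors = {n: check_payload(lines) for n, lines in payloads.items()}
    first = next(iter(payloads))                      # first payload must take a TIA from a pool
    if "ip-address-allocation dynamic" not in payloads[first]:
        errors[first].append("first payload must use ip-address-allocation dynamic")
    return errors
```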