- Configuring Internet Key Exchange Version 2 (IKEv2)
- Call Admission Control for IKE
- Certificate to ISAKMP Profile Mapping
- Encrypted Preshared Key
- Fragmentation of IKE Packets
- IKE Responder-Only Mode
- Distinguished Name Based Crypto Maps
- IPsec and Quality of Service
- VRF-Aware IPsec
- IKE: Initiate Aggressive Mode (12.2(8)T FM)
- Configuring Internet Key Exchange for IPsec VPNs
- Finding Feature Information
- Contents
- Prerequisites for IKE Responder-Only Mode
- Restrictions for IKE Responder-Only Mode
- Information About IKE Responder-Only Mode
- How to Configure IKE Responder-Only Mode
- Configuration Examples for IKE Responder-Only Mode
- Additional References
- Feature Information for IKE Responder-Only Mode
IKE Responder-Only Mode
The IKE Responder-Only Mode feature provides support for controlling the initiation of Internet Key Exchange (IKE) negotiation and rekeying. When a device is configured as a responder-only device, it will not initiate IKE main, aggressive, or quick modes (for IKE and IP security [IPsec] security association [SA] establishment) nor will it rekey IKE and IPsec SAs. The device will respond to any negotiations initiated by its peers.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for IKE Responder-Only Mode" section.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp. An account on Cisco.com is not required.
Contents
•
Prerequisites for IKE Responder-Only Mode
•Restrictions for IKE Responder-Only Mode
•Information About IKE Responder-Only Mode
•How to Configure IKE Responder-Only Mode
•Configuration Examples for IKE Responder-Only Mode
•Feature Information for IKE Responder-Only Mode
Prerequisites for IKE Responder-Only Mode
•This feature is configurable only under an IPsec profile and is relevant only to a virtual interface scenario.
Restrictions for IKE Responder-Only Mode
•Neither static nor dynamic crypto maps are supported.
Information About IKE Responder-Only Mode
•Benefits of the IKE Responder-Only Mode Feature
Benefits of the IKE Responder-Only Mode Feature
Since the advent of virtual private network (VPN) features that allow simultaneous bidirectional IKE negotiations (with or without interesting traffic), issues with the handling and recovery of data from duplicate IKE SAs have occurred. IKE as a protocol has no ability to compare IKE negotiations to determine whether there is already an existing or in-process negotiation between two peers taking place. These duplicate negotiations can be costly in terms of resources and confusing to router administrators. When a device is configured as a responder-only device, it will not initiate IKE main, aggressive, or quick modes (for IKE and IPsec SA establishment), nor will it rekey IKE and IPsec SAs, thus the likelihood of duplicate SAs is reduced.
The other benefit of this feature is to allow controlled support for negotiating connections in one direction only in a load-balancing scenario. It is not recommended that the servers or hubs initiate VPN connections toward the clients or spokes because these devices are all being accessed by a single-facing IP address as advertised via the load balancer. If the hubs were to initiate the connection, they would be doing so using an individual IP address, thus circumventing the benefits of the load balancer. The same is true of rekeying requests being sourced from the hubs or servers behind the load balancer.
This feature is particularly relevant in static virtual interfaces where events such as routing protocol convergence can generate simultaneous tunnel negotiations.
How to Configure IKE Responder-Only Mode
•Configuring a Device As IKE Responder-Only
Configuring a Device As IKE Responder-Only
To configure your device as IKE responder-only, perform the following steps.
SUMMARY STEPS
1. enable
2. configure terminal
3. crypto ipsec profile name
4. responder-only
DETAILED STEPS
Configuration Examples for IKE Responder-Only Mode
The following example shows that a device has been configured as responder-only:
crypto ipsec profile vti
set transform-set 3dessha
set isakmp-profile clients
responder-only
Additional References
The following sections provide references related to the IKE Responder-Only Mode feature.
Related Documents
|
|
|
|---|---|
Security commands |
Standards
|
|
|
|---|---|
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature. |
— |
MIBs
RFCs
|
|
|
|---|---|
No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature. |
— |
Technical Assistance
Feature Information for IKE Responder-Only Mode
Table 1 lists the release history for this feature.
Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS, Catalyst OS, and Cisco IOS XE software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp. An account on Cisco.com is not required.
Note Table 1 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.
Feedback