end
Exits the current configuration mode and returns to the Exec mode.
Product
All
Privilege
Security Administrator, Administrator
Syntax
end
Usage Guidelines
Use this command to return to the Exec mode.
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
The Crypto Template IKEv2-Dynamic Payload Configuration Mode is used to assign the correct IPSec transform-set from a list of up to four different transform-sets, and to assign Mobile IP addresses. There should be two payloads configured. The first must have a dynamic addressing scheme from which the ChildSA gets a TIA address. The second payload supplies the ChildSA with a HoA, which is the default setting for ip-address-allocation .
Exec > Global Configuration > Context Configuration > Crypto Template Configuration > Crypto Template IKEv2-Dynamic Payload Configuration
configure > context context_name > crypto template template_name ikev2-dynamic > payload payload_name match childsa match { any | ipv4 | ipv6 }
Entering the above command sequence results in the following prompt:
[context_name]host_name(cfg-crypto-tmpl-ikev2-tunnel-payload)#
Important |
The commands or keywords/variables that are available are dependent on platform type, product version, and installed license(s). |
Exits the current configuration mode and returns to the Exec mode.
All
Security Administrator, Administrator
end
Use this command to return to the Exec mode.
Exits the current mode and returns to the parent configuration mode.
All
Security Administrator, Administrator
exit
Use this command to return to the parent configuration mode.
Ignores CHILD SA rekey requests from the Packet Data Interworking Function (PDIF).
All Security Gateway products
Security Administrator
Exec > Global Configuration > Context Configuration > Crypto Template Configuration > Crypto Template IKEv2-Dynamic Payload Configuration
configure > context context_name > crypto template template_name ikev2-dynamic > payload payload_name match childsa match { any | ipv4 | ipv6 }
Entering the above command sequence results in the following prompt:
[context_name]host_name(cfg-crypto-tmpl-ikev2-tunnel-payload)#
ignore-rekeying-requests
Prevents creation of a CHILD SA based on this crypto template.
ignore-rekeying-requests
Configures IP address allocation for subscribers using this crypto template payload. Configure two payloads per crypto template. The first must have a dynamic address to assign a tunnel inner address (TIA) to the ChildSA. The second payload is configured after a successful MAnaged IP (MIP) initiation and can use the default Home Address (HoA) option.
All Security Gateway products
Security Administrator
Exec > Global Configuration > Context Configuration > Crypto Template Configuration > Crypto Template IKEv2-Dynamic Payload Configuration
configure > context context_name > crypto template template_name ikev2-dynamic > payload payload_name match childsa match { any | ipv4 | ipv6 }
Entering the above command sequence results in the following prompt:
[context_name]host_name(cfg-crypto-tmpl-ikev2-tunnel-payload)#
ip-address-allocation { dynamic | home-address }
default ip-address-allocation
Sets IP address allocation to the home-address.
Specifies that the IP address for the subscriber is allocated from a dynamic IP pool.
The IP address for the subscriber is allocated by the Home Agent. This is the default setting for this command.
Use this command to configure how ChildSA payloads are allocated IP addresses for this crypto template.
ip-address-allocation dynamic
default ip-address-allocation
Configures the IPSec transform set to be used for this crypto template payload.
All Security Gateway products
Security Administrator
Exec > Global Configuration > Context Configuration > Crypto Template Configuration > Crypto Template IKEv2-Dynamic Payload Configuration
configure > context context_name > crypto template template_name ikev2-dynamic > payload payload_name match childsa match { any | ipv4 | ipv6 }
Entering the above command sequence results in the following prompt:
[context_name]host_name(cfg-crypto-tmpl-ikev2-tunnel-payload)#
[ no ] ipsec transform-set list name [ name2 ] [ name3 ] [ name4 ]
Specifies the IPSec transform set to be deleted. This is a space-separated list. From 1 to 4 transform sets can be entered. name must be an alphanumeric string of 1 through 127 characters.
Specifies the context configured IPSec transform set name to be used in the crypto template payload. This is a space-separated list. From 1 to 4 transform sets can be entered. name must be an alphanumeric string of 1 through 127 characters.
Use this command to list the IPSec transform set(s) to use in this crypto template payload.
ipsec transform-set list ipset1 ipset2
Configures the number of seconds for IPSec Child SAs derived from this crypto template payload to exist.
All Security Gateway products
Security Administrator
Exec > Global Configuration > Context Configuration > Crypto Template Configuration > Crypto Template IKEv2-Dynamic Payload Configuration
configure > context context_name > crypto template template_name ikev2-dynamic > payload payload_name match childsa match { any | ipv4 | ipv6 }
Entering the above command sequence results in the following prompt:
[context_name]host_name(cfg-crypto-tmpl-ikev2-tunnel-payload)#
lifetime { sec [ kilo-bytes kbytes ] | kilo-bytes kbytes }
default lifetime
Specifies the number of seconds for IPSec Child Security Associations derived from this crypto template payload to exist. sec must be an integer from 60 through 604800. Default: 86400
Specifies lifetime in kilobytes for IPSec Child Security Associations derived from this crypto template payload. kbytes must be an integer from 1 through 2147483647.
Sets the lifetime to its default value of 86400 seconds.
Use this command to configure the number of seconds and/or kilobytes for IPSec Child Security Associations derived from this crypto template payload to exist.
lifetime 120
Configures the maximum number of IPSec child security associations that can be derived from a single IKEv2 IKE security association.
All Security Gateway products
Security Administrator
Exec > Global Configuration > Context Configuration > Crypto Template Configuration > Crypto Template IKEv2-Dynamic Payload Configuration
configure > context context_name > crypto template template_name ikev2-dynamic > payload payload_name match childsa match { any | ipv4 | ipv6 }
Entering the above command sequence results in the following prompt:
[context_name]host_name(cfg-crypto-tmpl-ikev2-tunnel-payload)#
maximum-child-sa num
default maximum-child-sa
Specifies the maximum number of IPSec child security associations that can be derived from a single IKEv2 IKE security association. num must be 1. Default: 1
Sets the maximum number of Child SAs to its default value of 1.
Use this command to configure the maximum number of IPSec child security associations that can be derived from a single IKEv2 IKE security association.
maximum-child-sa 1
Configures IPSec Child Security Association rekeying.
All Security Gateway products
Security Administrator
Exec > Global Configuration > Context Configuration > Crypto Template Configuration > Crypto Template IKEv2-Dynamic Payload Configuration
configure > context context_name > crypto template template_name ikev2-dynamic > payload payload_name match childsa match { any | ipv4 | ipv6 }
Entering the above command sequence results in the following prompt:
[context_name]host_name(cfg-crypto-tmpl-ikev2-tunnel-payload)#
[ no ] rekey [ keepalive ]
Disables this feature.
If specified, a session will be rekeyed even if there has been no data exchanged since the last rekeying operation. By default, rekeying is only performed if there has been data exchanged since the previous rekey.
Use this command to enable or disable the ability to rekey IPSec Child SAs after approximately 90% of the Child SA lifetime has expired. The default, and recommended setting, is not to perform rekeying. No rekeying means the PDIF will not originate rekeying operations and will not process CHILD SA rekeying requests from the UE.
no rekey
Configures the IKEv2 Traffic Selector-Initiator (TSi) payload address options.
All Security Gateway products
Security Administrator
Exec > Global Configuration > Context Configuration > Crypto Template Configuration > Crypto Template IKEv2-Dynamic Payload Configuration
configure > context context_name > crypto template template_name ikev2-dynamic > payload payload_name match childsa match { any | ipv4 | ipv6 }
Entering the above command sequence results in the following prompt:
[context_name]host_name(cfg-crypto-tmpl-ikev2-tunnel-payload)#
tsi start-address { any end-address any | endpoint end-address endpoint }
Configures the TSi payload to allow all IP addresses.
Configures the TSi payload to allow only the Mobile endpoint address. (Default)
On receiving a successful IKE_SA_INIT Response from PDIF, the MS sends an IKE_ AUTH Request for the first EAP-AKA authentication. If the MS is capable of doing multiple-authentication, it includes the MULTI_AUTH_SUPPORTED Notify payload in the IKE_AUTH Request. MS also includes an IDi payload containing the NAI, SA, TSi, TSr, and CP (requesting IP address and DNS address) payloads.
tsi start-address any end-address any
Configures the IKEv2 Traffic Selector-Responder (TSr) payload address options.
All Security Gateway products
Security Administrator
Exec > Global Configuration > Context Configuration > Crypto Template Configuration > Crypto Template IKEv2-Dynamic Payload Configuration
configure > context context_name > crypto template template_name ikev2-dynamic > payload payload_name match childsa match { any | ipv4 | ipv6 }
Entering the above command sequence results in the following prompt:
[context_name]host_name(cfg-crypto-tmpl-ikev2-tunnel-payload)#
[ no ] tsr start-address ip address end-address ip address
Disables the specified tsr address range.
Specifies the starting IP address of the TSr payload in IPv4 dotted-decimal or IPv6 colon-separated-hexadecimal notation.
See the limitations listed in the Usage section.
Specifies the ending IP address of the TSr payload in IPv4 dotted-decimal or IPv6 colon-separated-hexadecimal notation.
See the limitations listed in the Usage section.
This command is used to specify an IP address range in the single TSr payload that the PDG/TTG returns in the last IKE_AUTH message. This TSr is Child SA-specific.
tsr start-address 10.2.3.4 end-address 10.2.3.155