- IGMP Profile Configuration Mode Commands
- IKEv2 Security Association Configuration Mode Commands
- IMEI Profile Configuration Mode
- IMEI-TAC-Group Configuration Mode Commands
- IMS Authorization Service Configuration Mode Commands
- IMS Sh Service Configuration Mode Commands
- IPMS Client Configuration Mode Commands
- IPNE Endpoint Configuration Mode Commands
- IPNE Service Configuration Mode Commands
- IPSec Transform Set Configuration Mode Commands
- IPSG RADIUS Snoop Configuration Mode Commands
- IPSG RADIUS Server Configuration Mode Commands
- IPSP Configuration Mode Commands
- IPv6 ACL Configuration Mode Commands
- IPv6 to IPv4 Tunnel Interface Configuration Mode Commands
- IP VRF Context Configuration Mode Commands
- ISAKMP Configuration Mode Commands
- IuPS Service Configuration Mode Commands
- LAC Service Configuration Mode Commands
- Line Configuration Mode Commands
- Link Configuration Mode Commands
- Linkset Configuration Mode Commands
- LMA Service Configuration Mode Commands
- LNS Service Configuration Mode Commands
- Local Policy Actiondef Configuration Mode Commands
- Local Policy Eventbase Configuration Mode Commands
- Local Policy Ruledef Configuration Mode Commands
- Local Policy Service Configuration Mode Commands
- Location Service Configuration Mode Commands
- Logical eNode Configuration Mode Commands
- Loopback Interface Configuration Mode Commands
- LTE Custom TAI List Configuration Mode Commands
- LTE Emergency Profile Configuration Mode Commands
- LTE Forbidden Location Area Configuration Mode Commands
- LTE Forbidden Tracking Area Configuration Mode Commands
- LTE Foreign PLMN GUTI Management Database Configuration Mode Commands
- LTE HeNBGW MME Pool Configuration Mode Commands
- LTE Handover Restriction List Configuration Mode Commands
- LTE MME HeNB-GW Management Database Configuration Mode Commands
- LTE Network Global MME ID Management Database Configuration Mode Commands
- LTE Paging Map Configuration Mode Commands
- LTE Paging Profile Configuration Mode Commands
- LTE Peer Map Configuration Mode Commands
- LTE Policy Configuration Mode Commands
- LTE Subscriber Map Configuration Mode Commands
- LTE TAI Management Database Configuration Mode Commands
- LTE TAI Management Object Configuration Mode Commands
- MAG Service Configuration Mode Commands
- MAP Service Configuration Mode Commands
- MIP HA Assignment Table Configuration Mode Commands
- MPLS-LDP Configuration Mode Commands
- MIPv6 HA Service Configuration Mode Commands
- MME-eMBMS Service Configuration Mode Commands
- MME LAC Pool Area Configuration Mode Commands
- MME MSC Pool Area Configuration Mode
- MME SGs Service Configuration Mode Commands
- MME Service Configuration Mode Commands
- MPLS-IP Configuration Mode Commands
- MRME Service Configuration Mode Commands
- NETCONF Protocol Configuration Mode Commands
- Network Service Entity- IP Local Configuration Mode Commands
- Network Service Entity - Peer NSEI Configuration Mode Commands
- Network Service Virtual Connection Configuration Mode Commands
- Network Service Virtual Link Configuration Mode Commands
- NTP Configuration Mode Commands
- NTSR Pool Configuration Mode Commands
- Operator Policy Configuration Mode
- ORBEM Configuration Mode Commands
- OSPF Configuration Mode Commands
- OSPFv3 Configuration Mode Commands
- OSPF VRF Configuration Mode Commands
- Out-Address Configuration Mode Commands
- P2P Advertisement Server Group Configuration Mode Commands
- PCC-Action-Set Configuration Mode Commands
- PCC-AF-Service Configuration Mode Commands
- PCC-Condition-Group Configuration Mode Commands
- PCC-Data-Service Configuration Mode Commands
- PCC-Event-Notification-Interface-Endpoint Configuration Mode Commands
- PCC-Policy-Service Configuration Mode Commands
- PCC-Service-Profile Configuration Mode Commands
- PCC-QoS-Profile Configuration Mode Commands
- PCC-Quota Service Configuration Mode Commands
- PCC-Sp-Endpoint Configuration Mode Commands
- PCC-Service Addon Configuration Mode Commands
- PCC-TimeDef Configuration Mode Commands
- PCP Configuration Mode Commands
- PCP Policy Control Configuration Mode Commands
- PDIF Service Configuration Mode Commands
- PDG Service Configuration Mode Commands
- PDSN Service Configuration Mode Commands
- PDSN Service RoHC Configuration Mode Commands
- Peer List Configuration Mode Commands
- Peer Profile Configuration Mode Commands
- Peer-Server Configuration Mode Commands
- P-GW Service Configuration Mode Commands
- Policy Control Configuration Mode Commands
- Plugin Configuration Mode Commands
- PVC Configuration Mode Commands
- PVC Interface Configuration Mode Commands
- QCI - QoS Mapping Configuration Mode Commands
- QCI - RAN ID Mapping Configuration Mode Commands
- QoS L2 Mapping Configuration Mode Commands
- QoS Profile Configuration Mode Commands
- Index
Command Line Interface Reference, Modes I - Q, StarOS Release 21.2
- Updated:
- April 27, 2017
Chapter: IKEv2 Security Association Configuration Mode Commands
IKEv2 Security Association
Configuration Mode Commands
The IKEv2 Security Association Configuration Mode is used to configure a Security Association (SA) at the outset of an IPSec session. A security association is the collection of algorithms and parameters (such as keys) that is being used to encrypt and authenticate a particular flow in one direction. In normal bi-directional traffic, the flows are secured by a pair of security associations.
Mode
Exec > Global Configuration > Context Configuration > IKEv2 Security Association Configuration
configure > context context_name > ikev2-ikesa transform-set set_name
Entering the above command sequence results in the following prompt:
[context_name]host_name(cfg-ctx-ikev2ikesa-tran-set)#
The commands or keywords/variables that are available are dependent on platform type, product version, and installed license(s).
default
Sets the default properties for the selected parameter.
Product
ePDG
PDIF
Privilege
Security Administrator, Administrator
Mode
Exec > Global Configuration > Context Configuration > IKEv2 Security Association Configuration
configure > context context_name > ikev2-ikesa transform-set set_name
Entering the above command sequence results in the following prompt:
[context_name]host_name(cfg-ctx-ikev2ikesa-tran-set)#
Syntax
Syntax Description
default { encryption | group | hmac | lifetime | prf }
- encryption: Default algorithm for the IKEv2 IKE SA is AES-CBC-128.
- group: Default Diffie-Hellman group is Group 2.
- hmac: Default IKEv2 IKE SA hashing algorithm is SHA1-96.
- lifetime: Default lifetime for SAs derived from this transform-set is 86400 seconds.
- prf: Default PRF for the IKEv2 IKE SA is SHA1.
Usage Guidelines
Configure default parameters for the IKEv2 IKE SA transform-set.
Examples
default encryption
encryption
Configures the appropriate encryption algorithm and encryption key length for the IKEv2 IKE security association. AES-CBC-128 is the default.
Product
ePDG
PDIF
Privilege
Security Administrator, Administrator
Mode
Exec > Global Configuration > Context Configuration > IKEv2 Security Association Configuration
configure > context context_name > ikev2-ikesa transform-set set_name
Entering the above command sequence results in the following prompt:
[context_name]host_name(cfg-ctx-ikev2ikesa-tran-set)#
Syntax
Syntax Description
encryption { 3des-cbc | aes-cbc-128 | aes-cbc-256 | des-cbc | null } default encryption
3des-cbc
Data Encryption Standard Cipher Block Chaining encryption applied to the message three times using three different cypher keys (triple DES).
aes-cbc-128
Advanced Encryption Standard Cipher Block Chaining with a key length of 128 bits.
aes-cbc-256
Advanced Encryption Standard Cipher Block Chaining with a key length of 256 bits.
des-cbc
Data Encryption Standard Cipher Block Chaining. Encryption using a 56-bit key size. Relatively insecure.
null
Configures no IKEv2 IKE Security Association Encryption Algorithm. All IKEv2 IPsec Child Security Association protected traffic will be sent in the clear.
 Note | USE OF THIS ALGORITHM FOR IKE_SA ENCRYPTION IS A VIOLATION OF RFC 4306. THIS ALGORITHM SHOULD ONLY BE USED FOR TESTING PURPOSES. |
Usage Guidelines
IKEv2 requires a confidentiality algorithm to be applied in order to work.
In cipher block cryptography, the plaintext is broken into blocks usually of 64 or 128 bits in length. In cipher block chaining (CBC) each encrypted block is chained into the next block of plaintext to be encrypted. A randomly-generated vector is applied to the first block of plaintext in lieu of an encrypted block. CBC provides confidentiality, but not message integrity.
Because RFC 4307 calls for interoperability between IPSec and IKEv2, the IKEv2 confidentiality algorithms must be the same as those configured for IPSec in order for there to be an acceptable match during the IKE message exchange. Because of RFC4307, in IKEv2, there is no viable NULL option, it is available for testing only.
Examples
encryption aes-cbc-128
end
Exits the current configuration mode and returns to the Exec mode.
Product
All
Privilege
Security Administrator, Administrator
Syntax
Syntax Description
end
Usage Guidelines
Use this command to return to the Exec mode.
exit
Exits the current mode and returns to the parent configuration mode.
Product
All
Privilege
Security Administrator, Administrator
Syntax
Syntax Description
exit
Usage Guidelines
Use this command to return to the parent configuration mode.
group
Configures the appropriate key exchange cryptographic strength by applying a Diffie-Hellman group. Default is Group 2.
Product
ePDG
PDIF
Privilege
Security Administrator, Administrator
Mode
Exec > Global Configuration > Context Configuration > IKEv2 Security Association Configuration
configure > context context_name > ikev2-ikesa transform-set set_name
Entering the above command sequence results in the following prompt:
[context_name]host_name(cfg-ctx-ikev2ikesa-tran-set)#
Syntax
Syntax Description
group { 1 | 2 | 5 | 14 } default group
1
Configures crypto strength at the Group 1 level. Lowest security.
2
Configures crypto strength at the Group 2 (default) level. Medium security.
This is the default setting for this command.
5
Configures crypto strength at the Group 5 level. Higher security.
14
Configures crypto strength at the Group 14 level. Highest security
Usage Guidelines
Diffie-Hellman groups are used to determine the length of the base prime numbers used during the key exchange process in IKEv2. The cryptographic strength of any key derived depends, in part, on the strength of the Diffie-Hellman group upon which the prime numbers are based.
Group 1 provides 768 bits of keying strength, Group 2 provides 1024 bits, Group 5 provides 1536 bits and Group 14 provides 2048 bits of encryption strength.
Configuring a DH group also enables Perfect Forward Secrecy, which is disabled by default.
Examples
default group
hmac
Configures the IKEv2 IKE SA integrity algorithm. Default is SHA1-96.
Product
ePDG
PDIF
Privilege
Security Administrator, Administrator
Mode
Exec > Global Configuration > Context Configuration > IKEv2 Security Association Configuration
configure > context context_name > ikev2-ikesa transform-set set_name
Entering the above command sequence results in the following prompt:
[context_name]host_name(cfg-ctx-ikev2ikesa-tran-set)#
Syntax
Syntax Description
hmac { aes-xcbc-96 | md5-96 | sha1-96 | sha2-256-128 | sha2-384-192 | sha2-512-256 } default hmac
aes-xcbc-96
HMAC-AES-XCBC uses a 128-bit secret key and produces a 128-bit authenticator value.
md5-96
HMAC-MD5 uses a 128-bit secret key and produces a 128-bit authenticator value.
sha1-96
HMAC-SHA-1 uses a 160-bit secret key and produces a 160-bit authenticator value. This is the default setting for this command.
sha2-256-128
HMAC-SHA-256 uses a 256-bit secret key and produces a 128-bit authenticator value.
sha2-384-192
HMAC-SHA-384 uses a 384-bit secret key and produces a 192-bit authenticator value.
sha2-512-256
HMAC-SHA-512 uses a 512-bit secret key and produces a 256-bit authenticator value.
Usage Guidelines
IKEv2 requires an integrity algorithm be configured in order to work.
A keyed-Hash Message Authentication Code, or HMAC, is a type of message authentication code (MAC) calculated using a cryptographic hash function in combination with a secret key to verify both data integrity and message authenticity. A hash takes a message of any size and transforms it into a message of a fixed size: the authenticator value. This is truncated and transmitted. The authenticator value is reconstituted by the receiver and the first truncated bits are compared for a 100 percent match.
Examples
hmac md5-96
lifetime
Configures the lifetime of a security association (SA) in seconds.
Product
ePDG
PDIF
Privilege
Security Administrator, Administrator
Mode
Exec > Global Configuration > Context Configuration > IKEv2 Security Association Configuration
configure > context context_name > ikev2-ikesa transform-set set_name
Entering the above command sequence results in the following prompt:
[context_name]host_name(cfg-ctx-ikev2ikesa-tran-set)#
Syntax
Syntax Description
lifetime sec default lifetime
lifetime sec
Sets the value of the timeout parameter in seconds as an integer from 60 through 86400. Default: 86400
Usage Guidelines
The secret keys that are used for various aspects of a configuration should only be used for a limited amount of time before timing out. This exposes a limited amount of data to the possibility of hacking. If the SA expires, the options are then to either close the SA and open an new one, or renew the existing SA.
Examples
lifetime 120
prf
Selects one of the HMAC integrity algorithms to act as the IKE Pseudo-Random Function. A PRF produces a string of bits that an attacker cannot distinguish from random bit string without knowledge of the secret key. The default is SHA1.
Product
ePDG
PDIF
Privilege
Security Administrator, Administrator
Mode
Exec > Global Configuration > Context Configuration > IKEv2 Security Association Configuration
configure > context context_name > ikev2-ikesa transform-set set_name
Entering the above command sequence results in the following prompt:
[context_name]host_name(cfg-ctx-ikev2ikesa-tran-set)#
Syntax
Syntax Description
prf { aes-xcbc-128 | md5 | sha1 | sha2-256 | sha2-384 | sha2-512 } default prf
aes-xcbc-128
Configure IKEv2 IKE Security Association Pseudo Algorithm to be AES-XCBC-128.
md5
MD5 uses a 128-bit secret key and produces a 128-bit authenticator value.
sha1
SHA-1 uses a 160-bit secret key and produces a 160-bit authenticator value.
SHA-1 is considered cryptographically stronger than MD5, but it takes more CPU cycles to compute.
This is the default setting for this command.
sha2-256
PRF-HMAC-SHA-256 uses a 256-bit secret key.
sha2-384
PRF-HMAC-SHA-384 uses a 384-bit secret key.
sha2-512
PRF-HMAC-SHA-512 uses a 512-bit secret key.
Usage Guidelines
This command generates keying material for all the cryptographic algorithms used in both the IKE_SA and the CHILD_SAs.
Examples
prf sha2-256
Feedback