By default the SecGW (WSG service) only responds to a setup request for an IKEv2 session. However, a SecGW can also be configured to initiate an IKEv2 session setup request when the peer does not initiate a setup request within a specified time interval. SecGW as initiator is only applicable for site-to-site (S2S) based tunnels within a WSG service. For remote access tunnels the peer is always the initiator.
The following is the general event sequence for a SecGW acting as an initiator:

1. The SecGW waits for the peer to initiate a tunnel within a configurable time interval, during which it is in responder mode. The default responder mode interval is 10 seconds.
2. Upon expiry of the responder mode timer, the SecGW switches to initiator mode for a configurable time interval. The default initiator mode interval is 10 seconds.
3. The SecGW retries the call if there is no response from the peer during the initiator mode interval.
4. When the SecGW is in initiator mode and the peer does not respond to the IKE messages or fails to establish the call, the SecGW reverts to responder mode and waits for the peer to initiate the
5. If call creation is successful, the SecGW stops initiating any further calls to that peer.
6. If the SecGW and the peer initiate a session call simultaneously (possible collision), the SecGW defers to the peer-initiated call and drops any incoming packets.
When the SecGW as initiator feature is enabled, the SecGW only supports up to 1,000 peer addresses. This restriction is applied when configuring a crypto peer list. See Create a crypto peer-list.

The following limitations apply when the SecGW as initiator feature is enabled:

- The SecGW will only support up to 1,000 peers. This restriction is applied when configuring a crypto peer list.
- The SecGW will not support the modification of an IPv4/IPv6 peer list on the fly (call sessions in progress). The modification will be allowed only after all the calls are removed.
- The SecGW does support wild card peer address provisioning along with subnets.
Configuring SecGW as Initiator

The following is the general sequence for configuring this feature:

The peer list name is specified as an alphanumeric string of 1 through 32 characters. The peer-list command moves you to the Peer List Configuration mode, where you have access to the peer_address command to add up to 1,000 peer IP addresses. The IP addresses in the list can only be entered in either IPv4 or IPv6 notation, depending on the address type specified when the list was
peer_address command to remove a peer address from the
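The peer-list rules stated in the limitations list and in the peer-list description above (a name of 1 through 32 alphanumeric characters, one address family fixed when the list is created, at most 1,000 addresses, no on-the-fly modification while call sessions are in progress) can be captured as a small validator. The following is an added example in Python, not Cisco code: CryptoPeerList, PeerListError and fill_to_limit are names chosen here, the class accepts only individual host addresses (it does not model wildcard or subnet entries), the in-progress call count is maintained by the caller, and every address used is a constructed documentation value.

```python
"""Model of the crypto peer-list rules described in the text.

Added example, not Cisco code. Assumptions: only individual host addresses
are accepted, "alphanumeric" is read strictly as letters and digits, and the
number of call sessions using the list is supplied by the caller.
"""
import ipaddress
import re
from typing import List, Union

MAX_PEERS = 1000                                   # limit stated in the text
NAME_RE = re.compile(r"[A-Za-z0-9]{1,32}")         # 1 through 32 alphanumerics
IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


class PeerListError(ValueError):
    """Raised when an operation would violate a peer-list rule."""


class CryptoPeerList:
    def __init__(self, name: str, family: str) -> None:
        if not NAME_RE.fullmatch(name):
            raise PeerListError("name must be 1 through 32 alphanumeric characters")
        if family not in ("ipv4", "ipv6"):
            raise PeerListError("family must be 'ipv4' or 'ipv6'")
        self.name = name
        self.family = family            # address type fixed at creation
        self.peers: List[IPAddr] = []
        self.calls_in_progress = 0      # maintained by the caller (assumption)

    @property
    def version(self) -> int:
        return 4 if self.family == "ipv4" else 6

    def _check_mutable(self) -> None:
        # No on-the-fly modification while call sessions are in progress.
        if self.calls_in_progress:
            raise PeerListError(
                f"{self.calls_in_progress} call session(s) in progress; "
                "remove all calls before modifying the peer list")

    def _parse(self, text: str) -> IPAddr:
        try:
            addr = ipaddress.ip_address(text)   # host address only
        except ValueError as exc:
            raise PeerListError(f"not a host address: {text!r}") from exc
        if addr.version != self.version:
            raise PeerListError(
                f"list {self.name} is {self.family}; got IPv{addr.version} {text}")
        return addr

    def add_peer(self, text: str) -> bool:
        """Add a peer address; returns False if it was already present."""
        self._check_mutable()
        addr = self._parse(text)
        if addr in self.peers:
            return False
        if len(self.peers) >= MAX_PEERS:
            raise PeerListError(f"peer list limited to {MAX_PEERS} addresses")
        self.peers.append(addr)
        return True

    def remove_peer(self, text: str) -> bool:
        """Remove a peer address; returns False if it was not present."""
        self._check_mutable()
        addr = self._parse(text)
        if addr not in self.peers:
            return False
        self.peers.remove(addr)
        return True


def fill_to_limit(pl: CryptoPeerList) -> int:
    """Populate an IPv4 list with 1,000 constructed addresses from 10.0.0.0/8."""
    base = ipaddress.IPv4Address("10.0.0.0")
    for i in range(MAX_PEERS):
        pl.add_peer(str(base + i + 1))
    return len(pl.peers)


if __name__ == "__main__":
    pl = CryptoPeerList("s2sPeers", "ipv4")
    print(pl.add_peer("203.0.113.10"), pl.add_peer("203.0.113.10"))
    try:
        pl.add_peer("2001:db8::1")
    except PeerListError as err:
        print("rejected:", err)
```

The validator refuses the three things the text calls out: an address of the wrong family for the list, the 1,001st address, and any change while calls_in_progress is non-zero.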
Configure the Peer List in the WSG Service

The following CLI command sequence configures the previously created peer list for use in the WSG
command to remove the peer-list and disable the SecGW as initiator feature.

Any changes made to a WSG service require that the service be restarted to apply the changed parameters. You restart the service by unbinding and binding the IP address to the service
Initiator Mode and Responder Mode Durations

When a peer list has been configured in the WSG service, the initiator and responder mode timer intervals each default to 10 seconds. The SecGW will wait for 10 seconds in responder mode for a peer session initiation request before switching to initiator mode and waiting 10 seconds for a peer response.

You can change the default settings for the initiator and/or responder mode intervals using the following CLI command sequence.
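The event sequence described earlier (wait in responder mode, switch to initiator mode, retry, revert when the peer does not answer, stop once a call is up, defer to the peer on a collision) and the two 10-second defaults in this section can be exercised together as a small timer model. The following is an added example in Python; it is not Cisco code and not the CLI sequence the text refers to. The 1-second tick, the 5-second retry spacing inside initiator mode, the class and function names, and the peer address 203.0.113.10 are assumptions; the two durations are parameters so the defaults can be swapped for configured values.

```python
"""Timer model of SecGW as initiator mode switching.

Added example, not Cisco code. Reproduces the event sequence from the text:
responder mode -> initiator mode on timer expiry -> retries while unanswered
-> back to responder mode when the initiator interval ends -> no further
initiation once a call is up -> peer-initiated call wins on collision.
Assumptions: 1-second ticks; one retry every RETRY_INTERVAL seconds.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

RESPONDER = "responder"
INITIATOR = "initiator"
ESTABLISHED = "established"
RETRY_INTERVAL = 5   # assumption: seconds between retries in initiator mode


@dataclass
class PeerInitiatorFsm:
    peer: str
    responder_duration: int = 10   # default responder mode interval (text)
    initiator_duration: int = 10   # default initiator mode interval (text)
    retry_interval: int = RETRY_INTERVAL
    mode: str = RESPONDER
    mode_elapsed: int = 0
    since_attempt: int = 0
    attempts: int = 0
    initiated_by: Optional[str] = None
    collision: bool = False
    established_at: Optional[int] = None
    transitions: List[Tuple[int, str]] = field(
        default_factory=lambda: [(0, RESPONDER)])

    def _enter(self, mode: str, now: int) -> None:
        self.mode = mode
        self.mode_elapsed = 0
        self.since_attempt = 0
        self.transitions.append((now, mode))

    def _send_init(self, now: int, peer_answers: bool) -> None:
        # One setup attempt towards the peer while in initiator mode.
        self.attempts += 1
        self.since_attempt = 0
        if peer_answers:
            self.initiated_by = "secgw"
            self.established_at = now
            self._enter(ESTABLISHED, now)

    def peer_request(self, now: int) -> None:
        """A peer-initiated setup request arrives; accepted in either mode.
        If the SecGW was itself initiating, that is the collision case: the
        peer-initiated call wins and the SecGW's own attempt is abandoned."""
        if self.mode == ESTABLISHED:
            return
        if self.mode == INITIATOR:
            self.collision = True
        self.initiated_by = "peer"
        self.established_at = now
        self._enter(ESTABLISHED, now)

    def tick(self, now: int, peer_answers: bool) -> None:
        """Advance the clock by one second."""
        if self.mode == ESTABLISHED:
            return                      # call is up: stop initiating to this peer
        self.mode_elapsed += 1
        if self.mode == RESPONDER:
            if self.mode_elapsed >= self.responder_duration:
                self._enter(INITIATOR, now)        # responder timer expired
                self._send_init(now, peer_answers)
            return
        # Initiator mode: retry while unanswered, revert when the interval ends.
        self.since_attempt += 1
        if self.since_attempt >= self.retry_interval:
            self._send_init(now, peer_answers)
        if self.mode == INITIATOR and self.mode_elapsed >= self.initiator_duration:
            self._enter(RESPONDER, now)


def simulate(peer_initiates_at: Optional[int] = None,
             peer_answers_from: Optional[int] = None,
             horizon: int = 60, **timers) -> PeerInitiatorFsm:
    """Drive one FSM for `horizon` seconds against a scripted peer:
    peer_initiates_at = second the peer sends its own request (None = never);
    peer_answers_from = first second the peer answers our attempts (None = never).
    """
    fsm = PeerInitiatorFsm(peer="203.0.113.10", **timers)   # constructed address
    for now in range(1, horizon + 1):
        if peer_initiates_at is not None and now == peer_initiates_at:
            fsm.peer_request(now)
        answers = peer_answers_from is not None and now >= peer_answers_from
        fsm.tick(now, answers)
    return fsm


if __name__ == "__main__":
    for label, kw in [("silent peer", {}),
                      ("peer answers from t=12", {"peer_answers_from": 12}),
                      ("peer initiates at t=4", {"peer_initiates_at": 4}),
                      ("collision at t=11", {"peer_initiates_at": 11})]:
        f = simulate(**kw)
        print(f"{label}: attempts={f.attempts} by={f.initiated_by} "
              f"collision={f.collision} transitions={f.transitions}")
```

With the defaults, a silent peer produces the alternating 10-second responder/initiator pattern from the text; passing responder_duration and initiator_duration to simulate shows how changed interval settings alter the switch points.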