Cisco Packet Data Gateway (PDG)
SecGW Changes in Release 17
SecGW Enhancements for 17.0
Release Change Reference, StarOS Release 17
RFC 4304 defines support for a 64-bit Extended Sequence Number (ESN) for IPsec (the ESN itself is specified for ESP in RFC 4303); StarOS negotiates it through IKEv2. Only the low-order 32 bits of the sequence number are carried in the ESP header; the receiver reconstructs the high-order 32 bits from the position of its anti-replay window (RFC 4303, Appendix A). The ESN transform (Transform Type 5) is included in the IKEv2 proposal for the ESP child SA. That proposal is carried in the IKE_AUTH exchange that follows IKE_SA_INIT (and in CREATE_CHILD_SA for rekeys); the IKE SA proposal negotiated in IKE_SA_INIT itself does not carry an ESN transform.
StarOS supports ESN for ESP packets negotiated through IKEv2; ESN is not supported for IKEv1. The configuration and
processing sequence is as follows:
Enable ESN in an IPSec transform set via a StarOS CLI command.
Negotiate ESN through the IPSec Domain of Interpretation (DOI) for IKEv2.
Send ESN in the proposal based on configuration.
Accept and process ESN in the proposal based on configuration.
Configure data-path to use ESN.
Read and checkpoint ESN.
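The data-path steps above ("configure data-path to use ESN", "read and checkpoint ESN") come down to how a receiver turns the 32 bits on the wire back into a 64-bit sequence number and checks it against its anti-replay window. The following is an added example, not StarOS code and not from this document: it implements the high-order-bit inference of RFC 4303 Appendix A2 with a sliding window, plus the sender-side counter limit, and runs a constructed trace through both a 32-bit-only SA and an ESN SA. The window size of 64, the trace values and the `next_wire_seq` helper are assumptions for illustration.

```python
# Added example (not StarOS code): receiver-side ESN handling for an ESP SA.
# Implements the high-order-bit inference of RFC 4303 Appendix A2 plus a
# sliding anti-replay window, to show why a 32-bit-only SA stops accepting
# traffic once the counter wraps while an ESN SA carries on.
# Window size, trace values and the sender helper are assumptions.

MASK32 = 0xFFFFFFFF


class EspReplayWindow:
    """Anti-replay state for one inbound SA (window of `window` packets)."""

    def __init__(self, esn: bool, window: int = 64):
        self.esn = esn
        self.window = window
        self.top = 0        # highest sequence number accepted so far (64-bit when esn)
        self.bitmap = 0     # bit i set  <=>  sequence (top - i) already accepted

    def infer_full_seq(self, seql: int):
        """Rebuild the 64-bit sequence number from the 32 bits on the wire.

        RFC 4303 Appendix A2: choose the high-order half (Seqh) that places the
        packet inside or just above the window. Returns None when the value
        would land in a negative subspace, which no valid packet can do.
        """
        if not self.esn:
            return seql                      # plain 32-bit SA: wire value is the number
        th, tl = self.top >> 32, self.top & MASK32
        w = self.window
        if tl >= w - 1:
            # Case A: the whole window lies inside one 2^32 subspace.
            bl = tl - w + 1
            seqh = th if seql >= bl else th + 1
        else:
            # Case B: the window straddles a subspace boundary.
            bl = (tl - w + 1) & MASK32
            seqh = th - 1 if seql >= bl else th
        if seqh < 0:
            return None
        return (seqh << 32) | seql

    def check(self, seql: int) -> bool:
        """Accept or reject one packet by its wire sequence number.

        A real ESP receiver updates the window only after the ICV verified
        (RFC 4303 s3.4.3); ICV handling is out of scope for this example.
        """
        seq = self.infer_full_seq(seql)
        if seq is None or seq == 0:          # sequence 0 is never sent on an ESP SA
            return False
        if seq > self.top:                   # new high-water mark: slide the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) if shift < self.window else 1
            self.bitmap &= (1 << self.window) - 1
            self.top = seq
            return True
        back = self.top - seq
        if back >= self.window:              # older than the window: drop
            return False
        if self.bitmap & (1 << back):        # already seen: replay
            return False
        self.bitmap |= 1 << back             # late but fresh: accept and mark
        return True


def next_wire_seq(counter: int, esn: bool):
    """Sender side: advance the SA counter and return (counter, 32 bits for the header).

    The counter must never wrap, so the SA has to be rekeyed before the limit
    (2^32 without ESN, 2^64 with it). Returns None when the space is exhausted.
    """
    limit = (1 << 64) if esn else (1 << 32)
    if counter + 1 >= limit:
        return None                          # rekey the SA before sending more
    counter += 1
    return counter, counter & MASK32


def simulate(esn: bool, wire_seqs):
    """Feed a constructed list of wire sequence numbers to a fresh inbound SA."""
    rx = EspReplayWindow(esn=esn)
    return [rx.check(s) for s in wire_seqs]


if __name__ == "__main__":
    # Constructed trace: two legitimate jumps, then the counter crosses 2^32,
    # then a replay and a late-but-fresh packet from the previous subspace.
    trace = [1, 1, 0x7FFFFFFF, 0xFFFFFFFF, 1, 0xFFFFFFFF, 0xFFFFFFFE]
    print("ESN    :", simulate(True, trace))   # 5th packet accepted as 0x1_00000001
    print("32-bit :", simulate(False, trace))  # 5th packet dropped as out-of-window
```

The fifth packet in the trace is the one that matters: on the ESN SA the wire value 1 is reconstructed as 0x1_00000001 and accepted, while on the 32-bit SA the same value is 0xFFFFFFFE behind the window top and dropped. The sixth packet shows that replay detection still works across the subspace boundary, because the window is kept on the reconstructed 64-bit values.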
Command Changes
esn
The IPSec Transform Set Configuration mode includes an esn command that enables ESN support.
configure
context ipsec_ctx_name
ipsec transform-set tset_name
esn
end
Notes:
ipsec_ctx_name is the StarOS context associated with IPSec.
tset_name is the name of the transform set in the current context that you want to configure for ESN.
For more information on command parameters, see the Extended Sequence Number chapter in the IPSec
Reference.
By default ESN support is disabled.
Enabling the esn command is equivalent to offering both ESN transform values in the proposal, ESN = 0 (32-bit
sequence numbers) and ESN = 1 (64-bit sequence numbers), so the peer can select either. If the esn command is not
enabled, only ESN = 0 is offered and only 32-bit sequence numbers are supported (the default behavior). The value
selected by the peer applies to the child SA; a peer that supports only 32-bit sequence numbers selects ESN = 0.
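To make the "ESN Transform = 0 and 1" wording concrete, the following added example (not StarOS code and not from this document) builds and parses the IKEv2 Transform substructures of RFC 7296 section 3.3.2 for Transform Type 5 (ESN), offering both IDs when ESN is enabled and only ID 0 when it is not, and shows a toy responder choosing one. The responder's preference for ESN = 1 when both sides allow it is an assumption for illustration; this page does not state StarOS's selection policy.

```python
# Added example (not StarOS code): what the `esn` command changes in the
# IKEv2 proposal. Builds and parses Transform substructures (RFC 7296 s3.3.2)
# for Transform Type 5 (ESN) and shows a toy responder picking one.
# The responder's preference for ESN=1 is an assumption, not StarOS policy.
import struct

ESN_TYPE = 5               # RFC 7296: Transform Type 5 = Extended Sequence Numbers
ESN_NO, ESN_YES = 0, 1     # Transform IDs: 0 = no ESN (32-bit), 1 = ESN (64-bit)
MORE, LAST = 3, 0          # first byte of a Transform substructure


def esn_transforms(esn_enabled: bool):
    """ESN transforms to offer, mirroring the behaviour described on this page."""
    if esn_enabled:
        return [(ESN_TYPE, ESN_NO), (ESN_TYPE, ESN_YES)]   # peer may pick either
    return [(ESN_TYPE, ESN_NO)]                             # 32-bit only (default)


def encode_transforms(transforms):
    """Serialize (type, id) pairs as back-to-back Transform substructures (no attributes)."""
    out = b""
    for i, (ttype, tid) in enumerate(transforms):
        flag = LAST if i == len(transforms) - 1 else MORE
        #                      flag, RESERVED, Length, Type, RESERVED, Transform ID
        out += struct.pack("!BBHBBH", flag, 0, 8, ttype, 0, tid)
    return out


def decode_transforms(blob: bytes):
    """Parse Transform substructures; raises ValueError on malformed input."""
    transforms, off, flag = [], 0, MORE
    while flag == MORE:
        if len(blob) - off < 8:
            raise ValueError("truncated transform")
        flag, _, length, ttype, _, tid = struct.unpack("!BBHBBH", blob[off:off + 8])
        if length < 8 or off + length > len(blob) or flag not in (MORE, LAST):
            raise ValueError("malformed transform")
        transforms.append((ttype, tid))
        off += length                    # skips any attributes as well
    if off != len(blob):
        raise ValueError("trailing bytes after last transform")
    return transforms


def is_well_formed(blob: bytes) -> bool:
    """Convenience wrapper for callers that only need a yes/no answer."""
    try:
        decode_transforms(blob)
        return True
    except ValueError:
        return False


def select_esn(offered_ids, local_esn_enabled: bool):
    """Responder choice: one ESN transform ID both sides accept, or None."""
    acceptable = {ESN_NO, ESN_YES} if local_esn_enabled else {ESN_NO}
    common = acceptable & set(offered_ids)
    if not common:
        return None                      # responder answers NO_PROPOSAL_CHOSEN
    return max(common)                   # assumed preference: 64-bit when both allow it


if __name__ == "__main__":
    wire = encode_transforms(esn_transforms(True))
    print(wire.hex())                    # two 8-byte substructures, IDs 0 and 1
    offered = [tid for _, tid in decode_transforms(wire)]
    print("peer with esn enabled picks :", select_esn(offered, True))
    print("peer with esn disabled picks:", select_esn(offered, False))
```

Note the asymmetric failure case: a peer that offers only ESN = 1 against a StarOS transform set without `esn` gets no common value, which surfaces as a rejected proposal at negotiation time rather than as dropped traffic on the data path.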
Performance Indicator Changes
show crypto ipsec transform-set
This command displays the IPSec transform set parameters as configured in a specific context and includes ESN status.
ESN: Enabled/Disabled
show crypto template