Cisco Packet Data Gateway (PDG)
SecGW Changes in Release 16
SecGW Enhancements for 16.1
Release Change Reference, StarOS Release 16
StarOS supports Extended Sequence Number (ESN) for ESP packets using IKEv2 negotiation; ESN is not supported for IKEv1. The configuration and
processing sequence is as follows:
Enable ESN in an IPSec transform set via a StarOS CLI command.
Negotiate ESN (IPSec Domain of Interpretation (DOI)) for IKEv2.
Send ESN in the proposal based on configuration.
Accept and process ESN in the proposal based on configuration.
Configure data-path to use ESN.
Read and checkpoint ESN.
Command Changes
esn
The IPSec Transform Set Configuration mode includes an esn command that enables ESN support.
configure
   context ipsec_ctx_name
      ipsec transform-set tset_name
         esn
         end
Notes:
ipsec_ctx_name is the StarOS context associated with IPSec.
tset_name is the name of the transform set in the current context that you want to configure for ESN.
For more information on command parameters, see the Extended Sequence Number chapter in the IPSec
Reference.
By default ESN support is disabled.
Enabling the esn command is the equivalent of sending ESN Transform = 0 and 1, that is, supporting both 32-bit and 64-bit
sequence numbers. If the esn command is not enabled, only 32-bit sequence numbers are supported (default
behavior).
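The following added example (not Cisco or StarOS code) shows what the two settings mean in practice: which ESN transform two peers end up with, and how a receiver rebuilds a 64-bit sequence number from the 32 bits carried in the ESP header, following the procedure in RFC 4303, Appendix A2. The function names, the 64-packet anti-replay window, and the choice to prefer ESN when both peers offer it are assumptions of this sketch.

```python
MOD32 = 1 << 32
NO_ESN, ESN = 0, 1  # IKEv2 ESN transform IDs (Transform Type 5, RFC 7296)


def offered(esn_enabled):
    """Transform IDs a peer proposes: 0 and 1 with esn enabled, else 0 only."""
    return {NO_ESN, ESN} if esn_enabled else {NO_ESN}


def negotiate(initiator_esn, responder_esn):
    """Pick one ID both peers support. Preferring ESN is an assumption here."""
    common = offered(initiator_esn) & offered(responder_esn)
    return ESN if ESN in common else NO_ESN


def infer_seq(seq_low, top, window=64):
    """Rebuild the 64-bit sequence number from the 32 bits carried in ESP.

    top is the highest 64-bit sequence number authenticated so far on the SA.
    Returns None when no valid number exists (the packet must be dropped).
    The result is only a guess until the ICV, which covers the high 32 bits,
    verifies; a wrong guess fails authentication.
    """
    th, tl = divmod(top, MOD32)
    bl = (tl - window + 1) % MOD32      # low 32 bits of the window's lower edge
    if tl >= window - 1:                # window lies inside one 2^32 subspace
        seq_high = th if seq_low >= bl else th + 1
    else:                               # window straddles a low-32-bit rollover
        seq_high = th - 1 if seq_low >= bl else th
    if seq_high < 0 or seq_high >= MOD32:
        return None
    return seq_high * MOD32 + seq_low


if __name__ == "__main__":
    # Constructed sample values, not captured traffic.
    print("esn on both peers  ->", negotiate(True, True))
    print("esn on one peer    ->", negotiate(True, False))
    # Low bits wrapped past 0xFFFFFFFF: receiver moves to the next subspace.
    print(hex(infer_seq(0x5, 0x1_FFFF_FFF0)))
    # Late packet sent before the rollover: receiver uses the previous subspace.
    print(hex(infer_seq(0xFFFF_FFF0, 0x2_0000_0005)))
```
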
Performance Indicator Changes
show crypto ipsec transform-set
This command displays the IPSec transform set parameters as configured in a specific context and includes ESN status.
ESN: Enabled/Disabled
show crypto template
This command displays ESN status under IPSec SA Payload.