Cisco Cisco ASR 5000
Crypto Map IKEv2-IPv4 Configuration Mode Commands
ikev2-ikesa ▀
Command Line Interface Reference, StarOS Release 18 ▄
2915
max-retransmissions
number
Specifies the maximum number of retransmissions of an IKEv2 IKE Exchange Request if a response has not
been received.
been received.
number
must be an integer from 1 through 8. Default: 5
policy { error-notification [ invalid-major-version ] [ invalid-message-id [
invalid-major-version | invalid-syntax ] ] | invalid-syntax [ invalid-major-
version ] | use-rfc5996-notification }
invalid-major-version | invalid-syntax ] ] | invalid-syntax [ invalid-major-
version ] | use-rfc5996-notification }
Specifies the default policy for generating an IKEv2 Invalid Message ID error when PDIF receives an out-of-
sequence packet.
sequence packet.
error-notification
: Sends an Error Notify Message to the MS for Invalid IKEv2 Exchange Message ID
and Invalid IKEv2 Exchange Syntax for the IKE_SA_INIT Exchange.
[invalid-major-version]
: Sends an Error Notify Message for Invalid Major Version
[invalid-message-id]
: Sends an Error Notify Message for Invalid IKEv2 Exchange Message ID.
[invalid-syntax]
: Sends an Error Notify Message for Invalid IKEv2 Exchange Syntax.
use-rfc5996-notification
: Enables support for TEMPORARY_FAILURE and
CHILDSA_NOT_FOUND notify payloads.
rekey
[ disallow-param-change ]
Specifies if IKESA rekeying should occur before the configured lifetime expires (at approximately 90% of
the lifetime interval). Default is not to re-key.
The disallow-param-change option does not allow changes in negotiation parameters during rekey.
the lifetime interval). Default is not to re-key.
The disallow-param-change option does not allow changes in negotiation parameters during rekey.
retransmission-timeout
msec
Specifies the timeout period (in milliseconds) before a retransmission of an IKEv2 IKE exchange request is
sent (if the corresponding response has not been received).
sent (if the corresponding response has not been received).
msec
must be an integer from 300 to 15000.
Default: 500
exponential
Specifies that the subsequent retransmission delays are exponentially increased with a maximum limit of
15000ms.
15000ms.
setup-timer
sec
Specifies the number of seconds before a IKEv2 IKE Security Association that is not fully established is
terminated.
terminated.
sec
must be an integer from 1 through 3600. Default: 16
transform-set list
name1
Specifies the name of a context-level configured IKEv2 IKE Security Association transform set.
name1
...
name6
must be an existing IKEv2 IKESA Transform Set expressed as an alphanumeric string of 1 through
127 characters.
The transform set is a space-separated list of IKEv2-IKESA SA transform sets to be used for deriving IKEv2
IKE Security Associations from this crypto template. A minimum of one transform-set is required; maximum
configurable is six.
The transform set is a space-separated list of IKEv2-IKESA SA transform sets to be used for deriving IKEv2
IKE Security Associations from this crypto template. A minimum of one transform-set is required; maximum
configurable is six.
Usage
Use this command to configure parameters for the IKEv2 IKE Security Associations within this crypto
template.
template.
Example