Cisco ASR 5000
Crypto Template Configuration Mode Commands
ikev2-ikesa
Command Line Interface Reference, StarOS Release 18
max-retransmissions number
Specifies the maximum number of retransmissions of an IKEv2 IKE Exchange Request if a response has not been received.
number must be an integer from 1 through 8. Default: 5
mobike
IKEv2 Mobility and Multihoming Protocol: MOBIKE allows the IP addresses associated with IKEv2 and
tunnel mode IPSec Security Associations to change. A mobile Virtual Private Network (VPN) client could
use MOBIKE to keep the connection with the VPN gateway active while moving from one address to
another. Similarly, a multihomed host could use MOBIKE to move the traffic to a different interface if, for
instance, the one currently being used stops working. Default: disable
policy { congestion-rejection [ notify-status-value value ] | error-notification [ invalid-major-version ] [ invalid-message-id [ invalid-major-version | invalid-syntax ] ] | invalid-syntax [ invalid-major-version ] | use-rfc5996-notification }
Specifies the default policy for generating an IKEv2 Invalid Message ID error when PDIF receives an out-of-sequence packet.
congestion-rejection: Sends an Error Notify Message to the MS as a reply to an IKE_SA_INIT Exchange when no more IKE_SA sessions can be established.
notify-status-value value: The Notify Message will be sent to the MS as a reply to an IKE_SA_INIT Exchange when no more IKE_SA sessions can be established. value must be an integer in the RFC 4306 IKEv2 Private Use Status Range, 40960 through 65535.
error-notification: Sends an Error Notify Message to the MS for Invalid IKEv2 Exchange Message ID and Invalid IKEv2 Exchange Syntax for the IKE_SA_INIT Exchange.
[invalid-major-version]: Sends an Error Notify Message for Invalid Major Version.
[invalid-message-id]: Sends an Error Notify Message for Invalid IKEv2 Exchange Message ID.
[invalid-syntax]: Sends an Error Notify Message for Invalid IKEv2 Exchange Syntax.
use-rfc5996-notification: Enables sending and receive processing of the RFC 5996 notifications TEMPORARY_FAILURE and CHILD_SA_NOT_FOUND.
rekey [ disallow-param-change ]
Specifies if IKESA rekeying should occur before the configured lifetime expires (at approximately 90% of the lifetime interval). Default is not to re-key.
The disallow-param-change option prevents changes in negotiation parameters during rekey.
retransmission-timeout msec
Specifies the timeout period (in milliseconds) before a retransmission of an IKEv2 IKE exchange request is sent (if the corresponding response has not been received).
msec must be an integer from 300 to 15000. Default: 500
setup-timer sec
Specifies the number of seconds before an IKEv2 IKE Security Association that is not fully established is terminated.
sec must be an integer from 1 through 3600. Default: 16
transform-set list name1
Specifies the name of a context-level configured IKEv2 IKE Security Association transform set.
name1 ... name6 must be an existing IKEv2 IKESA Transform Set expressed as an alphanumeric string of 1 through 127 characters.
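
The following is an added example, not Cisco code and not part of the original reference: a small linter that checks ikev2-ikesa lines in a saved configuration against the value ranges documented above and reports when rekey is enabled without disallow-param-change. It assumes each command appears on its own line as "ikev2-ikesa <keyword> [arguments]"; the names lint, in_range and SAMPLE are hypothetical, and the sample input is constructed.

```python
# Assumption: one "ikev2-ikesa <keyword> [args]" command per line of config text.
RANGES = {                                   # keyword -> (min, max), as documented
    "max-retransmissions": (1, 8),
    "retransmission-timeout": (300, 15000),  # milliseconds
    "setup-timer": (1, 3600),                # seconds
}
NOTIFY_MIN, NOTIFY_MAX = 40960, 65535        # notify-status-value range

def in_range(text, lo, hi):
    return text.isdecimal() and lo <= int(text) <= hi

def lint(config_text):
    """Return (line_number, message) findings for ikev2-ikesa lines."""
    findings = []
    for n, raw in enumerate(config_text.splitlines(), 1):
        tok = raw.split()
        if len(tok) < 2 or tok[0] != "ikev2-ikesa":
            continue
        kw, args = tok[1], tok[2:]
        if kw in RANGES:
            if len(args) != 1 or not in_range(args[0], *RANGES[kw]):
                findings.append((n, f"{kw}: expected one integer in {RANGES[kw]}"))
        elif kw == "policy" and "notify-status-value" in args:
            i = args.index("notify-status-value")
            val = args[i + 1] if i + 1 < len(args) else ""
            if not in_range(val, NOTIFY_MIN, NOTIFY_MAX):
                findings.append((n, f"notify-status-value: expected {NOTIFY_MIN}..{NOTIFY_MAX}"))
        elif kw == "rekey" and not args:
            # Without the option, negotiation parameters are not held fixed at rekey.
            findings.append((n, "rekey: disallow-param-change not set"))
        elif kw == "transform-set":
            names = args[1:] if args[:1] == ["list"] else []
            if not 1 <= len(names) <= 6:
                findings.append((n, "transform-set list: expected 1 to 6 names"))
            if any(len(x) > 127 for x in names):
                findings.append((n, "transform-set list: name exceeds 127 characters"))
    return findings

# Constructed sample input, not taken from a real device.
SAMPLE = """\
ikev2-ikesa max-retransmissions 9
ikev2-ikesa retransmission-timeout 500
ikev2-ikesa setup-timer 16
ikev2-ikesa policy congestion-rejection notify-status-value 1234
ikev2-ikesa rekey
ikev2-ikesa transform-set list ts1 ts2
"""

if __name__ == "__main__":
    print(*lint(SAMPLE), sep="\n")
```

On the constructed sample, findings are reported for lines 1, 4 and 5.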