Cisco Cisco ASR 5000
IPSec Transform Set Configuration Mode Commands
▀ esn
▄ Command Line Interface Reference, StarOS Release 18
6648
esn
Enables support for the use of 64-bit Extended Sequence Numbers (ESNs) in ikev2 Encapsulating Security Payload
(ESP) and Authentication Header (AH) packets. The ESN transform is included in an ikev2 proposal used in the
negotiation of IKE SAs as part of the IKE_SA_INIT exchange.
(ESP) and Authentication Header (AH) packets. The ESN transform is included in an ikev2 proposal used in the
negotiation of IKE SAs as part of the IKE_SA_INIT exchange.
Product
SecGW
Privilege
Security Administrator, Administrator
Mode
Exec > Global Configuration > Context Configuration > IPSec Transform Set Configuration
configure > context context_name > ipsec transform-set set_name
Entering the above command sequence results in the following prompt:
[context_name]host_name(config-context-vrf)#
Syntax
esn
Usage
Use this command to enable support for the use of 64-bit ESNs for ikev2. The ESN transform is included in
an ikev2 proposal used in the negotiation of IKE SAs as part of the IKE_SA_INIT exchange.
The ESN transform has the following meaning:
an ikev2 proposal used in the negotiation of IKE SAs as part of the IKE_SA_INIT exchange.
The ESN transform has the following meaning:
A proposal containing one ESN transform with value 0 means “do not use extended sequence
numbers”.
A proposal containing one ESN transform with value 1 means “use extended sequence numbers”.
A proposal containing two ESN transforms with values 0 and 1 means “I support both normal and
extended sequence numbers, you choose”. This case is only allowed in requests; the response will
contain only one ESN transform.
contain only one ESN transform.
In most cases, the exchange initiator will include either the first or third alternative in its SA payload. The
second alternative is rarely useful for the initiator: it means that using normal sequence numbers is not
acceptable (so if the responder does not support ESNs, the exchange will fail with
NO_PROPOSAL_CHOSEN.
Enabling the esn command is the equivalent of sending ESN Transform = 0 and 1; support both 32-bit and
64-bit sequence numbers. If the esn command is not enabled, support only 32-bit sequence numbers (default
behavior).
Including the ESN transform is mandatory when creating ESP or AH SAs.
For additional information, see the IPSec Reference.
second alternative is rarely useful for the initiator: it means that using normal sequence numbers is not
acceptable (so if the responder does not support ESNs, the exchange will fail with
NO_PROPOSAL_CHOSEN.
Enabling the esn command is the equivalent of sending ESN Transform = 0 and 1; support both 32-bit and
64-bit sequence numbers. If the esn command is not enabled, support only 32-bit sequence numbers (default
behavior).
Including the ESN transform is mandatory when creating ESP or AH SAs.
For additional information, see the IPSec Reference.
Important:
ESN is only supported on ASR 5500 and ASR 9000 Virtualized Services Modules (VSMs). It is not
supported on the ASR 5000 or VPC-SI.
Example