Cisco Cisco Packet Data Gateway (PDG)
encrypted secret enc_secret
| secret secret
Configures the shared-secret between the HA service and the FA. The secret can be either encrypted or
non-encrypted.
non-encrypted.
encrypted secret enc_secret: Specifies the encrypted shared key between the HA service and the FA. enc_secret
must be an alphanumeric string of 1 through 236 characters that is case sensitive.
must be an alphanumeric string of 1 through 236 characters that is case sensitive.
secret secret: Specifies the shared key between the HA service and the FA. secret must be an alphanumeric
string of 1 through 236 characters that is case sensitive.
string of 1 through 236 characters that is case sensitive.
allow-fa-ha-auth-extension
Allows validation of FA HA Authentication extension.
description string
This is a description for the SPI. string must be an alphanumeric string of 0 through 31 characters.
hash-algorithm { hmac-md5 | md5 | rfc2002-md5 }
Default: hmac-md5
Specifies the hash-algorithm used between the HA service and the FA.
hmac-md5: Configures the hash-algorithm to implement HMAC-MD5 per RFC 2002bis.
md5: Configures the hash-algorithm to implement MD5 per RFC 1321.
rfc2002-md5: Configures the hash-algorithm to implement keyed-MD5 per RFC 2002.
replay-protection { timestamp [ timestamp-tolerance tolerance ] | nonce }
Specifies the replay-protection scheme that should be implemented by the FA service for this SPI.
nonce: Configures replay protection to be implemented using NONCE per RFC 2002.
timestamp: Configures replay protection to be implemented using timestamps per RFC 2002.
timestamp-tolerance: Specifies the allowable difference (tolerance) in timestamps that is acceptable. If the
difference is exceeded, then the session will be rejected. tolerance is measured in seconds and can be configured
to an integer from 1 and 65535. The default is 60.
difference is exceeded, then the session will be rejected. tolerance is measured in seconds and can be configured
to an integer from 1 and 65535. The default is 60.
Usage Guidelines
An SPI is a security mechanism configured and shared by the HA service and the FA. Please refer to RFC
2002 for additional information.
2002 for additional information.
Though it is possible for FAs and HAs to communicate without SPIs being configured, the use of them is
recommended for security purposes. It is also recommended that a "default" SPI with a remote address of
0.0.0.0/0 be configured on both the HA and FA to prevent hackers from spoofing addresses.
recommended for security purposes. It is also recommended that a "default" SPI with a remote address of
0.0.0.0/0 be configured on both the HA and FA to prevent hackers from spoofing addresses.
The SPI configuration on the HA must match the SPI configuration for the FA service on the system in
order for the two devices to communicate properly.
order for the two devices to communicate properly.
Important
A maximum of 2,048 SPIs can be configured per HA service.
Use the no version of this command to delete a previously configured SPI.
Command Line Interface Reference, Modes G - H, StarOS Release 19
1255
HA Service Configuration Mode Commands
fa-ha-spi