Cisco Packet Data Gateway (PDG)
IKEv2 RFC 5996 Compliance
CLI Commands
IPSec Reference, StarOS Release 18
Disable Change in Rekey Parameters in CHILDSA REKEY
Disallowing changes to rekey parameters must be enabled in a crypto map or crypto template.
For a crypto map the configuration sequence is:
configure
   context ctxt_name
      crypto map template_name { ikev2-ipv4 | ikev2-ipv6 }
         ikev2-ikesa rekey disallow-param-change
For a crypto template the configuration sequence is:
configure
   context ctxt_name
      crypto template template_name ikev2-dynamic
         ikev2-ikesa rekey disallow-param-change
Refer to the Command Line Interface Reference for a complete description of these commands and their keywords.
Enable TSr Ranges
To support multiple traffic selectors, the tsr start-address command has been modified to process both IPv4 and IPv6 addresses.
configure
   context context_name
      crypto template tnplt_name ikev2-dynamic
         payload payload_name match childsa match any
            tsr start-address ipv4v6_address end-address ipv4v6_address
            end
Notes:
The configuration is restricted to a maximum of four TSrs per payload and per childsa.
Overlapping TSrs are not allowed either inside the same payload or across different payloads.
When a TSr is configured via this command, only the configured TSr will be considered for narrowing-down. For example, if one IPv4 TSr is configured, and the gateway receives an IPv6 TSr, the gateway will reject the call with a TS_UNACCEPTABLE notification.
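The constraints in the notes above can be checked against a planned TSr layout before it is entered on the gateway. The following is an added example, not Cisco code and not part of the original reference; the function names, payload names and addresses are constructed for illustration, and only the per-payload limit is modeled (not the per-childsa limit).

```python
import ipaddress
from itertools import combinations

MAX_TSR_PER_PAYLOAD = 4  # limit stated in the notes above

def parse_tsr(start, end):
    """Return (ip_version, start_int, end_int) for one TSr range."""
    s, e = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if s.version != e.version:
        raise ValueError(f"mixed address families: {start} - {end}")
    if s > e:
        raise ValueError(f"start address after end address: {start} - {end}")
    return s.version, int(s), int(e)

def check_tsr_plan(payloads):
    """payloads maps payload name -> list of (start, end). Returns a list of problems."""
    problems, ranges = [], []
    for name, tsrs in payloads.items():
        if len(tsrs) > MAX_TSR_PER_PAYLOAD:
            problems.append(f"{name}: {len(tsrs)} TSrs, limit is {MAX_TSR_PER_PAYLOAD}")
        for start, end in tsrs:
            try:
                ranges.append((name, start, end, parse_tsr(start, end)))
            except ValueError as exc:
                problems.append(f"{name}: {exc}")
    # Overlap is checked inside one payload and across payloads alike.
    for (n1, s1, e1, r1), (n2, s2, e2, r2) in combinations(ranges, 2):
        if r1[0] == r2[0] and r1[1] <= r2[2] and r2[1] <= r1[2]:
            problems.append(f"overlap: {n1} {s1}-{e1} and {n2} {s2}-{e2}")
    return problems

def unconfigured_families(payloads):
    """IP versions with no configured TSr. Per the note above, once any TSr is
    configured, a peer TSr of such a family is rejected with TS_UNACCEPTABLE."""
    have = {ipaddress.ip_address(s).version
            for tsrs in payloads.values() for s, _ in tsrs}
    return {4, 6} - have if have else set()

# Constructed sample plan: payload-b overlaps the IPv4 range of payload-a.
PLAN = {
    "payload-a": [("10.1.0.0", "10.1.255.255"), ("2001:db8:1::", "2001:db8:1::ffff")],
    "payload-b": [("10.1.128.0", "10.2.0.255")],
}

if __name__ == "__main__":
    for problem in check_tsr_plan(PLAN):
        print(problem)
    print("families that would be rejected:", unconfigured_families(PLAN))
```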