Cisco Packet Data Interworking Function (PDIF)
Crypto Templates
IPSec Reference, StarOS Release 18
Configuring a Crypto Template
The general command sequence for configuring a crypto template is as follows.
configure
context ctxt_name
crypto template template_name ikev2-dynamic
allow-cert-enc cert-hash-url
allow-custom-fqdn-idr
authentication { eap-profile name [ second-phase eap-profile name ] |
    local { certificate | pre-shared-key { encrypted key value | key clear_text } } |
    pre-shared-key { encrypted key value | key clear_text [ second-phase eap-profile name ] } |
    remote { certificate | eap-profile name [ second-phase eap-profile name ] |
        pre-shared-key { encrypted key value | key clear_text [ second-phase eap-profile name ] } } }
blacklist
ca-certificate list ca-cert-name name [ ca-cert-name name ]
ca-crl list ca-crl-name name [ ca-crl-name name ]
certificate name
control-dont-fragment { clear-bit | copy-bit | set-bit }
dns-handling { custom | normal }
dos cookie-challenge notify-payload [ half-open-sess-count { start integer | stop integer } ]
identity local id-type type id name
ikev2-ikesa { allow-empty-ikesa | cert-sign { pkcs1.5 | pkcs2.0 } |
    ignore-notify-protocol-id | ignore-rekeying-requests | keepalive-user-activity |
    max-retransmissions number |
    policy { congestion-rejection [ notify-status-value ] |
        error-notification [ invalid-major-version ] [ invalid-message-id [ invalid-major-version | invalid-syntax ] ] |
        invalid-syntax [ invalid-major-version ] } |
    rekey | retransmission-timeout msec | setup-timer sec |
    transform-set list name1 name2 name3 name4 name5 name6 }
keepalive [ interval sec ]
max-childsa number [ overload action { ignore | terminate } ]
nai { idr name [ id-type { der-asn1-dn | der-asn1-gn | fqdn | ip-addr | key-id | rfc822-addr } ] | use-received-idr }
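A worked template that strings the commands above together, added here as an example and not taken from the Cisco reference. Every name in it (context pdif, template ue-ikev2, certificate pdif-cert, CA list OperatorCA, CRL list OperatorCA-CRL, EAP profile eap-aka-subs, transform set ikesa-aes256-sha256, FQDN pdif.example.net) and every threshold is a placeholder; the certificate, CRL, EAP profile and transform set objects are assumed to be configured elsewhere in the context. The pattern is the usual access-gateway one: the gateway proves its identity to the UE with a certificate, the UE is authenticated by EAP, the IKEv2 cookie challenge is armed against IKE_SA_INIT floods, and the number of child SAs a single IKE SA may hold is capped.

```cisco
configure
  context pdif
    crypto template ue-ikev2 ikev2-dynamic
      # Gateway authenticates with its certificate; subscribers authenticate
      # through the EAP profile (placeholder name, defined elsewhere).
      authentication local certificate
      authentication remote eap-profile eap-aka-subs
      # Gateway certificate, trusted CA list and CRL list (placeholder names).
      certificate pdif-cert
      ca-certificate list ca-cert-name OperatorCA
      ca-crl list ca-crl-name OperatorCA-CRL
      # Accept peer certificates sent as hash-and-URL (RFC 7296 section 3.6).
      allow-cert-enc cert-hash-url
      # Identity the gateway places in its ID payload (placeholder FQDN).
      identity local id-type fqdn id pdif.example.net
      # Cookie challenge: start challenging new initiators once half-open
      # IKE SAs exceed 1000, stop once they drop below 500 (placeholder values).
      dos cookie-challenge notify-payload half-open-sess-count start 1000 stop 500
      # IKE SA proposals (placeholder transform set) and retransmission limits.
      ikev2-ikesa transform-set list ikesa-aes256-sha256
      ikev2-ikesa max-retransmissions 5
      ikev2-ikesa retransmission-timeout 5000
      ikev2-ikesa setup-timer 60
      # Dead-peer detection interval in seconds, and a hard cap on child SAs
      # per IKE SA; terminate the IKE SA instead of silently ignoring overflow.
      keepalive interval 30
      max-childsa 2 overload action terminate
      # Use the IDr the initiator asked for rather than a fixed NAI.
      nai use-received-idr
      # Copy the inner packet's DF bit to the outer ESP header.
      control-dont-fragment copy-bit
    exit
  exit
end
```

The two `dos cookie-challenge` thresholds are the only knobs here that change behaviour under attack: below the start value the gateway answers every IKE_SA_INIT with full state allocation, so set the start value well below the point at which half-open IKE SAs exhaust memory on the card, and keep the stop value far enough under it that the challenge does not flap during a sustained flood.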