Cisco Packet Data Gateway (PDG)
Crypto Templates
IPSec Reference, StarOS Release 16
Crypto Template Parameters
A crypto template requires the configuration of the following parameters:
allow-cert-enc cert-hash-url – Enables support for a certificate enclosure type other than the default.
allow-custom-fqdn-idr – Allows non-standard FQDN (Fully Qualified Domain Name) strings in the IDr (Identification - Responder) payload of IKE_AUTH messages received from the UE with the payload type as FQDN.
authentication – Configures the gateway and subscriber authentication methods to be used by this crypto template.
blacklist – Enables use of a blacklist file.
ca-certificate list – Binds an X.509 Certificate Authority (CA) root certificate to a crypto template.
ca-crl list – Binds one or more Certificate Authority-Certificate Revocation Lists (CA-CRLs) to this crypto template.
certificate – Binds a single X.509 trusted certificate to a crypto template.
control-dont-fragment – Controls the Don't Fragment (DF) bit in the outer IP header of the IPSec tunnel data packet.
dns-handling – Adds a custom option to define the ways a DNS address is returned based on prescribed circumstances described below.
dos cookie-challenge notify-payload – Configures the cookie challenge parameters for IKEv2 INFO Exchange notify payloads for the given crypto template.
identity local – Configures the identity of the local IPSec Client (IKE ID).
ikev2-ikesa – Configures parameters for the IKEv2 IKE Security Associations within this crypto template.
keepalive – Configures keepalive or dead peer detection for security associations used within this crypto template.
max-childsa – Defines a soft limit for the number of child Security Associations (SAs) per IKEv2 policy.
nai – Configures the Network Access Identifier (NAI) parameters to be used for the crypto template IDr (recipient's identity).
natt – Configures Network Address Translation - Traversal (NAT-T) for all security associations associated with this crypto template. This feature is disabled by default.
ocsp – Enables Online Certificate Status Protocol (OCSP) requests from the crypto map/template.
payload – Creates a new, or specifies an existing, crypto template payload and enters the Crypto Template Payload Configuration Mode.
peer network – Configures a list of allowed peer addresses on this crypto template.
remote-secret-list – Configures the remote secret list.
whitelist – Enables use of a whitelist file.