Cisco Cisco Packet Data Interworking Function (PDIF)
• secret secret: The pre-shared secret that will be used during the IKE negotiation. preshared_secret is
the secret expressed as an alphanumeric string of 1 through 127 characters.
default { crypto map map_name [ [ encrypted ] secret secret ] }
Specifies the default crypto map to use when there is no matching crypto map configured for an HA address.
• crypto map map_name: The name of a crypto map configured in the same context that defines the IPSec
tunnel properties. map_name is the name of the crypto map expressed as an alphanumeric string of 1
through 127 characters.
through 127 characters.
• encrypted: This keyword is intended only for use by the system while saving configuration scripts. The
system displays the encrypted keyword in the configuration file as a flag that the variable following
the secret keyword is the encrypted version of the plain text secret key. Only the encrypted secret key
is saved as part of the configuration file.
the secret keyword is the encrypted version of the plain text secret key. Only the encrypted secret key
is saved as part of the configuration file.
• secret secret: The pre-shared secret that will be used during the IKE negotiation. preshared_secret is
the secret expressed as an alphanumeric string of 1 through 127 characters.
Usage Guidelines
Use this command to configure the FA-service's per-HA IPSec parameters. These dictate how the FA service
is to establish an IPSec SA with the specified HA.
is to establish an IPSec SA with the specified HA.
For maximum security, the above command should be executed for every possible HA with which the
FA service communicates.
FA service communicates.
Important
A default crypto map can also be configured using the default keyword. The default crypto map is used in the
event that the AAA server returns an HA address that is not configured as an isakmp peer-ha.
event that the AAA server returns an HA address that is not configured as an isakmp peer-ha.
For maximum security, the default crypto map should be configured in addition to peer-ha crypto maps
instead of being used to provide IPSec SAs to all HAs.
instead of being used to provide IPSec SAs to all HAs.
Important
Note that once an IPSec tunnel is established between the FA and HA for a particular subscriber, all new
Mobile IP sessions using the same FA and HA are passed over the tunnel regardless of whether or not IPSec
is supported for the new subscriber sessions. Data for existing Mobile IP sessions is unaffected.
Mobile IP sessions using the same FA and HA are passed over the tunnel regardless of whether or not IPSec
is supported for the new subscriber sessions. Data for existing Mobile IP sessions is unaffected.
Examples
The following command creates a reference for an HA with the IP address 10.2.3.4 to a crypto map named
map1:
isakmp peer-ha 10.2.3.4 crypto map map1
map1:
isakmp peer-ha 10.2.3.4 crypto map map1
The following command deletes the crypto map reference for the HA with the IP address 10.2.3.4.
no isakmp peer-ha 10.2.3.4
no isakmp peer-ha 10.2.3.4
Command Line Interface Reference, Modes E - F, StarOS Release 19
1631
FA Service Configuration Mode Commands
isakmp