Cisco Packet Data Gateway (PDG)
SecGW Changes in Release 17
SecGW Enhancements for 17.0
Release Change Reference, StarOS Release 17
CSCum81454 - CLI to support Allow one tunnel per remote IKE_ID feature
Applicable Products: SecGW (WSG Service)
Feature Changes
Duplicate Session Detection
RFC 5996 does not restrict the creation of multiple IKE SAs having the same remote IKE_ID (not necessarily from the
same peer). The remote IKE_ID specifies the remote peer ID: IDi when the gateway is the responder, and IDr when the
gateway is the initiator. In such implementations, a new IKE_SA is created for every IKE_SA_INIT/IKE_AUTH
exchange, unless INITIAL_CONTACT is indicated. If an IKE_AUTH is received with INITIAL_CONTACT, the
node is expected to delete all IKE_SAs having the same authenticated identity.
When enabled via the StarOS duplicate-session-detection command in a WSG service, only one IKE_SA is allowed
per remote IKE_ID. This feature is supported for WSG service, both RAS (Remote Access Service) and S2S (Site-to-
Site) tunnel types.
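The following Python model is an added example, not Cisco code or StarOS output. It replays constructed IKE_AUTH events against an IKE_SA table to contrast the RFC 5996 default, INITIAL_CONTACT handling, and the one-IKE_SA-per-remote-IKE_ID rule. The class and function names, peer addresses and identities are hypothetical, and the choice that a new IKE_SA replaces the existing one when detection is enabled is an assumption, since this page only states that one IKE_SA is allowed per remote IKE_ID.

```python
from dataclasses import dataclass, field
from itertools import count

@dataclass
class IkeSa:
    sa_id: int
    peer_addr: str
    remote_ike_id: str

@dataclass
class Gateway:
    # Models the WSG service setting; disabled by default, as on the page.
    duplicate_session_detection: bool = False
    sas: list = field(default_factory=list)
    _ids: count = field(default_factory=lambda: count(1))

    def on_ike_auth(self, peer_addr, idi, idr, gateway_is_responder=True,
                    initial_contact=False):
        # Remote IKE_ID: IDi when the gateway responds, IDr when it initiates.
        remote_id = idi if gateway_is_responder else idr
        # INITIAL_CONTACT deletes every IKE_SA with the same authenticated identity.
        # ASSUMPTION: with detection enabled, the new IKE_SA replaces the old one.
        if initial_contact or self.duplicate_session_detection:
            self.sas = [sa for sa in self.sas if sa.remote_ike_id != remote_id]
        sa = IkeSa(next(self._ids), peer_addr, remote_id)
        self.sas.append(sa)
        return sa

    def duplicates(self):
        """Map each remote IKE_ID holding more than one IKE_SA to its SA ids."""
        by_id = {}
        for sa in self.sas:
            by_id.setdefault(sa.remote_ike_id, []).append(sa.sa_id)
        return {k: v for k, v in by_id.items() if len(v) > 1}

def replay(events, detection):
    """Feed constructed IKE_AUTH events to a fresh gateway model."""
    gw = Gateway(duplicate_session_detection=detection)
    for ev in events:
        gw.on_ike_auth(**ev)
    return gw

# Constructed sample: one IDi arriving from two peer addresses, plus a second ID.
EVENTS = [
    dict(peer_addr="192.0.2.10", idi="enb-001@example.net", idr="secgw.example.net"),
    dict(peer_addr="192.0.2.77", idi="enb-001@example.net", idr="secgw.example.net"),
    dict(peer_addr="192.0.2.20", idi="enb-002@example.net", idr="secgw.example.net"),
]
print(replay(EVENTS, detection=False).duplicates())
print(replay(EVENTS, detection=True).duplicates())
```

The duplicates() check can also serve as an audit over an exported IKE_SA list to see which identities would be affected before the feature is enabled.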
Command Changes
duplicate-session-detection
This new CLI command enables duplicate session detection.
configure
   context wsg_ctx_name
      wsg-service wsg_srvc_name
         duplicate-session-detection
         [ no ] duplicate-session-detection
         end
Notes:
wsg_ctx_name is the StarOS context associated with a WSG service.
wsg_srvc_name is the name of the WSG service in the current context that you want to configure for duplicate
session detection.
For more information on parameters, refer to the WSG Service Configuration Mode Commands chapter in the
Command Line Interface Reference.
By default, duplicate session detection is disabled.
Performance Indicator Changes
show wsg-service all
The output of this command will include the following parameter: