Cisco Packet Data Gateway (PDG)
SecGW Service Creation
WSG Service Configuration
SecGW Administration Guide, StarOS Release 18
Deployment Mode
A given instance of the WSG service supports either Remote Access tunnels or Site-to-Site tunnels, not both. In the WSG
Configuration mode, the following command specifies the deployment mode:
deployment-mode { remote-access | site-to-site }
Important:
There is no default deployment mode. You must configure the deployment mode as either remote-access or site-to-site
before binding the service. If no deployment mode has been specified, the bind address command fails with an error
message.
Access List
A WSG service that supports Remote Access tunnels should bind to an access list whose destination IP is a single host
address: the prefix length should be 32 for IPv4 and 128 for IPv6. For the Site-to-Site scenario, the destination can be
a subnet.
In the WSG Configuration mode, the following command sequence specifies the desired IPv4 access groups or address
pools:
ip { access-group acl_list_name | address { alloc-method { dhcp-proxy | local } | pool name pool_name } }
In the WSG Configuration mode, the following command sequence specifies the desired IPv6 access groups or prefix
pools:
ipv6 { access-group acl_list_name | address prefix-pool pool_name }
Important:
Remote Access (RA) tunnels require address pools that can be specified under the service.
The dhcp command in the WSG service specifies the DHCPv4 context and service name to be used when the IP address
allocation method is set to dhcp-proxy. That allocation method is selected with the ip address alloc-method dhcp-proxy
command. See
Duplicate Session Detection
The duplicate-session-detection command enables or disables the restriction of one IKE-SA per remote IKE-ID. When
enabled, a new session request from an IKE-ID that already has a tunnel overwrites the existing tunnel. For a complete
description of this feature, refer to the IPSec Reference.
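The following is an added example, not Cisco code: a small model of the one-IKE-SA-per-IKE-ID rule described above. IKE-SAs are kept in a table keyed by remote IKE-ID; with detection enabled a new request from an IKE-ID that already has a tunnel replaces it, and with detection disabled both SAs coexist. The IkeSa/IkeSaTable names and the sample IKE-IDs and SPIs are assumptions made for the illustration.

```python
"""Model of duplicate-session-detection behaviour (added example, not StarOS code)."""
from dataclasses import dataclass, field


@dataclass
class IkeSa:
    """One established IKE-SA, identified by the remote IKE-ID and its SPI."""
    ike_id: str      # remote IKE identity (for example an FQDN or key-id)
    peer_addr: str   # remote tunnel endpoint address
    spi: int         # initiator SPI, used here only to tell SAs apart


@dataclass
class IkeSaTable:
    """Active IKE-SAs for one WSG service, grouped by remote IKE-ID."""
    duplicate_session_detection: bool = True
    _by_id: dict = field(default_factory=dict)  # ike_id -> list[IkeSa]

    def establish(self, sa: IkeSa) -> list:
        """Install a newly authenticated IKE-SA.

        Returns the SAs torn down as a result: with detection enabled, every
        existing SA for the same IKE-ID is overwritten by the new one; with it
        disabled nothing is torn down and the SAs accumulate.
        """
        existing = self._by_id.setdefault(sa.ike_id, [])
        torn_down = []
        if self.duplicate_session_detection and existing:
            torn_down = list(existing)
            existing.clear()
        existing.append(sa)
        return torn_down

    def active(self, ike_id: str) -> list:
        """Return the SAs currently active for a remote IKE-ID."""
        return list(self._by_id.get(ike_id, []))


if __name__ == "__main__":
    # Constructed scenario: a peer re-connects (e.g. after a reboot) before
    # its old SA has been deleted, presenting the same IKE-ID.
    table = IkeSaTable(duplicate_session_detection=True)
    table.establish(IkeSa("enodeb-17.example.net", "192.0.2.17", spi=0x1001))
    replaced = table.establish(IkeSa("enodeb-17.example.net", "192.0.2.17", spi=0x1002))
    print("torn down:", [hex(s.spi) for s in replaced])
    print("active:", [hex(s.spi) for s in table.active("enodeb-17.example.net")])
```

Because the overwrite happens only after the new request authenticates, the rule removes stale tunnels left by a rebooted peer without letting an unauthenticated party knock an existing tunnel down.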
Peer List
The peer-list command configures a SecGW to initiate an IKEv2 session setup request when the peer does not initiate
a setup request within a specified time interval. For a complete description of this feature, refer to the IPSec Reference.
Pre-fragment MTU
You can specify the Maximum Transmission Unit (MTU) size (576 to 2048 bytes, default 1400) above which this WSG service
fragments clear (not yet encrypted) packets before they enter the tunnel, so that the resulting ESP packets do not have
to be fragmented after encryption.
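As an added example (not Cisco code), the check below validates a WSG service description against the rules stated in this section before it would be bound: a deployment mode must be set, a Remote Access service must use host-route destinations (/32 or /128) and carry an address pool, dhcp-proxy allocation needs a DHCPv4 service, and the pre-fragment MTU must fall within 576 to 2048. The service is modelled as a plain dictionary; the key names, the function names and the sample services are assumptions made for the illustration and are not StarOS syntax.

```python
"""Validator for the WSG service rules in this section (added example, not StarOS code)."""
import ipaddress

# Limits and default taken from the Pre-fragment MTU description above.
MTU_MIN, MTU_MAX, MTU_DEFAULT = 576, 2048, 1400


def check_acl_destination(dest: str, deployment_mode: str) -> list:
    """Return problems with one ACL destination for the given deployment mode.

    Remote Access requires a single host (/32 IPv4, /128 IPv6); Site-to-Site
    may use a subnet, so any valid prefix passes.
    """
    net = ipaddress.ip_network(dest, strict=False)
    host_len = 32 if net.version == 4 else 128
    if deployment_mode == "remote-access" and net.prefixlen != host_len:
        return [f"remote-access destination {dest} must be a single host (/{host_len})"]
    return []


def validate_wsg_service(svc: dict) -> list:
    """Return a list of configuration errors; an empty list means the service is bindable."""
    errors = []
    mode = svc.get("deployment_mode")
    if mode not in ("remote-access", "site-to-site"):
        # No default exists; bind would fail, and the remaining checks depend on the mode.
        errors.append("deployment-mode must be remote-access or site-to-site before bind")
        return errors
    for dest in svc.get("acl_destinations", []):
        errors.extend(check_acl_destination(dest, mode))
    if mode == "remote-access" and not (svc.get("ip_pool") or svc.get("ipv6_prefix_pool")):
        errors.append("remote-access service needs an ip address pool or ipv6 prefix-pool")
    if svc.get("alloc_method") == "dhcp-proxy" and not svc.get("dhcp_service"):
        errors.append("alloc-method dhcp-proxy requires a DHCPv4 context/service (dhcp command)")
    mtu = svc.get("pre_fragment_mtu", MTU_DEFAULT)
    if not MTU_MIN <= mtu <= MTU_MAX:
        errors.append(f"pre-fragment mtu {mtu} outside {MTU_MIN}-{MTU_MAX}")
    return errors


# Constructed sample services (hypothetical, not from a real deployment).
RA_OK = {
    "deployment_mode": "remote-access",
    "acl_destinations": ["192.0.2.10/32", "2001:db8::10/128"],
    "ip_pool": "ra-pool-v4",
    "pre_fragment_mtu": 1400,
}
RA_BAD = {
    "deployment_mode": "remote-access",
    "acl_destinations": ["192.0.2.0/24"],   # subnet, not a host route
    "alloc_method": "dhcp-proxy",           # but no dhcp_service configured
    "pre_fragment_mtu": 9000,               # outside the allowed range
}
S2S_OK = {
    "deployment_mode": "site-to-site",
    "acl_destinations": ["198.51.100.0/24"],  # subnets are allowed here
}
UNBOUND = {"acl_destinations": ["192.0.2.10/32"]}  # deployment mode never set


if __name__ == "__main__":
    for name, svc in [("RA_OK", RA_OK), ("RA_BAD", RA_BAD), ("S2S_OK", S2S_OK), ("UNBOUND", UNBOUND)]:
        print(name, validate_wsg_service(svc) or "ok")
```

The mode check returns early on purpose: the guide says bind fails outright without a deployment mode, and the host-route and pool rules only make sense once the mode is known.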