Cisco Packet Data Gateway (PDG)
SecGW Changes in Release 17
SecGW Enhancements for 17.0
Release Change Reference, StarOS Release 17
By default SecGW (WSG service) only responds to a setup request for an IKEv2 session. However, an SecGW can also
be configured to initiate an IKEv2 session setup request when the peer does not initiate a setup request within a
specified time interval.
Previous Behavior: By default SecGW only responds to an IKE setup request for an IKEv2 session.
New Behavior: An SecGW can now be configured to initiate an IKEv2 session setup request when the peer does not
initiate a setup request within a specified time interval.
The following is the general event sequence for an SecGW acting as an initiator.
1. The SecGW waits for the peer to initiate a tunnel within a configurable time interval during which it is in
responder mode. The default responder mode interval is 10 seconds.
2. Upon expiry of the responder mode timer, the SecGW switches to initiator mode for a configurable time interval.
The default initiator mode interval is 10 seconds.
3. The SecGW retries the call if there is no response from the peer during the initiator mode interval.
4. When the SecGW is in initiator mode and the peer does not respond to the IKE messages or fails to establish the
call, SecGW reverts to responder mode and waits for the peer to initiate the IKEv2 session.
5. If call creation is successful, the SecGW stops initiating any further calls to that peer.
6. If the SecGW and peer initiate a session call simultaneously (possible collision), the SecGW defers to the peer
initiated call and drops any incoming packets.
When the SecGW as initiator feature is enabled, the SecGW only supports up to 1,000 peer addresses. This restriction is
applied when configuring a crypto peer list.
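As an added illustration that is not part of the Cisco documentation, the following Python model walks through the responder/initiator mode timers of steps 1 through 6 above and the 1,000-address peer-list limit, using the default 10-second intervals; the class and function names are hypothetical and the addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

MAX_PEERS = 1000  # peer-address limit stated for the SecGW-as-initiator feature


def build_peer_list(family, addresses):
    """Hypothetical check mirroring the crypto peer-list constraints: one address
    family (ipv4 | ipv6), repeated addresses collapsed, at most 1,000 entries."""
    version = {"ipv4": 4, "ipv6": 6}[family]
    peers = []
    for text in addresses:
        addr = ipaddress.ip_address(text)          # raises ValueError on malformed input
        if addr.version != version:
            raise ValueError(f"{text} is not an {family} address")
        if addr not in peers:
            peers.append(addr)
    if len(peers) > MAX_PEERS:
        raise ValueError(f"peer list exceeds {MAX_PEERS} addresses")
    return peers


@dataclass
class PeerTunnelState:
    """Per-peer mode timer modelling steps 1-6 of the event sequence (hypothetical)."""
    responder_interval: float = 10.0   # default responder-mode interval, seconds
    initiator_interval: float = 10.0   # default initiator-mode interval, seconds
    mode: str = "responder"            # step 1: start by waiting for the peer
    mode_started: float = 0.0
    established: bool = False
    initiations: int = 0               # setup requests the SecGW itself has sent

    def advance(self, now):
        """Apply timer expiry at time `now` and return the resulting mode."""
        if self.established:
            return "established"       # step 5: no further calls once the tunnel is up
        elapsed = now - self.mode_started
        if self.mode == "responder" and elapsed >= self.responder_interval:
            # step 2: responder timer expired, switch to initiator mode and send a request
            self.mode, self.mode_started, self.initiations = "initiator", now, self.initiations + 1
        elif self.mode == "initiator" and elapsed >= self.initiator_interval:
            # step 4: no answer within the initiator interval, revert to responder mode;
            # the retry of step 3 happens when the responder timer expires again
            self.mode, self.mode_started = "responder", now
        return self.mode

    def peer_initiates(self, now):
        """Peer sends its own setup request; step 6: on collision the SecGW defers to it."""
        collided = self.mode == "initiator"
        self.mode, self.mode_started = "responder", now
        return "deferred" if collided else "accepted"

    def call_established(self):
        self.established = True        # step 5: stop initiating calls to this peer
```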
The following is the general sequence for configuring this feature:
Create a crypto peer-list
Configure the Peer List in the WSG Service
Configure Initiator Mode and Responder Mode Durations
See the Security Gateway as Initiator chapter of the IPSec Reference for additional information on this feature.
Command Changes
crypto peer-list
Creating a crypto peer list enables WSG as IKEv2 Initiator. The CLI command sequence for creating a crypto peer list
is shown below.
configure
  context context_name
    crypto peer-list { ipv4 | ipv6 } peer_list_name
      address peer_address
      exit
Notes:
Repeat the address peer_address command to add up to 1,000 peer IP addresses.
Use the no address peer_address command to remove a peer address from the peer list.
peer-list