Cisco Packet Data Gateway (PDG) Release Notes
ePDG Changes in Release 15.0
ePDG Enhancements for September 30, 2013
Cisco ASR 5x00 Release Change Reference
The StarOS IKEv2 stack currently complies with RFC 4306. In Release 15.0, the StarOS IKEv2 stack is enhanced to comply with the newer version of the IKEv2 specification, RFC 5996.
config
   context context_name
      crypto template crypto_map_name ikev2-dynamic ikev2-ikesa policy use-rfc5996-notification
RFC 5996 Support - CHILD SA Rekey Changes
According to RFC 5996, when a CHILD SA is rekeyed the traffic selectors and algorithms match the ones negotiated when the CHILD SA was set up. ePDG is enhanced so that it does not send any new parameters in CREATE_CHILD_SA for a CHILD SA being rekeyed. However, ePDG does not enforce this restriction on the peer. This is done to minimize the impact on IOTs (interoperability testing) with existing peer vendor products, which may not comply with RFC 5996.
config
   context context_name
      crypto template name ikev2-dynamic ikev2-ikesa rekey disallow-param-change
RFC 5996 Support - HTTP_LOOKUP in CERTREQ
RFC 5996 mandates that support for sending and receiving the HTTP method for hash-and-URL lookup with CERT/CERTREQ payloads be configurable. If configured, and if the peer requests the CERT with the encoding type "Hash and URL of X.509 certificate" and sends HTTP_CERT_LOOKUP_SUPPORTED in a Notify payload in the first IKE_AUTH, the ASR shall send the URL in the CERT payload instead of the entire certificate. If not configured and a CERTREQ is received with the encoding type "Hash and URL of X.509 certificate", ePDG shall respond with the entire certificate, as it did in release 14.1, even if the peer sent HTTP_CERT_LOOKUP_SUPPORTED.
config
   certificate name cert_name pem data pem_data private-key pem encrypted data pem_data cert-enc cert-hash-url url url
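The following is an added example, not StarOS code, that models the hash-and-URL behaviour described above: the decision of when the URL form is sent, the layout of a Hash-and-URL CERT payload (RFC 5996 section 3.6), and the check a receiver must make on the certificate it fetches over HTTP. The payload type values and the notify number are taken from RFC 5996; the sample certificate bytes and URL are constructed.

```python
import hashlib
import hmac
import struct

# Constants from RFC 5996 (sections 3.6 and 3.10.1), not from the release note itself.
CERT_ENCODING_HASH_AND_URL = 12       # "Hash and URL of X.509 certificate"
HTTP_CERT_LOOKUP_SUPPORTED = 16392    # notify type the peer sends in the first IKE_AUTH
SHA1_LEN = 20

def responder_sends_url(configured: bool, certreq_encoding: int, peer_notifies: set) -> bool:
    """The decision the release note describes: the URL form is sent only when the
    responder is configured for it, the CERTREQ asked for encoding 12 and the peer
    announced HTTP_CERT_LOOKUP_SUPPORTED; otherwise the whole certificate is sent."""
    return (configured and certreq_encoding == CERT_ENCODING_HASH_AND_URL
            and HTTP_CERT_LOOKUP_SUPPORTED in peer_notifies)

def build_hash_and_url_cert(cert_der: bytes, url: str, next_payload: int = 0) -> bytes:
    """CERT payload: generic header (next payload, flags, length), encoding octet,
    then the 20-octet SHA-1 of the DER certificate followed by the URL."""
    data = hashlib.sha1(cert_der).digest() + url.encode("ascii")
    length = 4 + 1 + len(data)          # header + encoding octet + data
    return struct.pack("!BBHB", next_payload, 0, length, CERT_ENCODING_HASH_AND_URL) + data

def parse_hash_and_url_cert(payload: bytes) -> dict:
    """Parse a CERT payload, rejecting anything that is not a well-formed Hash-and-URL entry."""
    if len(payload) < 5 + SHA1_LEN:
        raise ValueError("CERT payload too short for a Hash-and-URL entry")
    _next, _flags, length, encoding = struct.unpack("!BBHB", payload[:5])
    if length != len(payload):
        raise ValueError("payload length field disagrees with actual length")
    if encoding != CERT_ENCODING_HASH_AND_URL:
        raise ValueError(f"unexpected certificate encoding {encoding}")
    url = payload[5 + SHA1_LEN:].decode("ascii")
    if not url.startswith("http://"):    # HTTP is the lookup method RFC 5996 requires
        raise ValueError("only HTTP URLs are accepted for hash-and-URL lookup")
    return {"hash": payload[5:5 + SHA1_LEN], "url": url}

def fetched_cert_matches(parsed: dict, fetched_der: bytes) -> bool:
    """The HTTP fetch is unauthenticated: the fetched DER is usable only if it hashes to
    the value in the peer's CERT payload, otherwise a tampered response would be
    treated as the peer's certificate."""
    return hmac.compare_digest(hashlib.sha1(fetched_der).digest(), parsed["hash"])

# Constructed sample: a stand-in byte string, not a real DER certificate, and an example URL.
SAMPLE_CERT_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_URL = "http://certs.example.com/epdg-cert.der"
```

The parser deliberately accepts only the Hash-and-URL encoding; a receiver that is not configured for hash-and-URL lookup would instead expect the full certificate, as the release note describes for release 14.1 behaviour.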
ePDG Command Changes as of September 30, 2013
This section provides information on system-level command changes in release 15.0.
Important: For more information regarding commands in this section, refer to the Command Line Interface Reference for this release.
New ePDG Commands
This section identifies new ePDG commands available in release 15.0.
no allow duplicate-prec-in-tft