Cisco Packet Data Gateway (PDG)
Security Gateway as Initiator
IPSec Reference, StarOS Release 17
Overview
By default SecGW (WSG service) only responds to a setup request for an IKEv2 session. However, an SecGW can also
be configured to initiate an IKEv2 session setup request when the peer does not initiate a setup request within a
specified time interval.
Important: This functionality is only applicable for site-to-site (S2S) based tunnels within a WSG service. For remote access tunnels the peer is always the initiator.
Responder-Initiator Sequence
The following is the general event sequence for an SecGW acting as an initiator.
1. The SecGW waits for the peer to initiate a tunnel within a configurable time interval during which it is in responder mode. The default responder mode interval is 10 seconds.
2. Upon expiry of the responder mode timer, the SecGW switches to initiator mode for a configurable time interval. The default initiator mode interval is 10 seconds.
3. The SecGW retries the call if there is no response from the peer during the initiator mode interval.
4. When the SecGW is in initiator mode and the peer does not respond to the IKE messages or fails to establish the call, SecGW reverts to responder mode and waits for the peer to initiate the IKEv2 session.
5. If call creation is successful, the SecGW stops initiating any further calls to that peer.
6. If the SecGW and peer initiate a session call simultaneously (possible collision), the SecGW defers to the peer initiated call and drops any incoming packets.
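The sequence above is a per-peer state machine driven by two timers. The following model, added here as an illustration and not StarOS code, steps that machine one second at a time against a constructed peer script; the 10-second intervals come from the text, while the retry cadence (RETRY_INTERVAL), the event names and the peer script are assumptions.

```python
from dataclasses import dataclass, field

RESPONDER_INTERVAL = 10   # default responder mode interval from the text (seconds)
INITIATOR_INTERVAL = 10   # default initiator mode interval from the text (seconds)
RETRY_INTERVAL = 2        # ASSUMPTION: the text gives no retry cadence

@dataclass
class PeerState:
    mode: str = "responder"      # "responder" or "initiator"
    mode_started: int = 0        # tick at which the current mode began
    last_sent: int = -1          # tick of the last IKE_SA_INIT the SecGW sent
    established: bool = False
    events: list = field(default_factory=list)   # (tick, description) trace

def tick(st: PeerState, now: int, peer_initiates=False, peer_responds=False):
    """Apply one 1-second tick of the responder/initiator cycle for one peer."""
    if st.established:            # step 5: no further calls once the tunnel is up
        return st
    if peer_initiates:            # step 1; in initiator mode this is the step 6 collision
        if st.mode == "initiator":
            st.events.append((now, "collision: defer to peer, drop own exchange"))
        st.established = True
        st.events.append((now, "established (peer-initiated)"))
        return st
    if st.mode == "responder":
        if now - st.mode_started >= RESPONDER_INTERVAL:   # step 2: timer expired
            st.mode, st.mode_started = "initiator", now
            st.last_sent = now
            st.events.append((now, "initiator mode: send IKE_SA_INIT"))
        return st
    # initiator mode
    if peer_responds:             # the SecGW-initiated call succeeded
        st.established = True
        st.events.append((now, "established (SecGW-initiated)"))
    elif now - st.mode_started >= INITIATOR_INTERVAL:     # step 4: give up, go back
        st.mode, st.mode_started = "responder", now
        st.events.append((now, "no response: revert to responder mode"))
    elif now - st.last_sent >= RETRY_INTERVAL:            # step 3: retry the call
        st.last_sent = now
        st.events.append((now, "retry IKE_SA_INIT"))
    return st

def simulate(peer_script: dict, seconds: int) -> PeerState:
    """Run the cycle for `seconds` ticks; peer_script maps tick -> 'initiate' | 'respond'."""
    st = PeerState()
    for now in range(seconds):
        action = peer_script.get(now)   # constructed peer behaviour, None = silent
        tick(st, now, peer_initiates=(action == "initiate"), peer_responds=(action == "respond"))
    return st
```

With a silent peer the model alternates 10 seconds of responder mode and 10 seconds of initiator mode indefinitely, which is the behaviour to expect in a trace when a peer is misconfigured or unreachable.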
When the SecGW as initiator feature is enabled, the SecGW only supports up to 1,000 peer addresses. This restriction is
applied when configuring a crypto peer list. See
Limitations
The following limitations apply when the SecGW as initiator feature is enabled:
The SecGW will only support up to 1,000 peers. This restriction is applied when configuring a crypto peer list.
SecGW will not support the modification of an IPv4/IPv6 peer list on the fly (call sessions in progress). The modification will be allowed only after all the calls are removed.
The SecGW does support wild card peer address provisioning along with subnets.