для Cisco Cisco Packet Data Gateway (PDG)
If a DER encoded IKE-ID contains a common name, the common name is sent as the client-id. The
common name is limited to 64 characters to comply with the X.509 ASN.1 specification.
common name is limited to 64 characters to comply with the X.509 ASN.1 specification.
Important
StarOS also needs an IP pool to setup flows for the range of addresses which may be assigned by the DHCP
server. Without the IP pool definition, the tunnel is setup but does not pass traffic. The IP pool must be defined
in either the WSG or DHCP context. See the sample configuration below.
server. Without the IP pool definition, the tunnel is setup but does not pass traffic. The IP pool must be defined
in either the WSG or DHCP context. See the sample configuration below.
configure
context dhcp
ip pool p1v4 35.35.34.0 255.255.255.0 public 0
Characteristics and Limitations
The following factors characterize WSG service configuration:
• A WSG service configuration has precedence over the equivalent configuration in subscriber mode or
the template payload.
• Any changes made to a WSG service require that the service be restarted to apply any changed parameters.
You restart the service by unbinding and binding the IP address to the service context.
• Up to 16 named IPv4 pools can be configured. The list is sorted, and the addresses are allocated from
the first pool in the list with available addresses.
• Multiple IPv6 pools can be configured.
• Multiple IPv4 and IPv6 ACLs can be configured under the context but only one ACL list is allowed
under WSG service.
• IPv4 pools are only used for IPv4 calls; IPv6 pools are only used for IPv6 calls.
Lookup Priority
The Wireless Security Gateway Lookup Priority List Configuration Mode is used to set the priority (1–6) of
subnet combinations for site-to-site tunnels.
subnet combinations for site-to-site tunnels.
The following command sequence sets the lookup priority:
config
config
wsg-lookup
priority priority_level source-netmask subnet_size destination netmask subnet_size
For the packet lookup to work optimally, the top bits in the negotiated TSi for all the tunnels should be unique.
The top number of bits that must be unique is equal to the lowest "destination-netmask" configured under all
lookup priorities.
The top number of bits that must be unique is equal to the lowest "destination-netmask" configured under all
lookup priorities.
For example, if the lowest destination-netmask configured under any priority is 16:
priority 1 source-netmask 20 destination-netmask 18
priority 2 source-netmask 22 destination-netmask 16
priority 2 source-netmask 22 destination-netmask 16
A valid set of traffic selectors for the configured set of lookup priorities would be:
IPSec Tunnel 1: 10.11.1.0(tsi) - 20.20.1.0(tsr)
IPSec Tunnel 2: 10.10.2.0(tsi) - 20.20.2.0(tsr)
An invalid set of traffic selectors would be:
SecGW Administration Guide, StarOS Release 19
22
SecGW Service Creation
Lookup Priority