ike-config
The ike-config subelement defines a single, global Internet Key Exchange (IKE) configuration object.
Parameters
- state
- Enter the state (enabled or disabled) of the ike-config configuration element.
- Default: enabled
- Values: enabled | disabled
- ike-version
- Enter an integer value that specifies the IKE version (IKEv1 or IKEv2).
- log-level
- Enter the IKE log level; events of this level and other events deemed more critical are written to the system log.
- Default: info
- Values: emergency | critical | major | minor | warning | notice | info | trace | debug | detail
- udp-port
- Enter the UDP port used for IKEv1 protocol traffic.
- Default: 500
- Values: Min: 1025 / Max: 65535
- negotiation-timeout
- Enter the maximum interval between Diffie-Hellman message exchanges.
- Default: 15 (seconds)
- Values: Min: 1 / Max: 4294967295 (seconds)
Note:
In the event of timer expiration, the IKE initiator must restart the Diffie-Hellman exchange.
- event-timeout
- Enter the maximum time allowed for the duration of an IKEv1 event, defined as the successful establishment of an IKE or IPsec Security Association (SA).
- Default: 60 (seconds)
- Values: Min: 1 / Max: 4294967295 (seconds)
Note:
In the event of timer expiration, the IKE initiator must restart the Phase 1 (IKE SA) or Phase 2 (IPsec SA) process.
- phase1-mode
- Enter the IKE phase 1 exchange mode: aggressive or main.
- Default: main
- Values:
- aggressive—is less verbose (requiring only three messages), but less secure in providing no identity protection, and less flexible in IKE SA negotiation
- main—is more verbose, but provides greater security in that it does not reveal the identity of the IKE peers. Main mode requires six messages (3 requests and corresponding responses) to (1) negotiate the IKE SA, (2) perform a Diffie-Hellman exchange of cryptographic material, and (3) authenticate the remote peer
- phase1-dh-mode
- Enter the Diffie-Hellman group used during IKE phase 1 negotiation.
- Default: first-supported
- Values:
- dh-group1 — as initiator, propose Diffie-Hellman group 1 (768-bit primes, less secure)
- dh-group2 — as initiator, propose Diffie-Hellman group 2 (1024-bit primes, more secure)
- first-supported — as responder, use the first supported Diffie-Hellman group proposed by the initiator
Note:
The Diffie-Hellman group determines the size of the prime modulus used in the key exchange from which the symmetric session keys are derived; a larger modulus yields stronger keys.
- v2-ike-life-secs
- Enter the default IKEv2 SA lifetime in seconds.
- Default: 86400 (24 hours)
- Values: Min: 1 / Max: 4294967295 (seconds)
Note:
This global default can be overridden at the IKEv2 interface level.
- v2-ipsec-life-secs
- Enter the default IPsec SA lifetime in seconds.
- Default: 28800 (8 hours)
- Values: Min: 1 / Max: 4294967295 (seconds)
Note:
This global default can be overridden at the IKEv2 interface level.
- phase1-life-seconds
- Set the time (in seconds) proposed for IKE SA expiration during IKE Phase 1 negotiations.
- Default: 3600 (1 hour)
- Values: Min: 1 / Max: 4294967295 (seconds)
Note:
Relevant only when the Oracle Communications Session Border Controller is acting in the IKE initiator role.
- phase2-life-seconds
- Set the time (in seconds) proposed for IPsec SA expiration during IKE Phase 2 negotiations.
- Default: 28800 (8 hours)
- Values: Min: 1 / Max: 4294967295 (seconds)
Note:
Relevant only when the Oracle Communications Session Border Controller is acting in the IKE initiator role. During IKE Phase 2, the IKE initiator and responder establish the IPsec SA.
- phase2-life-seconds-max
- Set the maximum time (in seconds) accepted for IPsec SA expiration during IKE Phase 2 negotiations.
- Default: 86400 (24 hours)
- Values: Min: 1 / Max: 4294967295 (seconds)
Note:
Relevant only when the Oracle Communications Session Border Controller is acting in the IKE responder role.
- phase2-exchange-mode
- Enter the Diffie-Hellman group used during IKE Phase 2 negotiation.
- Default: phase1-group
- Values:
- phase1-group — perform a fresh Phase 2 Diffie-Hellman exchange using the same group negotiated during Phase 1
- dh-group1 — use Diffie-Hellman group 1 (768-bit primes, less secure)
- dh-group2 — use Diffie-Hellman group 2 (1024-bit primes, more secure)
- no-forward-secrecy — perform no Phase 2 Diffie-Hellman exchange and derive the IPsec SA keys from the Phase 1 keying material; compromise of the IKE SA keys then exposes every IPsec SA derived from them
Note:
During IKE Phase 2, the IKE initiator and responder establish the IPsec SA. The Diffie-Hellman group determines the size of the prime modulus used in the key exchange from which the symmetric session keys are derived.
- shared-password
- Enter the default PSK used during IKE SA authentication.
- eap-protocol
- Enter the EAP protocol used with IKEv2.
- Default: eap-radius-passthru
- Values: eap-radius-passthru
Note:
The current software delegates EAP operations to a designated RADIUS server or server group; retain the default value.
- addr-assignment
- Set the method used to assign addresses in response to an IKEv2 Configuration Payload request.
- Default: local
- Values:
- local — use local address pool
- radius-only — obtain local address from RADIUS server
- radius-local — try RADIUS server first, then local address pool
Note:
This parameter specifies the source of the returned IP address, and can be overridden at the IKE interface level.
- eap-bypass-identity
- Set whether to bypass the EAP (Extensible Authentication Protocol) identity phase.
- red-port
- Enter the port number monitored for IKEv2 synchronization messages; used in high-availability environments.
- red-max-trans
- For HA nodes, set the maximum number of retained IKEv2 synchronization messages.
- Default: 10000 (messages)
- Values: Min: 1 / Max: 4294967295 (messages)
- red-sync-start-time
- For HA nodes, set the timer value for transitioning from standby to active role — the amount of time (in milliseconds) that a standby device waits for a heartbeat signal from the active device before transitioning to the active role.
- Default: 5000 (milliseconds)
- Values: Min: 1 / Max: 4294967295 (milliseconds)
- red-sync-comp-time
- For HA nodes, set the interval between synchronization attempts after the completion of an IKEv2 redundancy check.
- Default: 1000 (milliseconds)
- Values: Min: 1 / Max: 4294967295 (milliseconds)
- dpd-time-interval
- Set the maximum period of inactivity (in seconds) before the Dead Peer Detection (DPD) protocol is initiated on a specific endpoint.
- overload-threshold
- Set the percentage of CPU usage that triggers an overload state.
- Default: 100 (disabling overload processing)
- Values: An integer from 1 to 100, and less than the value of overload-critical-threshold
- overload-interval
- Set the interval (in seconds) between CPU load measurements while in the overload state.
- Default: 1
- Values: Min: 0 / Max: 60
- overload-action
- Select the action to take when the CPU of the Oracle Communications Session Border Controller (acting as a security gateway) enters an overload state. The overload state is reached when CPU usage exceeds the percentage threshold specified by overload-threshold.
- Default: none
- Values:
- drop-new-connection—reject new connections while overloaded (call rejection)
- none—retain default behavior (no action)
- overload-critical-threshold
- Set the percentage of CPU usage that triggers a critical overload state. This value must be greater than the value of overload-threshold.
- Default: 100 (disabling overload processing)
- Values: Min: 0 / Max: 100
- overload-critical-interval
- Set the interval (in seconds) between CPU load measurements while in the critical overload state.
- Values: Min: 0 / Max: 60
- sd-authentication-method
- Select the method used to authenticate the IKEv2 SA. Two authentication methods are supported: a pre-shared key (shared-password, taken from the shared-password parameter unless overridden at the interface level) or a certificate (certificate, using the profile named by certificate-profile-id).
- certificate-profile-id
- When sd-authentication-method is certificate, identifies the default ike-certificate-profile configuration element that contains the identification and validation credentials required for certificate-based IKEv2 authentication.
- This parameter can be overridden at the IKEv2 interface level.
- Default: None
- Values: Name of an existing ike-certificate-profile configuration element.
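Several of the parameters above interact: aggressive mode discards identity protection, dh-group1 is the weakest group offered, no-forward-secrecy ties every IPsec SA to the Phase 1 keys, phase2-life-seconds must not exceed phase2-life-seconds-max, and overload-threshold must stay below overload-critical-threshold. The following checker is an added example, not code from Oracle or from this reference; it reads an ike-config block in an assumed layout modelled on ACLI "show running-config" output (element name, then indented "parameter value" lines) and flags those settings. Both sample blocks are constructed for the example, with the weak one placed beside a hardened one.

```python
"""Lint an Oracle SBC ike-config block for weak or inconsistent settings.

Added example, not code from the Oracle documentation or product. The
input layout (element name, then indented "parameter value" lines) is an
assumption modelled on ACLI "show running-config" output.
"""

# Constructed sample (assumed layout); values chosen to trigger every check.
WEAK_CONFIG = """\
ike-config
        ike-version                     1
        phase1-mode                     aggressive
        phase1-dh-mode                  dh-group1
        phase1-life-seconds             3600
        phase2-life-seconds             172800
        phase2-life-seconds-max         86400
        phase2-exchange-mode            no-forward-secrecy
        overload-threshold              90
        overload-critical-threshold     80
"""

# Same element with main mode, the 1024-bit group, a fresh Phase 2
# exchange (PFS), and lifetimes/thresholds in the documented order.
HARDENED_CONFIG = """\
ike-config
        ike-version                     1
        phase1-mode                     main
        phase1-dh-mode                  dh-group2
        phase1-life-seconds             3600
        phase2-life-seconds             28800
        phase2-life-seconds-max         86400
        phase2-exchange-mode            dh-group2
        overload-threshold              80
        overload-critical-threshold     95
"""


def parse_ike_config(text):
    """Return {parameter: value} from one ike-config block."""
    params = {}
    for line in text.splitlines():
        if not line[:1].isspace():      # unindented line is the element name
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            params[parts[0]] = parts[1].strip()
    return params


def lint_ike_config(params):
    """Return [(severity, parameter, message)] for settings worth fixing."""
    findings = []

    def num(key, default):
        try:
            return int(params.get(key, default))
        except ValueError:
            return default

    # Phase 1 exchange modes exist only in IKEv1; IKEv2 has no aggressive mode.
    if num("ike-version", 2) == 1 and params.get("phase1-mode") == "aggressive":
        findings.append(("high", "phase1-mode",
                         "aggressive mode sends peer identities unprotected; use main"))

    # 768-bit MODP (group 1) is the weakest group offered on this element.
    for key in ("phase1-dh-mode", "phase2-exchange-mode"):
        if params.get(key) == "dh-group1":
            findings.append(("high", key, "768-bit DH group 1; use dh-group2"))

    # Without a Phase 2 DH exchange every IPsec SA key derives from the
    # Phase 1 material, so one compromised IKE SA exposes all child SAs.
    if params.get("phase2-exchange-mode") == "no-forward-secrecy":
        findings.append(("high", "phase2-exchange-mode",
                         "no PFS; set dh-group2 or phase1-group"))

    # As initiator the SBC proposes phase2-life-seconds; as responder it
    # accepts at most phase2-life-seconds-max. A proposal above its own cap
    # would be rejected by an identically configured peer.
    p2, p2max = num("phase2-life-seconds", 28800), num("phase2-life-seconds-max", 86400)
    if p2 > p2max:
        findings.append(("medium", "phase2-life-seconds",
                         f"{p2}s exceeds phase2-life-seconds-max ({p2max}s)"))

    # overload-threshold must be below overload-critical-threshold; both at
    # 100 (the default) simply disables overload processing.
    ovl, crit = num("overload-threshold", 100), num("overload-critical-threshold", 100)
    if ovl >= crit and not (ovl == 100 and crit == 100):
        findings.append(("medium", "overload-threshold",
                         f"{ovl}% is not below overload-critical-threshold ({crit}%)"))

    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for sev, key, msg in lint_ike_config(parse_ike_config(text)):
            print(f"  [{sev}] {key}: {msg}")
```

Run it as a script to see five findings for the weak block and none for the hardened one; feed it your own "show running-config ike-config" output via parse_ike_config() after confirming the indentation matches the assumed layout.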
Path
ike-config is a subelement under the ike element. The full path from the topmost ACLI prompt is:
Note:
This is a single instance configuration element.