ike-config

The ike-config subelement defines a single, global Internet Key Exchange (IKE) configuration object.

Parameters

state
Enter the state (enabled or disabled) of the ike-config configuration element.
  • Default: enabled
  • Values: enabled | disabled
ike-version
Enter an integer value that specifies IKE version.
Select 1 for the IKEv1 protocol implementation.
Select 2 for the IKEv2 protocol implementation.
  • Default: 2
  • Values: 1 | 2
log-level
Enter the IKE log level; events of this level and other events deemed more critical are written to the system log.
  • Default: info
  • Values: emergency | critical | major | minor | warning | notice | info | trace | debug | detail
udp-port
Enter the UDP port used for IKEv1 protocol traffic.
  • Default: 500
  • Values: Min: 1025 / Max: 65535
negotiation-timeout
Enter the maximum interval between Diffie-Hellman message exchanges.
  • Default: 15 (seconds)
  • Values: Min: 1 / Max: 4294967295 (seconds)

    Note:

    In the event of timer expiration, the IKE initiator must restart the Diffie-Hellman exchange.
event-timeout
Enter the maximum time allowed for the duration of an IKEv1 event, defined as the successful establishment of an IKE or IPsec Security Association (SA).
  • Default: 60 (seconds)
  • Values: Min: 1 / Max: 4294967295 (seconds)

    Note:

    In the event of timer expiration, the IKE initiator must restart the Phase 1 (IKE SA) or Phase 2 (IPsec SA) process.
phase1-mode
Enter the IKE phase 1 exchange mode: aggressive or main.
  • Default: main
  • Values:
    • aggressive—is less verbose (requiring only three messages), but less secure because it provides no identity protection, and less flexible in IKE SA negotiation
    • main—is more verbose, but provides greater security in that it does not reveal the identity of the IKE peers. Main mode requires six messages (3 requests and corresponding responses) to (1) negotiate the IKE SA, (2) perform a Diffie-Hellman exchange of cryptographic material, and (3) authenticate the remote peer
phase1-dh-mode
Enter the Diffie-Hellman group used during IKE phase 1 negotiation.
  • Default: first-supported
  • Values:
    • dh-group1 — as initiator, propose Diffie-Hellman group 1 (768-bit primes, less secure)
    • dh-group2 — as initiator, propose Diffie-Hellman group 2 (1024-bit primes, more secure)
    • first-supported — as responder, use the first supported Diffie-Hellman group proposed by the initiator

      Note:

      Diffie-Hellman groups determine the lengths of the prime numbers exchanged during the symmetric key generation process.
v2-ike-life-secs
Enter the default IKEv2 SA lifetime in seconds.
  • Default: 86400 (24 hours)
  • Values: Min: 1 / Max: 4294967295 (seconds)

    Note:

    This global default can be overridden at the IKEv2 interface level.
v2-ipsec-life-secs
Enter the default IPsec SA lifetime in seconds.
  • Default: 28800 (8 hours)
  • Values: Min: 1 / Max: 4294967295 (seconds)

    Note:

    This global default can be overridden at the IKEv2 interface level.
phase1-life-seconds
Set the time (in seconds) proposed for IKE SA expiration during IKE Phase 1 negotiations.
  • Default: 3600 (1 hour)
  • Values: Min: 1 / Max: 4294967295 (seconds)

    Note:

    Relevant only when the Oracle Communications Session Border Controller is acting in the IKE initiator role.
phase2-life-seconds
Set the time (in seconds) proposed for IPsec SA expiration during IKE Phase 2 negotiations. Relevant only when the Oracle Communications Session Border Controller is acting in the IKE initiator role.
  • Default: 28800 (8 hours)
  • Values: Min: 1 / Max: 4294967295 (seconds)

    Note:

    During IKE Phase 2, the IKE initiator and responder establish the IPsec SA.
phase2-life-seconds-max
Set the maximum time (in seconds) accepted for IPsec SA expiration during IKE Phase 2 negotiations.
  • Default: 86400 (24 hours)
  • Values: Min: 1 / Max: 4294967295 (seconds)

    Note:

    Relevant only when the Oracle Communications Session Border Controller is acting in the IKE responder role.
phase2-exchange-mode
Enter the Diffie-Hellman group used during IKE Phase 2 negotiation.
  • Default: phase1-group
  • Values:
    • dh-group1 — use Diffie-Hellman group 1 (768-bit primes, less secure)
    • dh-group2 — use Diffie-Hellman group 2 (1024-bit primes, more secure)
    • no-forward-secrecy — use the same key as used during Phase 1 negotiation

      Note:

      During IKE Phase 2, the IKE initiator and responder establish the IPsec SA.

      Diffie-Hellman groups determine the lengths of the prime numbers exchanged during the symmetric key generation process.

shared-password
Enter the default PSK used during IKE SA authentication.
This global default can be overridden at the IKE interface level.
  • Default: None
  • Values: A string of ASCII-printable characters no longer than 255 characters (not displayed by the ACLI)
eap-protocol
Enter the EAP protocol used with IKEv2.
  • Default: eap-radius-passthru
  • Values: eap-radius-passthru

    Note:

    The current software performs EAP operations through a designated RADIUS server or server group; retain the default value.
addr-assignment
Set the method used to assign addresses in response to an IKEv2 Configuration Payload request.
  • Default: local
  • Values:
    • local — use local address pool
    • radius-only — obtain local address from RADIUS server
    • radius-local — try RADIUS server first, then local address pool

      Note:

      This parameter specifies the source of the returned IP address, and can be overridden at the IKE interface level.
eap-bypass-identity
Contains a value specifying whether or not to bypass the EAP (Extensible Authentication Protocol) identity phase.
EAP, defined in RFC 3748, provides an authentication framework widely used in wireless networks.
An Identity exchange is optional within the EAP protocol exchange. Therefore, it is possible to omit the Identity exchange entirely, or to use a method-specific identity exchange once a protected channel has been established.
  • Default: disabled (requires an identity exchange)
  • Values: disabled | enabled
red-port
Enter the port number monitored for IKEv2 synchronization messages; used in high-availability environments.
The default value (0) effectively disables redundant high-availability configurations. Select a port value other than 0 (for example, 1995) to enable high-availability operations.
  • Default: 0
  • Values: Min: 1024 / Max: 65535
red-max-trans
For HA nodes, set the maximum number of retained IKEv2 synchronization messages.
  • Default: 10000 (messages)
  • Values: Min: 1 / Max: 4294967295 (messages)
red-sync-start-time
For HA nodes, set the timer value for transitioning from standby to active role — the amount of time (in milliseconds) that a standby device waits for a heartbeat signal from the active device before transitioning to the active role.
  • Default: 5000 (milliseconds)
  • Values: Min: 1 / Max: 4294967295 (milliseconds)
red-sync-comp-time
For HA nodes, set the interval between synchronization attempts after the completion of an IKEv2 redundancy check.
  • Default: 1000 (milliseconds)
  • Values: Min: 1 / Max: 4294967295 (milliseconds)
dpd-time-interval
Set the maximum period of inactivity (in seconds) before the Dead Peer Detection (DPD) protocol is initiated on a specific endpoint.
The default value, 0, disables the DPD protocol; setting this parameter to a non-zero value globally enables the protocol and sets the inactivity timer.
  • Default: 0 (DPD disabled)
  • Values: Min: 1 / Max: 4294967295 (seconds)
overload-threshold
Set the percentage of CPU usage that triggers an overload state.
  • Default: 100 (disabling overload processing)
  • Values: An integer from 1 to 100, and less than the value of overload-critical-threshold
overload-interval
Set the interval (in seconds) between CPU load measurements while in the overload state.
  • Default: 1
  • Values: Min: 0 / Max: 60
overload-action
Select the action to take when the CPU of the Oracle Communications Session Border Controller (acting as an SG) enters an overload state. The overload state is reached when CPU usage exceeds the percentage threshold specified by overload-threshold.
  • Default: none
  • Values:
    • drop-new-connection—use to implement call rejection
    • none—use to retain default behavior (no action)
overload-critical-threshold
Set the percentage of CPU usage that triggers a critical overload state. This value must be greater than the value of overload-threshold.
  • Default: 100 (disabling overload processing)
  • Values: Min: 0 / Max: 100
overload-critical-interval
Set the interval (in seconds) between CPU load measurements while in the critical overload state.
  • Default: shared-password
  • Values: Min: 0 / Max: 60
sd-authentication-method
Select the method used to authenticate the IKEv2 SA. Two authentication methods are supported.
This global default can be overridden at the IKEv2 interface level.
  • Default: shared-password
  • Values:
    • certificate—uses an X.509 certificate to digitally sign a block of data
    • shared-password—uses a PSK that is used to calculate a hash over a block of data
certificate-profile-id
When sd-authentication-method is certificate, identifies the default ike-certificate-profile configuration element that contains the identification and validation credentials required for certificate-based IKEv2 authentication.
  • This parameter can be overridden at the IKEv2 interface level.
  • Default: None
  • Values: Name of an existing ike-certificate-profile configuration element.
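As an added example (not part of the Oracle documentation), the following Python audit checks an ike-config parameter set against the ranges and relationships stated above and flags the weaker choices the parameter descriptions call out (aggressive mode, dh-group1, no-forward-secrecy, DPD left disabled, thresholds out of order). The two sample parameter sets are constructed, and the certificate profile name is a placeholder.

```python
# Added example, not from the Oracle documentation: audit an ike-config
# parameter set against the ranges and relationships listed on this page
# and flag the weaker choices it describes. cfg maps parameter name to the
# value as typed at the ACLI; both sample parameter sets are constructed.

RANGES = {  # (min, max) taken from the parameter descriptions above
    "dpd-time-interval": (0, 4294967295),  # 0 = DPD disabled
    "overload-threshold": (1, 100),
    "overload-critical-threshold": (0, 100),
    "overload-interval": (0, 60),
}

def audit_ike_config(cfg):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    for name, (lo, hi) in RANGES.items():
        if name in cfg and not lo <= int(cfg[name]) <= hi:
            findings.append(f"{name}={cfg[name]} is outside {lo}..{hi}")
    # phase1-mode is an IKEv1 setting; aggressive mode gives no identity protection
    if cfg.get("ike-version", "2") == "1" and cfg.get("phase1-mode", "main") == "aggressive":
        findings.append("phase1-mode aggressive: peer identities sent unprotected")
    if cfg.get("phase1-dh-mode", "first-supported") == "dh-group1":
        findings.append("phase1-dh-mode dh-group1: 768-bit primes proposed")
    if cfg.get("phase2-exchange-mode", "phase1-group") == "no-forward-secrecy":
        findings.append("phase2-exchange-mode no-forward-secrecy: Phase 1 key reused")
    if int(cfg.get("dpd-time-interval", 0)) == 0:
        findings.append("dpd-time-interval 0: Dead Peer Detection disabled")
    # overload-threshold must be below overload-critical-threshold, except when
    # both stay at the default 100, which disables overload processing entirely
    thr = int(cfg.get("overload-threshold", 100))
    crit = int(cfg.get("overload-critical-threshold", 100))
    if (thr, crit) != (100, 100) and thr >= crit:
        findings.append("overload-threshold must be less than overload-critical-threshold")
    if (cfg.get("sd-authentication-method", "shared-password") == "certificate"
            and not cfg.get("certificate-profile-id")):
        findings.append("certificate authentication without a certificate-profile-id")
    return findings

# Constructed sample: IKEv1 with the weaker options selected
WEAK_CFG = {"ike-version": "1", "phase1-mode": "aggressive",
            "phase1-dh-mode": "dh-group1", "phase2-exchange-mode": "no-forward-secrecy",
            "dpd-time-interval": "0",
            "overload-threshold": "90", "overload-critical-threshold": "80"}
# Constructed sample: IKEv2, larger group, PFS, DPD on, certificate authentication
HARDENED_CFG = {"ike-version": "2", "phase1-dh-mode": "dh-group2",
                "phase2-exchange-mode": "dh-group2", "dpd-time-interval": "30",
                "overload-threshold": "80", "overload-critical-threshold": "95",
                "sd-authentication-method": "certificate",
                "certificate-profile-id": "example-cert-profile"}  # placeholder name
```

Running audit_ike_config(WEAK_CFG) returns five findings, while the hardened set returns none.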

Path

ike-config is a subelement under the ike element. The full path from the topmost ACLI prompt is: configure-terminal, and then security, and then ike, and then ike-config.

Note:

This is a single instance configuration element.