Administrative Security Guide, IKEv2 Support
IKEv2 Global Configuration
A parameter within the global ike-config element can be overridden by the same parameter within the ike-interface element.
- Access the ike-config configuration element.
  ORACLE# configure terminal
  ORACLE(configure)# security
  ORACLE(security)# ike
  ORACLE(ike)# ike-config
- state—Set to enable.
- ike-version—Select the IKE protocol version 2.
  WARNING: Enabling version 2 in the ike-config element disables version 1 globally.
- log-level—Specify the level of the IKEv2-related logs.
Log messages are listed below in descending order of severity.
- emergency
- critical
- major
- minor
- warning
- notice
- info — (default)
- trace — (test/debug, not used in production environments)
- debug — (test/debug, not used in production environments)
- detail — (test/debug, not used in production environments)
- udp-port—Set to 500.
- v2-ike-life-secs—Specify the default lifetime (in seconds) of the IKEv2 SA.
Allowable values are within the range 1 through 999999999.
- v2-ipsec-life-secs—Specify the default lifetime (in seconds) for the IPsec SA.
Allowable values are within the range 1 through 999999999.
- v2-rekey—Enable or disable the re-keying of expired IKEv2 or IPsec SAs.
When v2-rekey is enabled, the OCSBC initiates a new negotiation to restore an expired IKEv2 or IPsec SA. The OCSBC makes a maximum of three retransmission attempts before abandoning the re-keying effort.
- sd-authentication-method—Select the method used for local authentication of the IKEv2 peer.
Two authentication methods are supported:
- shared-password — (the default) uses a pre-shared key (PSK) to authenticate the IKEv2 peer.
- certificate — uses an X.509 certificate to authenticate the IKEv2 peer.
Note:
If using a certificate for authentication, see the "Certificate Configuration Process" section in the Security chapter of the ACLI Configuration Guide.
The sd-authentication-method value can be overridden at the ike-interface level.
- certificate-profile-id—If using a certificate, specify the ike-certificate-profile configuration element that contains the identification and verification credentials required for PKI certificate-based IKEv2 authentication.
The ike-certificate-profile value can be overridden at the ike-interface level.
- shared-password—If using a shared password, provide the PSK used while authenticating the remote IKEv2 peer.
Ensure the remote peer is configured with the same PSK.
The value of shared-password in the ike-interface configuration element takes precedence over this value.
- id-auth-type—(Optional) Specify that the PSK used while authenticating the remote IKEv2 peer is associated with the asserted identity contained within an IKEv2 Identification payload.
Note:
This attribute can be safely ignored if the PSK is defined globally or at the IKEv2 Interface level.
- idi—use IDi KEY_ID for authentication
- idr—use IDr KEY_ID for authentication
- addr-assignment—(Optional) Select the method used to assign a local address in response to an IKEv2 configuration payload request.
Available values are:
- local—(the default) use local address pool
- radius-only—obtain local address from RADIUS server
- radius-local—try RADIUS server first, then local address pool
- eap-bypass-identity—(Optional) Specify whether or not to bypass the EAP identity phase.
- dpd-time-interval—(Optional) Specify the maximum period of inactivity (in seconds) before the DPD protocol is initiated on an endpoint.
Values are within the range 1 through 999999999 (seconds).
- anti-replay—(Optional) Enable or disable anti-replay protection on IPsec SAs.
- account-group-list—(Optional) Designate one or two existing IPsec accounting groups as available to support IPsec accounting transactions.
- Type done.
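The constraints listed in the steps above (mandatory udp-port 500, lifetime ranges, the coupling between sd-authentication-method and its credential parameter, and the test/debug-only log levels) lend themselves to an offline audit before a configuration is activated. The following checker is an added example written for this page; it is not Oracle code and does not reproduce the ACLI's real show output. It assumes a simple "parameter value" line format and the value spellings "enabled", "2" and "500" for state, ike-version and udp-port; the two sample elements are constructed, and the PSK in the first one is a placeholder.

```python
"""Offline lint of an OCSBC ike-config element against the constraints this
section documents (added example; not Oracle's code or output format)."""
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (severity, message)

# Constraints taken from the parameter descriptions above.
LIFETIME_RANGE = (1, 999_999_999)
LOG_LEVELS = ("emergency", "critical", "major", "minor", "warning",
              "notice", "info", "trace", "debug", "detail")
DEBUG_ONLY_LEVELS = {"trace", "debug", "detail"}   # test/debug, not for production
AUTH_METHODS = {"shared-password", "certificate"}
ADDR_ASSIGNMENT = {"local", "radius-only", "radius-local"}
ID_AUTH_TYPES = {"idi", "idr"}


def parse_ike_config(text: str) -> Dict[str, str]:
    """Parse 'parameter value' lines. This line format is an assumption made
    for the example; the real ACLI 'show' layout may differ."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        params[name] = value.strip()
    return params


def _in_range(value: str, lo: int, hi: int) -> bool:
    return value.isdigit() and lo <= int(value) <= hi


def lint_ike_config(params: Dict[str, str], production: bool = True) -> List[Finding]:
    """Return (severity, message) findings; an empty list means the element
    satisfies every documented constraint."""
    out: List[Finding] = []
    # Value spellings ('enabled', '2', '500') are assumed from the procedure text.
    if params.get("state") != "enabled":
        out.append(("error", "state must be enabled"))
    if params.get("ike-version") != "2":
        out.append(("error", "ike-version must be 2 for IKEv2"))
    level = params.get("log-level", "info")  # info is the documented default
    if level not in LOG_LEVELS:
        out.append(("error", f"log-level {level!r} is not a valid level"))
    elif production and level in DEBUG_ONLY_LEVELS:
        out.append(("warning", f"log-level {level} is test/debug only"))
    if params.get("udp-port") != "500":
        out.append(("error", "udp-port must be 500"))
    for name in ("v2-ike-life-secs", "v2-ipsec-life-secs"):
        if name in params and not _in_range(params[name], *LIFETIME_RANGE):
            out.append(("error", f"{name} must be within 1..999999999"))
    method = params.get("sd-authentication-method", "shared-password")
    if method not in AUTH_METHODS:
        out.append(("error", f"sd-authentication-method {method!r} unsupported"))
    elif method == "certificate" and not params.get("certificate-profile-id"):
        out.append(("error", "certificate auth requires certificate-profile-id"))
    elif method == "shared-password" and not params.get("shared-password"):
        # Only a warning: a shared-password on the ike-interface takes precedence.
        out.append(("warning", "no global shared-password; must be set per ike-interface"))
    if "id-auth-type" in params and params["id-auth-type"] not in ID_AUTH_TYPES:
        out.append(("error", "id-auth-type must be idi or idr"))
    if "addr-assignment" in params and params["addr-assignment"] not in ADDR_ASSIGNMENT:
        out.append(("error", "addr-assignment must be local, radius-only or radius-local"))
    if "dpd-time-interval" in params and not _in_range(params["dpd-time-interval"], *LIFETIME_RANGE):
        out.append(("error", "dpd-time-interval must be within 1..999999999"))
    return out


# Constructed sample elements (not captured from a real device).
COMPLIANT = """\
state enabled
ike-version 2
log-level info
udp-port 500
v2-ike-life-secs 86400
v2-ipsec-life-secs 3600
v2-rekey enabled
sd-authentication-method shared-password
shared-password PLACEHOLDER-PSK-not-a-real-secret
dpd-time-interval 60
anti-replay enabled
"""

NONCOMPLIANT = """\
state enabled
ike-version 2
log-level debug
udp-port 4500
v2-ike-life-secs 0
v2-ipsec-life-secs 3600
sd-authentication-method certificate
dpd-time-interval 60
"""

if __name__ == "__main__":
    for label, text in (("compliant", COMPLIANT), ("noncompliant", NONCOMPLIANT)):
        print(label, lint_ike_config(parse_ike_config(text)))
```

Run stand-alone, the script reports no findings for the first element and four for the second: the debug log level (a warning that disappears when production=False), the non-500 UDP port, the out-of-range IKEv2 SA lifetime, and certificate authentication without a certificate-profile-id. A missing global PSK is deliberately only a warning, since the ike-interface value takes precedence over the global one.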