IKEv2 Global Configuration

A parameter within the global ike-config element can be overridden by the same parameter within the ike-interface element.

  1. Access the ike-config configuration element.
    ORACLE# configure terminal
    ORACLE(configure)# security
    ORACLE(security)# ike
    ORACLE(ike)# ike-config
  2. state—Set to enable.
  3. ike-version—Select the IKE protocol version 2.

    WARNING:

    Enabling version 2 in the ike-config element disables version 1 globally.
  4. log-level—Specify the level of the IKEv2-related logs.

    Log levels are listed below in descending order of severity.

    • emergency
    • critical
    • major
    • minor
    • warning
    • notice
    • info — (default)
    • trace — (test/debug, not used in production environments)
    • debug — (test/debug, not used in production environments)
    • detail — (test/debug, not used in production environments)
  5. udp-port—Set to 500.
  6. v2-ike-life-secs—Specify the default lifetime (in seconds) of the IKEv2 SA.

    Allowable values are within the range 1 through 999999999.

  7. v2-ipsec-life-secs—Specify the default lifetime (in seconds) for the IPsec SA.

    Allowable values are within the range 1 through 999999999.

  8. v2-rekey—Enable or disable the re-keying of expired IKEv2 or IPsec SAs.

    When v2-rekey is enabled, the OCSBC initiates a new negotiation to restore an expired IKEv2 or IPsec SA. The OCSBC makes a maximum of three retransmission attempts before abandoning the re-keying effort.

  9. sd-authentication-method—Select the method used for local authentication of the IKEv2 peer.
    Two authentication methods are supported:
    • shared-password — (the default) uses a pre-shared key (PSK) to authenticate the IKEv2 peer.
    • certificate — uses an X.509 certificate to authenticate the IKEv2 peer.

      Note:

      If using a certificate for authentication, see the "Certificate Configuration Process" section in the Security chapter of the ACLI Configuration Guide.

    The sd-authentication-method value can be overridden at the ike-interface level.

  10. certificate-profile-id—If using a certificate, specify the ike-certificate-profile configuration element that contains the identification and verification credentials required for PKI certificate-based IKEv2 authentication.

    The certificate-profile-id value can be overridden at the ike-interface level.

  11. shared-password—If using a shared password, provide the PSK used while authenticating the remote IKEv2 peer.

    Ensure the remote peer is configured with the same PSK.

    The value of shared-password in the ike-interface configuration element takes precedence over this value.

  12. id-auth-type—(Optional) Specify that the PSK used while authenticating the remote IKEv2 peer is associated with the asserted identity contained within an IKEv2 Identification payload.

    Note:

    This attribute can be safely ignored if the PSK is defined globally or at the ike-interface level.

    Available values are:
    • idi—use the IDi KEY_ID for authentication
    • idr—use the IDr KEY_ID for authentication
  13. addr-assignment—(Optional) Select the method used to assign a local address in response to an IKEv2 configuration payload request.
    Available values are:
    • local—(the default) use local address pool
    • radius-only—obtain local address from RADIUS server
    • radius-local—try RADIUS server first, then local address pool
  14. eap-bypass-identity—(Optional) Specify whether or not to bypass the EAP identity phase.
  15. dpd-time-interval—(Optional) Specify the maximum period of inactivity (in seconds) before the DPD protocol is initiated on an endpoint.

    Values are within the range 1 through 999999999 (seconds).

  16. anti-replay—(Optional) Enable or disable anti-replay protection on IPsec SAs.
  17. account-group-list—(Optional) Designate one or two existing IPsec accounting groups as available to support IPsec accounting transactions.
  18. Type done.
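The procedure above, reduced to something checkable: an added example, not Oracle's code and not the OCSBC's configuration format. It models the global ike-config element and an ike-interface override as plain dicts (a hypothetical representation using the parameter names from this page), resolves the effective settings by letting interface values take precedence, and audits the result against the constraints stated above: state and version, UDP port 500, the 1 through 999999999 range on the lifetimes and the DPD interval, the non-production log levels, and the credential each sd-authentication-method requires. All sample values, including the PSK placeholder and the profile name `ike-cert-profile-1`, are constructed.

```python
"""Resolve and audit an effective IKEv2 configuration (global ike-config plus an
ike-interface override). Hypothetical dict model; parameter names are the ACLI ones
listed in the procedure above. Not the OCSBC's own format or API."""

LIFETIME_MIN, LIFETIME_MAX = 1, 999_999_999   # page range for *-life-secs and dpd-time-interval
LOG_LEVELS = ["emergency", "critical", "major", "minor", "warning",
              "notice", "info", "trace", "debug", "detail"]   # descending severity, per the page
NON_PRODUCTION_LOG_LEVELS = {"trace", "debug", "detail"}


def effective_config(global_cfg, iface_cfg):
    """A parameter set in the ike-interface element overrides the same parameter in ike-config."""
    merged = dict(global_cfg)
    merged.update({k: v for k, v in iface_cfg.items() if v is not None})
    return merged


def _in_range(value):
    return isinstance(value, int) and LIFETIME_MIN <= value <= LIFETIME_MAX


def audit(cfg):
    """Return a list of findings; an empty list means the effective config passes."""
    findings = []
    if cfg.get("state") != "enabled":
        findings.append("state: IKEv2 is not enabled")
    if cfg.get("ike-version") != 2:
        findings.append("ike-version: must be 2 for this procedure (enabling v2 disables v1 globally)")
    if cfg.get("udp-port") != 500:
        findings.append(f"udp-port: expected 500, got {cfg.get('udp-port')!r}")
    level = cfg.get("log-level", "info")          # info is the documented default
    if level not in LOG_LEVELS:
        findings.append(f"log-level: unknown level {level!r}")
    elif level in NON_PRODUCTION_LOG_LEVELS:
        findings.append(f"log-level: {level!r} is a test/debug level, not for production")
    for key in ("v2-ike-life-secs", "v2-ipsec-life-secs"):
        if not _in_range(cfg.get(key)):
            findings.append(f"{key}: must be an integer in {LIFETIME_MIN}..{LIFETIME_MAX}")
    if "dpd-time-interval" in cfg and not _in_range(cfg["dpd-time-interval"]):
        findings.append(f"dpd-time-interval: must be an integer in {LIFETIME_MIN}..{LIFETIME_MAX} seconds")
    method = cfg.get("sd-authentication-method", "shared-password")   # shared-password is the default
    if method == "shared-password":
        if not cfg.get("shared-password"):
            findings.append("shared-password: PSK authentication selected but no PSK configured")
    elif method == "certificate":
        if not cfg.get("certificate-profile-id"):
            findings.append("certificate-profile-id: certificate authentication selected "
                            "but no ike-certificate-profile referenced")
    else:
        findings.append(f"sd-authentication-method: unsupported value {method!r}")
    if cfg.get("anti-replay") == "disabled":
        findings.append("anti-replay: replay protection on IPsec SAs is disabled")
    if cfg.get("v2-rekey") == "disabled":
        findings.append("v2-rekey: expired IKEv2/IPsec SAs will not be renegotiated")
    return findings


# Constructed sample global element following the procedure, using PSK authentication.
GLOBAL_IKE_CONFIG = {
    "state": "enabled",
    "ike-version": 2,
    "log-level": "info",
    "udp-port": 500,
    "v2-ike-life-secs": 86400,
    "v2-ipsec-life-secs": 28800,
    "v2-rekey": "enabled",
    "sd-authentication-method": "shared-password",
    "shared-password": "example-psk-do-not-use",   # constructed placeholder, not a real secret
    "dpd-time-interval": 30,
    "anti-replay": "enabled",
}

# Constructed interface override that switches to certificates but omits the profile
# and turns on a debug log level; audit() flags both.
IFACE_BROKEN = {"sd-authentication-method": "certificate", "log-level": "debug"}

# Corrected override: references an ike-certificate-profile (name is hypothetical).
IFACE_FIXED = {"sd-authentication-method": "certificate",
               "certificate-profile-id": "ike-cert-profile-1"}

if __name__ == "__main__":
    for name, iface in (("broken", IFACE_BROKEN), ("fixed", IFACE_FIXED)):
        print(name, "->", audit(effective_config(GLOBAL_IKE_CONFIG, iface)) or "OK")
```

Because the override is applied before the audit, a certificate method set only on the interface is checked against the interface's own certificate-profile-id, which is exactly the precedence rule the page states for sd-authentication-method, certificate-profile-id and shared-password.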