Configure an IKEv2 Interface

Global values set in the ike-config configuration element can be overridden by values set at the ike-interface level.

  1. Access the ike-interface configuration element.
    ORACLE# configure terminal
    ORACLE(configure)# security
    ORACLE(security)# ike
    ORACLE(ike)# ike-interface
    ORACLE(ike-interface)# 
  2. state—Enable the IKEv2 interface.
  3. ike-version—Set this attribute to 2.
  4. address—Specify the IPv4 or IPv6 address of the interface.
    ORACLE(ike-interface)# address 10.0.0.10
  5. realm-id—Specify the realm that contains the IP address assigned to this IKEv2 interface.
    ORACLE(ike-interface)# realm-id access-10
  6. ike-mode—Specify whether the OCSBC will act as a responder or initiator.
  7. sd-authentication-method—Select the interface-specific method used by IKEv2 peers to authenticate to each other.
    • shared-password—Use a pre-shared-secret to authenticate the remote IKEv2 peer.
    • certificate—Use an X.509 certificate to authenticate the remote IKEv2 peer.

    Note: sd-authentication-method can be safely ignored if authentication uses any of the methods described in EAP-based Authentication.
    ORACLE(ike-interface)# sd-authentication-method shared-password
  8. shared-password—If using the shared-password authentication method, set the shared password.
  9. certificate-profile-id-list—If using the certificate authentication method, identify the ike-certificate-profile configuration element that contains identification and validation credentials required for certificate-based IKEv2 authentication.
  10. multiple-authentication—Enable or disable multiple authentication as defined in RFC 4739 on this IKEv2 interface.
    The default is disabled.
  11. v2-ike-life-seconds—(Optional) Specify the lifetime (in seconds) for the IKEv2 SAs supported by this IKEv2 interface.
    The default is 86400 (24 hours).
    • Min: 1
    • Max: 999999999
  12. v2-ipsec-life-seconds—(Optional) Specify the lifetime (in seconds) for the IPsec SAs supported by this IKEv2 interface.
    The default is 28800 (8 hours).
    • Min: 1
    • Max: 999999999
  13. v2-rekey—(Optional) Enable or disable the automatic re-keying of expired IKEv2 or IPsec SAs on this IKEv2 interface.

    With automatic re-keying enabled, and with the global dpd-time-interval parameter set to a non-zero value, the OCSBC retransmits the re-keying request if it does not receive a response from the remote IPsec peer within the interval specified by the ike-config dpd-time-interval parameter. The OCSBC makes a maximum of three retransmission attempts before abandoning the re-keying effort.

  14. dpd-params-name—Enable the Dead Peer Detection Protocol on this IKEv2 interface.

    The protocol is initially enabled by setting the dpd-time-interval parameter to a non-zero value during the IKEv2 global configuration process. It is enabled at the local level by assigning an existing dpd-params configuration element to this IKEv2 interface.

    Refer to Dead Peer Detection Protocol Configuration in this chapter for information on configuring dpd-params configuration elements.

    ORACLE(ike-interface)# dpd-params-name ikeDPD
  15. cert-status-check—(Optional) Enable certificate status checking using either the Online Certificate Status Protocol (OCSP) or a local copy of a Certificate Revocation List (CRL).
    The default is disabled.
  16. cert-status-profile-list—(Optional) Assign one or more cert-status-profile configuration elements to this IKEv2 interface.

    Each assigned cert-status-profile provides the information needed to access either an OCSP responder or a CRL source.

    Note: Use quotation marks to assign multiple OCSP responders.
    ORACLE(ike-interface)# cert-status-profile-list "VerisignClass3Designate Verisign-1 Thawte-1"
  17. access-control-name—(Optional) Assign an existing access control white or black list to this IKEv2 interface.

    This parameter is meaningful only when authentication uses a RADIUS server to implement the EAP-based authentication, and can otherwise be safely ignored. White lists and black lists specify IMSI prefixes or MAC addresses that are allowed through or denied access to the RADIUS authentication server.

    ORACLE(ike-interface)# access-control-name white_01
  18. addr-assignment—(Optional) Specify the method used to assign addresses in response to an IKEv2 Configuration Payload request.

    The Configuration payload supports the exchange of configuration information between IKEv2 peers. Typically, a remote IKEv2 peer initiates the exchange by requesting an IP address on the gateway’s protected network. In response, the OCSBC returns a local address for the peer’s temporary use.

    Supported values are:

    • local—(the default) use local address pool
    • radius-only—obtain local address from RADIUS server
    • radius-local—try RADIUS server first, then local address pool
    ORACLE(ike-interface)# addr-assignment local
  19. local-address-pool-id-list—(Optional) Assign one or more existing address pools to the current interface, if addr-assignment is local or radius-local.

    Local address pools provide a group of IP addresses that can be temporarily leased to remote endpoints that request an IP address on an OCSBC subnet, and also specify the DNS information sources made available to those endpoints.

    During the IKE_AUTH exchange, the IKEv2 initiator (the remote endpoint) often requests an internal IP address from an IPsec responder (the OCSBC). Refer to Section 2.19 of RFC 4306, Internet Key Exchange (IKEv2) Protocol, for a description of the request process. Procuring such a local IP address ensures that traffic returning to the endpoint is routed to the OCSBC, and then tunneled back to the endpoint. Local address pools provide the source of these addresses available for temporary endpoint assignment.

    After address assignment from the local address pool, the endpoint retains rights to that address for the tunnel lifetime, which is terminated either by an INFORMATIONAL exchange as defined in Section 1.4 of RFC 4306, or by expiration of the tunnel SAs as specified by the v2-ike-life-seconds and v2-ipsec-life-seconds parameters. In either case, a subsequent request for an assigned IP address results, in all likelihood, in the assignment of a new IP address. However, if the remote endpoint is prematurely terminated by, for example, an unscheduled reset or reboot, a subsequent request for an assigned IP address (assuming that the SA timers have not expired) results in the assignment of the previously issued IP address.

    ORACLE(ike-interface)# local-address-pool-id-list ikePool
  20. eap-protocol—(Optional) Set the EAP protocol.
    Available values are:
    • eap-md5
    • eap-tls
    • eap-leap
    • eap-sim
    • eap-srp
    • eap-ttls
    • eap-aka
    • eap-peap
    • eap-mschapv2
    • eap-fast
    • eap-psk
    • eap-radius-passthru
  21. Type done to save your configuration.
  22. Configure additional IKEv2 interfaces if required.
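The steps above carry several cross-parameter dependencies (an authentication method and its credentials, addr-assignment and its address pools, the lifetime ranges, quoting of multi-valued lists). The following added example, which is not Oracle's code, encodes those dependencies as a pre-commit check and renders the equivalent ACLI lines; attribute names are the ones this procedure lists, the sample values are constructed, and the cert-status-check rule is an inference from step 16.

```python
# Added example (not Oracle's code): lints an ike-interface definition against
# the dependencies stated in this procedure and renders the ACLI commands.
# Sample values are constructed; the cert-status-check rule is inferred from step 16.
LIFETIME_MIN, LIFETIME_MAX = 1, 999999999                    # steps 11 and 12
ADDR_ASSIGNMENT = ("local", "radius-only", "radius-local")   # step 18

def validate(cfg):
    """Return a list of problems; an empty list means the settings agree."""
    problems = []
    if cfg.get("ike-version") != 2:                           # step 3
        problems.append("ike-version must be 2")
    method = cfg.get("sd-authentication-method")              # steps 7 to 9
    if method == "shared-password" and not cfg.get("shared-password"):
        problems.append("shared-password method set but no shared-password")
    if method == "certificate" and not cfg.get("certificate-profile-id-list"):
        problems.append("certificate method set but no certificate-profile-id-list")
    for key in ("v2-ike-life-seconds", "v2-ipsec-life-seconds"):
        val = cfg.get(key)
        if val is not None and not LIFETIME_MIN <= val <= LIFETIME_MAX:
            problems.append(f"{key} outside {LIFETIME_MIN}..{LIFETIME_MAX}")
    # Inferred: status checking needs at least one OCSP/CRL source to consult.
    if cfg.get("cert-status-check") == "enabled" and not cfg.get("cert-status-profile-list"):
        problems.append("cert-status-check enabled without a cert-status-profile")
    assign = cfg.get("addr-assignment", "local")              # local is the default
    if assign not in ADDR_ASSIGNMENT:
        problems.append(f"unsupported addr-assignment {assign!r}")
    elif assign != "radius-only" and not cfg.get("local-address-pool-id-list"):
        problems.append(f"addr-assignment {assign} needs local-address-pool-id-list")
    return problems

def render(cfg):
    """ACLI lines in typing order; multi-valued lists are quoted as in step 16."""
    lines = ["configure terminal", "security", "ike", "ike-interface"]
    for key, val in cfg.items():
        if isinstance(val, (list, tuple)):
            val = " ".join(val)
            if " " in val:
                val = f'"{val}"'
        lines.append(f"{key} {val}")
    return lines + ["done"]

# Constructed sample: certificate authentication with OCSP checking and a local pool.
SAMPLE = {
    "state": "enabled", "ike-version": 2, "address": "10.0.0.10", "realm-id": "access-10",
    "ike-mode": "responder", "sd-authentication-method": "certificate",
    "certificate-profile-id-list": ["ikeCertProfile"], "cert-status-check": "enabled",
    "cert-status-profile-list": ["VerisignClass3Designate", "Verisign-1"],
    "v2-ike-life-seconds": 86400, "v2-ipsec-life-seconds": 28800,
    "addr-assignment": "local", "local-address-pool-id-list": ["ikePool"],
}
```

Run validate() on a candidate before pasting render() output into the ACLI; the list it returns names the step whose parameters disagree.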