ike-config

The ike-config subelement defines a single, global Internet Key Exchange (IKE) configuration object.

Parameters

state
Enter the state (enabled or disabled) of the ike-config configuration element.
  • Default: enabled
  • Values: disabled | enabled
ike-version
Enter an integer value that specifies IKE version.
Select 1 for the IKEv1 protocol implementation.
Select 2 for the IKEv2 protocol implementation.
  • Default: 2
  • Values: 1 | 2
log-level
Enter the IKE log level; events of this level and other events deemed more critical are written to the system log.
  • Default: info
  • Values: emergency | critical | major | minor | warning | notice | info | trace | debug | detail
udp-port
Enter the UDP port used for IKEv1 protocol traffic.
  • Default: 500
  • Values: Min: 1025 / Max: 65535
negotiation-timeout
Enter the maximum interval between Diffie-Hellman message exchanges.
  • Default: 15 (seconds)
  • Values: Min: 0 / Max:4294967295 (seconds)

Note:

In the event of timer expiration, the IKE initiator must restart the Diffie-Hellman exchange.
event-timeout
Enter the maximum time allowed for the duration of an IKEv1 event, defined as the successful establishment of an IKE or IPsec Security Association (SA).
  • Default: 60 (seconds)
  • Values: Min: 0 / Max:4294967295 (seconds)

Note:

In the event of timer expiration, the IKE initiator must restart the Phase 1 (IKE SA) or Phase 2 (IPsec SA) process.
phase1-mode
Enter the IKE phase 1 exchange mode: aggressive or main.
  • Default: main
  • Values:
    • aggressive—is less verbose (requiring only three messages), but less secure in providing no identity protection, and less flexible in IKE SA negotiation
    • main—is more verbose, but provides greater security in that it does not reveal the identity of the IKE peers. Main mode requires six messages (3 requests and corresponding responses) to (1) negotiate the IKE SA, (2) perform a Diffie-Hellman exchange of cryptographic material, and (3) authenticate the remote peer
phase1-dh-mode
Enter the Diffie-Hellman group used during IKE phase 1 negotiation.
  • Default: first-supported
  • Values:
    • first-supported — as responder, use the first supported Diffie-Hellman group proposed by the initiator

      Note:

      Diffie-Hellman groups determine the lengths of the prime numbers exchanged during the symmetric key generation process.
    • dh-group2 — as initiator, propose Diffie-Hellman group 2 (1024-bit)
    • dh-group5 — as initiator, propose Diffie-Hellman group 5 (1536-bit)
    • dh-group14 — as initiator, propose Diffie-Hellman group 14 (2048-bit)
    • dh-group15 — as initiator, propose Diffie-Hellman group 15 (3072-bit)
    • dh-group16 — as initiator, propose Diffie-Hellman group 16 (4096-bit)
phase2-exchange-mode
Enter the Diffie-Hellman group used during IKE Phase 2 negotiation.
  • Default: phase1-group
  • Values:
    • phase1-group — use the same group as in phase1
    • no-forward-secrecy — use the same key as used during Phase 1 negotiation

      Note:

      During IKE Phase 2, the IKE initiator and responder establish the IPsec SA.

      Diffie-Hellman groups determine the lengths of the prime numbers exchanged during the symmetric key generation process.

    • dh-group2 — use Diffie-Hellman group 2 (1024-bit)
    • dh-group5 — use Diffie-Hellman group 5 (1536-bit)
    • dh-group14 — use Diffie-Hellman group 14 (2048-bit)
    • dh-group15 — use Diffie-Hellman group 15 (3072-bit)
    • dh-group16 — use Diffie-Hellman group 16 (4096-bit)
v2-ike-life-secs
Enter the default IKEv2 SA lifetime in seconds.
  • Default: 86400 (24 hours)
  • Values: Min: 1800 / Max: 999999999 (seconds)

Note:

This global default can be overridden at the IKEv2 interface level.
v2-ipsec-life-secs
Enter the default IPsec SA lifetime in seconds.
  • Default: 28800 (8 hours)
  • Values: Min: 1 / Max:4294967295 (seconds)

Note:

This global default can be overridden at the IKEv2 interface level.
v2-rekey
Enable to initiate new negotiations to restore expired IKEv2 or IPsec SAs. The SBC makes a maximum of three retransmission attempts before abandoning the re-keying effort.
anti-replay
Enable anti-replay protection on IPsec SAs.
phase1-life-seconds
Set the time (in seconds) proposed for IKE SA expiration during IKE Phase 1 negotiations.
  • Default: 3600 (1 hour)
  • Values: Min: 0 / Max: 4294967295 (seconds)

Note:

Relevant only when the SBC is acting in the IKE initiator role.
phase1-life-secs-max
Set the maximum time (in seconds) accepted for IPsec SA expiration during IKE Phase 1 negotiations.
  • Default: 86400 (24 hours)
  • Values: Min: 0 / Max: 4294967295 (seconds)

Note:

Relevant only when the SBC is acting in the IKE responder role.
phase2-life-seconds
Set the time (in seconds) proposed for IPsec SA expiration during IKE Phase 2 negotiations. Relevant only when the SBC is acting in the IKE initiator role.
  • Default: 28800 (8 hours)
  • Values: Min: 0 / Max:4294967295 (seconds)

Note:

During IKE Phase 2, the IKE initiator and responder establish the IPsec SA.
phase2-life-secs-max
Set the maximum time (in seconds) accepted for IPsec SA expiration during IKE Phase 2 negotiations.
  • Default: 86400 (24 hours)
  • Values: Min: 0 / Max: 4294967295 (seconds)

Note:

Relevant only when the SBC is acting in the IKE responder role.
shared-password
Enter the default PSK used during IKE SA authentication.
This global default can be overridden at the IKE interface level.
  • Default: None
  • Values: A string of ASCII-printable characters no longer than 255 characters (not displayed by the ACLI)
eap-protocol
Enter the EAP protocol used with IKEv2.
  • Default: eap-radius-passthru
  • Values: eap-radius-passthru

    Note:

    The current software performs EAP operations by a designated RADIUS server or server group; retain the default value.
eap-bypass-identity
Specifies whether or not to bypass the EAP (Extensible Authentication Protocol) identity phase.
EAP, defined in RFC 3748, provides an authentication framework widely used in wireless networks.
An Identity exchange is optional within the EAP protocol exchange. Therefore, it is possible to omit the Identity exchange entirely, or to use a method-specific identity exchange once a protected channel has been established.
  • Default: disabled (requires an identity exchange)
  • Values: disabled | enabled
red-port
Enter the port number monitored for IKEv2 synchronization messages; used in high-availability environments.
The default value (0) disables redundant high-availability configurations. Select port 1995 to enable high-availability operations.
  • Default: 0
  • Values: 0 | 1995
red-max-trans
For HA nodes, set the maximum number of retained IKEv2 synchronization messages.
  • Default: 10000 (messages)
  • Values: Min: 0 / Max: 50000 (messages)
red-sync-start-time
For HA nodes, set the timer value for transitioning from standby to active role — the amount of time (in milliseconds) that a standby device waits for a heartbeat signal from the active device before transitioning to the active role.
  • Default: 5000 (milliseconds)
  • Values: Min: 0 / Max:4294967295 (milliseconds)
red-sync-comp-time
For HA nodes, set the interval between synchronization attempts after the completion of an IKEv2 redundancy check.
  • Default: 1000 (milliseconds)
  • Values: Min: 0 / Max:4294967295 (milliseconds)
dpd-time-interval
Set the maximum period of inactivity (in seconds) before the Dead Peer Detection (DPD) protocol is initiated on a specific endpoint.
The default value, 0, disables the DPD protocol; setting this parameter to a non-zero value globally enables the protocol and sets the inactivity timer.
  • Default: 0 (DPD disabled)
  • Values: Min: 0 / Max:4294967295 (seconds)
overload-threshold
Set the percentage of CPU usage that triggers an overload state.
  • Default: 100 (disabling overload processing)
  • Values: Min: 10 / Max: 100

Note:

The value of overload-threshold must be less than the value of overload-critical-threshold.
overload-interval
Set the interval (in seconds) between CPU load measurements while in the overload state.
  • Default: 1
  • Values: Min: 1 / Max: 60
overload-action
Select the action to take when the SBC (as a SG) CPU enters an overload state. The overload state is reached when CPU usage exceeds the percentage threshold specified by overload-threshold.
  • Default: none
  • Values:
    • drop-new-connection—use to implement call rejection
    • none—use to retain default behavior (no action)
overload-critical-threshold
Set the percentage of CPU usage that triggers a critical overload state. This value must be greater than the value of overload-threshold.
  • Default: 100 (disabling overload processing)
  • Values: Min: 10 / Max: 100
overload-critical-interval
Set the interval (in seconds) between CPU load measurements while in the critical overload state.
  • Default: 1
  • Values: Min: 1 / Max: 60
sd-authentication-method
Select the method used to authenticate the IKEv2 SA. Two authentication methods are supported.
This global default can be overridden at the IKEv2 interface level.
  • Default: shared-password
  • Values:
    • certificate—uses an X.509 certificate to digitally sign a block of data
    • shared-password—uses a PSK that is used to calculate a hash over a block of data
certificate-profile-id
When sd-authentication-method is certificate, identifies the default ike-certificate-profile configuration element that contains the identification and validation credentials required for certificate-based IKEv2 authentication.
  • This parameter can be overridden at the IKEv2 interface level.
  • Default: None
  • Values: Name of an existing ike-certificate-profile configuration element.
id-auth-type
(Optional) Specify that the PSK used while authenticating the remote IKEv2 peer is associated with the asserted identity contained within an IKEv2 Identification payload.
  • idi—use IDi KEY_ID for authentication
  • idr—use IDr KEY_ID for authentication

Path

ike-config is a subelement under the ike element. The full path from the topmost ACLI prompt is: configure-terminal, and then security, and then ike, and then ike-config.

Note:

This is a single instance configuration element.