1. ACLI Reference Guide
  2. ACLI Configuration Elements A-M
  3. ike-config

ike-config

The ike-config subelement defines a single, global Internet Key Exchange (IKE) configuration object.

Parameters

state
Enter the state (enabled or disabled) of the ike-config configuration element.
  • Default: enabled
  • Values: disabled | disabled
ike-version
Enter an integer value that specifies IKE version.
Select 1 for IKEV1 protocol implementation.
Select 2 for IKEV2 protocol implementation.
  • Default: 2
  • Values: 1 | 2
log-level
Enter the IKE log level; events of this level and other events deemed more critical are written to the system log.
  • Default: info
  • Values: emergency | critical | major | minor | warning | notice | info | trace | debug | detail
udp-port
Enter the UDP port used for IKEv1 protocol traffic.
  • Default: 500
  • Values: Min: 1025 / Max: 65535
negotiation-timeout
Enter the maximum interval between Diffie-Hellman message exchanges.
  • Default: 15 (seconds)
  • Values: Min: 0 / Max:4294967295 (seconds)

Note:

In the event of timer expiration, the IKE initiator must restart the Diffie-Hellman exchange.
event-timeout
Enter the maximum time allowed for the duration of an IKEv1 event, defined as the successful establishment of an IKE or IPsec Security Association (SA).
  • Default: 60 (seconds)
  • Values: Min: 0 / Max:4294967295 (seconds)

Note:

In the event of timer expiration, the IKE initiator must restart the Phase 1 (IKE SA) or Phase 2 (IPsec SA) process.
phase1-mode
Enter the IKE phase 1 exchange mode: aggressive or main.
  • Default: main
  • Values:
    • aggressive—is less verbose (requiring only three messages), but less secure in providing no identity protection, and less flexible in IKE SA negotiation
    • main—is more verbose, but provides greater security in that it does not reveal the identity of the IKE peers. Main mode requires six messages (3 requests and corresponding responses) to (1) negotiate the IKE SA, (2) perform a Diffie-Hellman exchange of cryptographic material, and (3) authenticate the remote peer
phase1-dh-mode
Enter the Diffie-Hellman group used during IKE phase 1 negotiation.
  • Default: first-supported
  • Values:
    • first-supported — as responder, use the first supported 
Diffie-Hellman group proposed by initiator

      Note:

      Diffie-Hellman groups determine the lengths of the prime numbers exchanged during the symmetric key generation process.
    • dh-group5 — as initiator, propose Diffie-Hellman group 5 (1536-bit)
    • dh-group14 — as initiator, propose Diffie-Hellman group 14 (2048-bit)
    • dh-group15 — as initiator, propose Diffie-Hellman group 15 (3072-bit)
    • dh-group16 — as initiator, propose Diffie-Hellman group 16 (4096-bit)
    • dh-group17 — as initiator, propose Diffie-Hellman group 17 (6144-bit)
    • dh-group18 — as initiator, propose Diffie-Hellman group 18 (8192-bit)

Note:

When you enable the FIPS entitlement, you cannot select dh-group5.
phase2-exchange-mode
Enter the Diffie-Hellman group used during IKE Phase 2 negotiation.
  • Default: phase1-group
  • Values:
    • phase1-group — use the same group as in phase1
    • no-forward-secrecy — use the same key as used during Phase 1 negotiation

      Note:

      During IKE Phase 2, the IKE initiator and responder establish the IPsec SA.

      Diffie-Hellman groups determine the lengths of the prime numbers exchanged during the symmetric key generation process.

    • dh-group5 — as initiator, propose Diffie-Hellman group 5 (1536-bit)
    • dh-group14 — as initiator, propose Diffie-Hellman group 14 (2048-bit)
    • dh-group15 — as initiator, propose Diffie-Hellman group 15 (3072-bit)
    • dh-group16 — as initiator, propose Diffie-Hellman group 16 (4096-bit)
    • dh-group17 — as initiator, propose Diffie-Hellman group 17 (6144-bit)
    • dh-group18 — as initiator, propose Diffie-Hellman group 18 (8192-bit)

Note:

When you enable the FIPS entitlement, you cannot select dh-group5.
v2-ike-life-secs
Enter the default IKEv2 SA lifetime in seconds.
  • Default: 86400 (24 hours)
  • Values: Min: 1800 / Max: 999999999 (seconds)

Note:

This global default can be over-ridden at the IKEv2 interface level.
v2-ipsec-life-secs
Enter the default IPsec SA lifetime in seconds.
  • Default: 28800 (8 hours)
  • Values: Min: 1 / Max:4294967295 (seconds)

Note:

This global default can be over-ridden at the IKEv2 interface level.
v2-rekey
Enable to initiate new negotiations to restore expired IKEv2 or IPsec SAs. The SBC makes a maximum of three retransmission attempts before abandoning the re-keying effort.
anti-replay
Enable anti-replay protection on IPsec SAs.
phase1-life-seconds
Set the time (in seconds) proposed for IKE SA expiration during IKE Phase 1 negotiations.
  • Default: 3600 (1 hour)
  • Values: Min: 0 / Max: 4294967295 (seconds)

Note:

Relevant only when the SBC is acting in the IKE initiator role.
phase1-life-secs-max
Set the maximum time (in seconds) accepted for IPsec SA expiration during IKE Phase 1 negotiations.
  • Default: 86400 (24 hours)
  • Values: Min: 0 / Max: 4294967295 (seconds)

Note:

Relevant only when the SBC is acting in the IKE responder role.
phase2-life-seconds
relevant only when the SBC is acting in the IKE initiator role, contains the time proposed (in seconds) for IPsec SA expiration during IKE Phase 2 negotiations.
  • Default: 28800 (8 hours)
  • Values: Min: 0 / Max:4294967295 (seconds)

Note:

During IKE Phase 2, the IKE initiator and responder establish the IPsec SA.
phase2-life-secs-max
Set the maximum time (in seconds) accepted for IPsec SA expiration during IKE Phase 2 negotiations.
  • Default: 86400 (24 hours)
  • Values: Min: 0 / Max: 4294967295 (seconds)

Note:

Relevant only when the SBC is acting in the IKE responder role.
shared-password
Enter the default PSK used during IKE SA authentication.
This global default can be over-ridden at the IKE interface level.
  • Default: None
  • Values: A string of ACSII-printable characters no longer than 255 characters (not displayed by the ACLI)
eap-protocol
Enter the EAP protocol used with IKEv2.
  • Default: eap-radius-passthru
  • Values: eap-tls | eap-leap | eap-sim | eap-srp | eap-ttls | eap-aka | eap-peap | eap-mschapv2 | eap-fast | eap-psk | eap-radius-passthru

    Note:

    The current software performs EAP operations by a designated RADIUS server or server group; retain the default value.
eap-bypass-identity
Contains a value specifying whether or not to bypass the EAP (Extensible Authentication Protocol) identity phase
EAP, defined in RFC 3748, provides an authentication framework widely used in wireless networks.
An Identity exchange is optional within the EAP protocol exchange. Therefore, it is possible to omit the Identity exchange entirely, or to use a method-specific identity exchange once a protected channel has been established.
  • Default: disabled (requires an identity exchange)
  • Values: disabled | enabled
red-port
Enter the port number monitored for IKEv2 synchronization messages; used in high-availability environments.
The default value (0) disables redundant high-availability configurations. Select port 1995 to enable high-availability operations.
  • Default: 0
  • Values: 0 | 1995
red-max-trans
For HA nodes, set the maximum number of retained IKEv2 synchronization message.
  • Default: 10000 (messages)
  • Values: Min: 0 / Max: 50000 (messages)
red-sync-start-time
For HA nodes, set the timer value for transitioning from standby to active role — the amount of time (in milliseconds) that a standby device waits for a heartbeat signal from the active device before transitioning to the active role.
  • Default: 5000 (milliseconds)
  • Values: Min: 0 / Max:4294967295 (milliseconds)
red-sync-comp-time
For HA nodes, set the interval between synchronization attempts after the completion of an IKEv2 redundancy check.
  • Default: 1000 (milliseconds)
  • Values: Min: 0 / Max:4294967295 (milliseconds)
dpd-time-interval
Set the maximum period of inactivity (in seconds) before the Dead Peer Detection (DPD) protocol is initiated on a specific endpoint.
The default value, 0, disables the DPD protocol; setting this parameter to a 
non-zero value globally enables the protocol and sets the inactivity timer.
  • Default: 0 (DPD disabled)
  • Values: Min: 0 / Max:4294967295 (seconds)
overload-threshold
Set the percentage of CPU usage that triggers an overload state.
  • Default: 100 (disabling overload processing)
  • Values: Min: 10 / Max: 100

Note:

The value of overload-threshold must be less than the value of overload-critical-threshold.
overload-interval
Set the interval (in seconds) between CPU load measurements while in the overload state.
  • Default: 1
  • Values: Min: 1 / Max: 60
overload-action
Select the action to take when the SBC (as a SG) CPU enters an overload state. The overload state is reached when CPU usage exceeds the percentage threshold specified by the overload-threshold
  • Default: none
  • Values:
    • drop-new-connection—use to implement call rejection
    • none—use to retain default behavior (no action)
overload-critical-threshold
Set the percentage of CPU usage that triggers a critical overload state. This value must be greater than the value of overload-threshold.
  • Default: 100 (disabling overload processing)
  • Values: Min: 10 / Max: 100
overload-critical-interval
Set the interval (in seconds) between CPU load measurements while in the critical overload state.
  • Default: shared-password
  • Values: Min: 1 / Max: 60
sd-authentication-method
Select the method used to authenticate the IKEv2 SA. Two authentication methods are supported.
This global default can be over-ridden at the IKEv2 interface level.
  • Default: shared-password
  • Values:
    • certificate—uses an X.509 certificate to digitally sign a block of data
    • shared-password—uses a PSK that is used to calculate a hash over a block of data
certificate-profile-id
When sd-authentication-method is certificate , identifies the default ike-certificate-profile configuration element that contains identification and validation credentials required for certificate-based IKEv2 authentication.
  • This parameter can be over-ridden at the IKEv2 interface level.
  • Default: None
  • Values: Name of an existing ike-certificate-profile configuration element.
id-auth-type
(Optional) Specify that the PSK used while authenticating the remote IKEv2 peer is associated with the asserted identity contained within an IKEv2 Identification payload.
  • idi—use IDi KEY_ID for authentication
  • idr—use IDr KEY_ID for authentication

Path

ike-config is a subelement under the ike element. The full path from the topmost ACLI prompt is: configure-terminal, and then security, and then ike, and then ike-config.

Note:

This is a single instance configuration element.