- Introduction to FlexVPN
- Configuring Internet Key Exchange Version 2 and FlexVPN Site-to-Site
- Configuring the FlexVPN Server
- Configuring the FlexVPN Client
- Configuring FlexVPN Spoke to Spoke
- Configuring IKEv2 Load Balancer
- Configuring IKEv2 Fragmentation
- Configuring IKEv2 Reconnect
- Configuring MPLS over FlexVPN
- Configuring IKEv2 Packet of Disconnect
- Configuring IKEv2 Change of Authorization Support
- Configuring Aggregate Authentication
- Appendix: FlexVPN RADIUS Attributes
- Appendix: IKEv2 and Legacy VPNs
Configuring IKEv2
Packet of Disconnect
The IKEv2 Remote Access Change of Authorization (CoA)—Packet of Disconnect feature terminates an active crypto IKEv2 session on Cisco supported devices.
- Finding Feature Information
- Information About IKEv2 Packet of Disconnect
- How to Configure IKEv2 Packet of Disconnect
- Configuration Examples for IKEv2 Packet of Disconnect
- Additional References for IKEv2 Packet of Disconnect
- Feature Information for IKEv2 Packet of Disconnect
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Information About IKEv2 Packet of Disconnect
Disconnect Request
The Packet of Disconnect (POD) is a RADIUS disconnect_request packet and is intended to be used in situations where the authenticating agent server wants to disconnect a crypto session.
When the POD is Needed
The Packet of Disconnect is required in the following situations:
-
Enforce reauthentication—As a network administrator, you might want to terminate a user on FlexVPN server to forcefully reauthenticate if a session is connected for a very long duration.
-
Apply a new policy—As a network administrator, you may want to terminate an active crypto session and apply the new policy on the session when the client reconnects.
-
Free resources—A session may need to be terminated to free resources and exit rekey.
IKEv2 Packet of Disconnect
The IKEv2 Remote Access Change of Authorization (CoA)—Packet of Disconnect feature uses the RADIUS Packet of Disconnect (POD) feature to delete a crypto session. The crypto session is deleted to update VPN users to the new user or group policy on the AAA server.
-
AAA passes the attribute key-value pair list, provided by the RADIUS server, to IKEv2.
-
IKEv2 parses the list and locates the Audit-Session-ID, a Cisco AV pair, as a key and validates the pair value.
-
IKEv2 searches the session and deletes the specific session.
-
IKEv2 notifies AAA and AAA notifies the RADIUS server.
-
The session pertaining to the Audit-Session-ID is deleted.
Parameters in IKEv2 Packet of Disconnect
RFC 3576 specifies the following POD codes that are supported for IKEv2 Packet of Disconnect:
The Disconnect-ACK code indicates that a session existed for an audit-session-ID and that the session, pertaining to an audit-session-ID was terminated successfully. The Disconnect-NACK code indicates that there are no session corresponding to the audit-session-ID. No reply message is sent to the gateway.
How to Configure IKEv2 Packet of Disconnect
Configuring AAA on the FlexVPN Server
There is no IKEv2-specific configuration required on the FlexVPN server for the IKEv2 Remote Access Change of Authorization (CoA)—Packet of Disconnect feature. You only need to configure authentication, authorization, and accounting (AAA) on the FlexVPN server. For additional information on AAA configuration, see Authentication Authorization and Accounting Configuration Guide, Cisco IOS XE Release 3S.
1.
enable
2.
configure terminal
3.
aaa new-model
4.
aaa server radius dynamic-author
5.
client {hostname |
ip-address} [server-key
string |
vrf
vrf-id]
6.
port
number
7.
end
DETAILED STEPS
Configuration Examples for IKEv2 Packet of Disconnect
Example: Terminating an IKEv2 Session
The following is a sample output from the show aaa sessions command. This command must be executed to identify the IKEv2 session that needs to be terminated.
Device# show aaa sessions Total sessions since last reload: 32 Session Id: 3 Unique Id: 14 User Name: *not available* IP Address: 0.0.0.0 Idle Time: 0 CT Call Handle: 0 Session Id: 30 Unique Id: 41 User Name: pskuser2.g1.engdt.com IP Address: 0.0.0.0 Idle Time: 0 CT Call Handle: 0 Session Id: 32 Unique Id: 43 User Name: pskuser4.g2.engdt.com IP Address: 0.0.0.0 Idle Time: 0 CT Call Handle: 0
In the above output, ID 41 and 43 pertain to IKEv2 sessions. Optionally, you can run the show aaa user command to view detailed information about the session.
Device# show aaa user 41 Unique id 41 is currently in use. No data for type 0 No data for type EXEC No data for type CONN NET: Username=(n/a) Session Id=0000001E Unique Id=00000029 Start Sent=0 Stop Only=N stop_has_been_sent=N Method List=0 Attribute list: 7FBD9783CCF0 0 00000001 session-id(408) 4 30(1E) 7FBD9783CD30 0 00000001 start_time(418) 4 Nov 04 2014 00:20:23 -------- No data for type CMD No data for type SYSTEM No data for type VRRS No data for type RM CALL No data for type RM VPDN No data for type AUTH PROXY No data for type DOT1X No data for type CALL No data for type VPDN-TUNNEL No data for type VPDN-TUNNEL-LINK IPSEC-TUNNEL: Username=pskuser2.g1.engdt.com Session Id=0000001E Unique Id=00000029 Start Sent=1 Stop Only=N stop_has_been_sent=N Method List=7FBDA6E05A68 : Name = accnt_prof Attribute list: 7FBD9783CCF0 0 00000001 session-id(408) 4 30(1E) 7FBD9783CD30 0 00000001 start_time(418) 4 Nov 04 2014 00:20:23 7FBD9783CD70 0 00000082 formatted-clid(37) 13 192.168.202.2 7FBD9783CDB0 0 0000008A audit-session-id(819) 37 L2L433010101ZO2L4C0A8CA02ZH119404ZP37 7FBD9783CDF0 0 00000081 isakmp-phase1-id(737) 21 pskuser2.g1.engdt.com 7FBD9783BF80 0 00000002 isakmp-initator-ip(738) 4 192.168.202.2 -------- No data for type MCAST No data for type RESOURCE No data for type SSG No data for type IDENTITY No data for type ConnectedApps Accounting: log=0x400018041 Events recorded : CALL START ATTR REPLACE INTERIM START INTERIM STOP IPSEC TNL UP update method(s) : NONE update interval = 0 Outstanding Stop Records : 0 Dynamic attribute list: 7FBD9783BF80 0 00000001 connect-progress(75) 4 No Progress 7FBD9783BFC0 0 00000001 pre-session-time(334) 4 0(0) 7FBD9783C000 0 00000001 elapsed_time(414) 4 341(155) 7FBD9783C040 0 00000001 bytes_in(146) 4 0(0) 7FBD9783C080 0 00000001 bytes_out(311) 4 0(0) 7FBD9783CCF0 0 00000001 pre-bytes-in(330) 4 0(0) 7FBD9783CD30 0 00000001 pre-bytes-out(331) 4 0(0) 7FBD9783CD70 0 00000001 paks_in(147) 4 0(0) 7FBD9783CDB0 0 00000001 paks_out(312) 4 0(0) 7FBD9783CDF0 0 00000001 pre-paks-in(332) 4 0(0) 7FBD9783BA20 0 00000001 pre-paks-out(333) 4 0(0) Debg: No data available Radi: No data available Interface: TTY Num = -1 Stop Received = 0 Byte/Packet Counts till Call Start: Start Bytes In = 0 Start Bytes Out = 0 Start Paks In = 0 Start Paks Out = 0 Byte/Packet Counts till Service Up: Pre Bytes In = 0 Pre Bytes Out = 0 Pre Paks In = 0 Pre Paks Out = 0 Cumulative Byte/Packet Counts : Bytes In = 0 Bytes Out = 0 Paks In = 0 Paks Out = 0 StartTime = 00:20:23 IST Nov 4 2014 AuthenTime = 00:20:23 IST Nov 4 2014 Component = VPN IPSEC Authen: service=NONE type=NONE method=NONE Kerb: No data available Meth: No data available Preauth: No Preauth data. General: Unique Id = 00000029 Session Id = 0000001E Session Server Key = 1771D693 Attribute List: PerU: No data available Service Profile: No Service Profile data. Unkn: No data available Unkn: No data available
Note the audit-session-id in the above output, which is L2L433010101ZO2L4C0A8CA02ZH119404ZP37. The following sample output is displayed on the FlexVPN server on starting an accounting session starts with a RADIUS server.
Nov 4 00:26:49.908 IST: RADIUS/ENCODE: Best Local IP-Address 192.168.202.1 for Radius-Server 9.45.15.144 Nov 4 00:26:49.908 IST: RADIUS(0000002C): Send Accounting-Request to 9.45.15.144:1813 id 1646/231, len 288 Nov 4 00:26:49.908 IST: RADIUS: authenticator 29 63 0C 79 C1 5E F2 0E - F3 CA 36 DD A3 55 C1 DE Nov 4 00:26:49.908 IST: RADIUS: Acct-Session-Id [44] 10 "00000021" Nov 4 00:26:49.908 IST: RADIUS: Calling-Station-Id [31] 15 "192.168.202.2" Nov 4 00:26:49.908 IST: RADIUS: Vendor, Cisco [26] 64 Nov 4 00:26:49.908 IST: RADIUS: Cisco AVpair [1] 58 "audit-session-id=L2L433010101ZO2L4C0A8CA02ZH11941194ZN3A" Nov 4 00:26:49.908 IST: RADIUS: Vendor, Cisco [26] 46 Nov 4 00:26:49.908 IST: RADIUS: Cisco AVpair [1] 40 "isakmp-phase1-id=pskuser1.g1.engdt.com" Nov 4 00:26:49.908 IST: RADIUS: Vendor, Cisco [26] 40 Nov 4 00:26:49.908 IST: RADIUS: Cisco AVpair [1] 34 "isakmp-initator-ip=192.168.202.2" Nov 4 00:26:49.908 IST: RADIUS: User-Name [1] 23 "pskuser1.g1.engdt.com" Nov 4 00:26:49.908 IST: RADIUS: Vendor, Cisco [26] 36 Nov 4 00:26:49.908 IST: RADIUS: Cisco AVpair [1] 30 "connect-progress=No Progress" Nov 4 00:26:49.908 IST: RADIUS: Acct-Authentic [45] 6 Local [2] Nov 4 00:26:49.908 IST: RADIUS: Acct-Status-Type [40] 6 Start [1] Nov 4 00:26:49.908 IST: RADIUS: NAS-IP-Address [4] 6 192.168.202.1 Nov 4 00:26:49.908 IST: RADIUS: home-hl-prefix [151] 10 "D33648D8" Nov 4 00:26:49.908 IST: RADIUS: Acct-Delay-Time [41] 6 0 Nov 4 00:26:49.908 IST: RADIUS(0000002C): Sending a IPv4 Radius Packet
The following output is displayed on the FlexVPN server when disconnecting a session for a specific audit-session-id. The terminate session request is sent to the RADIUS server via a RADIUS client. In this example, the session for the audit-session-ID, which is L2L433010101ZO2L4C0A8CA02ZH119404ZP37 is terminated and, hence, not visible in the output.
Nov 4 00:32:29.004 IST: RADIUS: POD received from id 216 9.45.15.144:50567, POD Request, len 84 Nov 4 00:32:29.004 IST: POD: 9.45.15.144 request queued Nov 4 00:32:29.004 IST: ++++++ POD Attribute List ++++++ Nov 4 00:32:29.004 IST: 7FBD9783D3A8 0 00000089 audit-session-id(819) 39 L2L433010101ZO2L4C0A8CA02ZH11941194ZN3B Nov 4 00:32:29.004 IST: Nov 4 00:32:29.004 IST: POD: Sending ACK from port 1812 to 9.45.15.144/50567 Nov 4 00:32:29.005 IST: IKEv2:(SESSION ID = 59,SA ID = 2):Check for existing active SA Nov 4 00:32:29.006 IST: IKEv2:in_octets 0, out_octets 0 Nov 4 00:32:29.006 IST: IKEv2:in_packets 0, out_packets 0 Nov 4 00:32:29.006 IST: IKEv2:(SA ID = 2):[IKEv2 -> AAA] Accounting stop request sent successfully Nov 4 00:32:29.006 IST: IKEv2:(SESSION ID = 59,SA ID = 2):Delete all IKE SAs Nov 4 00:32:29.010 IST: RADIUS/ENCODE(0000002D):Orig. component type = VPN IPSEC Nov 4 00:32:29.010 IST: RADIUS(0000002D): Config NAS IP: 0.0.0.0 Nov 4 00:32:29.010 IST: RADIUS(0000002D): Config NAS IPv6: :: Nov 4 00:32:29.010 IST: RADIUS(0000002D): sending Nov 4 00:32:29.011 IST: RADIUS/ENCODE: Best Local IP-Address 192.168.202.1 for Radius-Server 9.45.15.144 Nov 4 00:32:29.011 IST: RADIUS(0000002D): Send Accounting-Request to 9.45.15.144:1813 id 1646/246, len 356 Nov 4 00:32:29.011 IST: RADIUS: authenticator 52 88 5E CB 8B FA 1E C1 - CC EF 73 75 89 73 CA 95 Nov 4 00:32:29.011 IST: RADIUS: Acct-Session-Id [44] 10 "00000022" Nov 4 00:32:29.011 IST: RADIUS: Calling-Station-Id [31] 15 "192.168.202.2" Nov 4 00:32:29.011 IST: RADIUS: Vendor, Cisco [26] 64 Nov 4 00:32:29.011 IST: RADIUS: Cisco AVpair [1] 58 "audit-session-id=L2L433010101ZO2L4C0A8CA02ZH11941194ZN3B" Nov 4 00:32:29.011 IST: RADIUS: Vendor, Cisco [26] 46 Nov 4 00:32:29.011 IST: RADIUS: Cisco AVpair [1] 40 "isakmp-phase1-id=pskuser1.g1.engdt.com" Nov 4 00:32:29.011 IST: RADIUS: Vendor, Cisco [26] 40 Nov 4 00:32:29.011 IST: RADIUS: Cisco AVpair [1] 34 "isakmp-initator-ip=192.168.202.2" Nov 4 00:32:29.011 IST: RADIUS: User-Name [1] 23 "pskuser1.g1.engdt.com" Nov 4 00:32:29.011 IST: RADIUS: Acct-Authentic [45] 6 Local [2] Nov 4 00:32:29.011 IST: RADIUS: Vendor, Cisco [26] 36 Nov 4 00:32:29.011 IST: RADIUS: Cisco AVpair [1] 30 "connect-progress=No Progress" Nov 4 00:32:29.011 IST: RADIUS: Acct-Session-Time [46] 6 56 Nov 4 00:32:29.011 IST: RADIUS: Acct-Input-Octets [42] 6 0 Nov 4 00:32:29.011 IST: RADIUS: Acct-Output-Octets [43] 6 0 Nov 4 00:32:29.011 IST: RADIUS: Acct-Input-Packets [47] 6 0 Nov 4 00:32:29.011 IST: RADIUS: Acct-Output-Packets [48] 6 0 Nov 4 00:32:29.011 IST: RADIUS: Acct-Terminate-Cause[49] 6 none [0] Nov 4 00:32:29.011 IST: RADIUS: Vendor, Cisco [26] 32 Nov 4 00:32:29.011 IST: RADIUS: Cisco AVpair [1] 26 "disc-cause-ext=No Reason" Nov 4 00:32:29.011 IST: RADIUS: Acct-Status-Type [40] 6 Stop [2] Nov 4 00:32:29.011 IST: RADIUS: NAS-IP-Address [4] 6 192.168.202.1 Nov 4 00:32:29.011 IST: RADIUS: home-hl-prefix [151] 10 "E2F80C34" Nov 4 00:32:29.011 IST: RADIUS: Acct-Delay-Time [41] 6 0 Nov 4 00:32:29.011 IST: RADIUS(0000002D): Sending a IPv4 Radius Packet Nov 4 00:32:29.011 IST: RADIUS(0000002D): Started 5 sec timeout
The following output is displayed when there is no valid session for the specific audit-session-ID. This happens if there is no session pertaining to the specific audit-session-id when the session is terminated already. Note the NACK message that is sent back to the FlexVPN server
Nov 4 00:30:31.905 IST: RADIUS: POD received from id 131 9.45.15.144:52986, POD Request, len 84 Nov 4 00:30:31.905 IST: POD: 9.45.15.144 request queued Nov 4 00:30:31.905 IST: ++++++ POD Attribute List ++++++ Nov 4 00:30:31.905 IST: 7FBD9783BA20 0 00000089 audit-session-id(819) 39 L2L433010101ZO2L4C0A8CA02ZH11941194ZN3A Nov 4 00:30:31.905 IST: Nov 4 00:30:31.906 IST: POD: 9.45.15.144 Unsupported attribute type 26 for component Nov 4 00:30:31.906 IST: POD: 9.45.15.144 user 0.0.0.0i sessid 0x0 key 0x0 DROPPED Nov 4 00:30:31.906 IST: POD: Added Reply Message: No Matching Session Nov 4 00:30:31.906 IST: POD: Added NACK Error Cause: Invalid Request Nov 4 00:30:31.906 IST: POD: Sending NAK from port 1812 to 9.45.15.144/52986 Nov 4 00:30:31.906 IST: RADIUS: 18 21 4E6F204D61746368696E672053657373696F6E Nov 4 00:30:31.906 IST: RADIUS: 101 6 00000194
Additional References for IKEv2 Packet of Disconnect
Related Documents
Related Topic |
Document Title |
---|---|
Cisco IOS commands |
|
Security commands |
|
RADIUS Packet of Disconnect |
Standards and RFCs
Standard/RFC |
Title |
---|---|
RFC 3576 |
Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS) |
RFC 5176 |
Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS) |
Technical Assistance
Description |
Link |
---|---|
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. |
Feature Information for IKEv2 Packet of Disconnect
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Feature Name |
Releases |
Feature Information |
---|---|---|
IKEv2 Remote Access Change of Authorization (CoA)—Packet of Disconnect |
Cisco IOS XE Release 3.14S |
The IKEv2 Remote Access Change of Authorization (CoA)—Packet of Disconnect feature terminates an active crypto IKEv2 session on Cisco supported devices. No commands were introduced by this feature. |