Enables support for a certificate encoding type other than the default. When enabled hash and URL encoding type are supported in CERT and CERTREQ payloads.

no

Disables support for hash and URL encoding type in CERT and CERTREQ payloads.

Allows non-standard FQDN (Fully Qualified Domain Name) strings in the IDr (Identification - Responder) payload of IKE_AUTH messages received from the UE with the payload type as FQDN.

no

Does not allow non-standard FQDN strings in the IDr payload of IKE_AUTH messages received from the UE with the payload type as FQDN.

default

Restores the default setting, which does not allow non-standard FQDN strings in the IDr payload of IKE_AUTH messages received from the UE with the payload type as FQDN.

You can chain multiple CA-CRLs in a single command instance.

Configures the gateway and subscriber authentication methods to be used by this crypto template.

default

Returns the command to its default setting.

no

Removes the authentication parameters from the configuration.

eap-profile name [ second-phase eap-profile name ]

Specifies that authentication is to be performed using a named Extensible Authentication Protocol (EAP) profile. name is an alphanumeric string of 1 through 127 characters. Entering this keyword places the CLI in the EAP Authentication Configuration Mode.

The second-phase eap-profile name is only required for installations using multiple authentications. name must be an alphanumeric string of 1 through 127 characters.

local { certificate | pre-shared-key { encrypted key value | key clear_text }

Specifies the local authentication method required for services using the crypto template.

certificate : Specifies that the certificate method of authentication must be used for services using the crypto template.

min-key-size : Sets minimum certificate key size. min_key_size must be an integer between 255 to 8192. Default is 255.

pre-shared-key { encrypted key value | key clear_text } : Specifies that a pre-shared key is to be used for services using the crypto template. encrypted key value configures an encrypted pre-shared key used for authentication. value must be an alphanumeric string of 16 through 255 characters for releases prior to 15.0, or 15 through 444 characters for release 15.0 and higher. key clear_text configures a clear text pre-shared key used for authentication. clear_text must be an alphanumeric string of 1 through 255 characters.

pre-shared-key { encrypted key value | key clear_text }

Specifies that a pre-shared key is to be used for services using the crypto template.

encrypted key value : Specifies that the pre-shared key used for authentication is encrypted. value must be an alphanumeric string of 1 through 255 characters for releases prior to 15.0, or 15 through 444 characters for release 15.0 and higher.

key clear_text : Specifies that the pre-shared key used for authentication is clear text. clear_text must be an alphanumeric string of 1 through 255 characters.

remote { certificate | eap-profile name [ second-phase eap-profile name ] | pre-shared-key { encrypted key value | key clear_text }

Specifies the remote authentication method required for services using the crypto template.

certificate : Specifies that the certificate method of remote authentication must be used for services using the crypto template.

eap-profile name [ second-phase eap-profile name ] : Specifies that remote authentication is to be performed using a named EAP profile. name must be an alphanumeric string of 1 through 127 characters. Entering this keyword places the CLI in the EAP Authentication Configuration Mode.

The second-phase eap-profile name is only required for installations using multiple authentications. name must be an alphanumeric string of 1 through 127 characters.

pre-shared-key { encrypted key value | key clear_text } : Specifies that a pre-shared key is to be used for services using the crypto template. encrypted key value configures an encrypted pre-shared key used for authentication. value must be an alphanumeric string of 1 through 255 characters for releases prior to 15.0, or 15 through 444 characters for release 15.0 and higher. key value configures a clear text pre-shared key used for authentication. clear_text must be an alphanumeric string of 1 through 255 characters.

Enables the use of a blacklist (access denied) file to be used by a security gateway.

no

Disables the use of a blacklist.

Used to bind an X.509 Certificate Authority (CA) certificate to a crypto template.

no

Unbinds the ca-certificate(s) bound to the crypto template.

ca-cert-name name

Binds the named X.509 Certificate Authority (CA) root certificate to a crypto template. name is an alphanumeric string of 1 through 129 characters.

You can chain multiple certificates (maximum 4) in a single command instance.

Binds one or more Certificate Authority-Certificate Revocation Lists (CA-CRLs) to this crypto template.

no

Removes the CA-CRL configuration from this template.

ca-crl-name name

Specifies the CA-CRL to associate with this crypto template. name must be the name of an existing CA-CRL expressed as an alphanumeric string of 1 through 129 characters. Multiple lists (maximum 4) can be configured for a crypto template.

You can chain multiple CA-CRLs in a single command instance.

Used to bind a single X.509 trusted certificate to a crypto template.

no

Removes any applied certificate or prevents the certificate from being included in the Auth Exchange response payload.

name

Specifies the name of a X.509 trusted certificate to bind to a crypto template. name is an alphanumeric string of 1 through 129 characters.

validate

Enable validations for the self-certificate.

This command is used to configure mapping of the configuration payload attributes.

no

Removes mapping of the configuration payload attributes.

default

Restores the defuat value for mapping of the configuration payload attributes.

private-attribute-type

Defines the private payload attribute.

imei integer

Defines an International Mobile Equipemnt Identity number as an integer from 16384 to 32767.

p-cscf-v4 v4_value

Defines the IPv4 pcscf payload attribute value. Default value is 16384.

v4_value is an integer from 16384 to 32767.

p-cscf-v6 v6_value

Defines IPv6 pcscf payload attribute value. Default value is 16390.

v6_value is an integer from 16384 to 32767.

Controls the Don't Fragment (DF) bit in the outer IP header of the IPSec tunnel data packet.

clear-bit

Clears the DF bit from the outer IP header (sets it to 0).

copy-bit

Copies the DF bit from the inner IP header to the outer IP header. This is the default action.

set-bit

Sets the DF bit in the outer IP header (sets it to 1).

Adds a custom option to define the ways a DNS address is returned based on proscribed circumstances described below.

default

Configures the default condition as normal . By default, PDIF always returns the DNS address in the config payload in the second authentication phase if one is received from either the configuration or the HA.

dns-handling custom

Configures the PDIF to behave as described in the Usage section below.

dns-handling normal

This is the default action. The service always returns the DNS address in the config payload in the second authentication phase if one is received from either the configuration or the HA.

Configure the cookie challenge parameters for IKEv2 INFO Exchange notify payloads for the given crypto template.

default

Default is to disabled condition.

no

Prevents Denial of Service cookie transmission. This is the default condition.

half-open-sess-count start integer stop integer

The half-open-sess-count is the number of half-open sessions per IPSec manager.

Important

The start count value 0 is a special case whereby this feature is always enabled. In this event, both start and stop must be 0.

This command enables explicit congestion notification (ECN) in normal mode or compatible mode for the IPsec tunnel over the SWu interface.

no

Enables ECN in compatible mode for IPsec tunnel over SWu interface. The default mode is the compatible mode, supported for backward compatibility.

ecn

Specifies ECN over IPsec tunnel in normal mode.

Exits the current configuration mode and returns to the Exec mode.

Exits the current mode and returns to the parent configuration mode.

Configures the identity of the local IPSec Client (IKE ID).

no

Resets the ID to the IP address of the interface to which the crypto template is associated (type = IPv4 or IPv6).

id-type type

id name

Specifies the identifier for the local IKE client as an alphanumeric string of 1 through 127 characters.

Configures parameters for the IKEv2 IKE Security Associations within this crypto template.

default

Restores the configuration to its default value.

no

Disables a previously enabled parameter.

allow-empty-ikesa

Default is not to allow-empty-ikesa. Activate to have the IKEv2 stack keep the IKE SA when all the Child SAs have been deleted.

cert-sign { pkcs1.5 | pkcs2.0 }

Specifies the certificate sign to be used. Default: pkcs1.5

pkcs1.5 : Use the Public-Key Cryptography Standards (PKCS) version 1.5, RSA Encryption Standard.

pkcs2.0: : Use the PKCS version 2.0, RSA Encryption Standard.

configuration-attribute p-cscf-v6 { iana | private } length { 16 | 17 }

Specifies the P-CSCF IPv6 configuration attribute length for both IANA and private attribute values. As per RFC 7651, the configuration attribute length for IANA is 16 bytes.

Default (iana): 16 bytes

Default (private): 17 bytes

emergency { keepalive [ interval interval ] timeout seconds num-retry val }

Configures emergency call related parameters.

Keepalive : Configures Keepalive Functionality (Dead Peer Detection) to be enabled for all emergency Security Associations derived from this Crypto Template and this will override generic keep alive configuration for emergency calls.

interval : The number of seconds which must elapse during which no traffic is received from the given IKE_SA peer or any CHILD_SAs derived from the IKE_SA for Dead Peer Detection to be initiated (Default: 3). - integer 2..3600

timeout : Configures the Keepalive (Dead Peer Detection) Timeout in seconds. This value configures the number of seconds which must elapse after a Keepalive has been sent, and no response has been received before another keepalive is sent.

seconds : The number of seconds which must elapse after a Keepalive has been sent, and no response has been received, before another Keepalive is send. Default is 3 seconds and the Interval should be between 2 and 3600 seconds.

num-retry : Configure the number of Keepalive (Dead Peer Detection) Retry attempts. If Keepalive (Dead Peer Detection) has been initiated this value configures the number of retry attempts which will be made if no response is received from the peer, before the peer is declared dead.

val : The number of retry attempts which will be made if no response is received from the peer before the peer is declared dead Default is 2 seconds and the Interval should be between 1 and 30 seconds.

fragmentation

Enables IKESA fragmentation (Tx) and re-assembly (Rx).

Default: IKESA fragmentation and re-assembly is allowed.

idi peer_idi_value { common-id | request-eap-identity }

Specifies the IDI related configuration to match IDI from peer which enables the ePDG to request the real identity using EAP-Identity Request. peer_idi_value is a string of 1 through 127 characters.

request-eap-identity : Requests the EAP-Identity from peer.

common-id : Requests the Common IDi from peer.

ignore-notify-protocol-id

Ignores IKEv2 Informational Exchange Notify Payload Protocol-ID values for strict RFC 4306 compliance.

ignore-rekeying-requests

Ignores received IKE_SA Rekeying Requests.

keepalive-user-activity

Default is no keepalive-user-activity. Activate to reset the user inactivity timer when keepalive messages are received from peer.

max-retransmissions number

Specifies the maximum number of retransmissions of an IKEv2 IKE Exchange Request if a response has not been received. number must be an integer from 1 through 8. Default: 5

mobike [ cookie-challenge ]

IKEv2 Mobility and Multihoming Protocol (MOBIKE) allows the IP addresses associated with IKEv2 and tunnel mode IPSec Security Associations to change. A mobile Virtual Private Network (VPN) client could use MOBIKE to keep the connection with the VPN gateway active while moving from one address to another. Similarly, a multi-homed host could use MOBIKE to move the traffic to a different interface if, for instance, the one currently being used stops working.

Default: Disabled

cookie-challenge : Use this keyword to enable the return routability check. The Gateway performs a return routability check when MOBIKE is enabled along with this keyword. A return routability check ensures that the other party can receive packets at the claimed address. Default: Disabled

policy { congestion-rejection { notify-status-value value | notify-error-value value } | error-notification [ invalid-major-version ] [ invalid-message-id [ invalid-major-version | invalid-syntax ] ] | invalid-syntax [ invalid-major-version ] | use-rfc5996-notification }

Specifies the default policy for generating an IKEv2 Invalid Message ID error when PDIF receives an out-of-sequence packet.

congestion-rejection : Sends an Error Notify Message to the MS as a reply to an IKE_SA_INIT Exchange when no more IKE_SA sessions can be established.

notify-status-value value : Notify Message will be sent to MS as a reply to an IKE_SA_INIT Exchange when no more IKE_SA sessions can be established. value is RFC 4306 IKEv2 Private Use Status Range - integer 40960 through 65535.

notify-error-value value : Notify Message will be sent to MS as a reply to an IKE_SA_INIT Exchange when no more IKE_SA sessions can be established. value is RFC 4306 IKEv2 Private Use Error Range - integer 8192 through 16383.

error-notification : Sends an Error Notify Message to the MS for Invalid IKEv2 Exchange Message ID and Invalid IKEv2 Exchange Syntax for the IKE_SA_INIT Exchange.

invalid-major-version : Sends an Error Notify Message for Invalid Major Version

invalid-message-id : Sends an Error Notify Message for Invalid IKEv2 Exchange Message ID.

invalid-syntax : Sends an Error Notify Message for Invalid IKEv2 Exchange Syntax.

use-rfc5996-notification : Enable sending and receive processing for RFC 5996 notifications - TEMPORARY_FAILURE and CHILD_SA_NOT_FOUND

rekey [ disallow-param-change ]

Specifies if IKESA rekeying should occur before the configured lifetime expires (at approximately 90% of the lifetime interval). Default is not to re-key.

The disallow-param-change option prevents changes in negotiation parameters during rekey.

retransmission-timeout msec

Specifies the timeout period (in milliseconds) before a retransmission of an IKEv2 IKE exchange request is sent (if the corresponding response has not been received). msec must be an integer from 300 to 15000. Default: 500

setup-timer sec

Specifies the number of seconds before a IKEv2 IKE Security Association that is not fully established is terminated. sec must be an integer from 1 through 3600. Default: 16

transform-set list name1

Specifies the name of a context-level configured IKEv2 IKE Security Association transform set. name1 ...name6 must be an existing IKEv2 IKESA Transform Set expressed as an alphanumeric string of 1 through 127 characters.

The transform set is a space-separated list of IKEv2-IKESA SA transform sets to be used for deriving IKEv2 IKE Security Associations from this crypto template. A minimum of one transform-set is required; maximum configurable is six.

Configures distributed denial of service (DDoS) mitigation parameters for the IKEv2 IKE Security Associations within this crypto template.

default

Restores the configuration to its default value.

no

Disables a previously enabled configuration.

decrypt-fail-count failure_count

Specifies the maximum tolerable consecutive IKE_AUTH message decryption failure count. During session establishment, if IKE_AUTH decryption failure exceeds the configured threshold, the IKEv2 IKE SA tunnel is cleared. If IKE_AUTH decryption failure exceeds the configured threshold after the session is established, alarms are triggered.

Default: 30

failure_count must be an integer between 1 and 100.

half-open-sa-timer half_open_timer_duration

Specifies the half-open IKE SA timeout duration. The half-open IKE SA timer starts when an IKE_SA_INIT request is received. If an IKE_AUTH message is not received before the timer expires, the half-open IKEv2 IKE SA is cleared.

Default: 60

half_open_timer_duration must be an integer between 1 and 1800.

ikev2-req-rate ikev2_req_rate_count [ interval interval ]

ikev2-req-rate ikev2_req_rate_count : Configures the maximum number of IKEv2 requests allowed per configured interval. ikev2_req_rate_count must be an integer from 1 to 3000.

Default: 10

interval interval : Configures the interval for monitoring IKEv2 requests. interval must be an integer from 1 to 300.

Default: 1 second

max-cert-size cert_size

Specifies the maximum certificate size for IKE SA. Use this keyword to detect bad certificates from illegitimate URLs in earlier stages, and thus avoid downloading large certificates.

Default: 2048 bytes

cert_size must be an integer between 512 and 8192.

message-queue-size queue_size

Specifies the queue size for incoming IKE messages per IKE SA. When the incoming queued IKE messages (per IKE SA) exceeds the specified limit, the IKE messages exceeding the limit are dropped.

Default: 20

queue_size must be an integer between 1 and 50.

rekey-rate rekey_rate_value

Specifies the rate at which the rekey request will be processed per second. When the specified number of Child SA rekey requests per second is exceeded, a TEMPORARY_FAILURE notification will be sent to the peer to indicate that the peer must slow down their requests.

Default: 5

rekey_rate_value must be an integer between 1 and 50.

Configures the Differentiated Services Code Point (DSCP) value in the IPv4 and IPv6 headers of the IKEv2 packets sent to the peer for this crypto template.

default

Restores the configuration to its default value.

dscp dscp_hex_value

Specifies the DSCP value in the IKEv2 packets sent to the peer.

Default: 0x00

dscp_hex_value must be an hexa-decimal value between 0x00 and 0x3F.

Configures IPv4 related information.

default

Sets / Restores default value assigned for IPv4 related information. The default value for fragment is outer. The default value for ikev2-mtu is 1384. The default value for mtu is 1438.

fragment { inner | outer }

Configures the fragment type when User Payload is IPv4 type and DF bit not set.

Default: outer

inner : Fragments the IPv4 payload and encapsulate in the IPSec tunnel.

outer : Fragment to happen after the IPSec encapsulation.

ikev2-mtu mtu_size

Configures MTU size of the IKEv2 Payload for IPv4 tunnel.

mtu_size is an integer between 460 and 1932.

mtu size

Configures MTU of the User Payload for IPv4 tunnel.

size is an integer between 576 and 2048.

Configures the MTU (Maximum Transmission Unit) of the user payload for IPv6 tunnels in bytes.

default

Sets the IPv6 tunnel MTU to its default size.

mtu size

Specifies the MTU size of a packet to accommodate IPSec headers added to a packet.

Default:1422

size must be an integer from 1280 through 2048.

ikev2-mtu mtu_size

Configures MTU size of the IKEV2 Payload for IPv6 tunnel.

Default: 1364

mtu_size must be an integer from 1144 through 1912.

Configures keepalive or dead peer detection for security associations used within this crypto template.

no

Disables keepalive messaging.

interval sec

Specifies the amount of time (in seconds) that must elapse before the next keepalive request is sent. sec must be an integer from 10 through 3600. Default: 10

Defines a soft limit for the number of child Security Associations (SAs) per IKEv2 policy.

max-childsa integer

Specifies a soft limit for the maximum number of Child SAs per IKEv2 policy as an integer from 1 to 4 for releases prior to 15.0, or 1 to 5 for 15.0 and higher. Default = 2.

overload-action { ignore | terminate }

Configures the Network Access Identifier (NAI) parameters to be used for the crypto template IDr (recipient's identity).

Product

Important

This command is deprecated from 15.0 and later releases.

All Security Gateway products

default

Configures the default command no nai idr . As a result, the default behavior is for the PDIF-service IP address to be sent as the IDr value of type ID_IP_ADDR.

no

no nai idr configures the value whereby the service IP address is sent as the IDr value with the type ID_IP_ADDR. This is the default condition.

idr name

Specifies the name of the IDr crypto template as an alphanumeric string of 1 through 79 characters.

id-type { der-asn1-dn | der-asn1-gn | fqdn | ip-addr | key-id | rfc822-addr }

use-received-idr

Specifies that the received IDr be used in the crypto template.

Configures Network Address Translation - Traversal (NAT-T) for all security associations associated with this crypto template. This feature is disabled by default.

Important

IKEv2 ACL with NAT-T is not supported.

default

Disables NAT-T for all security associations associated with this crypto template.

no

Disables NAT-T for all security associations associated with this crypto template.

include-header

Includes the NAT-T header in IPSec packets.

send-keepalive [ idle-interval idle_secs ] [ interval interval_secs ]

Sends NAT-Traversal keepalive messages.

idle-interval idle_secs : Specifies the number of seconds that can elapse without sending NAT keepalive packets before sending NAT keepalive packets is started. idle_secs is an integer from 20 to 86400. Default: 60.

interval interval_secs : Specifies the number of seconds between the sending of NAT keepalive packets. interval_secs is an integer from 60 to 86400. Default: 240.

This command configures the parameters to be sent in NOTIFY payload.

default

Sets / restores default value assigned for the parameters to be sent in NOTIFY payload.

no

If previously configured, removes the configuration.

device-id

Enables ePDG to request for the IMEI or IMEI SV information using the DEVICE_IDENTITY notify payload in the IKE_AUTH_RESP message from the UE, if the UE does not share this information in the first IKE_AUTH_REQ message in the configuration attributes.

Default: Enabled

error-message-type

This command configures the type of notify error message.

Error Categories:

• network-permanent : Configures the value for permanent network errors. Default is 11000.

• network-transient-major : Configures the value for major transient network errors. Default is 10500.

• network-transient-minor : Configures the value for minor transient network errors. Default is 10000.

• ue : Configures the value for UE related errors. Default is 9000.

base value : Configures the base value for the chosen error category. Only private range supported 8192-16383.

value must be an integer between 8192 and 16383.

Enables use of Online Certificate Status Protocol (OCSP) from a crypto template. OCSP provides a facility to obtain timely information on the status of a certificate.

no

Disables the use of OCSP.

default

Restores the default value assigned for ocsp nonce.

nonce

Enables sending nonce (unique identifier) in OCSP requests.

responder-address ipv4_address

Configures the OCSP responder address that is used when absent in the peer (device) certificate.

ipv4_address is an IPv4 address specified in dotted decimal format.

port port_value

Configures the port for OCSP responder.

port_value is an integer value between 1 and 65535. The default port is 8889.

Creates a new, or specifies an existing, crypto template payload and enters the Crypto Template Payload Configuration Mode.

no

Removes a currently configured crypto template payload.

payload name

Specifies the name of a new or existing crypto template payload as an alphanumeric string of 1 through 127 characters.

match { any | ipv4 | ipv6 }

Configures a list of allowed peer addresses on this crypto template.

no

Removes the specified peer network IP address from this crypto template.

peer network ip_address [ / mask ]

Specifies the IP address of the peer network in IPv4 dotted-decimal or IPv6 colon-separated-hexadecimal notation.

Maximum of four peer networks can be configured per template.

/ mask specifies the subnet mask bits. mask is an integer value from 1 to 32 for IPv4 addresses and 1 to 128 for IPv6 addresses (CIDR notation).

encrypted pre-shared-key encrypt_key

Specifies that an encrypted pre-shared key is to be used for IPSec authentication for the address range. encrypt_key must be an alphanumeric string or hexadecimal sequence from 16 to 212.

pre-shared-key key

Specifies that a clear text pre-shared key is to be used for IPSec authentication for the address range. key must be an alphanumeric string or hexadecimal sequence from 1 to 32.

Enables the use of a Remote Secret List containing up to 1000 pre-shared keys.

no

Disables use of a Remote Secret List.

list_name

Specifies the name of an existing Remote Secret List as an alphanumeric string of 1 through127 characters.

Configure server certificate for a given Crypto Template.

certificate_name

configures server certificate for a given Crypto Template, certificate name should a string of size between 1 and 128.

ca_certificate_list_name

configures server certificate list name for a given Crypto Template, certificate name should a string of size between 1 and 128.

Sets the OCSP Certificate Server timeout interval in seconds. This is the interval within which the response from an external OCSP or HASH-url server should be received.

default

Sets / Restores default value assigned for Certificate Server timeout in seconds. Default is 20 seconds.

timeout_value

Specifies the timeout value in seconds which is an integer between 1 through 60.

Associate a vendor policy to this crypto template.

no

Removes association of the vendor policy to this crypto template.

policy_name

policy_name must be an alphanumeric string of 1 through 127 characters.

Enables the use of an existing whitelist (access permitted) file by a security gateway.

no

Disables the use of a whitelist.