IPsec and IKEv2 configuration
Create a VTI interface by creating a tunnel interface and setting the mode of the tunnel to IPsec IPv4. To do so, perform the following task.
1. Create a VTI interface by completing the following steps:
a) Create a VTI interface by entering the interface tunnel x command, where x is the tunnel number.
b) Set the mode of the tunnel to IPsec IPv4 by entering the tunnel mode ipsec ipv4 command.
2. Configure the following values, if the default values are not acceptable.
• IKE Proposal
• IKE Policy
• IKE Prole
• IKE Authentication
• IPSEC Proposal
• IPSEC Prole
3. Bind the IPsec Prole to the VTI interface using the tunnel protection ipsec prole prolename command.
Conguring Global IKEv2 Options
Congure global IKEv2 options that are independent of peers. All the global IKE commands start with prex ikev2.
IKEv2 Option                                   Description
ikev2 retry-count <number>                     Maximum number of attempts to retransmit a message. Default is 5.
                                               NOTE: Range is 1 to 10.
ikev2 exchange-max-time <seconds>              Maximum setup time for an exchange, in seconds. Default is 30 seconds.
                                               NOTE: Range is 0 to 300 seconds.
ikev2 retransmit-interval <time>               IKEv2 message resend delay, in seconds. This is the time the IKEv2 task
                                               waits before attempting the first resend of a packet. Default is 5 seconds.
                                               The retransmit interval increases exponentially with each resend.
                                               NOTE: Range is 1 to 60 seconds.
ikev2 http-url-cert                            Enables HTTP CERT support. If enabled, HTTP_CERT_LOOKUP_SUPPORTED is sent
                                               along with the CERT_REQ payload. Default is disabled.
ikev2 cookie-challenge <number>                Enables an IKEv2 cookie challenge only when the number of half-open IKE SAs
                                               crosses the configured number. Default is disabled.
                                               NOTE: Range is 1 to 2000 (max number of SAs supported).
ikev2 limit { max-in-negotiation-sa limit |    max-in-negotiation-sa limit: Limits the total number of in-negotiation IKEv2
             max-sa limit }                    SAs on the node. Default is 256.
                                               max-sa limit: Limits the total number of IKEv2 SAs on the LP. Default is 256.
                                               NOTE: For both limits the range is 1 to 256 (max SAs supported).
ikev2 allow duplicate ike-sa                   Allows multiple IKE SAs to be created for a given source/destination and
                                               IKE Profile. Applies only to incoming IKE sessions. Default is disabled.
                                               Used for interoperation with other vendors.
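An added configuration check for the options in this table (example code, not Brocade's own): it parses `ikev2 ...` lines from a saved configuration, reports values outside the ranges listed above, and reports settings that leave the node more exposed to half-open SA exhaustion. The sample configuration is constructed, and the doubling of the retransmit interval on each resend is an assumption, since the table only says it increases exponentially.

```python
import re

# Value ranges from the table above (option name -> (min, max)).
RANGES = {"retry-count": (1, 10), "exchange-max-time": (0, 300),
          "retransmit-interval": (1, 60), "cookie-challenge": (1, 2000),
          "max-in-negotiation-sa": (1, 256), "max-sa": (1, 256)}
DEFAULTS = {"retry-count": 5, "exchange-max-time": 30, "retransmit-interval": 5}

# Constructed sample of 'ikev2' lines as they would appear in a saved config.
SAMPLE_CONFIG = """\
ikev2 retry-count 12
ikev2 exchange-max-time 60
ikev2 retransmit-interval 5
ikev2 limit max-in-negotiation-sa 64
ikev2 allow duplicate ike-sa
"""

def parse_ikev2(config: str) -> dict:
    """Return {option: value} for every 'ikev2 ...' line; flag options map to True."""
    opts = {}
    for line in config.splitlines():
        m = re.match(r"ikev2\s+(.+)", line.strip(), re.IGNORECASE)
        if not m:
            continue
        words = m.group(1).lower().split()
        if words[0] == "limit" and len(words) == 3:      # ikev2 limit max-sa 128
            opts[words[1]] = int(words[2])
        elif words[:2] == ["allow", "duplicate"]:       # ikev2 allow duplicate ike-sa
            opts["allow-duplicate-ike-sa"] = True
        elif len(words) == 2 and words[1].isdigit():    # ikev2 retry-count 5
            opts[words[0]] = int(words[1])
        elif len(words) == 1:                           # ikev2 http-url-cert
            opts[words[0]] = True
    return opts

def check(opts: dict) -> list:
    """List out-of-range values and settings that weaken resistance to SA floods."""
    findings = [f"{n}={opts[n]} outside {lo}-{hi}"
                for n, (lo, hi) in RANGES.items() if n in opts and not lo <= opts[n] <= hi]
    if "cookie-challenge" not in opts:
        findings.append("cookie-challenge disabled: half-open IKE SA floods are not challenged")
    if opts.get("allow-duplicate-ike-sa"):
        findings.append("allow duplicate ike-sa enabled: leave off unless needed for interop")
    return findings

def retransmit_budget(opts: dict) -> int:
    """Seconds the IKEv2 task keeps retransmitting before the exchange is abandoned.
    Assumes the interval doubles on each resend (the table only says 'exponentially');
    exchange-max-time caps the total whenever it is reached first."""
    o = {**DEFAULTS, **opts}
    total = sum(o["retransmit-interval"] * 2 ** i for i in range(o["retry-count"]))
    return min(total, o["exchange-max-time"])
```

With the defaults, five doubling resends would take 155 seconds, so the 30-second exchange-max-time is what actually bounds a stalled exchange.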
Router modules
Brocade NetIron MLXe Series Hardware Installation Guide
53-1004203-04 47