Refreshing SAs; Enabling Notification of Invalid Cookies - Juniper JUNOSe 11.0.x IP Services Configuration Manual

For E Series Broadband Services Routers - IP Services Configuration

Refreshing SAs

To refresh ISAKMP/IKE or IPSec SAs:
ipsec clear sa

Enabling Notification of Invalid Cookies

The IKE protocol enables peers to exchange informational messages. The payload
of these messages can be a notify type or a delete type. These messages are expected
to be protected (encrypted) by the keys negotiated by the peers when they establish
a security association as a result of the IKE phase 1 exchange.
If a responder peer does not recognize the initiator-responder cookie pair, it can send
an invalid cookie notification message to the initiator. The responder might fail to
recognize the cookie pair because it has lost the cookie, or because it deleted the
cookie and then the peer lost the delete notification. Upon receipt of the invalid
cookie notification, the initiator peer can delete the phase 1 state.
The ability to send the invalid cookie message is disabled by default. You can issue
the ipsec option tx-invalid-cookie command to enable the feature on a
per-transport-VR basis.
Even when you configure this feature, the E Series router does not respond when it
receives an invalid cookie notification. These notifications are unprotected by a phase
1 key exchange and therefore are subject to denial-of-service (DOS) attacks. Instead,
the E Series router can determine when a phase 1 relationship has gone stale by
timeouts or use of dead peer detection (DPD). For this reason, this feature is useful
only when the E Series router is a responding peer for non–E Series devices that
cannot detect when the phase 1 relationship goes stale.
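The behaviour this section describes, as an added example rather than JUNOSe code: a small Python model of an IKE peer that sends INVALID-COOKIE only when the tx-invalid-cookie option is set, ignores any unprotected informational message it receives, and instead ages out phase 1 state through a DPD timeout. The ISAKMP header and notify payload layouts follow RFC 2408; the IkePeer class, its method names and the timeout value are assumptions made for illustration.

```python
import struct

# RFC 2408 layouts. Header: i-cookie, r-cookie, next payload, version, exchange type,
# flags, message ID, length. Notify: next, reserved, length, DOI, proto, SPI size, type.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
NOTIFY_HDR = struct.Struct("!BBHIBBH")
EXCH_INFORMATIONAL, FLAG_ENCRYPTED, PAYLOAD_NOTIFY, NOTIFY_INVALID_COOKIE = 5, 0x01, 11, 4

def build_invalid_cookie_notify(i_cookie, r_cookie):
    """Unprotected INVALID-COOKIE message: the responder holds no phase 1 keys for
    this cookie pair, so it cannot encrypt the notification."""
    body = NOTIFY_HDR.pack(0, 0, NOTIFY_HDR.size, 1, 1, 0, NOTIFY_INVALID_COOKIE)
    hdr = ISAKMP_HDR.pack(i_cookie, r_cookie, PAYLOAD_NOTIFY, 0x10, EXCH_INFORMATIONAL,
                          0, 0, ISAKMP_HDR.size + len(body))
    return hdr + body

def parse(raw):
    """Return (i_cookie, r_cookie, exchange type, flags, notify type or None)."""
    i_c, r_c, nxt, _ver, exch, flags, _mid, _ln = ISAKMP_HDR.unpack_from(raw)
    ntype = NOTIFY_HDR.unpack_from(raw, ISAKMP_HDR.size)[6] if nxt == PAYLOAD_NOTIFY else None
    return i_c, r_c, exch, flags, ntype

class IkePeer:
    """Hypothetical peer model; phase 1 state keyed by (i_cookie, r_cookie)."""
    def __init__(self, tx_invalid_cookie=False, dpd_timeout=30):
        self.tx_invalid_cookie = tx_invalid_cookie  # the per-transport-VR option on this page
        self.dpd_timeout = dpd_timeout              # seconds without DPD reply/traffic => stale
        self.last_heard = {}                        # cookie pair -> last time peer proved liveness
    def establish(self, i_c, r_c, now):
        self.last_heard[(i_c, r_c)] = now
    def receive(self, raw, now):
        """Return (action, reply). Unprotected notifications never change phase 1 state."""
        i_c, r_c, exch, flags, ntype = parse(raw)
        if exch == EXCH_INFORMATIONAL and not flags & FLAG_ENCRYPTED:
            # Spoofable by anyone who can send a UDP packet: honouring it would let a third
            # party tear down SAs (the DoS the page warns about), so it is ignored.
            action = "ignored-invalid-cookie" if ntype == NOTIFY_INVALID_COOKIE else "ignored-unprotected"
            return action, None
        if (i_c, r_c) not in self.last_heard:
            reply = build_invalid_cookie_notify(i_c, r_c) if self.tx_invalid_cookie else None
            return "unknown-cookie-pair", reply
        self.last_heard[(i_c, r_c)] = now
        return "ok", None
    def reap_stale(self, now):
        """What the E Series relies on instead: DPD/timeouts age out stale phase 1 state."""
        stale = [k for k, t in self.last_heard.items() if now - t > self.dpd_timeout]
        for k in stale:
            del self.last_heard[k]
        return stale
```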
ipsec clear sa
Use to refresh ISAKMP/IKE or IPSec SAs.
To reinitialize all SAs, use the all keyword.
To reinitialize SAs on a specific tunnel, use the tunnel keyword.
To reinitialize SAs on tunnels that are in a specific state, use the state keyword.
To specify the type of SA to be reinitialized, ISAKMP/IKE or IPSEC, use the phase keyword.
Example
host1(config)#ipsec clear sa all phase 2
host1(config)#ipsec clear sa tunnel ipsec:Aottawa2boca phase 2
There is no no version.
See ipsec clear sa.

ipsec option tx-invalid-cookie
Chapter 5: Configuring IPSec, Configuration Tasks