IPSec Dead Peer Detection Periodic Message Option - Cisco CRS-1 - Carrier Routing System Router Configuration Manual

IOS XR System Security Configuration Guide

Implementing Internet Key Exchange Security Protocol on Cisco IOS XR Software
(for data traffic—one per each direction). There may be duplicated IKE security associations (SAs) and
IPSec SAs or duplicated IKE SAs or IPSec SAs for the same session during rekeying or because of
simultaneous setup requests from both sides.

Per-IKE Peer Description

The Per-IKE Peer Description function allows you to enter a description of your choice for an IKE peer.
The unique peer description, which includes up to 80 characters, is used whenever you are referencing
that particular IKE peer. To add the peer description, use the description (ISAKMP peer) command.
The primary application of this description field is for monitoring purposes (for example, when using
show commands or for logging [syslog messages]). The description field is purely informational.

Summary Listing of Crypto Session Status

You can obtain a list of status information for active crypto sessions by using the show crypto session
command. The listing includes the following summary status of the crypto session:
- Interface
- IKE SAs that are associated with the peer by whom the IPSec SAs are created
- IPSec SAs serving the flows of a session

Up to two IKE SAs and multiple IPSec SAs can be established for the same peer (for the same session),
in which case IKE peer descriptions are repeated with different values for the IKE SAs that are
associated with the peer and for the IPSec SAs that are serving the flows of the session.
In addition, you can use the show crypto session command with the detail keyword to obtain more
detailed information about the sessions.

IKE and IPSec Security Exchange Clear Command

The clear crypto session command allows you to clear both IKE and IPSec. To clear a specific crypto
session or a subset of all the sessions (for example, a single tunnel to one remote site), you need to
provide session-specific parameters, such as a local or remote IP address, a local or remote port, a front
door VPN routing and forwarding (FVRF) name, or an inside VRF (IVRF) name. Typically, the remote
IP address is used to specify a single tunnel to be deleted.
If a local IP address is provided as a parameter when you use the clear crypto session command, all the
sessions (and their IKE SAs and IPSec SAs) that share the IP address as a local crypto endpoint (IKE
local address) are cleared. If you do not provide a parameter, all IPSec SAs and IKE SAs that are in the
router are deleted.

IPSec Dead Peer Detection Periodic Message Option

A peer is an IPSec-compliant node capable of establishing IKE channels and negotiating SAs between
itself and other peers. Peers can lose their IP connection to other peers due to routing problems, peer
reloading, or other situations, resulting in a loss of packet traffic (sometimes called a "black hole").

OL-20382-01
Cisco IOS XR System Security Configuration Guide for the Cisco CRS-1 Router