Cisco CRS-1 - Carrier Routing System Router Configuration Guide

Implementing Internet Key Exchange Security Protocol on Cisco IOS XR Software
Information About Implementing IKE Security Protocol Configurations for IPSec Networks
SC-114
Cisco IOS XR System Security Configuration Guide for the Cisco CRS-1 Router
OL-20382-01
Configure ISAKMP policy (required). For configuration details, see the “Configuring IKE Policies”
section on page 117.
Call Admission Control
The Call Admission Control (CAC) for IKE feature describes the application of CAC to the IKE protocol
in Cisco IOS XR software. The main function of CAC is to protect the router from severe resource
depletion and to prevent crashes. Therefore, the CAC limits the number of simultaneous IKE security
associations (SAs, or calls to CAC) that a router can establish. IKE uses SAs to identify the parameters
of its connections.
Also, IKE can negotiate and establish its own SA. An IKE SA, which is bidirectional, is used only by
IKE.
You can use the crypto isakmp call admission limit command to configure the maximum number of
active IKE SAs that you want to allow in the system, and thereby limit the CPU resources consumed
by the IKE process or the global CPU.
When there is a new SA request from a peer router, IKE determines if the number of active IKE SAs
being negotiated meets or exceeds the configured SA limit. If the number is greater than or equal to the
limit, the new SA request is rejected and a system log is generated. This log contains the source
destination IP address of the SA request.
An IKE SA cannot limit IPSec.
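
The admission decision described above, as an added example that is not from the Cisco guide and is not Cisco's implementation: a small Python model that admits IKE SA requests until the configured limit is reached, logs each rejection with the request's addresses, and tallies rejections per source for triage. The class, method names, log line format and sample addresses are all assumptions made for illustration.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class IkeCallAdmission:
    """Toy model of the IKE SA admission check (hypothetical, not Cisco code)."""
    sa_limit: int                                  # configured maximum of active IKE SAs
    active: set = field(default_factory=set)       # (src, dst) pairs that hold an SA
    log: list = field(default_factory=list)        # stand-in for the system log
    rejected_by_src: Counter = field(default_factory=Counter)

    def request_sa(self, src: str, dst: str) -> bool:
        """Admit a new SA request unless the active count has reached the limit."""
        if len(self.active) >= self.sa_limit:      # "greater than or equal to the limit"
            # Constructed log format; the real syslog text is not shown on the page.
            self.log.append(f"IKE SA request rejected: src={src} dst={dst} "
                            f"active={len(self.active)} limit={self.sa_limit}")
            self.rejected_by_src[src] += 1
            return False
        self.active.add((src, dst))
        return True

    def delete_sa(self, src: str, dst: str) -> None:
        """Tearing down an SA frees a slot for the next request."""
        self.active.discard((src, dst))

    def top_rejected(self, n: int = 3):
        """Sources with the most rejections, most frequent first."""
        return self.rejected_by_src.most_common(n)


def demo():
    # Constructed sample traffic; all addresses are documentation ranges.
    router = "192.0.2.1"
    cac = IkeCallAdmission(sa_limit=2)
    results = [cac.request_sa(peer, router) for peer in
               ("198.51.100.10", "198.51.100.11", "203.0.113.5", "203.0.113.5")]
    cac.delete_sa("198.51.100.10", router)         # one SA goes away
    results.append(cac.request_sa("203.0.113.5", router))
    return cac, results


if __name__ == "__main__":
    cac, results = demo()
    print(results)
    print("\n".join(cac.log))
    print(cac.top_rejected())
```

A source that dominates the rejection tally points at one peer retrying against a full table, while rejections spread across many sources suggest the limit is set too low for the legitimate peer count.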
Information About IP Security Monitoring
The IP Security (IPSec) monitoring feature provides session monitoring enhancements that allow you to
troubleshoot and monitor the end-user interface. Session monitoring includes the following
enhancements:
• Ability to specify an Internet Key Exchange (IKE) peer description in the configuration file.
• Summary listing of crypto session status.
• Ability to clear both IKE and IP Security (IPSec) security associations (SAs) using one
  command-line interface (CLI).
• Ability to expand the filtering mechanism by using the options from the show crypto session
  command.
To implement IPSec security monitoring, you must understand the following concepts:
• Crypto Sessions Background, page 114
• Per-IKE Peer Description, page 115
• Summary Listing of Crypto Session Status, page 115
• IKE and IPSec Security Exchange Clear Command, page 115
Crypto Sessions Background
A crypto session is a set of IPSec connections (flows) between two crypto endpoints. If the two crypto
endpoints use IKE as the keying protocol, they are IKE peers to each other. Typically, a crypto session
consists of one IKE security association (for control traffic) and at least two IPSec security associations
