
Cisco CRS-1 - Carrier Routing System Router Configuration Guide

Implementing Internet Key Exchange Security Protocol on Cisco IOS XR Software
Cisco IOS XR System Security Configuration Guide for the Cisco CRS-1 Router
OL-20382-01
(for data traffic—one per each direction). There may be duplicated IKE security associations (SAs) and
IPSec SAs or duplicated IKE SAs or IPSec SAs for the same session during rekeying or because of
simultaneous setup requests from both sides.
Per-IKE Peer Description
The Per-IKE Peer Description function allows you to enter a description of your choice for an IKE peer.
The unique peer description, which can be up to 80 characters long, is used whenever you reference
that particular IKE peer. To add the peer description, use the description (ISAKMP peer) command.
The primary application of this description field is for monitoring purposes (for example, when using
show commands or for logging [syslog messages]). The description field is purely informational.
Summary Listing of Crypto Session Status
You can obtain a list of status information for active crypto sessions by using the show crypto session
command. The listing includes the following summary status of the crypto session:
• Interface
• IKE SAs that are associated with the peer by whom the IPSec SAs are created
• IPSec SAs serving the flows of a session
Up to two IKE SAs and multiple IPSec SAs can be established for the same peer (for the same session),
in which case IKE peer descriptions are repeated with different values for the IKE SAs that are
associated with the peer and for the IPSec SAs that are serving the flows of the session.
In addition, you can use the show crypto session command with the detail keyword to obtain more
detailed information about the sessions.
IKE and IPSec Security Exchange Clear Command
The clear crypto session command allows you to clear both IKE and IPSec SAs. To clear a specific crypto
session or a subset of all the sessions (for example, a single tunnel to one remote site), you need to
provide session-specific parameters, such as a local or remote IP address, a local or remote port, a front
door VPN routing and forwarding (FVRF) name, or an inside VRF (IVRF) name. Typically, the remote
IP address is used to specify a single tunnel to be deleted.
If a local IP address is provided as a parameter when you use the clear crypto session command, all the
sessions (and their IKE SAs and IPSec SAs) that share the IP address as a local crypto endpoint (IKE
local address) are cleared. If you do not provide a parameter, all IPSec SAs and IKE SAs that are in the
router are deleted.
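The scoping rules above can be checked before a clear is issued. The following Python sketch is an added example, not part of the Cisco guide: it computes which sessions and how many SAs a given selector would remove. The Session record, the sample inventory, and the rule that several parameters combine with AND are assumptions of the example; it does not parse router output.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Session:            # hypothetical inventory record, not parsed CLI output
    description: str      # per-IKE peer description (up to 80 characters)
    local_ip: str
    remote_ip: str
    local_port: int
    remote_port: int
    fvrf: str
    ivrf: str
    ike_sas: int          # can be two for one peer, e.g. during rekeying
    ipsec_sas: int

# Constructed sample inventory (documentation address ranges).
SESSIONS = [
    Session("site-a primary", "192.0.2.1", "198.51.100.10", 500, 500, "internet", "corp", 1, 2),
    Session("site-b primary", "192.0.2.1", "198.51.100.20", 500, 500, "internet", "corp", 2, 4),
    Session("partner-x", "192.0.2.2", "203.0.113.5", 500, 500, "internet", "partner", 1, 2),
]

FIELDS = ("local_ip", "remote_ip", "local_port", "remote_port", "fvrf", "ivrf")

def blast_radius(sessions, **selector):
    """Return (matching sessions, IKE SA total, IPSec SA total) for a selector.

    An empty selector matches every session, as the guide states for
    clear crypto session with no parameter. Combining several parameters
    with AND is an assumption of this sketch.
    """
    unknown = set(selector) - set(FIELDS)
    if unknown:
        raise ValueError(f"unsupported selector field(s): {sorted(unknown)}")
    hit = [s for s in sessions
           if all(getattr(s, k) == v for k, v in selector.items())]
    return hit, sum(s.ike_sas for s in hit), sum(s.ipsec_sas for s in hit)

def review(sessions, **selector):
    """Summarise a planned clear so an operator can confirm its scope first."""
    hit, ike, ipsec = blast_radius(sessions, **selector)
    scope = "ALL sessions on the router" if not selector else f"{len(hit)} of {len(sessions)} sessions"
    peers = ", ".join(s.description for s in hit) or "none"
    return f"{scope}: {ike} IKE SAs, {ipsec} IPSec SAs ({peers})"

if __name__ == "__main__":
    print(review(SESSIONS, remote_ip="198.51.100.10"))  # single tunnel
    print(review(SESSIONS, local_ip="192.0.2.1"))       # every session on that local endpoint
    print(review(SESSIONS))                             # no parameter
```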
IPSec Dead Peer Detection Periodic Message Option
A peer is an IPSec-compliant node capable of establishing IKE channels and negotiating SAs between
itself and other peers. Peers can lose their IP connection to other peers due to routing problems, peer
reloading, or other situations, resulting in a loss of packet traffic (sometimes called a “black hole”).
