
Enhancements to IPsec/VPN

Release Note

This feature provides an alternative to using heartbeat exchanges. Heartbeat exchanges are more robust under denial of service attacks and may detect the problem before any network traffic is lost; however, heartbeat exchanges may be incompatible with some third-party equipment.

Command Changes

The following table summarises the modified commands:

Command                      Change

create ipsec policy          New respondbadspi parameter.

set ipsec policy             New respondbadspi parameter.

show ipsec policy            New Respond Bad SPI parameter in the output for a specific policy.

show ipsec policy counter    New inBadSpiResponse parameter in output.

show isakmp counters         New badSpiRequests, badSpiFromKnownPeer, badSpiInAggrMode and badSpiSendNotifyUnset parameters in output when counters is set to general.

Modifying the Message Retransmission Delay

This Software Version adds a msgbackoff parameter to ISAKMP policies. It provides a choice of back-off patterns for ISAKMP policies that are configured to retransmit messages.

When incremental is specified, the delay between retransmissions increases in a linear manner, by twice the value set by the msgtimeout parameter. That is, every retransmitted message is delayed by the last delay time plus twice the msgtimeout value.

When none is specified, the delay between retransmissions is static. All retransmissions are sent after the delay specified by the msgtimeout parameter.

The default for the parameter is incremental. To set a back-off pattern for ISAKMP messages, use the msgbackoff parameter in the commands:

create isakmp policy=name peer={ipv4add|ipv6add|any} [msgbackoff={incremental|none}] [msgretrylimit=0..1024] [msgtimeout=1..86400] [other parameters]

set isakmp policy=name [msgbackoff={incremental|none}] [msgretrylimit=0..1024] [msgtimeout=1..86400] [other parameters]

The default value for msgretrylimit is now 8, and the default for msgtimeout is now 4. ISAKMP policies created without changing the defaults for these three parameters will have this message retransmission pattern:

1. The router or switch sends the initial message.

2. The router or switch retransmits the message 4 seconds later.

3. If a second retransmission is needed, this occurs 8 seconds (twice the value set by the msgtimeout parameter) after the first retransmission.
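The following added illustration (not Allied Telesis code) models the two msgbackoff patterns so an operator can see how long a negotiation with an unresponsive peer keeps retransmitting, and therefore how long its ISAKMP state stays allocated. It assumes msgretrylimit counts retransmissions, that the first retransmission waits msgtimeout seconds, and that incremental mode follows the parameter description above (each later retransmission waits the previous delay plus twice msgtimeout).

```python
"""Model of ISAKMP message retransmission timing for msgbackoff.

Added illustration only; the growth rule for incremental mode is taken
from the parameter description and the counting conventions are assumed.
"""
from typing import List


def retransmit_delays(msgbackoff: str, msgtimeout: int, msgretrylimit: int) -> List[int]:
    """Return the wait, in seconds, before each retransmission in order.

    none:        every retransmission waits msgtimeout.
    incremental: the first retransmission waits msgtimeout; each later
                 one waits the previous delay plus twice msgtimeout.
    Ranges follow the command syntax (msgretrylimit 0..1024,
    msgtimeout 1..86400).
    """
    if msgbackoff not in ("incremental", "none"):
        raise ValueError("msgbackoff must be incremental or none")
    if not 1 <= msgtimeout <= 86400:
        raise ValueError("msgtimeout must be 1..86400")
    if not 0 <= msgretrylimit <= 1024:
        raise ValueError("msgretrylimit must be 0..1024")
    delays = []
    delay = msgtimeout  # assumed: first retransmission after msgtimeout
    for _ in range(msgretrylimit):
        delays.append(delay)
        if msgbackoff == "incremental":
            delay += 2 * msgtimeout  # linear growth by twice msgtimeout
    return delays


def send_times(msgbackoff: str, msgtimeout: int, msgretrylimit: int) -> List[int]:
    """Seconds after the initial message at which each retransmission goes out."""
    times, elapsed = [], 0
    for delay in retransmit_delays(msgbackoff, msgtimeout, msgretrylimit):
        elapsed += delay
        times.append(elapsed)
    return times


def negotiation_lifetime(msgbackoff: str, msgtimeout: int, msgretrylimit: int) -> int:
    """Seconds from the initial message to the last retransmission: the
    window during which a dead or hostile peer ties up negotiation state."""
    times = send_times(msgbackoff, msgtimeout, msgretrylimit)
    return times[-1] if times else 0


if __name__ == "__main__":
    for mode in ("none", "incremental"):
        print(mode, send_times(mode, 4, 8), negotiation_lifetime(mode, 4, 8))
```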

Software Version 2.8.1 C613-10477-00 REV B

Allied Telesis AT-8900, RAPIER I, X900-48FE, AT-8700XL, AT-9900, AT-8600, AT-9800 Modifying the Message Retransmission Delay