Creating The Fng Service - Cisco ASR 5000 Series Administration Manual

Femto Network Gateway Configuration
payload <payload_name_2> match childsa
ikev2-ikesa keepalive-user-activity
ikev2-ikesa policy error-notification
You must create one crypto template per FNG service. The ikev2-subscriber keyword in the crypto
template command specifies that IKEv2 protocol is used for FAP authentication. The certificate command
binds the specified X.509 trusted certificate to the crypto template. The natt command enables NAT traversal
initiation for all security associations derived from the crypto template.
The ikev2-ikesa keepalive-user-activity command resets the user inactivity timer when keepalive
messages are received from the peer. The ikev2-ikesa policy error-notification command enables the
FNG to generate Error Notify messages for Invalid IKEv2 Exchange Message ID and Invalid IKEv2 Exchange Syntax
for the IKE_SA_INIT exchange.
In this FNG configuration example, the EAP method is used for FAP authentication. Alternately, the PSK (Pre-Shared
Key) method can be used, as shown here:
configure
context <fng_context_name>
crypto template <crypto_template_name> ikev2-subscriber
authentication pre-shared-key <value>
end
If the PSK method is used for FAP authentication, do not create an EAP Profile as described in
Profile above.

Creating the FNG Service

Use the following configuration example to do the following:
• Create the FNG service.
• Specify that the FNG service uses the selected AAA group for FAP authentication.
• Bind the FNG service to the IP address of the FNG loopback interface.
• Bind a crypto template to the FNG service.
configure
context <fng_context_name>
OL-24872-01
ipsec transform-set list <ipsec_tset1>
exit
end
Configuring the System to Perform as a Femto Network Gateway ▀
Cisco ASR 5000 Series Femto Network Gateway Administration Guide ▄
Creating the EAP
45