Ikev2/Ipsec Restrictions - Cisco ASR 5000 Series Administration Manual

Femto network gateway
IKEv2/IPSec Restrictions
The following is a list of known restrictions for IKEv2 and IPSec:
• Each FNG service must specify one crypto template.
• The FNG supports traffic selectors with IPv4 address values only. IPv6 address values are not supported.
• The FNG supports IKEv2 only between the FAP and the FNG.
• IKEv2 does not support Perfect Forward Secrecy (PFS) of individual Child SAs. While PFS for FAP-initiated IKE SA rekeying will be implemented, the rekeying rate (with PFS enabled) shall not exceed the IKEv2 call setup rate, because PFS requires a new D-H exchange each time a rekey is negotiated and a performance impact is expected. Also note that the call setup rate and the rekeying rate are mutually exclusive.
• All IKEv2 packets are sent over IPv4.
• Per RFC 4306 and RFC 4718, the following known restrictions apply to the payloads and their order. Violations result in INVALID_SYNTAX being returned; this check can be enabled or disabled through a configurable parameter, except where different processing is noted below.
• While RFC 4306 Section 2.19 specifies "CP payload MUST be inserted before the SA payload," the FNG does not enforce this ordering. The FNG processes these payloads as long as the FAP sends a Configuration Payload (CP) anywhere inside the encrypted data.
• While RFC 4306 Section 2.23 specifies "The location of the payloads (Notify payloads of type NAT_DETECTION_SOURCE_IP and NAT_DETECTION_DESTINATION_IP) in the IKE_SA_INIT packets are just after the Ni and Nr payloads (before the optional CERTREQ payload)," the FNG does not enforce this ordering and can still process these NOTIFY payloads.
• The FNG supports traffic selector payloads with only one traffic selector. The TS count field must be set to "1".
• Traffic selector payloads from the FAP support only traffic selectors by IP address range. In other words, the IP protocol ID must be 0, the start port must be 0, and the end port must be 65535.
• The CP is specified in RFC 4306, Section 2.19 (Requesting an Internal Address on a Remote Network) for the situation where dynamic IP address assignment is required. Since the FNG does not support INTERNAL_IP6_ADDRESS, the CP must include at least the INTERNAL_IP4_ADDRESS attribute.
• As described above, the FNG does not enforce payload order in the IKEv2 messages it receives. However, when the FNG sends a response or generates any IKEv2 message, it ensures that payloads are ordered according to RFC 4306.
• Only the IKE and ESP protocol IDs are supported. AH is not supported, since AH is deprecated in RFC 4306.
• The IKE protocol ID specification may not use the NONE algorithm for authentication or the ENCR_NULL algorithm for encryption, as specified in Section 5 (Security Considerations) of RFC 4306.
• In ESP, ENCR_NULL encryption and NONE authentication cannot be used simultaneously.
• Only a single proposal number can be used. Because RFC 4306 states that the first proposal must be numbered 1, only proposals with proposal number 1 are supported. The FAP must send a list of transforms within this single proposal number.
• No more than 16 transform types may be present in a single IKE_SA_INIT or IKE_AUTH Request message. If the proposal deviates from this format, the FNG returns an INVALID_SYNTAX error.
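The traffic selector rules above (one selector, IPv4 address range only, protocol ID 0, ports 0 to 65535) are the ones a FAP most often trips over when the FNG answers with INVALID_SYNTAX. The following is an added example, not Cisco's code, that parses the body of a TSi/TSr payload in the RFC 4306 Section 3.13 wire layout and lists which of these FNG restrictions it violates; the sample payload is constructed.

```python
# Added example (not Cisco code): parse an IKEv2 TSi/TSr payload body (RFC 4306
# section 3.13) and report which FNG traffic selector restrictions it violates.
import ipaddress
import struct

TS_IPV4_ADDR_RANGE, TS_IPV6_ADDR_RANGE = 7, 8   # TS type codes, RFC 4306 3.13.1


def parse_ts_payload(body: bytes) -> list:
    """Return one dict per selector; generic payload header already stripped."""
    if len(body) < 4:
        raise ValueError("TS payload body shorter than 4-byte header")
    count, offset, selectors = body[0], 4, []   # Number of TSs + 3 reserved bytes
    for _ in range(count):
        if len(body) < offset + 8:
            raise ValueError("truncated traffic selector header")
        ts_type, proto, length, sport, eport = struct.unpack(
            "!BBHHH", body[offset:offset + 8])
        addr_len = {TS_IPV4_ADDR_RANGE: 4, TS_IPV6_ADDR_RANGE: 16}.get(ts_type)
        if addr_len is None or length != 8 + 2 * addr_len:
            raise ValueError(f"bad selector type/length {ts_type}/{length}")
        if len(body) < offset + length:
            raise ValueError("truncated traffic selector addresses")
        start = ipaddress.ip_address(body[offset + 8:offset + 8 + addr_len])
        end = ipaddress.ip_address(body[offset + 8 + addr_len:offset + length])
        selectors.append({"type": ts_type, "proto": proto, "start_port": sport,
                          "end_port": eport, "start": start, "end": end})
        offset += length
    if offset != len(body):
        raise ValueError("trailing bytes after last selector")
    return selectors


def fng_ts_violations(body: bytes) -> list:
    """List the FNG restrictions a TS payload violates (empty = acceptable)."""
    selectors = parse_ts_payload(body)
    problems = [] if len(selectors) == 1 else ["number of TSs must be 1"]
    for ts in selectors:
        if ts["type"] != TS_IPV4_ADDR_RANGE:
            problems.append("only IPv4 address-range selectors are supported")
        if ts["proto"] != 0:
            problems.append("IP protocol ID must be 0")
        if (ts["start_port"], ts["end_port"]) != (0, 65535):
            problems.append("port range must be 0-65535")
    return problems


# Constructed sample: one IPv4 range 10.1.2.0-10.1.2.255, any protocol and port
GOOD_TS = (bytes([1, 0, 0, 0]) + struct.pack("!BBHHH", 7, 0, 16, 0, 65535)
           + bytes([10, 1, 2, 0, 10, 1, 2, 255]))
```

Running `fng_ts_violations(GOOD_TS)` returns an empty list; a selector carrying protocol 6 with ports 0 to 443, a second selector, or an IPv6 range each produces the matching restriction message.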
Cisco ASR 5000 Series Femto Network Gateway Administration Guide, Femto Network Gateway Engineering Rules, OL-24872-01, page 70