Refreshing SAs
To refresh ISAKMP/IKE or IPSec SAs:
host1(config)#ipsec clear sa tunnel ipsec:Aottawa2boca phase 2

ipsec clear sa
■ Use to refresh ISAKMP/IKE or IPSec SAs.
■ To reinitialize all SAs, use the all keyword.
■ To reinitialize SAs on a specific tunnel, use the tunnel keyword.
■ To reinitialize SAs on tunnels that are in a specific state, use the state keyword.
■ To specify the type of SA to be reinitialized, ISAKMP/IKE or IPSec, use the phase keyword.
■ Example
host1(config)#ipsec clear sa all phase 2
■ There is no no version.
■ See ipsec clear sa.
Enabling Notification of Invalid Cookies
The IKE protocol enables peers to exchange informational messages. The payload
of these messages can be a notify type or a delete type. These messages are expected
to be protected (encrypted) by the keys negotiated by the peers when they establish
a security association as a result of the IKE phase 1 exchange.
If a responder peer does not recognize the initiator-responder cookie pair, it can send
an invalid cookie notification message to the initiator. The responder might fail to
recognize the cookie pair because it has lost the cookie, or because it deleted the
cookie and then the peer lost the delete notification. Upon receipt of the invalid
cookie notification, the initiator peer can delete the phase 1 state.
The ability to send the invalid cookie message is disabled by default. You can issue
the ipsec option tx-invalid-cookie command to enable the feature on a
per-transport-VR basis.
Even when you configure this feature, the E Series router does not respond when it
receives an invalid cookie notification. These notifications are unprotected by a phase
1 key exchange and therefore are subject to denial-of-service (DoS) attacks. Instead,
the E Series router can determine when a phase 1 relationship has gone stale by
timeouts or use of dead peer detection (DPD). For this reason, this feature is useful
only when the E Series router is a responding peer for non–E Series devices that
cannot detect when the phase 1 relationship goes stale.
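The cookie-pair handling and stale-peer reasoning above, as an added Python model (not JUNOSe code): a responder that has lost a cookie pair sends the notify only when the option is on, an E Series initiator leaves its phase 1 state alone because the notify is unauthenticated and relies on DPD/timeout instead, while a peer that acts on the notify tears phase 1 down at once. The Peer class, cookie values and 30-second DPD timeout are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Peer:
    name: str
    tx_invalid_cookie: bool = False          # "ipsec option tx-invalid-cookie"; off by default
    act_on_unprotected_notify: bool = False  # E Series: False; the legacy peers the option targets: True
    dpd_timeout: float = 30.0                # constructed sample value (seconds)
    phase1: dict = field(default_factory=dict)  # (init_cookie, resp_cookie) -> time last heard

    def establish(self, cookie_pair, now):
        self.phase1[cookie_pair] = now

    def on_protected_message(self, cookie_pair, now):
        """Responder: a message for a known cookie pair refreshes liveness; an unknown
        pair yields an (unprotected) INVALID-COOKIE notify only if the option is on."""
        if cookie_pair in self.phase1:
            self.phase1[cookie_pair] = now
            return None
        return ("INVALID_COOKIE", cookie_pair) if self.tx_invalid_cookie else None

    def on_invalid_cookie_notify(self, cookie_pair):
        """Initiator: the notify is not protected by the phase 1 keys. An E Series peer
        ignores it; a peer that acts on it deletes its phase 1 state. Returns True if kept."""
        if self.act_on_unprotected_notify:
            self.phase1.pop(cookie_pair, None)
        return cookie_pair in self.phase1

    def expire_stale(self, now):
        """DPD/timeout: the authenticated way to learn that phase 1 has gone stale."""
        stale = [cp for cp, seen in self.phase1.items() if now - seen > self.dpd_timeout]
        for cp in stale:
            del self.phase1[cp]
        return stale

def demo():
    cp = (b"\x11" * 8, b"\x22" * 8)          # constructed 8-byte ISAKMP cookies
    responder = Peer("E-Series responder", tx_invalid_cookie=True)
    legacy = Peer("legacy initiator", act_on_unprotected_notify=True)
    eseries = Peer("E-Series initiator")
    for p in (responder, legacy, eseries):
        p.establish(cp, 0.0)
    del responder.phase1[cp]                 # responder lost the cookie pair
    notify = responder.on_protected_message(cp, 1.0)
    legacy_kept = legacy.on_invalid_cookie_notify(cp)    # tears phase 1 down right away
    eseries_kept = eseries.on_invalid_cookie_notify(cp)  # keeps it; notify is unauthenticated
    stale = eseries.expire_stale(31.0)                   # DPD/timeout catches the stale SA
    return notify, legacy_kept, eseries_kept, stale
```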
ipsec option tx-invalid-cookie
Configuration Tasks ■ 159    Chapter 5: Configuring IPSec
JUNOSe 11.1.x IP Services Configuration Guide