Install guide

Software Version 2.9.1
C613-10486-00 REV C
IP Security (IPsec) Enhancements
This Software Version includes the following enhancements to IPsec:
- Additional RFC and Draft Compliance for NAT-T
- Increase to Maximum Number of IPsec SA Bundles
- Improved Debugging Options for IPsec and ISAKMP
- Improved Output for IPsec and ISAKMP Counters
- Modified Expiry Timeout Limit for Security Associations
This section describes the enhancements. The modified commands to
implement them are described in Command Reference Updates.
Additional RFC and Draft Compliance for NAT-T
NAT-T is now compliant with the following RFC and IETF Internet Drafts:
- RFC 3947, Negotiation of NAT-Traversal in the IKE
- draft-ietf-ipsec-nat-t-ike-03, Negotiation of NAT-Traversal in the IKE, which describes the modifications to IKE to support NAT detection and UDP tunnel negotiation
- draft-ietf-ipsec-udp-encaps-03, UDP Encapsulation of IPsec Packets, which defines the method of UDP encapsulation of IPsec packets
This is in addition to the pre-existing support for these Internet Drafts:
- draft-ietf-ipsec-nat-t-ike-02, Negotiation of NAT-Traversal in the IKE
- draft-ietf-ipsec-udp-encaps-02, UDP Encapsulation of IPsec Packets
- draft-ietf-ipsec-nat-t-ike-08, Negotiation of NAT-Traversal in the IKE
- draft-ietf-ipsec-udp-encaps-08, UDP Encapsulation of IPsec Packets
Command Changes
This enhancement does not affect any commands.
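
The NAT detection step that RFC 3947 adds to IKE can be reproduced offline when checking a capture or debugging a tunnel that fails behind NAT. The following is an added example, not code from this release or its vendor; it assumes SHA-1 is the negotiated IKE hash, and the cookies and addresses are constructed sample values.

```python
import hashlib
import ipaddress
import struct

def nat_d_hash(cky_i, cky_r, ip, port, hash_name="sha1"):
    """RFC 3947 NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port)."""
    if len(cky_i) != 8 or len(cky_r) != 8:
        raise ValueError("ISAKMP cookies are 8 octets each")
    addr = ipaddress.ip_address(ip).packed      # 4 octets for IPv4, 16 for IPv6
    data = cky_i + cky_r + addr + struct.pack("!H", port)
    return hashlib.new(hash_name, data).digest()

def detect_nat(cky_i, cky_r, nat_d_payloads, seen_src, seen_dst):
    """Compare received NAT-D payloads with the addresses on the received packet.

    nat_d_payloads[0] is the sender's hash of the destination it sent to (our end);
    the remaining entries hash the sender's possible source addresses.
    seen_src and seen_dst are (ip, port) tuples as observed by the receiver.
    """
    if len(nat_d_payloads) < 2:
        raise ValueError("expected at least two NAT-D payloads")
    # Mismatch on the first payload: our own address was translated in transit.
    local_behind_nat = nat_d_payloads[0] != nat_d_hash(cky_i, cky_r, *seen_dst)
    # No source payload matches the observed source: the peer sits behind NAT.
    peer_behind_nat = nat_d_hash(cky_i, cky_r, *seen_src) not in nat_d_payloads[1:]
    return {"local_behind_nat": local_behind_nat, "peer_behind_nat": peer_behind_nat}

def demo():
    """Constructed scenario: a roaming initiator behind NAT, a public responder."""
    cky_i = bytes.fromhex("0102030405060708")   # constructed initiator cookie
    cky_r = bytes.fromhex("1112131415161718")   # constructed responder cookie
    responder = ("198.51.100.1", 500)           # responder's real address
    private_src = ("192.168.1.10", 500)         # initiator's address before NAT
    natted_src = ("203.0.113.5", 1024)          # what the responder sees after NAT
    # NAT-D payloads as the initiator builds them (destination first, then source).
    payloads = [nat_d_hash(cky_i, cky_r, *responder),
                nat_d_hash(cky_i, cky_r, *private_src)]
    behind_nat = detect_nat(cky_i, cky_r, payloads, natted_src, responder)
    direct = detect_nat(cky_i, cky_r, payloads, private_src, responder)
    return behind_nat, direct

if __name__ == "__main__":
    print(demo())
```

When either flag is true, both peers move the exchange to UDP port 4500 and use the UDP encapsulation defined in the udp-encaps drafts listed above.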
Increase to Maximum Number of IPsec SA Bundles
This Software Version increases the maximum number of concurrent IPsec
Security Association bundles that each policy is allowed. The new limit is 100
concurrent bundles per policy. This enables IPsec to support up to 100 hosts
using the same traffic selectors. This is valuable for networks that support
roaming hosts, where minimal traffic selector information is known ahead of
time.
Command Changes
This enhancement does not affect any commands.