Use the IPsec window to delete a specific IPsec security association (SA) or all SAs.
SAs are created by successful IPsec negotiations between the SBC Core and protected peers. Each SA is the bundle of algorithms and parameters used to encrypt and authenticate a particular flow in one direction. Thus for normal bidirectional traffic, the flows are secured by a pair of security associations.
SAs are removed when the peer sends a notification that it has deleted an SA, or when Dead Peer Detection determines that a peer is unresponsive.
When necessary you can also remove SAs before their lifetime expires using the following methods:
- Globally deleting every IKE SA
- Deleting a specific IKE SA by its IKE handle identifier
- Deleting the IPsec SA pair with a given incoming Security Parameter Index value (LOCAL SPI)
If an SA is deleted by one of the above methods within 60 seconds of the time it was initially established, the SBC Core, as a Denial-of-Service protection, does not respond to new phase 1 IKE negotiations initiated by that peer for 60 seconds. Otherwise, phase 1 IKE re-negotiation for a deleted SA may proceed immediately.
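The hold-down behaviour described above, modelled as an added example (not SBC Core code): SAs are recorded with their establishment time, an early deletion puts the peer into a 60-second phase 1 hold-down, and a later deletion does not. Peer addresses and SA handles are constructed placeholders; times are passed in explicitly so the logic is deterministic.

```python
from dataclasses import dataclass, field

EARLY_DELETE_WINDOW = 60.0  # seconds after establishment that count as an "early" delete
PHASE1_HOLDDOWN = 60.0      # seconds during which new phase 1 negotiations from the peer are ignored


@dataclass
class SaTable:
    """Tracks SA establishment times and the per-peer phase 1 hold-down."""
    sas: dict = field(default_factory=dict)             # handle -> (peer, established_at)
    holddown_until: dict = field(default_factory=dict)  # peer -> time until phase 1 is ignored

    def establish(self, handle: str, peer: str, now: float) -> None:
        """Record a newly negotiated SA for `peer` at time `now`."""
        self.sas[handle] = (peer, now)

    def delete(self, handle: str, now: float) -> str:
        """Delete one SA by handle; an early delete starts the peer's hold-down."""
        peer, established_at = self.sas.pop(handle)
        if now - established_at < EARLY_DELETE_WINDOW:
            # Do not shorten an existing hold-down if one is already running.
            until = max(self.holddown_until.get(peer, 0.0), now + PHASE1_HOLDDOWN)
            self.holddown_until[peer] = until
        return peer

    def delete_all(self, now: float) -> list:
        """Delete every SA (the 'IKE SA Delete All' case); each delete applies the same rule."""
        return [self.delete(handle, now) for handle in list(self.sas)]

    def accepts_phase1(self, peer: str, now: float) -> bool:
        """True if a new phase 1 negotiation from `peer` would be answered at time `now`."""
        return now >= self.holddown_until.get(peer, 0.0)


def demo() -> dict:
    """Constructed scenario: one early delete and one delete after the window."""
    table = SaTable()
    table.establish("ike-1", "198.51.100.7", now=1000.0)   # constructed peer
    table.delete("ike-1", now=1030.0)                       # 30 s old: early delete
    table.establish("ike-2", "203.0.113.9", now=2000.0)    # constructed peer
    table.delete("ike-2", now=2100.0)                       # 100 s old: normal delete
    return {
        "early_peer_blocked_at_1050": not table.accepts_phase1("198.51.100.7", 1050.0),
        "early_peer_allowed_at_1090": table.accepts_phase1("198.51.100.7", 1090.0),
        "late_peer_allowed_immediately": table.accepts_phase1("203.0.113.9", 2100.0),
    }
```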
To Delete Security Association Entries
- On the SBC main screen, navigate to Monitoring > Security > IPsec or All > Address Context > IPsec.
- Select an address context from the Address Context list. The Commands list appears as shown below.
Figure 1: IPsec Delete SA Commands

Use the following table to select a command option. Based on your selection, a pop-up window opens.
Table 1: IPsec/IKE SA Delete Parameters

| Parameter | Description | Pop-up Window Entry/Action |
| --- | --- | --- |
| IKE SA Delete | Deletes a specific IKE SA. | In SA Index, enter the specific SA index and click ikeSADelete to initiate the deletion. |
| IKE SA Delete All | Deletes all IKE SAs. For IKEv1, this is an ungraceful delete message (the peer is not notified). For IKEv2, a tear-down message is sent to the peer. | Click ikeSaDeleteAll to initiate the deletion. |
| IPsec SA Delete | Deletes the IPsec SA pair identified by its local SPI (local_SPI: incoming Security Parameter Index value). | In Local SPI, enter the incoming Security Parameter Index value and click ipsecSaDelete to initiate the deletion. Confirm the deletion when prompted. |