Related articles:

 

Use the IPsec window to delete a specific IPsec security association (SA) or all SAs.

SAs are created by successful IPsec negotiations between the SBC Core and protected peers. Each SA is the bundle of algorithms and parameters used to encrypt and authenticate a particular flow in one direction. Thus for normal bidirectional traffic, the flows are secured by a pair of security associations.

SAs are removable through notification by the peer that an SA is deleted, or as a result of Dead Peer Detection determining that a peer is unresponsive.

When necessary you can also remove SAs before their lifetime expires using the following methods:

  • Globally deleting every IKE SA
  • Deleting a specific IKE SA by its IKE handle identifier 
  • Deleting the IPsec SA pair with a given incoming Security Parameter Index value (LOCAL SPI)

If an SA is deleted by one of the above scenarios within 60 seconds of the time that it was initially established, then as a Denial-of-Service protection the SBC Core does not respond to new phase 1 IKE negotiations initiated by that peer for 60 seconds. Otherwise, phase 1 IKE re-negotiations may proceed immediately on a deleted SA.

To Delete Security Association Entries 

  1. On the SBC main screen, navigate to Monitoring > Security > IPsec or
    All > Address Context > IPsec

  2. Select an address context from the Address Context list. The Commands list appears as shown below.

    IPsec Delete SA Commands

  3. Use the following table to select a command option. Based on your selection, a pop-up window opens.

    IPsec/IKE SA Delete Parameters

    Parameter

    Description

    		Pop-up Window Entry/Action

    IKE SA Delete

    Deletes a specific IKE SA

    		In SA Index enter the specific SA index and click ikeSADelete to initiate the deletion.

    IKE SA Delete All

    Deletes all IKE SAs.

    • For IKEv1, this is an ungraceful delete message (peer is not notified).
    • For IKEv2, a tear-down message is sent to the peer.
    		Click ikeSaDeleteAll to initiate the deletion.

    IPsec SA Delete

    Deletes the IPsec SA pair Enter local SPI to delete the IPsec SA pair (local_SPI: incoming Security Parameter Index value).

    		In Local SPI, enter the incoming Security Parameter Index value and click ipsecSaDelete to initiate the deletion.

  4.  Confirm the deletion when prompted.

 

 



 

  • No labels