Use the IPsec window to delete a specific IPsec security association (SA) or all SAs.
SAs are created by successful IPsec negotiations between the SBC Core and protected peers. Each SA is the bundle of algorithms and parameters used to encrypt and authenticate a particular flow in one direction. Thus for normal bidirectional traffic, the flows are secured by a pair of security associations.
SAs are removed when the peer sends notification that an SA is deleted, or when Dead Peer Detection determines that a peer is unresponsive.
When necessary you can also remove SAs before their lifetime expires using the following methods:
If an SA is deleted by one of the above scenarios within 60 seconds of the time that it was initially established, then as a Denial-of-Service protection the SBC Core does not respond to new phase 1 IKE negotiations initiated by that peer for 60 seconds. Otherwise, phase 1 IKE re-negotiations may proceed immediately on a deleted SA.
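The hold-down rule above can be modeled over an event timeline to predict which phase 1 attempts go unanswered after an early deletion. This is an added example, not SBC Core code; the event names, the tuple layout, the sample addresses, and the boundary handling (strictly less than 60 seconds, hold-down measured from the deletion time) are assumptions.

```python
EARLY_WINDOW_S = 60  # from the page: SA deleted "within 60 seconds" of establishment
HOLD_DOWN_S = 60     # from the page: peer's phase 1 attempts unanswered "for 60 seconds"

# Constructed sample timeline: (seconds, peer, event, sa_index).
# Event names and layout are hypothetical, not an SBC Core log format.
EVENTS = [
    (0,   "192.0.2.10",   "SA_ESTABLISHED",  1),
    (30,  "192.0.2.10",   "SA_DELETED",      1),     # 30 s after setup: hold-down starts
    (45,  "192.0.2.10",   "IKE_PHASE1_INIT", None),  # inside hold-down
    (95,  "192.0.2.10",   "IKE_PHASE1_INIT", None),  # 65 s after deletion
    (0,   "198.51.100.7", "SA_ESTABLISHED",  2),
    (300, "198.51.100.7", "SA_DELETED",      2),     # long-lived SA: no hold-down
    (301, "198.51.100.7", "IKE_PHASE1_INIT", None),
]

def phase1_outcomes(events):
    """Return (time, peer, 'ignored' | 'answered') for each phase 1 attempt."""
    established = {}  # (peer, sa_index) -> establishment time
    hold_until = {}   # peer -> time at which the hold-down ends
    outcomes = []
    for ts, peer, kind, sa in sorted(events, key=lambda e: e[0]):
        if kind == "SA_ESTABLISHED":
            established[(peer, sa)] = ts
        elif kind == "SA_DELETED":
            start = established.pop((peer, sa), None)
            # Assumption: "within 60 seconds" means strictly less than 60 s.
            if start is not None and ts - start < EARLY_WINDOW_S:
                hold_until[peer] = max(hold_until.get(peer, 0), ts + HOLD_DOWN_S)
        elif kind == "IKE_PHASE1_INIT":
            # Assumption: the 60 s hold-down is counted from the deletion time.
            ignored = ts < hold_until.get(peer, 0)
            outcomes.append((ts, peer, "ignored" if ignored else "answered"))
    return outcomes

if __name__ == "__main__":
    for ts, peer, result in phase1_outcomes(EVENTS):
        print(f"t={ts:>3}s peer={peer:<13} phase1 {result}")
```

Before deleting a recently established SA by hand, the same check shows whether the peer's immediate re-negotiation will be held off.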
Select an address context from the Address Context list. The Commands list appears as shown below.
Figure 1: IPsec Delete SA Commands
Use the following table to select a command option. Based on your selection, a pop-up window opens.
Table 1: IPsec/IKE SA Delete Parameters
Parameter | Description | Pop-up Window Entry/Action |
---|---|---|
IKE SA Delete | Deletes a specific IKE SA. | In SA Index, enter the specific SA index and click ikeSADelete to initiate the deletion. |
IKE SA Delete All | Deletes all IKE SAs. | Click ikeSaDeleteAll to initiate the deletion. |
IPsec SA Delete | Deletes the IPsec SA pair. Enter the local SPI to delete the IPsec SA pair (local_SPI: incoming Security Parameter Index value). | In Local SPI, enter the incoming Security Parameter Index value and click ipsecSaDelete to initiate the deletion. |
Confirm the deletion when prompted.