3.2.21. ike

IKE configuration.

vrouter running config# vrf <vrf> ike

enabled

Enable or disable the IKE protocol and indicate whether the system should negotiate Security Associations for the IPsec protocol.

vrouter running config# vrf <vrf> ike
vrouter running ike# enabled true|false
Default value
true

pool

List of virtual address pools.

vrouter running config# vrf <vrf> ike pool <string>

address (mandatory)

Virtual addresses in the pool.

vrouter running config# vrf <vrf> ike pool <string>
vrouter running pool <string># address ADDRESS
ADDRESS values Description
<ipv4-address> An IPv4 address.
<ipv6-address> An IPv6 address.
<ipv4-prefix> An IPv4 prefix: address and CIDR mask.
<ipv6-prefix> An IPv6 prefix: address and CIDR mask.
<ipv4-range> IPv4 address range, in the form addr4-addr4.
<ipv6-range> IPv6 address range, in the form addr6-addr6.

dns

List of DNS (Domain Name Service) server IP addresses.

vrouter running config# vrf <vrf> ike pool <string>
vrouter running pool <string># dns DNS
DNS values Description
<ipv4-address> An IPv4 address.
<ipv6-address> An IPv6 address.

nbns

List of NBNS (NetBIOS Name Service) server IP addresses.

vrouter running config# vrf <vrf> ike pool <string>
vrouter running pool <string># nbns NBNS
NBNS values Description
<ipv4-address> An IPv4 address.
<ipv6-address> An IPv6 address.

dhcp

List of DHCP server IP addresses.

vrouter running config# vrf <vrf> ike pool <string>
vrouter running pool <string># dhcp DHCP
DHCP values Description
<ipv4-address> An IPv4 address.
<ipv6-address> An IPv6 address.

name (state only)

Name of the virtual address pool.

vrouter> show state vrf <vrf> ike pool <string> name

certificate

List of X509 certificates.

vrouter running config# vrf <vrf> ike certificate <string>

certificate (mandatory)

PEM-encoded X509 certificate.

vrouter running config# vrf <vrf> ike certificate <string>
vrouter running certificate <string># certificate <string>

private-key (mandatory)

PEM-encoded X509 private key.

vrouter running config# vrf <vrf> ike certificate <string>
vrouter running certificate <string># private-key <string>

name (state only)

Name of the X509 certificate.

vrouter> show state vrf <vrf> ike certificate <string> name

certificate-authority

List of X509 CA certificates.

vrouter running config# vrf <vrf> ike certificate-authority <string>

certificate (mandatory)

PEM-encoded X509 certificate.

vrouter running config# vrf <vrf> ike certificate-authority <string>
vrouter running certificate-authority <string># certificate <string>

crl

PEM-encoded X509 certificate revocation list.

vrouter running config# vrf <vrf> ike certificate-authority <string>
vrouter running certificate-authority <string># crl <string>

crl-uri

List of CRL distribution points (LDAP or HTTP URIs).

vrouter running config# vrf <vrf> ike certificate-authority <string>
vrouter running certificate-authority <string># crl-uri CRL-URI
CRL-URI An ASCII-encoded Uniform Resource Identifier (URI) as defined in RFC 3986.

name (state only)

Name of Certificate Authority.

vrouter> show state vrf <vrf> ike certificate-authority <string> name

pre-shared-key

List of pre-shared keys.

vrouter running config# vrf <vrf> ike pre-shared-key <string>

id

List of IKE identities the IKE pre-shared secret belongs to.

vrouter running config# vrf <vrf> ike pre-shared-key <string>
vrouter running pre-shared-key <string># id ID
ID values Description
<ike-id> An IPv4 address.
<ike-id> An IPv6 address.
<ike-id> The domain-name type represents a DNS domain name. Whether the name is fully qualified is left to the models which utilize this type. Internet domain names are only loosely specified. Section 3.5 of RFC 1034 recommends a syntax (modified in Section 2.1 of RFC 1123). The pattern above is intended to allow for current practice in domain name use, and some possible future expansion. It is designed to hold various types of domain names, including names used for A or AAAA records (host names) and other records, such as SRV records. Note that Internet host names have a stricter syntax (described in RFC 952) than the DNS recommendations in RFCs 1034 and 1123, and that systems that want to store host names in schema nodes using the domain-name type are recommended to adhere to this stricter standard to ensure interoperability. The encoding of DNS names in the DNS protocol is limited to 255 characters. Since the encoding consists of labels prefixed by a length byte and there is a trailing NULL byte, only 253 characters can appear in the textual dotted notation. Domain-name values use the US-ASCII encoding. Their canonical format uses lowercase US-ASCII characters. Internationalized domain names MUST be encoded in punycode as described in RFC 3492.
<ike-id> IKE ID (IP address, fqdn, e-mail address or distinguished name).
<ike-id> IKE ID (IP address, fqdn, e-mail address or distinguished name).

secret (mandatory)

Value of the IKE pre-shared secret.

vrouter running config# vrf <vrf> ike pre-shared-key <string>
vrouter running pre-shared-key <string># secret SECRET
SECRET values Description
<0x-hex-string> Pre-shared key secret.
<0s-base64-string> Pre-shared key secret.
<ascii-string> Pre-shared key secret.

name (state only)

Name of the pre-shared key.

vrouter> show state vrf <vrf> ike pre-shared-key <string> name

global-options

Global IKE options.

vrouter running config# vrf <vrf> ike global-options

threads

Number of worker threads in IKE daemon.

vrouter running config# vrf <vrf> ike global-options
vrouter running global-options# threads <uint32>
Default value
16

acquire-timeout

Lifetime of SA acquire messages created when traffic matches a trap policy (seconds).

vrouter running config# vrf <vrf> ike global-options
vrouter running global-options# acquire-timeout <uint32>
Default value
30

sa-table-size

Size of the IKE SA hash table.

vrouter running config# vrf <vrf> ike global-options
vrouter running global-options# sa-table-size <uint32>
Default value
1

sa-table-segments

Number of locks to use for the IKE SA hash table.

vrouter running config# vrf <vrf> ike global-options
vrouter running global-options# sa-table-segments <uint32>
Default value
1

install-routes

If true, install routes into a separate routing table for established IPsec tunnels.

vrouter running config# vrf <vrf> ike global-options
vrouter running global-options# install-routes true|false
Default value
false

routing-table

Numerical routing table to install routes to.

vrouter running config# vrf <vrf> ike global-options
vrouter running global-options# routing-table <uint32>
Default value
220

routing-table-prio

Priority of the routing table.

vrouter running config# vrf <vrf> ike global-options
vrouter running global-options# routing-table-prio <uint32>
Default value
220

retransmit-tries

Number of times to retransmit a packet before giving up.

vrouter running config# vrf <vrf> ike global-options
vrouter running global-options# retransmit-tries <0..100>
Default value
5

retransmit-timeout

Timeout in seconds before sending first retransmit.

vrouter running config# vrf <vrf> ike global-options
vrouter running global-options# retransmit-timeout <0.000 .. 60.000>
Default value
4.0

retransmit-base

Base to use for calculating retransmit exponential back off.

vrouter running config# vrf <vrf> ike global-options
vrouter running global-options# retransmit-base <0.000 .. 10.000>
Default value
1.8

delete-rekeyed

Whether to immediately delete the old child SAs after an IKEv1 rekey. If false, old child SAs will be deleted after their hard lifetime, or on reception of a delete notification from the IKE peer.

vrouter running config# vrf <vrf> ike global-options
vrouter running global-options# delete-rekeyed true|false
Default value
false

delete-rekeyed-delay

Delay in seconds before deleting the old inbound child SAs after an IKEv2 rekey as initiator.

vrouter running config# vrf <vrf> ike global-options
vrouter running global-options# delete-rekeyed-delay DELETE-REKEYED-DELAY
DELETE-REKEYED-DELAY values Description
never Keep the inbound child SA until its lifetime.
<uint32> Delay in seconds.
Default value
5

make-before-break

During reauthentication, whether to create all new SAs before deleting the old ones. This implies the use of overlapping IKE and child SAs, which must be supported by the IKE peer.

vrouter running config# vrf <vrf> ike global-options
vrouter running global-options# make-before-break true|false
Default value
false

interface-use

List of network interfaces that should be used. All other interfaces are ignored.

vrouter running config# vrf <vrf> ike global-options
vrouter running global-options# interface-use INTERFACE-USE
INTERFACE-USE An interface name.

interface-ignore

List of network interfaces that should be ignored. If interface-use is specified, this option has no effect.

vrouter running config# vrf <vrf> ike global-options
vrouter running global-options# interface-ignore INTERFACE-IGNORE
INTERFACE-IGNORE An interface name.

snmp

Enable or disable the IKE SNMP agent (default false).

vrouter running config# vrf <vrf> ike global-options
vrouter running global-options# snmp true|false
Default value
false

dos-protection

Denial of Service protection using cookies and aggressiveness checks.

vrouter running config# vrf <vrf> ike global-options dos-protection

block-threshold

Maximum number of half-open IKE SAs for a single peer IP. 0 disables this limit.

vrouter running config# vrf <vrf> ike global-options dos-protection
vrouter running dos-protection# block-threshold <uint32>
Default value
5

init-limit-half-open

Refuse new connections if the current number of half-open IKE SAs reaches this limit. 0 disables the limit.

vrouter running config# vrf <vrf> ike global-options dos-protection
vrouter running dos-protection# init-limit-half-open <uint32>
Default value
0

sp-hash-ipv4

Thresholds for hashing IPv4 Security Policies in IPsec stack.

vrouter running config# vrf <vrf> ike global-options
vrouter running global-options# sp-hash-ipv4 local <uint8> remote <uint8>

local

Number of SP (security policy) local address bits to include in the hash key.

local <uint8>
Default value
32

remote

Number of SP (security policy) remote address bits to include in the hash key.

remote <uint8>
Default value
32

sp-hash-ipv6

Thresholds for hashing IPv6 Security Policies in IPsec stack.

vrouter running config# vrf <vrf> ike global-options
vrouter running global-options# sp-hash-ipv6 local <uint8> remote <uint8>

local

Number of SP (security policy) local address bits to include in the hash key.

local <uint8>
Default value
128

remote

Number of SP (security policy) remote address bits to include in the hash key.

remote <uint8>
Default value
128

ha

IKE High Availability parameters.

vrouter running config# vrf <vrf> ike ha

enabled

Enable or disable IKE High Availability.

vrouter running config# vrf <vrf> ike ha
vrouter running ha# enabled true|false
Default value
true

listen-ha-group (mandatory)

The HA group to be monitored. If the state of this group changes, it will trigger a failover of the IKE service to/from another IKE HA node.

vrouter running config# vrf <vrf> ike ha
vrouter running ha# listen-ha-group <string>

node-id (mandatory)

Local identifier in the IKE HA Cluster.

vrouter running config# vrf <vrf> ike ha
vrouter running ha# node-id <int8>

interface (mandatory)

Interface on which to perform HA peer discovery.

vrouter running config# vrf <vrf> ike ha
vrouter running ha# interface INTERFACE
INTERFACE An interface name.

local-address (mandatory)

Local IP address to communicate with the HA peer.

vrouter running config# vrf <vrf> ike ha
vrouter running ha# local-address LOCAL-ADDRESS
LOCAL-ADDRESS values Description
<ipv4-address> An IPv4 address.
<ipv6-address> An IPv6 address.

remote-address (mandatory)

Remote IP address to communicate with the HA peer.

vrouter running config# vrf <vrf> ike ha
vrouter running ha# remote-address REMOTE-ADDRESS
REMOTE-ADDRESS values Description
<ipv4-address> An IPv4 address.
<ipv6-address> An IPv6 address.

ike-sync

IKE state synchronization.

vrouter running config# vrf <vrf> ike ha
vrouter running ha# ike-sync max-rate <uint32> max-burst <uint32>

max-rate

IKE state synchronization message maximum rate in pps.

max-rate <uint32>
Default value
0

max-burst

IKE state synchronization message maximum burst in packets.

max-burst <uint32>
Default value
32

seqnum-sync

SA sequence number synchronization.

vrouter running config# vrf <vrf> ike ha seqnum-sync

oseq-shift

SA output sequence number advance on backup node.

vrouter running config# vrf <vrf> ike ha seqnum-sync
vrouter running seqnum-sync# oseq-shift <uint64>
Default value
65536

sync-period-time

SA sequence number synchronization period in time. State is always printed in seconds.

vrouter running config# vrf <vrf> ike ha seqnum-sync
vrouter running seqnum-sync# sync-period-time SYNC-PERIOD-TIME
SYNC-PERIOD-TIME IKE duration, with optional unit (s|m|h|d).
Default value
10s

sync-period-packets

SA sequence number synchronization period in packets.

vrouter running config# vrf <vrf> ike ha seqnum-sync
vrouter running seqnum-sync# sync-period-packets <uint32>
Default value
2

pool

List of virtual address pools synchronized via HA.

vrouter running config# vrf <vrf> ike ha pool <string>

address (mandatory)

Virtual addresses in the pool.

vrouter running config# vrf <vrf> ike ha pool <string>
vrouter running pool <string># address ADDRESS
ADDRESS values Description
<ipv4-prefix> An IPv4 prefix: address and CIDR mask.
<ipv6-prefix> An IPv6 prefix: address and CIDR mask.

name (state only)

Name of the virtual address pool.

vrouter> show state vrf <vrf> ike ha pool <string> name

ike-policy-template (config only)

List of IKE VPN policies.

vrouter running config# vrf <vrf> ike ike-policy-template <string>

local-auth-method (config only)

Local IKE authentication method.

vrouter running config# vrf <vrf> ike ike-policy-template <string>
vrouter running ike-policy-template <string># local-auth-method LOCAL-AUTH-METHOD
LOCAL-AUTH-METHOD values Description
pre-shared-key Pre-shared key.
certificate Public key signature with X509 Certificates.
Default value
pre-shared-key

remote-auth-method (config only)

Remote IKE authentication method.

vrouter running config# vrf <vrf> ike ike-policy-template <string>
vrouter running ike-policy-template <string># remote-auth-method REMOTE-AUTH-METHOD
REMOTE-AUTH-METHOD values Description
pre-shared-key Pre-shared key.
certificate Public key signature with X509 Certificates.
Default value
pre-shared-key

keying-tries (config only)

Number of times we should try to initiate an IKE connection if the responder does not answer (after a full sequence of retransmissions). A value of 0 initiates a new sequence forever, until the connection establishes or fails with a permanent error.

vrouter running config# vrf <vrf> ike ike-policy-template <string>
vrouter running ike-policy-template <string># keying-tries <uint32>
Default value
1

unique-sa (config only)

Connection uniqueness policy to enforce, to avoid multiple connections from the same user ID.

vrouter running config# vrf <vrf> ike ike-policy-template <string>
vrouter running ike-policy-template <string># unique-sa UNIQUE-SA
UNIQUE-SA values Description
no Do not enforce IKE SA uniqueness, except if a peer included INITIAL_CONTACT notify.
never Never enforce IKE SA uniqueness, even if a peer included INITIAL_CONTACT notify. Never send INITIAL_CONTACT as initiator.
keep Reject new connection attempts from same user.
replace Delete any existing connection if a new one for the same user gets established.
Default value
no

reauth-time (config only)

Time to schedule IKE reauthentication.

vrouter running config# vrf <vrf> ike ike-policy-template <string>
vrouter running ike-policy-template <string># reauth-time REAUTH-TIME
REAUTH-TIME IKE duration, with optional unit (s|m|h|d).
Default value
0s

rekey-time (config only)

Time to schedule IKE rekeying.

vrouter running config# vrf <vrf> ike ike-policy-template <string>
vrouter running ike-policy-template <string># rekey-time REKEY-TIME
REKEY-TIME IKE duration, with optional unit (s|m|h|d).
Default value
4h

dpd-delay (config only)

Interval to check the liveness of a peer.

vrouter running config# vrf <vrf> ike ike-policy-template <string>
vrouter running ike-policy-template <string># dpd-delay DPD-DELAY
DPD-DELAY IKE duration, with optional unit (s|m|h|d).
Default value
0s

aggressive (config only)

Enable or disable Aggressive Mode instead of Main Mode in IKEv1.

vrouter running config# vrf <vrf> ike ike-policy-template <string>
vrouter running ike-policy-template <string># aggressive true|false
Default value
false

udp-encap (config only)

If true, enforce UDP encapsulation of ESP packets.

vrouter running config# vrf <vrf> ike ike-policy-template <string>
vrouter running ike-policy-template <string># udp-encap true|false
Default value
false

ike-proposal (config only)

List of IKE phase 1 proposals.

vrouter running config# vrf <vrf> ike ike-policy-template <string> ike-proposal <uint8>

enc-alg (config only)

List of encryption algorithms for IKE SAs.

vrouter running config# vrf <vrf> ike ike-policy-template <string> ike-proposal <uint8>
vrouter running ike-proposal <uint8># enc-alg ENC-ALG
ENC-ALG values Description
aes128-cbc AES-CBC, 128 bit key.
aes192-cbc AES-CBC, 192 bit key.
aes256-cbc AES-CBC, 256 bit key.
des-cbc DES-CBC, 56 bit key.
3des-cbc 3DES-CBC, 168 bit key.
aes128-ctr AES-CTR, 128 bit key.
aes192-ctr AES-CTR, 192 bit key.
aes256-ctr AES-CTR, 256 bit key.
cast-cbc CAST-CBC, 128 bit key.
blowfish128-cbc Blowfish-CBC, 128 bit key.
blowfish192-cbc Blowfish-CBC, 192 bit key.
blowfish256-cbc Blowfish-CBC, 256 bit key.
camellia128-cbc Camellia-CBC, 128 bit key.
camellia192-cbc Camellia-CBC, 192 bit key.
camellia256-cbc Camellia-CBC, 256 bit key.
camellia128-ctr Camellia-CTR, 128 bit key.
camellia192-ctr Camellia-CTR, 192 bit key.
camellia256-ctr Camellia-CTR, 256 bit key.

auth-alg (config only)

List of auth algorithms for IKE SAs.

vrouter running config# vrf <vrf> ike ike-policy-template <string> ike-proposal <uint8>
vrouter running ike-proposal <uint8># auth-alg AUTH-ALG
AUTH-ALG values Description
hmac-md5 HMAC-MD5-96.
hmac-sha1 HMAC-SHA1-96.
hmac-sha256 HMAC-SHA256-128.
hmac-sha384 HMAC-SHA384-192.
hmac-sha512 HMAC-SHA512-256.
aes-xcbc AES-XCBC-96.

aead-alg (config only)

List of combined-mode (AEAD) algorithms for IKE SAs.

vrouter running config# vrf <vrf> ike ike-policy-template <string> ike-proposal <uint8>
vrouter running ike-proposal <uint8># aead-alg AEAD-ALG
AEAD-ALG values Description
aes128-gcm-64 AES-GCM, 128 bit key, 64 bit ICV.
aes192-gcm-64 AES-GCM, 192 bit key, 64 bit ICV.
aes256-gcm-64 AES-GCM, 256 bit key, 64 bit ICV.
aes128-gcm-96 AES-GCM, 128 bit key, 96 bit ICV.
aes192-gcm-96 AES-GCM, 192 bit key, 96 bit ICV.
aes256-gcm-96 AES-GCM, 256 bit key, 96 bit ICV.
aes128-gcm-128 AES-GCM, 128 bit key, 128 bit ICV.
aes192-gcm-128 AES-GCM, 192 bit key, 128 bit ICV.
aes256-gcm-128 AES-GCM, 256 bit key, 128 bit ICV.
aes128-ccm-64 AES-CCM, 128 bit key, 64 bit ICV.
aes192-ccm-64 AES-CCM, 192 bit key, 64 bit ICV.
aes256-ccm-64 AES-CCM, 256 bit key, 64 bit ICV.
aes128-ccm-96 AES-CCM, 128 bit key, 96 bit ICV.
aes192-ccm-96 AES-CCM, 192 bit key, 96 bit ICV.
aes256-ccm-96 AES-CCM, 256 bit key, 96 bit ICV.
aes128-ccm-128 AES-CCM, 128 bit key, 128 bit ICV.
aes192-ccm-128 AES-CCM, 192 bit key, 128 bit ICV.
aes256-ccm-128 AES-CCM, 256 bit key, 128 bit ICV.
camellia128-ccm-64 Camellia-CCM, 128 bit key, 64 bit ICV.
camellia192-ccm-64 Camellia-CCM, 192 bit key, 64 bit ICV.
camellia256-ccm-64 Camellia-CCM, 256 bit key, 64 bit ICV.
camellia128-ccm-96 Camellia-CCM, 128 bit key, 96 bit ICV.
camellia192-ccm-96 Camellia-CCM, 192 bit key, 96 bit ICV.
camellia256-ccm-96 Camellia-CCM, 256 bit key, 96 bit ICV.

prf-alg (config only)

List of pseudo-random algorithms for IKE SAs.

vrouter running config# vrf <vrf> ike ike-policy-template <string> ike-proposal <uint8>
vrouter running ike-proposal <uint8># prf-alg PRF-ALG
PRF-ALG values Description
hmac-md5 PRF-HMAC-MD5.
hmac-sha1 PRF-HMAC-SHA1.
aes-xcbc AES-XCBC-PRF-128.
aes-cmac AES-CMAC-PRF-128.
hmac-sha256 PRF-HMAC-SHA-256.
hmac-sha384 PRF-HMAC-SHA-384.
hmac-sha512 PRF-HMAC-SHA-512.

dh-group (config only)

List of Diffie Hellman groups for key exchange.

vrouter running config# vrf <vrf> ike ike-policy-template <string> ike-proposal <uint8>
vrouter running ike-proposal <uint8># dh-group DH-GROUP
DH-GROUP values Description
modp768 Modulo Prime 768 bits (group 1).
modp1024 Modulo Prime 1024 bits (group 2).
modp1536 Modulo Prime 1536 bits (group 5).
modp2048 Modulo Prime 2048 bits (group 14).
modp3072 Modulo Prime 3072 bits (group 15).
modp4096 Modulo Prime 4096 bits (group 16).
modp6144 Modulo Prime 6144 bits (group 17).
modp8192 Modulo Prime 8192 bits (group 18).
modp1024s160 Modulo Prime 1024 bits, Subgroup 160 bits (group 22).
modp1024s224 Modulo Prime 1024 bits, Subgroup 224 bits (group 23).
modp1024s256 Modulo Prime 1024 bits, Subgroup 256 bits (group 24).
ecp192 Elliptic Curve 192 bits (group 25).
ecp224 Elliptic Curve 224 bits (group 26).
ecp256 Elliptic Curve 256 bits (group 19).
ecp384 Elliptic Curve 384 bits (group 20).
ecp521 Elliptic Curve 521 bits (group 21).
ecp224bp Brainpool Elliptic Curve 224 bits (group 27).
ecp256bp Brainpool Elliptic Curve 256 bits (group 28).
ecp384bp Brainpool Elliptic Curve 384 bits (group 29).
ecp512bp Brainpool Elliptic Curve 512 bits (group 30).

ipsec-policy-template (config only)

List of IPsec VPN policies.

vrouter running config# vrf <vrf> ike ipsec-policy-template <string>

start-action (config only)

Action to perform for this CHILD_SA after its configuration is loaded.

vrouter running config# vrf <vrf> ike ipsec-policy-template <string>
vrouter running ipsec-policy-template <string># start-action START-ACTION
START-ACTION values Description
none Load the connection only, can be used as a responder configuration.
trap Install a trap policy, which triggers the tunnel as soon as matching traffic has been detected.
start Initiate the connection actively.
Default value
trap

close-action (config only)

Action to perform when a CHILD_SA gets closed by a peer.

vrouter running config# vrf <vrf> ike ipsec-policy-template <string>
vrouter running ipsec-policy-template <string># close-action CLOSE-ACTION
CLOSE-ACTION values Description
none Close the Child SA and take no further action.
trap Install a trap policy matching traffic and try to re-negotiate the tunnel on-demand.
start Try to immediately re-create the CHILD_SA.
Default value
trap

dpd-action (config only)

Action to perform for a CHILD_SA on DPD timeout.

vrouter running config# vrf <vrf> ike ipsec-policy-template <string>
vrouter running ipsec-policy-template <string># dpd-action DPD-ACTION
DPD-ACTION values Description
clear Close the Child SA and take no further action.
trap Install a trap policy, which will catch matching traffic and try to re-negotiate the tunnel on demand.
restart Immediately try to re-negotiate the CHILD_SA under a fresh IKE_SA.
Default value
restart

replay-window (config only)

Replay window size. 0 disables IPsec replay protection.

vrouter running config# vrf <vrf> ike ipsec-policy-template <string>
vrouter running ipsec-policy-template <string># replay-window <uint16>
Default value
32

rekey-time (config only)

Time before initiating CHILD_SA rekeying.

vrouter running config# vrf <vrf> ike ipsec-policy-template <string>
vrouter running ipsec-policy-template <string># rekey-time REKEY-TIME
REKEY-TIME IKE duration, with optional unit (s|m|h|d).
Default value
1h

life-time (config only)

Maximum lifetime before CHILD_SA gets closed (default rekey-time + 10%).

vrouter running config# vrf <vrf> ike ipsec-policy-template <string>
vrouter running ipsec-policy-template <string># life-time LIFE-TIME
LIFE-TIME IKE duration, with optional unit (s|m|h|d).

rand-time (config only)

Time range from which to choose a random value to subtract from rekey-time (default life-time - rekey-time).

vrouter running config# vrf <vrf> ike ipsec-policy-template <string>
vrouter running ipsec-policy-template <string># rand-time RAND-TIME
RAND-TIME IKE duration, with optional unit (s|m|h|d).

rekey-bytes (config only)

Number of bytes processed before initiating CHILD_SA rekeying.

vrouter running config# vrf <vrf> ike ipsec-policy-template <string>
vrouter running ipsec-policy-template <string># rekey-bytes <uint64>
Default value
0

life-bytes (config only)

Maximum bytes processed before CHILD_SA gets closed (default rekey-bytes + 10%).

vrouter running config# vrf <vrf> ike ipsec-policy-template <string>
vrouter running ipsec-policy-template <string># life-bytes <uint64>

rand-bytes (config only)

Byte range from which to choose a random value to subtract from rekey-bytes (default life-bytes - rekey-bytes).

vrouter running config# vrf <vrf> ike ipsec-policy-template <string>
vrouter running ipsec-policy-template <string># rand-bytes <uint64>

rekey-packets (config only)

Number of packets processed before initiating CHILD_SA rekeying.

vrouter running config# vrf <vrf> ike ipsec-policy-template <string>
vrouter running ipsec-policy-template <string># rekey-packets <uint64>
Default value
0

life-packets (config only)

Maximum packets processed before CHILD_SA gets closed (default rekey-packets + 10%).

vrouter running config# vrf <vrf> ike ipsec-policy-template <string>
vrouter running ipsec-policy-template <string># life-packets <uint64>

rand-packets (config only)

Packet range from which to choose a random value to subtract from rekey-packets (default life-packets - rekey-packets).

vrouter running config# vrf <vrf> ike ipsec-policy-template <string>
vrouter running ipsec-policy-template <string># rand-packets <uint64>

encap-copy-dscp (config only)

Whether to copy DSCP from inner to outer IP header at IPsec encapsulation.

vrouter running config# vrf <vrf> ike ipsec-policy-template <string>
vrouter running ipsec-policy-template <string># encap-copy-dscp true|false
Default value
true

decap-copy-dscp (config only)

Whether to copy DSCP from outer to inner IP header at IPsec decapsulation.

vrouter running config# vrf <vrf> ike ipsec-policy-template <string>
vrouter running ipsec-policy-template <string># decap-copy-dscp true|false
Default value
false

encap-copy-df (config only)

Whether to copy the Don't Fragment bit from inner to outer IP header at IPsec encapsulation.

vrouter running config# vrf <vrf> ike ipsec-policy-template <string>
vrouter running ipsec-policy-template <string># encap-copy-df true|false
Default value
true

esp-proposal (config only)

List of ESP proposals.

vrouter running config# vrf <vrf> ike ipsec-policy-template <string> esp-proposal <uint8>

enc-alg (config only)

List of encryption algorithms for IPsec SAs.

vrouter running config# vrf <vrf> ike ipsec-policy-template <string> esp-proposal <uint8>
vrouter running esp-proposal <uint8># enc-alg ENC-ALG
ENC-ALG values Description
null NULL.
aes128-cbc AES-CBC, 128 bit key.
aes192-cbc AES-CBC, 192 bit key.
aes256-cbc AES-CBC, 256 bit key.
des-cbc DES-CBC, 56 bit key.
3des-cbc 3DES-CBC, 168 bit key.

auth-alg (config only)

List of auth algorithms for IPsec SAs.

vrouter running config# vrf <vrf> ike ipsec-policy-template <string> esp-proposal <uint8>
vrouter running esp-proposal <uint8># auth-alg AUTH-ALG
AUTH-ALG values Description
none NONE.
hmac-md5 HMAC-MD5-96.
hmac-sha1 HMAC-SHA1-96.
hmac-sha256 HMAC-SHA256-128.
hmac-sha384 HMAC-SHA384-192.
hmac-sha512 HMAC-SHA512-256.
aes-xcbc AES-XCBC-96.

aead-alg (config only)

List of combined-mode (AEAD) algorithms for IPsec SAs.

vrouter running config# vrf <vrf> ike ipsec-policy-template <string> esp-proposal <uint8>
vrouter running esp-proposal <uint8># aead-alg AEAD-ALG
AEAD-ALG values Description
aes128-gcm-128 AES-GCM, 128 bit key, 128 bit ICV.
aes192-gcm-128 AES-GCM, 192 bit key, 128 bit ICV.
aes256-gcm-128 AES-GCM, 256 bit key, 128 bit ICV.
aes128-gmac AES-GMAC, 128 bit key, 128 bit ICV.
aes192-gmac AES-GMAC, 192 bit key, 128 bit ICV.
aes256-gmac AES-GMAC, 256 bit key, 128 bit ICV.

dh-group (config only)

List of Diffie Hellman groups for Perfect Forward Secrecy.

vrouter running config# vrf <vrf> ike ipsec-policy-template <string> esp-proposal <uint8>
vrouter running esp-proposal <uint8># dh-group DH-GROUP
DH-GROUP values Description
modp768 Modulo Prime 768 bits (group 1).
modp1024 Modulo Prime 1024 bits (group 2).
modp1536 Modulo Prime 1536 bits (group 5).
modp2048 Modulo Prime 2048 bits (group 14).
modp3072 Modulo Prime 3072 bits (group 15).
modp4096 Modulo Prime 4096 bits (group 16).
modp6144 Modulo Prime 6144 bits (group 17).
modp8192 Modulo Prime 8192 bits (group 18).
modp1024s160 Modulo Prime 1024 bits, Subgroup 160 bits (group 22).
modp1024s224 Modulo Prime 1024 bits, Subgroup 224 bits (group 23).
modp1024s256 Modulo Prime 1024 bits, Subgroup 256 bits (group 24).
ecp192 Elliptic Curve 192 bits (group 25).
ecp224 Elliptic Curve 224 bits (group 26).
ecp256 Elliptic Curve 256 bits (group 19).
ecp384 Elliptic Curve 384 bits (group 20).
ecp521 Elliptic Curve 521 bits (group 21).
ecp224bp Brainpool Elliptic Curve 224 bits (group 27).
ecp256bp Brainpool Elliptic Curve 256 bits (group 28).
ecp384bp Brainpool Elliptic Curve 384 bits (group 29).
ecp512bp Brainpool Elliptic Curve 512 bits (group 30).

esn (config only)

List of Extended Sequence Number modes.

vrouter running config# vrf <vrf> ike ipsec-policy-template <string> esp-proposal <uint8>
vrouter running esp-proposal <uint8># esn true|false

ah-proposal (config only)

List of AH proposals.

vrouter running config# vrf <vrf> ike ipsec-policy-template <string> ah-proposal <string>

auth-alg (config only)

List of auth algorithms for IPsec SAs.

vrouter running config# vrf <vrf> ike ipsec-policy-template <string> ah-proposal <string>
vrouter running ah-proposal <string># auth-alg AUTH-ALG
AUTH-ALG values Description
hmac-md5 HMAC-MD5-96.
hmac-sha1 HMAC-SHA1-96.
hmac-sha256 HMAC-SHA256-128.
hmac-sha384 HMAC-SHA384-192.
hmac-sha512 HMAC-SHA512-256.
aes-xcbc AES-XCBC-96.

dh-group (config only)

List of Diffie Hellman groups for Perfect Forward Secrecy.

vrouter running config# vrf <vrf> ike ipsec-policy-template <string> ah-proposal <string>
vrouter running ah-proposal <string># dh-group DH-GROUP
DH-GROUP values Description
modp768 Modulo Prime 768 bits (group 1).
modp1024 Modulo Prime 1024 bits (group 2).
modp1536 Modulo Prime 1536 bits (group 5).
modp2048 Modulo Prime 2048 bits (group 14).
modp3072 Modulo Prime 3072 bits (group 15).
modp4096 Modulo Prime 4096 bits (group 16).
modp6144 Modulo Prime 6144 bits (group 17).
modp8192 Modulo Prime 8192 bits (group 18).
modp1024s160 Modulo Prime 1024 bits, Subgroup 160 bits (group 22).
modp1024s224 Modulo Prime 1024 bits, Subgroup 224 bits (group 23).
modp1024s256 Modulo Prime 1024 bits, Subgroup 256 bits (group 24).
ecp192 Elliptic Curve 192 bits (group 25).
ecp224 Elliptic Curve 224 bits (group 26).
ecp256 Elliptic Curve 256 bits (group 19).
ecp384 Elliptic Curve 384 bits (group 20).
ecp521 Elliptic Curve 521 bits (group 21).
ecp224bp Brainpool Elliptic Curve 224 bits (group 27).
ecp256bp Brainpool Elliptic Curve 256 bits (group 28).
ecp384bp Brainpool Elliptic Curve 384 bits (group 29).
ecp512bp Brainpool Elliptic Curve 512 bits (group 30).

esn (config only)

List of Extended Sequence Number modes.

vrouter running config# vrf <vrf> ike ipsec-policy-template <string> ah-proposal <string>
vrouter running ah-proposal <string># esn true|false
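
The ike-proposal, esp-proposal and ah-proposal value lists above, together with the aggressive and replay-window options, are what a configuration review checks for weak choices. The following audit script is an added example and not code from the vrouter documentation or product; it assumes the configuration is available as flat command lines in the path form this reference uses, and the sample configuration inside it is constructed.

```python
"""Audit vrouter IKE/IPsec policy templates for weak proposal settings.

Added example, not part of the vrouter documentation or product. Input is
assumed to be flat command lines in the path form this reference uses, e.g.
"vrf main ike ike-policy-template legacy ike-proposal 1 enc-alg 3des-cbc".
"""
import re
from collections import defaultdict

# Weak values among those this reference lists, with the reason a reviewer
# would give. Thresholds assumed here: 128-bit block ciphers, SHA-2 MACs and
# PRFs, DH groups of at least 2048-bit MODP or 256-bit ECP.
WEAK = {
    "enc-alg": {
        "null": "NULL cipher, no confidentiality",
        "des-cbc": "56-bit key",
        "3des-cbc": "64-bit block cipher (Sweet32 class)",
        "cast-cbc": "64-bit block cipher",
        "blowfish128-cbc": "64-bit block cipher",
        "blowfish192-cbc": "64-bit block cipher",
        "blowfish256-cbc": "64-bit block cipher",
    },
    "auth-alg": {"none": "no integrity protection", "hmac-md5": "MD5-based MAC"},
    "prf-alg": {"hmac-md5": "MD5-based PRF"},
    "dh-group": {
        "modp768": "group 1, 768-bit modulus",
        "modp1024": "group 2, 1024-bit modulus",
        "modp1536": "group 5, 1536-bit modulus",
        "modp1024s160": "group 22, 1024-bit modulus",
        "modp1024s224": "group 23, 1024-bit modulus",
        "modp1024s256": "group 24, 1024-bit modulus",
        "ecp192": "group 25, 192-bit curve",
    },
}

TEMPLATE = r"^vrf \S+ ike (?P<tmpl>ike-policy-template|ipsec-policy-template) (?P<name>\S+)"
PROPOSAL_RE = re.compile(TEMPLATE + r" (?P<prop>ike-proposal|esp-proposal|ah-proposal)"
                         r" (?P<idx>\S+) (?P<key>\S+) (?P<val>\S+)$")
OPTION_RE = re.compile(TEMPLATE + r" (?P<key>\S+) (?P<val>\S+)$")


def audit(lines):
    """Return a list of (path, setting, value, reason) findings."""
    findings = []
    proposals = defaultdict(dict)  # (proposal kind, path) -> {setting: [values]}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PROPOSAL_RE.match(line)
        if m:
            path = f"{m['tmpl']} {m['name']} {m['prop']} {m['idx']}"
            proposals[(m["prop"], path)].setdefault(m["key"], []).append(m["val"])
            reason = WEAK.get(m["key"], {}).get(m["val"])
            if reason:
                findings.append((path, m["key"], m["val"], reason))
            elif m["key"] == "aead-alg" and m["val"].endswith("-64"):
                findings.append((path, m["key"], m["val"], "short 64-bit ICV"))
            continue
        m = OPTION_RE.match(line)
        if not m:
            continue  # not a template-level option; ignored
        path = f"{m['tmpl']} {m['name']}"
        if m["key"] == "aggressive" and m["val"] == "true":
            findings.append((path, "aggressive", "true",
                             "IKEv1 Aggressive Mode sends peer identities in the clear"))
        elif m["key"] == "replay-window" and m["val"] == "0":
            findings.append((path, "replay-window", "0",
                             "IPsec replay protection disabled"))
    # Structural check: an ESP proposal with a plain cipher, no AEAD mode and
    # no auth-alg has no integrity protection at all.
    for (prop, path), settings in proposals.items():
        if (prop == "esp-proposal" and "enc-alg" in settings
                and "aead-alg" not in settings and "auth-alg" not in settings):
            findings.append((path, "auth-alg", "<unset>",
                             "ESP encryption configured without integrity protection"))
    return findings


# Constructed sample: a "legacy" template pair with weak choices beside a
# "modern" pair that passes clean.
SAMPLE_CONFIG = """\
vrf main ike ike-policy-template legacy aggressive true
vrf main ike ike-policy-template legacy ike-proposal 1 enc-alg 3des-cbc
vrf main ike ike-policy-template legacy ike-proposal 1 auth-alg hmac-md5
vrf main ike ike-policy-template legacy ike-proposal 1 prf-alg hmac-md5
vrf main ike ike-policy-template legacy ike-proposal 1 dh-group modp1024
vrf main ike ike-policy-template modern ike-proposal 1 aead-alg aes256-gcm-128
vrf main ike ike-policy-template modern ike-proposal 1 prf-alg hmac-sha256
vrf main ike ike-policy-template modern ike-proposal 1 dh-group ecp256
vrf main ike ipsec-policy-template legacy replay-window 0
vrf main ike ipsec-policy-template legacy esp-proposal 1 enc-alg aes128-cbc
vrf main ike ipsec-policy-template legacy esp-proposal 1 dh-group modp1024
vrf main ike ipsec-policy-template modern esp-proposal 1 aead-alg aes256-gcm-128
vrf main ike ipsec-policy-template modern esp-proposal 1 dh-group ecp256
vrf main ike ipsec-policy-template modern esp-proposal 1 esn true
"""

if __name__ == "__main__":
    for path, key, val, why in audit(SAMPLE_CONFIG.splitlines()):
        print(f"{path}: {key} {val} ({why})")
```

Run against the sample, the "legacy" templates produce eight findings (Aggressive Mode, 3DES, MD5 MAC and PRF, two 1024-bit DH groups, replay window 0, and ESP without an auth-alg) while the "modern" templates produce none.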

vpn

List of IKE Virtual Private Networks.

vrouter running config# vrf <vrf> ike vpn <string>

description

Description of the VPN.

vrouter running config# vrf <vrf> ike vpn <string>
vrouter running vpn <string># description <string>

version

IKE version. 0 accepts both IKEv1 and IKEv2 as responder, and initiates the connection actively with IKEv2.

vrouter running config# vrf <vrf> ike vpn <string>
vrouter running vpn <string># version <uint8>
Default value
2

local-address

List of IKE local peer addresses.

vrouter running config# vrf <vrf> ike vpn <string>
vrouter running vpn <string># local-address LOCAL-ADDRESS
LOCAL-ADDRESS values Description
<domain-name> A DNS domain name, following the syntax of RFC 1034 section 3.5 as modified by RFC 1123 section 2.1 (at most 253 characters in dotted notation, US-ASCII, lowercase in canonical form; internationalized names are encoded in punycode as described in RFC 3492). Host names should follow the stricter RFC 952 syntax for interoperability.
<ipv4-address> An IPv4 address.
<ipv6-address> An IPv6 address.
<ipv4-prefix> An IPv4 prefix: address and CIDR mask.
<ipv6-prefix> An IPv6 prefix: address and CIDR mask.
<ipv4-range> IPv4 address range, in the form addr4-addr4.
<ipv6-range> IPv6 address range, in the form addr6-addr6.

remote-address

List of IKE remote peer addresses.

vrouter running config# vrf <vrf> ike vpn <string>
vrouter running vpn <string># remote-address REMOTE-ADDRESS
REMOTE-ADDRESS values Description
<domain-name> A DNS domain name, following the syntax of RFC 1034 section 3.5 as modified by RFC 1123 section 2.1 (at most 253 characters in dotted notation, US-ASCII, lowercase in canonical form; internationalized names are encoded in punycode as described in RFC 3492). Host names should follow the stricter RFC 952 syntax for interoperability.
<ipv4-address> An IPv4 address.
<ipv6-address> An IPv6 address.
<ipv4-prefix> An IPv4 prefix: address and CIDR mask.
<ipv6-prefix> An IPv6 prefix: address and CIDR mask.
<ipv4-range> IPv4 address range, in the form addr4-addr4.
<ipv6-range> IPv6 address range, in the form addr6-addr6.

local-id

Local IKE identifier: IP address, FQDN, user-FQDN (e-mail address) or ASN.1 Distinguished Name. Default: the local IP address with pre-shared-key authentication, the certificate SubjectName with certificate authentication.

vrouter running config# vrf <vrf> ike vpn <string>
vrouter running vpn <string># local-id LOCAL-ID
LOCAL-ID values Description
<ike-id> IKE ID: an IPv4 address, an IPv6 address, a DNS domain name (fqdn), an e-mail address (user-fqdn) or an ASN.1 distinguished name.

remote-id

Remote IKE identifier: IP address, FQDN, user-FQDN (e-mail address) or ASN.1 Distinguished Name. Default: the remote IP address with pre-shared-key authentication, the certificate SubjectName with certificate authentication.

vrouter running config# vrf <vrf> ike vpn <string>
vrouter running vpn <string># remote-id REMOTE-ID
REMOTE-ID values Description
<ike-id> IKE ID: an IPv4 address, an IPv6 address, a DNS domain name (fqdn), an e-mail address (user-fqdn) or an ASN.1 distinguished name.

certificate

List of local certificates to use for authentication.

vrouter running config# vrf <vrf> ike vpn <string>
vrouter running vpn <string># certificate <leafref>

vip-request

List of virtual IP addresses to request (0.0.0.0 for any IPv4 address, :: for any IPv6 address).

vrouter running config# vrf <vrf> ike vpn <string>
vrouter running vpn <string># vip-request VIP-REQUEST
VIP-REQUEST values Description
<ipv4-address> An IPv4 address.
<ipv6-address> An IPv6 address.

vip-pool

List of virtual IP pools, to assign a virtual IP to an IKE peer.

vrouter running config# vrf <vrf> ike vpn <string>
vrouter running vpn <string># vip-pool <leafref>

name (state only)

Name of IKE connection.

vrouter> show state vrf <vrf> ike vpn <string> name

ike-policy

IKE policy configuration.

vrouter running config# vrf <vrf> ike vpn <string> ike-policy

template (config only) (mandatory)

Template from which this IKE policy derives.

vrouter running config# vrf <vrf> ike vpn <string> ike-policy
vrouter running ike-policy# template <leafref>

local-auth-method

Local IKE authentication method.

vrouter running config# vrf <vrf> ike vpn <string> ike-policy
vrouter running ike-policy# local-auth-method LOCAL-AUTH-METHOD
LOCAL-AUTH-METHOD values Description
pre-shared-key Pre-shared key.
certificate Public key signature with X509 Certificates.

remote-auth-method

Remote IKE authentication method.

vrouter running config# vrf <vrf> ike vpn <string> ike-policy
vrouter running ike-policy# remote-auth-method REMOTE-AUTH-METHOD
REMOTE-AUTH-METHOD values Description
pre-shared-key Pre-shared key.
certificate Public key signature with X509 Certificates.

keying-tries

Number of times we should try to initiate an IKE connection if the responder does not answer (after a full sequence of retransmissions). A value of 0 initiates a new sequence forever, until the connection establishes or fails with a permanent error.

vrouter running config# vrf <vrf> ike vpn <string> ike-policy
vrouter running ike-policy# keying-tries <uint32>

unique-sa

Connection uniqueness policy to enforce, to avoid multiple connections from the same user ID.

vrouter running config# vrf <vrf> ike vpn <string> ike-policy
vrouter running ike-policy# unique-sa UNIQUE-SA
UNIQUE-SA values Description
no Do not enforce IKE SA uniqueness, except if a peer included INITIAL_CONTACT notify.
never Never enforce IKE SA uniqueness, even if a peer included INITIAL_CONTACT notify. Never send INITIAL_CONTACT as initiator.
keep Reject new connection attempts from same user.
replace Delete any existing connection if a new one for the same user gets established.
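A responder-only remote-access VPN that ties together the pool, vip-pool and unique-sa leaves described above. This is an added example, not configuration taken from the product documentation. It assumes a VRF named main, the RFC 5737 documentation address 192.0.2.1 as the gateway address, a certificate entry vpn-gw-cert already loaded under vrf main ike certificate (and a trusted CA for the client certificates, which is outside this excerpt), policy templates named ikev2-default and esp-default created beforehand (an ike-policy-template node is assumed to exist alongside the ipsec-policy-template shown on this page), that `..` leaves the current node and returns to the parent prompt, and that commit is accepted at any prompt.

```text
vrouter running config# vrf main ike pool rw-pool
vrouter running pool rw-pool# address 10.99.0.0/24
vrouter running pool rw-pool# dns 10.1.0.53
vrouter running pool rw-pool# ..
vrouter running ike# vpn roadwarriors
vrouter running vpn roadwarriors# description "Remote-access responder, IKEv2, certificates"
vrouter running vpn roadwarriors# version 2
vrouter running vpn roadwarriors# local-address 192.0.2.1
vrouter running vpn roadwarriors# remote-address 0.0.0.0/0
vrouter running vpn roadwarriors# local-id vpn.example.com
vrouter running vpn roadwarriors# certificate vpn-gw-cert
vrouter running vpn roadwarriors# vip-pool rw-pool
vrouter running vpn roadwarriors# ike-policy
vrouter running ike-policy# template ikev2-default
vrouter running ike-policy# local-auth-method certificate
vrouter running ike-policy# remote-auth-method certificate
vrouter running ike-policy# unique-sa replace
vrouter running ike-policy# dpd-delay 30s
vrouter running ike-policy# ike-proposal 1
vrouter running ike-proposal 1# aead-alg aes256-gcm-128
vrouter running ike-proposal 1# prf-alg hmac-sha384
vrouter running ike-proposal 1# dh-group ecp384
vrouter running ike-proposal 1# ..
vrouter running ike-policy# ..
vrouter running vpn roadwarriors# ipsec-policy
vrouter running ipsec-policy# template esp-default
vrouter running ipsec-policy# start-action none
vrouter running ipsec-policy# close-action none
vrouter running ipsec-policy# dpd-action clear
vrouter running ipsec-policy# esp-proposal 1
vrouter running esp-proposal 1# aead-alg aes256-gcm-128
vrouter running esp-proposal 1# dh-group ecp384
vrouter running esp-proposal 1# ..
vrouter running ipsec-policy# ..
vrouter running vpn roadwarriors# security-policy rw-to-lan
vrouter running security-policy rw-to-lan# action esp
vrouter running security-policy rw-to-lan# mode tunnel
vrouter running security-policy rw-to-lan# local-ts subnet 10.1.0.0/16
vrouter running security-policy rw-to-lan# commit
```

The design choices: remote-address 0.0.0.0/0 and start-action none make the gateway a pure responder, so it never initiates to unknown addresses; remote-ts is left unset so it defaults to the virtual IP handed out from rw-pool, which confines each client to its assigned address; unique-sa replace ensures that a client reconnecting (or a duplicate of its credentials) tears down the previous IKE SA instead of holding two; version 2 with no remote-id means any identity in a certificate chaining to the trusted CA is accepted, so the CA must be dedicated to VPN clients. Verify with show state vrf main ike ike-sa and, for a responder exposed to the Internet, watch show state vrf main ike ike-sas half-open for a rising count of unauthenticated exchanges.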

reauth-time

Time to schedule IKE reauthentication.

vrouter running config# vrf <vrf> ike vpn <string> ike-policy
vrouter running ike-policy# reauth-time REAUTH-TIME
REAUTH-TIME IKE duration, with optional unit (s|m|h|d).

rekey-time

Time to schedule IKE rekeying.

vrouter running config# vrf <vrf> ike vpn <string> ike-policy
vrouter running ike-policy# rekey-time REKEY-TIME
REKEY-TIME IKE duration, with optional unit (s|m|h|d).

dpd-delay

Interval to check the liveness of a peer.

vrouter running config# vrf <vrf> ike vpn <string> ike-policy
vrouter running ike-policy# dpd-delay DPD-DELAY
DPD-DELAY IKE duration, with optional unit (s|m|h|d).

aggressive

Enable or disable Aggressive Mode instead of Main Mode in IKEv1. Aggressive Mode sends the peer identities unencrypted and, with pre-shared-key authentication, exposes a hash derived from the PSK to offline dictionary attacks, so leave it disabled unless a legacy peer requires it.

vrouter running config# vrf <vrf> ike vpn <string> ike-policy
vrouter running ike-policy# aggressive true|false

udp-encap

If true, enforce UDP encapsulation of ESP packets (NAT traversal on UDP port 4500) even when no NAT is detected between the peers.

vrouter running config# vrf <vrf> ike vpn <string> ike-policy
vrouter running ike-policy# udp-encap true|false

ike-proposal

List of IKE phase 1 proposals.

vrouter running config# vrf <vrf> ike vpn <string> ike-policy ike-proposal <uint8>

enc-alg

List of encryption algorithms for IKE SAs. des-cbc (56 bit key) and 3des-cbc are legacy ciphers that should not be used in new configurations; prefer aes256-cbc or aes256-ctr here, or an AEAD algorithm via aead-alg.

vrouter running config# vrf <vrf> ike vpn <string> ike-policy ike-proposal <uint8>
vrouter running ike-proposal <uint8># enc-alg ENC-ALG
ENC-ALG values Description
aes128-cbc AES-CBC, 128 bit key.
aes192-cbc AES-CBC, 192 bit key.
aes256-cbc AES-CBC, 256 bit key.
des-cbc DES-CBC, 56 bit key.
3des-cbc 3DES-CBC, 168 bit key.
aes128-ctr AES-CTR, 128 bit key.
aes192-ctr AES-CTR, 192 bit key.
aes256-ctr AES-CTR, 256 bit key.
cast-cbc CAST-CBC, 128 bit key.
blowfish128-cbc Blowfish-CBC, 128 bit key.
blowfish192-cbc Blowfish-CBC, 192 bit key.
blowfish256-cbc Blowfish-CBC, 256 bit key.
camellia128-cbc Camellia-CBC, 128 bit key.
camellia192-cbc Camellia-CBC, 192 bit key.
camellia256-cbc Camellia-CBC, 256 bit key.
camellia128-ctr Camellia-CTR, 128 bit key.
camellia192-ctr Camellia-CTR, 192 bit key.
camellia256-ctr Camellia-CTR, 256 bit key.

auth-alg

List of authentication (integrity) algorithms for IKE SAs. hmac-md5 is retained only for legacy peers; prefer hmac-sha256 or stronger.

vrouter running config# vrf <vrf> ike vpn <string> ike-policy ike-proposal <uint8>
vrouter running ike-proposal <uint8># auth-alg AUTH-ALG
AUTH-ALG values Description
hmac-md5 HMAC-MD5-96.
hmac-sha1 HMAC-SHA1-96.
hmac-sha256 HMAC-SHA256-128.
hmac-sha384 HMAC-SHA384-192.
hmac-sha512 HMAC-SHA512-256.
aes-xcbc AES-XCBC-96.

aead-alg

List of combined-mode (AEAD) algorithms for IKE SAs.

vrouter running config# vrf <vrf> ike vpn <string> ike-policy ike-proposal <uint8>
vrouter running ike-proposal <uint8># aead-alg AEAD-ALG
AEAD-ALG values Description
aes128-gcm-64 AES-GCM, 128 bit key, 64 bit ICV.
aes192-gcm-64 AES-GCM, 192 bit key, 64 bit ICV.
aes256-gcm-64 AES-GCM, 256 bit key, 64 bit ICV.
aes128-gcm-96 AES-GCM, 128 bit key, 96 bit ICV.
aes192-gcm-96 AES-GCM, 192 bit key, 96 bit ICV.
aes256-gcm-96 AES-GCM, 256 bit key, 96 bit ICV.
aes128-gcm-128 AES-GCM, 128 bit key, 128 bit ICV.
aes192-gcm-128 AES-GCM, 192 bit key, 128 bit ICV.
aes256-gcm-128 AES-GCM, 256 bit key, 128 bit ICV.
aes128-ccm-64 AES-CCM, 128 bit key, 64 bit ICV.
aes192-ccm-64 AES-CCM, 192 bit key, 64 bit ICV.
aes256-ccm-64 AES-CCM, 256 bit key, 64 bit ICV.
aes128-ccm-96 AES-CCM, 128 bit key, 96 bit ICV.
aes192-ccm-96 AES-CCM, 192 bit key, 96 bit ICV.
aes256-ccm-96 AES-CCM, 256 bit key, 96 bit ICV.
aes128-ccm-128 AES-CCM, 128 bit key, 128 bit ICV.
aes192-ccm-128 AES-CCM, 192 bit key, 128 bit ICV.
aes256-ccm-128 AES-CCM, 256 bit key, 128 bit ICV.
camellia128-ccm-64 Camellia-CCM, 128 bit key, 64 bit ICV.
camellia192-ccm-64 Camellia-CCM, 192 bit key, 64 bit ICV.
camellia256-ccm-64 Camellia-CCM, 256 bit key, 64 bit ICV.
camellia128-ccm-96 Camellia-CCM, 128 bit key, 96 bit ICV.
camellia192-ccm-96 Camellia-CCM, 192 bit key, 96 bit ICV.
camellia256-ccm-96 Camellia-CCM, 256 bit key, 96 bit ICV.

prf-alg

List of pseudo-random algorithms for IKE SAs.

vrouter running config# vrf <vrf> ike vpn <string> ike-policy ike-proposal <uint8>
vrouter running ike-proposal <uint8># prf-alg PRF-ALG
PRF-ALG values Description
hmac-md5 PRF-HMAC-MD5.
hmac-sha1 PRF-HMAC-SHA1.
aes-xcbc AES-XCBC-PRF-128.
aes-cmac AES-CMAC-PRF-128.
hmac-sha256 PRF-HMAC-SHA-256.
hmac-sha384 PRF-HMAC-SHA-384.
hmac-sha512 PRF-HMAC-SHA-512.

dh-group

List of Diffie Hellman groups for key exchange. Groups 1, 2 and 5 (modp768, modp1024, modp1536) are rated MUST NOT or SHOULD NOT by RFC 8247 and are too weak for new deployments; use modp2048 or larger, or an ECP group such as ecp256 or ecp384.

vrouter running config# vrf <vrf> ike vpn <string> ike-policy ike-proposal <uint8>
vrouter running ike-proposal <uint8># dh-group DH-GROUP
DH-GROUP values Description
modp768 Modulo Prime 768 bits (group 1).
modp1024 Modulo Prime 1024 bits (group 2).
modp1536 Modulo Prime 1536 bits (group 5).
modp2048 Modulo Prime 2048 bits (group 14).
modp3072 Modulo Prime 3072 bits (group 15).
modp4096 Modulo Prime 4096 bits (group 16).
modp6144 Modulo Prime 6144 bits (group 17).
modp8192 Modulo Prime 8192 bits (group 18).
modp1024s160 Modulo Prime 1024 bits, Subgroup 160 bits (group 22).
modp1024s224 Modulo Prime 1024 bits, Subgroup 224 bits (group 23).
modp1024s256 Modulo Prime 1024 bits, Subgroup 256 bits (group 24).
ecp192 Elliptic Curve 192 bits (group 25).
ecp224 Elliptic Curve 224 bits (group 26).
ecp256 Elliptic Curve 256 bits (group 19).
ecp384 Elliptic Curve 384 bits (group 20).
ecp521 Elliptic Curve 521 bits (group 21).
ecp224bp Brainpool Elliptic Curve 224 bits (group 27).
ecp256bp Brainpool Elliptic Curve 256 bits (group 28).
ecp384bp Brainpool Elliptic Curve 384 bits (group 29).
ecp512bp Brainpool Elliptic Curve 512 bits (group 30).

index (state only)

Index in the list of IKE phase 1 proposals.

vrouter> show state vrf <vrf> ike vpn <string> ike-policy ike-proposal <uint8> index

ipsec-policy

IPsec policy configuration.

vrouter running config# vrf <vrf> ike vpn <string> ipsec-policy

template (config only) (mandatory)

Template from which this IPsec policy derives.

vrouter running config# vrf <vrf> ike vpn <string> ipsec-policy
vrouter running ipsec-policy# template <leafref>

start-action

Action to perform for this CHILD_SA when the connection is loaded.

vrouter running config# vrf <vrf> ike vpn <string> ipsec-policy
vrouter running ipsec-policy# start-action START-ACTION
START-ACTION values Description
none Load the connection only, can be used as a responder configuration.
trap Install a trap policy, which triggers the tunnel as soon as matching traffic has been detected.
start Initiate the connection actively.

close-action

Action to perform when a CHILD_SA gets closed by a peer.

vrouter running config# vrf <vrf> ike vpn <string> ipsec-policy
vrouter running ipsec-policy# close-action CLOSE-ACTION
CLOSE-ACTION values Description
none Close the Child SA and take no further action.
trap Install a trap policy matching traffic and try to re-negotiate the tunnel on-demand.
start Try to immediately re-create the CHILD_SA.

dpd-action

Action to perform for a CHILD_SA on DPD timeout.

vrouter running config# vrf <vrf> ike vpn <string> ipsec-policy
vrouter running ipsec-policy# dpd-action DPD-ACTION
DPD-ACTION values Description
clear Close the Child SA and take no further action.
trap Install a trap policy, which catches matching traffic and tries to re-negotiate the tunnel on demand.
restart Immediately try to re-negotiate the CHILD_SA under a fresh IKE_SA.

replay-window

Replay window size. 0 disables IPsec replay protection, which allows captured ESP or AH packets to be replayed to the receiver; keep it enabled and widen the window instead if a path legitimately reorders packets beyond it.

vrouter running config# vrf <vrf> ike vpn <string> ipsec-policy
vrouter running ipsec-policy# replay-window <uint16>

rekey-time

Time before initiating CHILD_SA rekeying.

vrouter running config# vrf <vrf> ike vpn <string> ipsec-policy
vrouter running ipsec-policy# rekey-time REKEY-TIME
REKEY-TIME IKE duration, with optional unit (s|m|h|d).

life-time

Maximum lifetime before CHILD_SA gets closed (default rekey-time + 10%).

vrouter running config# vrf <vrf> ike vpn <string> ipsec-policy
vrouter running ipsec-policy# life-time LIFE-TIME
LIFE-TIME IKE duration, with optional unit (s|m|h|d).

rand-time

Time range from which to choose a random value to subtract from rekey-time (default life-time - rekey-time).

vrouter running config# vrf <vrf> ike vpn <string> ipsec-policy
vrouter running ipsec-policy# rand-time RAND-TIME
RAND-TIME IKE duration, with optional unit (s|m|h|d).

rekey-bytes

Number of bytes processed before initiating CHILD_SA rekeying.

vrouter running config# vrf <vrf> ike vpn <string> ipsec-policy
vrouter running ipsec-policy# rekey-bytes <uint64>

life-bytes

Maximum bytes processed before CHILD_SA gets closed (default rekey-bytes + 10%).

vrouter running config# vrf <vrf> ike vpn <string> ipsec-policy
vrouter running ipsec-policy# life-bytes <uint64>

rand-bytes

Byte range from which to choose a random value to subtract from rekey-bytes (default life-bytes - rekey-bytes).

vrouter running config# vrf <vrf> ike vpn <string> ipsec-policy
vrouter running ipsec-policy# rand-bytes <uint64>

rekey-packets

Number of packets processed before initiating CHILD_SA rekeying.

vrouter running config# vrf <vrf> ike vpn <string> ipsec-policy
vrouter running ipsec-policy# rekey-packets <uint64>

life-packets

Maximum packets processed before CHILD_SA gets closed (default rekey-packets + 10%).

vrouter running config# vrf <vrf> ike vpn <string> ipsec-policy
vrouter running ipsec-policy# life-packets <uint64>

rand-packets

Packet range from which to choose a random value to subtract from rekey-packets (default life-packets - rekey-packets).

vrouter running config# vrf <vrf> ike vpn <string> ipsec-policy
vrouter running ipsec-policy# rand-packets <uint64>

encap-copy-dscp

Whether to copy DSCP from inner to outer IP header at IPsec encapsulation.

vrouter running config# vrf <vrf> ike vpn <string> ipsec-policy
vrouter running ipsec-policy# encap-copy-dscp true|false

decap-copy-dscp

Whether to copy DSCP from outer to inner IP header at IPsec decapsulation.

vrouter running config# vrf <vrf> ike vpn <string> ipsec-policy
vrouter running ipsec-policy# decap-copy-dscp true|false

encap-copy-df

Whether to copy the Don’t Fragment bit from inner to outer IP header at IPsec encapsulation.

vrouter running config# vrf <vrf> ike vpn <string> ipsec-policy
vrouter running ipsec-policy# encap-copy-df true|false

esp-proposal

List of ESP proposals.

vrouter running config# vrf <vrf> ike vpn <string> ipsec-policy esp-proposal <uint8>

enc-alg

List of encryption algorithms for IPsec SAs. null provides no confidentiality and is only meaningful for authentication-only ESP combined with an auth-alg; des-cbc and 3des-cbc are legacy ciphers to avoid in new configurations. Prefer AES-CBC with an auth-alg, or AES-GCM via aead-alg.

vrouter running config# vrf <vrf> ike vpn <string> ipsec-policy esp-proposal <uint8>
vrouter running esp-proposal <uint8># enc-alg ENC-ALG
ENC-ALG values Description
null NULL.
aes128-cbc AES-CBC, 128 bit key.
aes192-cbc AES-CBC, 192 bit key.
aes256-cbc AES-CBC, 256 bit key.
des-cbc DES-CBC, 56 bit key.
3des-cbc 3DES-CBC, 168 bit key.

auth-alg

List of authentication (integrity) algorithms for IPsec SAs. Select none only when the proposal uses an AEAD algorithm (aead-alg), which carries its own integrity check; ESP without integrity protection does not detect tampering. hmac-md5 is retained only for legacy peers.

vrouter running config# vrf <vrf> ike vpn <string> ipsec-policy esp-proposal <uint8>
vrouter running esp-proposal <uint8># auth-alg AUTH-ALG
AUTH-ALG values Description
none NONE.
hmac-md5 HMAC-MD5-96.
hmac-sha1 HMAC-SHA1-96.
hmac-sha256 HMAC-SHA256-128.
hmac-sha384 HMAC-SHA384-192.
hmac-sha512 HMAC-SHA512-256.
aes-xcbc AES-XCBC-96.

aead-alg

List of combined-mode (AEAD) algorithms for IPsec SAs.

vrouter running config# vrf <vrf> ike vpn <string> ipsec-policy esp-proposal <uint8>
vrouter running esp-proposal <uint8># aead-alg AEAD-ALG
AEAD-ALG values Description
aes128-gcm-128 AES-GCM, 128 bit key, 128 bit ICV.
aes192-gcm-128 AES-GCM, 192 bit key, 128 bit ICV.
aes256-gcm-128 AES-GCM, 256 bit key, 128 bit ICV.
aes128-gmac AES-GMAC, 128 bit key, 128 bit ICV.
aes192-gmac AES-GMAC, 192 bit key, 128 bit ICV.
aes256-gmac AES-GMAC, 256 bit key, 128 bit ICV.

dh-group

List of Diffie Hellman groups for Perfect Forward Secrecy.

vrouter running config# vrf <vrf> ike vpn <string> ipsec-policy esp-proposal <uint8>
vrouter running esp-proposal <uint8># dh-group DH-GROUP
DH-GROUP values Description
modp768 Modulo Prime 768 bits (group 1).
modp1024 Modulo Prime 1024 bits (group 2).
modp1536 Modulo Prime 1536 bits (group 5).
modp2048 Modulo Prime 2048 bits (group 14).
modp3072 Modulo Prime 3072 bits (group 15).
modp4096 Modulo Prime 4096 bits (group 16).
modp6144 Modulo Prime 6144 bits (group 17).
modp8192 Modulo Prime 8192 bits (group 18).
modp1024s160 Modulo Prime 1024 bits, Subgroup 160 bits (group 22).
modp1024s224 Modulo Prime 1024 bits, Subgroup 224 bits (group 23).
modp1024s256 Modulo Prime 1024 bits, Subgroup 256 bits (group 24).
ecp192 Elliptic Curve 192 bits (group 25).
ecp224 Elliptic Curve 224 bits (group 26).
ecp256 Elliptic Curve 256 bits (group 19).
ecp384 Elliptic Curve 384 bits (group 20).
ecp521 Elliptic Curve 521 bits (group 21).
ecp224bp Brainpool Elliptic Curve 224 bits (group 27).
ecp256bp Brainpool Elliptic Curve 256 bits (group 28).
ecp384bp Brainpool Elliptic Curve 384 bits (group 29).
ecp512bp Brainpool Elliptic Curve 512 bits (group 30).

esn

List of Extended Sequence Number modes.

vrouter running config# vrf <vrf> ike vpn <string> ipsec-policy esp-proposal <uint8>
vrouter running esp-proposal <uint8># esn true|false

index (state only)

Index in list of ESP proposals.

vrouter> show state vrf <vrf> ike vpn <string> ipsec-policy esp-proposal <uint8> index

ah-proposal

List of AH proposals.

vrouter running config# vrf <vrf> ike vpn <string> ipsec-policy ah-proposal <string>

auth-alg

List of auth algorithms for IPsec SAs.

vrouter running config# vrf <vrf> ike vpn <string> ipsec-policy ah-proposal <string>
vrouter running ah-proposal <string># auth-alg AUTH-ALG
AUTH-ALG values Description
hmac-md5 HMAC-MD5-96.
hmac-sha1 HMAC-SHA1-96.
hmac-sha256 HMAC-SHA256-128.
hmac-sha384 HMAC-SHA384-192.
hmac-sha512 HMAC-SHA512-256.
aes-xcbc AES-XCBC-96.

dh-group

List of Diffie Hellman groups for Perfect Forward Secrecy.

vrouter running config# vrf <vrf> ike vpn <string> ipsec-policy ah-proposal <string>
vrouter running ah-proposal <string># dh-group DH-GROUP
DH-GROUP values Description
modp768 Modulo Prime 768 bits (group 1).
modp1024 Modulo Prime 1024 bits (group 2).
modp1536 Modulo Prime 1536 bits (group 5).
modp2048 Modulo Prime 2048 bits (group 14).
modp3072 Modulo Prime 3072 bits (group 15).
modp4096 Modulo Prime 4096 bits (group 16).
modp6144 Modulo Prime 6144 bits (group 17).
modp8192 Modulo Prime 8192 bits (group 18).
modp1024s160 Modulo Prime 1024 bits, Subgroup 160 bits (group 22).
modp1024s224 Modulo Prime 1024 bits, Subgroup 224 bits (group 23).
modp1024s256 Modulo Prime 1024 bits, Subgroup 256 bits (group 24).
ecp192 Elliptic Curve 192 bits (group 25).
ecp224 Elliptic Curve 224 bits (group 26).
ecp256 Elliptic Curve 256 bits (group 19).
ecp384 Elliptic Curve 384 bits (group 20).
ecp521 Elliptic Curve 521 bits (group 21).
ecp224bp Brainpool Elliptic Curve 224 bits (group 27).
ecp256bp Brainpool Elliptic Curve 256 bits (group 28).
ecp384bp Brainpool Elliptic Curve 384 bits (group 29).
ecp512bp Brainpool Elliptic Curve 512 bits (group 30).

esn

List of Extended Sequence Number modes.

vrouter running config# vrf <vrf> ike vpn <string> ipsec-policy ah-proposal <string>
vrouter running ah-proposal <string># esn true|false

index (state only)

Index in list of AH proposals.

vrouter> show state vrf <vrf> ike vpn <string> ipsec-policy ah-proposal <string> index

security-policy

List of IPsec bidirectional security policies.

vrouter running config# vrf <vrf> ike vpn <string> security-policy <string>

action

IPsec action.

vrouter running config# vrf <vrf> ike vpn <string> security-policy <string>
vrouter running security-policy <string># action ACTION
ACTION values Description
esp Protect traffic with Encapsulating Security Payload.
ah Protect traffic with Authentication Header.
pass Pass traffic in plain text.
drop Drop traffic.
Default value
esp

mode

IPsec mode if action is esp or ah.

vrouter running config# vrf <vrf> ike vpn <string> security-policy <string>
vrouter running security-policy <string># mode MODE
MODE values Description
tunnel Tunnel mode.
transport Transport mode.
beet Bound End to End Tunnel mode.
Default value
tunnel

priority

Security policy priority (0 stands for dynamically calculated).

vrouter running config# vrf <vrf> ike vpn <string> security-policy <string>
vrouter running security-policy <string># priority <uint32>
Default value
0

name (state only)

Name of IPsec security policy.

vrouter> show state vrf <vrf> ike vpn <string> security-policy <string> name

local-ts

Local traffic selector (default the tunnel outer address or the virtual IP, if negotiated).

vrouter running config# vrf <vrf> ike vpn <string> security-policy <string>
vrouter running security-policy <string># local-ts subnet SUBNET protocol <uint8> \
... port <uint16>

subnet

Private subnet or address (default: the tunnel outer address or virtual IP, if negotiated).

subnet SUBNET
SUBNET values Description
<ipv4-address> An IPv4 address.
<ipv6-address> An IPv6 address.
<ipv4-prefix> An IPv4 prefix: address and CIDR mask.
<ipv6-prefix> An IPv6 prefix: address and CIDR mask.

protocol

Protocol number (default any).

protocol <uint8>

port

Port number or ICMP type/code (default any).

port <uint16>

remote-ts

Remote traffic selector (default the tunnel outer address or the virtual IP, if negotiated).

vrouter running config# vrf <vrf> ike vpn <string> security-policy <string>
vrouter running security-policy <string># remote-ts subnet SUBNET protocol <uint8> \
... port <uint16>

subnet

Private subnet or address (default: the tunnel outer address or virtual IP, if negotiated).

subnet SUBNET
SUBNET values Description
<ipv4-address> An IPv4 address.
<ipv6-address> An IPv6 address.
<ipv4-prefix> An IPv4 prefix: address and CIDR mask.
<ipv6-prefix> An IPv6 prefix: address and CIDR mask.

protocol

Protocol number (default any).

protocol <uint8>

port

Port number or ICMP type/code (default any).

port <uint16>

ike-sas (state only)

Number of IKE SAs.

total (state only)

Total number of IKE SAs (half-open or established).

vrouter> show state vrf <vrf> ike ike-sas total

half-open (state only)

Number of half-open IKE SAs.

vrouter> show state vrf <vrf> ike ike-sas half-open

task-processing (state only)

Internal task processing statistics.

worker-threads (state only)

State of IKE daemon threads.

total (state only)

Total number of threads.

vrouter> show state vrf <vrf> ike task-processing worker-threads total

idle (state only)

Number of idle threads.

vrouter> show state vrf <vrf> ike task-processing worker-threads idle

critical (state only)

Number of threads executing critical priority tasks.

vrouter> show state vrf <vrf> ike task-processing worker-threads critical

high (state only)

Number of threads executing high priority tasks.

vrouter> show state vrf <vrf> ike task-processing worker-threads high

medium (state only)

Number of threads executing medium priority tasks.

vrouter> show state vrf <vrf> ike task-processing worker-threads medium

low (state only)

Number of threads executing low priority tasks.

vrouter> show state vrf <vrf> ike task-processing worker-threads low

task-queues (state only)

Counters of pending tasks.

critical (state only)

Number of critical priority tasks waiting for an available thread.

vrouter> show state vrf <vrf> ike task-processing task-queues critical

high (state only)

Number of high priority tasks waiting for an available thread.

vrouter> show state vrf <vrf> ike task-processing task-queues high

medium (state only)

Number of medium priority tasks waiting for an available thread.

vrouter> show state vrf <vrf> ike task-processing task-queues medium

low (state only)

Number of low priority tasks waiting for an available thread.

vrouter> show state vrf <vrf> ike task-processing task-queues low

scheduled (state only)

Number of tasks waiting for a timer to expire.

vrouter> show state vrf <vrf> ike task-processing task-queues scheduled

vpn-counters (state only)

List of per-VPN IKE message counters.

ike-rekey-init (state only)

Initiated IKE_SA rekeyings.

vrouter> show state vrf <vrf> ike vpn-counters name <string> ike-rekey-init

ike-rekey-resp (state only)

Responded IKE_SA rekeyings.

vrouter> show state vrf <vrf> ike vpn-counters name <string> ike-rekey-resp

child-rekey (state only)

Completed CHILD_SA rekeyings.

vrouter> show state vrf <vrf> ike vpn-counters name <string> child-rekey

invalid (state only)

Messages with invalid types, length, or a value out of range.

vrouter> show state vrf <vrf> ike vpn-counters name <string> invalid

invalid-spi (state only)

Messages with an invalid IKE SPI.

vrouter> show state vrf <vrf> ike vpn-counters name <string> invalid-spi

ike-init-in-req (state only)

Received IKE_SA_INIT requests.

vrouter> show state vrf <vrf> ike vpn-counters name <string> ike-init-in-req

ike-init-in-resp (state only)

Received IKE_SA_INIT responses.

vrouter> show state vrf <vrf> ike vpn-counters name <string> ike-init-in-resp

ike-init-out-req (state only)

Sent IKE_SA_INIT requests.

vrouter> show state vrf <vrf> ike vpn-counters name <string> ike-init-out-req

ike-init-out-resp (state only)

Sent IKE_SA_INIT responses.

vrouter> show state vrf <vrf> ike vpn-counters name <string> ike-init-out-resp

ike-auth-in-req (state only)

Received IKE_AUTH requests.

vrouter> show state vrf <vrf> ike vpn-counters name <string> ike-auth-in-req

ike-auth-in-resp (state only)

Received IKE_AUTH responses.

vrouter> show state vrf <vrf> ike vpn-counters name <string> ike-auth-in-resp

ike-auth-out-req (state only)

Sent IKE_AUTH requests.

vrouter> show state vrf <vrf> ike vpn-counters name <string> ike-auth-out-req

ike-auth-out-resp (state only)

Sent IKE_AUTH responses.

vrouter> show state vrf <vrf> ike vpn-counters name <string> ike-auth-out-resp

create-child-in-req (state only)

Received CREATE_CHILD_SA requests.

vrouter> show state vrf <vrf> ike vpn-counters name <string> create-child-in-req

create-child-in-resp (state only)

Received CREATE_CHILD_SA responses.

vrouter> show state vrf <vrf> ike vpn-counters name <string> create-child-in-resp

create-child-out-req (state only)

Sent CREATE_CHILD_SA requests.

vrouter> show state vrf <vrf> ike vpn-counters name <string> create-child-out-req

create-child-out-resp (state only)

Sent CREATE_CHILD_SA responses.

vrouter> show state vrf <vrf> ike vpn-counters name <string> create-child-out-resp

info-in-req (state only)

Received INFORMATIONAL requests.

vrouter> show state vrf <vrf> ike vpn-counters name <string> info-in-req

info-in-resp (state only)

Received INFORMATIONAL responses.

vrouter> show state vrf <vrf> ike vpn-counters name <string> info-in-resp

info-out-req (state only)

Sent INFORMATIONAL requests.

vrouter> show state vrf <vrf> ike vpn-counters name <string> info-out-req

info-out-resp (state only)

Sent INFORMATIONAL responses.

vrouter> show state vrf <vrf> ike vpn-counters name <string> info-out-resp
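The per-VPN counters above are cumulative, so the useful signal is the increment between two reads. The following is an added example (not vrouter code and not from its documentation) showing how an operator script could derive findings from two such reads: an IKE_SA_INIT burst that is not followed by IKE_AUTH (half-open SA flood or scanning), outbound IKE_SA_INIT with no responses (peer down or UDP/500 filtered), growth in invalid-spi, and unanswered CREATE_CHILD_SA rekeys. It assumes the values have already been collected into dicts keyed by the counter names on this page (for example by scripting `show state vrf <vrf> ike vpn-counters name <string>`); the thresholds and the sample snapshots are constructed for illustration.

```python
"""Derive IKE negotiation findings from two reads of the vpn-counters.

Added example, not part of the vrouter product or its documentation.
Assumption: counters were collected into dicts keyed by the names on this
page; thresholds are illustrative and must be tuned per deployment.
"""
from dataclasses import dataclass

COUNTERS = (
    "invalid-spi",
    "ike-init-in-req", "ike-init-in-resp", "ike-init-out-req", "ike-init-out-resp",
    "ike-auth-in-req", "ike-auth-in-resp", "ike-auth-out-req", "ike-auth-out-resp",
    "create-child-in-req", "create-child-in-resp",
    "create-child-out-req", "create-child-out-resp",
    "info-in-req", "info-in-resp", "info-out-req", "info-out-resp",
)


@dataclass
class Finding:
    severity: str
    counter: str
    message: str


def deltas(before: dict, after: dict) -> dict:
    """Per-interval increments. A counter that reset (after < before) is
    reported as its raw 'after' value rather than a negative delta."""
    out = {}
    for name in COUNTERS:
        b, a = before.get(name, 0), after.get(name, 0)
        out[name] = a - b if a >= b else a
    return out


def analyse(before: dict, after: dict, interval_s: float,
            init_rate_limit: float = 5.0, half_open_ratio: float = 10.0) -> list[Finding]:
    d = deltas(before, after)
    findings = []

    # 1. Many IKE_SA_INIT requests answered but rarely followed by IKE_AUTH:
    #    each one costs the responder a DH exponentiation and a half-open SA
    #    slot, the classic IKE DoS pattern (RFC 7296 section 2.6 cookies).
    init_req = d["ike-init-in-req"]
    auth_req = d["ike-auth-in-req"]
    rate = init_req / interval_s if interval_s > 0 else float(init_req)
    if rate > init_rate_limit and init_req > half_open_ratio * max(auth_req, 1):
        findings.append(Finding("high", "ike-init-in-req",
            f"{init_req} IKE_SA_INIT requests but only {auth_req} IKE_AUTH "
            f"requests in {interval_s:.0f}s ({rate:.1f}/s): possible DoS or scan"))

    # 2. Initiator side: IKE_SA_INIT sent, nothing comes back.
    if d["ike-init-out-req"] > 0 and d["ike-init-in-resp"] == 0:
        findings.append(Finding("medium", "ike-init-out-req",
            f"{d['ike-init-out-req']} IKE_SA_INIT sent, no responses: "
            "peer unreachable or UDP/500 filtered"))

    # 3. Unknown-SPI messages: a trickle is benign (peer holds stale SAs after
    #    our restart); a surge relative to real negotiations deserves a capture.
    if d["invalid-spi"] > 0:
        sev = "high" if d["invalid-spi"] > init_req + auth_req else "low"
        findings.append(Finding(sev, "invalid-spi",
            f"{d['invalid-spi']} messages with unknown IKE SPI"))

    # 4. Repeated CREATE_CHILD_SA requests with no responses: rekeying fails,
    #    the Child SA will reach life-time and traffic will drop.
    if d["create-child-out-req"] > 2 and d["create-child-in-resp"] == 0:
        findings.append(Finding("medium", "create-child-out-req",
            "rekey requests unanswered; check proposal/PFS mismatch on the peer"))
    return findings


# Constructed sample: a 60 s window on a responder seeing an initiation flood.
SNAPSHOT_T0 = {name: 0 for name in COUNTERS}
SNAPSHOT_T1 = {**SNAPSHOT_T0,
               "ike-init-in-req": 900, "ike-init-out-resp": 900,
               "ike-auth-in-req": 3, "ike-auth-out-resp": 3,
               "invalid-spi": 12}

if __name__ == "__main__":
    for f in analyse(SNAPSHOT_T0, SNAPSHOT_T1, 60.0):
        print(f"[{f.severity}] {f.counter}: {f.message}")
```

Feed it consecutive reads taken at a fixed interval; the ratio test in step 1 is what separates a legitimate reconnect storm (inits roughly matched by auths) from a flood.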

ike-sa (state only)

List of IKE Security Associations.

name (state only)

Name of the VPN.

vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> name

version (state only)

IKE version.

vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> version

state (state only)

IKE SA state.

vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> state

local-address (state only)

Local IKE IP address.

vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> local-address

remote-address (state only)

Remote IKE IP address.

vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> remote-address

local-port (state only)

Local IKE UDP port.

vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> local-port

remote-port (state only)

Remote IKE UDP port.

vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> remote-port

initiator-spi (state only)

IKE initiator SPI.

vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> initiator-spi

responder-spi (state only)

IKE responder SPI.

vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> responder-spi

enc-alg (state only)

IKE encryption algorithm.

vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> enc-alg

auth-alg (state only)

IKE authentication algorithm.

vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> auth-alg

aead-alg (state only)

IKE combined-mode algorithm.

vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> aead-alg

prf-alg (state only)

IKE pseudo-random function (PRF) algorithm.

vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> prf-alg

dh-group (state only)

IKE Diffie-Hellman group.

vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> dh-group

established-time (state only)

Seconds since IKE session was established.

vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> established-time

rekey-time (state only)

Seconds before IKE session is rekeyed.

vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> rekey-time

reauth-time (state only)

Seconds before IKE session is reauthenticated.

vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> reauth-time

udp-encap (state only)

UDP encapsulation state.

vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> udp-encap

local-vip (state only)

List of local virtual IP addresses.

vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> local-vip

remote-vip (state only)

List of remote virtual IP addresses.

vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> remote-vip

child-sa (state only)

List of Child Security Associations.

name (state only)

Name of the policy.

vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> name

state (state only)

Child SA state.

vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> state

reqid (state only)

Request ID (reqid) of the Child SA, which binds its IPsec SAs to the matching security policies (SPs).

vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> reqid

protocol (state only)

IPsec protocol.

vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> protocol

udp-encap (state only)

UDP encapsulation state.

vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> udp-encap

spi-in (state only)

Inbound Security Parameters Index.

vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> spi-in

spi-out (state only)

Outbound Security Parameters Index.

vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> spi-out

enc-alg (state only)

ESP encryption algorithm.

vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> enc-alg

auth-alg (state only)

ESP or AH authentication algorithm.

vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> auth-alg

aead-alg (state only)

ESP combined-mode algorithm.

vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> aead-alg

dh-group (state only)

Diffie-Hellman group used for Perfect Forward Secrecy (PFS) on Child SA rekeys; empty when PFS is not negotiated.

vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> dh-group

esn (state only)

Extended Sequence Number state.

vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> esn

bytes-in (state only)

Input bytes processed by this Child SA.

vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> bytes-in

packets-in (state only)

Input packets processed by this Child SA.

vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> packets-in

bytes-out (state only)

Output bytes processed by this Child SA.

vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> bytes-out

packets-out (state only)

Output packets processed by this Child SA.

vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> packets-out

installed-time (state only)

Seconds since IPsec SAs were installed.

vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> installed-time

rekey-time (state only)

Seconds before IPsec SAs are rekeyed.

vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> rekey-time

life-time (state only)

Seconds before IPsec SAs are deleted.

vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> life-time

local-ts (state only)

Local traffic selector.

subnet (state only)

Private subnet or address (default: the tunnel outer address or virtual IP, if negotiated).

vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> local-ts subnet

protocol (state only)

Protocol number (default any).

vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> local-ts protocol

port (state only)

Port number or ICMP type/code (default any).

vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> local-ts port

remote-ts (state only)

Remote traffic selector.

subnet (state only)

Private subnet or address (default: the tunnel outer address or virtual IP, if negotiated).

vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> remote-ts subnet

protocol (state only)

Protocol number (default any).

vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> remote-ts protocol

port (state only)

Port number or ICMP type/code (default any).

vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> remote-ts port
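The ike-sa and child-sa state fields above are what an auditor reads to confirm that what was negotiated matches policy, not just what was configured. The following added example (not vrouter code, not from its documentation) audits one IKE SA and its Child SAs using the field names on this page: weak encryption or integrity algorithms, an AEAD-less ESP SA with no integrity, sub-2048-bit MODP or sub-256-bit ECP groups, a Child SA without PFS (empty dh-group), ESN disabled, no rekey scheduled before life-time, and one-way traffic on a Child SA (a routing or traffic-selector problem). It assumes the values were collected into dicts keyed by those field names; the algorithm spellings (AES_GCM_16-256, HMAC_SHA1_96, MODP_1024, ...), the boolean encodings and the sample SAs are constructed assumptions, which is why names are normalised before matching.

```python
"""Audit IKE SA / Child SA state against a minimum crypto policy.

Added example, not part of the vrouter product. Assumptions: state fields
are dicts keyed by the names on this page; algorithm identifiers are
matched after normalisation because their exact spelling is not known.
"""
import re

BROKEN_ENC = ("des", "null", "rc4", "blowfish", "cast")   # '3des' contains 'des'
WEAK_AUTH = ("md5", "sha1")
TRUE_VALUES = {"true", "yes", "on", "1", "enabled"}


def _norm(value) -> str:
    """'AES_GCM_16-256' -> 'aesgcm16256'; None -> ''."""
    return re.sub(r"[^a-z0-9]", "", str(value or "").lower())


def _truthy(value) -> bool:
    return value is True or _norm(value) in TRUE_VALUES


def weak_dh(group) -> bool:
    """MODP below 2048 bits or ECP below 256 bits is considered weak;
    anything else (including curve25519) passes. Empty group -> False."""
    g = _norm(group)
    m = re.search(r"modp(\d+)", g)
    if m:
        return int(m.group(1)) < 2048
    m = re.search(r"ecp(\d+)", g)
    if m:
        return int(m.group(1)) < 256
    return False


def audit_ike_sa(sa: dict) -> list[str]:
    issues, n = [], sa.get("name", "?")
    if _norm(sa.get("version")).endswith("1"):          # '1', 'ikev1', 'v1'
        issues.append(f"{n}: IKEv1 in use; prefer IKEv2")
    if any(w in _norm(sa.get("enc-alg")) for w in BROKEN_ENC):
        issues.append(f"{n}: weak IKE encryption {sa.get('enc-alg')}")
    if not _norm(sa.get("aead-alg")):                   # AEAD covers integrity
        auth = _norm(sa.get("auth-alg"))
        if not auth:
            issues.append(f"{n}: no integrity algorithm on IKE SA")
        elif any(w in auth for w in WEAK_AUTH):
            issues.append(f"{n}: weak IKE integrity {sa.get('auth-alg')}")
    if not _norm(sa.get("dh-group")):
        issues.append(f"{n}: no DH group reported for IKE SA")
    elif weak_dh(sa.get("dh-group")):
        issues.append(f"{n}: weak IKE DH group {sa.get('dh-group')}")
    if not int(sa.get("rekey-time") or 0) and not int(sa.get("reauth-time") or 0):
        issues.append(f"{n}: neither rekey nor reauth scheduled")
    return issues


def audit_child_sa(child: dict, ike_name: str) -> list[str]:
    issues, n = [], f"{ike_name}/{child.get('name', '?')}"
    enc, aead, auth = (_norm(child.get(k)) for k in ("enc-alg", "aead-alg", "auth-alg"))
    if _norm(child.get("protocol")) == "ah":
        issues.append(f"{n}: AH provides integrity only, no confidentiality")
    elif any(w in enc for w in BROKEN_ENC):
        issues.append(f"{n}: weak ESP encryption {child.get('enc-alg')}")
    if not aead:
        if not auth:
            issues.append(f"{n}: ESP without integrity protection")
        elif any(w in auth for w in WEAK_AUTH):
            issues.append(f"{n}: weak ESP integrity {child.get('auth-alg')}")
    if not _norm(child.get("dh-group")):
        issues.append(f"{n}: no PFS (no DH group on Child SA rekey)")
    elif weak_dh(child.get("dh-group")):
        issues.append(f"{n}: weak PFS group {child.get('dh-group')}")
    if not _truthy(child.get("esn")):
        issues.append(f"{n}: ESN disabled; 32-bit sequence numbers, SA must "
                      "be rekeyed before 2^32 packets")
    rekey, life = int(child.get("rekey-time") or 0), int(child.get("life-time") or 0)
    if life and not rekey:
        issues.append(f"{n}: no rekey scheduled; SA expires in {life}s")
    pin, pout = int(child.get("packets-in") or 0), int(child.get("packets-out") or 0)
    if (pin == 0) != (pout == 0):
        issues.append(f"{n}: one-way traffic (in={pin}, out={pout}); "
                      "check routing and traffic selectors")
    return issues


def audit(sa: dict, children: list[dict]) -> list[str]:
    out = audit_ike_sa(sa)
    for c in children:
        out += audit_child_sa(c, sa.get("name", "?"))
    return out


# Constructed sample: a sound IKE SA with one sound-looking and one bad Child SA.
SAMPLE_IKE_SA = {"name": "hq-branch1", "version": "2", "enc-alg": "",
                 "aead-alg": "AES_GCM_16-256", "prf-alg": "PRF_HMAC_SHA2_256",
                 "dh-group": "MODP_3072", "rekey-time": 7200, "reauth-time": 0}
SAMPLE_CHILD_SAS = [
    {"name": "lan", "protocol": "esp", "enc-alg": "", "auth-alg": "",
     "aead-alg": "AES_GCM_16-256", "dh-group": "", "esn": "yes",
     "rekey-time": 2400, "life-time": 3600, "packets-in": 1200, "packets-out": 0},
    {"name": "mgmt", "protocol": "esp", "enc-alg": "3DES_CBC",
     "auth-alg": "HMAC_SHA1_96", "aead-alg": "", "dh-group": "MODP_1024",
     "esn": "no", "rekey-time": 0, "life-time": 900, "packets-in": 10, "packets-out": 12},
]

if __name__ == "__main__":
    for line in audit(SAMPLE_IKE_SA, SAMPLE_CHILD_SAS):
        print(line)
```

The split between the IKE SA and Child SA checks mirrors the state tree: the IKE SA's dh-group protects the key exchange, while an empty Child SA dh-group means rekeys reuse the IKE SA's keying material, so a compromise of the IKE SA keys exposes every Child SA derived from it.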

pool-lease (state only)

List of virtual address pool leases.

address (state only)

First virtual address in the pool.

vrouter> show state vrf <vrf> ike pool-lease name <string> address

size (state only)

Virtual address pool size.

vrouter> show state vrf <vrf> ike pool-lease name <string> size

online (state only)

Number of online virtual addresses.

vrouter> show state vrf <vrf> ike pool-lease name <string> online

offline (state only)

Number of offline virtual addresses.

vrouter> show state vrf <vrf> ike pool-lease name <string> offline