3.2.32. ike

Note

requires an IPsec Application License.

IKE configuration.

vsr running config# vrf <vrf> ike

enabled (pushed)

Enable or disable the IKE protocol and indicate whether the system should negotiate Security Associations for the IPsec protocol.

vsr running config# vrf <vrf> ike
vsr running ike# enabled true|false
Default value
true

pool

List of virtual address pools.

vsr running config# vrf <vrf> ike pool <pool>

<pool>

IKE object name type.

address (mandatory)

Virtual addresses in the pool.

vsr running config# vrf <vrf> ike pool <pool>
vsr running pool <pool># address ADDRESS

ADDRESS values

Description

<ipv4-address>

An IPv4 address.

<ipv6-address>

An IPv6 address.

<ipv4-prefix>

An IPv4 prefix: address and CIDR mask.

<ipv6-prefix>

An IPv6 prefix: address and CIDR mask.

<ipv4-range>

An IPv4 address range, in the form addr4-addr4.

<ipv6-range>

An IPv6 address range, in the form addr6-addr6.

dns

List of DNS (Domain Name Service) server IP addresses.

vsr running config# vrf <vrf> ike pool <pool>
vsr running pool <pool># dns DNS

DNS values

Description

<ipv4-address>

An IPv4 address.

<ipv6-address>

An IPv6 address.

nbns

List of NBNS (NetBIOS Name Service) server IP addresses.

vsr running config# vrf <vrf> ike pool <pool>
vsr running pool <pool># nbns NBNS

NBNS values

Description

<ipv4-address>

An IPv4 address.

<ipv6-address>

An IPv6 address.

dhcp

List of DHCP server IP addresses.

vsr running config# vrf <vrf> ike pool <pool>
vsr running pool <pool># dhcp DHCP

DHCP values

Description

<ipv4-address>

An IPv4 address.

<ipv6-address>

An IPv6 address.

subnet

List of sub-networks that this device protects (attributes INTERNAL_IP4_SUBNET/INTERNAL_IP6_SUBNET).

vsr running config# vrf <vrf> ike pool <pool>
vsr running pool <pool># subnet SUBNET

SUBNET values

Description

<subnet-ip-address>

The ipv4-prefix type represents an IPv4 address prefix. The prefix length is given by the number following the slash character and must be less than or equal to 32. A prefix length value of n corresponds to an IP address mask that has n contiguous 1-bits from the most significant bit (MSB) and all other bits set to 0. The canonical format of an IPv4 prefix has all bits of the IPv4 address set to zero that are not part of the IPv4 prefix.

<subnet-ip-address>

The ipv6-prefix type represents an IPv6 address prefix. The prefix length is given by the number following the slash character and must be less than or equal to 128. A prefix length value of n corresponds to an IP address mask that has n contiguous 1-bits from the most significant bit (MSB) and all other bits set to 0. The IPv6 address should have all bits that do not belong to the prefix set to zero. The canonical format of an IPv6 prefix has all bits of the IPv6 address set to zero that are not part of the IPv6 prefix. Furthermore, the IPv6 address is represented as defined in Section 4 of RFC 5952.

netmask

The internal network’s netmask. This attribute should only be used with IPv4 pools.

vsr running config# vrf <vrf> ike pool <pool>
vsr running pool <pool># netmask NETMASK

NETMASK

An IPv4 address.

certificate

List of X509 certificates.

vsr running config# vrf <vrf> ike certificate <certificate>

<certificate>

IKE object name type.

certificate (mandatory) (hidden)

PEM-encoded X509 certificate.

vsr running config# vrf <vrf> ike certificate <certificate>
vsr running certificate <certificate># certificate <string>

private-key (mandatory) (hidden)

PEM-encoded X509 private key.

vsr running config# vrf <vrf> ike certificate <certificate>
vsr running certificate <certificate># private-key <string>

certificate-authority

List of X509 CA certificates.

vsr running config# vrf <vrf> ike certificate-authority <certificate-authority>

<certificate-authority>

IKE object name type.

certificate (mandatory)

PEM-encoded X509 certificate.

vsr running config# vrf <vrf> ike certificate-authority <certificate-authority>
vsr running certificate-authority <certificate-authority># certificate <string>

crl

PEM-encoded X509 certificate revocation list.

vsr running config# vrf <vrf> ike certificate-authority <certificate-authority>
vsr running certificate-authority <certificate-authority># crl <string>

crl-uri

List of CRL distribution points (ldap or http URIs).

vsr running config# vrf <vrf> ike certificate-authority <certificate-authority>
vsr running certificate-authority <certificate-authority># crl-uri CRL-URI

CRL-URI

An ASCII-encoded Uniform Resource Identifier (URI) as defined in RFC 3986.

pre-shared-key

List of pre-shared keys.

vsr running config# vrf <vrf> ike pre-shared-key <pre-shared-key>

<pre-shared-key>

IKE object name type.

id

List of IKE identities the IKE pre-shared secret belongs to.

vsr running config# vrf <vrf> ike pre-shared-key <pre-shared-key>
vsr running pre-shared-key <pre-shared-key># id ID

ID values

Description

<ike-id>

An IPv4 address.

<ike-id>

An IPv6 address.

<ike-id>{1,253}

The domain-name type represents a DNS domain name. Whether the name must be fully qualified is left to the models which utilize this type. Internet domain names are only loosely specified. Section 3.5 of RFC 1034 recommends a syntax (modified in Section 2.1 of RFC 1123). The pattern above is intended to allow for current practice in domain name use, and some possible future expansion. It is designed to hold various types of domain names, including names used for A or AAAA records (host names) and other records, such as SRV records. Note that Internet host names have a stricter syntax (described in RFC 952) than the DNS recommendations in RFCs 1034 and 1123, and that systems that want to store host names in schema nodes using the domain-name type are recommended to adhere to this stricter standard to ensure interoperability. The encoding of DNS names in the DNS protocol is limited to 255 characters. Since the encoding consists of labels prefixed by a length byte and there is a trailing NULL byte, only 253 characters can appear in the textual dotted notation. Domain-name values use the US-ASCII encoding. Their canonical format uses lowercase US-ASCII characters. Internationalized domain names MUST be encoded in punycode as described in RFC 3492.

<ike-id>

IKE ID (IP address, fqdn, e-mail address or distinguished name).

<ike-id>

IKE ID (IP address, fqdn, e-mail address or distinguished name).

secret (mandatory) (hidden)

Value of the IKE pre-shared secret.

vsr running config# vrf <vrf> ike pre-shared-key <pre-shared-key>
vsr running pre-shared-key <pre-shared-key># secret SECRET

SECRET values

Description

<0x-hex-string>

Pre-shared key secret.

<0s-base64-string>

Pre-shared key secret.

<ascii-string>

Pre-shared key secret.

eap-key

List of EAP keys.

vsr running config# vrf <vrf> ike eap-key <eap-key>

<eap-key>

IKE object name type.

id

List of EAP identities the EAP secret belongs to.

vsr running config# vrf <vrf> ike eap-key <eap-key>
vsr running eap-key <eap-key># id ID

ID

EAP ID.

secret (mandatory) (hidden)

Value of the EAP secret.

vsr running config# vrf <vrf> ike eap-key <eap-key>
vsr running eap-key <eap-key># secret SECRET

SECRET values

Description

<0x-hex-string>

Pre-shared key secret.

<0s-base64-string>

Pre-shared key secret.

<ascii-string>

Pre-shared key secret.

eap-radius

EAP RADIUS parameters.

vsr running config# vrf <vrf> ike eap-radius

nas-identifier

Network Access Server identifier.

vsr running config# vrf <vrf> ike eap-radius
vsr running eap-radius# nas-identifier <string>
Default value
6WINDvRouter

auth-port

RADIUS server port number for EAP authentication.

vsr running config# vrf <vrf> ike eap-radius
vsr running eap-radius# auth-port <uint16>
Default value
1812

sockets

Maximum simultaneous authentication sessions with the RADIUS server.

vsr running config# vrf <vrf> ike eap-radius
vsr running eap-radius# sockets <1-1024>
Default value
1

retransmit-tries

Number of times to retransmit a packet before giving up.

vsr running config# vrf <vrf> ike eap-radius
vsr running eap-radius# retransmit-tries <0..100>
Default value
4

retransmit-timeout

Timeout in seconds before sending first retransmit.

vsr running config# vrf <vrf> ike eap-radius
vsr running eap-radius# retransmit-timeout <0.000 .. 60.000>
Default value
2.0

retransmit-base

Base to use for calculating retransmit exponential back off.

vsr running config# vrf <vrf> ike eap-radius
vsr running eap-radius# retransmit-base <0.000 .. 10.000>
Default value
1.4

source

Source address.

vsr running config# vrf <vrf> ike eap-radius
vsr running eap-radius# source SOURCE

SOURCE values

Description

<ipv4-address>

An IPv4 address.

<ipv6-address>

An IPv6 address.

server

List of RADIUS servers.

vsr running config# vrf <vrf> ike eap-radius server <server>

<server>

IKE object name type.

address (mandatory)

RADIUS server IP address.

vsr running config# vrf <vrf> ike eap-radius server <server>
vsr running server <server># address ADDRESS

ADDRESS values

Description

<ipv4-address>

An IPv4 address.

<ipv6-address>

An IPv6 address.

vrf

RADIUS server VRF.

vsr running config# vrf <vrf> ike eap-radius server <server>
vsr running server <server># vrf VRF

VRF values

Description

main

The main vrf.

<string>

The vrf name.

secret (mandatory) (hidden)

Secret shared with the RADIUS server.

vsr running config# vrf <vrf> ike eap-radius server <server>
vsr running server <server># secret SECRET

SECRET values

Description

<0x-hex-string>

Pre-shared key secret.

<0s-base64-string>

Pre-shared key secret.

<ascii-string>

Pre-shared key secret.

nas-identifier

Network Access Server identifier.

vsr running config# vrf <vrf> ike eap-radius server <server>
vsr running server <server># nas-identifier <string>

auth-port

RADIUS server port number for EAP authentication.

vsr running config# vrf <vrf> ike eap-radius server <server>
vsr running server <server># auth-port <uint16>

sockets

Maximum simultaneous authentication sessions with the RADIUS server.

vsr running config# vrf <vrf> ike eap-radius server <server>
vsr running server <server># sockets <1-1024>

retransmit-tries

Number of times to retransmit a packet before giving up.

vsr running config# vrf <vrf> ike eap-radius server <server>
vsr running server <server># retransmit-tries <0..100>

retransmit-timeout

Timeout in seconds before sending first retransmit.

vsr running config# vrf <vrf> ike eap-radius server <server>
vsr running server <server># retransmit-timeout <0.000 .. 60.000>

retransmit-base

Base to use for calculating retransmit exponential back off.

vsr running config# vrf <vrf> ike eap-radius server <server>
vsr running server <server># retransmit-base <0.000 .. 10.000>

source

Source address.

vsr running config# vrf <vrf> ike eap-radius server <server>
vsr running server <server># source SOURCE

SOURCE values

Description

<ipv4-address>

An IPv4 address.

<ipv6-address>

An IPv6 address.

psk-radius

PSK RADIUS parameters.

vsr running config# vrf <vrf> ike psk-radius

password (mandatory) (hidden)

Password used to authenticate users on RADIUS servers.

vsr running config# vrf <vrf> ike psk-radius
vsr running psk-radius# password <string>

nas-identifier

Network Access Server identifier.

vsr running config# vrf <vrf> ike psk-radius
vsr running psk-radius# nas-identifier <string>
Default value
6WINDvRouter

auth-port

RADIUS server port number for EAP authentication.

vsr running config# vrf <vrf> ike psk-radius
vsr running psk-radius# auth-port <uint16>
Default value
1812

sockets

Maximum simultaneous authentication sessions with the RADIUS server.

vsr running config# vrf <vrf> ike psk-radius
vsr running psk-radius# sockets <1-1024>
Default value
1

retransmit-tries

Number of times to retransmit a packet before giving up.

vsr running config# vrf <vrf> ike psk-radius
vsr running psk-radius# retransmit-tries <0..100>
Default value
4

retransmit-timeout

Timeout in seconds before sending first retransmit.

vsr running config# vrf <vrf> ike psk-radius
vsr running psk-radius# retransmit-timeout <0.000 .. 60.000>
Default value
2.0

retransmit-base

Base to use for calculating retransmit exponential back off.

vsr running config# vrf <vrf> ike psk-radius
vsr running psk-radius# retransmit-base <0.000 .. 10.000>
Default value
1.4

source

Source address.

vsr running config# vrf <vrf> ike psk-radius
vsr running psk-radius# source SOURCE

SOURCE values

Description

<ipv4-address>

An IPv4 address.

<ipv6-address>

An IPv6 address.

server

List of RADIUS servers.

vsr running config# vrf <vrf> ike psk-radius server <server>

<server>

IKE object name type.

address (mandatory)

RADIUS server IP address.

vsr running config# vrf <vrf> ike psk-radius server <server>
vsr running server <server># address ADDRESS

ADDRESS values

Description

<ipv4-address>

An IPv4 address.

<ipv6-address>

An IPv6 address.

vrf

RADIUS server VRF.

vsr running config# vrf <vrf> ike psk-radius server <server>
vsr running server <server># vrf VRF

VRF values

Description

main

The main vrf.

<string>

The vrf name.

secret (mandatory) (hidden)

Secret shared with the RADIUS server.

vsr running config# vrf <vrf> ike psk-radius server <server>
vsr running server <server># secret SECRET

SECRET values

Description

<0x-hex-string>

Pre-shared key secret.

<0s-base64-string>

Pre-shared key secret.

<ascii-string>

Pre-shared key secret.

nas-identifier

Network Access Server identifier.

vsr running config# vrf <vrf> ike psk-radius server <server>
vsr running server <server># nas-identifier <string>

auth-port

RADIUS server port number for EAP authentication.

vsr running config# vrf <vrf> ike psk-radius server <server>
vsr running server <server># auth-port <uint16>

sockets

Maximum simultaneous authentication sessions with the RADIUS server.

vsr running config# vrf <vrf> ike psk-radius server <server>
vsr running server <server># sockets <1-1024>

retransmit-tries

Number of times to retransmit a packet before giving up.

vsr running config# vrf <vrf> ike psk-radius server <server>
vsr running server <server># retransmit-tries <0..100>

retransmit-timeout

Timeout in seconds before sending first retransmit.

vsr running config# vrf <vrf> ike psk-radius server <server>
vsr running server <server># retransmit-timeout <0.000 .. 60.000>

retransmit-base

Base to use for calculating retransmit exponential back off.

vsr running config# vrf <vrf> ike psk-radius server <server>
vsr running server <server># retransmit-base <0.000 .. 10.000>

source

Source address.

vsr running config# vrf <vrf> ike psk-radius server <server>
vsr running server <server># source SOURCE

SOURCE values

Description

<ipv4-address>

An IPv4 address.

<ipv6-address>

An IPv6 address.

logging

Logs configuration.

vsr running config# vrf <vrf> ike logging

daemon

Max level of messages logged in the system daemons facility.

vsr running config# vrf <vrf> ike logging daemon

default

Default max log level.

vsr running config# vrf <vrf> ike logging daemon
vsr running daemon# default DEFAULT

DEFAULT values

Description

disable

No log.

0

Very basic auditing logs (e.g. SA up/SA down).

1

Generic control flow with errors, a good default to see what's going on.

2

More detailed debugging control flow.

3

Including RAW data dumps in hex.

4

Also include sensitive material in dumps, e.g. keys.

Default value
0

asn1

Low-level encoding/decoding (ASN.1, X.509 etc.).

vsr running config# vrf <vrf> ike logging daemon
vsr running daemon# asn1 ASN1

ASN1 values

Description

disable

No log.

0

Very basic auditing logs (e.g. SA up/SA down).

1

Generic control flow with errors, a good default to see what's going on.

2

More detailed debugging control flow.

3

Including RAW data dumps in hex.

4

Also include sensitive material in dumps, e.g. keys.

config

Configuration management and plugins.

vsr running config# vrf <vrf> ike logging daemon
vsr running daemon# config CONFIG

CONFIG values

Description

disable

No log.

0

Very basic auditing logs (e.g. SA up/SA down).

1

Generic control flow with errors, a good default to see what's going on.

2

More detailed debugging control flow.

3

Including RAW data dumps in hex.

4

Also include sensitive material in dumps, e.g. keys.

child

CHILD_SA/IPsec SA processing.

vsr running config# vrf <vrf> ike logging daemon
vsr running daemon# child CHILD

CHILD values

Description

disable

No log.

0

Very basic auditing logs (e.g. SA up/SA down).

1

Generic control flow with errors, a good default to see what's going on.

2

More detailed debugging control flow.

3

Including RAW data dumps in hex.

4

Also include sensitive material in dumps, e.g. keys.

daemon

Main daemon setup/cleanup/signal handling.

vsr running config# vrf <vrf> ike logging daemon
vsr running daemon# daemon DAEMON

DAEMON values

Description

disable

No log.

0

Very basic auditing logs (e.g. SA up/SA down).

1

Generic control flow with errors, a good default to see what's going on.

2

More detailed debugging control flow.

3

Including RAW data dumps in hex.

4

Also include sensitive material in dumps, e.g. keys.

encoding

Packet encoding/decoding encryption/decryption operations.

vsr running config# vrf <vrf> ike logging daemon
vsr running daemon# encoding ENCODING

ENCODING values

Description

disable

No log.

0

Very basic auditing logs (e.g. SA up/SA down).

1

Generic control flow with errors, a good default to see what's going on.

2

More detailed debugging control flow.

3

Including RAW data dumps in hex.

4

Also include sensitive material in dumps, e.g. keys.

ipsec

Libipsec library messages.

vsr running config# vrf <vrf> ike logging daemon
vsr running daemon# ipsec IPSEC

IPSEC values

Description

disable

No log.

0

Very basic auditing logs (e.g. SA up/SA down).

1

Generic control flow with errors, a good default to see what's going on.

2

More detailed debugging control flow.

3

Including RAW data dumps in hex.

4

Also include sensitive material in dumps, e.g. keys.

ike

IKE_SA/ISAKMP SA processing.

vsr running config# vrf <vrf> ike logging daemon
vsr running daemon# ike IKE

IKE values

Description

disable

No log.

0

Very basic auditing logs (e.g. SA up/SA down).

1

Generic control flow with errors, a good default to see what's going on.

2

More detailed debugging control flow.

3

Including RAW data dumps in hex.

4

Also include sensitive material in dumps, e.g. keys.

job

Jobs queuing/processing and thread pool management.

vsr running config# vrf <vrf> ike logging daemon
vsr running daemon# job JOB

JOB values

Description

disable

No log.

0

Very basic auditing logs (e.g. SA up/SA down).

1

Generic control flow with errors, a good default to see what's going on.

2

More detailed debugging control flow.

3

Including RAW data dumps in hex.

4

Also include sensitive material in dumps, e.g. keys.

kernel

IPsec/Networking kernel interface.

vsr running config# vrf <vrf> ike logging daemon
vsr running daemon# kernel KERNEL

KERNEL values

Description

disable

No log.

0

Very basic auditing logs (e.g. SA up/SA down).

1

Generic control flow with errors, a good default to see what's going on.

2

More detailed debugging control flow.

3

Including RAW data dumps in hex.

4

Also include sensitive material in dumps, e.g. keys.

library

libstrongswan library messages.

vsr running config# vrf <vrf> ike logging daemon
vsr running daemon# library LIBRARY

LIBRARY values

Description

disable

No log.

0

Very basic auditing logs (e.g. SA up/SA down).

1

Generic control flow with errors, a good default to see what's going on.

2

More detailed debugging control flow.

3

Including RAW data dumps in hex.

4

Also include sensitive material in dumps, e.g. keys.

manager

IKE_SA manager, handling synchronization for IKE_SA access.

vsr running config# vrf <vrf> ike logging daemon
vsr running daemon# manager MANAGER

MANAGER values

Description

disable

No log.

0

Very basic auditing logs (e.g. SA up/SA down).

1

Generic control flow with errors, a good default to see what's going on.

2

More detailed debugging control flow.

3

Including RAW data dumps in hex.

4

Also include sensitive material in dumps, e.g. keys.

network

IKE network communication.

vsr running config# vrf <vrf> ike logging daemon
vsr running daemon# network NETWORK

NETWORK values

Description

disable

No log.

0

Very basic auditing logs (e.g. SA up/SA down).

1

Generic control flow with errors, a good default to see what's going on.

2

More detailed debugging control flow.

3

Including RAW data dumps in hex.

4

Also include sensitive material in dumps, e.g. keys.

authpriv

Max level of messages logged in the private security/authorization messages facility.

vsr running config# vrf <vrf> ike logging authpriv

default

Default max log level.

vsr running config# vrf <vrf> ike logging authpriv
vsr running authpriv# default DEFAULT

DEFAULT values

Description

disable

No log.

0

Very basic auditing logs (e.g. SA up/SA down).

1

Generic control flow with errors, a good default to see what's going on.

2

More detailed debugging control flow.

3

Including RAW data dumps in hex.

4

Also include sensitive material in dumps, e.g. keys.

Default value
disable

asn1

Low-level encoding/decoding (ASN.1, X.509 etc.).

vsr running config# vrf <vrf> ike logging authpriv
vsr running authpriv# asn1 ASN1

ASN1 values

Description

disable

No log.

0

Very basic auditing logs (e.g. SA up/SA down).

1

Generic control flow with errors, a good default to see what's going on.

2

More detailed debugging control flow.

3

Including RAW data dumps in hex.

4

Also include sensitive material in dumps, e.g. keys.

config

Configuration management and plugins.

vsr running config# vrf <vrf> ike logging authpriv
vsr running authpriv# config CONFIG

CONFIG values

Description

disable

No log.

0

Very basic auditing logs (e.g. SA up/SA down).

1

Generic control flow with errors, a good default to see what's going on.

2

More detailed debugging control flow.

3

Including RAW data dumps in hex.

4

Also include sensitive material in dumps, e.g. keys.

child

CHILD_SA/IPsec SA processing.

vsr running config# vrf <vrf> ike logging authpriv
vsr running authpriv# child CHILD

CHILD values

Description

disable

No log.

0

Very basic auditing logs (e.g. SA up/SA down).

1

Generic control flow with errors, a good default to see what's going on.

2

More detailed debugging control flow.

3

Including RAW data dumps in hex.

4

Also include sensitive material in dumps, e.g. keys.

daemon

Main daemon setup/cleanup/signal handling.

vsr running config# vrf <vrf> ike logging authpriv
vsr running authpriv# daemon DAEMON

DAEMON values

Description

disable

No log.

0

Very basic auditing logs (e.g. SA up/SA down).

1

Generic control flow with errors, a good default to see what's going on.

2

More detailed debugging control flow.

3

Including RAW data dumps in hex.

4

Also include sensitive material in dumps, e.g. keys.

encoding

Packet encoding/decoding encryption/decryption operations.

vsr running config# vrf <vrf> ike logging authpriv
vsr running authpriv# encoding ENCODING

ENCODING values

Description

disable

No log.

0

Very basic auditing logs (e.g. SA up/SA down).

1

Generic control flow with errors, a good default to see what's going on.

2

More detailed debugging control flow.

3

Including RAW data dumps in hex.

4

Also include sensitive material in dumps, e.g. keys.

ipsec

Libipsec library messages.

vsr running config# vrf <vrf> ike logging authpriv
vsr running authpriv# ipsec IPSEC

IPSEC values

Description

disable

No log.

0

Very basic auditing logs (e.g. SA up/SA down).

1

Generic control flow with errors, a good default to see what's going on.

2

More detailed debugging control flow.

3

Including RAW data dumps in hex.

4

Also include sensitive material in dumps, e.g. keys.

ike

IKE_SA/ISAKMP SA processing.

vsr running config# vrf <vrf> ike logging authpriv
vsr running authpriv# ike IKE

IKE values

Description

disable

No log.

0

Very basic auditing logs (e.g. SA up/SA down).

1

Generic control flow with errors, a good default to see what's going on.

2

More detailed debugging control flow.

3

Including RAW data dumps in hex.

4

Also include sensitive material in dumps, e.g. keys.

job

Jobs queuing/processing and thread pool management.

vsr running config# vrf <vrf> ike logging authpriv
vsr running authpriv# job JOB

JOB values

Description

disable

No log.

0

Very basic auditing logs (e.g. SA up/SA down).

1

Generic control flow with errors, a good default to see what's going on.

2

More detailed debugging control flow.

3

Including RAW data dumps in hex.

4

Also include sensitive material in dumps, e.g. keys.

kernel

IPsec/Networking kernel interface.

vsr running config# vrf <vrf> ike logging authpriv
vsr running authpriv# kernel KERNEL

KERNEL values

Description

disable

No log.

0

Very basic auditing logs (e.g. SA up/SA down).

1

Generic control flow with errors, a good default to see what's going on.

2

More detailed debugging control flow.

3

Including RAW data dumps in hex.

4

Also include sensitive material in dumps, e.g. keys.

library

libstrongswan library messages.

vsr running config# vrf <vrf> ike logging authpriv
vsr running authpriv# library LIBRARY

LIBRARY values

Description

disable

No log.

0

Very basic auditing logs (e.g. SA up/SA down).

1

Generic control flow with errors, a good default to see what's going on.

2

More detailed debugging control flow.

3

Including RAW data dumps in hex.

4

Also include sensitive material in dumps, e.g. keys.

manager

IKE_SA manager, handling synchronization for IKE_SA access.

vsr running config# vrf <vrf> ike logging authpriv
vsr running authpriv# manager MANAGER

MANAGER values

Description

disable

No log.

0

Very basic auditing logs (e.g. SA up/SA down).

1

Generic control flow with errors, a good default to see what's going on.

2

More detailed debugging control flow.

3

Including RAW data dumps in hex.

4

Also include sensitive material in dumps, e.g. keys.

network

IKE network communication.

vsr running config# vrf <vrf> ike logging authpriv
vsr running authpriv# network NETWORK

NETWORK values

Description

disable

No log.

0

Very basic auditing logs (e.g. SA up/SA down).

1

Generic control flow with errors, a good default to see what's going on.

2

More detailed debugging control flow.

3

Including RAW data dumps in hex.

4

Also include sensitive material in dumps, e.g. keys.

global-options

Global ike options.

vsr running config# vrf <vrf> ike global-options

threads

Number of worker threads in IKE daemon.

vsr running config# vrf <vrf> ike global-options
vsr running global-options# threads <uint32>
Default value
16

acquire-timeout

Lifetime of SA acquire messages created when traffic matches a trap policy (seconds).

vsr running config# vrf <vrf> ike global-options
vsr running global-options# acquire-timeout <uint32>
Default value
30

half-open-timeout

Timeout for connecting an IKE SA (seconds).

vsr running config# vrf <vrf> ike global-options
vsr running global-options# half-open-timeout <uint32>
Default value
30

sa-table-size

Size of the IKE SA hash table.

vsr running config# vrf <vrf> ike global-options
vsr running global-options# sa-table-size <uint32>
Default value
1

sa-table-segments

Number of locks to use for the IKE SA hash table.

vsr running config# vrf <vrf> ike global-options
vsr running global-options# sa-table-segments <uint32>
Default value
1

install-routes

If true, install routes into a separate routing table for established IPsec tunnels.

vsr running config# vrf <vrf> ike global-options
vsr running global-options# install-routes true|false
Default value
false

routing-table

Numerical routing table to install routes to.

vsr running config# vrf <vrf> ike global-options
vsr running global-options# routing-table <uint32>
Default value
220

routing-table-prio

Priority of the routing table.

vsr running config# vrf <vrf> ike global-options
vsr running global-options# routing-table-prio <uint32>
Default value
220

retransmit-tries

Number of times to retransmit a packet before giving up.

vsr running config# vrf <vrf> ike global-options
vsr running global-options# retransmit-tries <0..100>
Default value
5

retransmit-timeout

Timeout in seconds before sending first retransmit.

vsr running config# vrf <vrf> ike global-options
vsr running global-options# retransmit-timeout <0.000 .. 60.000>
Default value
4.0

retransmit-base

Base to use for calculating retransmit exponential back off.

vsr running config# vrf <vrf> ike global-options
vsr running global-options# retransmit-base <0.000 .. 10.000>
Default value
1.8
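The retransmit-tries, retransmit-timeout and retransmit-base parameters (under eap-radius, its server list, psk-radius and global-options) together define an exponential backoff. The following is an added example written for this page, not vRouter or strongSwan code; it assumes the daemon follows strongSwan's documented rule that the n-th retransmission (n starting at 0) is sent timeout * base**n seconds after the previous send, and that the daemon gives up after one further such wait following the last retransmission.

```python
from typing import Dict, List


def retransmit_schedule(timeout: float, base: float, tries: int) -> List[float]:
    """Seconds to wait before the 1st, 2nd, ... retransmission of a packet.
    Assumed rule (strongSwan documentation, not stated on this page): the
    n-th retransmission, n starting at 0, waits timeout * base**n seconds,
    so the delays grow geometrically whenever base > 1."""
    if timeout < 0 or base < 0 or tries < 0:
        raise ValueError("retransmit parameters must be non-negative")
    return [round(timeout * base ** n, 3) for n in range(tries)]


def time_to_give_up(timeout: float, base: float, tries: int) -> float:
    """Seconds from the first transmission until the peer is considered
    unreachable: every wait in the schedule plus one more wait after the
    final retransmission (tries == 0 therefore gives up after `timeout`)."""
    return round(sum(timeout * base ** n for n in range(tries + 1)), 3)


def page_defaults() -> Dict[str, float]:
    """Give-up times implied by the default values listed on this page."""
    return {
        "global-options (4.0 s, base 1.8, 5 tries)": time_to_give_up(4.0, 1.8, 5),
        "eap-radius / psk-radius (2.0 s, base 1.4, 4 tries)": time_to_give_up(2.0, 1.4, 4),
    }


if __name__ == "__main__":
    print("IKE retransmit waits:", retransmit_schedule(4.0, 1.8, 5))
    print("RADIUS retransmit waits:", retransmit_schedule(2.0, 1.4, 4))
    for profile, seconds in page_defaults().items():
        print(f"{profile}: gives up after about {seconds} s")
```

The global-options defaults keep an unanswered IKE exchange alive for roughly 165 seconds, far longer than the 30 second half-open-timeout, which is worth keeping in mind when sizing the dos-protection limits below.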

delete-rekeyed

Whether to immediately delete the old child SAs after an IKEv1 rekey. If false, old child SAs will be deleted after their hard lifetime, or on reception of a delete notification from the IKE peer.

vsr running config# vrf <vrf> ike global-options
vsr running global-options# delete-rekeyed true|false
Default value
false

delete-rekeyed-delay

Delay in seconds before deleting the old inbound child SAs after an IKEv2 rekey as initiator.

vsr running config# vrf <vrf> ike global-options
vsr running global-options# delete-rekeyed-delay DELETE-REKEYED-DELAY

DELETE-REKEYED-DELAY values

Description

never

Keep the inbound child SA until its lifetime.

<uint32>

Delay in seconds before deleting the old inbound child SAs.

Default value
5

make-before-break

During reauthentication, whether to recreate all new SAs before deleting the old ones. This implies using overlapping IKE and child SAs, which must be supported by the IKE peer.

vsr running config# vrf <vrf> ike global-options
vsr running global-options# make-before-break true|false
Default value
false

interface-use

List of network interfaces that should be used. All other interfaces are ignored.

vsr running config# vrf <vrf> ike global-options
vsr running global-options# interface-use INTERFACE-USE

INTERFACE-USE

An interface name.

interface-ignore

List of network interfaces that should be ignored. If interface-use is specified, this option has no effect.

vsr running config# vrf <vrf> ike global-options
vsr running global-options# interface-ignore INTERFACE-IGNORE

INTERFACE-IGNORE

An interface name.

snmp

Enable or disable the IKE SNMP agent (default false).

vsr running config# vrf <vrf> ike global-options
vsr running global-options# snmp true|false
Default value
false

mobike-prefer-best-path

Dynamically update SAs with MOBIKE on routing changes using the cheapest path.

vsr running config# vrf <vrf> ike global-options
vsr running global-options# mobike-prefer-best-path true|false
Default value
false

install-vip

Whether the virtual IP addresses should be installed.

vsr running config# vrf <vrf> ike global-options
vsr running global-options# install-vip true|false
Default value
true

install-vip-on

The name of the interface on which virtual IP addresses should be installed. If not specified the addresses will be installed on the outbound interface.

vsr running config# vrf <vrf> ike global-options
vsr running global-options# install-vip-on INSTALL-VIP-ON

INSTALL-VIP-ON

An interface name.

retry-initiate-interval

unit: seconds

Interval in seconds to use when retrying to initiate an IKE_SA (e.g. if DNS resolution failed), 0 to disable retries.

vsr running config# vrf <vrf> ike global-options
vsr running global-options# retry-initiate-interval <uint8>
Default value
0

dn-matching

Distinguished Name matching policy when checking if a remote peer identity matches a vpn remote-id.

vsr running config# vrf <vrf> ike global-options
vsr running global-options# dn-matching DN-MATCHING

DN-MATCHING values

Description

strict

The number, type, order and value of all RDNs must match. Wildcards (*) for RDN values are allowed.

reordered

The number, type and value of all RDNs must match, but the RDNs may appear in different order. Wildcards (*) for RDN values are allowed.

relaxed

The type and value of all RDNs have to match. The IKE identity may contain more RDNs than the filter. Wildcards (*) for RDN values are allowed.

Default value
strict
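The three dn-matching policies above, as an added example written for this page (not VSR code): a small DN matcher that applies the strict, reordered and relaxed rules with "*" wildcards in the remote-id filter. The comma-separated DN parser, the function names and the sample DNs are assumptions made for illustration.

```python
"""Added example (not VSR code): how strict / reordered / relaxed dn-matching
decide whether a peer's IKE identity DN matches a configured vpn remote-id."""
from __future__ import annotations


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split 'C=CH, O=Example, CN=*' into an ordered list of (type, value) RDNs.
    Simplified on purpose: comma separated, no escaping, no multi-valued RDNs."""
    rdns = []
    for part in dn.split(","):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        typ, val = part.split("=", 1)
        rdns.append((typ.strip().upper(), val.strip()))
    return rdns


def _rdn_matches(filter_rdn: tuple[str, str], identity_rdn: tuple[str, str]) -> bool:
    """The RDN type must match; a filter value of '*' matches any identity value."""
    ftype, fval = filter_rdn
    itype, ival = identity_rdn
    return ftype == itype and (fval == "*" or fval == ival)


def dn_matches(identity: str, remote_id: str, policy: str = "strict") -> bool:
    """identity: DN presented by the peer; remote_id: configured filter (may use '*')."""
    ident = parse_dn(identity)
    filt = parse_dn(remote_id)
    if policy == "strict":
        # number, type, order and value of all RDNs must match
        return len(ident) == len(filt) and all(
            _rdn_matches(f, i) for f, i in zip(filt, ident)
        )
    if policy in ("reordered", "relaxed"):
        # every filter RDN must be matched by a distinct identity RDN, in any order
        remaining = list(ident)
        for f in filt:
            for idx, i in enumerate(remaining):
                if _rdn_matches(f, i):
                    del remaining[idx]
                    break
            else:
                return False
        # reordered: the identity may not carry extra RDNs; relaxed: it may
        return policy == "relaxed" or not remaining
    raise ValueError(f"unknown dn-matching policy: {policy!r}")


if __name__ == "__main__":
    filt = "C=CH, O=Example, CN=*"
    for ident in ("C=CH, O=Example, CN=gw1",          # constructed sample identities
                  "O=Example, C=CH, CN=gw1",
                  "C=CH, O=Example, OU=VPN, CN=gw1"):
        print(ident, {p: dn_matches(ident, filt, p) for p in ("strict", "reordered", "relaxed")})
```

Note that relaxed is the most permissive policy: an identity carrying additional RDNs still matches, so a filter should pin the RDNs that actually identify the peer rather than rely on wildcards.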

dos-protection

Denial of Service protection using cookies and aggressiveness checks.

vsr running config# vrf <vrf> ike global-options dos-protection

block-threshold

Maximum number of half-open IKE SAs for a single peer IP. 0 disables this limit.

vsr running config# vrf <vrf> ike global-options dos-protection
vsr running dos-protection# block-threshold <uint32>
Default value
5

init-limit-half-open

Refuse new connections if the current number of half open IKE SAs reaches this limit. 0 disables the limit.

vsr running config# vrf <vrf> ike global-options dos-protection
vsr running dos-protection# init-limit-half-open <uint32>
Default value
0

init-limit-job-load

Refuse new connections if the current number of pending jobs waiting for an available thread reaches this limit. 0 disables the limit.

vsr running config# vrf <vrf> ike global-options dos-protection
vsr running dos-protection# init-limit-job-load <uint32>
Default value
0

ike-sa-limit

Number of established IKE SAs after which new connection attempts are blocked. 0 disables the limit.

vsr running config# vrf <vrf> ike global-options dos-protection
vsr running dos-protection# ike-sa-limit <uint32>
Default value
0
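The four dos-protection limits above, as an added example that is not part of the VSR documentation: an admission function that applies block-threshold, init-limit-half-open, init-limit-job-load and ike-sa-limit to a constructed stream of IKE_SA_INIT / IKE_AUTH events, so the effect of each knob (and of 0 meaning "no limit") can be observed. The order in which the limits are checked, the counter names and the sample peer addresses are assumptions.

```python
"""Added example (not VSR code): admission decisions of the dos-protection
limits replayed over a constructed sequence of IKE exchanges."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field


@dataclass
class DosProtection:
    """Mirrors the page's knobs; 0 disables the corresponding limit."""
    block_threshold: int = 5        # max half-open IKE SAs per peer IP
    init_limit_half_open: int = 0   # max half-open IKE SAs overall
    init_limit_job_load: int = 0    # max jobs waiting for a thread
    ike_sa_limit: int = 0           # max established IKE SAs


@dataclass
class IkeState:
    half_open: Counter = field(default_factory=Counter)  # per peer IP
    pending_jobs: int = 0
    established: int = 0

    @property
    def total_half_open(self) -> int:
        return sum(self.half_open.values())


def admit_init(cfg: DosProtection, st: IkeState, peer_ip: str) -> tuple[bool, str]:
    """Decide on a new IKE_SA_INIT from peer_ip. Check order is an assumption:
    per-peer threshold, global half-open limit, job load, established-SA limit."""
    if cfg.block_threshold and st.half_open[peer_ip] >= cfg.block_threshold:
        return False, f"block-threshold reached for {peer_ip}"
    if cfg.init_limit_half_open and st.total_half_open >= cfg.init_limit_half_open:
        return False, "init-limit-half-open reached"
    if cfg.init_limit_job_load and st.pending_jobs >= cfg.init_limit_job_load:
        return False, "init-limit-job-load reached"
    if cfg.ike_sa_limit and st.established >= cfg.ike_sa_limit:
        return False, "ike-sa-limit reached"
    st.half_open[peer_ip] += 1      # accepted: the SA is half-open until IKE_AUTH
    return True, "accepted"


def complete_auth(st: IkeState, peer_ip: str) -> None:
    """IKE_AUTH succeeded: the SA leaves the half-open set and counts as established."""
    st.half_open[peer_ip] -= 1
    st.established += 1


def replay(cfg: DosProtection, events: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """events: ("init", ip) or ("auth", ip). Returns the (ip, reason) refusals,
    which is what a defender would expect to see logged."""
    st = IkeState()
    refused = []
    for kind, ip in events:
        if kind == "init":
            ok, why = admit_init(cfg, st, ip)
            if not ok:
                refused.append((ip, why))
        elif kind == "auth":
            complete_auth(st, ip)
    return refused


if __name__ == "__main__":
    # constructed: one peer never completes IKE_AUTH, another behaves normally
    flood = [("init", "198.51.100.7")] * 6 + [("init", "203.0.113.5"), ("auth", "203.0.113.5")]
    print(replay(DosProtection(), flood))
```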

sp-hash-ipv4

Thresholds for hashing IPv4 Security Policies in IPsec stack.

vsr running config# vrf <vrf> ike global-options
vsr running global-options# sp-hash-ipv4 local <0-32> remote <0-32>

local

Number of security policy (SP) local address bits to include in the hash key.

local <0-32>
Default value
32

remote

Number of security policy (SP) remote address bits to include in the hash key.

remote <0-32>
Default value
32

sp-hash-ipv6

Thresholds for hashing IPv6 Security Policies in IPsec stack.

vsr running config# vrf <vrf> ike global-options
vsr running global-options# sp-hash-ipv6 local <0-128> remote <0-128>

local

Number of security policy (SP) local address bits to include in the hash key.

local <0-128>
Default value
128

remote

Number of security policy (SP) remote address bits to include in the hash key.

remote <0-128>
Default value
128

ha

IKE High Availability parameters.

vsr running config# vrf <vrf> ike ha

enabled

Enable or disable IKE High Availability.

vsr running config# vrf <vrf> ike ha
vsr running ha# enabled true|false
Default value
true

listen-ha-group (mandatory)

The HA group to be monitored. If the state of this group changes, it will trigger a failover of the IKE service to/from another IKE HA node.

vsr running config# vrf <vrf> ike ha
vsr running ha# listen-ha-group <string>

node-id (deprecated)

Attention

Deprecated since: 2024-02-12
Obsolete in release: 24q3
Description: Sequence numbers are now synchronized by the main IKE daemon. Set node-id and interface to use the legacy external daemon instead, typically for compatibility with an ha peer running an old version.
Replacement: none

Local identifier in the IKE HA Cluster (if sequence numbers and statistics synchronization are handled by a legacy external daemon).

vsr running config# vrf <vrf> ike ha
vsr running ha# node-id <1-15>

interface (deprecated)

Attention

Deprecated since: 2024-02-12
Obsolete in release: 24q3
Description: Sequence numbers are now synchronized by the main IKE daemon. Set node-id and interface to use the legacy external daemon instead, typically for compatibility with an ha peer running an old version.
Replacement: none

Interface on which to perform HA peer discovery (if sequence numbers and statistics synchronization are handled by a legacy external daemon).

vsr running config# vrf <vrf> ike ha
vsr running ha# interface INTERFACE

INTERFACE

An interface name.

local-address (mandatory)

Local IP address to communicate with the HA peer.

vsr running config# vrf <vrf> ike ha
vsr running ha# local-address LOCAL-ADDRESS

LOCAL-ADDRESS values

Description

<ipv4-address>

An IPv4 address.

<ipv6-address>

An IPv6 address.

remote-address (mandatory)

Remote IP address to communicate with the HA peer.

vsr running config# vrf <vrf> ike ha
vsr running ha# remote-address REMOTE-ADDRESS

REMOTE-ADDRESS values

Description

<ipv4-address>

An IPv4 address.

<ipv6-address>

An IPv6 address.

dscp

DSCP of HA synchronization messages.

vsr running config# vrf <vrf> ike ha
vsr running ha# dscp <0-63>
Default value
0

seqnum-sync

SA sequence number synchronization.

vsr running config# vrf <vrf> ike ha seqnum-sync

oseq-shift

SA output sequence number advance on backup node.

vsr running config# vrf <vrf> ike ha seqnum-sync
vsr running seqnum-sync# oseq-shift <uint64>
Default value
65536

sync-period-time

SA sequence number synchronization period in time. State is always printed in seconds.

vsr running config# vrf <vrf> ike ha seqnum-sync
vsr running seqnum-sync# sync-period-time SYNC-PERIOD-TIME

SYNC-PERIOD-TIME

IKE duration, with optional unit (s|m|h|d).

Default value
10s

sync-period-packets

SA sequence number synchronization period in packets.

vsr running config# vrf <vrf> ike ha seqnum-sync
vsr running seqnum-sync# sync-period-packets <0-2147483647>
Default value
2

pool

List of virtual address pools synchronized via HA.

vsr running config# vrf <vrf> ike ha pool <pool>

<pool>

IKE object name type.

address (mandatory)

Virtual addresses in the pool.

vsr running config# vrf <vrf> ike ha pool <pool>
vsr running pool <pool># address ADDRESS

ADDRESS values

Description

<ipv4-address>

An IPv4 address.

<ipv6-address>

An IPv6 address.

<ipv4-prefix>

An IPv4 prefix: address and CIDR mask.

<ipv6-prefix>

An IPv6 prefix: address and CIDR mask.

<ipv4-range>

An IPv4 address range, in the form addr4-addr4.

<ipv6-range>

An IPv6 address range, in the form addr6-addr6.

dns

List of DNS (Domain Name Service) servers IP addresses.

vsr running config# vrf <vrf> ike ha pool <pool>
vsr running pool <pool># dns DNS

DNS values

Description

<ipv4-address>

An IPv4 address.

<ipv6-address>

An IPv6 address.

nbns

List of NBNS (NetBIOS Name Service) servers IP addresses.

vsr running config# vrf <vrf> ike ha pool <pool>
vsr running pool <pool># nbns NBNS

NBNS values

Description

<ipv4-address>

An IPv4 address.

<ipv6-address>

An IPv6 address.

dhcp

List of DHCP servers IP addresses.

vsr running config# vrf <vrf> ike ha pool <pool>
vsr running pool <pool># dhcp DHCP

DHCP values

Description

<ipv4-address>

An IPv4 address.

<ipv6-address>

An IPv6 address.

subnet

List of sub-networks that this device protects (attributes INTERNAL_IP4_SUBNET/INTERNAL_IP6_SUBNET).

vsr running config# vrf <vrf> ike ha pool <pool>
vsr running pool <pool># subnet SUBNET

SUBNET values

Description

<subnet-ip-address>

The ipv4-prefix type represents an IPv4 address prefix. The prefix length is given by the number following the slash character and must be less than or equal to 32. A prefix length value of n corresponds to an IP address mask that has n contiguous 1-bits from the most significant bit (MSB) and all other bits set to 0. The canonical format of an IPv4 prefix has all bits of the IPv4 address set to zero that are not part of the IPv4 prefix.

<subnet-ip-address>

The ipv6-prefix type represents an IPv6 address prefix. The prefix length is given by the number following the slash character and must be less than or equal to 128. A prefix length value of n corresponds to an IP address mask that has n contiguous 1-bits from the most significant bit (MSB) and all other bits set to 0. The IPv6 address should have all bits that do not belong to the prefix set to zero. The canonical format of an IPv6 prefix has all bits of the IPv6 address set to zero that are not part of the IPv6 prefix. Furthermore, the IPv6 address is represented as defined in Section 4 of RFC 5952.

netmask

The internal network’s netmask. This attribute should only be used with IPv4 pools.

vsr running config# vrf <vrf> ike ha pool <pool>
vsr running pool <pool># netmask NETMASK

NETMASK

An IPv4 address.

pool-lease (state only)

List of virtual address pool leases.

address (state only)

Base virtual address of the pool.

vsr> show state vrf <vrf> ike ha pool-lease name <pool-lease> address

size (state only)

Virtual address pool size.

vsr> show state vrf <vrf> ike ha pool-lease name <pool-lease> size

online (state only)

Number of online virtual addresses.

vsr> show state vrf <vrf> ike ha pool-lease name <pool-lease> online

offline (state only)

Number of offline virtual addresses.

vsr> show state vrf <vrf> ike ha pool-lease name <pool-lease> offline

ike-policy-template (config only)

List of IKE VPN policies.

vsr running config# vrf <vrf> ike ike-policy-template <ike-policy-template>

<ike-policy-template>

IKE object name type.

local-auth-method (config only)

Local IKE authentication method.

vsr running config# vrf <vrf> ike ike-policy-template <ike-policy-template>
vsr running ike-policy-template <ike-policy-template># local-auth-method LOCAL-AUTH-METHOD

LOCAL-AUTH-METHOD values

Description

pre-shared-key

Pre-shared key.

certificate

Public key signature with X509 Certificates.

eap-md5

Extensible Authentication Protocol - MD5-Challenge.

eap-mschapv2

Extensible Authentication Protocol - Microsoft Challenge-Handshake Authentication Protocol v2.

Default value
pre-shared-key

remote-auth-method (config only)

Remote IKE authentication method.

vsr running config# vrf <vrf> ike ike-policy-template <ike-policy-template>
vsr running ike-policy-template <ike-policy-template># remote-auth-method REMOTE-AUTH-METHOD

REMOTE-AUTH-METHOD values

Description

pre-shared-key

Pre-shared key.

certificate

Public key signature with X509 Certificates.

eap-md5

Extensible Authentication Protocol - MD5-Challenge.

eap-mschapv2

Extensible Authentication Protocol - Microsoft Challenge-Handshake Authentication Protocol v2.

eap-radius

Extensible Authentication Protocol delegated to a RADIUS server.

Default value
pre-shared-key

keying-tries (config only)

Number of times we should try to initiate an IKE connection if the responder does not answer (after a full sequence of retransmissions). A value of 0 initiates a new sequence forever, until the connection establishes or fails with a permanent error.

vsr running config# vrf <vrf> ike ike-policy-template <ike-policy-template>
vsr running ike-policy-template <ike-policy-template># keying-tries <uint32>
Default value
1

unique-sa (config only)

Connection uniqueness policy to enforce, to avoid multiple connections from the same user ID.

vsr running config# vrf <vrf> ike ike-policy-template <ike-policy-template>
vsr running ike-policy-template <ike-policy-template># unique-sa UNIQUE-SA

UNIQUE-SA values

Description

no

Do not enforce IKE SA uniqueness, except if a peer included INITIAL_CONTACT notify.

never

Never enforce IKE SA uniqueness, even if a peer included INITIAL_CONTACT notify. Never send INITIAL_CONTACT as initiator.

keep

Reject new connection attempts from same user.

replace

Delete any existing connection if a new one for the same user gets established.

Default value
no

reauth-time (config only)

Time to schedule IKE reauthentication, at least greater than 10% of the rekey-time.

vsr running config# vrf <vrf> ike ike-policy-template <ike-policy-template>
vsr running ike-policy-template <ike-policy-template># reauth-time REAUTH-TIME

REAUTH-TIME

IKE duration, with optional unit (s|m|h|d).

Default value
0s

rekey-time (config only)

Time to schedule IKE rekeying.

vsr running config# vrf <vrf> ike ike-policy-template <ike-policy-template>
vsr running ike-policy-template <ike-policy-template># rekey-time REKEY-TIME

REKEY-TIME

IKE duration, with optional unit (s|m|h|d).

Default value
4h

dpd-delay (config only)

Interval to check the liveness of a peer.

vsr running config# vrf <vrf> ike ike-policy-template <ike-policy-template>
vsr running ike-policy-template <ike-policy-template># dpd-delay DPD-DELAY

DPD-DELAY

IKE duration, with optional unit (s|m|h|d).

Default value
0s

aggressive (config only)

Enable or disable Aggressive Mode instead of Main Mode in IKEv1.

vsr running config# vrf <vrf> ike ike-policy-template <ike-policy-template>
vsr running ike-policy-template <ike-policy-template># aggressive true|false
Default value
false

udp-encap (config only)

If true, enforce UDP encapsulation of ESP packets.

vsr running config# vrf <vrf> ike ike-policy-template <ike-policy-template>
vsr running ike-policy-template <ike-policy-template># udp-encap true|false
Default value
false

mobike (config only)

If true, enable MOBIKE (IKEv2 Mobility and Multihoming Protocol).

vsr running config# vrf <vrf> ike ike-policy-template <ike-policy-template>
vsr running ike-policy-template <ike-policy-template># mobike true|false
Default value
false

revocation (config only)

Peer certificate revocation policy.

vsr running config# vrf <vrf> ike ike-policy-template <ike-policy-template>
vsr running ike-policy-template <ike-policy-template># revocation REVOCATION

REVOCATION values

Description

strict

Revocation check fails if a certificate is revoked or if no revocation information is available (no revocation URL or the revocation servers are unreachable).

if-url

Revocation check fails if a certificate is revoked or if the revocation servers are unreachable.

relaxed

Revocation check fails if a certificate is revoked, i.e. it is explicitly known that it is bad.

Default value
relaxed

ike-proposal (config only)

List of IKE phase 1 proposals.

vsr running config# vrf <vrf> ike ike-policy-template <ike-policy-template> ike-proposal <uint8>

<uint8>

Index in the list of IKE phase 1 proposals.

enc-alg (config only)

List of encryption algorithms for IKE SAs.

vsr running config# vrf <vrf> ike ike-policy-template <ike-policy-template> ike-proposal <uint8>
vsr running ike-proposal <uint8># enc-alg ENC-ALG

ENC-ALG values

Description

aes128-cbc

AES-CBC, 128 bit key.

aes192-cbc

AES-CBC, 192 bit key.

aes256-cbc

AES-CBC, 256 bit key.

des-cbc

DES-CBC, 56 bit key.

3des-cbc

3DES-CBC, 168 bit key.

aes128-ctr

AES-CTR, 128 bit key.

aes192-ctr

AES-CTR, 192 bit key.

aes256-ctr

AES-CTR, 256 bit key.

cast-cbc

CAST-CBC, 128 bit key.

blowfish128-cbc

Blowfish-CBC, 128 bit key.

blowfish192-cbc

Blowfish-CBC, 192 bit key.

blowfish256-cbc

Blowfish-CBC, 256 bit key.

camellia128-cbc

Camellia-CBC, 128 bit key.

camellia192-cbc

Camellia-CBC, 192 bit key.

camellia256-cbc

Camellia-CBC, 256 bit key.

camellia128-ctr

Camellia-CTR, 128 bit key.

camellia192-ctr

Camellia-CTR, 192 bit key.

camellia256-ctr

Camellia-CTR, 256 bit key.

auth-alg (config only)

List of auth algorithms for IKE SAs.

vsr running config# vrf <vrf> ike ike-policy-template <ike-policy-template> ike-proposal <uint8>
vsr running ike-proposal <uint8># auth-alg AUTH-ALG

AUTH-ALG values

Description

hmac-md5

HMAC-MD5-96.

hmac-sha1

HMAC-SHA1-96.

hmac-sha256

HMAC-SHA256-128.

hmac-sha384

HMAC-SHA384-192.

hmac-sha512

HMAC-SHA512-256.

aes-xcbc

AES-XCBC-96.

aead-alg (config only)

List of combined-mode (AEAD) algorithms for IKE SAs.

vsr running config# vrf <vrf> ike ike-policy-template <ike-policy-template> ike-proposal <uint8>
vsr running ike-proposal <uint8># aead-alg AEAD-ALG

AEAD-ALG values

Description

aes128-gcm-64

AES-GCM, 128 bit key, 64 bit ICV.

aes192-gcm-64

AES-GCM, 192 bit key, 64 bit ICV.

aes256-gcm-64

AES-GCM, 256 bit key, 64 bit ICV.

aes128-gcm-96

AES-GCM, 128 bit key, 96 bit ICV.

aes192-gcm-96

AES-GCM, 192 bit key, 96 bit ICV.

aes256-gcm-96

AES-GCM, 256 bit key, 96 bit ICV.

aes128-gcm-128

AES-GCM, 128 bit key, 128 bit ICV.

aes192-gcm-128

AES-GCM, 192 bit key, 128 bit ICV.

aes256-gcm-128

AES-GCM, 256 bit key, 128 bit ICV.

aes128-ccm-64

AES-CCM, 128 bit key, 64 bit ICV.

aes192-ccm-64

AES-CCM, 192 bit key, 64 bit ICV.

aes256-ccm-64

AES-CCM, 256 bit key, 64 bit ICV.

aes128-ccm-96

AES-CCM, 128 bit key, 96 bit ICV.

aes192-ccm-96

AES-CCM, 192 bit key, 96 bit ICV.

aes256-ccm-96

AES-CCM, 256 bit key, 96 bit ICV.

aes128-ccm-128

AES-CCM, 128 bit key, 128 bit ICV.

aes192-ccm-128

AES-CCM, 192 bit key, 128 bit ICV.

aes256-ccm-128

AES-CCM, 256 bit key, 128 bit ICV.

camellia128-ccm-64

Camellia-CCM, 128 bit key, 64 bit ICV.

camellia192-ccm-64

Camellia-CCM, 192 bit key, 64 bit ICV.

camellia256-ccm-64

Camellia-CCM, 256 bit key, 64 bit ICV.

camellia128-ccm-96

Camellia-CCM, 128 bit key, 96 bit ICV.

camellia192-ccm-96

Camellia-CCM, 192 bit key, 96 bit ICV.

camellia256-ccm-96

Camellia-CCM, 256 bit key, 96 bit ICV.

prf-alg (config only)

List of pseudo-random algorithms for IKE SAs.

vsr running config# vrf <vrf> ike ike-policy-template <ike-policy-template> ike-proposal <uint8>
vsr running ike-proposal <uint8># prf-alg PRF-ALG

PRF-ALG values

Description

hmac-md5

PRF-HMAC-MD5.

hmac-sha1

PRF-HMAC-SHA1.

aes-xcbc

AES-XCBC-PRF-128.

aes-cmac

AES-CMAC-PRF-128.

hmac-sha256

PRF-HMAC-SHA-256.

hmac-sha384

PRF-HMAC-SHA-384.

hmac-sha512

PRF-HMAC-SHA-512.

dh-group (config only) (mandatory)

List of Diffie Hellman groups for key exchange.

vsr running config# vrf <vrf> ike ike-policy-template <ike-policy-template> ike-proposal <uint8>
vsr running ike-proposal <uint8># dh-group DH-GROUP

DH-GROUP values

Description

modp768

Modulo Prime 768 bits (group 1).

modp1024

Modulo Prime 1024 bits (group 2).

modp1536

Modulo Prime 1536 bits (group 5).

modp2048

Modulo Prime 2048 bits (group 14).

modp3072

Modulo Prime 3072 bits (group 15).

modp4096

Modulo Prime 4096 bits (group 16).

modp6144

Modulo Prime 6144 bits (group 17).

modp8192

Modulo Prime 8192 bits (group 18).

modp1024s160

Modulo Prime 1024 bits, Subgroup 160 bits (group 22).

modp2048s224

Modulo Prime 2048 bits, Subgroup 224 bits (group 23).

modp2048s256

Modulo Prime 2048 bits, Subgroup 256 bits (group 24).

ecp192

Elliptic Curve 192 bits (group 25).

ecp224

Elliptic Curve 224 bits (group 26).

ecp256

Elliptic Curve 256 bits (group 19).

ecp384

Elliptic Curve 384 bits (group 20).

ecp521

Elliptic Curve 521 bits (group 21).

ecp224bp

Brainpool Elliptic Curve 224 bits (group 27).

ecp256bp

Brainpool Elliptic Curve 256 bits (group 28).

ecp384bp

Brainpool Elliptic Curve 384 bits (group 29).

ecp512bp

Brainpool Elliptic Curve 512 bits (group 30).

curve25519

Montgomery Elliptic Curve 256 bits (group 31).

curve448

Goldilocks Elliptic Curve 448 bits (group 32).

ipsec-policy-template (config only)

List of IPsec VPN policies.

vsr running config# vrf <vrf> ike ipsec-policy-template <ipsec-policy-template>

<ipsec-policy-template>

IKE object name type.

start-action (config only)

Action to perform for this CHILD_SA when the configuration is loaded.

vsr running config# vrf <vrf> ike ipsec-policy-template <ipsec-policy-template>
vsr running ipsec-policy-template <ipsec-policy-template># start-action START-ACTION

START-ACTION values

Description

none

Load the connection only; can be used as a responder configuration.

trap

Install a trap policy, which triggers the tunnel as soon as matching traffic has been detected.

start

Initiate the connection actively.

Default value
trap

close-action (config only)

Action to perform when a CHILD_SA gets closed by a peer.

vsr running config# vrf <vrf> ike ipsec-policy-template <ipsec-policy-template>
vsr running ipsec-policy-template <ipsec-policy-template># close-action CLOSE-ACTION

CLOSE-ACTION values

Description

none

Close the Child SA and take no further action.

trap

Install a trap policy matching traffic and try to re-negotiate the tunnel on-demand.

start

Try to immediately re-create the CHILD_SA.

Default value
trap

dpd-action (config only)

Action to perform for a CHILD_SA on DPD timeout.

vsr running config# vrf <vrf> ike ipsec-policy-template <ipsec-policy-template>
vsr running ipsec-policy-template <ipsec-policy-template># dpd-action DPD-ACTION

DPD-ACTION values

Description

clear

Close the Child SA and take no further action.

trap

Install a trap policy, which catches matching traffic and tries to re-negotiate the tunnel on demand.

restart

Immediately try to re-negotiate the CHILD_SA under a fresh IKE_SA.

Default value
restart

replay-window (config only)

Replay window size. 0 disables IPsec replay protection.

vsr running config# vrf <vrf> ike ipsec-policy-template <ipsec-policy-template>
vsr running ipsec-policy-template <ipsec-policy-template># replay-window <0-4096>
Default value
32

rekey-time (config only)

Time before initiating CHILD_SA rekeying.

vsr running config# vrf <vrf> ike ipsec-policy-template <ipsec-policy-template>
vsr running ipsec-policy-template <ipsec-policy-template># rekey-time REKEY-TIME

REKEY-TIME

IKE duration, with optional unit (s|m|h|d).

Default value
1h

inactivity (config only)

Timeout before closing CHILD_SA after inactivity. If no traffic has been processed in either direction for the configured timeout, the CHILD_SA gets closed due to inactivity (default value of 0 disables inactivity checks).

vsr running config# vrf <vrf> ike ipsec-policy-template <ipsec-policy-template>
vsr running ipsec-policy-template <ipsec-policy-template># inactivity INACTIVITY

INACTIVITY

IKE duration, with optional unit (s|m|h|d).

Default value
0

life-time (config only)

Maximum lifetime before CHILD_SA gets closed (default rekey-time + 10%).

vsr running config# vrf <vrf> ike ipsec-policy-template <ipsec-policy-template>
vsr running ipsec-policy-template <ipsec-policy-template># life-time LIFE-TIME

LIFE-TIME

IKE duration, with optional unit (s|m|h|d).

rand-time (config only)

Time range from which to choose a random value to subtract from rekey_time (default life_time - rekey_time).

vsr running config# vrf <vrf> ike ipsec-policy-template <ipsec-policy-template>
vsr running ipsec-policy-template <ipsec-policy-template># rand-time RAND-TIME

RAND-TIME

IKE duration, with optional unit (s|m|h|d).

rekey-bytes (config only)

Number of bytes processed before initiating CHILD_SA rekeying.

vsr running config# vrf <vrf> ike ipsec-policy-template <ipsec-policy-template>
vsr running ipsec-policy-template <ipsec-policy-template># rekey-bytes <uint64>
Default value
0

life-bytes (config only)

Maximum bytes processed before CHILD_SA gets closed (default rekey-bytes + 10%).

vsr running config# vrf <vrf> ike ipsec-policy-template <ipsec-policy-template>
vsr running ipsec-policy-template <ipsec-policy-template># life-bytes <uint64>

rand-bytes (config only)

Byte range from which to choose a random value to subtract from rekey_bytes (default life_bytes - rekey_bytes).

vsr running config# vrf <vrf> ike ipsec-policy-template <ipsec-policy-template>
vsr running ipsec-policy-template <ipsec-policy-template># rand-bytes <uint64>

rekey-packets (config only)

Number of packets processed before initiating CHILD_SA rekeying.

vsr running config# vrf <vrf> ike ipsec-policy-template <ipsec-policy-template>
vsr running ipsec-policy-template <ipsec-policy-template># rekey-packets <uint64>
Default value
0

life-packets (config only)

Maximum packets processed before CHILD_SA gets closed (default rekey-packets + 10%).

vsr running config# vrf <vrf> ike ipsec-policy-template <ipsec-policy-template>
vsr running ipsec-policy-template <ipsec-policy-template># life-packets <uint64>

rand-packets (config only)

Packet range from which to choose a random value to subtract from rekey_packets (default life_packets - rekey_packets).

vsr running config# vrf <vrf> ike ipsec-policy-template <ipsec-policy-template>
vsr running ipsec-policy-template <ipsec-policy-template># rand-packets <uint64>
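The rekey / life / rand triplets above (time, bytes and packets) all follow the same rule: the hard limit defaults to the soft limit plus 10%, the random range defaults to their difference, and the actual rekey point is the soft limit minus a random value from that range. The following is an added example, not VSR code, that parses the "IKE duration" syntax used on this page (number with optional s|m|h|d unit) and computes the resulting rekey window; the function names, the bare-number-means-seconds rule and the sanity checks are assumptions.

```python
"""Added example (not VSR code): IKE duration parsing and the effective
CHILD_SA rekey window derived from rekey / life / rand settings."""
from __future__ import annotations

import random
from typing import Optional

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(text: str) -> int:
    """'4h' -> 14400, '10s' -> 10, '0' -> 0. Assumption: a bare number is seconds."""
    text = text.strip()
    if text and text[-1] in _UNITS:
        return int(text[:-1]) * _UNITS[text[-1]]
    return int(text)


def rekey_window(rekey: int, life: Optional[int] = None,
                 rand: Optional[int] = None) -> tuple[int, int, Optional[int], Optional[int]]:
    """Return (life, rand, earliest, latest) for one limit, in seconds, bytes or
    packets. rekey == 0 disables the limit, so nothing is scheduled."""
    if rekey == 0:
        return (0, 0, None, None)
    if life is None:
        life = rekey + rekey // 10      # page default: rekey + 10%
    if rand is None:
        rand = life - rekey             # page default: life - rekey
    # added sanity checks (assumption): the hard limit must leave room for the
    # soft one, and the random offset cannot push the rekey point below zero
    if life < rekey:
        raise ValueError("hard limit (life) is below the soft limit (rekey)")
    if rand > rekey:
        raise ValueError("rand exceeds rekey")
    return (life, rand, rekey - rand, rekey)


def pick_rekey_point(rekey: int, life: Optional[int] = None,
                     rand: Optional[int] = None, rng=random) -> int:
    """Choose the point at which rekeying is initiated: rekey minus a random
    value from [0, rand]. Returns 0 when the limit is disabled."""
    _life, rand_eff, _earliest, latest = rekey_window(rekey, life, rand)
    if latest is None:
        return 0
    return latest - rng.randint(0, rand_eff)


if __name__ == "__main__":
    # page defaults: rekey-time 1h, life-time and rand-time unset
    rekey = parse_duration("1h")
    print(rekey_window(rekey))                  # (3960, 360, 3240, 3600)
    print(pick_rekey_point(rekey))              # somewhere in [3240, 3600]
    # rekey-bytes defaults to 0: the byte limit is disabled
    print(rekey_window(0))                      # (0, 0, None, None)
```

Because rand-time defaults to the full life/rekey gap, both peers rekeying from identical settings still land at different points, which avoids simultaneous rekey collisions; setting rand to 0 removes that jitter.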

encap-copy-dscp (config only)

Whether to copy DSCP from inner to outer IP header at IPsec encapsulation.

vsr running config# vrf <vrf> ike ipsec-policy-template <ipsec-policy-template>
vsr running ipsec-policy-template <ipsec-policy-template># encap-copy-dscp true|false
Default value
true

decap-copy-dscp (config only)

Whether to copy DSCP from outer to inner IP header at IPsec decapsulation.

vsr running config# vrf <vrf> ike ipsec-policy-template <ipsec-policy-template>
vsr running ipsec-policy-template <ipsec-policy-template># decap-copy-dscp true|false
Default value
false

encap-copy-df (config only)

Whether to copy the Don’t Fragment bit from outer to inner IP header at IPsec encapsulation.

vsr running config# vrf <vrf> ike ipsec-policy-template <ipsec-policy-template>
vsr running ipsec-policy-template <ipsec-policy-template># encap-copy-df true|false
Default value
true

esp-proposal (config only)

List of ESP proposals.

vsr running config# vrf <vrf> ike ipsec-policy-template <ipsec-policy-template> esp-proposal <uint8>

<uint8>

Index in list of ESP proposals.

enc-alg (config only)

List of encryption algorithms for IPsec SAs.

vsr running config# vrf <vrf> ike ipsec-policy-template <ipsec-policy-template> esp-proposal <uint8>
vsr running esp-proposal <uint8># enc-alg ENC-ALG

ENC-ALG values

Description

null

NULL.

aes128-cbc

AES-CBC, 128 bit key.

aes192-cbc

AES-CBC, 192 bit key.

aes256-cbc

AES-CBC, 256 bit key.

des-cbc

DES-CBC, 56 bit key.

3des-cbc

3DES-CBC, 168 bit key.

auth-alg (config only)

List of auth algorithms for IPsec SAs.

vsr running config# vrf <vrf> ike ipsec-policy-template <ipsec-policy-template> esp-proposal <uint8>
vsr running esp-proposal <uint8># auth-alg AUTH-ALG

AUTH-ALG values

Description

none

NONE.

hmac-md5

HMAC-MD5-96.

hmac-sha1

HMAC-SHA1-96.

hmac-sha256

HMAC-SHA256-128.

hmac-sha384

HMAC-SHA384-192.

hmac-sha512

HMAC-SHA512-256.

aes-xcbc

AES-XCBC-96.

aead-alg (config only)

List of combined-mode (AEAD) algorithms for IPsec SAs.

vsr running config# vrf <vrf> ike ipsec-policy-template <ipsec-policy-template> esp-proposal <uint8>
vsr running esp-proposal <uint8># aead-alg AEAD-ALG

AEAD-ALG values

Description

aes128-gcm-128

AES-GCM, 128 bit key, 128 bit ICV.

aes192-gcm-128

AES-GCM, 192 bit key, 128 bit ICV.

aes256-gcm-128

AES-GCM, 256 bit key, 128 bit ICV.

aes128-gmac

AES-GMAC, 128 bit key, 128 bit ICV.

aes192-gmac

AES-GMAC, 192 bit key, 128 bit ICV.

aes256-gmac

AES-GMAC, 256 bit key, 128 bit ICV.

dh-group (config only)

List of Diffie Hellman groups for Perfect Forward Secrecy.

vsr running config# vrf <vrf> ike ipsec-policy-template <ipsec-policy-template> esp-proposal <uint8>
vsr running esp-proposal <uint8># dh-group DH-GROUP

DH-GROUP values

Description

modp768

Modulo Prime 768 bits (group 1).

modp1024

Modulo Prime 1024 bits (group 2).

modp1536

Modulo Prime 1536 bits (group 5).

modp2048

Modulo Prime 2048 bits (group 14).

modp3072

Modulo Prime 3072 bits (group 15).

modp4096

Modulo Prime 4096 bits (group 16).

modp6144

Modulo Prime 6144 bits (group 17).

modp8192

Modulo Prime 8192 bits (group 18).

modp1024s160

Modulo Prime 1024 bits, Subgroup 160 bits (group 22).

modp2048s224

Modulo Prime 2048 bits, Subgroup 224 bits (group 23).

modp2048s256

Modulo Prime 2048 bits, Subgroup 256 bits (group 24).

ecp192

Elliptic Curve 192 bits (group 25).

ecp224

Elliptic Curve 224 bits (group 26).

ecp256

Elliptic Curve 256 bits (group 19).

ecp384

Elliptic Curve 384 bits (group 20).

ecp521

Elliptic Curve 521 bits (group 21).

ecp224bp

Brainpool Elliptic Curve 224 bits (group 27).

ecp256bp

Brainpool Elliptic Curve 256 bits (group 28).

ecp384bp

Brainpool Elliptic Curve 384 bits (group 29).

ecp512bp

Brainpool Elliptic Curve 512 bits (group 30).

curve25519

Montgomery Elliptic Curve 256 bits (group 31).

curve448

Goldilocks Elliptic Curve 448 bits (group 32).

esn (config only)

List of Extended Sequence Number modes.

vsr running config# vrf <vrf> ike ipsec-policy-template <ipsec-policy-template> esp-proposal <uint8>
vsr running esp-proposal <uint8># esn true|false

ah-proposal (config only)

List of AH proposals.

vsr running config# vrf <vrf> ike ipsec-policy-template <ipsec-policy-template> ah-proposal <uint8>

<uint8>

Index in list of AH proposals.

auth-alg (config only) (mandatory)

List of auth algorithms for IPsec SAs.

vsr running config# vrf <vrf> ike ipsec-policy-template <ipsec-policy-template> ah-proposal <uint8>
vsr running ah-proposal <uint8># auth-alg AUTH-ALG

AUTH-ALG values

Description

hmac-md5

HMAC-MD5-96.

hmac-sha1

HMAC-SHA1-96.

hmac-sha256

HMAC-SHA256-128.

hmac-sha384

HMAC-SHA384-192.

hmac-sha512

HMAC-SHA512-256.

aes-xcbc

AES-XCBC-96.

dh-group (config only)

List of Diffie Hellman groups for Perfect Forward Secrecy.

vsr running config# vrf <vrf> ike ipsec-policy-template <ipsec-policy-template> ah-proposal <uint8>
vsr running ah-proposal <uint8># dh-group DH-GROUP

DH-GROUP values

Description

modp768

Modulo Prime 768 bits (group 1).

modp1024

Modulo Prime 1024 bits (group 2).

modp1536

Modulo Prime 1536 bits (group 5).

modp2048

Modulo Prime 2048 bits (group 14).

modp3072

Modulo Prime 3072 bits (group 15).

modp4096

Modulo Prime 4096 bits (group 16).

modp6144

Modulo Prime 6144 bits (group 17).

modp8192

Modulo Prime 8192 bits (group 18).

modp1024s160

Modulo Prime 1024 bits, Subgroup 160 bits (group 22).

modp2048s224

Modulo Prime 2048 bits, Subgroup 224 bits (group 23).

modp2048s256

Modulo Prime 2048 bits, Subgroup 256 bits (group 24).

ecp192

Elliptic Curve 192 bits (group 25).

ecp224

Elliptic Curve 224 bits (group 26).

ecp256

Elliptic Curve 256 bits (group 19).

ecp384

Elliptic Curve 384 bits (group 20).

ecp521

Elliptic Curve 521 bits (group 21).

ecp224bp

Brainpool Elliptic Curve 224 bits (group 27).

ecp256bp

Brainpool Elliptic Curve 256 bits (group 28).

ecp384bp

Brainpool Elliptic Curve 384 bits (group 29).

ecp512bp

Brainpool Elliptic Curve 512 bits (group 30).

curve25519

Montgomery Elliptic Curve 256 bits (group 31).

curve448

Goldilocks Elliptic Curve 448 bits (group 32).

esn (config only)

List of Extended Sequence Number modes.

vsr running config# vrf <vrf> ike ipsec-policy-template <ipsec-policy-template> ah-proposal <uint8>
vsr running ah-proposal <uint8># esn true|false

vpn

List of IKE Virtual Private Networks.

vsr running config# vrf <vrf> ike vpn <vpn>

<vpn>

IKE object name type.

enabled

State of the VPN.

vsr running config# vrf <vrf> ike vpn <vpn>
vsr running vpn <vpn># enabled true|false
Default value
true

description

Description of the VPN.

vsr running config# vrf <vrf> ike vpn <vpn>
vsr running vpn <vpn># description <string>

version

IKE version. 0 accepts both IKEv1 and IKEv2 as responder, and initiates the connection actively with IKEv2.

vsr running config# vrf <vrf> ike vpn <vpn>
vsr running vpn <vpn># version <0-2>
Default value
2

local-address

List of IKE local peer addresses.

vsr running config# vrf <vrf> ike vpn <vpn>
vsr running vpn <vpn># local-address LOCAL-ADDRESS

LOCAL-ADDRESS values

Description

<domain-name>{1,253}

The domain-name type represents a DNS domain name. Fully qualified left to the models which utilize this type. Internet domain names are only loosely specified. Section 3.5 of RFC 1034 recommends a syntax (modified in Section 2.1 of RFC 1123). The pattern above is intended to allow for current practice in domain name use, and some possible future expansion. It is designed to hold various types of domain names, including names used for A or AAAA records (host names) and other records, such as SRV records. Note that Internet host names have a stricter syntax (described in RFC 952) than the DNS recommendations in RFCs 1034 and 1123, and that systems that want to store host names in schema nodes using the domain-name type are recommended to adhere to this stricter standard to ensure interoperability. The encoding of DNS names in the DNS protocol is limited to 255 characters. Since the encoding consists of labels prefixed by a length byte and there is a trailing NULL byte, only 253 characters can appear in the textual dotted notation. Domain-name values use the US-ASCII encoding. Their canonical format uses lowercase US-ASCII characters. Internationalized domain names MUST be encoded in punycode as described in RFC 3492.

<ipv4-address>

An IPv4 address.

<ipv6-address>

An IPv6 address.

<ipv4-prefix>

An IPv4 prefix: address and CIDR mask.

<ipv6-prefix>

An IPv6 prefix: address and CIDR mask.

<ipv4-range>

An IPv4 address range, in the form addr4-addr4.

<ipv6-range>

An IPv6 address range, in the form addr6-addr6.

remote-address

List of IKE remote peer addresses.

vsr running config# vrf <vrf> ike vpn <vpn>
vsr running vpn <vpn># remote-address REMOTE-ADDRESS

REMOTE-ADDRESS values

Description

<domain-name>{1,253}

The domain-name type represents a DNS domain name. Whether a name must be fully qualified is left to the models which utilize this type. Internet domain names are only loosely specified. Section 3.5 of RFC 1034 recommends a syntax (modified in Section 2.1 of RFC 1123). The pattern for this type is intended to allow for current practice in domain name use, and some possible future expansion. It is designed to hold various types of domain names, including names used for A or AAAA records (host names) and other records, such as SRV records. Note that Internet host names have a stricter syntax (described in RFC 952) than the DNS recommendations in RFCs 1034 and 1123, and that systems that want to store host names in schema nodes using the domain-name type are recommended to adhere to this stricter standard to ensure interoperability. The encoding of DNS names in the DNS protocol is limited to 255 characters. Since the encoding consists of labels prefixed by a length byte and there is a trailing NULL byte, only 253 characters can appear in the textual dotted notation. Domain-name values use the US-ASCII encoding. Their canonical format uses lowercase US-ASCII characters. Internationalized domain names MUST be encoded in punycode as described in RFC 3492.

<ipv4-address>

An IPv4 address.

<ipv6-address>

An IPv6 address.

<ipv4-prefix>

An IPv4 prefix: address and CIDR mask.

<ipv6-prefix>

An IPv6 prefix: address and CIDR mask.

<ipv4-range>

An IPv4 address range, in the form addr4-addr4.

<ipv6-range>

An IPv6 address range, in the form addr6-addr6.

local-id

Local IKE identifier (IP address, fqdn, user-fqdn, ASN.1 Distinguished Name). Default: the IP address with pre-shared key authentication, the certificate SubjectName with certificate authentication.

vsr running config# vrf <vrf> ike vpn <vpn>
vsr running vpn <vpn># local-id LOCAL-ID

LOCAL-ID values

Description

<ike-id>

An IPv4 address.

<ike-id>

An IPv6 address.

<ike-id>{1,253}

The domain-name type represents a DNS domain name. Whether a name must be fully qualified is left to the models which utilize this type. Internet domain names are only loosely specified. Section 3.5 of RFC 1034 recommends a syntax (modified in Section 2.1 of RFC 1123). The pattern for this type is intended to allow for current practice in domain name use, and some possible future expansion. It is designed to hold various types of domain names, including names used for A or AAAA records (host names) and other records, such as SRV records. Note that Internet host names have a stricter syntax (described in RFC 952) than the DNS recommendations in RFCs 1034 and 1123, and that systems that want to store host names in schema nodes using the domain-name type are recommended to adhere to this stricter standard to ensure interoperability. The encoding of DNS names in the DNS protocol is limited to 255 characters. Since the encoding consists of labels prefixed by a length byte and there is a trailing NULL byte, only 253 characters can appear in the textual dotted notation. Domain-name values use the US-ASCII encoding. Their canonical format uses lowercase US-ASCII characters. Internationalized domain names MUST be encoded in punycode as described in RFC 3492.

<ike-id>

IKE ID (IP address, fqdn, e-mail address or distinguished name).

<ike-id>

IKE ID (IP address, fqdn, e-mail address or distinguished name).

remote-id

Remote IKE identifier (IP address, fqdn, user-fqdn, ASN.1 Distinguished Name). Default: the IP address with pre-shared key authentication, the certificate SubjectName with certificate authentication.

vsr running config# vrf <vrf> ike vpn <vpn>
vsr running vpn <vpn># remote-id REMOTE-ID

REMOTE-ID values

Description

<ike-id>

An IPv4 address.

<ike-id>

An IPv6 address.

<ike-id>{1,253}

The domain-name type represents a DNS domain name. Whether a name must be fully qualified is left to the models which utilize this type. Internet domain names are only loosely specified. Section 3.5 of RFC 1034 recommends a syntax (modified in Section 2.1 of RFC 1123). The pattern for this type is intended to allow for current practice in domain name use, and some possible future expansion. It is designed to hold various types of domain names, including names used for A or AAAA records (host names) and other records, such as SRV records. Note that Internet host names have a stricter syntax (described in RFC 952) than the DNS recommendations in RFCs 1034 and 1123, and that systems that want to store host names in schema nodes using the domain-name type are recommended to adhere to this stricter standard to ensure interoperability. The encoding of DNS names in the DNS protocol is limited to 255 characters. Since the encoding consists of labels prefixed by a length byte and there is a trailing NULL byte, only 253 characters can appear in the textual dotted notation. Domain-name values use the US-ASCII encoding. Their canonical format uses lowercase US-ASCII characters. Internationalized domain names MUST be encoded in punycode as described in RFC 3492.

<ike-id>

IKE ID (IP address, fqdn, e-mail address or distinguished name).

<ike-id>

IKE ID (IP address, fqdn, e-mail address or distinguished name).

local-eap-id

Local EAP identifier (Default = local-id). Only taken into account if the server initiates an EAP-Identity exchange and asks for an EAP identity.

vsr running config# vrf <vrf> ike vpn <vpn>
vsr running vpn <vpn># local-eap-id LOCAL-EAP-ID

LOCAL-EAP-ID

EAP ID.

remote-eap-id

Remote EAP identifier (Default = remote-id). Setting it to %any will initiate an EAP-Identity exchange with the client and ask for its EAP identity.

vsr running config# vrf <vrf> ike vpn <vpn>
vsr running vpn <vpn># remote-eap-id REMOTE-EAP-ID

REMOTE-EAP-ID

EAP ID.

certificate

List of certificates to use for authentication of the local peer.

vsr running config# vrf <vrf> ike vpn <vpn>
vsr running vpn <vpn># certificate <string>

remote-ca-certificate

List of certificate authority certificates to accept for authentication of the remote peer.

vsr running config# vrf <vrf> ike vpn <vpn>
vsr running vpn <vpn># remote-ca-certificate <string>

vip-request

List of virtual IP addresses to request (0.0.0.0 for any IPv4 address, :: for any IPv6 address).

vsr running config# vrf <vrf> ike vpn <vpn>
vsr running vpn <vpn># vip-request VIP-REQUEST

VIP-REQUEST values

Description

<ipv4-address>

An IPv4 address.

<ipv6-address>

An IPv6 address.

vip-pool

List of virtual IP pools, to assign a virtual IP to an IKE peer.

vsr running config# vrf <vrf> ike vpn <vpn>
vsr running vpn <vpn># vip-pool <leafref>

dynamic-svti (config only)

Dynamic SVTI interfaces creation.

vsr running config# vrf <vrf> ike vpn <vpn> dynamic-svti

svti-template (config only) (mandatory)

Dynamic SVTI template.

vsr running config# vrf <vrf> ike vpn <vpn> dynamic-svti
vsr running dynamic-svti# svti-template <leafref>

vrf (config only)

Dynamic SVTI template vrf.

vsr running config# vrf <vrf> ike vpn <vpn> dynamic-svti
vsr running dynamic-svti# vrf VRF

VRF values

Description

main

The main vrf.

<string>

The vrf name.

dynamic-gre (config only)

Dynamic GRE tunnel parameters.

vsr running config# vrf <vrf> ike vpn <vpn> dynamic-gre

template (config only) (mandatory)

GRE interface template.

vsr running config# vrf <vrf> ike vpn <vpn> dynamic-gre
vsr running dynamic-gre# template TEMPLATE

TEMPLATE

Name of an interface template.

vrf (config only)

GRE interface template vrf.

vsr running config# vrf <vrf> ike vpn <vpn> dynamic-gre
vsr running dynamic-gre# vrf VRF

VRF values

Description

main

The main vrf.

<string>

The vrf name.

ike-policy

IKE policy configuration.

vsr running config# vrf <vrf> ike vpn <vpn> ike-policy

template (config only) (mandatory)

Template from which this IKE policy derives.

vsr running config# vrf <vrf> ike vpn <vpn> ike-policy
vsr running ike-policy# template <leafref>

local-auth-method

Local IKE authentication method.

vsr running config# vrf <vrf> ike vpn <vpn> ike-policy
vsr running ike-policy# local-auth-method LOCAL-AUTH-METHOD

LOCAL-AUTH-METHOD values

Description

pre-shared-key

Pre-shared key.

certificate

Public key signature with X509 Certificates.

eap-md5

Extensible Authentication Protocol - MD5-Challenge.

eap-mschapv2

Extensible Authentication Protocol - Microsoft Challenge-Handshake Authentication Protocol v2.

remote-auth-method

Remote IKE authentication method.

vsr running config# vrf <vrf> ike vpn <vpn> ike-policy
vsr running ike-policy# remote-auth-method REMOTE-AUTH-METHOD

REMOTE-AUTH-METHOD values

Description

pre-shared-key

Pre-shared key.

certificate

Public key signature with X509 Certificates.

eap-md5

Extensible Authentication Protocol - MD5-Challenge.

eap-mschapv2

Extensible Authentication Protocol - Microsoft Challenge-Handshake Authentication Protocol v2.

eap-radius

Extensible Authentication Protocol delegated to a RADIUS server.

keying-tries

Number of times we should try to initiate an IKE connection if the responder does not answer (after a full sequence of retransmissions). A value of 0 initiates a new sequence forever, until the connection establishes or fails with a permanent error.

vsr running config# vrf <vrf> ike vpn <vpn> ike-policy
vsr running ike-policy# keying-tries <uint32>

unique-sa

Connection uniqueness policy to enforce, to avoid multiple connections from the same user ID.

vsr running config# vrf <vrf> ike vpn <vpn> ike-policy
vsr running ike-policy# unique-sa UNIQUE-SA

UNIQUE-SA values

Description

no

Do not enforce IKE SA uniqueness, except if a peer included an INITIAL_CONTACT notify.

never

Never enforce IKE SA uniqueness, even if a peer included an INITIAL_CONTACT notify. Never send INITIAL_CONTACT as initiator.

keep

Reject new connection attempts from same user.

replace

Delete any existing connection if a new one for the same user gets established.

reauth-time

Time to schedule IKE reauthentication, which must be greater than 10% of the rekey-time.

vsr running config# vrf <vrf> ike vpn <vpn> ike-policy
vsr running ike-policy# reauth-time REAUTH-TIME

REAUTH-TIME

IKE duration, with optional unit (s|m|h|d).

rekey-time

Time to schedule IKE rekeying.

vsr running config# vrf <vrf> ike vpn <vpn> ike-policy
vsr running ike-policy# rekey-time REKEY-TIME

REKEY-TIME

IKE duration, with optional unit (s|m|h|d).

dpd-delay

Interval to check the liveness of a peer.

vsr running config# vrf <vrf> ike vpn <vpn> ike-policy
vsr running ike-policy# dpd-delay DPD-DELAY

DPD-DELAY

IKE duration, with optional unit (s|m|h|d).

aggressive

Enable or disable Aggressive Mode instead of Main Mode in IKEv1.

vsr running config# vrf <vrf> ike vpn <vpn> ike-policy
vsr running ike-policy# aggressive true|false

udp-encap

If true, enforce UDP encapsulation of ESP packets.

vsr running config# vrf <vrf> ike vpn <vpn> ike-policy
vsr running ike-policy# udp-encap true|false

mobike

If true, enable MOBIKE (IKEv2 Mobility and Multihoming Protocol).

vsr running config# vrf <vrf> ike vpn <vpn> ike-policy
vsr running ike-policy# mobike true|false

revocation

Peer certificate revocation policy.

vsr running config# vrf <vrf> ike vpn <vpn> ike-policy
vsr running ike-policy# revocation REVOCATION

REVOCATION values

Description

strict

Revocation check fails if a certificate is revoked or if no revocation information is available (no revocation URL or the revocation servers are unreachable).

if-url

Revocation check fails if a certificate is revoked or if the revocation servers are unreachable.

relaxed

Revocation check fails if a certificate is revoked, i.e. it is explicitly known that it is bad.

ike-proposal

List of IKE phase 1 proposals.

vsr running config# vrf <vrf> ike vpn <vpn> ike-policy ike-proposal <uint8>

<uint8>

Index in the list of IKE phase 1 proposals.

enc-alg

List of encryption algorithms for IKE SAs.

vsr running config# vrf <vrf> ike vpn <vpn> ike-policy ike-proposal <uint8>
vsr running ike-proposal <uint8># enc-alg ENC-ALG

ENC-ALG values

Description

aes128-cbc

AES-CBC, 128 bit key.

aes192-cbc

AES-CBC, 192 bit key.

aes256-cbc

AES-CBC, 256 bit key.

des-cbc

DES-CBC, 56 bit key.

3des-cbc

3DES-CBC, 168 bit key.

aes128-ctr

AES-CTR, 128 bit key.

aes192-ctr

AES-CTR, 192 bit key.

aes256-ctr

AES-CTR, 256 bit key.

cast-cbc

CAST-CBC, 128 bit key.

blowfish128-cbc

Blowfish-CBC, 128 bit key.

blowfish192-cbc

Blowfish-CBC, 192 bit key.

blowfish256-cbc

Blowfish-CBC, 256 bit key.

camellia128-cbc

Camellia-CBC, 128 bit key.

camellia192-cbc

Camellia-CBC, 192 bit key.

camellia256-cbc

Camellia-CBC, 256 bit key.

camellia128-ctr

Camellia-CTR, 128 bit key.

camellia192-ctr

Camellia-CTR, 192 bit key.

camellia256-ctr

Camellia-CTR, 256 bit key.

auth-alg

List of auth algorithms for IKE SAs.

vsr running config# vrf <vrf> ike vpn <vpn> ike-policy ike-proposal <uint8>
vsr running ike-proposal <uint8># auth-alg AUTH-ALG

AUTH-ALG values

Description

hmac-md5

HMAC-MD5-96.

hmac-sha1

HMAC-SHA1-96.

hmac-sha256

HMAC-SHA256-128.

hmac-sha384

HMAC-SHA384-192.

hmac-sha512

HMAC-SHA512-256.

aes-xcbc

AES-XCBC-96.

aead-alg

List of combined-mode (AEAD) algorithms for IKE SAs.

vsr running config# vrf <vrf> ike vpn <vpn> ike-policy ike-proposal <uint8>
vsr running ike-proposal <uint8># aead-alg AEAD-ALG

AEAD-ALG values

Description

aes128-gcm-64

AES-GCM, 128 bit key, 64 bit ICV.

aes192-gcm-64

AES-GCM, 192 bit key, 64 bit ICV.

aes256-gcm-64

AES-GCM, 256 bit key, 64 bit ICV.

aes128-gcm-96

AES-GCM, 128 bit key, 96 bit ICV.

aes192-gcm-96

AES-GCM, 192 bit key, 96 bit ICV.

aes256-gcm-96

AES-GCM, 256 bit key, 96 bit ICV.

aes128-gcm-128

AES-GCM, 128 bit key, 128 bit ICV.

aes192-gcm-128

AES-GCM, 192 bit key, 128 bit ICV.

aes256-gcm-128

AES-GCM, 256 bit key, 128 bit ICV.

aes128-ccm-64

AES-CCM, 128 bit key, 64 bit ICV.

aes192-ccm-64

AES-CCM, 192 bit key, 64 bit ICV.

aes256-ccm-64

AES-CCM, 256 bit key, 64 bit ICV.

aes128-ccm-96

AES-CCM, 128 bit key, 96 bit ICV.

aes192-ccm-96

AES-CCM, 192 bit key, 96 bit ICV.

aes256-ccm-96

AES-CCM, 256 bit key, 96 bit ICV.

aes128-ccm-128

AES-CCM, 128 bit key, 128 bit ICV.

aes192-ccm-128

AES-CCM, 192 bit key, 128 bit ICV.

aes256-ccm-128

AES-CCM, 256 bit key, 128 bit ICV.

camellia128-ccm-64

Camellia-CCM, 128 bit key, 64 bit ICV.

camellia192-ccm-64

Camellia-CCM, 192 bit key, 64 bit ICV.

camellia256-ccm-64

Camellia-CCM, 256 bit key, 64 bit ICV.

camellia128-ccm-96

Camellia-CCM, 128 bit key, 96 bit ICV.

camellia192-ccm-96

Camellia-CCM, 192 bit key, 96 bit ICV.

camellia256-ccm-96

Camellia-CCM, 256 bit key, 96 bit ICV.

prf-alg

List of pseudo-random algorithms for IKE SAs.

vsr running config# vrf <vrf> ike vpn <vpn> ike-policy ike-proposal <uint8>
vsr running ike-proposal <uint8># prf-alg PRF-ALG

PRF-ALG values

Description

hmac-md5

PRF-HMAC-MD5.

hmac-sha1

PRF-HMAC-SHA1.

aes-xcbc

AES-XCBC-PRF-128.

aes-cmac

AES-CMAC-PRF-128.

hmac-sha256

PRF-HMAC-SHA-256.

hmac-sha384

PRF-HMAC-SHA-384.

hmac-sha512

PRF-HMAC-SHA-512.

dh-group (mandatory)

List of Diffie Hellman groups for key exchange.

vsr running config# vrf <vrf> ike vpn <vpn> ike-policy ike-proposal <uint8>
vsr running ike-proposal <uint8># dh-group DH-GROUP

DH-GROUP values

Description

modp768

Modulo Prime 768 bits (group 1).

modp1024

Modulo Prime 1024 bits (group 2).

modp1536

Modulo Prime 1536 bits (group 5).

modp2048

Modulo Prime 2048 bits (group 14).

modp3072

Modulo Prime 3072 bits (group 15).

modp4096

Modulo Prime 4096 bits (group 16).

modp6144

Modulo Prime 6144 bits (group 17).

modp8192

Modulo Prime 8192 bits (group 18).

modp1024s160

Modulo Prime 1024 bits, Subgroup 160 bits (group 22).

modp2048s224

Modulo Prime 2048 bits, Subgroup 224 bits (group 23).

modp2048s256

Modulo Prime 2048 bits, Subgroup 256 bits (group 24).

ecp192

Elliptic Curve 192 bits (group 25).

ecp224

Elliptic Curve 224 bits (group 26).

ecp256

Elliptic Curve 256 bits (group 19).

ecp384

Elliptic Curve 384 bits (group 20).

ecp521

Elliptic Curve 521 bits (group 21).

ecp224bp

Brainpool Elliptic Curve 224 bits (group 27).

ecp256bp

Brainpool Elliptic Curve 256 bits (group 28).

ecp384bp

Brainpool Elliptic Curve 384 bits (group 29).

ecp512bp

Brainpool Elliptic Curve 512 bits (group 30).

curve25519

Montgomery Elliptic Curve 256 bits (group 31).

curve448

Goldilocks Elliptic Curve 448 bits (group 32).

ipsec-policy

IPsec policy configuration.

vsr running config# vrf <vrf> ike vpn <vpn> ipsec-policy

template (config only) (mandatory)

Template from which this IPsec policy derives.

vsr running config# vrf <vrf> ike vpn <vpn> ipsec-policy
vsr running ipsec-policy# template <leafref>

start-action

Action to perform for this CHILD_SA on DPD timeout.

vsr running config# vrf <vrf> ike vpn <vpn> ipsec-policy
vsr running ipsec-policy# start-action START-ACTION

START-ACTION values

Description

none

Load the connection only; this can be used as a responder configuration.

trap

Install a trap policy, which triggers the tunnel as soon as matching traffic has been detected.

start

Initiate the connection actively.

close-action

Action to perform when a CHILD_SA gets closed by a peer.

vsr running config# vrf <vrf> ike vpn <vpn> ipsec-policy
vsr running ipsec-policy# close-action CLOSE-ACTION

CLOSE-ACTION values

Description

none

Close the Child SA and take no further action.

trap

Install a trap policy matching traffic and try to re-negotiate the tunnel on-demand.

start

Try to immediately re-create the CHILD_SA.

dpd-action

Action to perform for a CHILD_SA on DPD timeout.

vsr running config# vrf <vrf> ike vpn <vpn> ipsec-policy
vsr running ipsec-policy# dpd-action DPD-ACTION

DPD-ACTION values

Description

clear

Close the Child SA and take no further action.

trap

Install a trap policy, which catches matching traffic and tries to re-negotiate the tunnel on demand.

restart

Immediately try to re-negotiate the CHILD_SA under a fresh IKE_SA.

replay-window

Replay window size. 0 disables IPsec replay protection.

vsr running config# vrf <vrf> ike vpn <vpn> ipsec-policy
vsr running ipsec-policy# replay-window <0-4096>

rekey-time

Time before initiating CHILD_SA rekeying.

vsr running config# vrf <vrf> ike vpn <vpn> ipsec-policy
vsr running ipsec-policy# rekey-time REKEY-TIME

REKEY-TIME

IKE duration, with optional unit (s|m|h|d).

inactivity

Timeout before closing CHILD_SA after inactivity. If no traffic has been processed in either direction for the configured timeout, the CHILD_SA gets closed due to inactivity (default value of 0 disables inactivity checks).

vsr running config# vrf <vrf> ike vpn <vpn> ipsec-policy
vsr running ipsec-policy# inactivity INACTIVITY

INACTIVITY

IKE duration, with optional unit (s|m|h|d).

life-time

Maximum lifetime before CHILD_SA gets closed (default rekey-time + 10%).

vsr running config# vrf <vrf> ike vpn <vpn> ipsec-policy
vsr running ipsec-policy# life-time LIFE-TIME

LIFE-TIME

IKE duration, with optional unit (s|m|h|d).

rand-time

Time range from which to choose a random value to subtract from rekey-time (default life-time - rekey-time).

vsr running config# vrf <vrf> ike vpn <vpn> ipsec-policy
vsr running ipsec-policy# rand-time RAND-TIME

RAND-TIME

IKE duration, with optional unit (s|m|h|d).

rekey-bytes

Number of bytes processed before initiating CHILD_SA rekeying.

vsr running config# vrf <vrf> ike vpn <vpn> ipsec-policy
vsr running ipsec-policy# rekey-bytes <uint64>

life-bytes

Maximum bytes processed before CHILD_SA gets closed (default rekey-bytes + 10%).

vsr running config# vrf <vrf> ike vpn <vpn> ipsec-policy
vsr running ipsec-policy# life-bytes <uint64>

rand-bytes

Byte range from which to choose a random value to subtract from rekey-bytes (default life-bytes - rekey-bytes).

vsr running config# vrf <vrf> ike vpn <vpn> ipsec-policy
vsr running ipsec-policy# rand-bytes <uint64>

rekey-packets

Number of packets processed before initiating CHILD_SA rekeying.

vsr running config# vrf <vrf> ike vpn <vpn> ipsec-policy
vsr running ipsec-policy# rekey-packets <uint64>

life-packets

Maximum packets processed before CHILD_SA gets closed (default rekey-bytes + 10%).

vsr running config# vrf <vrf> ike vpn <vpn> ipsec-policy
vsr running ipsec-policy# life-packets <uint64>

rand-packets

Packet range from which to choose a random value to subtract from rekey-packets (default life-bytes - rekey-bytes).

vsr running config# vrf <vrf> ike vpn <vpn> ipsec-policy
vsr running ipsec-policy# rand-packets <uint64>
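The rekey/life/rand relationships documented above (and the reauth-time rule from ike-policy) as an added Python example; it is not part of the VSR documentation and not 6WIND code. It assumes that a duration written without a unit is in seconds, and that the random value subtracted from the rekey limit is drawn from the closed range [0, rand].

```python
# Added example: not part of the VSR documentation and not 6WIND code.
# Models the CHILD_SA rekey/life/rand defaults documented above and the
# duration syntax "IKE duration, with optional unit (s|m|h|d)".
import random
import re

_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(text):
    """Convert a duration such as '30m', '1h' or '3600' into seconds.

    Assumption: a bare number is taken as seconds (the unit is optional
    in the documented syntax)."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhd])?\s*", str(text))
    if not m:
        raise ValueError(f"not a valid IKE duration: {text!r}")
    return int(m.group(1)) * _UNIT_SECONDS[m.group(2) or "s"]


def effective_limits(rekey, life=None, rand=None):
    """Fill in the documented defaults for one limit family
    (time, bytes or packets): life = rekey + 10%, rand = life - rekey.

    All three values are plain integers in the same unit."""
    if rekey <= 0:
        raise ValueError("rekey limit must be positive")
    if life is None:
        life = rekey + rekey // 10          # "rekey + 10%"
    if rand is None:
        rand = life - rekey                 # "life - rekey"
    return rekey, life, rand


def check_limits(rekey, life, rand):
    """Return the misconfigurations a reviewer would flag for one limit family.

    The rekey is scheduled at rekey - r with r drawn from [0, rand], so the
    hard limit must leave room for the rekey to complete and the random
    window must not be able to push the rekey point down to zero."""
    findings = []
    if life <= rekey:
        findings.append("life <= rekey: the SA may expire before it is rekeyed")
    if rand > rekey:
        findings.append("rand > rekey: the randomised rekey point can reach zero")
    if rand < 0:
        findings.append("rand < 0: rand must be a non-negative range")
    return findings


def next_rekey(rekey, rand, seed=None):
    """Pick the actual rekey point: rekey minus a value drawn from [0, rand].

    A seed makes the draw reproducible (useful when testing a policy)."""
    if rand < 0 or rand > rekey:
        raise ValueError("rand must lie within [0, rekey]")
    return rekey - random.Random(seed).randint(0, rand)


def reauth_time_ok(reauth, rekey):
    """Check the ike-policy rule that reauth-time exceeds 10% of rekey-time."""
    return reauth > rekey / 10


if __name__ == "__main__":
    # Constructed sample: rekey-time 1h with the documented defaults, then an
    # explicit life-time that is shorter than the rekey-time.
    r, l, d = effective_limits(parse_duration("1h"))
    print(r, l, d, check_limits(r, l, d))            # 3600 3960 360 []
    print(check_limits(*effective_limits(3600, life=parse_duration("50m"))))
```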

encap-copy-dscp

Whether to copy DSCP from inner to outer IP header at IPsec encapsulation.

vsr running config# vrf <vrf> ike vpn <vpn> ipsec-policy
vsr running ipsec-policy# encap-copy-dscp true|false

decap-copy-dscp

Whether to copy DSCP from outer to inner IP header at IPsec decapsulation.

vsr running config# vrf <vrf> ike vpn <vpn> ipsec-policy
vsr running ipsec-policy# decap-copy-dscp true|false

encap-copy-df

Whether to copy the Don’t Fragment bit from outer to inner IP header at IPsec encapsulation.

vsr running config# vrf <vrf> ike vpn <vpn> ipsec-policy
vsr running ipsec-policy# encap-copy-df true|false

esp-proposal

List of ESP proposals.

vsr running config# vrf <vrf> ike vpn <vpn> ipsec-policy esp-proposal <uint8>

<uint8>

Index in list of ESP proposals.

enc-alg

List of encryption algorithms for IPsec SAs.

vsr running config# vrf <vrf> ike vpn <vpn> ipsec-policy esp-proposal <uint8>
vsr running esp-proposal <uint8># enc-alg ENC-ALG

ENC-ALG values

Description

null

NULL.

aes128-cbc

AES-CBC, 128 bit key.

aes192-cbc

AES-CBC, 192 bit key.

aes256-cbc

AES-CBC, 256 bit key.

des-cbc

DES-CBC, 56 bit key.

3des-cbc

3DES-CBC, 168 bit key.

auth-alg

List of auth algorithms for IPsec SAs.

vsr running config# vrf <vrf> ike vpn <vpn> ipsec-policy esp-proposal <uint8>
vsr running esp-proposal <uint8># auth-alg AUTH-ALG

AUTH-ALG values

Description

none

NONE.

hmac-md5

HMAC-MD5-96.

hmac-sha1

HMAC-SHA1-96.

hmac-sha256

HMAC-SHA256-128.

hmac-sha384

HMAC-SHA384-192.

hmac-sha512

HMAC-SHA512-256.

aes-xcbc

AES-XCBC-96.

aead-alg

List of combined-mode (AEAD) algorithms for IPsec SAs.

vsr running config# vrf <vrf> ike vpn <vpn> ipsec-policy esp-proposal <uint8>
vsr running esp-proposal <uint8># aead-alg AEAD-ALG

AEAD-ALG values

Description

aes128-gcm-128

AES-GCM, 128 bit key, 128 bit ICV.

aes192-gcm-128

AES-GCM, 192 bit key, 128 bit ICV.

aes256-gcm-128

AES-GCM, 256 bit key, 128 bit ICV.

aes128-gmac

AES-GMAC, 128 bit key, 128 bit ICV.

aes192-gmac

AES-GMAC, 192 bit key, 128 bit ICV.

aes256-gmac

AES-GMAC, 256 bit key, 128 bit ICV.

dh-group

List of Diffie Hellman groups for Perfect Forward Secrecy.

vsr running config# vrf <vrf> ike vpn <vpn> ipsec-policy esp-proposal <uint8>
vsr running esp-proposal <uint8># dh-group DH-GROUP

DH-GROUP values

Description

modp768

Modulo Prime 768 bits (group 1).

modp1024

Modulo Prime 1024 bits (group 2).

modp1536

Modulo Prime 1536 bits (group 5).

modp2048

Modulo Prime 2048 bits (group 14).

modp3072

Modulo Prime 3072 bits (group 15).

modp4096

Modulo Prime 4096 bits (group 16).

modp6144

Modulo Prime 6144 bits (group 17).

modp8192

Modulo Prime 8192 bits (group 18).

modp1024s160

Modulo Prime 1024 bits, Subgroup 160 bits (group 22).

modp2048s224

Modulo Prime 2048 bits, Subgroup 224 bits (group 23).

modp2048s256

Modulo Prime 2048 bits, Subgroup 256 bits (group 24).

ecp192

Elliptic Curve 192 bits (group 25).

ecp224

Elliptic Curve 224 bits (group 26).

ecp256

Elliptic Curve 256 bits (group 19).

ecp384

Elliptic Curve 384 bits (group 20).

ecp521

Elliptic Curve 521 bits (group 21).

ecp224bp

Brainpool Elliptic Curve 224 bits (group 27).

ecp256bp

Brainpool Elliptic Curve 256 bits (group 28).

ecp384bp

Brainpool Elliptic Curve 384 bits (group 29).

ecp512bp

Brainpool Elliptic Curve 512 bits (group 30).

curve25519

Montgomery Elliptic Curve 256 bits (group 31).

curve448

Goldilocks Elliptic Curve 448 bits (group 32).

esn

List of Extended Sequence Number modes.

vsr running config# vrf <vrf> ike vpn <vpn> ipsec-policy esp-proposal <uint8>
vsr running esp-proposal <uint8># esn true|false

ah-proposal

List of AH proposals.

vsr running config# vrf <vrf> ike vpn <vpn> ipsec-policy ah-proposal <uint8>

<uint8>

Index in list of AH proposals.

auth-alg (mandatory)

List of auth algorithms for IPsec SAs.

vsr running config# vrf <vrf> ike vpn <vpn> ipsec-policy ah-proposal <uint8>
vsr running ah-proposal <uint8># auth-alg AUTH-ALG

AUTH-ALG values

Description

hmac-md5

HMAC-MD5-96.

hmac-sha1

HMAC-SHA1-96.

hmac-sha256

HMAC-SHA256-128.

hmac-sha384

HMAC-SHA384-192.

hmac-sha512

HMAC-SHA512-256.

aes-xcbc

AES-XCBC-96.

dh-group

List of Diffie Hellman groups for Perfect Forward Secrecy.

vsr running config# vrf <vrf> ike vpn <vpn> ipsec-policy ah-proposal <uint8>
vsr running ah-proposal <uint8># dh-group DH-GROUP

DH-GROUP values

Description

modp768

Modulo Prime 768 bits (group 1).

modp1024

Modulo Prime 1024 bits (group 2).

modp1536

Modulo Prime 1536 bits (group 5).

modp2048

Modulo Prime 2048 bits (group 14).

modp3072

Modulo Prime 3072 bits (group 15).

modp4096

Modulo Prime 4096 bits (group 16).

modp6144

Modulo Prime 6144 bits (group 17).

modp8192

Modulo Prime 8192 bits (group 18).

modp1024s160

Modulo Prime 1024 bits, Subgroup 160 bits (group 22).

modp2048s224

Modulo Prime 2048 bits, Subgroup 224 bits (group 23).

modp2048s256

Modulo Prime 2048 bits, Subgroup 256 bits (group 24).

ecp192

Elliptic Curve 192 bits (group 25).

ecp224

Elliptic Curve 224 bits (group 26).

ecp256

Elliptic Curve 256 bits (group 19).

ecp384

Elliptic Curve 384 bits (group 20).

ecp521

Elliptic Curve 521 bits (group 21).

ecp224bp

Brainpool Elliptic Curve 224 bits (group 27).

ecp256bp

Brainpool Elliptic Curve 256 bits (group 28).

ecp384bp

Brainpool Elliptic Curve 384 bits (group 29).

ecp512bp

Brainpool Elliptic Curve 512 bits (group 30).

curve25519

Montgomery Elliptic Curve 256 bits (group 31).

curve448

Goldilocks Elliptic Curve 448 bits (group 32).

esn

List of Extended Sequence Number modes.

vsr running config# vrf <vrf> ike vpn <vpn> ipsec-policy ah-proposal <uint8>
vsr running ah-proposal <uint8># esn true|false

security-policy

List of IPsec bidirectional security policies.

vsr running config# vrf <vrf> ike vpn <vpn> security-policy <security-policy>

<security-policy>

IKE object name type.

svti-id-in

SVTI ID set on inbound policies/SA.

vsr running config# vrf <vrf> ike vpn <vpn> security-policy <security-policy>
vsr running security-policy <security-policy># svti-id-in <uint32>

svti-id-out

SVTI ID set on outbound policies/SA.

vsr running config# vrf <vrf> ike vpn <vpn> security-policy <security-policy>
vsr running security-policy <security-policy># svti-id-out <uint32>

action

IPsec action.

vsr running config# vrf <vrf> ike vpn <vpn> security-policy <security-policy>
vsr running security-policy <security-policy># action ACTION

ACTION values

Description

esp

Protect traffic with Encapsulating Security Payload.

ah

Protect traffic with Authentication Header.

pass

Pass traffic in plain text.

drop

Drop traffic.

Default value
esp

mode

IPsec mode if action is esp or ah.

vsr running config# vrf <vrf> ike vpn <vpn> security-policy <security-policy>
vsr running security-policy <security-policy># mode MODE

MODE values

Description

tunnel

Tunnel mode.

transport

Transport mode.

beet

Bound End to End Tunnel mode.

Default value
tunnel

priority

Security policy priority (0 stands for dynamically calculated).

vsr running config# vrf <vrf> ike vpn <vpn> security-policy <security-policy>
vsr running security-policy <security-policy># priority <uint32>
Default value
0

local-ts

Local traffic selector (default the tunnel outer address or the virtual IP, if negotiated).

vsr running config# vrf <vrf> ike vpn <vpn> security-policy <security-policy>
vsr running security-policy <security-policy># local-ts subnet SUBNET protocol <uint8> \
... port <uint16>

subnet

Private subnet or address (default: the tunnel outer address or virtual IP, if negotiated).

subnet SUBNET

SUBNET values

Description

<ipv4-address>

An IPv4 address.

<ipv6-address>

An IPv6 address.

<ipv4-prefix>

An IPv4 prefix: address and CIDR mask.

<ipv6-prefix>

An IPv6 prefix: address and CIDR mask.

protocol

Protocol number (default any).

protocol <uint8>

port

Port number or ICMP type/code (default any).

port <uint16>

remote-ts

Remote traffic selector (default the tunnel outer address or the virtual IP, if negotiated).

vsr running config# vrf <vrf> ike vpn <vpn> security-policy <security-policy>
vsr running security-policy <security-policy># remote-ts subnet SUBNET protocol <uint8> \
... port <uint16>
subnet

Private subnet or address (default: the tunnel outer address or virtual IP, if negotiated).

subnet SUBNET

SUBNET values

Description

<ipv4-address>

An IPv4 address.

<ipv6-address>

An IPv6 address.

<ipv4-prefix>

An IPv4 prefix: address and CIDR mask.

<ipv6-prefix>

An IPv6 prefix: address and CIDR mask.

protocol

Protocol number (default any).

protocol <uint8>

port

Port number or ICMP type/code (default any).

port <uint16>

traffic-selectors

Traffic selectors (default the tunnel outer address or the virtual IP, if negotiated).

vsr running config# vrf <vrf> ike vpn <vpn> security-policy <security-policy> traffic-selectors

local-ts

List of local traffic selectors (default the tunnel outer address or the virtual IP, if negotiated).

vsr running config# vrf <vrf> ike vpn <vpn> security-policy <security-policy> traffic-selectors
vsr running traffic-selectors# local-ts <1-32> subnet SUBNET protocol <uint8> \
... port <uint16>

<1-32>

Traffic selectors index.

subnet

Private subnet or address (default: the tunnel outer address or virtual IP, if negotiated).

subnet SUBNET

SUBNET values

Description

<ipv4-address>

An IPv4 address.

<ipv6-address>

An IPv6 address.

<ipv4-prefix>

An IPv4 prefix: address and CIDR mask.

<ipv6-prefix>

An IPv6 prefix: address and CIDR mask.

protocol

Protocol number (default any).

protocol <uint8>

port

Port number or ICMP type/code (default any).

port <uint16>

remote-ts

List of remote traffic selectors (default the tunnel outer address or the virtual IP, if negotiated).

vsr running config# vrf <vrf> ike vpn <vpn> security-policy <security-policy> traffic-selectors
vsr running traffic-selectors# remote-ts <1-32> subnet SUBNET protocol <uint8> \
... port <uint16>

<1-32>

Traffic selectors index.

subnet

Private subnet or address (default: the tunnel outer address or virtual IP, if negotiated).

subnet SUBNET

SUBNET values

Description

<ipv4-address>

An IPv4 address.

<ipv6-address>

An IPv6 address.

<ipv4-prefix>

An IPv4 prefix: address and CIDR mask.

<ipv6-prefix>

An IPv6 prefix: address and CIDR mask.

protocol

Protocol number (default any).

protocol <uint8>

port

Port number or ICMP type/code (default any).

port <uint16>

inject-routes

Reverse Route Injection parameters.

vsr running config# vrf <vrf> ike vpn <vpn> security-policy <security-policy> inject-routes

next-hop (mandatory)

Injected routes next hop.

vsr running config# vrf <vrf> ike vpn <vpn> security-policy <security-policy> inject-routes
vsr running inject-routes# next-hop NEXT-HOP

NEXT-HOP values

Description

<A.B.C.D>

An IPv4 address.

<X:X::X:X>

An IPv6 address.

<ifname>{1,15}

An interface name.

<ipv4-address-and-ifname>

An IPv4 address followed by an interface name.

<ipv6-address-and-ifname>

An IPv6 address followed by an interface name.

next-hop-backup

Injected routes next hop when ha is enabled and the node is backup.

vsr running config# vrf <vrf> ike vpn <vpn> security-policy <security-policy> inject-routes
vsr running inject-routes# next-hop-backup NEXT-HOP-BACKUP

NEXT-HOP-BACKUP values

Description

<A.B.C.D>

An IPv4 address.

<X:X::X:X>

An IPv6 address.

<ifname>{1,15}

An interface name.

<ipv4-address-and-ifname>

An IPv4 address followed by an interface name.

<ipv6-address-and-ifname>

An IPv6 address followed by an interface name.

vrf

Injected routes vrf.

vsr running config# vrf <vrf> ike vpn <vpn> security-policy <security-policy> inject-routes
vsr running inject-routes# vrf VRF

VRF values

Description

main

The main vrf.

<string>

The vrf name.

l3vrf

Injected routes l3vrf.

vsr running config# vrf <vrf> ike vpn <vpn> security-policy <security-policy> inject-routes
vsr running inject-routes# l3vrf L3VRF

L3VRF

The l3vrf name.

table

Table in which the route must be injected.

vsr running config# vrf <vrf> ike vpn <vpn> security-policy <security-policy> inject-routes
vsr running inject-routes# table <1-max>

ike-sas (state only)

Number of IKE SAs.

total (state only)

Total number of IKE SAs (half-open or established).

vsr> show state vrf <vrf> ike ike-sas total

half-open (state only)

Number of half-open IKE SAs.

vsr> show state vrf <vrf> ike ike-sas half-open

task-processing (state only)

Internal task processing statistics.

worker-threads (state only)

State of IKE daemon threads.

total (state only)

Total number of threads.

vsr> show state vrf <vrf> ike task-processing worker-threads total

idle (state only)

Number of idle threads.

vsr> show state vrf <vrf> ike task-processing worker-threads idle

critical (state only)

Number of threads executing critical priority tasks.

vsr> show state vrf <vrf> ike task-processing worker-threads critical

high (state only)

Number of threads executing high priority tasks.

vsr> show state vrf <vrf> ike task-processing worker-threads high

medium (state only)

Number of threads executing medium priority tasks.

vsr> show state vrf <vrf> ike task-processing worker-threads medium

low (state only)

Number of threads executing low priority tasks.

vsr> show state vrf <vrf> ike task-processing worker-threads low

task-queues (state only)

Counters of pending tasks.

critical (state only)

Number of critical priority tasks waiting for an available thread.

vsr> show state vrf <vrf> ike task-processing task-queues critical

high (state only)

Number of high priority tasks waiting for an available thread.

vsr> show state vrf <vrf> ike task-processing task-queues high

medium (state only)

Number of medium priority tasks waiting for an available thread.

vsr> show state vrf <vrf> ike task-processing task-queues medium

low (state only)

Number of low priority tasks waiting for an available thread.

vsr> show state vrf <vrf> ike task-processing task-queues low

scheduled (state only)

Number of tasks waiting for a timer to expire.

vsr> show state vrf <vrf> ike task-processing task-queues scheduled

counters (state only)

Global IKE message counters.

ike-rekey-init (state only)

Initiated IKE_SA rekeyings.

vsr> show state vrf <vrf> ike counters ike-rekey-init

ike-rekey-resp (state only)

Responded IKE_SA rekeyings.

vsr> show state vrf <vrf> ike counters ike-rekey-resp

child-rekey (state only)

Completed CHILD_SA rekeyings.

vsr> show state vrf <vrf> ike counters child-rekey

invalid (state only)

Messages with an invalid IKE SPI.

vsr> show state vrf <vrf> ike counters invalid

invalid-spi (state only)

Messages with invalid types, length, or a value out of range.

vsr> show state vrf <vrf> ike counters invalid-spi

ike-init-in-req (state only)

Received IKE_SA_INIT requests.

vsr> show state vrf <vrf> ike counters ike-init-in-req

ike-init-in-resp (state only)

Received IKE_SA_INIT responses.

vsr> show state vrf <vrf> ike counters ike-init-in-resp

ike-init-out-req (state only)

Sent IKE_SA_INIT requests.

vsr> show state vrf <vrf> ike counters ike-init-out-req

ike-init-out-resp (state only)

Sent IKE_SA_INIT responses.

vsr> show state vrf <vrf> ike counters ike-init-out-resp

ike-auth-in-req (state only)

Received IKE_AUTH requests.

vsr> show state vrf <vrf> ike counters ike-auth-in-req

ike-auth-in-resp (state only)

Received IKE_AUTH responses.

vsr> show state vrf <vrf> ike counters ike-auth-in-resp

ike-auth-out-req (state only)

Sent IKE_AUTH requests.

vsr> show state vrf <vrf> ike counters ike-auth-out-req

ike-auth-out-resp (state only)

Sent IKE_AUTH responses.

vsr> show state vrf <vrf> ike counters ike-auth-out-resp

create-child-in-req (state only)

Received CREATE_CHILD_SA requests.

vsr> show state vrf <vrf> ike counters create-child-in-req

create-child-in-resp (state only)

Received CREATE_CHILD_SA responses.

vsr> show state vrf <vrf> ike counters create-child-in-resp

create-child-out-req (state only)

Sent CREATE_CHILD_SA requests.

vsr> show state vrf <vrf> ike counters create-child-out-req

create-child-out-resp (state only)

Sent CREATE_CHILD_SA responses.

vsr> show state vrf <vrf> ike counters create-child-out-resp

info-in-req (state only)

Received INFORMATIONAL requests.

vsr> show state vrf <vrf> ike counters info-in-req

info-in-resp (state only)

Received INFORMATIONAL responses.

vsr> show state vrf <vrf> ike counters info-in-resp

info-out-req (state only)

Sent INFORMATIONAL requests.

vsr> show state vrf <vrf> ike counters info-out-req

info-out-resp (state only)

Sent INFORMATIONAL responses.

vsr> show state vrf <vrf> ike counters info-out-resp
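As an added example, not part of the 6WIND documentation or product code: a defender's sanity check over two polls of the ike-sas, task-processing task-queues and counters state nodes listed above. The CLI output format is not shown on this page, so the two snapshots are constructed dicts keyed by the node names, and the thresholds are assumptions to tune per deployment.

```python
from typing import Dict, List, Tuple

Snapshot = Dict[str, Dict[str, int]]
Finding = Tuple[str, str, str]  # (code, severity, message)

# Constructed sample: two polls of the same VRF taken 60 seconds apart.
# Keys follow the state node names on this page; values are made up.
BEFORE: Snapshot = {
    "ike-sas": {"total": 12, "half-open": 1},
    "task-queues": {"critical": 0, "high": 0, "medium": 2, "low": 0, "scheduled": 40},
    "counters": {"ike-init-in-req": 1000, "ike-auth-in-req": 990,
                 "invalid": 3, "invalid-spi": 1},
}
AFTER: Snapshot = {
    "ike-sas": {"total": 812, "half-open": 801},
    "task-queues": {"critical": 0, "high": 450, "medium": 30, "low": 0, "scheduled": 41},
    "counters": {"ike-init-in-req": 6000, "ike-auth-in-req": 1002,
                 "invalid": 3, "invalid-spi": 61},
}


def rate(before: Snapshot, after: Snapshot, group: str, key: str, interval_s: float) -> float:
    """Per-second growth of a monotonically increasing counter between two polls."""
    return (after[group][key] - before[group][key]) / interval_s


def analyze(before: Snapshot, after: Snapshot, interval_s: float,
            max_half_open_share: float = 0.5, max_init_per_auth: float = 5.0,
            max_invalid_per_s: float = 0.1, max_pending: int = 100) -> List[Finding]:
    """Flag conditions a responder-side IKE daemon should not normally show.
    Thresholds are assumed defaults, not values from the product."""
    findings: List[Finding] = []

    # Half-open SAs are IKE_SA_INIT exchanges that never reached IKE_AUTH.
    sas = after["ike-sas"]
    if sas["total"] and sas["half-open"] / sas["total"] > max_half_open_share:
        findings.append(("HALF_OPEN", "high",
                         f"{sas['half-open']}/{sas['total']} IKE SAs are half-open"))

    # Many more IKE_SA_INIT requests than IKE_AUTH requests means initiations
    # are not being completed (peer misconfiguration or an initiation flood).
    init = rate(before, after, "counters", "ike-init-in-req", interval_s)
    auth = rate(before, after, "counters", "ike-auth-in-req", interval_s)
    if init > max_init_per_auth * max(auth, 1.0 / interval_s):
        findings.append(("INIT_FLOOD", "high",
                         f"{init:.1f} IKE_SA_INIT req/s vs {auth:.1f} IKE_AUTH req/s"))

    # Steady growth of invalid / invalid-spi counters: malformed or stray
    # messages, e.g. a peer still sending on SPIs this side no longer knows.
    bad = (rate(before, after, "counters", "invalid", interval_s)
           + rate(before, after, "counters", "invalid-spi", interval_s))
    if bad > max_invalid_per_s:
        findings.append(("INVALID_MSG", "medium", f"{bad:.2f} invalid IKE messages/s"))

    # Pending tasks per priority; 'scheduled' waits on timers, not on threads.
    q = after["task-queues"]
    pending = q["critical"] + q["high"] + q["medium"] + q["low"]
    if pending > max_pending:
        findings.append(("QUEUE_BACKLOG", "medium",
                         f"{pending} tasks waiting for an available worker thread"))
    return findings


if __name__ == "__main__":
    for code, severity, msg in analyze(BEFORE, AFTER, 60):
        print(f"[{severity}] {code}: {msg}")
```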

vpn-counters (state only)

List of per-VPN IKE message counters.

ike-rekey-init (state only)

Initiated IKE_SA rekeyings.

vsr> show state vrf <vrf> ike vpn-counters name <vpn-counters> ike-rekey-init

ike-rekey-resp (state only)

Responded IKE_SA rekeyings.

vsr> show state vrf <vrf> ike vpn-counters name <vpn-counters> ike-rekey-resp

child-rekey (state only)

Completed CHILD_SA rekeyings.

vsr> show state vrf <vrf> ike vpn-counters name <vpn-counters> child-rekey

invalid (state only)

Messages with an invalid IKE SPI.

vsr> show state vrf <vrf> ike vpn-counters name <vpn-counters> invalid

invalid-spi (state only)

Messages with invalid types, length, or a value out of range.

vsr> show state vrf <vrf> ike vpn-counters name <vpn-counters> invalid-spi

ike-init-in-req (state only)

Received IKE_SA_INIT requests.

vsr> show state vrf <vrf> ike vpn-counters name <vpn-counters> ike-init-in-req

ike-init-in-resp (state only)

Received IKE_SA_INIT responses.

vsr> show state vrf <vrf> ike vpn-counters name <vpn-counters> ike-init-in-resp

ike-init-out-req (state only)

Sent IKE_SA_INIT requests.

vsr> show state vrf <vrf> ike vpn-counters name <vpn-counters> ike-init-out-req

ike-init-out-resp (state only)

Sent IKE_SA_INIT responses.

vsr> show state vrf <vrf> ike vpn-counters name <vpn-counters> ike-init-out-resp

ike-auth-in-req (state only)

Received IKE_AUTH requests.

vsr> show state vrf <vrf> ike vpn-counters name <vpn-counters> ike-auth-in-req

ike-auth-in-resp (state only)

Received IKE_AUTH responses.

vsr> show state vrf <vrf> ike vpn-counters name <vpn-counters> ike-auth-in-resp

ike-auth-out-req (state only)

Sent IKE_AUTH requests.

vsr> show state vrf <vrf> ike vpn-counters name <vpn-counters> ike-auth-out-req

ike-auth-out-resp (state only)

Sent IKE_AUTH responses.

vsr> show state vrf <vrf> ike vpn-counters name <vpn-counters> ike-auth-out-resp

create-child-in-req (state only)

Received CREATE_CHILD_SA requests.

vsr> show state vrf <vrf> ike vpn-counters name <vpn-counters> create-child-in-req

create-child-in-resp (state only)

Received CREATE_CHILD_SA responses.

vsr> show state vrf <vrf> ike vpn-counters name <vpn-counters> create-child-in-resp

create-child-out-req (state only)

Sent CREATE_CHILD_SA requests.

vsr> show state vrf <vrf> ike vpn-counters name <vpn-counters> create-child-out-req

create-child-out-resp (state only)

Sent CREATE_CHILD_SA responses.

vsr> show state vrf <vrf> ike vpn-counters name <vpn-counters> create-child-out-resp

info-in-req (state only)

Received INFORMATIONAL requests.

vsr> show state vrf <vrf> ike vpn-counters name <vpn-counters> info-in-req

info-in-resp (state only)

Received INFORMATIONAL responses.

vsr> show state vrf <vrf> ike vpn-counters name <vpn-counters> info-in-resp

info-out-req (state only)

Sent INFORMATIONAL requests.

vsr> show state vrf <vrf> ike vpn-counters name <vpn-counters> info-out-req

info-out-resp (state only)

Sent INFORMATIONAL responses.

vsr> show state vrf <vrf> ike vpn-counters name <vpn-counters> info-out-resp

ike-sa (state only)

List of IKE Security Associations.

name (state only)

Name of the VPN.

vsr> show state vrf <vrf> ike ike-sa unique-id <uint32> name

version (state only)

IKE version.

vsr> show state vrf <vrf> ike ike-sa unique-id <uint32> version

state (state only)

IKE SA state.

vsr> show state vrf <vrf> ike ike-sa unique-id <uint32> state

local-address (state only)

Local IKE IP address.

vsr> show state vrf <vrf> ike ike-sa unique-id <uint32> local-address

remote-address (state only)

Remote IKE IP address.

vsr> show state vrf <vrf> ike ike-sa unique-id <uint32> remote-address

local-port (state only)

Local IKE UDP port.

vsr> show state vrf <vrf> ike ike-sa unique-id <uint32> local-port

remote-port (state only)

Remote IKE UDP port.

vsr> show state vrf <vrf> ike ike-sa unique-id <uint32> remote-port

local-id (state only)

Local IKE identifier.

vsr> show state vrf <vrf> ike ike-sa unique-id <uint32> local-id

remote-id (state only)

Remote IKE identifier.

vsr> show state vrf <vrf> ike ike-sa unique-id <uint32> remote-id

remote-eap-id (state only)

Remote EAP identifier.

vsr> show state vrf <vrf> ike ike-sa unique-id <uint32> remote-eap-id

initiator-spi (state only)

IKE initiator SPI.

vsr> show state vrf <vrf> ike ike-sa unique-id <uint32> initiator-spi

responder-spi (state only)

IKE responder SPI.

vsr> show state vrf <vrf> ike ike-sa unique-id <uint32> responder-spi

enc-alg (state only)

IKE encryption algorithm.

vsr> show state vrf <vrf> ike ike-sa unique-id <uint32> enc-alg

auth-alg (state only)

IKE authentication algorithm.

vsr> show state vrf <vrf> ike ike-sa unique-id <uint32> auth-alg

aead-alg (state only)

IKE combined-mode algorithm.

vsr> show state vrf <vrf> ike ike-sa unique-id <uint32> aead-alg

prf-alg (state only)

IKE pseudo-random function (PRF) algorithm.

vsr> show state vrf <vrf> ike ike-sa unique-id <uint32> prf-alg

dh-group (state only)

IKE Diffie-Hellman group.

vsr> show state vrf <vrf> ike ike-sa unique-id <uint32> dh-group

established-time (state only)

Seconds since the IKE session was established.

vsr> show state vrf <vrf> ike ike-sa unique-id <uint32> established-time

rekey-time (state only)

Seconds before the IKE session is rekeyed.

vsr> show state vrf <vrf> ike ike-sa unique-id <uint32> rekey-time

reauth-time (state only)

Seconds before the IKE session is reauthenticated.

vsr> show state vrf <vrf> ike ike-sa unique-id <uint32> reauth-time

udp-encap (state only)

UDP encapsulation state.

vsr> show state vrf <vrf> ike ike-sa unique-id <uint32> udp-encap

mobike (state only)

IKEv2 Mobility and Multihoming Protocol (MOBIKE) state.

vsr> show state vrf <vrf> ike ike-sa unique-id <uint32> mobike

local-vip (state only)

List of local virtual IP addresses.

vsr> show state vrf <vrf> ike ike-sa unique-id <uint32> local-vip

remote-vip (state only)

List of local virtual IP addresses.

vsr> show state vrf <vrf> ike ike-sa unique-id <uint32> remote-vip

child-sa (state only)

List of Child Security Associations.

name (state only)

Name of the policy.

vsr> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> name

state (state only)

Child SA state.

vsr> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> state

reqid (state only)

Request ID of the Child SA, which binds IPsec SAs to SPs.

vsr> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> reqid

protocol (state only)

IPsec protocol.

vsr> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> protocol

udp-encap (state only)

UDP encapsulation state.

vsr> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> udp-encap

mobike (state only)

IKEv2 Mobility and Multihoming Protocol (MOBIKE) state.

vsr> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> mobike

spi-in (state only)

Inbound Security Parameters Index.

vsr> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> spi-in

spi-out (state only)

Outbound Security Parameters Index.

vsr> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> spi-out

svti-id-in (state only)

SVTI ID set on inbound SA.

vsr> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> svti-id-in

svti-id-out (state only)

SVTI ID set on outbound SA.

vsr> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> svti-id-out

enc-alg (state only)

ESP encryption algorithm.

vsr> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> enc-alg

auth-alg (state only)

ESP or AH authentication algorithm.

vsr> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> auth-alg

aead-alg (state only)

ESP combined-mode algorithm.

vsr> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> aead-alg

dh-group (state only)

Diffie-Hellman group for Perfect Forward Secrecy.

vsr> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> dh-group

esn (state only)

Extended Sequence Number state.

vsr> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> esn

bytes-in (state only)

Input bytes processed by this Child SA.

vsr> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> bytes-in

packets-in (state only)

Input packets processed by this Child SA.

vsr> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> packets-in

bytes-out (state only)

Output bytes processed by this Child SA.

vsr> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> bytes-out

packets-out (state only)

Output packets processed by this Child SA.

vsr> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> packets-out

installed-time (state only)

Seconds since IPsec SAs were installed.

vsr> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> installed-time

rekey-time (state only)

Seconds before IPsec SAs are rekeyed.

vsr> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> rekey-time

life-time (state only)

Seconds before IPsec SAs are deleted.

vsr> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> life-time

mode (state only)

IPsec mode.

vsr> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> mode

local-ts (state only)

Local traffic selector.

subnet (state only)

Private subnet or address (default: the tunnel outer address or virtual IP, if negotiated).

vsr> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> local-ts subnet

protocol (state only)

Protocol number (default any).

vsr> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> local-ts protocol

port (state only)

Port number or ICMP type/code (default any).

vsr> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> local-ts port

unsupported (state only)

The type of traffic selector proposed by the remote peer is not supported. The configuration may not work as expected.

vsr> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> local-ts unsupported

remote-ts (state only)

Remote traffic selector.

subnet (state only)

Private subnet or address (default: the tunnel outer address or virtual IP, if negotiated).

vsr> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> remote-ts subnet

protocol (state only)

Protocol number (default any).

vsr> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> remote-ts protocol

port (state only)

Port number or ICMP type/code (default any).

vsr> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> remote-ts port

unsupported (state only)

The type of traffic selector proposed by the remote peer is not supported. The configuration may not work as expected.

vsr> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> remote-ts unsupported

traffic-selectors (state only)

Traffic selectors.

local-ts (state only)

List of local traffic selectors (default the tunnel outer address or the virtual IP, if negotiated).

subnet (state only)

Private subnet or address (default: the tunnel outer address or virtual IP, if negotiated).

vsr> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> traffic-selectors local-ts <uint16> subnet

protocol (state only)

Protocol number (default any).

vsr> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> traffic-selectors local-ts <uint16> protocol

port (state only)

Port number or ICMP type/code (default any).

vsr> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> traffic-selectors local-ts <uint16> port

unsupported (state only)

The type of traffic selector proposed by the remote peer is not supported. The configuration may not work as expected.

vsr> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> traffic-selectors local-ts <uint16> unsupported

remote-ts (state only)

List of remote traffic selectors (default the tunnel outer address or the virtual IP, if negotiated).

subnet (state only)

Private subnet or address (default: the tunnel outer address or virtual IP, if negotiated).

vsr> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> traffic-selectors remote-ts <uint16> subnet

protocol (state only)

Protocol number (default any).

vsr> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> traffic-selectors remote-ts <uint16> protocol

port (state only)

Port number or ICMP type/code (default any).

vsr> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> traffic-selectors remote-ts <uint16> port

unsupported (state only)

The type of traffic selector proposed by the remote peer is not supported. The configuration may not work as expected.

vsr> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> traffic-selectors remote-ts <uint16> unsupported

pool-lease (state only)

List of virtual address pool leases.

address (state only)

Base virtual address of the pool.

vsr> show state vrf <vrf> ike pool-lease name <pool-lease> address

size (state only)

Virtual address pool size.

vsr> show state vrf <vrf> ike pool-lease name <pool-lease> size

online (state only)

Number of online virtual addresses.

vsr> show state vrf <vrf> ike pool-lease name <pool-lease> online

offline (state only)

Number of offline virtual addresses.

vsr> show state vrf <vrf> ike pool-lease name <pool-lease> offline