3.2.25. ike¶
Note
requires a Turbo IPsec Application License.
IKE configuration.
vrouter running config# vrf <vrf> ike
enabled¶
Enable or disable the IKE protocol and indicate whether the system should negotiate Security Associations for the IPsec protocol.
vrouter running config# vrf <vrf> ike
vrouter running ike# enabled true|false
- Default value
true
pool¶
List of virtual address pools.
vrouter running config# vrf <vrf> ike pool <pool>
<pool> |
IKE object name type. |
address (mandatory)¶
Virtual addresses in the pool.
vrouter running config# vrf <vrf> ike pool <pool>
vrouter running pool <pool># address ADDRESS
|
Description |
---|---|
<ipv4-address> |
An IPv4 address. |
<ipv6-address> |
An IPv6 address. |
<ipv4-prefix> |
An IPv4 prefix: address and CIDR mask. |
<ipv6-prefix> |
An IPv6 prefix: address and CIDR mask. |
<ipv4-range> |
An IPv4 address range, in the form addr4-addr4. |
<ipv6-range> |
An IPv6 address range, in the form addr6-addr6. |
dns¶
List of DNS (Domain Name Service) servers IP addresses.
vrouter running config# vrf <vrf> ike pool <pool>
vrouter running pool <pool># dns DNS
|
Description |
---|---|
<ipv4-address> |
An IPv4 address. |
<ipv6-address> |
An IPv6 address. |
nbns¶
List of NBNS (NetBIOS Name Service) servers IP addresses.
vrouter running config# vrf <vrf> ike pool <pool>
vrouter running pool <pool># nbns NBNS
|
Description |
---|---|
<ipv4-address> |
An IPv4 address. |
<ipv6-address> |
An IPv6 address. |
dhcp¶
List of DHCP servers IP addresses.
vrouter running config# vrf <vrf> ike pool <pool>
vrouter running pool <pool># dhcp DHCP
|
Description |
---|---|
<ipv4-address> |
An IPv4 address. |
<ipv6-address> |
An IPv6 address. |
certificate¶
List of X509 certificates.
vrouter running config# vrf <vrf> ike certificate <certificate>
<certificate> |
IKE object name type. |
certificate (mandatory)¶
PEM-encoded X509 certificate.
vrouter running config# vrf <vrf> ike certificate <certificate>
vrouter running certificate <certificate># certificate <string>
private-key (mandatory)¶
PEM-encoded X509 private key.
vrouter running config# vrf <vrf> ike certificate <certificate>
vrouter running certificate <certificate># private-key <string>
certificate-authority¶
List of X509 CA certificates.
vrouter running config# vrf <vrf> ike certificate-authority <certificate-authority>
<certificate-authority> |
IKE object name type. |
certificate (mandatory)¶
PEM-encoded X509 certificate.
vrouter running config# vrf <vrf> ike certificate-authority <certificate-authority>
vrouter running certificate-authority <certificate-authority># certificate <string>
crl¶
PEM-encoded X509 certificate revocation list.
vrouter running config# vrf <vrf> ike certificate-authority <certificate-authority>
vrouter running certificate-authority <certificate-authority># crl <string>
crl-uri¶
List of CRL distribution points (ldap or http URIs).
vrouter running config# vrf <vrf> ike certificate-authority <certificate-authority>
vrouter running certificate-authority <certificate-authority># crl-uri CRL-URI
CRL-URI |
An ASCII-encoded Uniform Resource Identifier (URI) as defined in RFC 3986. |
eap-key¶
List of EAP keys.
vrouter running config# vrf <vrf> ike eap-key <eap-key>
<eap-key> |
IKE object name type. |
id¶
List of EAP identities the EAP secret belongs to.
vrouter running config# vrf <vrf> ike eap-key <eap-key>
vrouter running eap-key <eap-key># id ID
ID |
EAP ID. |
secret (mandatory)¶
Value of the EAP secret.
vrouter running config# vrf <vrf> ike eap-key <eap-key>
vrouter running eap-key <eap-key># secret SECRET
|
Description |
---|---|
<0x-hex-string> |
Pre-shared key secret. |
<0s-base64-string> |
Pre-shared key secret. |
<ascii-string> |
Pre-shared key secret. |
eap-radius¶
EAP RADIUS parameters.
vrouter running config# vrf <vrf> ike eap-radius
nas-identifier¶
Network Access Server identifier.
vrouter running config# vrf <vrf> ike eap-radius
vrouter running eap-radius# nas-identifier <string>
- Default value
6WINDvRouter
auth-port¶
RADIUS server port number for EAP authentication.
vrouter running config# vrf <vrf> ike eap-radius
vrouter running eap-radius# auth-port <uint16>
- Default value
1812
sockets¶
Maximum simultaneous authentication sessions with the RADIUS server.
vrouter running config# vrf <vrf> ike eap-radius
vrouter running eap-radius# sockets <uint32>
- Default value
1
retransmit-tries¶
Number of times to retransmit a packet before giving up.
vrouter running config# vrf <vrf> ike eap-radius
vrouter running eap-radius# retransmit-tries <0..100>
- Default value
4
retransmit-timeout¶
Timeout in seconds before sending first retransmit.
vrouter running config# vrf <vrf> ike eap-radius
vrouter running eap-radius# retransmit-timeout <0.000 .. 60.000>
- Default value
2.0
retransmit-base¶
Base to use for calculating retransmit exponential back off.
vrouter running config# vrf <vrf> ike eap-radius
vrouter running eap-radius# retransmit-base <0.000 .. 10.000>
- Default value
1.4
server¶
List of RADIUS servers for EAP.
vrouter running config# vrf <vrf> ike eap-radius server <server>
<server> |
IKE object name type. |
address (mandatory)¶
RADIUS server IP address.
vrouter running config# vrf <vrf> ike eap-radius server <server>
vrouter running server <server># address ADDRESS
|
Description |
---|---|
<ipv4-address> |
An IPv4 address. |
<ipv6-address> |
An IPv6 address. |
secret (mandatory)¶
Secret shared with the RADIUS server.
vrouter running config# vrf <vrf> ike eap-radius server <server>
vrouter running server <server># secret SECRET
|
Description |
---|---|
<0x-hex-string> |
Pre-shared key secret. |
<0s-base64-string> |
Pre-shared key secret. |
<ascii-string> |
Pre-shared key secret. |
nas-identifier¶
Network Access Server identifier.
vrouter running config# vrf <vrf> ike eap-radius server <server>
vrouter running server <server># nas-identifier <string>
auth-port¶
RADIUS server port number for EAP authentication.
vrouter running config# vrf <vrf> ike eap-radius server <server>
vrouter running server <server># auth-port <uint16>
sockets¶
Maximum simultaneous authentication sessions with the RADIUS server.
vrouter running config# vrf <vrf> ike eap-radius server <server>
vrouter running server <server># sockets <uint32>
retransmit-tries¶
Number of times to retransmit a packet before giving up.
vrouter running config# vrf <vrf> ike eap-radius server <server>
vrouter running server <server># retransmit-tries <0..100>
retransmit-timeout¶
Timeout in seconds before sending first retransmit.
vrouter running config# vrf <vrf> ike eap-radius server <server>
vrouter running server <server># retransmit-timeout <0.000 .. 60.000>
retransmit-base¶
Base to use for calculating retransmit exponential back off.
vrouter running config# vrf <vrf> ike eap-radius server <server>
vrouter running server <server># retransmit-base <0.000 .. 10.000>
logging¶
Logs configuration.
vrouter running config# vrf <vrf> ike logging
daemon¶
Max level of messages logged in the system daemons facility.
vrouter running config# vrf <vrf> ike logging daemon
default¶
Default max log level.
vrouter running config# vrf <vrf> ike logging daemon
vrouter running daemon# default DEFAULT
|
Description |
---|---|
disable |
No log. |
0 |
Very basic auditing logs, (e.g. SA up/SA down). |
1 |
Generic control flow with errors, a good default to see whats going on. |
2 |
More detailed debugging control flow. |
3 |
Including RAW data dumps in hex. |
4 |
Also include sensitive material in dumps, e.g. keys. |
- Default value
0
asn1¶
Low-level encoding/decoding (ASN.1, X.509 etc.).
vrouter running config# vrf <vrf> ike logging daemon
vrouter running daemon# asn1 ASN1
|
Description |
---|---|
disable |
No log. |
0 |
Very basic auditing logs, (e.g. SA up/SA down). |
1 |
Generic control flow with errors, a good default to see whats going on. |
2 |
More detailed debugging control flow. |
3 |
Including RAW data dumps in hex. |
4 |
Also include sensitive material in dumps, e.g. keys. |
config¶
Configuration management and plugins.
vrouter running config# vrf <vrf> ike logging daemon
vrouter running daemon# config CONFIG
|
Description |
---|---|
disable |
No log. |
0 |
Very basic auditing logs, (e.g. SA up/SA down). |
1 |
Generic control flow with errors, a good default to see whats going on. |
2 |
More detailed debugging control flow. |
3 |
Including RAW data dumps in hex. |
4 |
Also include sensitive material in dumps, e.g. keys. |
child¶
CHILD_SA/IPsec SA processing.
vrouter running config# vrf <vrf> ike logging daemon
vrouter running daemon# child CHILD
|
Description |
---|---|
disable |
No log. |
0 |
Very basic auditing logs, (e.g. SA up/SA down). |
1 |
Generic control flow with errors, a good default to see whats going on. |
2 |
More detailed debugging control flow. |
3 |
Including RAW data dumps in hex. |
4 |
Also include sensitive material in dumps, e.g. keys. |
daemon¶
Main daemon setup/cleanup/signal handling.
vrouter running config# vrf <vrf> ike logging daemon
vrouter running daemon# daemon DAEMON
|
Description |
---|---|
disable |
No log. |
0 |
Very basic auditing logs, (e.g. SA up/SA down). |
1 |
Generic control flow with errors, a good default to see whats going on. |
2 |
More detailed debugging control flow. |
3 |
Including RAW data dumps in hex. |
4 |
Also include sensitive material in dumps, e.g. keys. |
encoding¶
Packet encoding/decoding encryption/decryption operations.
vrouter running config# vrf <vrf> ike logging daemon
vrouter running daemon# encoding ENCODING
|
Description |
---|---|
disable |
No log. |
0 |
Very basic auditing logs, (e.g. SA up/SA down). |
1 |
Generic control flow with errors, a good default to see whats going on. |
2 |
More detailed debugging control flow. |
3 |
Including RAW data dumps in hex. |
4 |
Also include sensitive material in dumps, e.g. keys. |
ipsec¶
Libipsec library messages.
vrouter running config# vrf <vrf> ike logging daemon
vrouter running daemon# ipsec IPSEC
|
Description |
---|---|
disable |
No log. |
0 |
Very basic auditing logs, (e.g. SA up/SA down). |
1 |
Generic control flow with errors, a good default to see whats going on. |
2 |
More detailed debugging control flow. |
3 |
Including RAW data dumps in hex. |
4 |
Also include sensitive material in dumps, e.g. keys. |
ike¶
IKE_SA/ISAKMP SA processing.
vrouter running config# vrf <vrf> ike logging daemon
vrouter running daemon# ike IKE
|
Description |
---|---|
disable |
No log. |
0 |
Very basic auditing logs, (e.g. SA up/SA down). |
1 |
Generic control flow with errors, a good default to see whats going on. |
2 |
More detailed debugging control flow. |
3 |
Including RAW data dumps in hex. |
4 |
Also include sensitive material in dumps, e.g. keys. |
job¶
Jobs queuing/processing and thread pool management.
vrouter running config# vrf <vrf> ike logging daemon
vrouter running daemon# job JOB
|
Description |
---|---|
disable |
No log. |
0 |
Very basic auditing logs, (e.g. SA up/SA down). |
1 |
Generic control flow with errors, a good default to see whats going on. |
2 |
More detailed debugging control flow. |
3 |
Including RAW data dumps in hex. |
4 |
Also include sensitive material in dumps, e.g. keys. |
kernel¶
IPsec/Networking kernel interface.
vrouter running config# vrf <vrf> ike logging daemon
vrouter running daemon# kernel KERNEL
|
Description |
---|---|
disable |
No log. |
0 |
Very basic auditing logs, (e.g. SA up/SA down). |
1 |
Generic control flow with errors, a good default to see whats going on. |
2 |
More detailed debugging control flow. |
3 |
Including RAW data dumps in hex. |
4 |
Also include sensitive material in dumps, e.g. keys. |
library¶
Libstrongwan library messages.
vrouter running config# vrf <vrf> ike logging daemon
vrouter running daemon# library LIBRARY
|
Description |
---|---|
disable |
No log. |
0 |
Very basic auditing logs, (e.g. SA up/SA down). |
1 |
Generic control flow with errors, a good default to see whats going on. |
2 |
More detailed debugging control flow. |
3 |
Including RAW data dumps in hex. |
4 |
Also include sensitive material in dumps, e.g. keys. |
manager¶
IKE_SA manager, handling synchronization for IKE_SA access.
vrouter running config# vrf <vrf> ike logging daemon
vrouter running daemon# manager MANAGER
|
Description |
---|---|
disable |
No log. |
0 |
Very basic auditing logs, (e.g. SA up/SA down). |
1 |
Generic control flow with errors, a good default to see whats going on. |
2 |
More detailed debugging control flow. |
3 |
Including RAW data dumps in hex. |
4 |
Also include sensitive material in dumps, e.g. keys. |
network¶
IKE network communication.
vrouter running config# vrf <vrf> ike logging daemon
vrouter running daemon# network NETWORK
|
Description |
---|---|
disable |
No log. |
0 |
Very basic auditing logs, (e.g. SA up/SA down). |
1 |
Generic control flow with errors, a good default to see whats going on. |
2 |
More detailed debugging control flow. |
3 |
Including RAW data dumps in hex. |
4 |
Also include sensitive material in dumps, e.g. keys. |
authpriv¶
Max level of messages logged in the private security/authorization messages facility.
vrouter running config# vrf <vrf> ike logging authpriv
default¶
Default max log level.
vrouter running config# vrf <vrf> ike logging authpriv
vrouter running authpriv# default DEFAULT
|
Description |
---|---|
disable |
No log. |
0 |
Very basic auditing logs, (e.g. SA up/SA down). |
1 |
Generic control flow with errors, a good default to see whats going on. |
2 |
More detailed debugging control flow. |
3 |
Including RAW data dumps in hex. |
4 |
Also include sensitive material in dumps, e.g. keys. |
- Default value
disable
asn1¶
Low-level encoding/decoding (ASN.1, X.509 etc.).
vrouter running config# vrf <vrf> ike logging authpriv
vrouter running authpriv# asn1 ASN1
|
Description |
---|---|
disable |
No log. |
0 |
Very basic auditing logs, (e.g. SA up/SA down). |
1 |
Generic control flow with errors, a good default to see whats going on. |
2 |
More detailed debugging control flow. |
3 |
Including RAW data dumps in hex. |
4 |
Also include sensitive material in dumps, e.g. keys. |
config¶
Configuration management and plugins.
vrouter running config# vrf <vrf> ike logging authpriv
vrouter running authpriv# config CONFIG
|
Description |
---|---|
disable |
No log. |
0 |
Very basic auditing logs, (e.g. SA up/SA down). |
1 |
Generic control flow with errors, a good default to see whats going on. |
2 |
More detailed debugging control flow. |
3 |
Including RAW data dumps in hex. |
4 |
Also include sensitive material in dumps, e.g. keys. |
child¶
CHILD_SA/IPsec SA processing.
vrouter running config# vrf <vrf> ike logging authpriv
vrouter running authpriv# child CHILD
|
Description |
---|---|
disable |
No log. |
0 |
Very basic auditing logs, (e.g. SA up/SA down). |
1 |
Generic control flow with errors, a good default to see whats going on. |
2 |
More detailed debugging control flow. |
3 |
Including RAW data dumps in hex. |
4 |
Also include sensitive material in dumps, e.g. keys. |
daemon¶
Main daemon setup/cleanup/signal handling.
vrouter running config# vrf <vrf> ike logging authpriv
vrouter running authpriv# daemon DAEMON
|
Description |
---|---|
disable |
No log. |
0 |
Very basic auditing logs, (e.g. SA up/SA down). |
1 |
Generic control flow with errors, a good default to see whats going on. |
2 |
More detailed debugging control flow. |
3 |
Including RAW data dumps in hex. |
4 |
Also include sensitive material in dumps, e.g. keys. |
encoding¶
Packet encoding/decoding encryption/decryption operations.
vrouter running config# vrf <vrf> ike logging authpriv
vrouter running authpriv# encoding ENCODING
|
Description |
---|---|
disable |
No log. |
0 |
Very basic auditing logs, (e.g. SA up/SA down). |
1 |
Generic control flow with errors, a good default to see whats going on. |
2 |
More detailed debugging control flow. |
3 |
Including RAW data dumps in hex. |
4 |
Also include sensitive material in dumps, e.g. keys. |
ipsec¶
Libipsec library messages.
vrouter running config# vrf <vrf> ike logging authpriv
vrouter running authpriv# ipsec IPSEC
|
Description |
---|---|
disable |
No log. |
0 |
Very basic auditing logs, (e.g. SA up/SA down). |
1 |
Generic control flow with errors, a good default to see whats going on. |
2 |
More detailed debugging control flow. |
3 |
Including RAW data dumps in hex. |
4 |
Also include sensitive material in dumps, e.g. keys. |
ike¶
IKE_SA/ISAKMP SA processing.
vrouter running config# vrf <vrf> ike logging authpriv
vrouter running authpriv# ike IKE
|
Description |
---|---|
disable |
No log. |
0 |
Very basic auditing logs, (e.g. SA up/SA down). |
1 |
Generic control flow with errors, a good default to see whats going on. |
2 |
More detailed debugging control flow. |
3 |
Including RAW data dumps in hex. |
4 |
Also include sensitive material in dumps, e.g. keys. |
job¶
Jobs queuing/processing and thread pool management.
vrouter running config# vrf <vrf> ike logging authpriv
vrouter running authpriv# job JOB
|
Description |
---|---|
disable |
No log. |
0 |
Very basic auditing logs, (e.g. SA up/SA down). |
1 |
Generic control flow with errors, a good default to see whats going on. |
2 |
More detailed debugging control flow. |
3 |
Including RAW data dumps in hex. |
4 |
Also include sensitive material in dumps, e.g. keys. |
kernel¶
IPsec/Networking kernel interface.
vrouter running config# vrf <vrf> ike logging authpriv
vrouter running authpriv# kernel KERNEL
|
Description |
---|---|
disable |
No log. |
0 |
Very basic auditing logs, (e.g. SA up/SA down). |
1 |
Generic control flow with errors, a good default to see whats going on. |
2 |
More detailed debugging control flow. |
3 |
Including RAW data dumps in hex. |
4 |
Also include sensitive material in dumps, e.g. keys. |
library¶
Libstrongwan library messages.
vrouter running config# vrf <vrf> ike logging authpriv
vrouter running authpriv# library LIBRARY
|
Description |
---|---|
disable |
No log. |
0 |
Very basic auditing logs, (e.g. SA up/SA down). |
1 |
Generic control flow with errors, a good default to see whats going on. |
2 |
More detailed debugging control flow. |
3 |
Including RAW data dumps in hex. |
4 |
Also include sensitive material in dumps, e.g. keys. |
manager¶
IKE_SA manager, handling synchronization for IKE_SA access.
vrouter running config# vrf <vrf> ike logging authpriv
vrouter running authpriv# manager MANAGER
|
Description |
---|---|
disable |
No log. |
0 |
Very basic auditing logs, (e.g. SA up/SA down). |
1 |
Generic control flow with errors, a good default to see whats going on. |
2 |
More detailed debugging control flow. |
3 |
Including RAW data dumps in hex. |
4 |
Also include sensitive material in dumps, e.g. keys. |
network¶
IKE network communication.
vrouter running config# vrf <vrf> ike logging authpriv
vrouter running authpriv# network NETWORK
|
Description |
---|---|
disable |
No log. |
0 |
Very basic auditing logs, (e.g. SA up/SA down). |
1 |
Generic control flow with errors, a good default to see whats going on. |
2 |
More detailed debugging control flow. |
3 |
Including RAW data dumps in hex. |
4 |
Also include sensitive material in dumps, e.g. keys. |
global-options¶
Global ike options.
vrouter running config# vrf <vrf> ike global-options
threads¶
Number of worker threads in IKE daemon.
vrouter running config# vrf <vrf> ike global-options
vrouter running global-options# threads <uint32>
- Default value
16
acquire-timeout¶
Lifetime of SA acquire messages created when traffic matches a trap policy (seconds).
vrouter running config# vrf <vrf> ike global-options
vrouter running global-options# acquire-timeout <uint32>
- Default value
30
sa-table-size¶
Size of the IKE SA hash table.
vrouter running config# vrf <vrf> ike global-options
vrouter running global-options# sa-table-size <uint32>
- Default value
1
sa-table-segments¶
Number of locks to use for the IKE SA hash table.
vrouter running config# vrf <vrf> ike global-options
vrouter running global-options# sa-table-segments <uint32>
- Default value
1
install-routes¶
If true, install routes into a separate routing table for established IPsec tunnels.
vrouter running config# vrf <vrf> ike global-options
vrouter running global-options# install-routes true|false
- Default value
false
routing-table¶
Numerical routing table to install routes to.
vrouter running config# vrf <vrf> ike global-options
vrouter running global-options# routing-table <uint32>
- Default value
220
routing-table-prio¶
Priority of the routing table.
vrouter running config# vrf <vrf> ike global-options
vrouter running global-options# routing-table-prio <uint32>
- Default value
220
retransmit-tries¶
Number of times to retransmit a packet before giving up.
vrouter running config# vrf <vrf> ike global-options
vrouter running global-options# retransmit-tries <0..100>
- Default value
5
retransmit-timeout¶
Timeout in seconds before sending first retransmit.
vrouter running config# vrf <vrf> ike global-options
vrouter running global-options# retransmit-timeout <0.000 .. 60.000>
- Default value
4.0
retransmit-base¶
Base to use for calculating retransmit exponential back off.
vrouter running config# vrf <vrf> ike global-options
vrouter running global-options# retransmit-base <0.000 .. 10.000>
- Default value
1.8
delete-rekeyed¶
Whether to immediately delete the old child SAs after an IKEv1 rekey. If false, old child SAs will be deleted after their hard lifetime, or on reception of a delete notification from the IKE peer.
vrouter running config# vrf <vrf> ike global-options
vrouter running global-options# delete-rekeyed true|false
- Default value
false
delete-rekeyed-delay¶
Delay in seconds before deleting the old inbound child SAs after an IKEv2 rekey as initiator.
vrouter running config# vrf <vrf> ike global-options
vrouter running global-options# delete-rekeyed-delay DELETE-REKEYED-DELAY
|
Description |
---|---|
never |
Keep the inbound child SA until its lifetime. |
<uint32> |
No description. |
- Default value
5
make-before-break¶
During reauthentication, whether to recreate all new SAs before deleting the old ones. This implies to use overlapping IKE and child SAs, which must be supported by the IKE peer.
vrouter running config# vrf <vrf> ike global-options
vrouter running global-options# make-before-break true|false
- Default value
false
interface-use¶
List of network interfaces that should be used. All other interfaces are ignored.
vrouter running config# vrf <vrf> ike global-options
vrouter running global-options# interface-use INTERFACE-USE
INTERFACE-USE |
An interface name. |
interface-ignore¶
List of network interfaces that should be ignored, if interfaces-use is specified this option has no effect.
vrouter running config# vrf <vrf> ike global-options
vrouter running global-options# interface-ignore INTERFACE-IGNORE
INTERFACE-IGNORE |
An interface name. |
snmp¶
Enable or disable the IKE SNMP agent (default false).
vrouter running config# vrf <vrf> ike global-options
vrouter running global-options# snmp true|false
- Default value
false
mobike-prefer-best-path¶
Dynamically update SAs with MOBIKE on routing changes using the cheapest path.
vrouter running config# vrf <vrf> ike global-options
vrouter running global-options# mobike-prefer-best-path true|false
- Default value
false
dos-protection¶
Denial of Service protection using cookies and aggressiveness checks.
vrouter running config# vrf <vrf> ike global-options dos-protection
cookie-threshold¶
Number of half-open IKE SAs that activate the cookie mechanism. 0 disables cookies.
vrouter running config# vrf <vrf> ike global-options dos-protection
vrouter running dos-protection# cookie-threshold COOKIE-THRESHOLD
|
Description |
---|---|
always |
Always activate the cookie mechanism. |
<uint32> |
No description. |
- Default value
10
block-threshold¶
Maximum number of half-open IKE SAs for a single peer IP. 0 disables this limit.
vrouter running config# vrf <vrf> ike global-options dos-protection
vrouter running dos-protection# block-threshold <uint32>
- Default value
5
init-limit-half-open¶
Refuse new connections if the current number of half open IKE SAs reaches this limit. 0 disables the limit.
vrouter running config# vrf <vrf> ike global-options dos-protection
vrouter running dos-protection# init-limit-half-open <uint32>
- Default value
0
sp-hash-ipv4¶
Thresholds for hashing IPv4 Security Policies in IPsec stack.
vrouter running config# vrf <vrf> ike global-options
vrouter running global-options# sp-hash-ipv4 local <uint8> remote <uint8>
sp-hash-ipv6¶
Thresholds for hashing IPv6 Security Policies in IPsec stack.
vrouter running config# vrf <vrf> ike global-options
vrouter running global-options# sp-hash-ipv6 local <uint8> remote <uint8>
ha¶
IKE High Availability parameters.
vrouter running config# vrf <vrf> ike ha
enabled¶
Enable or disable IKE High Availability.
vrouter running config# vrf <vrf> ike ha
vrouter running ha# enabled true|false
- Default value
true
listen-ha-group (mandatory)¶
The HA group to be monitored. If the state of this group changes, it will trigger a failover of the IKE service to/from another IKE HA node.
vrouter running config# vrf <vrf> ike ha
vrouter running ha# listen-ha-group <string>
node-id (mandatory)¶
Local identifier in the IKE HA Cluster.
vrouter running config# vrf <vrf> ike ha
vrouter running ha# node-id <int8>
interface (mandatory)¶
Interface on which to perform HA peer discovery.
vrouter running config# vrf <vrf> ike ha
vrouter running ha# interface INTERFACE
INTERFACE |
An interface name. |
local-address (mandatory)¶
Local IP address to communicate with the HA peer.
vrouter running config# vrf <vrf> ike ha
vrouter running ha# local-address LOCAL-ADDRESS
|
Description |
---|---|
<ipv4-address> |
An IPv4 address. |
<ipv6-address> |
An IPv6 address. |
remote-address (mandatory)¶
Remote IP address to communicate with the HA peer.
vrouter running config# vrf <vrf> ike ha
vrouter running ha# remote-address REMOTE-ADDRESS
|
Description |
---|---|
<ipv4-address> |
An IPv4 address. |
<ipv6-address> |
An IPv6 address. |
seqnum-sync¶
SA sequence number synchronization.
vrouter running config# vrf <vrf> ike ha seqnum-sync
oseq-shift¶
SA output sequence number advance on backup node.
vrouter running config# vrf <vrf> ike ha seqnum-sync
vrouter running seqnum-sync# oseq-shift <uint64>
- Default value
65536
sync-period-time¶
SA sequence number synchronization period in time. State is always printed in seconds.
vrouter running config# vrf <vrf> ike ha seqnum-sync
vrouter running seqnum-sync# sync-period-time SYNC-PERIOD-TIME
SYNC-PERIOD-TIME |
IKE duration, with optional unit (s|m|h|d). |
- Default value
10s
sync-period-packets¶
SA sequence number synchronization period in packets.
vrouter running config# vrf <vrf> ike ha seqnum-sync
vrouter running seqnum-sync# sync-period-packets <uint32>
- Default value
2
pool¶
List of virtual address pools synchronized via HA.
vrouter running config# vrf <vrf> ike ha pool <pool>
<pool> |
IKE object name type. |
address (mandatory)¶
Virtual addresses in the pool.
vrouter running config# vrf <vrf> ike ha pool <pool>
vrouter running pool <pool># address ADDRESS
|
Description |
---|---|
<ipv4-prefix> |
An IPv4 prefix: address and CIDR mask. |
<ipv6-prefix> |
An IPv6 prefix: address and CIDR mask. |
ike-policy-template (config only)¶
List of IKE VPN policies.
vrouter running config# vrf <vrf> ike ike-policy-template <ike-policy-template>
<ike-policy-template> |
IKE object name type. |
local-auth-method (config only)¶
Local IKE authentication method.
vrouter running config# vrf <vrf> ike ike-policy-template <ike-policy-template>
vrouter running ike-policy-template <ike-policy-template># local-auth-method LOCAL-AUTH-METHOD
|
Description |
---|---|
pre-shared-key |
Pre-shared key. |
certificate |
Public key signature with X509 Certificates. |
eap-md5 |
Extensible Authentication Protocol - MD5-Challenge. |
eap-mschapv2 |
Extensible Authentication Protocol - Microsoft Challenge-Handshake Authentication Protocol v2. |
- Default value
pre-shared-key
remote-auth-method (config only)¶
Remote IKE authentication method.
vrouter running config# vrf <vrf> ike ike-policy-template <ike-policy-template>
vrouter running ike-policy-template <ike-policy-template># remote-auth-method REMOTE-AUTH-METHOD
|
Description |
---|---|
pre-shared-key |
Pre-shared key. |
certificate |
Public key signature with X509 Certificates. |
eap-md5 |
Extensible Authentication Protocol - MD5-Challenge. |
eap-mschapv2 |
Extensible Authentication Protocol - Microsoft Challenge-Handshake Authentication Protocol v2. |
eap-radius |
Extensible Authentication Protocol delegated to a RADIUS server. |
- Default value
pre-shared-key
keying-tries (config only)¶
Number of times we should try to initiate an IKE connection if the responder does not answer (after a full sequence of retransmissions). A value of 0 initiates a new sequence forever, until the connection establishes or fails with a permanent error.
vrouter running config# vrf <vrf> ike ike-policy-template <ike-policy-template>
vrouter running ike-policy-template <ike-policy-template># keying-tries <uint32>
- Default value
1
unique-sa (config only)¶
Connection uniqueness policy to enforce, to avoid multiple connections from the same user ID.
vrouter running config# vrf <vrf> ike ike-policy-template <ike-policy-template>
vrouter running ike-policy-template <ike-policy-template># unique-sa UNIQUE-SA
|
Description |
---|---|
no |
Do not enforce IKE SA uniqueness, except if a peer included INITIAL_CONTACT notify. |
never |
Never enforce IKE SA uniqueness, even if a peer included INITIAL_CONTACT notify. Never send INITIAL_CONTACT as initiator. |
keep |
Reject new connection attempts from same user. |
replace |
Delete any existing connection if a new one for the same user gets established. |
- Default value
no
reauth-time (config only)¶
Time to schedule IKE reauthentication.
vrouter running config# vrf <vrf> ike ike-policy-template <ike-policy-template>
vrouter running ike-policy-template <ike-policy-template># reauth-time REAUTH-TIME
REAUTH-TIME |
IKE duration, with optional unit (s|m|h|d). |
- Default value
0s
rekey-time (config only)¶
Time to schedule IKE rekeying.
vrouter running config# vrf <vrf> ike ike-policy-template <ike-policy-template>
vrouter running ike-policy-template <ike-policy-template># rekey-time REKEY-TIME
REKEY-TIME |
IKE duration, with optional unit (s|m|h|d). |
- Default value
4h
dpd-delay (config only)¶
Interval to check the liveness of a peer.
vrouter running config# vrf <vrf> ike ike-policy-template <ike-policy-template>
vrouter running ike-policy-template <ike-policy-template># dpd-delay DPD-DELAY
DPD-DELAY |
IKE duration, with optional unit (s|m|h|d). |
- Default value
0s
aggressive (config only)¶
Enable or disable Aggressive Mode instead of Main Mode in IKEv1.
vrouter running config# vrf <vrf> ike ike-policy-template <ike-policy-template>
vrouter running ike-policy-template <ike-policy-template># aggressive true|false
- Default value
false
udp-encap (config only)¶
If true, enforce UDP encapsulation of ESP packets.
vrouter running config# vrf <vrf> ike ike-policy-template <ike-policy-template>
vrouter running ike-policy-template <ike-policy-template># udp-encap true|false
- Default value
false
mobike (config only)¶
If true, enable MOBIKE (IKEv2 Mobility and Multihoming Protocol).
vrouter running config# vrf <vrf> ike ike-policy-template <ike-policy-template>
vrouter running ike-policy-template <ike-policy-template># mobike true|false
- Default value
false
ike-proposal (config only)¶
List of IKE phase 1 proposals.
vrouter running config# vrf <vrf> ike ike-policy-template <ike-policy-template> ike-proposal <uint8>
<uint8> |
Index in the list of IKE phase 1 proposals. |
enc-alg (config only)¶
List of encryption algorithms for IKE SAs.
vrouter running config# vrf <vrf> ike ike-policy-template <ike-policy-template> ike-proposal <uint8>
vrouter running ike-proposal <uint8># enc-alg ENC-ALG
|
Description |
---|---|
aes128-cbc |
AES-CBC, 128 bit key. |
aes192-cbc |
AES-CBC, 192 bit key. |
aes256-cbc |
AES-CBC, 256 bit key. |
des-cbc |
DES-CBC, 56 bit key. |
3des-cbc |
3DES-CBC, 168 bit key. |
aes128-ctr |
AES-CTR, 128 bit key. |
aes192-ctr |
AES-CTR, 192 bit key. |
aes256-ctr |
AES-CTR, 256 bit key. |
cast-cbc |
CAST-CBC, 128 bit key. |
blowfish128-cbc |
Blowfish-CBC, 128 bit key. |
blowfish192-cbc |
Blowfish-CBC, 192 bit key. |
blowfish256-cbc |
Blowfish-CBC, 256 bit key. |
camellia128-cbc |
Camellia-CBC, 128 bit key. |
camellia192-cbc |
Camellia-CBC, 192 bit key. |
camellia256-cbc |
Camellia-CBC, 256 bit key. |
camellia128-ctr |
Camellia-CTR, 128 bit key. |
camellia192-ctr |
Camellia-CTR, 192 bit key. |
camellia256-ctr |
Camellia-CTR, 256 bit key. |
auth-alg (config only)¶
List of auth algorithms for IKE SAs.
vrouter running config# vrf <vrf> ike ike-policy-template <ike-policy-template> ike-proposal <uint8>
vrouter running ike-proposal <uint8># auth-alg AUTH-ALG
|
Description |
---|---|
hmac-md5 |
HMAC-MD5-96. |
hmac-sha1 |
HMAC-SHA1-96. |
hmac-sha256 |
HMAC-SHA256-128. |
hmac-sha384 |
HMAC-SHA384-192. |
hmac-sha512 |
HMAC-SHA512-256. |
aes-xcbc |
AES-XCBC-96. |
aead-alg (config only)¶
List of combined-mode (AEAD) algorithms for IKE SAs.
vrouter running config# vrf <vrf> ike ike-policy-template <ike-policy-template> ike-proposal <uint8>
vrouter running ike-proposal <uint8># aead-alg AEAD-ALG
|
Description |
---|---|
aes128-gcm-64 |
AES-GCM, 128 bit key, 64 bit ICV. |
aes192-gcm-64 |
AES-GCM, 192 bit key, 64 bit ICV. |
aes256-gcm-64 |
AES-GCM, 256 bit key, 64 bit ICV. |
aes128-gcm-96 |
AES-GCM, 128 bit key, 96 bit ICV. |
aes192-gcm-96 |
AES-GCM, 192 bit key, 96 bit ICV. |
aes256-gcm-96 |
AES-GCM, 256 bit key, 96 bit ICV. |
aes128-gcm-128 |
AES-GCM, 128 bit key, 128 bit ICV. |
aes192-gcm-128 |
AES-GCM, 192 bit key, 128 bit ICV. |
aes256-gcm-128 |
AES-GCM, 256 bit key, 128 bit ICV. |
aes128-ccm-64 |
AES-CCM, 128 bit key, 64 bit ICV. |
aes192-ccm-64 |
AES-CCM, 192 bit key, 64 bit ICV. |
aes256-ccm-64 |
AES-CCM, 256 bit key, 64 bit ICV. |
aes128-ccm-96 |
AES-CCM, 128 bit key, 96 bit ICV. |
aes192-ccm-96 |
AES-CCM, 192 bit key, 96 bit ICV. |
aes256-ccm-96 |
AES-CCM, 256 bit key, 96 bit ICV. |
aes128-ccm-128 |
AES-CCM, 128 bit key, 128 bit ICV. |
aes192-ccm-128 |
AES-CCM, 192 bit key, 128 bit ICV. |
aes256-ccm-128 |
AES-CCM, 256 bit key, 128 bit ICV. |
camellia128-ccm-64 |
Camellia-CCM, 128 bit key, 64 bit ICV. |
camellia192-ccm-64 |
Camellia-CCM, 192 bit key, 64 bit ICV. |
camellia256-ccm-64 |
Camellia-CCM, 256 bit key, 64 bit ICV. |
camellia128-ccm-96 |
Camellia-CCM, 128 bit key, 96 bit ICV. |
camellia192-ccm-96 |
Camellia-CCM, 192 bit key, 96 bit ICV. |
camellia256-ccm-96 |
Camellia-CCM, 256 bit key, 96 bit ICV. |
prf-alg (config only)¶
List of pseudo-random algorithms for IKE SAs.
vrouter running config# vrf <vrf> ike ike-policy-template <ike-policy-template> ike-proposal <uint8>
vrouter running ike-proposal <uint8># prf-alg PRF-ALG
|
Description |
---|---|
hmac-md5 |
PRF-HMAC-MD5. |
hmac-sha1 |
PRF-HMAC-SHA1. |
aes-xcbc |
AES-XCBC-PRF-128. |
aes-cmac |
AES-CMAC-PRF-128. |
hmac-sha256 |
PRF-HMAC-SHA-256. |
hmac-sha384 |
PRF-HMAC-SHA-384. |
hmac-sha512 |
PRF-HMAC-SHA-512. |
dh-group (config only)¶
List of Diffie Hellman groups for key exchange.
vrouter running config# vrf <vrf> ike ike-policy-template <ike-policy-template> ike-proposal <uint8>
vrouter running ike-proposal <uint8># dh-group DH-GROUP
|
Description |
---|---|
modp768 |
Modulo Prime 768 bits (group 1). |
modp1024 |
Modulo Prime 1024 bits (group 2). |
modp1536 |
Modulo Prime 1536 bits (group 5). |
modp2048 |
Modulo Prime 2048 bits (group 14). |
modp3072 |
Modulo Prime 3072 bits (group 15). |
modp4096 |
Modulo Prime 4096 bits (group 16). |
modp6144 |
Modulo Prime 6144 bits (group 17). |
modp8192 |
Modulo Prime 8192 bits (group 18). |
modp1024s160 |
Modulo Prime 1024 bits, Subgroup 160 bits (group 22). |
modp1024s224 |
Modulo Prime 1024 bits, Subgroup 224 bits (group 23). |
modp1024s256 |
Modulo Prime 1024 bits, Subgroup 256 bits (group 24). |
ecp192 |
Elliptic Curve 192 bits (group 25). |
ecp224 |
Elliptic Curve 224 bits (group 26). |
ecp256 |
Elliptic Curve 256 bits (group 19). |
ecp384 |
Elliptic Curve 384 bits (group 20). |
ecp521 |
Elliptic Curve 521 bits (group 21). |
ecp224bp |
Brainpool Elliptic Curve 224 bits (group 27). |
ecp256bp |
Brainpool Elliptic Curve 256 bits (group 28). |
ecp384bp |
Brainpool Elliptic Curve 384 bits (group 29). |
ecp512bp |
Brainpool Elliptic Curve 512 bits (group 30). |
ipsec-policy-template (config only)¶
List of IPsec VPN policies.
vrouter running config# vrf <vrf> ike ipsec-policy-template <ipsec-policy-template>
<ipsec-policy-template> |
IKE object name type. |
start-action (config only)¶
Action to perform for this CHILD_SA on DPD timeout.
vrouter running config# vrf <vrf> ike ipsec-policy-template <ipsec-policy-template>
vrouter running ipsec-policy-template <ipsec-policy-template># start-action START-ACTION
|
Description |
---|---|
none |
Load the connection only, can be used as a responder configuration. |
trap |
Install a trap policy, which triggers the tunnel as soon as matching traffic has been detected. |
start |
Initiate the connection actively. |
- Default value
trap
close-action (config only)¶
Action to perform when a CHILD_SA gets closed by a peer.
vrouter running config# vrf <vrf> ike ipsec-policy-template <ipsec-policy-template>
vrouter running ipsec-policy-template <ipsec-policy-template># close-action CLOSE-ACTION
|
Description |
---|---|
none |
Close the Child SA and take no further action. |
trap |
Install a trap policy matching traffic and try to re-negotiate the tunnel on-demand. |
start |
Try to immediately re-create the CHILD_SA. |
- Default value
trap
dpd-action (config only)¶
Action to perform for a CHILD_SA on DPD timeout.
vrouter running config# vrf <vrf> ike ipsec-policy-template <ipsec-policy-template>
vrouter running ipsec-policy-template <ipsec-policy-template># dpd-action DPD-ACTION
|
Description |
---|---|
clear |
Close the Child SA and take no further action. |
trap |
Install a trap policy, which will catch matching traffic and tries to re-negotiate the tunnel on-demand action. |
restart |
Immediately try to re-negotiate the CHILD_SA under a fresh IKE_SA. |
- Default value
restart
replay-window (config only)¶
Replay window size. 0 disables IPsec replay protection.
vrouter running config# vrf <vrf> ike ipsec-policy-template <ipsec-policy-template>
vrouter running ipsec-policy-template <ipsec-policy-template># replay-window <uint16>
- Default value
32
rekey-time (config only)¶
Time before initiating CHILD_SA rekeying.
vrouter running config# vrf <vrf> ike ipsec-policy-template <ipsec-policy-template>
vrouter running ipsec-policy-template <ipsec-policy-template># rekey-time REKEY-TIME
REKEY-TIME |
IKE duration, with optional unit (s|m|h|d). |
- Default value
1h
life-time (config only)¶
Maximum lifetime before CHILD_SA gets closed (default rekey-time + 10%).
vrouter running config# vrf <vrf> ike ipsec-policy-template <ipsec-policy-template>
vrouter running ipsec-policy-template <ipsec-policy-template># life-time LIFE-TIME
LIFE-TIME |
IKE duration, with optional unit (s|m|h|d). |
rand-time (config only)¶
Time range from which to choose a random value to subtract from rekey_time (default life_time - rekey_time).
vrouter running config# vrf <vrf> ike ipsec-policy-template <ipsec-policy-template>
vrouter running ipsec-policy-template <ipsec-policy-template># rand-time RAND-TIME
RAND-TIME |
IKE duration, with optional unit (s|m|h|d). |
rekey-bytes (config only)¶
Number of bytes processed before initiating CHILD_SA rekeying.
vrouter running config# vrf <vrf> ike ipsec-policy-template <ipsec-policy-template>
vrouter running ipsec-policy-template <ipsec-policy-template># rekey-bytes <uint64>
- Default value
0
life-bytes (config only)¶
Maximum bytes processed before CHILD_SA gets closed (default rekey- bytes + 10%).
vrouter running config# vrf <vrf> ike ipsec-policy-template <ipsec-policy-template>
vrouter running ipsec-policy-template <ipsec-policy-template># life-bytes <uint64>
rand-bytes (config only)¶
Byte range from which to choose a random value to subtract from rekey_bytes (default life_bytes - rekey_bytes).
vrouter running config# vrf <vrf> ike ipsec-policy-template <ipsec-policy-template>
vrouter running ipsec-policy-template <ipsec-policy-template># rand-bytes <uint64>
rekey-packets (config only)¶
Number of packets processed before initiating CHILD_SA rekeying.
vrouter running config# vrf <vrf> ike ipsec-policy-template <ipsec-policy-template>
vrouter running ipsec-policy-template <ipsec-policy-template># rekey-packets <uint64>
- Default value
0
life-packets (config only)¶
Maximum packets processed before CHILD_SA gets closed (default rekey- bytes + 10%).
vrouter running config# vrf <vrf> ike ipsec-policy-template <ipsec-policy-template>
vrouter running ipsec-policy-template <ipsec-policy-template># life-packets <uint64>
rand-packets (config only)¶
Packet range from which to choose a random value to subtract from rekey_packets (default life_bytes - rekey_bytes).
vrouter running config# vrf <vrf> ike ipsec-policy-template <ipsec-policy-template>
vrouter running ipsec-policy-template <ipsec-policy-template># rand-packets <uint64>
encap-copy-dscp (config only)¶
Whether to copy DSCP from inner to outer IP header at IPsec encapsulation.
vrouter running config# vrf <vrf> ike ipsec-policy-template <ipsec-policy-template>
vrouter running ipsec-policy-template <ipsec-policy-template># encap-copy-dscp true|false
- Default value
true
decap-copy-dscp (config only)¶
Whether to copy DSCP from outer to inner IP header at IPsec decapsulation.
vrouter running config# vrf <vrf> ike ipsec-policy-template <ipsec-policy-template>
vrouter running ipsec-policy-template <ipsec-policy-template># decap-copy-dscp true|false
- Default value
false
encap-copy-df (config only)¶
Whether to copy the Don’t Fragment bit from outer to inner IP header at IPsec encapsulation.
vrouter running config# vrf <vrf> ike ipsec-policy-template <ipsec-policy-template>
vrouter running ipsec-policy-template <ipsec-policy-template># encap-copy-df true|false
- Default value
true
esp-proposal (config only)¶
List of ESP proposals.
vrouter running config# vrf <vrf> ike ipsec-policy-template <ipsec-policy-template> esp-proposal <uint8>
<uint8> |
Index in list of ESP proposals. |
enc-alg (config only)¶
List of encryption algorithms for IPsec SAs.
vrouter running config# vrf <vrf> ike ipsec-policy-template <ipsec-policy-template> esp-proposal <uint8>
vrouter running esp-proposal <uint8># enc-alg ENC-ALG
|
Description |
---|---|
null |
NULL. |
aes128-cbc |
AES-CBC, 128 bit key. |
aes192-cbc |
AES-CBC, 192 bit key. |
aes256-cbc |
AES-CBC, 256 bit key. |
des-cbc |
DES-CBC, 56 bit key. |
3des-cbc |
3DES-CBC, 168 bit key. |
auth-alg (config only)¶
List of auth algorithms for IPsec SAs.
vrouter running config# vrf <vrf> ike ipsec-policy-template <ipsec-policy-template> esp-proposal <uint8>
vrouter running esp-proposal <uint8># auth-alg AUTH-ALG
|
Description |
---|---|
none |
NONE. |
hmac-md5 |
HMAC-MD5-96. |
hmac-sha1 |
HMAC-SHA1-96. |
hmac-sha256 |
HMAC-SHA256-128. |
hmac-sha384 |
HMAC-SHA384-192. |
hmac-sha512 |
HMAC-SHA512-256. |
aes-xcbc |
AES-XCBC-96. |
aead-alg (config only)¶
List of combined-mode (AEAD) algorithms for IPsec SAs.
vrouter running config# vrf <vrf> ike ipsec-policy-template <ipsec-policy-template> esp-proposal <uint8>
vrouter running esp-proposal <uint8># aead-alg AEAD-ALG
|
Description |
---|---|
aes128-gcm-128 |
AES-GCM, 128 bit key, 128 bit ICV. |
aes192-gcm-128 |
AES-GCM, 192 bit key, 128 bit ICV. |
aes256-gcm-128 |
AES-GCM, 256 bit key, 128 bit ICV. |
aes128-gmac |
AES-GMAC, 128 bit key, 128 bit ICV. |
aes192-gmac |
AES-GMAC, 192 bit key, 128 bit ICV. |
aes256-gmac |
AES-GMAC, 256 bit key, 128 bit ICV. |
dh-group (config only)¶
List of Diffie Hellman groups for Perfect Forward Secrecy.
vrouter running config# vrf <vrf> ike ipsec-policy-template <ipsec-policy-template> esp-proposal <uint8>
vrouter running esp-proposal <uint8># dh-group DH-GROUP
|
Description |
---|---|
modp768 |
Modulo Prime 768 bits (group 1). |
modp1024 |
Modulo Prime 1024 bits (group 2). |
modp1536 |
Modulo Prime 1536 bits (group 5). |
modp2048 |
Modulo Prime 2048 bits (group 14). |
modp3072 |
Modulo Prime 3072 bits (group 15). |
modp4096 |
Modulo Prime 4096 bits (group 16). |
modp6144 |
Modulo Prime 6144 bits (group 17). |
modp8192 |
Modulo Prime 8192 bits (group 18). |
modp1024s160 |
Modulo Prime 1024 bits, Subgroup 160 bits (group 22). |
modp1024s224 |
Modulo Prime 1024 bits, Subgroup 224 bits (group 23). |
modp1024s256 |
Modulo Prime 1024 bits, Subgroup 256 bits (group 24). |
ecp192 |
Elliptic Curve 192 bits (group 25). |
ecp224 |
Elliptic Curve 224 bits (group 26). |
ecp256 |
Elliptic Curve 256 bits (group 19). |
ecp384 |
Elliptic Curve 384 bits (group 20). |
ecp521 |
Elliptic Curve 521 bits (group 21). |
ecp224bp |
Brainpool Elliptic Curve 224 bits (group 27). |
ecp256bp |
Brainpool Elliptic Curve 256 bits (group 28). |
ecp384bp |
Brainpool Elliptic Curve 384 bits (group 29). |
ecp512bp |
Brainpool Elliptic Curve 512 bits (group 30). |
esn (config only)¶
List of Extended Sequence Number modes.
vrouter running config# vrf <vrf> ike ipsec-policy-template <ipsec-policy-template> esp-proposal <uint8>
vrouter running esp-proposal <uint8># esn true|false
ah-proposal (config only)¶
List of AH proposals.
vrouter running config# vrf <vrf> ike ipsec-policy-template <ipsec-policy-template> ah-proposal <string>
<string> |
Index in list of AH proposals. |
auth-alg (config only)¶
List of auth algorithms for IPsec SAs.
vrouter running config# vrf <vrf> ike ipsec-policy-template <ipsec-policy-template> ah-proposal <string>
vrouter running ah-proposal <string># auth-alg AUTH-ALG
|
Description |
---|---|
hmac-md5 |
HMAC-MD5-96. |
hmac-sha1 |
HMAC-SHA1-96. |
hmac-sha256 |
HMAC-SHA256-128. |
hmac-sha384 |
HMAC-SHA384-192. |
hmac-sha512 |
HMAC-SHA512-256. |
aes-xcbc |
AES-XCBC-96. |
dh-group (config only)¶
List of Diffie Hellman groups for Perfect Forward Secrecy.
vrouter running config# vrf <vrf> ike ipsec-policy-template <ipsec-policy-template> ah-proposal <string>
vrouter running ah-proposal <string># dh-group DH-GROUP
|
Description |
---|---|
modp768 |
Modulo Prime 768 bits (group 1). |
modp1024 |
Modulo Prime 1024 bits (group 2). |
modp1536 |
Modulo Prime 1536 bits (group 5). |
modp2048 |
Modulo Prime 2048 bits (group 14). |
modp3072 |
Modulo Prime 3072 bits (group 15). |
modp4096 |
Modulo Prime 4096 bits (group 16). |
modp6144 |
Modulo Prime 6144 bits (group 17). |
modp8192 |
Modulo Prime 8192 bits (group 18). |
modp1024s160 |
Modulo Prime 1024 bits, Subgroup 160 bits (group 22). |
modp1024s224 |
Modulo Prime 1024 bits, Subgroup 224 bits (group 23). |
modp1024s256 |
Modulo Prime 1024 bits, Subgroup 256 bits (group 24). |
ecp192 |
Elliptic Curve 192 bits (group 25). |
ecp224 |
Elliptic Curve 224 bits (group 26). |
ecp256 |
Elliptic Curve 256 bits (group 19). |
ecp384 |
Elliptic Curve 384 bits (group 20). |
ecp521 |
Elliptic Curve 521 bits (group 21). |
ecp224bp |
Brainpool Elliptic Curve 224 bits (group 27). |
ecp256bp |
Brainpool Elliptic Curve 256 bits (group 28). |
ecp384bp |
Brainpool Elliptic Curve 384 bits (group 29). |
ecp512bp |
Brainpool Elliptic Curve 512 bits (group 30). |
esn (config only)¶
List of Extended Sequence Number modes.
vrouter running config# vrf <vrf> ike ipsec-policy-template <ipsec-policy-template> ah-proposal <string>
vrouter running ah-proposal <string># esn true|false
vpn¶
List of IKE Virtual Private Networks.
vrouter running config# vrf <vrf> ike vpn <vpn>
<vpn> |
IKE object name type. |
description¶
Description of the VPN.
vrouter running config# vrf <vrf> ike vpn <vpn>
vrouter running vpn <vpn># description <string>
version¶
IKE version. 0 accepts both IKEv1 and IKEv2 as responder, and initiates the connection actively with IKEv2.
vrouter running config# vrf <vrf> ike vpn <vpn>
vrouter running vpn <vpn># version <uint8>
- Default value
2
local-address¶
List of IKE local peer addresses.
vrouter running config# vrf <vrf> ike vpn <vpn>
vrouter running vpn <vpn># local-address LOCAL-ADDRESS
|
Description |
---|---|
<domain-name> |
The domain-name type represents a DNS domain name. Fully quallified left to the models which utilize this type. Internet domain names are only loosely specified. Section 3.5 of RFC 1034 recommends a syntax (modified in Section 2.1 of RFC 1123). The pattern above is intended to allow for current practice in domain name use, and some possible future expansion. It is designed to hold various types of domain names, including names used for A or AAAA records (host names) and other records, such as SRV records. Note that Internet host names have a stricter syntax (described in RFC 952) than the DNS recommendations in RFCs 1034 and 1123, and that systems that want to store host names in schema nodes using the domain-name type are recommended to adhere to this stricter standard to ensure interoperability. The encoding of DNS names in the DNS protocol is limited to 255 characters. Since the encoding consists of labels prefixed by a length bytes and there is a trailing NULL byte, only 253 characters can appear in the textual dotted notation. Domain-name values use the US-ASCII encoding. Their canonical format uses lowercase US-ASCII characters. Internationalized domain names MUST be encoded in punycode as described in RFC 3492. |
<ipv4-address> |
An IPv4 address. |
<ipv6-address> |
An IPv6 address. |
<ipv4-prefix> |
An IPv4 prefix: address and CIDR mask. |
<ipv6-prefix> |
An IPv6 prefix: address and CIDR mask. |
<ipv4-range> |
An IPv4 address range, in the form addr4-addr4. |
<ipv6-range> |
An IPv6 address range, in the form addr6-addr6. |
remote-address¶
List of IKE remote peer addresses.
vrouter running config# vrf <vrf> ike vpn <vpn>
vrouter running vpn <vpn># remote-address REMOTE-ADDRESS
|
Description |
---|---|
<domain-name> |
The domain-name type represents a DNS domain name. Fully quallified left to the models which utilize this type. Internet domain names are only loosely specified. Section 3.5 of RFC 1034 recommends a syntax (modified in Section 2.1 of RFC 1123). The pattern above is intended to allow for current practice in domain name use, and some possible future expansion. It is designed to hold various types of domain names, including names used for A or AAAA records (host names) and other records, such as SRV records. Note that Internet host names have a stricter syntax (described in RFC 952) than the DNS recommendations in RFCs 1034 and 1123, and that systems that want to store host names in schema nodes using the domain-name type are recommended to adhere to this stricter standard to ensure interoperability. The encoding of DNS names in the DNS protocol is limited to 255 characters. Since the encoding consists of labels prefixed by a length bytes and there is a trailing NULL byte, only 253 characters can appear in the textual dotted notation. Domain-name values use the US-ASCII encoding. Their canonical format uses lowercase US-ASCII characters. Internationalized domain names MUST be encoded in punycode as described in RFC 3492. |
<ipv4-address> |
An IPv4 address. |
<ipv6-address> |
An IPv6 address. |
<ipv4-prefix> |
An IPv4 prefix: address and CIDR mask. |
<ipv6-prefix> |
An IPv6 prefix: address and CIDR mask. |
<ipv4-range> |
An IPv4 address range, in the form addr4-addr4. |
<ipv6-range> |
An IPv6 address range, in the form addr6-addr6. |
local-id¶
Local IKE identifier (IP address, fqdn, user-fqdn, ASN.1 Distinguished Name) (Default psk: IP address, certificates: SubjectName).
vrouter running config# vrf <vrf> ike vpn <vpn>
vrouter running vpn <vpn># local-id LOCAL-ID
|
Description |
---|---|
<ike-id> |
An IPv4 address. |
<ike-id> |
An IPv6 address. |
<ike-id> |
The domain-name type represents a DNS domain name. Fully quallified left to the models which utilize this type. Internet domain names are only loosely specified. Section 3.5 of RFC 1034 recommends a syntax (modified in Section 2.1 of RFC 1123). The pattern above is intended to allow for current practice in domain name use, and some possible future expansion. It is designed to hold various types of domain names, including names used for A or AAAA records (host names) and other records, such as SRV records. Note that Internet host names have a stricter syntax (described in RFC 952) than the DNS recommendations in RFCs 1034 and 1123, and that systems that want to store host names in schema nodes using the domain-name type are recommended to adhere to this stricter standard to ensure interoperability. The encoding of DNS names in the DNS protocol is limited to 255 characters. Since the encoding consists of labels prefixed by a length bytes and there is a trailing NULL byte, only 253 characters can appear in the textual dotted notation. Domain-name values use the US-ASCII encoding. Their canonical format uses lowercase US-ASCII characters. Internationalized domain names MUST be encoded in punycode as described in RFC 3492. |
<ike-id> |
IKE ID (IP address, fqdn, e-mail address or distinguished name). |
<ike-id> |
IKE ID (IP address, fqdn, e-mail address or distinguished name). |
remote-id¶
Remote IKE identifier (IP address, fqdn, user-fqdn, ASN.1 Distinguished Name) (Default psk: IP address, certificates: SubjectName).
vrouter running config# vrf <vrf> ike vpn <vpn>
vrouter running vpn <vpn># remote-id REMOTE-ID
|
Description |
---|---|
<ike-id> |
An IPv4 address. |
<ike-id> |
An IPv6 address. |
<ike-id> |
The domain-name type represents a DNS domain name. Fully quallified left to the models which utilize this type. Internet domain names are only loosely specified. Section 3.5 of RFC 1034 recommends a syntax (modified in Section 2.1 of RFC 1123). The pattern above is intended to allow for current practice in domain name use, and some possible future expansion. It is designed to hold various types of domain names, including names used for A or AAAA records (host names) and other records, such as SRV records. Note that Internet host names have a stricter syntax (described in RFC 952) than the DNS recommendations in RFCs 1034 and 1123, and that systems that want to store host names in schema nodes using the domain-name type are recommended to adhere to this stricter standard to ensure interoperability. The encoding of DNS names in the DNS protocol is limited to 255 characters. Since the encoding consists of labels prefixed by a length bytes and there is a trailing NULL byte, only 253 characters can appear in the textual dotted notation. Domain-name values use the US-ASCII encoding. Their canonical format uses lowercase US-ASCII characters. Internationalized domain names MUST be encoded in punycode as described in RFC 3492. |
<ike-id> |
IKE ID (IP address, fqdn, e-mail address or distinguished name). |
<ike-id> |
IKE ID (IP address, fqdn, e-mail address or distinguished name). |
local-eap-id¶
Local EAP identifier (Default = local-id).
vrouter running config# vrf <vrf> ike vpn <vpn>
vrouter running vpn <vpn># local-eap-id LOCAL-EAP-ID
LOCAL-EAP-ID |
EAP ID. |
remote-eap-id¶
Remote EAP identifier (Default = remote-id).
vrouter running config# vrf <vrf> ike vpn <vpn>
vrouter running vpn <vpn># remote-eap-id REMOTE-EAP-ID
REMOTE-EAP-ID |
EAP ID. |
certificate¶
List of certificates to use for authentication of the local peer.
vrouter running config# vrf <vrf> ike vpn <vpn>
vrouter running vpn <vpn># certificate <leafref>
remote-ca-certificate¶
List of certificate authority certificates to accept for authentication of the remote peer.
vrouter running config# vrf <vrf> ike vpn <vpn>
vrouter running vpn <vpn># remote-ca-certificate <leafref>
vip-request¶
List of virtual IP addresses to request (0.0.0.0 for any IPv4 address, :: for any IPv6 address).
vrouter running config# vrf <vrf> ike vpn <vpn>
vrouter running vpn <vpn># vip-request VIP-REQUEST
|
Description |
---|---|
<ipv4-address> |
An IPv4 address. |
<ipv6-address> |
An IPv6 address. |
vip-pool¶
List of virtual IP pools, to assign a virtual IP to an IKE peer.
vrouter running config# vrf <vrf> ike vpn <vpn>
vrouter running vpn <vpn># vip-pool <leafref>
dynamic-svti (config only)¶
Dynamic SVTI interfaces creation.
vrouter running config# vrf <vrf> ike vpn <vpn> dynamic-svti
svti-template (config only) (mandatory)¶
Dynamic SVTI template.
vrouter running config# vrf <vrf> ike vpn <vpn> dynamic-svti
vrouter running dynamic-svti# svti-template <leafref>
vrf (config only)¶
Dynamic SVTI template vrf.
vrouter running config# vrf <vrf> ike vpn <vpn> dynamic-svti
vrouter running dynamic-svti# vrf VRF
|
Description |
---|---|
main |
The main vrf. |
<string> |
The vrf name. |
ike-policy¶
IKE policy configuration.
vrouter running config# vrf <vrf> ike vpn <vpn> ike-policy
template (config only) (mandatory)¶
Template from which this IKE policy derives.
vrouter running config# vrf <vrf> ike vpn <vpn> ike-policy
vrouter running ike-policy# template <leafref>
local-auth-method¶
Local IKE authentication method.
vrouter running config# vrf <vrf> ike vpn <vpn> ike-policy
vrouter running ike-policy# local-auth-method LOCAL-AUTH-METHOD
|
Description |
---|---|
pre-shared-key |
Pre-shared key. |
certificate |
Public key signature with X509 Certificates. |
eap-md5 |
Extensible Authentication Protocol - MD5-Challenge. |
eap-mschapv2 |
Extensible Authentication Protocol - Microsoft Challenge-Handshake Authentication Protocol v2. |
remote-auth-method¶
Remote IKE authentication method.
vrouter running config# vrf <vrf> ike vpn <vpn> ike-policy
vrouter running ike-policy# remote-auth-method REMOTE-AUTH-METHOD
|
Description |
---|---|
pre-shared-key |
Pre-shared key. |
certificate |
Public key signature with X509 Certificates. |
eap-md5 |
Extensible Authentication Protocol - MD5-Challenge. |
eap-mschapv2 |
Extensible Authentication Protocol - Microsoft Challenge-Handshake Authentication Protocol v2. |
eap-radius |
Extensible Authentication Protocol delegated to a RADIUS server. |
keying-tries¶
Number of times we should try to initiate an IKE connection if the responder does not answer (after a full sequence of retransmissions). A value of 0 initiates a new sequence forever, until the connection establishes or fails with a permanent error.
vrouter running config# vrf <vrf> ike vpn <vpn> ike-policy
vrouter running ike-policy# keying-tries <uint32>
unique-sa¶
Connection uniqueness policy to enforce, to avoid multiple connections from the same user ID.
vrouter running config# vrf <vrf> ike vpn <vpn> ike-policy
vrouter running ike-policy# unique-sa UNIQUE-SA
|
Description |
---|---|
no |
Do not enforce IKE SA uniqueness, except if a peer included INITIAL_CONTACT notify. |
never |
Never enforce IKE SA uniqueness, even if a peer included INITIAL_CONTACT notify. Never send INITIAL_CONTACT as initiator. |
keep |
Reject new connection attempts from same user. |
replace |
Delete any existing connection if a new one for the same user gets established. |
reauth-time¶
Time to schedule IKE reauthentication.
vrouter running config# vrf <vrf> ike vpn <vpn> ike-policy
vrouter running ike-policy# reauth-time REAUTH-TIME
REAUTH-TIME |
IKE duration, with optional unit (s|m|h|d). |
rekey-time¶
Time to schedule IKE rekeying.
vrouter running config# vrf <vrf> ike vpn <vpn> ike-policy
vrouter running ike-policy# rekey-time REKEY-TIME
REKEY-TIME |
IKE duration, with optional unit (s|m|h|d). |
dpd-delay¶
Interval to check the liveness of a peer.
vrouter running config# vrf <vrf> ike vpn <vpn> ike-policy
vrouter running ike-policy# dpd-delay DPD-DELAY
DPD-DELAY |
IKE duration, with optional unit (s|m|h|d). |
aggressive¶
Enable or disable Aggressive Mode instead of Main Mode in IKEv1.
vrouter running config# vrf <vrf> ike vpn <vpn> ike-policy
vrouter running ike-policy# aggressive true|false
udp-encap¶
If true, enforce UDP encapsulation of ESP packets.
vrouter running config# vrf <vrf> ike vpn <vpn> ike-policy
vrouter running ike-policy# udp-encap true|false
mobike¶
If true, enable MOBIKE (IKEv2 Mobility and Multihoming Protocol).
vrouter running config# vrf <vrf> ike vpn <vpn> ike-policy
vrouter running ike-policy# mobike true|false
ike-proposal¶
List of IKE phase 1 proposals.
vrouter running config# vrf <vrf> ike vpn <vpn> ike-policy ike-proposal <uint8>
<uint8> |
Index in the list of IKE phase 1 proposals. |
enc-alg¶
List of encryption algorithms for IKE SAs.
vrouter running config# vrf <vrf> ike vpn <vpn> ike-policy ike-proposal <uint8>
vrouter running ike-proposal <uint8># enc-alg ENC-ALG
|
Description |
---|---|
aes128-cbc |
AES-CBC, 128 bit key. |
aes192-cbc |
AES-CBC, 192 bit key. |
aes256-cbc |
AES-CBC, 256 bit key. |
des-cbc |
DES-CBC, 56 bit key. |
3des-cbc |
3DES-CBC, 168 bit key. |
aes128-ctr |
AES-CTR, 128 bit key. |
aes192-ctr |
AES-CTR, 192 bit key. |
aes256-ctr |
AES-CTR, 256 bit key. |
cast-cbc |
CAST-CBC, 128 bit key. |
blowfish128-cbc |
Blowfish-CBC, 128 bit key. |
blowfish192-cbc |
Blowfish-CBC, 192 bit key. |
blowfish256-cbc |
Blowfish-CBC, 256 bit key. |
camellia128-cbc |
Camellia-CBC, 128 bit key. |
camellia192-cbc |
Camellia-CBC, 192 bit key. |
camellia256-cbc |
Camellia-CBC, 256 bit key. |
camellia128-ctr |
Camellia-CTR, 128 bit key. |
camellia192-ctr |
Camellia-CTR, 192 bit key. |
camellia256-ctr |
Camellia-CTR, 256 bit key. |
auth-alg¶
List of auth algorithms for IKE SAs.
vrouter running config# vrf <vrf> ike vpn <vpn> ike-policy ike-proposal <uint8>
vrouter running ike-proposal <uint8># auth-alg AUTH-ALG
|
Description |
---|---|
hmac-md5 |
HMAC-MD5-96. |
hmac-sha1 |
HMAC-SHA1-96. |
hmac-sha256 |
HMAC-SHA256-128. |
hmac-sha384 |
HMAC-SHA384-192. |
hmac-sha512 |
HMAC-SHA512-256. |
aes-xcbc |
AES-XCBC-96. |
aead-alg¶
List of combined-mode (AEAD) algorithms for IKE SAs.
vrouter running config# vrf <vrf> ike vpn <vpn> ike-policy ike-proposal <uint8>
vrouter running ike-proposal <uint8># aead-alg AEAD-ALG
|
Description |
---|---|
aes128-gcm-64 |
AES-GCM, 128 bit key, 64 bit ICV. |
aes192-gcm-64 |
AES-GCM, 192 bit key, 64 bit ICV. |
aes256-gcm-64 |
AES-GCM, 256 bit key, 64 bit ICV. |
aes128-gcm-96 |
AES-GCM, 128 bit key, 96 bit ICV. |
aes192-gcm-96 |
AES-GCM, 192 bit key, 96 bit ICV. |
aes256-gcm-96 |
AES-GCM, 256 bit key, 96 bit ICV. |
aes128-gcm-128 |
AES-GCM, 128 bit key, 128 bit ICV. |
aes192-gcm-128 |
AES-GCM, 192 bit key, 128 bit ICV. |
aes256-gcm-128 |
AES-GCM, 256 bit key, 128 bit ICV. |
aes128-ccm-64 |
AES-CCM, 128 bit key, 64 bit ICV. |
aes192-ccm-64 |
AES-CCM, 192 bit key, 64 bit ICV. |
aes256-ccm-64 |
AES-CCM, 256 bit key, 64 bit ICV. |
aes128-ccm-96 |
AES-CCM, 128 bit key, 96 bit ICV. |
aes192-ccm-96 |
AES-CCM, 192 bit key, 96 bit ICV. |
aes256-ccm-96 |
AES-CCM, 256 bit key, 96 bit ICV. |
aes128-ccm-128 |
AES-CCM, 128 bit key, 128 bit ICV. |
aes192-ccm-128 |
AES-CCM, 192 bit key, 128 bit ICV. |
aes256-ccm-128 |
AES-CCM, 256 bit key, 128 bit ICV. |
camellia128-ccm-64 |
Camellia-CCM, 128 bit key, 64 bit ICV. |
camellia192-ccm-64 |
Camellia-CCM, 192 bit key, 64 bit ICV. |
camellia256-ccm-64 |
Camellia-CCM, 256 bit key, 64 bit ICV. |
camellia128-ccm-96 |
Camellia-CCM, 128 bit key, 96 bit ICV. |
camellia192-ccm-96 |
Camellia-CCM, 192 bit key, 96 bit ICV. |
camellia256-ccm-96 |
Camellia-CCM, 256 bit key, 96 bit ICV. |
prf-alg¶
List of pseudo-random algorithms for IKE SAs.
vrouter running config# vrf <vrf> ike vpn <vpn> ike-policy ike-proposal <uint8>
vrouter running ike-proposal <uint8># prf-alg PRF-ALG
|
Description |
---|---|
hmac-md5 |
PRF-HMAC-MD5. |
hmac-sha1 |
PRF-HMAC-SHA1. |
aes-xcbc |
AES-XCBC-PRF-128. |
aes-cmac |
AES-CMAC-PRF-128. |
hmac-sha256 |
PRF-HMAC-SHA-256. |
hmac-sha384 |
PRF-HMAC-SHA-384. |
hmac-sha512 |
PRF-HMAC-SHA-512. |
dh-group¶
List of Diffie Hellman groups for key exchange.
vrouter running config# vrf <vrf> ike vpn <vpn> ike-policy ike-proposal <uint8>
vrouter running ike-proposal <uint8># dh-group DH-GROUP
|
Description |
---|---|
modp768 |
Modulo Prime 768 bits (group 1). |
modp1024 |
Modulo Prime 1024 bits (group 2). |
modp1536 |
Modulo Prime 1536 bits (group 5). |
modp2048 |
Modulo Prime 2048 bits (group 14). |
modp3072 |
Modulo Prime 3072 bits (group 15). |
modp4096 |
Modulo Prime 4096 bits (group 16). |
modp6144 |
Modulo Prime 6144 bits (group 17). |
modp8192 |
Modulo Prime 8192 bits (group 18). |
modp1024s160 |
Modulo Prime 1024 bits, Subgroup 160 bits (group 22). |
modp1024s224 |
Modulo Prime 1024 bits, Subgroup 224 bits (group 23). |
modp1024s256 |
Modulo Prime 1024 bits, Subgroup 256 bits (group 24). |
ecp192 |
Elliptic Curve 192 bits (group 25). |
ecp224 |
Elliptic Curve 224 bits (group 26). |
ecp256 |
Elliptic Curve 256 bits (group 19). |
ecp384 |
Elliptic Curve 384 bits (group 20). |
ecp521 |
Elliptic Curve 521 bits (group 21). |
ecp224bp |
Brainpool Elliptic Curve 224 bits (group 27). |
ecp256bp |
Brainpool Elliptic Curve 256 bits (group 28). |
ecp384bp |
Brainpool Elliptic Curve 384 bits (group 29). |
ecp512bp |
Brainpool Elliptic Curve 512 bits (group 30). |
ipsec-policy¶
IPsec policy configuration.
vrouter running config# vrf <vrf> ike vpn <vpn> ipsec-policy
template (config only) (mandatory)¶
Template from which this IPsec policy derives.
vrouter running config# vrf <vrf> ike vpn <vpn> ipsec-policy
vrouter running ipsec-policy# template <leafref>
start-action¶
Action to perform for this CHILD_SA on DPD timeout.
vrouter running config# vrf <vrf> ike vpn <vpn> ipsec-policy
vrouter running ipsec-policy# start-action START-ACTION
|
Description |
---|---|
none |
Load the connection only, can be used as a responder configuration. |
trap |
Install a trap policy, which triggers the tunnel as soon as matching traffic has been detected. |
start |
Initiate the connection actively. |
close-action¶
Action to perform when a CHILD_SA gets closed by a peer.
vrouter running config# vrf <vrf> ike vpn <vpn> ipsec-policy
vrouter running ipsec-policy# close-action CLOSE-ACTION
|
Description |
---|---|
none |
Close the Child SA and take no further action. |
trap |
Install a trap policy matching traffic and try to re-negotiate the tunnel on-demand. |
start |
Try to immediately re-create the CHILD_SA. |
dpd-action¶
Action to perform for a CHILD_SA on DPD timeout.
vrouter running config# vrf <vrf> ike vpn <vpn> ipsec-policy
vrouter running ipsec-policy# dpd-action DPD-ACTION
|
Description |
---|---|
clear |
Close the Child SA and take no further action. |
trap |
Install a trap policy, which will catch matching traffic and tries to re-negotiate the tunnel on-demand action. |
restart |
Immediately try to re-negotiate the CHILD_SA under a fresh IKE_SA. |
replay-window¶
Replay window size. 0 disables IPsec replay protection.
vrouter running config# vrf <vrf> ike vpn <vpn> ipsec-policy
vrouter running ipsec-policy# replay-window <uint16>
rekey-time¶
Time before initiating CHILD_SA rekeying.
vrouter running config# vrf <vrf> ike vpn <vpn> ipsec-policy
vrouter running ipsec-policy# rekey-time REKEY-TIME
REKEY-TIME |
IKE duration, with optional unit (s|m|h|d). |
life-time¶
Maximum lifetime before CHILD_SA gets closed (default rekey-time + 10%).
vrouter running config# vrf <vrf> ike vpn <vpn> ipsec-policy
vrouter running ipsec-policy# life-time LIFE-TIME
LIFE-TIME |
IKE duration, with optional unit (s|m|h|d). |
rand-time¶
Time range from which to choose a random value to subtract from rekey_time (default life_time - rekey_time).
vrouter running config# vrf <vrf> ike vpn <vpn> ipsec-policy
vrouter running ipsec-policy# rand-time RAND-TIME
RAND-TIME |
IKE duration, with optional unit (s|m|h|d). |
rekey-bytes¶
Number of bytes processed before initiating CHILD_SA rekeying.
vrouter running config# vrf <vrf> ike vpn <vpn> ipsec-policy
vrouter running ipsec-policy# rekey-bytes <uint64>
life-bytes¶
Maximum bytes processed before CHILD_SA gets closed (default rekey- bytes + 10%).
vrouter running config# vrf <vrf> ike vpn <vpn> ipsec-policy
vrouter running ipsec-policy# life-bytes <uint64>
rand-bytes¶
Byte range from which to choose a random value to subtract from rekey_bytes (default life_bytes - rekey_bytes).
vrouter running config# vrf <vrf> ike vpn <vpn> ipsec-policy
vrouter running ipsec-policy# rand-bytes <uint64>
rekey-packets¶
Number of packets processed before initiating CHILD_SA rekeying.
vrouter running config# vrf <vrf> ike vpn <vpn> ipsec-policy
vrouter running ipsec-policy# rekey-packets <uint64>
life-packets¶
Maximum packets processed before CHILD_SA gets closed (default rekey- bytes + 10%).
vrouter running config# vrf <vrf> ike vpn <vpn> ipsec-policy
vrouter running ipsec-policy# life-packets <uint64>
rand-packets¶
Packet range from which to choose a random value to subtract from rekey_packets (default life_bytes - rekey_bytes).
vrouter running config# vrf <vrf> ike vpn <vpn> ipsec-policy
vrouter running ipsec-policy# rand-packets <uint64>
encap-copy-dscp¶
Whether to copy DSCP from inner to outer IP header at IPsec encapsulation.
vrouter running config# vrf <vrf> ike vpn <vpn> ipsec-policy
vrouter running ipsec-policy# encap-copy-dscp true|false
decap-copy-dscp¶
Whether to copy DSCP from outer to inner IP header at IPsec decapsulation.
vrouter running config# vrf <vrf> ike vpn <vpn> ipsec-policy
vrouter running ipsec-policy# decap-copy-dscp true|false
encap-copy-df¶
Whether to copy the Don’t Fragment bit from outer to inner IP header at IPsec encapsulation.
vrouter running config# vrf <vrf> ike vpn <vpn> ipsec-policy
vrouter running ipsec-policy# encap-copy-df true|false
esp-proposal¶
List of ESP proposals.
vrouter running config# vrf <vrf> ike vpn <vpn> ipsec-policy esp-proposal <uint8>
<uint8> |
Index in list of ESP proposals. |
enc-alg¶
List of encryption algorithms for IPsec SAs.
vrouter running config# vrf <vrf> ike vpn <vpn> ipsec-policy esp-proposal <uint8>
vrouter running esp-proposal <uint8># enc-alg ENC-ALG
|
Description |
---|---|
null |
NULL. |
aes128-cbc |
AES-CBC, 128 bit key. |
aes192-cbc |
AES-CBC, 192 bit key. |
aes256-cbc |
AES-CBC, 256 bit key. |
des-cbc |
DES-CBC, 56 bit key. |
3des-cbc |
3DES-CBC, 168 bit key. |
auth-alg¶
List of auth algorithms for IPsec SAs.
vrouter running config# vrf <vrf> ike vpn <vpn> ipsec-policy esp-proposal <uint8>
vrouter running esp-proposal <uint8># auth-alg AUTH-ALG
|
Description |
---|---|
none |
NONE. |
hmac-md5 |
HMAC-MD5-96. |
hmac-sha1 |
HMAC-SHA1-96. |
hmac-sha256 |
HMAC-SHA256-128. |
hmac-sha384 |
HMAC-SHA384-192. |
hmac-sha512 |
HMAC-SHA512-256. |
aes-xcbc |
AES-XCBC-96. |
aead-alg¶
List of combined-mode (AEAD) algorithms for IPsec SAs.
vrouter running config# vrf <vrf> ike vpn <vpn> ipsec-policy esp-proposal <uint8>
vrouter running esp-proposal <uint8># aead-alg AEAD-ALG
|
Description |
---|---|
aes128-gcm-128 |
AES-GCM, 128 bit key, 128 bit ICV. |
aes192-gcm-128 |
AES-GCM, 192 bit key, 128 bit ICV. |
aes256-gcm-128 |
AES-GCM, 256 bit key, 128 bit ICV. |
aes128-gmac |
AES-GMAC, 128 bit key, 128 bit ICV. |
aes192-gmac |
AES-GMAC, 192 bit key, 128 bit ICV. |
aes256-gmac |
AES-GMAC, 256 bit key, 128 bit ICV. |
dh-group¶
List of Diffie Hellman groups for Perfect Forward Secrecy.
vrouter running config# vrf <vrf> ike vpn <vpn> ipsec-policy esp-proposal <uint8>
vrouter running esp-proposal <uint8># dh-group DH-GROUP
|
Description |
---|---|
modp768 |
Modulo Prime 768 bits (group 1). |
modp1024 |
Modulo Prime 1024 bits (group 2). |
modp1536 |
Modulo Prime 1536 bits (group 5). |
modp2048 |
Modulo Prime 2048 bits (group 14). |
modp3072 |
Modulo Prime 3072 bits (group 15). |
modp4096 |
Modulo Prime 4096 bits (group 16). |
modp6144 |
Modulo Prime 6144 bits (group 17). |
modp8192 |
Modulo Prime 8192 bits (group 18). |
modp1024s160 |
Modulo Prime 1024 bits, Subgroup 160 bits (group 22). |
modp1024s224 |
Modulo Prime 1024 bits, Subgroup 224 bits (group 23). |
modp1024s256 |
Modulo Prime 1024 bits, Subgroup 256 bits (group 24). |
ecp192 |
Elliptic Curve 192 bits (group 25). |
ecp224 |
Elliptic Curve 224 bits (group 26). |
ecp256 |
Elliptic Curve 256 bits (group 19). |
ecp384 |
Elliptic Curve 384 bits (group 20). |
ecp521 |
Elliptic Curve 521 bits (group 21). |
ecp224bp |
Brainpool Elliptic Curve 224 bits (group 27). |
ecp256bp |
Brainpool Elliptic Curve 256 bits (group 28). |
ecp384bp |
Brainpool Elliptic Curve 384 bits (group 29). |
ecp512bp |
Brainpool Elliptic Curve 512 bits (group 30). |
esn¶
List of Extended Sequence Number modes.
vrouter running config# vrf <vrf> ike vpn <vpn> ipsec-policy esp-proposal <uint8>
vrouter running esp-proposal <uint8># esn true|false
ah-proposal¶
List of AH proposals.
vrouter running config# vrf <vrf> ike vpn <vpn> ipsec-policy ah-proposal <string>
<string> |
Index in list of AH proposals. |
auth-alg¶
List of auth algorithms for IPsec SAs.
vrouter running config# vrf <vrf> ike vpn <vpn> ipsec-policy ah-proposal <string>
vrouter running ah-proposal <string># auth-alg AUTH-ALG
|
Description |
---|---|
hmac-md5 |
HMAC-MD5-96. |
hmac-sha1 |
HMAC-SHA1-96. |
hmac-sha256 |
HMAC-SHA256-128. |
hmac-sha384 |
HMAC-SHA384-192. |
hmac-sha512 |
HMAC-SHA512-256. |
aes-xcbc |
AES-XCBC-96. |
dh-group¶
List of Diffie Hellman groups for Perfect Forward Secrecy.
vrouter running config# vrf <vrf> ike vpn <vpn> ipsec-policy ah-proposal <string>
vrouter running ah-proposal <string># dh-group DH-GROUP
|
Description |
---|---|
modp768 |
Modulo Prime 768 bits (group 1). |
modp1024 |
Modulo Prime 1024 bits (group 2). |
modp1536 |
Modulo Prime 1536 bits (group 5). |
modp2048 |
Modulo Prime 2048 bits (group 14). |
modp3072 |
Modulo Prime 3072 bits (group 15). |
modp4096 |
Modulo Prime 4096 bits (group 16). |
modp6144 |
Modulo Prime 6144 bits (group 17). |
modp8192 |
Modulo Prime 8192 bits (group 18). |
modp1024s160 |
Modulo Prime 1024 bits, Subgroup 160 bits (group 22). |
modp1024s224 |
Modulo Prime 1024 bits, Subgroup 224 bits (group 23). |
modp1024s256 |
Modulo Prime 1024 bits, Subgroup 256 bits (group 24). |
ecp192 |
Elliptic Curve 192 bits (group 25). |
ecp224 |
Elliptic Curve 224 bits (group 26). |
ecp256 |
Elliptic Curve 256 bits (group 19). |
ecp384 |
Elliptic Curve 384 bits (group 20). |
ecp521 |
Elliptic Curve 521 bits (group 21). |
ecp224bp |
Brainpool Elliptic Curve 224 bits (group 27). |
ecp256bp |
Brainpool Elliptic Curve 256 bits (group 28). |
ecp384bp |
Brainpool Elliptic Curve 384 bits (group 29). |
ecp512bp |
Brainpool Elliptic Curve 512 bits (group 30). |
esn¶
List of Extended Sequence Number modes.
vrouter running config# vrf <vrf> ike vpn <vpn> ipsec-policy ah-proposal <string>
vrouter running ah-proposal <string># esn true|false
security-policy¶
List of IPsec bidirectional security policies.
vrouter running config# vrf <vrf> ike vpn <vpn> security-policy <security-policy>
<security-policy> |
IKE object name type. |
svti-id-in¶
SVTI ID set on inbound policies/SA.
vrouter running config# vrf <vrf> ike vpn <vpn> security-policy <security-policy>
vrouter running security-policy <security-policy># svti-id-in <uint32>
svti-id-out¶
SVTI ID set on outbound policies/SA.
vrouter running config# vrf <vrf> ike vpn <vpn> security-policy <security-policy>
vrouter running security-policy <security-policy># svti-id-out <uint32>
action¶
IPsec action.
vrouter running config# vrf <vrf> ike vpn <vpn> security-policy <security-policy>
vrouter running security-policy <security-policy># action ACTION
|
Description |
---|---|
esp |
Protect traffic with Encapsulating Security Payload. |
ah |
Protect traffic with Authentication Header. |
pass |
Pass traffic in plain text. |
drop |
Drop traffic. |
- Default value
esp
mode¶
IPsec mode if action is esp or ah.
vrouter running config# vrf <vrf> ike vpn <vpn> security-policy <security-policy>
vrouter running security-policy <security-policy># mode MODE
|
Description |
---|---|
tunnel |
Tunnel mode. |
transport |
Transport mode. |
beet |
Bound End to End Tunnel mode. |
- Default value
tunnel
priority¶
Security policy priority (0 stands for dynamically calculated).
vrouter running config# vrf <vrf> ike vpn <vpn> security-policy <security-policy>
vrouter running security-policy <security-policy># priority <uint32>
- Default value
0
local-ts¶
Local traffic selector (default the tunnel outer address or the virtual IP, if negotiated).
vrouter running config# vrf <vrf> ike vpn <vpn> security-policy <security-policy>
vrouter running security-policy <security-policy># local-ts subnet SUBNET \
... protocol <uint8> port <uint16>
subnet¶
Private subnet or address (default: the tunnel outer address or virtual IP, if negotiated).
subnet SUBNET
|
Description |
---|---|
<ipv4-address> |
An IPv4 address. |
<ipv6-address> |
An IPv6 address. |
<ipv4-prefix> |
An IPv4 prefix: address and CIDR mask. |
<ipv6-prefix> |
An IPv6 prefix: address and CIDR mask. |
remote-ts¶
Remote traffic selector (default the tunnel outer address or the virtual IP, if negotiated).
vrouter running config# vrf <vrf> ike vpn <vpn> security-policy <security-policy>
vrouter running security-policy <security-policy># remote-ts subnet SUBNET \
... protocol <uint8> port <uint16>
subnet¶
Private subnet or address (default: the tunnel outer address or virtual IP, if negotiated).
subnet SUBNET
|
Description |
---|---|
<ipv4-address> |
An IPv4 address. |
<ipv6-address> |
An IPv6 address. |
<ipv4-prefix> |
An IPv4 prefix: address and CIDR mask. |
<ipv6-prefix> |
An IPv6 prefix: address and CIDR mask. |
ike-sas (state only)¶
Number of IKE SAs.
total (state only)¶
Total number of IKE SAs (half-open or established).
vrouter> show state vrf <vrf> ike ike-sas total
half-open (state only)¶
Number of half-open IKE SAs.
vrouter> show state vrf <vrf> ike ike-sas half-open
task-processing (state only)¶
Internal task processing statistics.
worker-threads (state only)¶
State of IKE daemon threads.
total (state only)¶
Total number of threads.
vrouter> show state vrf <vrf> ike task-processing worker-threads total
idle (state only)¶
Number of idle threads.
vrouter> show state vrf <vrf> ike task-processing worker-threads idle
critical (state only)¶
Number of threads executing critical priority tasks.
vrouter> show state vrf <vrf> ike task-processing worker-threads critical
high (state only)¶
Number of threads executing high priority tasks.
vrouter> show state vrf <vrf> ike task-processing worker-threads high
medium (state only)¶
Number of threads executing medium priority tasks.
vrouter> show state vrf <vrf> ike task-processing worker-threads medium
low (state only)¶
Number of threads executing low priority tasks.
vrouter> show state vrf <vrf> ike task-processing worker-threads low
task-queues (state only)¶
Counters of pending tasks.
critical (state only)¶
Number of critical priority tasks waiting for an available thread.
vrouter> show state vrf <vrf> ike task-processing task-queues critical
high (state only)¶
Number of high priority tasks waiting for an available thread.
vrouter> show state vrf <vrf> ike task-processing task-queues high
medium (state only)¶
Number of medium priority tasks waiting for an available thread.
vrouter> show state vrf <vrf> ike task-processing task-queues medium
low (state only)¶
Number of low priority tasks waiting for an available thread.
vrouter> show state vrf <vrf> ike task-processing task-queues low
scheduled (state only)¶
Number of tasks waiting for a timer to expire.
vrouter> show state vrf <vrf> ike task-processing task-queues scheduled
counters (state only)¶
Global IKE message counters.
ike-rekey-init (state only)¶
Initiated IKE_SA rekeyings.
vrouter> show state vrf <vrf> ike counters ike-rekey-init
ike-rekey-resp (state only)¶
Responded IKE_SA rekeyings.
vrouter> show state vrf <vrf> ike counters ike-rekey-resp
child-rekey (state only)¶
Completed CHILD_SA rekeyings.
vrouter> show state vrf <vrf> ike counters child-rekey
invalid (state only)¶
Messages with an invalid IKE SPI.
vrouter> show state vrf <vrf> ike counters invalid
invalid-spi (state only)¶
Messages with invalid types, length, or a value out of range.
vrouter> show state vrf <vrf> ike counters invalid-spi
ike-init-in-req (state only)¶
Received IKE_SA_INIT requests.
vrouter> show state vrf <vrf> ike counters ike-init-in-req
ike-init-in-resp (state only)¶
Received IKE_SA_INIT responses.
vrouter> show state vrf <vrf> ike counters ike-init-in-resp
ike-init-out-req (state only)¶
Sent IKE_SA_INIT requests.
vrouter> show state vrf <vrf> ike counters ike-init-out-req
ike-init-out-resp (state only)¶
Sent IKE_SA_INIT responses.
vrouter> show state vrf <vrf> ike counters ike-init-out-resp
ike-auth-in-req (state only)¶
Received IKE_AUTH requests.
vrouter> show state vrf <vrf> ike counters ike-auth-in-req
ike-auth-in-resp (state only)¶
Received IKE_AUTH responses.
vrouter> show state vrf <vrf> ike counters ike-auth-in-resp
ike-auth-out-req (state only)¶
Sent IKE_AUTH requests.
vrouter> show state vrf <vrf> ike counters ike-auth-out-req
ike-auth-out-resp (state only)¶
Sent IKE_AUTH responses.
vrouter> show state vrf <vrf> ike counters ike-auth-out-resp
create-child-in-req (state only)¶
Received CREATE_CHILD_SA requests.
vrouter> show state vrf <vrf> ike counters create-child-in-req
create-child-in-resp (state only)¶
Received CREATE_CHILD_SA responses.
vrouter> show state vrf <vrf> ike counters create-child-in-resp
create-child-out-req (state only)¶
Sent CREATE_CHILD_SA requests.
vrouter> show state vrf <vrf> ike counters create-child-out-req
create-child-out-resp (state only)¶
Sent CREATE_CHILD_SA responses.
vrouter> show state vrf <vrf> ike counters create-child-out-resp
info-in-req (state only)¶
Received INFORMATIONAL requests.
vrouter> show state vrf <vrf> ike counters info-in-req
info-in-resp (state only)¶
Received INFORMATIONAL responses.
vrouter> show state vrf <vrf> ike counters info-in-resp
info-out-req (state only)¶
Sent INFORMATIONAL requests.
vrouter> show state vrf <vrf> ike counters info-out-req
info-out-resp (state only)¶
Sent INFORMATIONAL responses.
vrouter> show state vrf <vrf> ike counters info-out-resp
vpn-counters (state only)¶
List of per-VPN IKE message counters.
ike-rekey-init (state only)¶
Initiated IKE_SA rekeyings.
vrouter> show state vrf <vrf> ike vpn-counters name <vpn-counters> ike-rekey-init
ike-rekey-resp (state only)¶
Responded IKE_SA rekeyings.
vrouter> show state vrf <vrf> ike vpn-counters name <vpn-counters> ike-rekey-resp
child-rekey (state only)¶
Completed CHILD_SA rekeyings.
vrouter> show state vrf <vrf> ike vpn-counters name <vpn-counters> child-rekey
invalid (state only)¶
Messages with an invalid IKE SPI.
vrouter> show state vrf <vrf> ike vpn-counters name <vpn-counters> invalid
invalid-spi (state only)¶
Messages with invalid types, length, or a value out of range.
vrouter> show state vrf <vrf> ike vpn-counters name <vpn-counters> invalid-spi
ike-init-in-req (state only)¶
Received IKE_SA_INIT requests.
vrouter> show state vrf <vrf> ike vpn-counters name <vpn-counters> ike-init-in-req
ike-init-in-resp (state only)¶
Received IKE_SA_INIT responses.
vrouter> show state vrf <vrf> ike vpn-counters name <vpn-counters> ike-init-in-resp
ike-init-out-req (state only)¶
Sent IKE_SA_INIT requests.
vrouter> show state vrf <vrf> ike vpn-counters name <vpn-counters> ike-init-out-req
ike-init-out-resp (state only)¶
Sent IKE_SA_INIT responses.
vrouter> show state vrf <vrf> ike vpn-counters name <vpn-counters> ike-init-out-resp
ike-auth-in-req (state only)¶
Received IKE_AUTH requests.
vrouter> show state vrf <vrf> ike vpn-counters name <vpn-counters> ike-auth-in-req
ike-auth-in-resp (state only)¶
Received IKE_AUTH responses.
vrouter> show state vrf <vrf> ike vpn-counters name <vpn-counters> ike-auth-in-resp
ike-auth-out-req (state only)¶
Sent IKE_AUTH requests.
vrouter> show state vrf <vrf> ike vpn-counters name <vpn-counters> ike-auth-out-req
ike-auth-out-resp (state only)¶
Sent IKE_AUTH responses.
vrouter> show state vrf <vrf> ike vpn-counters name <vpn-counters> ike-auth-out-resp
create-child-in-req (state only)¶
Received CREATE_CHILD_SA requests.
vrouter> show state vrf <vrf> ike vpn-counters name <vpn-counters> create-child-in-req
create-child-in-resp (state only)¶
Received CREATE_CHILD_SA responses.
vrouter> show state vrf <vrf> ike vpn-counters name <vpn-counters> create-child-in-resp
create-child-out-req (state only)¶
Sent CREATE_CHILD_SA requests.
vrouter> show state vrf <vrf> ike vpn-counters name <vpn-counters> create-child-out-req
create-child-out-resp (state only)¶
Sent CREATE_CHILD_SA responses.
vrouter> show state vrf <vrf> ike vpn-counters name <vpn-counters> create-child-out-resp
info-in-req (state only)¶
Received INFORMATIONAL requests.
vrouter> show state vrf <vrf> ike vpn-counters name <vpn-counters> info-in-req
info-in-resp (state only)¶
Received INFORMATIONAL responses.
vrouter> show state vrf <vrf> ike vpn-counters name <vpn-counters> info-in-resp
info-out-req (state only)¶
Sent INFORMATIONAL requests.
vrouter> show state vrf <vrf> ike vpn-counters name <vpn-counters> info-out-req
info-out-resp (state only)¶
Sent INFORMATIONAL responses.
vrouter> show state vrf <vrf> ike vpn-counters name <vpn-counters> info-out-resp
ike-sa (state only)¶
List of IKE Security Associations.
name (state only)¶
Name of the VPN.
vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> name
version (state only)¶
IKE version.
vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> version
local-address (state only)¶
Local IKE IP address.
vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> local-address
remote-address (state only)¶
Remote IKE IP address.
vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> remote-address
local-port (state only)¶
Local IKE UDP port.
vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> local-port
remote-port (state only)¶
Remote IKE UDP port.
vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> remote-port
local-id (state only)¶
Local IKE identifier.
vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> local-id
remote-id (state only)¶
Remote IKE identifier.
vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> remote-id
remote-eap-id (state only)¶
Remote EAP identifier.
vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> remote-eap-id
initiator-spi (state only)¶
IKE initiator SPI.
vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> initiator-spi
responder-spi (state only)¶
IKE responder SPI.
vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> responder-spi
enc-alg (state only)¶
IKE encryption algorithm.
vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> enc-alg
auth-alg (state only)¶
IKE authentication algorithm.
vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> auth-alg
aead-alg (state only)¶
IKE combined-mode algorithm.
vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> aead-alg
prf-alg (state only)¶
IKE pseudo-random algorithm.
vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> prf-alg
dh-group (state only)¶
IKE Diffie Hellman group.
vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> dh-group
established-time (state only)¶
Seconds since IKE session was established.
vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> established-time
rekey-time (state only)¶
Seconds before IKE session is rekeyed.
vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> rekey-time
reauth-time (state only)¶
Seconds before IKE session is reauthenticated.
vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> reauth-time
udp-encap (state only)¶
UDP encapsulation state.
vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> udp-encap
mobike (state only)¶
IKEv2 Mobility and Multihoming Protocol (MOBIKE) state.
vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> mobike
local-vip (state only)¶
List of local virtual IP addresses.
vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> local-vip
remote-vip (state only)¶
List of local virtual IP addresses.
vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> remote-vip
child-sa (state only)¶
List of Child Security Associations.
name (state only)¶
Name of the policy.
vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> name
state (state only)¶
Child SA state.
vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> state
reqid (state only)¶
Request ID of the Child SA, that binds IPsec SAs to SPs.
vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> reqid
protocol (state only)¶
IPsec protocol.
vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> protocol
udp-encap (state only)¶
UDP encapsulation state.
vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> udp-encap
mobike (state only)¶
IKEv2 Mobility and Multihoming Protocol (MOBIKE) state.
vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> mobike
spi-in (state only)¶
Inbound Security Parameters Index.
vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> spi-in
spi-out (state only)¶
Outbound Security Parameters Index.
vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> spi-out
svti-id-in (state only)¶
SVTI ID set on inbound SA.
vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> svti-id-in
svti-id-out (state only)¶
SVTI ID set on outbound SA.
vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> svti-id-out
enc-alg (state only)¶
ESP encryption algorithm.
vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> enc-alg
auth-alg (state only)¶
ESP or AH authentication algorithm.
vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> auth-alg
aead-alg (state only)¶
ESP combined-mode algorithm.
vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> aead-alg
dh-group (state only)¶
Diffie Hellman group for Perfect Forward Secrecy.
vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> dh-group
esn (state only)¶
Extended Sequence Number state.
vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> esn
bytes-in (state only)¶
Input bytes processed by this Child SA.
vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> bytes-in
packets-in (state only)¶
Input packets processed by this Child SA.
vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> packets-in
bytes-out (state only)¶
Output bytes processed by this Child SA.
vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> bytes-out
packets-out (state only)¶
Output packets processed by this Child SA.
vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> packets-out
installed-time (state only)¶
Seconds since IPsec SAs were installed.
vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> installed-time
rekey-time (state only)¶
Seconds before IPsec SAs are rekeyed.
vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> rekey-time
life-time (state only)¶
Seconds before IPsec SAs are deleted.
vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> life-time
mode (state only)¶
IPsec mode.
vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> mode
local-ts (state only)¶
Local traffic selector.
subnet (state only)¶
Private subnet or address (default: the tunnel outer address or virtual IP, if negotiated).
vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> local-ts subnet
protocol (state only)¶
Protocol number (default any).
vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> local-ts protocol
port (state only)¶
Port number or ICMP type/code (default any).
vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> local-ts port
remote-ts (state only)¶
Remote traffic selector.
subnet (state only)¶
Private subnet or address (default: the tunnel outer address or virtual IP, if negotiated).
vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> remote-ts subnet
protocol (state only)¶
Protocol number (default any).
vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> remote-ts protocol
port (state only)¶
Port number or ICMP type/code (default any).
vrouter> show state vrf <vrf> ike ike-sa unique-id <uint32> child-sa unique-id <uint32> remote-ts port
pool-lease (state only)¶
List of virtual address pool leases.
address (state only)¶
First virtual address in the pool.
vrouter> show state vrf <vrf> ike pool-lease name <pool-lease> address
size (state only)¶
Virtual address pool size.
vrouter> show state vrf <vrf> ike pool-lease name <pool-lease> size
online (state only)¶
Number of online virtual addresses.
vrouter> show state vrf <vrf> ike pool-lease name <pool-lease> online
offline (state only)¶
Number of offline virtual addresses.
vrouter> show state vrf <vrf> ike pool-lease name <pool-lease> offline