ipsec commands

configure 
   —  ipsec 
      —  apply-groups reference
      —  apply-groups-exclude reference
      —  cert-profile named-item 
         —  admin-state keyword
         —  apply-groups reference
         —  apply-groups-exclude reference
         —  entry number 
            —  apply-groups reference
            —  apply-groups-exclude reference
            —  cert pki-file-name
            —  compare-chain-include reference
            —  key pki-file-name
            —  rsa-signature keyword
            —  send-chain 
               —  ca-profile reference
      —  client-db named-item 
         —  admin-state keyword
         —  apply-groups reference
         —  apply-groups-exclude reference
         —  client number 
            —  admin-state keyword
            —  apply-groups reference
            —  apply-groups-exclude reference
            —  client-name named-item
            —  credential 
               —  pre-shared-key encrypted-leaf-hex-without-prefix
            —  identification 
               —  idi 
                  —  any boolean
                  —  fqdn display-string-or-empty
                  —  fqdn-suffix display-string-or-empty
                  —  ipv4-prefix ipv4-prefix
                  —  ipv4-prefix-any boolean
                  —  ipv6-prefix ipv6-prefix
                  —  ipv6-prefix-any boolean
                  —  rfc822 display-string-or-empty
                  —  rfc822-suffix display-string-or-empty
               —  peer-ip-prefix 
                  —  ip-prefix (ipv4-prefix | ipv6-prefix)
                  —  ipv4-only boolean
                  —  ipv6-only boolean
            —  private-interface named-item
            —  private-service-name service-name
            —  ts-list named-item
            —  tunnel-template number
         —  description description
         —  match-list 
            —  idi boolean
            —  peer-ip-prefix boolean
      —  ike-policy number 
         —  apply-groups reference
         —  apply-groups-exclude reference
         —  description description
         —  dpd 
            —  interval number
            —  max-retries number
            —  reply-only boolean
         —  ike-transform reference
         —  ike-version-1 
            —  auth-method keyword
            —  ike-mode keyword
            —  own-auth-method keyword
            —  ph1-responder-delete-notify boolean
         —  ike-version-2 
            —  auth-method keyword
            —  auto-eap-method keyword
            —  ikev2-fragment 
               —  mtu number
               —  reassembly-timeout number
            —  own-auth-method keyword
            —  own-auto-eap-method keyword
            —  ppk-required boolean
            —  send-idr-after-eap-success boolean
         —  ipsec-lifetime number
         —  limit-init-exchange 
            —  admin-state keyword
            —  reduced-max-exchange-timeout (number | keyword)
         —  lockout 
            —  block (number | keyword)
            —  duration number
            —  failed-attempts number
            —  max-port-per-ip number
         —  match-peer-id-to-cert boolean
         —  nat-traversal 
            —  force boolean
            —  force-keep-alive boolean
            —  keep-alive-interval number
         —  pfs 
            —  dh-group keyword
         —  relay-unsolicited-cfg-attribute 
            —  internal-ip4-address boolean
            —  internal-ip4-dns boolean
            —  internal-ip4-netmask boolean
            —  internal-ip6-address boolean
            —  internal-ip6-dns boolean
      —  ike-transform number 
         —  apply-groups reference
         —  apply-groups-exclude reference
         —  dh-group keyword
         —  ike-auth-algorithm keyword
         —  ike-encryption-algorithm keyword
         —  ike-prf-algorithm keyword
         —  isakmp-lifetime number
      —  ipsec-transform number 
         —  apply-groups reference
         —  apply-groups-exclude reference
         —  esp-auth-algorithm keyword
         —  esp-encryption-algorithm keyword
         —  extended-sequence-number boolean
         —  ipsec-lifetime number
         —  pfs-dh-group keyword
      —  ipsec-transport-mode-profile named-item 
         —  apply-groups reference
         —  apply-groups-exclude reference
         —  description description
         —  key-exchange 
            —  dynamic 
               —  auto-establish boolean
               —  cert 
                  —  cert-profile reference
                  —  status-verify 
                     —  default-result keyword
                     —  primary keyword
                     —  secondary keyword
                  —  trust-anchor-profile reference
               —  id 
                  —  fqdn fully-qualified-domain-name
                  —  ipv4 ipv4-unicast-address
                  —  ipv6 (ipv4-address-no-zone | ipv6-address-no-zone)
               —  ike-policy reference
               —  ipsec-transform reference
               —  ppk 
                  —  id reference
                  —  list reference
               —  pre-shared-key encrypted-leaf
         —  max-history-key-records 
            —  esp number
            —  ike number
         —  replay-window number
      —  ppk-list named-item 
         —  apply-groups reference
         —  apply-groups-exclude reference
         —  ppk named-item-64 
            —  apply-groups reference
            —  apply-groups-exclude reference
            —  value 
               —  ascii encrypted-leaf
               —  hex encrypted-leaf-hex
      —  radius 
         —  accounting-policy named-item 
            —  apply-groups reference
            —  apply-groups-exclude reference
            —  include-radius-attribute 
               —  acct-stats boolean
               —  called-station-id boolean
               —  calling-station-id boolean
               —  framed-ip-addr boolean
               —  framed-ipv6-prefix boolean
               —  nas-identifier boolean
               —  nas-ip-addr boolean
               —  nas-port-id boolean
            —  radius-server-policy reference
            —  update-interval 
               —  jitter number
               —  value number
         —  authentication-policy named-item 
            —  apply-groups reference
            —  apply-groups-exclude reference
            —  include-radius-attribute 
               —  called-station-id boolean
               —  calling-station-id boolean
               —  client-cert-subject-key-id boolean
               —  nas-identifier boolean
               —  nas-ip-addr boolean
               —  nas-port-id boolean
            —  password encrypted-leaf
            —  radius-server-policy reference
      —  show-ipsec-keys boolean
      —  static-sa named-item 
         —  apply-groups reference
         —  apply-groups-exclude reference
         —  authentication 
            —  algorithm keyword
            —  key encrypted-leaf
         —  description named-item
         —  direction keyword
         —  protocol keyword
         —  spi number
      —  trust-anchor-profile named-item 
         —  apply-groups reference
         —  apply-groups-exclude reference
         —  trust-anchor reference 
      —  ts-list named-item 
         —  apply-groups reference
         —  apply-groups-exclude reference
         —  local 
            —  entry number 
               —  address 
                  —  prefix (ipv4-prefix | ipv6-prefix)
                  —  range 
                     —  begin (ipv4-address-no-zone | ipv6-address-no-zone)
                     —  end (ipv4-address-no-zone | ipv6-address-no-zone)
               —  apply-groups reference
               —  apply-groups-exclude reference
               —  protocol 
                  —  any 
                  —  id 
                     —  icmp 
                        —  opaque 
                        —  port-range 
                           —  begin-icmp-code number
                           —  begin-icmp-type number
                           —  end-icmp-code number
                           —  end-icmp-type number
                     —  icmp6 
                        —  opaque 
                        —  port-range 
                           —  begin-icmp-code number
                           —  begin-icmp-type number
                           —  end-icmp-code number
                           —  end-icmp-type number
                     —  mipv6 
                        —  opaque 
                        —  port-range 
                           —  begin number
                           —  end number
                     —  protocol-id-with-any-port (keyword | number)
                     —  sctp 
                        —  opaque 
                        —  port-range 
                           —  begin number
                           —  end number
                     —  tcp 
                        —  opaque 
                        —  port-range 
                           —  begin number
                           —  end number
                     —  udp 
                        —  opaque 
                        —  port-range 
                           —  begin number
                           —  end number
         —  remote 
            —  entry number 
               —  address 
                  —  prefix (ipv4-prefix | ipv6-prefix)
                  —  range 
                     —  begin (ipv4-address-no-zone | ipv6-address-no-zone)
                     —  end (ipv4-address-no-zone | ipv6-address-no-zone)
               —  apply-groups reference
               —  apply-groups-exclude reference
               —  protocol 
                  —  any 
                  —  id 
                     —  icmp 
                        —  opaque 
                        —  port-range 
                           —  begin-icmp-code number
                           —  begin-icmp-type number
                           —  end-icmp-code number
                           —  end-icmp-type number
                     —  icmp6 
                        —  opaque 
                        —  port-range 
                           —  begin-icmp-code number
                           —  begin-icmp-type number
                           —  end-icmp-code number
                           —  end-icmp-type number
                     —  mipv6 
                        —  opaque 
                        —  port-range 
                           —  begin number
                           —  end number
                     —  protocol-id-with-any-port (keyword | number)
                     —  sctp 
                        —  opaque 
                        —  port-range 
                           —  begin number
                           —  end number
                     —  tcp 
                        —  opaque 
                        —  port-range 
                           —  begin number
                           —  end number
                     —  udp 
                        —  opaque 
                        —  port-range 
                           —  begin number
                           —  end number
      —  tunnel-template number 
         —  apply-groups reference
         —  apply-groups-exclude reference
         —  clear-df-bit boolean
         —  copy-traffic-class-upon-decapsulation boolean
         —  description description
         —  encapsulated-ip-mtu number
         —  icmp-generation 
            —  frag-required 
               —  admin-state keyword
               —  interval number
               —  message-count number
         —  icmp6-generation 
            —  pkt-too-big 
               —  admin-state keyword
               —  interval number
               —  message-count number
         —  ignore-default-route boolean
         —  ip-mtu number
         —  ipsec-transform reference
         —  pmtu-discovery-aging number
         —  ppk-list reference
         —  private-tcp-mss-adjust number
         —  propagate-pmtu-v4 boolean
         —  propagate-pmtu-v6 boolean
         —  public-tcp-mss-adjust (number | keyword)
         —  replay-window number
         —  reverse-route 
            —  metric number
            —  preference number
         —  sp-reverse-route keyword

ipsec command descriptions

ipsec


	Synopsis	Enter the ipsec context
	Context	configure ipsec
	Tree	ipsec
	Description	Commands in this context configure Internet Protocol Security (IPsec) commands.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

cert-profile [name] named-item


	Synopsis	Enter the cert-profile list instance
	Context	configure ipsec cert-profile named-item
	Tree	cert-profile
	Description	Commands in this context configure the certificate profile.
	Max. instances	10200
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

[name] named-item


	Synopsis	Certificate profile name
	Context	configure ipsec cert-profile named-item
	Tree	cert-profile
	String length	1 to 32
	Notes	This element is part of a list key.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

admin-state keyword


	Synopsis	Administrative state of the certificate profile
	Context	configure ipsec cert-profile named-item admin-state keyword
	Tree	admin-state
	Options	enable, disable
	Default	disable
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

entry [id] number


	Synopsis	Enter the entry list instance
	Context	configure ipsec cert-profile named-item entry number
	Tree	entry
	Description	Commands in this context configure the certificate profile entry.
	Max. instances	8
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

[id] number


	Synopsis	Certificate profile entry ID
	Context	configure ipsec cert-profile named-item entry number
	Tree	entry
	Range	1 to 8
	Notes	This element is part of a list key.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

cert pki-file-name


	Synopsis	File name of the imported certificate for the entry
	Context	configure ipsec cert-profile named-item entry number cert pki-file-name
	Tree	cert
	String length	1 to 95
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

compare-chain-include reference


	Synopsis	CA profile to include in the compare-chain
	Context	configure ipsec cert-profile named-item entry number compare-chain-include reference
	Tree	compare-chain-include
	Description	This command specifies the Certificate Authority (CA) that needs to be included in the compare-chain for the entry. This configuration is required in instances where the configured root CA is cross-signed by another CA.
	Reference	configure system security pki ca-profile named-item
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

key pki-file-name


	Synopsis	File name of the imported key used for authentication
	Context	configure ipsec cert-profile named-item entry number key pki-file-name
	Tree	key
	String length	1 to 95
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

rsa-signature keyword


	Synopsis	Signature scheme for the RSA key
	Context	configure ipsec cert-profile named-item entry number rsa-signature keyword
	Tree	rsa-signature
	Options	pkcs1, pss
	Default	pkcs1
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

send-chain


	Synopsis	Enter the send-chain context
	Context	configure ipsec cert-profile named-item entry number send-chain
	Tree	send-chain
	Description	Commands in this context allow the system to send additional CA certificates to the peer. These additional CA certificates must be in the certificate chain of the certificate specified by the cert command in the same entry.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

ca-profile reference


	Synopsis	CA certificate to send to the peer
	Context	configure ipsec cert-profile named-item entry number send-chain ca-profile reference
	Tree	ca-profile
	Reference	configure system security pki ca-profile named-item
	Max. instances	7
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

client-db [name] named-item


	Synopsis	Enter the client-db list instance
	Context	configure ipsec client-db named-item
	Tree	client-db
	Max. instances	1000
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

[name] named-item


	Synopsis	IPsec client database name
	Context	configure ipsec client-db named-item
	Tree	client-db
	String length	1 to 32
	Notes	This element is part of a list key.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

admin-state keyword


	Synopsis	Administrative state of the client database
	Context	configure ipsec client-db named-item admin-state keyword
	Tree	admin-state
	Options	enable, disable
	Default	disable
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

client [id] number


	Synopsis	Enter the client list instance
	Context	configure ipsec client-db named-item client number
	Tree	client
	Description	Commands in this context configure the IPsec client entry in the client database.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

[id] number


	Synopsis	Client ID
	Context	configure ipsec client-db named-item client number
	Tree	client
	Range	1 to 8000
	Notes	This element is part of a list key.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

admin-state keyword


	Synopsis	Administrative state of the database client
	Context	configure ipsec client-db named-item client number admin-state keyword
	Tree	admin-state
	Options	enable, disable
	Default	disable
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

client-name named-item


WARNING: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.
	Synopsis	Client name
	Context	configure ipsec client-db named-item client number client-name named-item
	Tree	client-name
	String length	1 to 32
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

credential


WARNING: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.
	Synopsis	Enter the credential context
	Context	configure ipsec client-db named-item client number credential
	Tree	credential
	Description	Commands in this context authenticate peers.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

pre-shared-key encrypted-leaf-hex-without-prefix


WARNING: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.
	Synopsis	Pre-shared key used to authenticate peers
	Context	configure ipsec client-db named-item client number credential pre-shared-key encrypted-leaf-hex-without-prefix
	Tree	pre-shared-key
	String length	1 to 115
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

identification


WARNING: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.
	Synopsis	Enter the identification context
	Context	configure ipsec client-db named-item client number identification
	Tree	identification
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

idi


WARNING: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.
	Synopsis	Enable the idi context
	Context	configure ipsec client-db named-item client number identification idi
	Tree	idi
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

any boolean


WARNING: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.
	Synopsis	Accept any IDi value as a match
	Context	configure ipsec client-db named-item client number identification idi any boolean
	Tree	any
	Notes	The following elements are part of a mandatory choice: any, fqdn, fqdn-suffix, ipv4-prefix, ipv4-prefix-any, ipv6-prefix, ipv6-prefix-any, rfc822, or rfc822-suffix.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

fqdn display-string-or-empty


WARNING: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.
	Synopsis	FQDN used as the match criteria for the IDi
	Context	configure ipsec client-db named-item client number identification idi fqdn display-string-or-empty
	Tree	fqdn
	String length	0 to 255
	Notes	The following elements are part of a mandatory choice: any, fqdn, fqdn-suffix, ipv4-prefix, ipv4-prefix-any, ipv6-prefix, ipv6-prefix-any, rfc822, or rfc822-suffix.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

fqdn-suffix display-string-or-empty


WARNING: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.
	Synopsis	FQDN suffix used as the match criteria for the IDi
	Context	configure ipsec client-db named-item client number identification idi fqdn-suffix display-string-or-empty
	Tree	fqdn-suffix
	String length	0 to 255
	Notes	The following elements are part of a mandatory choice: any, fqdn, fqdn-suffix, ipv4-prefix, ipv4-prefix-any, ipv6-prefix, ipv6-prefix-any, rfc822, or rfc822-suffix.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

ipv4-prefix ipv4-prefix


WARNING: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.
	Synopsis	IPv4 prefix used as the match criteria for the IDi
	Context	configure ipsec client-db named-item client number identification idi ipv4-prefix ipv4-prefix
	Tree	ipv4-prefix
	Notes	The following elements are part of a mandatory choice: any, fqdn, fqdn-suffix, ipv4-prefix, ipv4-prefix-any, ipv6-prefix, ipv6-prefix-any, rfc822, or rfc822-suffix.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

ipv4-prefix-any boolean


WARNING: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.
	Synopsis	Accept any valid IPv4 prefix as a match for the IDi
	Context	configure ipsec client-db named-item client number identification idi ipv4-prefix-any boolean
	Tree	ipv4-prefix-any
	Notes	The following elements are part of a mandatory choice: any, fqdn, fqdn-suffix, ipv4-prefix, ipv4-prefix-any, ipv6-prefix, ipv6-prefix-any, rfc822, or rfc822-suffix.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

ipv6-prefix ipv6-prefix


WARNING: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.
	Synopsis	IPv6 prefix used as the match criteria for the IDi
	Context	configure ipsec client-db named-item client number identification idi ipv6-prefix ipv6-prefix
	Tree	ipv6-prefix
	Notes	The following elements are part of a mandatory choice: any, fqdn, fqdn-suffix, ipv4-prefix, ipv4-prefix-any, ipv6-prefix, ipv6-prefix-any, rfc822, or rfc822-suffix.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

ipv6-prefix-any boolean


WARNING: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.
	Synopsis	Accept any valid IPv6 prefix as a match for the IDi
	Context	configure ipsec client-db named-item client number identification idi ipv6-prefix-any boolean
	Tree	ipv6-prefix-any
	Notes	The following elements are part of a mandatory choice: any, fqdn, fqdn-suffix, ipv4-prefix, ipv4-prefix-any, ipv6-prefix, ipv6-prefix-any, rfc822, or rfc822-suffix.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

rfc822 display-string-or-empty


WARNING: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.
	Synopsis	Email address (RFC 822) used as match criteria for IDi
	Context	configure ipsec client-db named-item client number identification idi rfc822 display-string-or-empty
	Tree	rfc822
	String length	0 to 255
	Notes	The following elements are part of a mandatory choice: any, fqdn, fqdn-suffix, ipv4-prefix, ipv4-prefix-any, ipv6-prefix, ipv6-prefix-any, rfc822, or rfc822-suffix.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

rfc822-suffix display-string-or-empty


WARNING: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.
	Synopsis	Email address domain (RFC 822) as IDi match criteria
	Context	configure ipsec client-db named-item client number identification idi rfc822-suffix display-string-or-empty
	Tree	rfc822-suffix
	String length	0 to 255
	Notes	The following elements are part of a mandatory choice: any, fqdn, fqdn-suffix, ipv4-prefix, ipv4-prefix-any, ipv6-prefix, ipv6-prefix-any, rfc822, or rfc822-suffix.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

peer-ip-prefix


WARNING: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.
	Synopsis	Enable the peer-ip-prefix context
	Context	configure ipsec client-db named-item client number identification peer-ip-prefix
	Tree	peer-ip-prefix
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

ip-prefix (ipv4-prefix | ipv6-prefix)


WARNING: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.
	Synopsis	IP prefix used as the match criteria
	Context	configure ipsec client-db named-item client number identification peer-ip-prefix ip-prefix (ipv4-prefix \| ipv6-prefix)
	Tree	ip-prefix
	Notes	The following elements are part of a mandatory choice: ip-prefix, ipv4-only, or ipv6-only.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

ipv4-only boolean


WARNING: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.
	Synopsis	Accept any valid IPv4 address as a match
	Context	configure ipsec client-db named-item client number identification peer-ip-prefix ipv4-only boolean
	Tree	ipv4-only
	Notes	The following elements are part of a mandatory choice: ip-prefix, ipv4-only, or ipv6-only.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

ipv6-only boolean


WARNING: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.
	Synopsis	Accept any valid IPv6 address as a match
	Context	configure ipsec client-db named-item client number identification peer-ip-prefix ipv6-only boolean
	Tree	ipv6-only
	Notes	The following elements are part of a mandatory choice: ip-prefix, ipv4-only, or ipv6-only.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

private-interface named-item


WARNING: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.
	Synopsis	Private interface name used for tunnel setup
	Context	configure ipsec client-db named-item client number private-interface named-item
	Tree	private-interface
	String length	1 to 32
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

private-service-name service-name


WARNING: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.
	Synopsis	Name of the private service used for tunnel setup
	Context	configure ipsec client-db named-item client number private-service-name service-name
	Tree	private-service-name
	String length	1 to 64
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

ts-list named-item


WARNING: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.
	Synopsis	Traffic selector list used by the tunnel
	Context	configure ipsec client-db named-item client number ts-list named-item
	Tree	ts-list
	String length	1 to 32
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

tunnel-template number


WARNING: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.
	Synopsis	Tunnel template ID
	Context	configure ipsec client-db named-item client number tunnel-template number
	Tree	tunnel-template
	Range	1 to 2048
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

description description


	Synopsis	Text description
	Context	configure ipsec client-db named-item description description
	Tree	description
	String length	1 to 80
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

match-list


WARNING: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.
	Synopsis	Enter the match-list context
	Context	configure ipsec client-db named-item match-list
	Tree	match-list
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

idi boolean


WARNING: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.
	Synopsis	Use IDi type in the IPsec client matching process
	Context	configure ipsec client-db named-item match-list idi boolean
	Tree	idi
	Default	false
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

peer-ip-prefix boolean


WARNING: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.
	Synopsis	Use the peer tunnel IP address in the matching process
	Context	configure ipsec client-db named-item match-list peer-ip-prefix boolean
	Tree	peer-ip-prefix
	Default	false
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

ike-policy [id] number


	Synopsis	Enter the ike-policy list instance
	Context	configure ipsec ike-policy number
	Tree	ike-policy
	Description	Commands in this context configure an Internet Key Exchange (IKE) policy.
	Max. instances	2048
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

[id] number


	Synopsis	IKE policy ID
	Context	configure ipsec ike-policy number
	Tree	ike-policy
	Range	1 to 2048
	Notes	This element is part of a list key.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

description description


	Synopsis	Text description
	Context	configure ipsec ike-policy number description description
	Tree	description
	String length	1 to 80
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

dpd


	Synopsis	Enable the dpd context
	Context	configure ipsec ike-policy number dpd
	Tree	dpd
	Description	Commands in this context configure the dead peer detection mechanism.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

interval number


	Synopsis	DPD interval
	Context	configure ipsec ike-policy number dpd interval number
	Tree	interval
	Description	This command specifies the DPD interval. Because more time is necessary to determine if there is incoming traffic, the actual time needed to bring down the tunnel is larger than the DPD interval multiplied by the value configured for maximum retry attempts.
	Range	10 to 300
	Units	seconds
	Default	30
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

max-retries number


	Synopsis	Maximum number of retries before the tunnel is removed
	Context	configure ipsec ike-policy number dpd max-retries number
	Tree	max-retries
	Range	2 to 5
	Default	3
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

reply-only boolean


	Synopsis	Initiate DPD request for incoming ESP or IKE packets
	Context	configure ipsec ike-policy number dpd reply-only boolean
	Tree	reply-only
	Default	false
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

ike-transform reference


	Synopsis	IKE transform instance associated with the IKE policy
	Context	configure ipsec ike-policy number ike-transform reference
	Tree	ike-transform
	Description	This command specifies the IKE transform instance associated with the IKE policy. If multiple IDs are specified, the system selects an IKE transform based on the proposal of the peer. If the system is a tunnel initiator, it uses the configured IKE transform to generate the SA payload.
	Reference	configure ipsec ike-transform number
	Max. instances	4
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

ike-version-1


	Synopsis	Enter the ike-version-1 context
	Context	configure ipsec ike-policy number ike-version-1
	Tree	ike-version-1
	Description	Commands in this context configure the IKE version 1 mode of operation that the IKE policy uses.
	Notes	The following elements are part of a choice: ike-version-1 or ike-version-2.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

auth-method keyword


	Synopsis	Authentication method used with the IKE policy
	Context	configure ipsec ike-policy number ike-version-1 auth-method keyword
	Tree	auth-method
	Options	psk, plain-psk-xauth
	Default	psk
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

ike-mode keyword


	Synopsis	Mode of operation
	Context	configure ipsec ike-policy number ike-version-1 ike-mode keyword
	Tree	ike-mode
	Options	main, aggressive
	Default	main
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

own-auth-method keyword


	Synopsis	Authentication method used with policy on its own side
	Context	configure ipsec ike-policy number ike-version-1 own-auth-method keyword
	Tree	own-auth-method
	Options	symmetric
	Default	symmetric
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

ph1-responder-delete-notify boolean


	Synopsis	Send delete notification for IKEv1 phase 1 removal
	Context	configure ipsec ike-policy number ike-version-1 ph1-responder-delete-notify boolean
	Tree	ph1-responder-delete-notify
	Description	When configured to true, a delete notification is sent to the peer when deleting an IKEv1 phase 1 SA for which it was the responder. When configured to false, no notification is sent.
	Default	true
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

ike-version-2


	Synopsis	Enable the ike-version-2 context
	Context	configure ipsec ike-policy number ike-version-2
	Tree	ike-version-2
	Description	Commands in this context configure the IKE version 2 mode of operation that the IKE policy uses.
	Notes	The following elements are part of a choice: ike-version-1 or ike-version-2.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

auth-method keyword


	Synopsis	Authentication method used with the IKE policy
	Context	configure ipsec ike-policy number ike-version-2 auth-method keyword
	Tree	auth-method
	Options	psk, cert, psk-radius, cert-radius, eap, auto-eap-radius, auto-eap
	Default	psk
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

auto-eap-method keyword


	Synopsis	Authentication method used for the remote peer
	Context	configure ipsec ike-policy number ike-version-2 auto-eap-method keyword
	Tree	auto-eap-method
	Description	This command specifies the behavior for the IKEv2 remote-access tunnel when the authentication method uses EAP or potentially another method to authenticate the remote peer.
	Options	psk, cert, psk-or-cert
	Default	cert
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

ikev2-fragment


	Synopsis	Enable the ikev2-fragment context
	Context	configure ipsec ike-policy number ike-version-2 ikev2-fragment
	Tree	ikev2-fragment
	Description	Commands in this context configure IKEv2 protocol level fragmentation (RFC 7383).
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

mtu number


	Synopsis	Maximum size of the IKEv2 packet
	Context	configure ipsec ike-policy number ike-version-2 ikev2-fragment mtu number
	Tree	mtu
	Range	512 to 9000
	Units	octets
	Default	1500
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

reassembly-timeout number


	Synopsis	Timeout for reassembly of IKEv2 message fragments
	Context	configure ipsec ike-policy number ike-version-2 ikev2-fragment reassembly-timeout number
	Tree	reassembly-timeout
	Range	1 to 5
	Units	seconds
	Default	2
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

own-auth-method keyword


	Synopsis	Authentication method used with IKE policy on own side
	Context	configure ipsec ike-policy number ike-version-2 own-auth-method keyword
	Tree	own-auth-method
	Options	symmetric, psk, cert, eap-only
	Default	symmetric
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

own-auto-eap-method keyword


	Synopsis	Authentication method used on its own side
	Context	configure ipsec ike-policy number ike-version-2 own-auto-eap-method keyword
	Tree	own-auto-eap-method
	Description	This command specifies the behavior for the IKEv2 remote-access tunnel when the authentication method uses EAP or potentially another method to authenticate the peer.
	Options	psk, cert
	Default	cert
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

ppk-required boolean


	Synopsis	Force the use of PPK
	Context	configure ipsec ike-policy number ike-version-2 ppk-required boolean
	Tree	ppk-required
	Description	When configured to true, the router is forced to use PPKs for the IKEv2 key derivation process. When configured to false, PPK use is optional, and the router can fall back to derive keys without PPK.
	Default	false
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

send-idr-after-eap-success boolean


	Synopsis	Send IDr payload in last IKE authentication response
	Context	configure ipsec ike-policy number ike-version-2 send-idr-after-eap-success boolean
	Tree	send-idr-after-eap-success
	Description	When configured to true, the Identification Responder (IDr) payload is added in the last IKE authentication response after an Extensible Authentication Protocol (EAP) Success packet is received. When configured to false, the IDr payload is not included in the last IKE.
	Default	true
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

ipsec-lifetime number


	Synopsis	Lifetime of the Phase 2 IKE key
	Context	configure ipsec ike-policy number ipsec-lifetime number
	Tree	ipsec-lifetime
	Range	1200 to 31536000
	Units	seconds
	Default	3600
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

limit-init-exchange


	Synopsis	Enter the limit-init-exchange context
	Context	configure ipsec ike-policy number limit-init-exchange
	Tree	limit-init-exchange
	Description	Commands in this context limit the number of ongoing IKEv2 initial exchanges per tunnel.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

admin-state keyword


	Synopsis	Administrative state of limiting initial IKE exchanges
	Context	configure ipsec ike-policy number limit-init-exchange admin-state keyword
	Tree	admin-state
	Options	enable, disable
	Default	enable
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

reduced-max-exchange-timeout (number | keyword)


	Synopsis	Maximum timeout for in-progress initial IKE exchange
	Context	configure ipsec ike-policy number limit-init-exchange reduced-max-exchange-timeout (number \| keyword)
	Tree	reduced-max-exchange-timeout
	Description	This command configures the maximum timeout for the in-progress initial IKE exchange. If a new IKEv2 IKE_SA_INIT request is received when there is an ongoing IKEv2 initial exchange from the same peer, the timeout value of the existing exchange is set to this specified value. If the none option is configured for this command, the timeout value remains unchanged.
	Range	2 to 60
	Units	seconds
	Options	none
	Default	2
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

lockout


	Synopsis	Enable the lockout context
	Context	configure ipsec ike-policy number lockout
	Tree	lockout
	Description	Commands in this context specify the lockout mechanism for the IPsec tunnel. These commands apply only when the system acts as a tunnel responder.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

block (number | keyword)


	Synopsis	Time a client is blocked for failed authentications
	Context	configure ipsec ike-policy number lockout block (number \| keyword)
	Tree	block
	Description	This command configures the time the client is blocked if the number of failed authentications exceeds the configured value within the specified duration.
	Range	1 to 1440
	Units	minutes
	Options	infinite
	Default	10
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

duration number


	Synopsis	Time interval for failed attempts threshold
	Context	configure ipsec ike-policy number lockout duration number
	Tree	duration
	Description	This command specifies the time interval in which the configured failed authentication count must be exceeded to trigger a lockout.
	Range	1 to 60
	Units	minutes
	Default	5
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

failed-attempts number


	Synopsis	Maximum failed authentications allowed in the duration
	Context	configure ipsec ike-policy number lockout failed-attempts number
	Tree	failed-attempts
	Range	1 to 64
	Default	3
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

max-port-per-ip number


	Synopsis	Maximum number of ports allowed under same IP address
	Context	configure ipsec ike-policy number lockout max-port-per-ip number
	Tree	max-port-per-ip
	Description	This command configures the maximum number of ports allowed under the same IP address. When the threshold is exceeded and the client is locked out, all ports behind the IP address are blocked.
	Range	1 to 32000
	Default	16
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

match-peer-id-to-cert boolean


	Synopsis	Check IKE peer ID during certificate authentication
	Context	configure ipsec ike-policy number match-peer-id-to-cert boolean
	Tree	match-peer-id-to-cert
	Default	false
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

nat-traversal


	Synopsis	Enable the nat-traversal context
	Context	configure ipsec ike-policy number nat-traversal
	Tree	nat-traversal
	Description	Commands in this context configure the Network Address Translation Traversal (NAT-T) functionality.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

force boolean


	Synopsis	Enable NAT-T in forced mode
	Context	configure ipsec ike-policy number nat-traversal force boolean
	Tree	force
	Default	false
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

force-keep-alive boolean


	Synopsis	Continue sending keepalive packets (no expiry)
	Context	configure ipsec ike-policy number nat-traversal force-keep-alive boolean
	Tree	force-keep-alive
	Default	true
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

keep-alive-interval number


	Synopsis	Keepalive interval for NAT-T
	Context	configure ipsec ike-policy number nat-traversal keep-alive-interval number
	Tree	keep-alive-interval
	Range	120 to 600
	Units	seconds
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

pfs


	Synopsis	Enable the pfs context
	Context	configure ipsec ike-policy number pfs
	Tree	pfs
	Description	Commands in this context configure perfect forward secrecy on the IPsec tunnel using the policy. PFS provides for a new Diffie-Hellman (DH) key exchange each time the Security Association (SA) key is renegotiated. When the SA key expires, another key is generated (if the SA remains up).
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

dh-group keyword


	Synopsis	Diffie-Helman group used to calculate session keys
	Context	configure ipsec ike-policy number pfs dh-group keyword
	Tree	dh-group
	Description	This command specifies which DH group to use for calculating session keys. More bits provide a higher level of security, but require more processing.
	Options	group-1, group-2, group-5, group-14, group-15, group-19, group-20, group-21
	Default	group-2
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

relay-unsolicited-cfg-attribute


	Synopsis	Enter the relay-unsolicited-cfg-attribute context
	Context	configure ipsec ike-policy number relay-unsolicited-cfg-attribute
	Tree	relay-unsolicited-cfg-attribute
	Description	Commands in this context configure attributes returned from the source (such as a RADIUS server) that are returned to the IKEv2 remote-access tunnel client regardless if the client has requested the attribute in the CFG_REQUEST payload.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

internal-ip4-address boolean


	Synopsis	Return the IPv4 address from the source to the client
	Context	configure ipsec ike-policy number relay-unsolicited-cfg-attribute internal-ip4-address boolean
	Tree	internal-ip4-address
	Description	When configured to true, the system returns the IPv4 address from the source (such as a RADIUS server) to the IKEv2 remote-access tunnel client regardless if the client has requested the address in the CFG_REQUEST payload.
	Default	false
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

internal-ip4-dns boolean


	Synopsis	Return IPv4 DNS server address from source to client
	Context	configure ipsec ike-policy number relay-unsolicited-cfg-attribute internal-ip4-dns boolean
	Tree	internal-ip4-dns
	Description	When configured to true, the system returns the IPv4 DNS server address from the source (such as a RADIUS server) to the IKEv2 remote-access tunnel client regardless if the client has requested the address in the CFG_REQUEST payload.
	Default	false
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

internal-ip4-netmask boolean


	Synopsis	Return the IPv4 netmask from the source to the client
	Context	configure ipsec ike-policy number relay-unsolicited-cfg-attribute internal-ip4-netmask boolean
	Tree	internal-ip4-netmask
	Description	When configured to true, the system returns the IPv4 netmask from the source (such as a RADIUS server) to the IKEv2 remote-access tunnel client regardless if the client has requested the netmask in the CFG_REQUEST payload.
	Default	false
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

internal-ip6-address boolean


	Synopsis	Return the IPv6 address from the source to the client
	Context	configure ipsec ike-policy number relay-unsolicited-cfg-attribute internal-ip6-address boolean
	Tree	internal-ip6-address
	Description	When configured to true, the system returns the IPv6 address from the source (such as a RADIUS server) to the IKEv2 remote-access tunnel client regardless if the client has requested the address in the CFG_REQUEST payload.
	Default	false
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

internal-ip6-dns boolean


	Synopsis	Return IPv6 DNS server address from source to client
	Context	configure ipsec ike-policy number relay-unsolicited-cfg-attribute internal-ip6-dns boolean
	Tree	internal-ip6-dns
	Description	When configured to true, the system returns the IPv6 DNS server address from the source (such as a RADIUS server) to the IKEv2 remote-access tunnel client regardless if the client has requested the address in the CFG_REQUEST payload.
	Default	false
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

ike-transform [id] number


	Synopsis	Enter the ike-transform list instance
	Context	configure ipsec ike-transform number
	Tree	ike-transform
	Max. instances	4096
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

[id] number


	Synopsis	IKE transform instance ID
	Context	configure ipsec ike-transform number
	Tree	ike-transform
	Range	1 to 4096
	Notes	This element is part of a list key.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

dh-group keyword


	Synopsis	Diffie-Helman group used to calculate session keys
	Context	configure ipsec ike-transform number dh-group keyword
	Tree	dh-group
	Options	group-1, group-2, group-5, group-14, group-15, group-19, group-20, group-21
	Default	group-2
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

ike-auth-algorithm keyword


	Synopsis	IKE authentication algorithm for IKE transform instance
	Context	configure ipsec ike-transform number ike-auth-algorithm keyword
	Tree	ike-auth-algorithm
	Options	md-5, sha-1, sha-256, sha-384, sha-512, aes-xcbc, auth-encryption
	Default	sha-1
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

ike-encryption-algorithm keyword


	Synopsis	IKE encryption algorith for the IKE transform instance
	Context	configure ipsec ike-transform number ike-encryption-algorithm keyword
	Tree	ike-encryption-algorithm
	Options	des, des-3, aes-128, aes-192, aes-256, aes128-gcm8, aes128-gcm16, aes256-gcm8, aes256-gcm16
	Default	aes-128
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

ike-prf-algorithm keyword


	Synopsis	PRF algorithm for the IKE transform instance
	Context	configure ipsec ike-transform number ike-prf-algorithm keyword
	Tree	ike-prf-algorithm
	Description	This command specifies the pseudo-random function algorithm used for IKE security association. If an encrypted algorithm such as AES-GCM is used for the IKE encryption algorithm, same-as-auth cannot be used for the IKE PRF algorithm.
	Options	md-5, sha-1, sha-256, sha-384, sha-512, aes-xcbc, same-as-auth
	Default	same-as-auth
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

isakmp-lifetime number


	Synopsis	Phase 1 lifetime for the IKE transform instance
	Context	configure ipsec ike-transform number isakmp-lifetime number
	Tree	isakmp-lifetime
	Range	1200 to 31536000
	Units	seconds
	Default	86400
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

ipsec-transform [id] number


	Synopsis	Enter the ipsec-transform list instance
	Context	configure ipsec ipsec-transform number
	Tree	ipsec-transform
	Description	Commands in this context create an IPsec transform policy. IPsec transform policies can be shared. A change to the IPsec transform is allowed at any time. The change does not impact tunnels that have been established until they are renegotiated. If the change is required immediately, the tunnel must be cleared (reset) for force renegotiation.
	Max. instances	2048
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

[id] number


	Synopsis	IPsec transform policy ID
	Context	configure ipsec ipsec-transform number
	Tree	ipsec-transform
	Range	1 to 2048
	Notes	This element is part of a list key.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

esp-auth-algorithm keyword


	Synopsis	Encapsulating Security Payload (ESP) authentication
	Context	configure ipsec ipsec-transform number esp-auth-algorithm keyword
	Tree	esp-auth-algorithm
	Description	This command specifies the hashing algorithm used for the authentication function. Both ends of a manually configured tunnel must share the same configuration for the IPsec tunnel to enter the operational state.
	Options	null, md-5, sha-1, sha-256, sha-384, sha-512, aes-xcbc, auth-encryption
	Default	sha-1
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

esp-encryption-algorithm keyword


	Synopsis	Encryption algorithm for the IPsec transform session
	Context	configure ipsec ipsec-transform number esp-encryption-algorithm keyword
	Tree	esp-encryption-algorithm
	Description	This command specifies the encryption algorithm used for the IPsec session. Encryption applies only to ESP configurations. If encryption is not defined, ESP is not used. Both ends of a manually configured tunnel must share the same encryption algorithm for the IPsec tunnel to enter the operational state. When AES-GCM or AES-GMAC is configured: the authentication encryption must be set to auth-encryption the system does not include the authentication algorithm in the ESP proposal of the SA payload IPsec transform cannot be used for manual keying
	Options	null, des, des-3, aes-128, aes-192, aes-256, aes128-gcm8, aes128-gcm12, aes128-gcm16, aes192-gcm8, aes192-gcm12, aes192-gcm16, aes256-gcm8, aes256-gcm12, aes256-gcm16, null-aes128-gmac, null-aes192-gmac, null-aes256-gmac
	Default	aes-128
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

extended-sequence-number boolean


	Synopsis	Enable extended sequence numbering support
	Context	configure ipsec ipsec-transform number extended-sequence-number boolean
	Tree	extended-sequence-number
	Description	When configured to true, this command enables 64-bit extended sequence numbering support. This numbering is used for high throughput CHILD_SA to avoid frequent re-keying caused by sequence numbering wrap around. When configured to false, only 32-bit sequence numbering is supported.
	Default	false
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

ipsec-lifetime number


	Synopsis	Phase 2 lifetime for the IPsec transform session
	Context	configure ipsec ipsec-transform number ipsec-lifetime number
	Tree	ipsec-lifetime
	Description	This command configures the lifetime of the Phase 2 IKE key. When unconfigured, the value is inherited from the IPsec lifetime configured in the corresponding IKE policy configured for the same IPsec gateway or IPsec tunnel.
	Range	1200 to 31536000
	Units	seconds
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

pfs-dh-group keyword


	Synopsis	Diffie-Hellman group used for PFS compilation
	Context	configure ipsec ipsec-transform number pfs-dh-group keyword
	Tree	pfs-dh-group
	Description	This command specifies the DH group used for Perfect Forward Secrecy (PFS) compilation during CHILD_SA rekeying. When unconfigured, the value is inherited from the DH group value from the IPsec gateway or IPsec tunnel.
	Options	none, group-1, group-2, group-5, group-14, group-15, group-19, group-20, group-21
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

ipsec-transport-mode-profile [name] named-item


	Synopsis	Enter the ipsec-transport-mode-profile list instance
	Context	configure ipsec ipsec-transport-mode-profile named-item
	Tree	ipsec-transport-mode-profile
	Description	Commands in this context configure IPsec-specific attributes that allow an IP tunnel (for example, GRE) to be protected by using IPsec transport mode.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

[name] named-item


	Synopsis	IPsec transport mode profile name string
	Context	configure ipsec ipsec-transport-mode-profile named-item
	Tree	ipsec-transport-mode-profile
	Description	This command specifies the name of the IPsec transport mode profile.
	String length	1 to 32
	Notes	This element is part of a list key.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

description description


	Synopsis	Text description
	Context	configure ipsec ipsec-transport-mode-profile named-item description description
	Tree	description
	String length	1 to 80
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

key-exchange


	Synopsis	Enter the key-exchange context
	Context	configure ipsec ipsec-transport-mode-profile named-item key-exchange
	Tree	key-exchange
	Description	Commands in this context configure the key exchange used each time the Security Association (SA) key is renegotiated.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

dynamic


	Synopsis	Enter the dynamic context
	Context	configure ipsec ipsec-transport-mode-profile named-item key-exchange dynamic
	Tree	dynamic
	Description	Commands in this context configure dynamic keying for the transport mode profile.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

auto-establish boolean


	Synopsis	Attempt to establish a phase 1 exchange automatically
	Context	configure ipsec ipsec-transport-mode-profile named-item key-exchange dynamic auto-establish boolean
	Tree	auto-establish
	Default	false
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

cert


	Synopsis	Enter the cert context
	Context	configure ipsec ipsec-transport-mode-profile named-item key-exchange dynamic cert
	Tree	cert
	Description	Commands in this context configure the attributes of the dynamic keying certificate.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

cert-profile reference


	Synopsis	Certificate profile name
	Context	configure ipsec ipsec-transport-mode-profile named-item key-exchange dynamic cert cert-profile reference
	Tree	cert-profile
	Reference	configure ipsec cert-profile named-item
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

status-verify


	Synopsis	Enter the status-verify context
	Context	configure ipsec ipsec-transport-mode-profile named-item key-exchange dynamic cert status-verify
	Tree	status-verify
	Description	Commands in this context configure attributes of Certificate Status Verification (CSV).
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

default-result keyword


	Synopsis	Default result for Certificate Status Verification
	Context	configure ipsec ipsec-transport-mode-profile named-item key-exchange dynamic cert status-verify default-result keyword
	Tree	default-result
	Description	This command specifies the default certificate revocation status result to use when all configured CSV methods fail to return a result.
	Options	revoked, good
	Default	revoked
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

primary keyword


	Synopsis	Primary method of CSV to verify the revocation status
	Context	configure ipsec ipsec-transport-mode-profile named-item key-exchange dynamic cert status-verify primary keyword
	Tree	primary
	Description	This command configures the primary method of Certificate Status Verification (CSV) that is used to verify the revocation status of the certificate of the peer.
	Options	crl, ocsp
	Default	crl
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

secondary keyword


	Synopsis	Secondary method used to verify certificate revocation
	Context	configure ipsec ipsec-transport-mode-profile named-item key-exchange dynamic cert status-verify secondary keyword
	Tree	secondary
	Description	This command specifies the secondary method of Certificate Status Verification (CSV) that is used to verify the revocation status of the peer certificate.
	Options	none, crl, ocsp
	Default	none
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

trust-anchor-profile reference


	Synopsis	Trust anchor profile name
	Context	configure ipsec ipsec-transport-mode-profile named-item key-exchange dynamic cert trust-anchor-profile reference
	Tree	trust-anchor-profile
	Reference	configure ipsec trust-anchor-profile named-item
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

id


	Synopsis	Enter the id context
	Context	configure ipsec ipsec-transport-mode-profile named-item key-exchange dynamic id
	Tree	id
	Description	Commands in this context specify the local ID used for IDi or IDr for IKEv2 negotiation. The default behavior depends on the local authentication method as follows: Psk: local tunnel IP address Cert-auth: subject of the local certificate
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

fqdn fully-qualified-domain-name


	Synopsis	FQDN used as the local ID IKE type
	Context	configure ipsec ipsec-transport-mode-profile named-item key-exchange dynamic id fqdn fully-qualified-domain-name
	Tree	fqdn
	String length	1 to 255
	Notes	The following elements are part of a choice: fqdn, ipv4, or ipv6.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

ipv4 ipv4-unicast-address


	Synopsis	IPv4 as the local ID type
	Context	configure ipsec ipsec-transport-mode-profile named-item key-exchange dynamic id ipv4 ipv4-unicast-address
	Tree	ipv4
	Notes	The following elements are part of a choice: fqdn, ipv4, or ipv6.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

ipv6 (ipv4-address-no-zone | ipv6-address-no-zone)


	Synopsis	IPv6 used as the local IKE ID type
	Context	configure ipsec ipsec-transport-mode-profile named-item key-exchange dynamic id ipv6 (ipv4-address-no-zone \| ipv6-address-no-zone)
	Tree	ipv6
	Notes	The following elements are part of a choice: fqdn, ipv4, or ipv6.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

ike-policy reference


	Synopsis	IKE policy ID
	Context	configure ipsec ipsec-transport-mode-profile named-item key-exchange dynamic ike-policy reference
	Tree	ike-policy
	Description	This command specifies the ID of the IKE policy used for IKE negotiation. The ipsec-transport-mode-profile configuration only supports IKEv2.
	Reference	configure ipsec ike-policy number
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

ipsec-transform reference


	Synopsis	IPsec transform IDs used by the dynamic key
	Context	configure ipsec ipsec-transport-mode-profile named-item key-exchange dynamic ipsec-transform reference
	Tree	ipsec-transform
	Description	This command specifies IPsec transform IDs used for CHILD_SA negotiation.
	Reference	configure ipsec ipsec-transform number
	Max. instances	4
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

ppk


	Synopsis	Enter the ppk context
	Context	configure ipsec ipsec-transport-mode-profile named-item key-exchange dynamic ppk
	Tree	ppk
	Description	Commands in this context configure the PPKs to use for dynamic keying of the IPsec tunnel.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

id reference


	Synopsis	PPK ID
	Context	configure ipsec ipsec-transport-mode-profile named-item key-exchange dynamic ppk id reference
	Tree	id
	Reference	configure ipsec ppk-list named-item ppk named-item-64
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

list reference


	Synopsis	PPK list instance name
	Context	configure ipsec ipsec-transport-mode-profile named-item key-exchange dynamic ppk list reference
	Tree	list
	Reference	configure ipsec ppk-list named-item
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

pre-shared-key encrypted-leaf


	Synopsis	Pre-shared key for IKE authentication
	Context	configure ipsec ipsec-transport-mode-profile named-item key-exchange dynamic pre-shared-key encrypted-leaf
	Tree	pre-shared-key
	String length	1 to 115
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

max-history-key-records


	Synopsis	Enter the max-history-key-records context
	Context	configure ipsec ipsec-transport-mode-profile named-item max-history-key-records
	Tree	max-history-key-records
	Description	Commands in this context configure the settings for recording historical IPsec keys.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

esp number


	Synopsis	Maximum number of recent records
	Context	configure ipsec ipsec-transport-mode-profile named-item max-history-key-records esp number
	Tree	esp
	Range	1 to 48
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

ike number


	Synopsis	Maximum number of historical IKE key records
	Context	configure ipsec ipsec-transport-mode-profile named-item max-history-key-records ike number
	Tree	ike
	Range	1 to 3
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

replay-window number


	Synopsis	Anti-replay window size
	Context	configure ipsec ipsec-transport-mode-profile named-item replay-window number
	Tree	replay-window
	Description	This command specifies the size of an IPsec anti-replay window. If unconfigured, IPsec anti-replay is disabled.
	Range	32 \| 64 \| 128 \| 256 \| 512
	Units	packets
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

ppk-list [name] named-item


	Synopsis	Enter the ppk-list list instance
	Context	configure ipsec ppk-list named-item
	Tree	ppk-list
	Description	Commands in this context configure the list of Post-quantum Preshared Keys (PPKs) to use for IKEv2 key derivation, as described in RFC 8784.
	Max. instances	128
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

[name] named-item


	Synopsis	PPK list instance name
	Context	configure ipsec ppk-list named-item
	Tree	ppk-list
	String length	1 to 32
	Notes	This element is part of a list key.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

ppk [ppk-id] named-item-64


	Synopsis	Enter the ppk list instance
	Context	configure ipsec ppk-list named-item ppk named-item-64
	Tree	ppk
	Description	Commands in this context configure the attributes for a PPK within the list.
	Max. instances	128
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

[ppk-id] named-item-64


	Synopsis	PPK ID
	Context	configure ipsec ppk-list named-item ppk named-item-64
	Tree	ppk
	String length	1 to 64
	Notes	This element is part of a list key.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

value


	Synopsis	Enable the value context
	Context	configure ipsec ppk-list named-item ppk named-item-64 value
	Tree	value
	Description	Commands in this context configure the values for the specified PPK.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

ascii encrypted-leaf


	Synopsis	PPK value as an ASCII string
	Context	configure ipsec ppk-list named-item ppk named-item-64 value ascii encrypted-leaf
	Tree	ascii
	String length	1 to 115
	Notes	The following elements are part of a mandatory choice: ascii or hex.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

hex encrypted-leaf-hex


	Synopsis	PPK value as a hexadecimal string with prefix 0x
	Context	configure ipsec ppk-list named-item ppk named-item-64 value hex encrypted-leaf-hex
	Tree	hex
	String length	1 to 115
	Notes	The following elements are part of a mandatory choice: ascii or hex.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

radius


	Synopsis	Enter the radius context
	Context	configure ipsec radius
	Tree	radius
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

accounting-policy [name] named-item


	Synopsis	Enter the accounting-policy list instance
	Context	configure ipsec radius accounting-policy named-item
	Tree	accounting-policy
	Description	Commands in this context configure RADIUS accounting policies to collect accounting statistics.
	Max. instances	100
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

[name] named-item


	Synopsis	RADIUS accounting policy name
	Context	configure ipsec radius accounting-policy named-item
	Tree	accounting-policy
	String length	1 to 32
	Notes	This element is part of a list key.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

include-radius-attribute


	Synopsis	Enter the include-radius-attribute context
	Context	configure ipsec radius accounting-policy named-item include-radius-attribute
	Tree	include-radius-attribute
	Description	Commands in this context specify the RADIUS attributes that are to be included in the RADIUS Authentication-Request messages.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

acct-stats boolean


	Synopsis	Include accounting attributes in RADIUS packets
	Context	configure ipsec radius accounting-policy named-item include-radius-attribute acct-stats boolean
	Tree	acct-stats
	Default	false
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

called-station-id boolean


	Synopsis	Include the Called-Station-Id attribute
	Context	configure ipsec radius accounting-policy named-item include-radius-attribute called-station-id boolean
	Tree	called-station-id
	Default	false
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

calling-station-id boolean


	Synopsis	Include the Calling-Station-Id attribute
	Context	configure ipsec radius accounting-policy named-item include-radius-attribute calling-station-id boolean
	Tree	calling-station-id
	Default	false
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

framed-ip-addr boolean


	Synopsis	Include the Framed-IP-Address attribute
	Context	configure ipsec radius accounting-policy named-item include-radius-attribute framed-ip-addr boolean
	Tree	framed-ip-addr
	Default	false
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

framed-ipv6-prefix boolean


	Synopsis	Include the Framed-IPv6-Prefix attribute
	Context	configure ipsec radius accounting-policy named-item include-radius-attribute framed-ipv6-prefix boolean
	Tree	framed-ipv6-prefix
	Default	false
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

nas-identifier boolean


	Synopsis	Include the NAS-Identifier attribute
	Context	configure ipsec radius accounting-policy named-item include-radius-attribute nas-identifier boolean
	Tree	nas-identifier
	Default	false
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

nas-ip-addr boolean


	Synopsis	Include the NAS-IP-Address attribute
	Context	configure ipsec radius accounting-policy named-item include-radius-attribute nas-ip-addr boolean
	Tree	nas-ip-addr
	Default	false
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

nas-port-id boolean


	Synopsis	Include the NAS-Port-Id attribute
	Context	configure ipsec radius accounting-policy named-item include-radius-attribute nas-port-id boolean
	Tree	nas-port-id
	Default	false
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

radius-server-policy reference


	Synopsis	Referenced RADIUS server policy
	Context	configure ipsec radius accounting-policy named-item radius-server-policy reference
	Tree	radius-server-policy
	Reference	configure aaa radius server-policy named-item
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

update-interval


	Synopsis	Enter the update-interval context
	Context	configure ipsec radius accounting-policy named-item update-interval
	Tree	update-interval
	Description	Commands in this context determine how RADIUS interim-update packets are sent for IKEv2 remote-access tunnels.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

jitter number


	Synopsis	Jitter interval for sending each interim-update packet
	Context	configure ipsec radius accounting-policy named-item update-interval jitter number
	Tree	jitter
	Description	This command specifies the jitter interval for the RADIUS interim-update packets. When unconfigured, the system uses 10% of the update interval value.
	Range	0 to 3600
	Units	seconds
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

value number


	Synopsis	Update interval of the RADIUS accounting data
	Context	configure ipsec radius accounting-policy named-item update-interval value number
	Tree	value
	Description	This command configures the update interval of the RADIUS accounting data. If a value of 0 is configured, no intermediate updates are sent.
	Range	0 \| 5 to 259200
	Units	minutes
	Default	10
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

authentication-policy [name] named-item


	Synopsis	Enter the authentication-policy list instance
	Context	configure ipsec radius authentication-policy named-item
	Tree	authentication-policy
	Description	Commands in this context configure the RADIUS authentication policy associated with the IPsec gateway.
	Max. instances	100
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

[name] named-item


	Synopsis	RADIUS authentication policy name
	Context	configure ipsec radius authentication-policy named-item
	Tree	authentication-policy
	String length	1 to 32
	Notes	This element is part of a list key.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

include-radius-attribute


	Synopsis	Enter the include-radius-attribute context
	Context	configure ipsec radius authentication-policy named-item include-radius-attribute
	Tree	include-radius-attribute
	Description	Commands in this context specify the RADIUS attributes to be included in the RADIUS Authentication-Request messages.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

called-station-id boolean


	Synopsis	Include the Called-Station-Id attribute
	Context	configure ipsec radius authentication-policy named-item include-radius-attribute called-station-id boolean
	Tree	called-station-id
	Default	false
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

calling-station-id boolean


	Synopsis	Include the Calling-Station-Id attribute
	Context	configure ipsec radius authentication-policy named-item include-radius-attribute calling-station-id boolean
	Tree	calling-station-id
	Default	false
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

client-cert-subject-key-id boolean


	Synopsis	Include the Subject Key Identifier
	Context	configure ipsec radius authentication-policy named-item include-radius-attribute client-cert-subject-key-id boolean
	Tree	client-cert-subject-key-id
	Description	When configured to true, the Subject Key Identifier of the certificate of the peer is included in the RADIUS Access-Request packet as VSA: Alc-Subject-Key-Identifier.
	Default	false
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

nas-identifier boolean


	Synopsis	Include the NAS-Identifier attribute
	Context	configure ipsec radius authentication-policy named-item include-radius-attribute nas-identifier boolean
	Tree	nas-identifier
	Default	false
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

nas-ip-addr boolean


	Synopsis	Include the NAS-IP-Address attribute
	Context	configure ipsec radius authentication-policy named-item include-radius-attribute nas-ip-addr boolean
	Tree	nas-ip-addr
	Default	false
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

nas-port-id boolean


	Synopsis	Include the NAS-Port-Id attribute
	Context	configure ipsec radius authentication-policy named-item include-radius-attribute nas-port-id boolean
	Tree	nas-port-id
	Default	false
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

password encrypted-leaf


	Synopsis	Password used in RADIUS access requests
	Context	configure ipsec radius authentication-policy named-item password encrypted-leaf
	Tree	password
	String length	1 to 115
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

radius-server-policy reference


	Synopsis	Referenced RADIUS server policy
	Context	configure ipsec radius authentication-policy named-item radius-server-policy reference
	Tree	radius-server-policy
	Reference	configure aaa radius server-policy named-item
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

show-ipsec-keys boolean


	Synopsis	Show IPsec IKE and ESP keys in the output
	Context	configure ipsec show-ipsec-keys boolean
	Tree	show-ipsec-keys
	Description	When configured to true, this command allows IPsec keys to be (optionally) included in the display output of certain debug and admin commands. When configured to false, the key display is disabled.
	Default	false
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

static-sa [name] named-item


	Synopsis	Enter the static-sa list instance
	Context	configure ipsec static-sa named-item
	Tree	static-sa
	Max. instances	1000
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

[name] named-item


	Synopsis	Static SA name
	Context	configure ipsec static-sa named-item
	Tree	static-sa
	String length	1 to 32
	Notes	This element is part of a list key.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

authentication


	Synopsis	Enable the authentication context
	Context	configure ipsec static-sa named-item authentication
	Tree	authentication
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

algorithm keyword


	Synopsis	Authentication algorithm used for an IPsec manual SA
	Context	configure ipsec static-sa named-item authentication algorithm keyword
	Tree	algorithm
	Options	md5, sha1
	Notes	This element is mandatory.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

key encrypted-leaf


	Synopsis	Key used for the authentication algorithm
	Context	configure ipsec static-sa named-item authentication key encrypted-leaf
	Tree	key
	String length	1 to 54
	Notes	This element is mandatory.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

description named-item


	Synopsis	Text description
	Context	configure ipsec static-sa named-item description named-item
	Tree	description
	String length	1 to 32
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

direction keyword


	Synopsis	Direction to which the static SA entry can be applied
	Context	configure ipsec static-sa named-item direction keyword
	Tree	direction
	Options	inbound, outbound, bidirectional
	Default	bidirectional
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

protocol keyword


	Synopsis	IPsec protocol used with the static SA
	Context	configure ipsec static-sa named-item protocol keyword
	Tree	protocol
	Options	ah, esp
	Default	esp
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

spi number


	Synopsis	Security Parameter Index (SPI) for the static SA
	Context	configure ipsec static-sa named-item spi number
	Tree	spi
	Description	This command specifies the SPI for the static SA. When the direction command is set to inbound, the SPI is used to look up the instruction to verify and decrypt the incoming IPsec packets. When the direction command is set to outbound, the SPI is used in the encoding of the outgoing packets. The remote node can use the SPI to look up the instruction to verify and decrypt the packet. When unconfigured, the static SA cannot be used.
	Range	256 to 16383
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

trust-anchor-profile [name] named-item


	Synopsis	Enter the trust-anchor-profile list instance
	Context	configure ipsec trust-anchor-profile named-item
	Tree	trust-anchor-profile
	Max. instances	10128
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

[name] named-item


	Synopsis	Trust anchor profile name for IPsec tunnel or gateway
	Context	configure ipsec trust-anchor-profile named-item
	Tree	trust-anchor-profile
	String length	1 to 32
	Notes	This element is part of a list key.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

trust-anchor [ca-profile] reference


	Synopsis	Add a list entry for trust-anchor
	Context	configure ipsec trust-anchor-profile named-item trust-anchor reference
	Tree	trust-anchor
	Description	Commands in this context configure a CA profile as a trust anchor CA.
	Max. instances	8
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

[ca-profile] reference


	Synopsis	Name of the CA profile as a trust anchor profile
	Context	configure ipsec trust-anchor-profile named-item trust-anchor reference
	Tree	trust-anchor
	Reference	configure system security pki ca-profile named-item
	Notes	This element is part of a list key.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

ts-list [name] named-item


	Synopsis	Enter the ts-list list instance
	Context	configure ipsec ts-list named-item
	Tree	ts-list
	Description	Commands in this context configure Traffic Selector (TS) settings.
	Max. instances	32768
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

[name] named-item


	Synopsis	Traffic Selector (TS) list name
	Context	configure ipsec ts-list named-item
	Tree	ts-list
	String length	1 to 32
	Notes	This element is part of a list key.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

local


	Synopsis	Enter the local context
	Context	configure ipsec ts-list named-item local
	Tree	local
	Description	Commands in this context configure a local TS list, a traffic selector, such as TSr, when the system acts as an IKEv2 responder.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

entry [id] number


	Synopsis	Enter the entry list instance
	Context	configure ipsec ts-list named-item local entry number
	Tree	entry
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

[id] number


	Synopsis	TS list entry ID
	Context	configure ipsec ts-list named-item local entry number
	Tree	entry
	Range	1 to 32
	Notes	This element is part of a list key.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

address


	Synopsis	Enable the address context
	Context	configure ipsec ts-list named-item local entry number address
	Tree	address
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

prefix (ipv4-prefix | ipv6-prefix)


	Synopsis	IP prefix for address range in IKEv2 traffic selector
	Context	configure ipsec ts-list named-item local entry number address prefix (ipv4-prefix \| ipv6-prefix)
	Tree	prefix
	Notes	The following elements are part of a mandatory choice: prefix or range.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

range


	Synopsis	Enable the range context
	Context	configure ipsec ts-list named-item local entry number address range
	Tree	range
	Notes	The following elements are part of a mandatory choice: prefix or range.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

begin (ipv4-address-no-zone | ipv6-address-no-zone)


	Synopsis	Lower bound of the IP address range for the entry
	Context	configure ipsec ts-list named-item local entry number address range begin (ipv4-address-no-zone \| ipv6-address-no-zone)
	Tree	begin
	Notes	This element is mandatory.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

end (ipv4-address-no-zone | ipv6-address-no-zone)


	Synopsis	Upper bound of the IP address range
	Context	configure ipsec ts-list named-item local entry number address range end (ipv4-address-no-zone \| ipv6-address-no-zone)
	Tree	end
	Notes	This element is mandatory.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

protocol


	Synopsis	Enable the protocol context
	Context	configure ipsec ts-list named-item local entry number protocol
	Tree	protocol
	Description	Commands in this context specify the protocol settings for the IKEv2 traffic selector.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

any


	Synopsis	Match any protocol ID
	Context	configure ipsec ts-list named-item local entry number protocol any
	Tree	any
	Notes	The following elements are part of a mandatory choice: any or id.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

id


	Synopsis	Enable the id context
	Context	configure ipsec ts-list named-item local entry number protocol id
	Tree	id
	Notes	The following elements are part of a mandatory choice: any or id.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

icmp


	Synopsis	Enter the icmp context
	Context	configure ipsec ts-list named-item local entry number protocol id icmp
	Tree	icmp
	Notes	The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

opaque


	Synopsis	Support OPAQUE ports
	Context	configure ipsec ts-list named-item local entry number protocol id icmp opaque
	Tree	opaque
	Description	This command allows the protocol ID to be accepted even when the port information is not available.
	Notes	The following elements are part of a choice: opaque or port-range.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

port-range


	Synopsis	Enable the port-range context
	Context	configure ipsec ts-list named-item local entry number protocol id icmp port-range
	Tree	port-range
	Description	Commands in this context configure port range information for the protocol.
	Notes	The following elements are part of a choice: opaque or port-range.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

begin-icmp-code number


	Synopsis	Lower bound of the ICMP code range
	Context	configure ipsec ts-list named-item local entry number protocol id icmp port-range begin-icmp-code number
	Tree	begin-icmp-code
	Range	0 to 255
	Notes	This element is mandatory.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

begin-icmp-type number


	Synopsis	Lower bound of the ICMP type range
	Context	configure ipsec ts-list named-item local entry number protocol id icmp port-range begin-icmp-type number
	Tree	begin-icmp-type
	Range	0 to 255
	Notes	This element is mandatory.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

end-icmp-code number


	Synopsis	Upper bound of the ICMP code range
	Context	configure ipsec ts-list named-item local entry number protocol id icmp port-range end-icmp-code number
	Tree	end-icmp-code
	Range	0 to 255
	Notes	This element is mandatory.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

end-icmp-type number


	Synopsis	Upper bound of the ICMP type range
	Context	configure ipsec ts-list named-item local entry number protocol id icmp port-range end-icmp-type number
	Tree	end-icmp-type
	Range	0 to 255
	Notes	This element is mandatory.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

icmp6


	Synopsis	Enter the icmp6 context
	Context	configure ipsec ts-list named-item local entry number protocol id icmp6
	Tree	icmp6
	Notes	The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

opaque


	Synopsis	Support OPAQUE ports
	Context	configure ipsec ts-list named-item local entry number protocol id icmp6 opaque
	Tree	opaque
	Description	This command allows the protocol ID to be accepted even when the port information is not available.
	Notes	The following elements are part of a choice: opaque or port-range.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

port-range


	Synopsis	Enable the port-range context
	Context	configure ipsec ts-list named-item local entry number protocol id icmp6 port-range
	Tree	port-range
	Description	Commands in this context configure port range information for the protocol.
	Notes	The following elements are part of a choice: opaque or port-range.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

begin-icmp-code number


	Synopsis	Lower bound of the ICMP code range
	Context	configure ipsec ts-list named-item local entry number protocol id icmp6 port-range begin-icmp-code number
	Tree	begin-icmp-code
	Range	0 to 255
	Notes	This element is mandatory.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

begin-icmp-type number


	Synopsis	Lower bound of the ICMP type range
	Context	configure ipsec ts-list named-item local entry number protocol id icmp6 port-range begin-icmp-type number
	Tree	begin-icmp-type
	Range	0 to 255
	Notes	This element is mandatory.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

end-icmp-code number


	Synopsis	Upper bound of the ICMP code range
	Context	configure ipsec ts-list named-item local entry number protocol id icmp6 port-range end-icmp-code number
	Tree	end-icmp-code
	Range	0 to 255
	Notes	This element is mandatory.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

end-icmp-type number


	Synopsis	Upper bound of the ICMP type range
	Context	configure ipsec ts-list named-item local entry number protocol id icmp6 port-range end-icmp-type number
	Tree	end-icmp-type
	Range	0 to 255
	Notes	This element is mandatory.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

mipv6


	Synopsis	Enter the mipv6 context
	Context	configure ipsec ts-list named-item local entry number protocol id mipv6
	Tree	mipv6
	Notes	The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

opaque


	Synopsis	Support OPAQUE ports
	Context	configure ipsec ts-list named-item local entry number protocol id mipv6 opaque
	Tree	opaque
	Description	This command allows the protocol ID to be accepted even when the port information is not available.
	Notes	The following elements are part of a choice: opaque or port-range.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

port-range


	Synopsis	Enable the port-range context
	Context	configure ipsec ts-list named-item local entry number protocol id mipv6 port-range
	Tree	port-range
	Notes	The following elements are part of a choice: opaque or port-range.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

begin number


	Synopsis	Lower bound of the port range
	Context	configure ipsec ts-list named-item local entry number protocol id mipv6 port-range begin number
	Tree	begin
	Range	0 to 255
	Notes	This element is mandatory.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

end number


	Synopsis	Upper bound of the port range
	Context	configure ipsec ts-list named-item local entry number protocol id mipv6 port-range end number
	Tree	end
	Range	0 to 255
	Notes	This element is mandatory.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

protocol-id-with-any-port (keyword | number)


	Synopsis	Protocol ID that accepts any port value
	Context	configure ipsec ts-list named-item local entry number protocol id protocol-id-with-any-port (keyword \| number)
	Tree	protocol-id-with-any-port
	Range	1 to 255
	Options	icmp, tcp, udp, icmp6, sctp, mipv6
	Notes	The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

sctp


	Synopsis	Enter the sctp context
	Context	configure ipsec ts-list named-item local entry number protocol id sctp
	Tree	sctp
	Notes	The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

opaque


	Synopsis	Support OPAQUE ports
	Context	configure ipsec ts-list named-item local entry number protocol id sctp opaque
	Tree	opaque
	Description	This command allows the protocol ID to be accepted even when the port information is not available.
	Notes	The following elements are part of a choice: opaque or port-range.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

port-range


	Synopsis	Enable the port-range context
	Context	configure ipsec ts-list named-item local entry number protocol id sctp port-range
	Tree	port-range
	Notes	The following elements are part of a choice: opaque or port-range.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

begin number


	Synopsis	Lower bound of the port range
	Context	configure ipsec ts-list named-item local entry number protocol id sctp port-range begin number
	Tree	begin
	Range	0 to 65535
	Notes	This element is mandatory.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

end number


	Synopsis	Upper bound of the port range
	Context	configure ipsec ts-list named-item local entry number protocol id sctp port-range end number
	Tree	end
	Range	0 to 65535
	Notes	This element is mandatory.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

tcp


	Synopsis	Enter the tcp context
	Context	configure ipsec ts-list named-item local entry number protocol id tcp
	Tree	tcp
	Notes	The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

opaque


	Synopsis	Support OPAQUE ports
	Context	configure ipsec ts-list named-item local entry number protocol id tcp opaque
	Tree	opaque
	Description	This command allows the protocol ID to be accepted even when the port information is not available.
	Notes	The following elements are part of a choice: opaque or port-range.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

port-range


	Synopsis	Enable the port-range context
	Context	configure ipsec ts-list named-item local entry number protocol id tcp port-range
	Tree	port-range
	Notes	The following elements are part of a choice: opaque or port-range.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

begin number


	Synopsis	Lower bound of the port range
	Context	configure ipsec ts-list named-item local entry number protocol id tcp port-range begin number
	Tree	begin
	Range	0 to 65535
	Notes	This element is mandatory.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

end number


	Synopsis	Upper bound of the port range
	Context	configure ipsec ts-list named-item local entry number protocol id tcp port-range end number
	Tree	end
	Range	0 to 65535
	Notes	This element is mandatory.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

udp


	Synopsis	Enter the udp context
	Context	configure ipsec ts-list named-item local entry number protocol id udp
	Tree	udp
	Notes	The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

opaque


	Synopsis	Support OPAQUE ports
	Context	configure ipsec ts-list named-item local entry number protocol id udp opaque
	Tree	opaque
	Description	This command allows the protocol ID to be accepted even when the port information is not available.
	Notes	The following elements are part of a choice: opaque or port-range.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

port-range


	Synopsis	Enable the port-range context
	Context	configure ipsec ts-list named-item local entry number protocol id udp port-range
	Tree	port-range
	Notes	The following elements are part of a choice: opaque or port-range.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

begin number


	Synopsis	Lower bound of the port range
	Context	configure ipsec ts-list named-item local entry number protocol id udp port-range begin number
	Tree	begin
	Range	0 to 65535
	Notes	This element is mandatory.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

end number


	Synopsis	Upper bound of the port range
	Context	configure ipsec ts-list named-item local entry number protocol id udp port-range end number
	Tree	end
	Range	0 to 65535
	Notes	This element is mandatory.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

remote


	Synopsis	Enter the remote context
	Context	configure ipsec ts-list named-item remote
	Tree	remote
	Description	Commands in this context configure a remote TS list, a traffic selector, such as TSr, when the system acts as an IKEv2 responder.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

entry [id] number


	Synopsis	Enter the entry list instance
	Context	configure ipsec ts-list named-item remote entry number
	Tree	entry
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

[id] number


	Synopsis	TS list entry ID
	Context	configure ipsec ts-list named-item remote entry number
	Tree	entry
	Range	1 to 32
	Notes	This element is part of a list key.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

address


	Synopsis	Enable the address context
	Context	configure ipsec ts-list named-item remote entry number address
	Tree	address
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

prefix (ipv4-prefix | ipv6-prefix)


	Synopsis	IP prefix for address range in IKEv2 traffic selector
	Context	configure ipsec ts-list named-item remote entry number address prefix (ipv4-prefix \| ipv6-prefix)
	Tree	prefix
	Notes	The following elements are part of a mandatory choice: prefix or range.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

range


	Synopsis	Enable the range context
	Context	configure ipsec ts-list named-item remote entry number address range
	Tree	range
	Notes	The following elements are part of a mandatory choice: prefix or range.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

begin (ipv4-address-no-zone | ipv6-address-no-zone)


	Synopsis	Lower bound of the IP address range for the entry
	Context	configure ipsec ts-list named-item remote entry number address range begin (ipv4-address-no-zone \| ipv6-address-no-zone)
	Tree	begin
	Notes	This element is mandatory.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

end (ipv4-address-no-zone | ipv6-address-no-zone)


	Synopsis	Upper bound of the IP address range
	Context	configure ipsec ts-list named-item remote entry number address range end (ipv4-address-no-zone \| ipv6-address-no-zone)
	Tree	end
	Notes	This element is mandatory.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

protocol


	Synopsis	Enable the protocol context
	Context	configure ipsec ts-list named-item remote entry number protocol
	Tree	protocol
	Description	Commands in this context specify the protocol settings for the IKEv2 traffic selector.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

any


	Synopsis	Match any protocol ID
	Context	configure ipsec ts-list named-item remote entry number protocol any
	Tree	any
	Notes	The following elements are part of a mandatory choice: any or id.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

id


	Synopsis	Enable the id context
	Context	configure ipsec ts-list named-item remote entry number protocol id
	Tree	id
	Notes	The following elements are part of a mandatory choice: any or id.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

icmp


	Synopsis	Enter the icmp context
	Context	configure ipsec ts-list named-item remote entry number protocol id icmp
	Tree	icmp
	Notes	The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

opaque


	Synopsis	Support OPAQUE ports
	Context	configure ipsec ts-list named-item remote entry number protocol id icmp opaque
	Tree	opaque
	Description	This command allows the protocol ID to be accepted even when the port information is not available.
	Notes	The following elements are part of a choice: opaque or port-range.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

port-range


	Synopsis	Enable the port-range context
	Context	configure ipsec ts-list named-item remote entry number protocol id icmp port-range
	Tree	port-range
	Description	Commands in this context configure port range information for the protocol.
	Notes	The following elements are part of a choice: opaque or port-range.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

begin-icmp-code number


	Synopsis	Lower bound of the ICMP code range
	Context	configure ipsec ts-list named-item remote entry number protocol id icmp port-range begin-icmp-code number
	Tree	begin-icmp-code
	Range	0 to 255
	Notes	This element is mandatory.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

begin-icmp-type number


	Synopsis	Lower bound of the ICMP type range
	Context	configure ipsec ts-list named-item remote entry number protocol id icmp port-range begin-icmp-type number
	Tree	begin-icmp-type
	Range	0 to 255
	Notes	This element is mandatory.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

end-icmp-code number


	Synopsis	Upper bound of the ICMP code range
	Context	configure ipsec ts-list named-item remote entry number protocol id icmp port-range end-icmp-code number
	Tree	end-icmp-code
	Range	0 to 255
	Notes	This element is mandatory.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

end-icmp-type number


	Synopsis	Upper bound of the ICMP type range
	Context	configure ipsec ts-list named-item remote entry number protocol id icmp port-range end-icmp-type number
	Tree	end-icmp-type
	Range	0 to 255
	Notes	This element is mandatory.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

icmp6


	Synopsis	Enter the icmp6 context
	Context	configure ipsec ts-list named-item remote entry number protocol id icmp6
	Tree	icmp6
	Notes	The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

opaque


	Synopsis	Support OPAQUE ports
	Context	configure ipsec ts-list named-item remote entry number protocol id icmp6 opaque
	Tree	opaque
	Description	This command allows the protocol ID to be accepted even when the port information is not available.
	Notes	The following elements are part of a choice: opaque or port-range.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

port-range


	Synopsis	Enable the port-range context
	Context	configure ipsec ts-list named-item remote entry number protocol id icmp6 port-range
	Tree	port-range
	Description	Commands in this context configure port range information for the protocol.
	Notes	The following elements are part of a choice: opaque or port-range.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

begin-icmp-code number


	Synopsis	Lower bound of the ICMP code range
	Context	configure ipsec ts-list named-item remote entry number protocol id icmp6 port-range begin-icmp-code number
	Tree	begin-icmp-code
	Range	0 to 255
	Notes	This element is mandatory.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

begin-icmp-type number


	Synopsis	Lower bound of the ICMP type range
	Context	configure ipsec ts-list named-item remote entry number protocol id icmp6 port-range begin-icmp-type number
	Tree	begin-icmp-type
	Range	0 to 255
	Notes	This element is mandatory.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

end-icmp-code number


	Synopsis	Upper bound of the ICMP code range
	Context	configure ipsec ts-list named-item remote entry number protocol id icmp6 port-range end-icmp-code number
	Tree	end-icmp-code
	Range	0 to 255
	Notes	This element is mandatory.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

end-icmp-type number


	Synopsis	Upper bound of the ICMP type range
	Context	configure ipsec ts-list named-item remote entry number protocol id icmp6 port-range end-icmp-type number
	Tree	end-icmp-type
	Range	0 to 255
	Notes	This element is mandatory.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

mipv6


	Synopsis	Enter the mipv6 context
	Context	configure ipsec ts-list named-item remote entry number protocol id mipv6
	Tree	mipv6
	Notes	The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

opaque


	Synopsis	Support OPAQUE ports
	Context	configure ipsec ts-list named-item remote entry number protocol id mipv6 opaque
	Tree	opaque
	Description	This command allows the protocol ID to be accepted even when the port information is not available.
	Notes	The following elements are part of a choice: opaque or port-range.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

port-range


	Synopsis	Enable the port-range context
	Context	configure ipsec ts-list named-item remote entry number protocol id mipv6 port-range
	Tree	port-range
	Notes	The following elements are part of a choice: opaque or port-range.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

begin number


	Synopsis	Lower bound of the port range
	Context	configure ipsec ts-list named-item remote entry number protocol id mipv6 port-range begin number
	Tree	begin
	Range	0 to 255
	Notes	This element is mandatory.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

end number


	Synopsis	Upper bound of the port range
	Context	configure ipsec ts-list named-item remote entry number protocol id mipv6 port-range end number
	Tree	end
	Range	0 to 255
	Notes	This element is mandatory.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

protocol-id-with-any-port (keyword | number)


	Synopsis	Protocol ID that accepts any port value
	Context	configure ipsec ts-list named-item remote entry number protocol id protocol-id-with-any-port (keyword \| number)
	Tree	protocol-id-with-any-port
	Range	1 to 255
	Options	icmp, tcp, udp, icmp6, sctp, mipv6
	Notes	The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

sctp


	Synopsis	Enter the sctp context
	Context	configure ipsec ts-list named-item remote entry number protocol id sctp
	Tree	sctp
	Notes	The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

opaque


	Synopsis	Support OPAQUE ports
	Context	configure ipsec ts-list named-item remote entry number protocol id sctp opaque
	Tree	opaque
	Description	This command allows the protocol ID to be accepted even when the port information is not available.
	Notes	The following elements are part of a choice: opaque or port-range.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

port-range


	Synopsis	Enable the port-range context
	Context	configure ipsec ts-list named-item remote entry number protocol id sctp port-range
	Tree	port-range
	Notes	The following elements are part of a choice: opaque or port-range.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

begin number


	Synopsis	Lower bound of the port range
	Context	configure ipsec ts-list named-item remote entry number protocol id sctp port-range begin number
	Tree	begin
	Range	0 to 65535
	Notes	This element is mandatory.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

end number


	Synopsis	Upper bound of the port range
	Context	configure ipsec ts-list named-item remote entry number protocol id sctp port-range end number
	Tree	end
	Range	0 to 65535
	Notes	This element is mandatory.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

tcp


	Synopsis	Enter the tcp context
	Context	configure ipsec ts-list named-item remote entry number protocol id tcp
	Tree	tcp
	Notes	The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

opaque


	Synopsis	Support OPAQUE ports
	Context	configure ipsec ts-list named-item remote entry number protocol id tcp opaque
	Tree	opaque
	Description	This command allows the protocol ID to be accepted even when the port information is not available.
	Notes	The following elements are part of a choice: opaque or port-range.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

port-range


	Synopsis	Enable the port-range context
	Context	configure ipsec ts-list named-item remote entry number protocol id tcp port-range
	Tree	port-range
	Notes	The following elements are part of a choice: opaque or port-range.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

begin number


	Synopsis	Lower bound of the port range
	Context	configure ipsec ts-list named-item remote entry number protocol id tcp port-range begin number
	Tree	begin
	Range	0 to 65535
	Notes	This element is mandatory.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

end number


	Synopsis	Upper bound of the port range
	Context	configure ipsec ts-list named-item remote entry number protocol id tcp port-range end number
	Tree	end
	Range	0 to 65535
	Notes	This element is mandatory.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

udp


	Synopsis	Enter the udp context
	Context	configure ipsec ts-list named-item remote entry number protocol id udp
	Tree	udp
	Notes	The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

opaque


	Synopsis	Support OPAQUE ports
	Context	configure ipsec ts-list named-item remote entry number protocol id udp opaque
	Tree	opaque
	Description	This command allows the protocol ID to be accepted even when the port information is not available.
	Notes	The following elements are part of a choice: opaque or port-range.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

port-range


	Synopsis	Enable the port-range context
	Context	configure ipsec ts-list named-item remote entry number protocol id udp port-range
	Tree	port-range
	Notes	The following elements are part of a choice: opaque or port-range.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

begin number


	Synopsis	Lower bound of the port range
	Context	configure ipsec ts-list named-item remote entry number protocol id udp port-range begin number
	Tree	begin
	Range	0 to 65535
	Notes	This element is mandatory.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

end number


	Synopsis	Upper bound of the port range
	Context	configure ipsec ts-list named-item remote entry number protocol id udp port-range end number
	Tree	end
	Range	0 to 65535
	Notes	This element is mandatory.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

tunnel-template [id] number


	Synopsis	Enter the tunnel-template list instance
	Context	configure ipsec tunnel-template number
	Tree	tunnel-template
	Max. instances	2048
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

[id] number


	Synopsis	Tunnel template ID
	Context	configure ipsec tunnel-template number
	Tree	tunnel-template
	Range	1 to 2048
	Notes	This element is part of a list key.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

clear-df-bit boolean


	Synopsis	Clear the Do-not-Fragment (DF) bit
	Context	configure ipsec tunnel-template number clear-df-bit boolean
	Tree	clear-df-bit
	Default	false
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

copy-traffic-class-upon-decapsulation boolean


	Synopsis	Enable traffic class copy upon decapsulation
	Context	configure ipsec tunnel-template number copy-traffic-class-upon-decapsulation boolean
	Tree	copy-traffic-class-upon-decapsulation
	Description	When configured to true, the system copies the traffic class from the outer tunnel IP packet header to the payload IP packet header in the decapsulating direction (public to private). When configured to false, the system does not copy the traffic class from the outer IP packet to the payload IP packet header upon decapsulation.
	Default	false
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

description description


	Synopsis	Text description
	Context	configure ipsec tunnel-template number description description
	Tree	description
	String length	1 to 80
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

encapsulated-ip-mtu number


	Synopsis	Maximum size of the encapsulated tunnel packet
	Context	configure ipsec tunnel-template number encapsulated-ip-mtu number
	Tree	encapsulated-ip-mtu
	Description	This command specifies the maximum size of the encapsulated tunnel packet to the IPsec tunnel, the IP tunnel, or the dynamic tunnels terminated on the IPsec Gateway. If the encapsulated IPv4 or IPv6 tunnel packet exceeds this value, the system fragments the packet.
	Range	512 to 9000
	Units	octets
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

icmp-generation


	Synopsis	Enter the icmp-generation context
	Context	configure ipsec tunnel-template number icmp-generation
	Tree	icmp-generation
	Description	Commands in this context configure settings for ICMPv4 message generation.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

frag-required


	Synopsis	Enter the frag-required context
	Context	configure ipsec tunnel-template number icmp-generation frag-required
	Tree	frag-required
	Description	Commands in this context configure the attributes for sending generated ICMP Destination Unreachable "fragmentation needed and DF set" messages (type 3, code 4) back to the source, if the received size of the IPv4 packet on the private side exceeds the private MTU size.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

admin-state keyword


	Synopsis	Administrative state of sending ICMP messages
	Context	configure ipsec tunnel-template number icmp-generation frag-required admin-state keyword
	Tree	admin-state
	Description	This command configures the administrative state of sending ICMP Destination Unreachable "fragmentation needed, DF set" messages (type 3, code 4) messages to the source if the received size of the IPv4 packet on the private side exceeds the private MTU size.
	Options	enable, disable
	Default	enable
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

interval number


	Synopsis	Interval for sending ICMP messages
	Context	configure ipsec tunnel-template number icmp-generation frag-required interval number
	Tree	interval
	Description	This command configures the interval for sending ICMP Destination Unreachable "fragmentation needed, DF set" messages (type 3, code 4).
	Range	1 to 60
	Units	seconds
	Default	10
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

message-count number


	Synopsis	Maximum number of ICMP messages that can be sent
	Context	configure ipsec tunnel-template number icmp-generation frag-required message-count number
	Tree	message-count
	Description	This command configures the maximum number of ICMP Destination Unreachable "fragmentation needed, DF set" messages (type 3, code 4) that can be sent during the configured interval.
	Range	10 to 1000
	Default	100
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

icmp6-generation


	Synopsis	Enter the icmp6-generation context
	Context	configure ipsec tunnel-template number icmp6-generation
	Tree	icmp6-generation
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

pkt-too-big


	Synopsis	Enter the pkt-too-big context
	Context	configure ipsec tunnel-template number icmp6-generation pkt-too-big
	Tree	pkt-too-big
	Description	Commands in this context configure values for the ICMPv6 Packet Too Big (PTB) messages. The system sends PTB messages if an IPv6 packet is received on the private side that is larger than 1280 bytes and also exceeds the private MTU of the tunnel.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

admin-state keyword


	Synopsis	Administrative state of Packet Too Big message sends
	Context	configure ipsec tunnel-template number icmp6-generation pkt-too-big admin-state keyword
	Tree	admin-state
	Options	enable, disable
	Default	enable
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

interval number


	Synopsis	Maximum interval during which PTB messages can be sent
	Context	configure ipsec tunnel-template number icmp6-generation pkt-too-big interval number
	Tree	interval
	Range	1 to 60
	Units	seconds
	Default	10
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

message-count number


	Synopsis	Max ICMPv6 messages that can be sent during interval
	Context	configure ipsec tunnel-template number icmp6-generation pkt-too-big message-count number
	Tree	message-count
	Range	10 to 1000
	Default	100
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

ignore-default-route boolean


	Synopsis	Ignore any full range traffic selector in TSi
	Context	configure ipsec tunnel-template number ignore-default-route boolean
	Tree	ignore-default-route
	Description	When configured to true, any full range traffic selector is ignored when creating a reverse route. When configured to false, no CHILD_SA is created if any full range traffic selector is included in TSi.
	Default	false
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

ip-mtu number


	Synopsis	Maximum size of the IP MTU for the payload packets
	Context	configure ipsec tunnel-template number ip-mtu number
	Tree	ip-mtu
	Range	512 to 9000
	Units	octets
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

ipsec-transform reference


	Synopsis	IPsec transform ID for the tunnel template
	Context	configure ipsec tunnel-template number ipsec-transform reference
	Tree	ipsec-transform
	Reference	configure ipsec ipsec-transform number
	Max. instances	4
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

pmtu-discovery-aging number


	Synopsis	Aging out time of the learned path MTU
	Context	configure ipsec tunnel-template number pmtu-discovery-aging number
	Tree	pmtu-discovery-aging
	Description	This command configures the temporary public and private MTU expiration time. The temporary MTU is used for MTU propagation.
	Range	900 to 3600
	Units	seconds
	Default	900
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

ppk-list reference


	Synopsis	PPK list to use in the tunnel template
	Context	configure ipsec tunnel-template number ppk-list reference
	Tree	ppk-list
	Description	This command specifies the PPK list to use in the tunnel template, which represents a list of PPKs available for the IPsec gateway. The actual PPK to use depends on the tunnel initiator.
	Reference	configure ipsec ppk-list named-item
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

private-tcp-mss-adjust number


	Synopsis	New TCP MSS value on the private side
	Context	configure ipsec tunnel-template number private-tcp-mss-adjust number
	Tree	private-tcp-mss-adjust
	Description	This command specifies the new (adjusted) TCP MSS value of TCP SYN packets on the private side. When unconfigured, the MSS value is derived from the received TCP SYN packet on the private side.
	Range	512 to 9000
	Units	octets
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

propagate-pmtu-v4 boolean


	Synopsis	Enable propagation of the path MTU to IPv4 hosts
	Context	configure ipsec tunnel-template number propagate-pmtu-v4 boolean
	Tree	propagate-pmtu-v4
	Description	When configured to true, the system propagates the path MTU learned from the public side to the private side (IPv4 hosts).
	Default	true
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

propagate-pmtu-v6 boolean


	Synopsis	Enable propagation of the path MTU to IPv6 hosts
	Context	configure ipsec tunnel-template number propagate-pmtu-v6 boolean
	Tree	propagate-pmtu-v6
	Description	When configured to true, the system propagates the path MTU learned from the public side to the private side (IPv6 hosts).
	Default	true
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

public-tcp-mss-adjust (number | keyword)


	Synopsis	New TCP MSS value on the public side
	Context	configure ipsec tunnel-template number public-tcp-mss-adjust (number \| keyword)
	Tree	public-tcp-mss-adjust
	Description	This command specifies the new (adjusted) TCP MSS value for the TCP traffic in an IPsec tunnel which is sent from the public network to the private network. The system can use this value to adjust or insert the MSS option in the TCP SYN packet. When unconfigured, the MSS value is derived from the public MTU and IPsec overhead.
	Range	512 to 9000
	Units	octets
	Options	auto
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

replay-window number


	Synopsis	Anti-replay window size for the tunnel template
	Context	configure ipsec tunnel-template number replay-window number
	Tree	replay-window
	Range	32 \| 64 \| 128 \| 256 \| 512
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

reverse-route


	Synopsis	Enter the reverse-route context
	Context	configure ipsec tunnel-template number reverse-route
	Tree	reverse-route
	Description	Commands in this context configure the dynamic LAN-to-LAN (DL2L) tunnel reverse-route options for the tunnel template.
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

metric number


	Synopsis	Metric used for DL2L tunnel reverse routes
	Context	configure ipsec tunnel-template number reverse-route metric number
	Tree	metric
	Description	This command configures the metric for reverse routes. The system uses the metric when selecting a route to install in the route table.
	Range	0 to 65535
	Default	0
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

preference number


	Synopsis	Preference used for DL2L tunnel reverse routes
	Context	configure ipsec tunnel-template number reverse-route preference number
	Tree	preference
	Description	This command specifies the route preference assigned to the DL2L tunnel reverse route. The system uses the preference when selecting a route to install in the route table.
	Range	0 to 255
	Default	0
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2

sp-reverse-route keyword


	Synopsis	Reverse route creation method in private service
	Context	configure ipsec tunnel-template number sp-reverse-route keyword
	Tree	sp-reverse-route
	Description	This command allows the system to automatically create a reverse route based on dynamic LAN-to-LAN tunnel's TSi in private service.
	Options	none, use-security-policy
	Default	none
	Introduced	25.3.R2
	Platforms	7705 SAR Gen 2