ipsec commands
configure
— ipsec
— apply-groups reference
— apply-groups-exclude reference
— cert-profile string
— admin-state keyword
— apply-groups reference
— apply-groups-exclude reference
— entry number
— apply-groups reference
— apply-groups-exclude reference
— cert string
— compare-chain-include reference
— key string
— rsa-signature keyword
— send-chain
— ca-profile reference
— client-db string
— admin-state keyword
— apply-groups reference
— apply-groups-exclude reference
— client number
— admin-state keyword
— apply-groups reference
— apply-groups-exclude reference
— client-name string
— credential
— pre-shared-key string
— identification
— idi
— any boolean
— fqdn string
— fqdn-suffix string
— ipv4-prefix string
— ipv4-prefix-any boolean
— ipv6-prefix string
— ipv6-prefix-any boolean
— rfc822 string
— rfc822-suffix string
— peer-ip-prefix
— ip-prefix (ipv4-prefix | ipv6-prefix)
— ipv4-only boolean
— ipv6-only boolean
— private-interface string
— private-service-name string
— ts-list string
— tunnel-template number
— description string
— match-list
— idi boolean
— peer-ip-prefix boolean
— ike-policy number
— apply-groups reference
— apply-groups-exclude reference
— description string
— dpd
— interval number
— max-retries number
— reply-only boolean
— ike-transform reference
— ike-version-1
— auth-method keyword
— ike-mode keyword
— own-auth-method keyword
— ph1-responder-delete-notify boolean
— ike-version-2
— auth-method keyword
— auto-eap-method keyword
— ikev2-fragment
— mtu number
— reassembly-timeout number
— own-auth-method keyword
— own-auto-eap-method keyword
— send-idr-after-eap-success boolean
— ipsec-lifetime number
— limit-init-exchange
— admin-state keyword
— reduced-max-exchange-timeout (number | keyword)
— lockout
— block (number | keyword)
— duration number
— failed-attempts number
— max-port-per-ip number
— match-peer-id-to-cert boolean
— nat-traversal
— force boolean
— force-keep-alive boolean
— keep-alive-interval number
— pfs
— dh-group keyword
— relay-unsolicited-cfg-attribute
— internal-ip4-address boolean
— internal-ip4-dns boolean
— internal-ip4-netmask boolean
— internal-ip6-address boolean
— internal-ip6-dns boolean
— ike-transform number
— apply-groups reference
— apply-groups-exclude reference
— dh-group keyword
— ike-auth-algorithm keyword
— ike-encryption-algorithm keyword
— ike-prf-algorithm keyword
— isakmp-lifetime number
— ipsec-transform number
— apply-groups reference
— apply-groups-exclude reference
— esp-auth-algorithm keyword
— esp-encryption-algorithm keyword
— extended-sequence-number boolean
— ipsec-lifetime number
— pfs-dh-group keyword
— ipsec-transport-mode-profile string
— apply-groups reference
— apply-groups-exclude reference
— description string
— key-exchange
— dynamic
— auto-establish boolean
— cert
— cert-profile reference
— status-verify
— default-result keyword
— primary keyword
— secondary keyword
— trust-anchor-profile reference
— id
— fqdn string
— ipv4 string
— ipv6 (ipv4-address-no-zone | ipv6-address-no-zone)
— ike-policy reference
— ipsec-transform reference
— pre-shared-key string
— max-history-key-records
— esp number
— ike number
— replay-window number
— radius
— accounting-policy string
— apply-groups reference
— apply-groups-exclude reference
— include-radius-attribute
— acct-stats boolean
— called-station-id boolean
— calling-station-id boolean
— framed-ip-addr boolean
— framed-ipv6-prefix boolean
— nas-identifier boolean
— nas-ip-addr boolean
— nas-port-id boolean
— radius-server-policy reference
— update-interval
— jitter number
— value number
— authentication-policy string
— apply-groups reference
— apply-groups-exclude reference
— include-radius-attribute
— called-station-id boolean
— calling-station-id boolean
— client-cert-subject-key-id boolean
— nas-identifier boolean
— nas-ip-addr boolean
— nas-port-id boolean
— password string
— radius-server-policy reference
— show-ipsec-keys boolean
— static-sa string
— apply-groups reference
— apply-groups-exclude reference
— authentication
— algorithm keyword
— key string
— description string
— direction keyword
— protocol keyword
— spi number
— trust-anchor-profile string
— apply-groups reference
— apply-groups-exclude reference
— trust-anchor reference
— ts-list string
— apply-groups reference
— apply-groups-exclude reference
— local
— entry number
— address
— prefix (ipv4-prefix | ipv6-prefix)
— range
— begin (ipv4-address-no-zone | ipv6-address-no-zone)
— end (ipv4-address-no-zone | ipv6-address-no-zone)
— apply-groups reference
— apply-groups-exclude reference
— protocol
— any
— id
— icmp
— opaque
— port-range
— begin-icmp-code number
— begin-icmp-type number
— end-icmp-code number
— end-icmp-type number
— icmp6
— opaque
— port-range
— begin-icmp-code number
— begin-icmp-type number
— end-icmp-code number
— end-icmp-type number
— mipv6
— opaque
— port-range
— begin number
— end number
— protocol-id-with-any-port (keyword | number)
— sctp
— opaque
— port-range
— begin number
— end number
— tcp
— opaque
— port-range
— begin number
— end number
— udp
— opaque
— port-range
— begin number
— end number
— remote
— entry number
— address
— prefix (ipv4-prefix | ipv6-prefix)
— range
— begin (ipv4-address-no-zone | ipv6-address-no-zone)
— end (ipv4-address-no-zone | ipv6-address-no-zone)
— apply-groups reference
— apply-groups-exclude reference
— protocol
— any
— id
— icmp
— opaque
— port-range
— begin-icmp-code number
— begin-icmp-type number
— end-icmp-code number
— end-icmp-type number
— icmp6
— opaque
— port-range
— begin-icmp-code number
— begin-icmp-type number
— end-icmp-code number
— end-icmp-type number
— mipv6
— opaque
— port-range
— begin number
— end number
— protocol-id-with-any-port (keyword | number)
— sctp
— opaque
— port-range
— begin number
— end number
— tcp
— opaque
— port-range
— begin number
— end number
— udp
— opaque
— port-range
— begin number
— end number
— tunnel-template number
— apply-groups reference
— apply-groups-exclude reference
— clear-df-bit boolean
— copy-traffic-class-upon-decapsulation boolean
— description string
— encapsulated-ip-mtu number
— icmp-generation
— frag-required
— admin-state keyword
— interval number
— message-count number
— icmp6-generation
— pkt-too-big
— admin-state keyword
— interval number
— message-count number
— ignore-default-route boolean
— ip-mtu number
— ipsec-transform reference
— pmtu-discovery-aging number
— private-tcp-mss-adjust number
— propagate-pmtu-v4 boolean
— propagate-pmtu-v6 boolean
— public-tcp-mss-adjust (number | keyword)
— replay-window number
— sp-reverse-route keyword
ipsec command descriptions
ipsec
cert-profile [name] string
Synopsis | Enter the cert-profile list instance | |
Context | configure ipsec cert-profile string | |
Tree | cert-profile | |
Description | Commands in this context configure the certificate profile. | |
Max. Instances | 10200 | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
[name] string
Synopsis | Certificate profile name | |
Context | configure ipsec cert-profile string | |
Tree | cert-profile | |
String Length | 1 to 32 | |
Notes | This element is part of a list key. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
admin-state keyword
Synopsis | Administrative state of the certificate profile | |
Context | configure ipsec cert-profile string admin-state keyword | |
Tree | admin-state | |
Options | ||
Default | disable | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
entry [id] number
Synopsis | Enter the entry list instance | |
Context | configure ipsec cert-profile string entry number | |
Tree | entry | |
Description | Commands in this context configure the certificate profile entry. | |
Max. Instances | 8 | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
[id] number
Synopsis | Certificate profile entry ID | |
Context | configure ipsec cert-profile string entry number | |
Tree | entry | |
Range | 1 to 8 | |
Notes | This element is part of a list key. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
cert string
Synopsis | File name of the imported certificate for the entry | |
Context | configure ipsec cert-profile string entry number cert string | |
Tree | cert | |
String Length | 1 to 95 | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
compare-chain-include reference
Synopsis | CA profile to include in the compare-chain | |
Context | configure ipsec cert-profile string entry number compare-chain-include reference | |
Tree | compare-chain-include | |
Description | This command specifies the Certificate Authority (CA) that needs to be included in the compare-chain for the entry. This configuration is required in instances where the configured root CA is cross-signed by another CA. | |
Reference | configure system security pki ca-profile string | |
Introduced | 23.10.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
key string
Synopsis | File name of the imported key used for authentication | |
Context | configure ipsec cert-profile string entry number key string | |
Tree | key | |
String Length | 1 to 95 | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
rsa-signature keyword
Synopsis | Signature scheme for the RSA key | |
Context | configure ipsec cert-profile string entry number rsa-signature keyword | |
Tree | rsa-signature | |
Options | ||
Default | pkcs1 | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
send-chain
Synopsis | Enter the send-chain context | |
Context | configure ipsec cert-profile string entry number send-chain | |
Tree | send-chain | |
Description | Commands in this context allow the system to send additional CA certificates to the peer. These additional CA certificates must be in the certificate chain of the certificate specified by the cert command in the same entry. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
ca-profile reference
Synopsis | CA certificate to send to the peer | |
Context | configure ipsec cert-profile string entry number send-chain ca-profile reference | |
Tree | ca-profile | |
Reference | configure system security pki ca-profile string | |
Max. Instances | 7 | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
client-db [name] string
[name] string
admin-state keyword
Synopsis | Administrative state of the client database | |
Context | configure ipsec client-db string admin-state keyword | |
Tree | admin-state | |
Options | ||
Default | disable | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
client [id] number
[id] number
admin-state keyword
Synopsis | Administrative state of the database client | |
Context | configure ipsec client-db string client number admin-state keyword | |
Tree | admin-state | |
Options | ||
Default | disable | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
client-name string
WARNING: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. | ||
Synopsis | Client name | |
Context | configure ipsec client-db string client number client-name string | |
Tree | client-name | |
String Length | 1 to 32 | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
credential
WARNING: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. | ||
Synopsis | Enter the credential context | |
Context | configure ipsec client-db string client number credential | |
Tree | credential | |
Description | Commands in this context authenticate peers. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
pre-shared-key string
WARNING: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. | ||
Synopsis | Pre-shared key used to authenticate peers | |
Context | configure ipsec client-db string client number credential pre-shared-key string | |
Tree | pre-shared-key | |
String Length | 1 to 115 | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
identification
WARNING: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. | ||
Synopsis | Enter the identification context | |
Context | configure ipsec client-db string client number identification | |
Tree | identification | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
idi
WARNING: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. | ||
Synopsis | Enable the idi context | |
Context | configure ipsec client-db string client number identification idi | |
Tree | idi | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
any boolean
WARNING: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. | ||
Synopsis | Accept any IDi value as a match | |
Context | configure ipsec client-db string client number identification idi any boolean | |
Tree | any | |
Notes | The following elements are part of a mandatory choice: any, fqdn, fqdn-suffix, ipv4-prefix, ipv4-prefix-any, ipv6-prefix, ipv6-prefix-any, rfc822, or rfc822-suffix. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
fqdn string
WARNING: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. | ||
Synopsis | FQDN used as the match criteria for the IDi | |
Context | configure ipsec client-db string client number identification idi fqdn string | |
Tree | fqdn | |
String Length | 0 to 255 | |
Notes | The following elements are part of a mandatory choice: any, fqdn, fqdn-suffix, ipv4-prefix, ipv4-prefix-any, ipv6-prefix, ipv6-prefix-any, rfc822, or rfc822-suffix. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
fqdn-suffix string
WARNING: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. | ||
Synopsis | FQDN suffix used as the match criteria for the IDi | |
Context | configure ipsec client-db string client number identification idi fqdn-suffix string | |
Tree | fqdn-suffix | |
String Length | 0 to 255 | |
Notes | The following elements are part of a mandatory choice: any, fqdn, fqdn-suffix, ipv4-prefix, ipv4-prefix-any, ipv6-prefix, ipv6-prefix-any, rfc822, or rfc822-suffix. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
ipv4-prefix string
WARNING: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. | ||
Synopsis | IPv4 prefix used as the match criteria for the IDi | |
Context | configure ipsec client-db string client number identification idi ipv4-prefix string | |
Tree | ipv4-prefix | |
Notes | The following elements are part of a mandatory choice: any, fqdn, fqdn-suffix, ipv4-prefix, ipv4-prefix-any, ipv6-prefix, ipv6-prefix-any, rfc822, or rfc822-suffix. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
ipv4-prefix-any boolean
WARNING: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. | ||
Synopsis | Accept any valid IPv4 prefix as a match for the IDi | |
Context | configure ipsec client-db string client number identification idi ipv4-prefix-any boolean | |
Tree | ipv4-prefix-any | |
Notes | The following elements are part of a mandatory choice: any, fqdn, fqdn-suffix, ipv4-prefix, ipv4-prefix-any, ipv6-prefix, ipv6-prefix-any, rfc822, or rfc822-suffix. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
ipv6-prefix string
WARNING: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. | ||
Synopsis | IPv6 prefix used as the match criteria for the IDi | |
Context | configure ipsec client-db string client number identification idi ipv6-prefix string | |
Tree | ipv6-prefix | |
Notes | The following elements are part of a mandatory choice: any, fqdn, fqdn-suffix, ipv4-prefix, ipv4-prefix-any, ipv6-prefix, ipv6-prefix-any, rfc822, or rfc822-suffix. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
ipv6-prefix-any boolean
WARNING: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. | ||
Synopsis | Accept any valid IPv6 prefix as a match for the IDi | |
Context | configure ipsec client-db string client number identification idi ipv6-prefix-any boolean | |
Tree | ipv6-prefix-any | |
Notes | The following elements are part of a mandatory choice: any, fqdn, fqdn-suffix, ipv4-prefix, ipv4-prefix-any, ipv6-prefix, ipv6-prefix-any, rfc822, or rfc822-suffix. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
rfc822 string
WARNING: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. | ||
Synopsis | Email address (RFC 822) used as match criteria for IDi | |
Context | configure ipsec client-db string client number identification idi rfc822 string | |
Tree | rfc822 | |
String Length | 0 to 255 | |
Notes | The following elements are part of a mandatory choice: any, fqdn, fqdn-suffix, ipv4-prefix, ipv4-prefix-any, ipv6-prefix, ipv6-prefix-any, rfc822, or rfc822-suffix. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
rfc822-suffix string
WARNING: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. | ||
Synopsis | Email address domain (RFC 822) as IDi match criteria | |
Context | configure ipsec client-db string client number identification idi rfc822-suffix string | |
Tree | rfc822-suffix | |
String Length | 0 to 255 | |
Notes | The following elements are part of a mandatory choice: any, fqdn, fqdn-suffix, ipv4-prefix, ipv4-prefix-any, ipv6-prefix, ipv6-prefix-any, rfc822, or rfc822-suffix. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
peer-ip-prefix
WARNING: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. | ||
Synopsis | Enable the peer-ip-prefix context | |
Context | configure ipsec client-db string client number identification peer-ip-prefix | |
Tree | peer-ip-prefix | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
ip-prefix (ipv4-prefix | ipv6-prefix)
WARNING: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. | ||
Synopsis | IP prefix used as the match criteria | |
Context | configure ipsec client-db string client number identification peer-ip-prefix ip-prefix (ipv4-prefix | ipv6-prefix) | |
Tree | ip-prefix | |
Notes | The following elements are part of a mandatory choice: ip-prefix, ipv4-only, or ipv6-only. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
ipv4-only boolean
WARNING: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. | ||
Synopsis | Accept any valid IPv4 address as a match | |
Context | configure ipsec client-db string client number identification peer-ip-prefix ipv4-only boolean | |
Tree | ipv4-only | |
Notes | The following elements are part of a mandatory choice: ip-prefix, ipv4-only, or ipv6-only. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
ipv6-only boolean
WARNING: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. | ||
Synopsis | Accept any valid IPv6 address as a match | |
Context | configure ipsec client-db string client number identification peer-ip-prefix ipv6-only boolean | |
Tree | ipv6-only | |
Notes | The following elements are part of a mandatory choice: ip-prefix, ipv4-only, or ipv6-only. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
private-interface string
WARNING: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. | ||
Synopsis | Private interface name used for tunnel setup | |
Context | configure ipsec client-db string client number private-interface string | |
Tree | private-interface | |
String Length | 1 to 32 | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
private-service-name string
WARNING: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. | ||
Synopsis | Name of the private service used for tunnel setup | |
Context | configure ipsec client-db string client number private-service-name string | |
Tree | private-service-name | |
String Length | 1 to 64 | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
ts-list string
WARNING: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. | ||
Synopsis | Traffic selector list used by the tunnel | |
Context | configure ipsec client-db string client number ts-list string | |
Tree | ts-list | |
String Length | 1 to 32 | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
tunnel-template number
WARNING: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. | ||
Synopsis | Tunnel template ID | |
Context | configure ipsec client-db string client number tunnel-template number | |
Tree | tunnel-template | |
Range | 1 to 2048 | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
description string
Synopsis | Text description | |
Context | configure ipsec client-db string description string | |
Tree | description | |
String Length | 1 to 80 | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
match-list
WARNING: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. | ||
Synopsis | Enter the match-list context | |
Context | configure ipsec client-db string match-list | |
Tree | match-list | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
idi boolean
WARNING: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. | ||
Synopsis | Use IDi type in the IPsec client matching process | |
Context | configure ipsec client-db string match-list idi boolean | |
Tree | idi | |
Default | false | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
peer-ip-prefix boolean
WARNING: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. | ||
Synopsis | Use the peer tunnel IP address in the matching process | |
Context | configure ipsec client-db string match-list peer-ip-prefix boolean | |
Tree | peer-ip-prefix | |
Default | false | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
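The client-db matching process described above, as an added Python model (not SR OS code and not from the Nokia documentation): it enforces the mandatory-choice rule for the idi and peer-ip-prefix criteria, applies only the criteria enabled in match-list, and returns the first client whose enabled criteria all match. Assumed, because the page does not state them: the IDi is presented as a type plus value, the suffix criteria match on label boundaries, and clients are tried in ascending client ID order.

```python
"""Model of the IPsec client-db matching process (added example, not SR OS code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Idi:
    kind: str    # "fqdn", "rfc822", "ipv4" or "ipv6" (constructed model of the IDi type)
    value: str


@dataclass
class Client:
    client_id: int
    name: str
    idi: dict = field(default_factory=dict)             # exactly one mandatory-choice key
    peer_ip_prefix: dict = field(default_factory=dict)  # exactly one mandatory-choice key
    ts_list: Optional[str] = None
    tunnel_template: Optional[int] = None


def _one_choice(crit: dict):
    """The page lists these elements as a mandatory choice: exactly one key is allowed."""
    if len(crit) != 1:
        raise ValueError(f"exactly one criterion required, got {sorted(crit)}")
    return next(iter(crit.items()))


def _suffix_match(name: str, suffix: str) -> bool:
    """Label-boundary suffix match (assumption): 'corp.example' matches
    'vpn.corp.example' and 'corp.example', but not 'evilcorp.example'."""
    name, suffix = name.lower().rstrip("."), suffix.lower().strip(".")
    return name == suffix or name.endswith("." + suffix)


def idi_matches(crit: dict, idi: Idi) -> bool:
    """identification idi: any / fqdn / fqdn-suffix / ipv4-prefix(-any) /
    ipv6-prefix(-any) / rfc822 / rfc822-suffix."""
    key, val = _one_choice(crit)
    if key == "any":
        return bool(val)
    if key in ("fqdn", "fqdn-suffix"):
        if idi.kind != "fqdn":
            return False
        return idi.value.lower() == val.lower() if key == "fqdn" else _suffix_match(idi.value, val)
    if key in ("rfc822", "rfc822-suffix"):
        if idi.kind != "rfc822":
            return False
        if key == "rfc822":
            return idi.value.lower() == val.lower()
        return _suffix_match(idi.value.rpartition("@")[2], val)  # domain part only
    if key in ("ipv4-prefix-any", "ipv6-prefix-any"):
        return bool(val) and idi.kind == key[:4]
    if key in ("ipv4-prefix", "ipv6-prefix"):
        if idi.kind != key[:4]:
            return False
        # a mixed-family comparison yields False in ipaddress, so a v6 prefix never matches a v4 IDi
        return ipaddress.ip_address(idi.value) in ipaddress.ip_network(val, strict=False)
    raise ValueError(f"unknown idi criterion {key}")


def peer_matches(crit: dict, peer_ip: str) -> bool:
    """identification peer-ip-prefix: ip-prefix / ipv4-only / ipv6-only."""
    key, val = _one_choice(crit)
    addr = ipaddress.ip_address(peer_ip)
    if key == "ipv4-only":
        return bool(val) and addr.version == 4
    if key == "ipv6-only":
        return bool(val) and addr.version == 6
    if key == "ip-prefix":
        return addr in ipaddress.ip_network(val, strict=False)
    raise ValueError(f"unknown peer-ip-prefix criterion {key}")


@dataclass
class ClientDb:
    name: str
    match_idi: bool = False             # match-list idi (page default: false)
    match_peer_ip_prefix: bool = False  # match-list peer-ip-prefix (page default: false)
    clients: list = field(default_factory=list)

    def lookup(self, idi: Idi, peer_ip: str) -> Optional[Client]:
        """First client (ascending ID, assumption) whose enabled criteria all match, else None.
        Modeling choice: with neither match-list flag set, nothing can match."""
        if not (self.match_idi or self.match_peer_ip_prefix):
            return None
        for c in sorted(self.clients, key=lambda c: c.client_id):
            if self.match_idi and not (c.idi and idi_matches(c.idi, idi)):
                continue
            if self.match_peer_ip_prefix and not (
                    c.peer_ip_prefix and peer_matches(c.peer_ip_prefix, peer_ip)):
                continue
            return c
        return None


# Constructed sample database. Client 3 combines "any" IDi with ipv6-only, so it
# accepts every IPv6 peer regardless of identity: it must sort after the specific entries.
CLIENT_DB = ClientDb(
    name="remote-access", match_idi=True, match_peer_ip_prefix=True,
    clients=[
        Client(1, "branch-a", idi={"fqdn": "gw1.branch-a.example"},
               peer_ip_prefix={"ip-prefix": "192.0.2.0/24"}, ts_list="ts-branch-a", tunnel_template=1),
        Client(2, "field-staff", idi={"rfc822-suffix": "corp.example"},
               peer_ip_prefix={"ipv4-only": True}, ts_list="ts-staff", tunnel_template=2),
        Client(3, "catch-all-v6", idi={"any": True},
               peer_ip_prefix={"ipv6-only": True}, ts_list="ts-v6", tunnel_template=3),
    ],
)


def select(idi_kind: str, idi_value: str, peer_ip: str) -> Optional[str]:
    """Name of the client the sample database selects for a peer, or None."""
    c = CLIENT_DB.lookup(Idi(idi_kind, idi_value), peer_ip)
    return c.name if c else None
```

Because client 1 requires both an exact FQDN and a source inside 192.0.2.0/24, the same identity arriving from another address falls through every entry and is rejected.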
ike-policy [id] number
Synopsis | Enter the ike-policy list instance | |
Context | configure ipsec ike-policy number | |
Tree | ike-policy | |
Description | Commands in this context configure an Internet Key Exchange (IKE) policy. | |
Max. Instances | 2048 | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
[id] number
Synopsis | IKE policy ID | |
Context | configure ipsec ike-policy number | |
Tree | ike-policy | |
Range | 1 to 2048 | |
Notes | This element is part of a list key. | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
description string
Synopsis | Text description | |
Context | configure ipsec ike-policy number description string | |
Tree | description | |
String Length | 1 to 80 | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
dpd
Synopsis | Enable the dpd context | |
Context | configure ipsec ike-policy number dpd | |
Tree | dpd | |
Description | Commands in this context configure the dead peer detection mechanism. | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
interval number
Synopsis | DPD interval | |
Context | configure ipsec ike-policy number dpd interval number | |
Tree | interval | |
Description | This command specifies the DPD interval. Because more time is necessary to determine if there is incoming traffic, the actual time needed to bring down the tunnel is larger than the DPD interval multiplied by the value configured for maximum retry attempts. | |
Range | 10 to 300 | |
Units | seconds | |
Default | 30 | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
max-retries number
Synopsis | Maximum number of retries before the tunnel is removed | |
Context | configure ipsec ike-policy number dpd max-retries number | |
Tree | max-retries | |
Range | 2 to 5 | |
Default | 3 | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
reply-only boolean
Synopsis | Initiate DPD request for incoming ESP or IKE packets | |
Context | configure ipsec ike-policy number dpd reply-only boolean | |
Tree | reply-only | |
Default | false | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
ike-transform reference
Synopsis | IKE transform instance associated with the IKE policy | |
Context | configure ipsec ike-policy number ike-transform reference | |
Tree | ike-transform | |
Description | This command specifies the IKE transform instance associated with the IKE policy. If multiple IDs are specified, the system selects an IKE transform based on the proposal of the peer. If the system is a tunnel initiator, it uses the configured IKE transform to generate the SA payload. | |
Reference | configure ipsec ike-transform number | |
Max. Instances | 4 | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
ike-version-1
Synopsis | Enter the ike-version-1 context | |
Context | configure ipsec ike-policy number ike-version-1 | |
Tree | ike-version-1 | |
Description | Commands in this context configure the IKE version 1 mode of operation that the IKE policy uses. | |
Notes | The following elements are part of a choice: ike-version-1 or ike-version-2. | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
auth-method keyword
Synopsis | Authentication method used with the IKE policy | |
Context | configure ipsec ike-policy number ike-version-1 auth-method keyword | |
Tree | auth-method | |
Options | ||
Default | psk | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
ike-mode keyword
Synopsis | Mode of operation | |
Context | configure ipsec ike-policy number ike-version-1 ike-mode keyword | |
Tree | ike-mode | |
Options | ||
Default | main | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
own-auth-method keyword
Synopsis | Authentication method used with policy on its own side | |
Context | configure ipsec ike-policy number ike-version-1 own-auth-method keyword | |
Tree | own-auth-method | |
Options | ||
Default | symmetric | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
ph1-responder-delete-notify boolean
Synopsis | Send delete notification for IKEv1 phase 1 removal | |
Context | configure ipsec ike-policy number ike-version-1 ph1-responder-delete-notify boolean | |
Tree | ph1-responder-delete-notify | |
Description | When configured to true, a delete notification is sent to the peer when deleting an IKEv1 phase 1 SA for which it was the responder. When configured to false, no notification is sent. | |
Default | true | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
ike-version-2
Synopsis | Enable the ike-version-2 context | |
Context | configure ipsec ike-policy number ike-version-2 | |
Tree | ike-version-2 | |
Description | Commands in this context configure the IKE version 2 mode of operation that the IKE policy uses. | |
Notes | The following elements are part of a choice: ike-version-1 or ike-version-2. | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
auth-method keyword
Synopsis | Authentication method used with the IKE policy | |
Context | configure ipsec ike-policy number ike-version-2 auth-method keyword | |
Tree | auth-method | |
Options | ||
Default | psk | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
auto-eap-method keyword
Synopsis | Authentication method used for the remote peer | |
Context | configure ipsec ike-policy number ike-version-2 auto-eap-method keyword | |
Tree | auto-eap-method | |
Description | This command specifies the behavior for the IKEv2 remote-access tunnel when the authentication method uses EAP or potentially another method to authenticate the remote peer. | |
Options | ||
Default | cert | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
ikev2-fragment
Synopsis | Enable the ikev2-fragment context | |
Context | configure ipsec ike-policy number ike-version-2 ikev2-fragment | |
Tree | ikev2-fragment | |
Description | Commands in this context configure IKEv2 protocol level fragmentation (RFC 7383). | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
mtu number
Synopsis | Maximum size of the IKEv2 packet | |
Context | configure ipsec ike-policy number ike-version-2 ikev2-fragment mtu number | |
Tree | mtu | |
Range | 512 to 9000 | |
Units | octets | |
Default | 1500 | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
reassembly-timeout number
Synopsis | Timeout for reassembly of IKEv2 message fragments | |
Context | configure ipsec ike-policy number ike-version-2 ikev2-fragment reassembly-timeout number | |
Tree | reassembly-timeout | |
Range | 1 to 5 | |
Units | seconds | |
Default | 2 | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
own-auth-method keyword
Synopsis | Authentication method used with IKE policy on own side | |
Context | configure ipsec ike-policy number ike-version-2 own-auth-method keyword | |
Tree | own-auth-method | |
Options | ||
Default | symmetric | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
own-auto-eap-method keyword
Synopsis | Authentication method used on its own side | |
Context | configure ipsec ike-policy number ike-version-2 own-auto-eap-method keyword | |
Tree | own-auto-eap-method | |
Description | This command specifies the behavior for the IKEv2 remote-access tunnel when the authentication method uses EAP or potentially another method to authenticate the peer. | |
Options | ||
Default | cert | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
send-idr-after-eap-success boolean
Synopsis | Send IDr payload in last IKE authentication response | |
Context | configure ipsec ike-policy number ike-version-2 send-idr-after-eap-success boolean | |
Tree | send-idr-after-eap-success | |
Description | When configured to true, the Identification Responder (IDr) payload is added in the last IKE authentication response after an Extensible Authentication Protocol (EAP) Success packet is received. When configured to false, the IDr payload is not included in the last IKE authentication response. | |
Default | true | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
ipsec-lifetime number
Synopsis | Lifetime of the Phase 2 IKE key | |
Context | configure ipsec ike-policy number ipsec-lifetime number | |
Tree | ipsec-lifetime | |
Range | 1200 to 31536000 | |
Units | seconds | |
Default | 3600 | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
limit-init-exchange
Synopsis | Enter the limit-init-exchange context | |
Context | configure ipsec ike-policy number limit-init-exchange | |
Tree | limit-init-exchange | |
Description | Commands in this context limit the number of ongoing IKEv2 initial exchanges per tunnel. | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
admin-state keyword
Synopsis | Administrative state of limiting initial IKE exchanges | |
Context | configure ipsec ike-policy number limit-init-exchange admin-state keyword | |
Tree | admin-state | |
Options | ||
Default | enable | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
reduced-max-exchange-timeout (number | keyword)
Synopsis | Maximum timeout for in-progress initial IKE exchange | |
Context | configure ipsec ike-policy number limit-init-exchange reduced-max-exchange-timeout (number | keyword) | |
Tree | reduced-max-exchange-timeout | |
Description | This command configures the maximum timeout for the in-progress initial IKE exchange. If a new IKEv2 IKE_SA_INIT request is received when there is an ongoing IKEv2 initial exchange from the same peer, the timeout value of the existing exchange is set to this specified value. If the none option is configured for this command, the timeout value remains unchanged. | |
Range | 2 to 60 | |
Units | seconds | |
Options | ||
Default | 2 | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
lockout
Synopsis | Enable the lockout context | |
Context | configure ipsec ike-policy number lockout | |
Tree | lockout | |
Description | Commands in this context specify the lockout mechanism for the IPsec tunnel. These commands apply only when the system acts as a tunnel responder. | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
block (number | keyword)
Synopsis | Time a client is blocked for failed authentications | |
Context | configure ipsec ike-policy number lockout block (number | keyword) | |
Tree | block | |
Description | This command configures the time the client is blocked if the number of failed authentications exceeds the configured value within the specified duration. | |
Range | 1 to 1440 | |
Units | minutes | |
Options | ||
Default | 10 | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
duration number
Synopsis | Time interval for failed attempts threshold | |
Context | configure ipsec ike-policy number lockout duration number | |
Tree | duration | |
Description | This command specifies the time interval in which the configured failed authentication count must be exceeded to trigger a lockout. | |
Range | 1 to 60 | |
Units | minutes | |
Default | 5 | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
failed-attempts number
Synopsis | Maximum failed authentications allowed in the duration | |
Context | configure ipsec ike-policy number lockout failed-attempts number | |
Tree | failed-attempts | |
Range | 1 to 64 | |
Default | 3 | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
max-port-per-ip number
Synopsis | Maximum number of ports allowed under same IP address | |
Context | configure ipsec ike-policy number lockout max-port-per-ip number | |
Tree | max-port-per-ip | |
Description | This command configures the maximum number of ports allowed under the same IP address. When the threshold is exceeded and the client is locked out, all ports behind the IP address are blocked. | |
Range | 1 to 32000 | |
Default | 16 | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
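The two responder-side protections described above, limit-init-exchange and lockout, modelled in Python as an added example. This is not SR OS code and does not describe the router's internal implementation: the normal 30-second exchange timeout, the reading of "exceeds" as strictly more than failed-attempts, the reset of an in-progress exchange's remaining time to reduced-max-exchange-timeout on a duplicate IKE_SA_INIT, and the per-(IP, port) failure tracking are assumptions drawn from the descriptions, and the peer addresses in the demo are constructed.

```python
"""Model of the ike-policy limit-init-exchange and lockout mechanisms.
Added illustration, not SR OS code; behaviour beyond the documented
parameters is assumed (see comments)."""
from collections import defaultdict, deque


class InitExchangeLimiter:
    """limit-init-exchange: one in-progress IKEv2 initial exchange per peer.
    A repeated IKE_SA_INIT from the same peer does not open a second exchange;
    it sets the existing exchange's remaining timeout to
    reduced-max-exchange-timeout, or leaves it unchanged when that is 'none'."""

    def __init__(self, exchange_timeout=30, reduced_timeout=2):
        self.exchange_timeout = exchange_timeout  # assumed normal timeout, seconds
        self.reduced_timeout = reduced_timeout    # 2..60 seconds, or None for 'none'
        self.in_progress = {}                     # peer -> expiry timestamp

    def on_ike_sa_init(self, peer, now):
        expiry = self.in_progress.get(peer)
        if expiry is not None and now < expiry:
            if self.reduced_timeout is not None:
                self.in_progress[peer] = now + self.reduced_timeout
            return "duplicate"
        self.in_progress[peer] = now + self.exchange_timeout
        return "new"

    def on_complete(self, peer):
        self.in_progress.pop(peer, None)

    def expiry(self, peer):
        return self.in_progress.get(peer)


class AuthLockout:
    """lockout: a client that exceeds failed-attempts failed authentications
    within duration minutes is blocked for block minutes.  Failures are kept
    per (ip, port) so clients behind one NAT address do not punish each other;
    once more than max-port-per-ip ports have been seen behind an address, a
    lockout blocks every port behind that address."""

    def __init__(self, failed_attempts=3, duration=5, block=10, max_port_per_ip=16):
        self.failed_attempts = failed_attempts
        self.duration = duration * 60        # documented units are minutes
        self.block = block * 60
        self.max_port_per_ip = max_port_per_ip
        self.failures = defaultdict(deque)   # (ip, port) -> failure timestamps
        self.blocked_until = {}              # ip or (ip, port) -> unblock time
        self.ports = defaultdict(set)        # ip -> source ports seen

    def is_blocked(self, ip, port, now):
        for key in (ip, (ip, port)):
            until = self.blocked_until.get(key)
            if until is None:
                continue
            if now < until:
                return True
            del self.blocked_until[key]      # block has expired
        return False

    def auth_failed(self, ip, port, now):
        """Record a failed authentication; return True if it triggered a lockout."""
        self.ports[ip].add(port)
        window = self.failures[(ip, port)]
        window.append(now)
        while window and now - window[0] > self.duration:
            window.popleft()                 # drop failures older than duration
        if len(window) <= self.failed_attempts:
            return False
        window.clear()
        key = ip if len(self.ports[ip]) > self.max_port_per_ip else (ip, port)
        self.blocked_until[key] = now + self.block
        return True


if __name__ == "__main__":
    # Constructed peers and timestamps (seconds) for a stand-alone run.
    lim = InitExchangeLimiter()
    print(lim.on_ike_sa_init("198.51.100.7", 0), lim.on_ike_sa_init("198.51.100.7", 1))
    lock = AuthLockout(failed_attempts=3, duration=5, block=10)
    for t in (0, 10, 20, 30):
        print("lockout" if lock.auth_failed("203.0.113.9", 4500, t) else "counted")
```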
match-peer-id-to-cert boolean
Synopsis | Check IKE peer ID during certificate authentication | |
Context | configure ipsec ike-policy number match-peer-id-to-cert boolean | |
Tree | match-peer-id-to-cert | |
Default | false | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
nat-traversal
Synopsis | Enable the nat-traversal context | |
Context | configure ipsec ike-policy number nat-traversal | |
Tree | nat-traversal | |
Description | Commands in this context configure the Network Address Translation Traversal (NAT-T) functionality. | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
force boolean
Synopsis | Enable NAT-T in forced mode | |
Context | configure ipsec ike-policy number nat-traversal force boolean | |
Tree | force | |
Default | false | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
force-keep-alive boolean
Synopsis | Continue sending keepalive packets (no expiry) | |
Context | configure ipsec ike-policy number nat-traversal force-keep-alive boolean | |
Tree | force-keep-alive | |
Default | true | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
keep-alive-interval number
Synopsis | Keepalive interval for NAT-T | |
Context | configure ipsec ike-policy number nat-traversal keep-alive-interval number | |
Tree | keep-alive-interval | |
Range | 120 to 600 | |
Units | seconds | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
pfs
Synopsis | Enable the pfs context | |
Context | configure ipsec ike-policy number pfs | |
Tree | pfs | |
Description | Commands in this context configure perfect forward secrecy on the IPsec tunnel using the policy. PFS provides for a new Diffie-Hellman (DH) key exchange each time the Security Association (SA) key is renegotiated. When the SA key expires, another key is generated (if the SA remains up). | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
dh-group keyword
Synopsis | Diffie-Hellman group used to calculate session keys | |
Context | configure ipsec ike-policy number pfs dh-group keyword | |
Tree | dh-group | |
Description | This command specifies which DH group to use for calculating session keys. More bits provide a higher level of security, but require more processing. The default, group-2, is the 1024-bit MODP group, which is no longer considered adequate; select a larger group where the peer supports it. | |
Options | ||
Default | group-2 | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
relay-unsolicited-cfg-attribute
Synopsis | Enter the relay-unsolicited-cfg-attribute context | |
Context | configure ipsec ike-policy number relay-unsolicited-cfg-attribute | |
Tree | relay-unsolicited-cfg-attribute | |
Description | Commands in this context configure attributes returned from the source (such as a RADIUS server) that are returned to the IKEv2 remote-access tunnel client regardless of whether the client requested the attribute in the CFG_REQUEST payload. | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
internal-ip4-address boolean
Synopsis | Return the IPv4 address from the source to the client | |
Context | configure ipsec ike-policy number relay-unsolicited-cfg-attribute internal-ip4-address boolean | |
Tree | internal-ip4-address | |
Description | When configured to true, the system returns the IPv4 address from the source (such as a RADIUS server) to the IKEv2 remote-access tunnel client regardless of whether the client requested the address in the CFG_REQUEST payload. | |
Default | false | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
internal-ip4-dns boolean
Synopsis | Return IPv4 DNS server address from source to client | |
Context | configure ipsec ike-policy number relay-unsolicited-cfg-attribute internal-ip4-dns boolean | |
Tree | internal-ip4-dns | |
Description | When configured to true, the system returns the IPv4 DNS server address from the source (such as a RADIUS server) to the IKEv2 remote-access tunnel client regardless of whether the client requested the address in the CFG_REQUEST payload. | |
Default | false | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
internal-ip4-netmask boolean
Synopsis | Return the IPv4 netmask from the source to the client | |
Context | configure ipsec ike-policy number relay-unsolicited-cfg-attribute internal-ip4-netmask boolean | |
Tree | internal-ip4-netmask | |
Description | When configured to true, the system returns the IPv4 netmask from the source (such as a RADIUS server) to the IKEv2 remote-access tunnel client regardless of whether the client requested the netmask in the CFG_REQUEST payload. | |
Default | false | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
internal-ip6-address boolean
Synopsis | Return the IPv6 address from the source to the client | |
Context | configure ipsec ike-policy number relay-unsolicited-cfg-attribute internal-ip6-address boolean | |
Tree | internal-ip6-address | |
Description | When configured to true, the system returns the IPv6 address from the source (such as a RADIUS server) to the IKEv2 remote-access tunnel client regardless of whether the client requested the address in the CFG_REQUEST payload. | |
Default | false | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
internal-ip6-dns boolean
Synopsis | Return IPv6 DNS server address from source to client | |
Context | configure ipsec ike-policy number relay-unsolicited-cfg-attribute internal-ip6-dns boolean | |
Tree | internal-ip6-dns | |
Description | When configured to true, the system returns the IPv6 DNS server address from the source (such as a RADIUS server) to the IKEv2 remote-access tunnel client regardless of whether the client requested the address in the CFG_REQUEST payload. | |
Default | false | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
ike-transform [id] number
Synopsis | Enter the ike-transform list instance | |
Context | configure ipsec ike-transform number | |
Tree | ike-transform | |
Max. Instances | 4096 | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
[id] number
Synopsis | IKE transform instance ID | |
Context | configure ipsec ike-transform number | |
Tree | ike-transform | |
Range | 1 to 4096 | |
Notes | This element is part of a list key. | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
dh-group keyword
Synopsis | Diffie-Hellman group used to calculate session keys | |
Context | configure ipsec ike-transform number dh-group keyword | |
Tree | dh-group | |
Options | ||
Default | group-2 | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
ike-auth-algorithm keyword
Synopsis | IKE authentication algorithm for IKE transform instance | |
Context | configure ipsec ike-transform number ike-auth-algorithm keyword | |
Tree | ike-auth-algorithm | |
Options | ||
Default | sha-1 | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
ike-encryption-algorithm keyword
Synopsis | IKE encryption algorithm for the IKE transform instance | |
Context | configure ipsec ike-transform number ike-encryption-algorithm keyword | |
Tree | ike-encryption-algorithm | |
Options | ||
Default | aes-128 | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
ike-prf-algorithm keyword
Synopsis | PRF algorithm for the IKE transform instance | |
Context | configure ipsec ike-transform number ike-prf-algorithm keyword | |
Tree | ike-prf-algorithm | |
Description | This command specifies the pseudo-random function (PRF) algorithm used for the IKE security association. If a combined-mode (AEAD) algorithm such as AES-GCM is used as the IKE encryption algorithm, no separate IKE authentication algorithm is negotiated, so same-as-auth cannot be used for the IKE PRF algorithm and an explicit PRF must be configured. | |
Options | ||
Default | same-as-auth | |
Introduced | 16.0.R6 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
isakmp-lifetime number
Synopsis | Phase 1 lifetime for the IKE transform instance | |
Context | configure ipsec ike-transform number isakmp-lifetime number | |
Tree | isakmp-lifetime | |
Range | 1200 to 31536000 | |
Units | seconds | |
Default | 86400 | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
ipsec-transform [id] number
Synopsis | Enter the ipsec-transform list instance | |
Context | configure ipsec ipsec-transform number | |
Tree | ipsec-transform | |
Description | Commands in this context create an IPsec transform policy. IPsec transform policies can be shared. A change to the IPsec transform is allowed at any time. The change does not impact tunnels that have been established until they are renegotiated. If the change is required immediately, the tunnel must be cleared (reset) to force renegotiation. | |
Max. Instances | 2048 | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
[id] number
Synopsis | IPsec transform policy ID | |
Context | configure ipsec ipsec-transform number | |
Tree | ipsec-transform | |
Range | 1 to 2048 | |
Notes | This element is part of a list key. | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
esp-auth-algorithm keyword
Synopsis | Encapsulating Security Payload (ESP) authentication | |
Context | configure ipsec ipsec-transform number esp-auth-algorithm keyword | |
Tree | esp-auth-algorithm | |
Description | This command specifies the hashing algorithm used for the authentication function. Both ends of a manually configured tunnel must share the same configuration for the IPsec tunnel to enter the operational state. | |
Options | ||
Default | sha-1 | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
esp-encryption-algorithm keyword
Synopsis | Encryption algorithm for the IPsec transform session | |
Context | configure ipsec ipsec-transform number esp-encryption-algorithm keyword | |
Tree | esp-encryption-algorithm | |
Description | This command specifies the encryption algorithm used for the IPsec session. Encryption applies only to ESP configurations. If encryption is not defined, ESP is not used. Both ends of a manually configured tunnel must share the same encryption algorithm for the IPsec tunnel to enter the operational state. When AES-GCM or AES-GMAC is configured:
| |
Options | ||
Default | aes-128 | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
extended-sequence-number boolean
Synopsis | Enable extended sequence numbering support | |
Context | configure ipsec ipsec-transform number extended-sequence-number boolean | |
Tree | extended-sequence-number | |
Description | When configured to true, this command enables 64-bit extended sequence numbering support. This numbering is used for high throughput CHILD_SA to avoid frequent re-keying caused by sequence numbering wrap around. When configured to false, only 32-bit sequence numbering is supported. | |
Default | false | |
Introduced | 21.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
ipsec-lifetime number
Synopsis | Phase 2 lifetime for the IPsec transform session | |
Context | configure ipsec ipsec-transform number ipsec-lifetime number | |
Tree | ipsec-lifetime | |
Description | This command configures the lifetime of the Phase 2 IKE key. When unconfigured, the value is inherited from the ipsec-lifetime of the IKE policy used by the same IPsec gateway or IPsec tunnel. | |
Range | 1200 to 31536000 | |
Units | seconds | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
pfs-dh-group keyword
Synopsis | Diffie-Hellman group used for PFS compilation | |
Context | configure ipsec ipsec-transform number pfs-dh-group keyword | |
Tree | pfs-dh-group | |
Description | This command specifies the DH group used for Perfect Forward Secrecy (PFS) compilation during CHILD_SA rekeying. When unconfigured, the value is inherited from the DH group value from the IPsec gateway or IPsec tunnel. | |
Options | ||
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
ipsec-transport-mode-profile [name] string
Synopsis | Enter the ipsec-transport-mode-profile list instance | |
Context | configure ipsec ipsec-transport-mode-profile string | |
Tree | ipsec-transport-mode-profile | |
Description | Commands in this context configure IPsec-specific attributes that allow an IP tunnel (for example, GRE) to be protected by using IPsec transport mode. | |
Introduced | 21.10.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
[name] string
Synopsis | IPsec transport mode profile name string | |
Context | configure ipsec ipsec-transport-mode-profile string | |
Tree | ipsec-transport-mode-profile | |
Description | This command specifies the name of the IPsec transport mode profile. | |
String Length | 1 to 32 | |
Notes | This element is part of a list key. | |
Introduced | 21.10.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
description string
Synopsis | Text description | |
Context | configure ipsec ipsec-transport-mode-profile string description string | |
Tree | description | |
String Length | 1 to 80 | |
Introduced | 21.10.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
key-exchange
Synopsis | Enter the key-exchange context | |
Context | configure ipsec ipsec-transport-mode-profile string key-exchange | |
Tree | key-exchange | |
Description | Commands in this context configure the key exchange used each time the Security Association (SA) key is renegotiated. | |
Introduced | 21.10.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
dynamic
Synopsis | Enter the dynamic context | |
Context | configure ipsec ipsec-transport-mode-profile string key-exchange dynamic | |
Tree | dynamic | |
Description | Commands in this context configure dynamic keying for the transport mode profile. | |
Introduced | 21.10.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
auto-establish boolean
Synopsis | Attempt to establish a phase 1 exchange automatically | |
Context | configure ipsec ipsec-transport-mode-profile string key-exchange dynamic auto-establish boolean | |
Tree | auto-establish | |
Default | false | |
Introduced | 21.10.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
cert
Synopsis | Enter the cert context | |
Context | configure ipsec ipsec-transport-mode-profile string key-exchange dynamic cert | |
Tree | cert | |
Description | Commands in this context configure the attributes of the dynamic keying certificate. | |
Introduced | 21.10.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
cert-profile reference
Synopsis | Certificate profile name | |
Context | configure ipsec ipsec-transport-mode-profile string key-exchange dynamic cert cert-profile reference | |
Tree | cert-profile | |
Reference | configure ipsec cert-profile string | |
Introduced | 21.10.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
status-verify
Synopsis | Enter the status-verify context | |
Context | configure ipsec ipsec-transport-mode-profile string key-exchange dynamic cert status-verify | |
Tree | status-verify | |
Description | Commands in this context configure attributes of Certificate Status Verification (CSV). | |
Introduced | 21.10.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
default-result keyword
Synopsis | Default result for Certificate Status Verification | |
Context | configure ipsec ipsec-transport-mode-profile string key-exchange dynamic cert status-verify default-result keyword | |
Tree | default-result | |
Description | This command specifies the default certificate revocation status result to use when all configured CSV methods fail to return a result. | |
Options | ||
Default | revoked | |
Introduced | 21.10.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
primary keyword
Synopsis | Primary method of CSV to verify the revocation status | |
Context | configure ipsec ipsec-transport-mode-profile string key-exchange dynamic cert status-verify primary keyword | |
Tree | primary | |
Description | This command configures the primary method of Certificate Status Verification (CSV) that is used to verify the revocation status of the certificate of the peer. | |
Options | ||
Default | crl | |
Introduced | 21.10.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
secondary keyword
Synopsis | Secondary method used to verify certificate revocation | |
Context | configure ipsec ipsec-transport-mode-profile string key-exchange dynamic cert status-verify secondary keyword | |
Tree | secondary | |
Description | This command specifies the secondary method of Certificate Status Verification (CSV) that is used to verify the revocation status of the peer certificate. | |
Options | ||
Default | none | |
Introduced | 21.10.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
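The primary, secondary and default-result chain of Certificate Status Verification described above, modelled in Python as an added example. This is not SR OS code: the CRL and OCSP sources are constructed stand-ins (a dictionary of revoked serials and a dictionary of responder answers, with None standing for an unreachable source), and the serial numbers are made up. The point it shows is the difference between the fail-closed default (revoked) and a fail-open default-result of good when every configured method fails to return a result.

```python
"""Model of status-verify primary / secondary / default-result.
Added illustration, not SR OS code; data sources are constructed."""

# Constructed sample data: a CRL listing one revoked serial and an OCSP
# responder answering for two serials.  Passing None for either source
# stands for "the source could not be reached".
CRL = {"revoked_serials": {0x1A2B}}
OCSP = {0x1A2B: "revoked", 0x3C4D: "good"}


def check_crl(serial, crl=CRL):
    """Return 'revoked' or 'good', or None when no CRL could be obtained."""
    if crl is None:
        return None
    return "revoked" if serial in crl["revoked_serials"] else "good"


def check_ocsp(serial, responder=OCSP):
    """Return the responder's answer, or None when it gave no usable result
    (unreachable responder, or a serial it does not know)."""
    if responder is None:
        return None
    return responder.get(serial)


METHODS = {"crl": check_crl, "ocsp": check_ocsp, "none": None}


def revocation_status(serial, primary="crl", secondary="none",
                      default_result="revoked", crl=CRL, ocsp=OCSP):
    """Try the primary method, then the secondary; the first definitive answer
    wins.  Only when every configured method fails to return a result is
    default_result used, so 'revoked' fails closed and 'good' fails open."""
    sources = {"crl": crl, "ocsp": ocsp}
    for method in (primary, secondary):
        check = METHODS[method]
        if check is None:                      # 'none': method not configured
            continue
        result = check(serial, sources[method])
        if result in ("good", "revoked"):
            return result
    return default_result


if __name__ == "__main__":
    print(revocation_status(0x3C4D))                       # good, via CRL
    print(revocation_status(0x3C4D, crl=None))             # CRL down -> revoked
    print(revocation_status(0x3C4D, crl=None, secondary="ocsp"))   # OCSP rescues it
```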
trust-anchor-profile reference
Synopsis | Trust anchor profile name | |
Context | configure ipsec ipsec-transport-mode-profile string key-exchange dynamic cert trust-anchor-profile reference | |
Tree | trust-anchor-profile | |
Reference | configure ipsec trust-anchor-profile string | |
Introduced | 21.10.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
id
Synopsis | Enter the id context | |
Context | configure ipsec ipsec-transport-mode-profile string key-exchange dynamic id | |
Tree | id | |
Description | Commands in this context specify the local ID used for IDi or IDr for IKEv2 negotiation. The default behavior depends on the local authentication method as follows:
| |
Introduced | 21.10.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
fqdn string
Synopsis | FQDN used as the local ID IKE type | |
Context | configure ipsec ipsec-transport-mode-profile string key-exchange dynamic id fqdn string | |
Tree | fqdn | |
String Length | 1 to 255 | |
Notes | The following elements are part of a choice: fqdn, ipv4, or ipv6. | |
Introduced | 21.10.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
ipv4 string
Synopsis | IPv4 as the local ID type | |
Context | configure ipsec ipsec-transport-mode-profile string key-exchange dynamic id ipv4 string | |
Tree | ipv4 | |
Notes | The following elements are part of a choice: fqdn, ipv4, or ipv6. | |
Introduced | 21.10.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
ipv6 (ipv4-address-no-zone | ipv6-address-no-zone)
Synopsis | IPv6 used as the local IKE ID type | |
Context | configure ipsec ipsec-transport-mode-profile string key-exchange dynamic id ipv6 (ipv4-address-no-zone | ipv6-address-no-zone) | |
Tree | ipv6 | |
Notes | The following elements are part of a choice: fqdn, ipv4, or ipv6. | |
Introduced | 21.10.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
ike-policy reference
Synopsis | IKE policy ID | |
Context | configure ipsec ipsec-transport-mode-profile string key-exchange dynamic ike-policy reference | |
Tree | ike-policy | |
Description | This command specifies the ID of the IKE policy used for IKE negotiation. The ipsec-transport-mode-profile configuration only supports IKEv2. | |
Reference | configure ipsec ike-policy number | |
Introduced | 21.10.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
ipsec-transform reference
Synopsis | IPsec transform IDs used by the dynamic key | |
Context | configure ipsec ipsec-transport-mode-profile string key-exchange dynamic ipsec-transform reference | |
Tree | ipsec-transform | |
Description | This command specifies IPsec transform IDs used for CHILD_SA negotiation. | |
Reference | configure ipsec ipsec-transform number | |
Max. Instances | 4 | |
Introduced | 21.10.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
pre-shared-key string
Synopsis | Pre-shared key for IKE authentication | |
Context | configure ipsec ipsec-transport-mode-profile string key-exchange dynamic pre-shared-key string | |
Tree | pre-shared-key | |
String Length | 1 to 115 | |
Introduced | 21.10.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
max-history-key-records
Synopsis | Enter the max-history-key-records context | |
Context | configure ipsec ipsec-transport-mode-profile string max-history-key-records | |
Tree | max-history-key-records | |
Description | Commands in this context configure the settings for recording historical IPsec keys. | |
Introduced | 21.10.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
esp number
Synopsis | Maximum number of recent records | |
Context | configure ipsec ipsec-transport-mode-profile string max-history-key-records esp number | |
Tree | esp | |
Range | 1 to 48 | |
Introduced | 21.10.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
ike number
Synopsis | Maximum number of historical IKE key records | |
Context | configure ipsec ipsec-transport-mode-profile string max-history-key-records ike number | |
Tree | ike | |
Range | 1 to 3 | |
Introduced | 21.10.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
replay-window number
Synopsis | Anti-replay window size | |
Context | configure ipsec ipsec-transport-mode-profile string replay-window number | |
Tree | replay-window | |
Description | This command specifies the size of an IPsec anti-replay window. If unconfigured, IPsec anti-replay is disabled. | |
Range | 32 | 64 | 128 | 256 | 512 | |
Units | packets | |
Introduced | 21.10.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
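A receiver-side anti-replay window in the style of RFC 4303, added here as an example for both the replay-window command above and the extended-sequence-number command earlier in the ipsec-transform section. This is not SR OS code; the router's own implementation is not described on this page and is assumed to follow RFC 4303. The model accepts the window sizes the command documents, infers the high-order 32 bits of an ESN sequence number from the window position as in RFC 4303 Appendix A2, and shows why a 32-bit counter forces a rekey at wrap-around while ESN carries on into the next epoch. The sequence numbers fed in are constructed; integrity checking, which in real ESP covers the inferred high-order bits, is outside the model.

```python
"""RFC 4303-style anti-replay window with optional ESN.  Added illustration,
not SR OS code; behaviour is assumed to match the RFC, not the router."""

MASK32 = 0xFFFFFFFF


class AntiReplayWindow:
    def __init__(self, size=64, esn=False):
        if size not in (32, 64, 128, 256, 512):    # documented replay-window sizes
            raise ValueError("unsupported window size")
        self.size = size
        self.esn = esn
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set  ->  sequence (top - i) already seen

    def _infer_seq(self, seq_low):
        """Map the 32-bit number carried in the ESP header to the full sequence
        number.  Without ESN it is the number itself; with ESN the high 32 bits
        are inferred from where the window sits (RFC 4303 Appendix A2)."""
        if not self.esn:
            return seq_low
        th, tl = self.top >> 32, self.top & MASK32
        bl = (self.top - self.size + 1) & MASK32     # low bits of window bottom
        if tl >= self.size - 1:                      # window does not wrap
            seq_high = th if seq_low >= bl else th + 1
        else:                                        # window spans a 2^32 boundary
            seq_high = th - 1 if seq_low >= bl else th
        return (seq_high << 32) | seq_low

    def accept(self, seq_low):
        """Return True if the packet is new and inside the window (and record
        it), False if it is a replay or falls below the window."""
        seq = self._infer_seq(seq_low)
        if seq > self.top:                           # advances the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        if seq < 1 or self.top - seq >= self.size:   # below the window (or seq 0)
            return False
        bit = 1 << (self.top - seq)
        if self.bitmap & bit:                        # replay
            return False
        self.bitmap |= bit
        return True


def trace(seqs, size=64, esn=False):
    """Feed header sequence numbers to a fresh window; return each decision."""
    w = AntiReplayWindow(size, esn)
    return [w.accept(s) for s in seqs]


if __name__ == "__main__":
    # Constructed sequences: the second list crosses the 32-bit boundary.
    print(trace([1, 5, 5, 3, 100, 30, 37]))
    print(trace([1, 0xFFFFFFC1, 0xFFFFFFFF, 5]))             # 32-bit: 5 rejected
    print(trace([1, 0xFFFFFFC1, 0xFFFFFFFF, 5], esn=True))   # ESN: 5 accepted
```

Without ESN the number 5 arriving after 0xFFFFFFFF is simply far below the window and is dropped, which is why a 32-bit CHILD_SA must be rekeyed before its counter wraps; with ESN the receiver infers that 5 belongs to the next 2^32 epoch and the window advances.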
radius
accounting-policy [name] string
Synopsis | Enter the accounting-policy list instance | |
Context | configure ipsec radius accounting-policy string | |
Tree | accounting-policy | |
Description | Commands in this context configure RADIUS accounting policies to collect accounting statistics. | |
Max. Instances | 100 | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
[name] string
Synopsis | RADIUS accounting policy name | |
Context | configure ipsec radius accounting-policy string | |
Tree | accounting-policy | |
String Length | 1 to 32 | |
Notes | This element is part of a list key. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
include-radius-attribute
Synopsis | Enter the include-radius-attribute context | |
Context | configure ipsec radius accounting-policy string include-radius-attribute | |
Tree | include-radius-attribute | |
Description | Commands in this context specify the RADIUS attributes that are to be included in the RADIUS Accounting-Request messages. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
acct-stats boolean
Synopsis | Include accounting attributes in RADIUS packets | |
Context | configure ipsec radius accounting-policy string include-radius-attribute acct-stats boolean | |
Tree | acct-stats | |
Default | false | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
called-station-id boolean
Synopsis | Include the Called-Station-Id attribute | |
Context | configure ipsec radius accounting-policy string include-radius-attribute called-station-id boolean | |
Tree | called-station-id | |
Default | false | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
calling-station-id boolean
Synopsis | Include the Calling-Station-Id attribute | |
Context | configure ipsec radius accounting-policy string include-radius-attribute calling-station-id boolean | |
Tree | calling-station-id | |
Default | false | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
framed-ip-addr boolean
Synopsis | Include the Framed-IP-Address attribute | |
Context | configure ipsec radius accounting-policy string include-radius-attribute framed-ip-addr boolean | |
Tree | framed-ip-addr | |
Default | false | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
framed-ipv6-prefix boolean
Synopsis | Include the Framed-IPv6-Prefix attribute | |
Context | configure ipsec radius accounting-policy string include-radius-attribute framed-ipv6-prefix boolean | |
Tree | framed-ipv6-prefix | |
Default | false | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
nas-identifier boolean
Synopsis | Include the NAS-Identifier attribute | |
Context | configure ipsec radius accounting-policy string include-radius-attribute nas-identifier boolean | |
Tree | nas-identifier | |
Default | false | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
nas-ip-addr boolean
Synopsis | Include the NAS-IP-Address attribute | |
Context | configure ipsec radius accounting-policy string include-radius-attribute nas-ip-addr boolean | |
Tree | nas-ip-addr | |
Default | false | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
nas-port-id boolean
Synopsis | Include the NAS-Port-Id attribute | |
Context | configure ipsec radius accounting-policy string include-radius-attribute nas-port-id boolean | |
Tree | nas-port-id | |
Default | false | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
radius-server-policy reference
Synopsis | Referenced RADIUS server policy | |
Context | configure ipsec radius accounting-policy string radius-server-policy reference | |
Tree | radius-server-policy | |
Reference | configure aaa radius server-policy string | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
update-interval
Synopsis | Enter the update-interval context | |
Context | configure ipsec radius accounting-policy string update-interval | |
Tree | update-interval | |
Description | Commands in this context determine how RADIUS interim-update packets are sent for IKEv2 remote-access tunnels. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
jitter number
Synopsis | Jitter interval for sending each interim-update packet | |
Context | configure ipsec radius accounting-policy string update-interval jitter number | |
Tree | jitter | |
Description | This command specifies the jitter interval for the RADIUS interim-update packets. When unconfigured, the system uses 10% of the update interval value. | |
Range | 0 to 3600 | |
Units | seconds | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
value number
Synopsis | Update interval of the RADIUS accounting data | |
Context | configure ipsec radius accounting-policy string update-interval value number | |
Tree | value | |
Description | This command configures the update interval of the RADIUS accounting data. If a value of 0 is configured, no intermediate updates are sent. | |
Range | 0 | 5 to 259200 | |
Units | minutes | |
Default | 10 | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
authentication-policy [name] string
Synopsis | Enter the authentication-policy list instance | |
Context | configure ipsec radius authentication-policy string | |
Tree | authentication-policy | |
Description | Commands in this context configure the RADIUS authentication policy associated with the IPsec gateway. | |
Max. Instances | 100 | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
[name] string
Synopsis | RADIUS authentication policy name | |
Context | configure ipsec radius authentication-policy string | |
Tree | authentication-policy | |
String Length | 1 to 32 | |
Notes | This element is part of a list key. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
include-radius-attribute
Synopsis | Enter the include-radius-attribute context | |
Context | configure ipsec radius authentication-policy string include-radius-attribute | |
Tree | include-radius-attribute | |
Description | Commands in this context specify the RADIUS attributes to be included in the RADIUS Authentication-Request messages. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
called-station-id boolean
Synopsis | Include the Called-Station-Id attribute | |
Context | configure ipsec radius authentication-policy string include-radius-attribute called-station-id boolean | |
Tree | called-station-id | |
Default | false | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
calling-station-id boolean
Synopsis | Include the Calling-Station-Id attribute | |
Context | configure ipsec radius authentication-policy string include-radius-attribute calling-station-id boolean | |
Tree | calling-station-id | |
Default | false | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
client-cert-subject-key-id boolean
Synopsis | Include the Subject Key Identifier | |
Context | configure ipsec radius authentication-policy string include-radius-attribute client-cert-subject-key-id boolean | |
Tree | client-cert-subject-key-id | |
Description | When configured to true, the Subject Key Identifier of the certificate of the peer is included in the RADIUS Access-Request packet as VSA: Alc-Subject-Key-Identifier. See the 7450 ESS, 7750 SR, 7950 XRS, and VSR RADIUS Attributes Reference Guide for more information. | |
Default | false | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
nas-identifier boolean
Synopsis | Include the NAS-Identifier attribute | |
Context | configure ipsec radius authentication-policy string include-radius-attribute nas-identifier boolean | |
Tree | nas-identifier | |
Default | false | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
nas-ip-addr boolean
Synopsis | Include the NAS-IP-Address attribute | |
Context | configure ipsec radius authentication-policy string include-radius-attribute nas-ip-addr boolean | |
Tree | nas-ip-addr | |
Default | false | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
nas-port-id boolean
Synopsis | Include the NAS-Port-Id attribute | |
Context | configure ipsec radius authentication-policy string include-radius-attribute nas-port-id boolean | |
Tree | nas-port-id | |
Default | false | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
password string
Synopsis | Password used in RADIUS access requests | |
Context | configure ipsec radius authentication-policy string password string | |
Tree | password | |
String Length | 1 to 115 | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
radius-server-policy reference
Synopsis | Referenced RADIUS server policy | |
Context | configure ipsec radius authentication-policy string radius-server-policy reference | |
Tree | radius-server-policy | |
Reference | configure aaa radius server-policy string | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
show-ipsec-keys boolean
Synopsis | Show IPsec IKE and ESP keys in the output | |
Context | configure ipsec show-ipsec-keys boolean | |
Tree | show-ipsec-keys | |
Description | When configured to true, this command allows IPsec keys to be (optionally) included in the display output of certain debug and admin commands. When configured to false, the key display is disabled. | |
Default | false | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
static-sa [name] string
[name] string
authentication
Synopsis | Enable the authentication context | |
Context | configure ipsec static-sa string authentication | |
Tree | authentication | |
Introduced | 16.0.R6 | |
Platforms | All |
algorithm keyword
Synopsis | Authentication algorithm used for an IPsec manual SA | |
Context | configure ipsec static-sa string authentication algorithm keyword | |
Tree | algorithm | |
Options | ||
Notes | This element is mandatory. | |
Introduced | 16.0.R6 | |
Platforms | All |
key string
Synopsis | Key used for the authentication algorithm | |
Context | configure ipsec static-sa string authentication key string | |
Tree | key | |
String Length | 1 to 54 | |
Notes | This element is mandatory. | |
Introduced | 16.0.R6 | |
Platforms | All |
description string
Synopsis | Text description | |
Context | configure ipsec static-sa string description string | |
Tree | description | |
String Length | 1 to 32 | |
Introduced | 16.0.R6 | |
Platforms | All |
direction keyword
protocol keyword
spi number
Synopsis | Security Parameter Index (SPI) for the static SA | |
Context | configure ipsec static-sa string spi number | |
Tree | spi | |
Description | This command specifies the SPI for the static SA. When the direction command is set to inbound, the SPI is used to look up the instruction to verify and decrypt the incoming IPsec packets. When the direction command is set to outbound, the SPI is used in the encoding of the outgoing packets. The remote node can use the SPI to look up the instruction to verify and decrypt the packet. When unconfigured, the static SA cannot be used. | |
Range | 256 to 16383 | |
Introduced | 16.0.R6 | |
Platforms | All |
trust-anchor-profile [name] string
Synopsis | Enter the trust-anchor-profile list instance | |
Context | configure ipsec trust-anchor-profile string | |
Tree | trust-anchor-profile | |
Max. Instances | 10128 | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
[name] string
Synopsis | Trust anchor profile name for IPsec tunnel or gateway | |
Context | configure ipsec trust-anchor-profile string | |
Tree | trust-anchor-profile | |
String Length | 1 to 32 | |
Notes | This element is part of a list key. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
trust-anchor [ca-profile] reference
Synopsis | Add a list entry for trust-anchor | |
Context | configure ipsec trust-anchor-profile string trust-anchor reference | |
Tree | trust-anchor | |
Description | Commands in this context configure a CA profile as a trust anchor CA. | |
Max. Instances | 8 | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
[ca-profile] reference
Synopsis | Name of the CA profile as a trust anchor profile | |
Context | configure ipsec trust-anchor-profile string trust-anchor reference | |
Tree | trust-anchor | |
Reference | configure system security pki ca-profile string | |
Notes | This element is part of a list key. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
ts-list [name] string
[name] string
local
entry [id] number
[id] number
address
prefix (ipv4-prefix | ipv6-prefix)
Synopsis | IP prefix for address range in IKEv2 traffic selector | |
Context | configure ipsec ts-list string local entry number address prefix (ipv4-prefix | ipv6-prefix) | |
Tree | prefix | |
Notes | The following elements are part of a mandatory choice: prefix or range. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
range
begin (ipv4-address-no-zone | ipv6-address-no-zone)
end (ipv4-address-no-zone | ipv6-address-no-zone)
protocol
any
id
icmp
Synopsis | Enter the icmp context | |
Context | configure ipsec ts-list string local entry number protocol id icmp | |
Tree | icmp | |
Notes | The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
opaque
Synopsis | Support OPAQUE ports | |
Context | configure ipsec ts-list string local entry number protocol id icmp opaque | |
Tree | opaque | |
Description | This command allows the protocol ID to be accepted even when the port information is not available. | |
Notes | The following elements are part of a choice: opaque or port-range. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
port-range
Synopsis | Enable the port-range context | |
Context | configure ipsec ts-list string local entry number protocol id icmp port-range | |
Tree | port-range | |
Description | Commands in this context configure port range information for the protocol. | |
Notes | The following elements are part of a choice: opaque or port-range. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
begin-icmp-code number
Synopsis | Lower bound of the ICMP code range | |
Context | configure ipsec ts-list string local entry number protocol id icmp port-range begin-icmp-code number | |
Tree | begin-icmp-code | |
Range | 0 to 255 | |
Notes | This element is mandatory. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
begin-icmp-type number
Synopsis | Lower bound of the ICMP type range | |
Context | configure ipsec ts-list string local entry number protocol id icmp port-range begin-icmp-type number | |
Tree | begin-icmp-type | |
Range | 0 to 255 | |
Notes | This element is mandatory. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
end-icmp-code number
Synopsis | Upper bound of the ICMP code range | |
Context | configure ipsec ts-list string local entry number protocol id icmp port-range end-icmp-code number | |
Tree | end-icmp-code | |
Range | 0 to 255 | |
Notes | This element is mandatory. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
end-icmp-type number
Synopsis | Upper bound of the ICMP type range | |
Context | configure ipsec ts-list string local entry number protocol id icmp port-range end-icmp-type number | |
Tree | end-icmp-type | |
Range | 0 to 255 | |
Notes | This element is mandatory. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
icmp6
Synopsis | Enter the icmp6 context | |
Context | configure ipsec ts-list string local entry number protocol id icmp6 | |
Tree | icmp6 | |
Notes | The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
opaque
Synopsis | Support OPAQUE ports | |
Context | configure ipsec ts-list string local entry number protocol id icmp6 opaque | |
Tree | opaque | |
Description | This command allows the protocol ID to be accepted even when the port information is not available. | |
Notes | The following elements are part of a choice: opaque or port-range. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
port-range
Synopsis | Enable the port-range context | |
Context | configure ipsec ts-list string local entry number protocol id icmp6 port-range | |
Tree | port-range | |
Description | Commands in this context configure port range information for the protocol. | |
Notes | The following elements are part of a choice: opaque or port-range. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
begin-icmp-code number
Synopsis | Lower bound of the ICMP code range | |
Context | configure ipsec ts-list string local entry number protocol id icmp6 port-range begin-icmp-code number | |
Tree | begin-icmp-code | |
Range | 0 to 255 | |
Notes | This element is mandatory. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
begin-icmp-type number
Synopsis | Lower bound of the ICMP type range | |
Context | configure ipsec ts-list string local entry number protocol id icmp6 port-range begin-icmp-type number | |
Tree | begin-icmp-type | |
Range | 0 to 255 | |
Notes | This element is mandatory. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
end-icmp-code number
Synopsis | Upper bound of the ICMP code range | |
Context | configure ipsec ts-list string local entry number protocol id icmp6 port-range end-icmp-code number | |
Tree | end-icmp-code | |
Range | 0 to 255 | |
Notes | This element is mandatory. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
end-icmp-type number
Synopsis | Upper bound of the ICMP type range | |
Context | configure ipsec ts-list string local entry number protocol id icmp6 port-range end-icmp-type number | |
Tree | end-icmp-type | |
Range | 0 to 255 | |
Notes | This element is mandatory. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
mipv6
Synopsis | Enter the mipv6 context | |
Context | configure ipsec ts-list string local entry number protocol id mipv6 | |
Tree | mipv6 | |
Notes | The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
opaque
Synopsis | Support OPAQUE ports | |
Context | configure ipsec ts-list string local entry number protocol id mipv6 opaque | |
Tree | opaque | |
Description | This command allows the protocol ID to be accepted even when the port information is not available. | |
Notes | The following elements are part of a choice: opaque or port-range. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
port-range
Synopsis | Enable the port-range context | |
Context | configure ipsec ts-list string local entry number protocol id mipv6 port-range | |
Tree | port-range | |
Notes | The following elements are part of a choice: opaque or port-range. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
begin number
end number
protocol-id-with-any-port (keyword | number)
Synopsis | Protocol ID that accepts any port value | |
Context | configure ipsec ts-list string local entry number protocol id protocol-id-with-any-port (keyword | number) | |
Tree | protocol-id-with-any-port | |
Range | 1 to 255 | |
Options | ||
Notes | The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
sctp
Synopsis | Enter the sctp context | |
Context | configure ipsec ts-list string local entry number protocol id sctp | |
Tree | sctp | |
Notes | The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
opaque
Synopsis | Support OPAQUE ports | |
Context | configure ipsec ts-list string local entry number protocol id sctp opaque | |
Tree | opaque | |
Description | This command allows the protocol ID to be accepted even when the port information is not available. | |
Notes | The following elements are part of a choice: opaque or port-range. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
port-range
Synopsis | Enable the port-range context | |
Context | configure ipsec ts-list string local entry number protocol id sctp port-range | |
Tree | port-range | |
Notes | The following elements are part of a choice: opaque or port-range. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
begin number
end number
tcp
Synopsis | Enter the tcp context | |
Context | configure ipsec ts-list string local entry number protocol id tcp | |
Tree | tcp | |
Notes | The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
opaque
Synopsis | Support OPAQUE ports | |
Context | configure ipsec ts-list string local entry number protocol id tcp opaque | |
Tree | opaque | |
Description | This command allows the protocol ID to be accepted even when the port information is not available. | |
Notes | The following elements are part of a choice: opaque or port-range. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
port-range
Synopsis | Enable the port-range context | |
Context | configure ipsec ts-list string local entry number protocol id tcp port-range | |
Tree | port-range | |
Notes | The following elements are part of a choice: opaque or port-range. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
begin number
end number
udp
Synopsis | Enter the udp context | |
Context | configure ipsec ts-list string local entry number protocol id udp | |
Tree | udp | |
Notes | The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
opaque
Synopsis | Support OPAQUE ports | |
Context | configure ipsec ts-list string local entry number protocol id udp opaque | |
Tree | opaque | |
Description | This command allows the protocol ID to be accepted even when the port information is not available. | |
Notes | The following elements are part of a choice: opaque or port-range. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
port-range
Synopsis | Enable the port-range context | |
Context | configure ipsec ts-list string local entry number protocol id udp port-range | |
Tree | port-range | |
Notes | The following elements are part of a choice: opaque or port-range. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
begin number
end number
remote
Synopsis | Enter the remote context | |
Context | configure ipsec ts-list string remote | |
Tree | remote | |
Description | Commands in this context configure the remote TS list, that is, the traffic selector (TSr) that applies when the system acts as an IKEv2 responder. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
entry [id] number
[id] number
address
prefix (ipv4-prefix | ipv6-prefix)
Synopsis | IP prefix for address range in IKEv2 traffic selector | |
Context | configure ipsec ts-list string remote entry number address prefix (ipv4-prefix | ipv6-prefix) | |
Tree | prefix | |
Notes | The following elements are part of a mandatory choice: prefix or range. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
range
begin (ipv4-address-no-zone | ipv6-address-no-zone)
end (ipv4-address-no-zone | ipv6-address-no-zone)
protocol
any
id
icmp
Synopsis | Enter the icmp context | |
Context | configure ipsec ts-list string remote entry number protocol id icmp | |
Tree | icmp | |
Notes | The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
opaque
Synopsis | Support OPAQUE ports | |
Context | configure ipsec ts-list string remote entry number protocol id icmp opaque | |
Tree | opaque | |
Description | This command allows the protocol ID to be accepted even when the port information is not available. | |
Notes | The following elements are part of a choice: opaque or port-range. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
port-range
Synopsis | Enable the port-range context | |
Context | configure ipsec ts-list string remote entry number protocol id icmp port-range | |
Tree | port-range | |
Description | Commands in this context configure port range information for the protocol. | |
Notes | The following elements are part of a choice: opaque or port-range. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
begin-icmp-code number
Synopsis | Lower bound of the ICMP code range | |
Context | configure ipsec ts-list string remote entry number protocol id icmp port-range begin-icmp-code number | |
Tree | begin-icmp-code | |
Range | 0 to 255 | |
Notes | This element is mandatory. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
begin-icmp-type number
Synopsis | Lower bound of the ICMP type range | |
Context | configure ipsec ts-list string remote entry number protocol id icmp port-range begin-icmp-type number | |
Tree | begin-icmp-type | |
Range | 0 to 255 | |
Notes | This element is mandatory. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
end-icmp-code number
Synopsis | Upper bound of the ICMP code range | |
Context | configure ipsec ts-list string remote entry number protocol id icmp port-range end-icmp-code number | |
Tree | end-icmp-code | |
Range | 0 to 255 | |
Notes | This element is mandatory. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
end-icmp-type number
Synopsis | Upper bound of the ICMP type range | |
Context | configure ipsec ts-list string remote entry number protocol id icmp port-range end-icmp-type number | |
Tree | end-icmp-type | |
Range | 0 to 255 | |
Notes | This element is mandatory. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
icmp6
Synopsis | Enter the icmp6 context | |
Context | configure ipsec ts-list string remote entry number protocol id icmp6 | |
Tree | icmp6 | |
Notes | The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
opaque
Synopsis | Support OPAQUE ports | |
Context | configure ipsec ts-list string remote entry number protocol id icmp6 opaque | |
Tree | opaque | |
Description | This command allows the protocol ID to be accepted even when the port information is not available. | |
Notes | The following elements are part of a choice: opaque or port-range. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
port-range
Synopsis | Enable the port-range context | |
Context | configure ipsec ts-list string remote entry number protocol id icmp6 port-range | |
Tree | port-range | |
Description | Commands in this context configure port range information for the protocol. | |
Notes | The following elements are part of a choice: opaque or port-range. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
begin-icmp-code number
Synopsis | Lower bound of the ICMP code range | |
Context | configure ipsec ts-list string remote entry number protocol id icmp6 port-range begin-icmp-code number | |
Tree | begin-icmp-code | |
Range | 0 to 255 | |
Notes | This element is mandatory. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
begin-icmp-type number
Synopsis | Lower bound of the ICMP type range | |
Context | configure ipsec ts-list string remote entry number protocol id icmp6 port-range begin-icmp-type number | |
Tree | begin-icmp-type | |
Range | 0 to 255 | |
Notes | This element is mandatory. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
end-icmp-code number
Synopsis | Upper bound of the ICMP code range | |
Context | configure ipsec ts-list string remote entry number protocol id icmp6 port-range end-icmp-code number | |
Tree | end-icmp-code | |
Range | 0 to 255 | |
Notes | This element is mandatory. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
end-icmp-type number
Synopsis | Upper bound of the ICMP type range | |
Context | configure ipsec ts-list string remote entry number protocol id icmp6 port-range end-icmp-type number | |
Tree | end-icmp-type | |
Range | 0 to 255 | |
Notes | This element is mandatory. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
mipv6
Synopsis | Enter the mipv6 context | |
Context | configure ipsec ts-list string remote entry number protocol id mipv6 | |
Tree | mipv6 | |
Notes | The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
opaque
Synopsis | Support OPAQUE ports | |
Context | configure ipsec ts-list string remote entry number protocol id mipv6 opaque | |
Tree | opaque | |
Description | This command allows the protocol ID to be accepted even when the port information is not available. | |
Notes | The following elements are part of a choice: opaque or port-range. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
port-range
Synopsis | Enable the port-range context | |
Context | configure ipsec ts-list string remote entry number protocol id mipv6 port-range | |
Tree | port-range | |
Notes | The following elements are part of a choice: opaque or port-range. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
begin number
end number
protocol-id-with-any-port (keyword | number)
Synopsis | Protocol ID that accepts any port value | |
Context | configure ipsec ts-list string remote entry number protocol id protocol-id-with-any-port (keyword | number) | |
Tree | protocol-id-with-any-port | |
Range | 1 to 255 | |
Options | ||
Notes | The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
sctp
Synopsis | Enter the sctp context | |
Context | configure ipsec ts-list string remote entry number protocol id sctp | |
Tree | sctp | |
Notes | The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
opaque
Synopsis | Support OPAQUE ports | |
Context | configure ipsec ts-list string remote entry number protocol id sctp opaque | |
Tree | opaque | |
Description | This command allows the protocol ID to be accepted even when the port information is not available. | |
Notes | The following elements are part of a choice: opaque or port-range. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
port-range
Synopsis | Enable the port-range context | |
Context | configure ipsec ts-list string remote entry number protocol id sctp port-range | |
Tree | port-range | |
Notes | The following elements are part of a choice: opaque or port-range. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
begin number
end number
tcp
Synopsis | Enter the tcp context | |
Context | configure ipsec ts-list string remote entry number protocol id tcp | |
Tree | tcp | |
Notes | The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
opaque
Synopsis | Support OPAQUE ports | |
Context | configure ipsec ts-list string remote entry number protocol id tcp opaque | |
Tree | opaque | |
Description | This command allows the protocol ID to be accepted even when the port information is not available. | |
Notes | The following elements are part of a choice: opaque or port-range. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
port-range
Synopsis | Enable the port-range context | |
Context | configure ipsec ts-list string remote entry number protocol id tcp port-range | |
Tree | port-range | |
Notes | The following elements are part of a choice: opaque or port-range. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
begin number
end number
udp
Synopsis | Enter the udp context | |
Context | configure ipsec ts-list string remote entry number protocol id udp | |
Tree | udp | |
Notes | The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
opaque
Synopsis | Support OPAQUE ports | |
Context | configure ipsec ts-list string remote entry number protocol id udp opaque | |
Tree | opaque | |
Description | This command allows the protocol ID to be accepted even when the port information is not available. | |
Notes | The following elements are part of a choice: opaque or port-range. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
port-range
Synopsis | Enable the port-range context | |
Context | configure ipsec ts-list string remote entry number protocol id udp port-range | |
Tree | port-range | |
Notes | The following elements are part of a choice: opaque or port-range. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
begin number
end number
tunnel-template [id] number
Synopsis | Enter the tunnel-template list instance | |
Context | configure ipsec tunnel-template number | |
Tree | tunnel-template | |
Max. Instances | 2048 | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
[id] number
Synopsis | Tunnel template ID | |
Context | configure ipsec tunnel-template number | |
Tree | tunnel-template | |
Range | 1 to 2048 | |
Notes | This element is part of a list key. | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
clear-df-bit boolean
Synopsis | Clear the Do-not-Fragment (DF) bit | |
Context | configure ipsec tunnel-template number clear-df-bit boolean | |
Tree | clear-df-bit | |
Default | false | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
copy-traffic-class-upon-decapsulation boolean
Synopsis | Enable traffic class copy upon decapsulation | |
Context | configure ipsec tunnel-template number copy-traffic-class-upon-decapsulation boolean | |
Tree | copy-traffic-class-upon-decapsulation | |
Description | When configured to true, the system copies the traffic class from the outer tunnel IP packet header to the payload IP packet header in the decapsulating direction (public to private). When configured to false, the system does not copy the traffic class from the outer IP packet to the payload IP packet header upon decapsulation. | |
Default | false | |
Introduced | 21.5.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
description string
Synopsis | Text description | |
Context | configure ipsec tunnel-template number description string | |
Tree | description | |
String Length | 1 to 80 | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
encapsulated-ip-mtu number
Synopsis | Maximum size of the encapsulated tunnel packet | |
Context | configure ipsec tunnel-template number encapsulated-ip-mtu number | |
Tree | encapsulated-ip-mtu | |
Description | This command specifies the maximum size of the encapsulated tunnel packet to the IPsec tunnel, the IP tunnel, or the dynamic tunnels terminated on the IPsec Gateway. If the encapsulated IPv4 or IPv6 tunnel packet exceeds this value, the system fragments the packet. | |
Range | 512 to 9000 | |
Units | octets | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
icmp-generation
Synopsis | Enter the icmp-generation context | |
Context | configure ipsec tunnel-template number icmp-generation | |
Tree | icmp-generation | |
Description | Commands in this context configure settings for ICMPv4 message generation. | |
Introduced | 21.5.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
frag-required
Synopsis | Enter the frag-required context | |
Context | configure ipsec tunnel-template number icmp-generation frag-required | |
Tree | frag-required | |
Description | Commands in this context configure the attributes for sending generated ICMP Destination Unreachable "fragmentation needed and DF set" messages (type 3, code 4) back to the source, if the received size of the IPv4 packet on the private side exceeds the private MTU size. | |
Introduced | 21.5.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
admin-state keyword
Synopsis | Administrative state of sending ICMP messages | |
Context | configure ipsec tunnel-template number icmp-generation frag-required admin-state keyword | |
Tree | admin-state | |
Description | This command configures the administrative state of sending ICMP Destination Unreachable "fragmentation needed, DF set" messages (type 3, code 4) to the source when the size of an IPv4 packet received on the private side exceeds the private MTU. | |
Options | ||
Default | enable | |
Introduced | 21.5.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
interval number
Synopsis | Interval for sending ICMP messages | |
Context | configure ipsec tunnel-template number icmp-generation frag-required interval number | |
Tree | interval | |
Description | This command configures the interval for sending ICMP Destination Unreachable "fragmentation needed, DF set" messages (type 3, code 4). | |
Range | 1 to 60 | |
Units | seconds | |
Default | 10 | |
Introduced | 21.5.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
message-count number
Synopsis | Maximum number of ICMP messages that can be sent | |
Context | configure ipsec tunnel-template number icmp-generation frag-required message-count number | |
Tree | message-count | |
Description | This command configures the maximum number of ICMP Destination Unreachable "fragmentation needed, DF set" messages (type 3, code 4) that can be sent during the configured interval. | |
Range | 10 to 1000 | |
Default | 100 | |
Introduced | 21.5.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
icmp6-generation
Synopsis | Enter the icmp6-generation context | |
Context | configure ipsec tunnel-template number icmp6-generation | |
Tree | icmp6-generation | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
pkt-too-big
Synopsis | Enter the pkt-too-big context | |
Context | configure ipsec tunnel-template number icmp6-generation pkt-too-big | |
Tree | pkt-too-big | |
Description | Commands in this context configure values for the ICMPv6 Packet Too Big (PTB) messages. The system sends PTB messages if an IPv6 packet is received on the private side that is larger than 1280 bytes and also exceeds the private MTU of the tunnel. | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
admin-state keyword
Synopsis | Administrative state of Packet Too Big message sends | |
Context | configure ipsec tunnel-template number icmp6-generation pkt-too-big admin-state keyword | |
Tree | admin-state | |
Options | ||
Default | enable | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
interval number
Synopsis | Maximum interval during which PTB messages can be sent | |
Context | configure ipsec tunnel-template number icmp6-generation pkt-too-big interval number | |
Tree | interval | |
Range | 1 to 60 | |
Units | seconds | |
Default | 10 | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
message-count number
Synopsis | Max ICMPv6 messages that can be sent during interval | |
Context | configure ipsec tunnel-template number icmp6-generation pkt-too-big message-count number | |
Tree | message-count | |
Range | 10 to 1000 | |
Default | 100 | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
ignore-default-route boolean
Synopsis | Ignore any full range traffic selector in TSi | |
Context | configure ipsec tunnel-template number ignore-default-route boolean | |
Tree | ignore-default-route | |
Description | When configured to true, any full range traffic selector is ignored when creating a reverse route. When configured to false, no CHILD_SA is created if any full range traffic selector is included in TSi. | |
Default | false | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
ip-mtu number
Synopsis | Maximum size of the IP MTU for the payload packets | |
Context | configure ipsec tunnel-template number ip-mtu number | |
Tree | ip-mtu | |
Range | 512 to 9000 | |
Units | octets | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
ipsec-transform reference
Synopsis | IPsec transform ID for the tunnel template | |
Context | configure ipsec tunnel-template number ipsec-transform reference | |
Tree | ipsec-transform | |
Reference | configure ipsec ipsec-transform number | |
Max. Instances | 4 | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
pmtu-discovery-aging number
Synopsis | Aging out time of the learned path MTU | |
Context | configure ipsec tunnel-template number pmtu-discovery-aging number | |
Tree | pmtu-discovery-aging | |
Description | This command configures the temporary public and private MTU expiration time. The temporary MTU is used for MTU propagation. | |
Range | 900 to 3600 | |
Units | seconds | |
Default | 900 | |
Introduced | 21.5.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
private-tcp-mss-adjust number
Synopsis | New TCP MSS value on the private side | |
Context | configure ipsec tunnel-template number private-tcp-mss-adjust number | |
Tree | private-tcp-mss-adjust | |
Description | This command specifies the new (adjusted) TCP MSS value of TCP SYN packets on the private side. When unconfigured, the MSS value is derived from the received TCP SYN packet on the private side. | |
Range | 512 to 9000 | |
Units | octets | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
propagate-pmtu-v4 boolean
Synopsis | Enable propagation of the path MTU to IPv4 hosts | |
Context | configure ipsec tunnel-template number propagate-pmtu-v4 boolean | |
Tree | propagate-pmtu-v4 | |
Description | When configured to true, the system propagates the path MTU learned from the public side to the private side (IPv4 hosts). | |
Default | true | |
Introduced | 21.5.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
propagate-pmtu-v6 boolean
Synopsis | Enable propagation of the path MTU to IPv6 hosts | |
Context | configure ipsec tunnel-template number propagate-pmtu-v6 boolean | |
Tree | propagate-pmtu-v6 | |
Description | When configured to true, the system propagates the path MTU learned from the public side to the private side (IPv6 hosts). | |
Default | true | |
Introduced | 21.5.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
public-tcp-mss-adjust (number | keyword)
Synopsis | New TCP MSS value on the public side | |
Context | configure ipsec tunnel-template number public-tcp-mss-adjust (number | keyword) | |
Tree | public-tcp-mss-adjust | |
Description | This command specifies the new (adjusted) TCP MSS value for TCP traffic in an IPsec tunnel that is sent from the public network to the private network. The system can use this value to adjust or insert the MSS option in the TCP SYN packet. When unconfigured, the MSS value is derived from the public MTU and the IPsec overhead. | |
Range | 512 to 9000 | |
Units | octets | |
Options | ||
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
replay-window number
Synopsis | Anti-replay window size for the tunnel template | |
Context | configure ipsec tunnel-template number replay-window number | |
Tree | replay-window | |
Range | 32 | 64 | 128 | 256 | 512 | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
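To show what the replay-window size actually decides for an SA, here is an added illustration (not Nokia SR OS code) of an RFC 4303 style ESP anti-replay sliding window sized with the same options (32 to 512): a sequence number already seen is rejected as a replay, and one older than the window is dropped even if it was never seen. The sample sequence numbers are constructed.

```python
# Added illustration, not Nokia SR OS code: an ESP anti-replay sliding window
# (RFC 4303 style) sized like the replay-window options above (32..512).
from dataclasses import dataclass

VALID_SIZES = (32, 64, 128, 256, 512)


@dataclass
class ReplayWindow:
    size: int
    top: int = 0       # highest sequence number accepted so far
    bitmap: int = 0    # bit i set => sequence number (top - i) was received

    def __post_init__(self) -> None:
        if self.size not in VALID_SIZES:
            raise ValueError(f"replay-window must be one of {VALID_SIZES}")

    def check_and_update(self, seq: int) -> bool:
        """Return True if seq is fresh (accept it), False if replayed or too old."""
        if seq == 0:
            return False  # ESP sequence numbers start at 1; 0 is never valid
        mask = (1 << self.size) - 1
        if seq > self.top:
            # Advance the window; a jump of a full window or more leaves only seq.
            shift = seq - self.top
            self.bitmap = 1 if shift >= self.size else ((self.bitmap << shift) | 1) & mask
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False  # left of the window: too old to be checked, drop
        if self.bitmap & (1 << offset):
            return False  # duplicate: replayed packet
        self.bitmap |= 1 << offset  # late but inside the window: accept once
        return True


def replay_check(size: int, seqs: list[int]) -> list[bool]:
    """Feed a (constructed) list of ESP sequence numbers through one SA window."""
    window = ReplayWindow(size)
    return [window.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    # Constructed sample: in-order, a duplicate, a late-but-in-window packet, and
    # a packet that falls outside a 32-wide window but inside a 512-wide one.
    print(replay_check(32, [1, 1, 5, 3, 3, 100, 68, 69]))
    print(replay_check(512, [100, 68]))
```

A larger window tolerates more reordering on the public path at the cost of a slightly larger bitmap per SA; a smaller one drops heavily delayed packets outright.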
sp-reverse-route keyword
Synopsis | Reverse route creation method in private service | |
Context | configure ipsec tunnel-template number sp-reverse-route keyword | |
Tree | sp-reverse-route | |
Description | This command allows the system to automatically create a reverse route in the private service based on the dynamic LAN-to-LAN tunnel's TSi. | |
Options | ||
Default | none | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |