ipsec commands
configure
— ipsec
— apply-groups reference
— apply-groups-exclude reference
— cert-profile named-item
— admin-state keyword
— apply-groups reference
— apply-groups-exclude reference
— entry number
— apply-groups reference
— apply-groups-exclude reference
— cert pki-file-name
— compare-chain-include reference
— key pki-file-name
— rsa-signature keyword
— send-chain
— ca-profile reference
— client-db named-item
— admin-state keyword
— apply-groups reference
— apply-groups-exclude reference
— client number
— admin-state keyword
— apply-groups reference
— apply-groups-exclude reference
— client-name named-item
— credential
— pre-shared-key encrypted-leaf-hex-without-prefix
— identification
— idi
— any boolean
— fqdn display-string-or-empty
— fqdn-suffix display-string-or-empty
— ipv4-prefix ipv4-prefix
— ipv4-prefix-any boolean
— ipv6-prefix ipv6-prefix
— ipv6-prefix-any boolean
— rfc822 display-string-or-empty
— rfc822-suffix display-string-or-empty
— peer-ip-prefix
— ip-prefix (ipv4-prefix | ipv6-prefix)
— ipv4-only boolean
— ipv6-only boolean
— private-interface named-item
— private-service-name service-name
— ts-list named-item
— tunnel-template number
— description description
— match-list
— idi boolean
— peer-ip-prefix boolean
— ike-policy number
— apply-groups reference
— apply-groups-exclude reference
— description description
— dpd
— interval number
— max-retries number
— reply-only boolean
— ike-transform reference
— ike-version-1
— auth-method keyword
— ike-mode keyword
— own-auth-method keyword
— ph1-responder-delete-notify boolean
— ike-version-2
— auth-method keyword
— auto-eap-method keyword
— ikev2-fragment
— mtu number
— reassembly-timeout number
— own-auth-method keyword
— own-auto-eap-method keyword
— ppk-required boolean
— send-idr-after-eap-success boolean
— ipsec-lifetime number
— limit-init-exchange
— admin-state keyword
— reduced-max-exchange-timeout (number | keyword)
— lockout
— block (number | keyword)
— duration number
— failed-attempts number
— max-port-per-ip number
— match-peer-id-to-cert boolean
— nat-traversal
— force boolean
— force-keep-alive boolean
— keep-alive-interval number
— pfs
— dh-group keyword
— relay-unsolicited-cfg-attribute
— internal-ip4-address boolean
— internal-ip4-dns boolean
— internal-ip4-netmask boolean
— internal-ip6-address boolean
— internal-ip6-dns boolean
— ike-transform number
— apply-groups reference
— apply-groups-exclude reference
— dh-group keyword
— ike-auth-algorithm keyword
— ike-encryption-algorithm keyword
— ike-prf-algorithm keyword
— isakmp-lifetime number
— ipsec-transform number
— apply-groups reference
— apply-groups-exclude reference
— esp-auth-algorithm keyword
— esp-encryption-algorithm keyword
— extended-sequence-number boolean
— ipsec-lifetime number
— pfs-dh-group keyword
— ipsec-transport-mode-profile named-item
— apply-groups reference
— apply-groups-exclude reference
— description description
— key-exchange
— dynamic
— auto-establish boolean
— cert
— cert-profile reference
— status-verify
— default-result keyword
— primary keyword
— secondary keyword
— trust-anchor-profile reference
— id
— fqdn fully-qualified-domain-name
— ipv4 ipv4-unicast-address
— ipv6 (ipv4-address-no-zone | ipv6-address-no-zone)
— ike-policy reference
— ipsec-transform reference
— ppk
— id reference
— list reference
— pre-shared-key encrypted-leaf
— max-history-key-records
— esp number
— ike number
— replay-window number
— ppk-list named-item
— apply-groups reference
— apply-groups-exclude reference
— ppk named-item-64
— apply-groups reference
— apply-groups-exclude reference
— value
— ascii encrypted-leaf
— hex encrypted-leaf-hex
— radius
— accounting-policy named-item
— apply-groups reference
— apply-groups-exclude reference
— include-radius-attribute
— acct-stats boolean
— called-station-id boolean
— calling-station-id boolean
— framed-ip-addr boolean
— framed-ipv6-prefix boolean
— nas-identifier boolean
— nas-ip-addr boolean
— nas-port-id boolean
— radius-server-policy reference
— update-interval
— jitter number
— value number
— authentication-policy named-item
— apply-groups reference
— apply-groups-exclude reference
— include-radius-attribute
— called-station-id boolean
— calling-station-id boolean
— client-cert-subject-key-id boolean
— nas-identifier boolean
— nas-ip-addr boolean
— nas-port-id boolean
— password encrypted-leaf
— radius-server-policy reference
— show-ipsec-keys boolean
— static-sa named-item
— apply-groups reference
— apply-groups-exclude reference
— authentication
— algorithm keyword
— key encrypted-leaf
— description named-item
— direction keyword
— protocol keyword
— spi number
— trust-anchor-profile named-item
— apply-groups reference
— apply-groups-exclude reference
— trust-anchor reference
— ts-list named-item
— apply-groups reference
— apply-groups-exclude reference
— local
— entry number
— address
— prefix (ipv4-prefix | ipv6-prefix)
— range
— begin (ipv4-address-no-zone | ipv6-address-no-zone)
— end (ipv4-address-no-zone | ipv6-address-no-zone)
— apply-groups reference
— apply-groups-exclude reference
— protocol
— any
— id
— icmp
— opaque
— port-range
— begin-icmp-code number
— begin-icmp-type number
— end-icmp-code number
— end-icmp-type number
— icmp6
— opaque
— port-range
— begin-icmp-code number
— begin-icmp-type number
— end-icmp-code number
— end-icmp-type number
— mipv6
— opaque
— port-range
— begin number
— end number
— protocol-id-with-any-port (keyword | number)
— sctp
— opaque
— port-range
— begin number
— end number
— tcp
— opaque
— port-range
— begin number
— end number
— udp
— opaque
— port-range
— begin number
— end number
— remote
— entry number
— address
— prefix (ipv4-prefix | ipv6-prefix)
— range
— begin (ipv4-address-no-zone | ipv6-address-no-zone)
— end (ipv4-address-no-zone | ipv6-address-no-zone)
— apply-groups reference
— apply-groups-exclude reference
— protocol
— any
— id
— icmp
— opaque
— port-range
— begin-icmp-code number
— begin-icmp-type number
— end-icmp-code number
— end-icmp-type number
— icmp6
— opaque
— port-range
— begin-icmp-code number
— begin-icmp-type number
— end-icmp-code number
— end-icmp-type number
— mipv6
— opaque
— port-range
— begin number
— end number
— protocol-id-with-any-port (keyword | number)
— sctp
— opaque
— port-range
— begin number
— end number
— tcp
— opaque
— port-range
— begin number
— end number
— udp
— opaque
— port-range
— begin number
— end number
— tunnel-template number
— apply-groups reference
— apply-groups-exclude reference
— clear-df-bit boolean
— copy-traffic-class-upon-decapsulation boolean
— description description
— encapsulated-ip-mtu number
— icmp-generation
— frag-required
— admin-state keyword
— interval number
— message-count number
— icmp6-generation
— pkt-too-big
— admin-state keyword
— interval number
— message-count number
— ignore-default-route boolean
— ip-mtu number
— ipsec-transform reference
— pmtu-discovery-aging number
— ppk-list reference
— private-tcp-mss-adjust number
— propagate-pmtu-v4 boolean
— propagate-pmtu-v6 boolean
— public-tcp-mss-adjust (number | keyword)
— replay-window number
— reverse-route
— metric number
— preference number
— sp-reverse-route keyword
ipsec command descriptions
ipsec
cert-profile [name] named-item
Synopsis | Enter the cert-profile list instance | |
Context | configure ipsec cert-profile named-item | |
Tree | cert-profile | |
Description | Commands in this context configure the certificate profile. | |
Max. instances | 10200 | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
[name] named-item
Synopsis | Certificate profile name | |
Context | configure ipsec cert-profile named-item | |
Tree | cert-profile | |
String length | 1 to 32 | |
Notes | This element is part of a list key. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
admin-state keyword
Synopsis | Administrative state of the certificate profile | |
Context | configure ipsec cert-profile named-item admin-state keyword | |
Tree | admin-state | |
Options | ||
Default | disable | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
entry [id] number
Synopsis | Enter the entry list instance | |
Context | configure ipsec cert-profile named-item entry number | |
Tree | entry | |
Description | Commands in this context configure the certificate profile entry. | |
Max. instances | 8 | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
[id] number
Synopsis | Certificate profile entry ID | |
Context | configure ipsec cert-profile named-item entry number | |
Tree | entry | |
Range | 1 to 8 | |
Notes | This element is part of a list key. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
cert pki-file-name
Synopsis | File name of the imported certificate for the entry | |
Context | configure ipsec cert-profile named-item entry number cert pki-file-name | |
Tree | cert | |
String length | 1 to 95 | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
compare-chain-include reference
Synopsis | CA profile to include in the compare-chain | |
Context | configure ipsec cert-profile named-item entry number compare-chain-include reference | |
Tree | compare-chain-include | |
Description | This command specifies the Certificate Authority (CA) that needs to be included in the compare-chain for the entry. This configuration is required in instances where the configured root CA is cross-signed by another CA. | |
Reference | configure system security pki ca-profile named-item | |
Introduced | 23.10.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
key pki-file-name
Synopsis | File name of the imported key used for authentication | |
Context | configure ipsec cert-profile named-item entry number key pki-file-name | |
Tree | key | |
String length | 1 to 95 | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
rsa-signature keyword
Synopsis | Signature scheme for the RSA key | |
Context | configure ipsec cert-profile named-item entry number rsa-signature keyword | |
Tree | rsa-signature | |
Options | ||
Default | pkcs1 | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
send-chain
Synopsis | Enter the send-chain context | |
Context | configure ipsec cert-profile named-item entry number send-chain | |
Tree | send-chain | |
Description | Commands in this context allow the system to send additional CA certificates to the peer. These additional CA certificates must be in the certificate chain of the certificate specified by the cert command in the same entry. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
ca-profile reference
Synopsis | CA certificate to send to the peer | |
Context | configure ipsec cert-profile named-item entry number send-chain ca-profile reference | |
Tree | ca-profile | |
Reference | configure system security pki ca-profile named-item | |
Max. instances | 7 | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
client-db [name] named-item
[name] named-item
admin-state keyword
Synopsis | Administrative state of the client database | |
Context | configure ipsec client-db named-item admin-state keyword | |
Tree | admin-state | |
Options | ||
Default | disable | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
client [id] number
[id] number
admin-state keyword
Synopsis | Administrative state of the database client | |
Context | configure ipsec client-db named-item client number admin-state keyword | |
Tree | admin-state | |
Options | ||
Default | disable | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
client-name named-item
Warning: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. | ||
Synopsis | Client name | |
Context | configure ipsec client-db named-item client number client-name named-item | |
Tree | client-name | |
String length | 1 to 32 | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
credential
Warning: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. | ||
Synopsis | Enter the credential context | |
Context | configure ipsec client-db named-item client number credential | |
Tree | credential | |
Description | Commands in this context authenticate peers. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
pre-shared-key encrypted-leaf-hex-without-prefix
Warning: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. | ||
Synopsis | Pre-shared key used to authenticate peers | |
Context | configure ipsec client-db named-item client number credential pre-shared-key encrypted-leaf-hex-without-prefix | |
Tree | pre-shared-key | |
String length | 1 to 115 | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
identification
Warning: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. | ||
Synopsis | Enter the identification context | |
Context | configure ipsec client-db named-item client number identification | |
Tree | identification | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
idi
Warning: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. | ||
Synopsis | Enable the idi context | |
Context | configure ipsec client-db named-item client number identification idi | |
Tree | idi | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
any boolean
Warning: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. | ||
Synopsis | Accept any IDi value as a match | |
Context | configure ipsec client-db named-item client number identification idi any boolean | |
Tree | any | |
Notes | The following elements are part of a mandatory choice: any, fqdn, fqdn-suffix, ipv4-prefix, ipv4-prefix-any, ipv6-prefix, ipv6-prefix-any, rfc822, or rfc822-suffix. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
fqdn display-string-or-empty
Warning: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. | ||
Synopsis | FQDN used as the match criteria for the IDi | |
Context | configure ipsec client-db named-item client number identification idi fqdn display-string-or-empty | |
Tree | fqdn | |
String length | 0 to 255 | |
Notes | The following elements are part of a mandatory choice: any, fqdn, fqdn-suffix, ipv4-prefix, ipv4-prefix-any, ipv6-prefix, ipv6-prefix-any, rfc822, or rfc822-suffix. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
fqdn-suffix display-string-or-empty
Warning: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. | ||
Synopsis | FQDN suffix used as the match criteria for the IDi | |
Context | configure ipsec client-db named-item client number identification idi fqdn-suffix display-string-or-empty | |
Tree | fqdn-suffix | |
String length | 0 to 255 | |
Notes | The following elements are part of a mandatory choice: any, fqdn, fqdn-suffix, ipv4-prefix, ipv4-prefix-any, ipv6-prefix, ipv6-prefix-any, rfc822, or rfc822-suffix. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
ipv4-prefix ipv4-prefix
Warning: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. | ||
Synopsis | IPv4 prefix used as the match criteria for the IDi | |
Context | configure ipsec client-db named-item client number identification idi ipv4-prefix ipv4-prefix | |
Tree | ipv4-prefix | |
Notes | The following elements are part of a mandatory choice: any, fqdn, fqdn-suffix, ipv4-prefix, ipv4-prefix-any, ipv6-prefix, ipv6-prefix-any, rfc822, or rfc822-suffix. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
ipv4-prefix-any boolean
Warning: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. | ||
Synopsis | Accept any valid IPv4 prefix as a match for the IDi | |
Context | configure ipsec client-db named-item client number identification idi ipv4-prefix-any boolean | |
Tree | ipv4-prefix-any | |
Notes | The following elements are part of a mandatory choice: any, fqdn, fqdn-suffix, ipv4-prefix, ipv4-prefix-any, ipv6-prefix, ipv6-prefix-any, rfc822, or rfc822-suffix. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
ipv6-prefix ipv6-prefix
Warning: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. | ||
Synopsis | IPv6 prefix used as the match criteria for the IDi | |
Context | configure ipsec client-db named-item client number identification idi ipv6-prefix ipv6-prefix | |
Tree | ipv6-prefix | |
Notes | The following elements are part of a mandatory choice: any, fqdn, fqdn-suffix, ipv4-prefix, ipv4-prefix-any, ipv6-prefix, ipv6-prefix-any, rfc822, or rfc822-suffix. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
ipv6-prefix-any boolean
Warning: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. | ||
Synopsis | Accept any valid IPv6 prefix as a match for the IDi | |
Context | configure ipsec client-db named-item client number identification idi ipv6-prefix-any boolean | |
Tree | ipv6-prefix-any | |
Notes | The following elements are part of a mandatory choice: any, fqdn, fqdn-suffix, ipv4-prefix, ipv4-prefix-any, ipv6-prefix, ipv6-prefix-any, rfc822, or rfc822-suffix. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
rfc822 display-string-or-empty
Warning: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. | ||
Synopsis | Email address (RFC 822) used as match criteria for IDi | |
Context | configure ipsec client-db named-item client number identification idi rfc822 display-string-or-empty | |
Tree | rfc822 | |
String length | 0 to 255 | |
Notes | The following elements are part of a mandatory choice: any, fqdn, fqdn-suffix, ipv4-prefix, ipv4-prefix-any, ipv6-prefix, ipv6-prefix-any, rfc822, or rfc822-suffix. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
rfc822-suffix display-string-or-empty
Warning: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. | ||
Synopsis | Email address domain (RFC 822) as IDi match criteria | |
Context | configure ipsec client-db named-item client number identification idi rfc822-suffix display-string-or-empty | |
Tree | rfc822-suffix | |
String length | 0 to 255 | |
Notes | The following elements are part of a mandatory choice: any, fqdn, fqdn-suffix, ipv4-prefix, ipv4-prefix-any, ipv6-prefix, ipv6-prefix-any, rfc822, or rfc822-suffix. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
peer-ip-prefix
Warning: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. | ||
Synopsis | Enable the peer-ip-prefix context | |
Context | configure ipsec client-db named-item client number identification peer-ip-prefix | |
Tree | peer-ip-prefix | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
ip-prefix (ipv4-prefix | ipv6-prefix)
Warning: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. | ||
Synopsis | IP prefix used as the match criteria | |
Context | configure ipsec client-db named-item client number identification peer-ip-prefix ip-prefix (ipv4-prefix | ipv6-prefix) | |
Tree | ip-prefix | |
Notes | The following elements are part of a mandatory choice: ip-prefix, ipv4-only, or ipv6-only. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
ipv4-only boolean
Warning: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. | ||
Synopsis | Accept any valid IPv4 address as a match | |
Context | configure ipsec client-db named-item client number identification peer-ip-prefix ipv4-only boolean | |
Tree | ipv4-only | |
Notes | The following elements are part of a mandatory choice: ip-prefix, ipv4-only, or ipv6-only. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
ipv6-only boolean
Warning: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. | ||
Synopsis | Accept any valid IPv6 address as a match | |
Context | configure ipsec client-db named-item client number identification peer-ip-prefix ipv6-only boolean | |
Tree | ipv6-only | |
Notes | The following elements are part of a mandatory choice: ip-prefix, ipv4-only, or ipv6-only. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
private-interface named-item
Warning: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. | ||
Synopsis | Private interface name used for tunnel setup | |
Context | configure ipsec client-db named-item client number private-interface named-item | |
Tree | private-interface | |
String length | 1 to 32 | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
private-service-name service-name
Warning: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. | ||
Synopsis | Name of the private service used for tunnel setup | |
Context | configure ipsec client-db named-item client number private-service-name service-name | |
Tree | private-service-name | |
String length | 1 to 64 | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
ts-list named-item
Warning: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. | ||
Synopsis | Traffic selector list used by the tunnel | |
Context | configure ipsec client-db named-item client number ts-list named-item | |
Tree | ts-list | |
String length | 1 to 32 | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
tunnel-template number
Warning: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. | ||
Synopsis | Tunnel template ID | |
Context | configure ipsec client-db named-item client number tunnel-template number | |
Tree | tunnel-template | |
Range | 1 to 2048 | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
description description
Synopsis | Text description | |
Context | configure ipsec client-db named-item description description | |
Tree | description | |
String length | 1 to 80 | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
match-list
Warning: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. | ||
Synopsis | Enter the match-list context | |
Context | configure ipsec client-db named-item match-list | |
Tree | match-list | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
idi boolean
Warning: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. | ||
Synopsis | Use IDi type in the IPsec client matching process | |
Context | configure ipsec client-db named-item match-list idi boolean | |
Tree | idi | |
Default | false | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
peer-ip-prefix boolean
Warning: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. | ||
Synopsis | Use the peer tunnel IP address in the matching process | |
Context | configure ipsec client-db named-item match-list peer-ip-prefix boolean | |
Tree | peer-ip-prefix | |
Default | false | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
ike-policy [id] number
Synopsis | Enter the ike-policy list instance | |
Context | configure ipsec ike-policy number | |
Tree | ike-policy | |
Description | Commands in this context configure an Internet Key Exchange (IKE) policy. | |
Max. instances | 2048 | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
[id] number
Synopsis | IKE policy ID | |
Context | configure ipsec ike-policy number | |
Tree | ike-policy | |
Range | 1 to 2048 | |
Notes | This element is part of a list key. | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
description description
Synopsis | Text description | |
Context | configure ipsec ike-policy number description description | |
Tree | description | |
String length | 1 to 80 | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
dpd
Synopsis | Enable the dpd context | |
Context | configure ipsec ike-policy number dpd | |
Tree | dpd | |
Description | Commands in this context configure the dead peer detection mechanism. | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
interval number
Synopsis | DPD interval | |
Context | configure ipsec ike-policy number dpd interval number | |
Tree | interval | |
Description | This command specifies the DPD interval. Because more time is necessary to determine if there is incoming traffic, the actual time needed to bring down the tunnel is larger than the DPD interval multiplied by the value configured for maximum retry attempts. | |
Range | 10 to 300 | |
Units | seconds | |
Default | 30 | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
max-retries number
Synopsis | Maximum number of retries before the tunnel is removed | |
Context | configure ipsec ike-policy number dpd max-retries number | |
Tree | max-retries | |
Range | 2 to 5 | |
Default | 3 | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
reply-only boolean
Synopsis | Initiate DPD request for incoming ESP or IKE packets | |
Context | configure ipsec ike-policy number dpd reply-only boolean | |
Tree | reply-only | |
Default | false | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
ike-transform reference
Synopsis | IKE transform instance associated with the IKE policy | |
Context | configure ipsec ike-policy number ike-transform reference | |
Tree | ike-transform | |
Description | This command specifies the IKE transform instance associated with the IKE policy. If multiple IDs are specified, the system selects an IKE transform based on the proposal of the peer. If the system is a tunnel initiator, it uses the configured IKE transform to generate the SA payload. | |
Reference | configure ipsec ike-transform number | |
Max. instances | 4 | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
ike-version-1
Synopsis | Enter the ike-version-1 context | |
Context | configure ipsec ike-policy number ike-version-1 | |
Tree | ike-version-1 | |
Description | Commands in this context configure the IKE version 1 mode of operation that the IKE policy uses. | |
Notes | The following elements are part of a choice: ike-version-1 or ike-version-2. | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
auth-method keyword
Synopsis | Authentication method used with the IKE policy | |
Context | configure ipsec ike-policy number ike-version-1 auth-method keyword | |
Tree | auth-method | |
Options | ||
Default | psk | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
ike-mode keyword
Synopsis | Mode of operation | |
Context | configure ipsec ike-policy number ike-version-1 ike-mode keyword | |
Tree | ike-mode | |
Options | ||
Default | main | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
own-auth-method keyword
Synopsis | Authentication method used with policy on its own side | |
Context | configure ipsec ike-policy number ike-version-1 own-auth-method keyword | |
Tree | own-auth-method | |
Options | ||
Default | symmetric | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
ph1-responder-delete-notify boolean
Synopsis | Send delete notification for IKEv1 phase 1 removal | |
Context | configure ipsec ike-policy number ike-version-1 ph1-responder-delete-notify boolean | |
Tree | ph1-responder-delete-notify | |
Description | When configured to true, a delete notification is sent to the peer when deleting an IKEv1 phase 1 SA for which it was the responder. When configured to false, no notification is sent. | |
Default | true | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
ike-version-2
Synopsis | Enable the ike-version-2 context | |
Context | configure ipsec ike-policy number ike-version-2 | |
Tree | ike-version-2 | |
Description | Commands in this context configure the IKE version 2 mode of operation that the IKE policy uses. | |
Notes | The following elements are part of a choice: ike-version-1 or ike-version-2. | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
auth-method keyword
Synopsis | Authentication method used with the IKE policy | |
Context | configure ipsec ike-policy number ike-version-2 auth-method keyword | |
Tree | auth-method | |
Options | ||
Default | psk | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
auto-eap-method keyword
Synopsis | Authentication method used for the remote peer | |
Context | configure ipsec ike-policy number ike-version-2 auto-eap-method keyword | |
Tree | auto-eap-method | |
Description | This command specifies the behavior for the IKEv2 remote-access tunnel when the authentication method uses EAP or potentially another method to authenticate the remote peer. | |
Options | ||
Default | cert | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
ikev2-fragment
Synopsis | Enable the ikev2-fragment context | |
Context | configure ipsec ike-policy number ike-version-2 ikev2-fragment | |
Tree | ikev2-fragment | |
Description | Commands in this context configure IKEv2 protocol level fragmentation (RFC 7383). | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
mtu number
Synopsis | Maximum size of the IKEv2 packet | |
Context | configure ipsec ike-policy number ike-version-2 ikev2-fragment mtu number | |
Tree | mtu | |
Range | 512 to 9000 | |
Units | octets | |
Default | 1500 | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
reassembly-timeout number
Synopsis | Timeout for reassembly of IKEv2 message fragments | |
Context | configure ipsec ike-policy number ike-version-2 ikev2-fragment reassembly-timeout number | |
Tree | reassembly-timeout | |
Range | 1 to 5 | |
Units | seconds | |
Default | 2 | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
own-auth-method keyword
Synopsis | Authentication method used with IKE policy on own side | |
Context | configure ipsec ike-policy number ike-version-2 own-auth-method keyword | |
Tree | own-auth-method | |
Options | ||
Default | symmetric | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
own-auto-eap-method keyword
Synopsis | Authentication method used on its own side | |
Context | configure ipsec ike-policy number ike-version-2 own-auto-eap-method keyword | |
Tree | own-auto-eap-method | |
Description | This command specifies the behavior for the IKEv2 remote-access tunnel when the authentication method uses EAP or potentially another method to authenticate the peer. | |
Options | ||
Default | cert | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
ppk-required boolean
Synopsis | Force the use of PPK | |
Context | configure ipsec ike-policy number ike-version-2 ppk-required boolean | |
Tree | ppk-required | |
Description | When configured to true, the router is forced to use PPKs for the IKEv2 key derivation process. When configured to false, PPK use is optional, and the router can fall back to derive keys without PPK. | |
Default | false | |
Introduced | 24.10.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
send-idr-after-eap-success boolean
Synopsis | Send IDr payload in last IKE authentication response | |
Context | configure ipsec ike-policy number ike-version-2 send-idr-after-eap-success boolean | |
Tree | send-idr-after-eap-success | |
Description | When configured to true, the Identification Responder (IDr) payload is added in the last IKE authentication response after an Extensible Authentication Protocol (EAP) Success packet is received. When configured to false, the IDr payload is not included in the last IKE authentication response. | |
Default | true | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
ipsec-lifetime number
Synopsis | Lifetime of the Phase 2 IKE key | |
Context | configure ipsec ike-policy number ipsec-lifetime number | |
Tree | ipsec-lifetime | |
Range | 1200 to 31536000 | |
Units | seconds | |
Default | 3600 | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
limit-init-exchange
Synopsis | Enter the limit-init-exchange context | |
Context | configure ipsec ike-policy number limit-init-exchange | |
Tree | limit-init-exchange | |
Description | Commands in this context limit the number of ongoing IKEv2 initial exchanges per tunnel. | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
admin-state keyword
Synopsis | Administrative state of limiting initial IKE exchanges | |
Context | configure ipsec ike-policy number limit-init-exchange admin-state keyword | |
Tree | admin-state | |
Options | ||
Default | enable | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
reduced-max-exchange-timeout (number | keyword)
Synopsis | Maximum timeout for in-progress initial IKE exchange | |
Context | configure ipsec ike-policy number limit-init-exchange reduced-max-exchange-timeout (number | keyword) | |
Tree | reduced-max-exchange-timeout | |
Description | This command configures the maximum timeout for the in-progress initial IKE exchange. If a new IKEv2 IKE_SA_INIT request is received when there is an ongoing IKEv2 initial exchange from the same peer, the timeout value of the existing exchange is set to this specified value. If the none option is configured for this command, the timeout value remains unchanged. | |
Range | 2 to 60 | |
Units | seconds | |
Options | ||
Default | 2 | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
lockout
Synopsis | Enable the lockout context | |
Context | configure ipsec ike-policy number lockout | |
Tree | lockout | |
Description | Commands in this context specify the lockout mechanism for the IPsec tunnel. These commands apply only when the system acts as a tunnel responder. | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
block (number | keyword)
Synopsis | Time a client is blocked for failed authentications | |
Context | configure ipsec ike-policy number lockout block (number | keyword) | |
Tree | block | |
Description | This command configures the time the client is blocked if the number of failed authentications exceeds the configured value within the specified duration. | |
Range | 1 to 1440 | |
Units | minutes | |
Options | ||
Default | 10 | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
duration number
Synopsis | Time interval for failed attempts threshold | |
Context | configure ipsec ike-policy number lockout duration number | |
Tree | duration | |
Description | This command specifies the time interval in which the configured failed authentication count must be exceeded to trigger a lockout. | |
Range | 1 to 60 | |
Units | minutes | |
Default | 5 | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
failed-attempts number
Synopsis | Maximum failed authentications allowed in the duration | |
Context | configure ipsec ike-policy number lockout failed-attempts number | |
Tree | failed-attempts | |
Range | 1 to 64 | |
Default | 3 | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
max-port-per-ip number
Synopsis | Maximum number of ports allowed under same IP address | |
Context | configure ipsec ike-policy number lockout max-port-per-ip number | |
Tree | max-port-per-ip | |
Description | This command configures the maximum number of ports allowed under the same IP address. When the threshold is exceeded and the client is locked out, all ports behind the IP address are blocked. | |
Range | 1 to 32000 | |
Default | 16 | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
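The four lockout leaves (`block`, `duration`, `failed-attempts`, `max-port-per-ip`) describe one responder-side brute-force defence. The Python model below, an added illustration rather than Nokia code, shows how those parameters interact: failures are counted per client in a sliding `duration` window, the client is blocked for `block` minutes once the count exceeds `failed-attempts`, and when more than `max-port-per-ip` ports have been seen behind the IP address of a locked-out client, the whole address is blocked. Counting per (IP, UDP port) pair and the exact trigger for the whole-address block are assumptions of the model; time is a plain float in minutes.

```python
from collections import deque


class IkeLockout:
    """Model of the IKE responder lockout mechanism (constructed example, not Nokia code).

    Defaults mirror the lockout leaves: failed-attempts 3, duration 5 min,
    block 10 min, max-port-per-ip 16.
    """

    def __init__(self, failed_attempts=3, duration_min=5, block_min=10, max_port_per_ip=16):
        self.failed_attempts = failed_attempts
        self.duration = duration_min
        self.block = block_min
        self.max_ports = max_port_per_ip
        self._failures = {}          # (ip, port) -> deque of failure timestamps
        self._blocked_until = {}     # (ip, port) -> minute at which the block expires
        self._ip_blocked_until = {}  # ip -> minute at which the whole-address block expires
        self._ports_seen = {}        # ip -> set of source ports observed behind it

    def is_blocked(self, ip, port, now):
        """True while either the client or its whole IP address is locked out."""
        if self._ip_blocked_until.get(ip, -1.0) > now:
            return True
        return self._blocked_until.get((ip, port), -1.0) > now

    def record_failure(self, ip, port, now):
        """Register one failed IKE authentication; returns True if a lockout was triggered."""
        self._ports_seen.setdefault(ip, set()).add(port)
        q = self._failures.setdefault((ip, port), deque())
        q.append(now)
        # Forget failures that fell outside the sliding duration window.
        while q and now - q[0] > self.duration:
            q.popleft()
        if len(q) <= self.failed_attempts:
            return False
        # Threshold exceeded inside the window: block this client.
        self._blocked_until[(ip, port)] = now + self.block
        q.clear()
        # Assumption: a locked-out client behind an address with more than
        # max-port-per-ip observed ports blocks every port behind that address.
        if len(self._ports_seen[ip]) > self.max_ports:
            self._ip_blocked_until[ip] = now + self.block
        return True
```

With the defaults, three failures inside five minutes are tolerated and the fourth triggers a ten-minute block; three failures spread over more than five minutes never accumulate. The whole-address rule is what keeps a NAT-ed attacker from cycling source ports to dodge the per-client counter.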
match-peer-id-to-cert boolean
Synopsis | Check IKE peer ID during certificate authentication | |
Context | configure ipsec ike-policy number match-peer-id-to-cert boolean | |
Tree | match-peer-id-to-cert | |
Default | false | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
nat-traversal
Synopsis | Enable the nat-traversal context | |
Context | configure ipsec ike-policy number nat-traversal | |
Tree | nat-traversal | |
Description | Commands in this context configure the Network Address Translation Traversal (NAT-T) functionality. | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
force boolean
Synopsis | Enable NAT-T in forced mode | |
Context | configure ipsec ike-policy number nat-traversal force boolean | |
Tree | force | |
Default | false | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
force-keep-alive boolean
Synopsis | Continue sending keepalive packets (no expiry) | |
Context | configure ipsec ike-policy number nat-traversal force-keep-alive boolean | |
Tree | force-keep-alive | |
Default | true | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
keep-alive-interval number
Synopsis | Keepalive interval for NAT-T | |
Context | configure ipsec ike-policy number nat-traversal keep-alive-interval number | |
Tree | keep-alive-interval | |
Range | 120 to 600 | |
Units | seconds | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
pfs
Synopsis | Enable the pfs context | |
Context | configure ipsec ike-policy number pfs | |
Tree | pfs | |
Description | Commands in this context configure perfect forward secrecy on the IPsec tunnel using the policy. PFS provides for a new Diffie-Hellman (DH) key exchange each time the Security Association (SA) key is renegotiated. When the SA key expires, another key is generated (if the SA remains up). | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
dh-group keyword
Synopsis | Diffie-Hellman group used to calculate session keys | |
Context | configure ipsec ike-policy number pfs dh-group keyword | |
Tree | dh-group | |
Description | This command specifies which DH group to use for calculating session keys. More bits provide a higher level of security, but require more processing. | |
Options | ||
Default | group-2 | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
relay-unsolicited-cfg-attribute
Synopsis | Enter the relay-unsolicited-cfg-attribute context | |
Context | configure ipsec ike-policy number relay-unsolicited-cfg-attribute | |
Tree | relay-unsolicited-cfg-attribute | |
Description | Commands in this context configure attributes returned from the source (such as a RADIUS server) that are returned to the IKEv2 remote-access tunnel client regardless of whether the client has requested the attribute in the CFG_REQUEST payload. | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
internal-ip4-address boolean
Synopsis | Return the IPv4 address from the source to the client | |
Context | configure ipsec ike-policy number relay-unsolicited-cfg-attribute internal-ip4-address boolean | |
Tree | internal-ip4-address | |
Description | When configured to true, the system returns the IPv4 address from the source (such as a RADIUS server) to the IKEv2 remote-access tunnel client regardless of whether the client has requested the address in the CFG_REQUEST payload. | |
Default | false | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
internal-ip4-dns boolean
Synopsis | Return IPv4 DNS server address from source to client | |
Context | configure ipsec ike-policy number relay-unsolicited-cfg-attribute internal-ip4-dns boolean | |
Tree | internal-ip4-dns | |
Description | When configured to true, the system returns the IPv4 DNS server address from the source (such as a RADIUS server) to the IKEv2 remote-access tunnel client regardless of whether the client has requested the address in the CFG_REQUEST payload. | |
Default | false | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
internal-ip4-netmask boolean
Synopsis | Return the IPv4 netmask from the source to the client | |
Context | configure ipsec ike-policy number relay-unsolicited-cfg-attribute internal-ip4-netmask boolean | |
Tree | internal-ip4-netmask | |
Description | When configured to true, the system returns the IPv4 netmask from the source (such as a RADIUS server) to the IKEv2 remote-access tunnel client regardless of whether the client has requested the netmask in the CFG_REQUEST payload. | |
Default | false | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
internal-ip6-address boolean
Synopsis | Return the IPv6 address from the source to the client | |
Context | configure ipsec ike-policy number relay-unsolicited-cfg-attribute internal-ip6-address boolean | |
Tree | internal-ip6-address | |
Description | When configured to true, the system returns the IPv6 address from the source (such as a RADIUS server) to the IKEv2 remote-access tunnel client regardless of whether the client has requested the address in the CFG_REQUEST payload. | |
Default | false | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
internal-ip6-dns boolean
Synopsis | Return IPv6 DNS server address from source to client | |
Context | configure ipsec ike-policy number relay-unsolicited-cfg-attribute internal-ip6-dns boolean | |
Tree | internal-ip6-dns | |
Description | When configured to true, the system returns the IPv6 DNS server address from the source (such as a RADIUS server) to the IKEv2 remote-access tunnel client regardless of whether the client has requested the address in the CFG_REQUEST payload. | |
Default | false | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
ike-transform [id] number
Synopsis | Enter the ike-transform list instance | |
Context | configure ipsec ike-transform number | |
Tree | ike-transform | |
Max. instances | 4096 | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
[id] number
Synopsis | IKE transform instance ID | |
Context | configure ipsec ike-transform number | |
Tree | ike-transform | |
Range | 1 to 4096 | |
Notes | This element is part of a list key. | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
dh-group keyword
Synopsis | Diffie-Hellman group used to calculate session keys | |
Context | configure ipsec ike-transform number dh-group keyword | |
Tree | dh-group | |
Options | ||
Default | group-2 | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
ike-auth-algorithm keyword
Synopsis | IKE authentication algorithm for IKE transform instance | |
Context | configure ipsec ike-transform number ike-auth-algorithm keyword | |
Tree | ike-auth-algorithm | |
Options | ||
Default | sha-1 | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
ike-encryption-algorithm keyword
Synopsis | IKE encryption algorithm for the IKE transform instance | |
Context | configure ipsec ike-transform number ike-encryption-algorithm keyword | |
Tree | ike-encryption-algorithm | |
Options | ||
Default | aes-128 | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
ike-prf-algorithm keyword
Synopsis | PRF algorithm for the IKE transform instance | |
Context | configure ipsec ike-transform number ike-prf-algorithm keyword | |
Tree | ike-prf-algorithm | |
Description | This command specifies the pseudo-random function algorithm used for the IKE security association. If a combined-mode (AEAD) algorithm such as AES-GCM is used for the IKE encryption algorithm, there is no separate IKE authentication algorithm to inherit from, so same-as-auth cannot be used for the IKE PRF algorithm. | |
Options | ||
Default | same-as-auth | |
Introduced | 16.0.R6 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
isakmp-lifetime number
Synopsis | Phase 1 lifetime for the IKE transform instance | |
Context | configure ipsec ike-transform number isakmp-lifetime number | |
Tree | isakmp-lifetime | |
Range | 1200 to 31536000 | |
Units | seconds | |
Default | 86400 | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
ipsec-transform [id] number
Synopsis | Enter the ipsec-transform list instance | |
Context | configure ipsec ipsec-transform number | |
Tree | ipsec-transform | |
Description | Commands in this context create an IPsec transform policy. IPsec transform policies can be shared. A change to the IPsec transform is allowed at any time. The change does not impact tunnels that have already been established until they are renegotiated. If the change is required immediately, the tunnel must be cleared (reset) to force renegotiation. | |
Max. instances | 2048 | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
[id] number
Synopsis | IPsec transform policy ID | |
Context | configure ipsec ipsec-transform number | |
Tree | ipsec-transform | |
Range | 1 to 2048 | |
Notes | This element is part of a list key. | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
esp-auth-algorithm keyword
Synopsis | Encapsulating Security Payload (ESP) authentication | |
Context | configure ipsec ipsec-transform number esp-auth-algorithm keyword | |
Tree | esp-auth-algorithm | |
Description | This command specifies the hashing algorithm used for the authentication function. Both ends of a manually configured tunnel must share the same configuration for the IPsec tunnel to enter the operational state. | |
Options | ||
Default | sha-1 | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
esp-encryption-algorithm keyword
Synopsis | Encryption algorithm for the IPsec transform session | |
Context | configure ipsec ipsec-transform number esp-encryption-algorithm keyword | |
Tree | esp-encryption-algorithm | |
Description | This command specifies the encryption algorithm used for the IPsec session. Encryption applies only to ESP configurations. If encryption is not defined, ESP is not used. Both ends of a manually configured tunnel must share the same encryption algorithm for the IPsec tunnel to enter the operational state. When AES-GCM or AES-GMAC is configured: | |
Options | ||
Default | aes-128 | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
extended-sequence-number boolean
Synopsis | Enable extended sequence numbering support | |
Context | configure ipsec ipsec-transform number extended-sequence-number boolean | |
Tree | extended-sequence-number | |
Description | When configured to true, this command enables 64-bit extended sequence numbering support. This numbering is used for high-throughput CHILD_SAs to avoid the frequent rekeying caused by sequence number wraparound. When configured to false, only 32-bit sequence numbering is supported. | |
Default | false | |
Introduced | 21.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
ipsec-lifetime number
Synopsis | Phase 2 lifetime for the IPsec transform session | |
Context | configure ipsec ipsec-transform number ipsec-lifetime number | |
Tree | ipsec-lifetime | |
Description | This command configures the lifetime of the Phase 2 IKE key. When unconfigured, the value is inherited from the IPsec lifetime of the IKE policy configured for the same IPsec gateway or IPsec tunnel. | |
Range | 1200 to 31536000 | |
Units | seconds | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
pfs-dh-group keyword
Synopsis | Diffie-Hellman group used for PFS compilation | |
Context | configure ipsec ipsec-transform number pfs-dh-group keyword | |
Tree | pfs-dh-group | |
Description | This command specifies the DH group used for Perfect Forward Secrecy (PFS) compilation during CHILD_SA rekeying. When unconfigured, the value is inherited from the DH group value from the IPsec gateway or IPsec tunnel. | |
Options | ||
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
ipsec-transport-mode-profile [name] named-item
Synopsis | Enter the ipsec-transport-mode-profile list instance | |
Context | configure ipsec ipsec-transport-mode-profile named-item | |
Tree | ipsec-transport-mode-profile | |
Description | Commands in this context configure IPsec-specific attributes that allow an IP tunnel (for example, GRE) to be protected by using IPsec transport mode. | |
Introduced | 21.10.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
[name] named-item
Synopsis | IPsec transport mode profile name string | |
Context | configure ipsec ipsec-transport-mode-profile named-item | |
Tree | ipsec-transport-mode-profile | |
Description | This command specifies the name of the IPsec transport mode profile. | |
String length | 1 to 32 | |
Notes | This element is part of a list key. | |
Introduced | 21.10.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
description description
Synopsis | Text description | |
Context | configure ipsec ipsec-transport-mode-profile named-item description description | |
Tree | description | |
String length | 1 to 80 | |
Introduced | 21.10.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
key-exchange
Synopsis | Enter the key-exchange context | |
Context | configure ipsec ipsec-transport-mode-profile named-item key-exchange | |
Tree | key-exchange | |
Description | Commands in this context configure the key exchange used each time the Security Association (SA) key is renegotiated. | |
Introduced | 21.10.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
dynamic
Synopsis | Enter the dynamic context | |
Context | configure ipsec ipsec-transport-mode-profile named-item key-exchange dynamic | |
Tree | dynamic | |
Description | Commands in this context configure dynamic keying for the transport mode profile. | |
Introduced | 21.10.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
auto-establish boolean
Synopsis | Attempt to establish a phase 1 exchange automatically | |
Context | configure ipsec ipsec-transport-mode-profile named-item key-exchange dynamic auto-establish boolean | |
Tree | auto-establish | |
Default | false | |
Introduced | 21.10.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
cert
Synopsis | Enter the cert context | |
Context | configure ipsec ipsec-transport-mode-profile named-item key-exchange dynamic cert | |
Tree | cert | |
Description | Commands in this context configure the attributes of the dynamic keying certificate. | |
Introduced | 21.10.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
cert-profile reference
Synopsis | Certificate profile name | |
Context | configure ipsec ipsec-transport-mode-profile named-item key-exchange dynamic cert cert-profile reference | |
Tree | cert-profile | |
Reference | configure ipsec cert-profile named-item | |
Introduced | 21.10.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
status-verify
Synopsis | Enter the status-verify context | |
Context | configure ipsec ipsec-transport-mode-profile named-item key-exchange dynamic cert status-verify | |
Tree | status-verify | |
Description | Commands in this context configure attributes of Certificate Status Verification (CSV). | |
Introduced | 21.10.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
default-result keyword
Synopsis | Default result for Certificate Status Verification | |
Context | configure ipsec ipsec-transport-mode-profile named-item key-exchange dynamic cert status-verify default-result keyword | |
Tree | default-result | |
Description | This command specifies the default certificate revocation status result to use when all configured CSV methods fail to return a result. | |
Options | ||
Default | revoked | |
Introduced | 21.10.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
primary keyword
Synopsis | Primary method of CSV to verify the revocation status | |
Context | configure ipsec ipsec-transport-mode-profile named-item key-exchange dynamic cert status-verify primary keyword | |
Tree | primary | |
Description | This command configures the primary method of Certificate Status Verification (CSV) that is used to verify the revocation status of the certificate of the peer. | |
Options | ||
Default | crl | |
Introduced | 21.10.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
secondary keyword
Synopsis | Secondary method used to verify certificate revocation | |
Context | configure ipsec ipsec-transport-mode-profile named-item key-exchange dynamic cert status-verify secondary keyword | |
Tree | secondary | |
Description | This command specifies the secondary method of Certificate Status Verification (CSV) that is used to verify the revocation status of the peer certificate. | |
Options | ||
Default | none | |
Introduced | 21.10.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
trust-anchor-profile reference
Synopsis | Trust anchor profile name | |
Context | configure ipsec ipsec-transport-mode-profile named-item key-exchange dynamic cert trust-anchor-profile reference | |
Tree | trust-anchor-profile | |
Reference | configure ipsec trust-anchor-profile named-item | |
Introduced | 21.10.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
id
Synopsis | Enter the id context | |
Context | configure ipsec ipsec-transport-mode-profile named-item key-exchange dynamic id | |
Tree | id | |
Description | Commands in this context specify the local ID used for IDi or IDr for IKEv2 negotiation. The default behavior depends on the local authentication method as follows: | |
Introduced | 21.10.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
fqdn fully-qualified-domain-name
Synopsis | FQDN used as the local ID IKE type | |
Context | configure ipsec ipsec-transport-mode-profile named-item key-exchange dynamic id fqdn fully-qualified-domain-name | |
Tree | fqdn | |
String length | 1 to 255 | |
Notes | The following elements are part of a choice: fqdn, ipv4, or ipv6. | |
Introduced | 21.10.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
ipv4 ipv4-unicast-address
Synopsis | IPv4 as the local ID type | |
Context | configure ipsec ipsec-transport-mode-profile named-item key-exchange dynamic id ipv4 ipv4-unicast-address | |
Tree | ipv4 | |
Notes | The following elements are part of a choice: fqdn, ipv4, or ipv6. | |
Introduced | 21.10.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
ipv6 (ipv4-address-no-zone | ipv6-address-no-zone)
Synopsis | IPv6 used as the local IKE ID type | |
Context | configure ipsec ipsec-transport-mode-profile named-item key-exchange dynamic id ipv6 (ipv4-address-no-zone | ipv6-address-no-zone) | |
Tree | ipv6 | |
Notes | The following elements are part of a choice: fqdn, ipv4, or ipv6. | |
Introduced | 21.10.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
ike-policy reference
Synopsis | IKE policy ID | |
Context | configure ipsec ipsec-transport-mode-profile named-item key-exchange dynamic ike-policy reference | |
Tree | ike-policy | |
Description | This command specifies the ID of the IKE policy used for IKE negotiation. The ipsec-transport-mode-profile configuration only supports IKEv2. | |
Reference | configure ipsec ike-policy number | |
Introduced | 21.10.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
ipsec-transform reference
Synopsis | IPsec transform IDs used by the dynamic key | |
Context | configure ipsec ipsec-transport-mode-profile named-item key-exchange dynamic ipsec-transform reference | |
Tree | ipsec-transform | |
Description | This command specifies IPsec transform IDs used for CHILD_SA negotiation. | |
Reference | configure ipsec ipsec-transform number | |
Max. instances | 4 | |
Introduced | 21.10.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
ppk
Synopsis | Enter the ppk context | |
Context | configure ipsec ipsec-transport-mode-profile named-item key-exchange dynamic ppk | |
Tree | ppk | |
Description | Commands in this context configure the PPKs to use for dynamic keying of the IPsec tunnel. | |
Introduced | 24.10.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
id reference
Synopsis | PPK ID | |
Context | configure ipsec ipsec-transport-mode-profile named-item key-exchange dynamic ppk id reference | |
Tree | id | |
Reference | ||
Introduced | 24.10.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
list reference
Synopsis | PPK list instance name | |
Context | configure ipsec ipsec-transport-mode-profile named-item key-exchange dynamic ppk list reference | |
Tree | list | |
Reference | ||
Introduced | 24.10.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
pre-shared-key encrypted-leaf
Synopsis | Pre-shared key for IKE authentication | |
Context | configure ipsec ipsec-transport-mode-profile named-item key-exchange dynamic pre-shared-key encrypted-leaf | |
Tree | pre-shared-key | |
String length | 1 to 115 | |
Introduced | 21.10.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
max-history-key-records
Synopsis | Enter the max-history-key-records context | |
Context | configure ipsec ipsec-transport-mode-profile named-item max-history-key-records | |
Tree | max-history-key-records | |
Description | Commands in this context configure the settings for recording historical IPsec keys. | |
Introduced | 21.10.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
esp number
Synopsis | Maximum number of recent records | |
Context | configure ipsec ipsec-transport-mode-profile named-item max-history-key-records esp number | |
Tree | esp | |
Range | 1 to 48 | |
Introduced | 21.10.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
ike number
Synopsis | Maximum number of historical IKE key records | |
Context | configure ipsec ipsec-transport-mode-profile named-item max-history-key-records ike number | |
Tree | ike | |
Range | 1 to 3 | |
Introduced | 21.10.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
replay-window number
Synopsis | Anti-replay window size | |
Context | configure ipsec ipsec-transport-mode-profile named-item replay-window number | |
Tree | replay-window | |
Description | This command specifies the size of an IPsec anti-replay window. If unconfigured, IPsec anti-replay is disabled. | |
Range | 32 | 64 | 128 | 256 | 512 | |
Units | packets | |
Introduced | 21.10.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
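The `replay-window` leaf sizes the sliding window that ESP uses to reject replayed packets, and disabling it (leaving the leaf unconfigured) removes that protection entirely. The Python model below is an added illustration, not Nokia code: it implements the bitmask window from RFC 4303 Appendix A with the sizes the leaf offers, and treats a packet as either new (accepted, window advanced), inside the window but already seen (replay, rejected) or older than the window (too old, rejected). It assumes the caller supplies the full sequence number, which with `extended-sequence-number` is the reconstructed 64-bit value; the `needs_rekey` helper only shows where the 32-bit counter runs out.

```python
class AntiReplayWindow:
    """Sliding anti-replay window for ESP (RFC 4303, Appendix A); constructed example."""

    ALLOWED_SIZES = (32, 64, 128, 256, 512)   # values accepted by the replay-window leaf

    def __init__(self, size=64, esn=False):
        if size not in self.ALLOWED_SIZES:
            raise ValueError("replay-window must be one of %s" % (self.ALLOWED_SIZES,))
        self.size = size
        self.esn = esn
        self.mask = (1 << size) - 1
        self.last_seq = 0     # highest sequence number accepted so far (right edge)
        self.bitmap = 0       # bit i set => sequence number (last_seq - i) already accepted

    def check_and_update(self, seq):
        """Return True and record seq if it is new and inside the window, else False."""
        if seq == 0:
            return False      # the first packet on an SA carries sequence number 1
        if seq > self.last_seq:
            shift = seq - self.last_seq
            if shift >= self.size:
                self.bitmap = 1          # everything previously seen is now too old
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & self.mask
            self.last_seq = seq
            return True
        diff = self.last_seq - seq
        if diff >= self.size:
            return False      # too old: fell off the left edge of the window
        if self.bitmap & (1 << diff):
            return False      # replay: this sequence number was already accepted
        self.bitmap |= 1 << diff
        return True

    def needs_rekey(self):
        """True once the counter is about to wrap: 2^32 without ESN, 2^64 with it."""
        limit = (1 << 64) - 1 if self.esn else (1 << 32) - 1
        return self.last_seq >= limit


def classify(size, sequence_numbers):
    """Run a sequence of received numbers through one window; returns accept/reject flags."""
    w = AntiReplayWindow(size)
    return [w.check_and_update(s) for s in sequence_numbers]
```

Out-of-order delivery within the window is accepted (5 then 3 is fine), so the window size is a tolerance for reordering as much as a security bound; a window that is too small for the path's reordering rejects legitimate packets, which is why the leaf offers sizes up to 512.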
ppk-list [name] named-item
Synopsis | Enter the ppk-list list instance | |
Context | configure ipsec ppk-list named-item | |
Tree | ppk-list | |
Description | Commands in this context configure the list of Post-quantum Preshared Keys (PPKs) to use for IKEv2 key derivation, as described in RFC 8784. | |
Max. instances | 128 | |
Introduced | 24.10.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
[name] named-item
ppk [ppk-id] named-item-64
[ppk-id] named-item-64
value
ascii encrypted-leaf
Synopsis | PPK value as an ASCII string | |
Context | configure ipsec ppk-list named-item ppk named-item-64 value ascii encrypted-leaf | |
Tree | ascii | |
String length | 1 to 115 | |
Notes | The following elements are part of a mandatory choice: ascii or hex. | |
Introduced | 24.10.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
hex encrypted-leaf-hex
Synopsis | PPK value as a hexadecimal string with prefix 0x | |
Context | configure ipsec ppk-list named-item ppk named-item-64 value hex encrypted-leaf-hex | |
Tree | hex | |
String length | 1 to 115 | |
Notes | The following elements are part of a mandatory choice: ascii or hex. | |
Introduced | 24.10.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
radius
accounting-policy [name] named-item
Synopsis | Enter the accounting-policy list instance | |
Context | configure ipsec radius accounting-policy named-item | |
Tree | accounting-policy | |
Description | Commands in this context configure RADIUS accounting policies to collect accounting statistics. | |
Max. instances | 100 | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
[name] named-item
Synopsis | RADIUS accounting policy name | |
Context | configure ipsec radius accounting-policy named-item | |
Tree | accounting-policy | |
String length | 1 to 32 | |
Notes | This element is part of a list key. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
include-radius-attribute
Synopsis | Enter the include-radius-attribute context | |
Context | configure ipsec radius accounting-policy named-item include-radius-attribute | |
Tree | include-radius-attribute | |
Description | Commands in this context specify the RADIUS attributes that are to be included in the RADIUS Authentication-Request messages. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
acct-stats boolean
Synopsis | Include accounting attributes in RADIUS packets | |
Context | configure ipsec radius accounting-policy named-item include-radius-attribute acct-stats boolean | |
Tree | acct-stats | |
Default | false | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
called-station-id boolean
Synopsis | Include the Called-Station-Id attribute | |
Context | configure ipsec radius accounting-policy named-item include-radius-attribute called-station-id boolean | |
Tree | called-station-id | |
Default | false | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
calling-station-id boolean
Synopsis | Include the Calling-Station-Id attribute | |
Context | configure ipsec radius accounting-policy named-item include-radius-attribute calling-station-id boolean | |
Tree | calling-station-id | |
Default | false | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
framed-ip-addr boolean
Synopsis | Include the Framed-IP-Address attribute | |
Context | configure ipsec radius accounting-policy named-item include-radius-attribute framed-ip-addr boolean | |
Tree | framed-ip-addr | |
Default | false | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
framed-ipv6-prefix boolean
Synopsis | Include the Framed-IPv6-Prefix attribute | |
Context | configure ipsec radius accounting-policy named-item include-radius-attribute framed-ipv6-prefix boolean | |
Tree | framed-ipv6-prefix | |
Default | false | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
nas-identifier boolean
Synopsis | Include the NAS-Identifier attribute | |
Context | configure ipsec radius accounting-policy named-item include-radius-attribute nas-identifier boolean | |
Tree | nas-identifier | |
Default | false | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
nas-ip-addr boolean
Synopsis | Include the NAS-IP-Address attribute | |
Context | configure ipsec radius accounting-policy named-item include-radius-attribute nas-ip-addr boolean | |
Tree | nas-ip-addr | |
Default | false | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
nas-port-id boolean
Synopsis | Include the NAS-Port-Id attribute | |
Context | configure ipsec radius accounting-policy named-item include-radius-attribute nas-port-id boolean | |
Tree | nas-port-id | |
Default | false | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
radius-server-policy reference
Synopsis | Referenced RADIUS server policy | |
Context | configure ipsec radius accounting-policy named-item radius-server-policy reference | |
Tree | radius-server-policy | |
Reference | configure aaa radius server-policy named-item | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
update-interval
Synopsis | Enter the update-interval context | |
Context | configure ipsec radius accounting-policy named-item update-interval | |
Tree | update-interval | |
Description | Commands in this context determine how RADIUS interim-update packets are sent for IKEv2 remote-access tunnels. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
jitter number
Synopsis | Jitter interval for sending each interim-update packet | |
Context | configure ipsec radius accounting-policy named-item update-interval jitter number | |
Tree | jitter | |
Description | This command specifies the jitter interval for the RADIUS interim-update packets. When unconfigured, the system uses 10% of the update interval value. | |
Range | 0 to 3600 | |
Units | seconds | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
value number
Synopsis | Update interval of the RADIUS accounting data | |
Context | configure ipsec radius accounting-policy named-item update-interval value number | |
Tree | value | |
Description | This command configures the update interval of the RADIUS accounting data. If a value of 0 is configured, no intermediate updates are sent. | |
Range | 0 or 5 to 259200 | |
Units | minutes | |
Default | 10 | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
authentication-policy [name] named-item
Synopsis | Enter the authentication-policy list instance | |
Context | configure ipsec radius authentication-policy named-item | |
Tree | authentication-policy | |
Description | Commands in this context configure the RADIUS authentication policy associated with the IPsec gateway. | |
Max. instances | 100 | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
[name] named-item
Synopsis | RADIUS authentication policy name | |
Context | configure ipsec radius authentication-policy named-item | |
Tree | authentication-policy | |
String length | 1 to 32 | |
Notes | This element is part of a list key. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
include-radius-attribute
Synopsis | Enter the include-radius-attribute context | |
Context | configure ipsec radius authentication-policy named-item include-radius-attribute | |
Tree | include-radius-attribute | |
Description | Commands in this context specify the RADIUS attributes to be included in the RADIUS Authentication-Request messages. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
called-station-id boolean
Synopsis | Include the Called-Station-Id attribute | |
Context | configure ipsec radius authentication-policy named-item include-radius-attribute called-station-id boolean | |
Tree | called-station-id | |
Default | false | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
calling-station-id boolean
Synopsis | Include the Calling-Station-Id attribute | |
Context | configure ipsec radius authentication-policy named-item include-radius-attribute calling-station-id boolean | |
Tree | calling-station-id | |
Default | false | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
client-cert-subject-key-id boolean
Synopsis | Include the Subject Key Identifier | |
Context | configure ipsec radius authentication-policy named-item include-radius-attribute client-cert-subject-key-id boolean | |
Tree | client-cert-subject-key-id | |
Description | When configured to true, the Subject Key Identifier of the certificate of the peer is included in the RADIUS Access-Request packet as VSA: Alc-Subject-Key-Identifier. See the 7450 ESS, 7750 SR, 7950 XRS, and VSR RADIUS Attributes Reference Guide for more information. | |
Default | false | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
nas-identifier boolean
Synopsis | Include the NAS-Identifier attribute | |
Context | configure ipsec radius authentication-policy named-item include-radius-attribute nas-identifier boolean | |
Tree | nas-identifier | |
Default | false | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
nas-ip-addr boolean
Synopsis | Include the NAS-IP-Address attribute | |
Context | configure ipsec radius authentication-policy named-item include-radius-attribute nas-ip-addr boolean | |
Tree | nas-ip-addr | |
Default | false | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
nas-port-id boolean
Synopsis | Include the NAS-Port-Id attribute | |
Context | configure ipsec radius authentication-policy named-item include-radius-attribute nas-port-id boolean | |
Tree | nas-port-id | |
Default | false | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
password encrypted-leaf
Synopsis | Password used in RADIUS access requests | |
Context | configure ipsec radius authentication-policy named-item password encrypted-leaf | |
Tree | password | |
String length | 1 to 115 | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
radius-server-policy reference
Synopsis | Referenced RADIUS server policy | |
Context | configure ipsec radius authentication-policy named-item radius-server-policy reference | |
Tree | radius-server-policy | |
Reference | configure aaa radius server-policy named-item | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
show-ipsec-keys boolean
Synopsis | Show IPsec IKE and ESP keys in the output | |
Context | configure ipsec show-ipsec-keys boolean | |
Tree | show-ipsec-keys | |
Description | When configured to true, this command allows IPsec keys to be (optionally) included in the display output of certain debug and admin commands. When configured to false, the key display is disabled. | |
Default | false | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
static-sa [name] named-item
[name] named-item
authentication
Synopsis | Enable the authentication context | |
Context | configure ipsec static-sa named-item authentication | |
Tree | authentication | |
Introduced | 16.0.R6 | |
Platforms | All |
algorithm keyword
Synopsis | Authentication algorithm used for an IPsec manual SA | |
Context | configure ipsec static-sa named-item authentication algorithm keyword | |
Tree | algorithm | |
Options | ||
Notes | This element is mandatory. | |
Introduced | 16.0.R6 | |
Platforms | All |
key encrypted-leaf
Synopsis | Key used for the authentication algorithm | |
Context | configure ipsec static-sa named-item authentication key encrypted-leaf | |
Tree | key | |
String length | 1 to 54 | |
Notes | This element is mandatory. | |
Introduced | 16.0.R6 | |
Platforms | All |
description named-item
Synopsis | Text description | |
Context | configure ipsec static-sa named-item description named-item | |
Tree | description | |
String length | 1 to 32 | |
Introduced | 16.0.R6 | |
Platforms | All |
direction keyword
protocol keyword
spi number
Synopsis | Security Parameter Index (SPI) for the static SA | |
Context | configure ipsec static-sa named-item spi number | |
Tree | spi | |
Description | This command specifies the SPI for the static SA. When the direction command is set to inbound, the SPI is used to look up the instruction to verify and decrypt the incoming IPsec packets. When the direction command is set to outbound, the SPI is used in the encoding of the outgoing packets. The remote node can use the SPI to look up the instruction to verify and decrypt the packet. When unconfigured, the static SA cannot be used. | |
Range | 256 to 16383 | |
Introduced | 16.0.R6 | |
Platforms | All |
trust-anchor-profile [name] named-item
Synopsis | Enter the trust-anchor-profile list instance | |
Context | configure ipsec trust-anchor-profile named-item | |
Tree | trust-anchor-profile | |
Max. instances | 10128 | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
[name] named-item
Synopsis | Trust anchor profile name for IPsec tunnel or gateway | |
Context | configure ipsec trust-anchor-profile named-item | |
Tree | trust-anchor-profile | |
String length | 1 to 32 | |
Notes | This element is part of a list key. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
trust-anchor [ca-profile] reference
Synopsis | Add a list entry for trust-anchor | |
Context | configure ipsec trust-anchor-profile named-item trust-anchor reference | |
Tree | trust-anchor | |
Description | Commands in this context configure a CA profile as a trust anchor CA. | |
Max. instances | 8 | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
[ca-profile] reference
Synopsis | Name of the CA profile as a trust anchor profile | |
Context | configure ipsec trust-anchor-profile named-item trust-anchor reference | |
Tree | trust-anchor | |
Reference | configure system security pki ca-profile named-item | |
Notes | This element is part of a list key. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
ts-list [name] named-item
[name] named-item
local
Synopsis | Enter the local context | |
Context | configure ipsec ts-list named-item local | |
Tree | local | |
Description | Commands in this context configure a local TS list, a traffic selector, such as TSr, when the system acts as an IKEv2 responder. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
entry [id] number
[id] number
address
prefix (ipv4-prefix | ipv6-prefix)
Synopsis | IP prefix for address range in IKEv2 traffic selector | |
Context | configure ipsec ts-list named-item local entry number address prefix (ipv4-prefix | ipv6-prefix) | |
Tree | prefix | |
Notes | The following elements are part of a mandatory choice: prefix or range. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
range
begin (ipv4-address-no-zone | ipv6-address-no-zone)
end (ipv4-address-no-zone | ipv6-address-no-zone)
protocol
any
id
icmp
Synopsis | Enter the icmp context | |
Context | configure ipsec ts-list named-item local entry number protocol id icmp | |
Tree | icmp | |
Notes | The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
opaque
Synopsis | Support OPAQUE ports | |
Context | configure ipsec ts-list named-item local entry number protocol id icmp opaque | |
Tree | opaque | |
Description | This command allows the protocol ID to be accepted even when the port information is not available. | |
Notes | The following elements are part of a choice: opaque or port-range. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
port-range
Synopsis | Enable the port-range context | |
Context | configure ipsec ts-list named-item local entry number protocol id icmp port-range | |
Tree | port-range | |
Description | Commands in this context configure port range information for the protocol. | |
Notes | The following elements are part of a choice: opaque or port-range. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
begin-icmp-code number
Synopsis | Lower bound of the ICMP code range | |
Context | configure ipsec ts-list named-item local entry number protocol id icmp port-range begin-icmp-code number | |
Tree | begin-icmp-code | |
Range | 0 to 255 | |
Notes | This element is mandatory. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
begin-icmp-type number
Synopsis | Lower bound of the ICMP type range | |
Context | configure ipsec ts-list named-item local entry number protocol id icmp port-range begin-icmp-type number | |
Tree | begin-icmp-type | |
Range | 0 to 255 | |
Notes | This element is mandatory. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
end-icmp-code number
Synopsis | Upper bound of the ICMP code range | |
Context | configure ipsec ts-list named-item local entry number protocol id icmp port-range end-icmp-code number | |
Tree | end-icmp-code | |
Range | 0 to 255 | |
Notes | This element is mandatory. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
end-icmp-type number
Synopsis | Upper bound of the ICMP type range | |
Context | configure ipsec ts-list named-item local entry number protocol id icmp port-range end-icmp-type number | |
Tree | end-icmp-type | |
Range | 0 to 255 | |
Notes | This element is mandatory. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
icmp6
Synopsis | Enter the icmp6 context | |
Context | configure ipsec ts-list named-item local entry number protocol id icmp6 | |
Tree | icmp6 | |
Notes | The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
opaque
Synopsis | Support OPAQUE ports | |
Context | configure ipsec ts-list named-item local entry number protocol id icmp6 opaque | |
Tree | opaque | |
Description | This command allows the protocol ID to be accepted even when the port information is not available. | |
Notes | The following elements are part of a choice: opaque or port-range. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
port-range
Synopsis | Enable the port-range context | |
Context | configure ipsec ts-list named-item local entry number protocol id icmp6 port-range | |
Tree | port-range | |
Description | Commands in this context configure port range information for the protocol. | |
Notes | The following elements are part of a choice: opaque or port-range. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
begin-icmp-code number
Synopsis | Lower bound of the ICMP code range | |
Context | configure ipsec ts-list named-item local entry number protocol id icmp6 port-range begin-icmp-code number | |
Tree | begin-icmp-code | |
Range | 0 to 255 | |
Notes | This element is mandatory. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
begin-icmp-type number
Synopsis | Lower bound of the ICMP type range | |
Context | configure ipsec ts-list named-item local entry number protocol id icmp6 port-range begin-icmp-type number | |
Tree | begin-icmp-type | |
Range | 0 to 255 | |
Notes | This element is mandatory. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
end-icmp-code number
Synopsis | Upper bound of the ICMP code range | |
Context | configure ipsec ts-list named-item local entry number protocol id icmp6 port-range end-icmp-code number | |
Tree | end-icmp-code | |
Range | 0 to 255 | |
Notes | This element is mandatory. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
end-icmp-type number
Synopsis | Upper bound of the ICMP type range | |
Context | configure ipsec ts-list named-item local entry number protocol id icmp6 port-range end-icmp-type number | |
Tree | end-icmp-type | |
Range | 0 to 255 | |
Notes | This element is mandatory. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
mipv6
Synopsis | Enter the mipv6 context | |
Context | configure ipsec ts-list named-item local entry number protocol id mipv6 | |
Tree | mipv6 | |
Notes | The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
opaque
Synopsis | Support OPAQUE ports | |
Context | configure ipsec ts-list named-item local entry number protocol id mipv6 opaque | |
Tree | opaque | |
Description | This command allows the protocol ID to be accepted even when the port information is not available. | |
Notes | The following elements are part of a choice: opaque or port-range. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
port-range
Synopsis | Enable the port-range context | |
Context | configure ipsec ts-list named-item local entry number protocol id mipv6 port-range | |
Tree | port-range | |
Notes | The following elements are part of a choice: opaque or port-range. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
begin number
end number
protocol-id-with-any-port (keyword | number)
Synopsis | Protocol ID that accepts any port value | |
Context | configure ipsec ts-list named-item local entry number protocol id protocol-id-with-any-port (keyword | number) | |
Tree | protocol-id-with-any-port | |
Range | 1 to 255 | |
Options | ||
Notes | The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
sctp
Synopsis | Enter the sctp context | |
Context | configure ipsec ts-list named-item local entry number protocol id sctp | |
Tree | sctp | |
Notes | The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
opaque
Synopsis | Support OPAQUE ports | |
Context | configure ipsec ts-list named-item local entry number protocol id sctp opaque | |
Tree | opaque | |
Description | This command allows the protocol ID to be accepted even when the port information is not available. | |
Notes | The following elements are part of a choice: opaque or port-range. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
port-range
Synopsis | Enable the port-range context | |
Context | configure ipsec ts-list named-item local entry number protocol id sctp port-range | |
Tree | port-range | |
Notes | The following elements are part of a choice: opaque or port-range. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
begin number
end number
tcp
Synopsis | Enter the tcp context | |
Context | configure ipsec ts-list named-item local entry number protocol id tcp | |
Tree | tcp | |
Notes | The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
opaque
Synopsis | Support OPAQUE ports | |
Context | configure ipsec ts-list named-item local entry number protocol id tcp opaque | |
Tree | opaque | |
Description | This command allows the protocol ID to be accepted even when the port information is not available. | |
Notes | The following elements are part of a choice: opaque or port-range. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
port-range
Synopsis | Enable the port-range context | |
Context | configure ipsec ts-list named-item local entry number protocol id tcp port-range | |
Tree | port-range | |
Notes | The following elements are part of a choice: opaque or port-range. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
begin number
end number
udp
Synopsis | Enter the udp context | |
Context | configure ipsec ts-list named-item local entry number protocol id udp | |
Tree | udp | |
Notes | The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
opaque
Synopsis | Support OPAQUE ports | |
Context | configure ipsec ts-list named-item local entry number protocol id udp opaque | |
Tree | opaque | |
Description | This command allows the protocol ID to be accepted even when the port information is not available. | |
Notes | The following elements are part of a choice: opaque or port-range. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
port-range
Synopsis | Enable the port-range context | |
Context | configure ipsec ts-list named-item local entry number protocol id udp port-range | |
Tree | port-range | |
Notes | The following elements are part of a choice: opaque or port-range. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
begin number
end number
remote
Synopsis | Enter the remote context | |
Context | configure ipsec ts-list named-item remote | |
Tree | remote | |
Description | Commands in this context configure a remote TS list, a traffic selector, such as TSr, when the system acts as an IKEv2 responder. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
entry [id] number
[id] number
address
prefix (ipv4-prefix | ipv6-prefix)
Synopsis | IP prefix for address range in IKEv2 traffic selector | |
Context | configure ipsec ts-list named-item remote entry number address prefix (ipv4-prefix | ipv6-prefix) | |
Tree | prefix | |
Notes | The following elements are part of a mandatory choice: prefix or range. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
range
begin (ipv4-address-no-zone | ipv6-address-no-zone)
Synopsis | Lower bound of the IP address range for the entry | |
Context | configure ipsec ts-list named-item remote entry number address range begin (ipv4-address-no-zone | ipv6-address-no-zone) | |
Tree | begin | |
Notes | This element is mandatory. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
end (ipv4-address-no-zone | ipv6-address-no-zone)
protocol
any
id
icmp
Synopsis | Enter the icmp context | |
Context | configure ipsec ts-list named-item remote entry number protocol id icmp | |
Tree | icmp | |
Notes | The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
opaque
Synopsis | Support OPAQUE ports | |
Context | configure ipsec ts-list named-item remote entry number protocol id icmp opaque | |
Tree | opaque | |
Description | This command allows the protocol ID to be accepted even when the port information is not available. | |
Notes | The following elements are part of a choice: opaque or port-range. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
port-range
Synopsis | Enable the port-range context | |
Context | configure ipsec ts-list named-item remote entry number protocol id icmp port-range | |
Tree | port-range | |
Description | Commands in this context configure port range information for the protocol. | |
Notes | The following elements are part of a choice: opaque or port-range. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
begin-icmp-code number
Synopsis | Lower bound of the ICMP code range | |
Context | configure ipsec ts-list named-item remote entry number protocol id icmp port-range begin-icmp-code number | |
Tree | begin-icmp-code | |
Range | 0 to 255 | |
Notes | This element is mandatory. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
begin-icmp-type number
Synopsis | Lower bound of the ICMP type range | |
Context | configure ipsec ts-list named-item remote entry number protocol id icmp port-range begin-icmp-type number | |
Tree | begin-icmp-type | |
Range | 0 to 255 | |
Notes | This element is mandatory. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
end-icmp-code number
Synopsis | Upper bound of the ICMP code range | |
Context | configure ipsec ts-list named-item remote entry number protocol id icmp port-range end-icmp-code number | |
Tree | end-icmp-code | |
Range | 0 to 255 | |
Notes | This element is mandatory. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
end-icmp-type number
Synopsis | Upper bound of the ICMP type range | |
Context | configure ipsec ts-list named-item remote entry number protocol id icmp port-range end-icmp-type number | |
Tree | end-icmp-type | |
Range | 0 to 255 | |
Notes | This element is mandatory. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
icmp6
Synopsis | Enter the icmp6 context | |
Context | configure ipsec ts-list named-item remote entry number protocol id icmp6 | |
Tree | icmp6 | |
Notes | The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
opaque
Synopsis | Support OPAQUE ports | |
Context | configure ipsec ts-list named-item remote entry number protocol id icmp6 opaque | |
Tree | opaque | |
Description | This command allows the protocol ID to be accepted even when the port information is not available. | |
Notes | The following elements are part of a choice: opaque or port-range. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
port-range
Synopsis | Enable the port-range context | |
Context | configure ipsec ts-list named-item remote entry number protocol id icmp6 port-range | |
Tree | port-range | |
Description | Commands in this context configure port range information for the protocol. | |
Notes | The following elements are part of a choice: opaque or port-range. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
begin-icmp-code number
Synopsis | Lower bound of the ICMP code range | |
Context | configure ipsec ts-list named-item remote entry number protocol id icmp6 port-range begin-icmp-code number | |
Tree | begin-icmp-code | |
Range | 0 to 255 | |
Notes | This element is mandatory. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
begin-icmp-type number
Synopsis | Lower bound of the ICMP type range | |
Context | configure ipsec ts-list named-item remote entry number protocol id icmp6 port-range begin-icmp-type number | |
Tree | begin-icmp-type | |
Range | 0 to 255 | |
Notes | This element is mandatory. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
end-icmp-code number
Synopsis | Upper bound of the ICMP code range | |
Context | configure ipsec ts-list named-item remote entry number protocol id icmp6 port-range end-icmp-code number | |
Tree | end-icmp-code | |
Range | 0 to 255 | |
Notes | This element is mandatory. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
end-icmp-type number
Synopsis | Upper bound of the ICMP type range | |
Context | configure ipsec ts-list named-item remote entry number protocol id icmp6 port-range end-icmp-type number | |
Tree | end-icmp-type | |
Range | 0 to 255 | |
Notes | This element is mandatory. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
mipv6
Synopsis | Enter the mipv6 context | |
Context | configure ipsec ts-list named-item remote entry number protocol id mipv6 | |
Tree | mipv6 | |
Notes | The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
opaque
Synopsis | Support OPAQUE ports | |
Context | configure ipsec ts-list named-item remote entry number protocol id mipv6 opaque | |
Tree | opaque | |
Description | This command allows the protocol ID to be accepted even when the port information is not available. | |
Notes | The following elements are part of a choice: opaque or port-range. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
port-range
Synopsis | Enable the port-range context | |
Context | configure ipsec ts-list named-item remote entry number protocol id mipv6 port-range | |
Tree | port-range | |
Notes | The following elements are part of a choice: opaque or port-range. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
begin number
end number
protocol-id-with-any-port (keyword | number)
Synopsis | Protocol ID that accepts any port value | |
Context | configure ipsec ts-list named-item remote entry number protocol id protocol-id-with-any-port (keyword | number) | |
Tree | protocol-id-with-any-port | |
Range | 1 to 255 | |
Options | ||
Notes | The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
sctp
Synopsis | Enter the sctp context | |
Context | configure ipsec ts-list named-item remote entry number protocol id sctp | |
Tree | sctp | |
Notes | The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
opaque
Synopsis | Support OPAQUE ports | |
Context | configure ipsec ts-list named-item remote entry number protocol id sctp opaque | |
Tree | opaque | |
Description | This command allows the protocol ID to be accepted even when the port information is not available. | |
Notes | The following elements are part of a choice: opaque or port-range. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
port-range
Synopsis | Enable the port-range context | |
Context | configure ipsec ts-list named-item remote entry number protocol id sctp port-range | |
Tree | port-range | |
Notes | The following elements are part of a choice: opaque or port-range. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
begin number
end number
tcp
Synopsis | Enter the tcp context | |
Context | configure ipsec ts-list named-item remote entry number protocol id tcp | |
Tree | tcp | |
Notes | The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
opaque
Synopsis | Support OPAQUE ports | |
Context | configure ipsec ts-list named-item remote entry number protocol id tcp opaque | |
Tree | opaque | |
Description | This command allows the protocol ID to be accepted even when the port information is not available. | |
Notes | The following elements are part of a choice: opaque or port-range. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
port-range
Synopsis | Enable the port-range context | |
Context | configure ipsec ts-list named-item remote entry number protocol id tcp port-range | |
Tree | port-range | |
Notes | The following elements are part of a choice: opaque or port-range. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
begin number
end number
udp
Synopsis | Enter the udp context | |
Context | configure ipsec ts-list named-item remote entry number protocol id udp | |
Tree | udp | |
Notes | The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
opaque
Synopsis | Support OPAQUE ports | |
Context | configure ipsec ts-list named-item remote entry number protocol id udp opaque | |
Tree | opaque | |
Description | This command allows the protocol ID to be accepted even when the port information is not available. | |
Notes | The following elements are part of a choice: opaque or port-range. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
port-range
Synopsis | Enable the port-range context | |
Context | configure ipsec ts-list named-item remote entry number protocol id udp port-range | |
Tree | port-range | |
Notes | The following elements are part of a choice: opaque or port-range. | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
begin number
end number
tunnel-template [id] number
Synopsis | Enter the tunnel-template list instance | |
Context | configure ipsec tunnel-template number | |
Tree | tunnel-template | |
Max. instances | 2048 | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
[id] number
Synopsis | Tunnel template ID | |
Context | configure ipsec tunnel-template number | |
Tree | tunnel-template | |
Range | 1 to 2048 | |
Notes | This element is part of a list key. | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
clear-df-bit boolean
Synopsis | Clear the Do-not-Fragment (DF) bit | |
Context | configure ipsec tunnel-template number clear-df-bit boolean | |
Tree | clear-df-bit | |
Default | false | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
copy-traffic-class-upon-decapsulation boolean
Synopsis | Enable traffic class copy upon decapsulation | |
Context | configure ipsec tunnel-template number copy-traffic-class-upon-decapsulation boolean | |
Tree | copy-traffic-class-upon-decapsulation | |
Description | When configured to true, the system copies the traffic class from the outer tunnel IP packet header to the payload IP packet header in the decapsulating direction (public to private). When configured to false, the system does not copy the traffic class from the outer IP packet to the payload IP packet header upon decapsulation. | |
Default | false | |
Introduced | 21.5.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
description description
Synopsis | Text description | |
Context | configure ipsec tunnel-template number description description | |
Tree | description | |
String length | 1 to 80 | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
encapsulated-ip-mtu number
Synopsis | Maximum size of the encapsulated tunnel packet | |
Context | configure ipsec tunnel-template number encapsulated-ip-mtu number | |
Tree | encapsulated-ip-mtu | |
Description | This command specifies the maximum size of the encapsulated tunnel packet for the IPsec tunnel, the IP tunnel, or the dynamic tunnels terminated on the IPsec Gateway. If the encapsulated IPv4 or IPv6 tunnel packet exceeds this value, the system fragments the packet. | |
Range | 512 to 9000 | |
Units | octets | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
icmp-generation
Synopsis | Enter the icmp-generation context | |
Context | configure ipsec tunnel-template number icmp-generation | |
Tree | icmp-generation | |
Description | Commands in this context configure settings for ICMPv4 message generation. | |
Introduced | 21.5.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
frag-required
Synopsis | Enter the frag-required context | |
Context | configure ipsec tunnel-template number icmp-generation frag-required | |
Tree | frag-required | |
Description | Commands in this context configure the attributes for sending generated ICMP Destination Unreachable "fragmentation needed and DF set" messages (type 3, code 4) back to the source, if the received size of the IPv4 packet on the private side exceeds the private MTU size. | |
Introduced | 21.5.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
admin-state keyword
Synopsis | Administrative state of sending ICMP messages | |
Context | configure ipsec tunnel-template number icmp-generation frag-required admin-state keyword | |
Tree | admin-state | |
Description | This command configures the administrative state of sending ICMP Destination Unreachable "fragmentation needed, DF set" messages (type 3, code 4) to the source if the received size of the IPv4 packet on the private side exceeds the private MTU size. | |
Options | ||
Default | enable | |
Introduced | 21.5.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
interval number
Synopsis | Interval for sending ICMP messages | |
Context | configure ipsec tunnel-template number icmp-generation frag-required interval number | |
Tree | interval | |
Description | This command configures the interval for sending ICMP Destination Unreachable "fragmentation needed, DF set" messages (type 3, code 4). | |
Range | 1 to 60 | |
Units | seconds | |
Default | 10 | |
Introduced | 21.5.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
message-count number
Synopsis | Maximum number of ICMP messages that can be sent | |
Context | configure ipsec tunnel-template number icmp-generation frag-required message-count number | |
Tree | message-count | |
Description | This command configures the maximum number of ICMP Destination Unreachable "fragmentation needed, DF set" messages (type 3, code 4) that can be sent during the configured interval. | |
Range | 10 to 1000 | |
Default | 100 | |
Introduced | 21.5.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
icmp6-generation
Synopsis | Enter the icmp6-generation context | |
Context | configure ipsec tunnel-template number icmp6-generation | |
Tree | icmp6-generation | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
pkt-too-big
Synopsis | Enter the pkt-too-big context | |
Context | configure ipsec tunnel-template number icmp6-generation pkt-too-big | |
Tree | pkt-too-big | |
Description | Commands in this context configure values for the ICMPv6 Packet Too Big (PTB) messages. The system sends PTB messages if an IPv6 packet is received on the private side that is larger than 1280 bytes and also exceeds the private MTU of the tunnel. | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
admin-state keyword
Synopsis | Administrative state of sending Packet Too Big messages | |
Context | configure ipsec tunnel-template number icmp6-generation pkt-too-big admin-state keyword | |
Tree | admin-state | |
Options | ||
Default | enable | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
interval number
Synopsis | Maximum interval during which PTB messages can be sent | |
Context | configure ipsec tunnel-template number icmp6-generation pkt-too-big interval number | |
Tree | interval | |
Range | 1 to 60 | |
Units | seconds | |
Default | 10 | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
message-count number
Synopsis | Max ICMPv6 messages that can be sent during interval | |
Context | configure ipsec tunnel-template number icmp6-generation pkt-too-big message-count number | |
Tree | message-count | |
Range | 10 to 1000 | |
Default | 100 | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
ignore-default-route boolean
Synopsis | Ignore any full range traffic selector in TSi | |
Context | configure ipsec tunnel-template number ignore-default-route boolean | |
Tree | ignore-default-route | |
Description | When configured to true, any full range traffic selector is ignored when creating a reverse route. When configured to false, no CHILD_SA is created if any full range traffic selector is included in TSi. | |
Default | false | |
Introduced | 19.7.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
ip-mtu number
Synopsis | Maximum size of the IP MTU for the payload packets | |
Context | configure ipsec tunnel-template number ip-mtu number | |
Tree | ip-mtu | |
Range | 512 to 9000 | |
Units | octets | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
ipsec-transform reference
Synopsis | IPsec transform ID for the tunnel template | |
Context | configure ipsec tunnel-template number ipsec-transform reference | |
Tree | ipsec-transform | |
Reference | configure ipsec ipsec-transform number | |
Max. instances | 4 | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
pmtu-discovery-aging number
Synopsis | Aging out time of the learned path MTU | |
Context | configure ipsec tunnel-template number pmtu-discovery-aging number | |
Tree | pmtu-discovery-aging | |
Description | This command configures the temporary public and private MTU expiration time. The temporary MTU is used for MTU propagation. | |
Range | 900 to 3600 | |
Units | seconds | |
Default | 900 | |
Introduced | 21.5.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
ppk-list reference
Synopsis | PPK list to use in the tunnel template | |
Context | configure ipsec tunnel-template number ppk-list reference | |
Tree | ppk-list | |
Description | This command specifies the PPK list to use in the tunnel template, which represents a list of PPKs available for the IPsec gateway. The actual PPK to use depends on the tunnel initiator. | |
Reference | ||
Introduced | 24.10.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
private-tcp-mss-adjust number
Synopsis | New TCP MSS value on the private side | |
Context | configure ipsec tunnel-template number private-tcp-mss-adjust number | |
Tree | private-tcp-mss-adjust | |
Description | This command specifies the new (adjusted) TCP MSS value of TCP SYN packets on the private side. When unconfigured, the MSS value is derived from the received TCP SYN packet on the private side. | |
Range | 512 to 9000 | |
Units | octets | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
propagate-pmtu-v4 boolean
Synopsis | Enable propagation of the path MTU to IPv4 hosts | |
Context | configure ipsec tunnel-template number propagate-pmtu-v4 boolean | |
Tree | propagate-pmtu-v4 | |
Description | When configured to true, the system propagates the path MTU learned from the public side to the private side (IPv4 hosts). | |
Default | true | |
Introduced | 21.5.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
propagate-pmtu-v6 boolean
Synopsis | Enable propagation of the path MTU to IPv6 hosts | |
Context | configure ipsec tunnel-template number propagate-pmtu-v6 boolean | |
Tree | propagate-pmtu-v6 | |
Description | When configured to true, the system propagates the path MTU learned from the public side to the private side (IPv6 hosts). | |
Default | true | |
Introduced | 21.5.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
public-tcp-mss-adjust (number | keyword)
Synopsis | New TCP MSS value on the public side | |
Context | configure ipsec tunnel-template number public-tcp-mss-adjust (number | keyword) | |
Tree | public-tcp-mss-adjust | |
Description | This command specifies the new (adjusted) TCP MSS value for the TCP traffic in an IPsec tunnel which is sent from the public network to the private network. The system can use this value to adjust or insert the MSS option in the TCP SYN packet. When unconfigured, the MSS value is derived from the public MTU and IPsec overhead. | |
Range | 512 to 9000 | |
Units | octets | |
Options | ||
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
replay-window number
Synopsis | Anti-replay window size for the tunnel template | |
Context | configure ipsec tunnel-template number replay-window number | |
Tree | replay-window | |
Range | 32, 64, 128, 256, or 512 | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
reverse-route
Synopsis | Enter the reverse-route context | |
Context | configure ipsec tunnel-template number reverse-route | |
Tree | reverse-route | |
Description | Commands in this context configure the dynamic LAN-to-LAN (DL2L) tunnel reverse-route options for the tunnel template. | |
Introduced | 24.10.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
metric number
Synopsis | Metric used for DL2L tunnel reverse routes | |
Context | configure ipsec tunnel-template number reverse-route metric number | |
Tree | metric | |
Description | This command configures the metric for reverse routes. The system uses the metric when selecting a route to install in the route table. | |
Range | 0 to 65535 | |
Default | 0 | |
Introduced | 24.10.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
preference number
Synopsis | Preference used for DL2L tunnel reverse routes | |
Context | configure ipsec tunnel-template number reverse-route preference number | |
Tree | preference | |
Description | This command specifies the route preference assigned to the DL2L tunnel reverse route. The system uses the preference when selecting a route to install in the route table. | |
Range | 0 to 255 | |
Default | 0 | |
Introduced | 24.10.R1 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |
sp-reverse-route keyword
Synopsis | Reverse route creation method in private service | |
Context | configure ipsec tunnel-template number sp-reverse-route keyword | |
Tree | sp-reverse-route | |
Description | This command allows the system to automatically create a reverse route in the private service based on the dynamic LAN-to-LAN tunnel's TSi. | |
Options | ||
Default | none | |
Introduced | 16.0.R4 | |
Platforms | 7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR |