ipsec commands

configure
    ipsec
        apply-groups reference
        apply-groups-exclude reference
        cert-profile string
            admin-state keyword
            apply-groups reference
            apply-groups-exclude reference
            entry number
                apply-groups reference
                apply-groups-exclude reference
                cert string
                compare-chain-include reference
                key string
                rsa-signature keyword
                send-chain
                    ca-profile reference
        client-db string
            admin-state keyword
            apply-groups reference
            apply-groups-exclude reference
            client number
                admin-state keyword
                apply-groups reference
                apply-groups-exclude reference
                client-name string
                credential
                    pre-shared-key string
                identification
                    idi
                        any boolean
                        fqdn string
                        fqdn-suffix string
                        ipv4-prefix string
                        ipv4-prefix-any boolean
                        ipv6-prefix string
                        ipv6-prefix-any boolean
                        rfc822 string
                        rfc822-suffix string
                    peer-ip-prefix
                        ip-prefix (ipv4-prefix | ipv6-prefix)
                        ipv4-only boolean
                        ipv6-only boolean
                private-interface string
                private-service-name string
                ts-list string
                tunnel-template number
            description string
            match-list
                idi boolean
                peer-ip-prefix boolean
        ike-policy number
            apply-groups reference
            apply-groups-exclude reference
            description string
            dpd
                interval number
                max-retries number
                reply-only boolean
            ike-transform reference
            ike-version-1
                auth-method keyword
                ike-mode keyword
                own-auth-method keyword
                ph1-responder-delete-notify boolean
            ike-version-2
                auth-method keyword
                auto-eap-method keyword
                ikev2-fragment
                    mtu number
                    reassembly-timeout number
                own-auth-method keyword
                own-auto-eap-method keyword
                send-idr-after-eap-success boolean
            ipsec-lifetime number
            limit-init-exchange
                admin-state keyword
                reduced-max-exchange-timeout (number | keyword)
            lockout
                block (number | keyword)
                duration number
                failed-attempts number
                max-port-per-ip number
            match-peer-id-to-cert boolean
            nat-traversal
                force boolean
                force-keep-alive boolean
                keep-alive-interval number
            pfs
                dh-group keyword
            relay-unsolicited-cfg-attribute
                internal-ip4-address boolean
                internal-ip4-dns boolean
                internal-ip4-netmask boolean
                internal-ip6-address boolean
                internal-ip6-dns boolean
        ike-transform number
            apply-groups reference
            apply-groups-exclude reference
            dh-group keyword
            ike-auth-algorithm keyword
            ike-encryption-algorithm keyword
            ike-prf-algorithm keyword
            isakmp-lifetime number
        ipsec-transform number
            apply-groups reference
            apply-groups-exclude reference
            esp-auth-algorithm keyword
            esp-encryption-algorithm keyword
            extended-sequence-number boolean
            ipsec-lifetime number
            pfs-dh-group keyword
        ipsec-transport-mode-profile string
            apply-groups reference
            apply-groups-exclude reference
            description string
            key-exchange
                dynamic
                    auto-establish boolean
                    cert
                        cert-profile reference
                        status-verify
                            default-result keyword
                            primary keyword
                            secondary keyword
                        trust-anchor-profile reference
                    id
                        fqdn string
                        ipv4 string
                        ipv6 (ipv4-address-no-zone | ipv6-address-no-zone)
                    ike-policy reference
                    ipsec-transform reference
                    pre-shared-key string
            max-history-key-records
                esp number
                ike number
            replay-window number
        radius
            accounting-policy string
                apply-groups reference
                apply-groups-exclude reference
                include-radius-attribute
                    acct-stats boolean
                    called-station-id boolean
                    calling-station-id boolean
                    framed-ip-addr boolean
                    framed-ipv6-prefix boolean
                    nas-identifier boolean
                    nas-ip-addr boolean
                    nas-port-id boolean
                radius-server-policy reference
                update-interval
                    jitter number
                    value number
            authentication-policy string
                apply-groups reference
                apply-groups-exclude reference
                include-radius-attribute
                    called-station-id boolean
                    calling-station-id boolean
                    client-cert-subject-key-id boolean
                    nas-identifier boolean
                    nas-ip-addr boolean
                    nas-port-id boolean
                password string
                radius-server-policy reference
        show-ipsec-keys boolean
        static-sa string
            apply-groups reference
            apply-groups-exclude reference
            authentication
                algorithm keyword
                key string
            description string
            direction keyword
            protocol keyword
            spi number
        trust-anchor-profile string
            apply-groups reference
            apply-groups-exclude reference
            trust-anchor reference
        ts-list string
            apply-groups reference
            apply-groups-exclude reference
            local
                entry number
                    address
                        prefix (ipv4-prefix | ipv6-prefix)
                        range
                            begin (ipv4-address-no-zone | ipv6-address-no-zone)
                            end (ipv4-address-no-zone | ipv6-address-no-zone)
                    apply-groups reference
                    apply-groups-exclude reference
                    protocol
                        any
                        id
                            icmp
                                opaque
                                port-range
                                    begin-icmp-code number
                                    begin-icmp-type number
                                    end-icmp-code number
                                    end-icmp-type number
                            icmp6
                                opaque
                                port-range
                                    begin-icmp-code number
                                    begin-icmp-type number
                                    end-icmp-code number
                                    end-icmp-type number
                            mipv6
                                opaque
                                port-range
                                    begin number
                                    end number
                            protocol-id-with-any-port (keyword | number)
                            sctp
                                opaque
                                port-range
                                    begin number
                                    end number
                            tcp
                                opaque
                                port-range
                                    begin number
                                    end number
                            udp
                                opaque
                                port-range
                                    begin number
                                    end number
            remote
                entry number
                    address
                        prefix (ipv4-prefix | ipv6-prefix)
                        range
                            begin (ipv4-address-no-zone | ipv6-address-no-zone)
                            end (ipv4-address-no-zone | ipv6-address-no-zone)
                    apply-groups reference
                    apply-groups-exclude reference
                    protocol
                        any
                        id
                            icmp
                                opaque
                                port-range
                                    begin-icmp-code number
                                    begin-icmp-type number
                                    end-icmp-code number
                                    end-icmp-type number
                            icmp6
                                opaque
                                port-range
                                    begin-icmp-code number
                                    begin-icmp-type number
                                    end-icmp-code number
                                    end-icmp-type number
                            mipv6
                                opaque
                                port-range
                                    begin number
                                    end number
                            protocol-id-with-any-port (keyword | number)
                            sctp
                                opaque
                                port-range
                                    begin number
                                    end number
                            tcp
                                opaque
                                port-range
                                    begin number
                                    end number
                            udp
                                opaque
                                port-range
                                    begin number
                                    end number
        tunnel-template number
            apply-groups reference
            apply-groups-exclude reference
            clear-df-bit boolean
            copy-traffic-class-upon-decapsulation boolean
            description string
            encapsulated-ip-mtu number
            icmp-generation
                frag-required
                    admin-state keyword
                    interval number
                    message-count number
            icmp6-generation
                pkt-too-big
                    admin-state keyword
                    interval number
                    message-count number
            ignore-default-route boolean
            ip-mtu number
            ipsec-transform reference
            pmtu-discovery-aging number
            private-tcp-mss-adjust number
            propagate-pmtu-v4 boolean
            propagate-pmtu-v6 boolean
            public-tcp-mss-adjust (number | keyword)
            replay-window number
            sp-reverse-route keyword

ipsec command descriptions

ipsec

Synopsis Enter the ipsec context
Context configure ipsec
Tree ipsec

Description

Commands in this context configure Internet Protocol Security (IPsec).

Introduced 16.0.R4

Platforms

All

cert-profile [name] string

Synopsis Enter the cert-profile list instance
Context configure ipsec cert-profile string
Tree cert-profile

Description

Commands in this context configure the certificate profile.

Max. Instances 10200
Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

[name] string
Synopsis Certificate profile name
Context configure ipsec cert-profile string
Tree cert-profile
String Length 1 to 32

Notes

This element is part of a list key.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

admin-state keyword
Synopsis Administrative state of the certificate profile
Context configure ipsec cert-profile string admin-state keyword
Tree admin-state
Options enable, disable
Default disable
Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

entry [id] number
Synopsis Enter the entry list instance
Context configure ipsec cert-profile string entry number
Tree entry

Description

Commands in this context configure the certificate profile entry.

Max. Instances 8
Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

[id] number
Synopsis Certificate profile entry ID
Context configure ipsec cert-profile string entry number
Tree entry
Range 1 to 8

Notes

This element is part of a list key.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

cert string
Synopsis File name of the imported certificate for the entry
Context configure ipsec cert-profile string entry number cert string
Tree cert
String Length 1 to 95
Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

compare-chain-include reference
Synopsis CA profile to include in the compare-chain
Context configure ipsec cert-profile string entry number compare-chain-include reference
Tree compare-chain-include

Description

This command specifies the Certificate Authority (CA) that needs to be included in the compare-chain for the entry. This configuration is required in instances where the configured root CA is cross-signed by another CA.

Reference

configure system security pki ca-profile string

Introduced 23.10.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

key string
Synopsis File name of the imported key used for authentication
Context configure ipsec cert-profile string entry number key string
Tree key
String Length 1 to 95
Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

rsa-signature keyword
Synopsis Signature scheme for the RSA key
Context configure ipsec cert-profile string entry number rsa-signature keyword
Tree rsa-signature
Options pkcs1, pss
Default pkcs1
Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

send-chain
Synopsis Enter the send-chain context
Context configure ipsec cert-profile string entry number send-chain
Tree send-chain

Description

Commands in this context allow the system to send additional CA certificates to the peer. These additional CA certificates must be in the certificate chain of the certificate specified by the cert command in the same entry.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

client-db [name] string

Synopsis Enter the client-db list instance
Context configure ipsec client-db string
Tree client-db
Max. Instances 1000
Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

[name] string
Synopsis IPsec client database name
Context configure ipsec client-db string
Tree client-db
String Length 1 to 32

Notes

This element is part of a list key.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

admin-state keyword
Synopsis Administrative state of the client database
Context configure ipsec client-db string admin-state keyword
Tree admin-state
Options enable, disable
Default disable
Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

client [id] number
Synopsis Enter the client list instance
Context configure ipsec client-db string client number
Tree client

Description

Commands in this context configure the IPsec client entry in the client database.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

[id] number
Synopsis Client ID
Context configure ipsec client-db string client number
Tree client
Range 1 to 8000

Notes

This element is part of a list key.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

admin-state keyword
Synopsis Administrative state of the database client
Context configure ipsec client-db string client number admin-state keyword
Tree admin-state
Options enable, disable
Default disable
Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

client-name string
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Client name
Context configure ipsec client-db string client number client-name string
Tree client-name
String Length 1 to 32
Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

credential
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Enter the credential context
Context configure ipsec client-db string client number credential
Tree credential

Description

Commands in this context authenticate peers.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

pre-shared-key string
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Pre-shared key used to authenticate peers
Context configure ipsec client-db string client number credential pre-shared-key string
Tree pre-shared-key
String Length 1 to 115
Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

identification
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Enter the identification context
Context configure ipsec client-db string client number identification
Tree identification
Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

idi
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Enable the idi context
Context configure ipsec client-db string client number identification idi
Tree idi
Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

any boolean
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Accept any IDi value as a match
Context configure ipsec client-db string client number identification idi any boolean
Tree any

Notes

The following elements are part of a mandatory choice: any, fqdn, fqdn-suffix, ipv4-prefix, ipv4-prefix-any, ipv6-prefix, ipv6-prefix-any, rfc822, or rfc822-suffix.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

fqdn string
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis FQDN used as the match criteria for the IDi
Context configure ipsec client-db string client number identification idi fqdn string
Tree fqdn
String Length 0 to 255

Notes

The following elements are part of a mandatory choice: any, fqdn, fqdn-suffix, ipv4-prefix, ipv4-prefix-any, ipv6-prefix, ipv6-prefix-any, rfc822, or rfc822-suffix.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

fqdn-suffix string
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis FQDN suffix used as the match criteria for the IDi
Context configure ipsec client-db string client number identification idi fqdn-suffix string
Tree fqdn-suffix
String Length 0 to 255

Notes

The following elements are part of a mandatory choice: any, fqdn, fqdn-suffix, ipv4-prefix, ipv4-prefix-any, ipv6-prefix, ipv6-prefix-any, rfc822, or rfc822-suffix.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ipv4-prefix string
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis IPv4 prefix used as the match criteria for the IDi
Context configure ipsec client-db string client number identification idi ipv4-prefix string
Tree ipv4-prefix

Notes

The following elements are part of a mandatory choice: any, fqdn, fqdn-suffix, ipv4-prefix, ipv4-prefix-any, ipv6-prefix, ipv6-prefix-any, rfc822, or rfc822-suffix.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ipv4-prefix-any boolean
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Accept any valid IPv4 prefix as a match for the IDi
Context configure ipsec client-db string client number identification idi ipv4-prefix-any boolean
Tree ipv4-prefix-any

Notes

The following elements are part of a mandatory choice: any, fqdn, fqdn-suffix, ipv4-prefix, ipv4-prefix-any, ipv6-prefix, ipv6-prefix-any, rfc822, or rfc822-suffix.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ipv6-prefix string
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis IPv6 prefix used as the match criteria for the IDi
Context configure ipsec client-db string client number identification idi ipv6-prefix string
Tree ipv6-prefix

Notes

The following elements are part of a mandatory choice: any, fqdn, fqdn-suffix, ipv4-prefix, ipv4-prefix-any, ipv6-prefix, ipv6-prefix-any, rfc822, or rfc822-suffix.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ipv6-prefix-any boolean
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Accept any valid IPv6 prefix as a match for the IDi
Context configure ipsec client-db string client number identification idi ipv6-prefix-any boolean
Tree ipv6-prefix-any

Notes

The following elements are part of a mandatory choice: any, fqdn, fqdn-suffix, ipv4-prefix, ipv4-prefix-any, ipv6-prefix, ipv6-prefix-any, rfc822, or rfc822-suffix.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

rfc822 string
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Email address (RFC 822) used as match criteria for IDi
Context configure ipsec client-db string client number identification idi rfc822 string
Tree rfc822
String Length 0 to 255

Notes

The following elements are part of a mandatory choice: any, fqdn, fqdn-suffix, ipv4-prefix, ipv4-prefix-any, ipv6-prefix, ipv6-prefix-any, rfc822, or rfc822-suffix.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

rfc822-suffix string
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Email address domain (RFC 822) as IDi match criteria
Context configure ipsec client-db string client number identification idi rfc822-suffix string
Tree rfc822-suffix
String Length 0 to 255

Notes

The following elements are part of a mandatory choice: any, fqdn, fqdn-suffix, ipv4-prefix, ipv4-prefix-any, ipv6-prefix, ipv6-prefix-any, rfc822, or rfc822-suffix.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

peer-ip-prefix
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Enable the peer-ip-prefix context
Context configure ipsec client-db string client number identification peer-ip-prefix
Tree peer-ip-prefix
Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ip-prefix (ipv4-prefix | ipv6-prefix)
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis IP prefix used as the match criteria
Context configure ipsec client-db string client number identification peer-ip-prefix ip-prefix (ipv4-prefix | ipv6-prefix)
Tree ip-prefix

Notes

The following elements are part of a mandatory choice: ip-prefix, ipv4-only, or ipv6-only.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ipv4-only boolean
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Accept any valid IPv4 address as a match
Context configure ipsec client-db string client number identification peer-ip-prefix ipv4-only boolean
Tree ipv4-only

Notes

The following elements are part of a mandatory choice: ip-prefix, ipv4-only, or ipv6-only.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ipv6-only boolean
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Accept any valid IPv6 address as a match
Context configure ipsec client-db string client number identification peer-ip-prefix ipv6-only boolean
Tree ipv6-only

Notes

The following elements are part of a mandatory choice: ip-prefix, ipv4-only, or ipv6-only.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

private-interface string
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Private interface name used for tunnel setup
Context configure ipsec client-db string client number private-interface string
Tree private-interface
String Length 1 to 32
Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

private-service-name string
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Name of the private service used for tunnel setup
Context configure ipsec client-db string client number private-service-name string
Tree private-service-name
String Length 1 to 64
Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ts-list string
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Traffic selector list used by the tunnel
Context configure ipsec client-db string client number ts-list string
Tree ts-list
String Length 1 to 32
Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

tunnel-template number
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Tunnel template ID
Context configure ipsec client-db string client number tunnel-template number
Tree tunnel-template
Range 1 to 2048
Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

description string
Synopsis Text description
Context configure ipsec client-db string description string
Tree description
String Length 1 to 80
Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

match-list
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Enter the match-list context
Context configure ipsec client-db string match-list
Tree match-list
Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

idi boolean
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Use IDi type in the IPsec client matching process
Context configure ipsec client-db string match-list idi boolean
Tree idi
Default false
Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

peer-ip-prefix boolean
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Use the peer tunnel IP address in the matching process
Context configure ipsec client-db string match-list peer-ip-prefix boolean
Tree peer-ip-prefix
Default false
Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ike-policy [id] number

Synopsis Enter the ike-policy list instance
Context configure ipsec ike-policy number
Tree ike-policy

Description

Commands in this context configure an Internet Key Exchange (IKE) policy.

Max. Instances 2048
Introduced 16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

[id] number
Synopsis IKE policy ID
Context configure ipsec ike-policy number
Tree ike-policy
Range 1 to 2048

Notes

This element is part of a list key.

Introduced 16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

description string
Synopsis Text description
Context configure ipsec ike-policy number description string
Tree description
String Length 1 to 80
Introduced 16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

dpd
Synopsis Enable the dpd context
Context configure ipsec ike-policy number dpd
Tree dpd

Description

Commands in this context configure the dead peer detection mechanism.

Introduced 16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

interval number
Synopsis DPD interval
Context configure ipsec ike-policy number dpd interval number
Tree interval

Description

This command specifies the DPD interval.

Because more time is necessary to determine if there is incoming traffic, the actual time needed to bring down the tunnel is larger than the DPD interval multiplied by the value configured for maximum retry attempts.

Range 10 to 300
Units seconds
Default 30
Introduced 16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

max-retries number
Synopsis Maximum number of retries before the tunnel is removed
Context configure ipsec ike-policy number dpd max-retries number
Tree max-retries
Range 2 to 5
Default 3
Introduced 16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

reply-only boolean
Synopsis Initiate DPD request for incoming ESP or IKE packets
Context configure ipsec ike-policy number dpd reply-only boolean
Tree reply-only
Default false
Introduced 16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ike-transform reference
Synopsis IKE transform instance associated with the IKE policy
Context configure ipsec ike-policy number ike-transform reference
Tree ike-transform

Description

This command specifies the IKE transform instance associated with the IKE policy. If multiple IDs are specified, the system selects an IKE transform based on the proposal of the peer. If the system is a tunnel initiator, it uses the configured IKE transform to generate the SA payload.

Reference

configure ipsec ike-transform number

Max. Instances 4
Introduced 16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ike-version-1
Synopsis Enter the ike-version-1 context
Context configure ipsec ike-policy number ike-version-1
Tree ike-version-1

Description

Commands in this context configure the IKE version 1 mode of operation that the IKE policy uses.

Notes

The following elements are part of a choice: ike-version-1 or ike-version-2.

Introduced 16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

auth-method keyword
Synopsis Authentication method used with the IKE policy
Context configure ipsec ike-policy number ike-version-1 auth-method keyword
Tree auth-method
Options psk, plain-psk-xauth
Default psk
Introduced 16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ike-mode keyword
Synopsis Mode of operation
Context configure ipsec ike-policy number ike-version-1 ike-mode keyword
Tree ike-mode
Options main, aggressive
Default main
Introduced 16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

own-auth-method keyword
Synopsis Authentication method used with policy on its own side
Context configure ipsec ike-policy number ike-version-1 own-auth-method keyword
Tree own-auth-method
Options symmetric
Default symmetric
Introduced 16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ph1-responder-delete-notify boolean
Synopsis Send delete notification for IKEv1 phase 1 removal
Context configure ipsec ike-policy number ike-version-1 ph1-responder-delete-notify boolean
Tree ph1-responder-delete-notify

Description

When configured to true, a delete notification is sent to the peer when deleting an IKEv1 phase 1 SA for which it was the responder.

When configured to false, no notification is sent.

Default true
Introduced 16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ike-version-2
Synopsis Enable the ike-version-2 context
Context configure ipsec ike-policy number ike-version-2
Tree ike-version-2

Description

Commands in this context configure the IKE version 2 mode of operation that the IKE policy uses.

Notes

The following elements are part of a choice: ike-version-1 or ike-version-2.

Introduced 16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

auth-method keyword
Synopsis Authentication method used with the IKE policy
Context configure ipsec ike-policy number ike-version-2 auth-method keyword
Tree auth-method
Options psk, cert, psk-radius, cert-radius, eap, auto-eap-radius, auto-eap
Default psk
Introduced 16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

auto-eap-method keyword
Synopsis Authentication method used for the remote peer
Context configure ipsec ike-policy number ike-version-2 auto-eap-method keyword
Tree auto-eap-method

Description

This command specifies the behavior for the IKEv2 remote-access tunnel when the authentication method uses EAP or potentially another method to authenticate the remote peer.

Options psk, cert, psk-or-cert
Default cert
Introduced 16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ikev2-fragment
Synopsis Enable the ikev2-fragment context
Context configure ipsec ike-policy number ike-version-2 ikev2-fragment
Tree ikev2-fragment

Description

Commands in this context configure IKEv2 protocol level fragmentation (RFC 7383).

Introduced 16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

mtu number
Synopsis Maximum size of the IKEv2 packet
Context configure ipsec ike-policy number ike-version-2 ikev2-fragment mtu number
Tree mtu
Range 512 to 9000
Units octets
Default 1500
Introduced 16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

own-auth-method keyword
Synopsis Authentication method used with IKE policy on own side
Context configure ipsec ike-policy number ike-version-2 own-auth-method keyword
Tree own-auth-method
Options symmetric, psk, cert, eap-only
Default symmetric
Introduced 16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

own-auto-eap-method keyword
Synopsis Authentication method used on its own side
Context configure ipsec ike-policy number ike-version-2 own-auto-eap-method keyword
Tree own-auto-eap-method

Description

This command specifies the behavior for the IKEv2 remote-access tunnel when the authentication method uses EAP or potentially another method to authenticate the peer.

Options psk, cert
Default cert
Introduced 16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

send-idr-after-eap-success boolean
Synopsis Send IDr payload in last IKE authentication response
Context configure ipsec ike-policy number ike-version-2 send-idr-after-eap-success boolean
Tree send-idr-after-eap-success

Description

When configured to true, the Identification Responder (IDr) payload is added in the last IKE authentication response after an Extensible Authentication Protocol (EAP) Success packet is received.

When configured to false, the IDr payload is not included in the last IKE authentication response.

Default true
Introduced 16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ipsec-lifetime number
Synopsis Lifetime of the Phase 2 IKE key
Context configure ipsec ike-policy number ipsec-lifetime number
Treeipsec-lifetime
Range1200 to 31536000
Unitsseconds
Default 3600
Introduced16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

limit-init-exchange
Synopsis Enter the limit-init-exchange context
Contextconfigure ipsec ike-policy number limit-init-exchange
Treelimit-init-exchange

Description

Commands in this context limit the number of ongoing IKEv2 initial exchanges per tunnel.

Introduced16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

admin-state keyword
Synopsis Administrative state of limiting initial IKE exchanges
Contextconfigure ipsec ike-policy number limit-init-exchange admin-state keyword
Treeadmin-state
Optionsenable, disable
Default enable
Introduced16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

reduced-max-exchange-timeout (number | keyword)
Synopsis Maximum timeout for in-progress initial IKE exchange
Contextconfigure ipsec ike-policy number limit-init-exchange reduced-max-exchange-timeout (number | keyword)
Treereduced-max-exchange-timeout

Description

This command configures the maximum timeout for the in-progress initial IKE exchange. If a new IKEv2 IKE_SA_INIT request is received when there is an ongoing IKEv2 initial exchange from the same peer, the timeout value of the existing exchange is set to this specified value. If the none option is configured for this command, the timeout value remains unchanged.

Range2 to 60
Unitsseconds
Options none
Default 2
Introduced16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

lockout
Synopsis Enable the lockout context
Context configure ipsec ike-policy number lockout
Treelockout

Description

Commands in this context specify the lockout mechanism for the IPsec tunnel. These commands apply only when the system acts as a tunnel responder.

Introduced 16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

block (number | keyword)
Synopsis Time a client is blocked for failed authentications
Context configure ipsec ike-policy number lockout block (number | keyword)
Tree block

Description

This command configures the time the client is blocked once the number of failed authentications exceeds the failed-attempts value within the duration interval. With infinite, the block does not expire.

Range 1 to 1440
Units minutes
Options infinite
Default 10
Introduced 16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

duration number
Synopsis Time interval for failed attempts threshold
Context configure ipsec ike-policy number lockout duration number
Tree duration

Description

This command specifies the time interval in which the configured failed authentication count must be exceeded to trigger a lockout.

Range 1 to 60
Units minutes
Default 5
Introduced 16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

failed-attempts number
Synopsis Maximum failed authentications allowed in the duration
Context configure ipsec ike-policy number lockout failed-attempts number
Tree failed-attempts
Range 1 to 64
Default 3
Introduced 16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

max-port-per-ip number
Synopsis Maximum number of ports allowed under same IP address
Context configure ipsec ike-policy number lockout max-port-per-ip number
Tree max-port-per-ip

Description

This command configures the maximum number of ports allowed under the same IP address. Clients behind a NAT share one IP address and are told apart only by source port; when more ports than this threshold are seen and the client is locked out, all ports behind the IP address are blocked.

Range 1 to 32000
Default 16
Introduced 16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR
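The four lockout commands above interact as a sliding-window counter. The following model, added here as an illustration and not SR OS code, shows that interaction on constructed IKE_AUTH outcomes: failures are counted per peer over `duration` minutes, exceeding `failed-attempts` blocks the client for `block` minutes (or forever with infinite), and a blocked client gets no response at all. The per-port handling is an assumption: failures are tracked per (IP, UDP port), and once more ports than `max-port-per-ip` have recorded failures behind one IP, a lockout blocks the whole IP rather than the single port.

```python
"""Model of the ike-policy lockout commands (failed-attempts, duration, block,
max-port-per-ip). Added illustration, not SR OS code. Times are in minutes,
matching the units of the commands. The per-port handling is an assumption:
failures are counted per (peer IP, UDP port); once more ports than
max-port-per-ip have recorded failures behind one IP, a lockout blocks the
whole IP instead of the single port."""
from collections import defaultdict, deque

INFINITE = "infinite"   # block infinite: never expires


class IkeLockout:
    def __init__(self, failed_attempts=3, duration=5, block=10, max_port_per_ip=16):
        self.failed_attempts = failed_attempts    # failures allowed inside the window
        self.duration = duration                  # sliding window, minutes
        self.block = block                        # minutes or INFINITE
        self.max_port_per_ip = max_port_per_ip
        self._failures = defaultdict(deque)       # (ip, port) -> failure timestamps
        self._ports = defaultdict(set)            # ip -> ports that failed recently
        self._blocked = {}                        # ip or (ip, port) -> expiry, None = never

    def _blocked_now(self, key, now):
        if key not in self._blocked:
            return False
        until = self._blocked[key]
        if until is None or now < until:
            return True
        del self._blocked[key]                    # block expired: forget it
        return False

    def is_blocked(self, ip, port, now):
        return self._blocked_now(ip, now) or self._blocked_now((ip, port), now)

    def ike_auth(self, ip, port, ok, now):
        """Feed one IKE_AUTH outcome from a peer; return the responder's verdict."""
        if self.is_blocked(ip, port, now):
            return "dropped"                      # locked out: no reply at all
        if ok:
            return "accepted"
        window = self._failures[(ip, port)]
        window.append(now)
        while window and now - window[0] > self.duration:
            window.popleft()                      # failures older than duration no longer count
        self._ports[ip].add(port)
        if len(window) <= self.failed_attempts:
            return "rejected"                     # under the threshold: plain auth failure
        window.clear()
        until = None if self.block == INFINITE else now + self.block
        if len(self._ports[ip]) > self.max_port_per_ip:
            self._ports[ip].clear()
            self._blocked[ip] = until             # too many ports behind one NAT IP: block them all
            return "lockout-ip"
        self._blocked[(ip, port)] = until
        return "lockout-port"


def simulate(events, **policy):
    """Run (minute, ip, port, auth_ok) events through one policy; return the verdicts."""
    lk = IkeLockout(**policy)
    return [lk.ike_auth(ip, port, ok, t) for t, ip, port, ok in events]


if __name__ == "__main__":
    # Constructed sample: one peer guessing a PSK four times, then coming back after the block.
    events = [(0, "203.0.113.5", 500, False), (1, "203.0.113.5", 500, False),
              (2, "203.0.113.5", 500, False), (3, "203.0.113.5", 500, False),
              (4, "203.0.113.5", 500, True), (4, "203.0.113.5", 4500, True),
              (13, "203.0.113.5", 500, True)]
    for e, v in zip(events, simulate(events)):
        print(e, "->", v)
```

With the documented defaults the fourth failure inside five minutes triggers the lockout, the blocked port is silently dropped for ten minutes, a different port behind the same address is still served, and the client is accepted again once the block expires.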

nat-traversal
Synopsis Enable the nat-traversal context
Context configure ipsec ike-policy number nat-traversal
Tree nat-traversal

Description

Commands in this context configure the Network Address Translation Traversal (NAT-T) functionality.

Introduced 16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

force boolean
Synopsis Enable NAT-T in forced mode
Context configure ipsec ike-policy number nat-traversal force boolean
Tree force
Default false
Introduced 16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

pfs
Synopsis Enable the pfs context
Context configure ipsec ike-policy number pfs
Tree pfs

Description

Commands in this context configure perfect forward secrecy on the IPsec tunnel using the policy. PFS provides for a new Diffie-Hellman (DH) key exchange each time the Security Association (SA) key is renegotiated. When the SA key expires, another key is generated (if the SA remains up).

Introduced 16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

dh-group keyword
Synopsis Diffie-Hellman group used to calculate session keys
Context configure ipsec ike-policy number pfs dh-group keyword
Tree dh-group

Description

This command specifies which DH group to use for calculating session keys. Larger groups provide a higher level of security but require more processing. group-1, group-2 and group-5 are the 768-, 1024- and 1536-bit MODP groups, which are no longer considered adequate; group-14 and group-15 are the 2048- and 3072-bit MODP groups, and group-19, group-20 and group-21 are the 256-, 384- and 521-bit ECP groups. The default, group-2, should be overridden with group-14 or an ECP group wherever the peer supports it.

Options group-1, group-2, group-5, group-14, group-15, group-19, group-20, group-21
Default group-2
Introduced 16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

relay-unsolicited-cfg-attribute
Synopsis Enter the relay-unsolicited-cfg-attribute context
Context configure ipsec ike-policy number relay-unsolicited-cfg-attribute
Tree relay-unsolicited-cfg-attribute

Description

Commands in this context configure which attributes obtained from the source (such as a RADIUS server) are returned to the IKEv2 remote-access tunnel client regardless of whether the client requested them in the CFG_REQUEST payload.

Introduced 16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

internal-ip4-address boolean
Synopsis Return the IPv4 address from the source to the client
Context configure ipsec ike-policy number relay-unsolicited-cfg-attribute internal-ip4-address boolean
Tree internal-ip4-address

Description

When configured to true, the system returns the IPv4 address obtained from the source (such as a RADIUS server) to the IKEv2 remote-access tunnel client regardless of whether the client requested the address in the CFG_REQUEST payload.

Default false
Introduced 16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

internal-ip4-dns boolean
Synopsis Return IPv4 DNS server address from source to client
Context configure ipsec ike-policy number relay-unsolicited-cfg-attribute internal-ip4-dns boolean
Tree internal-ip4-dns

Description

When configured to true, the system returns the IPv4 DNS server address obtained from the source (such as a RADIUS server) to the IKEv2 remote-access tunnel client regardless of whether the client requested the address in the CFG_REQUEST payload.

Default false
Introduced 16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

internal-ip4-netmask boolean
Synopsis Return the IPv4 netmask from the source to the client
Context configure ipsec ike-policy number relay-unsolicited-cfg-attribute internal-ip4-netmask boolean
Tree internal-ip4-netmask

Description

When configured to true, the system returns the IPv4 netmask obtained from the source (such as a RADIUS server) to the IKEv2 remote-access tunnel client regardless of whether the client requested the netmask in the CFG_REQUEST payload.

Default false
Introduced 16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

internal-ip6-address boolean
Synopsis Return the IPv6 address from the source to the client
Context configure ipsec ike-policy number relay-unsolicited-cfg-attribute internal-ip6-address boolean
Tree internal-ip6-address

Description

When configured to true, the system returns the IPv6 address obtained from the source (such as a RADIUS server) to the IKEv2 remote-access tunnel client regardless of whether the client requested the address in the CFG_REQUEST payload.

Default false
Introduced 16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

internal-ip6-dns boolean
Synopsis Return IPv6 DNS server address from source to client
Context configure ipsec ike-policy number relay-unsolicited-cfg-attribute internal-ip6-dns boolean
Tree internal-ip6-dns

Description

When configured to true, the system returns the IPv6 DNS server address obtained from the source (such as a RADIUS server) to the IKEv2 remote-access tunnel client regardless of whether the client requested the address in the CFG_REQUEST payload.

Default false
Introduced 16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ike-transform [id] number

Synopsis Enter the ike-transform list instance
Context configure ipsec ike-transform number
Tree ike-transform
Max. Instances 4096
Introduced 16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

[id] number
Synopsis IKE transform instance ID
Context configure ipsec ike-transform number
Tree ike-transform
Range 1 to 4096

Notes

This element is part of a list key.

Introduced 16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

dh-group keyword
Synopsis Diffie-Hellman group used to calculate session keys
Context configure ipsec ike-transform number dh-group keyword
Tree dh-group

Description

This command specifies the DH group negotiated for the IKE SA. The default, group-2, is the 1024-bit MODP group and should be replaced by group-14 (2048-bit MODP) or an ECP group (group-19, group-20, group-21) for new deployments.

Options group-1, group-2, group-5, group-14, group-15, group-19, group-20, group-21
Default group-2
Introduced 16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ike-auth-algorithm keyword
Synopsis IKE authentication algorithm for IKE transform instance
Context configure ipsec ike-transform number ike-auth-algorithm keyword
Tree ike-auth-algorithm
Options md-5, sha-1, sha-256, sha-384, sha-512, aes-xcbc, auth-encryption
Default sha-1
Introduced 16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ike-encryption-algorithm keyword
Synopsis IKE encryption algorithm for the IKE transform instance
Context configure ipsec ike-transform number ike-encryption-algorithm keyword
Tree ike-encryption-algorithm
Options des, des-3, aes-128, aes-192, aes-256, aes128-gcm8, aes128-gcm16, aes256-gcm8, aes256-gcm16
Default aes-128
Introduced 16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ike-prf-algorithm keyword
Synopsis PRF algorithm for the IKE transform instance
Context configure ipsec ike-transform number ike-prf-algorithm keyword
Tree ike-prf-algorithm

Description

This command specifies the pseudo-random function algorithm used for IKE security association.

If an authenticated-encryption (AEAD) algorithm such as AES-GCM is used as the IKE encryption algorithm, same-as-auth cannot be used for the IKE PRF algorithm, because an AEAD cipher has no separate integrity algorithm to derive the PRF from; an explicit PRF must be configured.

Options md-5, sha-1, sha-256, sha-384, sha-512, aes-xcbc, same-as-auth
Default same-as-auth
Introduced 16.0.R6

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

isakmp-lifetime number
Synopsis Phase 1 lifetime for the IKE transform instance
Context configure ipsec ike-transform number isakmp-lifetime number
Tree isakmp-lifetime
Range 1200 to 31536000
Units seconds
Default 86400
Introduced 16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ipsec-transform [id] number

Synopsis Enter the ipsec-transform list instance
Context configure ipsec ipsec-transform number
Tree ipsec-transform

Description

Commands in this context create an IPsec transform policy. IPsec transform policies can be shared. An IPsec transform can be changed at any time; the change does not affect tunnels that are already established until they are renegotiated. If the change is required immediately, the tunnel must be cleared (reset) to force renegotiation.

Max. Instances 2048
Introduced 16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

[id] number
Synopsis IPsec transform policy ID
Context configure ipsec ipsec-transform number
Tree ipsec-transform
Range 1 to 2048

Notes

This element is part of a list key.

Introduced 16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

esp-auth-algorithm keyword
Synopsis Encapsulating Security Payload (ESP) authentication
Context configure ipsec ipsec-transform number esp-auth-algorithm keyword
Tree esp-auth-algorithm

Description

This command specifies the hashing algorithm used for the authentication function. Both ends of a manually configured tunnel must share the same configuration for the IPsec tunnel to enter the operational state.

Options null, md-5, sha-1, sha-256, sha-384, sha-512, aes-xcbc, auth-encryption
Default sha-1
Introduced 16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

esp-encryption-algorithm keyword
Synopsis Encryption algorithm for the IPsec transform session
Context configure ipsec ipsec-transform number esp-encryption-algorithm keyword
Tree esp-encryption-algorithm

Description

This command specifies the encryption algorithm used for the IPsec session. Encryption applies only to ESP configurations. If encryption is not defined, ESP is not used.

Both ends of a manually configured tunnel must share the same encryption algorithm for the IPsec tunnel to enter the operational state.

When an AES-GCM or AES-GMAC algorithm is configured:

  • the esp-auth-algorithm must be set to auth-encryption, because the AEAD cipher provides integrity itself

  • the system does not include an integrity (authentication) algorithm in the ESP proposal of the SA payload

  • the IPsec transform cannot be used for manual keying

Options null, des, des-3, aes-128, aes-192, aes-256, aes128-gcm8, aes128-gcm12, aes128-gcm16, aes192-gcm8, aes192-gcm12, aes192-gcm16, aes256-gcm8, aes256-gcm12, aes256-gcm16, null-aes128-gmac, null-aes192-gmac, null-aes256-gmac
Default aes-128
Introduced 16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR
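The AEAD rules for ike-transform (an AES-GCM IKE cipher cannot use ike-prf-algorithm same-as-auth) and for ipsec-transform (AES-GCM/GMAC requires esp-auth-algorithm auth-encryption and cannot be manually keyed) are easy to get half right when converting an existing transform. The checker below, added here as an example and not SR OS code, applies those documented rules to dicts whose keys mirror the command names and whose defaults mirror the documented defaults, and adds strength warnings that are this editor's judgement (in line with RFC 8247 and RFC 8221) rather than anything the reference states.

```python
"""Checker for the ike-transform / ipsec-transform rules on this page plus
strength warnings. Added example, not SR OS code. Dict keys mirror the command
names; missing keys take the documented defaults. 'error' findings encode rules
the reference states; 'warn' findings and the LEGACY_* sets are this editor's
judgement (RFC 8247 / RFC 8221): DES, 3DES, MD5 and the 768/1024/1536-bit MODP
groups are not acceptable for new deployments."""

AEAD = {
    "aes128-gcm8", "aes128-gcm12", "aes128-gcm16",
    "aes192-gcm8", "aes192-gcm12", "aes192-gcm16",
    "aes256-gcm8", "aes256-gcm12", "aes256-gcm16",
    "null-aes128-gmac", "null-aes192-gmac", "null-aes256-gmac",
}
LEGACY_ENC = {"des", "des-3"}
LEGACY_AUTH = {"md-5"}
LEGACY_DH = {"group-1", "group-2", "group-5"}   # 768-, 1024-, 1536-bit MODP


def check_ike_transform(t):
    """Return (severity, message) findings for an ike-transform dict."""
    enc = t.get("ike-encryption-algorithm", "aes-128")
    auth = t.get("ike-auth-algorithm", "sha-1")
    prf = t.get("ike-prf-algorithm", "same-as-auth")
    dh = t.get("dh-group", "group-2")
    findings = []
    if enc in AEAD and prf == "same-as-auth":
        findings.append(("error", "AEAD ike-encryption-algorithm needs an explicit ike-prf-algorithm, not same-as-auth"))
    if enc in LEGACY_ENC:
        findings.append(("warn", f"ike-encryption-algorithm {enc} is obsolete; use AES or AES-GCM"))
    if auth in LEGACY_AUTH or prf in LEGACY_AUTH:
        findings.append(("warn", "md-5 as IKE integrity or PRF is obsolete; use sha-256 or stronger"))
    if dh in LEGACY_DH:
        findings.append(("warn", f"dh-group {dh} is too small; use group-14 or an ECP group (19/20/21)"))
    return findings


def check_ipsec_transform(t, manual_keying=False):
    """Same for an ipsec-transform; manual_keying=True means it feeds a static SA."""
    enc = t.get("esp-encryption-algorithm", "aes-128")
    auth = t.get("esp-auth-algorithm", "sha-1")
    pfs = t.get("pfs-dh-group")
    findings = []
    if enc in AEAD:
        if auth != "auth-encryption":
            findings.append(("error", "AES-GCM/GMAC requires esp-auth-algorithm auth-encryption"))
        if manual_keying:
            findings.append(("error", "an AES-GCM/GMAC transform cannot be used for manual keying"))
    if enc == "null" and auth == "null":
        findings.append(("warn", "null encryption with null authentication leaves ESP unprotected"))  # editor's judgement
    if enc in LEGACY_ENC:
        findings.append(("warn", f"esp-encryption-algorithm {enc} is obsolete; use AES or AES-GCM"))
    if auth in LEGACY_AUTH:
        findings.append(("warn", "esp-auth-algorithm md-5 is obsolete; use sha-256 or stronger"))
    if pfs in LEGACY_DH:
        findings.append(("warn", f"pfs-dh-group {pfs} is too small; use group-14 or an ECP group"))
    return findings


def severities(findings):
    """Just the severity column, handy for a quick pass/fail."""
    return [s for s, _ in findings]


if __name__ == "__main__":
    # Constructed samples: the documented defaults, a half-converted GCM transform, a hardened pair.
    print(check_ike_transform({}))
    print(check_ipsec_transform({"esp-encryption-algorithm": "aes256-gcm16"}, manual_keying=True))
    print(check_ike_transform({"ike-encryption-algorithm": "aes256-gcm16", "ike-auth-algorithm": "auth-encryption",
                               "ike-prf-algorithm": "sha-256", "dh-group": "group-14"}))
    print(check_ipsec_transform({"esp-encryption-algorithm": "aes256-gcm16", "esp-auth-algorithm": "auth-encryption",
                                 "pfs-dh-group": "group-14"}))
```

Note that an empty dict, that is, a transform left entirely at the documented defaults, already yields a warning for dh-group group-2: the defaults negotiate, but they are not what a new deployment should ship.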

extended-sequence-number boolean
Synopsis Enable extended sequence numbering support
Context configure ipsec ipsec-transform number extended-sequence-number boolean
Tree extended-sequence-number

Description

When configured to true, this command enables 64-bit extended sequence numbering (ESN). ESN is used for high-throughput CHILD_SAs to avoid the frequent rekeying that a 32-bit sequence number forces when it wraps around; only the low 32 bits are carried in the ESP header, while the high 32 bits are tracked by both peers and covered by the ICV.

When configured to false, only 32-bit sequence numbering is supported.

Default false
Introduced 21.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ipsec-lifetime number
Synopsis Phase 2 lifetime for the IPsec transform session
Context configure ipsec ipsec-transform number ipsec-lifetime number
Tree ipsec-lifetime

Description

This command configures the lifetime of the Phase 2 IKE key.

When unconfigured, the value is inherited from the ipsec-lifetime of the IKE policy used by the same IPsec gateway or IPsec tunnel.

Range 1200 to 31536000
Units seconds
Introduced 16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

pfs-dh-group keyword
Synopsis Diffie-Hellman group used for PFS
Context configure ipsec ipsec-transform number pfs-dh-group keyword
Tree pfs-dh-group

Description

This command specifies the DH group used for the Perfect Forward Secrecy (PFS) exchange during CHILD_SA rekeying.

When unconfigured, the DH group is inherited from the IPsec gateway or IPsec tunnel.

Options none, group-1, group-2, group-5, group-14, group-15, group-19, group-20, group-21
Introduced 16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ipsec-transport-mode-profile [name] string

Synopsis Enter the ipsec-transport-mode-profile list instance
Context configure ipsec ipsec-transport-mode-profile string
Tree ipsec-transport-mode-profile

Description

Commands in this context configure IPsec-specific attributes that allow an IP tunnel (for example, GRE) to be protected by using IPsec transport mode.

Introduced 21.10.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

[name] string
Synopsis IPsec transport mode profile name string
Context configure ipsec ipsec-transport-mode-profile string
Tree ipsec-transport-mode-profile

Description

This command specifies the name of the IPsec transport mode profile.

String Length 1 to 32

Notes

This element is part of a list key.

Introduced 21.10.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

key-exchange
Synopsis Enter the key-exchange context
Context configure ipsec ipsec-transport-mode-profile string key-exchange
Tree key-exchange

Description

Commands in this context configure the key exchange used each time the Security Association (SA) key is renegotiated.

Introduced 21.10.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

dynamic
Synopsis Enter the dynamic context
Context configure ipsec ipsec-transport-mode-profile string key-exchange dynamic
Tree dynamic

Description

Commands in this context configure dynamic keying for the transport mode profile.

Introduced 21.10.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

cert
Synopsis Enter the cert context
Context configure ipsec ipsec-transport-mode-profile string key-exchange dynamic cert
Tree cert

Description

Commands in this context configure the attributes of the dynamic keying certificate.

Introduced 21.10.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

status-verify
Synopsis Enter the status-verify context
Context configure ipsec ipsec-transport-mode-profile string key-exchange dynamic cert status-verify
Tree status-verify

Description

Commands in this context configure attributes of Certificate Status Verification (CSV).

Introduced 21.10.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

default-result keyword
Synopsis Default result for Certificate Status Verification
Context configure ipsec ipsec-transport-mode-profile string key-exchange dynamic cert status-verify default-result keyword
Tree default-result

Description

This command specifies the certificate revocation status to assume when all configured CSV methods fail to return a result. The default, revoked, fails closed: a peer whose status cannot be determined is rejected. Setting good fails open, so a CRL or OCSP outage lets a possibly revoked certificate authenticate; use it only where tunnel availability matters more than that risk.

Options revoked, good
Default revoked
Introduced 21.10.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

primary keyword
Synopsis Primary method of CSV to verify the revocation status
Context configure ipsec ipsec-transport-mode-profile string key-exchange dynamic cert status-verify primary keyword
Tree primary

Description

This command configures the primary method of Certificate Status Verification (CSV) that is used to verify the revocation status of the certificate of the peer.

Options crl, ocsp
Default crl
Introduced 21.10.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

secondary keyword
Synopsis Secondary method used to verify certificate revocation
Context configure ipsec ipsec-transport-mode-profile string key-exchange dynamic cert status-verify secondary keyword
Tree secondary

Description

This command specifies the secondary method of Certificate Status Verification (CSV) that is used to verify the revocation status of the peer certificate.

Options none, crl, ocsp
Default none
Introduced 21.10.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

id
Synopsis Enter the id context
Context configure ipsec ipsec-transport-mode-profile string key-exchange dynamic id
Tree id

Description

Commands in this context specify the local ID used for IDi or IDr for IKEv2 negotiation.

The default behavior depends on the local authentication method as follows:

  • psk: local tunnel IP address

  • cert-auth: subject of the local certificate

Introduced 21.10.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

fqdn string
Synopsis FQDN used as the local ID IKE type
Context configure ipsec ipsec-transport-mode-profile string key-exchange dynamic id fqdn string
Tree fqdn
String Length 1 to 255

Notes

The following elements are part of a choice: fqdn, ipv4, or ipv6.

Introduced 21.10.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ipv6 (ipv4-address-no-zone | ipv6-address-no-zone)
Synopsis IPv6 used as the local IKE ID type
Context configure ipsec ipsec-transport-mode-profile string key-exchange dynamic id ipv6 (ipv4-address-no-zone | ipv6-address-no-zone)
Tree ipv6

Notes

The following elements are part of a choice: fqdn, ipv4, or ipv6.

Introduced 21.10.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

max-history-key-records
Synopsis Enter the max-history-key-records context
Context configure ipsec ipsec-transport-mode-profile string max-history-key-records
Tree max-history-key-records

Description

Commands in this context configure the settings for recording historical IPsec keys.

Introduced 21.10.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

replay-window number
Synopsis Anti-replay window size
Context configure ipsec ipsec-transport-mode-profile string replay-window number
Tree replay-window

Description

This command specifies the size of the IPsec anti-replay window. If unconfigured, IPsec anti-replay is disabled, which lets an attacker re-inject captured ESP packets into the tunnel; configure a window unless replay protection is provided elsewhere.

Range 32 | 64 | 128 | 256 | 512
Units packets
Introduced 21.10.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR
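The replay-window command above and the extended-sequence-number command under ipsec-transform are two halves of the same receiver-side mechanism. The following implementation of the RFC 4303 Appendix A window, added here as an example and not SR OS code, shows both: a bitmap the width of the configured window that rejects packets to its left or already marked inside it, and the ESN reconstruction in which the receiver sees only the low 32 bits on the wire and infers the high 32 bits from where the window sits (a wrong inference is caught by the ICV, which covers the full 64-bit number).

```python
"""Receiver-side ESP anti-replay window following RFC 4303 Appendix A, as an
illustration of replay-window and extended-sequence-number. Added example, not
SR OS code. Without ESN the counter is 32 bits and the SA must be rekeyed
before it wraps; with ESN only the low 32 bits travel in the ESP header and the
receiver infers the high 32 bits from its window position."""

WINDOW_SIZES = (32, 64, 128, 256, 512)   # the values replay-window accepts
MASK32 = 0xFFFFFFFF


class AntiReplay:
    def __init__(self, window=64, esn=False):
        if window not in WINDOW_SIZES:
            raise ValueError(f"replay-window must be one of {WINDOW_SIZES}")
        self.window = window
        self.esn = esn
        self.top = 0        # highest sequence number accepted so far (64-bit when esn)
        self.bitmap = 0     # bit i set <=> packet (top - i) has been accepted

    def _full_sequence(self, seql):
        """RFC 4303 A2: rebuild Seqh from the 32 bits on the wire and the window."""
        if not self.esn:
            return seql
        th, tl = self.top >> 32, self.top & MASK32
        low_edge = (tl - self.window + 1) & MASK32   # low bits of the window's lower bound
        if tl >= self.window - 1:                    # window lies inside one 2^32 block
            seqh = th if seql >= low_edge else th + 1
        else:                                        # window straddles a 2^32 boundary
            seqh = th - 1 if seql >= low_edge else th
        return (seqh << 32) | seql

    def receive(self, seql):
        """Return True if the packet is fresh (and record it), False if it must be dropped."""
        seq = self._full_sequence(seql)
        if seq <= 0:
            return False                             # 0 is never a valid ESP sequence number
        if seq > self.top:                           # right of the window: slide it forward
            shift = seq - self.top
            if shift >= self.window:
                self.bitmap = 1                      # jumped past the whole window
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.window:
            return False                             # left of the window: too old
        if (self.bitmap >> offset) & 1:
            return False                             # inside the window but already seen: replay
        self.bitmap |= 1 << offset
        return True

    def must_rekey(self):
        """A 32-bit counter must never wrap; ESN pushes the limit to 2^64 - 1."""
        limit = (1 << 64) - 1 if self.esn else MASK32
        return self.top >= limit


if __name__ == "__main__":
    # Constructed sample: in-order, a replay, a big jump, then one straggler just inside the window.
    ar = AntiReplay(window=64)
    print([ar.receive(s) for s in (1, 2, 2, 100, 37, 36, 37)])
```

The constructed sequence above yields True, True, False, True, True, False, False: packet 2 replayed, packet 100 slides the window to 37..100, packet 37 is the oldest still accepted, and packet 36 has fallen off the left edge.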

radius

Synopsis Enter the radius context
Context configure ipsec radius
Tree radius
Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

accounting-policy [name] string
Synopsis Enter the accounting-policy list instance
Context configure ipsec radius accounting-policy string
Tree accounting-policy

Description

Commands in this context configure RADIUS accounting policies to collect accounting statistics.

Max. Instances 100
Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

[name] string
Synopsis RADIUS accounting policy name
Context configure ipsec radius accounting-policy string
Tree accounting-policy
String Length 1 to 32

Notes

This element is part of a list key.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

include-radius-attribute
Synopsis Enter the include-radius-attribute context
Context configure ipsec radius accounting-policy string include-radius-attribute
Tree include-radius-attribute

Description

Commands in this context specify the RADIUS attributes to be included in the RADIUS Accounting-Request messages.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

update-interval
Synopsis Enter the update-interval context
Context configure ipsec radius accounting-policy string update-interval
Tree update-interval

Description

Commands in this context determine how RADIUS interim-update packets are sent for IKEv2 remote-access tunnels.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

jitter number
Synopsis Jitter interval for sending each interim-update packet
Context configure ipsec radius accounting-policy string update-interval jitter number
Tree jitter

Description

This command specifies the jitter interval for the RADIUS interim-update packets.

When unconfigured, the system uses 10% of the update interval value.

Range 0 to 3600
Units seconds
Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

value number
Synopsis Update interval of the RADIUS accounting data
Context configure ipsec radius accounting-policy string update-interval value number
Tree value

Description

This command configures the update interval of the RADIUS accounting data. If a value of 0 is configured, no intermediate updates are sent.

Range 0 | 5 to 259200
Units minutes
Default 10
Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

authentication-policy [name] string
Synopsis Enter the authentication-policy list instance
Context configure ipsec radius authentication-policy string
Tree authentication-policy

Description

Commands in this context configure the RADIUS authentication policy associated with the IPsec gateway.

Max. Instances 100
Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

[name] string
Synopsis RADIUS authentication policy name
Context configure ipsec radius authentication-policy string
Tree authentication-policy
String Length 1 to 32

Notes

This element is part of a list key.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

include-radius-attribute
Synopsis Enter the include-radius-attribute context
Context configure ipsec radius authentication-policy string include-radius-attribute
Tree include-radius-attribute

Description

Commands in this context specify the RADIUS attributes to be included in the RADIUS Access-Request messages.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

client-cert-subject-key-id boolean
Synopsis Include the Subject Key Identifier
Context configure ipsec radius authentication-policy string include-radius-attribute client-cert-subject-key-id boolean
Tree client-cert-subject-key-id

Description

When configured to true, the Subject Key Identifier of the certificate of the peer is included in the RADIUS Access-Request packet as VSA: Alc-Subject-Key-Identifier.

See the 7450 ESS, 7750 SR, 7950 XRS, and VSR RADIUS Attributes Reference Guide for more information.

Default false
Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

password string
Synopsis Password used in RADIUS access requests
Context configure ipsec radius authentication-policy string password string
Tree password
String Length 1 to 115
Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

show-ipsec-keys boolean

Synopsis Show IPsec IKE and ESP keys in the output
Context configure ipsec show-ipsec-keys boolean
Tree show-ipsec-keys

Description

When configured to true, this command allows IPsec keys to be included in the display output of certain debug and admin commands. Keys shown this way end up in terminal sessions and session logs, so leave this disabled outside controlled troubleshooting.

When configured to false, the key display is disabled.

Default false
Introduced 16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

static-sa [name] string

Synopsis Enter the static-sa list instance
Context configure ipsec static-sa string
Tree static-sa
Max. Instances 1000
Introduced 16.0.R6

Platforms

All

[name] string
Synopsis Static SA name
Context configure ipsec static-sa string
Tree static-sa
String Length 1 to 32

Notes

This element is part of a list key.

Introduced 16.0.R6

Platforms

All

authentication
Synopsis Enable the authentication context
Context configure ipsec static-sa string authentication
Tree authentication
Introduced 16.0.R6

Platforms

All

algorithm keyword
Synopsis Authentication algorithm used for an IPsec manual SA
Context configure ipsec static-sa string authentication algorithm keyword
Tree algorithm
Options md5, sha1

Notes

This element is mandatory.

Introduced 16.0.R6

Platforms

All

key string
Synopsis Key used for the authentication algorithm
Context configure ipsec static-sa string authentication key string
Tree key
String Length 1 to 54

Notes

This element is mandatory.

Introduced 16.0.R6

Platforms

All

direction keyword
Synopsis Direction to which the static SA entry can be applied
Context configure ipsec static-sa string direction keyword
Tree direction
Options inbound, outbound, bidirectional
Default bidirectional
Introduced 16.0.R6

Platforms

All

protocol keyword
Synopsis IPsec protocol used with the static SA
Context configure ipsec static-sa string protocol keyword
Tree protocol
Options ah, esp
Default esp
Introduced 16.0.R6

Platforms

All

spi number
Synopsis Security Parameter Index (SPI) for the static SA
Context configure ipsec static-sa string spi number
Tree spi

Description

This command specifies the SPI for the static SA.

When the direction command is set to inbound, the SPI is used to look up the SA that verifies and decrypts incoming IPsec packets. When it is set to outbound, the SPI is written into the outgoing packets so that the remote node can look up the SA that verifies and decrypts them.

When unconfigured, the static SA cannot be used.

Range 256 to 16383
Introduced 16.0.R6

Platforms

All

trust-anchor-profile [name] string

Synopsis Enter the trust-anchor-profile list instance
Context configure ipsec trust-anchor-profile string
Tree trust-anchor-profile
Max. Instances 10128
Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

[name] string
Synopsis Trust anchor profile name for IPsec tunnel or gateway
Context configure ipsec trust-anchor-profile string
Tree trust-anchor-profile
String Length 1 to 32

Notes

This element is part of a list key.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

trust-anchor [ca-profile] reference
Synopsis Add a list entry for trust-anchor
Context configure ipsec trust-anchor-profile string trust-anchor reference
Tree trust-anchor

Description

Commands in this context configure a CA profile as a trust anchor CA.

Max. Instances 8
Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ts-list [name] string

Synopsis Enter the ts-list list instance
Context configure ipsec ts-list string
Tree ts-list

Description

Commands in this context configure Traffic Selector (TS) settings.

Max. Instances 32768
Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

[name] string
Synopsis Traffic Selector (TS) list name
Context configure ipsec ts-list string
Tree ts-list
String Length 1 to 32

Notes

This element is part of a list key.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

local
Synopsis Enter the local context
Context configure ipsec ts-list string local
Tree local

Description

Commands in this context configure the local TS list, that is, the traffic selector (TSr) offered for the local side when the system acts as an IKEv2 responder.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

entry [id] number
Synopsis Enter the entry list instance
Context configure ipsec ts-list string local entry number
Tree entry
Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

[id] number
Synopsis TS list entry ID
Context configure ipsec ts-list string local entry number
Tree entry
Range 1 to 32

Notes

This element is part of a list key.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

address
Synopsis Enable the address context
Context configure ipsec ts-list string local entry number address
Tree address
Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

prefix (ipv4-prefix | ipv6-prefix)
Synopsis IP prefix for address range in IKEv2 traffic selector
Context configure ipsec ts-list string local entry number address prefix (ipv4-prefix | ipv6-prefix)
Tree prefix

Notes

The following elements are part of a mandatory choice: prefix or range.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

range
Synopsis Enable the range context
Context configure ipsec ts-list string local entry number address range
Tree range

Notes

The following elements are part of a mandatory choice: prefix or range.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

begin (ipv4-address-no-zone | ipv6-address-no-zone)
Synopsis Lower bound of the IP address range for the entry
Context configure ipsec ts-list string local entry number address range begin (ipv4-address-no-zone | ipv6-address-no-zone)
Tree begin

Notes

This element is mandatory.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

end (ipv4-address-no-zone | ipv6-address-no-zone)
Synopsis Upper bound of the IP address range
Context configure ipsec ts-list string local entry number address range end (ipv4-address-no-zone | ipv6-address-no-zone)
Tree end

Notes

This element is mandatory.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

protocol
Synopsis Enable the protocol context
Context configure ipsec ts-list string local entry number protocol
Tree protocol

Description

Commands in this context specify the protocol settings for the IKEv2 traffic selector.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

any
Synopsis Match any protocol ID
Context configure ipsec ts-list string local entry number protocol any
Tree any

Notes

The following elements are part of a mandatory choice: any or id.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

id
Synopsis Enable the id context
Context configure ipsec ts-list string local entry number protocol id
Tree id

Notes

The following elements are part of a mandatory choice: any or id.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

icmp
Synopsis Enter the icmp context
Context configure ipsec ts-list string local entry number protocol id icmp
Tree icmp

Notes

The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

opaque
Synopsis Support OPAQUE ports
Context configure ipsec ts-list string local entry number protocol id icmp opaque
Tree opaque

Description

This command allows the protocol ID to be accepted even when the port information is not available.

Notes

The following elements are part of a choice: opaque or port-range.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

port-range
Synopsis Enable the port-range context
Context configure ipsec ts-list string local entry number protocol id icmp port-range
Tree port-range

Description

Commands in this context configure port range information for the protocol.

Notes

The following elements are part of a choice: opaque or port-range.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

icmp6
Synopsis Enter the icmp6 context
Context configure ipsec ts-list string local entry number protocol id icmp6
Tree icmp6

Notes

The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

opaque
Synopsis Support OPAQUE ports
Context configure ipsec ts-list string local entry number protocol id icmp6 opaque
Tree opaque

Description

This command allows the protocol ID to be accepted even when the port information is not available.

Notes

The following elements are part of a choice: opaque or port-range.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

port-range
Synopsis Enable the port-range context
Context configure ipsec ts-list string local entry number protocol id icmp6 port-range
Treeport-range

Description

Commands in this context configure port range information for the protocol.

Notes

The following elements are part of a choice: opaque or port-range.

Introduced19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

mipv6
Synopsis Enter the mipv6 context
Context configure ipsec ts-list string local entry number protocol id mipv6
Treemipv6

Notes

The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp.

Introduced19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

opaque
Synopsis Support OPAQUE ports
Context configure ipsec ts-list string local entry number protocol id mipv6 opaque
Treeopaque

Description

This command allows the protocol ID to be accepted even when the port information is not available.

Notes

The following elements are part of a choice: opaque or port-range.

Introduced19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

port-range
Synopsis Enable the port-range context
Context configure ipsec ts-list string local entry number protocol id mipv6 port-range
Treeport-range

Notes

The following elements are part of a choice: opaque or port-range.

Introduced19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

end number
Synopsis Upper bound of the port range
Context configure ipsec ts-list string local entry number protocol id mipv6 port-range end number
Treeend
Range0 to 255

Notes

This element is mandatory.

Introduced19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

protocol-id-with-any-port (keyword | number)
Synopsis Protocol ID that accepts any port value
Contextconfigure ipsec ts-list string local entry number protocol id protocol-id-with-any-port (keyword | number)
Treeprotocol-id-with-any-port
Range1 to 255
Optionsicmp, tcp, udp, icmp6, sctp, mipv6

Notes

The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp.

Introduced19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

sctp
Synopsis Enter the sctp context
Context configure ipsec ts-list string local entry number protocol id sctp
Tree sctp

Notes

The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

opaque
Synopsis Support OPAQUE ports
Context configure ipsec ts-list string local entry number protocol id sctp opaque
Tree opaque

Description

This command allows the protocol ID to be accepted even when the port information is not available.

Notes

The following elements are part of a choice: opaque or port-range.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

port-range
Synopsis Enable the port-range context
Context configure ipsec ts-list string local entry number protocol id sctp port-range
Tree port-range

Notes

The following elements are part of a choice: opaque or port-range.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

begin number
Synopsis Lower bound of the port range
Context configure ipsec ts-list string local entry number protocol id sctp port-range begin number
Tree begin
Range 0 to 65535

Notes

This element is mandatory.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

end number
Synopsis Upper bound of the port range
Context configure ipsec ts-list string local entry number protocol id sctp port-range end number
Tree end
Range 0 to 65535

Notes

This element is mandatory.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

tcp
Synopsis Enter the tcp context
Context configure ipsec ts-list string local entry number protocol id tcp
Tree tcp

Notes

The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

opaque
Synopsis Support OPAQUE ports
Context configure ipsec ts-list string local entry number protocol id tcp opaque
Tree opaque

Description

This command allows the protocol ID to be accepted even when the port information is not available.

Notes

The following elements are part of a choice: opaque or port-range.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

port-range
Synopsis Enable the port-range context
Context configure ipsec ts-list string local entry number protocol id tcp port-range
Tree port-range

Notes

The following elements are part of a choice: opaque or port-range.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

begin number
Synopsis Lower bound of the port range
Context configure ipsec ts-list string local entry number protocol id tcp port-range begin number
Tree begin
Range 0 to 65535

Notes

This element is mandatory.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

end number
Synopsis Upper bound of the port range
Context configure ipsec ts-list string local entry number protocol id tcp port-range end number
Tree end
Range 0 to 65535

Notes

This element is mandatory.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

udp
Synopsis Enter the udp context
Context configure ipsec ts-list string local entry number protocol id udp
Tree udp

Notes

The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

opaque
Synopsis Support OPAQUE ports
Context configure ipsec ts-list string local entry number protocol id udp opaque
Tree opaque

Description

This command allows the protocol ID to be accepted even when the port information is not available.

Notes

The following elements are part of a choice: opaque or port-range.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

port-range
Synopsis Enable the port-range context
Context configure ipsec ts-list string local entry number protocol id udp port-range
Tree port-range

Notes

The following elements are part of a choice: opaque or port-range.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

begin number
Synopsis Lower bound of the port range
Context configure ipsec ts-list string local entry number protocol id udp port-range begin number
Tree begin
Range 0 to 65535

Notes

This element is mandatory.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

end number
Synopsis Upper bound of the port range
Context configure ipsec ts-list string local entry number protocol id udp port-range end number
Tree end
Range 0 to 65535

Notes

This element is mandatory.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

remote
Synopsis Enter the remote context
Context configure ipsec ts-list string remote
Tree remote

Description

Commands in this context configure a remote TS list (a traffic selector such as TSr) that applies when the system acts as an IKEv2 responder.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

entry [id] number
Synopsis Enter the entry list instance
Context configure ipsec ts-list string remote entry number
Tree entry
Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

[id] number
Synopsis TS list entry ID
Context configure ipsec ts-list string remote entry number
Tree entry
Range 1 to 32

Notes

This element is part of a list key.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

address
Synopsis Enable the address context
Context configure ipsec ts-list string remote entry number address
Tree address
Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

prefix (ipv4-prefix | ipv6-prefix)
Synopsis IP prefix for address range in IKEv2 traffic selector
Context configure ipsec ts-list string remote entry number address prefix (ipv4-prefix | ipv6-prefix)
Tree prefix

Notes

The following elements are part of a mandatory choice: prefix or range.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

range
Synopsis Enable the range context
Context configure ipsec ts-list string remote entry number address range
Tree range

Notes

The following elements are part of a mandatory choice: prefix or range.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

begin (ipv4-address-no-zone | ipv6-address-no-zone)
Synopsis Lower bound of the IP address range for the entry
Context configure ipsec ts-list string remote entry number address range begin (ipv4-address-no-zone | ipv6-address-no-zone)
Tree begin

Notes

This element is mandatory.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

end (ipv4-address-no-zone | ipv6-address-no-zone)
Synopsis Upper bound of the IP address range
Context configure ipsec ts-list string remote entry number address range end (ipv4-address-no-zone | ipv6-address-no-zone)
Tree end

Notes

This element is mandatory.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

protocol
Synopsis Enable the protocol context
Context configure ipsec ts-list string remote entry number protocol
Tree protocol

Description

Commands in this context specify the protocol settings for the IKEv2 traffic selector.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

any
Synopsis Match any protocol ID
Context configure ipsec ts-list string remote entry number protocol any
Tree any

Notes

The following elements are part of a mandatory choice: any or id.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

id
Synopsis Enable the id context
Context configure ipsec ts-list string remote entry number protocol id
Tree id

Notes

The following elements are part of a mandatory choice: any or id.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

icmp
Synopsis Enter the icmp context
Context configure ipsec ts-list string remote entry number protocol id icmp
Tree icmp

Notes

The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

opaque
Synopsis Support OPAQUE ports
Context configure ipsec ts-list string remote entry number protocol id icmp opaque
Tree opaque

Description

This command allows the protocol ID to be accepted even when the port information is not available.

Notes

The following elements are part of a choice: opaque or port-range.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

port-range
Synopsis Enable the port-range context
Context configure ipsec ts-list string remote entry number protocol id icmp port-range
Tree port-range

Description

Commands in this context configure port range information for the protocol.

Notes

The following elements are part of a choice: opaque or port-range.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

icmp6
Synopsis Enter the icmp6 context
Context configure ipsec ts-list string remote entry number protocol id icmp6
Tree icmp6

Notes

The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

opaque
Synopsis Support OPAQUE ports
Context configure ipsec ts-list string remote entry number protocol id icmp6 opaque
Tree opaque

Description

This command allows the protocol ID to be accepted even when the port information is not available.

Notes

The following elements are part of a choice: opaque or port-range.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

port-range
Synopsis Enable the port-range context
Context configure ipsec ts-list string remote entry number protocol id icmp6 port-range
Tree port-range

Description

Commands in this context configure port range information for the protocol.

Notes

The following elements are part of a choice: opaque or port-range.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

mipv6
Synopsis Enter the mipv6 context
Context configure ipsec ts-list string remote entry number protocol id mipv6
Tree mipv6

Notes

The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

opaque
Synopsis Support OPAQUE ports
Context configure ipsec ts-list string remote entry number protocol id mipv6 opaque
Tree opaque

Description

This command allows the protocol ID to be accepted even when the port information is not available.

Notes

The following elements are part of a choice: opaque or port-range.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

port-range
Synopsis Enable the port-range context
Context configure ipsec ts-list string remote entry number protocol id mipv6 port-range
Tree port-range

Notes

The following elements are part of a choice: opaque or port-range.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

end number
Synopsis Upper bound of the port range
Context configure ipsec ts-list string remote entry number protocol id mipv6 port-range end number
Tree end
Range 0 to 255

Notes

This element is mandatory.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

protocol-id-with-any-port (keyword | number)
Synopsis Protocol ID that accepts any port value
Context configure ipsec ts-list string remote entry number protocol id protocol-id-with-any-port (keyword | number)
Tree protocol-id-with-any-port
Range 1 to 255
Options icmp, tcp, udp, icmp6, sctp, mipv6

Notes

The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

sctp
Synopsis Enter the sctp context
Context configure ipsec ts-list string remote entry number protocol id sctp
Tree sctp

Notes

The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

opaque
Synopsis Support OPAQUE ports
Context configure ipsec ts-list string remote entry number protocol id sctp opaque
Tree opaque

Description

This command allows the protocol ID to be accepted even when the port information is not available.

Notes

The following elements are part of a choice: opaque or port-range.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

port-range
Synopsis Enable the port-range context
Context configure ipsec ts-list string remote entry number protocol id sctp port-range
Tree port-range

Notes

The following elements are part of a choice: opaque or port-range.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

end number
Synopsis Upper bound of the port range
Context configure ipsec ts-list string remote entry number protocol id sctp port-range end number
Tree end
Range 0 to 65535

Notes

This element is mandatory.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

tcp
Synopsis Enter the tcp context
Context configure ipsec ts-list string remote entry number protocol id tcp
Tree tcp

Notes

The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

opaque
Synopsis Support OPAQUE ports
Context configure ipsec ts-list string remote entry number protocol id tcp opaque
Tree opaque

Description

This command allows the protocol ID to be accepted even when the port information is not available.

Notes

The following elements are part of a choice: opaque or port-range.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

port-range
Synopsis Enable the port-range context
Context configure ipsec ts-list string remote entry number protocol id tcp port-range
Tree port-range

Notes

The following elements are part of a choice: opaque or port-range.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

begin number
Synopsis Lower bound of the port range
Context configure ipsec ts-list string remote entry number protocol id tcp port-range begin number
Tree begin
Range 0 to 65535

Notes

This element is mandatory.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

end number
Synopsis Upper bound of the port range
Context configure ipsec ts-list string remote entry number protocol id tcp port-range end number
Tree end
Range 0 to 65535

Notes

This element is mandatory.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

udp
Synopsis Enter the udp context
Context configure ipsec ts-list string remote entry number protocol id udp
Tree udp

Notes

The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

opaque
Synopsis Support OPAQUE ports
Context configure ipsec ts-list string remote entry number protocol id udp opaque
Tree opaque

Description

This command allows the protocol ID to be accepted even when the port information is not available.

Notes

The following elements are part of a choice: opaque or port-range.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

port-range
Synopsis Enable the port-range context
Context configure ipsec ts-list string remote entry number protocol id udp port-range
Tree port-range

Notes

The following elements are part of a choice: opaque or port-range.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

begin number
Synopsis Lower bound of the port range
Context configure ipsec ts-list string remote entry number protocol id udp port-range begin number
Tree begin
Range 0 to 65535

Notes

This element is mandatory.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

end number
Synopsis Upper bound of the port range
Context configure ipsec ts-list string remote entry number protocol id udp port-range end number
Tree end
Range 0 to 65535

Notes

This element is mandatory.

Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR
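
The ts-list command tree documented above, assembled into one complete configuration so the local and remote halves can be read together. This is an added example, not configuration taken from the Nokia documentation or from any shipped device: the list name "hq-to-branch", the entry IDs, the addresses and the port numbers are constructed values, and the nested-brace layout follows the MD-CLI info rendering of the command paths listed above (an assumption about rendering, not something the page states). The local entry's address prefix mirrors the prefix/range choice documented for the remote entry and is likewise assumed. The point of writing selectors this narrowly is least privilege at the CHILD_SA level: the SA covers only the hosts and ports named here, not whatever range the peer proposes.

```text
configure {
    ipsec {
        ts-list "hq-to-branch" {
            local {
                entry 1 {
                    address {
                        prefix 10.10.0.0/24
                    }
                    protocol {
                        id {
                            tcp {
                                port-range {
                                    begin 443
                                    end 443
                                }
                            }
                        }
                    }
                }
                entry 2 {
                    address {
                        prefix 10.10.1.0/24
                    }
                    protocol {
                        id {
                            udp {
                                opaque
                            }
                        }
                    }
                }
            }
            remote {
                entry 1 {
                    address {
                        range {
                            begin 192.0.2.10
                            end 192.0.2.20
                        }
                    }
                    protocol {
                        any
                    }
                }
                entry 2 {
                    address {
                        prefix 192.0.2.0/24
                    }
                    protocol {
                        id {
                            protocol-id-with-any-port 47
                        }
                    }
                }
            }
        }
    }
}
```

Three of the page's constraints show up directly in the fragment: protocol is a mandatory choice between any and id, so every entry carries exactly one of them; address is a mandatory choice between prefix and range; and begin and end are both mandatory once port-range is entered (local entry 1 pins a single port by giving both bounds the same value). Local entry 2 uses opaque instead of a port range: per the page this accepts the protocol ID when port information is unavailable, which is the IKEv2 (RFC 7296) treatment of packets whose port fields cannot be read, such as non-initial IP fragments; a selector with only a port range does not cover those packets. Remote entry 2 uses the numeric form of protocol-id-with-any-port (47 is GRE, chosen here because it has no port semantics); the keyword form takes one of the listed options instead.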

tunnel-template [id] number
Synopsis Enter the tunnel-template list instance
Context configure ipsec tunnel-template number
Tree tunnel-template
Max. Instances 2048
Introduced 16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

[id] number
Synopsis Tunnel template ID
Context configure ipsec tunnel-template number
Tree tunnel-template
Range 1 to 2048

Notes

This element is part of a list key.

Introduced 16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

clear-df-bit boolean
Synopsis Clear the Do-not-Fragment (DF) bit
Context configure ipsec tunnel-template number clear-df-bit boolean
Tree clear-df-bit
Default false
Introduced 16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

copy-traffic-class-upon-decapsulation boolean
Synopsis Enable traffic class copy upon decapsulation
Context configure ipsec tunnel-template number copy-traffic-class-upon-decapsulation boolean
Tree copy-traffic-class-upon-decapsulation

Description

When configured to true, the system copies the traffic class from the outer tunnel IP packet header to the payload IP packet header in the decapsulating direction (public to private).

When configured to false, the system does not copy the traffic class from the outer IP packet to the payload IP packet header upon decapsulation.

Default false
Introduced 21.5.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

description string
Synopsis Text description
Context configure ipsec tunnel-template number description string
Tree description
String Length 1 to 80
Introduced 16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

encapsulated-ip-mtu number
Synopsis Maximum size of the encapsulated tunnel packet
Context configure ipsec tunnel-template number encapsulated-ip-mtu number
Tree encapsulated-ip-mtu

Description

This command specifies the maximum size of the encapsulated tunnel packet for the IPsec tunnel, the IP tunnel, or the dynamic tunnels terminated on the IPsec Gateway. If the encapsulated IPv4 or IPv6 tunnel packet exceeds this value, the system fragments the packet.

Range 512 to 9000
Units octets
Introduced 16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

icmp-generation
Synopsis Enter the icmp-generation context
Context configure ipsec tunnel-template number icmp-generation
Tree icmp-generation

Description

Commands in this context configure settings for ICMPv4 message generation.

Introduced 21.5.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

frag-required
Synopsis Enter the frag-required context
Context configure ipsec tunnel-template number icmp-generation frag-required
Tree frag-required

Description

Commands in this context configure the attributes for sending generated ICMP Destination Unreachable "fragmentation needed and DF set" messages (type 3, code 4) back to the source if the size of an IPv4 packet received on the private side exceeds the private MTU size.

Introduced 21.5.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

admin-state keyword
Synopsis Administrative state of sending ICMP messages
Context configure ipsec tunnel-template number icmp-generation frag-required admin-state keyword
Tree admin-state

Description

This command configures the administrative state of sending ICMP Destination Unreachable "fragmentation needed, DF set" messages (type 3, code 4) to the source if the size of an IPv4 packet received on the private side exceeds the private MTU size.

Options enable, disable
Default enable
Introduced 21.5.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

interval number
Synopsis Interval for sending ICMP messages
Context configure ipsec tunnel-template number icmp-generation frag-required interval number
Tree interval

Description

This command configures the interval for sending ICMP Destination Unreachable "fragmentation needed, DF set" messages (type 3, code 4).

Range 1 to 60
Units seconds
Default 10
Introduced 21.5.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

message-count number
Synopsis Maximum number of ICMP messages that can be sent
Context configure ipsec tunnel-template number icmp-generation frag-required message-count number
Tree message-count

Description

This command configures the maximum number of ICMP Destination Unreachable "fragmentation needed, DF set" messages (type 3, code 4) that can be sent during the configured interval.

Range 10 to 1000
Default 100
Introduced 21.5.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

icmp6-generation
Synopsis Enter the icmp6-generation context
Context configure ipsec tunnel-template number icmp6-generation
Tree icmp6-generation
Introduced 16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

pkt-too-big
Synopsis Enter the pkt-too-big context
Context configure ipsec tunnel-template number icmp6-generation pkt-too-big
Tree pkt-too-big

Description

Commands in this context configure values for the ICMPv6 Packet Too Big (PTB) messages. The system sends PTB messages if an IPv6 packet is received on the private side that is larger than 1280 bytes and also exceeds the private MTU of the tunnel.

Introduced 16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ignore-default-route boolean
Synopsis Ignore any full range traffic selector in TSi
Context configure ipsec tunnel-template number ignore-default-route boolean
Tree ignore-default-route

Description

When configured to true, any full range traffic selector is ignored when creating a reverse route.

When configured to false, no CHILD_SA is created if any full range traffic selector is included in TSi.

Default false
Introduced 19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ip-mtu number
Synopsis Maximum size of the IP MTU for the payload packets
Context configure ipsec tunnel-template number ip-mtu number
Tree ip-mtu
Range 512 to 9000
Units octets
Introduced 16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

pmtu-discovery-aging number
Synopsis Aging out time of the learned path MTU
Context configure ipsec tunnel-template number pmtu-discovery-aging number
Tree pmtu-discovery-aging

Description

This command configures the expiration time of the temporary public and private MTU. The temporary MTU is used for MTU propagation.

Range 900 to 3600
Units seconds
Default 900
Introduced 21.5.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

private-tcp-mss-adjust number
Synopsis New TCP MSS value on the private side
Context configure ipsec tunnel-template number private-tcp-mss-adjust number
Tree private-tcp-mss-adjust

Description

This command specifies the new (adjusted) TCP MSS value of TCP SYN packets on the private side.

When unconfigured, the MSS value is derived from the received TCP SYN packet on the private side.

Range 512 to 9000
Units octets
Introduced 16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

propagate-pmtu-v4 boolean
Synopsis Enable propagation of the path MTU to IPv4 hosts
Context configure ipsec tunnel-template number propagate-pmtu-v4 boolean
Tree propagate-pmtu-v4

Description

When configured to true, the system propagates the path MTU learned from the public side to the private side (IPv4 hosts).

Default true
Introduced 21.5.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

propagate-pmtu-v6 boolean
Synopsis Enable propagation of the path MTU to IPv6 hosts
Context configure ipsec tunnel-template number propagate-pmtu-v6 boolean
Tree propagate-pmtu-v6

Description

When configured to true, the system propagates the path MTU learned from the public side to the private side (IPv6 hosts).

Default true
Introduced 21.5.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

public-tcp-mss-adjust (number | keyword)
Synopsis New TCP MSS value on the public side
Context configure ipsec tunnel-template number public-tcp-mss-adjust (number | keyword)
Tree public-tcp-mss-adjust

Description

This command specifies the new (adjusted) TCP MSS value for the TCP traffic in an IPsec tunnel that is sent from the public network to the private network. The system can use this value to adjust or insert the MSS option in the TCP SYN packet.

When unconfigured, the MSS value is derived from the public MTU and IPsec overhead.

Range 512 to 9000
Units octets
Options auto
Introduced 16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

replay-window number
Synopsis Anti-replay window size for the tunnel template
Context configure ipsec tunnel-template number replay-window number
Tree replay-window
Range 32 | 64 | 128 | 256 | 512
Introduced 16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

sp-reverse-route keyword
Synopsis Reverse route creation method in private service
Context configure ipsec tunnel-template number sp-reverse-route keyword
Tree sp-reverse-route

Description

This command allows the system to automatically create a reverse route in the private service based on the TSi of a dynamic LAN-to-LAN tunnel.

Options none, use-security-policy
Default none
Introduced 16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR
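
The tunnel-template commands documented above, combined into one template that sets the options with a direct security or robustness effect explicitly rather than leaving them at their defaults. This is an added example, not configuration from the Nokia documentation or from any shipped device: the template ID 10, the description text and every numeric value are constructed (each sits inside the range the page gives for that command), and the brace layout follows the MD-CLI info rendering of the command paths above, which is an assumption about rendering rather than something the page states. The pkt-too-big context is left out because its child commands are not listed on this page.

```text
configure {
    ipsec {
        tunnel-template 10 {
            description "branch lan-to-lan, reverse route from security policy"
            replay-window 256
            sp-reverse-route use-security-policy
            ignore-default-route true
            clear-df-bit false
            copy-traffic-class-upon-decapsulation false
            ip-mtu 1400
            encapsulated-ip-mtu 1500
            private-tcp-mss-adjust 1360
            public-tcp-mss-adjust auto
            pmtu-discovery-aging 1800
            propagate-pmtu-v4 true
            propagate-pmtu-v6 true
            icmp-generation {
                frag-required {
                    admin-state enable
                    interval 10
                    message-count 50
                }
            }
        }
    }
}
```

Two of these settings interact and are worth reading together. With sp-reverse-route set to use-security-policy the system installs reverse routes in the private service from the peer's TSi, so the peer's proposed selector now influences routing; ignore-default-route decides what happens when that TSi contains a full-range selector. Per the descriptions above, true accepts the CHILD_SA but does not turn the full-range selector into a reverse route, while the default false refuses to create the CHILD_SA at all; both keep a peer-proposed default route out of the private service, and the choice is whether you would rather keep the tunnel up without that route or fail the negotiation so the misconfiguration is noticed. The replay-window value is the size of the anti-replay window (32 to 512 per the page): a larger window tolerates more reordering on the public path while still rejecting repeated sequence numbers. The frag-required settings bound how many type 3, code 4 messages the node generates per interval (here 50 every 10 seconds, below the default of 100), which caps the work a burst of oversized DF-set packets from the private side can cause. copy-traffic-class-upon-decapsulation is kept false so that the traffic class carried in the outer header, which the remote peer sets, is not written into the decapsulated payload's header.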