ipsec

vpn ipsec
SDE M10-Smart M2 RS420 AresC640

VPN IP security (IPsec) parameters

vpn ipsec auth-profile <id>
SDE M10-Smart M2 RS420 AresC640

IPSec Authentication Profile

Values:
  • id – Name of the IPSec authentication profile

Instances:

Multiple

vpn ipsec auth-profile <id> local
SDE M10-Smart M2 RS420 AresC640

Local (left) authentication configuration

vpn ipsec auth-profile <id> local auth
SDE M10-Smart M2 RS420 AresC640

Authentication method used locally

When a peer authenticates against us (as a server), a local authentication method must be used. By default, it is “pubkey” (key-pair certificates) and, if nothing else is specified, the system certificates are used for authentication. This is done to prove that we are who we claim to be (that is, to prevent spoofing attacks). Another method uses a pre-shared key; although this is not as secure as X.509 certificates, it still allows server identification and serves the same purpose. Finally, EAP (Extensible Authentication Protocol) is also available, which authenticates users with a username/password.

Values:
  • pre-shared-secret – Use a previously shared secret key

  • radius – Use a RADIUS server for authenticating users

  • eap – Use EAP authentication

Instances:

Unique

vpn ipsec auth-profile <id> local auth eap <id>
SDE M10-Smart M2 RS420 AresC640

EAP (Extensible Authentication Protocol) for local peers

The EAP authentication allows defining a pair of username (or ID) and a secret, which can be a PSK. This is used for authenticating peers during connection. Notice that strongSwan magic values can be used (for example, “%any”). For more information, please refer to the VPN documentation.

Values:
  • id – EAP identifier (username or remote ID) matched when authenticating

  • %any – Match any identity from configured secrets (ask)

Instances:

Multiple

vpn ipsec auth-profile <id> local auth eap <id> encrypted-secret <password>
SDE M10-Smart M2 RS420 AresC640
Values:
  • password – Encrypted secret used by associated EAP identifier

vpn ipsec auth-profile <id> local auth eap <id> secret <txt>
SDE M10-Smart M2 RS420 AresC640

Secret used by associated EAP identifier

The following characters are allowed in the secret: alphanumeric characters a-z A-Z 0-9 and special characters - + & ! @ # $ %% ^ * ( ) , . : _ Using single quotes to set the secret is recommended; if the secret contains special characters, single quotes are required. Example usage: 'aA1-&!@,.:_2Bb'

Values:
  • txt – Secret used when authenticating

vpn ipsec auth-profile <id> local auth eap <id> type <id>
SDE M10-Smart M2 RS420 AresC640

Type of EAP authentication to use. By default, it is guessed

Different kinds of EAP authentication mechanisms can be used during the identity exchange. By default, the EAP method is guessed during IKE negotiation, but you can specify manually which one must be used.

Values:
  • mschapv2 – EAP-Microsoft Challenge Handshake Authentication Protocol version 2

  • tls – EAP-TLS protocol handler, to authenticate with certificates in EAP

  • ttls – EAP-TTLS protocol handler, wraps other EAP methods securely

  • md5 – EAP-MD5 protocol handler using passwords

vpn ipsec auth-profile <id> local auth encrypted-pre-shared-secret <password>
SDE M10-Smart M2 RS420 AresC640
Values:
  • password – Encrypted PSK (Pre-Shared Key) for local peers

vpn ipsec auth-profile <id> local auth pre-shared-secret <txt>
SDE M10-Smart M2 RS420 AresC640
Values:
  • txt

    PSK (Pre-Shared Key) for local peers

    The following characters are allowed in the pre-shared secret key: alphanumeric characters a-z A-Z 0-9 and special characters - + & ! @ # $ %% ^ * ( ) , . : _ Using single quotes to set the pre-shared secret key is recommended; if the key contains special characters, single quotes are required. Example usage: 'aA1-&!@,.:_2Bb'

vpn ipsec auth-profile <id> local auth radius
SDE M10-Smart M2 RS420 AresC640

IPSec RADIUS based authentication

vpn ipsec auth-profile <id> local ca-cert-file <file>
SDE M10-Smart M2 RS420 AresC640
Values:
  • file – local CA certificate file

vpn ipsec auth-profile <id> local cert-file <file>
SDE M10-Smart M2 RS420 AresC640
Values:
  • file – local certificate file

vpn ipsec auth-profile <id> local crl
SDE M10-Smart M2 RS420 AresC640

local Certificate Revocation List

vpn ipsec auth-profile <id> local crl file <file>
SDE M10-Smart M2 RS420 AresC640
Values:
  • file – Local CRL file

vpn ipsec auth-profile <id> local crl revocation <id>
SDE M10-Smart M2 RS420 AresC640

Revocation mode

Values:
  • relaxed – Authentication fails if the certificate is revoked

  • strict – Authentication fails if the certificate is revoked or if the CRL cannot be loaded/downloaded

vpn ipsec auth-profile <id> local crl url <txt>
SDE M10-Smart M2 RS420 AresC640
Values:
  • txt

    CRL file HTTP download URL

    The CRL is first fetched over HTTP from this URL, before trying the CRL URL that may be defined within the peer certificate. If that first fetch fails, the CRL URL defined within the peer certificate is used as a fallback.

vpn ipsec auth-profile <id> local csr <id>
SDE M10-Smart M2 RS420 AresC640

local Certificate Signing Request instance (SCEP)

Reference:

system certificate scep csr <id>

vpn ipsec auth-profile <id> local id <id>
SDE M10-Smart M2 RS420 AresC640

Local IKE identity used for authentication

The local identity is what a peer expects to find when connecting using the IKE protocol. This can be an IP address, a hostname or a strongSwan “magic” variable (such as “%any”). Refer to https://wiki.strongswan.org/projects/strongswan/wiki/IdentityParsing for more information.

Values:
  • ipv4 – IPv4 used by peers

  • ipv6 – IPv6 used by peers

  • fqdn – Hostname used by peers

  • %any – Match any identity

  • id – Any other value matching Identity Parsing rules

vpn ipsec auth-profile <id> local key
SDE M10-Smart M2 RS420 AresC640

local private key

Required:

vpn ipsec auth-profile <id> local key encrypted-passphrase <password>
SDE M10-Smart M2 RS420 AresC640
Values:
  • password – Encrypted passphrase

vpn ipsec auth-profile <id> local key file <file>
SDE M10-Smart M2 RS420 AresC640
Values:
  • file – Private key file

vpn ipsec auth-profile <id> local key passphrase <txt>
SDE M10-Smart M2 RS420 AresC640
Values:
  • txt

    Passphrase for private key file

    The following characters are allowed in the passphrase: alphanumeric characters a-z A-Z 0-9 and special characters - + & ! @ # $ %% ^ * ( ) , . : _ Using single quotes to set the passphrase is recommended; if the passphrase contains special characters, single quotes are required. Example usage: 'aA1-&!@,.:_2Bb'

vpn ipsec auth-profile <id> local pkcs12
SDE M10-Smart M2 RS420 AresC640

local PKCS#12

Required:

vpn ipsec auth-profile <id> local pkcs12 encrypted-passphrase <password>
SDE M10-Smart M2 RS420 AresC640
Values:
  • password – Encrypted passphrase

vpn ipsec auth-profile <id> local pkcs12 file <file>
SDE M10-Smart M2 RS420 AresC640
Values:
  • file – PKCS#12 file

vpn ipsec auth-profile <id> local pkcs12 passphrase <txt>
SDE M10-Smart M2 RS420 AresC640
Values:
  • txt

    Passphrase of PKCS#12 file

    The following characters are allowed in the passphrase: alphanumeric characters a-z A-Z 0-9 and special characters - + & ! @ # $ %% ^ * ( ) , . : _ Using single quotes to set the passphrase is recommended; if the passphrase contains special characters, single quotes are required. Example usage: 'aA1-&!@,.:_2Bb'

vpn ipsec auth-profile <id> mirror-config <bool>
SDE M10-Smart M2 RS420 AresC640

Mirror one authentication side into the other, if not defined

When defining the authentication sides (local/remote), you can choose to define only one of them. By default, the configuration is mirrored into the missing side (only the “auth” part), respecting any data that already exists there. This way, authentication profiles can be partially defined while still yielding a fully working VPN connection.

Values:
  • true – The existing profile is mirrored into the non-existing one

  • false – No mirroring is done. Notice that you must define both of them individually
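The mirroring rule above, as an added example in Python (not the product's own code): an auth-profile is modelled as a nested dictionary following the CLI tree (profile["local"]["auth"], profile["remote"]["id"], and so on, all constructed names), and only the "auth" subtree is copied into whichever side lacks it. The check at the end shows the caveat for mirror-config false: a side that defines no auth method stays undefined.

```python
"""Mirror-config behaviour for an IPsec auth-profile, modelled on the
'mirror-config <bool>' description. Added example, not vendor code."""
import copy


def mirror_auth(profile):
    """Return a new profile with 'auth' mirrored into the side that lacks it.

    Only the 'auth' subtree is mirrored; per-side settings such as id,
    cert-file or key are left exactly as configured on each side. When
    mirror-config is false the profile is returned unchanged. The input
    dictionary is never modified.
    """
    prof = copy.deepcopy(profile)
    # The reference states mirroring is the default, so a missing key means enabled.
    if not prof.get("mirror-config", True):
        return prof
    local = prof.setdefault("local", {})
    remote = prof.setdefault("remote", {})
    local_auth = local.get("auth")
    remote_auth = remote.get("auth")
    if local_auth is not None and remote_auth is None:
        remote["auth"] = copy.deepcopy(local_auth)
    elif remote_auth is not None and local_auth is None:
        local["auth"] = copy.deepcopy(remote_auth)
    # Both defined (or both missing): nothing is mirrored, existing data is respected.
    return prof


def missing_auth_sides(profile):
    """After mirroring, list the sides that still have no 'auth' method.

    With mirror-config false this is the check a config validator would run,
    since the reference says both sides must then be defined individually.
    """
    prof = mirror_auth(profile)
    return [side for side in ("local", "remote") if "auth" not in prof.get(side, {})]


if __name__ == "__main__":
    # Constructed sample: only the local side carries an auth method.
    sample = {
        "local": {"id": "vpn-a.example.test",
                  "auth": {"pre-shared-secret": "aA1-&!@,.:_2Bb"}},
        "remote": {"id": "vpn-b.example.test"},
    }
    print(mirror_auth(sample)["remote"])
    print("missing with mirror-config false:",
          missing_auth_sides({**sample, "mirror-config": False}))
```

The deep copy matters in practice: a validator that mutates the parsed configuration while checking it would silently turn a partially defined profile into a fully defined one and hide the very error it is meant to report.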

vpn ipsec auth-profile <id> remote
SDE M10-Smart M2 RS420 AresC640

Remote (right) authentication configuration

vpn ipsec auth-profile <id> remote auth
SDE M10-Smart M2 RS420 AresC640

Authentication method used by connecting peer

When a peer authenticates against us (as a server), a remote authentication method must be used. By default, it is “pubkey” (key-pair certificates), which serves to identify the peer. Another method uses a pre-shared key, in which a key must be shared in advance in order to connect. Finally, it is possible to authenticate using RADIUS, usually based on a username/password.

Values:
  • pre-shared-secret – Use a previously shared secret key

  • radius – Use a RADIUS server for authenticating users

  • eap – Use EAP authentication

Instances:

Unique

vpn ipsec auth-profile <id> remote auth eap <id>
SDE M10-Smart M2 RS420 AresC640

EAP (Extensible Authentication Protocol) for remote peers

The EAP authentication allows defining a pair of username (or ID) and a secret, which can be a PSK. This is used for authenticating peers during connection. Notice that strongSwan magic values can be used (for example, “%any”). For more information, please refer to the VPN documentation.

Values:
  • id – EAP identifier (username or remote ID) matched when authenticating

  • %any – Match any identity from configured secrets (ask)

Instances:

Multiple

vpn ipsec auth-profile <id> remote auth eap <id> encrypted-secret <password>
SDE M10-Smart M2 RS420 AresC640
Values:
  • password – Encrypted secret used by associated EAP identifier

vpn ipsec auth-profile <id> remote auth eap <id> secret <txt>
SDE M10-Smart M2 RS420 AresC640

Secret used by associated EAP identifier

The following characters are allowed in the secret: alphanumeric characters a-z A-Z 0-9 and special characters - + & ! @ # $ %% ^ * ( ) , . : _ Using single quotes to set the secret is recommended; if the secret contains special characters, single quotes are required. Example usage: 'aA1-&!@,.:_2Bb'

Values:
  • txt – Secret used when authenticating

vpn ipsec auth-profile <id> remote auth eap <id> type <id>
SDE M10-Smart M2 RS420 AresC640

Type of EAP authentication to use. By default, it is guessed

Different kinds of EAP authentication mechanisms can be used during the identity exchange. By default, the EAP method is guessed during IKE negotiation, but you can specify manually which one must be used.

Values:
  • mschapv2 – EAP-Microsoft Challenge Handshake Authentication Protocol version 2

  • tls – EAP-TLS protocol handler, to authenticate with certificates in EAP

  • ttls – EAP-TTLS protocol handler, wraps other EAP methods securely

  • md5 – EAP-MD5 protocol handler using passwords

vpn ipsec auth-profile <id> remote auth encrypted-pre-shared-secret <password>
SDE M10-Smart M2 RS420 AresC640
Values:
  • password – Encrypted PSK (Pre-Shared Key) for remote peers

vpn ipsec auth-profile <id> remote auth pre-shared-secret <txt>
SDE M10-Smart M2 RS420 AresC640
Values:
  • txt

    PSK (Pre-Shared Key) for remote peers

    The following characters are allowed in the pre-shared secret key: alphanumeric characters a-z A-Z 0-9 and special characters - + & ! @ # $ %% ^ * ( ) , . : _ Using single quotes to set the pre-shared secret key is recommended; if the key contains special characters, single quotes are required. Example usage: 'aA1-&!@,.:_2Bb'

vpn ipsec auth-profile <id> remote auth radius
SDE M10-Smart M2 RS420 AresC640

IPSec RADIUS based authentication

vpn ipsec auth-profile <id> remote ca-cert-file <file>
SDE M10-Smart M2 RS420 AresC640
Values:
  • file – remote CA certificate file

vpn ipsec auth-profile <id> remote cert-file <file>
SDE M10-Smart M2 RS420 AresC640
Values:
  • file – remote certificate file

vpn ipsec auth-profile <id> remote crl
SDE M10-Smart M2 RS420 AresC640

remote Certificate Revocation List

vpn ipsec auth-profile <id> remote crl file <file>
SDE M10-Smart M2 RS420 AresC640
Values:
  • file – Local CRL file

vpn ipsec auth-profile <id> remote crl revocation <id>
SDE M10-Smart M2 RS420 AresC640

Revocation mode

Values:
  • relaxed – Authentication fails if the certificate is revoked

  • strict – Authentication fails if the certificate is revoked or if the CRL cannot be loaded/downloaded

vpn ipsec auth-profile <id> remote crl url <txt>
SDE M10-Smart M2 RS420 AresC640
Values:
  • txt

    CRL file HTTP download URL

    The CRL is first fetched over HTTP from this URL, before trying the CRL URL that may be defined within the peer certificate. If that first fetch fails, the CRL URL defined within the peer certificate is used as a fallback.
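The revocation decision described by "crl revocation <id>" and "crl url <txt>" (for both the local and the remote side), as an added example in Python that is not the product's own code: the configured URL is tried first, the CRL distribution points from the peer certificate serve as fallback, and the relaxed/strict mode decides what happens when no CRL can be loaded at all. The fetcher is injected and the CRL contents, URLs and serial numbers are constructed so the logic runs offline; a real fetcher would download and parse the CRL.

```python
"""Revocation check modelled on 'crl revocation <id>' (relaxed/strict) and the
fetch order of 'crl url <txt>'. Added example, not vendor code."""


def crl_sources(configured_url, cert_crl_urls):
    """Fetch order: the configured 'crl url' first, then the CRL URLs carried
    in the peer certificate, without repeating a URL."""
    order = [configured_url] if configured_url else []
    return order + [u for u in cert_crl_urls if u not in order]


def check_revocation(mode, serial, configured_url, cert_crl_urls, fetcher):
    """Return (accepted, reason) for the peer certificate with this serial.

    mode     'relaxed' or 'strict', as in 'crl revocation <id>'
    fetcher  callable(url) -> set of revoked serials; raises OSError on failure
    """
    if mode not in ("relaxed", "strict"):
        raise ValueError("mode must be 'relaxed' or 'strict'")
    revoked, source = None, None
    for url in crl_sources(configured_url, cert_crl_urls):
        try:
            revoked, source = fetcher(url), url
            break                      # first successful fetch wins
        except OSError:
            continue                   # try the next source
    if revoked is None:
        # No CRL at all: only strict mode treats this as a failure.
        if mode == "strict":
            return False, "no CRL could be loaded; strict mode rejects"
        return True, "no CRL could be loaded; relaxed mode accepts"
    if serial in revoked:
        return False, f"certificate {serial} is revoked according to {source}"
    return True, f"certificate {serial} is not revoked according to {source}"


# Constructed fake CRL distribution points (hypothetical URLs and serials).
_FAKE_CRLS = {
    "http://crl.example.test/vpn.crl": {"1001", "1002"},   # the configured 'crl url'
    "http://cdp.example.test/ca.crl": {"1002", "2001"},    # CDP from the peer cert
}


def fake_fetcher(url):
    """Stand-in for an HTTP download: unknown URLs behave like a failed fetch."""
    try:
        return _FAKE_CRLS[url]
    except KeyError:
        raise OSError(f"cannot fetch {url}")


if __name__ == "__main__":
    for mode in ("relaxed", "strict"):
        print(mode, check_revocation(mode, "1001", "http://crl.example.test/vpn.crl",
                                     [], fake_fetcher))
        print(mode, check_revocation(mode, "1001", "http://down.example.test/x.crl",
                                     [], fake_fetcher))
```

Note the second case in the demonstration: with relaxed mode a revoked certificate is accepted whenever the CRL server is unreachable, which is why strict mode is the safer choice once CRL distribution is reliable.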

vpn ipsec auth-profile <id> remote csr <id>
SDE M10-Smart M2 RS420 AresC640

remote Certificate Signing Request instance (SCEP)

Reference:

system certificate scep csr <id>

vpn ipsec auth-profile <id> remote id <id>
SDE M10-Smart M2 RS420 AresC640

Remote IKE identity used for authentication

The remote identity is what a peer expects to find when connecting using the IKE protocol. This can be an IP address, a hostname or a strongSwan “magic” variable (such as “%any”). Refer to https://wiki.strongswan.org/projects/strongswan/wiki/IdentityParsing for more information.

Values:
  • ipv4 – IPv4 used by peers

  • ipv6 – IPv6 used by peers

  • fqdn – Hostname used by peers

  • %any – Match any identity

  • id – Any other value matching Identity Parsing rules

vpn ipsec auth-profile <id> remote key
SDE M10-Smart M2 RS420 AresC640

remote private key

Required:

vpn ipsec auth-profile <id> remote key encrypted-passphrase <password>
SDE M10-Smart M2 RS420 AresC640
Values:
  • password – Encrypted passphrase

vpn ipsec auth-profile <id> remote key file <file>
SDE M10-Smart M2 RS420 AresC640
Values:
  • file – Private key file

vpn ipsec auth-profile <id> remote key passphrase <txt>
SDE M10-Smart M2 RS420 AresC640
Values:
  • txt

    Passphrase for private key file

    The following characters are allowed in the passphrase: alphanumeric characters a-z A-Z 0-9 and special characters - + & ! @ # $ %% ^ * ( ) , . : _ Using single quotes to set the passphrase is recommended; if the passphrase contains special characters, single quotes are required. Example usage: 'aA1-&!@,.:_2Bb'

vpn ipsec auth-profile <id> remote pkcs12
SDE M10-Smart M2 RS420 AresC640

remote PKCS#12

Required:

Required:

vpn ipsec auth-profile <id> remote pkcs12 encrypted-passphrase <password>
SDE M10-Smart M2 RS420 AresC640
Values:
  • password – Encrypted passphrase

vpn ipsec auth-profile <id> remote pkcs12 file <file>
SDE M10-Smart M2 RS420 AresC640
Values:
  • file – PKCS#12 file

vpn ipsec auth-profile <id> remote pkcs12 passphrase <txt>
SDE M10-Smart M2 RS420 AresC640
Values:
  • txt

    Passphrase of PKCS#12 file

    The following characters are allowed in the passphrase: alphanumeric characters a-z A-Z 0-9 and special characters - + & ! @ # $ %% ^ * ( ) , . : _ Using single quotes to set the passphrase is recommended; if the passphrase contains special characters, single quotes are required. Example usage: 'aA1-&!@,.:_2Bb'

vpn ipsec auth-profile <id> secrets <id>
SDE M10-Smart M2 RS420 AresC640

Arbitrary secrets for local/remote peers

The EAP authentication allows defining a pair of username (or ID) and a secret, which can be a PSK. This is used for authenticating peers during connection. Notice that strongSwan magic values can be used (for example, “%any”). For more information, please refer to the VPN documentation.

Values:
  • id – Specific identity to use

Instances:

Multiple

vpn ipsec auth-profile <id> secrets <id> encrypted-secret <password>
SDE M10-Smart M2 RS420 AresC640
Values:
  • password – Encrypted secret associated to ID

vpn ipsec auth-profile <id> secrets <id> secret <txt>
SDE M10-Smart M2 RS420 AresC640

Secret associated to ID

The following characters are allowed in the secret: alphanumeric characters a-z A-Z 0-9 and special characters - + & ! @ # $ %% ^ * ( ) , . : _ Using single quotes to set the secret is recommended; if the secret contains special characters, single quotes are required. Example usage: 'aA1-&!@,.:_2Bb'

Values:
  • txt – Secret used when authenticating

vpn ipsec dmvpn-profile <id>
SDE M10-Smart M2 RS420 AresC640

DMVPN IPSec Profile

Values:
  • id – Name of the DMVPN IPSec profile

Instances:

Multiple

Required:

vpn ipsec auth-profile <id>

Required:

vpn ipsec esp-group <id>

Required:

vpn ipsec ike-group <id>

vpn ipsec dmvpn-profile <id> auth-profile <id>
SDE M10-Smart M2 RS420 AresC640

IPSec Authentication Profile

Reference:

vpn ipsec auth-profile <id>

vpn ipsec dmvpn-profile <id> esp-group <id>
SDE M10-Smart M2 RS420 AresC640

ESP group name

Reference:

vpn ipsec esp-group <id>

vpn ipsec dmvpn-profile <id> ike-group <id>
SDE M10-Smart M2 RS420 AresC640

IKE group name

Reference:

vpn ipsec ike-group <id>

vpn ipsec downloader
SDE M10-Smart M2 RS420 AresC640

VPN downloader configuration

vpn ipsec downloader local-address <ipv4|ipv6>
SDE M10-Smart M2 RS420 AresC640

Local IP address to use as source for strongSwan downloads

Values:
  • ipv4 – Local IPv4 address

  • ipv6 – Local IPv6 address

vpn ipsec downloader local-interface <ifc>
SDE M10-Smart M2 RS420 AresC640
Values:
  • ifc – Interface to use as source for strongSwan downloads

vpn ipsec downloader local-vrf <id>
SDE M10-Smart M2 RS420 AresC640

VRF to use as source for strongSwan downloads

Reference:

system vrf <id>

vpn ipsec esp-group <id>
SDE M10-Smart M2 RS420 AresC640
Values:
  • id – Name of Encapsulating Security Payload (ESP) group

Instances:

Multiple

vpn ipsec esp-group <id> compression
SDE M10-Smart M2 RS420 AresC640

ESP compression

vpn ipsec esp-group <id> lifetime <u32>
SDE M10-Smart M2 RS420 AresC640

ESP lifetime

Values:
  • u32 – ESP lifetime (in seconds by default)

Instances:

Unique

vpn ipsec esp-group <id> lifetime <u32> MB
SDE M10-Smart M2 RS420 AresC640

ESP lifetime expressed in megabytes

vpn ipsec esp-group <id> lifetime <u32> packets
SDE M10-Smart M2 RS420 AresC640

ESP lifetime expressed in packets

vpn ipsec esp-group <id> lifetime <u32> seconds
SDE M10-Smart M2 RS420 AresC640

ESP lifetime expressed in seconds

vpn ipsec esp-group <id> mark-in <u32|txt>
SDE M10-Smart M2 RS420 AresC640

Set an XFRM mark on the inbound policy

Values:
  • unique – Use a unique mark for each tunnel

  • unique-dir – Use a unique mark for each tunnel and direction (in/out)

  • unique-only-nat – Use a unique mark for each tunnel when NAT is detected

  • same – Use the same mark for all tunnels

  • u32 – Mark value

vpn ipsec esp-group <id> mark-out <u32|txt>
SDE M10-Smart M2 RS420 AresC640

Set an XFRM mark on the outbound IPsec SA and policy

Values:
  • unique – Use a unique mark for each tunnel

  • unique-dir – Use a unique mark for each tunnel and direction (in/out)

  • unique-only-nat – Use a unique mark for each tunnel when NAT is detected

  • same – Use the same mark for all tunnels

  • u32 – Mark value

vpn ipsec esp-group <id> mode <id>
SDE M10-Smart M2 RS420 AresC640

ESP mode

Values:
  • tunnel – Tunnel mode

  • transport – Transport mode

vpn ipsec esp-group <id> proposal <u32>
SDE M10-Smart M2 RS420 AresC640

ESP-group proposal [REQUIRED]

Values:
  • u32 – ESP-group proposal number (1-65535)

Instances:

Multiple

vpn ipsec esp-group <id> proposal <u32> encryption <id>
SDE M10-Smart M2 RS420 AresC640

Encryption algorithm

Values:
  • aes128 – AES-128 encryption with CBC

  • aes192 – AES-192 encryption with CBC

  • aes256 – AES-256 encryption with CBC

  • aes128gcm128 – AES-128 encryption with Galois Counter Mode 128-bit

  • aes192gcm64 – AES-192 encryption with GCM and 64 bit ICV

  • aes192gcm128 – AES-192 encryption with Galois Counter Mode 128-bit

  • aes256gcm128 – AES-256 encryption with Galois Counter Mode 128-bit

  • aes128gmac – Null encryption with AES-128 Galois Message Authentication Code

  • aes192gmac – Null encryption with AES-192 Galois Message Authentication Code

  • aes256gmac – Null encryption with AES-256 Galois Message Authentication Code

  • aes128ccm64 – AES-128 encryption with CCM and 64 bit ICV

  • aes192ccm64 – AES-192 encryption with CCM and 64 bit ICV

  • aes256ccm64 – AES-256 encryption with CCM and 64 bit ICV

  • 3des – 3DES encryption

  • chacha20poly1305 – ChaCha20-Poly1305 encryption

  • null – Null encryption

vpn ipsec esp-group <id> proposal <u32> hash <id>
SDE M10-Smart M2 RS420 AresC640

Hash algorithm

Values:
  • md5 – MD5 hash

  • sha1 – SHA1 hash

  • sha256 – SHA2-256 hash

  • sha384 – SHA2-384 hash

  • sha512 – SHA2-512 hash

vpn ipsec esp-group <id> proposal <u32> pfs <id>
SDE M10-Smart M2 RS420 AresC640

ESP Perfect Forward Secrecy

Values:
  • dh-group2 – Enable PFS. Use Diffie-Hellman group 2 (modp1024)

  • dh-group5 – Enable PFS. Use Diffie-Hellman group 5 (modp1536)

  • dh-group14 – Enable PFS. Use Diffie-Hellman group 14 (modp2048)

  • dh-group15 – Enable PFS. Use Diffie-Hellman group 15 (modp3072)

  • dh-group16 – Enable PFS. Use Diffie-Hellman group 16 (modp4096)

  • dh-group17 – Enable PFS. Use Diffie-Hellman group 17 (modp6144)

  • dh-group18 – Enable PFS. Use Diffie-Hellman group 18 (modp8192)

  • dh-group19 – Enable PFS. Use Diffie-Hellman group 19 (ecp256)

  • dh-group20 – Enable PFS. Use Diffie-Hellman group 20 (ecp384)

  • dh-group21 – Enable PFS. Use Diffie-Hellman group 21 (ecp521)

  • dh-group22 – Enable PFS. Use Diffie-Hellman group 22 (modp1024s160)

  • dh-group23 – Enable PFS. Use Diffie-Hellman group 23 (modp2048s224)

  • dh-group24 – Enable PFS. Use Diffie-Hellman group 24 (modp2048s256)

  • dh-group25 – Enable PFS. Use Diffie-Hellman group 25 (ecp192)

  • dh-group26 – Enable PFS. Use Diffie-Hellman group 26 (ecp224)

vpn ipsec esp-group <id> replay-window <u32>
SDE M10-Smart M2 RS420 AresC640

Replay Window Value

Values:
  • u32 – Replay Window Value (0-32)

vpn ipsec esp-group <id> vrf-mark-in <id>
SDE M10-Smart M2 RS420 AresC640

Set an XFRM mark on the inbound policy using a VRF

Reference:

system vrf <id>

vpn ipsec esp-group <id> vrf-mark-out <id>
SDE M10-Smart M2 RS420 AresC640

Set an XFRM mark on the outbound IPsec SA and policy using a VRF

Reference:

system vrf <id>

vpn ipsec ike-group <id>
SDE M10-Smart M2 RS420 AresC640
Values:
  • id – Name of Internet Key Exchange (IKE) group

Instances:

Multiple

vpn ipsec ike-group <id> dead-peer-detection
SDE M10-Smart M2 RS420 AresC640

Dead Peer Detection (DPD)

vpn ipsec ike-group <id> dead-peer-detection action <id>
SDE M10-Smart M2 RS420 AresC640

Keep-alive failure action

Values:
  • clear – Set action to clear

  • restart – Set action to restart

  • trap – Set action to trap

vpn ipsec ike-group <id> dead-peer-detection interval <u32>
SDE M10-Smart M2 RS420 AresC640

Keep-alive interval

Values:
  • u32 – Keep-alive interval in seconds (1-86400)

vpn ipsec ike-group <id> dead-peer-detection timeout <u32>
SDE M10-Smart M2 RS420 AresC640

Keep-alive timeout

Values:
  • u32 – Keep-alive timeout in seconds (1-86400)

vpn ipsec ike-group <id> ikev2-reauth
SDE M10-Smart M2 RS420 AresC640

Re-authentication of the remote peer during an IKE re-key. IKEv2 option only

vpn ipsec ike-group <id> key-exchange <id>
SDE M10-Smart M2 RS420 AresC640

Key Exchange Version

Values:
  • ikev1 – Use IKEv1 for Key Exchange

  • ikev2 – Use IKEv2 for Key Exchange

vpn ipsec ike-group <id> lifetime <u32>
SDE M10-Smart M2 RS420 AresC640

IKE lifetime

Values:
  • u32 – IKE lifetime in seconds (30-86400)

vpn ipsec ike-group <id> mobike
SDE M10-Smart M2 RS420 AresC640

Enable MOBIKE Support. MOBIKE is only available for IKEv2.

vpn ipsec ike-group <id> mode <id>
SDE M10-Smart M2 RS420 AresC640

IKEv1 Phase 1 Mode Selection

Values:
  • main – Use Main mode for Key Exchanges in the IKEv1 Protocol (Recommended Default)

  • aggressive – Use Aggressive mode for Key Exchanges in the IKEv1 protocol. Aggressive mode is not recommended, as it is much less secure than Main mode.

vpn ipsec ike-group <id> proposal <u32>
SDE M10-Smart M2 RS420 AresC640

IKE-group proposal [REQUIRED]

Values:
  • u32 – IKE-group proposal (1-65535)

Instances:

Multiple

vpn ipsec ike-group <id> proposal <u32> dh-group <u32>
SDE M10-Smart M2 RS420 AresC640

Diffie-Hellman (DH) key exchange group

Values:
  • 2 – DH group 2 (modp1024)

  • 5 – DH group 5 (modp1536)

  • 14 – DH group 14 (modp2048)

  • 15 – DH group 15 (modp3072)

  • 16 – DH group 16 (modp4096)

  • 17 – DH group 17 (modp6144)

  • 18 – DH group 18 (modp8192)

  • 19 – DH group 19 (ecp256)

  • 20 – DH group 20 (ecp384)

  • 21 – DH group 21 (ecp521)

  • 22 – DH group 22 (modp1024s160)

  • 23 – DH group 23 (modp2048s224)

  • 24 – DH group 24 (modp2048s256)

  • 25 – DH group 25 (ecp192)

  • 26 – DH group 26 (ecp224)

vpn ipsec ike-group <id> proposal <u32> encryption <id>
SDE M10-Smart M2 RS420 AresC640

Encryption algorithm

Values:
  • aes128 – AES-128 encryption with CBC

  • aes192 – AES-192 encryption with CBC

  • aes256 – AES-256 encryption with CBC

  • aes128gcm128 – AES-128 encryption with Galois Counter Mode 128-bit

  • aes192gcm64 – AES-192 encryption with GCM and 64 bit ICV

  • aes192gcm128 – AES-192 encryption with Galois Counter Mode 128-bit

  • aes256gcm128 – AES-256 encryption with Galois Counter Mode 128-bit

  • aes128gmac – Null encryption with AES-128 Galois Message Authentication Code

  • aes192gmac – Null encryption with AES-192 Galois Message Authentication Code

  • aes256gmac – Null encryption with AES-256 Galois Message Authentication Code

  • aes128ccm64 – AES-128 encryption with CCM and 64 bit ICV

  • aes192ccm64 – AES-192 encryption with CCM and 64 bit ICV

  • aes256ccm64 – AES-256 encryption with CCM and 64 bit ICV

  • 3des – 3DES encryption

  • chacha20poly1305 – ChaCha20-Poly1305 encryption

  • null – Null encryption

vpn ipsec ike-group <id> proposal <u32> hash <id>
SDE M10-Smart M2 RS420 AresC640

Hash algorithm

Values:
  • md5 – MD5 hash

  • sha1 – SHA1 hash

  • sha256 – SHA2-256 hash

  • sha384 – SHA2-384 hash

  • sha512 – SHA2-512 hash
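An audit of the proposal values listed above for both esp-group and ike-group, as an added example in Python that is not the product's own code. It takes the algorithm identifiers exactly as this reference spells them (aes256gcm128, sha1, dh-group14, ...) and flags the choices a reviewer would want called out: the deprecated 3des/null/md5/sha1 entries, DH groups below modp2048 or with curves under 256 bits (including the RFC 5114 groups 22 to 24 that RFC 8247 discourages), the gmac entries that provide integrity but no confidentiality, and ESP proposals with no PFS group. The weak-algorithm sets are general cryptographic guidance, not anything this page states as product defaults; the sample groups at the bottom are constructed.

```python
"""Audit of IKE/ESP proposals using the identifiers of this CLI reference.
Added example, not vendor code; the weak sets encode general guidance."""

# Identifiers as they appear under "proposal <u32> encryption" / "hash".
WEAK_ENCRYPTION = {"3des", "null"}             # 64-bit block cipher / no confidentiality
WEAK_HASH = {"md5", "sha1"}                    # broken or deprecated for new deployments
GMAC_ONLY = {"aes128gmac", "aes192gmac", "aes256gmac"}   # the page: "Null encryption with ... GMAC"
# AEAD ciphers (and GMAC) carry their own integrity check, so ESP needs no separate hash.
AEAD_PREFIXES = ("aes128gcm", "aes192gcm", "aes256gcm",
                 "aes128ccm", "aes192ccm", "aes256ccm", "chacha20poly1305")
# DH groups below 2048-bit MODP (2, 5, 22), the RFC 5114 groups 23/24 that
# RFC 8247 discourages, and elliptic curves under 256 bits (25, 26).
WEAK_DH = {2, 5, 22, 23, 24, 25, 26}


def audit_proposal(kind, number, encryption=None, hash_=None, dh_group=None, pfs=None):
    """Return a list of findings (empty means nothing to flag) for one proposal.

    kind      'ike' or 'esp'
    dh_group  IKE form: the integer from 'ike-group <id> proposal <u32> dh-group <u32>'
    pfs       ESP form: the string from 'esp-group <id> proposal <u32> pfs <id>',
              e.g. 'dh-group14', or None when PFS is not configured
    """
    if kind not in ("ike", "esp"):
        raise ValueError("kind must be 'ike' or 'esp'")
    where = f"{kind} proposal {number}"
    findings = []

    if encryption is None:
        findings.append(f"{where}: no encryption algorithm configured")
    elif encryption in WEAK_ENCRYPTION:
        findings.append(f"{where}: encryption '{encryption}' is deprecated or insecure")
    elif encryption in GMAC_ONLY:
        findings.append(f"{where}: '{encryption}' is null encryption (integrity only)")

    self_authenticating = encryption is not None and (
        encryption in GMAC_ONLY or encryption.startswith(AEAD_PREFIXES))
    if hash_ is None:
        if encryption is not None and not self_authenticating:
            findings.append(f"{where}: non-AEAD cipher without a hash algorithm")
    elif hash_ in WEAK_HASH:
        findings.append(f"{where}: hash '{hash_}' is deprecated")

    # Normalise the DH group to an integer whichever form the caller used.
    group = dh_group
    if pfs is not None:
        group = int(pfs[len("dh-group"):])
    if kind == "ike" and group is None:
        findings.append(f"{where}: IKE proposal without a dh-group")
    if kind == "esp" and pfs is None:
        findings.append(f"{where}: no PFS, child SA keys depend solely on the IKE SA")
    if group in WEAK_DH:
        findings.append(f"{where}: DH group {group} is too weak or discouraged")
    return findings


def audit_groups(ike_proposals, esp_proposals):
    """Audit an ike-group and an esp-group given as dicts keyed by proposal number."""
    findings = []
    for number, p in sorted(ike_proposals.items()):
        findings += audit_proposal("ike", number, p.get("encryption"), p.get("hash"),
                                   dh_group=p.get("dh-group"))
    for number, p in sorted(esp_proposals.items()):
        findings += audit_proposal("esp", number, p.get("encryption"), p.get("hash"),
                                   pfs=p.get("pfs"))
    return findings


if __name__ == "__main__":
    # Constructed sample resembling one ike-group and one esp-group from this reference.
    ike = {1: {"encryption": "aes256gcm128", "hash": "sha256", "dh-group": 19},
           2: {"encryption": "3des", "hash": "md5", "dh-group": 2}}
    esp = {1: {"encryption": "aes256", "hash": "sha256", "pfs": "dh-group14"},
           2: {"encryption": "aes128", "hash": "sha1"}}
    for line in audit_groups(ike, esp):
        print(line)
```

Because a group can hold several numbered proposals and the peer may pick any of them, the audit reports every proposal: a single leftover 3des/md5 entry is enough for a downgrade to a weak suite if the peer prefers it, which is why the weak entries should be removed rather than merely placed last.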

vpn ipsec interface <ifc>
SDE M10-Smart M2 RS420 AresC640

Network interfaces that should be used by IPSec. All other interfaces are ignored.

Values:
  • txt – IPSec interface

Instances:

Multiple

vpn ipsec logging
SDE M10-Smart M2 RS420 AresC640

IPsec logging

vpn ipsec logging log-types
SDE M10-Smart M2 RS420 AresC640

Select log type

vpn ipsec logging log-types any
SDE M10-Smart M2 RS420 AresC640

Apply log level to all existing types.

vpn ipsec logging log-types any log-level <txt>
SDE M10-Smart M2 RS420 AresC640
Values:
  • txt – VPN Logger Verbosity Level

vpn ipsec logging log-types type <txt>
SDE M10-Smart M2 RS420 AresC640

Apply to a specific log type. To see what each log type exactly does, please refer to the VPN documentation

Values:
  • dmn – Debug log option for VPN

  • mgr – Debug log option for VPN

  • ike – Debug log option for VPN

  • chd – Debug log option for VPN

  • job – Debug log option for VPN

  • cfg – Debug log option for VPN

  • knl – Debug log option for VPN

  • net – Debug log option for VPN

  • asn – Debug log option for VPN

  • enc – Debug log option for VPN

  • lib – Debug log option for VPN

  • esp – Debug log option for VPN

  • tls – Debug log option for VPN

  • tnc – Debug log option for VPN

  • imc – Debug log option for VPN

  • imv – Debug log option for VPN

  • pts – Debug log option for VPN

Instances:

Multiple

vpn ipsec logging log-types type <txt> log-level <id>
SDE M10-Smart M2 RS420 AresC640
Values:
  • id – VPN Logger Verbosity Level

vpn ipsec pool <id>
SDE M10-Smart M2 RS420 AresC640
Values:
  • id – Name of Remote Address pool

Instances:

Unique

vpn ipsec pool <id> prefix <ipv4net|ipv6net>
SDE M10-Smart M2 RS420 AresC640
Values:
  • ipv4net – Remote IPv4 prefix

  • ipv6net – Remote IPv6 prefix

vpn ipsec pool <id> range
SDE M10-Smart M2 RS420 AresC640

Remote IPv4 or IPv6 range

vpn ipsec pool <id> range first-address <ipv4|ipv6>
SDE M10-Smart M2 RS420 AresC640
Values:
  • ipv4 – First IPv4 address of the pool range

  • ipv6 – First IPv6 address of the pool range

vpn ipsec pool <id> range last-address <ipv4|ipv6>
SDE M10-Smart M2 RS420 AresC640
Values:
  • ipv4 – Last IPv4 address of the pool range

  • ipv6 – Last IPv6 address of the pool range

vpn ipsec radius
SDE M10-Smart M2 RS420 AresC640

IPSec RADIUS based authentication settings

Required:

system aaa list <id>

vpn ipsec radius accounting
SDE M10-Smart M2 RS420 AresC640

Enable RADIUS accounting

vpn ipsec radius authentication-list <id>
SDE M10-Smart M2 RS420 AresC640

VPN type list to use when authenticating

Choose the VPN list that will be used when an external user tries to authenticate. Lists can be set up with the “system aaa list” command.

Reference:

system aaa list <id>

vpn ipsec radius dae
SDE M10-Smart M2 RS420 AresC640

Dynamic Authorization Extension (DAE) options

Required:

vpn ipsec radius dae encrypted-secret <password>
SDE M10-Smart M2 RS420 AresC640
Values:
  • password – Encrypted secret

vpn ipsec radius dae listen-address <ipv4|ipv6>
SDE M10-Smart M2 RS420 AresC640

Address on which to listen for DAE messages

Values:
  • ipv4 – IPv4 listen address

  • ipv6 – IPv6 listen address

vpn ipsec radius dae port <u32>
SDE M10-Smart M2 RS420 AresC640

Port to listen for requests

Values:
  • u32 – Numeric IP port (1-65535)

vpn ipsec radius dae secret <txt>
SDE M10-Smart M2 RS420 AresC640
Values:
  • txt

    Shared secret used to verify/sign DAE messages

    The following characters are allowed in the shared secret: alphanumeric characters a-z A-Z 0-9 and special characters - + & ! @ # $ %% ^ * ( ) , . : _ Using single quotes (') to set the shared secret is recommended; if special characters are used, single quotes are mandatory.
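The character rule just stated is the same one this reference repeats for every EAP secret, pre-shared secret, private-key and PKCS#12 passphrase and DAE shared secret. As an added example (not the product's own code), the following Python check validates a value against that rule before it is pushed to the CLI, reports the offending characters, and tells whether single quotes are mandatory. One assumption is made: the "%%" in the printed list is read as the single character "%".

```python
"""Validation of secrets/passphrases against the character rule of this CLI
reference. Added example, not vendor code."""

ALPHANUMERIC = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789")
# Special characters as listed on the page; '%' assumed from the printed '%%'.
SPECIAL = set("-+&!@#$%^*(),.:_")
ALLOWED = ALPHANUMERIC | SPECIAL


def check_secret(secret):
    """Return (ok, bad_chars, needs_quotes).

    ok            the secret is non-empty and every character is allowed
    bad_chars     sorted list of characters outside the allowed set
    needs_quotes  True when a special character is present, i.e. single
                  quotes are required rather than merely recommended
    """
    bad = sorted(set(secret) - ALLOWED)
    needs_quotes = any(ch in SPECIAL for ch in secret)
    return (len(secret) > 0 and not bad, bad, needs_quotes)


def quote_for_cli(secret):
    """Return the secret wrapped in single quotes, as the reference recommends
    in every case. Raises ValueError on characters the CLI does not accept,
    which includes whitespace and the quote character itself."""
    ok, bad, _ = check_secret(secret)
    if not ok:
        raise ValueError(f"secret contains disallowed characters: {bad!r}")
    return f"'{secret}'"


if __name__ == "__main__":
    # Constructed inputs: the page's own example value, a plain one, two bad ones.
    for candidate in ("aA1-&!@,.:_2Bb", "Abc123", "needs space", "it's"):
        print(repr(candidate), check_secret(candidate))
```

Rejecting a single quote inside the value is deliberate: since quoting is the only escaping mechanism the reference describes, a secret containing the quote character could not be entered unambiguously.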

vpn ipsec radius eap-start
SDE M10-Smart M2 RS420 AresC640

Send “EAP-Start” instead of “EAP-Identity” to start RADIUS conversation

vpn ipsec site-to-site
SDE M10-Smart M2 RS420 AresC640

Site to site VPN

vpn ipsec site-to-site peer <id>
SDE M10-Smart M2 RS420 AresC640
Values:
  • id – VPN peer

Instances:

Multiple

Required:

vpn ipsec auth-profile <id>

Required:

vpn ipsec ike-group <id>

vpn ipsec site-to-site peer <id> auth-profile <id>
SDE M10-Smart M2 RS420 AresC640

IPSec Authentication Profile

Reference:

vpn ipsec auth-profile <id>

vpn ipsec site-to-site peer <id> connection-type <id>
SDE M10-Smart M2 RS420 AresC640

Connection type

Values:
  • initiate – This endpoint can initiate or respond to a connection

  • respond – This endpoint will only respond to a connection

  • on-demand – This endpoint will initiate a connection if matching traffic is detected

vpn ipsec site-to-site peer <id> default-esp-group <id>
SDE M10-Smart M2 RS420 AresC640

Default ESP group name

Reference:

vpn ipsec esp-group <id>

vpn ipsec site-to-site peer <id> description <txt>
SDE M10-Smart M2 RS420 AresC640
Values:
  • txt – VPN peer description

vpn ipsec site-to-site peer <id> dhcp-interface <ifc>
SDE M10-Smart M2 RS420 AresC640
Values:
  • ifc – DHCP interface that supplies the local address to use for IKE communication

vpn ipsec site-to-site peer <id> force-encapsulation
SDE M10-Smart M2 RS420 AresC640

Force UDP Encapsulation for ESP Payloads

vpn ipsec site-to-site peer <id> ike-group <id>
SDE M10-Smart M2 RS420 AresC640

Internet Key Exchange (IKE) group name

Reference:

vpn ipsec ike-group <id>

vpn ipsec site-to-site peer <id> install-vips
SDE M10-Smart M2 RS420 AresC640

Pull virtual IP addresses from remote

Required:

vpn ipsec site-to-site peer <id> install-vips address <ipv4>
SDE M10-Smart M2 RS420 AresC640
Values:
  • ipv4

    Request specific address(es)

    If not set, 0.0.0.0 will be used (i.e., it will accept any virtual IP)

Instances:

Multiple

vpn ipsec site-to-site peer <id> install-vips interface <ifc>
SDE M10-Smart M2 RS420 AresC640
Values:
  • ifc – Interface where VIPs should be installed

vpn ipsec site-to-site peer <id> local-address <ipv4|ipv6|fqdn|id>
SDE M10-Smart M2 RS420 AresC640

Local address(es) to use for IKE communication

As initiator, the first entry that is neither a range nor a subnet is used to initiate the connection. As the responder, the local destination address must match at least one of the specified addresses, subnets or ranges. FQDNs are resolved each time a configuration lookup is done. Finally, “magic” values can be placed here (such as “%any”).

Values:
  • ipv4 – IPv4 address of a local interface for VPN

  • ipv6 – IPv6 address of a local interface for VPN

  • fqdn – DNS domain name of the local interface

  • %any – Match any address specified as local interface

Instances:

Multiple

vpn ipsec site-to-site peer <id> local-vrf <id>
SDE M10-Smart M2 RS420 AresC640

Bind to local Virtual Routing and Forwarding domain name

Reference:

system vrf <id>

vpn ipsec site-to-site peer <id> pool <id>
SDE M10-Smart M2 RS420 AresC640

List of vpn pools to allocate virtual IP addresses

This is only valid for responder configuration

Reference:

vpn ipsec pool <id>

Instances:

Multiple

vpn ipsec site-to-site peer <id> remote-address <ipv4|ipv6|fqdn|id>
SDE M10-Smart M2 RS420 AresC640

Remote address(es) to use for IKE communication. Required to initiate a connection

As initiator, the first entry that is neither a range nor a subnet is used to initiate the connection. As the responder, the local destination address must match at least one of the specified addresses, subnets or ranges. FQDNs are resolved each time a configuration lookup is done. Finally, “magic” values can be placed here (such as “%any”).

Values:
  • ipv4 – IPv4 address of peer

  • ipv6 – IPv6 address of peer

  • fqdn – DNS domain name of the peer

  • %any – Match any peer

Instances:

Multiple
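The selection and matching rules described for local-address and remote-address above (first non-range/non-subnet entry when initiating; any matching address, subnet, range or %any when responding; FQDNs resolved at lookup time) are modelled in the following added Python example. It is not the device's or strongSwan's code; the resolver callback, the sample DNS table and the address lists are constructed for illustration, and treating %any as unusable for initiating is an assumption.

```python
import ipaddress
from typing import Callable, List, Optional, Tuple

# Hypothetical resolver callback standing in for the DNS lookup done at each
# configuration lookup; returns None when the name is unknown.
Resolver = Callable[[str], Optional[str]]


def parse_spec(spec: str) -> Tuple[str, object]:
    """Classify one address entry: %any, address range, subnet, single address or FQDN."""
    spec = spec.strip()
    if spec == "%any":
        return ("any", None)
    if "-" in spec:
        lo_s, hi_s = spec.split("-", 1)
        try:
            lo = ipaddress.ip_address(lo_s.strip())
            hi = ipaddress.ip_address(hi_s.strip())
        except ValueError:
            pass  # a hostname containing '-', classified below
        else:
            if lo.version != hi.version or lo > hi:
                raise ValueError(f"invalid address range: {spec}")
            return ("range", (lo, hi))
    if "/" in spec:
        return ("net", ipaddress.ip_network(spec, strict=False))
    try:
        return ("addr", ipaddress.ip_address(spec))
    except ValueError:
        return ("fqdn", spec)


def initiator_address(specs: List[str], resolve: Resolver) -> Optional[str]:
    """Initiator rule: use the first entry that is neither a range nor a subnet.

    %any is skipped as well (assumption: it names no concrete address to use).
    An FQDN is resolved at lookup time; a name that does not resolve is skipped.
    """
    for spec in specs:
        kind, value = parse_spec(spec)
        if kind == "addr":
            return str(value)
        if kind == "fqdn":
            resolved = resolve(value)
            if resolved is not None:
                return resolved
    return None


def responder_matches(specs: List[str], candidate: str, resolve: Resolver) -> bool:
    """Responder rule: the address must match at least one entry
    (single address, subnet, range, resolved FQDN) or %any."""
    addr = ipaddress.ip_address(candidate)
    for spec in specs:
        kind, value = parse_spec(spec)
        if kind == "any":
            return True
        if kind == "addr" and value == addr:
            return True
        if kind == "net" and addr in value:  # False on IPv4/IPv6 mismatch, no exception
            return True
        if kind == "range":
            lo, hi = value
            if lo.version == addr.version and lo <= addr <= hi:
                return True
        if kind == "fqdn":
            resolved = resolve(value)
            if resolved is not None and ipaddress.ip_address(resolved) == addr:
                return True
    return False


# Constructed sample data: a static "DNS" table and an address list mixing all forms.
SAMPLE_DNS = {"vpn-gw.example.net": "203.0.113.7"}
sample_resolve: Resolver = SAMPLE_DNS.get
SAMPLE_SPECS = ["198.51.100.0/24", "192.0.2.10-192.0.2.20", "vpn-gw.example.net"]

if __name__ == "__main__":
    print("initiate using:", initiator_address(SAMPLE_SPECS, sample_resolve))
    for peer in ("198.51.100.42", "192.0.2.21", "203.0.113.7", "2001:db8::1"):
        print(peer, "->", responder_matches(SAMPLE_SPECS, peer, sample_resolve))
```

With the constructed list, the subnet and the range are skipped for initiating and the FQDN's resolved address is used; when responding, an address inside the subnet or range, or equal to the resolved name, matches, while an address of the other IP family is rejected without raising an error. A list that consists only of subnets, ranges or %any yields no initiator address, which is the situation to check for when a peer is configured as initiate or on-demand.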

vpn ipsec site-to-site peer <id> tunnel <u32>
SDE M10-Smart M2 RS420 AresC640
Values:
  • u32 – Peer tunnel

Instances:

Multiple

vpn ipsec site-to-site peer <id> tunnel <u32> disable
SDE M10-Smart M2 RS420 AresC640

Option to disable vpn tunnel

vpn ipsec site-to-site peer <id> tunnel <u32> esp-group <id>
SDE M10-Smart M2 RS420 AresC640

ESP group name

Reference:

vpn ipsec esp-group <id>

vpn ipsec site-to-site peer <id> tunnel <u32> install-routes <id>
SDE M10-Smart M2 RS420 AresC640

Enable route installation for this tunnel

Reference:

system vrf <id>

vpn ipsec site-to-site peer <id> tunnel <u32> local
SDE M10-Smart M2 RS420 AresC640

Local parameters for interesting traffic

vpn ipsec site-to-site peer <id> tunnel <u32> local port <u32>
SDE M10-Smart M2 RS420 AresC640

Any TCP or UDP port

Values:
  • u32 – Numeric IP port (1-32767)

  • u32 – Numeric IP port (60000-65535)

vpn ipsec site-to-site peer <id> tunnel <u32> local prefix <ipv4net|ipv6net>
SDE M10-Smart M2 RS420 AresC640
Values:
  • ipv4net – Local IPv4 prefix

  • ipv6net – Local IPv6 prefix

Instances:

Multiple

vpn ipsec site-to-site peer <id> tunnel <u32> local-interface <ifc>
SDE M10-Smart M2 RS420 AresC640
Values:
  • ifc – Local interface to use in outbound IPSec policies

vpn ipsec site-to-site peer <id> tunnel <u32> local-vrf <id>
SDE M10-Smart M2 RS420 AresC640

Local VRF to use in outbound IPSec policies

Reference:

system vrf <id>

vpn ipsec site-to-site peer <id> tunnel <u32> protocol <u32|id>
SDE M10-Smart M2 RS420 AresC640

Protocol to encrypt

Values:
  • all – All protocols

  • u32 – IP protocol number (0-255)

  • ah – Authentication Header [RFC2402]

  • ax.25 – AX.25 frames

  • dccp – Datagram Congestion Control Prot. [RFC4340]

  • ddp – Datagram Delivery Protocol

  • egp – exterior gateway protocol

  • eigrp – Enhanced Interior Routing Protocol (Cisco)

  • encap – Yet Another IP encapsulation [RFC1241]

  • esp – Encap Security Payload [RFC2406]

  • etherip – Ethernet-within-IP Encapsulation [RFC3378]

  • fc – Fibre Channel

  • ggp – gateway-gateway protocol

  • gre – General Routing Encapsulation

  • hip – Host Identity Protocol

  • hmp – host monitoring protocol

  • hopopt – IPv6 Hop-by-Hop Option [RFC1883]

  • icmp – internet control message protocol

  • idpr-cmtp – IDPR Control Message Transport

  • idrp – Inter-Domain Routing Protocol

  • igmp – Internet Group Management

  • igp – any private interior gateway (Cisco)

  • ip – internet protocol, pseudo protocol number

  • ipcomp – IP Payload Compression Protocol

  • ipencap – IP encapsulated in IP (officially "IP")

  • ipip – IP-within-IP Encapsulation Protocol

  • ipv6-frag – Fragment Header for IPv6

  • ipv6-icmp – ICMP for IPv6

  • ipv6-nonxt – No Next Header for IPv6

  • ipv6-opts – Destination Options for IPv6

  • ipv6-route – Routing Header for IPv6

  • ipv6 – Internet Protocol, version 6

  • isis – IS-IS over IPv4

  • iso-tp4 – ISO Transport Protocol class 4 [RFC905]

  • l2tp – Layer Two Tunneling Protocol [RFC2661]

  • manet – MANET Protocols [RFC5498]

  • mobility-header – Mobility Support for IPv6 [RFC3775]

  • mpls-in-ip – MPLS-in-IP [RFC4023]

  • ospf – Open Shortest Path First IGP

  • pim – Protocol Independent Multicast

  • pup – PARC universal packet protocol

  • rdp – “reliable datagram” protocol

  • rohc – Robust Header Compression

  • rspf – Radio Shortest Path First (officially CPHB)

  • rsvp – Reservation Protocol

  • sctp – Stream Control Transmission Protocol

  • shim6 – Shim6 Protocol [RFC5533]

  • skip – SKIP

  • st – ST datagram mode

  • tcp – transmission control protocol

  • udp – user datagram

  • udplite – UDP-Lite [RFC3828]

  • vmtp – Versatile Message Transport

  • vrrp – Virtual Router Redundancy Protocol [RFC5798]

  • wesp – Wrapped Encapsulating Security Payload

  • xns-idp – Xerox NS IDP

  • xtp – Xpress Transfer Protocol

vpn ipsec site-to-site peer <id> tunnel <u32> remote
SDE M10-Smart M2 RS420 AresC640

Remote parameters for interesting traffic

vpn ipsec site-to-site peer <id> tunnel <u32> remote port <u32>
SDE M10-Smart M2 RS420 AresC640

Any TCP or UDP port

Values:
  • u32 – Numbered port (1-65535)

vpn ipsec site-to-site peer <id> tunnel <u32> remote prefix <ipv4net|ipv6net>
SDE M10-Smart M2 RS420 AresC640
Values:
  • ipv4net – Remote IPv4 prefix

  • ipv6net – Remote IPv6 prefix

Instances:

Multiple

vpn ipsec site-to-site peer <id> vti
SDE M10-Smart M2 RS420 AresC640

Virtual tunnel interface

vpn ipsec site-to-site peer <id> vti local
SDE M10-Smart M2 RS420 AresC640

Local parameters for interesting traffic

vpn ipsec site-to-site peer <id> vti local port <u32>
SDE M10-Smart M2 RS420 AresC640

Any TCP or UDP port

Values:
  • u32 – Numeric IP port (1-32767)

  • u32 – Numeric IP port (60000-65535)

vpn ipsec site-to-site peer <id> vti local prefix <ipv4net|ipv6net>
SDE M10-Smart M2 RS420 AresC640
Values:
  • ipv4net – Local IPv4 prefix

  • ipv6net – Local IPv6 prefix

Instances:

Multiple

vpn ipsec site-to-site peer <id> vti protocol <u32|id>
SDE M10-Smart M2 RS420 AresC640

Protocol to encrypt

Values:
  • all – All protocols

  • u32 – IP protocol number (0-255)

  • ah – Authentication Header [RFC2402]

  • ax.25 – AX.25 frames

  • dccp – Datagram Congestion Control Prot. [RFC4340]

  • ddp – Datagram Delivery Protocol

  • egp – exterior gateway protocol

  • eigrp – Enhanced Interior Routing Protocol (Cisco)

  • encap – Yet Another IP encapsulation [RFC1241]

  • esp – Encap Security Payload [RFC2406]

  • etherip – Ethernet-within-IP Encapsulation [RFC3378]

  • fc – Fibre Channel

  • ggp – gateway-gateway protocol

  • gre – General Routing Encapsulation

  • hip – Host Identity Protocol

  • hmp – host monitoring protocol

  • hopopt – IPv6 Hop-by-Hop Option [RFC1883]

  • icmp – internet control message protocol

  • idpr-cmtp – IDPR Control Message Transport

  • idrp – Inter-Domain Routing Protocol

  • igmp – Internet Group Management

  • igp – any private interior gateway (Cisco)

  • ip – internet protocol, pseudo protocol number

  • ipcomp – IP Payload Compression Protocol

  • ipencap – IP encapsulated in IP (officially "IP")

  • ipip – IP-within-IP Encapsulation Protocol

  • ipv6-frag – Fragment Header for IPv6

  • ipv6-icmp – ICMP for IPv6

  • ipv6-nonxt – No Next Header for IPv6

  • ipv6-opts – Destination Options for IPv6

  • ipv6-route – Routing Header for IPv6

  • ipv6 – Internet Protocol, version 6

  • isis – IS-IS over IPv4

  • iso-tp4 – ISO Transport Protocol class 4 [RFC905]

  • l2tp – Layer Two Tunneling Protocol [RFC2661]

  • manet – MANET Protocols [RFC5498]

  • mobility-header – Mobility Support for IPv6 [RFC3775]

  • mpls-in-ip – MPLS-in-IP [RFC4023]

  • ospf – Open Shortest Path First IGP

  • pim – Protocol Independent Multicast

  • pup – PARC universal packet protocol

  • rdp – “reliable datagram” protocol

  • rohc – Robust Header Compression

  • rspf – Radio Shortest Path First (officially CPHB)

  • rsvp – Reservation Protocol

  • sctp – Stream Control Transmission Protocol

  • shim6 – Shim6 Protocol [RFC5533]

  • skip – SKIP

  • st – ST datagram mode

  • tcp – transmission control protocol

  • udp – user datagram

  • udplite – UDP-Lite [RFC3828]

  • vmtp – Versatile Message Transport

  • vrrp – Virtual Router Redundancy Protocol [RFC5798]

  • wesp – Wrapped Encapsulating Security Payload

  • xns-idp – Xerox NS IDP

  • xtp – Xpress Transfer Protocol

vpn ipsec site-to-site peer <id> vti remote
SDE M10-Smart M2 RS420 AresC640

Remote parameters for interesting traffic

vpn ipsec site-to-site peer <id> vti remote port <u32>
SDE M10-Smart M2 RS420 AresC640

Any TCP or UDP port

Values:
  • u32 – Numbered port (1-65535)

vpn ipsec site-to-site peer <id> vti remote prefix <ipv4net|ipv6net>
SDE M10-Smart M2 RS420 AresC640
Values:
  • ipv4net – Remote IPv4 prefix

  • ipv6net – Remote IPv6 prefix

Instances:

Multiple

vpn ipsec timers
SDE M10-Smart M2 RS420 AresC640

VPN global timers

vpn ipsec timers ike-retransmission
SDE M10-Smart M2 RS420 AresC640

IKE retransmission timeouts

vpn ipsec timers ike-retransmission base <float>
SDE M10-Smart M2 RS420 AresC640
Values:
  • float – Base of exponential backoff

vpn ipsec timers ike-retransmission retries <u32>
SDE M10-Smart M2 RS420 AresC640
Values:
  • u32 – Number of retransmissions to send before giving up

vpn ipsec timers ike-retransmission timeout <float>
SDE M10-Smart M2 RS420 AresC640
Values:
  • float – Timeout in seconds
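The three ike-retransmission parameters above (base, retries, timeout) together decide how long an IKE exchange to an unresponsive peer stays pending. The following added Python example works that out; it is not the device's code, and it assumes these values are passed through to strongSwan's retransmit_timeout, retransmit_base and retransmit_tries, whose n-th wait is timeout multiplied by base to the power n. The function names are hypothetical.

```python
from typing import List


def retransmission_schedule(timeout: float, base: float, retries: int) -> List[float]:
    """Seconds waited before each retransmission; the last entry is the wait before giving up.

    Assumption: the CLI values map to strongSwan's retransmit_timeout,
    retransmit_base and retransmit_tries, so the n-th wait is timeout * base ** n
    for n = 0 .. retries (initial send, `retries` retransmissions, then abandon).
    """
    if timeout <= 0 or base < 1.0 or retries < 0:
        raise ValueError("timeout > 0, base >= 1.0 and retries >= 0 are required")
    return [timeout * base ** n for n in range(retries + 1)]


def time_to_give_up(timeout: float, base: float, retries: int) -> float:
    """Worst-case seconds an unanswered IKE exchange stays pending before it is abandoned."""
    return sum(retransmission_schedule(timeout, base, retries))


def max_retries_within(timeout: float, base: float, budget: float) -> int:
    """Largest `retries` whose total wait fits in `budget` seconds (-1 if even the first wait does not)."""
    total, n = 0.0, -1
    while True:
        nxt = total + timeout * base ** (n + 1)
        if nxt > budget:
            return n
        total, n = nxt, n + 1


if __name__ == "__main__":
    # strongSwan's documented defaults (timeout 4.0 s, base 1.8, 5 retries) give about 165 s;
    # the second tuple is a constructed, more aggressive setting for comparison.
    for t, b, r in ((4.0, 1.8, 5), (2.0, 1.5, 3)):
        waits = ", ".join(f"{w:.1f}" for w in retransmission_schedule(t, b, r))
        print(f"timeout={t} base={b} retries={r}: waits {waits}; gives up after {time_to_give_up(t, b, r):.1f} s")
    print("retries that stay within 60 s at 4.0/1.8:", max_retries_within(4.0, 1.8, 60.0))
```

Knowing the give-up time matters on the responder side as well as the initiator side: until the exchange is abandoned, its half-open state is held, so a peer count multiplied by this figure bounds how much IKE state an unreachable or silent counterpart can keep pending. max_retries_within turns a failover budget (for example, the time a redundant tunnel may take to notice a dead peer) into the largest retries value that stays inside it.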

vpn ipsec triplets <id>
SDE M10-Smart M2 RS420 AresC640
Values:
  • id

    Comma-separated list of values used in various authentication methods, such as EAP-SIM

    Triplets are used when performing EAP authentication via SIM or AKA methods. They have the form:

      <ID>,<ROUND1>,<SRES1>,<SIM-KC2>
      <ID>,<ROUND2>,<SRES2>,<SIM-KC2>
      <ID>,<ROUND3>,<SRES3>,<SIM-KC2>

    They are used for authenticating a user over several rounds based on SIM cards.

Instances:

Multiple