openvpn

vpn openvpn: SDE M10-Smart M2 RS420 AresC640
OpenVPN profiles

vpn openvpn client-profile <id>

SDE M10-Smart M2 RS420 AresC640

Values:

id – Client options

Instances:

Multiple

vpn openvpn client-profile <id> allow-pull-fqdn: SDE M10-Smart M2 RS420 AresC640
Allow client to pull DNS names from server

vpn openvpn client-profile <id> authentication

SDE M10-Smart M2 RS420 AresC640

Client authentication

Required:
Required:

vpn openvpn client-profile <id> authentication encrypted-password <password>

SDE M10-Smart M2 RS420 AresC640

Values:

password – VPN encrypted password

vpn openvpn client-profile <id> authentication password <txt>

SDE M10-Smart M2 RS420 AresC640

Values:

txt – VPN password

vpn openvpn client-profile <id> authentication username <id>

SDE M10-Smart M2 RS420 AresC640

Values:

id – VPN username

vpn openvpn client-profile <id> pull: SDE M10-Smart M2 RS420 AresC640
Option pulling parameters

vpn openvpn client-profile <id> pull filter <u32>

SDE M10-Smart M2 RS420 AresC640

Option filter parameters

Values:

u32 – Filter index

Instances:

Multiple

Required:

vpn openvpn client-profile <id> pull filter <u32> policy <id>

SDE M10-Smart M2 RS420 AresC640

Filter policy

Values:

accept – Allow option
ignore – Remove option
reject – Flag option as error and restart tunnel

vpn openvpn client-profile <id> pull filter <u32> text <txt>

SDE M10-Smart M2 RS420 AresC640

Values:

txt – Filter rules that start with this text

vpn openvpn encryption-profile <id>

SDE M10-Smart M2 RS420 AresC640

Values:

id – Data channel encryption options

Instances:

Multiple

vpn openvpn encryption-profile <id> auth <u32>

SDE M10-Smart M2 RS420 AresC640

Digest algorithms to authenticate data channel packets with

Values:

u32 – Digest index

Instances:

Multiple

Required:

vpn openvpn encryption-profile <id> auth <u32> algorithm <id>

SDE M10-Smart M2 RS420 AresC640

Digest algorithm

Values:

none – Disable data channel authentication

vpn openvpn encryption-profile <id> cipher <u32>

SDE M10-Smart M2 RS420 AresC640

Cipher algorithms to encrypt data channel packets with

Values:

u32 – Cipher index

Instances:

Multiple

Required:

vpn openvpn encryption-profile <id> cipher <u32> algorithm <id>

SDE M10-Smart M2 RS420 AresC640

Cipher algorithm

Values:

none – Disable data channel encryption

vpn openvpn encryption-profile <id> ncp: SDE M10-Smart M2 RS420 AresC640
Negotiable Crypto Parameters (client/server mode)

vpn openvpn encryption-profile <id> ncp cipher <u32>

SDE M10-Smart M2 RS420 AresC640

Cipher negotiation proposals

Values:

u32 – Cipher index

Instances:

Multiple

Required:

vpn openvpn encryption-profile <id> ncp cipher <u32> algorithm <id>

SDE M10-Smart M2 RS420 AresC640

Values:

id – Cipher algorithm

vpn openvpn encryption-profile <id> ncp disable: SDE M10-Smart M2 RS420 AresC640
Disable cipher negotiation

vpn openvpn encryption-profile <id> secret

SDE M10-Smart M2 RS420 AresC640

Static key encryption mode (p2p mode)

Required:

vpn openvpn encryption-profile <id> secret direction <u32>

SDE M10-Smart M2 RS420 AresC640

Values:

u32 – Data flow direction

vpn openvpn encryption-profile <id> secret static-key <file>

SDE M10-Smart M2 RS420 AresC640

Values:

file – Static key file

vpn openvpn server-profile <id>

SDE M10-Smart M2 RS420 AresC640

Values:

id – Server options

Instances:

Multiple

vpn openvpn server-profile <id> authentication <id>

SDE M10-Smart M2 RS420 AresC640

Authentication list

Reference:: system aaa list <id>

vpn openvpn server-profile <id> client <id>

SDE M10-Smart M2 RS420 AresC640

Values:

id –
Client parameters

Client Common Name

Instances:

Multiple

vpn openvpn server-profile <id> client <id> address <ipv4|fqdn>

SDE M10-Smart M2 RS420 AresC640

Values:

ipv4 – Static IP address
fqdn – Static IP address

vpn openvpn server-profile <id> client <id> disable: SDE M10-Smart M2 RS420 AresC640
Disable client

vpn openvpn server-profile <id> client <id> push: SDE M10-Smart M2 RS420 AresC640
Option pushing parameters

vpn openvpn server-profile <id> client <id> push reset: SDE M10-Smart M2 RS420 AresC640
Ignore global push list for client

vpn openvpn server-profile <id> client <id> push route: SDE M10-Smart M2 RS420 AresC640
Routing parameters

vpn openvpn server-profile <id> client <id> push route delay <u32>

SDE M10-Smart M2 RS420 AresC640

Values:

u32 – Delay after connection establishment before adding routes

vpn openvpn server-profile <id> client <id> push route destination <ipv4cidr|ipv4net|id>

SDE M10-Smart M2 RS420 AresC640

Route destination

Values:

ipv4cidr – IPv4 address
ipv4net – IPv4 network
vpn_gateway – Remote VPN endpoint address
net_gateway – Pre-existing IP default gateway
remote_host – Remote host

Instances:

Multiple

vpn openvpn server-profile <id> client <id> push route destination <ipv4cidr|ipv4net|id> gateway <ipv4|id>

SDE M10-Smart M2 RS420 AresC640

Route gateway

Values:

vpn_gateway – Remote VPN endpoint address
net_gateway – Pre-existing IP default gateway
remote_host – Remote host

vpn openvpn server-profile <id> client <id> push route destination <ipv4cidr|ipv4net|id> metric <u32>

SDE M10-Smart M2 RS420 AresC640

Values:

u32 – Route metric

vpn openvpn server-profile <id> client <id> push route gateway <ipv4|id>

SDE M10-Smart M2 RS420 AresC640

Default gateway to use with pushed routes

Values:

ipv4 – IPv4 address
dhcp – Extract the gateway address from a DHCP negotiation

vpn openvpn server-profile <id> client-to-client: SDE M10-Smart M2 RS420 AresC640
Allow connected clients to reach each other

vpn openvpn server-profile <id> duplicate-cn: SDE M10-Smart M2 RS420 AresC640
Allow multiple clients with the same common name to concurrently connect

vpn openvpn server-profile <id> push: SDE M10-Smart M2 RS420 AresC640
Push configuration options to the clients

vpn openvpn server-profile <id> push route: SDE M10-Smart M2 RS420 AresC640
Routing parameters

vpn openvpn server-profile <id> push route delay <u32>

SDE M10-Smart M2 RS420 AresC640

Values:

u32 – Delay after connection establishment before adding routes

vpn openvpn server-profile <id> push route destination <ipv4net|id>

SDE M10-Smart M2 RS420 AresC640

Route destination

Values:

ipv4net – IPv4 network
vpn_gateway – Remote VPN endpoint address
net_gateway – Pre-existing IP default gateway
remote_host – Remote host

Instances:

Multiple

vpn openvpn server-profile <id> push route destination <ipv4net|id> gateway <ipv4|id>

SDE M10-Smart M2 RS420 AresC640

Route gateway

Values:

vpn_gateway – Remote VPN endpoint address
net_gateway – Pre-existing IP default gateway
remote_host – Remote host

vpn openvpn server-profile <id> push route destination <ipv4net|id> metric <u32>

SDE M10-Smart M2 RS420 AresC640

Values:

u32 – Route metric

vpn openvpn server-profile <id> push route gateway <ipv4|id>

SDE M10-Smart M2 RS420 AresC640

Default gateway to use with pushed routes

Values:

ipv4 – IPv4 address
dhcp – Extract the gateway address from a DHCP negotiation

vpn openvpn tls-profile <id>

SDE M10-Smart M2 RS420 AresC640

Values:

id – TLS options

Instances:

Multiple

vpn openvpn tls-profile <id> auth

SDE M10-Smart M2 RS420 AresC640

Additional layer of HMAC authentication on top of the TLS control channel

Required:

vpn openvpn tls-profile <id> auth direction <u32>

SDE M10-Smart M2 RS420 AresC640

Values:

u32 – Data flow direction

vpn openvpn tls-profile <id> auth static-key <file>

SDE M10-Smart M2 RS420 AresC640

Values:

file – Static key to use for HMAC authentication

vpn openvpn tls-profile <id> ca <file>

SDE M10-Smart M2 RS420 AresC640

Values:

file – Certificate Authority certificate in PEM format

vpn openvpn tls-profile <id> certificate <file>

SDE M10-Smart M2 RS420 AresC640

Values:

file – Local certificate in PEM format

vpn openvpn tls-profile <id> crl <file>

SDE M10-Smart M2 RS420 AresC640

Values:

file – Certificate Revocation List in PEM format

vpn openvpn tls-profile <id> crypt

SDE M10-Smart M2 RS420 AresC640

Encrypt and authenticate all control channel packets

Required:

vpn openvpn tls-profile <id> crypt static-key <file>

SDE M10-Smart M2 RS420 AresC640

Values:

file – Static key to use for HMAC authentication

vpn openvpn tls-profile <id> csr <id>

SDE M10-Smart M2 RS420 AresC640

Certificate Signing Request instance (SCEP)

Reference:: system certificate scep csr <id>

vpn openvpn tls-profile <id> dhparam <file|id>

SDE M10-Smart M2 RS420 AresC640

Diffie-Hellman parameters in PEM format (server mode)

Values:

none – Do not use dhparam file

vpn openvpn tls-profile <id> private-key <file>

SDE M10-Smart M2 RS420 AresC640

Values:

file – Local certificate’s private key in PEM format

vpn openvpn tunnel-profile <id>

SDE M10-Smart M2 RS420 AresC640

Values:

id – Tunnel options

Instances:

Multiple

vpn openvpn tunnel-profile <id> compression <id>

SDE M10-Smart M2 RS420 AresC640

Compression algorithm to use

Values:

lzo – Better compatibility
lz4 – Better performance

vpn openvpn tunnel-profile <id> float: SDE M10-Smart M2 RS420 AresC640
Allow remote peer to change its IP address and/or port number

vpn openvpn tunnel-profile <id> keepalive

SDE M10-Smart M2 RS420 AresC640

Keepalive parameters

Required:
Required:

vpn openvpn tunnel-profile <id> keepalive interval <u32>

SDE M10-Smart M2 RS420 AresC640

Values:

u32 – Ping interval

vpn openvpn tunnel-profile <id> keepalive timeout <u32>

SDE M10-Smart M2 RS420 AresC640

Values:

u32 – Ping timeout to restart

vpn openvpn tunnel-profile <id> log-level <u32>

SDE M10-Smart M2 RS420 AresC640

OpenVPN log level

Values:

u32 – Disable all logging except fatal errors (0)
u32 – Normal usage range (1-4)
u32 – Output R and W for each packet read and write (5)
u32 – Debug info range (6-11)