ipsec ----- .. osdx:cfgcmd:: vpn ipsec .. raw:: html SDE M10-Smart M2 RS420 VPN IP security (IPsec) parameters .. osdx:cfgcmd:: vpn ipsec auth-profile .. raw:: html SDE M10-Smart M2 RS420 IPSec Authentication Profile :arg id: Name of the IPSec authentication profile :instances: Multiple .. osdx:cfgcmd:: vpn ipsec auth-profile local .. raw:: html SDE M10-Smart M2 RS420 Local (left) authentication configuration .. osdx:cfgcmd:: vpn ipsec auth-profile local auth .. raw:: html SDE M10-Smart M2 RS420 Authentication method locally used When a peer authenticates against us (as a server), a local authentication method must be used. By default, it is "pubkey" (X.509 key-pair certificates) and if not specified uses system certificates for authentication. This is done in order to ensure that we are who we say (it is, to avoid spoofing attacks). Another method is done by using a pre-shared key. Despite this is not as secure as X.509 certificates, it will allow server identification and would serve for the same purposes. Finally, there is also EAP (Extensible Authentication Protocol) available, which allows authenticating users using a username/password. :arg pre-shared-secret: Use a previously shared secret key :arg x509: Use X.509 certificates (pubkey) :arg radius: Use a RADIUS server for authenticating users :arg eap: Use EAP authentication :instances: Unique .. osdx:cfgcmd:: vpn ipsec auth-profile local auth eap .. raw:: html SDE M10-Smart M2 RS420 EAP (Extensible Authentication Protocol) for local peers The EAP authentication allows defining a pair of username (or ID) and a secret, which can be a PSK. This is used for authenticating peers during connection. Notice that strongSwan magic values can be used (for example, "%any"). For more information, please refer to the VPN documentation. :arg id: EAP identifier/username/remote ID used against when authenticating :arg %any: Match any identity from configured secrets (ask) :instances: Multiple .. osdx:cfgcmd:: vpn ipsec auth-profile local auth eap encrypted-secret .. raw:: html SDE M10-Smart M2 RS420 :arg password: Encrypted secret used by associated EAP identifier .. osdx:cfgcmd:: vpn ipsec auth-profile local auth eap secret .. raw:: html SDE M10-Smart M2 RS420 Secret used by associated EAP identifier These characters are allowed to be used for setting the secret: alphanumeric characters a-z A-Z 0-9 special characters - + & ! @ # $ %% ^ * ( ) , . : _ Use of single quotes to set pre-shared secret key is recommended. If you are using special characters in the secret then single quotes are required. Example usage: 'aA1-&!@,.:_2Bb' :arg id: Secret used when authenticating .. osdx:cfgcmd:: vpn ipsec auth-profile local auth eap type .. raw:: html SDE M10-Smart M2 RS420 Type of EAP authentication to use. By default, it is guessed Different kind of EAP authentication mechanisms can be used during identity exchange. By default, the EAP method is guessed during IKE negotiation but you can manually specify which one must be used :arg none: Guess EAP method to use :arg identity: EAP-Identity protocol for requesting a different identity :arg sim: EAP-Subscriber Identity Module using SIM cards (or files) :arg aka: EAP-Authentication and Key Agreement using UMTS for authentication :arg gtc: EAP-GTC protocol handler authenticating with XAuth backends :arg mschapv2: EAP-Microsoft Challenge Handshake Authentication Protocol version 2 :arg radius: EAP forwarding EAP conversations to a RADIUS server :arg tls: EAP-TLS protocol handler, to authenticate with certificates in EAP :arg ttls: EAP-TTLS protocol handler, wraps other EAP methods securely :arg tnc: EAP-TNC protocol handler, Trusted Network Connect in a TLS tunnel :arg md5: EAP-MD5 protocol handler using passwords .. osdx:cfgcmd:: vpn ipsec auth-profile local auth encrypted-pre-shared-secret .. raw:: html SDE M10-Smart M2 RS420 :arg password: Encrypted PSK (Pre-Shared Key) for local peers .. osdx:cfgcmd:: vpn ipsec auth-profile local auth pre-shared-secret .. raw:: html SDE M10-Smart M2 RS420 :arg txt: PSK (Pre-Shared Key) for local peers These characters are allowed to be used for setting pre-shared secret key : alphanumeric characters a-z A-Z 0-9 special characters - + & ! @ # $ %% ^ * ( ) , . : _ Use of single quotes to set pre-shared secret key is recommended. If you are using special characters in the pre-shared secret key then single quotes are required. Example usage: 'aA1-&!@,.:_2Bb' .. osdx:cfgcmd:: vpn ipsec auth-profile local auth radius .. raw:: html SDE M10-Smart M2 RS420 IPSec RADIUS based authentication .. osdx:cfgcmd:: vpn ipsec auth-profile local auth x509 .. raw:: html SDE M10-Smart M2 RS420 Local X.509 Certificate-based Authentication .. osdx:cfgcmd:: vpn ipsec auth-profile local auth x509 ca-cert-file .. raw:: html SDE M10-Smart M2 RS420 :arg file: Local CA certificate file .. osdx:cfgcmd:: vpn ipsec auth-profile local auth x509 cert-file .. raw:: html SDE M10-Smart M2 RS420 :arg file: Local certificate file .. osdx:cfgcmd:: vpn ipsec auth-profile local auth x509 crl .. raw:: html SDE M10-Smart M2 RS420 Local Certificate Revocation List .. osdx:cfgcmd:: vpn ipsec auth-profile local auth x509 crl file .. raw:: html SDE M10-Smart M2 RS420 :arg file: Local CRL file .. osdx:cfgcmd:: vpn ipsec auth-profile local auth x509 crl revocation .. raw:: html SDE M10-Smart M2 RS420 Revocation mode :arg relaxed: Auth fails, if certificate revoked :arg strict: Auth fails, if certificate revoked or if CRL cannot be loaded/downloaded .. osdx:cfgcmd:: vpn ipsec auth-profile local auth x509 crl url .. raw:: html SDE M10-Smart M2 RS420 :arg txt: CRL file HTTP download URL Will attempt to HTTP fetch this URL first, before attempting to fetch CRL URL which is potentially defined within peer certificate. However will use CRL URL defined within peer certificate as fallback, if fetch fails. .. osdx:cfgcmd:: vpn ipsec auth-profile local auth x509 csr .. raw:: html SDE M10-Smart M2 RS420 Local Certificate Signing Request instance (SCEP) :ref Reference: system certificate scep csr * .. osdx:cfgcmd:: vpn ipsec auth-profile local auth x509 key .. raw:: html SDE M10-Smart M2 RS420 Local private key :ref Required: .. osdx:cfgcmd:: vpn ipsec auth-profile local auth x509 key encrypted-passphrase .. raw:: html SDE M10-Smart M2 RS420 :arg password: Encrypted passphrase .. osdx:cfgcmd:: vpn ipsec auth-profile local auth x509 key file .. raw:: html SDE M10-Smart M2 RS420 :arg file: Private key file .. osdx:cfgcmd:: vpn ipsec auth-profile local auth x509 key passphrase .. raw:: html SDE M10-Smart M2 RS420 :arg txt: Passphrase for private key file These characters are allowed to be used for the passphrase: alphanumeric characters a-z A-Z 0-9 special characters - + & ! @ # $ %% ^ * ( ) , . : _ Use of single quotes to set the passphrase is recommended. If you are using special characters in the passphrase then single quotes are required. Example usage: 'aA1-&!@,.:_2Bb' .. osdx:cfgcmd:: vpn ipsec auth-profile local auth x509 pkcs12 .. raw:: html SDE M10-Smart M2 RS420 Local PKCS#12 :ref Required: :ref Required: .. osdx:cfgcmd:: vpn ipsec auth-profile local auth x509 pkcs12 encrypted-passphrase .. raw:: html SDE M10-Smart M2 RS420 :arg password: Encrypted passphrase .. osdx:cfgcmd:: vpn ipsec auth-profile local auth x509 pkcs12 file .. raw:: html SDE M10-Smart M2 RS420 :arg file: PKCS#12 file .. osdx:cfgcmd:: vpn ipsec auth-profile local auth x509 pkcs12 passphrase .. raw:: html SDE M10-Smart M2 RS420 :arg txt: Passphrase of PKCS#12 file These characters are allowed to be used for the passphrase : alphanumeric characters a-z A-Z 0-9 special characters - + & ! @ # $ %% ^ * ( ) , . : _ Use of single quotes to set the passphrase is recommended. If you are using special characters in the passphrase then single quotes are required. Example usage: 'aA1-&!@,.:_2Bb' .. osdx:cfgcmd:: vpn ipsec auth-profile local id .. raw:: html SDE M10-Smart M2 RS420 Local IKE identity used for authentication The local identity is what a peer expects to find when connecting using the IKE protocol. This can be either an IP address, hostname or strongSwan "magic" variables (such as "%any"). Please, refer to: https://wiki.strongswan.org/projects/strongswan/wiki/IdentityParsing for more information :arg ipv4: IPv4 used by peers :arg ipv6: IPv6 used by peers :arg fqdn: Hostname used by peers :arg %any: Match any identity :arg id: Any other value matching Identity Parsing rules .. osdx:cfgcmd:: vpn ipsec auth-profile mirror-config .. raw:: html SDE M10-Smart M2 RS420 Mirror one authentication side into the other, if not defined When defining an authentication side (local/remote), you can opt-in for only defining one of them. By default, the configuration is mirrored into the missing side (only "auth") respecting already existing data. This way, authentication profiles can be partially defined but with a fully working VPN connection :arg true: The existing profile is mirrored into the non-existing one :arg false: No mirroring is done. Notice that you must define both of them individually .. osdx:cfgcmd:: vpn ipsec auth-profile remote .. raw:: html SDE M10-Smart M2 RS420 Remote (right) authentication configuration .. osdx:cfgcmd:: vpn ipsec auth-profile remote auth .. raw:: html SDE M10-Smart M2 RS420 Authentication method used by connecting peer When a peer authenticates against us (as a server), a remote authentication method must be used. By default, it is "pubkey" (X.509 key-pair certificates) which servers for the purpose of identifying the peer. Another method is done by using a pre-shared key in which a key must be shared for connecting. And finally it is possible to authenticate using the RADIUS, usually based on a username/password. :arg pre-shared-secret: Use a previously shared secret key :arg x509: Use X.509 certificates (pubkey) :arg radius: Use a RADIUS server for authenticating users :arg eap: Use EAP authentication :instances: Unique .. osdx:cfgcmd:: vpn ipsec auth-profile remote auth eap .. raw:: html SDE M10-Smart M2 RS420 EAP (Extensible Authentication Protocol) for remote peers The EAP authentication allows defining a pair of username (or ID) and a secret, which can be a PSK. This is used for authenticating peers during connection. Notice that strongSwan magic values can be used (for example, "%any"). For more information, please refer to the VPN documentation. :arg id: EAP identifier/username/remote ID used against when authenticating :arg %any: Match any identity from configured secrets (ask) :instances: Multiple .. osdx:cfgcmd:: vpn ipsec auth-profile remote auth eap encrypted-secret .. raw:: html SDE M10-Smart M2 RS420 :arg password: Encrypted secret used by associated EAP identifier .. osdx:cfgcmd:: vpn ipsec auth-profile remote auth eap secret .. raw:: html SDE M10-Smart M2 RS420 Secret used by associated EAP identifier These characters are allowed to be used for setting the secret: alphanumeric characters a-z A-Z 0-9 special characters - + & ! @ # $ %% ^ * ( ) , . : _ Use of single quotes to set pre-shared secret key is recommended. If you are using special characters in the secret then single quotes are required. Example usage: 'aA1-&!@,.:_2Bb' :arg id: Secret used when authenticating .. osdx:cfgcmd:: vpn ipsec auth-profile remote auth eap type .. raw:: html SDE M10-Smart M2 RS420 Type of EAP authentication to use. By default, it is guessed Different kind of EAP authentication mechanisms can be used during identity exchange. By default, the EAP method is guessed during IKE negotiation but you can manually specify which one must be used :arg none: Guess EAP method to use :arg identity: EAP-Identity protocol for requesting a different identity :arg sim: EAP-Subscriber Identity Module using SIM cards (or files) :arg aka: EAP-Authentication and Key Agreement using UMTS for authentication :arg gtc: EAP-GTC protocol handler authenticating with XAuth backends :arg mschapv2: EAP-Microsoft Challenge Handshake Authentication Protocol version 2 :arg radius: EAP forwarding EAP conversations to a RADIUS server :arg tls: EAP-TLS protocol handler, to authenticate with certificates in EAP :arg ttls: EAP-TTLS protocol handler, wraps other EAP methods securely :arg tnc: EAP-TNC protocol handler, Trusted Network Connect in a TLS tunnel :arg md5: EAP-MD5 protocol handler using passwords .. osdx:cfgcmd:: vpn ipsec auth-profile remote auth encrypted-pre-shared-secret .. raw:: html SDE M10-Smart M2 RS420 :arg password: Encrypted PSK (Pre-Shared Key) for remote peers .. osdx:cfgcmd:: vpn ipsec auth-profile remote auth pre-shared-secret .. raw:: html SDE M10-Smart M2 RS420 :arg txt: PSK (Pre-Shared Key) for remote peers These characters are allowed to be used for setting pre-shared secret key : alphanumeric characters a-z A-Z 0-9 special characters - + & ! @ # $ %% ^ * ( ) , . : _ Use of single quotes to set pre-shared secret key is recommended. If you are using special characters in the pre-shared secret key then single quotes are required. Example usage: 'aA1-&!@,.:_2Bb' .. osdx:cfgcmd:: vpn ipsec auth-profile remote auth radius .. raw:: html SDE M10-Smart M2 RS420 IPSec RADIUS based authentication .. osdx:cfgcmd:: vpn ipsec auth-profile remote auth x509 .. raw:: html SDE M10-Smart M2 RS420 Remote X.509 Certificate-based Authentication .. osdx:cfgcmd:: vpn ipsec auth-profile remote auth x509 ca-cert-file .. raw:: html SDE M10-Smart M2 RS420 :arg file: Remote CA certificate file .. osdx:cfgcmd:: vpn ipsec auth-profile remote auth x509 cert-file .. raw:: html SDE M10-Smart M2 RS420 :arg file: Remote certificate file .. osdx:cfgcmd:: vpn ipsec auth-profile remote auth x509 crl .. raw:: html SDE M10-Smart M2 RS420 Remote Certificate Revocation List .. osdx:cfgcmd:: vpn ipsec auth-profile remote auth x509 crl file .. raw:: html SDE M10-Smart M2 RS420 :arg file: Local CRL file .. osdx:cfgcmd:: vpn ipsec auth-profile remote auth x509 crl revocation .. raw:: html SDE M10-Smart M2 RS420 Revocation mode :arg relaxed: Auth fails, if certificate revoked :arg strict: Auth fails, if certificate revoked or if CRL cannot be loaded/downloaded .. osdx:cfgcmd:: vpn ipsec auth-profile remote auth x509 crl url .. raw:: html SDE M10-Smart M2 RS420 :arg txt: CRL file HTTP download URL Will attempt to HTTP fetch this URL first, before attempting to fetch CRL URL which is potentially defined within peer certificate. However will use CRL URL defined within peer certificate as fallback, if fetch fails. .. osdx:cfgcmd:: vpn ipsec auth-profile remote auth x509 csr .. raw:: html SDE M10-Smart M2 RS420 Remote Certificate Signing Request instance (SCEP) :ref Reference: system certificate scep csr * .. osdx:cfgcmd:: vpn ipsec auth-profile remote auth x509 key .. raw:: html SDE M10-Smart M2 RS420 Remote private key :ref Required: .. osdx:cfgcmd:: vpn ipsec auth-profile remote auth x509 key encrypted-passphrase .. raw:: html SDE M10-Smart M2 RS420 :arg password: Encrypted passphrase .. osdx:cfgcmd:: vpn ipsec auth-profile remote auth x509 key file .. raw:: html SDE M10-Smart M2 RS420 :arg file: Private key file .. osdx:cfgcmd:: vpn ipsec auth-profile remote auth x509 key passphrase .. raw:: html SDE M10-Smart M2 RS420 :arg txt: Passphrase for private key file These characters are allowed to be used for the passphrase: alphanumeric characters a-z A-Z 0-9 special characters - + & ! @ # $ %% ^ * ( ) , . : _ Use of single quotes to set the passphrase is recommended. If you are using special characters in the passphrase then single quotes are required. Example usage: 'aA1-&!@,.:_2Bb' .. osdx:cfgcmd:: vpn ipsec auth-profile remote auth x509 pkcs12 .. raw:: html SDE M10-Smart M2 RS420 Remote PKCS#12 :ref Required: :ref Required: .. osdx:cfgcmd:: vpn ipsec auth-profile remote auth x509 pkcs12 encrypted-passphrase .. raw:: html SDE M10-Smart M2 RS420 :arg password: Encrypted passphrase .. osdx:cfgcmd:: vpn ipsec auth-profile remote auth x509 pkcs12 file .. raw:: html SDE M10-Smart M2 RS420 :arg file: PKCS#12 file .. osdx:cfgcmd:: vpn ipsec auth-profile remote auth x509 pkcs12 passphrase .. raw:: html SDE M10-Smart M2 RS420 :arg txt: Passphrase of PKCS#12 file These characters are allowed to be used for the passphrase : alphanumeric characters a-z A-Z 0-9 special characters - + & ! @ # $ %% ^ * ( ) , . : _ Use of single quotes to set the passphrase is recommended. If you are using special characters in the passphrase then single quotes are required. Example usage: 'aA1-&!@,.:_2Bb' .. osdx:cfgcmd:: vpn ipsec auth-profile remote id .. raw:: html SDE M10-Smart M2 RS420 Remote IKE identity used for authentication The remote identity is what a peer expects to find when connecting using the IKE protocol. This can be either an IP address, hostname or strongSwan "magic" variables (such as "%any"). Please, refer to: https://wiki.strongswan.org/projects/strongswan/wiki/IdentityParsing for more information :arg ipv4: IPv4 used by peers :arg ipv6: IPv6 used by peers :arg fqdn: Hostname used by peers :arg %any: Match any identity :arg id: Any other value matching Identity Parsing rules .. osdx:cfgcmd:: vpn ipsec auth-profile secrets .. raw:: html SDE M10-Smart M2 RS420 Arbitrary secrets for local/remote peers The EAP authentication allows defining a pair of username (or ID) and a secret, which can be a PSK. This is used for authenticating peers during connection. Notice that strongSwan magic values can be used (for example, "%any"). For more information, please refer to the VPN documentation. :arg id: Specific identity to use :instances: Multiple .. osdx:cfgcmd:: vpn ipsec auth-profile secrets encrypted-secret .. raw:: html SDE M10-Smart M2 RS420 :arg password: Encrypted secret associated to ID .. osdx:cfgcmd:: vpn ipsec auth-profile secrets secret .. raw:: html SDE M10-Smart M2 RS420 Secret associated to ID These characters are allowed to be used for setting the secret: alphanumeric characters a-z A-Z 0-9 special characters - + & ! @ # $ %% ^ * ( ) , . : _ Use of single quotes to set pre-shared secret key is recommended. If you are using special characters in the secret then single quotes are required. Example usage: 'aA1-&!@,.:_2Bb' :arg id: Secret used when authenticating .. osdx:cfgcmd:: vpn ipsec dmvpn-profile .. raw:: html SDE M10-Smart M2 RS420 DMVPN IPSec Profile :arg id: Name of the DMVPN IPSec profile :instances: Multiple :ref Required: vpn ipsec auth-profile * :ref Required: vpn ipsec esp-group * :ref Required: vpn ipsec ike-group * .. osdx:cfgcmd:: vpn ipsec dmvpn-profile auth-profile .. raw:: html SDE M10-Smart M2 RS420 IPSec Authentication Profile :ref Reference: vpn ipsec auth-profile * .. osdx:cfgcmd:: vpn ipsec dmvpn-profile esp-group .. raw:: html SDE M10-Smart M2 RS420 Esp group name :ref Reference: vpn ipsec esp-group * .. osdx:cfgcmd:: vpn ipsec dmvpn-profile ike-group .. raw:: html SDE M10-Smart M2 RS420 Ike group name :ref Reference: vpn ipsec ike-group * .. osdx:cfgcmd:: vpn ipsec downloader .. raw:: html SDE M10-Smart M2 RS420 VPN downloader configuration .. osdx:cfgcmd:: vpn ipsec downloader local-address .. raw:: html SDE M10-Smart M2 RS420 Local IP address to use as source for strongSwan downloads :arg ipv4: Local IPv4 address :arg ipv6: Local IPv6 address :Local IP address: .. osdx:cfgcmd:: vpn ipsec downloader local-interface .. raw:: html SDE M10-Smart M2 RS420 :arg ifc: Interface to use as source for strongSwan downloads .. osdx:cfgcmd:: vpn ipsec downloader local-vrf .. raw:: html SDE M10-Smart M2 RS420 VRF to use as source for strongSwan downloads :ref Reference: system vrf * .. osdx:cfgcmd:: vpn ipsec esp-group .. raw:: html SDE M10-Smart M2 RS420 :arg id: Name of Encapsulating Security Payload (ESP) group :instances: Multiple .. osdx:cfgcmd:: vpn ipsec esp-group compression .. raw:: html SDE M10-Smart M2 RS420 ESP compression .. osdx:cfgcmd:: vpn ipsec esp-group lifetime .. raw:: html SDE M10-Smart M2 RS420 ESP lifetime :arg u32: ESP lifetime (in seconds by default) :instances: Unique .. osdx:cfgcmd:: vpn ipsec esp-group lifetime MB .. raw:: html SDE M10-Smart M2 RS420 ESP lifetime to be in megabytes .. osdx:cfgcmd:: vpn ipsec esp-group lifetime packets .. raw:: html SDE M10-Smart M2 RS420 ESP lifetime to be in packets .. osdx:cfgcmd:: vpn ipsec esp-group lifetime seconds .. raw:: html SDE M10-Smart M2 RS420 ESP lifetime to be in seconds .. osdx:cfgcmd:: vpn ipsec esp-group mark-in .. raw:: html SDE M10-Smart M2 RS420 Set an XFRM mark on the inbound policy :arg unique: Use a unique mark for each tunnel :arg unique-dir: Use a unique mark for each tunnel and direction (in/out) :arg unique-only-nat: Use a unique mark for each tunnel when NAT is detected :arg same: Use the same mark for all tunnels :arg u32: Mark value .. osdx:cfgcmd:: vpn ipsec esp-group mark-out .. raw:: html SDE M10-Smart M2 RS420 Set an XFRM mark on the outbound IPsec SA and policy. :arg unique: Use a unique mark for each tunnel :arg unique-dir: Use a unique mark for each tunnel and direction (in/out) :arg unique-only-nat: Use a unique mark for each tunnel when NAT is detected :arg same: Use the same mark for all tunnels :arg u32: Mark value .. osdx:cfgcmd:: vpn ipsec esp-group mode .. raw:: html SDE M10-Smart M2 RS420 ESP mode :arg tunnel: Tunnel mode :arg transport: Transport mode .. osdx:cfgcmd:: vpn ipsec esp-group proposal .. raw:: html SDE M10-Smart M2 RS420 ESP-group proposal [REQUIRED] :arg u32: ESP-group proposal number (1-65535) :instances: Multiple .. osdx:cfgcmd:: vpn ipsec esp-group proposal encryption .. raw:: html SDE M10-Smart M2 RS420 Encryption algorithm :arg aes128: AES-128 encryption with CBC :arg aes192: AES-192 encryption with CBC :arg aes256: AES-256 encryption with CBC :arg aes128gcm128: AES-128 encryption with Galois Counter Mode 128-bit :arg aes192gcm64: AES-192 encryption with GCM and 64 bit ICV :arg aes192gcm128: AES-192 encryption with Galois Counter Mode 128-bit :arg aes256gcm128: AES-256 encryption with Galois Counter Mode 128-bit :arg aes128gmac: Null encryption with AES-128 Galois Message Authentication Code :arg aes192gmac: Null encryption with AES-192 Galois Message Authentication Code :arg aes256gmac: Null encryption with AES-256 Galois Message Authentication Code :arg aes128ccm64: AES-128 encryption with CCM and 64 bit ICV :arg aes192ccm64: AES-192 encryption with CCM and 64 bit ICV :arg aes256ccm64: AES-256 encryption with CCM and 64 bit ICV :arg 3des: 3DES encryption :arg chacha20poly1305: ChaCha20-Poly1305 encryption :arg null: Null encryption .. osdx:cfgcmd:: vpn ipsec esp-group proposal hash .. raw:: html SDE M10-Smart M2 RS420 Hash algorithm :arg md5: MD5 hash :arg sha1: SHA1 hash :arg sha256: SHA2-256 hash :arg sha384: SHA2-384 hash :arg sha512: SHA2-512 hash .. osdx:cfgcmd:: vpn ipsec esp-group proposal pfs .. raw:: html SDE M10-Smart M2 RS420 ESP Perfect Forward Secrecy :arg dh-group2: Enable PFS. Use Diffie-Hellman group 2 (modp1024) :arg dh-group5: Enable PFS. Use Diffie-Hellman group 5 (modp1536) :arg dh-group14: Enable PFS. Use Diffie-Hellman group 14 (modp2048) :arg dh-group15: Enable PFS. Use Diffie-Hellman group 15 (modp3072) :arg dh-group16: Enable PFS. Use Diffie-Hellman group 16 (modp4096) :arg dh-group17: Enable PFS. Use Diffie-Hellman group 17 (modp6144) :arg dh-group18: Enable PFS. Use Diffie-Hellman group 18 (modp8192) :arg dh-group19: Enable PFS. Use Diffie-Hellman group 19 (ecp256) :arg dh-group20: Enable PFS. Use Diffie-Hellman group 20 (ecp384) :arg dh-group21: Enable PFS. Use Diffie-Hellman group 21 (ecp521) :arg dh-group22: Enable PFS. Use Diffie-Hellman group 22 (modp1024s160) :arg dh-group23: Enable PFS. Use Diffie-Hellman group 23 (modp2048s224) :arg dh-group24: Enable PFS. Use Diffie-Hellman group 24 (modp2048s256) :arg dh-group25: Enable PFS. Use Diffie-Hellman group 25 (ecp192) :arg dh-group26: Enable PFS. Use Diffie-Hellman group 26 (ecp224) .. osdx:cfgcmd:: vpn ipsec esp-group replay-window .. raw:: html SDE M10-Smart M2 RS420 Replay Window Value :arg u32: Replay Window Value (0-32) .. osdx:cfgcmd:: vpn ipsec ike-group .. raw:: html SDE M10-Smart M2 RS420 :arg id: Name of Internet Key Exchange (IKE) group :instances: Multiple .. osdx:cfgcmd:: vpn ipsec ike-group dead-peer-detection .. raw:: html SDE M10-Smart M2 RS420 Dead Peer Detection (DPD) .. osdx:cfgcmd:: vpn ipsec ike-group dead-peer-detection action .. raw:: html SDE M10-Smart M2 RS420 Keep-alive failure action :arg clear: Set action to clear :arg restart: Set action to restart :arg trap: Set action to trap .. osdx:cfgcmd:: vpn ipsec ike-group dead-peer-detection interval .. raw:: html SDE M10-Smart M2 RS420 Keep-alive interval :arg u32: Keep-alive interval in seconds (1-86400) .. osdx:cfgcmd:: vpn ipsec ike-group dead-peer-detection timeout .. raw:: html SDE M10-Smart M2 RS420 Keep-alive timeout :arg u32: Keep-alive timeout in seconds (1-86400) .. osdx:cfgcmd:: vpn ipsec ike-group ikev2-reauth .. raw:: html SDE M10-Smart M2 RS420 Re-authentication of the remote peer during an IKE re-key. IKEv2 option only .. osdx:cfgcmd:: vpn ipsec ike-group key-exchange .. raw:: html SDE M10-Smart M2 RS420 Key Exchange Version :arg ikev1: Use IKEv1 for Key Exchange :arg ikev2: Use IKEv2 for Key Exchange .. osdx:cfgcmd:: vpn ipsec ike-group lifetime .. raw:: html SDE M10-Smart M2 RS420 IKE lifetime :arg u32: IKE lifetime in seconds (30-86400) .. osdx:cfgcmd:: vpn ipsec ike-group mobike .. raw:: html SDE M10-Smart M2 RS420 Enable MOBIKE Support. MOBIKE is only available for IKEv2. .. osdx:cfgcmd:: vpn ipsec ike-group mode .. raw:: html SDE M10-Smart M2 RS420 IKEv1 Phase 1 Mode Selection :arg main: Use Main mode for Key Exchanges in the IKEv1 Protocol (Recommended Default) :arg aggressive: Use Aggressive mode for Key Exchanges in the IKEv1 protocol - We do not recommend users to use aggressive mode as it is much more insecure compared to Main mode. .. osdx:cfgcmd:: vpn ipsec ike-group proposal .. raw:: html SDE M10-Smart M2 RS420 IKE-group proposal [REQUIRED] :arg u32: IKE-group proposal (1-65535) :instances: Multiple .. osdx:cfgcmd:: vpn ipsec ike-group proposal dh-group .. raw:: html SDE M10-Smart M2 RS420 Diffie-Hellman (DH) key exchange group :arg 2: DH group 2 (modp1024) :arg 5: DH group 5 (modp1536) :arg 14: DH group 14 (modp2048) :arg 15: DH group 15 (modp3072) :arg 16: DH group 16 (modp4096) :arg 17: DH group 17 (modp6144) :arg 18: DH group 18 (modp8192) :arg 19: DH group 19 (ecp256) :arg 20: DH group 20 (ecp384) :arg 21: DH group 21 (ecp521) :arg 22: DH group 22 (modp1024s160) :arg 23: DH group 23 (modp2048s224) :arg 24: DH group 24 (modp2048s256) :arg 25: DH group 25 (ecp192) :arg 26: DH group 26 (ecp224) .. osdx:cfgcmd:: vpn ipsec ike-group proposal encryption .. raw:: html SDE M10-Smart M2 RS420 Encryption algorithm :arg aes128: AES-128 encryption with CBC :arg aes192: AES-192 encryption with CBC :arg aes256: AES-256 encryption with CBC :arg aes128gcm128: AES-128 encryption with Galois Counter Mode 128-bit :arg aes192gcm64: AES-192 encryption with GCM and 64 bit ICV :arg aes192gcm128: AES-192 encryption with Galois Counter Mode 128-bit :arg aes256gcm128: AES-256 encryption with Galois Counter Mode 128-bit :arg aes128gmac: Null encryption with AES-128 Galois Message Authentication Code :arg aes192gmac: Null encryption with AES-192 Galois Message Authentication Code :arg aes256gmac: Null encryption with AES-256 Galois Message Authentication Code :arg aes128ccm64: AES-128 encryption with CCM and 64 bit ICV :arg aes192ccm64: AES-192 encryption with CCM and 64 bit ICV :arg aes256ccm64: AES-256 encryption with CCM and 64 bit ICV :arg 3des: 3DES encryption :arg chacha20poly1305: ChaCha20-Poly1305 encryption :arg null: Null encryption .. osdx:cfgcmd:: vpn ipsec ike-group proposal hash .. raw:: html SDE M10-Smart M2 RS420 Hash algorithm :arg md5: MD5 hash :arg sha1: SHA1 hash :arg sha256: SHA2-256 hash :arg sha384: SHA2-384 hash :arg sha512: SHA2-512 hash .. osdx:cfgcmd:: vpn ipsec interface .. raw:: html SDE M10-Smart M2 RS420 Network interfaces that should be used by IPSec. All other interfaces are ignored. :arg txt: IPSec interface :instances: Multiple .. osdx:cfgcmd:: vpn ipsec logging .. raw:: html SDE M10-Smart M2 RS420 IPsec logging .. osdx:cfgcmd:: vpn ipsec logging log-types .. raw:: html SDE M10-Smart M2 RS420 Select log type .. osdx:cfgcmd:: vpn ipsec logging log-types any .. raw:: html SDE M10-Smart M2 RS420 Apply log level to all existing types. .. osdx:cfgcmd:: vpn ipsec logging log-types any log-level .. raw:: html SDE M10-Smart M2 RS420 :arg txt: VPN Logger Verbosity Level .. osdx:cfgcmd:: vpn ipsec logging log-types type .. raw:: html SDE M10-Smart M2 RS420 Apply to a specific log type. To see what each log type exactly does, please refer to the VPN documentation :arg dmn: Debug log option for VPN :arg mgr: Debug log option for VPN :arg ike: Debug log option for VPN :arg chd: Debug log option for VPN :arg job: Debug log option for VPN :arg cfg: Debug log option for VPN :arg knl: Debug log option for VPN :arg net: Debug log option for VPN :arg asn: Debug log option for VPN :arg enc: Debug log option for VPN :arg lib: Debug log option for VPN :arg esp: Debug log option for VPN :arg tls: Debug log option for VPN :arg tnc: Debug log option for VPN :arg imc: Debug log option for VPN :arg imv: Debug log option for VPN :arg pts: Debug log option for VPN :instances: Multiple .. osdx:cfgcmd:: vpn ipsec logging log-types type log-level .. raw:: html SDE M10-Smart M2 RS420 :arg id: VPN Logger Verbosity Level .. osdx:cfgcmd:: vpn ipsec pool .. raw:: html SDE M10-Smart M2 RS420 :arg id: Name of Remote Address pool :instances: Multiple .. osdx:cfgcmd:: vpn ipsec pool prefix .. raw:: html SDE M10-Smart M2 RS420 :arg ipv4net: Remote IPv4 or IPv6 prefix :arg ipv6net: Remote IPv4 or IPv6 prefix .. osdx:cfgcmd:: vpn ipsec pool range .. raw:: html SDE M10-Smart M2 RS420 Remote IPv4 or IPv6 range .. osdx:cfgcmd:: vpn ipsec pool range first-address .. raw:: html SDE M10-Smart M2 RS420 :arg ipv4: first IPv4 or IPv6 address of the pool range :arg ipv6: first IPv4 or IPv6 address of the pool range .. osdx:cfgcmd:: vpn ipsec pool range last-address .. raw:: html SDE M10-Smart M2 RS420 :arg ipv4: last IPv4 or IPv6 address of the pool range :arg ipv6: last IPv4 or IPv6 address of the pool range .. osdx:cfgcmd:: vpn ipsec radius .. raw:: html SDE M10-Smart M2 RS420 IPSec RADIUS based authentication settings :ref Required: system aaa list * .. osdx:cfgcmd:: vpn ipsec radius accounting .. raw:: html SDE M10-Smart M2 RS420 Enable RADIUS accounting .. osdx:cfgcmd:: vpn ipsec radius authentication-list .. raw:: html SDE M10-Smart M2 RS420 VPN type list to use when authenticating Choose the VPN list that will be used when an external user tries to authenticate. Lists can be set-up with "system aaa list" command :ref Reference: system aaa list * .. osdx:cfgcmd:: vpn ipsec radius dae .. raw:: html SDE M10-Smart M2 RS420 Dynamic Authorization Extension (DAE) options :ref Required: .. osdx:cfgcmd:: vpn ipsec radius dae encrypted-secret .. raw:: html SDE M10-Smart M2 RS420 :arg password: Encrypted secret .. osdx:cfgcmd:: vpn ipsec radius dae listen-address .. raw:: html SDE M10-Smart M2 RS420 Listen address to listen to DAE messages :arg ipv4: IPv4 listen address :arg ipv6: IPv6 listen address :Local IP address: .. osdx:cfgcmd:: vpn ipsec radius dae port .. raw:: html SDE M10-Smart M2 RS420 Port to listen for requests :arg u32: Numeric IP port (1-65535) .. osdx:cfgcmd:: vpn ipsec radius dae secret .. raw:: html SDE M10-Smart M2 RS420 :arg txt: Shared secret used to verify/sign DAE messages These characters are allowed to be used for setting the shared secret: alphanumeric characters: a-z A-Z 0-9 special characters: - + & ! @ # $ %% ^ * ( ) , . : _ It is recommended to use single quotes (') for setting the shared-secret. If special characters are being used, then single quotes are mandatory .. osdx:cfgcmd:: vpn ipsec radius eap-start .. raw:: html SDE M10-Smart M2 RS420 Send "EAP-Start" instead of "EAP-Identity" to start RADIUS conversation .. osdx:cfgcmd:: vpn ipsec site-to-site .. raw:: html SDE M10-Smart M2 RS420 Site to site VPN .. osdx:cfgcmd:: vpn ipsec site-to-site peer .. raw:: html SDE M10-Smart M2 RS420 :arg id: VPN peer :instances: Multiple :ref Required: vpn ipsec auth-profile * :ref Required: vpn ipsec ike-group * .. osdx:cfgcmd:: vpn ipsec site-to-site peer auth-profile .. raw:: html SDE M10-Smart M2 RS420 IPSec Authentication Profile :ref Reference: vpn ipsec auth-profile * .. osdx:cfgcmd:: vpn ipsec site-to-site peer connection-type .. raw:: html SDE M10-Smart M2 RS420 Connection type :arg initiate: This endpoint can initiate or respond to a connection :arg respond: This endpoint will only respond to a connection :arg on-demand: This endpoint will initiate a connection if matching traffic is detected .. osdx:cfgcmd:: vpn ipsec site-to-site peer default-esp-group .. raw:: html SDE M10-Smart M2 RS420 Default ESP group name :ref Reference: vpn ipsec esp-group * .. osdx:cfgcmd:: vpn ipsec site-to-site peer description .. raw:: html SDE M10-Smart M2 RS420 :arg txt: VPN peer description .. osdx:cfgcmd:: vpn ipsec site-to-site peer force-encapsulation .. raw:: html SDE M10-Smart M2 RS420 Force UDP Encapsulation for ESP Payloads .. osdx:cfgcmd:: vpn ipsec site-to-site peer ike-group .. raw:: html SDE M10-Smart M2 RS420 Internet Key Exchange (IKE) group name :ref Reference: vpn ipsec ike-group * .. osdx:cfgcmd:: vpn ipsec site-to-site peer local-address .. raw:: html SDE M10-Smart M2 RS420 Local address(es) to use for IKE communication As initiator, the first non-range/non-subset is used to initiate the connection. As the responder, the local destination address must match at least one of the specified addresses, subnets or ranges. FQDNs are resolved each time a configuration lookup is done. Finally, "magic" values can be placed here (such as "%any"). :arg ipv4: IPv4 address of a local interface for VPN :arg ipv6: IPv6 address of a local interface for VPN :arg fqdn: DNS domain name of the local interface :arg %any: Match any address specified as local interface :instances: Multiple .. osdx:cfgcmd:: vpn ipsec site-to-site peer local-vrf .. raw:: html SDE M10-Smart M2 RS420 Bind to local Virtual Routing and Forwarding domain name :ref Reference: system vrf * .. osdx:cfgcmd:: vpn ipsec site-to-site peer remote-address .. raw:: html SDE M10-Smart M2 RS420 Remote address(es) to use for IKE communication. Required to initiate a connection As initiator, the first non-range/non-subset is used to initiate the connection. As the responder, the local destination address must match at least one of the specified addresses, subnets or ranges. FQDNs are resolved each time a configuration lookup is done. Finally, "magic" values can be placed here (such as "%any"). :arg ipv4: IPv4 address of peer :arg ipv6: IPv6 address of peer :arg fqdn: DNS domain name of the peer :arg %any: Match any peer :instances: Multiple .. osdx:cfgcmd:: vpn ipsec site-to-site peer tunnel .. raw:: html SDE M10-Smart M2 RS420 :arg u32: Peer tunnel :instances: Multiple .. osdx:cfgcmd:: vpn ipsec site-to-site peer tunnel disable .. raw:: html SDE M10-Smart M2 RS420 Option to disable vpn tunnel .. osdx:cfgcmd:: vpn ipsec site-to-site peer tunnel esp-group .. raw:: html SDE M10-Smart M2 RS420 ESP group name :ref Reference: vpn ipsec esp-group * .. osdx:cfgcmd:: vpn ipsec site-to-site peer tunnel local .. raw:: html SDE M10-Smart M2 RS420 Local parameters for interesting traffic .. osdx:cfgcmd:: vpn ipsec site-to-site peer tunnel local port .. raw:: html SDE M10-Smart M2 RS420 Any TCP or UDP port :arg u32: Numeric IP port (1-32767) :arg u32: Numeric IP port (60000-65535) .. osdx:cfgcmd:: vpn ipsec site-to-site peer tunnel local prefix .. raw:: html SDE M10-Smart M2 RS420 :arg ipv4net: Local IPv4 or IPv6 prefix :arg ipv6net: Local IPv4 or IPv6 prefix .. osdx:cfgcmd:: vpn ipsec site-to-site peer tunnel local-interface .. raw:: html SDE M10-Smart M2 RS420 :arg ifc: Local interface .. osdx:cfgcmd:: vpn ipsec site-to-site peer tunnel protocol .. raw:: html SDE M10-Smart M2 RS420 Protocol to encrypt :arg all: All protocols :arg u32: IP protocol number (0-255) :arg ah: Authentication Header [RFC2402] :arg ax.25: AX.25 frames :arg dccp: Datagram Congestion Control Prot. [RFC4340] :arg ddp: Datagram Delivery Protocol :arg egp: exterior gateway protocol :arg eigrp: Enhanced Interior Routing Protocol (Cisco) :arg encap: Yet Another IP encapsulation [RFC1241] :arg esp: Encap Security Payload [RFC2406] :arg etherip: Ethernet-within-IP Encapsulation [RFC3378] :arg fc: Fibre Channel :arg ggp: gateway-gateway protocol :arg gre: General Routing Encapsulation :arg hip: Host Identity Protocol :arg hmp: host monitoring protocol :arg hopopt: IPv6 Hop-by-Hop Option [RFC1883] :arg icmp: internet control message protocol :arg idpr-cmtp: IDPR Control Message Transport :arg idrp: Inter-Domain Routing Protocol :arg igmp: Internet Group Management :arg igp: any private interior gateway (Cisco) :arg ip: internet protocol, pseudo protocol number :arg ipcomp: IP Payload Compression Protocol :arg ipencap: IP encapsulated in IP (officially ''IP'') :arg ipip: IP-within-IP Encapsulation Protocol :arg ipv6-frag: Fragment Header for IPv6 :arg ipv6-icmp: ICMP for IPv6 :arg ipv6-nonxt: No Next Header for IPv6 :arg ipv6-opts: Destination Options for IPv6 :arg ipv6-route: Routing Header for IPv6 :arg ipv6: Internet Protocol, version 6 :arg isis: IS-IS over IPv4 :arg iso-tp4: ISO Transport Protocol class 4 [RFC905] :arg l2tp: Layer Two Tunneling Protocol [RFC2661] :arg manet: MANET Protocols [RFC5498] :arg mobility-header: Mobility Support for IPv6 [RFC3775] :arg mpls-in-ip: MPLS-in-IP [RFC4023] :arg ospf: Open Shortest Path First IGP :arg pim: Protocol Independent Multicast :arg pup: PARC universal packet protocol :arg rdp: "reliable datagram" protocol :arg rohc: Robust Header Compression :arg rspf: Radio Shortest Path First (officially CPHB) :arg rsvp: Reservation Protocol :arg sctp: Stream Control Transmission Protocol :arg shim6: Shim6 Protocol [RFC5533] :arg skip: SKIP :arg st: ST datagram mode :arg tcp: transmission control protocol :arg udp: user datagram :arg udplite: UDP-Lite [RFC3828] :arg vmtp: Versatile Message Transport :arg vrrp: Virtual Router Redundancy Protocol [RFC5798] :arg wesp: Wrapped Encapsulating Security Payload :arg xns-idp: Xerox NS IDP :arg xtp: Xpress Transfer Protocol .. osdx:cfgcmd:: vpn ipsec site-to-site peer tunnel remote .. raw:: html SDE M10-Smart M2 RS420 Remote parameters for interesting traffic .. osdx:cfgcmd:: vpn ipsec site-to-site peer tunnel remote pool .. raw:: html SDE M10-Smart M2 RS420 Remote address pool name :ref Reference: vpn ipsec pool * .. osdx:cfgcmd:: vpn ipsec site-to-site peer tunnel remote port .. raw:: html SDE M10-Smart M2 RS420 Any TCP or UDP port :arg u32: Numbered port (1-65535) .. osdx:cfgcmd:: vpn ipsec site-to-site peer tunnel remote prefix .. raw:: html SDE M10-Smart M2 RS420 :arg ipv4net: Remote IPv4 or IPv6 prefix :arg ipv6net: Remote IPv4 or IPv6 prefix .. osdx:cfgcmd:: vpn ipsec site-to-site peer vti .. raw:: html SDE M10-Smart M2 RS420 Virtual tunnel interface .. osdx:cfgcmd:: vpn ipsec site-to-site peer vti local-prefix .. raw:: html SDE M10-Smart M2 RS420 :arg ipv4net: Local IPv4 or IPv6 prefix :arg ipv6net: Local IPv4 or IPv6 prefix .. osdx:cfgcmd:: vpn ipsec site-to-site peer vti remote-prefix .. raw:: html SDE M10-Smart M2 RS420 :arg ipv4net: Remote IPv4 or IPv6 prefix :arg ipv6net: Remote IPv4 or IPv6 prefix .. osdx:cfgcmd:: vpn ipsec timers .. raw:: html SDE M10-Smart M2 RS420 VPN global timers .. osdx:cfgcmd:: vpn ipsec timers ike-retransmission .. raw:: html SDE M10-Smart M2 RS420 IKE retransmission timeouts .. osdx:cfgcmd:: vpn ipsec timers ike-retransmission base .. raw:: html SDE M10-Smart M2 RS420 :arg float: Base of exponential backoff .. osdx:cfgcmd:: vpn ipsec timers ike-retransmission retries .. raw:: html SDE M10-Smart M2 RS420 :arg u32: Number of retransmissions to send before giving up .. osdx:cfgcmd:: vpn ipsec timers ike-retransmission timeout .. raw:: html SDE M10-Smart M2 RS420 :arg float: Timeout in seconds .. osdx:cfgcmd:: vpn ipsec triplets .. raw:: html SDE M10-Smart M2 RS420 :arg id: Comma-separated list of values used in various authentication methods, such as EAP-SIM Triplets are used when performing EAP authentication via SIM or AKA methods. They have the form: ,,, ,,, ,,, They are used for authenticating an user with various rounds based on SIM cards. :instances: Multiple