ipsec

vpn ipsec

SDE M10-Smart M2 RS420

VPN IP security (IPsec) parameters

vpn ipsec auth-profile <id>

SDE M10-Smart M2 RS420

IPSec Authentication Profile

Values

• id – Name of the IPSec authentication profile

Instances

Multiple

vpn ipsec auth-profile <id> local

SDE M10-Smart M2 RS420

Local (left) authentication configuration

vpn ipsec auth-profile <id> local auth

SDE M10-Smart M2 RS420

Authentication method locally used

When a peer authenticates against us (as a server), a local authentication method must be used. By default, it is “pubkey” (X.509 key-pair certificates) and if not specified uses system certificates for authentication. This is done in order to ensure that we are who we say (it is, to avoid spoofing attacks). Another method is done by using a pre-shared key. Despite this is not as secure as X.509 certificates, it will allow server identification and would serve for the same purposes. Finally, there is also EAP (Extensible Authentication Protocol) available, which allows authenticating users using a username/password.

Values

• pre-shared-secret – Use a previously shared secret key

• x509 – Use X.509 certificates (pubkey)

• radius – Use a RADIUS server for authenticating users

• eap – Use EAP authentication

Instances

Unique

vpn ipsec auth-profile <id> local auth eap <id>

SDE M10-Smart M2 RS420

EAP (Extensible Authentication Protocol) for local peers

The EAP authentication allows defining a pair of username (or ID) and a secret, which can be a PSK. This is used for authenticating peers during connection. Notice that strongSwan magic values can be used (for example, “%any”). For more information, please refer to the VPN documentation.

Values

• id – EAP identifier/username/remote ID used against when authenticating

• %any – Match any identity from configured secrets (ask)

Instances

Multiple

vpn ipsec auth-profile <id> local auth eap <id> encrypted-secret <password>

SDE M10-Smart M2 RS420

Values

• password – Encrypted secret used by associated EAP identifier

vpn ipsec auth-profile <id> local auth eap <id> secret <txt>

SDE M10-Smart M2 RS420

Secret used by associated EAP identifier

These characters are allowed to be used for setting the secret: alphanumeric characters a-z A-Z 0-9 special characters - + & ! @ # $ %% ^ * ( ) , . : _ Use of single quotes to set pre-shared secret key is recommended. If you are using special characters in the secret then single quotes are required. Example usage: ‘aA1-&!@,.:_2Bb’

Values

• id – Secret used when authenticating

vpn ipsec auth-profile <id> local auth eap <id> type <id>

SDE M10-Smart M2 RS420

Type of EAP authentication to use. By default, it is guessed

Different kind of EAP authentication mechanisms can be used during identity exchange. By default, the EAP method is guessed during IKE negotiation but you can manually specify which one must be used

Values

• none – Guess EAP method to use

• identity – EAP-Identity protocol for requesting a different identity

• sim – EAP-Subscriber Identity Module using SIM cards (or files)

• aka – EAP-Authentication and Key Agreement using UMTS for authentication

• gtc – EAP-GTC protocol handler authenticating with XAuth backends

• mschapv2 – EAP-Microsoft Challenge Handshake Authentication Protocol version 2

• radius – EAP forwarding EAP conversations to a RADIUS server

• tls – EAP-TLS protocol handler, to authenticate with certificates in EAP

• ttls – EAP-TTLS protocol handler, wraps other EAP methods securely

• tnc – EAP-TNC protocol handler, Trusted Network Connect in a TLS tunnel

• md5 – EAP-MD5 protocol handler using passwords

vpn ipsec auth-profile <id> local auth encrypted-pre-shared-secret <password>

SDE M10-Smart M2 RS420

Values

• password – Encrypted PSK (Pre-Shared Key) for local peers

vpn ipsec auth-profile <id> local auth pre-shared-secret <txt>

SDE M10-Smart M2 RS420

Values

• txt –

  PSK (Pre-Shared Key) for local peers

  These characters are allowed to be used for setting pre-shared secret key : alphanumeric characters a-z A-Z 0-9 special characters - + & ! @ # $ %% ^ * ( ) , . : _ Use of single quotes to set pre-shared secret key is recommended. If you are using special characters in the pre-shared secret key then single quotes are required. Example usage: ‘aA1-&!@,.:_2Bb’

vpn ipsec auth-profile <id> local auth radius

SDE M10-Smart M2 RS420

IPSec RADIUS based authentication

vpn ipsec auth-profile <id> local auth x509

SDE M10-Smart M2 RS420

Local X.509 Certificate-based Authentication

vpn ipsec auth-profile <id> local auth x509 ca-cert-file <file>

SDE M10-Smart M2 RS420

Values

• file – Local CA certificate file

vpn ipsec auth-profile <id> local auth x509 cert-file <file>

SDE M10-Smart M2 RS420

Values

• file – Local certificate file

vpn ipsec auth-profile <id> local auth x509 crl

SDE M10-Smart M2 RS420

Local Certificate Revocation List

vpn ipsec auth-profile <id> local auth x509 crl file <file>

SDE M10-Smart M2 RS420

Values

• file – Local CRL file

vpn ipsec auth-profile <id> local auth x509 crl revocation <id>

SDE M10-Smart M2 RS420

Revocation mode

Values

• relaxed – Auth fails, if certificate revoked

• strict – Auth fails, if certificate revoked or if CRL cannot be loaded/downloaded

vpn ipsec auth-profile <id> local auth x509 crl url <txt>

SDE M10-Smart M2 RS420

Values

• txt –

  CRL file HTTP download URL

  Will attempt to HTTP fetch this URL first, before attempting to fetch CRL URL which is potentially defined within peer certificate. However will use CRL URL defined within peer certificate as fallback, if fetch fails.

vpn ipsec auth-profile <id> local auth x509 csr <id>

SDE M10-Smart M2 RS420

Local Certificate Signing Request instance (SCEP)

Reference

system certificate scep csr <id>

vpn ipsec auth-profile <id> local auth x509 key

SDE M10-Smart M2 RS420

Local private key

Required

vpn ipsec auth-profile <id> local auth x509 key encrypted-passphrase <password>

SDE M10-Smart M2 RS420

Values

• password – Encrypted passphrase

vpn ipsec auth-profile <id> local auth x509 key file <file>

SDE M10-Smart M2 RS420

Values

• file – Private key file

vpn ipsec auth-profile <id> local auth x509 key passphrase <txt>

SDE M10-Smart M2 RS420

Values

• txt –

  Passphrase for private key file

  These characters are allowed to be used for the passphrase: alphanumeric characters a-z A-Z 0-9 special characters - + & ! @ # $ %% ^ * ( ) , . : _ Use of single quotes to set the passphrase is recommended. If you are using special characters in the passphrase then single quotes are required. Example usage: ‘aA1-&!@,.:_2Bb’

vpn ipsec auth-profile <id> local auth x509 pkcs12

SDE M10-Smart M2 RS420

Local PKCS#12

Required

Required

vpn ipsec auth-profile <id> local auth x509 pkcs12 encrypted-passphrase <password>

SDE M10-Smart M2 RS420

Values

• password – Encrypted passphrase

vpn ipsec auth-profile <id> local auth x509 pkcs12 file <file>

SDE M10-Smart M2 RS420

Values

• file – PKCS#12 file

vpn ipsec auth-profile <id> local auth x509 pkcs12 passphrase <txt>

SDE M10-Smart M2 RS420

Values

• txt –

  Passphrase of PKCS#12 file

  These characters are allowed to be used for the passphrase : alphanumeric characters a-z A-Z 0-9 special characters - + & ! @ # $ %% ^ * ( ) , . : _ Use of single quotes to set the passphrase is recommended. If you are using special characters in the passphrase then single quotes are required. Example usage: ‘aA1-&!@,.:_2Bb’

vpn ipsec auth-profile <id> local id <id>

SDE M10-Smart M2 RS420

Local IKE identity used for authentication

The local identity is what a peer expects to find when connecting using the IKE protocol. This can be either an IP address, hostname or strongSwan “magic” variables (such as “%any”). Please, refer to: https://wiki.strongswan.org/projects/strongswan/wiki/IdentityParsing for more information

Values

• ipv4 – IPv4 used by peers

• ipv6 – IPv6 used by peers

• fqdn – Hostname used by peers

• %any – Match any identity

• id – Any other value matching Identity Parsing rules

vpn ipsec auth-profile <id> mirror-config <bool>

SDE M10-Smart M2 RS420

Mirror one authentication side into the other, if not defined

When defining an authentication side (local/remote), you can opt-in for only defining one of them. By default, the configuration is mirrored into the missing side (only “auth”) respecting already existing data. This way, authentication profiles can be partially defined but with a fully working VPN connection

Values

• true – The existing profile is mirrored into the non-existing one

• false – No mirroring is done. Notice that you must define both of them individually

vpn ipsec auth-profile <id> remote

SDE M10-Smart M2 RS420

Remote (right) authentication configuration

vpn ipsec auth-profile <id> remote auth

SDE M10-Smart M2 RS420

Authentication method used by connecting peer

When a peer authenticates against us (as a server), a remote authentication method must be used. By default, it is “pubkey” (X.509 key-pair certificates) which servers for the purpose of identifying the peer. Another method is done by using a pre-shared key in which a key must be shared for connecting. And finally it is possible to authenticate using the RADIUS, usually based on a username/password.

Values

• pre-shared-secret – Use a previously shared secret key

• x509 – Use X.509 certificates (pubkey)

• radius – Use a RADIUS server for authenticating users

• eap – Use EAP authentication

Instances

Unique

vpn ipsec auth-profile <id> remote auth eap <id>

SDE M10-Smart M2 RS420

EAP (Extensible Authentication Protocol) for remote peers

The EAP authentication allows defining a pair of username (or ID) and a secret, which can be a PSK. This is used for authenticating peers during connection. Notice that strongSwan magic values can be used (for example, “%any”). For more information, please refer to the VPN documentation.

Values

• id – EAP identifier/username/remote ID used against when authenticating

• %any – Match any identity from configured secrets (ask)

Instances

Multiple

vpn ipsec auth-profile <id> remote auth eap <id> encrypted-secret <password>

SDE M10-Smart M2 RS420

Values

• password – Encrypted secret used by associated EAP identifier

vpn ipsec auth-profile <id> remote auth eap <id> secret <txt>

SDE M10-Smart M2 RS420

Secret used by associated EAP identifier

These characters are allowed to be used for setting the secret: alphanumeric characters a-z A-Z 0-9 special characters - + & ! @ # $ %% ^ * ( ) , . : _ Use of single quotes to set pre-shared secret key is recommended. If you are using special characters in the secret then single quotes are required. Example usage: ‘aA1-&!@,.:_2Bb’

Values

• id – Secret used when authenticating

vpn ipsec auth-profile <id> remote auth eap <id> type <id>

SDE M10-Smart M2 RS420

Type of EAP authentication to use. By default, it is guessed

Different kind of EAP authentication mechanisms can be used during identity exchange. By default, the EAP method is guessed during IKE negotiation but you can manually specify which one must be used

Values

• none – Guess EAP method to use

• identity – EAP-Identity protocol for requesting a different identity

• sim – EAP-Subscriber Identity Module using SIM cards (or files)

• aka – EAP-Authentication and Key Agreement using UMTS for authentication

• gtc – EAP-GTC protocol handler authenticating with XAuth backends

• mschapv2 – EAP-Microsoft Challenge Handshake Authentication Protocol version 2

• radius – EAP forwarding EAP conversations to a RADIUS server

• tls – EAP-TLS protocol handler, to authenticate with certificates in EAP

• ttls – EAP-TTLS protocol handler, wraps other EAP methods securely

• tnc – EAP-TNC protocol handler, Trusted Network Connect in a TLS tunnel

• md5 – EAP-MD5 protocol handler using passwords

vpn ipsec auth-profile <id> remote auth encrypted-pre-shared-secret <password>

SDE M10-Smart M2 RS420

Values

• password – Encrypted PSK (Pre-Shared Key) for remote peers

vpn ipsec auth-profile <id> remote auth pre-shared-secret <txt>

SDE M10-Smart M2 RS420

Values

• txt –

  PSK (Pre-Shared Key) for remote peers

  These characters are allowed to be used for setting pre-shared secret key : alphanumeric characters a-z A-Z 0-9 special characters - + & ! @ # $ %% ^ * ( ) , . : _ Use of single quotes to set pre-shared secret key is recommended. If you are using special characters in the pre-shared secret key then single quotes are required. Example usage: ‘aA1-&!@,.:_2Bb’

vpn ipsec auth-profile <id> remote auth radius

SDE M10-Smart M2 RS420

IPSec RADIUS based authentication

vpn ipsec auth-profile <id> remote auth x509

SDE M10-Smart M2 RS420

Remote X.509 Certificate-based Authentication

vpn ipsec auth-profile <id> remote auth x509 ca-cert-file <file>

SDE M10-Smart M2 RS420

Values

• file – Remote CA certificate file

vpn ipsec auth-profile <id> remote auth x509 cert-file <file>

SDE M10-Smart M2 RS420

Values

• file – Remote certificate file

vpn ipsec auth-profile <id> remote auth x509 crl

SDE M10-Smart M2 RS420

Remote Certificate Revocation List

vpn ipsec auth-profile <id> remote auth x509 crl file <file>

SDE M10-Smart M2 RS420

Values

• file – Local CRL file

vpn ipsec auth-profile <id> remote auth x509 crl revocation <id>

SDE M10-Smart M2 RS420

Revocation mode

Values

• relaxed – Auth fails, if certificate revoked

• strict – Auth fails, if certificate revoked or if CRL cannot be loaded/downloaded

vpn ipsec auth-profile <id> remote auth x509 crl url <txt>

SDE M10-Smart M2 RS420

Values

• txt –

  CRL file HTTP download URL

  Will attempt to HTTP fetch this URL first, before attempting to fetch CRL URL which is potentially defined within peer certificate. However will use CRL URL defined within peer certificate as fallback, if fetch fails.

vpn ipsec auth-profile <id> remote auth x509 csr <id>

SDE M10-Smart M2 RS420

Remote Certificate Signing Request instance (SCEP)

Reference

system certificate scep csr <id>

vpn ipsec auth-profile <id> remote auth x509 key

SDE M10-Smart M2 RS420

Remote private key

Required

vpn ipsec auth-profile <id> remote auth x509 key encrypted-passphrase <password>

SDE M10-Smart M2 RS420

Values

• password – Encrypted passphrase

vpn ipsec auth-profile <id> remote auth x509 key file <file>

SDE M10-Smart M2 RS420

Values

• file – Private key file

vpn ipsec auth-profile <id> remote auth x509 key passphrase <txt>

SDE M10-Smart M2 RS420

Values

• txt –

  Passphrase for private key file

  These characters are allowed to be used for the passphrase: alphanumeric characters a-z A-Z 0-9 special characters - + & ! @ # $ %% ^ * ( ) , . : _ Use of single quotes to set the passphrase is recommended. If you are using special characters in the passphrase then single quotes are required. Example usage: ‘aA1-&!@,.:_2Bb’

vpn ipsec auth-profile <id> remote auth x509 pkcs12

SDE M10-Smart M2 RS420

Remote PKCS#12

Required

Required

vpn ipsec auth-profile <id> remote auth x509 pkcs12 encrypted-passphrase <password>

SDE M10-Smart M2 RS420

Values

• password – Encrypted passphrase

vpn ipsec auth-profile <id> remote auth x509 pkcs12 file <file>

SDE M10-Smart M2 RS420

Values

• file – PKCS#12 file

vpn ipsec auth-profile <id> remote auth x509 pkcs12 passphrase <txt>

SDE M10-Smart M2 RS420

Values

• txt –

  Passphrase of PKCS#12 file

  These characters are allowed to be used for the passphrase : alphanumeric characters a-z A-Z 0-9 special characters - + & ! @ # $ %% ^ * ( ) , . : _ Use of single quotes to set the passphrase is recommended. If you are using special characters in the passphrase then single quotes are required. Example usage: ‘aA1-&!@,.:_2Bb’

vpn ipsec auth-profile <id> remote id <id>

SDE M10-Smart M2 RS420

Remote IKE identity used for authentication

The remote identity is what a peer expects to find when connecting using the IKE protocol. This can be either an IP address, hostname or strongSwan “magic” variables (such as “%any”). Please, refer to: https://wiki.strongswan.org/projects/strongswan/wiki/IdentityParsing for more information

Values

• ipv4 – IPv4 used by peers

• ipv6 – IPv6 used by peers

• fqdn – Hostname used by peers

• %any – Match any identity

• id – Any other value matching Identity Parsing rules

vpn ipsec auth-profile <id> secrets <id>

SDE M10-Smart M2 RS420

Arbitrary secrets for local/remote peers

The EAP authentication allows defining a pair of username (or ID) and a secret, which can be a PSK. This is used for authenticating peers during connection. Notice that strongSwan magic values can be used (for example, “%any”). For more information, please refer to the VPN documentation.

Values

• id – Specific identity to use

Instances

Multiple

vpn ipsec auth-profile <id> secrets <id> encrypted-secret <password>

SDE M10-Smart M2 RS420

Values

• password – Encrypted secret associated to ID

vpn ipsec auth-profile <id> secrets <id> secret <txt>

SDE M10-Smart M2 RS420

Secret associated to ID

These characters are allowed to be used for setting the secret: alphanumeric characters a-z A-Z 0-9 special characters - + & ! @ # $ %% ^ * ( ) , . : _ Use of single quotes to set pre-shared secret key is recommended. If you are using special characters in the secret then single quotes are required. Example usage: ‘aA1-&!@,.:_2Bb’

Values

• id – Secret used when authenticating

vpn ipsec dmvpn-profile <id>

SDE M10-Smart M2 RS420

DMVPN IPSec Profile

Values

• id – Name of the DMVPN IPSec profile

Instances

Multiple

Required

vpn ipsec auth-profile <id>

Required

vpn ipsec esp-group <id>

Required

vpn ipsec ike-group <id>

vpn ipsec dmvpn-profile <id> auth-profile <id>

SDE M10-Smart M2 RS420

IPSec Authentication Profile

Reference

vpn ipsec auth-profile <id>

vpn ipsec dmvpn-profile <id> esp-group <id>

SDE M10-Smart M2 RS420

Esp group name

Reference

vpn ipsec esp-group <id>

vpn ipsec dmvpn-profile <id> ike-group <id>

SDE M10-Smart M2 RS420

Ike group name

Reference

vpn ipsec ike-group <id>

vpn ipsec downloader

SDE M10-Smart M2 RS420

VPN downloader configuration

vpn ipsec downloader local-address <ipv4|ipv6>

SDE M10-Smart M2 RS420

Local IP address to use as source for strongSwan downloads

Values

• ipv4 – Local IPv4 address

• ipv6 – Local IPv6 address

Local IP address

vpn ipsec downloader local-interface <ifc>

SDE M10-Smart M2 RS420

Values

• ifc – Interface to use as source for strongSwan downloads

vpn ipsec downloader local-vrf <id>

SDE M10-Smart M2 RS420

VRF to use as source for strongSwan downloads

Reference

system vrf <id>

vpn ipsec esp-group <id>

SDE M10-Smart M2 RS420

Values

• id – Name of Encapsulating Security Payload (ESP) group

Instances

Multiple

vpn ipsec esp-group <id> compression

SDE M10-Smart M2 RS420

ESP compression

vpn ipsec esp-group <id> lifetime <u32>

SDE M10-Smart M2 RS420

ESP lifetime

Values

• u32 – ESP lifetime (in seconds by default)

Instances

Unique

vpn ipsec esp-group <id> lifetime <u32> MB

SDE M10-Smart M2 RS420

ESP lifetime to be in megabytes

vpn ipsec esp-group <id> lifetime <u32> packets

SDE M10-Smart M2 RS420

ESP lifetime to be in packets

vpn ipsec esp-group <id> lifetime <u32> seconds

SDE M10-Smart M2 RS420

ESP lifetime to be in seconds

vpn ipsec esp-group <id> mark-in <u32|txt>

SDE M10-Smart M2 RS420

Set an XFRM mark on the inbound policy

Values

• unique – Use a unique mark for each tunnel

• unique-dir – Use a unique mark for each tunnel and direction (in/out)

• unique-only-nat – Use a unique mark for each tunnel when NAT is detected

• same – Use the same mark for all tunnels

• u32 – Mark value

vpn ipsec esp-group <id> mark-out <u32|txt>

SDE M10-Smart M2 RS420

Set an XFRM mark on the outbound IPsec SA and policy.

Values

• unique – Use a unique mark for each tunnel

• unique-dir – Use a unique mark for each tunnel and direction (in/out)

• unique-only-nat – Use a unique mark for each tunnel when NAT is detected

• same – Use the same mark for all tunnels

• u32 – Mark value

vpn ipsec esp-group <id> mode <id>

SDE M10-Smart M2 RS420

ESP mode

Values

• tunnel – Tunnel mode

• transport – Transport mode

vpn ipsec esp-group <id> proposal <u32>

SDE M10-Smart M2 RS420

ESP-group proposal [REQUIRED]

Values

• u32 – ESP-group proposal number (1-65535)

Instances

Multiple

vpn ipsec esp-group <id> proposal <u32> encryption <id>

SDE M10-Smart M2 RS420

Encryption algorithm

Values

• aes128 – AES-128 encryption with CBC

• aes192 – AES-192 encryption with CBC

• aes256 – AES-256 encryption with CBC

• aes128gcm128 – AES-128 encryption with Galois Counter Mode 128-bit

• aes192gcm64 – AES-192 encryption with GCM and 64 bit ICV

• aes192gcm128 – AES-192 encryption with Galois Counter Mode 128-bit

• aes256gcm128 – AES-256 encryption with Galois Counter Mode 128-bit

• aes128gmac – Null encryption with AES-128 Galois Message Authentication Code

• aes192gmac – Null encryption with AES-192 Galois Message Authentication Code

• aes256gmac – Null encryption with AES-256 Galois Message Authentication Code

• aes128ccm64 – AES-128 encryption with CCM and 64 bit ICV

• aes192ccm64 – AES-192 encryption with CCM and 64 bit ICV

• aes256ccm64 – AES-256 encryption with CCM and 64 bit ICV

• 3des – 3DES encryption

• chacha20poly1305 – ChaCha20-Poly1305 encryption

• null – Null encryption

vpn ipsec esp-group <id> proposal <u32> hash <id>

SDE M10-Smart M2 RS420

Hash algorithm

Values

• md5 – MD5 hash

• sha1 – SHA1 hash

• sha256 – SHA2-256 hash

• sha384 – SHA2-384 hash

• sha512 – SHA2-512 hash

vpn ipsec esp-group <id> proposal <u32> pfs <id>

SDE M10-Smart M2 RS420

ESP Perfect Forward Secrecy

Values

• dh-group2 – Enable PFS. Use Diffie-Hellman group 2 (modp1024)

• dh-group5 – Enable PFS. Use Diffie-Hellman group 5 (modp1536)

• dh-group14 – Enable PFS. Use Diffie-Hellman group 14 (modp2048)

• dh-group15 – Enable PFS. Use Diffie-Hellman group 15 (modp3072)

• dh-group16 – Enable PFS. Use Diffie-Hellman group 16 (modp4096)

• dh-group17 – Enable PFS. Use Diffie-Hellman group 17 (modp6144)

• dh-group18 – Enable PFS. Use Diffie-Hellman group 18 (modp8192)

• dh-group19 – Enable PFS. Use Diffie-Hellman group 19 (ecp256)

• dh-group20 – Enable PFS. Use Diffie-Hellman group 20 (ecp384)

• dh-group21 – Enable PFS. Use Diffie-Hellman group 21 (ecp521)

• dh-group22 – Enable PFS. Use Diffie-Hellman group 22 (modp1024s160)

• dh-group23 – Enable PFS. Use Diffie-Hellman group 23 (modp2048s224)

• dh-group24 – Enable PFS. Use Diffie-Hellman group 24 (modp2048s256)

• dh-group25 – Enable PFS. Use Diffie-Hellman group 25 (ecp192)

• dh-group26 – Enable PFS. Use Diffie-Hellman group 26 (ecp224)

vpn ipsec esp-group <id> replay-window <u32>

SDE M10-Smart M2 RS420

Replay Window Value

Values

• u32 – Replay Window Value (0-32)

vpn ipsec ike-group <id>

SDE M10-Smart M2 RS420

Values

• id – Name of Internet Key Exchange (IKE) group

Instances

Multiple

vpn ipsec ike-group <id> dead-peer-detection

SDE M10-Smart M2 RS420

Dead Peer Detection (DPD)

vpn ipsec ike-group <id> dead-peer-detection action <id>

SDE M10-Smart M2 RS420

Keep-alive failure action

Values

• clear – Set action to clear

• restart – Set action to restart

• trap – Set action to trap

vpn ipsec ike-group <id> dead-peer-detection interval <u32>

SDE M10-Smart M2 RS420

Keep-alive interval

Values

• u32 – Keep-alive interval in seconds (1-86400)

vpn ipsec ike-group <id> dead-peer-detection timeout <u32>

SDE M10-Smart M2 RS420

Keep-alive timeout

Values

• u32 – Keep-alive timeout in seconds (1-86400)

vpn ipsec ike-group <id> ikev2-reauth

SDE M10-Smart M2 RS420

Re-authentication of the remote peer during an IKE re-key. IKEv2 option only

vpn ipsec ike-group <id> key-exchange <id>

SDE M10-Smart M2 RS420

Key Exchange Version

Values

• ikev1 – Use IKEv1 for Key Exchange

• ikev2 – Use IKEv2 for Key Exchange

vpn ipsec ike-group <id> lifetime <u32>

SDE M10-Smart M2 RS420

IKE lifetime

Values

• u32 – IKE lifetime in seconds (30-86400)

vpn ipsec ike-group <id> mobike

SDE M10-Smart M2 RS420

Enable MOBIKE Support. MOBIKE is only available for IKEv2.

vpn ipsec ike-group <id> mode <id>

SDE M10-Smart M2 RS420

IKEv1 Phase 1 Mode Selection

Values

• main – Use Main mode for Key Exchanges in the IKEv1 Protocol (Recommended Default)

• aggressive – Use Aggressive mode for Key Exchanges in the IKEv1 protocol - We do not recommend users to use aggressive mode as it is much more insecure compared to Main mode.

vpn ipsec ike-group <id> proposal <u32>

SDE M10-Smart M2 RS420

IKE-group proposal [REQUIRED]

Values

• u32 – IKE-group proposal (1-65535)

Instances

Multiple

vpn ipsec ike-group <id> proposal <u32> dh-group <u32>

SDE M10-Smart M2 RS420

Diffie-Hellman (DH) key exchange group

Values

• 2 – DH group 2 (modp1024)

• 5 – DH group 5 (modp1536)

• 14 – DH group 14 (modp2048)

• 15 – DH group 15 (modp3072)

• 16 – DH group 16 (modp4096)

• 17 – DH group 17 (modp6144)

• 18 – DH group 18 (modp8192)

• 19 – DH group 19 (ecp256)

• 20 – DH group 20 (ecp384)

• 21 – DH group 21 (ecp521)

• 22 – DH group 22 (modp1024s160)

• 23 – DH group 23 (modp2048s224)

• 24 – DH group 24 (modp2048s256)

• 25 – DH group 25 (ecp192)

• 26 – DH group 26 (ecp224)

vpn ipsec ike-group <id> proposal <u32> encryption <id>

SDE M10-Smart M2 RS420

Encryption algorithm

Values

• aes128 – AES-128 encryption with CBC

• aes192 – AES-192 encryption with CBC

• aes256 – AES-256 encryption with CBC

• aes128gcm128 – AES-128 encryption with Galois Counter Mode 128-bit

• aes192gcm64 – AES-192 encryption with GCM and 64 bit ICV

• aes192gcm128 – AES-192 encryption with Galois Counter Mode 128-bit

• aes256gcm128 – AES-256 encryption with Galois Counter Mode 128-bit

• aes128gmac – Null encryption with AES-128 Galois Message Authentication Code

• aes192gmac – Null encryption with AES-192 Galois Message Authentication Code

• aes256gmac – Null encryption with AES-256 Galois Message Authentication Code

• aes128ccm64 – AES-128 encryption with CCM and 64 bit ICV

• aes192ccm64 – AES-192 encryption with CCM and 64 bit ICV

• aes256ccm64 – AES-256 encryption with CCM and 64 bit ICV

• 3des – 3DES encryption

• chacha20poly1305 – ChaCha20-Poly1305 encryption

• null – Null encryption

vpn ipsec ike-group <id> proposal <u32> hash <id>

SDE M10-Smart M2 RS420

Hash algorithm

Values

• md5 – MD5 hash

• sha1 – SHA1 hash

• sha256 – SHA2-256 hash

• sha384 – SHA2-384 hash

• sha512 – SHA2-512 hash

vpn ipsec interface <ifc>

SDE M10-Smart M2 RS420

Network interfaces that should be used by IPSec. All other interfaces are ignored.

Values

• txt – IPSec interface

Instances

Multiple

vpn ipsec logging

SDE M10-Smart M2 RS420

IPsec logging

vpn ipsec logging log-types

SDE M10-Smart M2 RS420

Select log type

vpn ipsec logging log-types any

SDE M10-Smart M2 RS420

Apply log level to all existing types.

vpn ipsec logging log-types any log-level <txt>

SDE M10-Smart M2 RS420

Values

• txt – VPN Logger Verbosity Level

vpn ipsec logging log-types type <txt>

SDE M10-Smart M2 RS420

Apply to a specific log type. To see what each log type exactly does, please refer to the VPN documentation

Values

• dmn – Debug log option for VPN

• mgr – Debug log option for VPN

• ike – Debug log option for VPN

• chd – Debug log option for VPN

• job – Debug log option for VPN

• cfg – Debug log option for VPN

• knl – Debug log option for VPN

• net – Debug log option for VPN

• asn – Debug log option for VPN

• enc – Debug log option for VPN

• lib – Debug log option for VPN

• esp – Debug log option for VPN

• tls – Debug log option for VPN

• tnc – Debug log option for VPN

• imc – Debug log option for VPN

• imv – Debug log option for VPN

• pts – Debug log option for VPN

Instances

Multiple

vpn ipsec logging log-types type <txt> log-level <id>

SDE M10-Smart M2 RS420

Values

• id – VPN Logger Verbosity Level

vpn ipsec pool <id>

SDE M10-Smart M2 RS420

Values

• id – Name of Remote Address pool

Instances

Multiple

vpn ipsec pool <id> prefix <ipv4net|ipv6net>

SDE M10-Smart M2 RS420

Values

• ipv4net – Remote IPv4 or IPv6 prefix

• ipv6net – Remote IPv4 or IPv6 prefix

vpn ipsec pool <id> range

SDE M10-Smart M2 RS420

Remote IPv4 or IPv6 range

vpn ipsec pool <id> range first-address <ipv4|ipv6>

SDE M10-Smart M2 RS420

Values

• ipv4 – first IPv4 or IPv6 address of the pool range

• ipv6 – first IPv4 or IPv6 address of the pool range

vpn ipsec pool <id> range last-address <ipv4|ipv6>

SDE M10-Smart M2 RS420

Values

• ipv4 – last IPv4 or IPv6 address of the pool range

• ipv6 – last IPv4 or IPv6 address of the pool range

vpn ipsec radius

SDE M10-Smart M2 RS420

IPSec RADIUS based authentication settings

Required

system aaa list <id>

vpn ipsec radius accounting

SDE M10-Smart M2 RS420

Enable RADIUS accounting

vpn ipsec radius authentication-list <id>

SDE M10-Smart M2 RS420

VPN type list to use when authenticating Choose the VPN list that will be used when an external user tries to authenticate. Lists can be set-up with “system aaa list” command

Reference

system aaa list <id>

vpn ipsec radius dae

SDE M10-Smart M2 RS420

Dynamic Authorization Extension (DAE) options

Required

vpn ipsec radius dae encrypted-secret <password>

SDE M10-Smart M2 RS420

Values

• password – Encrypted secret

vpn ipsec radius dae listen-address <ipv4|ipv6>

SDE M10-Smart M2 RS420

Listen address to listen to DAE messages

Values

• ipv4 – IPv4 listen address

• ipv6 – IPv6 listen address

Local IP address

vpn ipsec radius dae port <u32>

SDE M10-Smart M2 RS420

Port to listen for requests

Values

• u32 – Numeric IP port (1-65535)

vpn ipsec radius dae secret <txt>

SDE M10-Smart M2 RS420

Values

• txt – Shared secret used to verify/sign DAE messages These characters are allowed to be used for setting the shared secret: alphanumeric characters: a-z A-Z 0-9 special characters: - + & ! @ # $ %% ^ * ( ) , . : _ It is recommended to use single quotes (’) for setting the shared-secret. If special characters are being used, then single quotes are mandatory

vpn ipsec radius eap-start

SDE M10-Smart M2 RS420

Send “EAP-Start” instead of “EAP-Identity” to start RADIUS conversation

vpn ipsec site-to-site

SDE M10-Smart M2 RS420

Site to site VPN

vpn ipsec site-to-site peer <id>

SDE M10-Smart M2 RS420

Values

• id – VPN peer

Instances

Multiple

Required

vpn ipsec auth-profile <id>

Required

vpn ipsec ike-group <id>

vpn ipsec site-to-site peer <id> auth-profile <id>

SDE M10-Smart M2 RS420

IPSec Authentication Profile

Reference

vpn ipsec auth-profile <id>

vpn ipsec site-to-site peer <id> connection-type <id>

SDE M10-Smart M2 RS420

Connection type

Values

• initiate – This endpoint can initiate or respond to a connection

• respond – This endpoint will only respond to a connection

• on-demand – This endpoint will initiate a connection if matching traffic is detected

vpn ipsec site-to-site peer <id> default-esp-group <id>

SDE M10-Smart M2 RS420

Default ESP group name

Reference

vpn ipsec esp-group <id>

vpn ipsec site-to-site peer <id> description <txt>

SDE M10-Smart M2 RS420

Values

• txt – VPN peer description

vpn ipsec site-to-site peer <id> force-encapsulation

SDE M10-Smart M2 RS420

Force UDP Encapsulation for ESP Payloads

vpn ipsec site-to-site peer <id> ike-group <id>

SDE M10-Smart M2 RS420

Internet Key Exchange (IKE) group name

Reference

vpn ipsec ike-group <id>

vpn ipsec site-to-site peer <id> local-address <ipv4|ipv6|fqdn|id>

SDE M10-Smart M2 RS420

Local address(es) to use for IKE communication

As initiator, the first non-range/non-subset is used to initiate the connection. As the responder, the local destination address must match at least one of the specified addresses, subnets or ranges. FQDNs are resolved each time a configuration lookup is done. Finally, “magic” values can be placed here (such as “%any”).

Values

• ipv4 – IPv4 address of a local interface for VPN

• ipv6 – IPv6 address of a local interface for VPN

• fqdn – DNS domain name of the local interface

• %any – Match any address specified as local interface

Instances

Multiple

vpn ipsec site-to-site peer <id> local-vrf <id>

SDE M10-Smart M2 RS420

Bind to local Virtual Routing and Forwarding domain name

Reference

system vrf <id>

vpn ipsec site-to-site peer <id> remote-address <ipv4|ipv6|fqdn|id>

SDE M10-Smart M2 RS420

Remote address(es) to use for IKE communication. Required to initiate a connection

As initiator, the first non-range/non-subset is used to initiate the connection. As the responder, the local destination address must match at least one of the specified addresses, subnets or ranges. FQDNs are resolved each time a configuration lookup is done. Finally, “magic” values can be placed here (such as “%any”).

Values

• ipv4 – IPv4 address of peer

• ipv6 – IPv6 address of peer

• fqdn – DNS domain name of the peer

• %any – Match any peer

Instances

Multiple

vpn ipsec site-to-site peer <id> tunnel <u32>

SDE M10-Smart M2 RS420

Values

• u32 – Peer tunnel

Instances

Multiple

vpn ipsec site-to-site peer <id> tunnel <u32> disable

SDE M10-Smart M2 RS420

Option to disable vpn tunnel

vpn ipsec site-to-site peer <id> tunnel <u32> esp-group <id>

SDE M10-Smart M2 RS420

ESP group name

Reference

vpn ipsec esp-group <id>

vpn ipsec site-to-site peer <id> tunnel <u32> local

SDE M10-Smart M2 RS420

Local parameters for interesting traffic

vpn ipsec site-to-site peer <id> tunnel <u32> local port <u32>

SDE M10-Smart M2 RS420

Any TCP or UDP port

Values

• u32 – Numeric IP port (1-32767)

• u32 – Numeric IP port (60000-65535)

vpn ipsec site-to-site peer <id> tunnel <u32> local prefix <ipv4net|ipv6net>

SDE M10-Smart M2 RS420

Values

• ipv4net – Local IPv4 or IPv6 prefix

• ipv6net – Local IPv4 or IPv6 prefix

vpn ipsec site-to-site peer <id> tunnel <u32> local-interface <ifc>

SDE M10-Smart M2 RS420

Values

• ifc – Local interface

vpn ipsec site-to-site peer <id> tunnel <u32> protocol <u32|id>

SDE M10-Smart M2 RS420

Protocol to encrypt

Values

• all – All protocols

• u32 – IP protocol number (0-255)

• ah – Authentication Header [RFC2402]

• ax.25 – AX.25 frames

• dccp – Datagram Congestion Control Prot. [RFC4340]

• ddp – Datagram Delivery Protocol

• egp – exterior gateway protocol

• eigrp – Enhanced Interior Routing Protocol (Cisco)

• encap – Yet Another IP encapsulation [RFC1241]

• esp – Encap Security Payload [RFC2406]

• etherip – Ethernet-within-IP Encapsulation [RFC3378]

• fc – Fibre Channel

• ggp – gateway-gateway protocol

• gre – General Routing Encapsulation

• hip – Host Identity Protocol

• hmp – host monitoring protocol

• hopopt – IPv6 Hop-by-Hop Option [RFC1883]

• icmp – internet control message protocol

• idpr-cmtp – IDPR Control Message Transport

• idrp – Inter-Domain Routing Protocol

• igmp – Internet Group Management

• igp – any private interior gateway (Cisco)

• ip – internet protocol, pseudo protocol number

• ipcomp – IP Payload Compression Protocol

• ipencap – IP encapsulated in IP (officially ‘’IP’’)

• ipip – IP-within-IP Encapsulation Protocol

• ipv6-frag – Fragment Header for IPv6

• ipv6-icmp – ICMP for IPv6

• ipv6-nonxt – No Next Header for IPv6

• ipv6-opts – Destination Options for IPv6

• ipv6-route – Routing Header for IPv6

• ipv6 – Internet Protocol, version 6

• isis – IS-IS over IPv4

• iso-tp4 – ISO Transport Protocol class 4 [RFC905]

• l2tp – Layer Two Tunneling Protocol [RFC2661]

• manet – MANET Protocols [RFC5498]

• mobility-header – Mobility Support for IPv6 [RFC3775]

• mpls-in-ip – MPLS-in-IP [RFC4023]

• ospf – Open Shortest Path First IGP

• pim – Protocol Independent Multicast

• pup – PARC universal packet protocol

• rdp – “reliable datagram” protocol

• rohc – Robust Header Compression

• rspf – Radio Shortest Path First (officially CPHB)

• rsvp – Reservation Protocol

• sctp – Stream Control Transmission Protocol

• shim6 – Shim6 Protocol [RFC5533]

• skip – SKIP

• st – ST datagram mode

• tcp – transmission control protocol

• udp – user datagram

• udplite – UDP-Lite [RFC3828]

• vmtp – Versatile Message Transport

• vrrp – Virtual Router Redundancy Protocol [RFC5798]

• wesp – Wrapped Encapsulating Security Payload

• xns-idp – Xerox NS IDP

• xtp – Xpress Transfer Protocol

vpn ipsec site-to-site peer <id> tunnel <u32> remote

SDE M10-Smart M2 RS420

Remote parameters for interesting traffic

vpn ipsec site-to-site peer <id> tunnel <u32> remote pool <id>

SDE M10-Smart M2 RS420

Remote address pool name

Reference

vpn ipsec pool <id>

vpn ipsec site-to-site peer <id> tunnel <u32> remote port <u32>

SDE M10-Smart M2 RS420

Any TCP or UDP port

Values

• u32 – Numbered port (1-65535)

vpn ipsec site-to-site peer <id> tunnel <u32> remote prefix <ipv4net|ipv6net>

SDE M10-Smart M2 RS420

Values

• ipv4net – Remote IPv4 or IPv6 prefix

• ipv6net – Remote IPv4 or IPv6 prefix

vpn ipsec site-to-site peer <id> vti

SDE M10-Smart M2 RS420

Virtual tunnel interface

vpn ipsec site-to-site peer <id> vti local-prefix <ipv4net|ipv6net>

SDE M10-Smart M2 RS420

Values

• ipv4net – Local IPv4 or IPv6 prefix

• ipv6net – Local IPv4 or IPv6 prefix

vpn ipsec site-to-site peer <id> vti remote-prefix <ipv4net|ipv6net>

SDE M10-Smart M2 RS420

Values

• ipv4net – Remote IPv4 or IPv6 prefix

• ipv6net – Remote IPv4 or IPv6 prefix

vpn ipsec timers

SDE M10-Smart M2 RS420

VPN global timers

vpn ipsec timers ike-retransmission

SDE M10-Smart M2 RS420

IKE retransmission timeouts

vpn ipsec timers ike-retransmission base <float>

SDE M10-Smart M2 RS420

Values

• float – Base of exponential backoff

vpn ipsec timers ike-retransmission retries <u32>

SDE M10-Smart M2 RS420

Values

• u32 – Number of retransmissions to send before giving up

vpn ipsec timers ike-retransmission timeout <float>

SDE M10-Smart M2 RS420

Values

• float – Timeout in seconds

vpn ipsec triplets <id>

SDE M10-Smart M2 RS420

Values

• id –

  Comma-separated list of values used in various authentication methods, such as EAP-SIM

  Triplets are used when performing EAP authentication via SIM or AKA methods. They have the form: <ID>,<ROUND1>,<SRES1>,<SIM-KC2> <ID>,<ROUND2>,<SRES2>,<SIM-KC2> <ID>,<ROUND3>,<SRES3>,<SIM-KC2> They are used for authenticating an user with various rounds based on SIM cards.

Instances

Multiple