ipsec
-----
.. osdx:cfgcmd:: vpn ipsec
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
VPN IP security (IPsec) parameters
.. osdx:cfgcmd:: vpn ipsec auth-profile
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
IPSec Authentication Profile
:arg id:
Name of the IPSec authentication profile
:instances: Multiple
.. osdx:cfgcmd:: vpn ipsec auth-profile local
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
Local (left) authentication configuration
.. osdx:cfgcmd:: vpn ipsec auth-profile local auth
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
Authentication method locally used
When a peer authenticates against us (as a server), a local authentication
method must be used. By default, it is "pubkey" (key-pair certificates)
and if not specified uses system certificates for authentication. This is done
in order to ensure that we are who we say (it is, to avoid spoofing attacks).
Another method is done by using a pre-shared key. Despite this is not as secure as
X.509 certificates, it will allow server identification and would serve for the
same purposes. Finally, there is also EAP (Extensible Authentication Protocol)
available, which allows authenticating users using a username/password.
:arg pre-shared-secret:
Use a previously shared secret key
:arg radius:
Use a RADIUS server for authenticating users
:arg eap:
Use EAP authentication
:instances: Unique
.. osdx:cfgcmd:: vpn ipsec auth-profile local auth eap
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
EAP (Extensible Authentication Protocol) for local peers
The EAP authentication allows defining a pair of username (or ID)
and a secret, which can be a PSK. This is used for authenticating peers
during connection. Notice that strongSwan magic values can be used (for example, "%any").
For more information, please refer to the VPN documentation.
:arg id:
EAP identifier/username/remote ID used against when authenticating
:arg %any:
Match any identity from configured secrets (ask)
:instances: Multiple
.. osdx:cfgcmd:: vpn ipsec auth-profile local auth eap encrypted-secret
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
:arg password:
Encrypted secret used by associated EAP identifier
.. osdx:cfgcmd:: vpn ipsec auth-profile local auth eap secret
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
Secret used by associated EAP identifier
These characters are allowed to be used for setting the secret:
alphanumeric characters a-z A-Z 0-9
special characters - + & ! @ # $ %% ^ * ( ) , . : _
Use of single quotes to set pre-shared secret key is recommended. If you are
using special characters in the secret then single quotes are
required.
Example usage: 'aA1-&!@,.:_2Bb'
:arg id:
Secret used when authenticating
.. osdx:cfgcmd:: vpn ipsec auth-profile local auth eap type
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
Type of EAP authentication to use. By default, it is guessed
Different kind of EAP authentication mechanisms can be used during identity
exchange. By default, the EAP method is guessed during IKE negotiation but you
can manually specify which one must be used
:arg mschapv2:
EAP-Microsoft Challenge Handshake Authentication Protocol version 2
:arg tls:
EAP-TLS protocol handler, to authenticate with certificates in EAP
:arg ttls:
EAP-TTLS protocol handler, wraps other EAP methods securely
:arg md5:
EAP-MD5 protocol handler using passwords
.. osdx:cfgcmd:: vpn ipsec auth-profile local auth encrypted-pre-shared-secret
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
:arg password:
Encrypted PSK (Pre-Shared Key) for local peers
.. osdx:cfgcmd:: vpn ipsec auth-profile local auth pre-shared-secret
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
:arg txt:
PSK (Pre-Shared Key) for local peers
These characters are allowed to be used for setting pre-shared secret key :
alphanumeric characters a-z A-Z 0-9
special characters - + & ! @ # $ %% ^ * ( ) , . : _
Use of single quotes to set pre-shared secret key is recommended. If you are
using special characters in the pre-shared secret key then single quotes are
required.
Example usage: 'aA1-&!@,.:_2Bb'
.. osdx:cfgcmd:: vpn ipsec auth-profile local auth radius
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
IPSec RADIUS based authentication
.. osdx:cfgcmd:: vpn ipsec auth-profile local ca-cert-file
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
:arg file:
local CA certificate file
.. osdx:cfgcmd:: vpn ipsec auth-profile local cert-file
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
:arg file:
local certificate file
.. osdx:cfgcmd:: vpn ipsec auth-profile local crl
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
local Certificate Revocation List
.. osdx:cfgcmd:: vpn ipsec auth-profile local crl file
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
:arg file:
Local CRL file
.. osdx:cfgcmd:: vpn ipsec auth-profile local crl revocation
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
Revocation mode
:arg relaxed:
Auth fails, if certificate revoked
:arg strict:
Auth fails, if certificate revoked or if CRL cannot be loaded/downloaded
.. osdx:cfgcmd:: vpn ipsec auth-profile local crl url
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
:arg txt:
CRL file HTTP download URL
Will attempt to HTTP fetch this URL first, before attempting to fetch CRL URL
which is potentially defined within peer certificate. However will use
CRL URL defined within peer certificate as fallback, if fetch fails.
.. osdx:cfgcmd:: vpn ipsec auth-profile local csr
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
local Certificate Signing Request instance (SCEP)
:ref Reference: system certificate scep csr *
.. osdx:cfgcmd:: vpn ipsec auth-profile local id
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
Local IKE identity used for authentication
The local identity is what a peer expects to find when connecting using the IKE
protocol. This can be either an IP address, hostname or strongSwan "magic" variables
(such as "%any"). Please, refer to: https://wiki.strongswan.org/projects/strongswan/wiki/IdentityParsing
for more information
:arg ipv4:
IPv4 used by peers
:arg ipv6:
IPv6 used by peers
:arg fqdn:
Hostname used by peers
:arg %any:
Match any identity
:arg id:
Any other value matching Identity Parsing rules
.. osdx:cfgcmd:: vpn ipsec auth-profile local key
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
local private key
:ref Required:
.. osdx:cfgcmd:: vpn ipsec auth-profile local key encrypted-passphrase
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
:arg password:
Encrypted passphrase
.. osdx:cfgcmd:: vpn ipsec auth-profile local key file
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
:arg file:
Private key file
.. osdx:cfgcmd:: vpn ipsec auth-profile local key passphrase
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
:arg txt:
Passphrase for private key file
These characters are allowed to be used for the passphrase:
alphanumeric characters a-z A-Z 0-9
special characters - + & ! @ # $ %% ^ * ( ) , . : _
Use of single quotes to set the passphrase is recommended. If you are
using special characters in the passphrase then single quotes are
required.
Example usage: 'aA1-&!@,.:_2Bb'
.. osdx:cfgcmd:: vpn ipsec auth-profile local pkcs12
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
local PKCS#12
:ref Required:
:ref Required:
.. osdx:cfgcmd:: vpn ipsec auth-profile local pkcs12 encrypted-passphrase
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
:arg password:
Encrypted passphrase
.. osdx:cfgcmd:: vpn ipsec auth-profile local pkcs12 file
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
:arg file:
PKCS#12 file
.. osdx:cfgcmd:: vpn ipsec auth-profile local pkcs12 passphrase
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
:arg txt:
Passphrase of PKCS#12 file
These characters are allowed to be used for the passphrase :
alphanumeric characters a-z A-Z 0-9
special characters - + & ! @ # $ %% ^ * ( ) , . : _
Use of single quotes to set the passphrase is recommended. If you are
using special characters in the passphrase then single quotes are
required.
Example usage: 'aA1-&!@,.:_2Bb'
.. osdx:cfgcmd:: vpn ipsec auth-profile local xauth
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
XAuth (Extended Authentication) configuration for local side
:instances: Unique
:ref Required:
.. osdx:cfgcmd:: vpn ipsec auth-profile local xauth user
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
XAUTH (Extended Authentication) for local peers
The XAUTH authentication allows defining a pair of username (or ID)
and a secret, which can be a PSK o RSA certificate. This is used for authenticating peers
during connection.
:arg id:
XAUTH identifier/username/remote ID used against when authenticating
:instances: Multiple
.. osdx:cfgcmd:: vpn ipsec auth-profile local xauth user encrypted-secret
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
:arg password:
Encrypted secret used by associated XAUTH identifier
.. osdx:cfgcmd:: vpn ipsec auth-profile local xauth user secret
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
Secret used by associated XAUTH identifier
These characters are allowed to be used for setting the secret:
alphanumeric characters a-z A-Z 0-9
special characters - + & ! @ # $ %% ^ * ( ) , . : _
Use of single quotes to set pre-shared secret key is recommended. If you are
using special characters in the secret then single quotes are
required.
Example usage: 'aA1-&!@,.:_2Bb'
:arg id:
Secret used when authenticating
.. osdx:cfgcmd:: vpn ipsec auth-profile mirror-config
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
Mirror one authentication side into the other, if not defined
When defining an authentication side (local/remote), you can opt-in for only
defining one of them. By default, the configuration is mirrored into the missing
side (only "auth") respecting already existing data. This way, authentication
profiles can be partially defined but with a fully working VPN connection
:arg true:
The existing profile is mirrored into the non-existing one
:arg false:
No mirroring is done. Notice that you must define both of them individually
.. osdx:cfgcmd:: vpn ipsec auth-profile remote
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
Remote (right) authentication configuration
.. osdx:cfgcmd:: vpn ipsec auth-profile remote auth
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
Authentication method used by connecting peer
When a peer authenticates against us (as a server), a remote authentication
method must be used. By default, it is "pubkey" (key-pair certificates)
which servers for the purpose of identifying the peer.
Another method is done by using a pre-shared key in which a key must be shared
for connecting. And finally it is possible to authenticate using the RADIUS,
usually based on a username/password.
:arg pre-shared-secret:
Use a previously shared secret key
:arg radius:
Use a RADIUS server for authenticating users
:arg eap:
Use EAP authentication
:instances: Unique
.. osdx:cfgcmd:: vpn ipsec auth-profile remote auth eap
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
EAP (Extensible Authentication Protocol) for remote peers
The EAP authentication allows defining a pair of username (or ID)
and a secret, which can be a PSK. This is used for authenticating peers
during connection. Notice that strongSwan magic values can be used (for example, "%any").
For more information, please refer to the VPN documentation.
:arg id:
EAP identifier/username/remote ID used against when authenticating
:arg %any:
Match any identity from configured secrets (ask)
:instances: Multiple
.. osdx:cfgcmd:: vpn ipsec auth-profile remote auth eap encrypted-secret
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
:arg password:
Encrypted secret used by associated EAP identifier
.. osdx:cfgcmd:: vpn ipsec auth-profile remote auth eap secret
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
Secret used by associated EAP identifier
These characters are allowed to be used for setting the secret:
alphanumeric characters a-z A-Z 0-9
special characters - + & ! @ # $ %% ^ * ( ) , . : _
Use of single quotes to set pre-shared secret key is recommended. If you are
using special characters in the secret then single quotes are
required.
Example usage: 'aA1-&!@,.:_2Bb'
:arg id:
Secret used when authenticating
.. osdx:cfgcmd:: vpn ipsec auth-profile remote auth eap type
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
Type of EAP authentication to use. By default, it is guessed
Different kind of EAP authentication mechanisms can be used during identity
exchange. By default, the EAP method is guessed during IKE negotiation but you
can manually specify which one must be used
:arg mschapv2:
EAP-Microsoft Challenge Handshake Authentication Protocol version 2
:arg tls:
EAP-TLS protocol handler, to authenticate with certificates in EAP
:arg ttls:
EAP-TTLS protocol handler, wraps other EAP methods securely
:arg md5:
EAP-MD5 protocol handler using passwords
.. osdx:cfgcmd:: vpn ipsec auth-profile remote auth encrypted-pre-shared-secret
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
:arg password:
Encrypted PSK (Pre-Shared Key) for remote peers
.. osdx:cfgcmd:: vpn ipsec auth-profile remote auth pre-shared-secret
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
:arg txt:
PSK (Pre-Shared Key) for remote peers
These characters are allowed to be used for setting pre-shared secret key :
alphanumeric characters a-z A-Z 0-9
special characters - + & ! @ # $ %% ^ * ( ) , . : _
Use of single quotes to set pre-shared secret key is recommended. If you are
using special characters in the pre-shared secret key then single quotes are
required.
Example usage: 'aA1-&!@,.:_2Bb'
.. osdx:cfgcmd:: vpn ipsec auth-profile remote auth radius
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
IPSec RADIUS based authentication
.. osdx:cfgcmd:: vpn ipsec auth-profile remote ca-cert-file
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
:arg file:
remote CA certificate file
.. osdx:cfgcmd:: vpn ipsec auth-profile remote cert-file
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
:arg file:
remote certificate file
.. osdx:cfgcmd:: vpn ipsec auth-profile remote crl
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
remote Certificate Revocation List
.. osdx:cfgcmd:: vpn ipsec auth-profile remote crl file
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
:arg file:
Local CRL file
.. osdx:cfgcmd:: vpn ipsec auth-profile remote crl revocation
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
Revocation mode
:arg relaxed:
Auth fails, if certificate revoked
:arg strict:
Auth fails, if certificate revoked or if CRL cannot be loaded/downloaded
.. osdx:cfgcmd:: vpn ipsec auth-profile remote crl url
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
:arg txt:
CRL file HTTP download URL
Will attempt to HTTP fetch this URL first, before attempting to fetch CRL URL
which is potentially defined within peer certificate. However will use
CRL URL defined within peer certificate as fallback, if fetch fails.
.. osdx:cfgcmd:: vpn ipsec auth-profile remote csr
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
remote Certificate Signing Request instance (SCEP)
:ref Reference: system certificate scep csr *
.. osdx:cfgcmd:: vpn ipsec auth-profile remote id
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
Remote IKE identity used for authentication
The remote identity is what a peer expects to find when connecting using the IKE
protocol. This can be either an IP address, hostname or strongSwan "magic" variables
(such as "%any"). Please, refer to: https://wiki.strongswan.org/projects/strongswan/wiki/IdentityParsing
for more information
:arg ipv4:
IPv4 used by peers
:arg ipv6:
IPv6 used by peers
:arg fqdn:
Hostname used by peers
:arg %any:
Match any identity
:arg id:
Any other value matching Identity Parsing rules
.. osdx:cfgcmd:: vpn ipsec auth-profile remote key
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
remote private key
:ref Required:
.. osdx:cfgcmd:: vpn ipsec auth-profile remote key encrypted-passphrase
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
:arg password:
Encrypted passphrase
.. osdx:cfgcmd:: vpn ipsec auth-profile remote key file
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
:arg file:
Private key file
.. osdx:cfgcmd:: vpn ipsec auth-profile remote key passphrase
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
:arg txt:
Passphrase for private key file
These characters are allowed to be used for the passphrase:
alphanumeric characters a-z A-Z 0-9
special characters - + & ! @ # $ %% ^ * ( ) , . : _
Use of single quotes to set the passphrase is recommended. If you are
using special characters in the passphrase then single quotes are
required.
Example usage: 'aA1-&!@,.:_2Bb'
.. osdx:cfgcmd:: vpn ipsec auth-profile remote pkcs12
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
remote PKCS#12
:ref Required:
:ref Required:
.. osdx:cfgcmd:: vpn ipsec auth-profile remote pkcs12 encrypted-passphrase
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
:arg password:
Encrypted passphrase
.. osdx:cfgcmd:: vpn ipsec auth-profile remote pkcs12 file
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
:arg file:
PKCS#12 file
.. osdx:cfgcmd:: vpn ipsec auth-profile remote pkcs12 passphrase
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
:arg txt:
Passphrase of PKCS#12 file
These characters are allowed to be used for the passphrase :
alphanumeric characters a-z A-Z 0-9
special characters - + & ! @ # $ %% ^ * ( ) , . : _
Use of single quotes to set the passphrase is recommended. If you are
using special characters in the passphrase then single quotes are
required.
Example usage: 'aA1-&!@,.:_2Bb'
.. osdx:cfgcmd:: vpn ipsec auth-profile remote xauth
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
XAuth (Extended Authentication) configuration for remote side
:instances: Unique
.. osdx:cfgcmd:: vpn ipsec auth-profile remote xauth radius
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
IPSec RADIUS based authentication
.. osdx:cfgcmd:: vpn ipsec auth-profile remote xauth user
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
XAUTH (Extended Authentication) for remote peers
The XAUTH authentication allows defining a pair of username (or ID)
and a secret, which can be a PSK o RSA certificate. This is used for authenticating peers
during connection. Notice that strongSwan magic values can be used (for example, "%any").
For more information, please refer to the VPN documentation.
:arg %any:
Match any identity from configured secrets
:arg id:
XAUTH identifier/username/remote ID used against when authenticating
:instances: Multiple
.. osdx:cfgcmd:: vpn ipsec auth-profile remote xauth user encrypted-secret
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
:arg password:
Encrypted secret used by associated XAUTH identifier
.. osdx:cfgcmd:: vpn ipsec auth-profile remote xauth user secret
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
Secret used by associated XAUTH identifier
These characters are allowed to be used for setting the secret:
alphanumeric characters a-z A-Z 0-9
special characters - + & ! @ # $ %% ^ * ( ) , . : _
Use of single quotes to set pre-shared secret key is recommended. If you are
using special characters in the secret then single quotes are
required.
Example usage: 'aA1-&!@,.:_2Bb'
:arg id:
Secret used when authenticating
.. osdx:cfgcmd:: vpn ipsec auth-profile secrets
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
Arbitrary secrets for local/remote peers
:arg id:
Specific identity to use
:instances: Multiple
.. osdx:cfgcmd:: vpn ipsec auth-profile secrets encrypted-secret
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
:arg password:
Encrypted secret associated to ID
.. osdx:cfgcmd:: vpn ipsec auth-profile secrets secret
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
Secret associated to ID
These characters are allowed to be used for setting the secret:
alphanumeric characters a-z A-Z 0-9
special characters - + & ! @ # $ %% ^ * ( ) , . : _
Use of single quotes to set pre-shared secret key is recommended. If you are
using special characters in the secret then single quotes are
required.
Example usage: 'aA1-&!@,.:_2Bb'
:arg id:
Secret used when authenticating
.. osdx:cfgcmd:: vpn ipsec dmvpn-profile
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
DMVPN IPSec Profile
:arg id:
Name of the DMVPN IPSec profile
:instances: Multiple
:ref Required: vpn ipsec auth-profile *
:ref Required: vpn ipsec esp-group *
:ref Required: vpn ipsec ike-group *
.. osdx:cfgcmd:: vpn ipsec dmvpn-profile auth-profile
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
IPSec Authentication Profile
:ref Reference: vpn ipsec auth-profile *
.. osdx:cfgcmd:: vpn ipsec dmvpn-profile esp-group
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
Esp group name
:ref Reference: vpn ipsec esp-group *
.. osdx:cfgcmd:: vpn ipsec dmvpn-profile ike-group
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
Ike group name
:ref Reference: vpn ipsec ike-group *
.. osdx:cfgcmd:: vpn ipsec downloader
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
VPN downloader configuration
.. osdx:cfgcmd:: vpn ipsec downloader local-address
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
Local IP address to use as source for strongSwan downloads
:arg ipv4:
Local IPv4 address
:arg ipv6:
Local IPv6 address
:Local IP address:
.. osdx:cfgcmd:: vpn ipsec downloader local-interface
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
:arg ifc:
Interface to use as source for strongSwan downloads
.. osdx:cfgcmd:: vpn ipsec downloader local-vrf
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
VRF to use as source for strongSwan downloads
:ref Reference: system vrf *
.. osdx:cfgcmd:: vpn ipsec esp-group
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
:arg id:
Name of Encapsulating Security Payload (ESP) group
:instances: Multiple
.. osdx:cfgcmd:: vpn ipsec esp-group compression
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
ESP compression
.. osdx:cfgcmd:: vpn ipsec esp-group lifetime
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
ESP lifetime
:arg u32:
ESP lifetime (in seconds by default)
:instances: Unique
.. osdx:cfgcmd:: vpn ipsec esp-group lifetime MB
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
ESP lifetime to be in megabytes
.. osdx:cfgcmd:: vpn ipsec esp-group lifetime packets
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
ESP lifetime to be in packets
.. osdx:cfgcmd:: vpn ipsec esp-group lifetime seconds
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
ESP lifetime to be in seconds
.. osdx:cfgcmd:: vpn ipsec esp-group mark-in
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
Set an XFRM mark on the inbound policy
:arg unique:
Use a unique mark for each tunnel
:arg unique-dir:
Use a unique mark for each tunnel and direction (in/out)
:arg unique-only-nat:
Use a unique mark for each tunnel when NAT is detected
:arg same:
Use the same mark for all tunnels
:arg u32:
Mark value
.. osdx:cfgcmd:: vpn ipsec esp-group mark-out
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
Set an XFRM mark on the outbound IPsec SA and policy
:arg unique:
Use a unique mark for each tunnel
:arg unique-dir:
Use a unique mark for each tunnel and direction (in/out)
:arg unique-only-nat:
Use a unique mark for each tunnel when NAT is detected
:arg same:
Use the same mark for all tunnels
:arg u32:
Mark value
.. osdx:cfgcmd:: vpn ipsec esp-group mode
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
:arg id:
ESP mode
.. osdx:cfgcmd:: vpn ipsec esp-group proposal
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
ESP-group proposal [REQUIRED]
:arg u32:
ESP-group proposal number (1-65535)
:instances: Multiple
.. osdx:cfgcmd:: vpn ipsec esp-group proposal encryption
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
:arg id:
Encryption algorithm
.. osdx:cfgcmd:: vpn ipsec esp-group proposal hash
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
:arg id:
Hash algorithm
.. osdx:cfgcmd:: vpn ipsec esp-group proposal pfs
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
:arg id:
ESP Perfect Forward Secrecy
.. osdx:cfgcmd:: vpn ipsec esp-group replay-window
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
Replay Window Value
:arg u32:
Replay Window Value (0-32)
.. osdx:cfgcmd:: vpn ipsec esp-group vrf-mark-in
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
Set an XFRM mark on the inbound policy using a VRF
:ref Reference: system vrf *
.. osdx:cfgcmd:: vpn ipsec esp-group vrf-mark-out
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
Set an XFRM mark on the outbound IPsec SA and policy using a VRF
:ref Reference: system vrf *
.. osdx:cfgcmd:: vpn ipsec ike-group
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
:arg id:
Name of Internet Key Exchange (IKE) group
:instances: Multiple
.. osdx:cfgcmd:: vpn ipsec ike-group dead-peer-detection
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
Dead Peer Detection (DPD)
.. osdx:cfgcmd:: vpn ipsec ike-group dead-peer-detection action
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
Keep-alive failure action
:arg clear:
Set action to clear
:arg restart:
Set action to restart
:arg trap:
Set action to trap
.. osdx:cfgcmd:: vpn ipsec ike-group dead-peer-detection interval
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
Keep-alive interval
:arg u32:
Keep-alive interval in seconds (1-86400)
.. osdx:cfgcmd:: vpn ipsec ike-group dead-peer-detection timeout
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
Keep-alive timeout
:arg u32:
Keep-alive timeout in seconds (1-86400)
.. osdx:cfgcmd:: vpn ipsec ike-group ikev2-reauth
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
Re-authentication of the remote peer during an IKE re-key. IKEv2 option only
.. osdx:cfgcmd:: vpn ipsec ike-group key-exchange
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
:arg id:
Key Exchange Version
.. osdx:cfgcmd:: vpn ipsec ike-group lifetime
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
IKE lifetime
:arg u32:
IKE lifetime in seconds (30-86400)
.. osdx:cfgcmd:: vpn ipsec ike-group mobike
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
Enable MOBIKE Support. MOBIKE is only available for IKEv2.
.. osdx:cfgcmd:: vpn ipsec ike-group mode
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
IKEv1 Phase 1 Mode Selection
:arg main:
Use Main mode for Key Exchanges in the IKEv1 Protocol (Recommended Default)
:arg aggressive:
Use Aggressive mode for Key Exchanges in the IKEv1 protocol - We do not recommend users to use aggressive mode as it is much more insecure compared to Main mode.
.. osdx:cfgcmd:: vpn ipsec ike-group proposal
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
IKE-group proposal [REQUIRED]
:arg u32:
IKE-group proposal (1-65535)
:instances: Multiple
.. osdx:cfgcmd:: vpn ipsec ike-group proposal dh-group
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
:arg u32:
Diffie-Hellman (DH) key exchange group
.. osdx:cfgcmd:: vpn ipsec ike-group proposal encryption
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
:arg id:
Encryption algorithm
.. osdx:cfgcmd:: vpn ipsec ike-group proposal hash
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
:arg id:
Hash algorithm
.. osdx:cfgcmd:: vpn ipsec interface
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
Network interfaces that should be used by IPSec. All other interfaces are ignored.
:arg txt:
IPSec interface
:instances: Multiple
.. osdx:cfgcmd:: vpn ipsec logging
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
IPsec logging
.. osdx:cfgcmd:: vpn ipsec logging log-types
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
Select log type
.. osdx:cfgcmd:: vpn ipsec logging log-types any
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
Apply log level to all existing types.
.. osdx:cfgcmd:: vpn ipsec logging log-types any log-level
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
:arg txt:
VPN Logger Verbosity Level
.. osdx:cfgcmd:: vpn ipsec logging log-types type
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
Apply to a specific log type. To see what each log type exactly does, please refer to the VPN documentation
:arg dmn:
Debug log option for VPN
:arg mgr:
Debug log option for VPN
:arg ike:
Debug log option for VPN
:arg chd:
Debug log option for VPN
:arg job:
Debug log option for VPN
:arg cfg:
Debug log option for VPN
:arg knl:
Debug log option for VPN
:arg net:
Debug log option for VPN
:arg asn:
Debug log option for VPN
:arg enc:
Debug log option for VPN
:arg lib:
Debug log option for VPN
:arg esp:
Debug log option for VPN
:arg tls:
Debug log option for VPN
:arg tnc:
Debug log option for VPN
:arg imc:
Debug log option for VPN
:arg imv:
Debug log option for VPN
:arg pts:
Debug log option for VPN
:instances: Multiple
.. osdx:cfgcmd:: vpn ipsec logging log-types type log-level
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
:arg id:
VPN Logger Verbosity Level
.. osdx:cfgcmd:: vpn ipsec pool
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
:arg id:
Name of Remote Address pool
:instances: Unique
.. osdx:cfgcmd:: vpn ipsec pool prefix
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
:arg ipv4net:
Remote IPv4 or IPv6 prefix
:arg ipv6net:
Remote IPv4 or IPv6 prefix
.. osdx:cfgcmd:: vpn ipsec pool range
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
Remote IPv4 or IPv6 range
.. osdx:cfgcmd:: vpn ipsec pool range first-address
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
:arg ipv4:
First IPv4 or IPv6 address of the pool range
:arg ipv6:
First IPv4 or IPv6 address of the pool range
.. osdx:cfgcmd:: vpn ipsec pool range last-address
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
:arg ipv4:
Last IPv4 or IPv6 address of the pool range
:arg ipv6:
Last IPv4 or IPv6 address of the pool range
.. osdx:cfgcmd:: vpn ipsec radius
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
IPSec RADIUS based authentication settings
:ref Required: system aaa list *
.. osdx:cfgcmd:: vpn ipsec radius accounting
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
Enable RADIUS accounting
.. osdx:cfgcmd:: vpn ipsec radius authentication-list
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
VPN type list to use when authenticating
Choose the VPN list that will be used when an external user
tries to authenticate. Lists can be set-up with "system aaa list" command
:ref Reference: system aaa list *
.. osdx:cfgcmd:: vpn ipsec radius dae
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
Dynamic Authorization Extension (DAE) options
:ref Required:
.. osdx:cfgcmd:: vpn ipsec radius dae encrypted-secret
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
:arg password:
Encrypted secret
.. osdx:cfgcmd:: vpn ipsec radius dae listen-address
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
Listen address to listen to DAE messages
:arg ipv4:
IPv4 listen address
:arg ipv6:
IPv6 listen address
:Local IP address:
.. osdx:cfgcmd:: vpn ipsec radius dae port
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
Port to listen for requests
:arg u32:
Numeric IP port (1-65535)
.. osdx:cfgcmd:: vpn ipsec radius dae secret
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
:arg txt:
Shared secret used to verify/sign DAE messages
These characters are allowed to be used for setting the shared secret:
alphanumeric characters: a-z A-Z 0-9
special characters: - + & ! @ # $ %% ^ * ( ) , . : _
It is recommended to use single quotes (') for setting the shared-secret.
If special characters are being used, then single quotes are mandatory
.. osdx:cfgcmd:: vpn ipsec radius eap-start
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
Send "EAP-Start" instead of "EAP-Identity" to start RADIUS conversation
.. osdx:cfgcmd:: vpn ipsec site-to-site
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
Site to site VPN
.. osdx:cfgcmd:: vpn ipsec site-to-site peer
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
:arg id:
VPN peer
:instances: Multiple
:ref Required: vpn ipsec auth-profile *
:ref Required: vpn ipsec ike-group *
.. osdx:cfgcmd:: vpn ipsec site-to-site peer auth-profile
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
IPSec Authentication Profile
:ref Reference: vpn ipsec auth-profile *
.. osdx:cfgcmd:: vpn ipsec site-to-site peer connection-type
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
Connection type
:arg initiate:
This endpoint can initiate or respond to a connection
:arg respond:
This endpoint will only respond to a connection
:arg on-demand:
This endpoint will initiate a connection if matching traffic is detected
.. osdx:cfgcmd:: vpn ipsec site-to-site peer default-esp-group
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
Default ESP group name
:ref Reference: vpn ipsec esp-group *
.. osdx:cfgcmd:: vpn ipsec site-to-site peer description
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
:arg txt:
VPN peer description
.. osdx:cfgcmd:: vpn ipsec site-to-site peer dhcp-interface
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
:arg ifc:
DHCP interface that supplies the local address to use for IKE communication
.. osdx:cfgcmd:: vpn ipsec site-to-site peer force-encapsulation
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
Force UDP Encapsulation for ESP Payloads
.. osdx:cfgcmd:: vpn ipsec site-to-site peer ike-group
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
Internet Key Exchange (IKE) group name
:ref Reference: vpn ipsec ike-group *
.. osdx:cfgcmd:: vpn ipsec site-to-site peer install-vips
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
Pull virtual IP addresses from remote
:ref Required:
.. osdx:cfgcmd:: vpn ipsec site-to-site peer install-vips address
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
:arg ipv4:
Request specific address(es)
If not set, 0.0.0.0 will be used (i.e., it will accept any virtual IP)
:instances: Multiple
.. osdx:cfgcmd:: vpn ipsec site-to-site peer install-vips interface
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
:arg ifc:
Interface where VIPs should be installed
.. osdx:cfgcmd:: vpn ipsec site-to-site peer local-address
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
Local address(es) to use for IKE communication
As initiator, the first non-range/non-subset is used to initiate the connection.
As the responder, the local destination address must match at least one of the
specified addresses, subnets or ranges. FQDNs are resolved each time a
configuration lookup is done. Finally, "magic" values can be placed
here (such as "%any").
:arg ipv4:
IPv4 address of a local interface for VPN
:arg ipv6:
IPv6 address of a local interface for VPN
:arg fqdn:
DNS domain name of the local interface
:arg %any:
Match any address specified as local interface
:instances: Multiple
.. osdx:cfgcmd:: vpn ipsec site-to-site peer local-vrf
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
Bind to local Virtual Routing and Forwarding domain name
:ref Reference: system vrf *
.. osdx:cfgcmd:: vpn ipsec site-to-site peer pool
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
List of vpn pools to allocate virtual IP addresses
This is only valid for responder configuration
:ref Reference: vpn ipsec pool *
:instances: Multiple
.. osdx:cfgcmd:: vpn ipsec site-to-site peer remote-address
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
Remote address(es) to use for IKE communication. Required to initiate a connection
As initiator, the first non-range/non-subset is used to initiate the connection.
As the responder, the local destination address must match at least one of the
specified addresses, subnets or ranges. FQDNs are resolved each time a
configuration lookup is done. Finally, "magic" values can be placed
here (such as "%any").
:arg ipv4:
IPv4 address of peer
:arg ipv6:
IPv6 address of peer
:arg fqdn:
DNS domain name of the peer
:arg %any:
Match any peer
:instances: Multiple
.. osdx:cfgcmd:: vpn ipsec site-to-site peer tunnel
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
:arg u32:
Peer tunnel
:instances: Multiple
.. osdx:cfgcmd:: vpn ipsec site-to-site peer tunnel disable
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
Option to disable vpn tunnel
.. osdx:cfgcmd:: vpn ipsec site-to-site peer tunnel esp-group
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
ESP group name
:ref Reference: vpn ipsec esp-group *
.. osdx:cfgcmd:: vpn ipsec site-to-site peer tunnel install-routes
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
Enable route installation for this tunnel
:ref Reference: system vrf *
.. osdx:cfgcmd:: vpn ipsec site-to-site peer tunnel local
.. raw:: html
AresC640
Atlas840
M10-Smart
M2
RS420
RXL15000
SDE
Local parameters for interesting traffic
.. osdx:cfgcmd:: vpn ipsec site-to-site peer tunnel local port