ipsec

vpn ipsec
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

VPN IP security (IPsec) parameters

vpn ipsec auth-profile <id>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

IPSec Authentication Profile

Values:
  • id – Name of the IPSec authentication profile

Instances:

Multiple

vpn ipsec auth-profile <id> local
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Local (left) authentication configuration

vpn ipsec auth-profile <id> local auth
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Authentication method locally used

When a peer authenticates against us (as a server), a local authentication method must be used. By default it is “pubkey” (key-pair certificates) and, if nothing is specified, the system certificates are used. This proves that we are who we claim to be (that is, it prevents spoofing). Another method is a pre-shared key; although not as secure as X.509 certificates, it still identifies the server and serves the same purpose. Finally, EAP (Extensible Authentication Protocol) is also available, which authenticates users with a username/password.

Values:
  • pre-shared-secret – Use a previously shared secret key

  • radius – Use a RADIUS server for authenticating users

  • eap – Use EAP authentication

Instances:

Unique

vpn ipsec auth-profile <id> local auth eap <id>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

EAP (Extensible Authentication Protocol) for local peers

EAP authentication defines a pair consisting of a username (or ID) and a secret, which can be a PSK; it is used to authenticate peers during connection setup. strongSwan magic values (for example “%any”) can be used. For more information, refer to the VPN documentation.

Values:
  • id – EAP identifier (username or remote ID) matched when authenticating

  • %any – Match any identity from configured secrets (ask)

Instances:

Multiple

vpn ipsec auth-profile <id> local auth eap <id> encrypted-secret <password>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • password – Encrypted secret used by associated EAP identifier

vpn ipsec auth-profile <id> local auth eap <id> secret <txt>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Secret used by associated EAP identifier

Allowed characters for the secret: alphanumeric characters a-z A-Z 0-9 and the special characters - + & ! @ # $ % ^ * ( ) , . : _ Enclosing the secret in single quotes is recommended; if it contains special characters, single quotes are required. Example usage: 'aA1-&!@,.:_2Bb'

Values:
  • txt – Secret used when authenticating

vpn ipsec auth-profile <id> local auth eap <id> type <id>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Type of EAP authentication to use. By default, it is guessed

Different kinds of EAP authentication mechanisms can be used during the identity exchange. By default the EAP method is guessed during IKE negotiation, but you can specify which one must be used.

Values:
  • mschapv2 – EAP-Microsoft Challenge Handshake Authentication Protocol version 2

  • tls – EAP-TLS protocol handler, to authenticate with certificates in EAP

  • ttls – EAP-TTLS protocol handler, wraps other EAP methods securely

  • md5 – EAP-MD5 protocol handler using passwords

vpn ipsec auth-profile <id> local auth encrypted-pre-shared-secret <password>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • password – Encrypted PSK (Pre-Shared Key) for local peers

vpn ipsec auth-profile <id> local auth pre-shared-secret <txt>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • txt

    PSK (Pre-Shared Key) for local peers

    Allowed characters for the pre-shared secret key: alphanumeric characters a-z A-Z 0-9 and the special characters - + & ! @ # $ % ^ * ( ) , . : _ Enclosing the key in single quotes is recommended; if it contains special characters, single quotes are required. Example usage: 'aA1-&!@,.:_2Bb'

vpn ipsec auth-profile <id> local auth radius
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

IPSec RADIUS based authentication

vpn ipsec auth-profile <id> local ca-cert-file <file>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • file – local CA certificate file

vpn ipsec auth-profile <id> local cert-file <file>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • file – local certificate file

vpn ipsec auth-profile <id> local crl
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

local Certificate Revocation List

vpn ipsec auth-profile <id> local crl file <file>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • file – Local CRL file

vpn ipsec auth-profile <id> local crl revocation <id>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Revocation mode

Values:
  • relaxed – Authentication fails if the certificate is revoked

  • strict – Authentication fails if the certificate is revoked or if the CRL cannot be loaded or downloaded

vpn ipsec auth-profile <id> local crl url <txt>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • txt

    CRL file HTTP download URL

    This URL is fetched over HTTP first, before any CRL URL that may be embedded in the peer certificate. If that fetch fails, the CRL URL from the peer certificate is used as a fallback.

vpn ipsec auth-profile <id> local csr <id>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

local Certificate Signing Request instance (SCEP)

Reference:

system certificate scep csr <id>

vpn ipsec auth-profile <id> local id <id>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Local IKE identity used for authentication

The local identity is what a peer expects to find when connecting using the IKE protocol. It can be an IP address, a hostname or a strongSwan “magic” value (such as “%any”). Refer to https://wiki.strongswan.org/projects/strongswan/wiki/IdentityParsing for more information.

Values:
  • ipv4 – IPv4 used by peers

  • ipv6 – IPv6 used by peers

  • fqdn – Hostname used by peers

  • %any – Match any identity

  • id – Any other value matching Identity Parsing rules

vpn ipsec auth-profile <id> local key
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

local private key

Required:

vpn ipsec auth-profile <id> local key encrypted-passphrase <password>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • password – Encrypted passphrase

vpn ipsec auth-profile <id> local key file <file>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • file – Private key file

vpn ipsec auth-profile <id> local key passphrase <txt>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • txt

    Passphrase for private key file

    Allowed characters for the passphrase: alphanumeric characters a-z A-Z 0-9 and the special characters - + & ! @ # $ % ^ * ( ) , . : _ Enclosing the passphrase in single quotes is recommended; if it contains special characters, single quotes are required. Example usage: 'aA1-&!@,.:_2Bb'

vpn ipsec auth-profile <id> local pkcs12
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

local PKCS#12

Required:

vpn ipsec auth-profile <id> local pkcs12 encrypted-passphrase <password>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • password – Encrypted passphrase

vpn ipsec auth-profile <id> local pkcs12 file <file>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • file – PKCS#12 file

vpn ipsec auth-profile <id> local pkcs12 passphrase <txt>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • txt

    Passphrase of PKCS#12 file

    Allowed characters for the passphrase: alphanumeric characters a-z A-Z 0-9 and the special characters - + & ! @ # $ % ^ * ( ) , . : _ Enclosing the passphrase in single quotes is recommended; if it contains special characters, single quotes are required. Example usage: 'aA1-&!@,.:_2Bb'

vpn ipsec auth-profile <id> local xauth
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

XAuth (Extended Authentication) configuration for local side

Instances:

Unique

Required:

vpn ipsec auth-profile <id> local xauth user <id>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

XAUTH (Extended Authentication) for local peers

XAUTH authentication defines a pair consisting of a username (or ID) and a secret, which can be a PSK or an RSA certificate; it is used to authenticate peers during connection setup.

Values:
  • id – XAUTH identifier (username or remote ID) matched when authenticating

Instances:

Multiple

vpn ipsec auth-profile <id> local xauth user <id> encrypted-secret <password>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • password – Encrypted secret used by associated XAUTH identifier

vpn ipsec auth-profile <id> local xauth user <id> secret <txt>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Secret used by associated XAUTH identifier

Allowed characters for the secret: alphanumeric characters a-z A-Z 0-9 and the special characters - + & ! @ # $ % ^ * ( ) , . : _ Enclosing the secret in single quotes is recommended; if it contains special characters, single quotes are required. Example usage: 'aA1-&!@,.:_2Bb'

Values:
  • txt – Secret used when authenticating

vpn ipsec auth-profile <id> mirror-config <bool>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Mirror one authentication side into the other, if not defined

When defining an authentication side (local/remote), you can choose to define only one of them. By default the configuration is mirrored into the missing side (only “auth”), respecting data that already exists. This way an authentication profile can be partially defined while still yielding a fully working VPN connection.

Values:
  • true – The existing profile is mirrored into the non-existing one

  • false – No mirroring is done. Notice that you must define both of them individually

vpn ipsec auth-profile <id> remote
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Remote (right) authentication configuration

vpn ipsec auth-profile <id> remote auth
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Authentication method used by connecting peer

When a peer authenticates against us (as a server), a remote authentication method must be used. By default it is “pubkey” (key-pair certificates), which serves to identify the peer. Another method is a pre-shared key, in which a key must be shared before connecting. Finally, it is possible to authenticate using RADIUS, usually based on a username/password.

Values:
  • pre-shared-secret – Use a previously shared secret key

  • radius – Use a RADIUS server for authenticating users

  • eap – Use EAP authentication

Instances:

Unique

vpn ipsec auth-profile <id> remote auth eap <id>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

EAP (Extensible Authentication Protocol) for remote peers

EAP authentication defines a pair consisting of a username (or ID) and a secret, which can be a PSK; it is used to authenticate peers during connection setup. strongSwan magic values (for example “%any”) can be used. For more information, refer to the VPN documentation.

Values:
  • id – EAP identifier (username or remote ID) matched when authenticating

  • %any – Match any identity from configured secrets (ask)

Instances:

Multiple

vpn ipsec auth-profile <id> remote auth eap <id> encrypted-secret <password>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • password – Encrypted secret used by associated EAP identifier

vpn ipsec auth-profile <id> remote auth eap <id> secret <txt>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Secret used by associated EAP identifier

Allowed characters for the secret: alphanumeric characters a-z A-Z 0-9 and the special characters - + & ! @ # $ % ^ * ( ) , . : _ Enclosing the secret in single quotes is recommended; if it contains special characters, single quotes are required. Example usage: 'aA1-&!@,.:_2Bb'

Values:
  • txt – Secret used when authenticating

vpn ipsec auth-profile <id> remote auth eap <id> type <id>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Type of EAP authentication to use. By default, it is guessed

Different kinds of EAP authentication mechanisms can be used during the identity exchange. By default the EAP method is guessed during IKE negotiation, but you can specify which one must be used.

Values:
  • mschapv2 – EAP-Microsoft Challenge Handshake Authentication Protocol version 2

  • tls – EAP-TLS protocol handler, to authenticate with certificates in EAP

  • ttls – EAP-TTLS protocol handler, wraps other EAP methods securely

  • md5 – EAP-MD5 protocol handler using passwords

vpn ipsec auth-profile <id> remote auth encrypted-pre-shared-secret <password>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • password – Encrypted PSK (Pre-Shared Key) for remote peers

vpn ipsec auth-profile <id> remote auth pre-shared-secret <txt>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • txt

    PSK (Pre-Shared Key) for remote peers

    Allowed characters for the pre-shared secret key: alphanumeric characters a-z A-Z 0-9 and the special characters - + & ! @ # $ % ^ * ( ) , . : _ Enclosing the key in single quotes is recommended; if it contains special characters, single quotes are required. Example usage: 'aA1-&!@,.:_2Bb'

vpn ipsec auth-profile <id> remote auth radius
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

IPSec RADIUS based authentication

vpn ipsec auth-profile <id> remote ca-cert-file <file>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • file – remote CA certificate file

vpn ipsec auth-profile <id> remote cert-file <file>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • file – remote certificate file

vpn ipsec auth-profile <id> remote crl
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

remote Certificate Revocation List

vpn ipsec auth-profile <id> remote crl file <file>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • file – Local CRL file

vpn ipsec auth-profile <id> remote crl revocation <id>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Revocation mode

Values:
  • relaxed – Authentication fails if the certificate is revoked

  • strict – Authentication fails if the certificate is revoked or if the CRL cannot be loaded or downloaded

vpn ipsec auth-profile <id> remote crl url <txt>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • txt

    CRL file HTTP download URL

    This URL is fetched over HTTP first, before any CRL URL that may be embedded in the peer certificate. If that fetch fails, the CRL URL from the peer certificate is used as a fallback.
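The CRL lookup order and the two revocation modes (“relaxed” and “strict”), for both the local and the remote “crl” settings, are easy to get wrong in operation: “relaxed” lets authentication proceed when the CRL cannot be fetched, while “strict” fails closed. The following Python model is added here as an illustration and is not part of the router software; it makes that decision logic explicit. The fetcher, the one-serial-per-line CRL format and the URLs are constructed stand-ins for the real HTTP download and X.509 CRL parsing.

```python
"""CRL lookup order and revocation-mode semantics, modelled offline.

Added example, not part of the router CLI. The 'fetch' callable and the
text CRL format are constructed stand-ins for HTTP download and CRL parsing.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Sequence, Tuple

# A fetcher maps a URL to CRL bytes, or None when the download fails.
Fetcher = Callable[[str], Optional[bytes]]


@dataclass
class Decision:
    allowed: bool                                       # does peer authentication proceed?
    reason: str                                         # why, for the operator log
    attempted: List[str] = field(default_factory=list)  # URLs tried, in order


def load_crl(configured_url: Optional[str], cert_cdp_urls: Sequence[str],
             fetch: Fetcher) -> Tuple[Optional[bytes], List[str]]:
    """Try the configured 'crl url' first, then each CRL distribution point
    taken from the peer certificate. Returns (crl_bytes_or_None, attempted_urls)."""
    attempted: List[str] = []
    candidates = ([configured_url] if configured_url else []) + list(cert_cdp_urls)
    for url in candidates:
        attempted.append(url)
        crl = fetch(url)
        if crl is not None:
            return crl, attempted
    return None, attempted


def parse_revoked_serials(crl: bytes) -> set:
    """Constructed stand-in for CRL parsing: one hex serial per line."""
    return {line.strip().lower() for line in crl.decode().splitlines() if line.strip()}


def evaluate(mode: str, peer_serial: str, configured_url: Optional[str],
             cert_cdp_urls: Sequence[str], fetch: Fetcher) -> Decision:
    """Apply the 'relaxed' / 'strict' revocation mode to one peer certificate."""
    if mode not in ("relaxed", "strict"):
        raise ValueError(f"unknown revocation mode: {mode}")
    crl, attempted = load_crl(configured_url, cert_cdp_urls, fetch)
    if crl is None:
        if mode == "strict":
            return Decision(False, "CRL unavailable; strict mode fails closed", attempted)
        return Decision(True, "CRL unavailable; relaxed mode proceeds without a revocation check",
                        attempted)
    if peer_serial.lower() in parse_revoked_serials(crl):
        return Decision(False, "certificate is revoked", attempted)
    return Decision(True, "certificate not listed in CRL", attempted)


def make_fetcher(available: Dict[str, bytes]) -> Fetcher:
    """Constructed fetcher: URLs present in the dict succeed, all others fail."""
    return lambda url: available.get(url)


# Constructed sample data: a configured CRL URL and a CDP URL from the peer certificate.
CONFIGURED_URL = "http://crl.example.invalid/vpn.crl"
CERT_CDP_URL = "http://cdp.example.invalid/peer-ca.crl"
SAMPLE_CRL = b"0a1b2c\n0d0e0f\n"   # two revoked serials


if __name__ == "__main__":
    fetch = make_fetcher({CERT_CDP_URL: SAMPLE_CRL})  # the configured URL is down
    for mode in ("relaxed", "strict"):
        d = evaluate(mode, "0a1b2c", CONFIGURED_URL, [CERT_CDP_URL], fetch)
        print(mode, d.allowed, d.reason, d.attempted)
```

The `attempted` list in each `Decision` records the fetch order, which is what an operator checks when a peer unexpectedly authenticates (relaxed mode with an unreachable CRL server) or unexpectedly fails (strict mode with the same outage).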

vpn ipsec auth-profile <id> remote csr <id>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

remote Certificate Signing Request instance (SCEP)

Reference:

system certificate scep csr <id>

vpn ipsec auth-profile <id> remote id <id>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Remote IKE identity used for authentication

The remote identity is what a peer expects to find when connecting using the IKE protocol. It can be an IP address, a hostname or a strongSwan “magic” value (such as “%any”). Refer to https://wiki.strongswan.org/projects/strongswan/wiki/IdentityParsing for more information.

Values:
  • ipv4 – IPv4 used by peers

  • ipv6 – IPv6 used by peers

  • fqdn – Hostname used by peers

  • %any – Match any identity

  • id – Any other value matching Identity Parsing rules

vpn ipsec auth-profile <id> remote key
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

remote private key

Required:

vpn ipsec auth-profile <id> remote key encrypted-passphrase <password>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • password – Encrypted passphrase

vpn ipsec auth-profile <id> remote key file <file>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • file – Private key file

vpn ipsec auth-profile <id> remote key passphrase <txt>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • txt

    Passphrase for private key file

    Allowed characters for the passphrase: alphanumeric characters a-z A-Z 0-9 and the special characters - + & ! @ # $ % ^ * ( ) , . : _ Enclosing the passphrase in single quotes is recommended; if it contains special characters, single quotes are required. Example usage: 'aA1-&!@,.:_2Bb'

vpn ipsec auth-profile <id> remote pkcs12
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

remote PKCS#12

Required:

vpn ipsec auth-profile <id> remote pkcs12 encrypted-passphrase <password>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • password – Encrypted passphrase

vpn ipsec auth-profile <id> remote pkcs12 file <file>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • file – PKCS#12 file

vpn ipsec auth-profile <id> remote pkcs12 passphrase <txt>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • txt

    Passphrase of PKCS#12 file

    Allowed characters for the passphrase: alphanumeric characters a-z A-Z 0-9 and the special characters - + & ! @ # $ % ^ * ( ) , . : _ Enclosing the passphrase in single quotes is recommended; if it contains special characters, single quotes are required. Example usage: 'aA1-&!@,.:_2Bb'

vpn ipsec auth-profile <id> remote xauth
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

XAuth (Extended Authentication) configuration for remote side

Instances:

Unique

vpn ipsec auth-profile <id> remote xauth radius
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

IPSec RADIUS based authentication

vpn ipsec auth-profile <id> remote xauth user <id>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

XAUTH (Extended Authentication) for remote peers

XAUTH authentication defines a pair consisting of a username (or ID) and a secret, which can be a PSK or an RSA certificate; it is used to authenticate peers during connection setup. strongSwan magic values (for example “%any”) can be used. For more information, refer to the VPN documentation.

Values:
  • %any – Match any identity from configured secrets

  • id – XAUTH identifier (username or remote ID) matched when authenticating

Instances:

Multiple

vpn ipsec auth-profile <id> remote xauth user <id> encrypted-secret <password>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • password – Encrypted secret used by associated XAUTH identifier

vpn ipsec auth-profile <id> remote xauth user <id> secret <txt>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Secret used by associated XAUTH identifier

Allowed characters for the secret: alphanumeric characters a-z A-Z 0-9 and the special characters - + & ! @ # $ % ^ * ( ) , . : _ Enclosing the secret in single quotes is recommended; if it contains special characters, single quotes are required. Example usage: 'aA1-&!@,.:_2Bb'

Values:
  • txt – Secret used when authenticating

vpn ipsec auth-profile <id> secrets <id>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Arbitrary secrets for local/remote peers

Values:
  • id – Specific identity to use

Instances:

Multiple

vpn ipsec auth-profile <id> secrets <id> encrypted-secret <password>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • password – Encrypted secret associated to ID

vpn ipsec auth-profile <id> secrets <id> secret <txt>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Secret associated to ID

Allowed characters for the secret: alphanumeric characters a-z A-Z 0-9 and the special characters - + & ! @ # $ % ^ * ( ) , . : _ Enclosing the secret in single quotes is recommended; if it contains special characters, single quotes are required. Example usage: 'aA1-&!@,.:_2Bb'

Values:
  • txt – Secret used when authenticating

vpn ipsec dmvpn-profile <id>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

DMVPN IPSec Profile

Values:
  • id – Name of the DMVPN IPSec profile

Instances:

Multiple

Required:

vpn ipsec auth-profile <id>

Required:

vpn ipsec esp-group <id>

Required:

vpn ipsec ike-group <id>

vpn ipsec dmvpn-profile <id> auth-profile <id>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

IPSec Authentication Profile

Reference:

vpn ipsec auth-profile <id>

vpn ipsec dmvpn-profile <id> esp-group <id>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

ESP group name

Reference:

vpn ipsec esp-group <id>

vpn ipsec dmvpn-profile <id> ike-group <id>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

IKE group name

Reference:

vpn ipsec ike-group <id>

vpn ipsec downloader
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

VPN downloader configuration

vpn ipsec downloader local-address <ipv4|ipv6>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Local IP address to use as source for strongSwan downloads

Values:
  • ipv4 – Local IPv4 address

  • ipv6 – Local IPv6 address

vpn ipsec downloader local-interface <ifc>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • ifc – Interface to use as source for strongSwan downloads

vpn ipsec downloader local-vrf <id>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

VRF to use as source for strongSwan downloads

Reference:

system vrf <id>

vpn ipsec esp-group <id>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • id – Name of Encapsulating Security Payload (ESP) group

Instances:

Multiple

vpn ipsec esp-group <id> compression
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

ESP compression

vpn ipsec esp-group <id> lifetime <u32>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

ESP lifetime

Values:
  • u32 – ESP lifetime (in seconds by default)

Instances:

Unique

vpn ipsec esp-group <id> lifetime <u32> MB
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

ESP lifetime expressed in megabytes

vpn ipsec esp-group <id> lifetime <u32> packets
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

ESP lifetime expressed in packets

vpn ipsec esp-group <id> lifetime <u32> seconds
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

ESP lifetime expressed in seconds

vpn ipsec esp-group <id> mark-in <u32|txt>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Set an XFRM mark on the inbound policy

Values:
  • unique – Use a unique mark for each tunnel

  • unique-dir – Use a unique mark for each tunnel and direction (in/out)

  • unique-only-nat – Use a unique mark for each tunnel when NAT is detected

  • same – Use the same mark for all tunnels

  • u32 – Mark value

vpn ipsec esp-group <id> mark-out <u32|txt>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Set an XFRM mark on the outbound IPsec SA and policy

Values:
  • unique – Use a unique mark for each tunnel

  • unique-dir – Use a unique mark for each tunnel and direction (in/out)

  • unique-only-nat – Use a unique mark for each tunnel when NAT is detected

  • same – Use the same mark for all tunnels

  • u32 – Mark value

vpn ipsec esp-group <id> mode <id>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • id – ESP mode

vpn ipsec esp-group <id> proposal <u32>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

ESP-group proposal [REQUIRED]

Values:
  • u32 – ESP-group proposal number (1-65535)

Instances:

Multiple

vpn ipsec esp-group <id> proposal <u32> encryption <id>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • id – Encryption algorithm

vpn ipsec esp-group <id> proposal <u32> hash <id>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • id – Hash algorithm

vpn ipsec esp-group <id> proposal <u32> pfs <id>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • id – ESP Perfect Forward Secrecy

vpn ipsec esp-group <id> replay-window <u32>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Replay Window Value

Values:
  • u32 – Replay Window Value (0-32)

vpn ipsec esp-group <id> vrf-mark-in <id>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Set an XFRM mark on the inbound policy using a VRF

Reference:

system vrf <id>

vpn ipsec esp-group <id> vrf-mark-out <id>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Set an XFRM mark on the outbound IPsec SA and policy using a VRF

Reference:

system vrf <id>

vpn ipsec ike-group <id>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • id – Name of Internet Key Exchange (IKE) group

Instances:

Multiple

vpn ipsec ike-group <id> dead-peer-detection
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Dead Peer Detection (DPD)

vpn ipsec ike-group <id> dead-peer-detection action <id>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Keep-alive failure action

Values:
  • clear – Set action to clear

  • restart – Set action to restart

  • trap – Set action to trap

vpn ipsec ike-group <id> dead-peer-detection interval <u32>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Keep-alive interval

Values:
  • u32 – Keep-alive interval in seconds (1-86400)

vpn ipsec ike-group <id> dead-peer-detection timeout <u32>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Keep-alive timeout

Values:
  • u32 – Keep-alive timeout in seconds (1-86400)

vpn ipsec ike-group <id> ikev2-reauth
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Re-authentication of the remote peer during an IKE re-key. IKEv2 option only.

vpn ipsec ike-group <id> key-exchange <id>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • id – Key Exchange Version

vpn ipsec ike-group <id> lifetime <u32>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

IKE lifetime

Values:
  • u32 – IKE lifetime in seconds (30-86400)

vpn ipsec ike-group <id> mobike
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Enable MOBIKE Support. MOBIKE is only available for IKEv2.

vpn ipsec ike-group <id> mode <id>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

IKEv1 Phase 1 Mode Selection

Values:
  • main – Use Main mode for key exchanges in the IKEv1 protocol (recommended default)

  • aggressive – Use Aggressive mode for key exchanges in the IKEv1 protocol. Aggressive mode is not recommended, as it is considerably less secure than Main mode.

vpn ipsec ike-group <id> proposal <u32>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

IKE-group proposal [REQUIRED]

Values:
  • u32 – IKE-group proposal (1-65535)

Instances:

Multiple

vpn ipsec ike-group <id> proposal <u32> dh-group <u32>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • u32 – Diffie-Hellman (DH) key exchange group

vpn ipsec ike-group <id> proposal <u32> encryption <id>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • id – Encryption algorithm

vpn ipsec ike-group <id> proposal <u32> hash <id>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • id – Hash algorithm

vpn ipsec interface <ifc>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Network interfaces that should be used by IPSec. All other interfaces are ignored.

Values:
  • ifc – IPSec interface

Instances:

Multiple

vpn ipsec logging
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

IPsec logging

vpn ipsec logging log-types
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Select log type

vpn ipsec logging log-types any
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Apply log level to all existing types.

vpn ipsec logging log-types any log-level <txt>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • txt – VPN Logger Verbosity Level

vpn ipsec logging log-types type <txt>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Apply to a specific log type. To see what each log type exactly does, refer to the VPN documentation.

Values:
  • dmn – Debug log option for VPN

  • mgr – Debug log option for VPN

  • ike – Debug log option for VPN

  • chd – Debug log option for VPN

  • job – Debug log option for VPN

  • cfg – Debug log option for VPN

  • knl – Debug log option for VPN

  • net – Debug log option for VPN

  • asn – Debug log option for VPN

  • enc – Debug log option for VPN

  • lib – Debug log option for VPN

  • esp – Debug log option for VPN

  • tls – Debug log option for VPN

  • tnc – Debug log option for VPN

  • imc – Debug log option for VPN

  • imv – Debug log option for VPN

  • pts – Debug log option for VPN

Instances:

Multiple

vpn ipsec logging log-types type <txt> log-level <id>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • id – VPN Logger Verbosity Level

vpn ipsec pool <id>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • id – Name of Remote Address pool

Instances:

Unique

vpn ipsec pool <id> prefix <ipv4net|ipv6net>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • ipv4net – Remote IPv4 prefix

  • ipv6net – Remote IPv6 prefix

vpn ipsec pool <id> range
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Remote IPv4 or IPv6 range

vpn ipsec pool <id> range first-address <ipv4|ipv6>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • ipv4 – First IPv4 address of the pool range

  • ipv6 – First IPv6 address of the pool range

vpn ipsec pool <id> range last-address <ipv4|ipv6>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • ipv4 – Last IPv4 address of the pool range

  • ipv6 – Last IPv6 address of the pool range

vpn ipsec radius
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

IPSec RADIUS based authentication settings

Required:

system aaa list <id>

vpn ipsec radius accounting
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Enable RADIUS accounting

vpn ipsec radius authentication-list <id>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

VPN type list to use when authenticating

Choose the VPN list that will be used when an external user tries to authenticate. Lists can be set up with the “system aaa list” command.

Reference:

system aaa list <id>

vpn ipsec radius dae
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Dynamic Authorization Extension (DAE) options

Required:

vpn ipsec radius dae encrypted-secret <password>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • password – Encrypted secret

vpn ipsec radius dae listen-address <ipv4|ipv6>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Address on which to listen for DAE messages

Values:
  • ipv4 – IPv4 listen address

  • ipv6 – IPv6 listen address

vpn ipsec radius dae port <u32>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Port to listen for requests

Values:
  • u32 – Numeric IP port (1-65535)

vpn ipsec radius dae secret <txt>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • txt

    Shared secret used to verify/sign DAE messages

    Allowed characters for the shared secret: alphanumeric characters a-z A-Z 0-9 and the special characters - + & ! @ # $ % ^ * ( ) , . : _ Enclosing the shared secret in single quotes (') is recommended; if it contains special characters, single quotes are mandatory.
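The same character rules apply to every secret in this reference: the local and remote pre-shared secrets, the EAP and XAUTH secrets, the private-key and PKCS#12 passphrases, the arbitrary “secrets” entries and the DAE shared secret above. The Python helper below is added here as an illustration and is not part of the router software. It checks a candidate value against the allowed character set (the percent sign is taken as one literal “%”), reports whether single quotes are mandatory, renders the value as it should be typed, and generates a random PSK that stays inside the allowed alphabet so that the quoting rule can never be violated by accident.

```python
"""Checks for CLI secrets (PSKs, EAP/XAUTH secrets, key and PKCS#12 passphrases,
the DAE shared secret) against the character rules stated in this reference.

Added example, not part of the router software. The character set and the
single-quote rule come from the reference; the PSK generator is an addition.
"""
import math
import secrets
import string
from typing import List

ALPHANUMERIC = frozenset(string.ascii_letters + string.digits)
# Special characters the reference allows; the percent sign is one literal '%'.
SPECIAL = frozenset("-+&!@#$%^*(),.:_")
ALLOWED = ALPHANUMERIC | SPECIAL


def check_secret(value: str) -> List[str]:
    """Return the problems found; an empty list means the value is acceptable."""
    problems: List[str] = []
    if not value:
        problems.append("secret is empty")
    disallowed = sorted({c for c in value if c not in ALLOWED})
    if disallowed:
        problems.append("disallowed characters: " + " ".join(repr(c) for c in disallowed))
    return problems


def quotes_required(value: str) -> bool:
    """Single quotes are mandatory when any special character is present."""
    return any(c in SPECIAL for c in value)


def cli_literal(value: str) -> str:
    """Render the value as it should be typed: always single-quoted, which is
    recommended for every secret and required when special characters appear.
    The quote character itself is not in the allowed set, so no escaping is needed."""
    problems = check_secret(value)
    if problems:
        raise ValueError("; ".join(problems))
    return f"'{value}'"


def generate_psk(length: int = 32) -> str:
    """Generate a random PSK from the allowed alphabet using a CSPRNG."""
    alphabet = sorted(ALLOWED)
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int) -> float:
    """Entropy of a uniformly random string of this length over the allowed alphabet."""
    return length * math.log2(len(ALLOWED))


if __name__ == "__main__":
    sample = "aA1-&!@,.:_2Bb"           # the reference's own example value
    print(check_secret(sample), quotes_required(sample), cli_literal(sample))
    psk = generate_psk()
    print(cli_literal(psk), f"{entropy_bits(len(psk)):.0f} bits")
```

With 78 allowed characters a 32-character random PSK carries about 201 bits of entropy, so the restricted alphabet is not a weakness as long as the value is generated randomly rather than chosen by hand.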

vpn ipsec radius eap-start
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Send “EAP-Start” instead of “EAP-Identity” to start RADIUS conversation

vpn ipsec site-to-site
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Site to site VPN

vpn ipsec site-to-site peer <id>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • id – VPN peer

Instances:

Multiple

Required:

vpn ipsec auth-profile <id>

Required:

vpn ipsec ike-group <id>

vpn ipsec site-to-site peer <id> auth-profile <id>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

IPSec Authentication Profile

Reference:

vpn ipsec auth-profile <id>

vpn ipsec site-to-site peer <id> connection-type <id>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Connection type

Values:
  • initiate – This endpoint can initiate or respond to a connection

  • respond – This endpoint will only respond to a connection

  • on-demand – This endpoint will initiate a connection if matching traffic is detected

vpn ipsec site-to-site peer <id> default-esp-group <id>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Default ESP group name

Reference:

vpn ipsec esp-group <id>

vpn ipsec site-to-site peer <id> description <txt>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • txt – VPN peer description

vpn ipsec site-to-site peer <id> dhcp-interface <ifc>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • ifc – DHCP interface that supplies the local address to use for IKE communication

vpn ipsec site-to-site peer <id> force-encapsulation
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Force UDP Encapsulation for ESP Payloads

vpn ipsec site-to-site peer <id> ike-group <id>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Internet Key Exchange (IKE) group name

Reference:

vpn ipsec ike-group <id>

vpn ipsec site-to-site peer <id> install-vips
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Pull virtual IP addresses from remote

Required:

vpn ipsec site-to-site peer <id> install-vips address <ipv4>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • ipv4

    Request specific address(es)

    If not set, 0.0.0.0 will be used (i.e., it will accept any virtual IP)

Instances:

Multiple

vpn ipsec site-to-site peer <id> install-vips interface <ifc>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • ifc – Interface where VIPs should be installed

vpn ipsec site-to-site peer <id> local-address <ipv4|ipv6|fqdn|id>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Local address(es) to use for IKE communication

As initiator, the first non-range/non-subnet entry is used to initiate the connection. As the responder, the local destination address must match at least one of the specified addresses, subnets or ranges. FQDNs are resolved each time a configuration lookup is done. Finally, “magic” values can be placed here (such as “%any”).

Values:
  • ipv4 – IPv4 address of a local interface for VPN

  • ipv6 – IPv6 address of a local interface for VPN

  • fqdn – DNS domain name of the local interface

  • %any – Match any address specified as local interface

Instances:

Multiple

vpn ipsec site-to-site peer <id> local-vrf <id>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Bind to local Virtual Routing and Forwarding domain name

Reference:

system vrf <id>

vpn ipsec site-to-site peer <id> pool <id>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

List of VPN pools from which virtual IP addresses are allocated

This is only valid for responder configuration

Reference:

vpn ipsec pool <id>

Instances:

Multiple

vpn ipsec site-to-site peer <id> remote-address <ipv4|ipv6|fqdn|id>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Remote address(es) to use for IKE communication. Required to initiate a connection

As initiator, the first non-range/non-subnet entry is used to initiate the connection. As the responder, the local destination address must match at least one of the specified addresses, subnets or ranges. FQDNs are resolved each time a configuration lookup is done. Finally, “magic” values can be placed here (such as “%any”).

Values:
  • ipv4 – IPv4 address of peer

  • ipv6 – IPv6 address of peer

  • fqdn – DNS domain name of the peer

  • %any – Match any peer

Instances:

Multiple
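
The initiator and responder address handling described under local-address and remote-address above, as an added Python example that is not part of the device documentation. It assumes a “lo-hi” notation for address ranges, uses a dictionary in place of DNS resolution, and treats %any on the initiator side as leaving the source address to routing (all three are assumptions of the example).

```python
import ipaddress
# Added example, not from the device docs; the "lo-hi" range notation is an assumption.

def parse_address_entry(entry):
    """Classify one entry as %any, subnet, range, single address or FQDN."""
    if entry == "%any":
        return "any", None
    if "/" in entry:
        return "subnet", ipaddress.ip_network(entry, strict=False)
    if "-" in entry:
        lo, _, hi = entry.partition("-")
        try:
            return "range", (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        except ValueError:
            pass  # a hostname such as vpn-gw.example.com also contains '-'
    try:
        return "address", ipaddress.ip_address(entry)
    except ValueError:
        return "fqdn", entry

def initiator_address(entries, resolve):
    """Initiator: first entry that is neither a range nor a subnet; FQDNs are
    resolved at lookup time. %any is skipped (assumed: routing picks the source)."""
    for entry in entries:
        kind, value = parse_address_entry(entry)
        if kind == "address":
            return value
        if kind == "fqdn" and resolve(value) is not None:
            return ipaddress.ip_address(resolve(value))
    return None

def responder_matches(entries, packet_address, resolve):
    """Responder: the packet address must match at least one configured entry."""
    addr = ipaddress.ip_address(packet_address)
    for entry in entries:
        kind, value = parse_address_entry(entry)
        if kind == "any" or (kind == "address" and value == addr):
            return True
        if kind == "subnet" and addr in value:  # False across IP versions
            return True
        if kind == "range" and value[0].version == addr.version:
            if value[0] <= addr <= value[1]:
                return True
        if kind == "fqdn" and resolve(value) is not None:
            if ipaddress.ip_address(resolve(value)) == addr:
                return True
    return False
# Constructed sample: a mixed address list and a dict standing in for DNS.
SAMPLE_ENTRIES = ["10.0.0.0/24", "198.51.100.1-198.51.100.9", "vpn-gw.example.com", "203.0.113.7"]
SAMPLE_DNS = {"vpn-gw.example.com": "192.0.2.10"}
```

With the sample list, the initiator skips the subnet and the range and uses the resolved FQDN, while the responder accepts 10.0.0.42 (subnet) and 198.51.100.5 (range) but rejects 198.51.100.50.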

vpn ipsec site-to-site peer <id> tunnel <u32>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • u32 – Peer tunnel

Instances:

Multiple

vpn ipsec site-to-site peer <id> tunnel <u32> disable
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Option to disable vpn tunnel

vpn ipsec site-to-site peer <id> tunnel <u32> esp-group <id>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

ESP group name

Reference:

vpn ipsec esp-group <id>

vpn ipsec site-to-site peer <id> tunnel <u32> install-routes <id>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Enable route installation for this tunnel

Reference:

system vrf <id>

vpn ipsec site-to-site peer <id> tunnel <u32> local
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Local parameters for interesting traffic

vpn ipsec site-to-site peer <id> tunnel <u32> local port <u32>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Any TCP or UDP port

Values:
  • u32 – Numeric IP port (1-32767)

  • u32 – Numeric IP port (60000-65535)

vpn ipsec site-to-site peer <id> tunnel <u32> local prefix <ipv4net|ipv6net>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • ipv4net – Local IPv4 prefix

  • ipv6net – Local IPv6 prefix

Instances:

Multiple

vpn ipsec site-to-site peer <id> tunnel <u32> local-interface <ifc>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • ifc – Local interface to use in outbound IPSec policies

vpn ipsec site-to-site peer <id> tunnel <u32> local-vrf <id>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Local VRF to use in outbound IPSec policies

Reference:

system vrf <id>

vpn ipsec site-to-site peer <id> tunnel <u32> protocol <u32|id>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Protocol to encrypt

Values:
  • all – All protocols

  • u32 – IP protocol number (0-255)

  • ah – Authentication Header [RFC2402]

  • ax.25 – AX.25 frames

  • dccp – Datagram Congestion Control Prot. [RFC4340]

  • ddp – Datagram Delivery Protocol

  • egp – exterior gateway protocol

  • eigrp – Enhanced Interior Routing Protocol (Cisco)

  • encap – Yet Another IP encapsulation [RFC1241]

  • esp – Encap Security Payload [RFC2406]

  • etherip – Ethernet-within-IP Encapsulation [RFC3378]

  • fc – Fibre Channel

  • ggp – gateway-gateway protocol

  • gre – General Routing Encapsulation

  • hip – Host Identity Protocol

  • hmp – host monitoring protocol

  • hopopt – IPv6 Hop-by-Hop Option [RFC1883]

  • icmp – internet control message protocol

  • idpr-cmtp – IDPR Control Message Transport

  • idrp – Inter-Domain Routing Protocol

  • igmp – Internet Group Management

  • igp – any private interior gateway (Cisco)

  • ip – internet protocol, pseudo protocol number

  • ipcomp – IP Payload Compression Protocol

  • ipencap – IP encapsulated in IP (officially “IP”)

  • ipip – IP-within-IP Encapsulation Protocol

  • ipv6-frag – Fragment Header for IPv6

  • ipv6-icmp – ICMP for IPv6

  • ipv6-nonxt – No Next Header for IPv6

  • ipv6-opts – Destination Options for IPv6

  • ipv6-route – Routing Header for IPv6

  • ipv6 – Internet Protocol, version 6

  • isis – IS-IS over IPv4

  • iso-tp4 – ISO Transport Protocol class 4 [RFC905]

  • l2tp – Layer Two Tunneling Protocol [RFC2661]

  • manet – MANET Protocols [RFC5498]

  • mobility-header – Mobility Support for IPv6 [RFC3775]

  • mpls-in-ip – MPLS-in-IP [RFC4023]

  • ospf – Open Shortest Path First IGP

  • pim – Protocol Independent Multicast

  • pup – PARC universal packet protocol

  • rdp – “reliable datagram” protocol

  • rohc – Robust Header Compression

  • rspf – Radio Shortest Path First (officially CPHB)

  • rsvp – Reservation Protocol

  • sctp – Stream Control Transmission Protocol

  • shim6 – Shim6 Protocol [RFC5533]

  • skip – SKIP

  • st – ST datagram mode

  • tcp – transmission control protocol

  • udp – user datagram

  • udplite – UDP-Lite [RFC3828]

  • vmtp – Versatile Message Transport

  • vrrp – Virtual Router Redundancy Protocol [RFC5798]

  • wesp – Wrapped Encapsulating Security Payload

  • xns-idp – Xerox NS IDP

  • xtp – Xpress Transfer Protocol

vpn ipsec site-to-site peer <id> tunnel <u32> remote
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Remote parameters for interesting traffic

vpn ipsec site-to-site peer <id> tunnel <u32> remote port <u32>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Any TCP or UDP port

Values:
  • u32 – Numbered port (1-65535)

vpn ipsec site-to-site peer <id> tunnel <u32> remote prefix <ipv4net|ipv6net>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • ipv4net – Remote IPv4 prefix

  • ipv6net – Remote IPv6 prefix

Instances:

Multiple

vpn ipsec site-to-site peer <id> vti
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Virtual tunnel interface

vpn ipsec site-to-site peer <id> vti local
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Local parameters for interesting traffic

vpn ipsec site-to-site peer <id> vti local port <u32>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Any TCP or UDP port

Values:
  • u32 – Numeric IP port (1-32767)

  • u32 – Numeric IP port (60000-65535)

vpn ipsec site-to-site peer <id> vti local prefix <ipv4net|ipv6net>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • ipv4net – Local IPv4 prefix

  • ipv6net – Local IPv6 prefix

Instances:

Multiple

vpn ipsec site-to-site peer <id> vti protocol <u32|id>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Protocol to encrypt

Values:
  • all – All protocols

  • u32 – IP protocol number (0-255)

  • ah – Authentication Header [RFC2402]

  • ax.25 – AX.25 frames

  • dccp – Datagram Congestion Control Prot. [RFC4340]

  • ddp – Datagram Delivery Protocol

  • egp – exterior gateway protocol

  • eigrp – Enhanced Interior Routing Protocol (Cisco)

  • encap – Yet Another IP encapsulation [RFC1241]

  • esp – Encap Security Payload [RFC2406]

  • etherip – Ethernet-within-IP Encapsulation [RFC3378]

  • fc – Fibre Channel

  • ggp – gateway-gateway protocol

  • gre – General Routing Encapsulation

  • hip – Host Identity Protocol

  • hmp – host monitoring protocol

  • hopopt – IPv6 Hop-by-Hop Option [RFC1883]

  • icmp – internet control message protocol

  • idpr-cmtp – IDPR Control Message Transport

  • idrp – Inter-Domain Routing Protocol

  • igmp – Internet Group Management

  • igp – any private interior gateway (Cisco)

  • ip – internet protocol, pseudo protocol number

  • ipcomp – IP Payload Compression Protocol

  • ipencap – IP encapsulated in IP (officially “IP”)

  • ipip – IP-within-IP Encapsulation Protocol

  • ipv6-frag – Fragment Header for IPv6

  • ipv6-icmp – ICMP for IPv6

  • ipv6-nonxt – No Next Header for IPv6

  • ipv6-opts – Destination Options for IPv6

  • ipv6-route – Routing Header for IPv6

  • ipv6 – Internet Protocol, version 6

  • isis – IS-IS over IPv4

  • iso-tp4 – ISO Transport Protocol class 4 [RFC905]

  • l2tp – Layer Two Tunneling Protocol [RFC2661]

  • manet – MANET Protocols [RFC5498]

  • mobility-header – Mobility Support for IPv6 [RFC3775]

  • mpls-in-ip – MPLS-in-IP [RFC4023]

  • ospf – Open Shortest Path First IGP

  • pim – Protocol Independent Multicast

  • pup – PARC universal packet protocol

  • rdp – “reliable datagram” protocol

  • rohc – Robust Header Compression

  • rspf – Radio Shortest Path First (officially CPHB)

  • rsvp – Reservation Protocol

  • sctp – Stream Control Transmission Protocol

  • shim6 – Shim6 Protocol [RFC5533]

  • skip – SKIP

  • st – ST datagram mode

  • tcp – transmission control protocol

  • udp – user datagram

  • udplite – UDP-Lite [RFC3828]

  • vmtp – Versatile Message Transport

  • vrrp – Virtual Router Redundancy Protocol [RFC5798]

  • wesp – Wrapped Encapsulating Security Payload

  • xns-idp – Xerox NS IDP

  • xtp – Xpress Transfer Protocol

vpn ipsec site-to-site peer <id> vti remote
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Remote parameters for interesting traffic

vpn ipsec site-to-site peer <id> vti remote port <u32>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

Any TCP or UDP port

Values:
  • u32 – Numbered port (1-65535)

vpn ipsec site-to-site peer <id> vti remote prefix <ipv4net|ipv6net>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • ipv4net – Remote IPv4 prefix

  • ipv6net – Remote IPv6 prefix

Instances:

Multiple

vpn ipsec timers
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

VPN global timers

vpn ipsec timers ike-retransmission
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE

IKE retransmission timeouts

vpn ipsec timers ike-retransmission base <float>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • float – Base of exponential backoff

vpn ipsec timers ike-retransmission retries <u32>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • u32 – Number of retransmissions to send before giving up

vpn ipsec timers ike-retransmission timeout <float>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • float – Timeout in seconds
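
How the three retransmission values combine into the time after which an IKE exchange is abandoned, as an added Python example that is not from the device documentation. It assumes the device applies them the way strongSwan's charon does (the n-th retransmission waits timeout · base^n seconds); the default values used as sample input are strongSwan's, not values stated on this page.

```python
# Added example, not from the device docs. Assumes the three timers combine as in
# strongSwan's charon: the n-th retransmission waits timeout * base**n seconds.

def ike_retransmit_schedule(timeout=4.0, base=1.8, retries=5):
    """Return (attempt, wait, elapsed) for the initial send and each retransmission.
    The default arguments are strongSwan's documented defaults, used as sample input."""
    schedule, elapsed = [], 0.0
    for n in range(retries + 1):  # initial send plus `retries` retransmissions
        wait = timeout * base ** n
        elapsed += wait
        schedule.append((n, round(wait, 2), round(elapsed, 2)))
    return schedule

def ike_give_up_seconds(timeout=4.0, base=1.8, retries=5):
    """Seconds after the first message at which the exchange is abandoned, i.e. how
    long a dead peer keeps a tunnel in limbo before failover logic can react."""
    return ike_retransmit_schedule(timeout, base, retries)[-1][2]
```

With the sample defaults the waits grow 4.0, 7.2, 12.96, 23.33, 41.99, 75.58 seconds and the exchange is given up after roughly 165 seconds; lowering timeout, base or retries shortens that window at the cost of more retransmissions on lossy links.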

vpn ipsec triplets <id>
AresC640 Atlas840 M10-Smart M2 RS420 RXL15000 SDE
Values:
  • id

    Comma-separated list of values used in various authentication methods, such as EAP-SIM

    Triplets are used when performing EAP authentication via SIM or AKA methods. They have the form:
      <ID>,<ROUND1>,<SRES1>,<SIM-KC2>
      <ID>,<ROUND2>,<SRES2>,<SIM-KC2>
      <ID>,<ROUND3>,<SRES3>,<SIM-KC2>
    They are used for authenticating a user over several rounds based on SIM cards.

Instances:

Multiple