ipsec
- vpn ipsec
- Devices
VPN IP security (IPsec) parameters
- vpn ipsec auth-profile <id>
- Devices
IPSec Authentication Profile
- Values:
id – Name of the IPSec authentication profile
- Instances:
Multiple
- vpn ipsec auth-profile <id> global-secrets
- Devices
Global secrets for local/remote peers
- vpn ipsec auth-profile <id> global-secrets eap <id>
- Devices
EAP (Extensible Authentication Protocol) for local/remote peers
EAP-Identity to use in EAP-Identity exchange and the EAP method.
- Values:
id – EAP identifier used when authenticating
- Instances:
Multiple
- Required:
vpn ipsec auth-profile <id> global-secrets eap <id> encrypted-secret <password>
- vpn ipsec auth-profile <id> global-secrets eap <id> encrypted-secret <password>
- Devices
- Values:
password – Encrypted secret used by associated EAP identifier
- vpn ipsec auth-profile <id> global-secrets eap <id> secret <txt>
- Devices
Secret used by associated EAP identifier
Allowed characters for the secret are the alphanumeric characters a-z A-Z 0-9 and the special characters - + & ! @ # $ % ^ * ( ) , . : _ (no others). Enclosing the secret in single quotes is recommended; if the secret contains special characters, single quotes are required. Example usage: 'aA1-&!@,.:_2Bb'
- Values:
id – Secret used when authenticating
- vpn ipsec auth-profile <id> global-secrets ike-psk <id>
- Devices
IKE Pre-Shared Key for local/remote peers
- Values:
id – Specific identity to use
- Instances:
Multiple
- Required:
vpn ipsec auth-profile <id> global-secrets ike-psk <id> encrypted-secret <password>
- vpn ipsec auth-profile <id> global-secrets ike-psk <id> encrypted-secret <password>
- Devices
- Values:
password – Encrypted secret used by associated IKE Pre-Shared Key identifier
- vpn ipsec auth-profile <id> global-secrets ike-psk <id> secret <txt>
- Devices
Secret used by associated IKE Pre-Shared Key identifier
Allowed characters for the secret are the alphanumeric characters a-z A-Z 0-9 and the special characters - + & ! @ # $ % ^ * ( ) , . : _ (no others). Enclosing the pre-shared secret key in single quotes is recommended; if the secret contains special characters, single quotes are required. Example usage: 'aA1-&!@,.:_2Bb'
- Values:
id – Secret used when authenticating
- vpn ipsec auth-profile <id> global-secrets ppk <id>
- Devices
PPK (Post-Quantum Pre-Shared Key) for local/remote peers
The PPK (Post-Quantum Pre-Shared Key) identifier used for authentication.
- Values:
id – String identifying the Post-Quantum Pre-Shared Key to be used
- Instances:
Unique
- vpn ipsec auth-profile <id> global-secrets ppk <id> encrypted-secret <password>
- Devices
- Values:
password – Encrypted Post-Quantum Pre-Shared Key used by associated ID
- vpn ipsec auth-profile <id> global-secrets ppk <id> file <file>
- Devices
- Values:
file – File containing the Post-Quantum Pre-Shared Key (PPK) to use
- vpn ipsec auth-profile <id> global-secrets ppk <id> secret <txt>
- Devices
Post-Quantum Pre-Shared Key used by associated ID
Allowed characters for the secret are the alphanumeric characters a-z A-Z 0-9 and the special characters - + & ! @ # $ % ^ * ( ) , . : _ (no others). Enclosing the secret in single quotes is recommended; if the secret contains special characters, single quotes are required. Example usage: 'aA1-&!@,.:_2Bb'
- Values:
id – Secret used when authenticating
- vpn ipsec auth-profile <id> global-secrets xauth <id>
- Devices
XAUTH (Extended Authentication) for both peers
Client XAuth username used in the XAuth exchange.
- Values:
id – Client XAUTH username
- Instances:
Multiple
- Required:
vpn ipsec auth-profile <id> global-secrets xauth <id> encrypted-secret <password>
- vpn ipsec auth-profile <id> global-secrets xauth <id> encrypted-secret <password>
- Devices
- Values:
password – Encrypted secret used by associated XAUTH identifier
- vpn ipsec auth-profile <id> global-secrets xauth <id> secret <txt>
- Devices
Secret used by associated XAUTH identifier
Allowed characters for the secret are the alphanumeric characters a-z A-Z 0-9 and the special characters - + & ! @ # $ % ^ * ( ) , . : _ (no others). Enclosing the secret in single quotes is recommended; if the secret contains special characters, single quotes are required. Example usage: 'aA1-&!@,.:_2Bb'
- Values:
id – Secret used when authenticating
- vpn ipsec auth-profile <id> local
- Devices
Local (left) authentication configuration
- vpn ipsec auth-profile <id> local auth
- Devices
Authentication method locally used
When a peer authenticates against us (as a server), a local authentication method must be used. By default it is “pubkey” (key-pair certificates) and, if not specified, the system certificates are used for authentication. This ensures that we are who we say we are (that is, it prevents spoofing attacks). Another method uses a pre-shared key; although this is not as secure as X.509 certificates, it still allows server identification and serves the same purpose. Finally, EAP (Extensible Authentication Protocol) is also available, which authenticates users with a username/password.
- Instances:
Unique
- vpn ipsec auth-profile <id> local auth eap <id>
- Devices
EAP (Extensible Authentication Protocol) for local/remote peers
Specify which EAP secret ID to use for authentication. The actual secret must be defined in global-secrets/eap. Notice that strongSwan magic values can be used (for example, “%any”). For more information, please refer to the VPN documentation.
- Values:
id – EAP identifier/username/remote ID used when authenticating
- Instances:
Multiple
- vpn ipsec auth-profile <id> local auth eap <id> type <id>
- Devices
Type of EAP authentication to use. By default, it is guessed
Different kinds of EAP authentication mechanisms can be used during the identity exchange. By default, the EAP method is guessed during IKE negotiation, but you can manually specify which one must be used.
- Values:
mschapv2 – EAP-Microsoft Challenge Handshake Authentication Protocol version 2
tls – EAP-TLS protocol handler, to authenticate with certificates in EAP
ttls – EAP-TTLS protocol handler, wraps other EAP methods securely
md5 – EAP-MD5 protocol handler using passwords
- vpn ipsec auth-profile <id> local auth ike-psk
- Devices
IKE Pre-Shared Key for local/remote peers
- vpn ipsec auth-profile <id> local auth ike-psk id <txt>
- Devices
String identifying IKE Pre-Shared Key for local/remote peers
Specify which IKE Pre-Shared Key secret ID to use for local authentication. This is used for authenticating peers during IKE negotiation. For more information, refer to the VPN documentation.
- Values:
id – String identifying the IKE Pre-Shared Key to be used
- vpn ipsec auth-profile <id> local auth radius
- Devices
IPSec RADIUS based authentication
- vpn ipsec auth-profile <id> local ca-cert-file <file>
- Devices
- Values:
file – local CA certificate file
- Instances:
Multiple
- vpn ipsec auth-profile <id> local cert-file <file>
- Devices
- Values:
file – local certificate file
- vpn ipsec auth-profile <id> local cnm-certs
- Devices
Licenses
local Cloud Network Manager (CNM) certificates
- vpn ipsec auth-profile <id> local crl
- Devices
local Certificate Revocation List
- vpn ipsec auth-profile <id> local crl file <file>
- Devices
- Values:
file – Local CRL file
- vpn ipsec auth-profile <id> local crl revocation <id>
- Devices
Revocation mode
- Values:
relaxed – Authentication fails if the certificate is revoked
strict – Authentication fails if the certificate is revoked or if the CRL cannot be loaded/downloaded
- vpn ipsec auth-profile <id> local crl url <txt>
- Devices
- Values:
txt – CRL file HTTP download URL
This URL is fetched over HTTP first, before the CRL URL that may be defined within the peer certificate. If that fetch fails, the CRL URL defined within the peer certificate is used as a fallback.
- vpn ipsec auth-profile <id> local csr <id>
- Devices
local Certificate Signing Request instance (SCEP)
- Reference:
- vpn ipsec auth-profile <id> local id <id>
- Devices
Local subject DN or subjectAltName contained in the certificate
The local identity is what a peer expects to find when connecting using the RSA certificate for authentication. This can be an IP address, a hostname or a strongSwan “magic” variable (such as “%any”). Please refer to https://wiki.strongswan.org/projects/strongswan/wiki/IdentityParsing for more information.
- Values:
ipv4 – IPv4 address identity
ipv6 – IPv6 address identity
fqdn – Fully qualified domain name identity
%any – Accept any remote identity
id – Any other value matching Identity Parsing rules
- vpn ipsec auth-profile <id> local key
- Devices
local private key
- vpn ipsec auth-profile <id> local key encrypted-passphrase <password>
- Devices
- Values:
password – Encrypted passphrase
- vpn ipsec auth-profile <id> local key file <file>
- Devices
- Values:
file – Private key file
- vpn ipsec auth-profile <id> local key passphrase <txt>
- Devices
- Values:
txt – Passphrase for private key file
Allowed characters for the passphrase are the alphanumeric characters a-z A-Z 0-9 and the special characters - + & ! @ # $ % ^ * ( ) , . : _ (no others). Enclosing the passphrase in single quotes is recommended; if the passphrase contains special characters, single quotes are required. Example usage: 'aA1-&!@,.:_2Bb'
- vpn ipsec auth-profile <id> local pkcs12
- Devices
local PKCS#12
- vpn ipsec auth-profile <id> local pkcs12 encrypted-passphrase <password>
- Devices
- Values:
password – Encrypted passphrase
- vpn ipsec auth-profile <id> local pkcs12 file <file>
- Devices
- Values:
file – PKCS#12 file
- vpn ipsec auth-profile <id> local pkcs12 passphrase <txt>
- Devices
- Values:
txt – Passphrase of PKCS#12 file
Allowed characters for the passphrase are the alphanumeric characters a-z A-Z 0-9 and the special characters - + & ! @ # $ % ^ * ( ) , . : _ (no others). Enclosing the passphrase in single quotes is recommended; if the passphrase contains special characters, single quotes are required. Example usage: 'aA1-&!@,.:_2Bb'
- vpn ipsec auth-profile <id> local ppk
- Devices
PPK (Post-Quantum Pre-Shared Key) for local/remote peers
- vpn ipsec auth-profile <id> local ppk id <txt>
- Devices
String identifying PPK (Post-Quantum Pre-Shared Key) for local/remote peers
Specify which PPK (Post-Quantum Pre-Shared Key) secret ID to use for local authentication.
- Values:
id – String identifying the Post-Quantum Pre-Shared Key to be used
- vpn ipsec auth-profile <id> local ppk required
- Devices
Whether the PPK is required for the connection
- vpn ipsec auth-profile <id> local xauth
- Devices
XAUTH (Extended Authentication) for local peers
- vpn ipsec auth-profile <id> local xauth id <txt>
- Devices
String identifying XAUTH (Extended Authentication) secret to be used in local peers
Specify which XAUTH secret ID to use for local extended authentication. This is used for Phase II authentication in IKEv1. For more information, refer to the VPN documentation.
- Values:
id – String identifying the XAUTH secret to be used
- vpn ipsec auth-profile <id> mirror-config <bool>
- Devices
Mirror one authentication side into the other, if not defined
When defining an authentication side (local/remote), you can choose to define only one of them. By default, the configuration is mirrored into the missing side (only “auth”), respecting already existing data. This way, authentication profiles can be partially defined while still yielding a fully working VPN connection.
- Values:
true – The existing profile is mirrored into the non-existing one
false – No mirroring is done. Notice that you must define both of them individually
- vpn ipsec auth-profile <id> remote
- Devices
Remote (right) authentication configuration
- vpn ipsec auth-profile <id> remote auth
- Devices
Authentication method used by connecting peer
When a peer authenticates against us (as a server), a remote authentication method must be used. By default it is “pubkey” (key-pair certificates), which serves to identify the peer. Another method uses a pre-shared key, which must be shared between both ends before connecting. Finally, it is possible to authenticate using RADIUS, usually based on a username/password.
- Instances:
Unique
- vpn ipsec auth-profile <id> remote auth eap <id>
- Devices
EAP (Extensible Authentication Protocol) for local/remote peers
Specify which EAP secret ID to use for authentication. The actual secret must be defined in global-secrets/eap. Notice that strongSwan magic values can be used (for example, “%any”). For more information, please refer to the VPN documentation.
- Values:
id – EAP identifier/username/remote ID used when authenticating
%any – Match any identity from configured secrets
type – Supported types are rfc822, email, userfqdn, fqdn, dns, asn1dn, and keyid. A regex starts with a caret (^) and ends with a dollar sign ($), for example “email:^.*@teldat.com$”. Regular expressions can only be used to match remote identities, not as local identities. (<regex>)
- Instances:
Multiple
- vpn ipsec auth-profile <id> remote auth eap <id> type <id>
- Devices
Type of EAP authentication to use. By default, it is guessed
Different kinds of EAP authentication mechanisms can be used during the identity exchange. By default, the EAP method is guessed during IKE negotiation, but you can manually specify which one must be used.
- Values:
mschapv2 – EAP-Microsoft Challenge Handshake Authentication Protocol version 2
tls – EAP-TLS protocol handler, to authenticate with certificates in EAP
ttls – EAP-TTLS protocol handler, wraps other EAP methods securely
md5 – EAP-MD5 protocol handler using passwords
- vpn ipsec auth-profile <id> remote auth ike-psk
- Devices
IKE Pre-Shared Key for local/remote peers
- vpn ipsec auth-profile <id> remote auth ike-psk id <txt>
- Devices
String identifying IKE Pre-Shared Key for local/remote peers
Specify which IKE Pre-Shared Key secret ID to use when authenticating remote peers. The strongSwan magic value “%any” can be used to match any remote peer identity. Avoid using “%any” for local authentication as it may cause unpredictable secret matching. This is used for authenticating peers during IKE negotiation. For more information, refer to the VPN documentation.
- Values:
id – String identifying the IKE Pre-Shared Key to be used
%any – Match any remote peer identity
type – Supported types are rfc822, email, userfqdn, fqdn, dns, asn1dn, and keyid. A regex starts with a caret (^) and ends with a dollar sign ($), for example “email:^.*@teldat.com$”. Regular expressions can only be used to match remote identities, not as local identities. (<regex>)
- vpn ipsec auth-profile <id> remote auth radius
- Devices
IPSec RADIUS based authentication
- vpn ipsec auth-profile <id> remote ca-cert-file <file>
- Devices
- Values:
file – remote CA certificate file
- Instances:
Multiple
- vpn ipsec auth-profile <id> remote cert-file <file>
- Devices
- Values:
file – remote certificate file
- vpn ipsec auth-profile <id> remote cnm-certs
- Devices
Licenses
remote Cloud Network Manager (CNM) certificates
- vpn ipsec auth-profile <id> remote crl
- Devices
remote Certificate Revocation List
- vpn ipsec auth-profile <id> remote crl file <file>
- Devices
- Values:
file – Local CRL file
- vpn ipsec auth-profile <id> remote crl revocation <id>
- Devices
Revocation mode
- Values:
relaxed – Authentication fails if the certificate is revoked
strict – Authentication fails if the certificate is revoked or if the CRL cannot be loaded/downloaded
- vpn ipsec auth-profile <id> remote crl url <txt>
- Devices
- Values:
txt – CRL file HTTP download URL
This URL is fetched over HTTP first, before the CRL URL that may be defined within the peer certificate. If that fetch fails, the CRL URL defined within the peer certificate is used as a fallback.
- vpn ipsec auth-profile <id> remote csr <id>
- Devices
remote Certificate Signing Request instance (SCEP)
- Reference:
- vpn ipsec auth-profile <id> remote id <id>
- Devices
Remote subject DN or subjectAltName contained in the certificate
The remote identity is what a peer expects to find when connecting using the RSA certificate for authentication. This can be an IP address, a hostname or a strongSwan “magic” variable (such as “%any”). Please refer to https://wiki.strongswan.org/projects/strongswan/wiki/IdentityParsing for more information.
- Values:
ipv4 – IPv4 address identity
ipv6 – IPv6 address identity
fqdn – Fully qualified domain name identity
%any – Accept any remote identity
id – Any other value matching Identity Parsing rules
- vpn ipsec auth-profile <id> remote key
- Devices
remote private key
- vpn ipsec auth-profile <id> remote key encrypted-passphrase <password>
- Devices
- Values:
password – Encrypted passphrase
- vpn ipsec auth-profile <id> remote key file <file>
- Devices
- Values:
file – Private key file
- vpn ipsec auth-profile <id> remote key passphrase <txt>
- Devices
- Values:
txt – Passphrase for private key file
Allowed characters for the passphrase are the alphanumeric characters a-z A-Z 0-9 and the special characters - + & ! @ # $ % ^ * ( ) , . : _ (no others). Enclosing the passphrase in single quotes is recommended; if the passphrase contains special characters, single quotes are required. Example usage: 'aA1-&!@,.:_2Bb'
- vpn ipsec auth-profile <id> remote pkcs12
- Devices
remote PKCS#12
- vpn ipsec auth-profile <id> remote pkcs12 encrypted-passphrase <password>
- Devices
- Values:
password – Encrypted passphrase
- vpn ipsec auth-profile <id> remote pkcs12 file <file>
- Devices
- Values:
file – PKCS#12 file
- vpn ipsec auth-profile <id> remote pkcs12 passphrase <txt>
- Devices
- Values:
txt – Passphrase of PKCS#12 file
Allowed characters for the passphrase are the alphanumeric characters a-z A-Z 0-9 and the special characters - + & ! @ # $ % ^ * ( ) , . : _ (no others). Enclosing the passphrase in single quotes is recommended; if the passphrase contains special characters, single quotes are required. Example usage: 'aA1-&!@,.:_2Bb'
- vpn ipsec auth-profile <id> remote ppk
- Devices
PPK (Post-Quantum Pre-Shared Key) for local/remote peers
- vpn ipsec auth-profile <id> remote ppk id <txt>
- Devices
String identifying PPK (Post-Quantum Pre-Shared Key) for local/remote peers
Specify which PPK (Post-Quantum Pre-Shared Key) secret ID to use when authenticating remote peers.
- Values:
id – String identifying the Post-Quantum Pre-Shared Key to be used
%any – Match any remote peer identity
regex – Match any identity that matches the given regular expression, such as *@teldat.com
- vpn ipsec auth-profile <id> remote ppk required
- Devices
Whether the PPK is required for the connection
- vpn ipsec auth-profile <id> remote xauth
- Devices
XAUTH (Extended Authentication) for remote peers
- Instances:
Unique
- vpn ipsec auth-profile <id> remote xauth id <txt>
- Devices
String identifying XAUTH (Extended Authentication) secret to be used in remote peers
Specify which XAUTH secret ID to use when authenticating remote peers with extended authentication. The actual secret must be defined in global-secrets/xauth. The strongSwan magic value “%any” can be used to match any remote peer identity. This is used for Phase II authentication in IKEv1. For more information, refer to the VPN documentation.
- Values:
id – String identifying the XAUTH secret to be used
%any – Match any remote peer identity
type – Supported types are rfc822, email, userfqdn, fqdn, dns, asn1dn, and keyid. A regex starts with a caret (^) and ends with a dollar sign ($), for example “email:^.*@teldat.com$”. Regular expressions can only be used to match remote identities, not as local identities. (<regex>)
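The remote-identity selectors described for the EAP, IKE pre-shared key and XAUTH entries above all follow the same rule: a plain value, the “%any” wildcard, or a typed, fully anchored regular expression such as “email:^.*@teldat.com$” that is only legal on the remote side. The following Python is an added illustration of that rule, not code from the reference or from the device; the grouping of email/rfc822/userfqdn and fqdn/dns into one identity class each is an assumption of the example (it mirrors how strongSwan parses those prefixes), and the sample identities are constructed.

```python
import re

# Identity-type prefixes the reference lists as supported in a selector.
SUPPORTED_TYPES = {"rfc822", "email", "userfqdn", "fqdn", "dns", "asn1dn", "keyid"}

# Assumed grouping of prefixes into identity classes (not stated on the page).
TYPE_CLASS = {
    "rfc822": "rfc822", "email": "rfc822", "userfqdn": "rfc822",
    "fqdn": "fqdn", "dns": "fqdn",
    "asn1dn": "asn1dn",
    "keyid": "keyid",
}


def parse_selector(selector: str) -> dict:
    """Classify a selector as wildcard, anchored typed regex, or literal.

    A regex selector must be "type:^...$": both anchors are mandatory so that
    "^.*@teldat.com$" cannot also match "alice@teldat.com.attacker.example".
    """
    if selector == "%any":
        return {"kind": "any"}
    prefix, sep, rest = selector.partition(":")
    if sep and prefix in SUPPORTED_TYPES:
        if rest.startswith("^"):
            if not rest.endswith("$"):
                raise ValueError(f"regex selector must end with '$': {selector!r}")
            try:
                compiled = re.compile(rest)
            except re.error as exc:
                raise ValueError(f"invalid regex in selector {selector!r}: {exc}") from exc
            return {"kind": "regex", "type": TYPE_CLASS[prefix], "regex": compiled}
        # Typed literal, e.g. "fqdn:vpn.example.net"
        return {"kind": "literal", "type": TYPE_CLASS[prefix], "value": rest}
    # Untyped literal: compared by value only
    return {"kind": "literal", "type": None, "value": selector}


def matches(selector: str, id_type: str, id_value: str) -> bool:
    """Decide whether a peer identity (type, value) is selected by `selector`."""
    sel = parse_selector(selector)
    if sel["kind"] == "any":
        return True
    if sel["type"] is not None and TYPE_CLASS.get(id_type) != sel["type"]:
        return False
    if sel["kind"] == "regex":
        return sel["regex"].fullmatch(id_value) is not None
    return sel["value"] == id_value


def valid_for_side(selector: str, side: str) -> bool:
    """Regex selectors are only allowed for remote identities, per the reference."""
    if side not in ("local", "remote"):
        raise ValueError(f"unknown side {side!r}")
    return not (side == "local" and parse_selector(selector)["kind"] == "regex")


if __name__ == "__main__":
    # Constructed identities, used only to exercise the matcher
    sel = "email:^.*@teldat.com$"
    for ident in ("alice@teldat.com", "alice@teldat.com.attacker.example", "bob@example.com"):
        print(f"{sel} vs {ident}: {matches(sel, 'email', ident)}")
```

The anchoring check is the part worth keeping in mind when writing such selectors by hand: without the trailing “$” a pattern like “^.*@teldat.com” would accept any identity that merely starts with an address at that domain.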
- vpn ipsec auth-profile <id> remote xauth radius
- Devices
IPSec RADIUS based authentication
- vpn ipsec dmvpn-profile <id>
- Devices
Licenses
DMVPN IPSec Profile
- Values:
id – Name of the DMVPN IPSec profile
- Instances:
Multiple
- Required:
- vpn ipsec dmvpn-profile <id> auth-profile <id>
- Devices
Licenses
IPSec Authentication Profile
- Reference:
- vpn ipsec dmvpn-profile <id> esp-group <id>
- Devices
Licenses
Esp group name
- Reference:
- vpn ipsec dmvpn-profile <id> ike-group <id>
- Devices
Licenses
Ike group name
- Reference:
- vpn ipsec dmvpn-profile <id> unique <id>
- Devices
Licenses
Peer uniqueness policy to enforce when the same identity establishes a new SA
- Values:
never – No uniqueness enforcement. Ignores even INITIAL_CONTACT notifications from the peer. Allows duplicate SAs without restriction
no – Does not proactively check for duplicates, but does delete existing SAs if the peer sends INITIAL_CONTACT. Relies on the peer notifying the reconnection (default)
replace – Proactively checks for duplicates when a new SA is established. If a duplicate is found, destroys the old one and accepts the new one. Also reacts to INITIAL_CONTACT
keep – Proactively checks for duplicates. If a duplicate is found from a different IP, rejects the new connection and keeps the existing one. If the new peer sends INITIAL_CONTACT, the existing SA will be replaced regardless
- vpn ipsec downloader
- Devices
VPN downloader configuration
- vpn ipsec downloader local-address <ipv4|ipv6>
- Devices
Local IP address to use as source for strongSwan downloads
- Values:
ipv4 – Local IPv4 address
ipv6 – Local IPv6 address
- Local IP address:
- vpn ipsec downloader local-interface <ifc>
- Devices
- Values:
ifc – Interface to use as source for strongSwan downloads
- vpn ipsec downloader local-vrf <id>
- Devices
VRF to use as source for strongSwan downloads
- Reference:
- vpn ipsec esp-group <id>
- Devices
- Values:
id – Name of Encapsulating Security Payload (ESP) group
- Instances:
Multiple
- vpn ipsec esp-group <id> compression
- Devices
ESP compression
- vpn ipsec esp-group <id> lifetime <u32>
- Devices
ESP lifetime
- Values:
u32 – ESP lifetime (in seconds by default)
- Instances:
Unique
- vpn ipsec esp-group <id> lifetime <u32> MB
- Devices
ESP lifetime to be in megabytes
- vpn ipsec esp-group <id> lifetime <u32> packets
- Devices
ESP lifetime to be in packets
- vpn ipsec esp-group <id> lifetime <u32> seconds
- Devices
ESP lifetime to be in seconds
- vpn ipsec esp-group <id> mark-in <u32|txt>
- Devices
Set an XFRM mark on the inbound policy
- Values:
unique – Use a unique mark for each tunnel
unique-dir – Use a unique mark for each tunnel and direction (in/out)
unique-only-nat – Use a unique mark for each tunnel when NAT is detected
same – Use the same mark for all tunnels
u32 – Mark value
- vpn ipsec esp-group <id> mark-out <u32|txt>
- Devices
Set an XFRM mark on the outbound IPsec SA and policy
- Values:
unique – Use a unique mark for each tunnel
unique-dir – Use a unique mark for each tunnel and direction (in/out)
unique-only-nat – Use a unique mark for each tunnel when NAT is detected
same – Use the same mark for all tunnels
u32 – Mark value
- vpn ipsec esp-group <id> mode <id>
- Devices
- Values:
id – ESP mode
- vpn ipsec esp-group <id> proposal <u32>
- Devices
ESP-group proposal [REQUIRED]
- Values:
u32 – ESP-group proposal number (1-65535)
- Instances:
Multiple
- vpn ipsec esp-group <id> proposal <u32> encryption <id>
- Devices
- Values:
id – Encryption algorithm
- vpn ipsec esp-group <id> proposal <u32> hash <id>
- Devices
- Values:
id – Hash algorithm
- vpn ipsec esp-group <id> proposal <u32> pfs <id>
- Devices
- Values:
id – ESP Perfect Forward Secrecy
- vpn ipsec esp-group <id> replay-window <u32>
- Devices
Replay Window Value
- Values:
u32 – Replay Window Value (0-32)
- vpn ipsec esp-group <id> vrf-mark-in <id>
- Devices
Set an XFRM mark on the inbound policy using a VRF
- Reference:
- vpn ipsec esp-group <id> vrf-mark-out <id>
- Devices
Set an XFRM mark on the outbound IPsec SA and policy using a VRF
- Reference:
- vpn ipsec ike-group <id>
- Devices
- Values:
id – Name of Internet Key Exchange (IKE) group
- Instances:
Multiple
- vpn ipsec ike-group <id> dead-peer-detection
- Devices
Dead Peer Detection (DPD)
- vpn ipsec ike-group <id> dead-peer-detection action <id>
- Devices
Keep-alive failure action
- Values:
clear – Set action to clear
restart – Set action to restart
trap – Set action to trap
- vpn ipsec ike-group <id> dead-peer-detection interval <u32>
- Devices
Keep-alive interval
- Values:
u32 – Keep-alive interval in seconds (1-86400)
- vpn ipsec ike-group <id> dead-peer-detection timeout <u32>
- Devices
Keep-alive timeout
- Values:
u32 – Keep-alive timeout in seconds (1-86400)
- vpn ipsec ike-group <id> ikev2-reauth
- Devices
Re-authentication of the remote peer during an IKE re-key. IKEv2 option only
- vpn ipsec ike-group <id> key-exchange <id>
- Devices
- Values:
id – Key Exchange Version
- vpn ipsec ike-group <id> lifetime <u32>
- Devices
IKE lifetime
- Values:
u32 – IKE lifetime in seconds (30-4294967295)
- vpn ipsec ike-group <id> mobike
- Devices
Enable MOBIKE Support. MOBIKE is only available for IKEv2.
- vpn ipsec ike-group <id> mode <id>
- Devices
IKEv1 Phase 1 Mode Selection
- Values:
main – Use Main mode for Key Exchanges in the IKEv1 Protocol (Recommended Default)
aggressive – Use Aggressive mode for Key Exchanges in the IKEv1 protocol. We do not recommend Aggressive mode, as it is much less secure than Main mode.
- vpn ipsec ike-group <id> proposal <u32>
- Devices
IKE-group proposal [REQUIRED]
- Values:
u32 – IKE-group proposal (1-65535)
- Instances:
Multiple
- vpn ipsec ike-group <id> proposal <u32> dh-group <id>
- Devices
- Values:
id – Diffie-Hellman (DH) key exchange group
- vpn ipsec ike-group <id> proposal <u32> encryption <id>
- Devices
- Values:
id – Encryption algorithm
- vpn ipsec ike-group <id> proposal <u32> hash <id>
- Devices
- Values:
id – Hash algorithm
- vpn ipsec interface <ifc>
- Devices
Network interfaces that should be used by IPSec. All other interfaces are ignored.
- Values:
txt – IPSec interface
- Instances:
Multiple
- vpn ipsec logging
- Devices
IPsec logging
- vpn ipsec logging log-types
- Devices
Select log type
- vpn ipsec logging log-types any
- Devices
Apply log level to all existing types.
- vpn ipsec logging log-types any log-level <txt>
- Devices
- Values:
txt – VPN Logger Verbosity Level
- vpn ipsec logging log-types type <txt>
- Devices
Apply to a specific log type. To see what each log type exactly does, please refer to the VPN documentation
- Values:
dmn – Debug log option for VPN
mgr – Debug log option for VPN
ike – Debug log option for VPN
chd – Debug log option for VPN
job – Debug log option for VPN
cfg – Debug log option for VPN
knl – Debug log option for VPN
net – Debug log option for VPN
asn – Debug log option for VPN
enc – Debug log option for VPN
lib – Debug log option for VPN
esp – Debug log option for VPN
tls – Debug log option for VPN
tnc – Debug log option for VPN
imc – Debug log option for VPN
imv – Debug log option for VPN
pts – Debug log option for VPN
- Instances:
Multiple
- vpn ipsec logging log-types type <txt> log-level <id>
- Devices
- Values:
id – VPN Logger Verbosity Level
- vpn ipsec pool <id>
- Devices
- Values:
id – Name of Remote Address pool
- Instances:
Unique
- vpn ipsec pool <id> prefix <ipv4net|ipv6net>
- Devices
- Values:
ipv4net – Remote IPv4 prefix
ipv6net – Remote IPv6 prefix
- vpn ipsec pool <id> range
- Devices
Remote IPv4 or IPv6 range
- vpn ipsec pool <id> range first-address <ipv4|ipv6>
- Devices
- Values:
ipv4 – First IPv4 address of the pool range
ipv6 – First IPv6 address of the pool range
- vpn ipsec pool <id> range last-address <ipv4|ipv6>
- Devices
- Values:
ipv4 – Last IPv4 address of the pool range
ipv6 – Last IPv6 address of the pool range
- vpn ipsec radius
- Devices
IPSec RADIUS based authentication settings
- Required:
- vpn ipsec radius accounting
- Devices
Enable RADIUS accounting
- vpn ipsec radius authentication-list <id>
- Devices
VPN type list to use when authenticating
Choose the VPN list that will be used when an external user tries to authenticate. Lists can be set-up with “system aaa list” command
- Reference:
- vpn ipsec radius dae
- Devices
Dynamic Authorization Extension (DAE) options
- vpn ipsec radius dae encrypted-secret <password>
- Devices
- Values:
password – Encrypted secret
- vpn ipsec radius dae listen-address <ipv4|ipv6>
- Devices
Listen address to listen to DAE messages
- Values:
ipv4 – IPv4 listen address
ipv6 – IPv6 listen address
- Local IP address:
- vpn ipsec radius dae port <u32>
- Devices
Port to listen for requests
- Values:
u32 – Numeric IP port (1-65535)
- vpn ipsec radius dae secret <txt>
- Devices
- Values:
txt – Shared secret used to verify/sign DAE messages
Allowed characters for the shared secret are the alphanumeric characters a-z A-Z 0-9 and the special characters - + & ! @ # $ % ^ * ( ) , . : _ (no others). Enclosing the shared secret in single quotes (') is recommended; if special characters are used, single quotes are mandatory.
- vpn ipsec radius eap-start
- Devices
Send “EAP-Start” instead of “EAP-Identity” to start RADIUS conversation
- vpn ipsec site-to-site
- Devices
Site to site VPN
- vpn ipsec site-to-site peer <id>
- Devices
- Values:
id – VPN peer
- Instances:
Multiple
- Required:
- vpn ipsec site-to-site peer <id> auth-profile <id>
- Devices
IPSec Authentication Profile
- Reference:
- vpn ipsec site-to-site peer <id> connection-type <id>
- Devices
Connection type
- Values:
initiate – This endpoint can initiate or respond to a connection
respond – This endpoint will only respond to a connection
on-demand – This endpoint will initiate a connection if matching traffic is detected
- vpn ipsec site-to-site peer <id> default-esp-group <id>
- Devices
Default ESP group name
- Reference:
- vpn ipsec site-to-site peer <id> description <txt>
- Devices
- Values:
txt – VPN peer description
- vpn ipsec site-to-site peer <id> dhcp-interface <ifc>
- Devices
- Values:
ifc – DHCP interface that supplies the local address to use for IKE communication
- vpn ipsec site-to-site peer <id> force-encapsulation
- Devices
Force UDP Encapsulation for ESP Payloads
- vpn ipsec site-to-site peer <id> ike-group <id>
- Devices
Internet Key Exchange (IKE) group name
- Reference:
- vpn ipsec site-to-site peer <id> install-vips
- Devices
Pull virtual IP addresses from remote
- vpn ipsec site-to-site peer <id> install-vips address <ipv4>
- Devices
- Values:
ipv4 – Request specific address(es). If not set, 0.0.0.0 will be used (i.e., any virtual IP is accepted)
- Instances:
Multiple
- vpn ipsec site-to-site peer <id> install-vips interface <ifc>
- Devices
- Values:
ifc – Interface where VIPs should be installed
- vpn ipsec site-to-site peer <id> local-address <ipv4|ipv6|fqdn|id>
- Devices
Local address(es) to use for IKE communication
As initiator, the first non-range/non-subnet address is used to initiate the connection. As responder, the local destination address must match at least one of the specified addresses, subnets or ranges. FQDNs are resolved each time a configuration lookup is done. Finally, “magic” values (such as “%any”) can be placed here.
- Values:
ipv4 – IPv4 address of a local interface for VPN
ipv6 – IPv6 address of a local interface for VPN
fqdn – DNS domain name of the local interface
%any – Match any address specified as local interface
- Instances:
Multiple
- vpn ipsec site-to-site peer <id> local-vrf <id>
- Devices
Bind to local Virtual Routing and Forwarding domain name
- Reference:
- vpn ipsec site-to-site peer <id> pool <id>
- Devices
List of vpn pools to allocate virtual IP addresses
- Reference:
- Instances:
Multiple
- vpn ipsec site-to-site peer <id> remote-address <ipv4|ipv6|fqdn|id>
- Devices
Remote address(es) to use for IKE communication. Required to initiate a connection
As initiator, the first non-range/non-subnet address is used to initiate the connection. As responder, the remote peer's source address must match at least one of the specified addresses, subnets or ranges. FQDNs are resolved each time a configuration lookup is done. Finally, “magic” values (such as “%any”) can be placed here.
- Values:
ipv4 – IPv4 address of peer
ipv6 – IPv6 address of peer
fqdn – DNS domain name of the peer
%any – Match any peer
- Instances:
Multiple
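How the local-address and remote-address lists are interpreted, as an added example that is not part of this reference: as initiator the first non-range/non-subnet entry is used; as responder the packet's local destination is checked against local-address and the initiator's source against remote-address, each having to match an address, subnet, range or %any. The resolver callback for FQDNs, the range syntax "a-b" and the sample addresses are assumptions of the example.

```python
# Added example, not part of the reference: interpretation of the
# local-address / remote-address lists. Initiator: first entry that is neither
# a range nor a subnet. Responder: the packet's destination must match an entry
# of local-address and the initiator's source an entry of remote-address
# (literal address, subnet, "a-b" range, resolved FQDN, or %any). FQDNs are
# resolved through a caller-supplied function (assumption; the text only says
# they are resolved on every configuration lookup).
import ipaddress

MAGIC_ANY = "%any"


def classify(entry: str) -> str:
    """Return 'any', 'range', 'subnet', 'address' or 'fqdn' for one entry."""
    if entry == MAGIC_ANY:
        return "any"
    if "-" in entry:
        lo, hi = entry.split("-", 1)
        try:
            ipaddress.ip_address(lo)
            ipaddress.ip_address(hi)
            return "range"
        except ValueError:
            pass  # hyphenated hostname, fall through
    if "/" in entry:
        ipaddress.ip_network(entry, strict=False)  # raises on garbage
        return "subnet"
    try:
        ipaddress.ip_address(entry)
        return "address"
    except ValueError:
        return "fqdn"


def initiator_address(entries, resolve=None):
    """Address used to initiate: the first non-range/non-subnet entry.

    Returns None if the list only holds ranges/subnets (cannot initiate).
    %any is returned as-is; the stack then picks the address.
    """
    for entry in entries:
        kind = classify(entry)
        if kind in ("range", "subnet"):
            continue
        if kind == "fqdn":
            if resolve is None:
                raise ValueError(f"cannot resolve {entry!r} without a resolver")
            return resolve(entry)  # assumption: resolved at every lookup
        return entry
    return None


def matches(entries, addr, resolve=None):
    """Responder check: does addr match at least one entry of the list?"""
    ip = ipaddress.ip_address(addr)
    for entry in entries:
        kind = classify(entry)
        if kind == "any":
            return True
        if kind == "address" and ipaddress.ip_address(entry) == ip:
            return True
        if kind == "subnet" and ip in ipaddress.ip_network(entry, strict=False):
            return True
        if kind == "range":
            lo, hi = (ipaddress.ip_address(x) for x in entry.split("-", 1))
            if lo.version == ip.version and lo <= ip <= hi:
                return True
        if kind == "fqdn" and resolve is not None:
            if ipaddress.ip_address(resolve(entry)) == ip:
                return True
    return False


def responder_accepts(local_entries, remote_entries, dst, src, resolve=None):
    """An incoming IKE packet is accepted only if its destination matches
    local-address and its source matches remote-address."""
    return matches(local_entries, dst, resolve) and matches(remote_entries, src, resolve)


if __name__ == "__main__":
    # Constructed sample configuration (documentation prefixes).
    local = ["192.0.2.1"]
    remote = ["198.51.100.0/24", "203.0.113.7", "vpn.example.net"]
    dns = {"vpn.example.net": "203.0.113.9"}.get  # stand-in resolver
    print("initiate to:", initiator_address(remote, dns))
    print("accept from 198.51.100.20:",
          responder_accepts(local, remote, "192.0.2.1", "198.51.100.20"))
    print("accept from 192.0.2.99:",
          responder_accepts(local, remote, "192.0.2.1", "192.0.2.99"))
```

A subnet or range in remote-address therefore never makes the device initiate; it only widens what a responder accepts, and %any widens it to every peer, which is only appropriate when authentication (not the address list) is what identifies the peer.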
- vpn ipsec site-to-site peer <id> tunnel <u32>
- Devices
- Values:
u32 – Peer tunnel
- Instances:
Multiple
- vpn ipsec site-to-site peer <id> tunnel <u32> disable
- Devices
Option to disable vpn tunnel
- vpn ipsec site-to-site peer <id> tunnel <u32> esp-group <id>
- Devices
ESP group name
- Reference:
- vpn ipsec site-to-site peer <id> tunnel <u32> install-routes <id>
- Devices
Enable route installation for this tunnel
- Reference:
- vpn ipsec site-to-site peer <id> tunnel <u32> local
- Devices
Local parameters for interesting traffic
- vpn ipsec site-to-site peer <id> tunnel <u32> local port <u32>
- Devices
Any TCP or UDP port
- Values:
u32 – Numeric IP port (1-32767)
u32 – Numeric IP port (60000-65535)
- vpn ipsec site-to-site peer <id> tunnel <u32> local prefix <ipv4net|ipv6net>
- Devices
- Values:
ipv4net – Local IPv4 prefix
ipv6net – Local IPv6 prefix
- Instances:
Multiple
- vpn ipsec site-to-site peer <id> tunnel <u32> local-interface <ifc>
- Devices
- Values:
ifc – Local interface to use in outbound IPSec policies
- vpn ipsec site-to-site peer <id> tunnel <u32> local-vrf <id>
- Devices
Local VRF to use in outbound IPSec policies
- Reference:
- vpn ipsec site-to-site peer <id> tunnel <u32> protocol <u32|id>
- Devices
Protocol to encrypt
- Values:
all – All protocols
u32 – IP protocol number (0-255)
ah – Authentication Header [RFC2402]
ax.25 – AX.25 frames
dccp – Datagram Congestion Control Prot. [RFC4340]
ddp – Datagram Delivery Protocol
egp – exterior gateway protocol
eigrp – Enhanced Interior Routing Protocol (Cisco)
encap – Yet Another IP encapsulation [RFC1241]
esp – Encap Security Payload [RFC2406]
etherip – Ethernet-within-IP Encapsulation [RFC3378]
fc – Fibre Channel
ggp – gateway-gateway protocol
gre – General Routing Encapsulation
hip – Host Identity Protocol
hmp – host monitoring protocol
hopopt – IPv6 Hop-by-Hop Option [RFC1883]
icmp – internet control message protocol
idpr-cmtp – IDPR Control Message Transport
idrp – Inter-Domain Routing Protocol
igmp – Internet Group Management
igp – any private interior gateway (Cisco)
ip – internet protocol, pseudo protocol number
ipcomp – IP Payload Compression Protocol
ipencap – IP encapsulated in IP (officially "IP")
ipip – IP-within-IP Encapsulation Protocol
ipv6-frag – Fragment Header for IPv6
ipv6-icmp – ICMP for IPv6
ipv6-nonxt – No Next Header for IPv6
ipv6-opts – Destination Options for IPv6
ipv6-route – Routing Header for IPv6
ipv6 – Internet Protocol, version 6
isis – IS-IS over IPv4
iso-tp4 – ISO Transport Protocol class 4 [RFC905]
l2tp – Layer Two Tunneling Protocol [RFC2661]
manet – MANET Protocols [RFC5498]
mobility-header – Mobility Support for IPv6 [RFC3775]
mpls-in-ip – MPLS-in-IP [RFC4023]
ospf – Open Shortest Path First IGP
pim – Protocol Independent Multicast
pup – PARC universal packet protocol
rdp – “reliable datagram” protocol
rohc – Robust Header Compression
rspf – Radio Shortest Path First (officially CPHB)
rsvp – Reservation Protocol
sctp – Stream Control Transmission Protocol
shim6 – Shim6 Protocol [RFC5533]
skip – SKIP
st – ST datagram mode
tcp – transmission control protocol
udp – user datagram
udplite – UDP-Lite [RFC3828]
vmtp – Versatile Message Transport
vrrp – Virtual Router Redundancy Protocol [RFC5798]
wesp – Wrapped Encapsulating Security Payload
xns-idp – Xerox NS IDP
xtp – Xpress Transfer Protocol
- vpn ipsec site-to-site peer <id> tunnel <u32> remote
- Devices
Remote parameters for interesting traffic
- vpn ipsec site-to-site peer <id> tunnel <u32> remote port <u32>
- Devices
Any TCP or UDP port
- Values:
u32 – Numbered port (1-65535)
- vpn ipsec site-to-site peer <id> tunnel <u32> remote prefix <ipv4net|ipv6net>
- Devices
- Values:
ipv4net – Remote IPv4 prefix
ipv6net – Remote IPv6 prefix
- Instances:
Multiple
- vpn ipsec site-to-site peer <id> tunnel <u32> route-priority <u32>
- Devices
- Values:
u32 – Set the priority of the installed routes
- vpn ipsec site-to-site peer <id> tunnel <u32> xfrm-interface-in <txt>
- Devices
Inbound XFRM interface to install policies/SA on
- Reference:
- vpn ipsec site-to-site peer <id> tunnel <u32> xfrm-interface-out <txt>
- Devices
Outbound XFRM interface to install policies/SA on
- Reference:
- vpn ipsec site-to-site peer <id> unique <id>
- Devices
Peer uniqueness policy to enforce when the same identity establishes a new SA
- Values:
never – No uniqueness enforcement. Ignores even INITIAL_CONTACT notifications from the peer. Allows duplicate SAs without restriction
no – Does not proactively check for duplicates, but does delete existing SAs if the peer sends INITIAL_CONTACT. Relies on the peer notifying the reconnection (default)
replace – Proactively checks for duplicates when a new SA is established. If a duplicate is found, destroys the old one and accepts the new one. Also reacts to INITIAL_CONTACT
keep – Proactively checks for duplicates. If a duplicate is found from a different IP, rejects the new connection and keeps the existing one. If the new peer sends INITIAL_CONTACT, the existing SA will be replaced regardless
- vpn ipsec site-to-site peer <id> vti
- Devices
Virtual tunnel interface
- vpn ipsec site-to-site peer <id> vti local
- Devices
Local parameters for interesting traffic
- vpn ipsec site-to-site peer <id> vti local port <u32>
- Devices
Any TCP or UDP port
- Values:
u32 – Numeric IP port (1-32767)
u32 – Numeric IP port (60000-65535)
- vpn ipsec site-to-site peer <id> vti local prefix <ipv4net|ipv6net>
- Devices
- Values:
ipv4net – Local IPv4 prefix
ipv6net – Local IPv6 prefix
- Instances:
Multiple
- vpn ipsec site-to-site peer <id> vti protocol <u32|id>
- Devices
Protocol to encrypt
- Values:
all – All protocols
u32 – IP protocol number (0-255)
ah – Authentication Header [RFC2402]
ax.25 – AX.25 frames
dccp – Datagram Congestion Control Prot. [RFC4340]
ddp – Datagram Delivery Protocol
egp – exterior gateway protocol
eigrp – Enhanced Interior Routing Protocol (Cisco)
encap – Yet Another IP encapsulation [RFC1241]
esp – Encap Security Payload [RFC2406]
etherip – Ethernet-within-IP Encapsulation [RFC3378]
fc – Fibre Channel
ggp – gateway-gateway protocol
gre – General Routing Encapsulation
hip – Host Identity Protocol
hmp – host monitoring protocol
hopopt – IPv6 Hop-by-Hop Option [RFC1883]
icmp – internet control message protocol
idpr-cmtp – IDPR Control Message Transport
idrp – Inter-Domain Routing Protocol
igmp – Internet Group Management
igp – any private interior gateway (Cisco)
ip – internet protocol, pseudo protocol number
ipcomp – IP Payload Compression Protocol
ipencap – IP encapsulated in IP (officially "IP")
ipip – IP-within-IP Encapsulation Protocol
ipv6-frag – Fragment Header for IPv6
ipv6-icmp – ICMP for IPv6
ipv6-nonxt – No Next Header for IPv6
ipv6-opts – Destination Options for IPv6
ipv6-route – Routing Header for IPv6
ipv6 – Internet Protocol, version 6
isis – IS-IS over IPv4
iso-tp4 – ISO Transport Protocol class 4 [RFC905]
l2tp – Layer Two Tunneling Protocol [RFC2661]
manet – MANET Protocols [RFC5498]
mobility-header – Mobility Support for IPv6 [RFC3775]
mpls-in-ip – MPLS-in-IP [RFC4023]
ospf – Open Shortest Path First IGP
pim – Protocol Independent Multicast
pup – PARC universal packet protocol
rdp – “reliable datagram” protocol
rohc – Robust Header Compression
rspf – Radio Shortest Path First (officially CPHB)
rsvp – Reservation Protocol
sctp – Stream Control Transmission Protocol
shim6 – Shim6 Protocol [RFC5533]
skip – SKIP
st – ST datagram mode
tcp – transmission control protocol
udp – user datagram
udplite – UDP-Lite [RFC3828]
vmtp – Versatile Message Transport
vrrp – Virtual Router Redundancy Protocol [RFC5798]
wesp – Wrapped Encapsulating Security Payload
xns-idp – Xerox NS IDP
xtp – Xpress Transfer Protocol
- vpn ipsec site-to-site peer <id> vti remote
- Devices
Remote parameters for interesting traffic
- vpn ipsec site-to-site peer <id> vti remote port <u32>
- Devices
Any TCP or UDP port
- Values:
u32 – Numbered port (1-65535)
- vpn ipsec site-to-site peer <id> vti remote prefix <ipv4net|ipv6net>
- Devices
- Values:
ipv4net – Remote IPv4 prefix
ipv6net – Remote IPv6 prefix
- Instances:
Multiple
- vpn ipsec site-to-site peer <id> xfrm-interface-in <txt>
- Devices
Inbound XFRM interface on which this peer's policies/SAs are installed; a tunnel's own xfrm-interface-in overrides it
- Reference:
- vpn ipsec site-to-site peer <id> xfrm-interface-out <txt>
- Devices
Outbound XFRM interface on which this peer's policies/SAs are installed; a tunnel's own xfrm-interface-out overrides it
- Reference:
- vpn ipsec timers
- Devices
VPN global timers
- vpn ipsec timers ike-retransmission
- Devices
IKE retransmission timeouts
- vpn ipsec timers ike-retransmission base <float>
- Devices
- Values:
float – Base of exponential backoff
- vpn ipsec timers ike-retransmission retries <u32>
- Devices
- Values:
u32 – Number of retransmissions to send before giving up
- vpn ipsec timers ike-retransmission timeout <float>
- Devices
- Values:
float – Timeout in seconds
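The schedule that the three ike-retransmission timers produce, as an added example that is not part of this reference. It assumes the usual exponential backoff in which the n-th retransmission (n starting at 0) is sent after timeout * base^n seconds and the exchange is abandoned once retries retransmissions have gone unanswered; the figures it prints illustrate that formula, not any particular device.

```python
# Added example, not part of the reference: the IKE retransmission schedule
# implied by ike-retransmission timeout/base/retries. Assumption: the n-th
# retransmission (n starting at 0) is sent after timeout * base**n seconds and,
# once 'retries' retransmissions have gone unanswered, the exchange is dropped.

def retransmit_schedule(timeout: float, base: float, retries: int):
    """Seconds waited before each retransmission; the last entry is the wait
    after the final retransmission before the exchange is given up."""
    if timeout <= 0 or base < 1.0 or retries < 0:
        raise ValueError("need timeout > 0, base >= 1 and retries >= 0")
    return [round(timeout * base ** n, 2) for n in range(retries + 1)]


def time_to_give_up(timeout: float, base: float, retries: int) -> float:
    """Total seconds from the first send until an unreachable peer is declared
    dead; this is the delay a failover design has to budget for."""
    return round(sum(retransmit_schedule(timeout, base, retries)), 2)


def retries_for_deadline(deadline: float, timeout: float, base: float) -> int:
    """Largest 'retries' whose total stays within deadline seconds, or -1 if
    even the first timeout alone exceeds it."""
    retries = -1
    while time_to_give_up(timeout, base, retries + 1) <= deadline:
        retries += 1
    return retries


if __name__ == "__main__":
    for t, b, r in [(4.0, 1.8, 5), (2.0, 1.5, 3)]:   # constructed settings
        print(f"timeout={t} base={b} retries={r}: waits "
              f"{retransmit_schedule(t, b, r)} -> gives up after "
              f"{time_to_give_up(t, b, r)} s")
    print("retries keeping the total under 60 s at 4.0/1.8:",
          retries_for_deadline(60, 4.0, 1.8))
```

Shortening the schedule makes a dead peer visible sooner, but every wait also has to cover the link's real round-trip plus the peer's worst-case processing time, or a loaded but healthy peer is torn down as if it had failed.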
- vpn ipsec triplets <id>
- Devices
- Values:
id – Comma-separated list of values used in various authentication methods, such as EAP-SIM
Triplets are used when performing EAP authentication via SIM or AKA methods. Each triplet has the form <ID>,<RAND>,<SRES>,<SIM-KC>, where RAND is the challenge, SRES the signed response and SIM-KC the cipher key of one GSM authentication round, and an identity normally carries one triplet per round, e.g. <ID>,<RAND1>,<SRES1>,<SIM-KC1> <ID>,<RAND2>,<SRES2>,<SIM-KC2> <ID>,<RAND3>,<SRES3>,<SIM-KC3>. They are used to authenticate a user over several challenge/response rounds against the SIM.
- Instances:
Multiple
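A validator for the triplet list described above, as an added example that is not part of this reference. Each triplet is <ID>,<RAND>,<SRES>,<KC>; the field sizes are those of GSM (RAND 128 bit, SRES 32 bit, Kc 64 bit) and EAP-SIM (RFC 4186) consumes two or three triplets per authentication, each with a distinct RAND. Hex encoding of the values, whitespace between triplets and the sample data are assumptions of the example.

```python
# Added example, not part of the reference: validating the EAP-SIM triplet
# list. Each triplet is <ID>,<RAND>,<SRES>,<KC>; field sizes are GSM's (RAND
# 128 bit, SRES 32 bit, Kc 64 bit) and EAP-SIM (RFC 4186) uses two or three
# triplets per run, each with a distinct RAND. Hex encoding, whitespace
# between triplets and the SAMPLE data are assumptions of this example.
import re
from collections import defaultdict
from typing import Dict, List, Tuple

HEX_DIGITS = {"RAND": 32, "SRES": 8, "KC": 16}   # 128, 32 and 64 bits
_HEX = re.compile(r"^[0-9a-fA-F]+$")

Triplet = Tuple[str, str, str]


def parse_triplets(text: str) -> Dict[str, List[Triplet]]:
    """Group well-formed triplets by identity; raise ValueError on bad input."""
    by_id: Dict[str, List[Triplet]] = defaultdict(list)
    for token in text.split():
        parts = token.split(",")
        if len(parts) != 4:
            raise ValueError(f"expected <ID>,<RAND>,<SRES>,<KC>, got {token!r}")
        ident, *values = parts
        if not ident:
            raise ValueError(f"empty identity in {token!r}")
        for name, value in zip(("RAND", "SRES", "KC"), values):
            if not _HEX.match(value) or len(value) != HEX_DIGITS[name]:
                raise ValueError(
                    f"{name} for {ident}: need {HEX_DIGITS[name]} hex digits, got {value!r}")
        by_id[ident].append(tuple(v.lower() for v in values))
    return dict(by_id)


def problems(triplets: Dict[str, List[Triplet]]) -> Dict[str, List[str]]:
    """Per identity: why an EAP-SIM run could not (safely) use its triplets."""
    report: Dict[str, List[str]] = {}
    for ident, rows in triplets.items():
        issues = []
        if len(rows) < 2:
            issues.append(f"only {len(rows)} triplet(s); EAP-SIM needs 2 or 3")
        rands = [row[0] for row in rows]
        if len(set(rands)) != len(rands):
            issues.append("repeated RAND; every challenge in a run must differ")
        if issues:
            report[ident] = issues
    return report


SAMPLE = (  # constructed data, not real SIM material
    "001010123456789,00112233445566778899aabbccddeeff,deadbeef,0123456789abcdef "
    "001010123456789,ffeeddccbbaa99887766554433221100,cafebabe,fedcba9876543210 "
    "001010123456789,0f1e2d3c4b5a69788796a5b4c3d2e1f0,0badf00d,1122334455667788 "
    "001010987654321,00112233445566778899aabbccddeeff,deadbeef,0123456789abcdef"
)

if __name__ == "__main__":
    parsed = parse_triplets(SAMPLE)
    print({ident: len(rows) for ident, rows in parsed.items()})
    print(problems(parsed))
```

Triplets are long-lived authentication material for the subscriber, so the list belongs in the same handling class as the pre-shared keys above; the validator only checks shape and freshness of the challenges, it does not make weak triplets strong.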