ipsec
-----
.. osdx:cfgcmd:: vpn ipsec
.. raw:: html
AresC640
Atlas840
H5-Rail
M10-Smart
M2
M20
RS420
RXL15000
SDE
SDE-11k
VPN IP security (IPsec) parameters
.. osdx:cfgcmd:: vpn ipsec auth-profile
IPSec Authentication Profile
:arg id:
Name of the IPSec authentication profile
:instances: Multiple
.. osdx:cfgcmd:: vpn ipsec auth-profile global-secrets
Global secrets for local/remote peers
.. osdx:cfgcmd:: vpn ipsec auth-profile global-secrets eap
EAP (Extensible Authentication Protocol) for local/remote peers
EAP identity used in the EAP-Identity exchange, together with the EAP method.
:arg id:
EAP identifier used when authenticating
:instances: Multiple
:ref Required:
.. osdx:cfgcmd:: vpn ipsec auth-profile global-secrets eap encrypted-secret
:arg password:
Encrypted secret used by associated EAP identifier
.. osdx:cfgcmd:: vpn ipsec auth-profile global-secrets eap secret
Secret used by associated EAP identifier
The following characters may be used in the secret:
alphanumeric characters a-z A-Z 0-9
special characters - + & ! @ # $ % ^ * ( ) , . : _
Setting the secret inside single quotes is recommended. If the secret
contains special characters, single quotes are required.
Example usage: 'aA1-&!@,.:_2Bb'
:arg id:
Secret used when authenticating
.. osdx:cfgcmd:: vpn ipsec auth-profile global-secrets ike-psk
IKE Pre-Shared Key for local/remote peers
:arg id:
Specific identity to use
:instances: Multiple
:ref Required:
.. osdx:cfgcmd:: vpn ipsec auth-profile global-secrets ike-psk encrypted-secret
:arg password:
Encrypted secret used by associated IKE Pre-Shared Key identifier
.. osdx:cfgcmd:: vpn ipsec auth-profile global-secrets ike-psk secret
Secret used by associated IKE Pre-Shared Key identifier
The following characters may be used in the secret:
alphanumeric characters a-z A-Z 0-9
special characters - + & ! @ # $ % ^ * ( ) , . : _
Setting the secret inside single quotes is recommended. If the secret
contains special characters, single quotes are required.
Example usage: 'aA1-&!@,.:_2Bb'
:arg id:
Secret used when authenticating
.. osdx:cfgcmd:: vpn ipsec auth-profile global-secrets ppk
PPK (Post-Quantum Pre-Shared Key) for local/remote peers
The PPK (Post-Quantum Pre-Shared Key) identifier used for authentication.
:arg id:
String identifying the Post-Quantum Pre-Shared Key to be used
:instances: Unique
.. osdx:cfgcmd:: vpn ipsec auth-profile global-secrets ppk encrypted-secret
:arg password:
Encrypted Post-Quantum Pre-Shared Key used by associated ID
.. osdx:cfgcmd:: vpn ipsec auth-profile global-secrets ppk file
:arg file:
File containing the Post-Quantum Pre-Shared Key (PPK) to use
.. osdx:cfgcmd:: vpn ipsec auth-profile global-secrets ppk secret
Post-Quantum Pre-Shared Key used by associated ID
The following characters may be used in the secret:
alphanumeric characters a-z A-Z 0-9
special characters - + & ! @ # $ % ^ * ( ) , . : _
Setting the secret inside single quotes is recommended. If the secret
contains special characters, single quotes are required.
Example usage: 'aA1-&!@,.:_2Bb'
:arg id:
Secret used when authenticating
.. osdx:cfgcmd:: vpn ipsec auth-profile global-secrets xauth
XAUTH (Extended Authentication) for both peers
Client XAuth username used in the XAuth exchange.
:arg id:
Client XAUTH username
:instances: Multiple
:ref Required:
.. osdx:cfgcmd:: vpn ipsec auth-profile global-secrets xauth encrypted-secret
:arg password:
Encrypted secret used by associated XAUTH identifier
.. osdx:cfgcmd:: vpn ipsec auth-profile global-secrets xauth secret
Secret used by associated XAUTH identifier
The following characters may be used in the secret:
alphanumeric characters a-z A-Z 0-9
special characters - + & ! @ # $ % ^ * ( ) , . : _
Setting the secret inside single quotes is recommended. If the secret
contains special characters, single quotes are required.
Example usage: 'aA1-&!@,.:_2Bb'
:arg id:
Secret used when authenticating
.. osdx:cfgcmd:: vpn ipsec auth-profile local
Local (left) authentication configuration
.. osdx:cfgcmd:: vpn ipsec auth-profile local auth
Authentication method locally used
When a peer authenticates against us (as a server), a local authentication
method must be used. By default, it is "pubkey" (key-pair certificates), and
if no certificate is specified the system certificates are used. This proves
to the peer that we are who we claim to be, which prevents spoofing attacks.
Another method is a pre-shared key. Although this is not as secure as
X.509 certificates, it still allows server identification and serves the
same purpose. Finally, EAP (Extensible Authentication Protocol) is also
available, which authenticates users with a username/password.
:instances: Unique
.. osdx:cfgcmd:: vpn ipsec auth-profile local auth eap
EAP (Extensible Authentication Protocol) for local/remote peers
Specify which EAP secret ID to use for authentication.
The actual secret must be defined in global-secrets/eap.
Notice that strongSwan magic values can be used (for example, "%any").
For more information, please refer to the VPN documentation.
:arg id:
EAP identifier/username/remote ID used when authenticating
:instances: Multiple
.. osdx:cfgcmd:: vpn ipsec auth-profile local auth eap type
Type of EAP authentication to use. By default, it is guessed
Different kinds of EAP authentication mechanisms can be used during the identity
exchange. By default, the EAP method is guessed during IKE negotiation, but you
can manually specify which one must be used.
:arg mschapv2:
EAP-Microsoft Challenge Handshake Authentication Protocol version 2
:arg tls:
EAP-TLS protocol handler, to authenticate with certificates in EAP
:arg ttls:
EAP-TTLS protocol handler, wraps other EAP methods securely
:arg md5:
EAP-MD5 protocol handler using passwords
.. osdx:cfgcmd:: vpn ipsec auth-profile local auth ike-psk
IKE Pre-Shared Key for local/remote peers
.. osdx:cfgcmd:: vpn ipsec auth-profile local auth ike-psk id
String identifying IKE Pre-Shared Key for local/remote peers
Specify which IKE Pre-Shared Key secret ID to use for local authentication.
This is used for authenticating peers during IKE negotiation. For more information, refer to the VPN documentation.
:arg id:
String identifying the IKE Pre-Shared Key to be used
.. osdx:cfgcmd:: vpn ipsec auth-profile local auth radius
IPSec RADIUS based authentication
.. osdx:cfgcmd:: vpn ipsec auth-profile local ca-cert-file
:arg file:
local CA certificate file
:instances: Multiple
.. osdx:cfgcmd:: vpn ipsec auth-profile local cert-file
:arg file:
local certificate file
.. osdx:cfgcmd:: vpn ipsec auth-profile local cnm-certs
local Cloud Network Manager (CNM) certificates
.. osdx:cfgcmd:: vpn ipsec auth-profile local crl
local Certificate Revocation List
.. osdx:cfgcmd:: vpn ipsec auth-profile local crl file
:arg file:
Local CRL file
.. osdx:cfgcmd:: vpn ipsec auth-profile local crl revocation
Revocation mode
:arg relaxed:
Authentication fails if the certificate is revoked
:arg strict:
Authentication fails if the certificate is revoked or if the CRL cannot be loaded or downloaded
.. osdx:cfgcmd:: vpn ipsec auth-profile local crl url
:arg txt:
CRL file HTTP download URL
This URL is fetched over HTTP first, before the CRL URL that may be embedded
in the peer certificate. If that fetch fails, the CRL URL from the peer
certificate is used as a fallback.
.. osdx:cfgcmd:: vpn ipsec auth-profile local csr
local Certificate Signing Request instance (SCEP)
:ref Reference: system certificate scep csr *
.. osdx:cfgcmd:: vpn ipsec auth-profile local id
Local subject DN or subjectAltName contained in the certificate
The local identity is what a peer expects to find when connecting using
the RSA certificate for authentication. It can be an IP address, a hostname or a
strongSwan "magic" value (such as "%any"). See
https://wiki.strongswan.org/projects/strongswan/wiki/IdentityParsing for more information.
:arg ipv4:
IPv4 address identity
:arg ipv6:
IPv6 address identity
:arg fqdn:
Fully qualified domain name identity
:arg %any:
Accept any remote identity
:arg id:
Any other value matching Identity Parsing rules
.. osdx:cfgcmd:: vpn ipsec auth-profile local key
local private key
:ref Required:
.. osdx:cfgcmd:: vpn ipsec auth-profile local key encrypted-passphrase
:arg password:
Encrypted passphrase
.. osdx:cfgcmd:: vpn ipsec auth-profile local key file
:arg file:
Private key file
.. osdx:cfgcmd:: vpn ipsec auth-profile local key passphrase
:arg txt:
Passphrase for private key file
The following characters may be used in the passphrase:
alphanumeric characters a-z A-Z 0-9
special characters - + & ! @ # $ % ^ * ( ) , . : _
Setting the passphrase inside single quotes is recommended. If the
passphrase contains special characters, single quotes are required.
Example usage: 'aA1-&!@,.:_2Bb'
.. osdx:cfgcmd:: vpn ipsec auth-profile local pkcs12
local PKCS#12
:ref Required:
.. osdx:cfgcmd:: vpn ipsec auth-profile local pkcs12 encrypted-passphrase
:arg password:
Encrypted passphrase
.. osdx:cfgcmd:: vpn ipsec auth-profile local pkcs12 file
:arg file:
PKCS#12 file
.. osdx:cfgcmd:: vpn ipsec auth-profile local pkcs12 passphrase
:arg txt:
Passphrase of PKCS#12 file
The following characters may be used in the passphrase:
alphanumeric characters a-z A-Z 0-9
special characters - + & ! @ # $ % ^ * ( ) , . : _
Setting the passphrase inside single quotes is recommended. If the
passphrase contains special characters, single quotes are required.
Example usage: 'aA1-&!@,.:_2Bb'
.. osdx:cfgcmd:: vpn ipsec auth-profile local ppk
PPK (Post-Quantum Pre-Shared Key) for local/remote peers
.. osdx:cfgcmd:: vpn ipsec auth-profile local ppk id
String identifying PPK (Post-Quantum Pre-Shared Key) for local/remote peers
Specify which PPK (Post-Quantum Pre-Shared Key) secret ID to use for local authentication.
:arg id:
String identifying the Post-Quantum Pre-Shared Key to be used
.. osdx:cfgcmd:: vpn ipsec auth-profile local ppk required
Whether the PPK is required for the connection
.. osdx:cfgcmd:: vpn ipsec auth-profile local xauth
XAUTH (Extended Authentication) for local peers
.. osdx:cfgcmd:: vpn ipsec auth-profile local xauth id
String identifying XAUTH (Extended Authentication) secret to be used in local peers
Specify which XAUTH secret ID to use for local extended authentication.
This is used for Phase II authentication in IKEv1. For more information, refer to the VPN documentation.
:arg id:
String identifying the XAUTH secret to be used
.. osdx:cfgcmd:: vpn ipsec auth-profile mirror-config
Mirror one authentication side into the other, if not defined
When defining the authentication sides (local/remote), you may choose to define
only one of them. By default, the configuration (only the "auth" part) is mirrored
into the missing side without overriding data that already exists there. This way,
authentication profiles can be partially defined while still giving a fully working VPN connection.
:arg true:
The existing profile is mirrored into the non-existing one
:arg false:
No mirroring is done. Note that you must define both sides individually
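As an added example (not code from the OSDx documentation or product), the function below models the mirror-config behaviour described above on a nested dict shaped like the auth-profile command tree, which is an assumed layout: only the "auth" subtree is copied, only into a side that has none of its own, and nothing is copied when mirror-config is false.

```python
import copy
from typing import Any, Dict, List

Profile = Dict[str, Any]


def apply_mirror_config(profile: Profile) -> Profile:
    """Return a copy of ``profile`` with the missing authentication side filled in.

    ``profile`` is a nested dict following the command tree on this page:
    optional "local" and "remote" sub-dicts, each holding an optional "auth"
    sub-dict plus other keys such as "id" or "cert-file". The optional
    "mirror-config" key defaults to True. Only the "auth" subtree is copied,
    and only into a side that has no "auth" of its own, so data that already
    exists on that side is respected. The dict layout is an assumption made
    for this example; the behaviour follows the page's description.
    """
    result = copy.deepcopy(profile)
    if not result.get("mirror-config", True):
        return result
    for src_name, dst_name in (("local", "remote"), ("remote", "local")):
        src_auth = result.get(src_name, {}).get("auth")
        dst = result.setdefault(dst_name, {})
        if src_auth and "auth" not in dst:
            dst["auth"] = copy.deepcopy(src_auth)
    return result


def sides_without_auth(profile: Profile) -> List[str]:
    """Names of the sides that still lack an "auth" subtree after mirroring.

    A non-empty result means the profile cannot authenticate both peers, which
    is the situation the page warns about when mirror-config is false.
    """
    return [side for side in ("local", "remote")
            if not profile.get(side, {}).get("auth")]
```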
.. osdx:cfgcmd:: vpn ipsec auth-profile remote
Remote (right) authentication configuration
.. osdx:cfgcmd:: vpn ipsec auth-profile remote auth
Authentication method used by connecting peer
When a peer authenticates against us (as a server), a remote authentication
method must be used. By default, it is "pubkey" (key-pair certificates),
which serves to identify the peer.
Another method is a pre-shared key, in which a key must be shared in advance
in order to connect. Finally, it is possible to authenticate using RADIUS,
usually based on a username/password.
:instances: Unique
.. osdx:cfgcmd:: vpn ipsec auth-profile remote auth eap
EAP (Extensible Authentication Protocol) for local/remote peers
Specify which EAP secret ID to use for authentication.
The actual secret must be defined in global-secrets/eap.
Notice that strongSwan magic values can be used (for example, "%any").
For more information, please refer to the VPN documentation.
:arg id:
EAP identifier/username/remote ID used when authenticating
:arg %any:
Match any identity from configured secrets
:arg type:
Supported types are rfc822, email, userfqdn, fqdn, dns, asn1dn, and keyid. A regex starts with a caret character (^) and ends with a dollar sign ($), for example "email:^.*@teldat.com$". Regular expressions can only be used to match remote identities, not as local identities.
:instances: Multiple
.. osdx:cfgcmd:: vpn ipsec auth-profile remote auth eap type
Type of EAP authentication to use. By default, it is guessed
Different kinds of EAP authentication mechanisms can be used during the identity
exchange. By default, the EAP method is guessed during IKE negotiation, but you
can manually specify which one must be used.
:arg mschapv2:
EAP-Microsoft Challenge Handshake Authentication Protocol version 2
:arg tls:
EAP-TLS protocol handler, to authenticate with certificates in EAP
:arg ttls:
EAP-TTLS protocol handler, wraps other EAP methods securely
:arg md5:
EAP-MD5 protocol handler using passwords
.. osdx:cfgcmd:: vpn ipsec auth-profile remote auth ike-psk
IKE Pre-Shared Key for local/remote peers
.. osdx:cfgcmd:: vpn ipsec auth-profile remote auth ike-psk id
String identifying IKE Pre-Shared Key for local/remote peers
Specify which IKE Pre-Shared Key secret ID to use when authenticating remote peers.
The strongSwan magic value "%any" can be used to match any remote peer identity.
Avoid using "%any" for local authentication as it may cause unpredictable secret matching.
This is used for authenticating peers during IKE negotiation. For more information, refer to the VPN documentation.
:arg id:
String identifying the IKE Pre-Shared Key to be used
:arg %any:
Match any remote peer identity
:arg type:
Supported types are rfc822, email, userfqdn, fqdn, dns, asn1dn, and keyid. A regex starts with a caret character (^) and ends with a dollar sign ($), for example "email:^.*@teldat.com$". Regular expressions can only be used to match remote identities, not as local identities.
.. osdx:cfgcmd:: vpn ipsec auth-profile remote auth radius
IPSec RADIUS based authentication
.. osdx:cfgcmd:: vpn ipsec auth-profile remote ca-cert-file
:arg file:
remote CA certificate file
:instances: Multiple
.. osdx:cfgcmd:: vpn ipsec auth-profile remote cert-file
:arg file:
remote certificate file
.. osdx:cfgcmd:: vpn ipsec auth-profile remote cnm-certs
remote Cloud Network Manager (CNM) certificates
.. osdx:cfgcmd:: vpn ipsec auth-profile remote crl
remote Certificate Revocation List
.. osdx:cfgcmd:: vpn ipsec auth-profile remote crl file
:arg file:
Local CRL file
.. osdx:cfgcmd:: vpn ipsec auth-profile remote crl revocation
Revocation mode
:arg relaxed:
Authentication fails if the certificate is revoked
:arg strict:
Authentication fails if the certificate is revoked or if the CRL cannot be loaded or downloaded
.. osdx:cfgcmd:: vpn ipsec auth-profile remote crl url
:arg txt:
CRL file HTTP download URL
This URL is fetched over HTTP first, before the CRL URL that may be embedded
in the peer certificate. If that fetch fails, the CRL URL from the peer
certificate is used as a fallback.
.. osdx:cfgcmd:: vpn ipsec auth-profile remote csr
remote Certificate Signing Request instance (SCEP)
:ref Reference: system certificate scep csr *
.. osdx:cfgcmd:: vpn ipsec auth-profile remote id
Remote subject DN or subjectAltName contained in the certificate
The remote identity is what a peer expects to find when connecting using
the RSA certificate for authentication. It can be an IP address, a hostname or a
strongSwan "magic" value (such as "%any"). See
https://wiki.strongswan.org/projects/strongswan/wiki/IdentityParsing for more information.
:arg ipv4:
IPv4 address identity
:arg ipv6:
IPv6 address identity
:arg fqdn:
Fully qualified domain name identity
:arg %any:
Accept any remote identity
:arg id:
Any other value matching Identity Parsing rules
.. osdx:cfgcmd:: vpn ipsec auth-profile remote key
remote private key
:ref Required:
.. osdx:cfgcmd:: vpn ipsec auth-profile remote key encrypted-passphrase
:arg password:
Encrypted passphrase
.. osdx:cfgcmd:: vpn ipsec auth-profile remote key file
:arg file:
Private key file
.. osdx:cfgcmd:: vpn ipsec auth-profile remote key passphrase
:arg txt:
Passphrase for private key file
The following characters may be used in the passphrase:
alphanumeric characters a-z A-Z 0-9
special characters - + & ! @ # $ % ^ * ( ) , . : _
Setting the passphrase inside single quotes is recommended. If the
passphrase contains special characters, single quotes are required.
Example usage: 'aA1-&!@,.:_2Bb'
.. osdx:cfgcmd:: vpn ipsec auth-profile remote pkcs12
remote PKCS#12
:ref Required:
.. osdx:cfgcmd:: vpn ipsec auth-profile remote pkcs12 encrypted-passphrase
:arg password:
Encrypted passphrase
.. osdx:cfgcmd:: vpn ipsec auth-profile remote pkcs12 file
:arg file:
PKCS#12 file
.. osdx:cfgcmd:: vpn ipsec auth-profile remote pkcs12 passphrase
:arg txt:
Passphrase of PKCS#12 file
The following characters may be used in the passphrase:
alphanumeric characters a-z A-Z 0-9
special characters - + & ! @ # $ % ^ * ( ) , . : _
Setting the passphrase inside single quotes is recommended. If the
passphrase contains special characters, single quotes are required.
Example usage: 'aA1-&!@,.:_2Bb'
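The character and quoting rules stated above are the same for every secret (global-secrets eap, ike-psk, ppk and xauth) and every passphrase (local/remote key and pkcs12). The Python helpers below are an added example, not part of the OSDx documentation or product: they validate a candidate against the listed alphabet, generate a random secret from it with the OS CSPRNG, and apply the single-quote rule; the leading ``set`` keyword in the built command line is an assumed CLI convention the page does not state.

```python
import secrets
import string
from typing import List

# Alphabet permitted by the OSDx CLI for secrets and passphrases, as listed on
# this page: a-z A-Z 0-9 and the specials - + & ! @ # $ % ^ * ( ) , . : _
ALLOWED_SPECIAL = "-+&!@#$%^*(),.:_"
ALLOWED_CHARS = string.ascii_letters + string.digits + ALLOWED_SPECIAL


def validate_secret(secret: str) -> List[str]:
    """Return the problems found in ``secret``; an empty list means it is acceptable."""
    problems: List[str] = []
    if not secret:
        problems.append("secret is empty")
    bad = sorted({c for c in secret if c not in ALLOWED_CHARS})
    if bad:
        problems.append("disallowed characters: " + " ".join(repr(c) for c in bad))
    return problems


def needs_quotes(secret: str) -> bool:
    """Single quotes are mandatory whenever a special character is present."""
    return any(c in ALLOWED_SPECIAL for c in secret)


def quote_for_cli(secret: str) -> str:
    """Wrap the secret in single quotes, as the page recommends for every secret."""
    if "'" in secret:
        raise ValueError("a single quote is not an allowed character")
    return "'" + secret + "'"


def generate_secret(length: int = 32) -> str:
    """Draw a random secret from the allowed alphabet using the OS CSPRNG.

    Each character class of the alphabet is required to be present, so the
    result always exercises the quoting rule; 32 characters drawn from this
    78-symbol alphabet give roughly 200 bits of entropy.
    """
    if length < 3:
        raise ValueError("length must be at least 3")
    while True:
        candidate = "".join(secrets.choice(ALLOWED_CHARS) for _ in range(length))
        if (any(c.isalpha() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in ALLOWED_SPECIAL for c in candidate)):
            return candidate


def set_command(path: str, secret: str) -> str:
    """Build the configuration line for ``path`` with a validated, quoted secret.

    ``path`` is a command path as documented on this page, for example
    "vpn ipsec auth-profile P1 global-secrets ike-psk hq secret"; the leading
    "set" keyword is an assumed CLI convention, not something this page states.
    """
    problems = validate_secret(secret)
    if problems:
        raise ValueError("; ".join(problems))
    return "set " + path + " " + quote_for_cli(secret)
```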
.. osdx:cfgcmd:: vpn ipsec auth-profile remote ppk
PPK (Post-Quantum Pre-Shared Key) for local/remote peers
.. osdx:cfgcmd:: vpn ipsec auth-profile remote ppk id
String identifying PPK (Post-Quantum Pre-Shared Key) for local/remote peers
Specify which PPK (Post-Quantum Pre-Shared Key) secret ID to use when authenticating remote peers.
:arg id:
String identifying the Post-Quantum Pre-Shared Key to be used
:arg %any:
Match any remote peer identity
:arg regex:
Match any identity that matches the defined regular expression, such as ``*@teldat.com``
.. osdx:cfgcmd:: vpn ipsec auth-profile remote ppk required
Whether the PPK is required for the connection
.. osdx:cfgcmd:: vpn ipsec auth-profile remote xauth
XAUTH (Extended Authentication) for remote peers
:instances: Unique
.. osdx:cfgcmd:: vpn ipsec auth-profile remote xauth id
String identifying XAUTH (Extended Authentication) secret to be used in remote peers
Specify which XAUTH secret ID to use when authenticating remote peers with extended authentication.
The actual secret must be defined in global-secrets/xauth. The strongSwan magic value "%any"
can be used to match any remote peer identity. This is used for Phase II authentication in IKEv1. For more information, refer to the VPN documentation.
:arg id:
String identifying the XAUTH secret to be used
:arg %any:
Match any remote peer identity
:arg type:
Supported types are rfc822, email, userfqdn, fqdn, dns, asn1dn, and keyid. A regex starts with a caret character (^) and ends with a dollar sign ($), for example "email:^.*@teldat.com$". Regular expressions can only be used to match remote identities, not as local identities.
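The typed regular-expression identity syntax described here, and identically under remote auth eap and remote auth ike-psk id, can be checked before it is committed. The matcher below is an added example, not OSDx or strongSwan code: it accepts the forms the page describes ("%any" and "type:^regex$"), rejects unsupported types and unanchored patterns, and, as an assumption beyond the page, treats any other value as an exact literal.

```python
import re
from typing import Optional

# Identity types the page lists as usable in typed remote-identity matches
SUPPORTED_TYPES = ("rfc822", "email", "userfqdn", "fqdn", "dns", "asn1dn", "keyid")


class RemoteIdentityMatcher:
    """Interpret one remote identity value as described on this page.

    Accepted forms:
      "%any"                matches any identity
      "<type>:^<regex>$"    anchored regular expression limited to one type
      "<type>:<value>"      exact match limited to one type (assumed form)
      "<value>"             exact match on the identity, any type (assumed form)
    An unsupported type in front of a regex, or a regex not anchored with both
    ^ and $, is rejected, as the page requires.
    """

    def __init__(self, spec: str) -> None:
        self.spec = spec
        self.id_type: Optional[str] = None
        self.pattern: Optional[re.Pattern] = None
        self.literal: Optional[str] = None
        if spec == "%any":
            return
        id_type, sep, value = spec.partition(":")
        target = value if sep else spec
        starts, ends = target.startswith("^"), target.endswith("$")
        if starts != ends:
            raise ValueError(f"regex must start with ^ and end with $: {spec!r}")
        is_regex = starts and ends
        if sep and id_type in SUPPORTED_TYPES:
            self.id_type = id_type
            if is_regex:
                self.pattern = re.compile(value)
            else:
                self.literal = value
        elif is_regex:
            raise ValueError("regex needs one of the supported types ("
                             + ", ".join(SUPPORTED_TYPES) + f") in front: {spec!r}")
        else:
            self.literal = spec

    def matches(self, id_type: str, identity: str) -> bool:
        """Check a peer identity of the given type against this spec."""
        if self.spec == "%any":
            return True
        if self.id_type is not None and id_type != self.id_type:
            return False
        if self.pattern is not None:
            # fullmatch, together with the mandatory anchors, stops a longer
            # identity such as "x@teldat.com.attacker.example" from matching
            return self.pattern.fullmatch(identity) is not None
        return identity == self.literal


def spec_error(spec: str) -> Optional[str]:
    """Return the rejection reason for ``spec``, or None if it is accepted."""
    try:
        RemoteIdentityMatcher(spec)
    except ValueError as exc:
        return str(exc)
    return None
```

Note that the page's example "email:^.*@teldat.com$" leaves the dot unescaped, so it also matches "user@teldatXcom"; writing "email:^.*@teldat\.com$" matches only the intended domain.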
.. osdx:cfgcmd:: vpn ipsec auth-profile remote xauth radius
IPSec RADIUS based authentication
.. osdx:cfgcmd:: vpn ipsec dmvpn-profile
DMVPN IPSec Profile
:arg id:
Name of the DMVPN IPSec profile
:instances: Multiple
:ref Required: vpn ipsec auth-profile *
:ref Required: vpn ipsec esp-group *
:ref Required: vpn ipsec ike-group *
.. osdx:cfgcmd:: vpn ipsec dmvpn-profile auth-profile
IPSec Authentication Profile
:ref Reference: vpn ipsec auth-profile *
.. osdx:cfgcmd:: vpn ipsec dmvpn-profile esp-group
ESP group name
:ref Reference: vpn ipsec esp-group *
.. osdx:cfgcmd:: vpn ipsec dmvpn-profile ike-group
IKE group name
:ref Reference: vpn ipsec ike-group *
.. osdx:cfgcmd:: vpn ipsec downloader
VPN downloader configuration
.. osdx:cfgcmd:: vpn ipsec downloader local-address
Local IP address to use as source for strongSwan downloads
:arg ipv4:
Local IPv4 address
:arg ipv6:
Local IPv6 address
:Local IP address:
.. osdx:cfgcmd:: vpn ipsec downloader local-interface
:arg ifc:
Interface to use as source for strongSwan downloads
.. osdx:cfgcmd:: vpn ipsec downloader local-vrf
VRF to use as source for strongSwan downloads
:ref Reference: system vrf *
.. osdx:cfgcmd:: vpn ipsec esp-group
:arg id:
Name of Encapsulating Security Payload (ESP) group
:instances: Multiple
.. osdx:cfgcmd:: vpn ipsec esp-group compression
ESP compression
.. osdx:cfgcmd:: vpn ipsec esp-group lifetime
ESP lifetime
:arg u32:
ESP lifetime (in seconds by default)
:instances: Unique
.. osdx:cfgcmd:: vpn ipsec esp-group lifetime MB
ESP lifetime expressed in megabytes
.. osdx:cfgcmd:: vpn ipsec esp-group lifetime packets
ESP lifetime expressed in packets
.. osdx:cfgcmd:: vpn ipsec esp-group lifetime seconds
ESP lifetime expressed in seconds
.. osdx:cfgcmd:: vpn ipsec esp-group mark-in
Set an XFRM mark on the inbound policy
:arg unique:
Use a unique mark for each tunnel
:arg unique-dir:
Use a unique mark for each tunnel and direction (in/out)
:arg unique-only-nat:
Use a unique mark for each tunnel when NAT is detected
:arg same:
Use the same mark for all tunnels
:arg u32:
Mark value
.. osdx:cfgcmd:: vpn ipsec esp-group mark-out
Set an XFRM mark on the outbound IPsec SA and policy
:arg unique:
Use a unique mark for each tunnel
:arg unique-dir:
Use a unique mark for each tunnel and direction (in/out)
:arg unique-only-nat:
Use a unique mark for each tunnel when NAT is detected
:arg same:
Use the same mark for all tunnels
:arg u32:
Mark value
.. osdx:cfgcmd:: vpn ipsec esp-group mode
:arg id:
ESP mode
.. osdx:cfgcmd:: vpn ipsec esp-group proposal
ESP-group proposal [REQUIRED]
:arg u32:
ESP-group proposal number (1-65535)
:instances: Multiple
.. osdx:cfgcmd:: vpn ipsec esp-group proposal encryption
:arg id:
Encryption algorithm
.. osdx:cfgcmd:: vpn ipsec esp-group proposal hash
:arg id:
Hash algorithm
.. osdx:cfgcmd:: vpn ipsec esp-group proposal pfs
:arg id:
ESP Perfect Forward Secrecy
.. osdx:cfgcmd:: vpn ipsec esp-group replay-window
Replay Window Value
:arg u32:
Replay Window Value (0-32)
.. osdx:cfgcmd:: vpn ipsec esp-group vrf-mark-in
Set an XFRM mark on the inbound policy using a VRF
:ref Reference: system vrf *
.. osdx:cfgcmd:: vpn ipsec esp-group vrf-mark-out
Set an XFRM mark on the outbound IPsec SA and policy using a VRF
:ref Reference: system vrf *
.. osdx:cfgcmd:: vpn ipsec ike-group
:arg id:
Name of Internet Key Exchange (IKE) group
:instances: Multiple
.. osdx:cfgcmd:: vpn ipsec ike-group dead-peer-detection
Dead Peer Detection (DPD)
.. osdx:cfgcmd:: vpn ipsec ike-group dead-peer-detection action
Keep-alive failure action
:arg clear:
Set action to clear
:arg restart:
Set action to restart
:arg trap:
Set action to trap
.. osdx:cfgcmd:: vpn ipsec ike-group dead-peer-detection interval
Keep-alive interval
:arg u32:
Keep-alive interval in seconds (1-86400)
.. osdx:cfgcmd:: vpn ipsec ike-group dead-peer-detection timeout
Keep-alive timeout
:arg u32:
Keep-alive timeout in seconds (1-86400)
.. osdx:cfgcmd:: vpn ipsec ike-group ikev2-reauth
Re-authentication of the remote peer during an IKE re-key. IKEv2 option only
.. osdx:cfgcmd:: vpn ipsec ike-group key-exchange
:arg id:
Key Exchange Version
.. osdx:cfgcmd:: vpn ipsec ike-group lifetime
IKE lifetime
:arg u32:
IKE lifetime in seconds (30-86400)
.. osdx:cfgcmd:: vpn ipsec ike-group mobike
Enable MOBIKE Support. MOBIKE is only available for IKEv2.
.. osdx:cfgcmd:: vpn ipsec ike-group mode
IKEv1 Phase 1 Mode Selection
:arg main:
Use Main mode for Key Exchanges in the IKEv1 Protocol (Recommended Default)
:arg aggressive:
Use Aggressive mode for key exchanges in the IKEv1 protocol. Aggressive mode is not recommended: it is considerably less secure than Main mode.
.. osdx:cfgcmd:: vpn ipsec ike-group proposal
IKE-group proposal [REQUIRED]
:arg u32:
IKE-group proposal (1-65535)
:instances: Multiple
.. osdx:cfgcmd:: vpn ipsec ike-group proposal dh-group
:arg id:
Diffie-Hellman (DH) key exchange group
.. osdx:cfgcmd:: vpn ipsec ike-group proposal encryption
:arg id:
Encryption algorithm
.. osdx:cfgcmd:: vpn ipsec ike-group proposal hash
:arg id:
Hash algorithm
.. osdx:cfgcmd:: vpn ipsec interface
Network interfaces that should be used by IPSec. All other interfaces are ignored.
:arg txt:
IPSec interface
:instances: Multiple
.. osdx:cfgcmd:: vpn ipsec logging
IPsec logging
.. osdx:cfgcmd:: vpn ipsec logging log-types
Select log type
.. osdx:cfgcmd:: vpn ipsec logging log-types any
Apply log level to all existing types.
.. osdx:cfgcmd:: vpn ipsec logging log-types any log-level
:arg txt:
VPN Logger Verbosity Level
.. osdx:cfgcmd:: vpn ipsec logging log-types type
Apply to a specific log type. To see exactly what each log type covers, refer to the VPN documentation.
:arg dmn:
Debug log option for VPN
:arg mgr:
Debug log option for VPN
:arg ike:
Debug log option for VPN
:arg chd:
Debug log option for VPN
:arg job:
Debug log option for VPN
:arg cfg:
Debug log option for VPN
:arg knl:
Debug log option for VPN
:arg net:
Debug log option for VPN
:arg asn:
Debug log option for VPN
:arg enc:
Debug log option for VPN
:arg lib:
Debug log option for VPN
:arg esp:
Debug log option for VPN
:arg tls:
Debug log option for VPN
:arg tnc:
Debug log option for VPN
:arg imc:
Debug log option for VPN
:arg imv:
Debug log option for VPN
:arg pts:
Debug log option for VPN
:instances: Multiple
.. osdx:cfgcmd:: vpn ipsec logging log-types type log-level
:arg id:
VPN Logger Verbosity Level
.. osdx:cfgcmd:: vpn ipsec pool
:arg id:
Name of Remote Address pool
:instances: Unique
.. osdx:cfgcmd:: vpn ipsec pool prefix
:arg ipv4net:
Remote IPv4 or IPv6 prefix
:arg ipv6net:
Remote IPv4 or IPv6 prefix
.. osdx:cfgcmd:: vpn ipsec pool range
Remote IPv4 or IPv6 range
.. osdx:cfgcmd:: vpn ipsec pool range first-address
:arg ipv4:
First IPv4 or IPv6 address of the pool range
:arg ipv6:
First IPv4 or IPv6 address of the pool range
.. osdx:cfgcmd:: vpn ipsec pool range last-address
:arg ipv4:
Last IPv4 or IPv6 address of the pool range
:arg ipv6:
Last IPv4 or IPv6 address of the pool range
.. osdx:cfgcmd:: vpn ipsec radius
IPSec RADIUS based authentication settings
:ref Required: system aaa list *
.. osdx:cfgcmd:: vpn ipsec radius accounting
Enable RADIUS accounting
.. osdx:cfgcmd:: vpn ipsec radius authentication-list
VPN type list to use when authenticating
Choose the VPN list that will be used when an external user
tries to authenticate. Lists can be set up with the "system aaa list" command.
:ref Reference: system aaa list *
.. osdx:cfgcmd:: vpn ipsec radius dae
Dynamic Authorization Extension (DAE) options
:ref Required:
.. osdx:cfgcmd:: vpn ipsec radius dae encrypted-secret
:arg password:
Encrypted secret
.. osdx:cfgcmd:: vpn ipsec radius dae listen-address
Address on which to listen for DAE messages
:arg ipv4:
IPv4 listen address
:arg ipv6:
IPv6 listen address
:Local IP address:
.. osdx:cfgcmd:: vpn ipsec radius dae port
Port to listen for requests
:arg u32:
Numeric IP port (1-65535)
.. osdx:cfgcmd:: vpn ipsec radius dae secret
:arg txt:
Shared secret used to verify/sign DAE messages
These characters are allowed to be used for setting the shared secret:
alphanumeric characters: a-z A-Z 0-9
special characters: - + & ! @ # $ %% ^ * ( ) , . : _
It is recommended to use single quotes (') when setting the shared secret.
If special characters are used, single quotes are mandatory.
.. osdx:cfgcmd:: vpn ipsec radius eap-start
Send "EAP-Start" instead of "EAP-Identity" to start RADIUS conversation
.. osdx:cfgcmd:: vpn ipsec site-to-site
Site to site VPN
.. osdx:cfgcmd:: vpn ipsec site-to-site peer
:arg id:
VPN peer
:instances: Multiple
:ref Required: vpn ipsec auth-profile *
:ref Required: vpn ipsec ike-group *
.. osdx:cfgcmd:: vpn ipsec site-to-site peer auth-profile
IPSec Authentication Profile
:ref Reference: vpn ipsec auth-profile *
.. osdx:cfgcmd:: vpn ipsec site-to-site peer connection-type
Connection type
:arg initiate:
This endpoint can initiate or respond to a connection
:arg respond:
This endpoint will only respond to a connection
:arg on-demand:
This endpoint will initiate a connection if matching traffic is detected
.. osdx:cfgcmd:: vpn ipsec site-to-site peer default-esp-group
Default ESP group name
:ref Reference: vpn ipsec esp-group *
.. osdx:cfgcmd:: vpn ipsec site-to-site peer description
:arg txt:
VPN peer description
.. osdx:cfgcmd:: vpn ipsec site-to-site peer dhcp-interface
:arg ifc:
DHCP interface that supplies the local address to use for IKE communication
.. osdx:cfgcmd:: vpn ipsec site-to-site peer force-encapsulation
Force UDP Encapsulation for ESP Payloads
.. osdx:cfgcmd:: vpn ipsec site-to-site peer ike-group
Internet Key Exchange (IKE) group name
:ref Reference: vpn ipsec ike-group *
.. osdx:cfgcmd:: vpn ipsec site-to-site peer install-vips
Pull virtual IP addresses from remote
:ref Required:
.. osdx:cfgcmd:: vpn ipsec site-to-site peer install-vips address
:arg ipv4:
Request specific address(es)
If not set, 0.0.0.0 will be used (i.e., it will accept any virtual IP)
:instances: Multiple
.. osdx:cfgcmd:: vpn ipsec site-to-site peer install-vips interface
:arg ifc:
Interface where VIPs should be installed
.. osdx:cfgcmd:: vpn ipsec site-to-site peer local-address
Local address(es) to use for IKE communication
As initiator, the first entry that is neither a range nor a subnet is used to
initiate the connection. As responder, the local destination address must match
at least one of the specified addresses, subnets or ranges. FQDNs are resolved
each time a configuration lookup is done. Finally, "magic" values such as
"%any" can be used here.
:arg ipv4:
IPv4 address of a local interface for VPN
:arg ipv6:
IPv6 address of a local interface for VPN
:arg fqdn:
DNS domain name of the local interface
:arg %any:
Match any address specified as local interface
:instances: Multiple
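The selection rules above (initiator picks the first plain address, responder matches the local destination against addresses, subnets, ranges or ``%any``), modelled in Python as an added example that is not OSDx code. It assumes entries are written as the command accepts them, that a range is written ``first-last``, and it replaces DNS with a constructed lookup table so it runs offline.

```python
import ipaddress

# Constructed stand-in for DNS (assumption, not part of the page). The real
# daemon resolves FQDNs at every configuration lookup, so a changed record
# takes effect on the next lookup; here the table plays that role.
FAKE_DNS = {"vpn.example.test": "192.0.2.10",
            "vpn-gw.example.test": "198.51.100.20"}


def classify(entry, resolve=FAKE_DNS.get):
    """Return ("any", None), ("subnet", net), ("range", (lo, hi)) or ("addr", ip)."""
    if entry == "%any":
        return "any", None
    if "/" in entry:
        return "subnet", ipaddress.ip_network(entry, strict=False)
    parts = entry.split("-", 1)
    if len(parts) == 2:
        try:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in parts)
        except ValueError:
            pass  # not a range; may be a hyphenated FQDN, handled below
        else:
            if lo.version != hi.version or lo > hi:
                raise ValueError(f"bad range: {entry}")
            return "range", (lo, hi)
    try:
        return "addr", ipaddress.ip_address(entry)
    except ValueError:
        resolved = resolve(entry)  # treat anything else as an FQDN
        if resolved is None:
            raise ValueError(f"cannot resolve FQDN: {entry}")
        return "addr", ipaddress.ip_address(resolved)


def initiator_address(entries):
    """Initiator rule: first entry that is neither a range nor a subnet.
    %any yields None here (modelled as 'let the daemon choose')."""
    for e in entries:
        kind, val = classify(e)
        if kind == "addr":
            return str(val)
    return None


def responder_matches(entries, local_dst):
    """Responder rule: local destination must match at least one entry."""
    dst = ipaddress.ip_address(local_dst)
    for e in entries:
        kind, val = classify(e)
        if kind == "any" or (kind == "addr" and val == dst) \
                or (kind == "subnet" and dst in val) \
                or (kind == "range" and dst.version == val[0].version
                    and val[0] <= dst <= val[1]):
            return True
    return False
```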
.. osdx:cfgcmd:: vpn ipsec site-to-site peer local-vrf
Bind to local Virtual Routing and Forwarding domain name
:ref Reference: system vrf *
.. osdx:cfgcmd:: vpn ipsec site-to-site peer pool
List of VPN pools from which virtual IP addresses are allocated
:ref Reference: vpn ipsec pool *
:instances: Multiple
.. osdx:cfgcmd:: vpn ipsec site-to-site peer remote-address