VPN management IKE configuration

access profile

The command creates a user configuration profile for IKE-GATEWAY with the specified name and switches to profile configuration mode.

The use of a negative form (no) of the command removes the specified IKE-GATEWAY user configuration profile.

Syntax
[no] access profile <NAME>
Parameters

<NAME> – IKE-GATEWAY user profile name, set by the string of up to 31 characters.

Required privilege level

15

Command mode

CONFIG

Example
esr(config)# access profile OFFICE

address-assignment pool

The command creates a pool of addresses and configures parameters for the dynamic configuration of IPsec clients.

The use of a negative form (no) of the command removes the address pool.

Syntax
[no] address-assignment pool <NAME>
Parameters

<NAME> – addresses pool name, set by the string of up to 31 characters.

Required privilege level

10

Command mode

CONFIG

Example
esr(config)# address-assignment pool CENTER
esr(config-pool)#

assign-interface

This command specifies a loopback interface for assigning a dynamic address received from an IPsec-VPN server.

The use of a negative form of the command (no) removes the loopback interface used for assigning a dynamic address received from the IPsec-VPN server.

Syntax
assign-interface loopback <LOOPBACK>[-<LOOPBACK>]
no assign-interface
Parameters

<LOOPBACK> – number of the loopback interface created earlier, takes a value in the range [1..8].

Default value

None

Required privilege level

10

Command mode

CONFIG-IKE-GW

Example
esr(config-ike-gw)# assign-interface loopback 3

authentication algorithm

This command sets the authentication algorithm used to authenticate messages of an established IKE connection. While an IKE connection is being established, key-based message authentication is used (see section password).

The use of a negative form (no) of the command sets the default value.

Syntax
authentication algorithm <ALGORITHM>
no authentication algorithm
Parameters

<ALGORITHM> – authentication algorithm, takes values of: md5, sha1, sha2-256, sha2‑384, sha2-512.

Default value

sha1

Required privilege level

15

Command mode

CONFIG-IKE-PROPOSAL

Example
esr(config-ike-proposal)# authentication algorithm md5

authentication mode

This command sets the XAUTH authentication mode of remote users connecting via IPsec.

The use of a negative form (no) of the command removes a set mode.

Syntax
authentication mode { local | radius | client }
no authentication mode
Parameters

local - authentication mode using the local user base of the configured profile;

radius - the mode in which user authentication passes through a RADIUS server;

client – mode used by the xauth client.

Required privilege level

15

Command mode

CONFIG-IKE-POLICY

Example
esr(config-ike-policy)# authentication mode local

authentication method

This command selects the key authentication method for the IKE connection. Message authentication by key is used when an IKE connection is established, the key is set in the IKE policy (see section pre-shared-key). After an IKE connection is established, message authentication is performed using a hashing algorithm.

The use of a negative form (no) of the command sets the default value.

Syntax
authentication method <METHOD>
no authentication method
Parameters

<METHOD> – key authentication method. May take the following values:

  • pre-shared-key – authentication method using pre-received encryption keys;
  • rsa-public-key – authentication method using RSA certificate;
  • xauth-psk-key – an extended authentication method using local or remote user databases.
Default value

pre-shared-key

Required privilege level

15

Command mode

CONFIG-IKE-POLICY

Example
esr(config-ike-policy)# authentication method pre-shared-key

bind-interface vti

This command specifies the tunnel interface through which traffic will pass in the 'route-based' tunnel mode.

The use of a negative form (no) of the command removes a bind to tunnel interface.

Syntax
bind-interface vti <VTI>
no bind-interface vti
Parameters

<VTI> – VTI ID.

Required privilege level

10

Command mode

CONFIG-IKE-GATEWAY

Example
esr(config-ike-gw)# bind-interface vti 1

certificate

This command specifies the necessary certificates.

The use of a negative form (no) of the command removes certificate name from the configuration.

Syntax
certificate <CERTIFICATE-TYPE> <NAME>
no certificate <CERTIFICATE-TYPE>
Parameters

<CERTIFICATE-TYPE> – certificate or key type, may take the following values:

  • ca – certificate authority certificate;
  • crl – certificate revocation list;
  • local-crt – local side certificate;
  • local-crt-key – RSA key of the local side certificate;
  • local-id – local side ID. The key «any» is used to disable the verification of the Subject attribute fields of the local certificate;
  • remote-crt – remote side certificate. Instead of the file name, it is possible to use the key «any» to set the mode of reception of the public key of the remote party over the network;
  • remote-id – remote side ID. The key «any» is used to disable the verification of the Subject attribute fields of the remote party certificate;

<NAME> – certificate or key name, set by the string of up to 31 characters.

Default value

None

Required privilege level

15

Command mode

CONFIG-IKE-POLICY

Example
esr(config-ike-policy)# certificate ca KEY

data-tunnel address

This command specifies the IP address for building a GRE data tunnel; the address is sent to a client connected via IPsec with dynamic parameter configuration. The GRE data tunnel must be supported on the client side (requires ELTEX_DATA_IP(28684)).

The use of a negative form (no) of the command removes the IP address for GRE data tunnel building.

Syntax
data-tunnel address <ADDR>
no data-tunnel address
Parameters

<ADDR> – IP address for GRE data tunnel building, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255].

Default value

None

Required privilege level

10

Command mode

CONFIG-POOL

Example
esr(config-pool)# data-tunnel address 192.168.2.66

dead-peer-detection action

This command sets the action the device takes when the Dead Peer Detection mechanism detects that an IPsec neighbor is unavailable.

Dead Peer Detection (DPD) is a mechanism for checking the status and availability of neighboring devices. The mechanism periodically sends R-U-THERE messages (for IKE version 1) or empty INFORMATIONAL messages (for IKE version 2) to check the availability of the IPsec neighbor.

The use of a negative form (no) of the command sets the default value.

Syntax
dead-peer-detection action <MODE>
no dead-peer-detection action
Parameters

<MODE> – DPD operation mode:

  • restart – connection restarts;
  • clear – connection stops;
  • hold – connection holds;
  • none - the mechanism is disabled, no action is taken.
Default value

none

Required privilege level

10

Command mode

CONFIG-IKE-GATEWAY

Example
esr(config-ike-gw)# dead-peer-detection action clear

dead-peer-detection interval

This command sets the interval between sending messages by the DPD mechanism.

The DPD mechanism is described in section dead-peer-detection action.

The use of a negative form (no) of the command sets the default value.

Syntax
dead-peer-detection interval <SEC>
no dead-peer-detection interval
Parameters

<SEC> – interval between sending messages via DPD mechanism, takes values of [1..180] seconds.

Default value

2 seconds

Required privilege level

10

Command mode

CONFIG-IKE-GATEWAY

Example
esr(config-ike-gw)# dead-peer-detection interval 15

dead-peer-detection timeout

This command sets the response timeout for messages sent by the DPD mechanism.

The DPD mechanism is described in section dead-peer-detection action.

The use of a negative form (no) of the command sets the default value.

Syntax
dead-peer-detection timeout <SEC>
no dead-peer-detection timeout
Parameters

<SEC> – response timeout for DPD mechanism messages, takes values of [1..180] seconds.

Default value

30 seconds

Required privilege level

10

Command mode

CONFIG-IKE-GATEWAY

Example
esr(config-ike-gw)# dead-peer-detection timeout 60

description

The command sets the description of an IKE proposal, policy, or gateway.

The use of a negative form (no) of the command removes description.

Syntax
description <DESCRIPTION>
no description
Parameters

<DESCRIPTION> – profile description, set by the string of up to 255 characters.

Required privilege level

10

Command mode

CONFIG-IKE-PROPOSAL

CONFIG-IKE-POLICY

CONFIG-IKE-GATEWAY

Example
esr(config-ike-proposal)# description "my proposal"

dh-group

This command sets the group number of the Diffie-Hellman method. The group number defines the level of security of the IKE connection when exchanging keys — security increases as the group number increases, but the connection establishment time increases.

The use of a negative form (no) of the command sets the default value.

Syntax
dh-group <DH-GROUP>
no dh-group
Parameters

<DH-GROUP> – Diffie-Hellman group number, takes values of [1, 2, 5, 14, 15, 16, 17, 18].

Default value

1

Required privilege level

15

Command mode

CONFIG-IKE-PROPOSAL

Example
esr(config-ike-proposal)# dh-group 5

encryption algorithm

This command selects the encryption algorithm used when establishing an IKE connection.

The use of a negative form (no) of the command sets the default value.

Syntax
encryption algorithm <ALGORITHM>
no encryption algorithm
Parameters

<ALGORITHM> – encryption protocol ID, takes the following values: des, 3des, blowfish128, blowfish192, blowfish256, aes128, aes192, aes256, aes128ctr, aes192ctr, aes256ctr, camellia128, camellia192, camellia256.

Default value

3des

Required privilege level

15

Command mode

CONFIG-IKE-PROPOSAL

Example
esr(config-ike-proposal)# encryption algorithm aes128

ike-policy

This command establishes the binding of the IKE protocol policy to the gateway.

The use of a negative form (no) of the command removes the policy binding.

Syntax
[no] ike-policy <NAME>
Parameters

<NAME> – IKE protocol policy name, set by the string of up to 31 characters.

Required privilege level

15

Command mode

CONFIG-IKE-GATEWAY

Example
esr(config-ike-gw)# ike-policy ike_pol1

ip prefix

This command specifies the address pool from which addresses will be issued to IPsec clients.

The use of a negative form (no) of the command removes the address pool from which addresses will be issued to IPsec clients.

Syntax
ip prefix <ADDR/LEN>
no ip prefix
Parameters

<ADDR/LEN> – IP subnet, defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and EE takes values of [1..32].

Default value

Unspecified.

Required privilege level

10

Command mode

CONFIG-POOL

Example
esr(config-pool)# ip prefix 192.168.0.0/16

lifetime seconds

This command sets the lifetime of the IKE protocol connection.

The use of a negative form (no) of the command sets the default value.

Syntax
lifetime seconds <SEC>
no lifetime seconds
Parameters

<SEC> – time interval, takes values of [4..86400] seconds.

Default value

10800 seconds

Required privilege level

10

Command mode

CONFIG-IKE-POLICY

Example
esr(config-ike-proposal)# lifetime seconds 21600

local address

The command sets IP address of a local IPsec tunnel gateway.

The use of a negative form (no) of the command removes local gateway IP address.

Syntax
local address <ADDR>
no local address
Parameters

<ADDR> – IP address of a local gateway.

Required privilege level

10

Command mode

CONFIG-IKE-GATEWAY

Example
esr(config-ike-gw)# local address 192.168.1.1

local interface

The command sets the IP address assigned to the interface to be used as the IPsec tunnel local gateway.

The use of a negative form (no) of the command stops the use of the IP address assigned to the interface as the local gateway.

Syntax
local interface <IF>
no local interface
Parameters

<IF> – interface type and identifier specified in the form described in Section Types and naming order of router interfaces.

Required privilege level

10

Command mode

CONFIG-IKE-GW

Example
esr(config-ike-gw)# local interface gigabitethernet 1/0/1

local network

This command sets the sender's subnet IP address as well as the IP protocol and port. Traffic that meets the specified criteria will be sent to the IPsec tunnel.

The use of a negative form (no) of the command removes the sender's subnet IP address.

Syntax
[no] local network <ADDR/LEN> [ protocol { <TYPE> | <ID> } [ port <PORT> ] ]
Parameters

<ADDR/LEN> – IP subnet of a sender. The parameter is defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and EE takes values of [1..32];

<TYPE> – protocol type, takes the following values: esp, icmp, ah, eigrp, ospf, igmp, ipip, tcp, pim, udp, vrrp, rdp, l2tp, gre;

<ID> – IP identification number, takes values of [0x00-0xFF];

<PORT> – TCP/UDP port, takes values of [1..65535].

Required privilege level

10

Command mode

CONFIG-IKE-GATEWAY

Example
esr(config-ike-gw)# local network 192.168.1.0/24 protocol tcp port 22

management-tunnel address

This command specifies the tunnel IP address for building a GRE management tunnel; the address is sent to a client connected via IPsec with dynamic parameter configuration. The GRE management tunnel must be supported on the client side (requires ELTEX_MANAGEMENT_IP(28683)).

The use of a negative form (no) of the command removes the tunnel IP address for GRE management tunnel building.

Syntax
management-tunnel address <ADDR>
no management-tunnel address
Parameters

<ADDR> – IP address for GRE management tunnel building, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255].

Default value

None

Required privilege level

10

Command mode

CONFIG-POOL

Example
esr(config-pool)# management-tunnel address 192.168.2.87

mobike disable

This command disables the ability of the connection initiator to change its network attachment point (the IP address used as the local address parameter).

The use of a negative form (no) of the command activates automatic selection of the local address when the address described in the configuration is not available.

Syntax
[ no ] mobike disable
Parameters

None.

Default value

Enabled.

Required privilege level

10

Command mode

CONFIG-IKE-GATEWAY

Example
esr(config-ike-gw)# mobike disable

mode

This command sets the negotiation mode for the first phase of the IKE protocol.

The use of a negative form (no) of the command sets the default value.

Syntax
mode <MODE>
no mode
Parameters

<MODE> – first IKE phase mode, may take values:

  • main – consists of three bilateral exchanges between the sender and the recipient:
    • During the first exchange, the authentication and encryption algorithms that will be used to protect the IKE connection by matching the IKE protocol profiles of each node will be matched;
    • Using the Diffie-Hellman algorithm, the parties exchange a common secret key. The nodes also check each other's identification by sending and confirming a sequence of pseudo-random numbers;
    • The identity of the opposite side is checked. As a result of the main mode execution, a secure channel is created for the second phase of the IKE protocol.
  • aggressive – this mode requires fewer exchanges and, accordingly, fewer packets:
    • The first message (from the initiator) sends information that is used to establish an IKE connection: a suggestion of the SA parameters, the initiation of a Diffie-Hellman exchange, the sending of a pseudo-random number and a packet identifier;
    • In the second message, the responder accepts the SA, authenticates the initiator, sends a pseudo-random number and its IKE-identifier;
    • In the third message, the initiator authenticates the responder and confirms the exchange.
Default value

main

Required privilege level

15

Command mode

CONFIG-IKE-POLICY

Example
esr(config-ike-policy)# mode aggressive

mode

This command sets the mode of traffic redirection to the tunnel.

The use of a negative form (no) of the command sets the default value.

Syntax
mode <MODE>
no mode
Parameters

<MODE> – mode of traffic redirection into the tunnel, takes the following values:

  • policy-based — traffic is redirected based on the subnets specified in the policies;
  • route-based — traffic is redirected based on routes whose gateway is a tunnel interface.
Required privilege level

10

Command mode

CONFIG-IKE-GATEWAY

Example
esr(config-ike-gw)# mode route-based

password

This command is used to set the user password for IKE-GATEWAY. The password can be set either in clear text or as a sha512 hash.

The use of a negative form (no) of the command removes the user's password for IKE-GATEWAY from the system.

Syntax
password ascii-text { <CLEAR-TEXT> | encrypted <HASH_SHA512> }
no password
Parameters

<CLEAR-TEXT> – password, set by the string of 8 to 32 characters, takes the value of [0-9a-fA-F].

<HASH_SHA512> – password hash computed with the sha512 algorithm, set by the string of 110 characters.

Required privilege level

15

Command mode

CONFIG-PROFILE

Example
esr(config-profile)# password ascii-text tteesstt

password local-crt-key

This command is used to set the password of the encrypted certificate chain (certificates are assigned using the certificate command).

The use of a negative form (no) of the command removes the password.

Syntax
password local-crt-key ascii-text { <CLEAR-TEXT> | encrypted <HASH_SHA512> }
no password local-crt-key
Parameters

<CLEAR-TEXT> – password, set by the string of 8 to 32 characters, takes the value of [0-9a-fA-F].

<HASH_SHA512> – password hash computed with the sha512 algorithm, set by the string of 110 characters.

Required privilege level

15

Command mode

CONFIG-IKE-POLICY

Example
esr(config-ike-policy)# password local-crt-key ascii-text tteesstt

pfs dh-group

This command sets the group number of the Diffie-Hellman method. The group number defines the level of security of the IPsec connection when exchanging keys — security increases as the group number increases, but the connection establishment time increases.

The use of a negative form (no) of the command sets the default value.

Syntax
pfs dh-group <DH-GROUP>
no pfs dh-group
Parameters

<DH-GROUP> – Diffie-Hellman group number, takes values of [1, 2, 5, 14, 15, 16, 17, 18].

Default value

1

Required privilege level

15

Command mode

CONFIG-IPSEC-PROPOSAL

Example
esr(config-ipsec-proposal)# pfs dh-group 5

pre-shared-key

This command specifies a shared secret authentication key that should be the same for both parties of the tunnel.

The use of a negative form (no) of the command removes a set key.

Syntax
pre-shared-key { ascii-text { <TEXT> | encrypted <ENCRYPTED-TEXT> } | hexadecimal { <HEX> | encrypted <ENCRYPTED-HEX> } }
no pre-shared-key
Parameters

<TEXT> – string [1..64] ASCII characters;

<HEX> – number, [1..32] bytes size, set by the string of [2..128] characters in hexadecimal format (0xYYYY ...) or (YYYY ...).

<ENCRYPTED-TEXT> – encrypted password, [1..32] bytes size, set by the string of [2..128] characters.

<ENCRYPTED-HEX> – encrypted number, [2..64] bytes size, set by the string of [2..256] characters.

Default value

none

Required privilege level

15

Command mode

CONFIG-IKE-POLICY

Example
esr(config-ike-policy)# pre-shared-key hexadecimal abc123

proposal

This command establishes the binding of the IKE protocol profile to the policy.

The use of a negative form (no) of the command removes IKE protocol profile binding.

Syntax
[no] proposal <NAME>
Parameters

<NAME> – IKE protocol name, set by the string of up to 31 characters.

Required privilege level

15

Command mode

CONFIG-IKE-POLICY

Example
esr(config-ike-policy)# proposal ike_prop1

remote address

The command sets IP address of a remote IPsec tunnel gateway.

The use of a negative form (no) of the command removes remote gateway IP address.

Syntax
remote address { <ADDR> | any }
no remote address
Parameters

<ADDR> – IP address of a remote gateway.

any – key that allows you to receive requests to establish an IKE session from any IP address.

Required privilege level

10

Command mode

CONFIG-IKE-GATEWAY

Example
esr(config-ike-gw)# remote address 192.168.1.2

remote network

This command sets the IP address of the receiver's subnet, as well as the IP protocol and port, or assigns a dynamic address pool for remote clients using XAUTH. Traffic that meets the specified criteria will be sent to the IPsec tunnel.

The use of a negative form (no) of the command removes the receiver's subnet IP address.

Syntax
remote network { dynamic pool <POOL> | <ADDR/LEN> [ protocol { <TYPE> | <ID> } [ port <PORT> ] ] | any }
no remote network { dynamic pool |<ADDR/LEN> [ protocol { <TYPE> | <ID> } [ port <PORT> ] ] | any }
Parameters

<POOL> – dedicated dynamic address pool for XAUTH clients;

<ADDR/LEN> – IP subnet of a recipient. The parameter is defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and EE takes values of [1..32];

<TYPE> – protocol type, takes the following values: esp, icmp, ah, eigrp, ospf, igmp, ipip, tcp, pim, udp, vrrp, rdp, l2tp, gre;

<ID> – IP identification number, takes values of [0x00-0xFF];

<PORT> – TCP/UDP port, takes values of [1..65535];

any – key indicating the need to encrypt any outgoing traffic.

Required privilege level

10

Command mode

CONFIG-IKE-GATEWAY

Example
esr(config-ike-gw)# remote network 192.168.0.0/24 protocol tcp port 22

remote network dynamic client

This command enables receiving a list of remote networks from an IPsec-VPN server.

The use of a negative form of the command (no) disables the reception of a list of remote networks from the IPsec-VPN server.

Syntax
[no] remote network dynamic client
Parameters

None.

Default value

Disabled.

Required privilege level

10

Command mode

CONFIG-IKE-GW

Example
esr(config-ike-gw)# remote network dynamic client

security ike gateway

This command switches to the SECURITY IKE GATEWAY configuration mode. If an IKE gateway with the specified name does not exist in the configuration, it is created. Gateway parameters include the VTI interface to which traffic is sent, the IKE policy and IKE protocol version, and the mode of forwarding traffic to the tunnel.

The use of a negative form (no) of the command removes IKE protocol gateway.

Syntax
[no] security ike gateway <NAME>
Parameters

<NAME> – IKE protocol gateway name, set by the string of up to 31 characters. The use of a negative form (no) of the command with ‘all’ parameter removes all IKE gateways.

Required privilege level

10

Command mode

CONFIG

Example
esr(config)# security ike gateway ike_gw1
esr(config-ike-gw)#

security ike policy

This command creates an IKE policy that includes IKE protocol profiles, a shared secret key for authentication, and a negotiation mode for the first phase of the IKE protocol.

The use of a negative form (no) of the command removes a specified policy. The command sets the command line mode to SECURITY IKE POLICY.

Syntax
[no] security ike policy <NAME>
Parameters

<NAME> – IKE policy name, set by the string of up to 31 characters. The use of a negative form (no) of the command with the 'all' parameter removes all IKE policies.

Required privilege level

10

Command mode

CONFIG

Example
esr(config)# security ike policy ike_pol1
esr(config-ike-policy)#

security ike proposal

This command creates an Internet Key Exchange (IKE) protocol profile that includes the encryption and authentication parameters and the Diffie-Hellman group to be used when negotiating IKE parameters with the opposite side of the VPN connection while creating the Security Association (SA). The profile also sets the SA lifetime. The use of a negative form (no) of the command removes the specified profile.

Syntax
[no] security ike proposal <NAME>
Parameters

<NAME> – IKE protocol name, set by the string of up to 31 characters. The use of a negative form (no) of the command with 'all' parameter removes all IKE profiles.

Required privilege level

10

Command mode

CONFIG

Example
esr(config)# security ike proposal ike_prop1
esr(config-ike-proposal)#
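Because every proposal, policy and gateway parameter above has a default that applies when its command is omitted (3des, sha1, dh-group 1, mode main, v1-only, dead-peer-detection action none), a block that was never hardened looks empty in the configuration yet negotiates weak settings. The following added example (not ESR code) parses configuration written in the command syntax documented above, fills in those documented defaults, and reports the weak effective values; the sample configuration is constructed and the weak/strong classification is this example's own.

```python
"""Audit Eltex ESR-style 'security ike' blocks for weak or defaulted settings.

Added example, not ESR code. Parses the command syntax documented above and
applies the documented defaults when a command is omitted (3des, sha1,
dh-group 1, mode main, v1-only, dpd action none). The sample is constructed.
"""
import re

DEFAULTS = {  # documented defaults applied when the command is absent
    "proposal": {"encryption": "3des", "authentication": "sha1", "dh-group": "1"},
    "policy": {"mode": "main", "authentication-method": "pre-shared-key"},
    "gateway": {"version": "v1-only", "dpd-action": "none"},
}
WEAK_ENCRYPTION = {"des", "3des", "blowfish128", "blowfish192", "blowfish256"}
WEAK_AUTH = {"md5", "sha1"}
WEAK_DH = {"1", "2", "5"}  # 768-, 1024- and 1536-bit MODP groups
COMMANDS = {  # command pattern inside a block -> normalised key
    r"encryption algorithm (\S+)": "encryption",
    r"authentication algorithm (\S+)": "authentication",
    r"authentication method (\S+)": "authentication-method",
    r"dh-group (\d+)": "dh-group",
    r"mode (\S+)": "mode",
    r"version (\S+)": "version",
    r"dead-peer-detection action (\S+)": "dpd-action",
}
HEADER = re.compile(r"security ike (proposal|policy|gateway) (\S+)")


def parse_ike_config(text):
    """Return {block_type: {name: {key: value}}} from running-config style text."""
    blocks = {"proposal": {}, "policy": {}, "gateway": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER.fullmatch(line)
        if header:
            current = blocks[header.group(1)].setdefault(header.group(2), {})
        elif line == "exit":
            current = None
        elif current is not None:
            for pattern, key in COMMANDS.items():
                match = re.fullmatch(pattern, line)
                if match:
                    current[key] = match.group(1)
    return blocks


def audit_ike_config(text):
    """Return findings as 'type name: message' strings, one per weak setting."""
    cfg = parse_ike_config(text)
    findings = []

    def check(btype, name, body, key, weak, what):
        # Resolve the effective value, falling back to the documented default.
        value = body.get(key, DEFAULTS[btype][key])
        if value in weak:
            note = "" if key in body else " (default, command omitted)"
            findings.append(f"{btype} {name}: {what} {value}{note}")

    for name, body in cfg["proposal"].items():
        check("proposal", name, body, "encryption", WEAK_ENCRYPTION, "weak encryption algorithm")
        check("proposal", name, body, "authentication", WEAK_AUTH, "weak authentication algorithm")
        check("proposal", name, body, "dh-group", WEAK_DH, "weak dh-group")
    for name, body in cfg["policy"].items():
        # IKEv1 aggressive mode transmits the PSK-derived authentication hash
        # before the exchange is encrypted, so the combination is flagged.
        mode = body.get("mode", DEFAULTS["policy"]["mode"])
        method = body.get("authentication-method", DEFAULTS["policy"]["authentication-method"])
        if mode == "aggressive" and method == "pre-shared-key":
            findings.append(f"policy {name}: aggressive mode with pre-shared-key authentication")
    for name, body in cfg["gateway"].items():
        check("gateway", name, body, "version", {"v1-only"}, "IKE version")
        check("gateway", name, body, "dpd-action", {"none"}, "dead-peer-detection action")
    return findings


# Constructed sample: ike_gw1 relies on defaults, ike_gw_strong sets everything.
SAMPLE_CONFIG = """security ike proposal ike_prop1
exit
security ike proposal ike_prop_strong
  encryption algorithm aes256
  authentication algorithm sha2-256
  dh-group 14
exit
security ike policy ike_pol1
  proposal ike_prop1
  mode aggressive
exit
security ike policy ike_pol_strong
  proposal ike_prop_strong
  authentication method rsa-public-key
exit
security ike gateway ike_gw1
  ike-policy ike_pol1
exit
security ike gateway ike_gw_strong
  ike-policy ike_pol_strong
  version v2-only
  dead-peer-detection action restart
exit
"""
```

Running `audit_ike_config(SAMPLE_CONFIG)` yields six findings, all against the blocks that rely on defaults, and none against the hardened ones.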

security ike session uniqueids

This command sets the mode for reconnecting XAUTH clients with one login/password.

The use of a negative form (no) of the command sets the default value.

Syntax
security ike session uniqueids <MODE>
no security ike session uniqueids
Parameters

<MODE> – reconnect mode, may take the following values:

  • no – the established XAUTH connection is deleted if the initiator sends an «INITIAL_CONTACT» notification for the new XAUTH connection, and the previously used IP address is assigned to the new connection. Otherwise, the established XAUTH connection is kept and a new IP address is assigned to the new XAUTH connection.
  • never – the established XAUTH connection is kept and a new IP address is assigned to the new XAUTH connection. The «INITIAL_CONTACT» notification is ignored in any case.
  • replace – the established XAUTH connection is deleted. The previously used IP address is assigned to the new XAUTH connection.
  • keep – the established XAUTH connection is kept. The new XAUTH connection is rejected.
Default value

never

Required privilege level

10

Command mode

CONFIG

Example
esr(config)# security ike session uniqueids replace 

show security ike

The command is used to view a list of gateways, policies or profiles.

Syntax
show security ike { gateway | policy | proposal } [<NAME>]
Parameters

gateway - if the 'gateway' command is specified, the list of configured gateways will be displayed;

policy - when specifying the 'policy' command, a list of configured policies will be displayed;

proposal - if you specify the 'proposal' command, a list of configured profiles will be displayed;

<NAME> – name. If you specify a specific gateway name, policy, profile, detailed information will be displayed.

Required privilege level

10

Command mode

ROOT

Example
esr# show security ike proposal
   Proposal
   ~~~~~~~~
Name           Auth      Encryption         DH   Hash         Lifetime
------------   -------   ----------------   --   ----------   ----------
aaa            pre-sha   3des               1    sha1         3600
               red-key
esr# show security ike policy
   Policy
   ~~~~~~
Name                           Mode         Proposal
----------------------------   ----------   -----------------------------------
ike_pol1                       main         ike_prop1
esr# show security ike gateway ik_gw
Description:                --
IKE Policy:                 ike_pol1
IKE Version:                v1-only
Mode:                       route-based
Binding interface:          vti1
IKE Dead Peer Detection:
    Action:                 none
    Interval:               2
    Timeout:                30

user

This command sets the username for IKE-GATEWAY authentication.

The use of a negative form (no) of the command removes a specified user.

After executing this command, the router enters the user password configuration mode (config-profile).

Syntax
[no] user <NAME>
Parameters

<NAME> – user name, set by the string of up to 31 characters.

Required privilege level

15

Command mode

CONFIG-ACCESS-PROFILE

Example
esr(config-access-profile)# user connecter963

version

This command sets the IKE protocol version.

The use of a negative form (no) of the command sets the default value.

Syntax
version <VERSION>
no version
Parameters

<VERSION> – IKE protocol version: v1-only or v2-only.

Default value

v1-only

Required privilege level

15

Command mode

CONFIG-IKE-GATEWAY

Example
esr(config-ike-gw)# version v2-only

xauth access-profile

This command specifies the local list of users for XAUTH authorization.

The use of a negative form (no) of the command removes a specified profile.

Syntax
[no] xauth access-profile <NAME> [client <USER-NAME>]
Parameters

<NAME> – local XAUTH user list name, set by the string of up to 31 characters;

<USER-NAME> – username from the attached xauth-profile is specified by a string of up to 31 characters.

Required privilege level

15

Command mode

CONFIG-IKE-GATEWAY

Example
esr(config-ike-gw)# xauth access-profile OFFICE

VPN management. IPsec configuration

authentication algorithm

The command sets an authentication algorithm. The use of a negative form (no) of the command sets the default value.

Syntax
authentication algorithm <ALGORITHM>
no authentication algorithm
Parameters

<ALGORITHM> – authentication algorithm, takes values of: md5, sha1, sha2-256, sha2‑384, sha2-512.

Default value

sha1

Required privilege level

15

Command mode

CONFIG-IPSEC-PROPOSAL

Example
esr(config-ipsec-proposal)# authentication algorithm md5

description

This command changes the description.

The use of a negative form (no) of the command removes description.

Syntax
description <DESCRIPTION>
no description
Parameters

<DESCRIPTION> – profile description, set by the string of up to 255 characters.

Required privilege level

10

Command mode

CONFIG-IPSEC-VPN

CONFIG-IPSEC-PROPOSAL

CONFIG-IPSEC-POLICY

Example
esr(config-ipsec-vpn)# description "VPN to Moscow Office"

enable

This command enables IPsec VPN.

The use of a negative form of the command (no) disables IPsec VPN.

Syntax
[no] enable
Parameters

The command does not contain parameters.

Default value

Disabled

Required privilege level

10

Command mode

CONFIG-IPSEC-VPN

Example
esr(config-ipsec-vpn)# enable

encryption algorithm

The command sets encryption algorithm. The use of a negative form (no) of the command sets the default value.

Syntax
encryption algorithm <ALGORITHM>
no encryption algorithm
Parameters

<ALGORITHM> – encryption protocol, takes the following values: null, des, 3des, blowfish128, blowfish192, blowfish256, aes128, aes192, aes256, aes128ctr, aes192ctr, aes256ctr, camellia128, camellia192, camellia256.

Default value

3des

Required privilege level

15

Command mode

CONFIG-IPSEC-PROPOSAL

Example
esr(config-ipsec-proposal)# encryption algorithm blowfish128

ike dscp

The command sets the DSCP code value for the use in IP headers of IKE protocol outgoing packets.

The use of a negative form (no) of the command sets the default DSCP value.

Syntax
ike dscp <DSCP>
no ike dscp
Parameters

<DSCP> – DSCP code value, takes values in the range of [0..63].

Default value

63

Required privilege level

10

Command mode

CONFIG-IPSEC-VPN

Example
esr(config-ipsec-vpn)# ike dscp 40

ike establish-tunnel

This command sets VPN activation mode. This command is relevant only if the 'ike' key agreement mode is selected in VPN. Key agreement mode configuration is described in mode.

The use of a negative form (no) of the command sets the default value.

Syntax
ike establish-tunnel <MODE>
no ike establish-tunnel
Parameters

<MODE> – VPN activation mode:

  • by-request – connection is enabled by an opposing party;
  • route – connection is enabled when there is traffic routed to the tunnel;
  • immediate – tunnel is enabled automatically after applying the configuration.
Required privilege level

15

Command mode

CONFIG-IPSEC-VPN

Example
esr(config-ipsec-vpn)# ike establish-tunnel route

ike gateway

This command binds the IKE gateway to the VPN. This command is relevant only if the 'ike' key agreement mode is selected in VPN. Key agreement mode configuration is described in mode.

Syntax
ike gateway <NAME>
no ike gateway
Parameters

<NAME> – IKE gateway name, set by the string of up to 31 characters.

Required privilege level

10

Command mode

CONFIG-IPSEC-VPN

Example
esr(config-ipsec-vpn)# ike gateway ike_gw1

ike idle-time

This command sets the time interval in seconds after which the connection is closed if no packet has been received or sent via the SA (optional).

The use of a negative form (no) of the command disables this timer.

Syntax
ike idle-time <TIME>
no ike idle-time
Parameters

<TIME> – interval in seconds, takes values of [4..86400].

Required privilege level

10

Command mode

CONFIG-IPSEC-VPN

Example
esr(config-ipsec-vpn)# ike idle-time 3600
CODE

ike rekey disable

This command disables rekeying, so the keys are not renegotiated before the IKE connection expires due to the lifetime timeout, the packet count or the byte count; once the lifetime is reached the connection is dropped and must be re-established.

The use of a negative form (no) of the command re-enables key renegotiation.

Syntax
[no] ike rekey disable
Parameters

The command does not contain parameters.

Default value

Disabled (rekeying is enabled).

Required privilege level

15

Command mode

CONFIG-IPSEC-VPN

Example
esr(config-ipsec-vpn)# ike rekey disable
CODE

ike rekey margin

This command configures how long before the lifetime expires the renegotiation of the IKE connection keys starts.

The use of a negative form (no) of the command sets the default value.

Syntax
ike rekey margin { seconds <SEC> | packets <PACKETS> | kilobytes <KB> }
no ike rekey margin { seconds | packets | kilobytes }
Parameters

<SEC> – time remaining, in seconds, before the lifetime expires (set by the lifetime seconds command, see lifetime) at which rekeying starts. Takes values in the range of [4..86400]. The margin must be smaller than the configured lifetime, otherwise rekeying would be scheduled after the SA has already expired.

<PACKETS> – number of packets remaining before the lifetime expires (set by the lifetime packets command, see lifetime) at which rekeying starts. Takes values in the range of [4..86400].

<KB> – traffic volume in kilobytes remaining before the lifetime expires (set by the lifetime kilobytes command, see lifetime) at which rekeying starts. Takes values in the range of [4..86400].

Default value

- Rekeying before the time lifetime expires – 540 seconds before expiry.

- Rekeying before the traffic volume and packet count lifetimes expire – disabled.

Required privilege level

15

Command mode

CONFIG-IPSEC-VPN

Example
esr(config-ipsec-vpn)# ike rekey margin seconds 1800
CODE

ike rekey randomization

This command sets the random spread applied to the margin seconds, margin packets and margin kilobytes values (optional). Randomizing the margin keeps a large number of tunnels from rekeying at the same instant.

The use of a negative form (no) of the command sets the default value.

Syntax
ike rekey randomization <VALUE>
no ike rekey randomization
Parameters

<VALUE> – maximum random spread, as a percentage of the configured margin value, takes values of [1..100].

Default value

100%

Required privilege level

15

Command mode

CONFIG-IPSEC-VPN

Example
esr(config-ipsec-vpn)# ike rekey randomization 10
CODE

ike ipsec-policy

This command associates the IPsec policy with the VPN. This command is relevant only if the 'ike' key agreement mode is selected in VPN. Key agreement mode configuration is described in mode.

Syntax
ike ipsec-policy <NAME>
no ike ipsec-policy
Parameters

<NAME> – IPsec policy name, set by the string of up to 31 characters.

Required privilege level

15

Command mode

CONFIG-IPSEC-VPN

Example
esr(config-ipsec-vpn)# ike ipsec-policy ipsec_pol1
CODE

lifetime

This command sets the lifetime of the IPsec tunnel.

The use of a negative form (no) of the command sets the default value.

Syntax
lifetime { seconds <SEC> | packets <PACKETS> | kilobytes <KB> }
no lifetime { seconds | packets | kilobytes }
Parameters

<SEC> – IPsec tunnel lifetime in seconds, after which rekeying is carried out. Takes values in the range of [1140..86400] seconds.

<PACKETS> – number of packets after which the IPsec tunnel is rekeyed. Takes values in the range of [4..86400].

<KB> – traffic volume in kilobytes after which the IPsec tunnel is rekeyed. Takes values in the range of [4..86400].

Default value

3600 seconds

Required privilege level

10

Command mode

CONFIG-IPSEC-PROPOSAL

Example
esr(config-ipsec-proposal)# lifetime seconds 3600
CODE

manual authentication algorithm

The command sets an authentication algorithm. This command is relevant only if the 'manual' key agreement mode is selected in VPN. Key agreement mode configuration is described in mode.

The use of a negative form (no) of the command sets the default value.

Syntax
manual authentication algorithm <ALGORITHM>
no manual authentication algorithm
Parameters

<ALGORITHM> – authentication algorithm, takes the following values: md5, md5-128, sha1, sha1-160, aesxcbc, sha2-256, sha2-384, sha2-512. The md5 and sha1 variants are legacy; prefer a sha2 variant.

Default value

none

Required privilege level

15

Command mode

CONFIG-IPSEC-VPN

Example
esr(config-ipsec-vpn)# manual authentication algorithm sha1
CODE

manual authentication key

The command sets an authentication key. This command is relevant only if the 'manual' key agreement mode is selected in VPN. Key agreement mode configuration is described in mode.

Syntax
manual authentication key { ascii-text {<TEXT> | encrypted <ENCRYPTED-TEXT>} | hexadecimal {<HEX> | encrypted <ENCRYPTED-HEX> } }
no manual authentication key
Parameters

<TEXT> – string [1..64] ASCII characters;

<HEX> – number, [1..32] bytes size, set by the string of [2..128] characters in hexadecimal format (0xYYYY ...) or (YYYY ...);

<ENCRYPTED-TEXT> – encrypted password, [1..32] bytes size, set by the string of [2..128] characters;

<ENCRYPTED-HEX> – encrypted number, [2..64] bytes size, set by the string of [2..256] characters.

Required privilege level

15

Command mode

CONFIG-IPSEC-VPN

Example
esr(config-ipsec-vpn)# manual authentication key hexadecimal abcdef
CODE

manual bind-interface vti

This command specifies the tunnel interface through which traffic will pass in the 'route-based' tunnel mode. This command is relevant only if the 'manual' key agreement mode is selected in VPN. Key agreement mode configuration is described in mode.

The use of a negative form (no) of the command sets the default value.

Syntax
manual bind-interface vti <VTI>
no manual bind-interface vti
Parameters

<VTI> – VTI interface index, takes the values:

ESR-10/12V/12VF/14VF – [1..10];

ESR-20/21/100/200 – [1..250];

ESR-1000/1200/1500/1511/1700/3100 – [1..500].

Required privilege level

10

Command mode

CONFIG-IPSEC-VPN

Example
esr(config-ipsec-vpn)# manual bind-interface vti 1
CODE

manual encryption algorithm

The command sets encryption algorithm. This command is relevant only if the 'manual' key agreement mode is selected in VPN. Key agreement mode configuration is described in mode.

The use of a negative form (no) of the command removes a specified value.

Syntax
manual encryption algorithm <ALGORITHM>
no manual encryption algorithm
Parameters

<ALGORITHM> – encryption algorithm, takes the following values: des, 3des, blowfish128, blowfish192, blowfish256, aes128, aes192, aes256, aes128ctr, aes192ctr, aes256ctr, camellia128, camellia192, camellia256. The des, 3des and blowfish variants are legacy ciphers; prefer an AES variant. The key configured with manual encryption key must have the length the chosen algorithm requires (for example 16 bytes for aes128, 32 bytes for aes256).

Default value

3des

Required privilege level

15

Command mode

CONFIG-IPSEC-VPN

Example
esr(config-ipsec-vpn)# manual encryption algorithm blowfish128
CODE

manual encryption key

The command sets encryption key. This command is relevant only if the 'manual' key agreement mode is selected in VPN. Key agreement mode configuration is described in mode.

The use of a negative form (no) of the command removes a specified value.

Syntax
manual encryption key { ascii-text { <TEXT> | encrypted <ENCRYPTED-TEXT> } | hexadecimal { <HEX> | encrypted <ENCRYPTED-HEX> } }
no manual encryption key
Parameters

<TEXT> – string [1..36] ASCII characters;

<HEX> – number, [1..24] bytes size, set by the string of [2..72] characters in hexadecimal format (0xYYYY ...) or (YYYY ...);

<ENCRYPTED-TEXT> – encrypted password, [1..24] bytes size, set by the string of [2..72] characters;

<ENCRYPTED-HEX> – encrypted number, [2..36] bytes size, set by the string of [2..144] characters.

Required privilege level

15

Command mode

CONFIG-IPSEC-VPN

Example
esr(config-ipsec-vpn)# manual encryption key hexadecimal 0x123456
CODE

manual mode

This command sets the mode of traffic redirection to the tunnel. This command is relevant only if the 'manual' key agreement mode is selected in VPN. Key agreement mode configuration is described in mode.

The use of a negative form (no) of the command sets the default value.

Syntax
manual mode <MODE>
no manual mode
Parameters

<MODE> - traffic passing mode:

  • policy-based — traffic is redirected based on the subnets specified in the policies;
  • route-based — traffic is redirected based on routes whose gateway is a tunnel interface.
Required privilege level

10

Command mode

CONFIG-IPSEC-VPN

Example
esr(config-ipsec-vpn)# manual mode route-based
CODE

manual protocol

The command sets encapsulation protocol. This command is relevant only if the 'manual' key agreement mode is selected in VPN. Key agreement mode configuration is described in mode.

The use of a negative form (no) of the command sets the default value.

Syntax
manual protocol <TYPE>
no manual protocol
Parameters

<TYPE> – protocol type, takes the following values:

  • ah - this protocol performs only traffic authentication, data encryption is not performed;
  • esp - this protocol authenticates and encrypts traffic.
Default value

esp

Required privilege level

15

Command mode

CONFIG-IPSEC-VPN

Example
esr(config-ipsec-vpn)# manual protocol ah
CODE

manual spi

This command sets the index of security settings. This command is relevant only if the 'manual' key agreement mode is selected in VPN. Key agreement mode configuration is described in mode.

The use of a negative form (no) of the command removes a specified security parameters index.

Syntax
manual spi <HEX>
no manual spi
Parameters

<HEX> – security parameters index, a 32-bit value set in hexadecimal format (0xYYYY ...) or (YYYY ...), up to 8 characters. The same SPI must be configured on both peers. Note that SPI value 0 is reserved for local use and values 1..255 are reserved by IANA (RFC 4303, section 2.1), so choose a value above 255 for production tunnels.

Required privilege level

15

Command mode

CONFIG-IPSEC-VPN

Example
esr(config-ipsec-vpn)# manual spi FF
CODE

mode

This command selects how the security parameters required for VPN activation (algorithms, keys, SPI) are agreed between the peers: negotiated through the IKE protocol or configured manually on both nodes.

Syntax
mode <MODE>
no mode
Parameters

<MODE> – VPN operation mode:

  • ike – coordination of authentication and encryption algorithms, authentication and encryption keys, security parameter index and other data is carried out through the IKE protocol;
  • manual - the user must configure identical parameters on both nodes for the VPN to work. This mode does not establish an IKE connection between nodes. Each node encrypts and decrypts packets based only on the specified parameters.
Required privilege level

15

Command mode

CONFIG-IPSEC-VPN

Example
esr(config-ipsec-vpn)# mode ike
CODE
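The commands in this section are listed alphabetically, which hides how they fit together. The session below is an added illustration, not configuration from the original page or from the vendor: it builds one VPN in each of the two key agreement modes that the mode command selects, and also shows the rekey settings (ike rekey margin, ike rekey randomization) against the proposal lifetime they count down from. The names ipsec_prop1, ipsec_pol1, ike_gw1, ipsec_vpn1 and ipsec_vpn_manual, the key and SPI values, and the exit keyword are assumptions; the IKE gateway ike_gw1 and the VTI interface 1 are assumed to be configured elsewhere, outside this section, and the proposal-mode authentication algorithm command is assumed to accept sha2-256 as its manual counterpart does. Lines beginning with '!' are commentary, not commands.

```text
! --- IKE mode: proposal -> policy -> VPN --------------------------------
! Proposal: choose ESP with AES-256 and SHA-2 explicitly instead of the
! 3des default, and set the lifetime that the rekey margin counts down from.
esr(config)# security ipsec proposal ipsec_prop1
esr(config-ipsec-proposal)# protocol esp
esr(config-ipsec-proposal)# encryption algorithm aes256
esr(config-ipsec-proposal)# authentication algorithm sha2-256
esr(config-ipsec-proposal)# lifetime seconds 14400
esr(config-ipsec-proposal)# exit

! Policy: the set of proposals offered in the second IKE phase.
esr(config)# security ipsec policy ipsec_pol1
esr(config-ipsec-policy)# proposal ipsec_prop1
esr(config-ipsec-policy)# exit

! VPN negotiated through IKE. Rekeying starts 1800 s before the 14400 s
! lifetime expires, with up to 20 % random spread so that many tunnels do
! not rekey in lockstep; the margin stays well below the lifetime.
esr(config)# security ipsec vpn ipsec_vpn1
esr(config-ipsec-vpn)# mode ike
esr(config-ipsec-vpn)# ike gateway ike_gw1
esr(config-ipsec-vpn)# ike ipsec-policy ipsec_pol1
esr(config-ipsec-vpn)# ike establish-tunnel route
esr(config-ipsec-vpn)# ike rekey margin seconds 1800
esr(config-ipsec-vpn)# ike rekey randomization 20
esr(config-ipsec-vpn)# ike idle-time 3600
esr(config-ipsec-vpn)# exit

! --- Manual mode: no IKE, both peers must carry identical parameters ---
! Key lengths must match the algorithms: 16 bytes (32 hex digits) for
! aes128 and 32 bytes (64 hex digits) for the HMAC-SHA-256 key. The values
! below are placeholders: generate real keys from a CSPRNG, never reuse
! them across tunnels, and rotate them, because manual SAs never rekey.
! The SPI is above the IANA-reserved range 1..255 and must be the same on
! both ends.
esr(config)# security ipsec vpn ipsec_vpn_manual
esr(config-ipsec-vpn)# mode manual
esr(config-ipsec-vpn)# manual protocol esp
esr(config-ipsec-vpn)# manual encryption algorithm aes128
esr(config-ipsec-vpn)# manual encryption key hexadecimal 0x00112233445566778899aabbccddeeff
esr(config-ipsec-vpn)# manual authentication algorithm sha2-256
esr(config-ipsec-vpn)# manual authentication key hexadecimal 0x000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
esr(config-ipsec-vpn)# manual spi 0x00001000
esr(config-ipsec-vpn)# manual mode route-based
esr(config-ipsec-vpn)# manual bind-interface vti 1
esr(config-ipsec-vpn)# exit

! Verification: configured parameters and the negotiated state of the IKE VPN.
esr# show security ipsec proposal ipsec_prop1
esr# show security ipsec vpn configuration ipsec_vpn1
esr# show security ipsec vpn status ipsec_vpn1
```

The manual-mode VPN appears neither in show security ipsec vpn status nor in show security ipsec vpn authentication, since both only cover VPNs that establish a connection through IKE; its configuration can still be inspected with show security ipsec vpn configuration.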

proposal

This command binds IPsec protocol set profiles to the policy.

The use of a negative form (no) of the command removes a bind to a specified profile.

Syntax
[no] proposal <NAME>
Parameters

<NAME> – IPsec protocol set profile name, set by the string of up to 31 characters.

Required privilege level

15

Command mode

CONFIG-IPSEC-POLICY

Example
esr(config-ipsec-policy)# proposal ipsec_prop1
CODE

protocol

The command sets encapsulation protocol.

The use of a negative form (no) of the command sets the default value.

Syntax
protocol <PROTOCOL>
no protocol
Parameters

<PROTOCOL> – encapsulation protocol, takes the following values:

  • ah - this protocol performs only traffic authentication, data encryption is not performed;
  • esp - this protocol authenticates and encrypts traffic.
Default value

esp

Required privilege level

15

Command mode

CONFIG-IPSEC-PROPOSAL

Example
esr(config-ipsec-proposal)# protocol ah
CODE

security ipsec policy

This command creates an IPsec policy, a set of IPsec proposal profiles that are offered when the second phase of the IKE protocol (the IPsec SA) is negotiated.

The use of a negative form (no) of the command removes the specified policy.

The command sets the command line mode to SECURITY IPSEC POLICY.

Syntax
[no] security ipsec policy <NAME>
Parameters

<NAME> – IPsec policy name, set by the string of up to 31 characters. The use of a negative form (no) of the command with ‘all’ parameter removes all IPsec policy.

Required privilege level

10

Command mode

CONFIG

Example
esr(config)# security ipsec policy ipsec_pol1
esr(config-ipsec-policy)#
CODE

security ipsec proposal

This command creates a profile for the IPsec protocol suite. The IPsec profile includes the parameters of the encryption and authentication algorithms, the security protocol of the IPsec tunnel connection, and the lifetime of the connection.

The use of a negative form (no) of the command removes a specified profile.

The command sets the command line mode to SECURITY IPSEC PROPOSAL.

Syntax
[no] security ipsec proposal <NAME>
Parameters

<NAME> – IPsec profile name, set by the string of up to 31 characters. The use of a negative form (no) of the command with 'all' parameter removes all IPsec profiles.

Required privilege level

10

Command mode

CONFIG

Example
esr(config)# security ipsec proposal ipsec_prop1
esr(config-ipsec-proposal)#
CODE

security ipsec vpn

This command creates a VPN based on the IPsec protocol suite and sets the SECURITY IPSEC VPN command mode.

The use of a negative form (no) of the command removes a configured VPN.

Syntax
[no] security ipsec vpn <NAME>
Parameters

<NAME> – VPN name, set by the string of up to 31 characters. The use of a negative form (no) of the command with ‘all’ parameter removes all VPN.

Required privilege level

10

Command mode

CONFIG

Example
esr(config)# security ipsec vpn ipsec_vpn1
esr(config-ipsec-vpn)#
CODE

show security ipsec

This command displays the VPN configurations, policies, and IPsec protocol suite profiles.

Syntax
show security ipsec { vpn { configuration | status } | policy | proposal } [<NAME>]
Parameters

vpn configuration – if this command is specified, the configuration of all VPNs will be displayed;

vpn status – if this command is specified, the operational status of all VPNs will be displayed;

policy — specifying this command will display a list of configured IPsec protocol set policies;

proposal - specifying this command will display a list of configured IPsec protocol set profiles;

<NAME> – name. If you specify a specific name of VPN, policy, or profile detailed information will be displayed.

Required privilege level

10

Command mode

ROOT

Example
esr# show security ipsec proposal
   Proposal
   ~~~~~~~~
Name                    Prot   Enc. alg.          Auth. alg.        Lifetime
---------------------   ----   ----------------   ---------------   -----------
ipsec_prop1             esp    aes128             sha1              28800 sec
esr# show security ipsec policy
Name                   Description           Proposal
--------------------   -------------------   -----------------------------------
ipsec_pol1                                   ipsec_prop1
esr# show security ipsec vpn configuration IPSECVPN
Description:                --
State:                      Enabled
IKE:
    Establish tunnel:           immediate
    IPsec policy:               IPSECPOLICY
    IKE gateway:                IKEGW
    IKE DSCP:                   63
    IKE idle-time:              0s
    IKE rekeying:               Enabled
        Margin time:                540s
        Margin kilobytes:           0
        Margin packets:             0
        Randomization:              100%
CODE

show security ipsec vpn authentication

This command allows you to see the list and parameters of the connected IPsec-VPN clients.

Syntax
show security ipsec vpn authentication <NAME> [ vrf <VRF> ]
Parameters

<NAME> – IPsec VPN name, set by the string of up to 31 characters.

<VRF> – VRF instance name, set by the string of up to 31 characters, in which the IPsec VPN operates.

Required privilege level

10

Command mode

ROOT

Example
esr# show security ipsec vpn authentication
Local host        Remote host       Local subnet          Remote subnet         Authentication                              State 
---------------   ---------------   -------------------   -------------------   -----------------------------------------   ----------- 
2.2.2.1           2.2.2.2           192.168.2.0/24        192.168.1.1/32        Xauth PSK, login: ipsec                     Established
CODE

show security ipsec vpn status

This command shows the status of all VPNs that establish a connection through the IKE protocol or a specific VPN when specifying its name.

Syntax
show security ipsec vpn status [ vrf <VRF> ] [ <NAME> ]
Parameters

<NAME> – VPN name, set by the string of up to 31 characters.

<VRF> – VRF instance name, set by the string of up to 31 characters.

Required privilege level

10

Command mode

ROOT

Example
esr# show security ipsec vpn status
Name      Local host   Remote host  Initiator spi       Responder spi        State
--------- ------------ ------------ ---------------     ---------------      ------
ipsec_vpn1 10.100.14.1 10.100.14.2  0x05d8e0ac3543f0cb  0xcfa1c4179d001154   Established
CODE