IPsec VPN configuration
VPN management. IKE configuration
access profile
The command creates a user configuration profile for IKE-GATEWAY with the specified name and switches to profile configuration mode.
The use of a negative form (no) of the command removes the specified user configuration profile for IKE-GATEWAY.
Syntax
[no] access profile <NAME>
Parameters
<NAME> – IKE-GATEWAY user profile name, set by the string of up to 31 characters.
Required privilege level
15
Command mode
CONFIG
Example
esr(config)# access profile OFFICE
address-assignment pool
The command creates an address pool and configures parameters for the dynamic configuration of IPsec clients.
The use of a negative form (no) of the command removes the address pool.
Syntax
[no] address-assignment pool <NAME>
Parameters
<NAME> – addresses pool name, set by the string of up to 31 characters.
Required privilege level
10
Command mode
CONFIG
Example
esr(config)# address-assignment pool CENTER
esr(config-pool)#
assign-interface
This command specifies a loopback interface for assigning a dynamic address received from an IPsec-VPN server.
The use of a negative form of the command (no) removes the loopback interface used to assign a dynamic address received from the IPsec-VPN server.
Syntax
assign-interface loopback <LOOPBACK>[-<LOOPBACK>]
no assign-interface
Parameters
<LOOPBACK> – number of the loopback interface created earlier, takes a value in the range [1..8].
Default value
None
Required privilege level
10
Command mode
CONFIG-IKE-GW
Example
esr(config-ike-gw)# assign-interface loopback 3
authentication algorithm
This command sets the authentication algorithm used to authenticate messages of an established IKE connection. While the IKE connection is being established, messages are authenticated by key (see section password).
The use of a negative form (no) of the command sets the default value.
Syntax
authentication algorithm <ALGORITHM>
no authentication algorithm
Parameters
<ALGORITHM> – authentication algorithm, takes values of: md5, sha1, sha2-256, sha2-384, sha2-512.
Default value
sha1
Required privilege level
15
Command mode
CONFIG-IKE-PROPOSAL
Example
esr(config-ike-proposal)# authentication algorithm md5
authentication mode
This command sets the XAUTH authentication mode of remote users connecting via IPsec.
The use of a negative form (no) of the command removes a set mode.
Syntax
authentication mode { local | radius | client }
no authentication mode
Parameters
local – authentication against the local user base of the configured profile;
radius – user authentication is performed via a RADIUS server;
client – mode used by the XAUTH client.
Required privilege level
15
Command mode
CONFIG-IKE-POLICY
Example
esr(config-ike-policy)# authentication mode local
authentication method
This command selects the key authentication method for the IKE connection. Message authentication by key is used while an IKE connection is being established; the key is set in the IKE policy (see section pre-shared-key). After the IKE connection is established, message authentication is performed with a hashing algorithm.
The use of a negative form (no) of the command sets the default value.
Syntax
authentication method <METHOD>
no authentication method
Parameters
<METHOD> – key authentication method. May take the following values:
- pre-shared-key – authentication with a pre-shared key;
- rsa-public-key – authentication with an RSA certificate;
- xauth-psk-key – extended authentication using a local or remote user database.
Default value
pre-shared-key
Required privilege level
15
Command mode
CONFIG-IKE-POLICY
Example
esr(config-ike-policy)# authentication method pre-shared-key
bind-interface vti
This command specifies the tunnel interface through which traffic will pass in the 'route-based' tunnel mode.
The use of a negative form (no) of the command removes the binding to the tunnel interface.
Syntax
bind-interface vti <VTI>
no bind-interface vti
Parameters
<VTI> – VTI ID.
Required privilege level
10
Command mode
CONFIG-IKE-GATEWAY
Example
esr(config-ike-gw)# bind-interface vti 1
certificate
This command assigns a certificate, key or identity to the IKE policy.
The use of a negative form (no) of the command removes the certificate name from the configuration.
Syntax
certificate <CERTIFICATE-TYPE> <NAME>
no certificate <CERTIFICATE-TYPE>
Parameters
<CERTIFICATE-TYPE> – certificate or key type, may take the following values:
- ca – certificate authority certificate;
- crl – certificate revocation list;
- local-crt – local side certificate;
- local-crt-key – RSA key of the local side certificate;
- local-id – local side ID. The keyword «any» disables verification of the Subject attribute fields of the local certificate;
- remote-crt – remote side certificate. Instead of a file name, the keyword «any» may be used to accept the remote party's public key over the network;
- remote-id – remote side ID. The keyword «any» disables verification of the Subject attribute fields of the remote party's certificate;
<NAME> – certificate or key name, set by the string of up to 31 characters.
Default value
None
Required privilege level
15
Command mode
CONFIG-IKE-POLICY
Example
esr(config-ike-policy)# certificate ca KEY
data-tunnel address
This command specifies the IP address for building a GRE data tunnel; the address is sent to a client connected via IPsec with dynamic parameter configuration. The GRE data tunnel must be supported on the client side (requires the ELTEX_DATA_IP (28684) attribute).
The use of a negative form (no) of the command removes the IP address for GRE data tunnel building.
Syntax
data-tunnel address <ADDR>
no data-tunnel address
Parameters
<ADDR> – IP address for GRE data tunnel building, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255].
Default value
None
Required privilege level
10
Command mode
CONFIG-POOL
Example
esr(config-pool)# data-tunnel address 192.168.2.66
dead-peer-detection action
This command sets the action the device takes when the Dead Peer Detection mechanism finds the IPsec neighbor unavailable.
Dead Peer Detection (DPD) is a mechanism for checking the status and availability of neighboring devices. It periodically sends R-U-THERE messages (IKE version 1) or empty INFORMATIONAL messages (IKE version 2) to check the availability of the IPsec neighbor.
The use of a negative form (no) of the command sets the default value.
Syntax
dead-peer-detection action <MODE>
no dead-peer-detection action
Parameters
<MODE> – DPD operation mode:
- restart – the connection is restarted;
- clear – the connection is closed;
- hold – the connection is held;
- none – the mechanism is disabled, no action is taken.
Default value
none
Required privilege level
10
Command mode
CONFIG-IKE-GATEWAY
Example
esr(config-ike-gw)# dead-peer-detection action clear
dead-peer-detection interval
This command sets the interval between sending messages by the DPD mechanism.
The DPD mechanism is described in section dead-peer-detection action.
The use of a negative form (no) of the command sets the default value.
Syntax
dead-peer-detection interval <SEC>
no dead-peer-detection interval
Parameters
<SEC> – interval between sending messages via DPD mechanism, takes values of [1..180] seconds.
Default value
2 seconds
Required privilege level
10
Command mode
CONFIG-IKE-GATEWAY
Example
esr(config-ike-gw)# dead-peer-detection interval 15
dead-peer-detection timeout
This command sets the response timeout for messages sent by the DPD mechanism.
The DPD mechanism is described in section dead-peer-detection action.
The use of a negative form (no) of the command sets the default value.
Syntax
dead-peer-detection timeout <SEC>
no dead-peer-detection timeout
Parameters
<SEC> – time interval of response to DPD mechanism messages, takes values of [1..180] seconds.
Default value
30 seconds
Required privilege level
10
Command mode
CONFIG-IKE-GATEWAY
Example
esr(config-ike-gw)# dead-peer-detection timeout 60
description
The command sets the description of an IKE proposal, policy or gateway.
The use of a negative form (no) of the command removes description.
Syntax
description <DESCRIPTION>
no description
Parameters
<DESCRIPTION> – profile description, set by the string of up to 255 characters.
Required privilege level
10
Command mode
CONFIG-IKE-PROPOSAL
CONFIG-IKE-POLICY
CONFIG-IKE-GATEWAY
Example
esr(config-ike-proposal)# description "my proposal"
dh-group
This command sets the Diffie-Hellman group number. The group number defines the security level of the IKE key exchange: security increases with the group number, but so does the connection establishment time.
The use of a negative form (no) of the command sets the default value.
Syntax
dh-group <DH-GROUP>
no dh-group
Parameters
<DH-GROUP> – Diffie-Hellman group number, takes values of [1, 2, 5, 14, 15, 16, 17, 18].
Default value
1
Required privilege level
15
Command mode
CONFIG-IKE-PROPOSAL
Example
esr(config-ike-proposal)# dh-group 5
encryption algorithm
This command selects the encryption algorithm used when establishing an IKE connection.
The use of a negative form (no) of the command sets the default value.
Syntax
encryption algorithm <ALGORITHM>
no encryption algorithm
Parameters
<ALGORITHM> – encryption algorithm, takes the following values: des, 3des, blowfish128, blowfish192, blowfish256, aes128, aes192, aes256, aes128ctr, aes192ctr, aes256ctr, camellia128, camellia192, camellia256.
Default value
3des
Required privilege level
15
Command mode
CONFIG-IKE-PROPOSAL
Example
esr(config-ike-proposal)# encryption algorithm aes128
ike-policy
This command establishes the binding of the IKE protocol policy to the gateway.
The use of a negative form (no) of the command removes the policy binding.
Syntax
[no] ike-policy <NAME>
Parameters
<NAME> – IKE protocol policy name, set by the string of up to 31 characters.
Required privilege level
15
Command mode
CONFIG-IKE-GATEWAY
Example
esr(config-ike-gw)# ike-policy ike_pol1
ip prefix
This command specifies the address pool from which addresses will be issued to IPsec clients.
The use of a negative form (no) of the command removes the address pool from which addresses will be issued to IPsec clients.
Syntax
ip prefix <ADDR/LEN>
no ip prefix
Parameters
<ADDR/LEN> – IP subnet, defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and EE takes values of [1..32].
Default value
Unspecified.
Required privilege level
10
Command mode
CONFIG-POOL
Example
esr(config-pool)# ip prefix 192.168.0.0/16
lifetime seconds
This command sets the lifetime of the IKE protocol connection.
The use of a negative form (no) of the command sets the default value.
Syntax
lifetime seconds <SEC>
no lifetime seconds
Parameters
<SEC> – time interval, takes values of [4..86400] seconds.
Default value
10800 seconds
Required privilege level
10
Command mode
CONFIG-IKE-POLICY
Example
esr(config-ike-policy)# lifetime seconds 21600
local address
The command sets the IP address of the local IPsec tunnel gateway.
The use of a negative form (no) of the command removes the local gateway IP address.
Syntax
local address <ADDR>
no local address
Parameters
<ADDR> – IP address of a local gateway.
Required privilege level
10
Command mode
CONFIG-IKE-GATEWAY
Example
esr(config-ike-gw)# local address 192.168.1.1
local interface
The command uses the IP address assigned to the specified interface as the local IPsec tunnel gateway address.
The use of a negative form (no) of the command stops using the interface address as the local gateway address.
Syntax
local interface <IF>
no local interface
Parameters
<IF> – interface type and identifier specified in the form described in Section Types and naming order of router interfaces.
Required privilege level
10
Command mode
CONFIG-IKE-GW
Example
esr(config-ike-gw)# local interface gigabitethernet 1/0/1
local network
This command sets the sender's IP subnet and, optionally, the IP protocol and port. Traffic matching the specified criteria is sent into the IPsec tunnel.
The use of a negative form (no) of the command removes the sender's subnet IP address.
Syntax
[no] local network <ADDR/LEN> [ protocol { <TYPE> | <ID> } [ port <PORT> ] ]
Parameters
<ADDR/LEN> – IP subnet of a sender. The parameter is defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and EE takes values of [1..32];
<TYPE> – protocol type, takes the following values: esp, icmp, ah, eigrp, ospf, igmp, ipip, tcp, pim, udp, vrrp, rdp, l2tp, gre;
<ID> – IP protocol number, takes values of [0x00-0xFF];
<PORT> – TCP/UDP port, takes values of [1..65535].
Required privilege level
10
Command mode
CONFIG-IKE-GATEWAY
Example
esr(config-ike-gw)# local network 192.168.1.0/24 protocol tcp port 22
management-tunnel address
This command specifies the tunnel IP address for building a GRE management tunnel; the address is sent to a client connected via IPsec with dynamic parameter configuration. The GRE management tunnel must be supported on the client side (requires the ELTEX_MANAGEMENT_IP (28683) attribute).
The use of a negative form (no) of the command removes the tunnel IP address for GRE management tunnel building.
Syntax
management-tunnel address <ADDR>
no management-tunnel address
Parameters
<ADDR> – IP address for GRE management tunnel building, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255].
Default value
None
Required privilege level
10
Command mode
CONFIG-POOL
Example
esr(config-pool)# management-tunnel address 192.168.2.87
mobike disable
This command disables the connection initiator's ability to change its network attachment point, so that only the IP address given as the local address parameter is used.
The use of a negative form (no) of the command re-enables automatic selection of the local address when the address specified in the configuration is unavailable.
Syntax
[ no ] mobike disable
Parameters
None.
Default value
Enabled.
Required privilege level
10
Command mode
CONFIG-IKE-GATEWAY
Example
esr(config-ike-gateway)# mobike disable
mode
This command sets the negotiation mode for the first phase of the IKE protocol.
The use of a negative form (no) of the command sets the default value.
Syntax
mode <MODE>
no mode
Parameters
<MODE> – first IKE phase mode, may take values:
- main – consists of three bilateral exchanges between the sender and the recipient:
  - during the first exchange, the authentication and encryption algorithms that will protect the IKE connection are negotiated by matching the IKE protocol profiles of each node;
  - using the Diffie-Hellman algorithm, the parties establish a shared secret key. The nodes also verify each other's identity by sending and confirming a sequence of pseudo-random numbers;
  - the identity of the opposite side is checked. As a result of main mode, a secure channel is created for the second phase of the IKE protocol.
- aggressive – this mode requires fewer exchanges and, accordingly, fewer packets:
  - in the first message the initiator sends the information used to establish the IKE connection: a proposal of SA parameters, the initiation of a Diffie-Hellman exchange, a pseudo-random number and a packet identifier;
  - in the second message the responder accepts the SA, authenticates the initiator, and sends a pseudo-random number and its IKE identifier;
  - in the third message the initiator authenticates the responder and confirms the exchange.
Default value
main
Required privilege level
15
Command mode
CONFIG-IKE-POLICY
Example
esr(config-ike-policy)# mode aggressive
mode
This command sets the mode of traffic redirection to the tunnel.
The use of a negative form (no) of the command sets the default value.
Syntax
mode <MODE>
no mode
Parameters
<MODE> – mode of traffic redirection into the tunnel, takes the following values:
- policy-based – traffic is redirected based on the subnets specified in the policies;
- route-based – traffic is redirected based on routes whose gateway is a tunnel interface.
Required privilege level
10
Command mode
CONFIG-IKE-GATEWAY
Example
esr(config-ike-gw)# mode route-based
password
This command sets the user password for IKE-GATEWAY. The password can be set either in clear text or as a sha512 hash.
The use of a negative form (no) of the command removes the user's password for IKE-GATEWAY from the system.
Syntax
password ascii-text { <CLEAR-TEXT> | encrypted <HASH_SHA512> }
no password
Parameters
<CLEAR-TEXT> – password, set by the string of 8 to 32 characters, takes the value of [0-9a-fA-F].
<HASH_SHA512> – password hash computed with the sha512 algorithm, set by the string of 110 characters.
Required privilege level
15
Command mode
CONFIG-PROFILE
Example
esr(config-profile)# password ascii-text tteesstt
password local-crt-key
This command sets the password for the encrypted certificate chain (certificates are assigned with the certificate command).
The use of a negative form (no) of the command removes the password.
Syntax
password local-crt-key ascii-text { <CLEAR-TEXT> | encrypted <HASH_SHA512> }
no password local-crt-key
Parameters
<CLEAR-TEXT> – password, set by the string of 8 to 32 characters, takes the value of [0-9a-fA-F].
<HASH_SHA512> – password hash computed with the sha512 algorithm, set by the string of 110 characters.
Required privilege level
15
Command mode
CONFIG-IKE-POLICY
Example
esr(config-ike-policy)# password local-crt-key ascii-text tteesstt
pfs dh-group
This command sets the Diffie-Hellman group number. The group number defines the security level of the IPsec key exchange: security increases with the group number, but so does the connection establishment time.
The use of a negative form (no) of the command sets the default value.
Syntax
pfs dh-group <DH-GROUP>
no pfs dh-group
Parameters
<DH-GROUP> – Diffie-Hellman group number, takes values of [1, 2, 5, 14, 15, 16, 17, 18].
Default value
1
Required privilege level
15
Command mode
CONFIG-IPSEC-PROPOSAL
Example
esr(config-ipsec-proposal)# pfs dh-group 5
pre-shared-key
This command specifies a shared secret authentication key that should be the same for both parties of the tunnel.
The use of a negative form (no) of the command removes a set key.
Syntax
pre-shared-key { ascii-text { <TEXT> | encrypted <ENCRYPTED-TEXT> } | hexadecimal { <HEX> | encrypted <ENCRYPTED-HEX> } }
no pre-shared-key
Parameters
<TEXT> – string of [1..64] ASCII characters;
<HEX> – number of [1..32] bytes, set by a string of [2..128] characters in hexadecimal format (0xYYYY ...) or (YYYY ...);
<ENCRYPTED-TEXT> – encrypted password of [1..32] bytes, set by a string of [2..128] characters;
<ENCRYPTED-HEX> – encrypted number of [2..64] bytes, set by a string of [2..256] characters.
Default value
none
Required privilege level
15
Command mode
CONFIG-IKE-POLICY
Example
esr(config-ike-policy)# pre-shared-key hexadecimal abc123
proposal
This command establishes the binding of the IKE protocol profile to the policy.
The use of a negative form (no) of the command removes IKE protocol profile binding.
Syntax
[no] proposal <NAME>
Parameters
<NAME> – IKE protocol profile name, set by the string of up to 31 characters.
Required privilege level
15
Command mode
CONFIG-IKE-POLICY
Example
esr(config-ike-policy)# proposal ike_prop1
remote address
The command sets IP address of a remote IPsec tunnel gateway.
The use of a negative form (no) of the command removes remote gateway IP address.
Syntax
remote address { <ADDR> | any }
no remote address
Parameters
<ADDR> – IP address of a remote gateway.
any – key that allows you to receive requests to establish an IKE session from any IP address.
Required privilege level
10
Command mode
CONFIG-IKE-GATEWAY
Example
esr(config-ike-gw)# remote address 192.168.1.2
remote network
This command sets the receiver's IP subnet and, optionally, the IP protocol and port, or assigns a dynamic address pool for remote XAUTH clients. Traffic matching the specified criteria is sent into the IPsec tunnel.
The use of a negative form (no) of the command removes the receiver's subnet IP address.
Syntax
remote network { dynamic pool <POOL> | <ADDR/LEN> [ protocol { <TYPE> | <ID> } [ port <PORT> ] ] | any }
no remote network { dynamic pool |<ADDR/LEN> [ protocol { <TYPE> | <ID> } [ port <PORT> ] ] | any }
Parameters
<POOL> – dedicated dynamic address pool for XAUTH clients;
<ADDR/LEN> – IP subnet of a recipient. The parameter is defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and EE takes values of [1..32];
<TYPE> – protocol type, takes the following values: esp, icmp, ah, eigrp, ospf, igmp, ipip, tcp, pim, udp, vrrp, rdp, l2tp, gre;
<ID> – IP protocol number, takes values of [0x00-0xFF];
<PORT> – TCP/UDP port, takes values of [1..65535];
any – keyword indicating that all outgoing traffic must be encrypted.
Required privilege level
10
Command mode
CONFIG-IKE-GATEWAY
Example
esr(config-ike-gw)# remote network 192.168.0.0/24 protocol tcp port 22
remote network dynamic client
This command enables receiving a list of remote networks from an IPsec-VPN server.
The use of a negative form of the command (no) disables the reception of a list of remote networks from the IPsec-VPN server.
Syntax
[no] remote network dynamic client
Parameters
None.
Default value
Disabled.
Required privilege level
10
Command mode
CONFIG-IKE-GW
Example
esr(config-ike-gw)# remote network dynamic client
security ike gateway
This command switches to the IKE gateway configuration mode (SECURITY IKE GATEWAY). If an IKE gateway with the specified name does not exist in the configuration, it is created. Gateway parameters include the VTI interface to which traffic is sent, the IKE policy and protocol version, and the mode of forwarding traffic into the tunnel.
The use of a negative form (no) of the command removes the IKE protocol gateway.
Syntax
[no] security ike gateway <NAME>
Parameters
<NAME> – IKE protocol gateway name, set by the string of up to 31 characters. The use of a negative form (no) of the command with the 'all' parameter removes all IKE gateways.
Required privilege level
10
Command mode
CONFIG
Example
esr(config)# security ike gateway ike_gw1
esr(config-ike-gw)#
security ike policy
This command creates an IKE policy that includes IKE protocol profiles, a shared secret key for authentication, and the negotiation mode for the first phase of the IKE protocol. The command switches the command line to SECURITY IKE POLICY mode.
The use of a negative form (no) of the command removes the specified policy.
Syntax
[no] security ike policy <NAME>
Parameters
<NAME> – IKE policy name, set by the string of up to 31 characters. The use of a negative form (no) of the command with the 'all' parameter removes all IKE policies.
Required privilege level
10
Command mode
CONFIG
Example
esr(config)# security ike policy ike_pol1
esr(config-ike-policy)#
security ike proposal
This command creates an Internet Key Exchange (IKE) protocol profile that includes the encryption and authentication algorithms and the Diffie-Hellman group used when negotiating IKE parameters with the opposite side of the VPN connection to create the Security Association (SA). In addition, the profile sets the SA lifetime.
The use of a negative form (no) of the command removes the specified profile.
Syntax
[no] security ike proposal <NAME>
Parameters
<NAME> – IKE protocol profile name, set by the string of up to 31 characters. The use of a negative form (no) of the command with the 'all' parameter removes all IKE profiles.
Required privilege level
10
Command mode
CONFIG
Example
esr(config)# security ike proposal ike_prop1
esr(config-ike-proposal)#
security ike session uniqueids
This command sets how XAUTH clients that reconnect with the same login/password are handled.
The use of a negative form (no) of the command sets the default value.
Syntax
security ike session uniqueids <MODE>
no security ike session uniqueids
Parameters
<MODE> – reconnect mode, may take the following values:
- no – the established XAUTH connection is deleted if the initiator of the new XAUTH connection sends an «INITIAL_CONTACT» notification, and the previously used IP address is assigned to the new connection. Otherwise the established XAUTH connection is kept and a new IP address is assigned to the new XAUTH connection.
- never – the established XAUTH connection is kept and a new IP address is assigned to the new XAUTH connection. The «INITIAL_CONTACT» notification is ignored in any case.
- replace – the established XAUTH connection is deleted. The previously used IP address is assigned to the new XAUTH connection.
- keep – the established XAUTH connection is kept. The new XAUTH connection is rejected.
Default value
never
Required privilege level
10
Command mode
CONFIG
Example
esr(config)# security ike session uniqueids replace
show security ike
The command displays the list of gateways, policies or profiles.
Syntax
show security ike { gateway | policy | proposal } [<NAME>]
Parameters
gateway – displays the list of configured gateways;
policy – displays the list of configured policies;
proposal – displays the list of configured profiles;
<NAME> – name. If a specific gateway, policy or profile name is given, detailed information about it is displayed.
Required privilege level
10
Command mode
ROOT
Example
esr# show security ike proposal
Proposal
~~~~~~~~
Name         Auth    Encryption       DH Hash       Lifetime
------------ ------- ---------------- -- ---------- ----------
aaa          pre-sha 3des             1  sha1       3600
             red-key
esr# show security ike policy
Policy
~~~~~~
Name                         Mode       Proposal
---------------------------- ---------- -----------------------------------
ike_pol1                     main       ike_prop1
esr# show security ike gateway ik_gw
Description: --
IKE Policy: ike_pol1
IKE Version: v1-only
Mode: route-based
Binding interface: vti1
IKE Dead Peer Detection:
    Action: none
    Interval: 2
    Timeout: 30
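The defaults this section documents for an IKE proposal (sha1, 3des, dh-group 1) are all weak by current standards, so a proposal created with just a name and never tuned is worth catching. The following is an added example, not part of the manual or the ESR firmware: it parses the `show security ike proposal` table in the layout shown above (a constructed sample, including the wrapped Auth column), flags weak settings, and emits corrective commands in this section's syntax. The weak/acceptable classification is the editor's, not the manual's.

```python
"""Audit `show security ike proposal` output for weak IKE settings (added example)."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample in the manual's table layout; not captured from a device.
# The Auth column wraps onto a continuation line ("pre-sha" / "red-key"), as it
# does in the manual's own output, so the parser has to glue the two halves.
SAMPLE_OUTPUT = """\
esr# show security ike proposal
Proposal
~~~~~~~~
Name         Auth    Encryption       DH Hash       Lifetime
------------ ------- ---------------- -- ---------- ----------
aaa          pre-sha 3des             1  sha1       3600
             red-key
ike_prop1    pre-sha aes256           14 sha2-256   10800
             red-key
"""

# Classification is the editor's assessment, not the manual's. The manual's
# defaults (sha1, 3des, dh-group 1) all fall into the weak sets, so a proposal
# that was created and never tuned is reported as still at factory defaults.
WEAK_HASH = {"md5", "sha1"}
WEAK_ENCRYPTION = {"null", "des", "3des"}   # blowfish* is also treated as weak below
WEAK_DH_GROUPS = {1, 2, 5}                   # 768-, 1024- and 1536-bit MODP groups
DEFAULTS = ("sha1", "3des", 1)               # (hash, encryption, dh-group) per the manual


@dataclass
class Proposal:
    name: str
    auth: str
    encryption: str
    dh_group: int
    hash_alg: str
    lifetime: int


def parse_proposals(text: str) -> list[Proposal]:
    """Parse the rows under the dashed ruler line into Proposal records."""
    proposals: list[Proposal] = []
    in_table = False
    for line in text.splitlines():
        if line.lstrip().startswith("----"):
            in_table = True                   # everything after the ruler is data
            continue
        if not in_table or not line.strip():
            continue
        tokens = line.split()
        if len(tokens) == 1 and proposals:
            proposals[-1].auth += tokens[0]   # wrapped Auth column continuation
            continue
        if len(tokens) != 6:
            raise ValueError(f"unexpected row: {line!r}")
        name, auth, enc, dh, hash_alg, lifetime = tokens
        proposals.append(Proposal(name, auth, enc, int(dh), hash_alg, int(lifetime)))
    return proposals


def _weak_encryption(alg: str) -> bool:
    return alg in WEAK_ENCRYPTION or alg.startswith("blowfish")


def audit(p: Proposal) -> list[str]:
    """Return human-readable findings for one proposal (empty list = acceptable)."""
    findings = []
    if p.hash_alg in WEAK_HASH:
        findings.append(f"{p.name}: authentication algorithm {p.hash_alg} is weak")
    if _weak_encryption(p.encryption):
        findings.append(f"{p.name}: encryption algorithm {p.encryption} is weak")
    if p.dh_group in WEAK_DH_GROUPS:
        findings.append(f"{p.name}: dh-group {p.dh_group} is below 2048 bits")
    if (p.hash_alg, p.encryption, p.dh_group) == DEFAULTS:
        findings.append(f"{p.name}: still at factory defaults, never hardened")
    return findings


def remediation(p: Proposal) -> list[str]:
    """CLI lines, in this section's command syntax, that fix every finding."""
    lines = [f"security ike proposal {p.name}"]
    if p.hash_alg in WEAK_HASH:
        lines.append("  authentication algorithm sha2-256")
    if _weak_encryption(p.encryption):
        lines.append("  encryption algorithm aes256")
    if p.dh_group in WEAK_DH_GROUPS:
        lines.append("  dh-group 14")
    return lines if len(lines) > 1 else []     # nothing to change: no commands


if __name__ == "__main__":
    for prop in parse_proposals(SAMPLE_OUTPUT):
        for finding in audit(prop):
            print(finding)
        print("\n".join(remediation(prop)))
```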
user
This command sets the username for IKE-GATEWAY authentication.
The use of a negative form (no) of the command removes a specified user.
After executing this command, the router enters the user password configuration mode (config-profile).
Syntax
[no] user <NAME>
Parameters
<NAME> – user name, set by the string of up to 31 characters.
Required privilege level
15
Command mode
CONFIG-ACCESS-PROFILE
Example
esr(config-access-profile)# user connecter963
version
This command sets the IKE protocol version.
The use of a negative form (no) of the command sets the default value.
Syntax
version <VERSION>
no version
Parameters
<VERSION> – IKE protocol version: v1-only or v2-only.
Default value
v1-only
Required privilege level
15
Command mode
CONFIG-IKE-GATEWAY
Example
esr(config-ike-gw)# version v2-only
xauth access-profile
This command specifies the local user list for XAUTH authorization.
The use of a negative form (no) of the command removes the specified profile.
Syntax
[no] xauth access-profile <NAME> [client <USER-NAME>]
Parameters
<NAME> – local XAUTH user list name, set by the string of up to 31 characters;
<USER-NAME> – user name from the attached XAUTH profile, set by the string of up to 31 characters.
Required privilege level
15
Command mode
CONFIG-IKE-GATEWAY
Example
esr(config-ike-gateway)# xauth access-profile OFFICE
VPN management. IPsec configuration
authentication algorithm
The command sets an authentication algorithm.
The use of a negative form (no) of the command sets the default value.
Syntax
authentication algorithm <ALGORITHM>
no authentication algorithm
Parameters
<ALGORITHM> – authentication algorithm, takes values of: md5, sha1, sha2-256, sha2-384, sha2-512.
Default value
sha1
Required privilege level
15
Command mode
CONFIG-IPSEC-PROPOSAL
Example
esr(config-ipsec-proposal)# authentication algorithm md5
description
This command sets the description of an IPsec VPN, proposal or policy.
The use of a negative form (no) of the command removes description.
Syntax
description <DESCRIPTION>
no description
Parameters
<DESCRIPTION> – profile description, set by the string of up to 255 characters.
Required privilege level
10
Command mode
CONFIG-IPSEC-VPN
CONFIG-IPSEC-PROPOSAL
CONFIG-IPSEC-POLICY
Example
esr(config-ipsec-vpn)# description "VPN to Moscow Office"
enable
This command enables IPsec VPN.
The use of a negative form of the command (no) disables IPsec VPN.
Syntax
[no] enable
Parameters
The command does not contain parameters.
Default value
Disabled
Required privilege level
10
Command mode
CONFIG-IPSEC-VPN
Example
esr(config-ipsec-vpn)# enable
encryption algorithm
The command sets the encryption algorithm.
The use of a negative form (no) of the command sets the default value.
Syntax
encryption algorithm <ALGORITHM>
no encryption algorithm
Parameters
<ALGORITHM> – encryption algorithm, takes the following values: null, des, 3des, blowfish128, blowfish192, blowfish256, aes128, aes192, aes256, aes128ctr, aes192ctr, aes256ctr, camellia128, camellia192, camellia256.
Default value
3des
Required privilege level
15
Command mode
CONFIG-IPSEC-PROPOSAL
Example
esr(config-ipsec-proposal)# encryption algorithm blowfish128
ike dscp
The command sets the DSCP code value used in the IP headers of outgoing IKE protocol packets.
The use of a negative form (no) of the command sets the default DSCP value.
Syntax
ike dscp <DSCP>
no ike dscp
Parameters
<DSCP> – DSCP code value, takes values in the range of [0..63].
Default value
63
Required privilege level
10
Command mode
CONFIG-IPSEC-VPN
Example
esr(config-ipsec-vpn)# ike dscp 40
ike establish-tunnel
This command sets the VPN activation mode. It is relevant only if the 'ike' key agreement mode is selected for the VPN; key agreement mode configuration is described in section mode.
The use of a negative form (no) of the command sets the default value.
Syntax
ike establish-tunnel <MODE>
no ike establish-tunnel
Parameters
<MODE> – VPN activation mode:
- by-request – the tunnel is established at the request of the remote party;
- route – the tunnel is established when there is traffic routed into it;
- immediate – the tunnel is established automatically after the configuration is applied.
Required privilege level
15
Command mode
CONFIG-IPSEC-VPN
Example
esr(config-ipsec-vpn)# ike establish-tunnel route
ike gateway
This command binds the IKE gateway to the VPN. It is relevant only if the 'ike' key agreement mode is selected for the VPN; key agreement mode configuration is described in section mode.
Syntax
ike gateway <NAME>
no ike gateway
Parameters
<NAME> – IKE gateway name, set by the string of up to 31 characters.
Required privilege level
10
Command mode
CONFIG-IPSEC-VPN
Example
esr(config-ipsec-vpn)# ike gateway ike_gw1
ike idle-time
This command sets the interval in seconds after which the connection is closed if no packet has been received or sent via the SA (optional).
The use of a negative form (no) of the command disables this timer.
Syntax
ike idle-time <TIME>
no ike idle-time
Parameters
<TIME> – interval in seconds, takes values of [4..86400].
Required privilege level
10
Command mode
CONFIG-IPSEC-VPN
Example
esr(config-ipsec-vpn)# ike idle-time 3600
ike rekey disable
This command disables key renegotiation before the IKE connection expires due to its lifetime timeout or the number of transmitted packets or bytes.
The use of a negative form (no) of the command enables the renegotiation of keys.
Syntax
[no] ike rekey disable
Parameters
The command does not contain parameters.
Default value
Disabled.
Required privilege level
15
Command mode
CONFIG-IPSEC-VPN
Example
esr(config-ipsec-vpn)# ike rekey disable
ike rekey margin
This command configures how far before the lifetime expires the renegotiation of the IKE connection keys starts.
The use of a negative form (no) of the command sets the default value.
Syntax
ike rekey margin { seconds <SEC> | packets <PACKETS> | kilobytes <KB> }
no ike rekey margin { seconds | packets | kilobytes }
Parameters
<SEC> – time interval in seconds remaining before the connection release (set by the lifetime seconds command, see lifetime). Takes values in the range of [4..86400].
<PACKETS> – number of packets remaining before the connection release (set by the lifetime packets command, see lifetime). Takes values in the range of [4..86400].
<KB> – traffic volume in kilobytes remaining before the connection release (set by the lifetime kilobytes command, see lifetime). Takes values in the range of [4..86400].
Default value
- Key renegotiation before expiry of the lifetime – 540 seconds before expiry.
- Key renegotiation before expiry of the traffic volume and packet count limits – disabled.
Required privilege level
15
Command mode
CONFIG-IPSEC-VPN
Example
esr(config-ipsec-vpn)# ike rekey margin seconds 1800
ike rekey randomization
This command sets the maximum random spread applied to the margin seconds, margin packets and margin kilobytes values (optional).
The use of a negative form (no) of the command sets the default value.
Syntax
ike rekey randomization <VALUE>
no ike rekey randomization
Parameters
<VALUE> – maximum spread of the values, in percent; takes values of [1..100].
Default value
100%
Required privilege level
15
Command mode
CONFIG-IPSEC-VPN
Example
esr(config-ipsec-vpn)# ike rekey randomization 10
ike ipsec-policy
This command associates the IPsec policy with the VPN. This command is relevant only if the 'ike' key agreement mode is selected in VPN. Key agreement mode configuration is described in mode.
Syntax
ike ipsec-policy <NAME>
no ike ipsec-policy
Parameters
<NAME> – IPsec policy name, set by the string of up to 31 characters.
Required privilege level
15
Command mode
CONFIG-IPSEC-VPN
Example
esr(config-ipsec-vpn)# ike ipsec-policy ipsec_pol1
lifetime
This command sets the lifetime of the IPsec tunnel.
The use of a negative form (no) of the command sets the default value.
Syntax
lifetime { seconds <SEC> | packets <PACKETS> | kilobytes <KB> }
no lifetime { seconds | packets | kilobytes }
Parameters
<SEC> – IPsec tunnel lifetime after which rekeying is carried out. Takes values in the range of [1140..86400] seconds.
<PACKETS> – number of packets after transmitting of which the IPsec tunnel rekeying is carried out. Takes values in the range of [4..86400].
<KB> – traffic amount in kilobytes after transmitting of which the IPsec tunnel rekeying is carried out. Takes values in the range of [4..86400].
Default value
3600 seconds
Required privilege level
10
Command mode
CONFIG-IPSEC-POLICY
Example
esr(config-ipsec-policy)# lifetime seconds 3600
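How lifetime, ike rekey margin, ike rekey randomization and ike rekey disable fit together, as an added Python example that is not part of the ESR documentation. The accepted ranges are the ones given on this page; the window arithmetic assumes strongSwan's rekeyfuzz convention (the margin is increased by a random share of up to the randomization percentage of itself), which is an assumption, not something the page states.

```python
# Accepted ranges, as given in the ESR command reference on this page.
LIFETIME_RANGE = (1140, 86400)   # lifetime seconds <SEC>
MARGIN_RANGE = (4, 86400)        # ike rekey margin seconds <SEC>
RANDOMIZATION_RANGE = (1, 100)   # ike rekey randomization <VALUE>, percent


def validate(lifetime: int, margin: int, randomization: int) -> None:
    """Reject values the CLI would not accept and a margin that cannot fit."""
    for name, value, (lo, hi) in (
        ("lifetime", lifetime, LIFETIME_RANGE),
        ("margin", margin, MARGIN_RANGE),
        ("randomization", randomization, RANDOMIZATION_RANGE),
    ):
        if not lo <= value <= hi:
            raise ValueError(f"{name}={value} is outside [{lo}..{hi}]")
    # Even at the largest random spread the rekey must start after SA setup,
    # otherwise the SA would be renegotiated as soon as it comes up.
    if margin * (1 + randomization / 100) >= lifetime:
        raise ValueError("margin (with spread) must be smaller than lifetime")


def rekey_window(lifetime: int, margin: int, randomization: int,
                 rekey_enabled: bool = True) -> tuple[int, int]:
    """Earliest and latest SA age in seconds at which rekeying starts.

    Assumed convention (strongSwan rekeyfuzz): the margin is increased by a
    random share of up to `randomization` percent of itself, so rekeying
    begins between lifetime - margin*(1 + r/100) and lifetime - margin.
    With 'ike rekey disable' nothing happens before the SA expires, so the
    window collapses to the lifetime itself (traffic gap until re-setup).
    """
    validate(lifetime, margin, randomization)
    if not rekey_enabled:
        return lifetime, lifetime
    earliest = lifetime - int(margin * (1 + randomization / 100))
    latest = lifetime - margin
    return earliest, latest


if __name__ == "__main__":
    # Page defaults: lifetime 3600 s, margin 540 s, randomization 100 %.
    print(rekey_window(3600, 540, 100))         # (2520, 3060)
    # Values from the page's examples: margin 1800 s, randomization 10 %.
    print(rekey_window(3600, 1800, 10))         # (1620, 1800)
    print(rekey_window(3600, 540, 100, False))  # (3600, 3600)
```

The spread keeps two peers that share the same settings from rekeying at exactly the same moment; a margin that does not fit into the lifetime is rejected before it reaches the box.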
manual authentication algorithm
The command sets an authentication algorithm. This command is relevant only if the 'manual' key agreement mode is selected in VPN. Key agreement mode configuration is described in mode.
The use of a negative form (no) of the command sets the default value.
Syntax
manual authentication algorithm <ALGORITHM>
no manual authentication algorithm
Parameters
<ALGORITHM> – authentication algorithm, takes values of: md5, md5-128, sha1, sha1-160, aesxcbc, sha2-256, sha2-384, sha2-512.
Default value
none
Required privilege level
15
Command mode
CONFIG-IPSEC-VPN
Example
esr(config-ipsec-vpn)# manual authentication algorithm sha1
manual authentication key
The command sets an authentication key. This command is relevant only if the 'manual' key agreement mode is selected in VPN. Key agreement mode configuration is described in mode.
Syntax
manual authentication key { ascii-text {<TEXT> | encrypted <ENCRYPTED-TEXT>} | hexadecimal {<HEX> | encrypted <ENCRYPTED-HEX> } }
no manual authentication key
Parameters
<TEXT> – string [1..64] ASCII characters;
<HEX> – number, [1..32] bytes size, set by the string of [2..128] characters in hexadecimal format (0xYYYY ...) or (YYYY ...);
<ENCRYPTED-TEXT> – encrypted password, [1..32] bytes size, set by the string of [2..128] characters;
<ENCRYPTED-HEX> – encrypted number, [2..64] bytes size, set by the string of [2..256] characters.
Required privilege level
15
Command mode
CONFIG-IPSEC-VPN
Example
esr(config-ipsec-vpn)# manual authentication key hexadecimal abcdef
manual bind-interface vti
This command specifies the tunnel interface through which traffic will pass in the 'route-based' tunnel mode. This command is relevant only if the 'manual' key agreement mode is selected in VPN. Key agreement mode configuration is described in mode.
The use of a negative form (no) of the command sets the default value.
Syntax
manual bind-interface vti <VTI>
no manual bind-interface vti
Parameters
<VTI> – VTI interface index, takes the values:
ESR-10/12V/12VF/14VF – [1..10];
ESR-20/21/100/200 – [1..250];
ESR-1000/1200/1500/1511/1700/3100 – [1..500].
Required privilege level
10
Command mode
CONFIG-IPSEC-VPN
Example
esr(config-ipsec-vpn)# manual bind-interface vti 0
manual encryption algorithm
The command sets encryption algorithm. This command is relevant only if the 'manual' key agreement mode is selected in VPN. Key agreement mode configuration is described in mode.
The use of a negative form (no) of the command removes a specified value.
Syntax
manual encryption algorithm <ALGORITHM>
no manual encryption algorithm
Parameters
<ALGORITHM> – encryption algorithm, takes the following values: des, 3des, blowfish128, blowfish192, blowfish256, aes128, aes192, aes256, aes128ctr, aes192ctr, aes256ctr, camellia128, camellia192, camellia256.
Default value
3des
Required privilege level
15
Command mode
CONFIG-IPSEC-VPN
Example
esr(config-ipsec-vpn)# manual encryption algorithm blowfish128
manual encryption key
The command sets encryption key. This command is relevant only if the 'manual' key agreement mode is selected in VPN. Key agreement mode configuration is described in mode.
The use of a negative form (no) of the command removes a specified value.
Syntax
manual encryption key { ascii-text { <TEXT> | encrypted <ENCRYPTED-TEXT> } | hexadecimal { <HEX> | encrypted <ENCRYPTED-HEX> } }
no manual encryption key
Parameters
<TEXT> – string [1..36] ASCII characters;
<HEX> – number, [1..24] bytes size, set by the string of [2..72] characters in hexadecimal format (0xYYYY ...) or (YYYY ...);
<ENCRYPTED-TEXT> – encrypted password, [1..24] bytes size, set by the string of [2..72] characters;
<ENCRYPTED-HEX> – encrypted number, [2..36] bytes size, set by the string of [2..144] characters.
Required privilege level
15
Command mode
CONFIG-IPSEC-VPN
Example
esr(config-ipsec-vpn)# manual encryption key hexadecimal 0x123456
manual mode
This command sets the mode of traffic redirection to the tunnel. This command is relevant only if the 'manual' key agreement mode is selected in VPN. Key agreement mode configuration is described in mode.
The use of a negative form (no) of the command sets the default value.
Syntax
manual mode <MODE>
no manual mode
Parameters
<MODE> - traffic passing mode:
- policy-based — traffic is redirected based on the subnets specified in the policies;
- route-based — traffic is redirected based on routes whose gateway is a tunnel interface.
Required privilege level
10
Command mode
CONFIG-IPSEC-VPN
Example
esr(config-ipsec-vpn)# manual mode route-based
manual protocol
The command sets encapsulation protocol. This command is relevant only if the 'manual' key agreement mode is selected in VPN. Key agreement mode configuration is described in mode.
The use of a negative form (no) of the command sets the default value.
Syntax
manual protocol <TYPE>
no manual protocol
Parameters
<TYPE> – protocol type, takes the following values:
- ah - this protocol performs only traffic authentication, data encryption is not performed;
- esp - this protocol authenticates and encrypts traffic.
Default value
esp
Required privilege level
15
Command mode
CONFIG-IPSEC-VPN
Example
esr(config-ipsec-vpn)# manual protocol ah
manual spi
This command sets the index of security settings. This command is relevant only if the 'manual' key agreement mode is selected in VPN. Key agreement mode configuration is described in mode.
The use of a negative form (no) of the command removes a specified security parameters index.
Syntax
manual spi <HEX>
no manual spi
Parameters
<HEX> – an index of security parameters, set to 32 bits (8 characters) in hexadecimal format (0xYYYY ...) or (YYYY ...).
Required privilege level
15
Command mode
CONFIG-IPSEC-VPN
Example
esr(config-ipsec-vpn)# manual spi FF
mode
This command defines the key agreement mode, i.e. how the data required for VPN activation is agreed between the nodes.
Syntax
mode <MODE>
no mode
Parameters
<MODE> – VPN operation mode:
- ike – coordination of authentication and encryption algorithms, authentication and encryption keys, security parameter index and other data is carried out through the IKE protocol;
- manual - the user must configure identical parameters on both nodes for the VPN to work. This mode does not establish an IKE connection between nodes. Each node encrypts and decrypts packets based only on the specified parameters.
Required privilege level
15
Command mode
CONFIG-IPSEC-VPN
Example
esr(config-ipsec-vpn)# mode ike
proposal
This command binds IPsec protocol set profiles to the policy.
The use of a negative form (no) of the command removes a bind to a specified profile.
Syntax
[no] proposal <NAME>
Parameters
<NAME> – IPsec protocol set profile name, set by the string of up to 31 characters.
Required privilege level
15
Command mode
CONFIG-IPSEC-POLICY
Example
esr(config-ipsec-policy)# proposal ipsec_prop1
protocol
The command sets encapsulation protocol.
The use of a negative form (no) of the command sets the default value.
Syntax
protocol <PROTOCOL>
no protocol
Parameters
<PROTOCOL> – encapsulation protocol, takes the following values:
- ah - this protocol performs only traffic authentication, data encryption is not performed;
- esp - this protocol authenticates and encrypts traffic.
Default value
esp
Required privilege level
15
Command mode
CONFIG-IPSEC-PROPOSAL
Example
esr(config-ipsec-proposal)# protocol ah
security ipsec policy
This command creates an IPsec policy that groups IPsec protocol suite profiles (proposals) used to negotiate the second phase of the IKE protocol.
The use of a negative form (no) of the command removes a specified value.
The command sets the command line mode to SECURITY IPSEC POLICY.
Syntax
[no] security ipsec policy <NAME>
Parameters
<NAME> – IPsec policy name, set by the string of up to 31 characters. The use of a negative form (no) of the command with 'all' parameter removes all IPsec policies.
Required privilege level
10
Command mode
CONFIG
Example
esr(config)# security ipsec policy ipsec_pol1
esr(config-ipsec-policy)#
security ipsec proposal
This command creates a profile for the IPsec protocol suite. The IPsec profile includes the parameters of the encryption and authentication algorithms, the security protocol of the IPsec tunnel connection, and the lifetime of the connection.
The use of a negative form (no) of the command removes a specified profile.
The command sets the command line mode to SECURITY IPSEC PROPOSAL.
Syntax
[no] security ipsec proposal <NAME>
Parameters
<NAME> – IPsec profile name, set by the string of up to 31 characters. The use of a negative form (no) of the command with 'all' parameter removes all IPsec profiles.
Required privilege level
10
Command mode
CONFIG
Example
esr(config)# security ipsec proposal ipsec_prop1
esr(config-ipsec-proposal)#
security ipsec vpn
This command creates a VPN based on the IPsec protocol suite and sets the SECURITY IPSEC VPN command mode.
The use of a negative form (no) of the command removes a configured VPN.
Syntax
[no] security ipsec vpn <NAME>
Parameters
<NAME> – VPN name, set by the string of up to 31 characters. The use of a negative form (no) of the command with 'all' parameter removes all VPNs.
Required privilege level
10
Command mode
CONFIG
Example
esr(config)# security ipsec vpn ipsec_vpn1
esr(config-ipsec-vpn)#
show security ipsec
This command displays the VPN configurations, policies, and IPsec protocol suite profiles.
Syntax
show security ipsec { vpn { configuration | status } | policy | proposal } [<NAME>]
Parameters
vpn configuration – if this keyword is specified, the configuration of all VPNs will be displayed;
vpn status – if this keyword is specified, the operational status of all VPNs will be displayed;
policy – if this keyword is specified, a list of configured IPsec protocol set policies will be displayed;
proposal – if this keyword is specified, a list of configured IPsec protocol set profiles will be displayed;
<NAME> – name. If a specific VPN, policy or profile name is given, detailed information about it will be displayed.
Required privilege level
10
Command mode
ROOT
Example
esr# show security ipsec proposal
Proposal
~~~~~~~~
Name                  Prot Enc. alg.        Auth. alg.      Lifetime
--------------------- ---- ---------------- --------------- -----------
ipsec_prop1           esp  aes128           sha1            28800 sec
esr# show security ipsec policy
Name                 Description         Proposal
-------------------- ------------------- -----------------------------------
ipsec_pol1                               ipsec_prop1
Master# show security ipsec vpn configuration IPSECVPN
Description:            --
State:                  Enabled
IKE:
    Establish tunnel:   immediate
    IPsec policy:       IPSECPOLICY
    IKE gateway:        IKEGW
    IKE DSCP:           63
    IKE idle-time:      0s
    IKE rekeying:       Enabled
    Margin time:        540s
    Margin kilobytes:   0
    Margin packets:     0
    Randomization:      100%
show security ipsec vpn authentication
This command allows you to see the list and parameters of the connected IPsec-VPN clients.
Syntax
show security ipsec vpn authentication <NAME> [ vrf <VRF> ]
Parameters
<NAME> – IPsec VPN name, set by the string of up to 31 characters.
<VRF> – VRF instance name, set by the string of up to 31 characters.
Required privilege level
10
Command mode
ROOT
Example
esr# show security ipsec vpn authentication
Local host      Remote host     Local subnet        Remote subnet       Authentication                            State
--------------- --------------- ------------------- ------------------- ----------------------------------------- -----------
2.2.2.1         2.2.2.2         192.168.2.0/24      192.168.1.1/32      Xauth PSK, login: ipsec                   Established
show security ipsec vpn status
This command shows the status of all VPNs that establish a connection through the IKE protocol or a specific VPN when specifying its name.
Syntax
show security ipsec vpn status [ vrf <VRF> ] [ <NAME> ]
Parameters
<NAME> – VPN name, set by the string of up to 31 characters.
<VRF> – VRF instance name, set by the string of up to 31 characters.
Required privilege level
10
Command mode
ROOT
Example
esr# show security ipsec vpn status
Name       Local host   Remote host  Initiator spi       Responder spi       State
---------- ------------ ------------ ------------------- ------------------- -----------
ipsec_vpn1 10.100.14.1  10.100.14.2  0x05d8e0ac3543f0cb  0xcfa1c4179d001154  Established
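A monitoring check over the 'show security ipsec vpn status' table above, as an added Python example that is not part of the ESR documentation. The sample output is constructed in the page's table format; the second VPN and its "Connecting" state are made up to exercise the check, and the parser assumes the dash ruler marks the column starts.

```python
import re

# Constructed sample in the format of 'show security ipsec vpn status' on this
# page; ipsec_vpn2 and its "Connecting" state are made up for the check.
SAMPLE_STATUS = """\
Name       Local host   Remote host  Initiator spi       Responder spi       State
---------- ------------ ------------ ------------------- ------------------- -----------
ipsec_vpn1 10.100.14.1  10.100.14.2  0x05d8e0ac3543f0cb  0xcfa1c4179d001154  Established
ipsec_vpn2 10.100.14.1  10.100.15.2  0x0000000000000000  0x0000000000000000  Connecting
"""


def parse_status(text: str) -> list[dict[str, str]]:
    """Parse the fixed-width table, using the dash ruler as the column guide."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    header, ruler, *rows = lines
    # Each run of '-' in the ruler marks where a column starts; the last
    # column runs to the end of the line so a long State value is kept whole.
    starts = [m.start() for m in re.finditer(r"-+", ruler)]
    bounds = list(zip(starts, starts[1:] + [None]))
    names = [header[s:e].strip() for s, e in bounds]
    return [dict(zip(names, (row[s:e].strip() for s, e in bounds)))
            for row in rows]


def not_established(rows: list[dict[str, str]]) -> list[str]:
    """Names of VPNs whose tunnel is not up; empty means every tunnel is established."""
    return [r["Name"] for r in rows if r["State"] != "Established"]


if __name__ == "__main__":
    rows = parse_status(SAMPLE_STATUS)
    for r in rows:
        print(r["Name"], r["State"], r["Initiator spi"], r["Responder spi"])
    print("alert:", not_established(rows))  # alert: ['ipsec_vpn2']
```

Feeding the real command output (collected over SSH or from a log) into parse_status gives the same records, so the check can run on a schedule and alert on any tunnel that is not Established.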