auth-nocache

This command disables the password caching of the OPENVPN client user.

The use of a negative form (no) of the command enables caching of the OPENVPN client user password.

Syntax
[no] auth-nocache
Parameters

None.

Default value

Caching is allowed.

Required privilege level

15

Command mode

CONFIG-OPENVPN

Example
esr(config-openvpn)# auth-nocache

authentication algorithm

This command sets the authentication algorithm, which is used for authentication when connecting to the OPENVPN server.

The use of a negative form (no) of the command removes the authentication algorithm.

Syntax
authentication algorithm <ALGORITHM>
no authentication algorithm
Parameters

<ALGORITHM> – authentication algorithm, may take values: md4, rsa-md4, md5, rsa-md5, mdc2, rsa-mdc2, sha, sha1, rsa-sha, rsa-sha1, rsa-sha1-2, dsa, dsa-sha, dsa-sha1, dsa-sha1-old, ripemd160, rsa-ripemd160, ecdsa-with-sha1, sha-224, rsa-sha-224, sha-256, rsa-sha-256, sha-384, rsa-sha-384, sha-512, rsa-sha-512, whirlpool.

Default value

Unspecified.

Required privilege level

15

Command mode

CONFIG-OPENVPN

Example
esr(config-openvpn)# authentication algorithm md5

authentication method

The command specifies the authentication method used when PPPoE, PPTP and L2TP clients establish a remote connection.

The use of a negative form (no) of the command removes a specified authentication method.

Syntax
authentication method <METHOD>
no authentication method <METHOD>
Parameters

<METHOD> – authentication method, possible values: chap, mschap, mschap-v2, eap, pap.

Default value

chap

Required privilege level

10

Command mode

CONFIG-PPPOE

CONFIG-PPTP

CONFIG-L2TP

Example
esr(config-pppoe)# authentication method mschap-v2

certificate

This command specifies the necessary certificates for connecting to the OPENVPN server.

The use of a negative form (no) of the command removes certificate name from the configuration.

Syntax
certificate <CERTIFICATE-TYPE> <NAME>
no certificate <CERTIFICATE-TYPE>
Parameters

<CERTIFICATE-TYPE> – certificate or key type, may take the following values:

  • ca – certificate authority certificate;
  • client-crt – client certificate;
  • client-key – client key;
  • crl – Certificate Revocation List;
  • dh – Diffie-Hellman key;
  • ta – HMAC key.

<NAME> – certificate or key name, set by the string of up to 31 characters.

Default value

None

Required privilege level

15

Command mode

CONFIG-OPENVPN

Example
esr(config-openvpn)# certificate ca KEY

clear ip nhrp

This command clears NHRP records from the router.

Syntax
clear ip nhrp [ { dynamic | static | incomplete | nhs} ] [ { nbma-address <ADDR> | tunnel gre <ID> | tunnel-address <ADDR> } ] [ vrf <VRF> ]
Parameters

<ID> – tunnel identifier;

<ADDR> – IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];

<VRF> – VRF instance name, set by the string of up to 31 characters. When this parameter is specified, the NHRP records specified in this VRF will be deleted;

dynamic – clear dynamically acquired information;

incomplete – clear blank entries;

nbma-address – clear entries regarding a specific NBMA address;

nhs – clear entries regarding a specific NHS;

static – clear statically set records;

tunnel – clear entries regarding a specific tunnel;

tunnel-address – clear entries regarding a specific tunnel;

vrf – clear records in a specific VRF.

Required privilege level

10

Command mode

ROOT

Example
esr# clear ip nhrp vrf vrf_test tunnel gre 9 static

clear tunnels counters

The command performs the reset of specified tunnel/tunnel group counters.

Syntax
clear tunnels counters [ <TUN> ]
Parameters

<TUN> – the name of the tunnel is specified as described in section Types and naming order of router tunnels;

You can specify several tunnels separated by commas ',' or you can specify the range of ports with '-'. If tunnel indexes are not specified, then the counters of all tunnels of a specified group will be cleared.

Required privilege level

10

Command mode

ROOT

Example
esr# clear tunnels counters gre 25

clear tunnels softgre

This command breaks the softgre tunnel/tunnels.

Syntax
clear tunnels softgre [ remote-address <REMOTE-IP> ]
Parameters

<REMOTE-IP> – remote IP address from which the softgre-tunnel was set.

Required privilege level

15

Command mode

ROOT

Example
esr# clear tunnels softgre
esr# clear tunnels softgre remote-address 10.10.42.10

compression

This command enables the mechanism of transmitted data compression between clients and the OPENVPN server.

The use of a negative form (no) of the command disables the mechanism of transmitted data compression.

Syntax
[no] compression
Parameters

The command does not contain parameters.

Default value

Disabled.

Required privilege level

10

Command mode

CONFIG-OPENVPN

Example
esr(config-openvpn)# compression

default-profile

The command allows you to use the SoftGRE tunnel configuration to automatically create tunnels with the same mode and local address.

The use of a negative form (no) of the command prohibits the use of tunnel configuration to automatically create tunnels.

Syntax
[no] default-profile
Parameters

The command does not contain parameters.

Required privilege level

10

Command mode

CONFIG-SOFTGRE

Example
esr(config-softgre)# default-profile

description

The command is used to change the description of a configured tunnel.

The use of a negative form (no) of the command removes a specified description.

Syntax
description <DESCRIPTION>
no description
Parameters

<DESCRIPTION> – tunnel description, set by the string of up to 255 characters.

Required privilege level

10

Command mode

CONFIG-IP4IP4

CONFIG-SUBTUNNEL

CONFIG-GRE

CONFIG-L2TP

CONFIG-L2TPV3

CONFIG-VTI

CONFIG-LT

CONFIG-PPTP

CONFIG-PPPOE

CONFIG-OPENVPN

Example
esr(config-gre)# description "tunnel to branch"

dscp

The command sets the DSCP code value used in the IP headers of encapsulating packets.

The use of a negative form (no) of the command sets the default DSCP value.

Syntax
dscp <DSCP>
no dscp
Parameters

<DSCP> – DSCP code value, takes values in the range of [0..63].

Default value

Inherited from encapsulated packet.

Required privilege level

10

Command mode

CONFIG-IP4IP4

CONFIG-GRE

Example
esr(config-ip4ip4)# dscp 40

enable

The command enables a tunnel.

The use of a negative form (no) of the command disables the tunnel.

Syntax
[no] enable
Parameters

The command does not contain parameters.

Default value

Tunnel is disabled.

Required privilege level

10

Command mode

CONFIG-IP4IP4

CONFIG-GRE

CONFIG-SUBTUNNEL

CONFIG-L2TP

CONFIG-L2TPV3

CONFIG-VTI

CONFIG-LT

CONFIG-PPTP

CONFIG-PPPOE

CONFIG-OPENVPN

Example
esr(config-gre)# enable

encryption algorithm

This command selects the encryption algorithm used for data transmission.

The use of a negative form (no) of the command disables the encryption.

Syntax
encryption algorithm <ALGORITHM>
no encryption algorithm
Parameters

<ALGORITHM> – encryption protocol identifier, may take following values: des, blowfish128, aes128, des-ede, aes192, 3des, desx, aes256.

Default value

Encryption disabled.

Required privilege level

15

Command mode

CONFIG-OPENVPN

Example
esr(config-openvpn)# encryption algorithm aes128
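
The defaults documented for auth-nocache, authentication algorithm and encryption algorithm (caching allowed, algorithm unspecified, encryption disabled) can be checked mechanically. The following Python sketch is an added example, not part of the ESR documentation or software: it replays the commands entered in CONFIG-OPENVPN mode and reports risky effective settings. The allow-list policy (AES ciphers, SHA-2 digests), the finding codes and the sample command lists are assumptions made for the example.

```python
import re

# Value lists taken from the <ALGORITHM> parameter descriptions on this page.
SHA2_DIGESTS = {"sha-224", "sha-256", "sha-384", "sha-512"}
AES_CIPHERS = {"aes128", "aes192", "aes256"}
BLOCK64_CIPHERS = {"des", "des-ede", "3des", "desx", "blowfish128"}  # 64-bit blocks

# Strips a CLI prompt such as "esr(config-openvpn)# " from pasted transcripts.
PROMPT = re.compile(r"^\s*esr(\([\w-]*\))?#\s*")


def effective_settings(lines):
    """Replay CONFIG-OPENVPN commands in order; the last form entered wins."""
    state = {"digest": None, "cipher": None, "auth_nocache": False}
    for raw in lines:
        words = PROMPT.sub("", raw).lower().split()
        negated = bool(words) and words[0] == "no"
        if negated:
            words = words[1:]
        if words[:2] == ["authentication", "algorithm"]:
            state["digest"] = None if negated or len(words) < 3 else words[2]
        elif words[:2] == ["encryption", "algorithm"]:
            state["cipher"] = None if negated or len(words) < 3 else words[2]
        elif words == ["auth-nocache"]:
            state["auth_nocache"] = not negated
    return state


def audit(lines):
    """Return a list of (code, message) findings for one OpenVPN tunnel."""
    state = effective_settings(lines)
    cipher, digest = state["cipher"], state["digest"]
    findings = []
    if cipher is None:
        findings.append(("ENC_DISABLED",
                         "no encryption algorithm set; documented default is disabled"))
    elif cipher in BLOCK64_CIPHERS:
        findings.append(("ENC_64BIT_BLOCK",
                         f"{cipher} is a 64-bit block cipher; assumed policy requires AES"))
    elif cipher not in AES_CIPHERS:
        findings.append(("ENC_UNKNOWN", f"{cipher} is not a documented value"))
    if digest is None:
        findings.append(("DIGEST_UNSET",
                         "authentication algorithm unspecified (documented default)"))
    else:
        base = digest[4:] if digest.startswith("rsa-") else digest
        if base not in SHA2_DIGESTS:
            findings.append(("DIGEST_NOT_SHA2",
                             f"{digest} is outside the assumed SHA-2 allow-list"))
    if not state["auth_nocache"]:
        findings.append(("PASSWORD_CACHED",
                         "auth-nocache absent; password caching is allowed by default"))
    return findings


# Constructed sample input: commands as typed in CONFIG-OPENVPN mode.
SAMPLE_WEAK = [
    "esr(config-openvpn)# remote address 192.168.1.2 port 1233",
    "esr(config-openvpn)# authentication algorithm md5",
    "esr(config-openvpn)# encryption algorithm 3des",
    "esr(config-openvpn)# enable",
]
SAMPLE_HARDENED = [
    "authentication algorithm rsa-sha-256",
    "encryption algorithm aes256",
    "auth-nocache",
]

if __name__ == "__main__":
    for name, sample in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(name)
        for code, message in audit(sample):
            print(f"  {code}: {message}")
```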

history statistics

The command enables maintenance of usage statistics for the current tunnel.

The use of a negative form (no) of the command disables maintenance of usage statistics for the current tunnel.

Syntax
[no] history statistics
Parameters

None.

Required privilege level

10

Command mode

CONFIG-GRE

CONFIG-SOFTGRE

CONFIG-SUBTUNNEL

CONFIG-IP4IP4

CONFIG-L2TPV3

CONFIG-LT

CONFIG-VTI

CONFIG-PPTP

CONFIG-PPPOE

CONFIG-OPENVPN

Example
esr(config-ip4ip4)# history statistics

ignore-default-route

The command enables the mode in which a default route received from the server is not set in the routing table.

The use of a negative form (no) of the command sets the default value.

Syntax
[no] ignore-default-route
Parameters

The command does not contain parameters.

Default value

A default route received from the server is set in the routing table.

Required privilege level

10

Command mode

CONFIG-L2TP

CONFIG-PPTP

CONFIG-PPPOE

Example
esr(config-pptp)# ignore-default-route

interface

The command specifies the interface for establishing a PPPoE connection.

The use of a negative form (no) of the command removes a specified interface.

Syntax
interface <IF> 
no interface
Parameters

<IF> – an interface or a group of interfaces, specified in the form described in Section Types and naming order of router interfaces.

Required privilege level

10

Command mode

CONFIG-PPPOE

Example
esr(config-pppoe)# interface gigabitethernet 1/0/5.100

ip nhrp authentication

The command enables authentication for NHRP protocol. All participants in the NHRP process must have the same password.

The use of a negative form (no) of the command disables the authentication.

Syntax
ip nhrp authentication <WORD>
[no] ip nhrp authentication
Parameters

<WORD> – unencrypted password, set by the string of [1..8] characters, may include [0-9a-fA-F] characters.

Required privilege level

10

Command mode

CONFIG-GRE

Example
esr(config-gre)# ip nhrp authentication pass

ip nhrp enable

This command enables NHRP in the router tunnel.

The use of a negative form (no) of the command disables the NHRP protocol on the router.

Syntax
[no] ip nhrp enable
Parameters

The command does not contain parameters.

Required privilege level

10

Command mode

CONFIG-GRE

Example
esr(config-gre)# ip nhrp enable

ip nhrp holding-time

This command sets the time during which a client record will exist on the NHRP server. This command also sets the frequency of client sending requests for registration to the NHRP server; it is equal to 1/3 of NHRP holding time.

The use of a negative form (no) of the command sets the default value.

Syntax
ip nhrp holding-time <TIME>
[no] ip nhrp holding-time
Parameters

<TIME> – the time in seconds during which a record about this client will exist on the server, takes values of [1..65535].

Default value

7200 seconds

Required privilege level

10

Command mode

CONFIG-GRE

Example
esr(config-gre)# ip nhrp holding-time

ip nhrp ipsec

This command specifies the use of the previously created IPsec-VPN on the mGRE tunnel.

The use of a negative form (no) of the command disables the use of IPsec-VPN with the mGRE tunnel.

Syntax
ip nhrp ipsec <WORD> { static | dynamic }
no ip nhrp ipsec <WORD> { static | dynamic }
Parameters

<WORD> – VPN name, set by the string of up to 31 characters.

static – static connection, used to communicate with the NHRP server, set on the client, unlimited in time;

dynamic – dynamically established connection, configured to communicate with the NHRP client.

Required privilege level

15

Command mode

CONFIG-GRE

Example
esr(config-gre)# ip nhrp ipsec VPN static

ip nhrp map

This command sets the match between 'internal' tunnel address and the 'external' NBMA address.

The use of a negative form (no) of the command removes the match.

Syntax
[no] ip nhrp map <ADDR-IN> <ADDR-OUT>
Parameters

<ADDR-IN> – tunnel interface IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255].

<ADDR-OUT> – external interface IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255].

Required privilege level

10

Command mode

CONFIG-GRE

Example
esr(config-gre)# ip nhrp map 192.168.1.2 67.86.141.231

ip nhrp multicast

This command defines the destination of multicast traffic.

The use of a negative form (no) of the command removes the destination.

Syntax
[no] ip nhrp multicast { dynamic | nhs | <ADDR> }
Parameters

dynamic – sends traffic to all peers with which there is a connection;

nhs – sends to all statically configured NHRP servers;

<ADDR> – sends to specifically configured IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255].

Required privilege level

10

Command mode

CONFIG-GRE

Example
esr(config-gre)# ip nhrp multicast nhs

ip nhrp nhs

This command is used to set the 'logical (tunnel)' address of the NHRP server.

The use of a negative form (no) of the command removes the entry about server.

Syntax
ip nhrp nhs <ADDR/LEN> [ no-registration ]
no ip nhrp nhs <ADDR/LEN>
Parameters

<ADDR/LEN> – address, defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and EE takes values of [1..32];

no-registration – do not register on the NHRP server.

Required privilege level

10

Command mode

CONFIG-GRE

Example
esr(config-gre)# ip nhrp nhs 192.168.1.2

ip nhrp redirect

This command enables the mode in which the NHRP server can send NHRP Traffic Indication messages.

The use of a negative form (no) of the command disables the mode.

Syntax
[no] ip nhrp redirect
Parameters

The command does not contain parameters.

Required privilege level

10

Command mode

CONFIG-GRE

Example
esr(config-gre)# ip nhrp redirect

ip nhrp shortcut

This command enables a mode that allows the use of the shortest routes for communication with other clients.

The use of a negative form (no) of the command disables the mode.

Syntax
[no] ip nhrp shortcut
Parameters

The command does not contain parameters.

Required privilege level

10

Command mode

CONFIG-GRE

Example
esr(config-gre)# ip nhrp shortcut

ip tcp adjust-mss

This command overrides the value of the MSS (Maximum segment size) field in incoming TCP packets.

The use of a negative form (no) of the command disables MSS field value correction.

Syntax
ip tcp adjust-mss <MSS>
no ip tcp adjust-mss
Parameters

<MSS> – MSS value, takes values in the range of [500..1460].

Default value

1460

Required privilege level

10

Command mode

CONFIG-IP4IP4

CONFIG-GRE

CONFIG-L2TP

CONFIG-PPPOE

CONFIG-PPTP

CONFIG-VTI

CONFIG-LT

Example
esr(config-gre)# ip tcp adjust-mss 1400

ipsec authentication method

This command selects the key authentication method for the IKE connection. Message authentication by key is used when an IKE connection is established. The key is set by the 'ipsec authentication pre-shared-key' command (see section ipsec authentication pre-shared-key).

The use of a negative form (no) of the command sets the default value.

Syntax
ipsec authentication method pre-shared-key
no ipsec authentication method
Parameters

pre-shared-key – authentication method using pre-received encryption keys.

Required privilege level

10

Command mode

CONFIG-L2TP

Example
esr(config-l2tp-server)# ipsec authentication method pre-shared-key

ipsec authentication pre-shared-key

This command specifies a shared secret authentication key that should be the same for both parties of the tunnel.

The use of a negative form (no) of the command removes a set key.

Syntax
ipsec authentication pre-shared-key { ascii-text { <TEXT> | encrypted <ENCRYPTED-TEXT> }| hexadecimal {<HEX> | encrypted <ENCRYPTED-HEX> } }
no ipsec authentication pre-shared-key
Parameters

<TEXT> – string [1..64] ASCII characters.

<HEX> – number, [1..32] bytes size, set by the string of [2..128] characters in hexadecimal format (0xYYYY ...) or (YYYY ...).

<ENCRYPTED-TEXT> – encrypted password, [1..32] bytes size, set by the string of [2..128] characters.

<ENCRYPTED-HEX> – encrypted number, [2..64] bytes size, set by the string of [2..256] characters.

Default value

none

Required privilege level

10

Command mode

CONFIG-L2TP

Example
esr(config-l2tp-server)# ipsec authentication pre-shared-key ascii-text password

keepalive dhcp dependent-interface

The command enables the mechanism of IP addresses iterative query using DHCP on the specified interfaces when the GRE tunnel is disconnected via keepalive. You can specify up to 8 interfaces for each GRE tunnel.

The use of a negative form (no) of the command disables the mechanism of IP addresses iterative query using DHCP.

Syntax
keepalive dhcp dependent-interface <IF>
no keepalive dst-address
Parameters

<IF> – physical or aggregated interface, specified in the form described in Section Types and naming order of router interfaces.

Default value

None

Required privilege level

10

Command mode

CONFIG-GRE

Example
esr(config-gre)# keepalive dhcp dependent-interface gi 1/0/1

keepalive dhcp link-timeout

The command specifies the time interval between GRE tunnel disabling and IP address iterative query on the interface/interfaces specified by the keepalive dhcp dependent-interface command (see Section keepalive dhcp dependent-interface).

The use of a negative form (no) of the command sets the default value.

Syntax
keepalive dhcp link-timeout <SEC>
no keepalive dhcp link-timeout
Parameters

<SEC> – interval in seconds between GRE tunnel disabling and IP address iterative query on the interface/interfaces specified by the keepalive dhcp dependent-interface command, takes the value of [1..32767] seconds.

Default value

10

Required privilege level

10

Command mode

CONFIG-GRE

Example
esr(config-gre)# keepalive dhcp link-timeout 90

keepalive dst-address

The command configures the IP address to which keepalive packets are sent for checking tunnel capability. If the specified IP address is not available, the tunnel switches the operational status to DOWN. The parameter takes effect only when the keepalive mechanism is enabled (see Section keepalive enable).

The use of a negative form (no) of the command disables the checking.

Syntax
keepalive dst-address <ADDR>
no keepalive dst-address
Parameters

<ADDR> – IP address to check GRE tunnel capability.

Default value

None

Required privilege level

10

Command mode

CONFIG-GRE

Example
esr(config-gre)# keepalive dst-address 192.168.1.57

keepalive enable

The command enables the checking of remote tunnel gateway availability. If a remote tunnel gateway is not available, the tunnel switches the operational status to DOWN.

The use of a negative form (no) of the command disables the checking.

Syntax
[no] keepalive enable
Parameters

The command does not contain parameters.

Default value

Disabled.

Required privilege level

10

Command mode

CONFIG-GRE

Example
esr(config-gre)# keepalive enable

keepalive retries

The command defines the number of attempts to check the remote tunnel gateway availability. Upon reaching the specified number of failed attempts, the tunnel will be considered inactive.

The use of a negative form (no) of the command sets the default value.

Syntax
keepalive retries <VALUE>
no keepalive retries
Parameters

<VALUE> – number of attempts, takes values in the range of [1..255].

Default value

6

Required privilege level

10

Command mode

CONFIG-GRE

Example
esr(config-gre)# keepalive retries 8

keepalive timeout

The command controls the period of sending keepalive packets to opposing party.

The use of a negative form (no) of the command sets the default value.

Syntax
keepalive timeout <TIME>
no keepalive timeout
Parameters

<TIME> – time in seconds, takes values of [1..32767].

Default value

10

Required privilege level

10

Command mode

CONFIG-GRE

Example
esr(config-gre)# keepalive timeout 18

keepalive timeout ipsec

This command sets the time that is allowed to restore the IPsec VPN connection, after which the router will reboot. This functionality only works when the router is in OTT mode. The operating mode of the OTT is enabled when the device is manufactured.

The use of a negative form (no) of the command resets the value to the default (180).

Syntax
keepalive timeout ipsec <TIME>
no keepalive timeout ipsec
Parameters

<TIME> – time in seconds, takes values of [30..32767].

Default value

180

Required privilege level

10

Command mode

CONFIG-GRE

Example
esr(config-gre)# keepalive timeout ipsec 1000

key

The command enables key transmission in GRE tunnel header (according to RFC 2890) and sets the key value. The key can be used to identify traffic streams in GRE tunnel.

The use of a negative form (no) of the command disables key transmission.

Syntax
key <KEY>
no key
Parameters

<KEY> – KEY value, takes values in the range of [1..2000000].

Default value

Key is not transmitted.

Required privilege level

10

Command mode

CONFIG-GRE

Example
esr(config-gre)# key 40

load-average

The command specifies the time interval during which the statistics on tunnel load is averaged.

The use of a negative form (no) of the command sets the default value.

Syntax
load-average <TIME>
no load-average
Parameters

<TIME> – interval in seconds, takes values of [5..150].

Default value

5

Required privilege level

10

Command mode

CONFIG-GRE

CONFIG-IP4IP4

CONFIG-LT

CONFIG-SUBTUNNEL

CONFIG-L2TPV3

CONFIG-VTI

CONFIG-L2TP

CONFIG-PPTP

CONFIG-PPPOE

CONFIG-OPENVPN

Example
esr(config-gre)# load-average

local address

The command sets IP address of a local tunnel gateway.

The use of a negative form (no) of the command removes local gateway IP address.

Syntax
local address <ADDR>
no local address
Parameters

<ADDR> – IP address of a local gateway.

Required privilege level

10

Command mode

CONFIG-IP4IP4

CONFIG-GRE

CONFIG-L2TPV3

CONFIG-VTI

Example
esr(config-ip4ip4)# local address 192.168.1.1

local address xauth

This command sets the use of the address issued by mode config when using the previously configured IPsec VPN in the XAUTH client mode.

The use of a negative form (no) of the command removes the configuration.

Syntax
local address xauth <NAME>
no local address
Parameters

<NAME> – name of a previously created IPsec VPN, set by the string of up to 31 characters.

Default value

None

Required privilege level

10

Command mode

CONFIG-GRE

Example
esr(config-gre)# local address xauth IPsecVPN

local checksum

The command enables calculation of the checksum and its insertion into the GRE header of the packets to be sent.

The use of a negative form (no) of the command disables the calculation and sending of the checksum.

Syntax
[no] local checksum
Parameters

The command does not contain parameters.

Required privilege level

10

Command mode

CONFIG-GRE

Example
esr(config-gre)# local checksum

local cookie

The command defines the cookie value used to check that the data being transmitted corresponds to the session.

The use of a negative form (no) of the command removes a local cookie.

Syntax
local cookie <COOKIE>
no local cookie
Parameters

<COOKIE> – COOKIE value, the parameter takes values of 8 or 16 characters in hexadecimal form.

Required privilege level

10

Command mode

CONFIG-L2TPV3

Example
esr(config-l2tpv3)# local cookie 8FB51B8FB

local interface

The command sets the use of IP address assigned to the interface as a GRE tunnel local gateway.

The use of a negative form (no) of the command stops the use of IP address assigned to the interface as a local gateway.

Syntax
local interface { <IF> | <TUN> }
no local interface
Parameters

<IF> – interface type and identifier specified in the form described in Section Types and naming order of router interfaces;

<TUN> – the name of the tunnel is specified as described in section Types and naming order of router tunnels;

Required privilege level

10

Command mode

CONFIG-GRE

Example
esr(config-gre)# local interface gigabitethernet 1/0/1

local port

The command defines local UDP port if UDP was selected as encapsulation method.

The use of a negative form (no) of the command removes a local UDP port number.

Syntax
local port <UDP>
no local port
Parameters

<UDP> – UDP port number in the range of [1..65535].

Required privilege level

10

Command mode

CONFIG-L2TPV3

Example
esr(config-l2tpv3)# local port 1501

local session-id

The command sets local session identifier.

The use of a negative form (no) of the command removes a local session identifier.

Syntax
local session-id <SESSION-ID>
no local session-id
Parameters

<SESSION-ID> – session identifier, takes values in the range of [1..200000].

Required privilege level

10

Command mode

CONFIG-L2TPV3

Example
esr(config-l2tpv3)# local session-id 200

mode

The command sets SoftGRE tunnel operation mode.

The use of a negative form (no) of the command disables a set mode.

Syntax
mode <MODE>
no mode
Parameters

<MODE> – tunnel operation mode, takes the following values:

  • data – data mode;
  • management – management mode.

Required privilege level

10

Command mode

CONFIG-SOFTGRE

Example
esr(config-softgre)# mode data

mode

The command specifies the encapsulation mode for GRE tunnel.

The use of a negative form (no) of the command sets the default encapsulation.

Syntax
mode <MODE>
Parameters

<MODE> – GRE tunnel encapsulation mode:

  • ip – encapsulation of IP packets in GRE;
  • ethernet – encapsulation of Ethernet frames in GRE.

Default value

ip

Required privilege level

10

Command mode

CONFIG-GRE

Example
esr(config-gre)# mode ethernet

mtu

The command specifies MTU (Maximum Transmission Unit) size for tunnels.

The use of a negative form (no) of the command sets the default MTU value.

Syntax
mtu <MTU>
no mtu
Parameters

<MTU> – MTU value, takes values in the range of [552..10000].

Default value

1500

Required privilege level

10

Command mode

CONFIG-IP4IP4

CONFIG-GRE

CONFIG-SUBTUNNEL

CONFIG-L2TP

CONFIG-L2TPV3

CONFIG-VTI

CONFIG-LT

CONFIG-PPTP

CONFIG-PPPOE

CONFIG-OPENVPN

Example
esr(config-l2tpv3)# mtu 1400

multipoint

This command puts the tunnel in multipoint mode. In this mode, it is possible to establish several connections from one tunnel interface.

The use of a negative form (no) of the command puts it into normal point-to-point mode.

Syntax
[no] multipoint
Parameters

The command does not contain parameters.

Required privilege level

10

Command mode

CONFIG-GRE

Example
esr(config-gre)# multipoint

password

This command sets the user password for the OPENVPN server.

The use of a negative form (no) of the command removes a user’s password.

Syntax
password { <CLEAR-TEXT> | encrypted <ENCRYPTED-TEXT> }
no password
Parameters

<CLEAR-TEXT> – unencrypted password, set by the string of [8..32] characters, may include [0-9a-fA-F] characters;

<ENCRYPTED-TEXT> – encrypted password, set by the string of [8..32] characters.

Passwords are kept in encrypted form regardless of the format used when entering the command.

Required privilege level

15

Command mode

CONFIG-OPENVPN

Example
esr(config-openvpn)# password 01234567

peer lt

The command specifies a remote party (in another VRF) of a logical tunnel.

The use of a negative form (no) of the command removes the binding to the tunnel remote party.

Syntax
[no] peer lt <ID>
Parameters

<ID> – logical tunnel remote party identifier.

Required privilege level

10

Command mode

CONFIG-LT

Example
esr(config-lt)# peer lt 2

ppp failure-count

This command sets the number of failed data-link tests before breaking the session.

The use of a negative form (no) of the command sets the default value.

Syntax
ppp failure-count <NUM>
no ppp failure-count
Parameters

<NUM> – the number of failed data-link tests, specified in the range [1..100].

Default value

10

Required privilege level

10

Command mode

CONFIG-L2TP

CONFIG-PPPOE

CONFIG-PPTP

Example
esr(config-l2tp)# ppp failure-count 20

ppp timeout keepalive

The command specifies the time interval in seconds after which the router sends a keepalive message.

The use of a negative form (no) of the command sets the default value.

Syntax
ppp timeout keepalive <TIME>
no ppp timeout keepalive
Parameters

<TIME> – time in seconds, takes values of [1..32767].

Default value

10

Required privilege level

10

Command mode

CONFIG-L2TP

CONFIG-PPPOE

CONFIG-PPTP

Example
esr(config-l2tp)# ppp timeout keepalive 5000

protocol

Select encapsulation method for L2TPv3 tunnel.

Syntax
protocol <TYPE>
no protocol
Parameters

<TYPE> – encapsulation type, possible values:

  • IP – encapsulation in IP packet;
  • UDP – encapsulation in UDP datagrams.

Required privilege level

15

Command mode

CONFIG-L2TPV3

Example
esr(config-l2tpv3)# protocol ip

protocol

Select encapsulation method for OPENVPN tunnel.

Syntax
protocol <TYPE>
no protocol
Parameters

<TYPE> – encapsulation type, possible values:

  • TCP – encapsulation in TCP segments;
  • UDP – encapsulation in UDP datagrams.

Default value

TCP

Required privilege level

15

Command mode

CONFIG-OPENVPN

Example
esr(config-openvpn)# protocol tcp

remote address

The command sets IP address of a remote tunnel gateway.

The use of a negative form (no) of the command removes remote gateway IP address.

Syntax
remote address <ADDR>
no remote address
Parameters

<ADDR> – IP address of a remote gateway.

Required privilege level

10

Command mode

CONFIG-IP4IP4

CONFIG-GRE

CONFIG-SOFTGRE

CONFIG-L2TP

CONFIG-L2TPV3

CONFIG-VTI

CONFIG-PPTP

Example
esr(config-ip4ip4)# remote address 192.168.1.2

remote address

This command sets the IP address and TCP/UDP port of the remote tunnel gateway.

The use of a negative form (no) of the command removes remote gateway IP address.

Syntax
[no] remote address <ADDR> [ port <PORT>]
Parameters

<ADDR> – remote gateway IP address;

<PORT> – number of remote gateway TCP/UDP port in the range of [1..65535].

Default value

<PORT> – 1194.

Required privilege level

10

Command mode

CONFIG-OPENVPN

Example
esr(config-openvpn)# remote address 192.168.1.2 port 1233

remote address xauth

This command sets the use of the management-ip or data-ip address issued by mode config when using the previously configured IPsec VPN in the XAUTH client mode. Requires appropriate settings on the IPsec-VPN server.

The use of a negative form (no) of the command removes the configuration.

Syntax
remote address xauth <NAME> {management-ip|data-ip}
no remote address
Parameters

<NAME> – name of a previously created IPsec VPN, set by the string of up to 31 characters;

management-ip – address obtained by mode config when installing IPsec VPN in the XAUTH client mode. Requires an ELTEX_MANAGEMENT_IP (28683) in the router IPsec-VPN server settings.

data-ip – address obtained by mode config when installing IPsec VPN in the XAUTH client mode. Requires an ELTEX_DATA_IP (28684) in the router IPsec-VPN server settings.

Default value

Not specified.

Required privilege level

10

Command mode

CONFIG-GRE

Example
esr(config-gre)# remote address xauth IPsecVPN

remote checksum

The command enables verification of the presence and consistency of checksum values in the headers of GRE packets being received.

The use of a negative form (no) of the command disables the checksum verification.

Syntax
[no] remote checksum 
Parameters

The command does not contain parameters.

Default value

The checksum verification is disabled by default.

Required privilege level

10

Command mode

CONFIG-GRE

Example
esr(config-gre)# remote checksum
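
The key, local checksum and remote checksum commands all act on optional fields of the GRE header. The following Python sketch is an added example, not ESR code: it builds and parses a GRE header per RFC 2784 and RFC 2890 to show where the Key and Checksum fields sit and how the checksum is verified. The function names, the constructed payload and the choice to reject a packet when verification fails are assumptions for illustration; the key range is the one given for the key command.

```python
import struct

FLAG_C = 0x8000  # Checksum Present (RFC 2784)
FLAG_K = 0x2000  # Key Present (RFC 2890)
FLAG_S = 0x1000  # Sequence Number Present (RFC 2890)


def inet_checksum(data):
    """16-bit one's complement of the one's complement sum (IP checksum)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_gre(payload, proto=0x0800, key=None, checksum=False):
    """Sender side: 'key <KEY>' maps to key=, 'local checksum' to checksum=True."""
    flags, optional = 0, b""
    if checksum:
        flags |= FLAG_C
        optional += b"\x00\x00\x00\x00"  # Checksum placeholder + Reserved1
    if key is not None:
        if not 1 <= key <= 2000000:  # range documented for the key command
            raise ValueError("key out of range [1..2000000]")
        flags |= FLAG_K
        optional += struct.pack("!I", key)
    packet = bytearray(struct.pack("!HH", flags, proto) + optional + payload)
    if checksum:
        # Computed over GRE header and payload with the checksum field zeroed.
        struct.pack_into("!H", packet, 4, inet_checksum(bytes(packet)))
    return bytes(packet)


def parse_gre(packet, require_checksum=False):
    """Receiver side: require_checksum=True models 'remote checksum'."""
    if len(packet) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack_from("!HH", packet, 0)
    if flags & ~(FLAG_C | FLAG_K | FLAG_S):
        raise ValueError("unsupported flags or version")
    header_len = 4 + sum(4 for bit in (FLAG_C, FLAG_K, FLAG_S) if flags & bit)
    if len(packet) < header_len:
        raise ValueError("truncated optional fields")
    offset, checksum_ok, key = 4, None, None
    if flags & FLAG_C:
        (received,) = struct.unpack_from("!H", packet, offset)
        zeroed = packet[:offset] + b"\x00\x00" + packet[offset + 2:]
        checksum_ok = inet_checksum(zeroed) == received
        offset += 4
    if flags & FLAG_K:
        (key,) = struct.unpack_from("!I", packet, offset)
        offset += 4
    if require_checksum and checksum_ok is not True:
        raise ValueError("checksum absent or inconsistent")
    return {"proto": proto, "key": key, "checksum_ok": checksum_ok,
            "payload": packet[header_len:]}


if __name__ == "__main__":
    pkt = build_gre(b"constructed payload", key=40, checksum=True)
    print(pkt[:12].hex(), parse_gre(pkt, require_checksum=True))
```

Neither field is keyed cryptographically: the checksum detects corruption and the key labels a traffic stream, so confidentiality and authenticity of the tunnel still have to come from IPsec.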

remote cookie

The command defines the cookie value used to check that the data being transmitted corresponds to the session.

The use of a negative form (no) of the command removes a remote cookie.

Syntax
remote cookie <COOKIE>
no remote cookie
Parameters

<COOKIE> – COOKIE value, the parameter takes values of 8 or 16 characters in hexadecimal form.

Required privilege level

10

Command mode

CONFIG-L2TPV3

Example
esr(config-l2tpv3)# remote cookie 8FB51B8FB

remote port

The command defines remote UDP port if UDP was selected as encapsulation method.

The use of a negative form (no) of the command removes a specified UDP port number.

Syntax
remote port <UDP>
no remote port
Parameters

<UDP> – UDP port number in the range of [1..65535].

Default value

None

Required privilege level

10

Command mode

CONFIG-L2TPV3

Example
esr(config-l2tpv3)# remote port 65000

remote session-id

The command sets remote session identifier.

The use of a negative form (no) of the command removes a remote session identifier.

Syntax
remote session-id <SESSION-ID>
no remote session-id
Parameters

<SESSION-ID> – session identifier, takes values in the range of [1..200000].

Required privilege level

10

Command mode

CONFIG-L2TPV3

Example
esr(config-l2tpv3)# remote session-id 2

route-metric

This command assigns the metric of routes received by the client from the OPENVPN server.

The use of a negative form (no) of the command sets the default value.

Syntax
route-metric <METRIC>
no route-metric
Parameters

<METRIC> – route metric, takes values of [0..255].

Default value

0

Required privilege level

15

Command mode

CONFIG-OPENVPN

Example
esr(config)# route-metric 100

route-nopull

This command disables the use of routes transmitted by the OPENVPN server.

The use of a negative form (no) of the command sets the default value.

Syntax
[no] route-nopull
Parameters

None.

Default value

Route ignore is disabled.

Required privilege level

15

Command mode

CONFIG-OPENVPN

Example
esr(config)# route-nopull

snmp init-trap

The command enables sending an SNMP trap when the tunnel is enabled or disabled.

The use of a negative form (no) of the command disables sending an SNMP trap when the tunnel is enabled or disabled.

Syntax
[no] snmp init-trap
Parameters

The command does not contain parameters.

Default value

Disabled.

Required privilege level

15

Command mode

CONFIG-GRE

CONFIG-SUBTUNNEL

Example
esr(config-gre)# snmp init-trap

show ip nhrp

This command is used to view NHRP records.

Syntax
show ip nhrp [ { dynamic | static | incomplete | nhs } ] [ { nbma-address <ADDR> | tunnel gre <ID> | tunnel-address <ADDR> } ] [ vrf <VRF> ]
Parameters

<ID> – tunnel identifier;

<ADDR> – IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];

<VRF> – VRF instance name, specified by the string from 1 to 31 characters long. When this parameter is specified, the NHRP records specified in this VRF will be displayed;

dynamic – show information acquired dynamically;

incomplete – show blank entries;

nbma-address – show entries with a specific NBMA address;

nhs – show entries of a specific NHS;

static – show statically set records;

tunnel – show entries of a specific tunnel;

tunnel-address – show entries with a specific tunnel address;

vrf – show records in a specific VRF.

Required privilege level

10

Command mode

ROOT

Example
esr# hub-12# sh ip nhrp 
Tunnel address     NBMA address       Interface   Peer type         Expire      Created     Flags       
----------------   ----------------   ---------   ---------------   ---------   ---------   ---------   
12.1.1.3           192.168.3.4        gre 1       dynamic           0:04:38     00:23:18    lower-up,   
                                                                                            up          

12.1.1.9           192.168.9.4        gre 1       dynamic           0:04:45     00:23:49    lower-up,   
                                                                                            up          

12.1.1.99          120.12.120.12      gre 1       dynamic           0:01:14     00:24:11    lower-up,   
                                                                                            up    
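The table above can be checked against an inventory of known spokes so that a dynamic NHRP registration from an unknown NBMA address stands out. The following is an added example, not part of the vendor documentation; the sample output, the addresses in it, the INVENTORY mapping and the function names are constructed for illustration.

```python
import re

# Constructed sample in the layout of the 'show ip nhrp' output above.
SAMPLE = """\
Tunnel address     NBMA address       Interface   Peer type         Expire      Created     Flags
----------------   ----------------   ---------   ---------------   ---------   ---------   ---------
10.0.0.3           192.0.2.3          gre 1       dynamic           0:04:38     00:23:18    lower-up,
                                                                                            up

10.0.0.9           198.51.100.77      gre 1       dynamic           0:04:45     00:23:49    lower-up,
                                                                                            up
"""

# Hypothetical inventory: tunnel address -> NBMA address expected for that spoke.
INVENTORY = {"10.0.0.3": "192.0.2.3", "10.0.0.9": "192.0.2.9"}


def parse_nhrp(text):
    """Parse the fixed-width table, joining wrapped Flags continuation lines."""
    lines = text.splitlines()
    sep = next(i for i, l in enumerate(lines) if l.startswith("---"))
    # Column boundaries come from the dashed separator line.
    starts = [m.start() for m in re.finditer(r"-+", lines[sep])]
    spans = list(zip(starts, starts[1:] + [None]))
    names = [lines[sep - 1][a:b].strip() for a, b in spans]
    records = []
    for line in lines[sep + 1:]:
        cells = [line[a:b].strip() for a, b in spans]
        if cells[0]:
            records.append(dict(zip(names, cells)))
        elif line.strip() and records:  # wrapped Flags cell of the previous row
            records[-1]["Flags"] += line.strip()
    return records


def unexpected_peers(records, inventory):
    """Return dynamic records whose NBMA address differs from the inventory."""
    return [r for r in records
            if r["Peer type"] == "dynamic"
            and inventory.get(r["Tunnel address"]) != r["NBMA address"]]
```

Static records are skipped because they are set by the administrator; a tunnel address missing from the inventory is reported as well.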

show tunnels configuration

The command displays tunnel configuration.

Syntax
show tunnels configuration [ <TUN> ]
Parameters

<TUN> – the name of the tunnel is specified as described in section Types and naming order of router tunnels;

Required privilege level

1

Command mode

ROOT

Example
esr# show tunnels configuration gre 25
State:                                             enabled
Description:
Local address:                                     14.0.0.2
Remote address:                                    14.0.0.1
Calculates checksums for outgoing GRE packets:     no
Requires that all input GRE packets were checksum: no
key:                                               -
TTL:                                               Inherit
DSCP:                                              0
MTU:                                               1500
Security zone:                                     remote

show tunnels counters

The command displays tunnel counters.

Syntax
show tunnels counters [ <TUN> ]
Parameters

<TUN> – the name of the tunnel is specified as described in section Types and naming order of router tunnels;

You may specify several tunnels. If tunnel indexes are not specified, then the counters of all tunnels of a specified group will be displayed. If a certain tunnel is specified, the detailed information on this tunnel will be displayed.

Required privilege level

1

Command mode

ROOT

Example
esr# show tunnels counters l2tpv3 1
Tunnel 'l2tpv3 1' counters:
 Packets received:               0
 Bytes received:                 0
 Dropped on receive:             0
 Receive errors:                 0
 Multicasts received:            0
 Receive length errors:          0
 Receive buffer overflow errors: 0
 Receive CRC errors:             0
 Receive frame errors:           0
 Receive FIFO errors:            0
 Receive missed errors:          0
 Receive compressed:             0
 Packets transmitted:            658
 Bytes transmitted:              56588
 Dropped on transmit:            0
 Transmit errors:                0
 Transmit aborted errors:        0
 Transmit carrier errors:        0
 Transmit FIFO errors:           0
 Transmit heartbeat errors:      0
 Transmit window errors:         0
 Transmit comressed:             0
 Collisions:                     0

show tunnels history

The command is used to view tunnel usage statistics.

Syntax
show tunnels history [ <TUN> ] [ timer <TIMER> ]
Parameters

<TUN> – the name of the tunnel is specified as described in section Types and naming order of router tunnels.

<TIMER> – optional timer key. Takes the following values:

  • hours – displays history for the last 72 hours;
  • minutes – displays history for the last 60 minutes;
  • seconds – displays history for the last 60 seconds.

When the timer is missing, 3 tables containing tunnel usage history are displayed.

Required privilege level

5

Command mode

ROOT

Example
esr# show tunnel history gre 1 timer minutes
gre 1
Last 60 minutes:
Timer  Recv utilization, Kbit/s  Sent utilization, Kbit/s  Recv errors  Sent errors  Output drops
------ ------------------------- ------------------------- ------------ ------------ --------------
0-1   240            16             0       0       0
1-2   961            64             0       0       0
2-3   962            64             0       0       0
3-4   962            64             0       0       0
4-5   960            64             0       0       0
5-6   961            64             0       0       0
6-7   719            64             0       0       0
7-8   960            64             0       0       0
8-9   800            65             0       0       0
9-10  962            64             0       0       0
10-11 865            64             0       0       0
11-12 962            64             0       0       0
12-13 817            65             0       0       0
13-14 962            65             0       0       0
14-15 961            65             0       0       0
15-16 880            60             0       0       0
16-17 960            63             0       0       0
17-18  0             0              0       0       0
18-19  0             0              0       0       0
19-20  0             0              0       0       0
20-21  0             0              0       0       0
21-22  0             0              0       0       0

show tunnels status

The command is used to display system interfaces status.

Syntax
show tunnels status [ <TUN> ]
Parameters

<TUN> – the name of the tunnel is specified as described in section Types and naming order of router tunnels;

You may specify several tunnels in command. If tunnel indexes are not specified, then the statuses of all tunnels of a specified group will be displayed. If a certain tunnel is specified, the detailed information on this tunnel will be displayed.

Required privilege level

1

Command mode

ROOT

Example
esr# show tunnels status
Tunnel     Admin state        MTU      Local IP           Remote IP          Uptime
------      ----------       -----    ------------       -----------        ---------------
ip4ip4 4         Up           1500     115.0.0.100        115.0.0.30         1 minute and 4 seconds

show tunnels utilization

The command displays the average load in tunnels over the specified period.

Syntax
show tunnels utilization [ <TUN> ]
Parameters

<TUN> – the name of the tunnel is specified as described in section Types and naming order of router tunnels;

You can specify several tunnels separated by commas ',' or you can specify the range of interfaces with '-'. If tunnel indexes are not specified, then the counters of all tunnels of a specified group will be cleared.

Required privilege level

10

Command mode

ROOT

Example
esr# show tunnels utilization gre 2
Tunnel      Period, s     Sent,         Recv,        Frames Sent   Frames Recv
                          Kbit/s        Kbit/s
---------   -----------   -----------   -----------   -----------   -----------
gre 2       15            0             0             0             0

ttl

The command specifies the TTL value for tunnel packets.

The use of a negative form (no) of the command sets the default TTL value.

Syntax
ttl <TTL>
no ttl
Parameters

<TTL> – TTL value, takes values in the range of [1..255].

Default value

Inherited from encapsulated packet.

Required privilege level

10

Command mode

CONFIG-IP4IP4

CONFIG-GRE

Example
esr(config-ip4ip4)# ttl 10

tunnel

The command allows you to switch to the tunnel configuration mode.

The use of a negative form (no) of the command removes the tunnel.

Syntax
[no] tunnel <TUN>
Parameters

<TUN> – the name of the tunnel is specified as described in section Types and naming order of router tunnels;

Required privilege level

10

Command mode

CONFIG

Example 1

Switch to tunnel l2tp 1/10/1 configuration mode:

esr(config)# tunnel l2tp 10
esr(config-l2tp)#

Example 2

Switch to tunnel l2tpv3 1/10/1 configuration mode:

esr(config)# tunnel l2tpv3 10
esr(config-l2tpv3)#

Example 3

Switch to tunnel ip4ip4 1/200/1 configuration mode:

esr(config)# tunnel ip4ip4 200
esr(config-ip4ip4)#

Example 4

Switch to tunnel gre 25 configuration mode:

esr(config)# tunnel gre 25
esr(config-gre)#

Example 5

Switch to tunnel vti 125 configuration mode:

esr(config)# tunnel vti 125
esr(config-vti)#

Example 6

Switch to tunnel pptp 10 configuration mode:

esr(config)# tunnel pptp 10
esr(config-pptp)#

Example 7

Switch to tunnel pppoe 8 configuration mode:

esr(config)# tunnel pppoe 8
esr(config-pppoe)#

tunnel

The command specifies the encapsulation mode for OPENVPN client.

The use of a negative form (no) of the command sets the default encapsulation.

Syntax
tunnel <MODE>
Parameters

<MODE> – OPENVPN client encapsulation mode:

  • ip – encapsulation of IP packets in OPENVPN;
  • ethernet – encapsulation of Ethernet frames in OPENVPN.

Default value

ip

Required privilege level

10

Command mode

CONFIG-OPENVPN

Example
esr(config-openvpn)# mode ethernet

tunnel-source

This command specifies the name of the VRF whose IP interface is used to build this GRE tunnel. The command is relevant when the GRE tunnel is built through a VRF other than the VRF of the tunnel itself.

The use of the negative form of the command (no) sets the mode in which the GRE tunnel and the IP interface from which the tunnel is built are in the same VRF.

Syntax
tunnel-source [ vrf <VRF> ]
no tunnel-source
Parameters

<VRF> – VRF instance name, set by the string of up to 31 characters.

Without specifying the "vrf" key and the VRF instance name, the global configuration IP interface will be used.

Default value

Disabled (GRE tunnel and IP interface belong to the same VRF).

Required privilege level

10

Command mode

CONFIG-GRE

Example
esr(config-gre)# tunnel-source vrf magistral

username

The command specifies the user name and password used to connect to an L2TP, PPPoE or PPTP server.

The use of a negative form (no) of the command removes a specified user.

Syntax
username <NAME> password ascii-text { <CLEAR-TEXT> | encrypted <ENCRYPTED-TEXT> }
no username <NAME>
Parameters

<NAME> – user name, set by the string of up to 31 characters;

<CLEAR-TEXT> – password, set by the string of 1 to 64 characters;

<ENCRYPTED-TEXT> – encrypted password, set by the string of [2..128] characters.

Required privilege level

15

Command mode

CONFIG-L2TP

CONFIG-PPPOE

CONFIG-PPTP

Example
esr(config-pptp)# username fedor password ascii-text password
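The syntax above accepts either a clear-text or an encrypted password, so a saved configuration can hold both forms. The following added example (not part of the vendor documentation) reports how each tunnel credential is stored and masks clear-text values; the sample fragment, its stanza layout, the hex string and the function names are constructed assumptions.

```python
import re

# Syntax from this page:
#   username <NAME> password ascii-text { <CLEAR-TEXT> | encrypted <ENCRYPTED-TEXT> }
USER_RE = re.compile(r"^(\s*username\s+(\S+)\s+password\s+ascii-text\s+)(.*)$")

# Constructed fragment; the stanza layout (unindented "tunnel" lines, indented
# settings) is an assumption, and passwords are assumed to contain no spaces.
SAMPLE = """\
tunnel pptp 10
  authentication method mschap-v2
  username fedor password ascii-text password
tunnel l2tp 10
  username anna password ascii-text encrypted 8CB5107EA7005AFF
tunnel pppoe 8
  username oleg password ascii-text encrypted
"""


def storage(rest):
    """Classify the text after 'ascii-text' as 'encrypted' or 'cleartext'."""
    tokens = rest.split()
    # A lone 'encrypted' is a clear-text password that happens to be that word.
    if len(tokens) == 2 and tokens[0] == "encrypted":
        return "encrypted"
    return "cleartext"


def audit(config):
    """Return (tunnel, user, storage) per username line, never the secret."""
    findings, tunnel = [], None
    for line in config.splitlines():
        if line.startswith("tunnel "):
            tunnel = line.split(None, 1)[1].strip()
        m = USER_RE.match(line)
        if m:
            findings.append((tunnel, m.group(2), storage(m.group(3))))
    return findings


def redact(config):
    """Mask clear-text passwords before the configuration is shared."""
    out = []
    for line in config.splitlines():
        m = USER_RE.match(line)
        if m and storage(m.group(3)) == "cleartext":
            line = m.group(1) + "<REDACTED>"
        out.append(line)
    return "\n".join(out)
```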

username

This command creates the user to connect to the OPENVPN server.

The use of a negative form (no) of the command removes a specified user.

Syntax
username <NAME> 
no username <NAME>
Parameters

<NAME> – user name, set by the string of up to 31 characters.

Required privilege level

15

Command mode

CONFIG-OPENVPN

Example
esr(config-openvpn)# username fedor