MANUAL PAGE 2/190 80-CRA 119 1170/1-V1 Uen C
Copyright
© Ericsson AB 2009–2010. All rights reserved. No part of this document may be reproduced in any form without the written permission of the copyright owner.
Disclaimer
The contents of this document are subject to revision without notice due to continued progress in methodology, design and manufacturing. Ericsson shall have no liability for any error or damage of any kind resulting from the use of this document.
Trademark List
SmartEdge is a registered trademark of Telefonaktiebolaget LM Ericsson.
NetOp is a trademark of Telefonaktiebolaget LM Ericsson.
This document provides command syntax and usage guidelines for commands used in the configuration and operation of the Internet Protocol Security (IPsec) Virtual Private Network (VPN) application. For an overview of IPsec VPN, see Reference [1]. For configuration tasks, see Reference [2].
add pki key-pair key-pair-name rsa size
exec
key-pair-name | Unique name for the key pair; up to 39 characters.
size | Size of the key (in bits). One of:
No key pair is configured.
This command configures a private-public key pair for use by the Public Key Infrastructure (PKI) in the specified context.
The following example configures the key pair first_key_pair with 1028-bit keys in the vpn1 context.
[local]Redback#context vpn1
[vpn1]Redback#add pki key-pair first_key_pair rsa 1028
add pki certificate-request rsa cert-req-name file file-name
exec
cert-req-name | The name of the certificate request.
file file-name | Full path to the location where the file is created.
No certificate request is configured.
This command creates a certificate request. After the command is issued, you are prompted for the information needed to build the request file, in PEM format, that a Certificate Authority (CA) requires to generate a self certificate:
Key-Pair: key-name
Subject: DN
IPv4-Address: ipv4-addr
FQDN: fqdn-name
Domain-Name: name
File: file-name
[local]Redback#add pki certificate-request rsa cert.req
Key-Pair: key1
Subject : cn=se1,ou=rbak,o=Ericsson,c=us
IPv4-Address : 10.1.1.1
Domain-Name : se1.rbak.com
File : /flash/cert1.req
address-allocation aaa
IKEv2 policy configuration
This command has no keywords or arguments.
None
This command specifies AAA as the source of address allocation for the remote access clients that use this IKEv2 policy. Using the no form of the command removes the address allocation from the IKEv2 policy.
[local]Redback(config-ike2-policy)#address-allocation aaa
ah [hmac-md5-96|hmac-sha1-96|hmac-aes-xcbc]
no ah
IPsec proposal configuration
hmac-md5-96 | hmac-md5-96 algorithm
hmac-sha1-96 | hmac-sha1-96 algorithm
hmac-aes-xcbc | hmac-aes-xcbc algorithm
hmac-sha1-96
This command configures the Authentication Header (AH) authentication algorithm for an IPsec proposal. Using the no form of the command removes the AH configuration.
[local]Redback(config-ipsec-proposal)#ah hmac-aes-xcbc
ah [hmac-md5-96|hmac-sha1-96|hmac-aes-xcbc] key {hex hex-number |ASCII-value}
no ah [hmac-md5-96|hmac-sha1-96|hmac-aes-xcbc] key {hex hex-number |ASCII-value}
IPsec Security Association (SA) Security Parameter Index (SPI) configuration (manual key mode)
hex hex-number | Hexadecimal number. The length of the value is specified in Table 1.
ASCII-value | ASCII value. The length of the value is specified in Table 1.
aes-128-cbc
Specifies the AH authentication algorithm and the manual key for authenticating inbound, outbound, or bidirectional traffic SAs.
Table 1 lists the valid key length values for each of the supported AH authentication algorithms.
Keyword | ASCII Text Key Length | Hexadecimal Number Key Length
---|---|---
hmac-md5-96 | 16 | 32
hmac-sha1-96 | 20 | 40
hmac-aes-xcbc | 16 | 32
[local]Redback(config-ipsec-sa-spi)#ah hmac-md5-96 key hex 0fa20fa20fa20fa2
ah spi spi-value
no ah spi spi-value
IPsec SA SPI configuration
spi-value | 256 to 0x1ffff for in and both; 1 to 0xffffffff for out
No SPI value is configured.
Specifies the AH SPI value for the inbound traffic, outbound traffic, or bidirectional traffic SAs. Using the no form of the command removes the SPI value.
[local]Redback(config-ipsec-sa-spi)#ah spi 48354
anti-replay-window window_size
no anti-replay-window
IPsec policy configuration
IPsec SA configuration
window_size | 0, or 32 to 1024 in multiples of 32.
64
Configures the anti-replay window size. The anti-replay window protects against replay attacks and the potential Denial of Service (DoS) they can cause. Size 0 disables the anti-replay window. Using the no form of the command resets the configuration to the default.
[local]Redback(config-ipsec-policy)#anti-replay-window 128
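The receive-side check that the window size governs, as an added example in Python (not SmartEdge code): a sliding window of window_size sequence numbers below the highest one accepted, with the command's own size constraint (0 disables, otherwise 32 to 1024 in multiples of 32); the sequence numbers fed in are constructed.

```python
"""Sliding anti-replay window model (added example, not SmartEdge code).

The receiver keeps the highest sequence number accepted so far plus a bitmap
of the window_size numbers below it. A packet below the window cannot be
distinguished from a replay and is dropped; one inside the window is accepted
exactly once. Window sizes follow the anti-replay-window command: 0 (disabled)
or 32 to 1024 in multiples of 32.
"""


def valid_window_size(n):
    return n == 0 or (32 <= n <= 1024 and n % 32 == 0)


class AntiReplayWindow:
    def __init__(self, window_size=64):          # 64 is the command's default
        if not valid_window_size(window_size):
            raise ValueError("window size must be 0 or 32..1024 in multiples of 32")
        self.size = window_size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set means sequence number (top - i) was accepted

    def check_and_update(self, seq):
        """Return 'accepted', 'replay', 'too-old' or 'invalid' for seq."""
        if self.size == 0:
            return "accepted"          # size 0 disables replay protection entirely
        if seq <= 0:
            return "invalid"           # ESP sequence numbers start at 1
        if seq > self.top:
            shift = seq - self.top     # slide the window up to the new high mark
            if shift >= self.size:
                self.bitmap = 1        # everything previously seen falls off
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return "accepted"
        offset = self.top - seq
        if offset >= self.size:
            return "too-old"           # below the window: cannot tell replay from late
        if self.bitmap & (1 << offset):
            return "replay"            # already accepted once: replayed packet
        self.bitmap |= 1 << offset     # late but inside the window: accept once
        return "accepted"


def replay_report(window_size, sequence_numbers):
    """Run a list of received sequence numbers through one window."""
    window = AntiReplayWindow(window_size)
    return [(seq, window.check_and_update(seq)) for seq in sequence_numbers]


if __name__ == "__main__":
    # Constructed receive order: reordering (5 before 4), a replay of 3, and a
    # jump to 100 that pushes 36 below a 64-packet window while 37 still fits.
    for seq, verdict in replay_report(64, [1, 2, 3, 5, 4, 3, 100, 36, 37]):
        print(f"seq {seq:>3}: {verdict}")
```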
authentication {preshared-key|rsa-signature}
IKEv2 policy configuration
IKE proposal configuration
preshared-key | Authenticate using pre-shared keys
rsa-signature | Authenticate using certificates
Pre-shared key
This command configures the authentication method used by the Internet Key Exchange version 2 (IKEv2) policy or Internet Key Exchange version 1 (IKEv1) proposal. The authentication method specified using IKEv2 protocol in an IKEv2 policy need not match on both peers. The authentication method specified using IKEv1 protocol in an IKE proposal must match on both peers. Using the no form of the command removes the authentication configuration.
The following example shows the authentication specified by an IKEv2 policy.
[local]Redback(config-ctx)#ike2 policy ike2-pol1
[local]Redback(config-ike-policy)#authentication rsa-signature
The following example shows the authentication specified by an IKE proposal.
[local]Redback(config)#ike proposal ike-prop1
[local]Redback(config-ike-proposal)#authentication rsa-signature
authentication algorithm {hmac-md5-96|hmac-sha1-96}
no authentication algorithm
IKEv1 proposal configuration
IKEv2 proposal configuration
hmac-md5-96 | hmac-md5-96 algorithm
hmac-sha1-96 | hmac-sha1-96 algorithm
hmac-sha1-96
Specifies the authentication algorithm of an IKE proposal. Using the no form of the command resets the configuration to the default.
[local]Redback(config-ike-proposal)#authentication algorithm hmac-md5-96
bind interface if-name context-name
no bind interface if-name [context-name]
tunnel configuration
if-name | Name of a previously created interface.
context-name | Name of the context under which the specified interface is bound.
No IPsec tunnel endpoints are bound.
Statically binds the IPsec tunnel to a previously created interface. For on-demand IPsec tunnels, bind the on-demand tunnel to the IPsec multibind interface configured for this on-demand IPsec tunnel.
Use the no form of this command to remove the binding. You must remove any existing binding before you can create a new binding for the IPsec tunnel.
The following example shows how to create or modify the rec_2_1 tunnel and bind it to the ipsec-if1 interface in the Security service enabled ipsec-context context:
[local]Redback(config)#tunnel ipsec rec_2_1
[local]Redback(config-tunnel)#bind interface ipsec-if1 ipsec-context
[local]Redback(config)#tunnel ipsec profile1-se on-demand
[local]Redback(config-tunnel)#bind interface ipsec-mb-se local
both
no both
IPsec SA configuration
This command has no keywords or arguments.
No SA values for traffic are configured.
Enters IPsec SA SPI configuration mode for configuring the same SA values for both inbound and outbound traffic. Using the no form of the command removes the bidirectional traffic configuration.
This command cannot be used with either the in or out command. If the both command is configured, neither inbound nor outbound SA traffic attributes can be configured separately. To configure the different SA traffic attributes for inbound and outbound traffic see the in command in Section 1.36 and the out command in Section 1.52, respectively.
[local]Redback(config-ipsec-sa)#both
clear ike sa tunnel tunnel-name
exec
tunnel tunnel-name | Name of a previously created IPsec tunnel.
remote-ip remote-ip-addr | IP address of the remote peer.
local-ip local-ip-addr | IP address of the local peer.
Clears any Security Association (SA) associated with the specified Internet Protocol Security (IPsec) tunnel name or with the specified remote and local endpoints. Commands that clear SAs delete and renegotiate the SAs (with the new IKE configuration). Does not apply to on-demand IPsec tunnels.
[local]Redback#clear ike sa tunnel rec_2_1
clear ipsec sa tunnel tunnel-name
exec
tunnel-name | Name of a previously created IPsec tunnel.
Clears the IPsec SAs associated with the given tunnel name. Commands that clear SAs delete and renegotiate the SAs (with the new IPsec configuration). For on-demand IPsec tunnels, the tunnel-name argument is dynamically assigned by the system.
[local]Redback#clear ipsec sa tunnel rec_2_1
connection-type {initiator-only|responder-only|both}
no connection-type
IKE policy configuration
IKEv2 policy configuration
initiator-only | The local peer only initiates IKE connections.
responder-only | The local peer only responds to IKE connections.
both | The local peer can either initiate or respond.
both
Specifies the IKE connection type of an IKE policy, which assigns the role for the local IKE peer when establishing connections to set up an IPsec tunnel. For on-demand IPsec tunnels, you cannot change the connection type to initiator-only when using aggressive mode. You cannot change the connection type from responder-only if more than one IKE proposal exists in the IKE policy when using aggressive mode. Using the no form of the command resets it to the default.
The following example shows how to assign the role of initiator-only to any local peer that has this IKE policy assigned to it:
[local]Redback(config-ike-policy)#connection-type initiator-only
debug ike card slot-id/asp-id message-type {trace|log} {console|external} [level level]
exec
card slot-id | Chassis slot number where the Advanced Services Engine (ASE) card is installed. The range of values depends on the chassis:
asp-id | The ID of the Advanced Services Processor (ASP) on the ASE card. Possible values are 1 and 2.
message-type | Type of debug message to forward:
trace | Enables generation of trace messages.
log | Enables generation of log messages.
console | Sends debug information to the console.
external | Sends debug information to an external system.
level level | Optional. Specifies the debug logging level, where level is one of the following (in descending severity order):
Enables the generation of debug messages for the IKE configuration of a specific ASP on a specific ASE card.
Caution! Risk of performance loss. Enabling the generation of debug messages can severely affect system performance. To reduce the risk, exercise caution when enabling the generation of debug messages on a production system.
The following example shows how to enable the generation of IKE debug messages for the IKE configuration on the ASP:
[local]Redback#debug ike card 2/1 ikev1 log console level 4
debug ike config
exec
This command has no keywords or arguments.
Enables the generation of debug messages for the IKE configuration.
Caution! Risk of performance loss. Enabling the generation of debug messages can severely affect system performance. To reduce the risk, exercise caution when enabling the generation of debug messages on a production system.
[local]Redback#debug ike config
debug ipsec card slot-id/asp-id message-type {trace|log} {console|external|trace-buffer} [level level]
exec
card slot-id | Chassis slot number where the ASE card is installed. The range of values depends on the chassis:
asp-id | ID of the ASP on the ASE card. Possible values are 1 and 2.
message-type | Type of debug message to forward:
trace | Enables generation of trace messages.
log | Enables generation of log messages.
trace-buffer | Sends debug information to the circular buffer on the controller card.
console | Sends debug information to the console.
external | Sends debug information to an external system.
level level | Optional. Specifies the debug logging level, where level is one of the following (in descending severity order):
Enables the generation of debug messages for the IPsec configuration of a specific ASP on a specific ASE card.
Caution! Risk of performance loss. Enabling the generation of debug messages can severely affect system performance. To reduce the risk, exercise caution when enabling the generation of debug messages on a production system.
The following example shows how to enable the generation of packet debug messages for the IPsec configuration on the ASP:
[local]Redback#debug ipsec card 1/1 packet log console level warning
debug ipsec config
exec
This command has no keywords or arguments.
Enables the generation of debug messages for the IPsec configuration.
Caution! Risk of performance loss. Enabling the generation of debug messages can severely affect system performance. To reduce the risk, exercise caution when enabling the generation of debug messages on a production system.
[local]Redback#debug ipsec config
description string
no description
IKE policy configuration
IKE proposal configuration
IKEv2 policy configuration
IKEv2 proposal configuration
IPsec Access Control List (ACL) configuration
IPsec policy configuration
IPsec proposal configuration
IPsec security association configuration
string | Descriptive text; up to 255 characters.
No description is configured.
Specifies the description of the IKE policy, IKE proposal, IPsec ACL, IPsec policy, IPsec proposal, or IPsec SA.
[local]Redback(config-ipsec-proposal)#description IPsec-Proposal-1
df-bit {propagate|set|clear}
no df-bit
tunnel configuration
IPsec profile configuration
propagate | Propagate the DF bit from the inner IP header to the outer IP header.
set | Set the DF bit in the outer IP header.
clear | Clear the DF bit in the outer IP header.
propagate
Specifies how the Don't Fragment (DF) bit is set in the outer IP header. The default value, propagate, copies the DF bit setting from the inner IP header to the outer IP header. Using the no form of the command resets the configuration to the default.
[local]Redback(config-tunnel)#df-bit clear
dh-group dh-group
no dh-group
IKE proposal configuration
IKEv2 proposal configuration
dh-group | The Diffie-Hellman group to use: 1, 2, 5, or 14
1
Specifies the Diffie-Hellman group for IKE key exchanges in an IKE proposal. Using the no form of the command resets the configuration to the default.
[local]Redback(config-ike-proposal)#dh-group 2
encryption algorithm {aes-128-cbc|aes-192-cbc|aes-256-cbc|des-cbc|3des-cbc}
no encryption algorithm
IKE proposal configuration
IKEv2 proposal configuration
aes-128-cbc | aes-128-cbc algorithm
aes-192-cbc | aes-192-cbc algorithm
aes-256-cbc | aes-256-cbc algorithm
des-cbc | des-cbc algorithm
3des-cbc | 3des-cbc algorithm
aes-128-cbc
Specifies the encryption algorithm for an IKE proposal. Using the no form of the command resets the configuration to the default.
[local]Redback(config-ike-proposal)#encryption algorithm aes-192-cbc
esp authentication {hmac-md5-96|hmac-sha1-96|hmac-aes-xcbc}
no esp authentication
IPsec proposal configuration
hmac-md5-96 | hmac-md5-96 algorithm
hmac-sha1-96 | hmac-sha1-96 algorithm
hmac-aes-xcbc | hmac-aes-xcbc algorithm
hmac-sha1-96
Specifies the ESP authentication algorithm of an IPsec proposal.
If ESP authentication is configured without ESP encryption, the ESP encryption is set to null.
When neither ESP nor AH authentication is configured, using the no form of the command sets the ESP authentication (and ESP encryption) to the default. If either ESP or AH authentication is configured, using the no form of the command removes the ESP authentication configuration.
[local]Redback(config-ipsec-proposal)#esp authentication hmac-aes-xcbc
esp authentication [hmac-md5-96|hmac-sha1-96|hmac-aes-xcbc] key {hex hex-number|ASCII-value}
no esp authentication [hmac-md5-96|hmac-sha1-96|hmac-aes-xcbc] key {hex hex-number|ASCII-value}
IPsec SA SPI configuration
hmac-md5-96 | hmac-md5-96 algorithm
hmac-sha1-96 | hmac-sha1-96 algorithm
hmac-aes-xcbc | hmac-aes-xcbc algorithm
hex hex-number | Hexadecimal number. The length of the value is specified in Table 2.
ASCII-value | ASCII value. The length of the value is specified in Table 2.
hmac-sha1-96
Specifies the ESP authentication algorithm and the manual key for authenticating inbound, outbound, or bidirectional traffic SAs. The no form of the command removes the ESP authentication algorithm from the configuration.
If ESP encryption is configured without ESP authentication, only encryption is done. If ESP authentication is configured without ESP encryption, the encryption is set to null.
Table 2 lists the valid key lengths for each of the supported authentication algorithms.
Keyword | ASCII Text Key Length | Hexadecimal Number Key Length
---|---|---
hmac-md5-96 | 16 | 32
hmac-sha1-96 | 20 | 40
hmac-aes-xcbc | 16 | 32
[local]Redback(config-ipsec-sa-spi)#esp authentication hmac-aes-xcbc key 1234123412341234
esp encryption {aes-128-cbc|aes-192-cbc|aes-256-cbc|aes-128-ctr|aes-192-ctr|aes-256-ctr|des-cbc|3des-cbc|null}
no esp encryption
IPsec proposal configuration
aes-128-cbc | aes-128-cbc algorithm
aes-192-cbc | aes-192-cbc algorithm
aes-256-cbc | aes-256-cbc algorithm
aes-128-ctr | aes-128-ctr algorithm
aes-192-ctr | aes-192-ctr algorithm
aes-256-ctr | aes-256-ctr algorithm
des-cbc | des-cbc algorithm
3des-cbc | 3des-cbc algorithm
null | null encryption algorithm
aes-128-cbc
Specifies the ESP encryption algorithm of an IPsec proposal.
When neither ESP nor AH authentication is specified, the default is the ESP encryption aes-128-cbc with ESP authentication hmac-sha1-96. If ESP authentication is configured without ESP encryption, the ESP encryption is set to null.
If AH authentication is configured, using the no form of the command removes the encryption. If neither ESP authentication nor AH is specified, using the no form of the command resets the configuration to the default.
[local]Redback(config-ipsec-proposal)#esp encryption aes-256-cbc
esp encryption [aes-128-cbc|aes-192-cbc|aes-256-cbc|aes-128-ctr|aes-192-ctr|aes-256-ctr|des-cbc|3des-cbc] key {hex hex-number|ASCII-value}
no esp encryption [aes-128-cbc|aes-192-cbc|aes-256-cbc|aes-128-ctr|aes-192-ctr|aes-256-ctr|des-cbc|3des-cbc] key {hex hex-number|ASCII-value}
IPsec SA SPI configuration (manual key mode)
aes-128-cbc | aes-128-cbc algorithm
aes-192-cbc | aes-192-cbc algorithm
aes-256-cbc | aes-256-cbc algorithm
aes-128-ctr | aes-128-ctr algorithm
aes-192-ctr | aes-192-ctr algorithm
aes-256-ctr | aes-256-ctr algorithm
des-cbc | des-cbc algorithm
3des-cbc | 3des-cbc algorithm
hex hex-number | Hexadecimal number. The length of the value is specified in Table 3.
ASCII-value | ASCII value. The length of the value is specified in Table 3.
aes-128-cbc
Specifies the ESP encryption algorithm and the manual key for encrypting inbound, outbound, or bidirectional traffic SAs. If no encryption algorithm is specified, the default algorithm (aes-128-cbc) is used.
If ESP encryption is configured without ESP authentication, only encryption is done. If ESP authentication is configured without ESP encryption, the encryption is set to null.
Table 3 lists the valid key length values for each of the supported ESP encryption algorithms.
Keyword | ASCII Text Key Length | Hexadecimal Number Key Length
---|---|---
des-cbc | 8 | 16
3des-cbc | 24 | 48
aes-128-cbc (default) | 16 | 32
aes-192-cbc | 24 | 48
aes-256-cbc | 32 | 64
aes-128-ctr | 16 | 32
aes-192-ctr | 24 | 48
aes-256-ctr | 32 | 64
[local]Redback(config-ipsec-sa-spi)#esp encryption des-cbc key 12345678
esp spi spi-value
no esp spi spi-value
IPsec SA SPI configuration
spi-value | 256 to 0x1ffff for in and both; 1 to 0xffffffff for out
No SPI value is configured.
Specifies the ESP SPI value for the inbound traffic, outbound traffic, or bidirectional traffic SAs.
[local]Redback(config-ipsec-sa-spi)#esp spi 65535
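An offline checker for the manual-key SPI-mode lines covered by the ah key, esp authentication key, esp encryption key, ah spi and esp spi commands, as an added example in Python (not SmartEdge code). It applies Tables 1 to 3, the stated defaults aes-128-cbc and hmac-sha1-96 when the algorithm is omitted, and the in/both versus out SPI ranges; the sample block is constructed, and its ah key is a 16-digit hex value, shorter than the 32 digits Table 1 lists for hmac-md5-96, so the checker reports it.

```python
"""Offline checker for manual-key SA SPI-mode lines (added example, not
SmartEdge code). Rules taken from this page: key lengths from Tables 1-3
(ASCII characters, or hex digits when the hex keyword is used), default
algorithms aes-128-cbc (esp encryption) and hmac-sha1-96 (esp authentication),
and SPI ranges 256-0x1ffff for in/both and 1-0xffffffff for out.
"""
import re

# (ASCII key length, hex key length) per algorithm, copied from the tables.
AH_AUTH_KEY_LEN = {            # Table 1
    "hmac-md5-96": (16, 32),
    "hmac-sha1-96": (20, 40),
    "hmac-aes-xcbc": (16, 32),
}
ESP_AUTH_KEY_LEN = AH_AUTH_KEY_LEN   # Table 2 lists the same values
ESP_ENC_KEY_LEN = {            # Table 3
    "des-cbc": (8, 16),
    "3des-cbc": (24, 48),
    "aes-128-cbc": (16, 32),
    "aes-192-cbc": (24, 48),
    "aes-256-cbc": (32, 64),
    "aes-128-ctr": (16, 32),
    "aes-192-ctr": (24, 48),
    "aes-256-ctr": (32, 64),
}
SPI_RANGE = {"in": (256, 0x1FFFF), "both": (256, 0x1FFFF), "out": (1, 0xFFFFFFFF)}
DEFAULT_ALG = {"encryption": "aes-128-cbc", "authentication": "hmac-sha1-96"}


def _check_spi(text, direction):
    try:
        value = int(text, 0)          # accepts decimal and 0x-prefixed hex
    except ValueError:
        return [f"SPI {text!r} is not a number"]
    low, high = SPI_RANGE[direction]
    if not low <= value <= high:
        return [f"SPI {text} is outside the {direction} range {low}-{high:#x}"]
    return []


def _check_key(algorithm, table, key_tokens):
    if algorithm not in table:
        return [f"unknown algorithm {algorithm!r}"]
    ascii_len, hex_len = table[algorithm]
    if key_tokens[0] == "hex":
        if len(key_tokens) != 2 or not re.fullmatch(r"[0-9a-fA-F]+", key_tokens[1]):
            return ["hex keyword must be followed by one hexadecimal value"]
        if len(key_tokens[1]) != hex_len:
            return [f"{algorithm}: hex key has {len(key_tokens[1])} digits, "
                    f"table requires {hex_len}"]
    else:
        if len(key_tokens) != 1:
            return ["expected a single ASCII key value"]
        if len(key_tokens[0]) != ascii_len:
            return [f"{algorithm}: ASCII key has {len(key_tokens[0])} characters, "
                    f"table requires {ascii_len}"]
    return []


def check_sa_line(line, direction="both"):
    """Return the list of problems for one SPI-mode line (empty list = passes)."""
    tokens = line.split()
    if len(tokens) == 3 and tokens[0] in ("ah", "esp") and tokens[1] == "spi":
        return _check_spi(tokens[2], direction)
    if "key" not in tokens:
        return [f"unrecognised line: {line!r}"]
    head, key_tokens = tokens[:tokens.index("key")], tokens[tokens.index("key") + 1:]
    if not key_tokens:
        return ["missing key value"]
    if head[0] == "ah":
        if len(head) < 2:
            # Checker assumption: the AH algorithm must be stated explicitly.
            return ["ah key: state the algorithm explicitly"]
        return _check_key(head[1], AH_AUTH_KEY_LEN, key_tokens)
    if head[0] == "esp" and len(head) >= 2 and head[1] in DEFAULT_ALG:
        table = ESP_ENC_KEY_LEN if head[1] == "encryption" else ESP_AUTH_KEY_LEN
        algorithm = head[2] if len(head) > 2 else DEFAULT_ALG[head[1]]
        return _check_key(algorithm, table, key_tokens)
    return [f"unrecognised line: {line!r}"]


def check_sa_block(lines, direction="both"):
    """Check every line of one in/out/both block; returns {line: problems}."""
    return {line: check_sa_line(line, direction) for line in lines}


if __name__ == "__main__":
    # Constructed 'both' block; the ah key is a 16-digit hex value, which is
    # shorter than the 32 digits Table 1 lists for hmac-md5-96.
    sample = [
        "ah hmac-md5-96 key hex 0fa20fa20fa20fa2",
        "ah spi 48354",
        "esp encryption des-cbc key 12345678",
        "esp authentication hmac-aes-xcbc key 1234123412341234",
        "esp spi 65535",
    ]
    for line, problems in check_sa_block(sample).items():
        print(f"{line:55} {'ok' if not problems else '; '.join(problems)}")
```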
identity local {value|fqdn fqdn-string}
no identity local
IKE policy configuration
IKEv2 policy configuration
value | IP address
fqdn fqdn-string | Fully qualified domain name
No local identity is configured.
Specifies the identity of the local IPsec tunnel endpoint in an IKE policy to use when negotiating IKE requests with a remote peer. Use the IP address or FQDN of the loopback interface defined to provide the identity of the gateway for IPsec tunnels configured on this SmartEdge router as the value. When IKE sessions are negotiated, the local identity configured in the IKE policy on one peer must match the remote ID configured in the IPsec tunnel endpoint on the other peer. Only one local identity is allowed for each policy. The same local identity can appear in multiple policies. Using the no form of the command removes the configuration.
[local]Redback(config-ike-policy)#identity local 30.0.1.3
[local]Redback(config-ike-policy)#identity local fqdn peer1.redback.com
ike keepalive
no ike keepalive
context configuration
This command has no keywords or arguments.
Disabled.
Enables the sending of Dead Peer Detection (DPD) messages to IKE peers. When enabled, a DPD message is sent to the remote peer when there is traffic to be sent to the remote peer, but there has been no traffic received from the remote peer for 10 seconds. If a response is received, no further messages are sent unless the previous condition is met. If no response is received from the remote peer, the keepalive is retried three times at an interval of 10 seconds. If there is no response from the remote peer, the tunnel is brought down. Using the no form of the command disables the sending of DPD messages (the default setting).
The following example shows how to enable the sending of DPD messages to IKE peers:
[local]Redback(config-ctx)#ike keepalive
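The DPD timing rules stated above (probe only when there is traffic to send and nothing has been heard from the peer for 10 seconds; three retries at 10-second intervals; tear down the tunnel when the last retry goes unanswered), as an added timer model in Python that is not SmartEdge code. It assumes, as marked in the code, that a DPD reply counts as traffic received from the peer; the event timelines are constructed.

```python
"""Timer model of the ike keepalive (DPD) behaviour described above (added
example, not SmartEdge code). Rules encoded: probe only when there is traffic
to send and nothing has been received from the peer for 10 seconds; retry
three times at 10-second intervals; bring the tunnel down when the last retry
is unanswered. Assumption (not stated on the page): a DPD reply counts as
traffic received from the peer.
"""

IDLE_SECONDS = 10       # silence from the peer before a probe is considered
RETRIES = 3             # retries after the first unanswered probe
RETRY_INTERVAL = 10     # seconds between retries


class DpdMonitor:
    def __init__(self):
        self.last_rx = 0            # time of the last traffic received from the peer
        self.probe_deadline = None  # when the running probe cycle next times out
        self.probes_sent = 0        # probes sent in the current cycle
        self.tunnel_up = True

    def traffic_received(self, now):
        self.last_rx = now

    def dpd_response(self, now):
        self.last_rx = now          # assumption: a DPD reply is traffic from the peer
        self.probe_deadline = None  # cycle over; nothing more is sent until idle again
        self.probes_sent = 0

    def traffic_to_send(self, now):
        """Called when local traffic is about to go to the peer."""
        if not self.tunnel_up or self.probe_deadline is not None:
            return None             # tunnel down, or a probe cycle is already running
        if now - self.last_rx < IDLE_SECONDS:
            return None             # peer was heard from recently: no probe needed
        self._send_probe(now)
        return "dpd-sent"

    def clock_tick(self, now):
        """Called once per second; drives retries and teardown."""
        if not self.tunnel_up or self.probe_deadline is None or now < self.probe_deadline:
            return None
        if self.probes_sent > RETRIES:      # first probe plus RETRIES retries unanswered
            self.tunnel_up = False
            self.probe_deadline = None
            return "tunnel-down"
        self._send_probe(now)
        return "dpd-retry"

    def _send_probe(self, now):
        self.probes_sent += 1
        self.probe_deadline = now + RETRY_INTERVAL


def simulate(events, end_time):
    """events: list of (second, kind) with kind in {'rx', 'tx', 'response'}.
    Returns (list of (second, action), tunnel_up) after running to end_time."""
    monitor, log, by_time = DpdMonitor(), [], {}
    for when, kind in events:
        by_time.setdefault(when, []).append(kind)
    for now in range(end_time + 1):
        for kind in by_time.get(now, []):
            if kind == "rx":
                monitor.traffic_received(now)
            elif kind == "response":
                monitor.dpd_response(now)
            elif kind == "tx":
                action = monitor.traffic_to_send(now)
                if action:
                    log.append((now, action))
        action = monitor.clock_tick(now)
        if action:
            log.append((now, action))
    return log, monitor.tunnel_up


if __name__ == "__main__":
    # Constructed timeline: the peer goes silent after second 0, local traffic
    # at second 12 triggers the first probe, and no reply ever arrives.
    log, up = simulate([(0, "rx"), (5, "tx"), (12, "tx"), (30, "tx")], 60)
    for when, action in log:
        print(f"t={when:>2}s {action}")
    print("tunnel up:", up)
```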
ike policy ike-policy-name
no ike policy ike-policy-name
context configuration
tunnel configuration
ike-policy-name | In context configuration mode, name of the IKEv1 policy, which must be unique; up to 39 characters. In tunnel configuration mode, name of a previously created IKEv1 policy.
No IKEv1 policy is configured in a context by default. No IKEv1 policy is specified for an IPsec tunnel by default.
In context configuration mode, creates (with default attributes), or selects an IKEv1 policy and enters IKE policy configuration mode. Using the no form of the command removes the IKE policy.
In tunnel configuration mode, specifies the IKEv1 policy used by the IPsec tunnel. Using the no form of the command removes the IKEv1 policy from the IPsec tunnel configuration. When a tunnel configuration specifies an IKEv1 policy, the IKEv1 protocol is used for all IKE exchanges for that tunnel.
The following example shows how to configure the IKE_Pol1 IKE policy in the local context:
[local]Redback(config-ctx)#ike policy IKE_Pol1
The following example shows how to associate the IKE_Pol1 IKE policy to the rec_2_1 tunnel in the local context.
[local]Redback(config)#tunnel ipsec rec_2_1
[local]Redback(config-tunnel)#ike policy IKE_Pol1
ike2 policy ike2-policy-name
no ike2 policy ike2-policy-name
context configuration
tunnel configuration
ike2-policy-name | In context configuration mode, name of the IKEv2 policy, which must be unique; up to 39 characters. In tunnel configuration mode, name of a previously created IKEv2 policy.
No IKEv2 policy is configured in a context by default. No IKEv2 policy is specified for an IPsec tunnel by default.
In context configuration mode, creates (with default attributes), or selects an IKEv2 policy and enters IKEv2 policy configuration mode. Using the no form of the command removes the IKEv2 policy.
In tunnel configuration mode, specifies the IKEv2 policy used by the IPsec tunnel. Using the no form of the command removes the IKEv2 policy from the IPsec tunnel configuration. When a tunnel configuration specifies an IKEv2 policy, the IKEv2 protocol is used for all IKE exchanges for that tunnel.
The following example shows how to configure the IKE2_Pol1 IKE policy in the local context:
[local]Redback(config-ctx)#ike2 policy IKE2_Pol1
The following example shows how to associate the IKE2_Pol1 IKE policy to the rec_2_1 tunnel in the local context.
[local]Redback(config)#tunnel ipsec rec_2_1
[local]Redback(config-tunnel)#ike2 policy IKE2_Pol1
ike proposal ike-proposal-name
no ike proposal ike-proposal-name
global configuration
ike-proposal-name | Name of an IKE proposal, which must be unique; up to 39 characters.
No IKE proposal is configured.
Creates (with default attributes) or selects an IKEv1 proposal and enters IKE proposal configuration mode. Using the no form of the command removes the IKEv1 proposal.
[local]Redback(context)#ike proposal IKE_Prop1
ike2 proposal ike2-proposal-name
no ike2 proposal ike2-proposal-name
global configuration
ike2-proposal-name | Name of an IKEv2 proposal, which must be unique; up to 39 characters.
No IKEv2 proposal is configured.
Creates (with default attributes) or selects an IKEv2 proposal and enters IKEv2 proposal configuration mode. Using the no form of the command removes the IKEv2 proposal.
[local]Redback(context)#ike2 proposal IKE2_Prop1
import pki certificate {self rsa key-pair key-pair-name|trusted rsa} file file-name
exec
key-pair key-pair-name | Unique name for the key pair; up to 39 characters.
file file-name | Full path to the location of the file (in PEM format) from which the certificate is imported.
No certificate is imported.
This command imports either a self certificate or a trusted certificate generated by a CA from a file in PEM format into the SmartEdge router configuration. The certificate is encrypted using the RSA algorithm. When you specify a self certificate, you must provide both the name of the public-private key-pair used to generate the certificate and the full path and name of the file containing the certificate. When you specify a trusted certificate you must provide the full path and name of the file containing the certificate.
The following example imports the self certificate generated by the CA with the key pair first_key_pair from the file selfcert1.cert in the CF partition into the vpn1 context.
[local]Redback#context vpn1
[vpn1]Redback#import pki certificate self rsa key-pair first_key_pair file /flash/selfcert1.cert
The following example imports the trusted certificate generated by the CA from file trustcert1.cert in the CF partition into the vpn1 context.
[local]Redback#context vpn1
[vpn1]Redback#import pki certificate trusted rsa file /flash/trustcert1.cert
import pki key-pair key-pair-name file file-name
exec
key-pair key-pair-name | Unique name for the key pair; up to 39 characters.
file file-name | Full path to the location of the file (in PEM format) from which the private key is to be imported.
No key pair is imported.
This command allows a private key generated on a CA to be imported into the SmartEdge router configuration.
The following example imports the key pair first_key_pair from file key1.key in the CF partition into the vpn1 context.
[local]Redback#context vpn1
[vpn1]Redback#import pki key-pair first_key_pair file /flash/key1.key
in
no in
IPsec SA configuration
This command has no keywords or arguments.
None.
Enters IPsec SA SPI configuration mode for configuring the SA attributes for inbound traffic. Using the no form of the command removes the inbound traffic configuration.
This command cannot be used with the both command. If the both command is configured, neither inbound nor outbound SA traffic attributes can be configured separately. To configure the same SA attributes for inbound and outbound traffic, see the both command.
[local]Redback(config-ipsec-sa)#in
interface if-name [bridge|intercontext if-type grp-num|ipsec [multibind]|loopback|multibind [lastresort]|p2p]
no interface if-name [bridge|intercontext if-type grp-num|ipsec [multibind]|loopback|multibind [lastresort]|p2p]
context configuration
Creates a new interface, or selects an existing one for modification, and enters interface configuration mode.
if-name | Name of the interface; an alphanumeric string with up to 127 characters.
bridge | Optional. Specifies that the interface is a bridged interface.
intercontext | Optional. Specifies that the interface is to link two or more contexts. Use an intercontext interface only for: If you provide an IP address to an intercontext interface, the netmask 255.255.255.255 is not allowed.
if-type | Optional. Type of intercontext interface, according to the following keywords:
grp-num | Optional. Intercontext group number; the range of values is 1 to 1,023.
ipsec | Optional. Specifies that the interface is an IPsec interface.
loopback | Optional. Specifies that the interface is a loopback interface.
multibind | Optional. Enables the interface to have multiple circuits bound to it.
lastresort | Optional. Specifies that this multibind interface, called a last-resort interface, is used for any subscriber circuit that attempts to come up and cannot bind to any other interface.
p2p | Optional. When binding to a LAN circuit, indicates to routing protocols, such as IS-IS or Open Shortest Path First (OSPF), that the circuit should be treated as a point-to-point interface from an Interior Gateway Protocol (IGP) perspective.
None
Use the interface command to create a new interface, or select an existing one for modification, and enter interface configuration mode. Optionally, you can specify the interface as an intercontext interface or a loopback interface, or enable the interface to have multiple circuits bound to it.
You must bind a port or circuit to an interface (other than a bridged or loopback interface) for data to flow across the interface.
For an IPsec multibind interface, the interface is always unnumbered. Most of the operations listed for the interface command are not supported when you configure interface ipsec multibind. If a routing protocol is enabled over an IPsec multibind interface, then all tunnels bound to a multibind interface will run the same routing protocol. Static routes cannot be configured to use the IPsec multibind interface.
When there are only two routers over the LAN media, you can configure the interface as a point-to-point interface from a routing protocol perspective by using the p2p keyword. For more detailed information, see the Internet Draft, draft-ietf-isis-igp-p2p-over-lan-03.txt.
Use the bind interface command (in link configuration mode) to bind a port or circuit to a previously created interface in the specified context. Both the interface and the specified context must exist before you enter the bind interface command. If either is missing, an error message displays. For more information about this command, see the Command List.
Use the bridge command (in interface configuration mode) to associate the bridge with the interface or subscriber. For more information on this command, see the Command List.
Use the no form of this command to delete the interface.
Caution! Risk of data loss. Deleting an interface removes all bindings to the interface. To reduce the risk, do not delete an interface unless you are certain it is no longer needed.
The following example configures an interface, enet1:
[local]Redback(config-ctx)#interface enet1
[local]Redback(config-if)#ip address 10.1.1.1 255.255.255.0
The following example configures a loopback interface, local-loopback, for the local context:
[local]Redback(config-ctx)#interface local-loopback loopback
[local]Redback(config-if)#ip address 10.1.1.1/32
The following example configures three intercontext interfaces in three different contexts all with group 10:
[local]Redback(config-config)#context isp1
[local]Redback(config-ctx)#interface isp1-lan intercontext lan 10
[local]Redback(config-if)#ip address 10.1.1.1/24
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#exit
!Configure the second interface
[local]Redback(config-config)#context isp2
[local]Redback(config-ctx)#interface isp2-lan intercontext lan 10
[local]Redback(config-if)#ip address 10.1.1.2/24
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#exit
!Configure the third interface
[local]Redback(config-config)#context isp3
[local]Redback(config-ctx)#interface isp3-lan intercontext lan 10
[local]Redback(config-if)#ip address 10.1.1.3/24
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#exit
The following example deletes the atm3 interface:
[local]Redback(config-ctx)#no interface atm3
The following example configures a last-resort interface and borrows an IP address for it from the enet1 interface:
[local]Redback(config-ctx)#interface last multibind lastresort
[local]Redback(config-if)#ip unnumbered enet1
The following example configures a bridged interface and binds it to an existing bridge group, isp1:
[local]Redback(config-config)#context bridge
[local]Redback(config-ctx)#interface if-isp1 bridge
[local]Redback(config-if)#bridge name isp1
The following example configures an IPsec multibind interface:
[local]ipsec-se1(config)#context ctx-1
[local]ipsec-se1(config-ctx)#interface ipsec_mb_se_1 ipsec multibind
ip-comp
no ip-comp
IPsec proposal configuration
IPsec security association configuration
This command has no keywords or arguments.
Disabled
Enables IP compression using the IP Compression (IPComp) protocol. Using the no form of the command disables IP compression.
[local]Redback(config-ipsec-proposal)#ip-comp
ip route traffic-selector-guided
no ip route traffic-selector-guided
tunnel configuration
This command has no keywords or arguments.
Traffic selectors
Enables traffic-selector guided route addition in a static or on-demand auto key IPsec tunnel configuration. Traffic-selector guided route addition uses the traffic selectors negotiated as part of the IKE negotiations used to establish the IPsec SAs to add routes from the local endpoint to the network protected by the remote peer. Traffic selectors specify the IP address, protocol, or ports secured by each IPsec SA, and exist in pairs: source traffic selector and destination traffic selector. When enabled, traffic-selector guided route addition automatically adds and deletes IP routes dynamically that point to the IPsec tunnel as the tunnel comes up or goes down. If it is not enabled, you must explicitly add static IP routes to point to the IPsec tunnel or run dynamic routing protocols over the tunnel. Using the no form of the command disables traffic-selector guided route addition.
The following example enables traffic-selector guided route addition in the static or on-demand auto key IPsec tunnel configuration currently being configured.
[local]Redback(config-tunnel)#ip route traffic-selector-guided
ipsec access-list ipsec-acl-name
no ipsec access-list ipsec-acl-name
context configuration
ipsec-acl-name |
Name of an IPsec access list, which must be unique; up to 39 characters |
No IPsec access list is configured.
Creates (with default attributes) or selects an IPsec access list and enters IPsec ACL configuration mode. Using the no form of the command will remove an existing configuration.
[local]Redback(config-ctx)#ipsec access-list ipsec_ACL1
ipsec policy ipsec-policy-name
no ipsec policy ipsec-policy-name
global configuration
ipsec-policy-name |
Name of an IPsec policy, which must be unique; up to 39 characters. |
No IPsec policy is configured.
Creates (with default attributes) or selects an IPsec policy and enters IPsec policy configuration mode. Using the no form of the command will remove an existing configuration.
[local]Redback(config)#ipsec policy ipsec_Pol1
ipsec profile profile-name
no ipsec profile profile-name
context configuration
profile-name |
Name of the IPsec profile. Must match the name of the on-demand IPsec tunnel created with the tunnel ipsec name on-demand command in global configuration mode. |
None.
Creates an IPsec profile, which specifies how traffic in the on-demand IPsec tunnel should be handled. The IPsec profile must be created in the same context as the multibind interface to which the on-demand IPsec tunnel is bound.
[local]Redback(config)#context ctx-1
[local]Redback(config-ctx)#ipsec profile profile_se_1
[local]Redback(cfg-ipsec-profile)#
ipsec proposal ipsec-proposal-name
no ipsec proposal ipsec-proposal-name
global configuration
ipsec-proposal-name |
Name of the IPsec proposal, which must be unique; up to 39 characters. |
No IPsec proposal configuration.
Creates (with default attributes) or selects an IPsec proposal and enters IPsec proposal configuration mode. Using the no form of the command will remove an existing configuration.
[local]Redback(config)#ipsec proposal ipsec_Prop1
ipsec qos policy name pq
no ipsec qos policy name pq
global configuration
name |
Unique name of the IPsec QoS policy. |
pq |
Creates the policy for priority queuing. |
No IPsec Quality of Service (QoS) policies are configured.
This command configures an IPsec QoS policy for priority queuing and enters IPsec QoS policy configuration mode. Using the no form of the command removes the IPsec QoS policy.
[local]Redback(config)#ipsec qos policy ipsec-qos-pq-3 pq
ipsec security-association sa-name
no ipsec security-association sa-name
global configuration
sa-name |
Name of an IPsec security association, which must be unique; up to 39 characters. |
No IPsec security association configuration.
Creates or selects an IPsec security association and enters IPsec security association configuration mode. Using the no form of the command will remove an existing configuration.
[local]Redback(config)#ipsec security-association ipsec_sa_1
lifetime seconds seconds
no lifetime seconds
IKEv2 policy configuration
IKE proposal configuration
IPsec proposal configuration
seconds |
300 to 99999999 |
86400 (one day)
Specifies the lifetime for IKE SAs in seconds for an IKEv2 policy, IKE proposal or IPsec proposal. Specify 0 seconds for no timeout; any number of seconds from 1 to 299 is rejected. Using the no form of the command resets the configuration to the default.
[local]Redback(config-ike-proposal)#lifetime seconds 43200
lifetime kbytes kbytes
no lifetime
IPsec proposal configuration
kbytes |
128 to 2147483647 |
0 kbytes
Specifies the lifetime for IPsec SAs in kbytes for an IPsec proposal. Specify 0 kbytes for no timeout. The lifetime is expected to be tied to the strength of the encryption and authentication algorithms configured. Using the no form of the command resets the configuration to the default.
[local]Redback(config-ipsec-proposal)#lifetime kbytes 256
max-tunnels value
no max-tunnels
tunnel configuration
value |
Maximum number of tunnels per IPsec profile for the on-demand IPsec tunnel being configured. 1 to 1024. |
8 tunnels per IPsec profile
Specifies the maximum number of tunnels per profile in this on-demand tunnel.
[local]Redback(config)#tunnel ipsec rec_2_1
[local]Redback(config-tunnel)#max-tunnels 50
mode {main|aggressive}
no mode
IKE policy configuration
main |
The slower, but more secure, negotiation mode. Six messages are exchanged. Endpoint IDs are exchanged after a secure channel has been set up. |
aggressive |
The faster, but less secure, negotiation mode. Only three messages are exchanged; however, because endpoint IDs are exchanged in clear text, it is less secure. |
main
Specifies the negotiation mode to use for key exchanges. The IKE policy can accept multiple IKE proposals in main mode regardless of connection type, and in aggressive mode only if the connection type is set to responder-only. The no form of the command resets the mode to the default.
The following example shows how to set the mode for key exchange to aggressive.
[local]Redback(config-ike-policy)#mode aggressive
mtu size
no mtu
IPsec profile configuration
tunnel configuration
size |
MTU size in bytes. Range: 256 to 16,384. |
Maximum Transmission Unit (MTU) size for the interface to which the IPsec tunnel is bound
Sets the MTU for packets sent into an IPsec tunnel. The MTU is used by the ASP for pre-encryption fragmentation. The MTU for a manual key IPsec tunnel or a static auto key IPsec tunnel is set in tunnel configuration mode when the IPsec tunnel is configured; for an on-demand IPsec tunnel it is set in IPsec profile configuration mode when the IPsec profile associated with the tunnel is configured. If a packet exceeds the MTU, the ASP fragments that packet.
A tunnel uses the MTU for the interface to which you have bound it (using the bind interface command in tunnel configuration mode), unless you explicitly configure the MTU using this command. After you configure an MTU for the tunnel, the system determines the effective MTU by comparing the configured MTU with the interface MTU and selecting the lesser of the two values.
Post-encryption fragmentation can also occur on the outgoing line card based on the MTU of the outgoing interface.
Use the no form of this command to set the MTU to the default value.
The following example shows how to specify the MTU in an IPsec profile for an on-demand IPsec tunnel:
[local]Redback(config-ctx)#ipsec profile profile_se_1
[local]Redback(cfg-ipsec-profile)#mtu 256
The following example shows how to specify the MTU in an IPsec tunnel for a static auto key IPsec tunnel:
[local]Redback(config)#tunnel ipsec ipsec-tun-1
[local]Redback(config-tunnel)#mtu 256
num-queues num
no num-queues
IPsec QoS policy for priority queuing configuration
num |
The number of priority queues to instantiate in each SA when a tunnel becomes operational. |
By default no priority queues are instantiated.
This command configures the number of priority queues to instantiate for each SA when a tunnel becomes operational. Using the no form of the command removes the configuration. When the number of queues is not specified, all data traffic is processed by a single queue.
The following example sets the number of queues to 3 for the IPsec QoS policy for priority queuing ipsec-qos-pq-3:
[local]Redback(config)#ipsec qos policy ipsec-qos-pq-3 pq
[local]Redback(config-ipsec-policy-pq)#num-queues 3
out
no out
IPsec SA configuration
This command has no keywords or arguments.
No SA values for traffic are configured.
Enters IPsec SA SPI configuration mode for configuring the SA attributes for outbound traffic. Using the no form of the command removes the outbound traffic configuration.
This command cannot be used with the both command. If the both command is configured, neither inbound nor outbound SA traffic attributes can be configured separately. To configure the same SA attributes for inbound and outbound traffic, see the both command.
[local]Redback(config-ipsec-sa)#out
peer-end-point local loc-ip-addr [remote rem-ip-addr] [context ctx-name]
no peer-end-point
tunnel configuration
local loc-ip-addr |
IP address of the local end of the tunnel. The format is A.B.C.D. |
remote rem-ip-addr |
Optional. IP address of the remote end of the tunnel. Required except when you have created an overlay tunnel for which you have specified that the system assign the remote IP address. The format is A.B.C.D. |
context ctx-name |
Optional. Name of the context that contains the interface to the local end of the tunnel. If no context is specified, the interface to the local end of the tunnel is assumed to be in the local context. |
None
Use the peer-end-point command to assign IP addresses to the tunnel endpoints. This command creates the tunnel between the two endpoints.
The remote IP address at one end of the tunnel is the same as the local IP address at the other end of the tunnel. If the remote IP address is not adjacent to the local IP address, and the remote site cannot be reached with a routing protocol, you must also enter the ip route command in context configuration mode.
If you create an overlay tunnel using the tunnel command with the ipv6v4-auto keyword, the system assigns an IP address to the remote endpoint. In this case, you do not include the remote rem-ip-addr construct when you enter this command.
The local loc-ip-addr construct must match the IP address of an interface.
If you are creating more than one tunnel, you can use the same IP address for the local endpoint (the IP address assigned to the interface) as long as the remote IP addresses are all different.
To use an interface and its local IP address for more than one tunnel, you must specify the loopback keyword with the interface command (in context configuration mode) when you create the interface for the tunnels. The loopback keyword allows you to reuse the IP address for more than one tunnel.
Use the no form of this command to delete this tunnel and any associated parameters that have been specified in tunnel configuration mode. The keywords are not available for the no form of this command.
The following example shows how to create an interface, toDenver, with a public IP address of 172.16.1.1; then it creates an overlay tunnel, DenverTnl, with a remote IP address of 172.16.1.2 and a local IP address of 172.16.1.1:
[local]Redback(config)#context local
[local]Redback(config-ctx)#interface toDenver
[local]Redback(config-if)#ip address 172.16.1.1/30
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#exit
[local]Redback(config)#tunnel ipv6v4-manual DenverTnl
[local]Redback(config-tunnel)#peer-end-point local 172.16.1.1 remote 172.16.1.2
The following example shows how to create two overlay tunnels each using an interface, LocalEnd. Both tunnels use the same local IP address; it is assumed that the remote IP address for Tun2 can be reached with a routing protocol, so the ip route command in context configuration mode is not needed:
[local]Redback(config)#context local
[local]Redback(config-ctx)#interface LocalEnd loopback
[local]Redback(config-if)#ip address 172.16.1.1/32
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#tunnel Tun1
[local]Redback(config-tunnel)#peer-end-point local 172.16.1.1 remote 172.16.1.2
[local]Redback(config-tunnel)#no shutdown
[local]Redback(config-tunnel)#exit
[local]Redback(config-ctx)#tunnel Tun2
[local]Redback(config-tunnel)#peer-end-point local 172.16.1.1 remote 172.20.1.2
[local]Redback(config-tunnel-peer)#no shutdown
[local]Redback(config-tunnel-peer)#end
perfect-forward-secrecy dh-group dh-group
no perfect-forward-secrecy dh-group
IPsec policy configuration
dh-group |
1, 2, or 5 |
No DH group is configured.
This command configures the Diffie-Hellman group for Perfect Forward Secrecy (PFS) in an IPsec policy. Using the no form of the command resets the configuration to the default.
[local]Redback(config-ipsec-policy)#perfect-forward-secrecy dh-group 5
pre-shared-key {hex hex-value|ASCII-value|use-aaa}
no pre-shared-key
IKE policy configuration
IKEv2 policy configuration
hex hex-value |
Hexadecimal number (24 to 98 characters). |
ASCII-value |
ASCII value (12 to 49 characters). |
use-aaa |
Specifies that the pre-shared key is configured on the AAA server. The format expected by the node is: ike pre-shared-key {hex hex-value|ASCII-value} Applies only to on-demand IPsec tunnels. Can only be specified for an IKE policy configured to use aggressive mode for key exchange. |
No pre-shared key is configured.
Specifies the local pre-shared key in an IKE policy. Using the no form of the command will remove the configuration.
[local]Redback(config-ike-policy)#pre-shared-key 0x4d794865785061353577307264
pseudo-random-function [hmac-md5|hmac-sha1|aes-128-xcbc]
no pseudo-random-function
IKEv2 proposal configuration
hmac-md5 |
hmac-md5 algorithm |
hmac-sha1 |
hmac-sha1 algorithm |
aes-128-xcbc |
aes-128-xcbc algorithm |
hmac-sha1
This command configures the pseudo-random function (PRF) algorithm for an IKEv2 proposal. Using the no form of the command removes the pseudo-random function configuration.
[local]Redback(context)#pseudo-random-function aes-128-xcbc
qos policy queuing policy-name
no qos policy queuing policy-name
tunnel configuration
policy-name |
Unique name of the IPsec QoS policy for priority queuing associated with the tunnel |
No IPsec QoS policy is specified for the tunnel.
This command configures the IPsec QoS policy for priority queuing used by the tunnel. Using the no form of the command removes the IPsec QoS policy for priority queuing from the tunnel configuration.
The following example configures the IPsec QoS policy for priority queuing ipsec-qos-pq-3 for use with the tunnel currently being configured.
[local]Redback(config-tunnel)#qos policy queuing ipsec-qos-pq-3
remote-id remote_id
tunnel configuration
remote_id |
IP address or FQDN. |
No remote ID is specified for an IPsec tunnel.
Specifies the identity of the remote IPsec tunnel endpoint. This value is used when negotiating IKE requests with a remote peer. When IKE sessions are negotiated, the remote ID in the IPsec tunnel endpoint configured on one peer must match the local identity configured in the IKE policy on the other peer.
[local]Redback(config)#tunnel ipsec rec_2_1
[local]Redback(config-tunnel)#remote-id 72.0.0.1
remove pki {all|certificate handle handle|certificate request request-name|key-pair key-pair-name|unused}
exec
certificate handle handle |
Handle value of the certificate to remove. |
certificate request request-name |
Name of the certificate request to remove. |
key-pair key-pair-name |
Unique name for the key pair; up to 39 characters. |
No PKI object is removed from the configuration.
This command removes the specified PKI objects from the configuration. The all keyword removes all PKI objects. The certificate handle keyword removes the certificate specified by the handle value. The certificate request keyword removes the specified certificate request. The key-pair keyword removes the specified key pair. The unused keyword removes unused PKI objects.
The following example removes the key pair first_key_pair from the context vpn1.
[local]Redback#context vpn1
[vpn1]Redback#remove pki key-pair first_key_pair
seq sequence-number [protocol] {source-network-prefix/source-prefix-length|any} [eq source-port] [dest-network-prefix/dest-prefix-length|any] [eq dest-port]
no seq sequence-number
IPsec ACL configuration
IPsec profile configuration
sequence-number |
Sequence number for the statement. Range: 1 to 429496729. |
protocol |
Optional. Number indicating a protocol as specified in RFC 1700, Assigned Numbers. Range: 0 to 255, or one of the keywords listed in Table 4. |
source-network-prefix |
Source IP address to be included in the criteria. |
source-prefix-length |
Number of prefix bits for the source IP address. Range: 0 to 32. |
dest-network-prefix |
Optional. Destination IP address to be included in the criteria. |
dest-prefix-length |
Optional. Number of prefix bits for the destination IP address. Range: 0 to 32. |
any |
Optional. Indicates that IP traffic from all IP addresses is to be included in the criteria. Used instead of specifying the network-prefix and prefix-length. |
eq |
Optional. Specifies that values must be equal to those specified by the source-port or dest-port argument. |
source-port |
Optional. Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) source port. This argument is available only if you specify TCP or UDP as the protocol. Range: 1 to 65535 or one of the keywords listed in Table 5 and Table 6. |
dest-port |
Optional. TCP or UDP destination port. This argument is available only if you specify TCP or UDP as the protocol. Range: 1 to 65535 or one of the keywords listed in Table 5 and Table 6. |
No ACLs are configured.
Creates an ACL rule to allow packets that meet the specified criteria. Up to 32 rules can be specified in an IPsec ACL.
Table 4 lists the valid keyword substitutions for the protocol argument.
Keyword | Definition
---|---
ah | Authentication Header
esp | Encapsulation Security Payload
gre | Generic Routing Encapsulation (GRE)
host | Host source address
icmp | Internet Control Message Protocol (ICMP)
igmp | Internet Group Management Protocol (IGMP)
ip | Internet Protocol v4
ipinip | IP-in-IP tunneling
ospf | Open Shortest Path First (OSPF)
pcp | Payload Compression Protocol (PCP)
pim | Protocol Independent Multicast (PIM)
tcp | Transmission Control Protocol (TCP)
udp | User Datagram Protocol (UDP)
Table 5 lists the valid keyword substitutions for the source-port and dest-port argument when they are used to specify a TCP port.
Keyword | Definition | Corresponding Port Number
---|---|---
bgp | Border Gateway Protocol (BGP) | 179
chargen | Character generator | 19
cmd | Remote commands (rcmd) | 514
daytime | Daytime | 13
discard | Discard | 9
domain | Domain Name System (DNS) | 53
echo | Echo | 7
exec | Exec (rsh) | 512
finger | Finger | 79
ftp | File Transfer Protocol (FTP) | 21
ftp-data | FTP data connections (used infrequently) | 20
gopher | Gopher | 70
hostname | Network Interface Card (NIC) hostname server | 101
ident | Identification protocol | 113
irc | Internet Relay Chat | 194
klogin | Kerberos login | 543
kshell | Kerberos Shell | 544
login | Login (rlogin) | 513
lpd | Printer service | 515
nntp | Network News Transport Protocol (NNTP) | 119
pim-auto-rp | Protocol Independent Multicast Auto-RP | 496
pop2 | Post Office Protocol Version 2 (POP2) | 109
pop3 | Post Office Protocol Version 3 (POP3) | 110
shell | Remote command shell | 514
smtp | Simple Mail Transport Protocol (SMTP) | 25
ssh | Secure Shell (SSH) | 22
sunrpc | Sun Remote Procedure Call | 111
syslog | System logger | 514
tacacs | Terminal Access Controller Access Control System (TACACS) | 49
talk | talk | 517
telnet | Telnet | 23
time | Time | 37
uucp | UNIX-to-UNIX Copy Program | 540
whois | Nickname | 43
www | World Wide Web (HTTP) | 80
Table 6 lists the valid keyword substitutions for the source-port and dest-port arguments when they are used to specify a UDP port.
Keyword | Definition | Corresponding Port Number
---|---|---
biff | Biff (Mail Notification, Comsat) | 512
bootpc | Bootstrap Protocol client | 68
bootps | Bootstrap Protocol server | 67
discard | Discard | 9
dnsix | DNSIX Security Protocol Auditing | 195
domain | Domain Name System (DNS) | 53
echo | Echo | 7
isakmp | Internet Security Association and Key Management Protocol (ISAKMP) | 500
mobile-ip | Mobile IP Registration | 434
nameserver | IEN116 Name Service (obsolete) | 42
netbios-dgm | NetBIOS Datagram Service | 138
netbios-ns | NetBIOS Name Service | 137
netbios-ss | NetBIOS Session Service | 139
ntp | Network Time Protocol (NTP) | 123
pim-auto-rp | Protocol Independent Multicast Auto-RP | 496
rip | Router Information Protocol (RIP) | 520
snmp | Simple Network Management Protocol (SNMP) | 161
snmptrap | SNMP Traps | 162
sunrpc | Sun Remote Procedure Call | 111
syslog | System logger | 514
tacacs | Terminal Access Controller Access Control System | 49
talk | Talk | 517
tftp | Trivial File Transfer Protocol (TFTP) | 69
time | Time | 37
who | Who Service (rwho) | 513
xdmcp | X Display Manager Control Protocol | 177
[local]Redback(config-ipsec-acl)#seq 10 tcp 1.1.1.0/24 eq 20000
[local]Redback(config-ipsec-acl)#seq 20 1.1.1.0/24 2.2.2.0/24
[local]Redback(config-ipsec-acl)#seq 30 any any
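The rule grammar and the limits stated above (sequence range, protocol keywords from Table 4, port keywords from Tables 5 and 6, eq only with tcp or udp, 32 rules per ACL) can be checked offline before a change window. The following Python validator is an added example, not code from the Ericsson manual; it includes only a subset of the Table 5 and 6 port keywords, and the three rules from the example above are among its accepted inputs.

```python
"""Validate SmartEdge IPsec ACL 'seq' rules against the limits the command
reference states (added example, not Ericsson code): seq range, protocol
0-255 or Table 4 keyword, prefix length 0-32, 'eq' only with tcp/udp, port
1-65535 or Table 5/6 keyword (subset included), max 32 rules per ACL."""
import ipaddress

SEQ_MAX = 429496729           # upper bound quoted by the reference
MAX_RULES_PER_ACL = 32
# Table 4 keywords -> IANA protocol numbers; 'ip' = any, 'host' left out.
PROTOCOL_KEYWORDS = {
    "ah": 51, "esp": 50, "gre": 47, "icmp": 1, "igmp": 2, "ip": None,
    "ipinip": 4, "ospf": 89, "pcp": 108, "pim": 103, "tcp": 6, "udp": 17,
}
# Subset of the Table 5 (TCP) and Table 6 (UDP) port keywords.
TCP_PORT_KEYWORDS = {"bgp": 179, "domain": 53, "ftp": 21, "smtp": 25,
                     "ssh": 22, "telnet": 23, "www": 80}
UDP_PORT_KEYWORDS = {"domain": 53, "isakmp": 500, "ntp": 123, "snmp": 161,
                     "syslog": 514, "tftp": 69}

class AclSyntaxError(ValueError):
    """Raised for a rule the reference says the CLI would not accept."""

def _parse_prefix(tok):
    """'any' -> None; 'A.B.C.D/len' -> (address, len) with len in 0..32."""
    if tok == "any":
        return None
    addr, sep, length = tok.partition("/")
    if not sep or not length.isdigit():
        raise AclSyntaxError(f"expected prefix/length or 'any', got {tok!r}")
    try:
        ipaddress.IPv4Address(addr)
    except ValueError:
        raise AclSyntaxError(f"bad IPv4 address in {tok!r}") from None
    if not 0 <= int(length) <= 32:
        raise AclSyntaxError(f"prefix length {length} outside 0-32")
    return addr, int(length)

def _parse_port(tok, proto):
    """Port 1-65535 or a keyword; 'eq' is only available for tcp/udp."""
    table = {6: TCP_PORT_KEYWORDS, 17: UDP_PORT_KEYWORDS}.get(proto)
    if table is None:
        raise AclSyntaxError("'eq' requires tcp or udp as the protocol")
    if tok.isdigit() and 1 <= int(tok) <= 65535:
        return int(tok)
    if tok in table:
        return table[tok]
    raise AclSyntaxError(f"port {tok!r} is not 1-65535 or a known keyword")

def parse_seq_rule(line):
    """Parse 'seq N [proto] src|any [eq p] [dst|any] [eq p]' into a dict."""
    toks = line.split()
    if len(toks) < 3 or toks[0] != "seq" or not toks[1].isdigit():
        raise AclSyntaxError(f"expected 'seq <number> ...': {line!r}")
    seq = int(toks[1])
    if not 1 <= seq <= SEQ_MAX:
        raise AclSyntaxError(f"sequence number {seq} outside 1-{SEQ_MAX}")
    i, proto = 2, None                 # None means any IP protocol
    if toks[i].isdigit():              # bare number: protocol number
        proto, i = int(toks[i]), i + 1
        if not 0 <= proto <= 255:
            raise AclSyntaxError(f"protocol number {proto} outside 0-255")
    elif toks[i] in PROTOCOL_KEYWORDS:
        proto, i = PROTOCOL_KEYWORDS[toks[i]], i + 1
    if i >= len(toks):
        raise AclSyntaxError("missing source prefix or 'any'")
    rule = {"seq": seq, "protocol": proto, "src": _parse_prefix(toks[i]),
            "src_port": None, "dst": None, "dst_port": None}
    i += 1
    for side in ("src", "dst"):        # optional 'eq port' after each side
        if i < len(toks) and toks[i] == "eq":
            if i + 1 >= len(toks):
                raise AclSyntaxError("'eq' without a port")
            rule[side + "_port"] = _parse_port(toks[i + 1], proto)
            i += 2
        if side == "src" and i < len(toks) and toks[i] != "eq":
            rule["dst"] = _parse_prefix(toks[i])
            i += 1
    if i != len(toks):
        raise AclSyntaxError(f"unexpected trailing tokens {toks[i:]}")
    return rule

def rule_error(line):
    """Return None if the rule is accepted, else the rejection reason."""
    try:
        parse_seq_rule(line)
    except AclSyntaxError as exc:
        return str(exc)
    return None

class IpsecAcl:
    """An IPsec ACL holding at most 32 sequenced rules, keyed by seq."""
    def __init__(self, name):
        self.name, self.rules = name, {}
    def add(self, line):
        rule = parse_seq_rule(line)       # a repeated seq replaces the rule
        if rule["seq"] not in self.rules and len(self.rules) >= MAX_RULES_PER_ACL:
            raise AclSyntaxError(f"{self.name}: {MAX_RULES_PER_ACL}-rule limit reached")
        self.rules[rule["seq"]] = rule
        return rule
```

Feed each planned seq line to IpsecAcl("name").add() or to rule_error(); a rule such as seq 50 gre any eq 47 is rejected because eq is only valid with tcp or udp.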
seq id ipsec-policy ipsec-policy-name [access-group ipsec-acl-name]
no seq id ipsec-policy ipsec-policy-name [access-group ipsec-acl-name]
tunnel configuration
IPsec profile configuration
id |
Sequence number for the statement. Range: 1 to 429496729. You can configure up to eight sequenced entries for each tunnel. |
ipsec-policy ipsec-policy-name |
Name of a previously created IPsec policy. |
access-group ipsec-acl-name |
Optional. Name of a previously created IPsec ACL. |
No IPsec policies are configured for an IPsec tunnel using IKE.
This command applies only to IPsec tunnels using IKE. It specifies up to eight sequenced IPsec policies, each optionally with an IPsec ACL. When no IPsec ACL is specified, a wildcard selector is added by default. Using the no form of the command will remove the configuration.
[local]Redback(config)#tunnel ipsec rec_2_1
[local]Redback(config-tunnel)#seq 10 ipsec-policy ipsec_Pol1 access-group ipsec_ACL1
[local]Redback(config-tunnel)#seq 20 ipsec-policy ipsec_Pol2 access-group ipsec_ACL2
seq sequence-number proposal ike-proposal-name
IKE policy configuration
IKEv2 policy configuration
IPsec policy configuration
sequence-number |
1 to 429496729. |
proposal ike-proposal-name |
Name of a previously created IKE proposal (in IKE policy or IKEv2 policy configuration mode) or IPsec policy proposal (in IPsec policy configuration mode). |
No IKE proposals are configured for an IKE policy. No IPsec proposals are configured for an IPsec policy.
When configuring an IKE policy, specifies the IKE proposals used by the IKE policy. When configuring an IPsec policy, specifies the IPsec proposals used by the IPsec policy. Up to 16 sequenced proposals can be specified for each policy. Using the no form of the command will remove the configuration.
The following example shows how to add a reference to the IKE_Prop1 IKE proposal to the IKE policy:
[local]Redback(config-ike-policy)#seq 10 proposal IKE_Prop1
The following example shows how to add a reference to the IPsec_Prop1 IPsec proposal to the IPsec policy:
[local]Redback(config-ipsec-policy)#seq 10 proposal IPsec_Prop1
seq id security-association sa-name [access-group ipsec-acl-name]
no seq id security-association sa-name [access-group ipsec-acl-name]
tunnel configuration
id |
Sequence number for the statement. Range: 1 to 429496729. You can configure up to 8 sequenced entries per tunnel. |
security-association sa-name |
Name of a previously created IPsec SA. |
access-group ipsec-acl-name |
Name of a previously created IPsec ACL. |
No security associations with manual keys are configured for a manual mode IPsec tunnel.
This command applies only to manual mode IPsec tunnels. It specifies up to eight sequenced manual-keyed SAs, each optionally with an IPsec ACL, for a manual mode IPsec tunnel. When no IPsec ACL is specified, a wildcard selector is added by default. Using the no form of the command will remove the configuration.
[local]Redback(config)#tunnel ipsec rec_2_1
[local]Redback(config-tunnel)#seq 10 security-association ipsec_sa_1 access-group ipsec_ACL1
[local]Redback(config-tunnel)#seq 20 security-association ipsec_sa_2 access-group ipsec_ACL2
show configuration ike [all-contexts] [verbose]
all modes
all-contexts |
Optional. Displays the configuration for IKE in all contexts. |
verbose |
Optional. Displays all defaulted parameters. |
Displays configuration information for IKE in the current context, or in all contexts if the optional all-contexts keyword is specified. The optional verbose keyword lists all defaulted parameters.
[local]Redback#show configuration ike
Building configuration...
Current configuration:
context local
!
! ** End Context **
ike proposal ikeProp1
 authentication algorithm hmac-sha1-96
 encryption algorithm des-cbc
 dh-group 1
 lifetime seconds 3600
!
ike proposal simple-ike-proposal
 authentication algorithm hmac-sha1-96
 encryption algorithm des-cbc
 dh-group 1
 lifetime seconds 3600
!
!
end
show configuration ipsec [all-contexts] [verbose]
all modes
all-contexts |
Optional. Displays the configuration for IPsec in all contexts. |
verbose |
Optional. Displays all defaulted parameters. |
Displays configuration information for IPsec in the current context, or in all contexts if the optional all-contexts keyword is specified. The optional verbose keyword lists all defaulted parameters.
[local]subzero#show configuration ipsec
Building configuration...
Current configuration:
context local
!
! ** End Context **
ipsec proposal ipsecProp1
 esp encryption des-cbc
 esp authentication hmac-sha1-96
 ip-comp
 lifetime seconds 1800
!
ipsec proposal simple-ipsec-proposal
 esp encryption des-cbc
 esp authentication hmac-sha1-96
 ip-comp
 lifetime seconds 1800
!
ipsec policy ipsecPol1
 anti-replay-window 64
 seq 1 proposal ipsecProp1
!
ipsec policy simple-ipsec-policy
 anti-replay-window 64
 seq 1 proposal simple-ipsec-proposal
!
!
end
show configuration tunnel [all-contexts] [verbose]
all modes
all-contexts |
Optional. Displays the configuration for tunnels in all contexts. |
verbose |
Optional. Displays all defaulted parameters. |
Displays configuration information for tunnels in the current context, or in all contexts if the optional all-contexts keyword is specified. The optional verbose keyword lists all defaulted parameters.
[local]Redback#show configuration tunnel
Building configuration...
Current configuration:
context local
!
! ** End Context **
tunnel ipsec rec_1_2_m manual
 peer-end-point local 1.1.1.1 remote 2.1.1.1 context vpn1
 bind interface tunnel_ipsec_1 vpn1
 seq 10 security-association sa1_2 access-group acl1_2
!
!
end
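The three show configuration outputs share one block format (a top-level object line, indented attribute lines, a closing !), which makes a saved dump easy to audit for the settings this reference itself flags: aggressive mode exchanges endpoint IDs in clear text, lifetime 0 means no timeout, an IPsec policy has no PFS group unless one is configured, and a policy takes at most 16 proposals and a tunnel at most 8 seq entries. The following Python script is an added example, not from the Ericsson manual; SAMPLE_CONFIG is a constructed dump in that format.

```python
"""Audit a SmartEdge-style IKE/IPsec configuration dump for settings the
command reference documents as weaker or unbounded (added example, not
Ericsson code; SAMPLE_CONFIG is constructed in the 'show configuration'
format). Findings: 'mode aggressive' in an IKE policy (IDs in clear text),
'lifetime seconds 0' or 'lifetime kbytes 0' (no timeout), an IPsec policy
without perfect-forward-secrecy, and more seq entries than the documented
limits (16 proposals per policy, 8 per tunnel)."""
import re

MAX_PROPOSALS_PER_POLICY = 16
MAX_SEQ_PER_TUNNEL = 8
BLOCK_START = re.compile(
    r"^(ike policy|ike proposal|ipsec policy|ipsec proposal|tunnel ipsec) (\S+)")

SAMPLE_CONFIG = """\
context local
!
! ** End Context **
ike proposal ikeProp1
 authentication algorithm hmac-sha1-96
 encryption algorithm des-cbc
 dh-group 1
 lifetime seconds 0
!
ike policy ike-policy1
 mode aggressive
 seq 10 proposal ikeProp1
!
ipsec proposal ipsecProp1
 esp encryption des-cbc
 esp authentication hmac-sha1-96
 lifetime seconds 1800
!
ipsec policy ipsecPol1
 anti-replay-window 64
 seq 1 proposal ipsecProp1
!
ipsec policy ipsecPol2
 perfect-forward-secrecy dh-group 5
 seq 1 proposal ipsecProp1
!
tunnel ipsec rec_1_2_m manual
 peer-end-point local 1.1.1.1 remote 2.1.1.1 context vpn1
 seq 10 security-association sa1_2 access-group acl1_2
!
end
"""

def parse_blocks(text):
    """Return [(kind, name, [body lines])]; indented lines belong to the
    preceding top-level object, and '!' or another top-level line ends it."""
    blocks, current = [], None
    for raw in text.splitlines():
        if raw.startswith(" "):
            if current is not None:
                current[2].append(raw.strip())
            continue
        match = BLOCK_START.match(raw)
        current = (match.group(1), match.group(2), []) if match else None
        if current is not None:
            blocks.append(current)
    return blocks

def audit(text):
    """Return (severity, object, message) findings for the dump."""
    findings = []
    for kind, name, body in parse_blocks(text):
        obj = f"{kind} {name}"
        seqs = sum(1 for line in body if line.startswith("seq "))
        for line in body:
            if kind == "ike policy" and line == "mode aggressive":
                findings.append(("high", obj,
                                 "aggressive mode exchanges endpoint IDs in clear text"))
            m = re.fullmatch(r"lifetime (seconds|kbytes) 0", line)
            if m:
                findings.append(("medium", obj,
                                 f"lifetime {m.group(1)} 0 means no SA timeout"))
        if kind == "ipsec policy" and not any(
                line.startswith("perfect-forward-secrecy") for line in body):
            findings.append(("medium", obj,
                             "no perfect-forward-secrecy dh-group configured"))
        if kind.endswith("policy") and seqs > MAX_PROPOSALS_PER_POLICY:
            findings.append(("error", obj,
                             f"{seqs} proposals exceed the limit of {MAX_PROPOSALS_PER_POLICY}"))
        if kind == "tunnel ipsec" and seqs > MAX_SEQ_PER_TUNNEL:
            findings.append(("error", obj,
                             f"{seqs} seq entries exceed the limit of {MAX_SEQ_PER_TUNNEL}"))
    return findings

if __name__ == "__main__":
    for severity, obj, message in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {obj}: {message}")
```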
show ike [card slot-id/asp-id] [policy policy-name]
all modes
card slot-id |
Optional. Number of the chassis slot where the card is installed. The range of values depends on the chassis:
|
asp-id |
Optional. ID of the ASP on the ASE card. Possible values are 1 and 2. |
policy policy-name |
Optional. Name of a previously created IKE policy. |
Displays configuration information for IKE policies in the current context. If no IKE policy is specified, one line of configuration information for each IKE policy with the name, local ID, and mode is displayed. If an IKE policy is specified, all attributes, including defaults, are displayed for the specified policy. If no ASP is specified, the information is retrieved from the SmartEdge controller card; otherwise, it is retrieved from the specified ASP.
[local]Redback#show ike policy
Name          Local-ID    Mode
ike-policy1   1.1.1.1     aggressive
[local]Redback#show ike policy ike-policy1
IKE Policy: ike-policy1
Description: IKE policy for aggressive mode
Mode: aggressive
Connection Type: both
Local Identity: 1.1.1.1
Remote Identity: 2.2.2.2 3.3.3.3 4.4.4.4 5.5.5.5
Pre-shared Key: 0x123456789101234567890 // For the administrators
Pre-shared Key: ********** // For the operators
seq 10 proposal IKE-Prop1
seq 20 proposal IKE-Prop2
show ike [card slot-id/asp-id] [proposal proposal-name ]
all modes
card slot-id |
Optional. Number of the chassis slot where the card is installed. Possible values are 1 to 14. The actual slots that can contain an ASE card depend on the chassis:
|
asp-id |
Optional. ID of the ASP on the ASE card. Possible values are 1 and 2. |
proposal proposal-name |
Optional. Name of a previously created IKE proposal. |
Displays configuration information for IKE proposals. If no IKE proposal is specified, one line of configuration information for each IKE proposal with the name, encryption algorithm, authentication algorithm, and Diffie-Hellman group is displayed. If an IKE proposal is specified, all attributes, including defaults, are displayed for the specified proposal. If no ASP is specified, the information is retrieved from the SmartEdge controller card; otherwise, it is retrieved from the specified ASP.
[local]Redback#show ike proposal
            Encryption   Authentication   DH-Group
IKE-Prop1   des-cbc      hmac-md5-96      1
IKE-Prop2   3des-cbc     hmac-sha1-96     2
[local]Redback#show ike card 2/1 proposal IKE-Prop1
IKE Proposal             : IKE-Prop11
Encryption Algorithm     : 3des-cbc
Authentication Algorithm : hmac-md5-96
DH Group                 : 1
Lifetime                 : 86400 seconds
show ike [card slot-id/asp-id] statistics global {ike1|ike2}
all modes
card slot-id |
Optional. Number of the chassis slot where the card is installed. Possible values are 1 to 14. The actual slots that can contain an ASE card depend on the chassis:
|
asp-id |
Optional. ID of the ASP on the ASE card. Possible values are 1 and 2. |
ike1|ike2 |
Specifies whether IKEv1 or IKEv2 protocol counters are shown. |
Displays ASP-level IKE statistics. You must specify whether IKEv1 or IKEv2 protocol counters are shown.
[local]Redback#show ike card 2/1 statistics global ike1
# Main Mode 1st messages sent : 28
# Main Mode 1st messages received : 27
# Main Mode 2nd messages sent : 27
# Main Mode 2nd messages received : 27
# Main Mode 3rd messages sent : 27
# Main Mode 3rd messages received : 27
# Main Mode 4th messages sent : 27
# Main Mode 4th messages received : 27
# Main Mode 5th messages sent : 27
# Main Mode 5th messages received : 27
# Main Mode 6th messages sent : 27
# Main Mode 6th messages received : 27
# Aggressive Mode 1st messages sent : 0
# Aggressive Mode 1st messages received : 0
# Aggressive Mode 2nd messages sent : 0
# Aggressive Mode 2nd messages received : 0
# Aggressive Mode 3rd messages sent : 0
# Aggressive Mode 3rd messages received : 0
# Xauth request messages sent : 0
# Xauth request messages received : 0
# Xauth reply messages sent : 0
# Xauth reply messages received : 0
# Xauth status messages sent : 0
# Xauth status messages received : 0
# Xauth ack messages sent : 0
# XAUTH ack messages received : 0
# New Group Mode 1st messages sent : 0
# New Group Mode 1st messages received : 0
# New Group Mode 2nd messages sent : 0
# New Group Mode 2nd messages received : 0
# Mode Config request messages sent : 0
# Mode Config request messages received : 0
# Mode Config reply messages sent : 0
# Mode Config reply messages received : 0
# Mode Config set messages sent : 0
# Mode Config set messages received : 0
# Mode Config ack messages sent : 0
# Mode Config ack messages received : 0
# Quick Mode 1st messages sent : 9079
# Quick Mode 1st messages received : 36183
# Quick Mode 2nd messages sent : 40
# Quick Mode 2nd messages received : 40
# Quick Mode 3rd messages sent : 40
# Quick Mode 3rd messages received : 40
# DPD R_U_THERE messages sent : 0
# DPD R_U_THERE messages received : 0
# DPD R_U_THERE_ACK messages sent : 0
# DPD R_U_THERE_ACK messages received : 0
# DPTD PING messages sent : 0
# DPTD PING messages received : 0
# DPTD PONG messages sent : 0
# DPTD PONG messages received : 0
# Ike Delete notifications sent : 48
# Ike Delete notifications for received : 4
# IPSec Delete notifications sent : 58
# IPSec Delete notifications received : 58
# QM Connect notifications received : 0
# Responder Life Time notifications sent : 0
# Responder Life Time notifications received : 0
# Reply Status notifications sent : 0
# Reply Status notifications received : 0
# Initial Contact messages sent : 18
# Initial Contact messages received : 18
# Other Notifications sent : 17
# Other Notifications received : 17
# Informational Exchanges sent : 123
# Informational Exchanges received : 79
# retries done : 27109
# IKE SAs matured : 54
# Phase-1 negotiations dropped due to rate-limit : 0
# Phase-2 negotiations dropped due to rate-limit : 0
# negotiation requests dropped from IPSec when IKE SA is responder and not matured : 0
# XAUTH changes failed due to auth failures : 0
# negotiation requests dropped from IPSec when VSG status disabled : 0
# messages dropped from peer when VSG status disabled : 0
# negotiation requests dropped from IPSec when Ike policy not found : 0
# Messages dropped from peer due to invalid Isakmp header length: 0
# Messages dropped from peer due to SA life time KB value getting exeeded : 0
# Messages dropped from peer due to Ike policy configured as initiator only : 0
# negotiation requests dropped from IPSec Ike policy configured as responder only : 0
# QM 1st messages dropped from peer due to received peer Id is not matching with IPSec policy peer Id : 0
# Messages dropped from peer due to more number of certificate requests(>=8) exist : 0
# Current phase-1 negotiations : 0
# Current phase-2 negotiations : 1
# Queued QMs in IKE SA for which phase-2 not started : 0
# Phase-1 negotiations dropped due to rate-limit : 0
# Phase-2 negotiations dropped due to rate-limit : 0
# Dropped negotiation requests from IPSec : 0
# Create SA negotiation requests from IPSec : 18004
# Renew SA negotiation requests from IPSec : 38
[local]Redback#show ike asp 2/1 statistics global ike2
# IKE packets sent: 0
# IKE packets received: 159787
# SAs Created: 31486
# SAs Active: 0
# SAs Matured: 0
# Remote User's ID Verify Failures : 31459
# Cookie Verify Failures : 0
# MessageID Check Failures : 0
# Local Informational Exchg attempts : 9
# Remote Informational Exchg attempts: 0
# Invalid Major Version Errors : 0
# Payload Errors : 18
# Non_Matured SAs Deleted : 31486
# Retries : 9
# Duplicate SA_INIT responses : 0
# Cookie Notify messages Sent : 0
# Cookie Notify messages Received : 0
# Invalid KE Payloads Sent : 0
# Invalid KE Payloads Received : 0
# CP Payload Requests Sent : 0
# CP Payload Requests Received : 0
# CP Payload Reply Msgs Sent : 0
# CP Payload Reply Msgs Received : 0
show ipsec [card slot-id/asp-id] [access-list ipsec-acl-name ]
all modes
card slot-id |
Optional. Number of the chassis slot where the card is installed. Possible values are 1 to 14. The actual slots that can contain an ASE card depend on the chassis:
|
asp-id |
Optional. ID of the ASP on the ASE card. Possible values are 1 and 2. |
access-list ipsec-acl-name |
Optional. Name of a previously created IPsec ACL. |
Displays configuration information for IPsec ACLs configured in the current context. If no ACL is specified, one line of configuration information (name and description) is displayed for each ACL. If an ACL is specified, all attributes, including defaults, are displayed for that ACL. If no ASP is specified, the information is retrieved from the SmartEdge controller card; otherwise, it is retrieved from the specified ASP.
[local]Redback#show ipsec access-list
Name        Description
Ipsec-ACL1  IPsec Access List #1

[local]Redback#show ipsec access-list Ipsec-ACL1
IPsec Access-List: Ipsec-ACL1
Description: IPsec Access List #1
Seq 1 tcp 1.1.1.0/24 eq 200000 2.2.2.0/24 eq 200000
Seq 2 1.1.1.0/24 2.2.2.0/24
Seq 3 any any
show ipsec [card slot-id/asp-id] [profile profile-name]
all modes
card slot-id |
Optional. Number of the chassis slot where the card is installed. Possible values are 1 to 14. The actual slots that can contain an ASE card depend on the chassis:
|
asp-id |
Optional. ID of the ASP on the ASE card. Possible values are 1 and 2. |
profile profile-name |
Optional. Name of an IPsec profile. |
Displays configuration information for IPsec profiles configured in the current context. If no ASP is specified, the information is retrieved from the SmartEdge controller card; otherwise, it is retrieved from the specified ASP.
[vpn1]l4l7-1#show ipsec profile
IPsec Profile: rec1_1
DF Bit: 0
MTU: 1480
1 IPSec Policy: ipsec_policy1 Access List: acl1_1
show ipsec [card slot-id/asp-id] [policy policy-name]
all modes
card slot-id |
Optional. Number of the chassis slot where the card is installed. Possible values are 1 to 14. The actual slots that can contain an ASE card depend on the chassis:
|
asp-id |
Optional. ID of the ASP on the ASE card. Possible values are 1 and 2. |
policy policy-name |
Name of a previously created IPsec policy. |
Displays configuration information for IPsec policies in the current context. If no IPsec policy is specified, one line of configuration information (name and Diffie-Hellman group) is displayed for each IPsec policy. If an IPsec policy is specified, all attributes, including defaults, are displayed for that policy. If no ASP is specified, the information is retrieved from the SmartEdge controller card; otherwise, it is retrieved from the specified ASP.
[local]Redback#show ipsec policy
Name           PFS
Ipsec-Policy1  dh-group 2

[local]Redback#show ipsec policy Ipsec-Policy1
IPsec Policy: ipsec-Pol1
Perfect-forward-secrecy: dh-group 2
Anti-replay-window: 64
seq 10 ipsec-Prop1
seq 20 ipsec-Prop2
show ipsec [card slot-id/asp-id] proposal proposal-name
all modes
card slot-id |
Optional. Number of the chassis slot where the card is installed. Possible values are 1 to 14. The actual slots that can contain an ASE card depend on the chassis:
|
asp-id |
Optional. ID of the ASP on the ASE card. Possible values are 1 and 2. |
proposal proposal-name |
Name of a previously created IPsec proposal. |
Displays configuration information for IPsec proposals. If no IPsec proposal is specified, one line of configuration information (name, encryption algorithm, authentication algorithm, and IP-Comp flag) is displayed for each IPsec proposal. If an IPsec proposal is specified, all attributes, including defaults, are displayed for that proposal. If no ASP is specified, the information is retrieved from the SmartEdge controller card; otherwise, it is retrieved from the specified ASP.
[local]Redback#show ipsec proposal
Name         Encryption  Authentication  IP-Comp
ipsec-Prop1  des-cbc     hmac-md5-96     Enabled
ipsec-Prop2  3des-cbc    hmac-sha1-96    Disabled

[local]Redback#show ipsec proposal ipsec-Prop1
IPsec Proposal: ipsec-Prop1
Description: IPsec Proposal 1
ESP: encryption: aes-128-ctr authentication: hmac-sha1-96
AH: authentication: hmac-md5-96
IP-Comp: Enabled
Lifetime: 86400 seconds, 50000 KBytes
show ipsec [card slot-id/asp-id] [security-association sa-name]
all modes
card slot-id |
Optional. Number of the chassis slot where the card is installed. Possible values are 1 to 14. The actual slots that can contain an ASE card depend on the chassis:
|
asp-id |
Optional. ID of the ASP on the ASE card. Possible values are 1 and 2. |
security-association sa-name |
Name of a previously created IPsec SA. |
Displays configuration information for IPsec SAs configured in the current context. If no SA is specified, one line of configuration information (name and description) is displayed for each SA. If an SA is specified, all attributes, including defaults, are displayed for that SA. If no ASP is specified, the information is retrieved from the SmartEdge controller card; otherwise, it is retrieved from the specified ASP.
[local]Redback#show ipsec security-association
Name       Description
ipsec-sa1  IPsec Security Association #1

[local]Redback#show ipsec security-association IPsec-SA1
IPsec Security-Association: ipsec-sa1
Description: IPsec Security Association #1
Anti Replay Window Size: 64
Ip-Compression: Enable
Security Association: both
esp spi 0x00001111
  encryption 3des-cbc key 0x010203040506070809      // For the administrators
                      key **********                // For the operators
  authentication hmac-sha1-96 key 0x010203040506070809   // For the administrators
                              key **********             // For the operators
ah spi 0x00002222 hmac-md5-96 key 0x0102030405060708
show ipsec card slot-id/asp-id statistics global context context-name
all modes
card slot-id |
Optional. Number of the chassis slot where the card is installed. Possible values are 1 to 14. The actual slots that can contain an ASE card depend on the chassis:
|
asp-id |
Optional. ID of the ASP on the ASE card. Possible values are 1 and 2. |
global context context-name |
Name of a previously created context. |
Displays IPsec statistics for the specified context.
The following example shows the global IPsec statistics for the context vpn1.
[local]Redback#show ipsec card 2/1 statistics global context vpn1
----------------------------------------------------------------------
IPSec4 Global Packet Processing Stats::
----------------------------------------------------------------------
# Packets Received for Inbound Processing : 0
# Packets Processed by Inbound Processing : 0
# Packets Received for Outbound Processing : 0
# Packets Processed by Outbound Processing : 0
# Inbound Secured Packets Received : 0
# Inbound Secured Packets Processed : 0
# Outbound Packets Received to Apply Security : 0
# Outbound Packets Security has Applied : 0
# Inbound UDP Encapsulated Packets : 0
(Errors)
# Inbound Packet has Dropped, Because of SA is Deleted or not Complete SA : 0
# Inbound ICMP Error Packets : 0
# Unable to Find Subscriber Network ID : 0
# Can't Handle ICMP Error Messages : 0
# Invalid IP Header Length : 0
# Can't Allow this ICMP Error Message Type and Code to Process : 0
# Updated Out SA PMTU Value with Received ICMP MTU Error Message Value : 0
# SPD Policy has Modified, Pkt Selectors not matched with Policy Selectors : 0
# Packet Length is less than Minimum ESP Header Length : 0
# Packet Length is less than Minimum AH Header Length : 0
# Unable to Allocate memory for SA Info : 0
# Unable to Allocate memory for Packet Queue Node : 0
# Can't Process the Packet, Because of Delete Mark Set in SA : 0
# Unable to Allocate memory for IKE request Info Node : 0
# Updating of NAT IP and Port Change of Ihappi Reg Function returns Failure : 0
# Unable to Allocate Memory for HA Data Node : 0
# Unable to Allocate Memory for New buffer(igwbuf) : 0
# Dropping the Packet, Invalid Sequence Number Recieved : 0
# Dropping the Packet, Late Packets Received : 0
# Dropping the Packet, Duplicate Packets Received : 0
# Dropping the Packet, Invalid Buffer Length : 0
# Inbound Packet IP Comp Header Flag field is not Zero : 0
# Inbound Packet AH Header Reserved field is not Zero : 0
# Wrong AH Header Payload length of Inbound Packet : 0
# Dropping the Packet, IP Header Placement Error : 0
# Dropping the Packet, Decompression of Inbound packet Failure : 0
# Dropping the Packet, Authentication of Inbound packet Failure : 0
# Possibly Decryption is done with wrong key : 0
# Received in Transport mode, but Expected to Tunnel mode packet : 0
# Received in Tunnel mode, but Expected to Transport mode packet : 0
# Inbound Packet has Dropped, SA Hard Life Time KB is Expired : 0
# Pkts Recieved with IPv6 selector and IPv6 Engine has not been Registered : 0
# Matching SA Selectors with Packet Selectors Failed : 0
# Inner IP Header has IPv6, Submit to IPv6 Engine : 0
# Unable to Allocate Memory for Tasklet Group Node : 0
# Unable to Allocate Memory for Tasklet Data Node : 0
# Unable to Schedule the Tasklet : 0
# Packet has Bypassed, Subscriber Network Id has disabled : 0
# Unable to Allocate memory for IP Selector Node : 0
# Dropping the Pkts, Apply Policy Configured for Received ICMP Error Message: 0
# Dropping the Pkts, Discard Policy Matched for Outbound ICMP Error Message: 0
# Dropping the Pkts, Discard Policy Matched for Inbound ICMP Error Message: 0
# Unable to Find Matching Selector Set from Packet Selectors : 0
# No policy or Non Bypass policy found for ICMP Error Massage Inner Payload : 0
# Unable to Allocate Memory for FW VPN Info Node : 0
# Dropping the Packet, Apply Policy Configured for Received Plain Packet : 0
# Dropping the Packet, Discard Policy Matched for Outbound Packet : 0
# Dropping the Packet, Discard Policy Matched for Inbound Packet : 0
# Dropping the Packet, No Matching Policy Found for Outbound Packet : 0
# Dropping the Packet, No Matching Policy Found for Inbound Packet : 0
# Matching Policy Found for Outbound Packet, but Mark has Delete Policy : 0
# Unable to Find Another Policy for Non Initial Fragments : 0
# Matching Policy for Non Initial Fragments is not Apply Policy : 0
# Starting of SA Negotiations must not be with ICMP Error Message : 0
# Dropping the packet, Negotiations would be under process : 0
# Packet DSCP Value Doesn't Fall Under Policy DSCP Ranges : 0
# Unable to Get the SPI and Create Redundant SA : 0
# Unable to Find the Created Redundant SA : 0
# Preparing Negotiation Request Information to IKE Failure : 0
# Queuing of Request Information to IKE Failure : 0
# Unable to Allocate Memory for Negotiating Response Info Node : 0
# Unable to Create Manual SA, No Local and Remote Gateway in Policy : 0
# Unable to Create Manual SA, More than One Attribute in Proposal : 0
# Unable to Create Manual SA, More than One Proposal in Manual Policy : 0
# Unable to Create Manual SA, Conversion of Selector to TS Info Failure : 0
# Manual SA Creation Failures : 0
# Dropping the Packet, SA is not in Complete State or Backup SA : 0
# Dropping the Packet, Time to Live is Zero : 0
# Formation of Chain of Fragments for Fragmentation before Encap Failures : 0
# Packet Submit to IPv6 Engine for Outbound Processing : 0
# Dropping the Packet, Packet Size more than SA Path MTU size : 0
# Invalid SA IP Compression Information : 0
# Dropping the Outbound Packet, Sequence Number Overflow : 0
# Applying Crypto Operation or Compression on Plain Packet Failures : 0
# Outbound Packet has Dropped, SA Hard Life Time KB Expired : 0
# Addition of Encapsulated UDP Header on Packet Failure : 0
# Dropping the packet, Request send to IKE for SA Negotiations : 0
# Dropping the packet, Request send for Manual Outbound SA Creation : 0
# Mismatch SA Selectors IP Version, Inner IP is IPv4,SA Selector is IPv6 : 0
# Invalid ESP header Pad Length Field value of Inbound Packet : 0
# Packets dropped since tunnel is in unbind/unoperational/disable state : 0
# Packets dropped since SA backlogQ threshold cnt reached : 0
# Packets dropped due to bDeleteSAMatched, no kick to IKE : 0
show pki [asp slot-id/asp-id] certificate {trusted|self} rsa [identity identity|handle handle]
all modes
asp slot-id |
Optional. Number of the chassis slot where the card is installed. Possible values are 1 to 14. The actual slots that can contain an ASE card depend on the chassis:
|
asp-id |
Optional. ID of the ASP on the ASE card. Possible values are 1 and 2. |
trusted |
Displays information about trusted certificates. |
self |
Displays information about self certificates. |
handle handle |
The handle of a specific certificate. |
identity identity |
The identity of a specific certificate. |
This command displays information about trusted or self certificates. If a certificate identity or handle is specified, only that certificate is shown. Use the handle keyword to select a specific imported certificate: the handle is a unique number assigned to each certificate when it is imported and is never reused; the first imported certificate receives handle 0, and the value increments each time a new certificate is imported. The value for the identity keyword is the subject name of the certificate. If you do not know the handle or identity of a certificate, first show all the self or trusted certificates.
show pki key-pair [key-pair-name]
all modes
key-pair |
Unique name for the key pair; up to 39 characters. |
This command displays a minimal amount of information about the keys, and does not display the actual keys.
The following example displays information about the key pair first_key_pair in the vpn1 context.
[local]Redback#context vpn1
[vpn1]Redback#show pki key-pair first_key_pair
show tunnel ipsec [[name tunnel-name|remote ip-address] [detail]]|[[name tunnel-name] on-demand]
all modes
name tunnel-name |
Optional. Name of a previously created IPsec tunnel. |
remote ip-address |
Optional. IP address of the remote endpoint. |
detail |
Optional. Displays detailed configuration information. |
tunnel-name |
Optional. Tunnel name. |
on-demand |
Optional. Displays information about on-demand IPsec tunnels. |
Displays configuration information for IPsec tunnels. If no IPsec tunnel is specified, generic information about all IPsec tunnels is displayed. You can specify a single IPsec tunnel by name. Specify IPsec tunnels that share the same remote endpoint by specifying the IP address of the remote endpoint. All generic attributes, including the name, endpoints, ASP slot/ID, state, bound interface, circuit ID, and circuit handle are displayed. If you use the optional detail keyword in addition to specifying the tunnel or remote endpoint, IPsec-specific attributes, including encryption algorithms, authentication algorithms, active SAs, and the operational status are also displayed. Use the on-demand keyword to display on-demand tunnel names and count; use the on-demand tunnel name to list information for the specified on-demand tunnel.
[local]Redback#show tunnel ipsec
::::: Tunnel : rec_2_1        Key : -
Remote IP : 77.0.0.1          Local IP : 77.0.0.2
Tnl Type : IPsec              ASP Slot/Id : 2/1       State : Up
Bound to : tunnel_ipsec2@ipsec_context2     Circuit ID: 18
Internal Hdl: 255/28:1023:63/0/1/18
::::: Tunnel : rec_1_2        Key : -
Remote IP : 77.0.0.2          Local IP : 77.0.0.1
Tnl Type : IPsec              ASP Slot/Id : 2/1       State : Up
Bound to : tunnel_ipsec2@ipsec_context      Circuit ID: 17
Internal Hdl: 255/28:1023:63/0/1/17

[local]Redback#show tunnel ipsec name rec_2_1
::::: Tunnel : rec_2_1        Key : -
Remote IP : 77.0.0.1          Local IP : 77.0.0.2
Tnl Type : IPsec              ASP Slot/Id : 2/1       State : Up
Bound to : tunnel_ipsec2@ipsec_context2     Circuit ID: 18
Internal Hdl: 255/28:1023:63/0/1/18
[local]Redback#show tunnel ipsec remote 77.0.0.2 detail
::::: Tunnel : rec_1_2_d      Key : -
Remote IP : 77.0.0.2          Local IP : 77.0.0.1
Tnl Type : IPsec              ASP Slot/Id : 2/1       State : Up
Bound to : tunnel_ipsec2@vpn1               Circuit ID: 3
Internal Hdl: 255/28:1023:63/0/1/3

[local]router# show tunnel ipsec name rec_1_2_d detail
::::: Tunnel : rec_1_2_d      Key : -
Remote IP : 77.0.0.2          Local IP : 77.0.0.1
Tnl Type : IPsec              ASP Slot/Id : 2/1       State : Up
Bound to : tunnel_ipsec2@vpn1               Circuit ID: 3
Internal Hdl: 255/28:1023:63/0/1/3
Tunnel is User Configured
local-ip 77.0.0.1, context-for-local-ip: vpn1
mtu 1480
log-state-changes no
clear-df no
destination UP on nhop resolved in valid intf resolved on to_ipsec_peer2
grid 0x10000003
Tunnel ID: ipsec 3
Circuit ID Internal: 255/28:1023:63/0/1/3
# of IKE SAs : 1
# of IPsec SAs : 4
IKE Policy: ike_pol1
************ IKE SA's ***************
-------------------------------------------------------------------------
SA Number : 1     Initiator     State: (SA_MATURE)
-------------------------------------------------------------------------
Policy Name: ike_pol1
Authentication Mode: Pre-shared Key
Peer Address: 77.0.0.2
Remote Id Type: IPV4_ADDR     RemoteId: 77.0.0.2
Initiator Cookie : 0x2d154957844f95ca
Responder Cookie : 0xb83c7d1dd8cb26d5
Life Time in Sec: 86291                 Life Time In Bytes: 0
Negotiated Life Time in Sec : 86400     Negotiated Life Time In Bytes: 0
Authentication Algorithm : HMAC-MD5-96
Encryption Algorithm : 3DES-CBC
DH Group: 1
SA Status : Active
seq 10 ipsec-policy pol1 access-group acl1_2
************ IPSEC SA's ***************
-------------------------------------------------------------------------
SA #1: Outbound ESP
--------------------
SPI : 0x2005d9
Encr: 3des-cbc     Auth: hmac-md5-96
Selector: IP 55.0.0.0/16 -> 60.0.0.0/16 Proto tcp port [0 - 0] -> [0 - 0]
Path MTU: 1388
Negotiated Lifetime in Seconds: 86400
Negotiated Lifetime in Bytes : 0
(Soft / Hard) Lifetime in Seconds: 11639 / 11873
(Soft / Hard) Lifetime in Bytes : 0 / 0
Packets processed: 0
Bytes processed : 0
IP Compression Status: Disabled
SA #2: Inbound ESP
--------------------
SPI : 0x2005c9
Encr: 3des-cbc     Auth: hmac-md5-96
Selector: IP 60.0.0.0/16 -> 55.0.0.0/16 Proto tcp port [0 - 0] -> [0 - 0]
Negotiated Lifetime in Seconds: 86400
Negotiated Lifetime in Bytes : 0
(Soft / Hard) Lifetime in Seconds: 11637 / 11873
(Soft / Hard) Lifetime in Bytes : 0 / 0
Packets processed: 0
Bytes processed : 0
IP Compression Status: Disabled
SA #3: Outbound AH
--------------------
SPI : 0x2005df
Auth: hmac-md5-96
Selector: IP 55.0.0.0/16 -> 60.0.0.0/16 Proto tcp port [0 - 0] -> [0 - 0]
Path MTU: 1388
Negotiated Lifetime in Seconds: 86400
Negotiated Lifetime in Bytes : 0
(Soft / Hard) Lifetime in Seconds: 11727 / 11873
(Soft / Hard) Lifetime in Bytes : 0 / 0
Packets processed: 0
Bytes processed : 0
IP Compression Status: Disabled
SA #4: Inbound AH
--------------------
SPI : 0x2005cf
Auth: hmac-md5-96
Selector: IP 60.0.0.0/16 -> 55.0.0.0/16 Proto tcp port [0 - 0] -> [0 - 0]
Negotiated Lifetime in Seconds: 86400
Negotiated Lifetime in Bytes : 0
(Soft / Hard) Lifetime in Seconds: 11357 / 11873
(Soft / Hard) Lifetime in Bytes : 0 / 0
Packets processed: 0
Bytes processed : 0
IP Compression Status: Disabled
[local]l4l7-1#show tunnel ipsec rec1_1 on-demand
IKE Policy : ike_policy1_1
Local IP : 1.1.1.1
Bind Interface : tunnel_ipsec_multibind_1_1
Bind Context : vpn1
AAA Authentication : Disabled
Maximum Tunnels : 1
Number of Tunnels : 1
Number of Active Tunnels: 1
Local IP: 1.1.1.1
Remote-IP  ASP  Tunnel-Name                  Bind                        Context  Creation Time
2.1.1.1    2/1  _*DynTun*_23000001_00310000  tunnel_ipsec_multibind_1_1  vpn1     Today

[local]l4l7-1#show tunnel ipsec on-demand
Tunnel  Count
rec1_1  1
show tunnel ipsec name tunnel-name [on-demand] statistics [detail]
all modes
name tunnel-name |
Name of a previously created IPsec tunnel. |
on-demand |
Optional. Displays statistics at the tunnel profile level. |
detail |
Optional. Displays basic cumulative statistics for the tunnel and the statistics for each SA. |
Displays the IPsec statistics associated with the specified tunnel. Identify only the tunnel to show basic cumulative statistics for the tunnel. Use the detail keyword to show basic cumulative statistics for the tunnel and the statistics for each SA. Use the on-demand keyword to show statistics for the on-demand tunnel at the tunnel profile level.
The following example shows the results following a ping test in which 215 packets were sent.
[local]Redback#show tunnel ipsec name rec_2_1 statistics
IPsec Decryption Errors : 0
IPsec Authentication Errors : 0
IPsec Policy Errors : 0
IPsec Padding Errors : 0
Anti-Replay Errors in IPsec : 0
Other Errors in IPsec : 0
Number of IN IPsec packets : 215
IPsec IN packets HO value : 0
Number of OUT IPsec packets : 215
IPsec OUT packets HO value : 0
Send OUT IPsec pkts Errors : 0
Total IN Bytes Processed By IPsec : 15480
IN Bytes Processed HO value : 0
Total OUT Bytes Processed By IPsec : 15480
OUT Bytes Processed HO value : 0
show tunnel ipsec name tunnel-name statistics ike [detail]
all modes
name tunnel-name |
Name of a previously created IPsec tunnel. |
detail |
Optional. Displays detailed IKE SA statistics for the tunnel. |
Displays the IKE SA statistics associated with the specified tunnel. Identify only the tunnel to show basic cumulative IKE SA statistics for the tunnel.
Use the detail keyword to show detailed IKE SA statistics for the tunnel.
The following example shows the basic cumulative statistics for the tunnel rec_1_2_d.
[local]Redback#show tunnel ipsec name rec_1_2_d statistics ike
Tunnel name: rec_1_2_d
IKE policy : ike_pol1
************ IKE SA's Statistics*******
-------------------------------------------------------------------------
SA Number : 1     Peer Address: 77.0.0.2
Initiator Cookie : 0x7e297db914b66772     Responder Cookie : 0xdaa84093bef72c32
-------------------------------------------------------------------------
IKEv1 SA Stats:
# IN Pkts: 2291
# OUT Pkts: 3
# IN Bytes: 430600
# OUT Bytes: 364
# Phase1 Request Dropped Awaiting Auth Response: 0
# Phase2 Local Attempts: 0
# Phase2 Remote Attempts: 2288
# Phase2 Local Attempts Failed: 0
# Phase2 Remote Attempts Failed: 2288
(Errors)
# Invalid Protocol Id: 0
# Invalid SPI: 0
# Invalid TransformId: 0
# Invalid PayloadType: 0
# Invalid PayloadFmt: 0
# Invalid KeyInfo: 0
# Invalid IdInfo: 0
IKEv2 SA Stats:
# IN Pkts: 0
# OUT Pkts: 0
# IN Bytes: 0
# OUT Bytes: 0
# Local CCSAExchg Attempts: 0
# Remote CCSAExchg Attempts: 0
# Local CCSAExchg Attempts Failed: 0
# Local CCSAExchg Attempts Failed: 0
The following example shows the detailed IKE statistics for the tunnel rec_1_2_d.
[local]Redback#show tunnel ipsec name rec_1_2_d statistics ike detail
Tunnel name: rec_1_2_d
IKE policy : ike_pol1
************ IKE SA's Statistics*******
-------------------------------------------------------------------------
SA Number : 1     Peer Address: 77.0.0.2
Initiator Cookie : 0x7e297db914b66772     Responder Cookie : 0xdaa84093bef72c32
-------------------------------------------------------------------------
IKEv1 SA Stats:
# IN Pkts: 2291
# OUT Pkts: 3
# IN Bytes: 430600
# OUT Bytes: 364
# Phase1 Request Dropped Awaiting Auth Response: 0
# Phase2 Local Attempts: 0
# Phase2 Remote Attempts: 2288
# Phase2 Local Attempts Failed: 0
# Phase2 Remote Attempts Failed: 2288
(Errors)
# Invalid Protocol Id: 0
# Invalid SPI: 0
# Invalid TransformId: 0
# Invalid PayloadType: 0
# Invalid PayloadFmt: 0
# Invalid KeyInfo: 0
# Invalid IdInfo: 0
************ IKEv1 Policy Statistics*******
# IKE Local Attempts: 10
# IKE Remote Attempts: 5
# IKE Local Attempts Failed: 0
# IKE Remote Attempts Failed: 0
# Phase2 SA created as Initiator: 23
# Phase2 SA created as responder: 6
# IKE local Phase2 attempts: 15
# IKE remote Phase2 attempts: 2518
# IKE local Phase2 attempts failed: 0
# IKE remote Phase2 attempts failed: 2504
(Errors)
# Phase2 Proposal mismatch: 0
# Phase2 Traffic Selector mismatch: 2430
# Invalid IKE Cookie: 0
# Invalid Major Version in IKE: 0
# Invalid Minor Version in IKE: 0
# Invalid IKE Exchange Type: 0
# Invalid Flags: 0
# Invalid IKE Message ID: 0
# Invalid Protocol ID: 0
# Invalid SPI: 0
# Invalid Transform ID: 0
# Invalid Payload Type: 0
# Invalid Payload Type format: 0
# Invalid Key Info: 0
# Invalid ID Info: 0
# Invalid Encoding in cert payload: 0
# Invalid Encoding in cert data: 0
# Invalid CA data in CERT_REQ payload: 0
# Invalid hash data in hash payload: 0
# Invalid signature: 0
# Authentication Failed: 0
# Phase1 proposal mismatch: 0
# Bad Proposal syntax: 0
# payload lengths mismatched: 0
# Certificate requested is unavailable: 0
# Lack of support for DOI in SA payload: 0
# Lack of protection for the situation: 0
# Lack of matching attribute: 0
# The Certificate type is not supported: 0
# Mismatch in Exchange Type is detected: 0
************ IKEv2 Policy Statistics*******
# Local IKE Renewal Attempts: 0
# Remote IKE Renewal Attempts: 0
# Local IPSec Create Or Renewal Attempts: 0
# Remote IPSec Create Or Renewal Attempts: 0
# Local IKE Exchg Attempts: 0
# Local IKE Exchg Attempt Failures: 0
# Remote IKE ExchgAttempts: 0
# Remote IKE Exchg Attempt Failures: 0
# Local IKE Renewal Attempt Failures: 0
# Remote IKE Renewal Attempt Failures: 0
# Local IPSec Create Or Renewal Attempt Failures: 0
# Remote IPSec Create Or Renewal Attempt Failures: 0
# Auth Failures: 0
# ID Verify Failures: 0
# EAP Auth Failures: 0
# Cert Verify Failures: 0
# IKE Proposal mismatches: 0
# IPSec Proposal mismatches: 0
# Traffic Selector mismatches: 0
# Certs Unavailable: 0
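The statistics outputs in this section (the global IKE and IPsec counters shown under show card/show ike and show ipsec ... statistics, the per-tunnel show tunnel ipsec name ... statistics output, and the IKE SA statistics above) all print one counter per line in a "label : value" form, which makes them easy to poll and compare against thresholds. The following Python script is an added example and is not part of this Ericsson document or of the SmartEdge OS. It parses a constructed sample modelled on the rec_1_2_d figures above and reports a tunnel whose Phase 2 failure ratio or security-relevant error counters deserve attention. The thresholds, and which counter names are grouped under SECURITY_COUNTERS and MISMATCH_COUNTERS, are assumptions made for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, modelled on the "label : value" lines of the
# show tunnel ipsec name rec_1_2_d statistics ike output on this page.
# It is not a capture from a real device.
SAMPLE_IKE_STATS = """\
Tunnel name: rec_1_2_d
IKE policy : ike_pol1
IKEv1 SA Stats:
# IN Pkts: 2291
# OUT Pkts: 3
# Phase2 Local Attempts: 0
# Phase2 Remote Attempts: 2288
# Phase2 Local Attempts Failed: 0
# Phase2 Remote Attempts Failed: 2288
(Errors)
# Invalid Protocol Id: 0
# Invalid SPI: 0
# Phase2 Traffic Selector mismatch: 2430
# Authentication Failed: 0
"""

# One counter per line: optional leading '#', a label without colons, a colon,
# then an integer. Lines such as "IKEv1 SA Stats:" or "IKE policy : ike_pol1"
# carry no integer value and are skipped.
COUNTER_RE = re.compile(r"^\s*#?\s*(?P<label>[^:]+?)\s*:\s*(?P<value>-?\d+)\s*$")

# Counters from this page that point at an authentication, integrity or replay
# problem rather than a configuration mismatch. Which ones to escalate is an
# assumption made for this example.
SECURITY_COUNTERS = (
    "Authentication Failed",
    "Invalid signature",
    "Cert Verify Failures",
    "ID Verify Failures",
    "IPsec Authentication Errors",
    "IPsec Decryption Errors",
    "Anti-Replay Errors in IPsec",
)

# Counters that usually mean the two ends disagree on policy (ACL selectors or
# proposals); these call for a configuration review rather than an alarm.
MISMATCH_COUNTERS = (
    "Phase2 Traffic Selector mismatch",
    "Phase2 Proposal mismatch",
    "Traffic Selector mismatches",
)

# Attempt/failure counter pairs used for the failure-ratio check.
ATTEMPT_PAIRS = (
    ("Phase2 Remote Attempts", "Phase2 Remote Attempts Failed"),
    ("Phase2 Local Attempts", "Phase2 Local Attempts Failed"),
)


def parse_counters(text: str) -> Dict[str, int]:
    """Return {label: value} for every 'label : integer' line in the output.
    Runs of whitespace inside a label are collapsed so lookups are stable."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            label = " ".join(m.group("label").split())
            counters[label] = int(m.group("value"))
    return counters


def failure_ratio(counters: Dict[str, int], attempts: str, failed: str) -> float:
    """Fraction of attempts that failed; 0.0 when nothing was attempted."""
    total = counters.get(attempts, 0)
    return counters.get(failed, 0) / total if total else 0.0


def find_problems(counters: Dict[str, int], min_attempts: int = 50,
                  max_fail_ratio: float = 0.5) -> List[Tuple[str, int, str]]:
    """Return (label, value, reason) triples that an operator should look at."""
    problems: List[Tuple[str, int, str]] = []
    for attempts, failed in ATTEMPT_PAIRS:
        # Skip pairs with too few attempts: a handful of early failures is noise.
        if counters.get(attempts, 0) >= min_attempts:
            ratio = failure_ratio(counters, attempts, failed)
            if ratio > max_fail_ratio:
                problems.append((failed, counters[failed],
                                 f"{ratio:.0%} of {attempts} failed"))
    for label in SECURITY_COUNTERS:
        if counters.get(label, 0) > 0:
            problems.append((label, counters[label], "non-zero security counter"))
    for label in MISMATCH_COUNTERS:
        if counters.get(label, 0) > 0:
            problems.append((label, counters[label],
                             "policy mismatch; compare ipsec access-list and proposals on both ends"))
    return problems


if __name__ == "__main__":
    for label, value, reason in find_problems(parse_counters(SAMPLE_IKE_STATS)):
        print(f"{label}: {value} ({reason})")
```

On the sample, every remote Phase 2 attempt failed and the traffic-selector mismatch counter is high while the authentication counters are zero, so the script reports a policy disagreement rather than an authentication problem; the same parser works unchanged on the per-tunnel statistics output, where the security counters are named IPsec Decryption Errors, IPsec Authentication Errors and Anti-Replay Errors in IPsec.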
tunnel ipsec name [manual|on-demand] [economical]
no tunnel ipsec name
global configuration
name |
Unique name for the IPsec tunnel; up to 50 characters. Do not use the reserved prefix _*DynTun*_. |
manual |
Optional. The tunnel must be configured with manually configured SAs. |
on-demand |
Optional. Creates the remote tunnel endpoint on demand during connection. |
economical |
Optional. Creates the tunnel in economical mode, which routes data traffic directly to the ASE card for encryption and does not consume a circuit on a traffic card. An economical mode tunnel bypasses the circuit-based services on the traffic cards. The number of tunnels is not limited by the capacity of the traffic card. |
No IPsec tunnels are configured.
Creates (with default attributes) or selects an IPsec tunnel, and enters tunnel configuration mode. Use the economical keyword to create an IPsec tunnel that does not require any traffic card services and whose traffic can be routed directly to the ASE card for encryption. Use the manual keyword to create an IPsec tunnel that uses SAs manually configured with the ipsec security-association command. Otherwise, the IPsec tunnel uses SAs negotiated using IKE. Once an IPsec tunnel is created, you cannot change its mode. Use the no form of the command to remove an existing tunnel.
[local]Redback(config)#tunnel ipsec rec_2_1
[local]Redback(config)#tunnel ipsec rec_3_2 on-demand
validate-certificate-identity
IKEv1 policy configuration
IKEv2 policy configuration
This command has no keywords or arguments.
Checking of the IKE remote ID provided by the peer in the identification payload against the contents of the certificate provided by the peer is not enabled.
This command enables checking of the IKE remote ID provided by the peer in the identification payload against the contents of the certificate provided by the peer. Using the no form of the command disables checking.
[local]Redback(config-ctx)#ike policy ike_pol1
[local]Redback(config-ike-policy)#validate-certificate-identity
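The check that validate-certificate-identity enables is a binding between two things the peer presents: the ID it claims in the IKE identification payload and the certificate it authenticates with. Without it, any holder of a certificate issued by the trusted CA could authenticate while claiming the ID of a different peer. The following Python function is an added example, not SmartEdge code; it models that comparison for the IKE ID types ID_IPV4_ADDR, ID_FQDN and ID_DER_ASN1_DN against a constructed, already-parsed peer certificate (the address 77.0.0.2 is taken from the show tunnel ipsec examples above; the certificate fields and their dictionary layout are assumptions for the example).

```python
import ipaddress
from typing import Any, Dict, Tuple

# Constructed peer certificate in a simplified, already-parsed form: subject DN
# as a string plus subjectAltName entries. Not SmartEdge's internal format.
PEER_CERT: Dict[str, Any] = {
    "subject": "CN=gw2.example.net, O=Example",
    "san_dns": ["gw2.example.net"],
    "san_ip": ["77.0.0.2"],
}


def _normalise_dn(dn: str) -> Tuple[Tuple[str, str], ...]:
    """'CN=gw2, O=Example' -> (('cn', 'gw2'), ('o', 'example')).
    Attribute order is kept; case and surrounding whitespace are ignored."""
    rdns = []
    for rdn in dn.split(","):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN in DN: {rdn!r}")
        attr, value = rdn.split("=", 1)
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return tuple(rdns)


def validate_certificate_identity(id_type: str, id_value: str,
                                  cert: Dict[str, Any]) -> bool:
    """True only if the IKE ID the peer claims is carried by the certificate it
    presented. A certificate that chains to the trusted CA but names another
    host must not authenticate the peer as id_value."""
    if id_type == "ID_IPV4_ADDR":
        try:
            claimed = ipaddress.ip_address(id_value)
        except ValueError:
            return False  # an unparsable address can never match
        return any(ipaddress.ip_address(a) == claimed for a in cert.get("san_ip", []))
    if id_type == "ID_FQDN":
        # DNS names are case-insensitive; a trailing dot is an absolute-name marker.
        names = {n.lower().rstrip(".") for n in cert.get("san_dns", [])}
        return id_value.lower().rstrip(".") in names
    if id_type == "ID_DER_ASN1_DN":
        try:
            return _normalise_dn(id_value) == _normalise_dn(str(cert["subject"]))
        except ValueError:
            return False
    # Unknown or unsupported ID types are rejected, never silently accepted.
    return False
```

The comparison is deliberately exact: a subject DN that differs only in attribute order, or a SAN that merely shares a domain suffix with the claimed FQDN, does not match.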
ACL |
Access Control List |
AH |
Authentication Header |
ASE |
Advanced Services Engine |
ASP |
Advanced Services Processor |
BGP |
Border Gateway Protocol |
CA |
Certificate Authority |
DF |
Don't Fragment |
DNS |
Domain Name System |
DoS |
Denial of Service |
DPD |
Dead Peer Detection |
ESP |
Encapsulating Security Payload |
FTP |
File Transfer Protocol |
GRE |
Generic Routing Encapsulation |
ICMP |
Internet Control Message Protocol |
IGMP |
Internet Group Management Protocol |
IGP |
Interior Gateway Protocol |
IKEv1 |
Internet Key Exchange version 1 |
IKEv2 |
Internet Key Exchange version 2 |
IPComp |
IP Compression |
IPsec |
Internet Protocol Security |
IS-IS |
Intermediate System-to-Intermediate System |
MTU |
Maximum Transmission Unit |
NIC |
Network Interface Card |
NNTP |
Network News Transfer Protocol |
NTP |
Network Time Protocol |
OSPF |
Open Shortest Path First |
PCP |
Payload Compression Protocol |
PFS |
Perfect Forward Secrecy |
PIM |
Protocol Independent Multicast |
PKI |
Public Key Infrastructure |
POP2 |
Post Office Protocol Version 2 |
POP3 |
Post Office Protocol Version 3 |
QoS |
Quality of Service |
RIP |
Routing Information Protocol |
SA |
Security Association |
SA |
Service Association |
SMTP |
Simple Mail Transfer Protocol |
SNMP |
Simple Network Management Protocol |
SPI |
Security Parameter Index |
TACACS |
Terminal Access Controller Access Control System |
TCP |
Transmission Control Protocol |
TFTP |
Trivial File Transfer Protocol |
UDP |
User Datagram Protocol |
VPN |
Virtual Private Network |
[1] IPsec VPN Overview, 2/221 02-CRA 119 1170/1. |
[2] IPsec VPN Configuration and Operation Using the SmartEdge OS CLI, 1/1543-CRA 119 1170/1. |
[3] Command List, 1/19077-CRA 119 1170/1. |