MANUAL PAGE 2/190 80-CRA 119 1170/1-V1 Uen B
Copyright
© Ericsson AB 2009–2010. All rights reserved. No part of this document may be reproduced in any form without the written permission of the copyright owner.
Disclaimer
The contents of this document are subject to revision without notice due to continued progress in methodology, design and manufacturing. Ericsson shall have no liability for any error or damage of any kind resulting from the use of this document.
Trademark List
SmartEdge | is a registered trademark of Telefonaktiebolaget LM Ericsson.
NetOp | is a trademark of Telefonaktiebolaget LM Ericsson.
This document provides command syntax and usage guidelines for commands used in the configuration and operation of the Internet Protocol Security (IPsec) Virtual Private Network (VPN) application. For an overview of IPsec VPN, see Reference [1]. For configuration tasks, see Reference [2].
ah [hmac-md5-96 | hmac-sha1-96 | hmac-aes-xcbc]
no ah
IPsec proposal configuration
hmac-md5-96 | hmac-md5-96 algorithm
hmac-sha1-96 | hmac-sha1-96 algorithm
hmac-aes-xcbc | hmac-aes-xcbc algorithm
hmac-sha1-96
This command configures the Authentication Header (AH) authentication algorithm for an IPsec proposal. Using the no form of the command removes the AH configuration.
[local]Redback(config-ipsec-proposal)#ah hmac-aes-xcbc
ah [hmac-md5-96 | hmac-sha1-96 | hmac-aes-xcbc] key {hex hex-number |ASCII-value}
no ah [hmac-md5-96 | hmac-sha1-96 | hmac-aes-xcbc] key {hex-argument |ASCII-value}
IPsec Security Association (SA) Security Parameter Index (SPI) configuration (manual key mode)
hex hex-number | Hexadecimal number. The length of the value is specified in Table 1.
ASCII-value | ASCII value. The length of the value is specified in Table 1.
aes-128-cbc
Specifies the AH authentication algorithm and the manual key for authenticating inbound, outbound, or bidirectional traffic SAs.
Table 1 lists the valid key length values for each of the supported AH authentication algorithms.
Keyword | ASCII Text Key Length | Hexadecimal Number Key Length
---|---|---
hmac-md5-96 | 16 | 32
hmac-sha1-96 | 20 | 40
hmac-aes-xcbc | 16 | 32
[local]Redback(config-ipsec-sa-spi)#ah hmac-md5-96 key hex 0fa20fa20fa20fa2
ah spi spi-value
no ah spi spi-value
IPsec SA SPI configuration
spi-value | 256 to 0x1ffff for in and both; 1 to 0xffffffff for out
No SPI value is configured.
Specifies the AH SPI value for the inbound traffic, outbound traffic, or bidirectional traffic SAs. Using the no form of the command removes the SPI value.
[local]Redback(config-ipsec-sa-spi)#ah spi 48354
anti-replay-window window_size
no anti-replay-window
IPsec policy configuration
IPsec SA configuration
window_size | 0, or 32 to 1024 in multiples of 32.
64
Configures the anti-replay window size. The anti-replay window protects the SA against replayed packets and the Denial of Service (DoS) condition that a replay attack can cause. A size of 0 disables the anti-replay window. Using the no form of the command resets the configuration to the default.
[local]Redback(config-ipsec-policy)#anti-replay-window 128
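As an added illustration (not from the manual and not SmartEdge code), the following Python model of a sliding anti-replay window shows what the window size buys: a packet whose sequence number is already marked or is older than the window is dropped, and size 0 disables the check entirely. The size constraint mirrors this command's argument; the bitmap algorithm is the standard RFC 4303 scheme, and the sequence-number trace is constructed.

```python
# Added example: sliding-window anti-replay check modelled on RFC 4303 Appendix A.
# The window-size constraint is the one given for the anti-replay-window command;
# this is an illustrative model, not the SmartEdge implementation.
from typing import List, Tuple


def valid_window_size(n: int) -> bool:
    """0 disables the window; otherwise 32..1024 in multiples of 32."""
    return n == 0 or (32 <= n <= 1024 and n % 32 == 0)


class AntiReplayWindow:
    """Tracks received ESP/AH sequence numbers for one inbound SA."""

    def __init__(self, window_size: int) -> None:
        if not valid_window_size(window_size):
            raise ValueError("window_size must be 0 or 32..1024 in multiples of 32")
        self.size = window_size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => sequence number (top - i) already received

    def check_and_update(self, seq: int) -> bool:
        """Return True if seq is accepted (and record it), False if it must be dropped."""
        if seq == 0:
            return False                       # sequence number 0 is never valid
        if self.size == 0:
            return True                        # window disabled: replays go undetected
        if seq > self.top:
            shift = seq - self.top             # slide the window forward
            if shift >= self.size:
                self.bitmap = 1                # everything old falls off the window
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                       # older than the window: drop
        if self.bitmap & (1 << offset):
            return False                       # already seen: replay, drop
        self.bitmap |= 1 << offset             # late but new: accept and mark
        return True


def replay_report(window_size: int, seqs: List[int]) -> List[Tuple[int, bool]]:
    """Run a constructed sequence-number trace through one window; return (seq, accepted) pairs."""
    win = AntiReplayWindow(window_size)
    return [(s, win.check_and_update(s)) for s in seqs]


if __name__ == "__main__":
    # Constructed trace: normal packets, a jump, a replay, a too-old packet, a late packet.
    trace = [1, 2, 100, 100, 36, 37, 37]
    for seq, ok in replay_report(64, trace):
        print(f"seq={seq:>4}  {'accept' if ok else 'DROP'}")
```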
authentication algorithm {hmac-md5-96 | hmac-sha1-96}
no authentication algorithm
IKE proposal configuration
hmac-md5-96 | hmac-md5-96 algorithm
hmac-sha1-96 | hmac-sha1-96 algorithm
hmac-sha1-96
Specifies the authentication algorithm of an Internet Key Exchange (IKE) proposal. Using the no form of the command resets the configuration to the default.
[local]Redback(config-ike-proposal)#authentication algorithm hmac-md5-96
bind interface if-name context-name
no bind interface if-name [context-name]
tunnel configuration
if-name | Name of a previously created interface.
context-name | Name of the context under which the specified interface is bound.
No IPsec tunnel endpoints are bound.
Statically binds the IPsec tunnel to a previously created interface. For on-demand IPsec tunnels, bind the on-demand tunnel to the IPsec multibind interface configured for this on-demand IPsec tunnel.
Use the no form of this command to remove the binding. You must remove any existing binding before you can create a new binding for the IPsec tunnel.
The following example shows how to create or modify the rec_2_1 tunnel and bind it to the ipsec-if1 interface in the Security service enabled ipsec-context context:
[local]Redback(config)#tunnel ipsec rec_2_1
[local]Redback(config-tunnel)#bind interface ipsec-if1 ipsec-context
The following example shows how to bind the profile1-se on-demand tunnel to the ipsec-mb-se IPsec multibind interface in the local context:
[local]Redback(config)#tunnel ipsec profile1-se on-demand
[local]Redback(config-tunnel)#bind interface ipsec-mb-se local
both
no both
IPsec SA configuration
This command has no keywords or arguments.
No SA values for traffic are configured.
Enters IPsec SA SPI configuration mode for configuring the same SA values for both inbound and outbound traffic. Using the no form of the command removes the bidirectional traffic configuration.
This command cannot be used with either the in or out command. If the both command is configured, inbound and outbound SA traffic attributes cannot be configured separately. To configure different SA traffic attributes for inbound and outbound traffic, see the in and out commands, respectively.
[local]Redback(config-ipsec-sa)#both
clear ike sa tunnel tunnel-name
exec
tunnel-name | Name of a previously created IPsec tunnel.
Clears the SAs associated with the specified IKE tunnel name. Commands that clear SAs delete and renegotiate the SAs (with the new IKE configuration). Does not apply to on-demand IPsec tunnels.
[local]Redback#clear ike sa tunnel rec_2_1
clear ipsec sa tunnel tunnel-name
exec
tunnel-name | Name of a previously created IPsec tunnel.
Clears the IPsec SAs associated with the given tunnel name. Commands that clear SAs delete and renegotiate the SAs (with the new IPsec configuration). For on-demand IPsec tunnels, the tunnel-name argument is dynamically assigned by the system.
[local]Redback#clear ipsec sa tunnel rec_2_1
connection-type {initiator-only | responder-only | both}
no connection-type
IKE policy configuration
initiator-only |
responder-only |
both |
both
Specifies the IKE connection type of an IKE policy, which assigns the role for the local IKE peer when establishing connections to set up an IPsec tunnel. For on-demand IPsec tunnels, you cannot change the connection-type to initiator-only when using aggressive mode. Using the no form of the command resets it to the default.
The following example shows how to assign the role of initiator-only to any local peer that has this IKE policy assigned to it:
[local]Redback(config-ike-policy)#connection-type initiator-only
debug ike asp slot-id/asp-id message-type {trace | log} {console | external} [level level]
exec
slot-id | Chassis slot number where the Advanced Services Engine (ASE) card is installed. The range of values depends on the chassis:
asp-id | The ID of the Advanced Services Processor (ASP) on the ASE card. Possible values are 1 and 2.
message-type | Type of debug message to forward:
trace | Enables generation of trace messages.
log | Enables generation of log messages.
console | Sends debug information to the console.
external | Sends debug information to an external system.
level level | Optional. Specifies the debug logging level, where level is one of the following (in descending severity order):
Enables the generation of debug messages for the IKE configuration of a specific ASP on a specific ASE card.
Caution! Risk of performance loss. Enabling the generation of debug messages can severely affect system performance. To reduce the risk, exercise caution when enabling the generation of debug messages on a production system.
The following example shows how to enable the generation of IKE debug messages for the IKE configuration on the ASP:
[local]Redback#debug ike asp 2/1 ikev1 log console level warning
debug ike config
exec
This command has no keywords or arguments.
Enables the generation of debug messages for the IKE configuration.
Caution! Risk of performance loss. Enabling the generation of debug messages can severely affect system performance. To reduce the risk, exercise caution when enabling the generation of debug messages on a production system.
[local]Redback#debug ike config
debug ipsec asp slot-id/asp-id message-type {trace | log} {buffer | console} [level level]
exec
slot-id | Chassis slot number where the ASE card is installed. The range of values depends on the chassis:
asp-id | ID of the ASP on the ASE card. Possible values are 1 and 2.
message-type | Type of debug message to forward:
trace | Enables generation of trace messages.
log | Enables generation of log messages.
buffer | Sends debug information to the circular buffer on the controller card.
console | Sends debug information to the console.
level level | Optional. Specifies the debug logging level, where level is one of the following (in descending severity order):
Enables the generation of debug messages for the IPsec configuration of a specific ASP on a specific ASE card.
Caution! Risk of performance loss. Enabling the generation of debug messages can severely affect system performance. To reduce the risk, exercise caution when enabling the generation of debug messages on a production system.
The following example shows how to enable the generation of packet debug messages for the IPsec configuration on the ASP:
[local]Redback#debug ipsec asp 1/1 packet log console level warning
debug ipsec config
exec
This command has no keywords or arguments.
Enables the generation of debug messages for the IPsec configuration.
Caution! Risk of performance loss. Enabling the generation of debug messages can severely affect system performance. To reduce the risk, exercise caution when enabling the generation of debug messages on a production system.
[local]Redback#debug ipsec config
description string
no description
IKE policy configuration
IKE proposal configuration
IPsec Access Control List (ACL) configuration
IPsec policy configuration
IPsec proposal configuration
IPsec security association configuration
string | Descriptive text; up to 255 characters.
No description is configured.
Specifies the description of the IKE policy, IKE proposal, IPsec ACL, IPsec policy, IPsec proposal, or IPsec SA.
[local]Redback(config-ipsec-proposal)#description IPsec-Proposal-1
df-bit {propagate | set | clear}
no df-bit
tunnel configuration
IPsec profile configuration
propagate | Propagate the DF bit from the inner IP header to the outer IP header.
set | Set the DF bit in the outer IP header.
clear | Clear the DF bit in the outer IP header.
propagate
Specifies how to set the Don't Fragment (DF) bit in the outer IP header. The default value, propagate, copies the DF bit setting of the inner IP header to the outer IP header. Using the no form of the command resets the configuration to the default.
[local]Redback(config-tunnel)#df-bit clear
dh-group dh-group
no dh-group
IKE proposal configuration
dh-group | The Diffie-Hellman group to use: 1, 2, or 5.
1
Specifies the Diffie-Hellman group for IKE key exchanges in an IKE proposal. Using the no form of the command resets the configuration to the default.
[local]Redback(config-ike-proposal)#dh-group 2
encryption algorithm {aes-128-cbc | aes-192-cbc | aes-256-cbc | des-cbc | 3des-cbc}
no encryption algorithm
IKE proposal configuration
aes-128-cbc | aes-128-cbc algorithm
aes-192-cbc | aes-192-cbc algorithm
aes-256-cbc | aes-256-cbc algorithm
des-cbc | des-cbc algorithm
3des-cbc | 3des-cbc algorithm
aes-128-cbc
Specifies the encryption algorithm for an IKE proposal. Using the no form of the command resets the configuration to the default.
[local]Redback(config-ike-proposal)#encryption algorithm aes-192-cbc
esp authentication {hmac-md5-96 | hmac-sha1-96 | hmac-aes-xcbc}
no esp authentication
IPsec proposal configuration
hmac-md5-96 | hmac-md5-96 algorithm
hmac-sha1-96 | hmac-sha1-96 algorithm
hmac-aes-xcbc | hmac-aes-xcbc algorithm
hmac-sha1-96
Specifies the ESP authentication algorithm of an IPsec proposal.
If ESP authentication is configured without ESP encryption, the ESP encryption is set to null.
When neither ESP nor AH authentication is configured, using the no form of the command sets the ESP authentication (and ESP encryption) to the default. If either ESP or AH authentication is configured, using the no form of the command removes the ESP authentication configuration.
[local]Redback(config-ipsec-proposal)#esp authentication hmac-aes-xcbc
esp authentication [hmac-md5-96 | hmac-sha1-96 | hmac-aes-xcbc] key {hex hex-number | ASCII-value}
no esp authentication [hmac-md5-96 | hmac-sha1-96 | hmac-aes-xcbc] key {hex hex-number | ASCII-value}
IPsec SA SPI configuration
hmac-md5-96 | hmac-md5-96 algorithm
hmac-sha1-96 | hmac-sha1-96 algorithm
hmac-aes-xcbc | hmac-aes-xcbc algorithm
hex hex-number | Hexadecimal number. The length of the value is specified in Table 2.
ASCII-value | ASCII value. The length of the value is specified in Table 2.
hmac-sha1-96
Specifies the ESP authentication algorithm and the manual key for authenticating inbound, outbound, or bidirectional traffic SAs. The no form of the command removes the ESP authentication algorithm from the configuration.
If ESP encryption is configured without ESP authentication, only encryption is done. If ESP authentication is configured without ESP encryption, the encryption is set to null.
Table 2 lists the valid key lengths for each of the supported authentication algorithms.
Keyword | ASCII Text Key Length | Hexadecimal Number Key Length
---|---|---
hmac-md5-96 | 16 | 32
hmac-sha1-96 | 20 | 40
hmac-aes-xcbc | 16 | 32
[local]Redback(config-ipsec-sa-spi)#esp authentication hmac-aes-xcbc key 1234123412341234
esp encryption {aes-128-cbc | aes-192-cbc | aes-256-cbc | aes-128-ctr | aes-192-ctr | aes-256-ctr | des-cbc | 3des-cbc | null}
no esp encryption
IPsec proposal configuration
aes-128-cbc | aes-128-cbc algorithm
aes-192-cbc | aes-192-cbc algorithm
aes-256-cbc | aes-256-cbc algorithm
aes-128-ctr | aes-128-ctr algorithm
aes-192-ctr | aes-192-ctr algorithm
aes-256-ctr | aes-256-ctr algorithm
des-cbc | des-cbc algorithm
3des-cbc | 3des-cbc algorithm
null | null encryption algorithm
aes-128-cbc
Specifies the ESP encryption algorithm of an IPsec proposal.
When neither ESP nor AH authentication is specified, the default is the ESP encryption aes-128-cbc with ESP authentication hmac-sha1-96. If ESP authentication is configured without ESP encryption, the ESP encryption is set to null.
If AH authentication is configured, using the no form of the command removes the encryption. If neither ESP authentication nor AH is specified, using the no form of the command resets the configuration to the default.
[local]Redback(config-ipsec-proposal)#esp encryption aes-256-cbc
esp encryption [aes-128-cbc | aes-192-cbc | aes-256-cbc | aes-128-ctr | aes-192-ctr | aes-256-ctr | des-cbc | 3des-cbc] key {hex hex-number | ASCII-value}
no esp encryption [aes-128-cbc | aes-192-cbc | aes-256-cbc | aes-128-ctr | aes-192-ctr | aes-256-ctr | des-cbc | 3des-cbc] key {hex hex-number | ASCII-value}
IPsec SA SPI configuration (manual key mode)
aes-128-cbc | aes-128-cbc algorithm
aes-192-cbc | aes-192-cbc algorithm
aes-256-cbc | aes-256-cbc algorithm
aes-128-ctr | aes-128-ctr algorithm
aes-192-ctr | aes-192-ctr algorithm
aes-256-ctr | aes-256-ctr algorithm
des-cbc | des-cbc algorithm
3des-cbc | 3des-cbc algorithm
hex hex-number | Hexadecimal number. The length of the value is specified in Table 3.
ASCII-value | ASCII value. The length of the value is specified in Table 3.
aes-128-cbc
Specifies the ESP encryption algorithm and the manual key for encrypting inbound, outbound, or bidirectional traffic SAs. If no encryption algorithm is specified, the default algorithm (aes-128-cbc) is used.
If ESP encryption is configured without ESP authentication, only encryption is done. If ESP authentication is configured without ESP encryption, the encryption is set to null.
Table 3 lists the valid key length values for each of the supported ESP encryption algorithms.
Keyword | ASCII Text Key Length | Hexadecimal Number Key Length
---|---|---
des-cbc | 8 | 16
3des-cbc | 24 | 48
aes-128-cbc (default) | 16 | 32
aes-192-cbc | 24 | 48
aes-256-cbc | 32 | 64
aes-128-ctr | 16 | 32
aes-192-ctr | 24 | 48
aes-256-ctr | 32 | 64
[local]Redback(config-ipsec-sa-spi)#esp encryption des-cbc key 12345678
esp spi spi-value
no esp spi spi-value
IPsec SA SPI configuration
spi-value | 256 to 0x1ffff for in and both; 1 to 0xffffffff for out
No SPI value is configured.
Specifies the ESP SPI value for the inbound traffic, outbound traffic, or bidirectional traffic SAs.
[local]Redback(config-ipsec-sa-spi)#esp spi 65535
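As an added example (not SmartEdge code), the following Python checker validates a manually keyed SA-SPI block offline against the rules given in this section: the SPI ranges of the ah spi and esp spi commands and the key lengths of Tables 1, 2 and 3. It is meant for reviewing a manual-key configuration before it is pasted into a device; the sample values at the bottom are the manual's own.

```python
# Added example: offline checker for manual-key SA settings on this manual page.
# SPI ranges and key lengths are transcribed from the ah spi / esp spi commands
# and Tables 1-3 above; the checker itself is illustrative, not SmartEdge code.
from typing import Dict, List, Optional, Tuple

# Key lengths in characters: (ASCII text length, hexadecimal digit count).
AUTH_KEY_LENGTHS: Dict[str, Tuple[int, int]] = {     # Tables 1 and 2
    "hmac-md5-96": (16, 32),
    "hmac-sha1-96": (20, 40),
    "hmac-aes-xcbc": (16, 32),
}
ENC_KEY_LENGTHS: Dict[str, Tuple[int, int]] = {      # Table 3
    "des-cbc": (8, 16),
    "3des-cbc": (24, 48),
    "aes-128-cbc": (16, 32),
    "aes-192-cbc": (24, 48),
    "aes-256-cbc": (32, 64),
    "aes-128-ctr": (16, 32),
    "aes-192-ctr": (24, 48),
    "aes-256-ctr": (32, 64),
}
SPI_RANGES: Dict[str, Tuple[int, int]] = {           # ah spi / esp spi
    "in": (256, 0x1FFFF),
    "both": (256, 0x1FFFF),
    "out": (1, 0xFFFFFFFF),
}

KeySpec = Tuple[str, str, bool]   # (algorithm, key text, key given as hex?)


def check_spi(direction: str, spi: int) -> Optional[str]:
    """Return None if spi is valid for the in/out/both SA direction, else an error string."""
    if direction not in SPI_RANGES:
        return f"unknown SA direction {direction!r}"
    lo, hi = SPI_RANGES[direction]
    if not lo <= spi <= hi:
        return f"spi {spi:#x} outside {lo:#x}-{hi:#x} for '{direction}'"
    return None


def check_key(algorithm: str, key: str, is_hex: bool) -> Optional[str]:
    """Return None if the manual key has the length Tables 1-3 require, else an error string."""
    table = AUTH_KEY_LENGTHS if algorithm in AUTH_KEY_LENGTHS else ENC_KEY_LENGTHS
    if algorithm not in table:
        return f"unknown algorithm {algorithm!r}"
    ascii_len, hex_len = table[algorithm]
    if is_hex:
        if any(c not in "0123456789abcdefABCDEF" for c in key):
            return "hex key contains non-hexadecimal characters"
        if len(key) != hex_len:
            return f"{algorithm} hex key must be {hex_len} digits, got {len(key)}"
    elif len(key) != ascii_len:
        return f"{algorithm} ASCII key must be {ascii_len} characters, got {len(key)}"
    return None


def check_manual_sa(direction: str, spi: int, auth: Optional[KeySpec] = None,
                    enc: Optional[KeySpec] = None) -> List[str]:
    """Validate one SA-SPI block (in / out / both); returns the problems found, empty if none."""
    problems: List[str] = []
    err = check_spi(direction, spi)
    if err:
        problems.append(err)
    for label, spec in (("auth", auth), ("enc", enc)):
        if spec is not None:
            err = check_key(*spec)
            if err:
                problems.append(f"{label}: {err}")
    return problems


if __name__ == "__main__":
    # The manual's own sample values run through the checker.
    print(check_manual_sa("in", 48354,
                          auth=("hmac-aes-xcbc", "1234123412341234", False),
                          enc=("des-cbc", "12345678", False)))
    print(check_manual_sa("in", 48354, auth=("hmac-md5-96", "0fa20fa20fa20fa2", True)))
```

The first call reports no problems; the second flags the ah hmac-md5-96 hex sample above, which has 16 hex digits where Table 1 requires 32.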
identity local {value | fqdn fqdn-string}
no identity local
IKE policy configuration
value | IP address
fqdn fqdn-string | Fully qualified domain name
No local identity is configured.
Specifies the identity of the local IPsec tunnel endpoint in an IKE policy to use when negotiating IKE requests with a remote peer. Use the IP address or FQDN of the loopback interface defined to provide the identity of the gateway for IPsec tunnels configured on this SmartEdge router as the value. When IKE sessions are negotiated, the local identity configured in the IKE policy on one peer must match the remote ID configured in the IPsec tunnel endpoint on the other peer. Only one local identity is allowed for each policy. The same local identity can appear in multiple policies. Using the no form of the command will remove the configuration.
[local]Redback(config-ike-policy)#identity local 30.0.1.3
[local]Redback(config-ike-policy)#identity local fqdn peer1.redback.com
ike keepalive
no ike keepalive
context configuration
This command has no keywords or arguments.
Disabled.
Enables the sending of Dead Peer Detection (DPD) messages to IKE peers. When enabled, a DPD message is sent to the remote peer when there is traffic to be sent to the remote peer, but there has been no traffic received from the remote peer for 10 seconds. If a response is received, no further messages are sent unless the previous condition is met. If no response is received from the remote peer, the keepalive is retried three times at an interval of 10 seconds. If there is no response from the remote peer, the tunnel is brought down. Using the no form of the command disables the sending of DPD messages (the default setting).
The following example shows how to enable the sending of DPD messages to IKE peers:
[local]Redback(config-ctx)#ike keepalive
ike policy ike-policy-name
no ike policy ike-policy-name
context configuration
tunnel configuration
ike-policy-name | In context configuration mode, name of the IKE policy, which must be unique; up to 39 characters. In tunnel configuration mode, name of a previously created IKE policy.
No IKE policy is configured in a context by default. No IKE policy is specified for an IPsec tunnel by default.
In context configuration mode, creates (with default attributes), or selects an IKE policy and enters IKE policy configuration mode. Using the no form of the command removes the IKE policy.
In tunnel configuration mode, specifies the IKE policy used by the IPsec tunnel. Using the no form of the command removes the IKE policy from the IPsec tunnel.
The following example shows how to configure the IKE_Pol1 IKE policy in the local context:
[local]Redback(config-ctx)#ike policy IKE_Pol1
The following example shows how to associate the IKE_Pol1 IKE policy to the rec_2_1 tunnel in the local context.
[local]Redback(config)#tunnel ipsec rec_2_1
[local]Redback(config-tunnel)#ike-policy IKE_Pol1
ike proposal ike-proposal-name
no ike proposal ike-proposal-name
global configuration
ike-proposal-name | Name of an IKE proposal, which must be unique; up to 39 characters.
No IKE proposal is configured.
Creates (with default attributes) or selects an IKE proposal and enters IKE proposal configuration mode. Using the no form of the command removes the IKE proposal.
[local]Redback(context)#ike proposal IKE_Prop1
in
no in
IPsec SA configuration
This command has no keywords or arguments.
None.
Enters IPsec SA SPI configuration mode for configuring the SA attributes for inbound traffic. Using the no form of the command removes the inbound traffic configuration.
This command cannot be used with the both command. If the both command is configured, neither inbound nor outbound SA traffic attributes can be configured separately. To configure the same SA attributes for inbound and outbound traffic, see the both command.
[local]Redback(config-ipsec-sa)#in
interface if-name [bridge | {intercontext if-type grp-num} | ipsec [multibind] | loopback | multibind [lastresort] | p2p]
no interface if-name [bridge | {intercontext if-type grp-num} | ipsec [multibind] | loopback | multibind [lastresort] | p2p]
Creates a new interface, or selects an existing one for modification, and enters interface configuration mode.
context configuration
if-name | Name of the interface; an alphanumeric string with up to 127 characters.
bridge | Optional. Specifies that the interface is a bridged interface.
intercontext | Optional. Specifies that the interface is to link two or more contexts. Use an intercontext interface only for:
| If you provide an IP address to an intercontext interface, the netmask 255.255.255.255 is not allowed.
if-type | Optional. Type of intercontext interface, according to the following keywords:
grp-num | Optional. Intercontext group number; the range of values is 1 to 1,023.
ipsec | Optional. Specifies that the interface is an IPsec interface.
loopback | Optional. Specifies that the interface is a loopback interface.
multibind | Optional. Enables the interface to have multiple circuits bound to it.
lastresort | Optional. Specifies that this multibind interface, called a last-resort interface, is used for any subscriber circuit that attempts to come up and cannot bind to any other interface.
p2p | Optional. When binding to a LAN circuit, indicates to routing protocols, such as IS-IS or Open Shortest Path First (OSPF), that the circuit should be treated as a point-to-point interface from an Interior Gateway Protocol (IGP) perspective.
None
Use the interface command to create a new interface, or select an existing one for modification, and enter interface configuration mode. Optionally, you can specify the interface as an intercontext interface or a loopback interface, or enable the interface to have multiple circuits bound to it.
You must bind a port or circuit to an interface (other than a bridged or loopback interface) for data to flow across the interface.
For an IPsec multibind interface, the interface is always unnumbered. Most of the operations listed for the interface command are not supported when you configure interface ipsec multibind. If a routing protocol is enabled over an IPsec multibind interface, then all tunnels bound to a multibind interface will run the same routing protocol. Static routes cannot be configured to use the IPsec multibind interface.
When there are only two routers over the LAN media, you can configure the interface as a point-to-point interface from a routing protocol perspective by using the p2p keyword. For more detailed information, see the Internet Draft, draft-ietf-isis-igp-p2p-over-lan-03.txt.
Use the bind interface command (in link configuration mode) to bind a port or circuit to a previously created interface in the specified context. Both the interface and the specified context must exist before you enter the bind interface command. If either is missing, an error message displays. For more information about this command, see the Command List.
Use the bridge command (in interface configuration mode) to associate the bridge with the interface or subscriber. For more information on this command, see the Command List.
Use the no form of this command to delete the interface.
Caution! Risk of data loss. Deleting an interface removes all bindings to the interface. To reduce the risk, do not delete an interface unless you are certain it is no longer needed.
The following example configures an interface, enet1:
[local]Redback(config-ctx)#interface enet1
[local]Redback(config-if)#ip address 10.1.1.1 255.255.255.0
The following example configures a loopback interface, local-loopback, for the local context:
[local]Redback(config-ctx)#interface local-loopback loopback
[local]Redback(config-if)#ip address 10.1.1.1/32
The following example configures three intercontext interfaces in three different contexts all with group 10:
[local]Redback(config-config)#context isp1
[local]Redback(config-ctx)#interface isp1-lan intercontext lan 10
[local]Redback(config-if)#ip address 10.1.1.1/24
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#exit
!Configure the second interface
[local]Redback(config-config)#context isp2
[local]Redback(config-ctx)#interface isp2-lan intercontext lan 10
[local]Redback(config-if)#ip address 10.1.1.2/24
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#exit
!Configure the third interface
[local]Redback(config-config)#context isp3
[local]Redback(config-ctx)#interface isp3-lan intercontext lan 10
[local]Redback(config-if)#ip address 10.1.1.3/24
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#exit
The following example deletes the atm3 interface:
[local]Redback(config-ctx)#no interface atm3
The following example configures a last-resort interface and borrows an IP address for it from the enet1 interface:
[local]Redback(config-ctx)#interface last multibind lastresort
[local]Redback(config-if)#ip unnumbered enet1
The following example configures a bridged interface and binds it to an existing bridge group, isp1:
[local]Redback(config-config)#context bridge
[local]Redback(config-ctx)#interface if-isp1 bridge
[local]Redback(config-if)#bridge name isp1
The following example configures an IPsec multibind interface:
[local]ipsec-se1(config)#context ctx-1
[local]ipsec-se1(config-ctx)#interface ipsec_mb_se_1 ipsec multibind
ip-comp
no ip-comp
IPsec proposal configuration
IPsec security association configuration
This command has no keywords or arguments.
Disabled
Enables IP compression using the IP Compression (IPComp) protocol. Using the no form of the command disables IP compression.
[local]Redback(config-ipsec-proposal)#ip-comp
ipsec access-list ipsec-acl-name
no ipsec access-list ipsec-acl-name
context configuration
ipsec-acl-name | Name of an IPsec access list, which must be unique; up to 39 characters.
No IPsec access list is configured.
Creates (with default attributes) or selects an IPsec access list and enters IPsec ACL configuration mode. Using the no form of the command will remove an existing configuration.
[local]Redback(config-ctx)#ipsec access-list ipsec_ACL1
ipsec policy ipsec-policy-name
no ipsec policy ipsec-policy-name
global configuration
ipsec-policy-name | Name of an IPsec policy, which must be unique; up to 39 characters.
No IPsec policy is configured.
Creates (with default attributes) or selects an IPsec policy and enters IPsec policy configuration mode. Using the no form of the command will remove an existing configuration.
[local]Redback(context)#ipsec policy ipsec_Pol1
ipsec profile profile-name
no ipsec profile profile-name
context configuration
profile-name | Name of the IPsec profile. Must match the name of the on-demand IPsec tunnel created with the tunnel ipsec name on-demand command in global configuration mode.
None.
Creates an IPsec profile, which specifies how traffic in the on-demand IPsec tunnel should be handled. The IPsec profile must be created in the same context as the multibind interface to which the on-demand IPsec tunnel is bound.
[local]Redback(config)#context ctx-1
[local]Redback(config-ctx)#ipsec profile profile_se_1
[local]Redback(cfg-ipsec-profile)#
ipsec proposal ipsec-proposal-name
no ipsec proposal ipsec-proposal-name
global configuration
ipsec-proposal-name | Name of the IPsec proposal, which must be unique; up to 39 characters.
No IPsec proposal configuration.
Creates (with default attributes) or selects an IPsec proposal and enters IPsec proposal configuration mode. Using the no form of the command will remove an existing configuration.
[local]Redback(context)#ipsec proposal ipsec_Prop1
ipsec security-association sa-name
no ipsec security-association sa-name
global configuration
sa-name | Name of an IPsec security association, which must be unique; up to 39 characters.
No IPsec security association configuration.
Creates or selects an IPsec security association and enters IPsec security association configuration mode. Using the no form of the command will remove an existing configuration.
[local]Redback(context)#ipsec security-association ipsec_sa_1
lifetime seconds seconds
no lifetime seconds
IKE proposal configuration
IPsec proposal configuration
seconds | 300 to 99999999
86400 (one day)
Specifies the lifetime in seconds for the SAs of an IKE proposal (IKE SAs) or an IPsec proposal (IPsec SAs). Specify 0 seconds for no time-out; any number of seconds from 1 to 299 is rejected. Using the no form of the command resets the configuration to the default.
[local]Redback(config-ike-proposal)#lifetime seconds 43200
lifetime kbytes kbytes
no lifetime
IPsec proposal configuration
kbytes | 128 to 2147483647
0 kbytes
Specifies the lifetime for IPsec SAs in kbytes for an IPsec proposal. Specify 0 kbytes for no time-out. The lifetime is expected to be tied to the strength of the encryption and authentication algorithms configured. Using the no form of the command resets the configuration to the default.
[local]Redback(config-ipsec-proposal)#lifetime kbytes 256
max-tunnels value
no max-tunnels
tunnel configuration
value | Maximum number of tunnels per IPsec profile for the on-demand IPsec tunnel being configured. 1 to 32.
8 tunnels per IPsec profile
Specifies the maximum number of tunnels per profile in this on-demand tunnel.
[local]Redback(config)#tunnel ipsec rec_2_1
[local]Redback(config-tunnel)#max-tunnels 50
mode {main | aggressive}
no mode
IKE policy configuration
main |
aggressive |
main
Specifies the mode to use for key exchanges. The no form of the command resets the mode to the default.
The following example shows how to set the mode for key exchange to aggressive:
[local]Redback(config-ike-policy)#mode aggressive
mtu size
no mtu
IPsec profile configuration
size | MTU size in bytes. Range: 256 to 1,480.
MTU for the interface to which the IPsec tunnel is bound
Sets the MTU for packets sent in an on-demand IPsec tunnel associated with the IPsec profile. If a packet exceeds the MTU, the system fragments that packet.
A tunnel uses the MTU for the interface to which you have bound it (using the bind interface command in tunnel configuration mode), unless you explicitly configure the MTU using this command. After you configure an MTU for the tunnel, the system determines the effective MTU by comparing the configured MTU with the interface MTU and selecting the lesser of the two values.
Use the no form of this command to set the MTU to the default value.
[local]Redback(config-ctx)#ipsec profile profile_se_1
[local]Redback(cfg-ipsec-profile)#mtu 256
out
no out
IPsec SA configuration
This command has no keywords or arguments.
No SA values for traffic are configured.
Enters IPsec SA SPI configuration mode for configuring the SA attributes for outbound traffic. Using the no form of the command removes the outbound traffic configuration.
This command cannot be used with the both command. If the both command is configured, neither inbound nor outbound SA traffic attributes can be configured separately. To configure the same SA attributes for inbound and outbound traffic, see the both command.
[local]Redback(config-ipsec-sa)#out
peer-end-point local loc-ip-addr [remote rem-ip-addr] [context ctx-name]
no peer-end-point
Assigns IP addresses to the tunnel endpoints.
tunnel configuration
local loc-ip-addr |
IP address of the local end of the tunnel. The format is A.B.C.D. |
remote rem-ip-addr |
Optional. IP address of the remote end of the tunnel. Required except when you have created an overlay tunnel for which you have specified that the system assign the remote IP address. The format is A.B.C.D. |
context ctx-name |
Optional. Name of the context that contains the interface to the local end of the tunnel. If no context is specified, the interface to the local end of the tunnel is assumed to be in the local context. |
None
Use the peer-end-point command to assign IP addresses to the tunnel endpoints. This command creates the tunnel between the two endpoints.
The remote IP address at one end of the tunnel is the same as the local IP address at the other end of the tunnel. If the remote IP address is not adjacent to the local IP address, and the remote site cannot be reached with a routing protocol, you must also enter the ip route command in context configuration mode.
If you create an overlay tunnel using the tunnel command with the ipv6v4-auto keyword, the system assigns an IP address to the remote endpoint. In this case, you do not include the remote rem-ip-addr construct when you enter this command.
The local loc-ip-addr construct must match the IP address of an interface.
If you are creating more than one tunnel, they can use the same IP address for the local endpoint (the IP address assigned to the interface) as long as the remote IP addresses are all different.
To use an interface and its local IP address for more than one tunnel, you must specify the loopback keyword with the interface command (in context configuration mode) when you create the interface for the tunnels. The loopback keyword allows you to reuse the IP address for more than one tunnel.
Use the no form of this command to delete this tunnel and any associated parameters that have been specified in tunnel configuration mode. The keywords are not available for the no form of this command.
The following example shows how to create an interface, toDenver, with a public IP address of 172.16.1.1; then it creates an overlay tunnel, DenverTnl, with a remote IP address of 172.16.1.2 and a local IP address of 172.16.1.1:
[local]Redback(config)#context local
[local]Redback(config-ctx)#interface toDenver
[local]Redback(config-if)#ip address 172.16.1.1/30
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#exit
[local]Redback(config)#tunnel ipv6v4-manual DenverTnl
[local]Redback(config-tunnel)#peer-end-point local 172.16.1.1 remote 172.16.1.2
The following example shows how to create two overlay tunnels each using an interface, LocalEnd. Both tunnels use the same local IP address; it is assumed that the remote IP address for Tun2 can be reached with a routing protocol, so the ip route command in context configuration mode is not needed:
[local]Redback(config)#context local
[local]Redback(config-ctx)#interface LocalEnd loopback
[local]Redback(config-if)#ip address 172.16.1.1/32
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#tunnel Tun1
[local]Redback(config-tunnel)#peer-end-point local 172.16.1.1 remote 172.16.1.2
[local]Redback(config-tunnel)#no shutdown
[local]Redback(config-tunnel)#exit
[local]Redback(config-ctx)#tunnel Tun2
[local]Redback(config-tunnel)#peer-end-point local 172.16.1.1 remote 172.20.1.2
[local]Redback(config-tunnel)#no shutdown
[local]Redback(config-tunnel)#end
perfect-forward-secrecy dh-group dh-group
no perfect-forward-secrecy dh-group
IPsec policy configuration
dh-group |
1, 2, or 5 |
No DH group is configured.
This command configures the Diffie-Hellman group used for Perfect Forward Secrecy (PFS) in an IPsec policy, so that each IPsec SA rekey performs a fresh Diffie-Hellman exchange instead of deriving the new keys from the IKE SA alone. Groups 1 and 2 (768-bit and 1024-bit MODP) are weak by current standards; of the groups offered here, group 5 (1536-bit MODP) is the strongest. Using the no form of the command resets the configuration to the default (no PFS).
[local]Redback(config-ipsec-policy)#perfect-forward-secrecy dh-group 5
pre-shared-key {hex hex-value | ASCII-value | use-aaa}
no pre-shared-key
IKE policy configuration
hex hex-value |
Hexadecimal number (24 to 98 characters). |
ASCII-value |
ASCII value (12 to 49 characters). |
use-aaa |
Specifies that the preshared key is configured on the AAA server, in the form expected by the node: ike pre-shared-key {hex hex-value | ASCII-value}. Applies only to on-demand IPsec tunnels and can only be specified for an IKE policy configured to use aggressive mode for key exchange. |
No preshared key is configured.
Specifies the local preshared key in an IKE policy; both peers must be configured with the same key. Because the preshared key is the only secret that authenticates the IKE exchange, use a long random value (up to 49 ASCII or 98 hex characters) rather than a password, and note that the show ike policy command displays the key in cleartext to administrator-level users. Using the no form of the command removes the configuration.
[local]Redback(config-ike-policy)#pre-shared-key 0x4d794865785061353577307264
remote-id remote_id
tunnel configuration
remote_id |
IP address or FQDN. |
No remote ID is specified for an IPsec tunnel.
Specifies the identity of the remote IPsec tunnel endpoint. This value is used when negotiating IKE requests with a remote peer. When IKE sessions are negotiated, the remote ID in the IPsec tunnel endpoint configured on one peer must match the local identity configured in the IKE policy on the other peer.
If not specified, the remote ID is set to the remote IP address of the IPsec tunnel.
[local]Redback(config)#tunnel ipsec rec_2_1
[local]Redback(config-tunnel)#remote-id 72.0.0.1
seq sequence-number [protocol] {source-network-prefix/source-prefix-length | any} [eq source-port] [dest-network-prefix/dest-prefix-length | any] [eq dest-port]
no seq sequence-number
IPsec ACL configuration
IPsec profile configuration
sequence-number |
Sequence number for the statement. Range: 1 to 429496729. |
protocol |
Optional. Number indicating a protocol as specified in RFC 1700, Assigned Numbers. Range: 0 to 255, or one of the keywords listed in Table 4. |
source-network-prefix |
Source IP address to be included in the criteria. |
source-prefix-length |
Number of prefix bits for the source IP address. Range: 0 to 32. |
dest-network-prefix |
Optional. Destination IP address to be included in the criteria. |
dest-prefix-length |
Optional. Number of prefix bits for the destination IP address. Range: 0 to 32. |
any |
Optional. Indicates that IP traffic from all IP addresses is to be included in the criteria. Used instead of specifying the network-prefix and prefix-length. |
eq |
Optional. Specifies that values must be equal to those specified by the source-port or dest-port argument. |
source-port |
Optional. Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) source port. This argument is available only if you specify TCP or UDP as the protocol. Range: 1 to 65535 or one of the keywords listed in Table 5 and Table 6. |
dest-port |
Optional. TCP or UDP destination port. This argument is available only if you specify TCP or UDP as the protocol. Range: 1 to 65535 or one of the keywords listed in Table 5 and Table 6. |
No ACLs are configured.
Creates an IPsec ACL rule that selects packets meeting the specified criteria. When the ACL is applied to a tunnel (with the seq ipsec-policy or seq security-association command), its rules are the traffic selectors for the associated SAs; packets that match no rule are not protected by that entry. Up to 32 rules can be specified in an IPsec ACL.
Table 4 lists the valid keyword substitutions for the protocol argument.

Keyword | Definition
---|---
ah | Authentication Header
esp | Encapsulating Security Payload
gre | Generic Routing Encapsulation (GRE)
host | Host source address
icmp | Internet Control Message Protocol (ICMP)
igmp | Internet Group Management Protocol (IGMP)
ip | Internet Protocol v4
ipinip | IP-in-IP tunneling
ospf | Open Shortest Path First (OSPF)
pcp | Payload Compression Protocol (PCP)
pim | Protocol Independent Multicast (PIM)
tcp | Transmission Control Protocol
udp | User Datagram Protocol
Table 5 lists the valid keyword substitutions for the source-port and dest-port arguments when they are used to specify a TCP port.

Keyword | Definition | Corresponding Port Number
---|---|---
bgp | Border Gateway Protocol (BGP) | 179
chargen | Character generator | 19
cmd | Remote commands (rcmd) | 514
daytime | Daytime | 13
discard | Discard | 9
domain | Domain Name System | 53
echo | Echo | 7
exec | Exec (rsh) | 512
finger | Finger | 79
ftp | File Transfer Protocol (FTP) | 21
ftp-data | FTP data connections (used infrequently) | 20
gopher | Gopher | 70
hostname | Network interface card (NIC) hostname server | 101
ident | Identification protocol | 113
irc | Internet Relay Chat | 194
klogin | Kerberos login | 543
kshell | Kerberos Shell | 544
login | Login (rlogin) | 513
lpd | Printer service | 515
nntp | Network News Transport Protocol (NNTP) | 119
pim-auto-rp | Protocol Independent Multicast Auto-RP | 496
pop2 | Post Office Protocol Version 2 (POP2) | 109
pop3 | Post Office Protocol Version 3 (POP3) | 110
shell | Remote command shell | 514
smtp | Simple Mail Transfer Protocol (SMTP) | 25
ssh | Secure Shell | 22
sunrpc | Sun Remote Procedure Call | 111
syslog | System logger | 514
tacacs | Terminal Access Controller Access Control System (TACACS) | 49
talk | talk | 517
telnet | Telnet | 23
time | Time | 37
uucp | UNIX-to-UNIX Copy Program | 540
whois | Nickname | 43
www | World Wide Web (HTTP) | 80
Table 6 lists the valid keyword substitutions for the source-port and dest-port arguments when they are used to specify a UDP port.

Keyword | Definition | Corresponding Port Number
---|---|---
biff | Biff (Mail Notification, Comsat) | 512
bootpc | Bootstrap Protocol client | 68
bootps | Bootstrap Protocol server | 67
discard | Discard | 9
dnsix | DNSIX Security Protocol Auditing | 195
domain | Domain Name System (DNS) | 53
echo | Echo | 7
isakmp | Internet Security Association and Key Management Protocol (ISAKMP) | 500
mobile-ip | Mobile IP Registration | 434
nameserver | IEN116 Name Service (obsolete) | 42
netbios-dgm | NetBIOS Datagram Service | 138
netbios-ns | NetBIOS Name Service | 137
netbios-ss | NetBIOS Session Service | 139
ntp | Network Time Protocol (NTP) | 123
pim-auto-rp | Protocol Independent Multicast Auto-RP | 496
rip | Routing Information Protocol (RIP) | 520
snmp | Simple Network Management Protocol (SNMP) | 161
snmptrap | SNMP Traps | 162
sunrpc | Sun Remote Procedure Call | 111
syslog | System logger | 514
tacacs | Terminal Access Controller Access Control System | 49
talk | Talk | 517
tftp | Trivial File Transfer Protocol (TFTP) | 69
time | Time | 37
who | Who Service (rwho) | 513
xdmcp | X Display Manager Control Protocol | 177
[local]Redback(config-ipsec-acl)#seq 10 tcp 1.1.1.0/24 eq 20000
[local]Redback(config-ipsec-acl)#seq 20 1.1.1.0/24 2.2.2.0/24
[local]Redback(config-ipsec-acl)#seq 30 any any
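To see how the rules of an IPsec ACL select traffic, the following Python model is an added example and not SmartEdge OS code. It parses rules written in the syntax of the seq command above (using a subset of the protocol and port keywords from Table 4, Table 5, and Table 6), evaluates a packet against the ACL in ascending sequence-number order with the first matching rule winning, and reports rules that can never be reached because an earlier `seq N any any` already matches everything. First-match evaluation is an assumption; the manual does not state the evaluation order. The sample ACL is constructed from the three rules in the example above plus a fourth, unreachable rule.

```python
"""Model of IPsec ACL selector matching for the `seq` rules described above.
Added example, not SmartEdge OS code. It assumes that rules are evaluated in
ascending sequence-number order and that the first matching rule is used (the
manual does not state the evaluation order); the sample ACL is constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Subset of the Table 4 protocol keywords (IP protocol numbers); "ip" means any.
PROTO_KEYWORDS = {"ip": None, "icmp": 1, "igmp": 2, "ipinip": 4, "tcp": 6, "udp": 17,
                  "gre": 47, "esp": 50, "ah": 51, "ospf": 89, "pim": 103, "pcp": 108}
# Subset of the Table 5 (TCP) and Table 6 (UDP) port keywords, keyed by protocol number.
PORT_KEYWORDS = {6: {"ssh": 22, "telnet": 23, "smtp": 25, "domain": 53, "www": 80, "bgp": 179},
                 17: {"domain": 53, "bootps": 67, "bootpc": 68, "ntp": 123, "snmp": 161,
                      "isakmp": 500, "syslog": 514}}

@dataclass
class Rule:
    seq: int
    proto: Optional[int] = None                  # None: any protocol
    src: Optional[ipaddress.IPv4Network] = None  # None: "any"
    sport: Optional[int] = None                  # None: any source port
    dst: Optional[ipaddress.IPv4Network] = None
    dport: Optional[int] = None

    def is_wildcard(self) -> bool:
        return (self.proto, self.src, self.sport, self.dst, self.dport) == (None,) * 5

@dataclass
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None

def _port(token: str, proto: Optional[int]) -> int:
    # "eq port" is only valid when the rule names tcp or udp as its protocol.
    if proto not in PORT_KEYWORDS:
        raise ValueError("eq port matching requires tcp or udp as the protocol")
    port = int(token) if token.isdigit() else PORT_KEYWORDS[proto].get(token)
    if port is None or not 1 <= port <= 65535:
        raise ValueError(f"invalid port {token!r} for protocol {proto}")
    return port

def _prefix(token: str) -> Optional[ipaddress.IPv4Network]:
    return None if token == "any" else ipaddress.IPv4Network(token, strict=False)

def parse_rule(line: str) -> Rule:
    """Parse one rule written in the syntax of the IPsec ACL `seq` command."""
    tok = line.split()
    if len(tok) < 3 or tok[0] != "seq":
        raise ValueError(f"not a seq rule: {line!r}")
    rule, i = Rule(seq=int(tok[1])), 2
    if tok[i].isdigit():                      # numeric protocol, 0 to 255
        rule.proto, i = int(tok[i]), i + 1
    elif tok[i] in PROTO_KEYWORDS:
        rule.proto, i = PROTO_KEYWORDS[tok[i]], i + 1
    rule.src, i = _prefix(tok[i]), i + 1
    if i < len(tok) and tok[i] == "eq":
        rule.sport, i = _port(tok[i + 1], rule.proto), i + 2
    if i < len(tok):
        rule.dst, i = _prefix(tok[i]), i + 1
    if i < len(tok) and tok[i] == "eq":
        rule.dport, i = _port(tok[i + 1], rule.proto), i + 2
    if i != len(tok):
        raise ValueError(f"unexpected tokens {tok[i:]} in {line!r}")
    return rule

def parse_acl(lines: List[str]) -> List[Rule]:
    """Parse a whole IPsec ACL and order it by sequence number (at most 32 rules)."""
    rules = sorted((parse_rule(line) for line in lines), key=lambda r: r.seq)
    if len(rules) > 32:
        raise ValueError("an IPsec ACL holds at most 32 rules")
    return rules

def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.proto is None or rule.proto == pkt.proto)
            and (rule.src is None or ipaddress.IPv4Address(pkt.src) in rule.src)
            and (rule.dst is None or ipaddress.IPv4Address(pkt.dst) in rule.dst)
            and (rule.sport is None or rule.sport == pkt.sport)
            and (rule.dport is None or rule.dport == pkt.dport))

def first_match(rules: List[Rule], pkt: Packet) -> Optional[int]:
    """Sequence number of the first rule that selects the packet, or None."""
    return next((r.seq for r in rules if matches(r, pkt)), None)

def unreachable_rules(rules: List[Rule]) -> List[int]:
    """Rules after a full wildcard (`seq N any any`) can never be selected."""
    first_wildcard = next((r.seq for r in rules if r.is_wildcard()), None)
    return [r.seq for r in rules if first_wildcard is not None and r.seq > first_wildcard]

# Constructed ACL: the three rules from the example above plus one that is never reached.
SAMPLE_ACL = parse_acl([
    "seq 10 tcp 1.1.1.0/24 eq 20000",
    "seq 20 1.1.1.0/24 2.2.2.0/24",
    "seq 30 any any",
    "seq 40 udp any eq isakmp any",
])

if __name__ == "__main__":
    pkt = Packet(6, "1.1.1.5", "2.2.2.9", sport=40000, dport=22)
    print("selected by seq", first_match(SAMPLE_ACL, pkt), "unreachable:", unreachable_rules(SAMPLE_ACL))
```

A TCP packet from 1.1.1.5 with source port 40000 misses seq 10 (source port is not 20000) and is selected by seq 20; a UDP packet from 9.9.9.9 falls through to the wildcard seq 30, which is also why seq 40 can never be selected. Order the most specific rules first and keep any wildcard rule last.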
seq id ipsec-policy ipsec-pol-name [access-group ipsec-acl-name]
no seq id ipsec-policy ipsec-policy-name [access-group ipsec-acl-name]
tunnel configuration
IPsec profile configuration
id |
Sequence number for the statement. Range: 1 to 429496729. You can configure up to eight sequenced entries for each tunnel. |
ipsec-policy ipsec-policy-name |
Name of a previously created IPsec policy. |
access-group ipsec-acl-name |
Optional. Name of a previously created IPsec ACL. |
No IPsec policies are configured for an IPsec tunnel using IKE.
This command applies only to IPsec tunnels using IKE. It specifies up to eight sequenced IPsec policies, each optionally with an IPsec ACL. When no IPsec ACL is specified, a wildcard selector is added by default. Using the no form of the command will remove the configuration.
[local]Redback(config)#tunnel ipsec rec_2_1
[local]Redback(config-tunnel)#seq 10 ipsec-policy ipsec_Pol1 access-group ipsec_ACL1
[local]Redback(config-tunnel)#seq 20 ipsec-policy ipsec_Pol2 access-group ipsec_ACL2
seq sequence-number proposal ike-proposal-name
IKE policy configuration
IPsec policy configuration
sequence-number |
1 to 429496729. |
proposal ike-proposal-name |
Name of a previously created IKE proposal (in IKE policy configuration mode) or IPsec policy proposal (in IPsec policy configuration mode). |
No IKE proposals are configured for an IKE policy. No IPsec proposals are configured for an IPsec policy.
When configuring an IKE policy, specifies the IKE proposals used by the IKE policy. When configuring an IPsec policy, specifies the IPsec proposals used by the IPsec policy. Up to 16 sequenced proposals can be specified for each policy. Using the no form of the command will remove the configuration.
The following example shows how to add a reference to the IKE_Prop1 IKE proposal to the IKE policy:
[local]Redback(config-ike-policy)#seq 10 proposal IKE_Prop1
The following example shows how to add a reference to the IPsec_Prop1 IPsec proposal to the IPsec policy:
[local]Redback(config-ipsec-policy)#seq 10 proposal IPsec_Prop1
seq id security-association sa-name [access-group ipsec-acl-name]
no seq id security-association sa-name [access-group ipsec-acl-name]
tunnel configuration
id |
Sequence number for the statement. Range: 1 to 429496729. You can configure up to eight sequenced entries per tunnel. |
security-association sa-name |
Name of a previously created IPsec SA. |
access-group ipsec-acl-name |
Name of a previously created IPsec ACL. |
No security associations with manual keys are configured for a manual mode IPsec tunnel.
This command applies only to manual mode IPsec tunnels. It specifies up to eight sequenced manual-keyed SAs, each optionally with an IPsec ACL, for a manual mode IPsec tunnel. When no IPsec ACL is specified, a wildcard selector is added by default. Using the no form of the command will remove the configuration.
[local]Redback(config)#tunnel ipsec rec_2_1
[local]Redback(config-tunnel)#seq 10 security-association ipsec_sa_1 access-group ipsec_ACL1
[local]Redback(config-tunnel)#seq 20 security-association ipsec_sa_2 access-group ipsec_ACL2
show configuration ike [all-contexts] [verbose]
all modes
all-contexts |
Optional. Displays the configuration for IKE in all contexts. |
verbose |
Optional. Displays all defaulted parameters. |
Displays configuration information for IKE in the current context, or in all contexts if the optional all-contexts keyword is specified. The optional verbose keyword lists all defaulted parameters.
[local]Redback#show configuration ike
Building configuration...
Current configuration:
context local
!
! ** End Context **
ike proposal ikeProp1
 authentication algorithm hmac-sha1-96
 encryption algorithm des-cbc
 dh-group 1
 lifetime seconds 3600
!
ike proposal simple-ike-proposal
 authentication algorithm hmac-sha1-96
 encryption algorithm des-cbc
 dh-group 1
 lifetime seconds 3600
!
!
end
show configuration ipsec [all-contexts] [verbose]
all modes
all-contexts |
Optional. Displays the configuration for IPsec in all contexts. |
verbose |
Optional. Displays all defaulted parameters. |
Displays configuration information for IPsec in the current context, or in all contexts if the optional all-contexts keyword is specified. The optional verbose keyword lists all defaulted parameters.
[local]subzero#show configuration ipsec
Building configuration...
Current configuration:
context local
!
! ** End Context **
ipsec proposal ipsecProp1
 esp encryption des-cbc
 esp authentication hmac-sha1-96
 ip-comp
 lifetime seconds 1800
!
ipsec proposal simple-ipsec-proposal
 esp encryption des-cbc
 esp authentication hmac-sha1-96
 ip-comp
 lifetime seconds 1800
!
ipsec policy ipsecPol1
 anti-replay-window 64
 seq 1 proposal ipsecProp1
!
ipsec policy simple-ipsec-policy
 anti-replay-window 64
 seq 1 proposal simple-ipsec-proposal
!
!
end
show configuration tunnel [all-contexts] [verbose]
all modes
all-contexts |
Optional. Displays the tunnel configuration in all contexts. |
verbose |
Optional. Displays all defaulted parameters. |
Displays configuration information for tunnels in the current context, or in all contexts if the optional all-contexts keyword is specified. The optional verbose keyword lists all defaulted parameters.
[local]Redback#show configuration tunnel
Building configuration...
Current configuration:
context local
!
! ** End Context **
tunnel ipsec rec_1_2_m manual
 peer-end-point local 1.1.1.1 remote 2.1.1.1 context vpn1
 bind interface tunnel_ipsec_1 vpn1
 seq 10 security-association sa1_2 access-group acl1_2
!
!
end
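The show configuration ike and show configuration ipsec displays above are the natural input for a configuration review, and the sample output itself contains settings a reviewer would question (des-cbc, dh-group 1, and IPsec policies without perfect-forward-secrecy). The following Python script is an added example, not SmartEdge OS code: it splits the displayed configuration into its `!`-terminated blocks and flags weak IKE and IPsec proposals, an aggressive-mode IKE policy that authenticates with a preshared key (see the mode and pre-shared-key commands), and IPsec policies with no perfect-forward-secrecy dh-group. Both embedded configurations are constructed: the first reproduces the proposal and policy blocks shown above with an assumed `ike policy` block added, the second shows the same structure with the strongest options this command set offers (the hex preshared key in it is a placeholder).

```python
"""Audit of `show configuration ike` / `show configuration ipsec` output for weak
settings. Added example, not SmartEdge OS code; both embedded configurations are
constructed (the first from the output above plus an assumed `ike policy` block)."""
import re
from typing import List, Optional, Tuple

HEADER = re.compile(r"^(ike proposal|ike policy|ipsec proposal|ipsec policy) (\S+)$")
WEAK_ENCRYPTION = {"des-cbc": "56-bit DES"}
WEAK_AUTH = {"hmac-md5-96": "MD5-based HMAC"}
WEAK_DH = {"1": "768-bit MODP", "2": "1024-bit MODP"}
Block = Tuple[str, str, List[str]]  # (block kind, name, body lines)

def parse_blocks(text: str) -> List[Block]:
    """Split the flat CLI configuration into blocks; a line of '!' closes a block."""
    blocks: List[Block] = []
    current: Optional[Block] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            current = (m.group(1), m.group(2), [])
            blocks.append(current)
        elif line == "!":
            current = None
        elif line and current is not None:
            current[2].append(line)
    return blocks

def _value(body: List[str], keyword: str) -> Optional[str]:
    """Argument of the first body line that starts with `keyword`; None if absent."""
    for line in body:
        if line == keyword or line.startswith(keyword + " "):
            return line[len(keyword):].strip()
    return None

def audit(text: str) -> List[str]:
    """One finding per weak or missing setting, in configuration order."""
    findings: List[str] = []
    for kind, name, body in parse_blocks(text):
        def flag(msg: str) -> None:
            findings.append(f"{kind} {name}: {msg}")
        enc, dh, auths = None, None, []
        if kind == "ike proposal":
            enc, dh = _value(body, "encryption algorithm"), _value(body, "dh-group")
            auths = [_value(body, "authentication algorithm")]
        elif kind == "ipsec proposal":
            enc = _value(body, "esp encryption")
            auths = [_value(body, "esp authentication"), _value(body, "ah")]
            if enc is not None and auths == [None, None]:
                flag("ESP encryption without ESP authentication or AH gives no integrity protection")
        elif kind == "ike policy" and _value(body, "mode") == "aggressive" \
                and _value(body, "pre-shared-key") is not None:
            flag("aggressive mode with a preshared key sends the identity and a key-derived "
                 "hash unprotected, allowing offline key guessing; use main mode")
        elif kind == "ipsec policy" and _value(body, "perfect-forward-secrecy") is None:
            flag("no perfect-forward-secrecy dh-group; IPsec SA keys derive from the IKE SA alone")
        if enc in WEAK_ENCRYPTION:
            flag(f"encryption {enc} ({WEAK_ENCRYPTION[enc]}) is weak")
        for algo in auths:
            if algo in WEAK_AUTH:
                flag(f"authentication {algo} ({WEAK_AUTH[algo]}) is weak")
        if dh in WEAK_DH:
            flag(f"dh-group {dh} ({WEAK_DH[dh]}) is below current guidance; prefer group 5")
    return findings

# Constructed from the sample output above, plus an assumed aggressive-mode IKE policy.
AS_SHOWN = """
ike proposal ikeProp1
 authentication algorithm hmac-sha1-96
 encryption algorithm des-cbc
 dh-group 1
!
ike policy ikePol1
 mode aggressive
 pre-shared-key MyHexPa55w0rd
!
ipsec proposal ipsecProp1
 esp encryption des-cbc
 esp authentication hmac-sha1-96
!
ipsec policy ipsecPol1
 seq 1 proposal ipsecProp1
!
"""
# The same structure with the strongest options this command set offers (placeholder key).
HARDENED = """
ike proposal ikeProp2
 authentication algorithm hmac-sha1-96
 encryption algorithm aes-128-cbc
 dh-group 5
!
ike policy ikePol2
 mode main
 pre-shared-key hex 2b7e151628aed2a6abf7158809cf4f3c
!
ipsec proposal ipsecProp2
 esp encryption aes-128-cbc
 esp authentication hmac-sha1-96
!
ipsec policy ipsecPol2
 perfect-forward-secrecy dh-group 5
 seq 1 proposal ipsecProp2
!
"""
```

Run `audit(AS_SHOWN)` to get five findings (two for the IKE proposal, one for the aggressive-mode policy, one for the IPsec proposal, one for the policy without PFS); `audit(HARDENED)` returns none. Because the show output loses nothing but indentation, the same parser works on a saved copy of the live display.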
show ike [asp slot-id/asp-id] policy [policy-name]
all modes
asp slot-id |
Optional. Number of the chassis slot where the card is installed. Possible values are 1 to 14. The actual slots that can contain an ASE card depend on the chassis. |
asp-id |
Optional. ID of the ASP on the ASE card. Possible values are 1 and 2. |
policy policy-name |
Optional. Name of a previously created IKE policy. |
Displays configuration information for IKE policies in the current context. If no IKE policy is specified, one line of configuration information for each IKE policy with the name, local ID, and mode is displayed. If an IKE policy is specified, all attributes, including defaults, are displayed for the specified policy; the preshared key is shown in cleartext to administrator-level users and masked for operators, so treat captured output and terminal session logs as key material. If no ASP is specified, the information is retrieved from the SmartEdge controller card; otherwise, it is retrieved from the specified ASP.
[local]Redback#show ike policy
Name Local-ID Mode
ike-policy1 1.1.1.1 aggressive

[local]Redback#show ike policy ike-policy1
IKE Policy: ike-policy1
Description: IKE policy for aggressive mode
Mode: aggressive
Connection Type: both
Local Identity: 1.1.1.1
Remote Identity: 2.2.2.2 3.3.3.3 4.4.4.4 5.5.5.5
Pre-shared Key: 0x123456789101234567890 // For the administrators
Pre-shared Key: ********** // For the operators
seq 10 proposal IKE-Prop1
seq 20 proposal IKE-Prop2
show ike [asp slot-id/asp-id] proposal [proposal-name]
all modes
asp slot-id |
Optional. Number of the chassis slot where the card is installed. Possible values are 1 to 14. The actual slots that can contain an ASE card depend on the chassis. |
asp-id |
Optional. ID of the ASP on the ASE card. Possible values are 1 and 2. |
proposal proposal-name |
Optional. Name of a previously created IKE proposal. |
Displays configuration information for IKE proposals. If no IKE proposal is specified, one line of configuration information for each IKE proposal with the name, encryption algorithm, authentication algorithm, and Diffie-Hellman group is displayed. If an IKE proposal is specified, all attributes, including defaults, are displayed for the specified proposal. If no ASP is specified, the information is retrieved from the SmartEdge controller card; otherwise, it is retrieved from the specified ASP.
[local]Redback#show ike proposal
Name Encryption Authentication DH-Group
IKE-Prop1 des-cbc hmac-md5-96 1
IKE-Prop2 3des-cbc hmac-sha1-96 2

[local]Redback#show ike asp 2/1 proposal IKE-Prop1
IKE Proposal : IKE-Prop1
Encryption Algorithm : des-cbc
Authentication Algorithm : hmac-md5-96
DH Group : 1
Lifetime : 86400 seconds
show ike statistics tunnel tunnel-name
all modes
tunnel-name |
Name of a previously created IPsec tunnel. |
Displays the IKE statistics associated with the given tunnel.
[local]Redback#show ike statistics tunnel ipsec-tunnel1
Number of IKE local attempts : 0
Number of IKE remote attempts : 1
Number of Failed IKE local attempts : 0
Number of Failed IKE remote attempts : 0
Number of P2SA created as Initiator : 0
Number of P2SA created as responder : 1
Number of P2 Proposal mismatch : 0
Number of P2TS mismatch : 8
Invalid IKE Cookie : 0
Invalid Major Version in IKE : 0
Invalid Minor Version in IKE : 0
Invalid IKE Exchange Type : 0
Invalid Flags : 0
Invalid IKE Message ID : 0
Invalid Protocol ID : 0
Invalid SPI : 0
Invalid Transform ID : 0
Invalid Payload Type : 0
Invalid Payload Type format : 0
Invalid Key Info : 0
Errors due to Invalid ID Info : 0
Errors due to Invalid Encoding in cert payload : 0
Errors due to Invalid Encoding in cert data : 0
Errors due to Invalid CA data in CERT_REQ payload : 0
Errors due to Invalid hash data in hash payload : 0
Errors due to Invalid signature : 0
Number of times authentication Failed : 0
Errors due to P1 proposal mismatch : 0
Errors due to Bad Proposal syntax : 0
Number of times payload lengths mismatched : 0
Number of times certificate requested is unavailable : 0
Errors due to lack of support for DOI in SA payload : 0
Errors due to lack of protection for the situation : 0
Errors due to lack of matching attribute : 0
Number of Times the Certificate type is not supported : 0
Number of times mismatch in Exchange Type is detected : 0
Number of IKE local Phase2 attempts : 1
Number of IKE remote Phase2 attempts : 8
Number of IKE local Phase2 attempts failed : 0
Number of IKE remote Phase2 attempts failed : 8
Number of in packets : 12
IN Packets' Higher Order Counter Value : 0
Number of out packets : 5
OUT Packets' Higher Order Counter value : 0
Number of in bytes : 1816
IN Bytes' Higher Order Counter value : 0
Number of out bytes : 624
OUT Bytes' Higher Order Counter value : 0
Cumulative Statistics of Invalid Protocol ID : 0
Cumulative Statistics of Invalid SPI : 0
Cumulative Statistics of Invalid Transform ID : 0
Cumulative Statistics of Invalid Payload Type : 0
Cumulative Statistics of Invalid Payload Format : 0
Cumulative Statistics of Invalid Key Type : 0
Cumulative Statistics of Invalid ID Info : 0
show ipsec [asp slot-id/asp-id] access-list [ipsec-acl-name]
all modes
asp slot-id |
Optional. Number of the chassis slot where the card is installed. Possible values are 1 to 14. The actual slots that can contain an ASE card depend on the chassis. |
asp-id |
Optional. ID of the ASP on the ASE card. Possible values are 1 and 2. |
access-list ipsec-acl-name |
Optional. Name of a previously created IPsec ACL. |
Displays configuration information for IPsec ACLs configured in the current context. If no ACL is specified, one line of configuration information for each ACL with the name and description is displayed. If an ACL is specified, all of its rules are displayed. If no ASP is specified, the information is retrieved from the SmartEdge controller card; otherwise, it is retrieved from the specified ASP.
[local]Redback#show ipsec access-list
Name Description
Ipsec-ACL1 IPsec Access List #1

[local]Redback#show ipsec access-list Ipsec-ACL1
IPsec Access-List: Ipsec-ACL1
Description: IPsec Access List #1
Seq 1 tcp 1.1.1.0/24 eq 20000 2.2.2.0/24 eq 20000
Seq 2 1.1.1.0/24 2.2.2.0/24
Seq 3 any any
show ipsec [asp slot/asp-id] profile [profile-name]
all modes
asp slot-id |
Optional. Number of the chassis slot where the card is installed. Possible values are 1 to 14. The actual slots that can contain an ASE card depend on the chassis. |
asp-id |
Optional. ID of the ASP on the ASE card. Possible values are 1 and 2. |
profile profile-name |
Optional. Name of an IPsec profile. |
Displays configuration information for IPsec profiles configured in the current context. If no ASP is specified, the information is retrieved from the SmartEdge controller card; otherwise, it is retrieved from the specified ASP.
[vpn1]l4l7-1#show ipsec profile
IPsec Profile: rec1_1
DF Bit: 0
MTU: 1480
1 IPSec Policy: ipsec_policy1 Access List: acl1_1
show ipsec [asp slot/asp-id] policy [policy-name]
all modes
asp slot-id |
Optional. Number of the chassis slot where the card is installed. Possible values are 1 to 14. The actual slots that can contain an ASE card depend on the chassis. |
asp-id |
Optional. ID of the ASP on the ASE card. Possible values are 1 and 2. |
policy policy-name |
Optional. Name of a previously created IPsec policy. |
Displays configuration information for IPsec policies in the current context. If no IPsec policy is specified, one line of configuration information for each IPsec policy with the name and Diffie-Hellman group is displayed. If an IPsec policy is specified, all attributes, including defaults, are displayed for the specified policy. If no ASP is specified, the information is retrieved from the SmartEdge controller card; otherwise, it is retrieved from the specified ASP.
[local]Redback#show ipsec policy
Name PFS
Ipsec-Policy1 dh-group 2

[local]Redback#show ipsec policy Ipsec-Policy1
IPsec Policy: Ipsec-Policy1
Perfect-forward-secrecy: dh-group 2
Anti-replay-window: 64
seq 10 proposal ipsec-Prop1
seq 20 proposal ipsec-Prop2
show ipsec [asp slot-id/asp-id] proposal [proposal-name]
all modes
asp slot-id |
Optional. Number of the chassis slot where the card is installed. Possible values are 1 to 14. The actual slots that can contain an ASE card depend on the chassis. |
asp-id |
Optional. ID of the ASP on the ASE card. Possible values are 1 and 2. |
proposal proposal-name |
Optional. Name of a previously created IPsec proposal. |
Displays configuration information for IPsec proposals. If no IPsec proposal is specified, one line of configuration information for each IPsec proposal with the name, encryption algorithm, authentication algorithm, and ip-comp flag is displayed. If an IPsec proposal is specified, all attributes, including defaults, are displayed for the specified proposal. If no ASP is specified, the information is retrieved from the SmartEdge controller card; otherwise, it is retrieved from the specified ASP.
[local]Redback#show ipsec proposal
Name Encryption Authentication IP-Comp
ipsec-Prop1 des-cbc hmac-md5-96 Enabled
ipsec-Prop2 3des-cbc hmac-sha1-96 Disabled

[local]Redback#show ipsec proposal ipsec-Prop1
IPsec Proposal: ipsec-Prop1
Description: IPsec Proposal 1
ESP: encryption: aes-128-ctr authentication: hmac-sha1-96
AH: authentication: hmac-md5-96
IP-Comp: Enabled
Lifetime: 86400 seconds, 50000 KBytes
show ipsec [asp slot-id/asp-id] security-association [sa-name]
all modes
asp slot-id |
Optional. Number of the chassis slot where the card is installed. Possible values are 1 to 14. The actual slots that can contain an ASE card depend on the chassis. |
asp-id |
Optional. ID of the ASP on the ASE card. Possible values are 1 and 2. |
security-association sa-name |
Optional. Name of a previously created IPsec SA. |
Displays configuration information for IPsec SAs configured in the current context. If no SA is specified, one line of configuration information for each SA with the name and description is displayed. If an SA is specified, all attributes, including defaults, are displayed for the specified SA; the manual keys are shown in cleartext to administrator-level users and masked for operators, so treat captured output and terminal session logs as key material. If no ASP is specified, the information is retrieved from the SmartEdge controller card; otherwise, it is retrieved from the specified ASP.
[local]Redback#show ipsec security-association
Name Description
ipsec-sa1 IPsec Security Association #1

[local]Redback#show ipsec security-association ipsec-sa1
IPsec Security-Association: ipsec-sa1
Description: IPsec Security Association #1
Anti Replay Window Size: 64
Ip-Compression: Enable
Security Association: both
esp spi 0x00001111
 encryption 3des-cbc
  key 0x010203040506070809 // For the administrators
  key ********** // For the operators
 authentication hmac-sha1-96
  key 0x010203040506070809 // For the administrators
  key ********** // For the operators
ah spi 0x00002222
 hmac-md5-96 key 0x0102030405060708
show tunnel ipsec [[name tunnel-name | remote ip-address] [detail] | [tunnel-name] on-demand]
all modes
name tunnel-name |
Optional. Name of a previously created IPsec tunnel. |
remote ip-address |
Optional. IP address of the remote endpoint. |
detail |
Optional. Displays detailed configuration information. |
tunnel-name |
Optional. Tunnel name. |
on-demand |
Optional. Displays information about on-demand IPsec tunnels. |
Displays configuration information for IPsec tunnels. If no IPsec tunnel is specified, generic information about all IPsec tunnels is displayed. You can specify a single IPsec tunnel by name, or select the IPsec tunnels that share a remote endpoint by specifying the IP address of that endpoint. All generic attributes, including the name, endpoints, ASP slot/ID, state, bound interface, circuit ID, and circuit handle are displayed. If you use the optional detail keyword in addition to specifying the tunnel or remote endpoint, IPsec-specific attributes, including encryption algorithms, authentication algorithms, active SAs, and the operational status are also displayed; check the Auth field of each active SA, because Auth: none means the SA provides encryption without integrity protection. Use the on-demand keyword to display on-demand tunnel names and counts; add the on-demand tunnel name to list information for that on-demand tunnel.
[local]Redback#show tunnel ipsec
:::::
Tunnel : rec_2_1 Key : -
Remote IP : 77.0.0.1 Local IP : 77.0.0.2
Tnl Type : IPsec ASP Slot/Id : 2/1
State : Up
Bound to : tunnel_ipsec2@ipsec_context2
Circuit ID: 18 Internal Hdl: 255/28:1023:63/0/1/18
:::::
Tunnel : rec_1_2 Key : -
Remote IP : 77.0.0.2 Local IP : 77.0.0.1
Tnl Type : IPsec ASP Slot/Id : 2/1
State : Up
Bound to : tunnel_ipsec2@ipsec_context
Circuit ID: 17 Internal Hdl: 255/28:1023:63/0/1/17

[local]Redback#show tunnel ipsec name rec_2_1
:::::
Tunnel : rec_2_1 Key : -
Remote IP : 77.0.0.1 Local IP : 77.0.0.2
Tnl Type : IPsec ASP Slot/Id : 2/1
State : Up
Bound to : tunnel_ipsec2@ipsec_context2
Circuit ID: 18 Internal Hdl: 255/28:1023:63/0/1/18

[local]Redback#show tunnel ipsec remote 77.0.0.1 detail
:::::
Tunnel : rec_2_1 Key : -
Remote IP : 77.0.0.1 Local IP : 77.0.0.2
Tnl Type : IPsec ASP Slot/Id : 2/1
State : Up
Bound to : tunnel_ipsec2@ipsec_context2
Circuit ID: 18 Internal Hdl: 255/28:1023:63/0/1/18
Tunnel is User Configured
local-ip 77.0.0.2, context-for-local-ip: ipsec_context2
mtu 1480
log-state-changes no
clear-df no
destination UP on nhop resolved in valid intf
resolved on to_ipsec_peer2 grid 0x1000000c
Tunnel ID: ipsec 18
Circuit ID Internal: 255/28:1023:63/0/1/18
IPsec Policy: sa2_1 Access Group: acl2_1
SA #1: Inbound ESP SPI : 0x1f4 Encr: aes-128-cbc Auth: none
Selector: IP 55.0.0.2/32 -> 55.0.0.1/32

[local]l4l7-1#show tunnel ipsec rec1_1 on-demand
IKE Policy : ike_policy1_1
Local IP : 1.1.1.1
Bind Interface : tunnel_ipsec_multibind_1_1
Bind Context : vpn1
AAA Authentication : Disabled
Maximum Tunnels : 1
Number of Tunnels : 1
Number of Active Tunnels: 1
Local IP: 1.1.1.1
Remote-IP ASP Tunnel-Name Bind Context Creation Time
2.1.1.1 2/1 _*DynTun*_23000001_00310000 tunnel_ipsec_multibind_1_1 vpn1 Today

[local]l4l7-1#show tunnel ipsec on-demand
Tunnel Count
rec1_1 1
show tunnel ipsec name tunnel-name [on-demand] statistics
all modes
name tunnel-name |
Name of a previously created IPsec tunnel. |
on-demand |
Optional. Displays information about on-demand IPsec tunnels. |
Displays the IPsec statistics associated with the specified tunnel. Non-zero authentication or anti-replay error counters indicate packets that failed the integrity or replay check and were dropped.
The following example shows the results following a ping test in which 215 packets were sent.
[local]Redback#show tunnel ipsec name rec_2_1 statistics
IPsec Decryption Errors : 0
IPsec Authentication Errors : 0
IPsec Policy Errors : 0
IPsec Padding Errors : 0
Anti-Replay Errors in IPsec : 0
Other Errors in IPsec : 0
Number of IN IPsec packets : 215
IPsec IN packets HO value : 0
Number of OUT IPsec packets : 215
IPsec OUT packets HO value : 0
Send OUT IPsec pkts Errors : 0
Total IN Bytes Processed By IPsec : 15480
IN Bytes Processed HO value : 0
Total OUT Bytes Processed By IPsec : 15480
OUT Bytes Processed HO value : 0
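The counters above, and those of the show ike statistics tunnel command, are cumulative, so they are most useful either as non-zero error indicators or as the growth between two snapshots taken around a reproduction attempt. The following Python script is an added example, not SmartEdge OS code: it parses both displays into a dictionary, reports every indicator counter that is non-zero together with a general IKEv1/IPsec interpretation (troubleshooting heuristics of this example, not statements from the manual), and computes the growth between two snapshots. The embedded sample is a constructed, abridged copy of the two displays above; in it, eight P2TS mismatches beside eight failed remote Phase 2 attempts point to a traffic selector (IPsec ACL) mismatch with the peer rather than to an authentication problem.

```python
"""Triage of `show ike statistics tunnel` and `show tunnel ipsec ... statistics`
counters. Added example, not SmartEdge OS code; the sample output is a constructed,
abridged copy of the displays above and the interpretations are general heuristics."""
import re
from typing import Dict, List

COUNTER = re.compile(r"^\s*(.+?)\s*:\s*(\d+)\s*$")

def parse_counters(text: str) -> Dict[str, int]:
    """Map each 'Counter name : value' line of a statistics display to an int."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        m = COUNTER.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters

def delta(before: Dict[str, int], after: Dict[str, int]) -> Dict[str, int]:
    """Counters that grew between two snapshots; only growth reflects current behaviour."""
    return {k: v - before.get(k, 0) for k, v in after.items() if v - before.get(k, 0) > 0}

# (counter name, what a non-zero or growing value usually indicates)
INDICATORS = [
    ("Number of times authentication Failed",
     "IKE authentication failed: check the preshared key and the local-id/remote-id pair"),
    ("Errors due to P1 proposal mismatch",
     "no common IKE proposal: compare encryption, authentication, dh-group and lifetime"),
    ("Number of P2 Proposal mismatch",
     "no common IPsec proposal: compare ESP/AH algorithms and the PFS group"),
    ("Number of P2TS mismatch",
     "traffic selector mismatch: the peer's selectors do not match this tunnel's IPsec ACL"),
    ("Invalid IKE Cookie", "bad cookies: stale retransmissions, or spoofed/replayed IKE packets"),
    ("Invalid SPI", "unknown SPI: SA state out of sync with the peer, or injected packets"),
    ("IPsec Authentication Errors", "ESP/AH integrity check failed: key mismatch or modified packets"),
    ("Anti-Replay Errors in IPsec",
     "sequence numbers outside the anti-replay window: replayed or heavily reordered packets"),
    ("IPsec Decryption Errors", "decryption failed: encryption key or algorithm mismatch"),
]

def triage(counters: Dict[str, int]) -> List[str]:
    """Explain every indicator counter that is non-zero, in INDICATORS order."""
    return [f"{name} = {counters[name]}: {meaning}"
            for name, meaning in INDICATORS if counters.get(name, 0) > 0]

# Constructed, abridged copy of the two statistics displays shown above.
SAMPLE = """
[local]Redback#show ike statistics tunnel ipsec-tunnel1
Number of IKE remote attempts : 1
Number of P2SA created as responder : 1
Number of P2 Proposal mismatch : 0
Number of P2TS mismatch : 8
Invalid IKE Cookie : 0
Invalid SPI : 0
Number of times authentication Failed : 0
Errors due to P1 proposal mismatch : 0
Number of IKE remote Phase2 attempts : 8
Number of IKE remote Phase2 attempts failed : 8
Number of in packets : 12
[local]Redback#show tunnel ipsec name rec_2_1 statistics
IPsec Decryption Errors : 0
IPsec Authentication Errors : 0
Anti-Replay Errors in IPsec : 0
Number of IN IPsec packets : 215
"""

if __name__ == "__main__":
    snapshot = parse_counters(SAMPLE)
    for finding in triage(snapshot):
        print(finding)
    later = dict(snapshot, **{"Anti-Replay Errors in IPsec": 3})
    print("grew since last snapshot:", delta(snapshot, later))
```

Take one snapshot, reproduce the problem (a ping across the tunnel, as in the example above), take a second snapshot, and look at `delta` first: an old non-zero counter that no longer grows is history, while a small counter that grows during the test is the live fault.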
tunnel ipsec name [manual | on-demand]
no tunnel ipsec name
global configuration
name |
Unique name for the IPsec tunnel; up to 50 characters. Do not use the reserved prefix _*DynTun*_. |
manual |
Optional. The tunnel must be configured with manually configured SAs. |
on-demand |
Optional. Creates the remote tunnel endpoint on demand during connection. |
No IPsec tunnels are configured.
Creates (with default attributes) or selects an IPsec tunnel, and enters tunnel configuration mode. Use the manual keyword to create an IPsec tunnel that uses SAs manually configured with the ipsec security-association command. Otherwise, the IPsec tunnel uses SAs negotiated using IKE. Once an IPsec tunnel is created, you cannot change its mode. Using the no form of the command will remove an existing configuration.
[local]Redback(config)#tunnel ipsec rec_2_1
[local]Redback(config)#tunnel ipsec rec_3_2 on-demand
ACL |
Access Control List |
AH |
Authentication Header |
ASE |
Advanced Services Engine |
BGP |
Border Gateway Protocol |
DF |
Don't Fragment |
DNS |
Domain Name System |
DoS |
Denial of Service |
DPD |
Dead Peer Detection |
ESP |
Encapsulating Security Payload |
FTP |
File Transfer Protocol |
GRE |
Generic Routing Encapsulation |
ICMP |
Internet Control Message Protocol |
IGMP |
Internet Group Management Protocol |
IPComp |
IP Compression |
IPsec |
Internet Protocol Security |
NIC |
Network interface card |
NNTP |
Network News Transport Protocol |
NTP |
Network Time Protocol |
OSPF |
Open Shortest Path First |
PCP |
Payload Compression Protocol |
PFS |
Perfect Forward Secrecy |
PIM |
Protocol Independent Multicast |
POP2 |
Post Office Protocol Version 2 |
POP3 |
Post Office Protocol Version 3 |
RIP |
Routing Information Protocol |
SA |
Security Association |
SMTP |
Simple Mail Transfer Protocol |
SNMP |
Simple Network Management Protocol |
SPI |
Security Parameter Index |
TACACS |
Terminal Access Controller Access Control System |
TCP |
Transmission Control Protocol |
TFTP |
Trivial File Transfer Protocol |
UDP |
User Datagram Protocol |
VPN |
Virtual Private Network |
[1] IPsec VPN Overview, 2/221 02-CRA 119 1170/1. |
[2] IPsec VPN Configuration and Operation Using the SmartEdge OS CLI, 1/1543-CRA 119 1170/1. |
[3] Command List, 1/19077-CRA 119 1170/1. |