MANUAL PAGE     2/190 80-CRA 119 1170/1-V1 Uen B    

IPsec VPN Command Reference

© Ericsson AB 2009–2010. All rights reserved. No part of this document may be reproduced in any form without the written permission of the copyright owner.

Disclaimer

The contents of this document are subject to revision without notice due to continued progress in methodology, design and manufacturing. Ericsson shall have no liability for any error or damage of any kind resulting from the use of this document.

Trademark List

SmartEdge is a registered trademark of Telefonaktiebolaget LM Ericsson.
NetOp is a trademark of Telefonaktiebolaget LM Ericsson.

Contents

1   Commands
1.1   ah
1.2   ah key
1.3   ah spi
1.4   anti-replay-window
1.5   authentication algorithm
1.6   bind interface (IPsec)
1.7   both
1.8   clear ike sa tunnel
1.9   clear ipsec sa tunnel
1.10   connection-type
1.11   debug ike asp
1.12   debug ike config
1.13   debug ipsec asp
1.14   debug ipsec config
1.15   description (IPsec)
1.16   df-bit
1.17   dh-group
1.18   encryption algorithm
1.19   esp authentication
1.20   esp authentication key
1.21   esp encryption
1.22   esp encryption key
1.23   esp spi
1.24   identity local
1.25   ike keepalive
1.26   ike policy
1.27   ike proposal
1.28   in
1.29   interface (context)
1.30   ip-comp
1.31   ipsec access-list
1.32   ipsec policy
1.33   ipsec profile
1.34   ipsec proposal
1.35   ipsec security-association
1.36   lifetime seconds
1.37   lifetime kbytes
1.38   max-tunnels
1.39   mode
1.40   mtu (IPsec profile)
1.41   out
1.42   peer-end-point
1.43   perfect-forward-secrecy dh-group
1.44   pre-shared-key
1.45   remote-id
1.46   seq (IPsec)
1.47   seq ipsec-policy
1.48   seq proposal
1.49   seq security-association
1.50   show configuration ike
1.51   show configuration ipsec
1.52   show configuration tunnel
1.53   show ike policy
1.54   show ike proposal
1.55   show ike statistics tunnel
1.56   show ipsec access-list
1.57   show ipsec profile
1.58   show ipsec policy
1.59   show ipsec proposal
1.60   show ipsec security-association
1.61   show tunnel ipsec
1.62   show tunnel ipsec statistics
1.63   tunnel ipsec

Glossary

Reference List


1   Commands

This document provides command syntax and usage guidelines for commands used in the configuration and operation of the Internet Protocol Security (IPsec) Virtual Private Network (VPN) application. For an overview of IPsec VPN, see Reference [1]. For configuration tasks, see Reference [2].

1.1   ah

ah [hmac-md5-96 | hmac-sha1-96 | hmac-aes-xcbc]

no ah

1.1.1   Command Mode

IPsec proposal configuration

1.1.2   Syntax Description

hmac-md5-96

hmac-md5-96 algorithm

hmac-sha1-96

hmac-sha1-96 algorithm

hmac-aes-xcbc

hmac-aes-xcbc algorithm

1.1.3   Default

hmac-sha1-96

1.1.4   Usage Guidelines

This command configures the Authentication Header (AH) authentication algorithm for an IPsec proposal. Using the no form of the command removes the AH configuration.

1.1.5   Examples

[local]Redback(config-ipsec-proposal)#ah hmac-aes-xcbc

1.2   ah key

ah [hmac-md5-96 | hmac-sha1-96 | hmac-aes-xcbc] key {hex hex-number | ASCII-value}

no ah [hmac-md5-96 | hmac-sha1-96 | hmac-aes-xcbc] key {hex hex-number | ASCII-value}

1.2.1   Command Mode

IPsec Security Association (SA) Security Parameter Index (SPI) configuration (manual key mode)

1.2.2   Syntax Description

hex hex-number

Hexadecimal number. The length of the value is specified in Table 1.

ASCII-value

ASCII value. The length of the value is specified in Table 1.

1.2.3   Default

aes-128-cbc

1.2.4   Usage Guidelines

Specifies the AH authentication algorithm and the manual key for authenticating inbound, outbound, or bidirectional traffic SAs.

Table 1 lists the valid key length values for each of the supported AH authentication algorithms.

Table 1    Valid Key Length Values for AH Authentication Algorithms

Keyword          ASCII Text Key Length    Hexadecimal Number Key Length
hmac-md5-96      16                       32
hmac-sha1-96     20                       40
hmac-aes-xcbc    16                       32

1.2.5   Examples

[local]Redback(config-ipsec-sa-spi)#ah hmac-md5-96 key hex 0fa20fa20fa20fa2

1.3   ah spi

ah spi spi-value

no ah spi spi-value

1.3.1   Command Mode

IPsec SA SPI configuration

1.3.2   Syntax Description

spi-value

256 to 0x1ffff for in and both; 1 to 0xffffffff for out

1.3.3   Default

No SPI value is configured.

1.3.4   Usage Guidelines

Specifies the AH SPI value for the inbound traffic, outbound traffic, or bidirectional traffic SAs. Using the no form of the command removes the SPI value.

1.3.5   Examples

[local]Redback(config-ipsec-sa-spi)#ah spi 48354

1.4   anti-replay-window

anti-replay-window window_size

no anti-replay-window

1.4.1   Command Mode

IPsec policy configuration

IPsec SA configuration

1.4.2   Syntax Description

window_size

0, 32 to 1024, in multiples of 32.

1.4.3   Default

64

1.4.4   Usage Guidelines

Configures the anti-replay window size. The anti-replay window protects against replay attacks and the potential Denial of Service (DoS) attack they enable. Size 0 disables the anti-replay window. Using the no form of the command resets the configuration to the default.

1.4.5   Examples

[local]Redback(config-ipsec-policy)#anti-replay-window 128
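The following is an added illustration, not SmartEdge code or part of this reference: a Python model of the sliding anti-replay window that this command sizes, in the style of RFC 4303 Appendix A. It accepts the window sizes the command accepts (0, or 32 to 1024 in multiples of 32), treats 0 as "no replay check at all", and shows which sequence numbers in a constructed packet stream are accepted and which are dropped as replays or as older than the window. The class and function names are this example's own.

```python
"""Sliding anti-replay window in the style of RFC 4303 Appendix A.

Added illustration only; not SmartEdge code. Window sizes follow the
anti-replay-window command: 0 (disabled) or 32 to 1024 in multiples of 32.
"""


def is_valid_window_size(size: int) -> bool:
    """True for the sizes the command accepts: 0, or 32..1024 in steps of 32."""
    return size == 0 or (32 <= size <= 1024 and size % 32 == 0)


class AntiReplayWindow:
    """Remembers which of the last `size` sequence numbers were accepted.

    Bit i of `bitmap` is set when sequence number (top - i) has been seen,
    so bit 0 always corresponds to the highest accepted sequence number.
    """

    def __init__(self, size: int):
        if not is_valid_window_size(size):
            raise ValueError(f"invalid anti-replay window size: {size}")
        self.size = size
        self.top = 0       # highest sequence number accepted so far
        self.bitmap = 0    # one bit per sequence number inside the window

    def check_and_update(self, seq: int) -> bool:
        """Return True if `seq` is accepted (and record it), False if dropped."""
        if seq <= 0:
            return False                    # sequence number 0 is never valid
        if self.size == 0:
            return True                     # window disabled: replays are accepted
        if seq > self.top:
            # New highest sequence number: slide the window to the right.
            shift = seq - self.top
            self.bitmap = self.bitmap << shift if shift < self.size else 0
            self.bitmap = (self.bitmap | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                    # older than the window: drop
        if self.bitmap & (1 << offset):
            return False                    # already seen inside the window: replay
        self.bitmap |= 1 << offset          # late but new: accept and mark
        return True


def run_sequence(size: int, seqs):
    """Feed a constructed stream of ESP/AH sequence numbers through one
    window and return the accept/drop decision for each."""
    window = AntiReplayWindow(size)
    return [window.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    # Constructed stream: in-order packets, one replay, a jump forward,
    # a late packet inside the window, and one that has fallen out of it.
    stream = [1, 2, 3, 2, 100, 40, 36, 37, 5]
    print(list(zip(stream, run_sequence(64, stream))))
```

With a 64-entry window the stream above accepts 1, 2, 3, then drops the second 2 as a replay; 100 slides the window, 40 and 37 are late but still inside it and are accepted, while 36 and 5 are older than the window and are dropped. With size 0 every packet, including the replayed one, is accepted, which is the exposure the usage guidelines describe.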

1.5   authentication algorithm

authentication algorithm {hmac-md5-96 | hmac-sha1-96}

no authentication algorithm

1.5.1   Command Mode

IKE proposal configuration

1.5.2   Syntax Description

hmac-md5-96

hmac-md5-96 algorithm

hmac-sha1-96

hmac-sha1-96 algorithm

1.5.3   Default

hmac-sha1-96

1.5.4   Usage Guidelines

Specifies the authentication algorithm of an Internet Key Exchange (IKE) proposal. Using the no form of the command resets the configuration to the default.

1.5.5   Examples

[local]Redback(config-ike-proposal)#authentication algorithm hmac-md5-96

1.6   bind interface (IPsec)

bind interface if-name context-name

no bind interface if-name [context-name]

1.6.1   Command Mode

tunnel configuration

1.6.2   Syntax Description

if-name

Name of a previously created interface.

context-name

Name of the context under which the specified interface is bound.

1.6.3   Default

No IPsec tunnel endpoints are bound.

1.6.4   Usage Guidelines

Statically binds the IPsec tunnel to a previously created interface. For on-demand IPsec tunnels, bind the on-demand tunnel to the IPsec multibind interface configured for this on-demand IPsec tunnel.

Use the no form of this command to remove the binding. You must remove any existing binding before you can create a new binding for the IPsec tunnel.

1.6.5   Examples

The following example shows how to create or modify the rec_2_1 tunnel and bind it to the ipsec-if1 interface in the Security service enabled ipsec-context context:

[local]Redback(config)#tunnel ipsec rec_2_1
[local]Redback(config-tunnel)#bind interface ipsec-if1 ipsec-context
[local]Redback(config)#tunnel ipsec profile1-se on-demand
[local]Redback(config-tunnel)#bind interface ipsec-mb-se local 

1.7   both

both

no both

1.7.1   Command Mode

IPsec SA configuration

1.7.2   Syntax Description

This command has no keywords or arguments.

1.7.3   Default

No SA values for traffic are configured.

1.7.4   Usage Guidelines

Enters IPsec SA SPI configuration mode for configuring the same SA values for both inbound and outbound traffic. Using the no form of the command removes the bidirectional traffic configuration.

This command cannot be used with either the in or out command. If the both command is configured, neither inbound nor outbound SA traffic attributes can be configured separately. To configure different SA traffic attributes for inbound and outbound traffic, see the in and out commands, respectively.

1.7.5   Examples

[local]Redback(config-ipsec-sa)#both

1.8   clear ike sa tunnel

clear ike sa tunnel tunnel-name

1.8.1   Command Mode

exec

1.8.2   Syntax Description

tunnel-name

Name of a previously created IPsec tunnel.

1.8.3   Usage Guidelines

Clears the SAs associated with the specified IKE tunnel name. Commands that clear SAs delete and renegotiate the SAs (with the new IKE configuration). Does not apply to on-demand IPsec tunnels.

1.8.4   Examples

[local]Redback#clear ike sa tunnel rec_2_1

1.9   clear ipsec sa tunnel

clear ipsec sa tunnel tunnel-name

1.9.1   Command Mode

exec

1.9.2   Syntax Description

tunnel-name

Name of a previously created IPsec tunnel.

1.9.3   Usage Guidelines

Clears the IPsec SAs associated with the given tunnel name. Commands that clear SAs delete and renegotiate the SAs (with the new IPsec configuration). For on-demand IPsec tunnels, the tunnel-name argument is dynamically assigned by the system.

1.9.4   Examples

[local]Redback#clear ipsec sa tunnel rec_2_1

1.10   connection-type

connection-type {initiator-only | responder-only | both}

no connection-type

1.10.1   Command Mode

IKE policy configuration

1.10.2   Syntax Description

initiator-only

 

responder-only

 

both

 

1.10.3   Default

both

1.10.4   Usage Guidelines

Specifies the IKE connection type of an IKE policy, which assigns the role of the local IKE peer when establishing connections to set up an IPsec tunnel. For on-demand IPsec tunnels, you cannot change the connection-type to initiator-only when using aggressive mode. Using the no form of the command resets it to the default.

1.10.5   Examples

The following example shows how to assign the role of initiator-only to any local peer that has this IKE policy assigned to it:

[local]Redback(config-ike-policy)#connection-type initiator-only

1.11   debug ike asp

debug ike asp slot-id/asp-id message-type {trace | log} {console | external} [level level]

1.11.1   Command Mode

exec

1.11.2   Syntax Description

slot-id

Chassis slot number where the Advanced Services Engine (ASE) card is installed. The range of values depends on the chassis:


  • SmartEdge® 800 or 1200: 1 to 6 and 9 to 14

  • SmartEdge 400: 1 to 4

asp-id

The ID of the Advanced Services Processor (ASP) on the ASE card. Possible values are 1 and 2.

message-type

Type of debug message to forward:


  • all

  • ikebase—Base IKE messages

  • ikev1—IKE version 1 messages

  • packet—Packet messages

  • policy—IKE policy messages

trace

Enables generation of trace messages.

log

Enables generation of log messages.

console

Sends debug information to the console.

external

Sends debug information to an external system.

level level

Optional. Specifies the debug logging level, where level is one of the following (in descending severity order):


  • emergency—Only emergency events.

  • alert—Alert and more severe events.

  • critical—Critical and more severe events.

  • error—Error and more severe events.

  • warning—Warning and more severe events.

  • notice—Notice and more severe events.

  • informational—Informational and more severe events.

  • debug—All events, including debug events.

  • all

1.11.3   Usage Guidelines

Enables the generation of debug messages for the IKE configuration of a specific ASP on a specific ASE card.


 Caution! 
Risk of performance loss. Enabling the generation of debug messages can severely affect system performance. To reduce the risk, exercise caution when enabling the generation of debug messages on a production system.

1.11.4   Examples

The following example shows how to enable the generation of IKE debug messages for the IKE configuration on the ASP:

[local]Redback#debug ike asp 2/1 ikev1 log console level warning

1.12   debug ike config

debug ike config

1.12.1   Command Mode

exec

1.12.2   Syntax Description

This command has no keywords or arguments.

1.12.3   Usage Guidelines

Enables the generation of debug messages for the IKE configuration.


 Caution! 
Risk of performance loss. Enabling the generation of debug messages can severely affect system performance. To reduce the risk, exercise caution when enabling the generation of debug messages on a production system.

1.12.4   Examples

[local]Redback#debug ike config

1.13   debug ipsec asp

debug ipsec asp slot-id/asp-id message-type {trace | log} {buffer | console} [level level]

1.13.1   Command Mode

exec

1.13.2   Syntax Description

slot-id

Chassis slot number where the ASE card is installed. The range of values depends on the chassis:


  • SmartEdge 800 or 1200: 1 to 6 and 9 to 14

  • SmartEdge 400: 1 to 4

asp-id

ID of the ASP on the ASE card. Possible values are 1 and 2.

message-type

Type of debug message to forward:


  • all

  • infra—IPsec infrastructure messages

  • packet—Packet messages

  • sad—SAD messages

  • spd—SPD messages

  • tunnel—Tunnel messages

trace

Enables generation of trace messages.

log

Enables generation of log messages.

buffer

Sends debug information to the circular buffer on the controller card.

console

Sends debug information to the console.

level level

Optional. Specifies the debug logging level, where level is one of the following (in descending severity order):


  • emergency—Only emergency events.

  • alert—Alert and more severe events.

  • critical—Critical and more severe events.

  • error—Error and more severe events.

  • warning—Warning and more severe events.

  • notice—Notice and more severe events.

  • informational—Informational and more severe events.

  • debug—All events, including debug events.

  • all

1.13.3   Usage Guidelines

Enables the generation of debug messages for the IPsec configuration of a specific ASP on a specific ASE card.


 Caution! 
Risk of performance loss. Enabling the generation of debug messages can severely affect system performance. To reduce the risk, exercise caution when enabling the generation of debug messages on a production system.

1.13.4   Examples

The following example shows how to enable the generation of packet debug messages for the IPsec configuration on the ASP:

[local]Redback#debug ipsec asp 1/1 packet log console level warning

1.14   debug ipsec config

debug ipsec config

1.14.1   Command Mode

exec

1.14.2   Syntax Description

This command has no keywords or arguments.

1.14.3   Usage Guidelines

Enables the generation of debug messages for the IPsec configuration.


 Caution! 
Risk of performance loss. Enabling the generation of debug messages can severely affect system performance. To reduce the risk, exercise caution when enabling the generation of debug messages on a production system.

1.14.4   Examples

[local]Redback#debug ipsec config

1.15   description (IPsec)

description string

no description

1.15.1   Command Mode

IKE policy configuration

IKE proposal configuration

IPsec Access Control List (ACL) configuration

IPsec policy configuration

IPsec proposal configuration

IPsec security association configuration

1.15.2   Syntax Description

string

Descriptive text; up to 255 characters.

1.15.3   Default

No description is configured.

1.15.4   Usage Guidelines

Specifies the description of the IKE policy, IKE proposal, IPsec ACL, IPsec policy, IPsec proposal, or IPsec SA.

1.15.5   Examples

[local]Redback(config-ipsec-proposal)#description IPsec-Proposal-1

1.16   df-bit

df-bit {propagate | set | clear}

no df-bit

1.16.1   Command Mode

tunnel configuration

IPsec profile configuration

1.16.2   Syntax Description

propagate

Propagate DF bit from inner IP to outer IP header.

set

Set the DF bit in the outer IP header

clear

Clear the DF bit from the outer IP header

1.16.3   Default

Propagate

1.16.4   Usage Guidelines

Specifies how the Don't Fragment (DF) bit in the outer IP header is set. The default value, propagate, copies the DF bit setting from the inner IP header to the outer IP header. Using the no form of the command resets the configuration to the default.

1.16.5   Examples

[local]Redback(config-tunnel)#df-bit clear

1.17   dh-group

dh-group dh-group

no dh-group

1.17.1   Command Mode

IKE proposal configuration

1.17.2   Syntax Description

dh-group

The Diffie-Hellman group to use: 1, 2, or 5

1.17.3   Default

1

1.17.4   Usage Guidelines

Specifies the Diffie-Hellman group for IKE key exchanges in an IKE proposal. Using the no form of the command resets the configuration to the default.

1.17.5   Examples

[local]Redback(config-ike-proposal)#dh-group 2

1.18   encryption algorithm

encryption algorithm {aes-128-cbc | aes-192-cbc | aes-256-cbc | des-cbc | 3des-cbc}

no encryption algorithm

1.18.1   Command Mode

IKE proposal configuration

1.18.2   Syntax Description

aes-128-cbc

aes-128-cbc protocol.

aes-192-cbc

aes-192-cbc protocol

aes-256-cbc

aes-256-cbc protocol

des-cbc

des-cbc protocol

3des-cbc

3des-cbc protocol

1.18.3   Default

aes-128-cbc

1.18.4   Usage Guidelines

Specifies the encryption algorithm for an IKE proposal. Using the no form of the command resets the configuration to the default.

1.18.5   Examples

[local]Redback(config-ike-proposal)#encryption algorithm aes-192-cbc

1.19   esp authentication

esp authentication {hmac-md5-96 | hmac-sha1-96 | hmac-aes-xcbc}

no esp authentication

1.19.1   Command Mode

IPsec proposal configuration

1.19.2   Syntax Description

hmac-md5-96

hmac-md5-96 algorithm

hmac-sha1-96

hmac-sha1-96 algorithm

hmac-aes-xcbc

hmac-aes-xcbc algorithm

1.19.3   Default

hmac-sha1-96

1.19.4   Usage Guidelines

Specifies the ESP authentication algorithm of an IPsec proposal.

If ESP authentication is configured without ESP encryption, the ESP encryption is set to null.

When neither ESP nor AH authentication is configured, using the no form of the command sets the ESP authentication (and ESP encryption) to the default. If either ESP or AH authentication is configured, using the no form of the command removes the ESP authentication configuration.

1.19.5   Examples

[local]Redback(config-ipsec-proposal)#esp authentication hmac-aes-xcbc

1.20   esp authentication key

esp authentication [hmac-md5-96 | hmac-sha1-96 | hmac-aes-xcbc] key {hex hex-number | ASCII-value}

no esp authentication [hmac-md5-96 | hmac-sha1-96 | hmac-aes-xcbc] key {hex hex-number | ASCII-value}

1.20.1   Command Mode

IPsec SA SPI configuration

1.20.2   Syntax Description

hmac-md5-96

hmac-md5-96 algorithm

hmac-sha1-96

hmac-sha1-96 algorithm

hmac-aes-xcbc

hmac-aes-xcbc algorithm

hex hex-number

Hexadecimal number. The length of the value is specified in Table 2.

ASCII-value

ASCII value. The length of the value is specified in Table 2

1.20.3   Default

hmac-sha1-96

1.20.4   Usage Guidelines

Specifies the ESP authentication algorithm and the manual key for authenticating inbound, outbound, or bidirectional traffic SAs. The no form of the command removes the ESP authentication algorithm from the configuration.

If ESP encryption is configured without ESP authentication, only encryption is done. If ESP authentication is configured without ESP encryption, the encryption is set to null.

Table 2 lists the valid key lengths for each of the supported authentication algorithms.

Table 2    Valid Key Length Values for ESP Authentication Algorithms

Keyword          ASCII Text Key Length    Hexadecimal Number Key Length
hmac-md5-96      16                       32
hmac-sha1-96     20                       40
hmac-aes-xcbc    16                       32

1.20.5   Examples

[local]Redback(config-ipsec-sa-spi)#esp authentication hmac-aes-xcbc key 1234123412341234

1.21   esp encryption

esp encryption {aes-128-cbc | aes-192-cbc | aes-256-cbc | aes-128-ctr | aes-192-ctr | aes-256-ctr | des-cbc | 3des-cbc | null}

no esp encryption

1.21.1   Command Mode

IPsec proposal configuration

1.21.2   Syntax Description

aes-128-cbc

aes-128-cbc algorithm

aes-192-cbc

aes-192-cbc algorithm

aes-256-cbc

aes-256-cbc algorithm

aes-128-ctr

aes-128-ctr algorithm

aes-192-ctr

aes-192-ctr algorithm

aes-256-ctr

aes-256-ctr algorithm

des-cbc

des-cbc algorithm

3des-cbc

3des-cbc algorithm

null

null encryption algorithm

1.21.3   Default

aes-128-cbc

1.21.4   Usage Guidelines

Specifies the ESP encryption algorithm of an IPsec proposal.

When neither ESP nor AH authentication is specified, the default is the ESP encryption aes-128-cbc with ESP authentication hmac-sha1-96. If ESP authentication is configured without ESP encryption, the ESP encryption is set to null.

If AH authentication is configured, using the no form of the command removes the encryption. If neither ESP authentication nor AH is specified, using the no form of the command resets the configuration to the default.

1.21.5   Examples

[local]Redback(config-ipsec-proposal)#esp encryption aes-256-cbc

1.22   esp encryption key

esp encryption [aes-128-cbc | aes-192-cbc | aes-256-cbc | aes-128-ctr | aes-192-ctr | aes-256-ctr | des-cbc | 3des-cbc] key {hex hex-number | ASCII-value}

no esp encryption [aes-128-cbc | aes-192-cbc | aes-256-cbc | aes-128-ctr | aes-192-ctr | aes-256-ctr | des-cbc | 3des-cbc] key {hex hex-number | ASCII-value}

1.22.1   Command Mode

IPsec SA SPI configuration (manual key mode)

1.22.2   Syntax Description

aes-128-cbc

aes-128-cbc algorithm

aes-192-cbc

aes-192-cbc algorithm

aes-256-cbc

aes-256-cbc algorithm

aes-128-ctr

aes-128-ctr algorithm

aes-192-ctr

aes-192-ctr algorithm

aes-256-ctr

aes-256-ctr algorithm

des-cbc

des-cbc algorithm

3des-cbc

3des-cbc algorithm

hex hex-number

Hexadecimal number. The length of the value is specified in Table 3.

ASCII-value

ASCII value. The length of the value is specified in Table 3

1.22.3   Default

aes-128-cbc

1.22.4   Usage Guidelines

Specifies the ESP encryption algorithm and the manual key for encrypting inbound, outbound, or bidirectional traffic SAs. If no encryption algorithm is specified, the default algorithm (aes-128-cbc) is used.

If ESP encryption is configured without ESP authentication, only encryption is done. If ESP authentication is configured without ESP encryption, the encryption is set to null.

Table 3 lists the valid key length values for each of the supported ESP encryption algorithms.

Table 3    Valid Key Length Values for Different ESP Encryption Algorithms

Keyword                  ASCII Text Key Length    Hexadecimal Number Key Length
des-cbc                  8                        16
3des-cbc                 24                       48
aes-128-cbc (default)    16                       32
aes-192-cbc              24                       48
aes-256-cbc              32                       64
aes-128-ctr              16                       32
aes-192-ctr              24                       48
aes-256-ctr              32                       64

1.22.5   Examples

[local]Redback(config-ipsec-sa-spi)#esp encryption des-cbc key 12345678

1.23   esp spi

esp spi spi-value

no esp spi spi-value

1.23.1   Command Mode

IPsec SA SPI configuration

1.23.2   Syntax Description

spi-value

256 to 0x1ffff for in and both; 1 to 0xffffffff for out

1.23.3   Default

No SPI value is configured.

1.23.4   Usage Guidelines

Specifies the ESP SPI value for the inbound traffic, outbound traffic, or bidirectional traffic SAs.

1.23.5   Examples

[local]Redback(config-ipsec-sa-spi)#esp spi 65535
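The following is an added example, not SmartEdge code or part of this reference: a Python checker for the manual-key values that the ah spi, esp spi, ah key, esp authentication key and esp encryption key commands take. It encodes the SPI ranges from the ah spi and esp spi syntax descriptions and the key lengths from Tables 1, 2 and 3 (an ASCII key is one byte per character; a hex key needs twice as many digits), and parses the "ah ... key", "esp authentication ... key" and "esp encryption ... key" lines in the form used in the examples above. It assumes the algorithm keyword is always given explicitly and that ASCII keys contain no whitespace; the table names and function names are this example's own.

```python
"""Validator for manual-key IPsec SA settings (SPI ranges and key lengths).

Added illustration, not SmartEdge code. The SPI ranges come from the ah spi
and esp spi syntax descriptions, the key lengths from Tables 1, 2 and 3.
The command parser is a simplified model of the CLI lines in the examples
and assumes the algorithm keyword is always present.
"""
import re

# Key length in bytes per authentication algorithm (Tables 1 and 2 give the
# ASCII length; the hexadecimal form needs twice as many digits).
AUTH_KEY_BYTES = {"hmac-md5-96": 16, "hmac-sha1-96": 20, "hmac-aes-xcbc": 16}

# Key length in bytes per ESP encryption algorithm (Table 3).
ENC_KEY_BYTES = {
    "des-cbc": 8, "3des-cbc": 24,
    "aes-128-cbc": 16, "aes-192-cbc": 24, "aes-256-cbc": 32,
    "aes-128-ctr": 16, "aes-192-ctr": 24, "aes-256-ctr": 32,
}

# Valid SPI range per SA direction, from the ah spi / esp spi descriptions.
SPI_RANGE = {"in": (256, 0x1FFFF), "both": (256, 0x1FFFF), "out": (1, 0xFFFFFFFF)}


def check_spi(direction: str, spi: int) -> bool:
    """True if `spi` is inside the range allowed for an in, both or out SA."""
    low, high = SPI_RANGE[direction]
    return low <= spi <= high


def check_key(algorithm: str, value: str, is_hex: bool):
    """Return (ok, reason) for one manual key against the key-length tables."""
    table = AUTH_KEY_BYTES if algorithm in AUTH_KEY_BYTES else ENC_KEY_BYTES
    if algorithm not in table:
        return False, f"unknown algorithm {algorithm}"
    need = table[algorithm]
    if is_hex:
        if not re.fullmatch(r"[0-9a-fA-F]+", value):
            return False, "hex key contains non-hex characters"
        if len(value) != 2 * need:
            return False, f"{algorithm} needs {2 * need} hex digits, got {len(value)}"
    elif len(value) != need:
        return False, f"{algorithm} needs {need} ASCII characters, got {len(value)}"
    return True, "ok"


# ah <alg> key [hex] <value> | esp authentication <alg> key [hex] <value>
# | esp encryption <alg> key [hex] <value>
_KEY_CMD = re.compile(
    r"^(ah|esp authentication|esp encryption)\s+(\S+)\s+key\s+(hex\s+)?(\S+)$"
)


def check_key_command(line: str):
    """Validate one key command line as typed in IPsec SA SPI configuration
    mode; returns (ok, reason)."""
    m = _KEY_CMD.match(line.strip())
    if not m:
        return False, "unrecognised key command"
    family, algorithm, hex_kw, value = m.groups()
    # esp encryption takes the Table 3 algorithms; ah and esp authentication
    # take the Table 1 / Table 2 algorithms.
    allowed = ENC_KEY_BYTES if family == "esp encryption" else AUTH_KEY_BYTES
    if algorithm not in allowed:
        return False, f"{algorithm} is not a valid algorithm for '{family}'"
    return check_key(algorithm, value, is_hex=hex_kw is not None)


if __name__ == "__main__":
    # Two lines from the examples in this reference plus constructed ones.
    for cmd in (
        "esp authentication hmac-aes-xcbc key 1234123412341234",
        "esp encryption des-cbc key 12345678",
        "esp encryption aes-256-cbc key hex " + "ab" * 32,   # constructed
        "esp encryption aes-256-cbc key hex " + "ab" * 16,   # constructed, short
        "ah hmac-sha1-96 key hex " + "zz" * 20,              # constructed, not hex
    ):
        print(cmd, "->", check_key_command(cmd))
    print("in SPI 48354 ->", check_spi("in", 48354))
    print("in SPI 1 ->", check_spi("in", 1))
```

Running the script shows the two example lines from this reference passing, the constructed 32-hex-digit AES-256 key rejected as too short, and the non-hex key rejected before its length is even checked; the SPI checks show that 1 is acceptable for an outbound SA but not for an inbound or bidirectional one.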

1.24   identity local

identity local {value | fqdn fqdn-string}

no identity local

1.24.1   Command Mode

IKE policy configuration

1.24.2   Syntax Description

value

IP address

fqdn fqdn-string

Fully qualified domain name

1.24.3   Default

No local identity is configured.

1.24.4   Usage Guidelines

Specifies the identity of the local IPsec tunnel endpoint in an IKE policy to use when negotiating IKE requests with a remote peer. As the value, use the IP address or FQDN of the loopback interface that was defined to provide the gateway identity for IPsec tunnels configured on this SmartEdge router. When IKE sessions are negotiated, the local identity configured in the IKE policy on one peer must match the remote ID configured in the IPsec tunnel endpoint on the other peer. Only one local identity is allowed for each policy. The same local identity can appear in multiple policies. Using the no form of the command removes the configuration.

1.24.5   Examples

[local]Redback(config-ike-policy)#identity local 30.0.1.3
[local]Redback(config-ike-policy)#identity local fqdn peer1.redback.com

1.25   ike keepalive

ike keepalive

no ike keepalive

1.25.1   Command Mode

context configuration

1.25.2   Syntax Description

This command has no keywords or arguments.

1.25.3   Default

Disabled.

1.25.4   Usage Guidelines

Enables the sending of Dead Peer Detection (DPD) messages to IKE peers. When enabled, a DPD message is sent to the remote peer when there is traffic to be sent to the remote peer, but there has been no traffic received from the remote peer for 10 seconds. If a response is received, no further messages are sent unless the previous condition is met. If no response is received from the remote peer, the keepalive is retried three times at an interval of 10 seconds. If there is no response from the remote peer, the tunnel is brought down. Using the no form of the command disables the sending of DPD messages (the default setting).

1.25.5   Examples

The following example shows how to enable the sending of DPD messages to IKE peers:

[local]Redback(config-ctx)#ike keepalive
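The following is an added illustration, not SmartEdge code or part of this reference: a small event-driven Python model of the DPD behaviour described in the usage guidelines. The timers are the ones stated above (a DPD is sent when there is traffic to send but nothing has been received from the peer for 10 seconds; an unanswered DPD is retried three times at 10-second intervals; the tunnel is then brought down). Treating any traffic from the peer, not only an explicit DPD response, as proof that the peer is alive is an assumption of this model, and the class and function names are this example's own.

```python
"""Event-driven model of the ike keepalive (DPD) behaviour.

Added illustration, not SmartEdge code. Timer values follow the usage
guidelines: 10 s idle before the first DPD, 3 retries 10 s apart, then
the tunnel is torn down. Any traffic from the peer counts as liveness
(an assumption of this model).
"""

IDLE_BEFORE_DPD = 10   # seconds without traffic from the peer before a DPD is sent
RETRY_INTERVAL = 10    # seconds between unanswered DPDs
MAX_RETRIES = 3        # retries after the first unanswered DPD


class DpdPeer:
    def __init__(self, enabled: bool = True):
        self.enabled = enabled    # ike keepalive configured or not (default: disabled)
        self.last_rx = 0          # time traffic was last received from the peer
        self.dpd_sent_at = None   # time of the outstanding (unanswered) DPD, if any
        self.retries = 0
        self.up = True
        self.log = []             # (time, event) pairs, for inspection

    def receive(self, now: int):
        """Traffic (including a DPD response) arrived from the peer."""
        self.last_rx = now
        if self.dpd_sent_at is not None:
            self.log.append((now, "dpd-answered"))
        self.dpd_sent_at = None   # no further DPDs until the idle condition recurs
        self.retries = 0

    def want_to_send(self, now: int):
        """There is traffic to send to the peer at time `now`."""
        if not self.enabled or not self.up:
            return
        if self.dpd_sent_at is None and now - self.last_rx >= IDLE_BEFORE_DPD:
            self.dpd_sent_at = now
            self.log.append((now, "dpd-sent"))

    def tick(self, now: int):
        """Timer check; call once per second of simulated time."""
        if self.dpd_sent_at is None or not self.up:
            return
        if now - self.dpd_sent_at >= RETRY_INTERVAL:
            if self.retries < MAX_RETRIES:
                self.retries += 1
                self.dpd_sent_at = now
                self.log.append((now, f"dpd-retry-{self.retries}"))
            else:
                self.up = False
                self.log.append((now, "tunnel-down"))


def simulate(events, duration: int, enabled: bool = True) -> DpdPeer:
    """Run one peer over `duration` seconds.  `events` maps a time to a set
    containing 'tx' (traffic to send) and/or 'rx' (traffic received), and is
    constructed by the caller."""
    peer = DpdPeer(enabled)
    for now in range(duration + 1):
        ev = events.get(now, set())
        if "rx" in ev:
            peer.receive(now)
        if "tx" in ev:
            peer.want_to_send(now)
        peer.tick(now)
    return peer


if __name__ == "__main__":
    # Constructed scenario 1: we keep sending, the peer never answers.
    dead = simulate({t: {"tx"} for t in range(61)}, 60)
    print("silent peer:", dead.log, "up =", dead.up)
    # Constructed scenario 2: the peer answers the first DPD two seconds later.
    ev = {t: {"tx"} for t in range(26)}
    ev[12] = {"tx", "rx"}
    alive = simulate(ev, 25)
    print("answering peer:", alive.log, "up =", alive.up)
```

In the first scenario the DPD goes out at t=10, the retries at t=20, 30 and 40, and the tunnel is brought down at t=50; in the second the DPD at t=10 is answered at t=12, nothing more is sent until the peer has again been silent for 10 seconds, and the tunnel stays up. With no traffic to send, or with keepalive disabled, no DPD is ever generated.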

1.26   ike policy

ike policy ike-policy-name

no ike policy ike-policy-name

1.26.1   Command Mode

context configuration

tunnel configuration

1.26.2   Syntax Description

ike-policy-name

In context configuration mode, name of the IKE policy, which must be unique; up to 39 characters.


In tunnel configuration mode, name of a previously created IKE policy.

1.26.3   Default

No IKE policy is configured in a context by default. No IKE policy is specified for an IPsec tunnel by default.

1.26.4   Usage Guidelines

In context configuration mode, creates (with default attributes) or selects an IKE policy and enters IKE policy configuration mode. Using the no form of the command removes the IKE policy.

In tunnel configuration mode, specifies the IKE policy used by the IPsec tunnel. Using the no form of the command removes the IKE policy from the IPsec tunnel.

1.26.5   Examples

The following example shows how to configure the IKE_Pol1 IKE policy in the local context:

[local]Redback(config-ctx)#ike policy IKE_Pol1

The following example shows how to associate the IKE_Pol1 IKE policy to the rec_2_1 tunnel in the local context.

[local]Redback(config)#tunnel ipsec rec_2_1
[local]Redback(config-tunnel)#ike policy IKE_Pol1

1.27   ike proposal

ike proposal ike-proposal-name

no ike proposal ike-proposal-name

1.27.1   Command Mode

global configuration

1.27.2   Syntax Description

ike-proposal-name

Name of an IKE proposal, which must be unique; up to 39 characters.

1.27.3   Default

No IKE proposal is configured.

1.27.4   Usage Guidelines

Creates (with default attributes) or selects an IKE proposal and enters IKE proposal configuration mode. Using the no form of the command removes the IKE proposal.

1.27.5   Examples

[local]Redback(config)#ike proposal IKE_Prop1

1.28   in

in

no in

1.28.1   Command Mode

IPsec SA configuration

1.28.2   Syntax Description

This command has no keywords or arguments.

1.28.3   Default

None.

1.28.4   Usage Guidelines

Enters IPsec SA SPI configuration mode for configuring the SA attributes for inbound traffic. Using the no form of the command removes the inbound traffic configuration.

This command cannot be used with the both command. If the both command is configured, neither inbound nor outbound SA traffic attributes can be configured separately. To configure the same SA attributes for inbound and outbound traffic, see the both command.

1.28.5   Examples

[local]Redback(config-ipsec-sa)#in

1.29   interface (context)

interface if-name [bridge | {intercontext if-type grp-num} | ipsec [multibind] | loopback | multibind [lastresort] | p2p]

no interface if-name [bridge | {intercontext if-type grp-num} | ipsec [multibind] | loopback | multibind [lastresort] | p2p]

1.29.1   Purpose

Creates a new interface, or selects an existing one for modification, and enters interface configuration mode.

1.29.2   Command Mode

context configuration

1.29.3   Syntax Description

if-name

Name of the interface; an alphanumeric string with up to 127 characters.

bridge

Optional. Specifies that the interface is a bridged interface.

intercontext

Optional. Specifies that the interface is to link two or more contexts. Use an intercontext interface only for:


  • Intermediate System-to-Intermediate System (IS-IS) routing

  • Intercontext static routes

  • Interfacing to the default multicast domain tree (MDT) group in multicast virtual private networks (VPNs).


If you provide an IP address to an intercontext interface, the netmask 255.255.255.255 is not allowed.

if-type

Optional. Type of intercontext interface, according to the following keywords:


  • lan—Specifies a point-to-multipoint (LAN) interface.

  • p2p—Specifies a point-to-point interface.

grp-num

Optional. Intercontext group number; the range of values is 1 to 1,023.

ipsec

Optional. Specifies that the interface is an IPsec interface.


loopback

Optional. Specifies that the interface is a loopback interface.

multibind

Optional. Enables the interface to have multiple circuits bound to it.

lastresort

Optional. Specifies that this multibind interface, called a last-resort interface, is used for any subscriber circuit that attempts to come up and cannot bind to any other interface.

p2p

Optional. When binding to a LAN circuit, indicates to routing protocols, such as IS-IS or Open Shortest Path First (OSPF), that the circuit should be treated as a point-to-point interface from an Interior Gateway Protocol (IGP) perspective.

1.29.4   Default

None

1.29.5   Usage Guidelines

Use the interface command to create a new interface, or select an existing one for modification, and enter interface configuration mode. Optionally, you can specify the interface as an intercontext interface or a loopback interface, or enable the interface to have multiple circuits bound to it.

You must bind a port or circuit to an interface (other than a bridged or loopback interface) for data to flow across the interface.

For an IPsec multibind interface, the interface is always unnumbered. Most of the operations listed for the interface command are not supported when you configure interface ipsec multibind. If a routing protocol is enabled over an IPsec multibind interface, then all tunnels bound to a multibind interface will run the same routing protocol. Static routes cannot be configured to use the IPsec multibind interface.

When there are only two routers over the LAN media, you can configure the interface as a point-to-point interface from a routing protocol perspective by using the p2p keyword. For more detailed information, see the Internet Draft, draft-ietf-isis-igp-p2p-over-lan-03.txt.

Use the bind interface command (in link configuration mode) to bind a port or circuit to a previously created interface in the specified context. Both the interface and the specified context must exist before you enter the bind interface command. If either is missing, an error message displays. For more information about this command, see the Command List.

Use the bridge command (in interface configuration mode) to associate the bridge with the interface or subscriber. For more information on this command, see the Command List.

Use the no form of this command to delete the interface.


 Caution! 
Risk of data loss. Deleting an interface removes all bindings to the interface. To reduce the risk, do not delete an interface, unless you are certain it is no longer needed.
Note: To enable OSPF routing on an interface, see Configuring OSPF.

1.29.6   Examples

The following example configures an interface, enet1:

[local]Redback(config-ctx)#interface enet1
[local]Redback(config-if)#ip address 10.1.1.1 255.255.255.0

The following example configures a loopback interface, local-loopback, for the local context:

[local]Redback(config-ctx)#interface local-loopback loopback
[local]Redback(config-if)#ip address 10.1.1.1/32

The following example configures three intercontext interfaces in three different contexts all with group 10:

[local]Redback(config-config)#context isp1

[local]Redback(config-ctx)#interface isp1-lan intercontext lan 10

[local]Redback(config-if)#ip address 10.1.1.1/24

[local]Redback(config-if)#exit

[local]Redback(config-ctx)#exit

!Configure the second interface

[local]Redback(config-config)#context isp2

[local]Redback(config-ctx)#interface isp2-lan intercontext lan 10

[local]Redback(config-if)#ip address 10.1.1.2/24

[local]Redback(config-if)#exit

[local]Redback(config-ctx)#exit

!Configure the third interface

[local]Redback(config)#context isp3

[local]Redback(config-ctx)#interface isp3-lan intercontext lan 10

[local]Redback(config-if)#ip address 10.1.1.3/24

[local]Redback(config-if)#exit

[local]Redback(config-ctx)#exit

The following example deletes the atm3 interface:

[local]Redback(config-ctx)#no interface atm3

The following example configures a last-resort interface and borrows an IP address for it from the enet1 interface:

[local]Redback(config-ctx)#interface last multibind lastresort

[local]Redback(config-if)#ip unnumbered enet1

The following example configures a bridged interface and binds it to an existing bridge group, isp1:

[local]Redback(config)#context bridge
[local]Redback(config-ctx)#interface if-isp1 bridge
[local]Redback(config-if)#bridge name isp1

The following example configures an IPsec multibind interface:

[local]ipsec-se1(config)#context ctx-1
[local]ipsec-se1(config-ctx)#interface ipsec_mb_se_1 ipsec multibind

1.30   ip-comp

ip-comp

no ip-comp

1.30.1   Command Mode

IPsec proposal configuration

IPsec security association configuration

1.30.2   Syntax Description

This command has no keywords or arguments.

1.30.3   Default

Disabled

1.30.4   Usage Guidelines

Enables IP compression using the IP Compression (IPComp) protocol. Using the no form of the command disables IP compression.

1.30.5   Examples

[local]Redback(config-ipsec-proposal)#ip-comp

1.31   ipsec access-list

ipsec access-list ipsec-acl-name

no ipsec access-list ipsec-acl-name

1.31.1   Command Mode

context configuration

1.31.2   Syntax Description

ipsec-acl-name

Name of an IPsec access list, which must be unique; up to 39 characters

1.31.3   Default

No IPsec access list is configured.

1.31.4   Usage Guidelines

Creates (with default attributes) or selects an IPsec access list and enters IPsec ACL configuration mode. Using the no form of the command will remove an existing configuration.

1.31.5   Examples

[local]Redback(config-ctx)#ipsec access-list ipsec_ACL1

1.32   ipsec policy

ipsec policy ipsec-policy-name

no ipsec policy ipsec-policy-name

1.32.1   Command Mode

global configuration

1.32.2   Syntax Description

ipsec-policy-name

Name of an IPsec policy, which must be unique; up to 39 characters.

1.32.3   Default

No IPsec policy is configured.

1.32.4   Usage Guidelines

Creates (with default attributes) or selects an IPsec policy and enters IPsec policy configuration mode. Using the no form of the command will remove an existing configuration.

1.32.5   Examples

[local]Redback(config)#ipsec policy ipsec_Pol1

1.33   ipsec profile

ipsec profile profile-name

no ipsec profile profile-name

1.33.1   Command Mode

context configuration

1.33.2   Syntax Description

profile-name

Name of the IPsec profile. Must match the name of the on-demand IPsec tunnel created with the tunnel ipsec name on-demand command in global configuration mode.

1.33.3   Default

None.

1.33.4   Usage Guidelines

Creates an IPsec profile, which specifies how traffic in the on-demand IPsec tunnel should be handled. The IPsec profile must be created in the same context as the multibind interface to which the on-demand IPsec tunnel is bound.

1.33.5   Examples

[local]Redback(config)#context ctx-1
[local]Redback(config-ctx)#ipsec profile profile_se_1
[local]Redback(cfg-ipsec-profile)#

1.34   ipsec proposal

ipsec proposal ipsec-proposal-name

no ipsec proposal ipsec-proposal-name

1.34.1   Command Mode

global configuration

1.34.2   Syntax Description

ipsec-proposal-name

Name of the IPsec proposal, which must be unique; up to 39 characters.

1.34.3   Default

No IPsec proposal configuration.

1.34.4   Usage Guidelines

Creates (with default attributes) or selects an IPsec proposal and enters IPsec proposal configuration mode. Using the no form of the command will remove an existing configuration.

1.34.5   Examples

[local]Redback(config)#ipsec proposal ipsec_Prop1

1.35   ipsec security-association

ipsec security-association sa-name

no ipsec security-association sa-name

1.35.1   Command Mode

global configuration

1.35.2   Syntax Description

sa-name

Name of an IPsec security association, which must be unique; up to 39 characters.

1.35.3   Default

No IPsec security association configuration.

1.35.4   Usage Guidelines

Creates or selects an IPsec security association and enters IPsec security association configuration mode. Using the no form of the command will remove an existing configuration.

1.35.5   Examples

[local]Redback(config)#ipsec security-association ipsec_sa_1

1.36   lifetime seconds

lifetime seconds seconds

no lifetime seconds

1.36.1   Command Mode

IKE proposal configuration

IPsec proposal configuration

1.36.2   Syntax Description

seconds

300 to 99999999

1.36.3   Default

86400 (one day)

1.36.4   Usage Guidelines

Specifies the SA lifetime in seconds: in an IKE proposal, the lifetime of the IKE SA; in an IPsec proposal, the lifetime of the IPsec SAs negotiated with that proposal. Specify 0 seconds for no time-out; any number of seconds from 1 to 299 is rejected. With a lifetime of 0 the SA is never rekeyed on a time basis, so the same keys remain in use for as long as the tunnel stays up; for an IPsec proposal, pair a time-based lifetime with lifetime kbytes so that rekeying is also bounded by the amount of traffic protected under one key. Using the no form of the command resets the configuration to the default.

1.36.5   Examples

[local]Redback(config-ike-proposal)#lifetime seconds 43200

1.37   lifetime kbytes

lifetime kbytes kbytes

no lifetime

1.37.1   Command Mode

IPsec proposal configuration

1.37.2   Syntax Description

kbytes

128 to 2147483647

1.37.3   Default

0 kbytes

1.37.4   Usage Guidelines

Specifies the lifetime for IPsec SAs in kbytes for an IPsec proposal; the SA is rekeyed once that volume of traffic has been protected under it. Specify 0 kbytes for no volume-based limit. The lifetime is expected to be tied to the strength of the encryption and authentication algorithms configured: the weaker the cipher or the shorter its block size, the less traffic should be protected under one key. Using the no form of the command resets the configuration to the default.

1.37.5   Examples

[local]Redback(config-ipsec-proposal)#lifetime kbytes 256

1.38   max-tunnels

max-tunnels value

no max-tunnels

1.38.1   Command Mode

tunnel configuration

1.38.2   Syntax Description

value

Maximum number of tunnels per IPsec profile for the on-demand IPsec tunnel being configured. 1 to 32.

1.38.3   Default

8 tunnels per IPsec profile

1.38.4   Usage Guidelines

Specifies the maximum number of tunnels per profile in this on-demand tunnel.

1.38.5   Examples

[local]Redback(config)#tunnel ipsec rec_2_1
[local]Redback(config-tunnel)#max-tunnels 16

1.39   mode

mode {main | aggressive}

no mode

1.39.1   Command Mode

IKE policy configuration

1.39.2   Syntax Description

main

Main mode: the six-message IKE phase 1 exchange, in which the peer identities are sent encrypted.

aggressive

Aggressive mode: the three-message IKE phase 1 exchange, in which the peer identities are sent in the clear.

1.39.3   Default

main

1.39.4   Usage Guidelines

Specifies the mode to use for the IKE phase 1 key exchange. Main mode takes six messages and protects the peer identities; aggressive mode completes in three messages but sends the identities in the clear and, when pre-shared-key authentication is used, exposes the authentication hash to an offline dictionary attack against the key. Prefer main mode unless the peer or the deployment requires aggressive mode (for example, on-demand tunnels using pre-shared-key use-aaa can only be configured in an IKE policy that uses aggressive mode). The no form of the command resets the mode to the default.

1.39.5   Examples

The following example shows how to set the mode for key exchange to aggressive.

[local]Redback(config-ike-policy)#mode aggressive

1.40   mtu (IPsec profile)

mtu size

no mtu

1.40.1   Command Mode

IPsec profile configuration

1.40.2   Syntax Description

size

MTU size in bytes. Range: 256 to 1,480.

1.40.3   Default

MTU for the interface to which the IPsec tunnel is bound

1.40.4   Usage Guidelines

Sets the MTU for packets sent in an on-demand IPsec tunnel associated with the IPsec profile. If a packet exceeds the MTU, the system fragments that packet.

A tunnel uses the MTU for the interface to which you have bound it (using the bind interface command in tunnel configuration mode), unless you explicitly configure the MTU using this command. After you configure an MTU for the tunnel, the system determines the effective MTU by comparing the configured MTU with the interface MTU and selecting the lesser of the two values.

Use the no form of this command to set the MTU to the default value.

1.40.5   Examples

[local]Redback(config-ctx)#ipsec profile profile_se_1
[local]Redback(cfg-ipsec-profile)#mtu 256

1.41   out

out

no out

1.41.1   Command Mode

IPsec SA configuration

1.41.2   Syntax Description

This command has no keywords or arguments.

1.41.3   Default

No SA values for traffic are configured.

1.41.4   Usage Guidelines

Enters IPsec SA SPI configuration mode for configuring the SA attributes for outbound traffic. Using the no form of the command removes the outbound traffic configuration.

This command cannot be used with the both command. If the both command is configured, neither inbound nor outbound SA traffic attributes can be configured separately. To configure the same SA attributes for inbound and outbound traffic, see the both command.

1.41.5   Examples

[local]Redback(config-ipsec-sa)#out

1.42   peer-end-point

peer-end-point local loc-ip-addr [remote rem-ip-addr] [context ctx-name]

no peer-end-point

1.42.1   Purpose

Assigns IP addresses to the tunnel endpoints.

1.42.2   Command Mode

tunnel configuration

1.42.3   Syntax Description

local loc-ip-addr

IP address of the local end of the tunnel. The format is A.B.C.D.

remote rem-ip-addr

Optional. IP address of the remote end of the tunnel. Required except when you have created an overlay tunnel for which you have specified that the system assign the remote IP address. The format is A.B.C.D.

context ctx-name

Optional. Name of the context that contains the interface to the local end of the tunnel. If no context is specified, the interface to the local end of the tunnel is assumed to be in the local context.

1.42.4   Default

None

1.42.5   Usage Guidelines

Use the peer-end-point command to assign IP addresses to the tunnel endpoints. This command creates the tunnel between the two endpoints.

Note:  
IP-in-IP and overlay tunnels support a single tunnel circuit in each tunnel; GRE tunnels can support multiple tunnel circuits with the use of keys. For information about GRE tunnel circuits, see Configuring GRE Tunnels.

The remote IP address at one end of the tunnel is the same as the local IP address at the other end of the tunnel. If the remote IP address is not adjacent to the local IP address, and the remote site cannot be reached with a routing protocol, you must also enter the ip route command in context configuration mode.

If you create an overlay tunnel using the tunnel command with the ipv6v4-auto keyword, the system assigns an IP address to the remote endpoint. In this case, you do not include the remote rem-ip-addr construct when you enter this command.

The local loc-ip-addr construct must match the IP address of an interface.

If you are creating more than one tunnel, they can use the same IP address for the local endpoint (the IP address assigned to the interface) as long as the remote IP addresses are all different.

To use an interface and its local IP address for more than one tunnel, you must specify the loopback keyword with the interface command (in context configuration mode) when you create the interface for the tunnels. The loopback keyword allows you to reuse the IP address for more than one tunnel.

Use the no form of this command to delete this tunnel and any associated parameters that have been specified in tunnel configuration mode. The keywords are not available for the no form of this command.

1.42.6   Examples

The following example shows how to create an interface, toDenver, with a public IP address of 172.16.1.1; then it creates an overlay tunnel, DenverTnl, with a remote IP address of 172.16.1.2 and a local IP address of 172.16.1.1:

[local]Redback(config)#context local
[local]Redback(config-ctx)#interface toDenver
[local]Redback(config-if)#ip address 172.16.1.1/30
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#exit
[local]Redback(config)#tunnel ipv6v4-manual DenverTnl 
[local]Redback(config-tunnel)#peer-end-point local 172.16.1.1 remote 172.16.1.2

The following example shows how to create two overlay tunnels each using an interface, LocalEnd. Both tunnels use the same local IP address; it is assumed that the remote IP address for Tun2 can be reached with a routing protocol, so the ip route command in context configuration mode is not needed:

[local]Redback(config)#context local
[local]Redback(config-ctx)#interface LocalEnd loopback
[local]Redback(config-if)#ip address 172.16.1.1/32
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#exit
[local]Redback(config)#tunnel Tun1
[local]Redback(config-tunnel)#peer-end-point local 172.16.1.1 remote 172.16.1.2
[local]Redback(config-tunnel)#no shutdown
[local]Redback(config-tunnel)#exit
[local]Redback(config)#tunnel Tun2
[local]Redback(config-tunnel)#peer-end-point local 172.16.1.1 remote 172.20.1.2
[local]Redback(config-tunnel)#no shutdown
[local]Redback(config-tunnel)#end

1.43   perfect-forward-secrecy dh-group

perfect-forward-secrecy dh-group dh-group

no perfect-forward-secrecy dh-group

1.43.1   Command Mode

IPsec policy configuration

1.43.2   Syntax Description

dh-group

1, 2, or 5

1.43.3   Default

No DH group is configured.

1.43.4   Usage Guidelines

This command configures the Diffie-Hellman group used for Perfect Forward Secrecy (PFS) in an IPsec policy. With PFS, every IPsec SA rekey performs a fresh Diffie-Hellman exchange, so compromise of the IKE SA keys, or of the keys of one IPsec SA, does not expose the keys of any other IPsec SA. If this command is not configured, no PFS is negotiated for the policy. Of the available groups, 1 (768-bit MODP) is considerably weaker than 2 (1024-bit) and 5 (1536-bit); configure the strongest group that both peers support. Using the no form of the command resets the configuration to the default.

1.43.5   Examples

[local]Redback(config-ipsec-policy)#perfect-forward-secrecy dh-group 5

1.44   pre-shared-key

pre-shared-key {hex hex-value | ASCII-value | use-aaa}

no pre-shared-key

1.44.1   Command Mode

IKE policy configuration

1.44.2   Syntax Description

hex hex-value

Hexadecimal number (24 to 98 characters).

ASCII-value

ASCII value (12 to 49 characters).

use-aaa

Specifies that the preshared key is configured on the AAA server. The format expected by the node is: ike pre-shared-key {hex hex-value | ASCII-value}


Applies only to on-demand IPsec tunnels. Can only be specified for an IKE policy configured to use aggressive mode for key exchange.

1.44.3   Default

No preshared key is configured.

1.44.4   Usage Guidelines

Specifies the local preshared key in an IKE policy. Using the no form of the command will remove the configuration.

1.44.5   Examples

[local]Redback(config-ike-policy)#pre-shared-key 0x4d794865785061353577307264

1.45   remote-id

remote-id remote_id

1.45.1   Command Mode

tunnel configuration

1.45.2   Syntax Description

remote_id

IP address or FQDN.

1.45.3   Default

No remote ID is specified for an IPsec tunnel.

1.45.4   Usage Guidelines

Specifies the identity of the remote IPsec tunnel endpoint. This value is used when negotiating IKE requests with a remote peer. When IKE sessions are negotiated, the remote ID in the IPsec tunnel endpoint configured on one peer must match the local identity configured in the IKE policy on the other peer.

If not specified, the remote ID is set to the remote IP address of the IPsec tunnel.

1.45.5   Examples

[local]Redback(config)#tunnel ipsec rec_2_1
[local]Redback(config-tunnel)#remote-id 72.0.0.1

1.46   seq (IPsec)

seq sequence-number [protocol] {source-network-prefix/source-prefix-length | any } {eq source-port } [dest-network-prefix/dest-prefix-length | any ] [eq dest-port]

no seq sequence-number

1.46.1   Command Mode

IPsec ACL configuration

IPsec profile configuration

1.46.2   Syntax Description

sequence-number

Sequence number for the statement. Range: 1 to 429496729.

protocol

Optional. Number indicating a protocol as specified in RFC 1700, Assigned Numbers. Range: 0 to 255, or one of the keywords listed in Table 4.

source-network-prefix

Source IP address to be included in the criteria.

source-prefix-length

Number of prefix bits for the source IP address. Range: 0 to 32.

dest-network-prefix

Optional. Destination IP address to be included in the criteria.

dest-prefix-length

Optional. Number of prefix bits for the destination IP address. Range: 0 to 32.

any

Optional. Indicates that IP traffic from all IP addresses is to be included in the criteria. Used instead of specifying the network-prefix and prefix-length.

eq

Optional. Specifies that values must be equal to those specified by the source-port or dest-port argument.

source-port

Optional. Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) source port. This argument is available only if you specify TCP or UDP as the protocol. Range: 1 to 65535 or one of the keywords listed in Table 5 and Table 6.

dest-port

Optional. TCP or UDP destination port. This argument is available only if you specify TCP or UDP as the protocol. Range: 1 to 65535 or one of the keywords listed in Table 5 and Table 6.

1.46.3   Default

No ACLs are configured.

1.46.4   Usage Guidelines

Creates an ACL rule to allow packets that meet the specified criteria. Up to 32 rules can be specified in an IPsec ACL.

Note:  
There is an implicit deny any any statement at the end of every ACL.

Table 4 lists the valid keyword substitutions for the protocol argument.

Table 4    Valid Keyword Substitutions for the protocol Argument

Keyword   Definition
ah        Authentication Header
esp       Encapsulating Security Payload
gre       Generic Routing Encapsulation (GRE)
host      Host source address
icmp      Internet Control Message Protocol (ICMP)
igmp      Internet Group Management Protocol (IGMP)
ip        Internet Protocol v4
ipinip    IP-in-IP tunneling
ospf      Open Shortest Path First (OSPF)
pcp       Payload Compression Protocol (PCP)
pim       Protocol Independent Multicast (PIM)
tcp       Transmission Control Protocol
udp       User Datagram Protocol

Table 5 lists the valid keyword substitutions for the source-port and dest-port argument when they are used to specify a TCP port.

Table 5    Valid Keyword Substitutions for the source-port and dest-port Arguments (TCP Port)

Keyword       Definition                                                  Corresponding Port Number
bgp           Border Gateway Protocol (BGP)                               179
chargen       Character generator                                         19
cmd           Remote commands (rcmd)                                      514
daytime       Daytime                                                     13
discard       Discard                                                     9
domain        Domain Name System                                          53
echo          Echo                                                        7
exec          Exec (rsh)                                                  512
finger        Finger                                                      79
ftp           File Transfer Protocol (FTP)                                21
ftp-data      FTP data connections (used infrequently)                    20
gopher        Gopher                                                      70
hostname      Network interface card (NIC) hostname server                101
ident         Identification protocol                                     113
irc           Internet Relay Chat                                         194
klogin        Kerberos login                                              543
kshell        Kerberos Shell                                              544
login         Login (rlogin)                                              513
lpd           Printer service                                             515
nntp          Network News Transport Protocol (NNTP)                      119
pim-auto-rp   Protocol Independent Multicast Auto-RP                      496
pop2          Post Office Protocol Version 2 (POP2)                       109
pop3          Post Office Protocol Version 3 (POP3)                       110
shell         Remote command shell                                        514
smtp          Simple Mail Transport Protocol (SMTP)                       25
ssh           Secure Shell                                                22
sunrpc        Sun Remote Procedure Call                                   111
syslog        System logger                                               514
tacacs        Terminal Access Controller Access Control System (TACACS)   49
talk          talk                                                        517
telnet        Telnet                                                      23
time          Time                                                        37
uucp          UNIX-to-UNIX Copy Program                                   540
whois         Nickname                                                    43
www           World Wide Web (HTTP)                                       80

Table 6 lists the valid keyword substitutions for the source-port and dest-port arguments when they are used to specify a UDP port.

Table 6    Valid Keyword Substitutions for the source-port and dest-port Arguments (UDP Port)

Keyword       Definition                                                          Corresponding Port Number
biff          Biff (Mail Notification, Comsat)                                    512
bootpc        Bootstrap Protocol client                                           68
bootps        Bootstrap Protocol server                                           67
discard       Discard                                                             9
dnsix         DNSIX Security Protocol Auditing                                    195
domain        Domain Name System (DNS)                                            53
echo          Echo                                                                7
isakmp        Internet Security Association and Key Management Protocol (ISAKMP)  500
mobile-ip     Mobile IP Registration                                              434
nameserver    IEN116 Name Service (obsolete)                                      42
netbios-dgm   NetBIOS Datagram Service                                            138
netbios-ns    NetBIOS Name Service                                                137
netbios-ss    NetBIOS Session Service                                             139
ntp           Network Time Protocol (NTP)                                         123
pim-auto-rp   Protocol Independent Multicast Auto-RP                              496
rip           Routing Information Protocol (RIP)                                  520
snmp          Simple Network Management Protocol (SNMP)                           161
snmptrap      SNMP Traps                                                          162
sunrpc        Sun Remote Procedure Call                                           111
syslog        System logger                                                       514
tacacs        Terminal Access Controller Access Control System                    49
talk          Talk                                                                517
tftp          Trivial File Transfer Protocol (TFTP)                               69
time          Time                                                                37
who           Who Service (rwho)                                                  513
xdmcp         X Display Manager Control Protocol                                  177

1.46.5   Examples

[local]Redback(config-ipsec-acl)#seq 10 tcp 1.1.1.0/24 eq 20000
[local]Redback(config-ipsec-acl)#seq 20 1.1.1.0/24 2.2.2.0/24
[local]Redback(config-ipsec-acl)#seq 30 any any

1.47   seq ipsec-policy

seq id ipsec-policy ipsec-policy-name [access-group ipsec-acl-name]

no seq id ipsec-policy ipsec-policy-name [access-group ipsec-acl-name]

1.47.1   Command Mode

tunnel configuration

IPsec profile configuration

1.47.2   Syntax Description

id

Sequence number for the statement. Range: 1 to 429496729. You can configure up to eight sequenced entries for each tunnel.

ipsec-policy ipsec-policy-name

Name of a previously created IPsec policy.

access-group ipsec-acl-name

Optional. Name of a previously created IPsec ACL.

1.47.3   Default

No IPsec policies are configured for a IPsec tunnel using IKE.

1.47.4   Usage Guidelines

This command applies only to IPsec tunnels using IKE. It specifies up to eight sequenced IPsec policies, each optionally with an IPsec ACL. When no IPsec ACL is specified, a wildcard selector is added by default. Using the no form of the command will remove the configuration.

1.47.5   Examples

[local]Redback(config)#tunnel ipsec rec_2_1
[local]Redback(config-tunnel)#seq 10 ipsec-policy ipsec_Pol1 access-group ipsec_ACL1
[local]Redback(config-tunnel)#seq 20 ipsec-policy ipsec_Pol2 access-group ipsec_ACL2
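The following configuration is added here as a worked example and is not taken from the original reference. It ties the commands of sections 1.31 through 1.47 together for one IKE-negotiated site-to-site tunnel, and also serves as the corrected counterpart to the des-cbc / dh-group 1 proposals shown in the show configuration examples later in this document: it uses the stronger algorithm keywords that appear in this document's examples (3des-cbc, hmac-sha1-96, DH group 2 for IKE, PFS group 5 for IPsec), main mode, bounded time and volume lifetimes, and an IPsec ACL that limits the selector to the two site subnets instead of the wildcard selector that seq ipsec-policy installs when no access-group is given. All names, addresses and subnets are illustrative. Two things are assumed rather than taken from this page: that ike policy is entered from global configuration mode in the same way as ike proposal, and the pre-shared-key form with the hex keyword as given in the syntax line of section 1.44 (the example in that section writes the key with a 0x prefix instead). The command that references the IKE policy from the tunnel (ike policy, section 1.26) and the local identity (identity local, section 1.24) are documented elsewhere in this reference and are not reproduced here.

```text
! Added example; names, addresses and subnets are illustrative.
!
! Phase 1 (IKE) proposal and policy: main mode, 3DES, SHA-1, DH group 2,
! IKE SA rekeyed every eight hours.
ike proposal ikeProp-site
 encryption algorithm 3des-cbc
 authentication algorithm hmac-sha1-96
 dh-group 2
 lifetime seconds 28800
!
! Assumed: ike policy is entered from global configuration mode.
! The key is 26 hex characters, inside the documented 24 to 98 range.
ike policy ikePol-site
 mode main
 pre-shared-key hex 4d794865785061353577307264
 seq 10 proposal ikeProp-site
!
! Phase 2 (IPsec) proposal and policy: ESP with 3DES and SHA-1, PFS with
! DH group 5, IPsec SAs rekeyed after one hour or 4 GB, whichever comes first.
ipsec proposal ipsecProp-site
 esp encryption 3des-cbc
 esp authentication hmac-sha1-96
 lifetime seconds 3600
 lifetime kbytes 4194304
!
ipsec policy ipsecPol-site
 perfect-forward-secrecy dh-group 5
 anti-replay-window 64
 seq 10 proposal ipsecProp-site
!
! Context holding the local endpoint interface, the interface the tunnel
! is bound to, and the selector ACL. Only traffic between the two site
! subnets matches; everything else hits the implicit deny at the end of
! the ACL and is not sent through the tunnel.
context vpn1
 interface to-peer
  ip address 203.0.113.1/30
 !
 interface tunnel_ipsec_1
  ip address 10.255.0.1/30
 !
 ipsec access-list acl-site-a-to-b
  seq 10 10.1.0.0/16 10.2.0.0/16
 !
!
! The tunnel. The local endpoint address must match the to-peer interface
! address in vpn1; remote-id must equal the local identity configured in
! the peer's IKE policy.
tunnel ipsec site-a-to-b
 peer-end-point local 203.0.113.1 remote 198.51.100.1 context vpn1
 remote-id 198.51.100.1
 bind interface tunnel_ipsec_1 vpn1
 seq 10 ipsec-policy ipsecPol-site access-group acl-site-a-to-b
```

After entering the configuration, confirm it with show configuration ike, show configuration ipsec and show configuration tunnel (sections 1.50 to 1.52), and check the negotiated values with show ike policy ikePol-site and show ipsec policy. Remember that show ike policy prints the pre-shared key in clear text for administrator-level users, so its output is as sensitive as the configuration itself.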

1.48   seq proposal

seq sequence-number proposal ike-proposal-name

1.48.1   Command Mode

IKE policy configuration

IPsec policy configuration

1.48.2   Syntax Description

sequence-number

1 to 429496729.

proposal ike-proposal-name

Name of a previously created IKE proposal (in IKE policy configuration mode) or IPsec policy proposal (in IPsec policy configuration mode).

1.48.3   Default

No IKE proposals are configured for an IKE policy. No IPsec proposals are configured for an IPsec policy.

1.48.4   Usage Guidelines

When configuring an IKE policy, specifies the IKE proposals used by the IKE policy. When configuring an IPsec policy, specifies the IPsec proposals used by the IPsec policy. Up to 16 sequenced proposals can be specified for each policy. Using the no form of the command will remove the configuration.

1.48.5   Examples

The following example shows how to add a reference to the IKE_Prop1 IKE proposal to the IKE policy:

[local]Redback(config-ike-policy)#seq 10 proposal IKE_Prop1

The following example shows how to add a reference to the IPsec_Prop1 IPsec proposal to the IPsec policy:

[local]Redback(config-ipsec-policy)#seq 10 proposal IPsec_Prop1

1.49   seq security-association

seq id security-association sa-name [access-group ipsec-acl-name]

no seq id security-association sa-name [access-group ipsec-acl-name]

1.49.1   Command Mode

tunnel configuration

1.49.2   Syntax Description

id

Sequence number for the statement. Range: 1 to 429496729. You can configure up to 8 sequenced entries per tunnel.

security-association sa-name

Name of a previously created IPsec SA.

access-group ipsec-acl-name

Name of a previously created IPsec ACL.

1.49.3   Default

No security associations with manual keys are configured for a manual mode IPsec tunnel.

1.49.4   Usage Guidelines

This command applies only to manual mode IPsec tunnels. It specifies up to eight sequenced manual-keyed SAs, each optionally with an IPsec ACL, for a manual mode IPsec tunnel. When no IPsec ACL is specified, a wildcard selector is added by default. Using the no form of the command will remove the configuration.

1.49.5   Examples

[local]Redback(config)#tunnel ipsec rec_2_1
[local]Redback(config-tunnel)#seq 10 security-association ipsec_sa_1 access-group ipsec_ACL1
[local]Redback(config-tunnel)#seq 20 security-association ipsec_sa_2 access-group ipsec_ACL2

1.50   show configuration ike

show configuration ike [all-contexts] [verbose]

1.50.1   Command Mode

all modes

1.50.2   Syntax Description

all-contexts

Optional. Displays the configuration for IKE in all contexts.

verbose

Optional. Displays all defaulted parameters.

1.50.3   Usage Guidelines

Displays configuration information for IKE in the current context, or in all contexts if the optional all-contexts keyword is specified. The optional verbose keyword lists all defaulted parameters as well.

1.50.4   Examples

[local]Redback#show configuration ike
Building configuration...

Current configuration:

context local
!
! ** End Context **
ike proposal ikeProp1
 authentication algorithm hmac-sha1-96
 encryption algorithm des-cbc
 dh-group 1
 lifetime seconds 3600
!
ike proposal simple-ike-proposal
 authentication algorithm hmac-sha1-96
 encryption algorithm des-cbc
 dh-group 1
 lifetime seconds 3600
!
!
end

1.51   show configuration ipsec

show configuration ipsec [all-contexts] [verbose]

1.51.1   Command Mode

all modes

1.51.2   Syntax Description

all-contexts

Optional. Displays the configuration for IPsec in all contexts.

verbose

Optional. Displays all defaulted parameters.

1.51.3   Usage Guidelines

Displays configuration information for IPsec in the current context, or in all contexts if the optional all-contexts keyword is specified. The optional verbose keyword lists all defaulted parameters as well.

1.51.4   Examples

[local]Redback#show configuration ipsec
Building configuration...

Current configuration:

context local
!
! ** End Context **
ipsec proposal ipsecProp1
 esp encryption des-cbc
 esp authentication hmac-sha1-96
 ip-comp
 lifetime seconds 1800
!
ipsec proposal simple-ipsec-proposal
 esp encryption des-cbc
 esp authentication hmac-sha1-96
 ip-comp
 lifetime seconds 1800
!
ipsec policy ipsecPol1
 anti-replay-window 64
 seq 1 proposal ipsecProp1
!
ipsec policy simple-ipsec-policy
 anti-replay-window 64
 seq 1 proposal simple-ipsec-proposal
!
!
end

1.52   show configuration tunnel

show configuration tunnel [all-contexts] [verbose]

1.52.1   Command Mode

all modes

1.52.2   Syntax Description

all-contexts

Optional. Displays the tunnel configuration in all contexts.

verbose

Optional. Displays all defaulted parameters.

1.52.3   Usage Guidelines

Displays configuration information for tunnels in the current context, or in all contexts if the optional all-contexts keyword is specified. The optional verbose keyword lists all defaulted parameters as well.

1.52.4   Examples

[local]Redback#show configuration tunnel
Building configuration...

Current configuration:

context local
!
! ** End Context **
tunnel ipsec rec_1_2_m manual
 peer-end-point local 1.1.1.1 remote 2.1.1.1 context vpn1
 bind interface tunnel_ipsec_1 vpn1
 seq 10 security-association sa1_2 access-group acl1_2
!
!
end

1.53   show ike policy

show ike [asp slot-id/asp-id] policy [policy-name]

1.53.1   Command Mode

all modes

1.53.2   Syntax Description

asp slot-id

Optional. Number of the chassis slot where the card is installed. The range of values depends on the chassis:


  • SmartEdge 800 or 1200: 1 to 6 and 9 to 14

  • SmartEdge 400: 1 to 4

asp-id

Optional. ID of the ASP on the ASE card. Possible values are 1 and 2.

policy policy-name

Optional. Name of a previously created IKE policy.

1.53.3   Usage Guidelines

Displays configuration information for IKE policies in the current context. If no IKE policy is specified, one line of configuration information for each IKE policy with the name, local ID, and mode is displayed. If an IKE policy is specified, all attributes, including defaults, are displayed for the specified policy. If no ASP is specified, the information is retrieved from the SmartEdge controller card; otherwise, it is retrieved from the specified ASP. As the example shows, the pre-shared key is displayed in clear text to users with administrator privileges and masked for operators, so treat the output of this command as sensitive and do not paste it into tickets or logs.

1.53.4   Examples

[local]Redback#show ike policy
Name                  Local-ID        Mode
ike-policy1           1.1.1.1         aggressive 

[local]Redback#show ike policy ike-policy1
IKE Policy:      ike-policy1
Description:     IKE policy for aggressive mode
Mode:            aggressive
Connection Type: both
Local Identity:  1.1.1.1
Remote Identity: 2.2.2.2   3.3.3.3   4.4.4.4   5.5.5.5
Pre-shared Key:  0x123456789101234567890    (as displayed to administrators)
Pre-shared Key:  **********                 (as displayed to operators)
seq 10  proposal IKE-Prop1
seq 20  proposal IKE-Prop2

1.54   show ike proposal

show ike [asp slot-id/asp-id] proposal [proposal-name]

1.54.1   Command Mode

all modes

1.54.2   Syntax Description

asp slot-id

Optional. Number of the chassis slot where the card is installed. Possible values are 1 to 14. The actual slots that can contain an ASE card depend on the chassis:


  • SmartEdge 800 or 1200: 1 to 6 and 9 to 14

  • SmartEdge 400: 1 to 4

asp-id

Optional. ID of the ASP on the ASE card. Possible values are 1 and 2.

proposal proposal-name

Optional. Name of a previously created IKE proposal.

1.54.3   Usage Guidelines

Displays configuration information for IKE proposals. If no IKE proposal is specified, one line of configuration information for each IKE proposal with the name, encryption algorithm, authentication algorithm, and Diffie-Hellman group is displayed. If an IKE proposal is specified, all attributes, including defaults, are displayed for the specified proposal. If no ASP is specified, the information is retrieved from the SmartEdge controller card; otherwise, it is retrieved from the specified ASP.

1.54.4   Examples

[local]Redback#show ike proposal
               Encryption    Authentication   DH-Group
IKE-Prop1      des-cbc       hmac-md5-96      1
IKE-Prop2      3des-cbc      hmac-sha1-96     2
[local]Redback#show ike asp 2/1 proposal IKE-Prop1
IKE Proposal                : IKE-Prop1
Encryption Algorithm        : des-cbc
Authentication Algorithm    : hmac-md5-96
DH Group                    : 1
Lifetime                    : 86400 seconds

1.55   show ike statistics tunnel

show ike statistics tunnel tunnel-name

1.55.1   Command Mode

all modes

1.55.2   Syntax Description

tunnel-name

Name of a previously created IPsec tunnel.

1.55.3   Usage Guidelines

Displays the IKE statistics associated with the given tunnel.

1.55.4   Examples

[local]Redback#show ike statistics tunnel ipsec-tunnel1
Number of IKE local attempts                            : 0
Number of IKE remote attempts                           : 1
Number of Failed IKE local attempts                     : 0
Number of Failed IKE remote attempts                    : 0
Number of P2SA created as Initiator                     : 0
Number of P2SA created as responder                     : 1

Number of P2  Proposal mismatch                         : 0
Number of P2TS mismatch                                 : 8
Invalid IKE Cookie                                      : 0
Invalid Major Version in IKE                            : 0
Invalid Minor Version in IKE                            : 0
Invalid IKE Exchange Type                               : 0
Invalid Flags                                           : 0
Invalid IKE Message ID                                  : 0
Invalid Protocol ID                                     : 0
Invalid SPI                                             : 0
Invalid Transform ID                                    : 0
Invalid Payload  Type                                   : 0
Invalid Payload  Type  format                           : 0
Invalid Key Info                                        : 0
Errors due to Invalid ID Info                           : 0
Errors due to Invalid Encoding in cert payload          : 0
Errors due to  Invalid Encoding in cert data            : 0
Errors due to Invalid CA data in CERT_REQ payload       : 0
Errors due to Invalid hash data in hash payload         : 0
Errors due to Invalid signature                         : 0
Number of times authentication Failed                   : 0
Errors due to  P1 proposal mismatch                     : 0
Errors due to Bad Proposal syntax                       : 0
Number of  times payload lengths mismatched             : 0
Number of times certificate requested is unavailable    : 0
Errors due to lack of support for DOI in SA payload     : 0
Errors due to lack of protection for the situation      : 0
Errors due to lack of matching attribute                : 0
Number of Times the Certificate type is not supported   : 0
Number of times mismatch in Exchange Type is detected   : 0

Number of IKE local Phase2 attempts                     : 1
Number of IKE remote Phase2 attempts                    : 8
Number of IKE local Phase2 attempts failed              : 0
Number of IKE remote Phase2 attempts failed             : 8
Number of in packets                                    : 12
IN Packets' Higher Order Counter Value                  : 0
Number of out packets                                   : 5
OUT Packets' Higher Order Counter value                 : 0
Number of in bytes                                      : 1816
IN Bytes' Higher Order Counter value                    : 0
Number of out bytes                                     : 624
OUT Bytes' Higher Order Counter value                   : 0

Cumulative Statistics of Invalid Protocol ID            : 0
Cumulative Statistics of Invalid SPI                    : 0
Cumulative Statistics of Invalid Transform ID           : 0
Cumulative Statistics of Invalid Payload Type           : 0
Cumulative Statistics of Invalid Payload Format         : 0
Cumulative Statistics of Invalid Key Type               : 0
Cumulative Statistics of Invalid ID Info                : 0

1.56   show ipsec access-list

show ipsec [asp slot-id/asp-id] access-list [ipsec-acl-name]

1.56.1   Command Mode

all modes

1.56.2   Syntax Description

asp slot-id

Optional. Number of the chassis slot where the card is installed. Possible values are 1 to 14. The actual slots that can contain an ASE card depend on the chassis:


  • SmartEdge 800 or 1200: 1 to 6 and 9 to 14

  • SmartEdge 400: 1 to 4

asp-id

Optional. ID of the ASP on the ASE card. Possible values are 1 and 2.

access-list ipsec-acl-name

Optional. Name of a previously created IPsec ACL.

1.56.3   Usage Guidelines

Displays configuration information for IPsec ACLs configured in the current context. If no ACL is specified, one line of configuration information for each ACL with the name and description is displayed. If an ACL is specified, all of its entries are displayed in sequence order. If no ASP is specified, the information is retrieved from the SmartEdge controller card; otherwise, it is retrieved from the specified ASP.

1.56.4   Examples

[local]Redback#show ipsec access-list

Name                                 Description
Ipsec-ACL1                           IPsec Access List #1
[local]Redback#show ipsec access-list Ipsec-ACL1
IPsec Access-List: Ipsec-ACL1
Description:    IPsec Access List #1
Seq 1 tcp 1.1.1.0/24 eq 200000 2.2.2.0/24 eq 200000
Seq 2 1.1.1.0/24 2.2.2.0/24
Seq 3 any any

1.57   show ipsec profile

show ipsec [asp slot-id/asp-id] profile [profile-name]

1.57.1   Command Mode

all modes

1.57.2   Syntax Description

asp slot-id

Optional. Number of the chassis slot where the card is installed. Possible values are 1 to 14. The actual slots that can contain an ASE card depend on the chassis:


  • SmartEdge 800 or 1200: 1 to 6 and 9 to 14

  • SmartEdge 400: 1 to 4

asp-id

Optional. ID of the ASP on the ASE card. Possible values are 1 and 2.

profile profile-name

Optional. Name of an IPsec profile.

1.57.3   Usage Guidelines

Displays configuration information for IPsec profiles configured in the current context. If no ASP is specified, the information is retrieved from the SmartEdge controller card; otherwise, it is retrieved from the specified ASP.

1.57.4   Examples

[vpn1]l4l7-1#show ipsec profile
IPsec Profile: rec1_1
 DF Bit: 0
 MTU: 1480
 1 IPSec Policy: ipsec_policy1 Access List: acl1_1

1.58   show ipsec policy

show ipsec [asp slot-id/asp-id] policy [policy-name]

1.58.1   Command Mode

all modes

1.58.2   Syntax Description

asp slot-id

Optional. Number of the chassis slot where the card is installed. Possible values are 1 to 14. The actual slots that can contain an ASE card depend on the chassis:


  • SmartEdge 800 or 1200: 1 to 6 and 9 to 14

  • SmartEdge 400: 1 to 4

asp-id

Optional. ID of the ASP on the ASE card. Possible values are 1 and 2.

policy policy-name

Optional. Name of a previously created IPsec policy.

1.58.3   Usage Guidelines

Displays configuration information for IPsec policies in the current context. If no IPsec policy is specified, one line of configuration information for each IPsec policy with the name and perfect-forward-secrecy (PFS) Diffie-Hellman group is displayed. If an IPsec policy is specified, all attributes, including defaults, are displayed for the specified policy, followed by its IPsec proposals in sequence order. If no ASP is specified, the information is retrieved from the SmartEdge controller card; otherwise, it is retrieved from the specified ASP.

1.58.4   Examples

[local]Redback#show ipsec policy
Name                                   PFS
Ipsec-Policy1                          dh-group 2
[local]Redback#show ipsec policy Ipsec-Policy1
IPsec Policy: Ipsec-Policy1
Perfect-forward-secrecy:  dh-group 2
Anti-replay-window:       64
seq 10 ipsec-Prop1
seq 20 ipsec-Prop2

1.59   show ipsec proposal

show ipsec [asp slot-id/asp-id] proposal [proposal-name]

1.59.1   Command Mode

all modes

1.59.2   Syntax Description

asp slot-id

Optional. Number of the chassis slot where the card is installed. Possible values are 1 to 14. The actual slots that can contain an ASE card depend on the chassis:


  • SmartEdge 800 or 1200: 1 to 6 and 9 to 14

  • SmartEdge 400: 1 to 4

asp-id

Optional. ID of the ASP on the ASE card. Possible values are 1 and 2.

proposal proposal-name

Optional. Name of a previously created IPsec proposal.

1.59.3   Usage Guidelines

Displays configuration information for IPsec proposals. If no IPsec proposal is specified, one line of configuration information for each IPsec proposal with the name, encryption algorithm, authentication algorithm, and ip-comp flag is displayed. If an IPsec proposal is specified, all attributes, including defaults, are displayed for the specified proposal. If no ASP is specified, the information is retrieved from the SmartEdge controller card; otherwise, it is retrieved from the specified ASP.

1.59.4   Examples

[local]Redback#show ipsec proposal
Name          Encryption    Authentication   IP-Comp
ipsec-Prop1   des-cbc       hmac-md5-96      Enabled
ipsec-Prop2   3des-cbc      hmac-sha1-96     Disabled
[local]Redback#show ipsec proposal ipsec-Prop1
IPsec Proposal: ipsec-Prop1
Description: IPsec Proposal 1
ESP:         encryption: aes-128-ctr
             authentication: hmac-sha1-96
AH:          authentication: hmac-md5-96
IP-Comp:     Enabled
Lifetime:    86400 seconds, 50000 KBytes

1.60   show ipsec security-association

show ipsec [asp slot-id/asp-id] security-association [sa-name]

1.60.1   Command Mode

all modes

1.60.2   Syntax Description

asp slot-id

Optional. Number of the chassis slot where the card is installed. Possible values are 1 to 14. The actual slots that can contain an ASE card depend on the chassis:


  • SmartEdge 800 or 1200: 1 to 6 and 9 to 14

  • SmartEdge 400: 1 to 4

asp-id

Optional. ID of the ASP on the ASE card. Possible values are 1 and 2.

security-association sa-name

Optional. Name of a previously created IPsec SA.

1.60.3   Usage Guidelines

Displays configuration information for IPsec SAs configured in the current context. If no SA is specified, one line of configuration information for each SA with the name and description is displayed. If an SA is specified, all attributes, including defaults, are displayed for the specified SA. Manually configured key values are displayed in hexadecimal only to administrators; operators see each key masked as **********. If no ASP is specified, the information is retrieved from the SmartEdge controller card; otherwise, it is retrieved from the specified ASP.

1.60.4   Examples

[local]Redback#show ipsec security-association

Name                     Description
ipsec-sa1                IPsec Security Association #1
[local]Redback#show ipsec security-association ipsec-sa1

IPsec Security-Association: ipsec-sa1
Description:    IPsec Security Association #1
Anti Replay Window Size: 64
Ip-Compression: Enable
Security Association: both
   esp spi 0x00001111
       encryption 3des-cbc
         key 0x010203040506070809
       authentication hmac-sha1-96
         key 0x010203040506070809
   ah spi 0x00002222 hmac-md5-96
         key 0x0102030405060708

The output above is what an administrator sees. An operator running the same command sees every key line masked:

         key **********
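The masked operator view is the only protection the device applies to manual key material; once an administrator copies the unmasked output into a ticket, a chat or a log, the keys travel with it. The following Python script is an added example (not SmartEdge OS code) that applies the same masking to a captured dump before it is shared, and also checks that each manual key has the length its transform expects. The sample dump is constructed in the format shown above, and the key-size table is this example's own assumption based on the standard sizes for those transforms (DES 8, 3DES 24, AES-128/192/256 16/24/32, HMAC-MD5-96 16 and HMAC-SHA1-96 20 bytes).

```python
"""Redact and sanity-check manual-SA key material in the output of
`show ipsec security-association <name>`.

Added example, not SmartEdge OS code. SAMPLE is constructed in the format
this document shows; KEY_BYTES is this example's own table of the standard
key sizes for each transform.
"""
import re

# Expected key length in bytes per transform (assumed standard sizes).
KEY_BYTES = {
    "des-cbc": 8, "3des-cbc": 24,
    "aes-128-cbc": 16, "aes-192-cbc": 24, "aes-256-cbc": 32,
    "hmac-md5-96": 16, "hmac-sha1-96": 20,
}

ALG_RE = re.compile(r"^\s*(encryption|authentication)\s+(\S+)")   # ESP lines
AH_RE = re.compile(r"^\s*ah spi\s+\S+\s+(\S+)")                     # ah spi <spi> <auth-alg>
KEY_RE = re.compile(r"^(\s*key\s+)0x([0-9A-Fa-f]+)\s*$")            # key 0x...

def redact(text):
    """Return the dump with every hex key replaced by the operator mask."""
    return "\n".join(KEY_RE.sub(r"\g<1>**********", line)
                     for line in text.splitlines())

def check_key_lengths(text):
    """Return (transform, actual_bytes, expected_bytes) for each key whose
    length does not match its transform, or whose hex string is odd-length."""
    problems = []
    alg = None
    for line in text.splitlines():
        if m := ALG_RE.match(line):
            alg = m.group(2)
        elif m := AH_RE.match(line):
            alg = m.group(1)
        elif m := KEY_RE.match(line):
            hexkey = m.group(2)
            actual, expected = len(hexkey) // 2, KEY_BYTES.get(alg)
            if len(hexkey) % 2 or (expected is not None and actual != expected):
                problems.append((alg, actual, expected))
    return problems

# Constructed administrator-view dump: a correctly sized 3DES key, a
# deliberately short HMAC-SHA1-96 key, and a correctly sized HMAC-MD5-96 key.
SAMPLE = """\
IPsec Security-Association: ipsec-sa1
Description:    IPsec Security Association #1
Anti Replay Window Size: 64
Ip-Compression: Enable
Security Association: both
   esp spi 0x00001111
       encryption 3des-cbc
         key 0x0102030405060708090a0b0c0d0e0f101112131415161718
       authentication hmac-sha1-96
         key 0x010203040506070809
   ah spi 0x00002222 hmac-md5-96
         key 0x0102030405060708090a0b0c0d0e0f10
"""

if __name__ == "__main__":
    for alg, actual, expected in check_key_lengths(SAMPLE):
        print(f"{alg}: key is {actual} bytes, expected {expected}")
    print(redact(SAMPLE))
```

Run the length check against the administrator view, then share only the redacted text; a key of the wrong length for its transform is usually a copy-and-paste error that will surface later as a silent authentication or decryption failure on the tunnel.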

1.61   show tunnel ipsec

show tunnel ipsec [[name tunnel-name | remote ip-address] [detail] | [tunnel-name] on-demand]

1.61.1   Command Mode

all modes

1.61.2   Syntax Description

name tunnel-name

Optional. Name of a previously created IPsec tunnel.

remote ip-address

Optional. IP address of the remote endpoint.

detail

Optional. Displays detailed configuration information.

tunnel-name

Optional. Name of a previously created on-demand IPsec tunnel; used only together with the on-demand keyword.

on-demand

Optional. Displays information about on-demand IPsec tunnels.

1.61.3   Usage Guidelines

Displays configuration information for IPsec tunnels. If no IPsec tunnel is specified, generic information about all IPsec tunnels is displayed. Use the name keyword to display a single IPsec tunnel, or the remote keyword to display all IPsec tunnels that share the specified remote endpoint. The generic attributes displayed are the name, endpoints, ASP slot/ID, state, bound interface, circuit ID, and circuit handle. If you add the detail keyword to a name or remote selection, IPsec-specific attributes are also displayed: the IPsec policy and access group, each active SA with its SPI, encryption algorithm, and authentication algorithm, and the traffic selector. Use the on-demand keyword alone to list on-demand tunnels with the number of dynamic tunnels each has created; use tunnel-name on-demand to display the IKE policy, local IP address, bind interface and context, tunnel limits, and the dynamically created tunnels of the specified on-demand tunnel.

1.61.4   Examples

[local]Redback#show tunnel ipsec

::::: Tunnel : rec_2_1
   Key       : -
   Remote IP : 77.0.0.1    Local IP    : 77.0.0.2
   Tnl Type  : IPsec       ASP Slot/Id : 2/1
   State     : Up          Bound to    : tunnel_ipsec2@ipsec_context2
   Circuit ID: 18          Internal Hdl: 255/28:1023:63/0/1/18

::::: Tunnel : rec_1_2
   Key       : -
   Remote IP : 77.0.0.2    Local IP    : 77.0.0.1
   Tnl Type  : IPsec       ASP Slot/Id : 2/1
   State     : Up          Bound to    : tunnel_ipsec2@ipsec_context
   Circuit ID: 17          Internal Hdl: 255/28:1023:63/0/1/17
[local]Redback#show tunnel ipsec name rec_2_1
 ::::: Tunnel : rec_2_1
    Key       : -
    Remote IP : 77.0.0.1    Local IP    : 77.0.0.2
    Tnl Type  : IPsec       ASP Slot/Id : 2/1
    State     : Up          Bound to    : tunnel_ipsec2@ipsec_context2
    Circuit ID: 18          Internal Hdl: 255/28:1023:63/0/1/18
[local]Redback#show tunnel ipsec remote 77.0.0.1 detail


::::: Tunnel : rec_2_1
   Key       : -
   Remote IP : 77.0.0.1    Local IP    : 77.0.0.2
   Tnl Type  : IPsec       ASP Slot/Id : 2/1
   State     : Up          Bound to    : tunnel_ipsec2@ipsec_context2
   Circuit ID: 18          Internal Hdl: 255/28:1023:63/0/1/18
   Tunnel is User Configured
   local-ip 77.0.0.2, context-for-local-ip: ipsec_context2
   mtu 1480
   log-state-changes no
   clear-df no
   destination UP on nhop resolved in valid intf
   resolved on to_ipsec_peer2 grid 0x1000000c
   Tunnel ID: ipsec 18
   Circuit ID Internal: 255/28:1023:63/0/1/18
IPsec Policy: sa2_1   Access Group: acl2_1
SA #1: Inbound ESP
   SPI : 0x1f4
   Encr: aes-128-cbc
   Auth: none
Selector: IP 55.0.0.2/32 -> 55.0.0.1/32
[local]l4l7-1#show tunnel ipsec rec1_1 on-demand
IKE Policy         : ike_policy1_1
Local IP           : 1.1.1.1
Bind Interface     : tunnel_ipsec_multibind_1_1
Bind Context       : vpn1
AAA Authentication : Disabled
Maximum Tunnels    : 1
Number of Tunnels  : 1
Number of Active Tunnels: 1
Local IP: 1.1.1.1
Remote-IP     ASP   Tunnel-Name                Bind                       Context   Creation Time
2.1.1.1       2/1  _*DynTun*_23000001_00310000 tunnel_ipsec_multibind_1_1 vpn1          Today        

[local]l4l7-1#show tunnel ipsec on-demand       
Tunnel                  Count
rec1_1                   1
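The detail output above reports, per SA, the transforms actually in use. Note that SA #1 in the example carries Encr: aes-128-cbc with Auth: none, that is, ESP encryption with no integrity protection; in that mode ESP does not detect modified ciphertext. The following Python script is an added example (not SmartEdge OS code) that parses show tunnel ipsec detail output, lists each tunnel's state and SAs, and flags tunnels that are not Up, ESP SAs with Auth none, and weak encryption transforms. The sample dump (including its Down tunnel and des-cbc SA) and the flagging policy are this example's own construction.

```python
"""Audit `show tunnel ipsec ... detail` output for tunnels that are not Up
and for SAs that lack integrity protection or use a weak cipher.

Added example, not SmartEdge OS code. SAMPLE is constructed from the format
shown in this document; WEAK_ENCR and the checks in audit() are this
example's own policy.
"""
import re

TUNNEL_RE = re.compile(r"^\s*::::: Tunnel\s*:\s*(\S+)")
ENDPOINTS_RE = re.compile(r"^\s*Remote IP\s*:\s*(\S+)\s+Local IP\s*:\s*(\S+)")
STATE_RE = re.compile(r"^\s*State\s*:\s*(\S+)")
SA_RE = re.compile(r"^\s*SA #(\d+):\s*(\S+)\s+(\S+)")          # SA #1: Inbound ESP
FIELD_RE = re.compile(r"^\s*(SPI|Encr|Auth)\s*:\s*(\S+)")
SELECTOR_RE = re.compile(r"^\s*Selector:\s*(.+?)\s*$")

# Encryption transforms this example refuses to accept (assumed policy).
WEAK_ENCR = {"des-cbc", "null"}

def parse_tunnels(text):
    """Return a list of tunnel dicts, each with its state, endpoints, SAs
    and selectors, from one or more ':::::' tunnel blocks."""
    tunnels = []
    cur = sa = None
    for line in text.splitlines():
        m = TUNNEL_RE.match(line)
        if m:
            cur = {"name": m.group(1), "state": None, "remote": None,
                   "local": None, "sas": [], "selectors": []}
            tunnels.append(cur)
            sa = None
            continue
        if cur is None:
            continue
        if m := ENDPOINTS_RE.match(line):
            cur["remote"], cur["local"] = m.group(1), m.group(2)
        elif m := STATE_RE.match(line):
            cur["state"] = m.group(1)
        elif m := SA_RE.match(line):
            sa = {"index": int(m.group(1)), "direction": m.group(2),
                  "proto": m.group(3), "SPI": None, "Encr": None, "Auth": None}
            cur["sas"].append(sa)
        elif (m := FIELD_RE.match(line)) and sa is not None:
            sa[m.group(1)] = m.group(2)
        elif m := SELECTOR_RE.match(line):
            cur["selectors"].append(m.group(1))
    return tunnels

def audit(tunnels):
    """Return human-readable findings for operationally or cryptographically
    weak tunnels."""
    findings = []
    for t in tunnels:
        if t["state"] != "Up":
            findings.append(f"{t['name']}: state is {t['state']}, not Up")
        for sa in t["sas"]:
            tag = (f"{t['name']} SA #{sa['index']} "
                   f"({sa['direction']} {sa['proto']}, SPI {sa['SPI']})")
            if sa["proto"] == "ESP" and sa["Auth"] == "none":
                findings.append(f"{tag}: ESP with Auth none has no integrity protection")
            if sa["Encr"] in WEAK_ENCR:
                findings.append(f"{tag}: weak encryption {sa['Encr']}")
    return findings

# Constructed dump: one healthy-looking tunnel whose ESP SA has no
# authentication, and one tunnel that is down and negotiated des-cbc.
SAMPLE = """\
::::: Tunnel : rec_2_1
   Key       : -
   Remote IP : 77.0.0.1    Local IP    : 77.0.0.2
   Tnl Type  : IPsec       ASP Slot/Id : 2/1
   State     : Up          Bound to    : tunnel_ipsec2@ipsec_context2
   Circuit ID: 18          Internal Hdl: 255/28:1023:63/0/1/18
   mtu 1480
IPsec Policy: sa2_1   Access Group: acl2_1
SA #1: Inbound ESP
   SPI : 0x1f4
   Encr: aes-128-cbc
   Auth: none
Selector: IP 55.0.0.2/32 -> 55.0.0.1/32

::::: Tunnel : rec_1_2
   Key       : -
   Remote IP : 77.0.0.2    Local IP    : 77.0.0.1
   Tnl Type  : IPsec       ASP Slot/Id : 2/1
   State     : Down        Bound to    : tunnel_ipsec2@ipsec_context
   Circuit ID: 17          Internal Hdl: 255/28:1023:63/0/1/17
IPsec Policy: sa1_2   Access Group: acl1_2
SA #1: Inbound ESP
   SPI : 0x1f5
   Encr: des-cbc
   Auth: hmac-sha1-96
Selector: IP 55.0.0.1/32 -> 55.0.0.2/32
"""

if __name__ == "__main__":
    for finding in audit(parse_tunnels(SAMPLE)):
        print(finding)
```

Feed the script the output of show tunnel ipsec remote ip-address detail for each peer address; an ESP SA reported with Auth none should be treated as a configuration fault in the proposal, not as a transient state.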

1.62   show tunnel ipsec statistics

show tunnel ipsec name tunnel-name [on-demand] statistics

1.62.1   Command Mode

all modes

1.62.2   Syntax Description

name tunnel-name

Name of a previously created IPsec tunnel.

on-demand

Optional. Displays information about on-demand IPsec tunnels.

1.62.3   Usage Guidelines

Displays the IPsec statistics associated with the specified tunnel.

1.62.4   Examples

The following example shows the results following a ping test in which 215 packets were sent.

[local]Redback#show tunnel ipsec name rec_2_1 statistics

IPsec Decryption Errors                                  : 0
IPsec Authentication Errors                              : 0
IPsec Policy Errors                                      : 0
IPsec Padding Errors                                     : 0
Anti-Replay Errors in IPsec                              : 0
Other Errors in IPsec                                    : 0
Number of IN IPsec packets                               : 215
IPsec IN packets HO value                                : 0
Number of OUT IPsec packets                              : 215
IPsec OUT packets HO value                               : 0
Send OUT IPsec pkts Errors                               : 0
Total IN Bytes Processed By IPsec                        : 15480
IN Bytes Processed HO value                              : 0
Total OUT Bytes Processed By IPsec                       : 15480
OUT Bytes Processed HO value                             : 0
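Both the show ike statistics tunnel output at the top of this section and the show tunnel ipsec statistics output above print one counter per line, with 64-bit counters split into a low word and a separately printed "Higher Order" or "HO" word. The following Python script is an added example (not SmartEdge OS code) serving both passages: it parses such dumps, rebuilds the 64-bit values, and diffs two snapshots to report growth in the failure counters a practitioner watches (failed and mismatched negotiations, invalid cookies, and authentication, decryption and anti-replay errors). The two snapshots are constructed from the format shown; the pairing of high-order labels with their base counters and the alert list are this example's own assumptions.

```python
"""Turn the counter dumps printed by `show ike statistics tunnel <name>` and
`show tunnel ipsec name <name> statistics` into numbers you can alert on.

Added example, not SmartEdge OS code. IKE_T0/IKE_T1 are constructed from the
format shown in this document; HIGH_ORDER and ALERT_FIELDS are this
example's own assumptions.
"""
import re

# "Label                          : 123" -> (label, 123)
LINE_RE = re.compile(r"^\s*(?P<label>\S.*?)\s*:\s*(?P<value>\d+)\s*$")

# The output splits 64-bit counters into a low 32-bit value and a separately
# printed high-order word; map each high-order label to its base counter.
HIGH_ORDER = {
    "IN Packets' Higher Order Counter Value": "Number of in packets",
    "OUT Packets' Higher Order Counter value": "Number of out packets",
    "IN Bytes' Higher Order Counter value": "Number of in bytes",
    "OUT Bytes' Higher Order Counter value": "Number of out bytes",
    "IPsec IN packets HO value": "Number of IN IPsec packets",
    "IPsec OUT packets HO value": "Number of OUT IPsec packets",
    "IN Bytes Processed HO value": "Total IN Bytes Processed By IPsec",
    "OUT Bytes Processed HO value": "Total OUT Bytes Processed By IPsec",
}

# Counters whose growth between two snapshots deserves a look: failed or
# mismatched negotiations, bad cookies, and packet-level integrity or replay
# failures on an established tunnel. Assumed list; tune per deployment.
ALERT_FIELDS = (
    "Number of Failed IKE remote attempts",
    "Invalid IKE Cookie",
    "Number of times authentication Failed",
    "Number of P2TS mismatch",
    "Number of IKE remote Phase2 attempts failed",
    "IPsec Decryption Errors",
    "IPsec Authentication Errors",
    "Anti-Replay Errors in IPsec",
)

def parse_counters(text):
    """Return {label: int} for every 'label : integer' line in a dump."""
    counters = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            counters[m.group("label")] = int(m.group("value"))
    return counters

def fold_high_order(counters):
    """Merge each high-order word into its base counter as one 64-bit value."""
    folded = dict(counters)
    for hi_label, lo_label in HIGH_ORDER.items():
        if hi_label in folded and lo_label in folded:
            hi = folded.pop(hi_label)
            folded[lo_label] = (hi << 32) | (folded[lo_label] & 0xFFFFFFFF)
    return folded

def diff_alerts(before, after, fields=ALERT_FIELDS):
    """Return {label: increase} for alert counters that grew between snapshots."""
    return {f: after.get(f, 0) - before.get(f, 0)
            for f in fields if after.get(f, 0) > before.get(f, 0)}

# Constructed snapshots of `show ike statistics tunnel ipsec-tunnel1`, taken
# before and after a peer repeatedly proposed non-matching traffic selectors.
IKE_T0 = """\
Number of IKE remote attempts                           : 1
Number of Failed IKE remote attempts                    : 0
Number of P2TS mismatch                                 : 0
Invalid IKE Cookie                                      : 0
Number of times authentication Failed                   : 0
Number of IKE remote Phase2 attempts                    : 0
Number of IKE remote Phase2 attempts failed             : 0
Number of in packets                                    : 4
IN Packets' Higher Order Counter Value                  : 0
"""
IKE_T1 = """\
Number of IKE remote attempts                           : 1
Number of Failed IKE remote attempts                    : 0
Number of P2TS mismatch                                 : 8
Invalid IKE Cookie                                      : 0
Number of times authentication Failed                   : 0
Number of IKE remote Phase2 attempts                    : 8
Number of IKE remote Phase2 attempts failed             : 8
Number of in packets                                    : 12
IN Packets' Higher Order Counter Value                  : 1
"""

if __name__ == "__main__":
    before = fold_high_order(parse_counters(IKE_T0))
    after = fold_high_order(parse_counters(IKE_T1))
    print("in packets (64-bit):", after["Number of in packets"])
    for label, delta in diff_alerts(before, after).items():
        print(f"ALERT {label}: +{delta}")
```

The same parser handles the show tunnel ipsec statistics dump, whose IPsec Authentication Errors and Anti-Replay Errors in IPsec lines are the ones to watch on an established tunnel; a rising P2TS mismatch count with no successful Phase 2, as in the constructed snapshots, points at a traffic-selector (ipsec access-list) disagreement between the two peers rather than at a key or algorithm problem.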

1.63   tunnel ipsec

tunnel ipsec name [manual | on-demand]

no tunnel ipsec name

1.63.1   Command Mode

global configuration

1.63.2   Syntax Description

name

Unique name for the IPsec tunnel; up to 50 characters. Do not use the reserved prefix _*DynTun*_.

manual

Optional. The tunnel must be configured with manually configured SAs.

on-demand

Optional. Creates the remote tunnel endpoint on demand during connection.

1.63.3   Default

No IPsec tunnels are configured.

1.63.4   Usage Guidelines

Creates (with default attributes) or selects an IPsec tunnel, and enters tunnel configuration mode. Use the manual keyword to create an IPsec tunnel that uses SAs manually configured with the ipsec security-association command; otherwise, the IPsec tunnel uses SAs negotiated using IKE. Use the on-demand keyword to create a tunnel whose remote endpoints are created dynamically as peers connect; the dynamically created tunnels are named with the reserved prefix _*DynTun*_. Once an IPsec tunnel is created, you cannot change its mode. Use the no form of this command to remove an IPsec tunnel and its configuration.

1.63.5   Examples

[local]Redback(config)#tunnel ipsec rec_2_1
[local]Redback(config)#tunnel ipsec rec_3_2 on-demand

Glossary

ACL
Access Control List
 
AH
Authentication Header
 
ASE
Advanced Services Engine
 
BGP
Border Gateway Protocol
 
DF
Don't Fragment
 
DNS
Domain Name System
 
DoS
Denial of Service
 
DPD
Dead Peer Detection
 
ESP
Encapsulating Security Payload
 
FTP
File Transfer Protocol
 
GRE
Generic Routing Encapsulation
 
ICMP
Internet Control Message Protocol
 
IGMP
Internet Group Management Protocol
 
IPComp
IP Compression
 
IPsec
Internet Protocol Security
 
NIC
Network interface card
 
NNTP
Network News Transfer Protocol
 
NTP
Network Time Protocol
 
OSPF
Open Shortest Path First
 
PCP
Payload Compression Protocol
 
PFS
Perfect Forward Secrecy
 
PIM
Protocol Independent Multicast
 
POP2
Post Office Protocol Version 2
 
POP3
Post Office Protocol Version 3
 
RIP
Routing Information Protocol
 
SA
Security Association
 
SMTP
Simple Mail Transfer Protocol
 
SNMP
Simple Network Management Protocol
 
SPI
Security Parameter Index
 
TACACS
Terminal Access Controller Access Control System
 
TCP
Transmission Control Protocol
 
TFTP
Trivial File Transfer Protocol
 
UDP
User Datagram Protocol
 
VPN
Virtual Private Network

Reference List

[1] IPsec VPN Overview, 2/221 02-CRA 119 1170/1.
[2] IPsec VPN Configuration and Operation Using the SmartEdge OS CLI, 1/1543-CRA 119 1170/1.
[3] Command List, 1/19077-CRA 119 1170/1.