See VPRN Services Command Reference for the command descriptions.
Refer to the section “Card, Adapter Card, and Port Command Reference” in the 7705 SAR OS Interface Configuration Guide for information on the show>mda commands.
Refer to the section “IP Router Command Reference” in the 7705 SAR OS Router Configuration Guide for information on the show>router >interface statistics command.
This command creates a text description stored in the configuration file for a configuration context.
The no form of this command removes the string from the context.
No description is associated with the configuration context.
The shutdown command administratively disables an entity. The operational state of the entity is disabled as well as the operational state of any entities contained within. When disabled, an entity does not change, reset, or remove any configuration settings or statistics. Many objects must be shut down before they may be deleted. Many entities must be explicitly enabled using the no shutdown command.
The no form of this command places the entity into an administratively enabled state.
Services are created in the administratively down state (shutdown). When a no shutdown command is entered, the service becomes administratively up and then tries to enter the operationally up state.
This command creates an ISA tunnel configuration context.
The no form of this command removes the context.
n/a
This command enables a tunnel group to be created or edited. The 7705 SAR can have only one tunnel group (tunnel-group 1).
The no form of the command deletes the specified tunnel group from the configuration.
n/a
This command enables the context to configure Internet Protocol security (IPSec) parameters. IPSec is a framework of open standards that provides private, secure communications over Internet Protocol (IP) networks by using cryptographic security services.
This command enables provisioning of IKE policy parameters.
The no form of the command removes the IKE policy.
This command specifies which hashing algorithm to use for the IKE authentication function. The no form of the command returns the parameter to its default value.
sha1
This command specifies the authentication method used with this IKE policy. Configuring the policy for pre-shared key (PSK) or no auth-method produces the same result since PSK is both the default value and the only option.
The no form of the command returns the parameter to its default value (psk).
no auth-method
This command specifies which Diffie-Hellman group is used to calculate session keys:
More bits provide a higher level of security but require more processing.
The no form of the command returns the parameter to its default value (Group2).
no dh-group (Group2)
This command controls the dead peer detection (DPD) mechanism to detect a dead IKE peer.
The no form of the command disables DPD and returns the parameters to their default values.
no dpd
This command specifies the encryption algorithm to use for the IKE session.
The no form of the command returns the algorithm to its default value (aes128).
aes128
This parameter specifies the lifetime of a phase 2 SA.
The no form of the command returns the ipsec-lifetime value to the default.
3600 (1 hr)
This command specifies the lifetime of a phase 1 SA. ISAKMP stands for Internet Security Association and Key Management Protocol. The no form of the command returns the isakmp-lifetime value to the default value.
86400
This command specifies whether NAT-T (Network Address Translation Traversal) is enabled, disabled, or in force mode. Enabling NAT-T enables the NAT detection mechanism. If a NAT device is detected in the path between the 7705 SAR and its IPSec peer, then UDP encapsulation is done on the IPSec packet to allow the IPSec traffic to traverse the NAT device.
When nat-traversal is used without any parameters, NAT-T is enabled and sending keepalive packets is disabled (keep-alive-interval is 0 s).
When the force keyword is used, the IPSec tunnel always uses a UDP value in its header, regardless of whether a NAT device is detected.
The force-keep-alive keyword specifies whether keepalive packets are sent only when a NAT device is detected or are always sent (regardless of detection of a NAT device). When force-keep-alive is used, packets are always sent and the “Behind NAT Only” field in the show>ipsec>ike-policy ike-policy-id output indicates False. When force-keep-alive is not used, packets may or may not be sent, depending on whether NAT-T is enabled or disabled. In this case, the “Behind NAT Only” field indicates True.
The keep-alive-timer keyword defines the frequency, where “0” means that keepalives are disabled.
The no form of the command returns the parameters to the default values (NAT-T is disabled, keep-alive-interval is 0 s, and force-keep-alive is True).
no nat-traversal
This command specifies the authentication method used by the 7705 SAR OS to self-authenticate. This command (own-auth-method) applies only to IKEv2.
The default self-authentication method used by the 7705 SAR OS is symmetric, which means the self-authentication method is the same as the authentication method used by this IKE policy for the remote peer (that is, the own-auth-method is the same as auth-method).
The no form of the command returns the parameter to the default value (symmetric).
no own-auth-method
This command enables Perfect Forward Secrecy (PFS) on the IPSec tunnel using this policy. PFS provides for a new Diffie-Hellman key exchange each time the SA key is renegotiated. After each SA expires, the key is forgotten and another key is generated (if the SA remains up). This means that an attacker who cracks part of the exchange can only read the part that used the key before the key changed. Thus, there is no advantage to cracking the other parts of the exchange if an attacker has already cracked one.
When pfs is used without the dh-group command, the default DH group (Group 2) is used.
The no form of the command disables PFS. If pfs is turned off during an active SA, then when the SA expires and it is time to re-key the session, the original Diffie-Hellman primes are used to generate the new keys.
no pfs
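The following is an added illustration of the PFS property described above, not code from the 7705 SAR or its documentation. It models phase 2 re-keying in a toy Diffie-Hellman group (a small Mersenne prime chosen for readability, not an IKE group, and an HMAC stand-in for the IKE PRF) and then performs the defender's check the paragraph implies: given only the phase 1 secret and what was visible on the wire, which phase 2 keys can be recomputed? Without PFS, every re-keyed SA key is recoverable; with PFS, none are, because each re-key mixes in a fresh ephemeral exchange whose private values are discarded.

```python
"""Toy model of IKE phase 2 re-keying with and without Perfect Forward Secrecy.

Added example, not vendor code. The DH modulus below is a toy (2**127 - 1),
NOT an IKE group such as Group 2; the key derivation is a simplified
HMAC-SHA256 stand-in for the IKE PRF. Only the structure is meaningful.
"""
import hashlib
import hmac
import secrets

P = (1 << 127) - 1   # toy prime modulus (assumption, not a real IKE group)
G = 3                # toy generator


def dh_keypair():
    """Return (private exponent, public value) for one DH participant."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)


def dh_shared(own_private, peer_public):
    return pow(peer_public, own_private, P)


def prf(secret: int, *parts: bytes) -> bytes:
    """HMAC-SHA256 keyed with the DH secret, a stand-in for the IKE PRF."""
    return hmac.new(secret.to_bytes(16, "big"), b"".join(parts), hashlib.sha256).digest()


def child_sa_key(phase1_secret, nonce_i, nonce_r, pfs_secret=None):
    """Derive one phase 2 (IPsec SA) key.

    Without PFS the key depends only on the phase 1 secret and fresh nonces.
    With PFS a new DH shared secret from this re-key is mixed in as well.
    """
    if pfs_secret is None:
        return prf(phase1_secret, nonce_i, nonce_r)
    return prf(phase1_secret, pfs_secret.to_bytes(16, "big"), nonce_i, nonce_r)


def rekey_sequence(pfs: bool, rounds: int = 3):
    """Run one phase 1 exchange, then `rounds` phase 2 re-keys.

    Returns (phase1_secret, transcript, keys). The transcript holds only what
    is visible on the wire: the nonces and, with PFS, the ephemeral DH publics.
    Ephemeral private exponents are dropped after use, as PFS requires.
    """
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    phase1 = dh_shared(a_priv, b_pub)
    assert phase1 == dh_shared(b_priv, a_pub)

    transcript, keys = [], []
    for _ in range(rounds):
        ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
        if pfs:
            ea_priv, ea_pub = dh_keypair()
            eb_priv, eb_pub = dh_keypair()
            ephemeral = dh_shared(ea_priv, eb_pub)
            transcript.append((ni, nr, ea_pub, eb_pub))
            keys.append(child_sa_key(phase1, ni, nr, ephemeral))
        else:
            transcript.append((ni, nr, None, None))
            keys.append(child_sa_key(phase1, ni, nr))
    return phase1, transcript, keys


def keys_recoverable_from_phase1(phase1, transcript, keys):
    """Defender's check: with the phase 1 secret plus the wire transcript (and
    no ephemeral private values), count the phase 2 keys that can be rebuilt."""
    hits = 0
    for (ni, nr, ea_pub, eb_pub), key in zip(transcript, keys):
        if ea_pub is None:
            # No PFS: the derivation needs nothing beyond phase 1 and the nonces.
            hits += int(child_sa_key(phase1, ni, nr) == key)
        # With PFS the ephemeral shared secret cannot be obtained from the
        # two public values alone, so the key is not recoverable here.
    return hits


if __name__ == "__main__":
    for mode in (False, True):
        p1, tr, ks = rekey_sequence(pfs=mode)
        print(f"pfs={mode}: {keys_recoverable_from_phase1(p1, tr, ks)} of {len(ks)} keys recoverable")
```

The check is the point of the exercise: the no-PFS path shows why the page warns that a re-key without PFS reuses the original Diffie-Hellman material, and the PFS path shows the isolation that a fresh exchange per re-key buys.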
This command enables the context to create an ipsec-transform policy. IPSec transform policies can be shared between IPSec tunnels by using the transform command.
IPSec transform policy assignments to a tunnel require the tunnel to be shut down.
The no form of the command removes the transform ID from the configuration.
This command specifies which hashing algorithm should be used for the Encapsulating Security Payload (ESP) authentication function. Both ends of a tunnel must share the same configuration parameters in order for the IPSec tunnel to enter the operational state.
The null keyword in this command and the null keyword in the esp-encryption-algorithm command are mutually exclusive.
The no form of the command returns the parameter to its default value.
sha1
This command specifies the encryption algorithm to use for the IPSec session. Encryption only applies to Encapsulating Security Payload (ESP) configurations.
For IPSec tunnels to come up, both ends of the IPSec tunnel (both private-side endpoints) must be configured with the same encryption algorithm. That is, the configuration for vprn>if>sap>ipsec-tunnel transform must match at both nodes.
The null keyword in this command and the null keyword in the esp-auth-algorithm command are mutually exclusive.
The no form of the command returns the parameter to its default value.
aes128
This command enables the context to configure IPSec policies.
n/a
This command configures a security policy to use for an IPSec tunnel. An entry specifying local and remote IP addresses must be defined before the policy can be used.
The no form of the command removes the policy. Policy entries must be deleted before the policy can be removed.
n/a
This command configures an IPSec security policy entry.
The no form of the command removes the entry.
n/a
This command configures the local (from the VPN) IP prefix/mask for the policy parameter entry.
Only one entry is necessary to describe a potential traffic flow. The local-ip and remote-ip commands can be defined only once. The system will evaluate the local IP as the source IP when traffic is examined in the direction of the VPN to the tunnel and as the destination IP when traffic flows from the tunnel to the VPN. The remote IP will be evaluated as the source IP when traffic flows from the tunnel to the VPN and as the destination IP when traffic flows from the VPN to the tunnel.
The no form of the command clears the IP entry.
no local-ip
This command configures the remote (from the tunnel) IP prefix/mask for the policy parameter entry.
Only one entry is necessary to describe a potential traffic flow. The local-ip and remote-ip commands can be defined only once. The system will evaluate the local IP as the source IP when traffic is examined in the direction of the VPN to the tunnel and as the destination IP when traffic flows from the tunnel to the VPN. The remote IP will be evaluated as the source IP when traffic flows from the tunnel to the VPN and as the destination IP when traffic flows from the VPN to the tunnel.
The no form of the command clears the IP entry.
no remote-ip
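The directional evaluation described for local-ip and remote-ip is easy to get backwards when writing or auditing a policy, so here is an added model of it in Python (not 7705 SAR code; the `PolicyEntry` class, the direction labels and the sample prefixes and addresses are constructed for the example). An entry matches VPN-to-tunnel traffic when the source is in local-ip and the destination in remote-ip, and tunnel-to-VPN traffic when the roles are swapped; the example also goes slightly beyond the text by walking a list of entries in order and returning the first match.

```python
"""Directional matching of IPSec security policy entries (added example).

Models the rule in the reference: local-ip is the VPN-side prefix and
remote-ip the tunnel-side prefix; which one is compared against the packet's
source or destination depends on the direction of the traffic.
Assumptions: the PolicyEntry class, direction names and all sample data
are constructed for this example and are not vendor API.
"""
from ipaddress import ip_address, ip_network


class PolicyEntry:
    def __init__(self, entry_id, local_ip, remote_ip):
        self.entry_id = entry_id
        self.local = ip_network(local_ip)    # local-ip: the VPN side
        self.remote = ip_network(remote_ip)  # remote-ip: the tunnel side

    def matches(self, src, dst, direction):
        src, dst = ip_address(src), ip_address(dst)
        if direction == "vpn-to-tunnel":
            # local-ip is evaluated as the source, remote-ip as the destination
            return src in self.local and dst in self.remote
        if direction == "tunnel-to-vpn":
            # roles swap: remote-ip is the source, local-ip the destination
            return src in self.remote and dst in self.local
        raise ValueError(f"unknown direction {direction!r}")


def select_entry(entries, src, dst, direction):
    """Return the id of the first entry matching the flow, or None."""
    for entry in entries:
        if entry.matches(src, dst, direction):
            return entry.entry_id
    return None


# Constructed sample policy: two entries, the second a catch-all remote side.
ENTRIES = [
    PolicyEntry(1, "10.10.0.0/16", "192.168.50.0/24"),
    PolicyEntry(2, "10.20.0.0/16", "0.0.0.0/0"),
]

if __name__ == "__main__":
    print(select_entry(ENTRIES, "10.10.1.5", "192.168.50.9", "vpn-to-tunnel"))   # 1
    print(select_entry(ENTRIES, "192.168.50.9", "10.10.1.5", "tunnel-to-vpn"))   # 1
    print(select_entry(ENTRIES, "192.168.50.9", "10.10.1.5", "vpn-to-tunnel"))   # None
```

The third call is the useful negative case: a packet whose source is the tunnel-side prefix but which arrives from the VPN side does not match, which is exactly the asymmetry the two sentences above are spelling out.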
This command creates a logical IP routing interface.
The tunnel keyword is not used for IES interfaces. An IES public tunnel SAP is created when the sap-id includes the tunnel and public keywords (see sap below). For VPRN interfaces, tunnel is used to create an IP interface that supports a private tunnel SAP. The VPRN private tunnel SAP allows provisioning of an IPSec tunnel, and is created when the VPRN sap-id includes the tunnel and private keywords.
n/a
This command creates a SAP. For IES and VPRN services using tunnel interfaces, the sap-id format for private and public tunnel interfaces is shown below. See sap for details on configuring all SAPs.
n/a
This command specifies an IPSec tunnel name. Configuring the commands under the ipsec-tunnel context defines where the IPSec tunnel originates and terminates, and how it is secured.
n/a
This command specifies whether this IPSec tunnel is the BFD-designated tunnel.
A BFD-designated tunnel is the tunnel over which a BFD session is established. A BFD-designated tunnel does not go down when BFD goes down. Other tunnels that use that BFD-designated tunnel’s BFD session will go down based on the state of the BFD session.
no bfd-designate
This command assigns a BFD session to provide the heartbeat mechanism for the specified IPSec tunnel. There can be only one BFD session assigned to any given IPSec tunnel, but there can be multiple IPSec tunnels using the same BFD session. BFD controls the state of the associated tunnel; if the BFD session goes down, the system will also bring down the associated non-designated IPSec tunnel.
n/a
This command clears the do-not-fragment (DF) bit on incoming unencrypted IP traffic, allowing traffic to be fragmented, if necessary, before it enters the tunnel.
The no form of the command, corresponding to the default behavior, leaves the DF bit unchanged.
no clear-df-bit
This command specifies whether to copy the do-not-fragment (DF) bit from the customer clear traffic and insert it into the IPSec tunnel header of the outgoing packet. When disabled, the DF bit of the IPSec tunnel header is always set to 1 (do not copy the DF bit).
The no form of the command, corresponding to the default behavior, does not copy the customer DF bit to the IPSec tunnel header.
no copy-df-bit
This command enables dynamic keying for the IPSec tunnel. Dynamic keying means that the IKE protocol is used to dynamically exchange keys and establish IPSec-SAs. When IKE is used, a tunnel will have ISAKMP-SA for phase 1 (used by IKE) and IPSEC-SA for phase 2 (used for traffic encryption).
The dynamic-keying and manual-keying commands are mutually exclusive. One of these commands must be configured to make the tunnel operational.
The no form of the command returns the SA keying type to its default value.
no dynamic-keying
This command specifies whether to attempt to establish a phase 1 exchange automatically. The auto-establish command should only be enabled on one side of the tunnel. A tunnel with auto-establish enabled acts as an IKE initiator and does not respond to a new phase 1 request.
The no form of the command disables the automatic attempts to establish a phase 1 exchange.
no auto-establish
This command configures the IKE policy for dynamic keying, which will be used by the tunnel.
The no form of the command removes the IKE policy.
no ike-policy
This command allows the specification of the IKEv2 local ID value for a dynamic keyed IPSec tunnel. The allowed local ID types are a valid IPv4 address or an FQDN (fully qualified domain name) string.
If local-id is configured, the tunnel’s local ID is set to the explicit type and value specified by the local-id command. If local-id is not configured, the tunnel’s local gateway IP address is used in the ID field of IKEv2 (see local-gateway-address).
The no form of the command removes the local ID.
no local-id
This command specifies the pre-shared key (PSK), or secret passphrase, that will be used to initiate the tunnel IKE session.
The no form of the command removes the pre-shared key.
no pre-shared-key
This command associates the IPSec transform set allowed for this tunnel. A maximum of four transforms can be specified. The transforms are listed in decreasing order of preference (the first one specified is the most preferred). The list of transform-ids is overwritten each time the command is issued. Transforms are defined using the ipsec-transform command.
The no form of the command returns the command to its default state.
no transform
This command configures the IP maximum transmission unit (MTU) for packets on this interface.
The ip-mtu command instructs the 7705 SAR to perform IP packet fragmentation prior to IPSec encryption and encapsulation, based on the configured MTU value.
On the 7705 SAR, unencrypted IP packets arriving on a VPRN access interface and destined for an IPSec uplink will be fragmented if the incoming packet is larger than:
The actual overhead depends on the payload size, and the encryption and authentication algorithms used.
The no ip-mtu command, corresponding to the default behavior, disables fragmentation of IP packets by the 7705 SAR; all IP packets, regardless of size or DF bit setting, are allowed into the tunnel.
no ip-mtu
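The ip-mtu, clear-df-bit and copy-df-bit commands interact on every clear packet entering the tunnel, and the combinations are easier to reason about in code. The following is an added Python model of the behaviour the reference states (not vendor code): with no ip-mtu every packet passes untouched; with ip-mtu an oversize packet is fragmented before encryption; clear-df-bit clears the inner DF bit first; copy-df-bit decides whether the outer header carries the inner DF bit or is always set to 1. The 20-byte IP header, the 8-byte fragment alignment, the `oversize-df` result for an oversize packet whose DF bit is still set (the reference does not say what the router does in that case) and all sample sizes are assumptions of this example.

```python
"""Model of pre-encryption fragmentation and DF-bit handling (added example).

Assumptions not taken from the reference: a 20-byte IP header, 8-byte
fragment offset alignment, and the 'oversize-df' outcome for an oversize
packet that still carries DF. The configuration object is constructed for
the example and is not the 7705 SAR CLI.
"""
import math
from dataclasses import dataclass
from typing import Optional

IP_HDR = 20  # bytes; assumption for fragment accounting


@dataclass
class TunnelIngressConfig:
    ip_mtu: Optional[int] = None   # None models 'no ip-mtu'
    clear_df_bit: bool = False     # 'clear-df-bit' configured
    copy_df_bit: bool = False      # 'copy-df-bit' configured


def handle_clear_packet(cfg: TunnelIngressConfig, length: int, df: bool):
    """Return (outcome, fragment_count, outer_df) for one clear packet.

    outcome is 'pass' (sent into the tunnel as-is), 'fragmented' (split before
    encryption) or 'oversize-df' (too large but DF still set; unspecified by
    the reference, reported here so the operator can see it).
    """
    # clear-df-bit acts on the incoming clear traffic before anything else.
    inner_df = False if cfg.clear_df_bit else df
    # copy-df-bit copies the (possibly cleared) inner DF bit into the tunnel
    # header; when it is not configured the outer DF bit is always 1.
    outer_df = inner_df if cfg.copy_df_bit else True

    if cfg.ip_mtu is None or length <= cfg.ip_mtu:
        # no ip-mtu: all packets, regardless of size or DF bit, enter the tunnel
        return ("pass", 1, outer_df)
    if inner_df:
        return ("oversize-df", 0, outer_df)

    # Fragment payload per piece must be a multiple of 8 bytes (IP fragment
    # offsets are in 8-byte units); the last fragment may be shorter.
    payload_per_frag = ((cfg.ip_mtu - IP_HDR) // 8) * 8
    frags = math.ceil((length - IP_HDR) / payload_per_frag)
    return ("fragmented", frags, outer_df)


if __name__ == "__main__":
    # Constructed sample: a 3000-byte packet with DF set under four settings.
    for cfg in (
        TunnelIngressConfig(),
        TunnelIngressConfig(ip_mtu=1400),
        TunnelIngressConfig(ip_mtu=1400, clear_df_bit=True),
        TunnelIngressConfig(ip_mtu=1400, clear_df_bit=True, copy_df_bit=True),
    ):
        print(cfg, "->", handle_clear_packet(cfg, 3000, df=True))
```

The second case in the sample is the one worth noticing operationally: configuring ip-mtu alone does not help a flow whose packets carry DF, which is why the reference pairs it with clear-df-bit.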
This command specifies the local gateway address used by the tunnel and the remote gateway address at the other end of the tunnel.
The local gateway address is the source address of the outgoing encrypted packet and the peer gateway address is the destination address. The delivery service is the IES service that has the corresponding public tunnel interface configured under it.
The local gateway address must be in the same subnet as the public tunnel interface.
This command allows manual configuration of tunnel Security Associations. Manual keying can be used in lieu of dynamic keying and IKE.
The dynamic-keying and manual-keying commands are mutually exclusive. One of these commands must be configured to make the tunnel operational.
When manual keying is used, both encryption and authentication must be entered manually for inbound and outbound SAs. Encryption and authentication modes, along with associated keys, must match on both sides of the tunnel. Inbound SA configuration on the near-end system must match outbound SA configuration on the far-end system, and vice versa. Make sure to use the correct key length, based on the ipsec-transform configuration.
A configuration example for manual keying is shown below:
The no form of the command returns the SA keying type to its default value.
no manual-keying
This command configures the information required for manual keying SA creation.
n/a
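Because the manual-keying and security-association text above lists several conditions that must all hold at once (both SAs present, each carrying encryption and authentication, near-end inbound identical to far-end outbound and vice versa, key lengths matching the ipsec-transform), a small consistency checker run against both sides' intended configuration before committing is a practical safeguard. The following is an added Python example, not vendor code: the SA dictionary layout is an assumption, the key sizes are the conventional IPsec ones (16-byte AES-128 key, 20-byte HMAC-SHA1 key, no key for null) rather than values from the page, and the transform and key material are constructed placeholders.

```python
"""Consistency check for manually keyed IPSec SAs on two peers (added example).

Assumptions: SA dicts with keys spi/transform/enc_key/auth_key; transform
dicts with esp-auth/esp-enc; key lengths per conventional IPsec usage.
All sample keys below are placeholders, not real key material.
"""

# Key length in bytes implied by each transform algorithm (assumed sizes).
ENC_KEY_LEN = {"aes128": 16, "null": 0}
AUTH_KEY_LEN = {"sha1": 20, "null": 0}

# Constructed ipsec-transform table: transform 1 = ESP with SHA1 auth, AES-128.
TRANSFORMS = {1: {"esp-auth": "sha1", "esp-enc": "aes128"}}


def check_sa(sa, transforms):
    """Return a list of problems for one SA; empty means it is well-formed."""
    t = transforms.get(sa.get("transform"))
    if t is None:
        return [f"unknown transform {sa.get('transform')!r}"]
    problems = []
    if t["esp-auth"] == "null" and t["esp-enc"] == "null":
        # the reference: null auth and null encryption are mutually exclusive
        problems.append("null esp-auth and null esp-enc are mutually exclusive")
    for field, alg, table in (("enc_key", t["esp-enc"], ENC_KEY_LEN),
                              ("auth_key", t["esp-auth"], AUTH_KEY_LEN)):
        try:
            actual = len(bytes.fromhex(sa.get(field, "")))
        except ValueError:
            problems.append(f"{field} is not valid hex")
            continue
        if actual != table[alg]:
            problems.append(f"{field} must be {table[alg]} bytes for {alg}, got {actual}")
    return problems


def check_pair(near, far, transforms):
    """Check both peers' inbound/outbound SAs and their cross-matching.

    near/far: dicts with 'inbound' and 'outbound' SA entries. The near-end
    inbound SA must equal the far-end outbound SA and vice versa.
    """
    problems = []
    for side, cfg in (("near", near), ("far", far)):
        for direction in ("inbound", "outbound"):
            if direction not in cfg:
                problems.append(f"{side}: missing {direction} SA")
                continue
            problems += [f"{side} {direction}: {p}" for p in check_sa(cfg[direction], transforms)]
    for a, b, label in ((near, far, "near inbound vs far outbound"),
                        (far, near, "far inbound vs near outbound")):
        if "inbound" in a and "outbound" in b and a["inbound"] != b["outbound"]:
            problems.append(f"mismatch: {label}")
    return problems


# Constructed sample. Keys are obvious placeholders ("00"*16 etc.).
NEAR = {
    "inbound":  {"spi": 256, "transform": 1, "enc_key": "00" * 16, "auth_key": "11" * 20},
    "outbound": {"spi": 257, "transform": 1, "enc_key": "22" * 16, "auth_key": "33" * 20},
}
# A correct far end mirrors the near end: its inbound is our outbound.
FAR_OK = {"inbound": dict(NEAR["outbound"]), "outbound": dict(NEAR["inbound"])}
# A far end whose outbound encryption key is one byte short.
FAR_BAD = {"inbound": dict(NEAR["outbound"]),
           "outbound": dict(NEAR["inbound"], enc_key="00" * 15)}

if __name__ == "__main__":
    print(check_pair(NEAR, FAR_OK, TRANSFORMS))   # []
    for p in check_pair(NEAR, FAR_BAD, TRANSFORMS):
        print("-", p)
```

The short-key case reports both the length error and the resulting cross-match failure, which mirrors how such a mistake shows up in practice: the tunnel simply never becomes operational, with no single obvious cause.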
This command identifies an IPSec security policy (defined under the vprn>ipsec context) that is to be used for this IPSec tunnel.
The no form of the command returns the security-policy to its default state (n/a).
n/a
This command displays provisioning parameters for a given IKE policy. When no ike-policy-id is specified, a summary of all IKE policies is displayed. When an ike-policy-id is specified, the detailed settings for that IKE policy are displayed.
The following output is an example of IPSec IKE policy information, and Table 129 describes the fields.
| Label | Description |
|---|---|
| IPsec IKE Policies | |
| Id | The IKE policy identifier |
| Ike Mode | The IKE mode |
| Ike Ver | The IKE version |
| DH | The Diffie-Hellman group (DH) used for the IKE policy |
| Pfs | Displays whether or not perfect forward secrecy (PFS) is used on the IPSec tunnel using this policy |
| Pfs DH | The Diffie-Hellman group (DH) used for calculating PFS keys |
| Auth Alg | The hashing algorithm used for the IKE authentication function |
| Encr Alg | The encryption algorithm used for the IKE session |
| Isakmp Life-time | The lifetime of a phase 1 IKE key, in seconds |
| IPsec Life-time | The lifetime of a phase 2 IKE key, in seconds |
| Auth Method | The authentication method |
| DPD | The state of the dead peer detection (DPD) mechanism: Enabled or Disabled |
| NAT | The state of Network Address Translation Traversal (NAT-T) |
| No. of IPsec IKE Policies: | The number of IPSec IKE policies |
| IPsec IKE Policy Configuration Detail | |
| Policy Id | The IKE policy identifier |
| IKE Mode | The IKE mode |
| DH Group | The Diffie-Hellman group (DH) used for the IKE policy |
| Auth Method | The authentication method |
| PFS | Displays whether or not perfect forward secrecy (PFS) is used on the IPSec tunnel using this policy |
| PFS DH Group | The Diffie-Hellman group (DH) used for calculating PFS keys |
| Auth Algorithm | The hashing algorithm used for the IKE authentication function |
| Encr Algorithm | The encryption algorithm used for the IKE session |
| ISAKMP Lifetime | The lifetime of a phase 1 IKE key, in seconds |
| IPsec Lifetime | The lifetime of a phase 2 IKE key, in seconds |
| NAT Traversal | The state of Network Address Translation Traversal (NAT-T): Enabled, Disabled, or Force |
| NAT-T Keep Alive | Displays the configured NAT-T keepalive interval, in seconds |
| Behind NAT Only | Indicates when NAT-T keepalive messages are sent. True: keepalive messages are sent only if a NAT device is detected (detection is done by each IKE session, for each IPSec tunnel). False: keepalive messages are always sent. When force-keep-alive is specified, Behind NAT Only is False; otherwise it is True. |
| DPD | The state of the Dead Peer Detection (DPD) mechanism: Enabled or Disabled |
| DPD Interval | The interval used to test connectivity to the tunnel peer |
| DPD Max Retries | The maximum number of retries before the tunnel is removed |
| Description | A user-configured description of the IKE policy |
| IKE Version | The IKE version |
| Own Auth Method | Indicates the authentication method used with this IKE policy to authenticate on the local side of the tunnel |
This command displays the provisioning parameters for a given security policy.
The following output is an example of IPSec security policy information, and Table 130 describes the fields.
| Label | Description |
|---|---|
| IPsec Security Policies | |
| ServiceId | The service identifier |
| SecurityPolicyId | The security policy identifier applied to the service |
| Security Policy Params Entry count | The number of entries in the security policy |
| No. of IPsec Security Policies: | The number of IPSec security policies on the router |
| Security Policy Param Entries | |
| SvcId | The service identifier |
| Security PlcyId | The security policy identifier applied to the service |
| Policy ParamsId | The parameter entry number for the security policy |
| LocalIp | The IP address of the local IP interface |
| RemoteIp | The IP address of the remote IP interface |
| No. of IPsec Security Policy Param Entries: | The number of parameter entries for the IPSec security policy |
This command displays IPSec transforms.
The following output is an example of IPSec transform information, and Table 131 describes the fields.
| Label | Description |
|---|---|
| IPsec Transforms | |
| TransformId | The identifier of the IPSec transform policy |
| EspAuthAlgorithm | Displays the type of Encapsulating Security Payload (ESP) authentication algorithm defined in the transform policy |
| EspEncryptionAlgorithm | Displays the type of Encapsulating Security Payload (ESP) encryption algorithm defined in the transform policy |
| No. of IPsec Transforms: | The number of IPSec transform policies |
This command displays the IPSec tunnel information for existing tunnels.
The following output is an example of IPSec tunnel information, and Table 132 describes the fields.
| Label | Description |
|---|---|
| IPsec Tunnels | |
| TunnelName | The specified name of the IPSec tunnel |
| LocalAddress | The IPv4 address of the local router |
| SvcId | The service identifier |
| Admn | The administrative state of the IPSec tunnel |
| Keying | The type of security keying for the tunnel: None, Manual, or Dynamic |
| SapId | The SAP identifier |
| RemoteAddress | The IPv4 address of the remote router |
| DlvrySvcId | The service identifier of the delivery service |
| Oper | The operational state of the IPSec tunnel |
| Sec Plcy | The identifier of the security policy used |
| IPsec Tunnels: | The number of IPSec tunnels |
| IPsec Tunnel Configuration Detail | |
| Service Id | The service identifier |
| Sap Id | The SAP identifier |
| Tunnel Name | The specified name of the IPSec tunnel |
| Description | The description configured for the IPSec tunnel |
| Local Address | The IPv4 address of the local router |
| Remote Address | The IPv4 address of the remote router |
| Delivery Service | The service identifier of the delivery service |
| Security Policy | The identifier of the security policy used |
| Admin State | The administrative state of the IPSec tunnel |
| Oper State | The operational state of the IPSec tunnel |
| Keying Type | The type of security keying for the tunnel: None, Manual, or Dynamic |
| Replay Window | The size of the replay window used for anti-replay |
| Clear DF Bit | Indicates whether the tunnel is clearing the DF bit: true (clearing) or false (not clearing) |
| IP MTU | The interface IP MTU. The value “max” indicates that the tunnel will receive whatever IP payload is sent to it. |
| Oper Flags | Displays the operational flags currently in effect |
| BFD Interface | |
| BFD Designate | Displays whether a BFD designate has been specified: yes or no |
| Dynamic Keying Parameters | |
| Transform Id1 to Transform Id4 | The ipsec-transform IDs that are assigned under the VPRN ipsec-tunnel context |
| Ike Policy Id | The IKE policy ID |
| Auto Establish | Displays whether automatic establishing of an IPSec tunnel has been specified: yes or no |
| PreShared Key | The PSK or shared secret used with dynamic keying as defined under the VPRN ipsec-tunnel context |
| Isakmp State | The state of ISAKMP: Up or Down |
| ISAKMP Statistics | ISAKMP statistics are for traffic sent and received by the IKE protocol |
| Tx Packets | The number of IKE packets transmitted |
| Rx Packets | The number of IKE packets received |
| Tx Errors | The number of IKE packet errors transmitted |
| Rx Errors | The number of IKE packet errors received |
| Tx DPD | The number of IKE Dead Peer Detection (DPD) packets transmitted |
| Rx DPD | The number of IKE DPD packets received |
| Tx DPD ACK | The number of IKE DPD acknowledgement packets transmitted |
| Rx DPD ACK | The number of IKE DPD acknowledgement packets received |
| DPD Timeouts | The number of IKE DPD timeouts |
| Rx DPD Errors | The number of IKE DPD packet errors received |
| IPsec Tunnel Count | |
| Total IPsec Tunnels | The total number of IPSec tunnels on the local router |
This command clears statistics.
This command can be used to facilitate debugging related to IPSec tunnels.
keyword - optional to