8.5. Configuring IPSec with CLI

This section provides information to configure IPSec using the command line interface.

Topics in this section include:

8.6. Basic Configuration Overview

The following list provides a high-level outline for setting up IPSec on the 7705 SAR.

  1. Create an IPSec tunnel group.
  2. Configure an IPSec IKE policy.
  3. Configure an IPSec transform policy.
  4. Create a private-side tunnel interface on a VPRN service.
    1. Create an interface using the tunnel keyword and private tunnel SAP.
    2. Create the IPSec tunnel and configure its parameters, which include local and peer gateway IP addresses, IP MTU, keying (manual or dynamic), and so on.
  5. Create a public-side tunnel interface on an IES or VPRN service.
    1. Create an interface and public tunnel SAP.
  6. Configure a VPRN static route for the IPSec tunnel.

8.7. Common Configuration Tasks

This section provides a brief overview of the following common configuration tasks that must be performed to configure IPSec:

8.7.1. Configuring an IPSec Tunnel Group

The following output displays an IPSec group configuration in the ISA context. The 7705 SAR supports only one tunnel-group. The tunnel-group-id is always 1.

*A:7705custDoc:Sar18>config>isa# info detail
----------------------------------------------
        tunnel-group 1 create
            shutdown
            no description
        exit
----------------------------------------------
*A:7705custDoc:Sar18>config>isa#

8.7.2. Configuring Router Interfaces for IPSec

An IPSec tunnel requires the following three interfaces:

  1. public tunnel interface (under IES or VPRN)
  2. private tunnel interface (under VPRN)
  3. physical untrusted network/Internet-facing interface: IES, VPRN, or router

The physical interface is the one that must reside on an encryption-capable adapter card.

The following example displays an interface (“internet”) configured using a network port (1/1/1) and an IES interface (“public”) configuration using SAP 1/1/8.

*A:ALU-49>config>router# info
----------------------------------------------
...
    router
        interface "internet"
            address 10.10.7.118/11
            port 1/1/1
        exit
        interface "system"
            address 10.20.1.118/12
        exit
         autonomous-system 123
    exit
...
----------------------------------------------
*A:ALU-49>config>router#
*A:7705:Dut-A>config>service>ies# info
----------------------------------------------
            description "ies interface towards internet"
            interface "public" create
                address 10.1.1.1/1
                sap 1/1/8 create
                    description "sap-100-10.1.1.1"
                exit
            exit
            no shutdown
----------------------------------------------

8.7.3. Configuring IPSec Parameters

Under the IPSec context, configure the IKE policy and IPSec transform parameters.

The following example displays the IPSec parameter configuration output.

*A:7705custDoc:Sar18>config>ipsec# info
#--------------------------------------------------
    ipsec
        ike-policy 2 create
            ike-version 2
            own-auth-method psk
            dh-group 14
            ipsec-lifetime 48000
            isakmp-lifetime 60000
            pfs dh-group 5
            auth-algorithm sha384
            encryption-algorithm aes192
            nat-traversal keep-alive-interval 240
            no ikev2-fragment
            dpd interval 25
        exit
        ipsec-transform 2 create
            esp-auth-algorithm md5
            esp-encryption-algorithm 3des
        exit
    exit
#--------------------------------------------------

8.7.4. Configuring IPSec and IPSec Tunnels in Services

IPSec is configured under IES and VPRN services.

For the private-side IPSec tunnel interface and SAP, under the VPRN service context, configure IPSec security policies, and create tunnel interfaces, private tunnel SAPs, IPSec tunnels, and IPSec tunnel parameters. The tunnel keyword must be used when creating an interface for a private tunnel SAP.

For a public-side IPSec tunnel interface and SAP, under the IES or VPRN service context, create an interface and public tunnel SAP. The tunnel keyword is not used when creating an interface for a public tunnel SAP.

Private-side and public-side tunnels function in pairs, where a pair is defined by the service ID and the interface subnet.

The local gateway address and delivery service configured using the VPRN ipsec-tunnel>local-gateway-address command correspond to the IES or VPRN interface address and service ID where the public-side tunnel interface is defined. In the example below, the local-gateway-address is 10.10.10.11 and the delivery-service is 10.

The following example displays the configuration output when configuring IPSec for a private-side VPRN service and a public-side IES.

*A:7705custDoc:Sar18>config>service>vprn# info detail
----------------------------------------------
...
            ipsec
                security-policy 1 create
                    entry 1 create
                        local-ip any
                        remote-ip any
                    exit
                    entry 2 create
                        local-ip 198.51.100.0/24
                        remote-ip 198.51.100.0/24 
                    exit
                exit
                security-policy 15 create
                    entry 15 create
                        no local-ip
                        no remote-ip
                    exit
                exit
            exit
...
            interface "vprn_tunnel" tunnel create
                no ip-mtu
                sap tunnel-1.private:22 create
                    no description
                    ingress
                        qos 1
                    exit
                    egress
                        qos 1
                        no filter
                        no agg-rate-limit
                    exit
                    ipsec-tunnel "ipsec_tunnel_tag1" create
                        shutdown
                        no description
                        security-policy 1 2
                        local-gateway address 10.10.10.11 peer 10.10.10.11 
                           delivery-service 10
                        no bfd-designate
                        no clear-df-bit
                        no ip-mtu
                    exit
                    no shutdown
                exit 
                no shutdown
            exit
            no service-name
            static-route-entry 192.100.200.10/32 
                ipsec-tunnel "ipsec_tunnel_tag1" 
                    no shutdown
                exit
            exit
----------------------------------------------
*A:7705custDoc:Sar18>config>service>vprn#
 
*A:7705custDoc:Sar18>config>service>ies# info detail
----------------------------------------------
  ...
        ies 10 customer 1 create
            interface "ies_tunnelPublicSide_1" create
                address 10.10.10.1/8 
                sap tunnel-1.public:22 create
                    no description
                    ingress
                        qos 1
                    exit
                    egress
                        qos 1
                        no filter
                        no agg-rate-limit
                    exit
                    no collect-stats
                    no accounting-policy
                    no shutdown
                exit
            exit
            no service-name
----------------------------------------------
*A:7705custDoc:Sar18>config>service>ies#

8.7.5. Configuring IPSec IPv6 Parameters for a VPRN Private Service

Use the following CLI syntax to configure IPSec IPv6 parameters for a VPRN private service:

CLI Syntax:
config>service# vprn service-id [customer customer-id] [create]
ipsec
security-policy security-policy-id [create]
entry entry-id [create]
local-v6-ip {ipv6-prefix/prefix-length | any}
remote-v6-ip {ipv6-prefix/prefix-length | any}
Example:
A:ALU-41>config>service# vprn 1011
A:ALU-41>config>service>vprn$ ipsec
A:ALU-41>config>service>vprn>ipsec>security-policy$ 1 create
A:ALU-41>config>service>vprn>ipsec>sec-plcy>entry$ 1 create
A:ALU-41>config>service>vprn>ipsec>sec-plcy>entry>local-v6-ip$ 2001:db8:a::123/64
A:ALU-41>config>service>vprn>ipsec>sec-plcy>entry>local-v6-ip$ exit
A:ALU-41>config>service>vprn>ipsec>sec-plcy>entry>remote-v6-ip$ 2001:db8:a::222/64
A:ALU-41>config>service>vprn>ipsec>sec-plcy>entry>remote-v6-ip$ exit
A:ALU-41>config>service>vprn>ipsec>sec-plcy>entry$ exit
A:ALU-41>config>service>vprn>ipsec>security-policy$ exit
A:ALU-41>config>service>vprn>ipsec$ exit

The following example displays IPSec IPv6 parameters configuration output.

*A:7705:Dut-A>config>service>vprn# info
----------------------------------------------
            ipsec
                security-policy 1 create
                    entry 1 create
                        local-v6-ip 2001:db8:a::123/64
                        remote-v6-ip 2001:db8:a::222/64
                    exit
                exit
            exit

8.7.6. Configuring X.509v3 Certificate Parameters

Perform the following steps to configure certificate enrollment.

  1. Generate a key:
    admin certificate gen-keypair cf3:/key_plain_rsa2048 size 2048 type rsa
  2. Generate a certificate request:
    admin certificate gen-local-cert-req keypair cf3:/key_plain_rsa2048 subject-dn "C=US,ST=CA,CN=7705" file 7705_req.csr
  3. Send the certificate request to CA-1 to sign and get the signed certificate.
  4. Import the key:
    admin certificate import type key input cf3:/key_plain_rsa2048 output key1_rsa2048 format der
  5. Import the signed certificate:
    admin certificate import type cert input cf3:/7705_cert.pem output 7705cert format pem

Perform the following steps to import the CA certificate and CRL.

  1. Import the CA certificate:
    admin certificate import type cert input cf3:/CA_1_cert.pem output ca_cert format pem
  2. Import the CA’s CRL:
    admin certificate import type crl input cf3:/CA_1_crl.pem output ca_crl format pem

The following example displays a certificate authentication for IKEv2 static LAN-to-LAN tunnel configuration.

config>system>security>pki# info 
----------------------------------------------
                ca-profile "alu-root" create
                    cert-file "alu_root.cert"
                    crl-file "alu_root.crl"
                    no shutdown
                exit
----------------------------------------------
config>ipsec# info 
----------------------------------------------
        ike-policy 1 create
            auth-method cert-auth
        exit
        ipsec-transform 1 create
        exit
       cert-profile "segw" create
            entry 1 create
                cert segw.cert
                key segw.key
            exit                      
            no shutdown
        exit
        trust-anchor-profile "alu" create
            trust-anchor "alu-root"
        exit
 
config>service>vprn>if>sap
----------------------------------------------
                ipsec-tunnel "t50" create
                    security-policy 1
                local-gateway-address 192.168.55.30 peer 192.168.33.100 delivery-
                                service 300
                    dynamic-keying
                        ike-policy 1
                        transform 1
                        cert
                            trust-anchor-profile "alu"
                            cert-profile "segw"
                        exit
                    exit
                    no shutdown
                exit

The following example displays the syntax to import a certificate from the PEM format.

*A:ALU-A# admin certificate import type cert input cf3:/pre-import/R1-
0cert.pem output R1-0cert.der format pem

The following example displays the syntax to export a certificate to the PEM format.

*A:ALU-A#  admin certificate export type cert input R1-0cert.der output cf3:/
R1-0cert.pem format pem

8.7.7. Configuring CMPv2

CMPv2 server information is configured under a corresponding ca-profile by using the following CLI commands:

CLI Syntax:
config>system>security>pki>ca-profile
cmpv2
url url-string [service-id service-id]
response-signing-cert filename
key-list
key password [hash | hash2] reference reference-number

The url command specifies the HTTP URL of the CMPv2 server and the service-id specifies the routing instance that the system used to access the CMPv2 server (if the service ID is omitted, the system uses the base routing instance).

The service ID is only needed for in-band connections to the server via VPRN services. IES services are not referenced by the service ID, since an IES service routing instance is considered to be a base routing instance.

The response-signing-cert command specifies an imported certificate that is used to verify CMP response messages if they are protected by a signature. If this command is not configured, the CA’s certificate is used.

The key-list command specifies a list of pre-shared-keys used for CMPv2 initial registration message protection.

Example:
config>system>security>pki>ca-profile>
cmpv2
url "http://cmp.example.com/request" service-id 100
key-list
key passwordToBeUsed [hash | hash2] reference "1"

All CMPv2 operations are invoked by using the admin certificate cmpv2 command.

If there is no key-list defined under the cmpv2 configuration, the system defaults to the cmpv2 transaction that was input for the command line related to authenticating a message without a sender ID. If there is no sender ID in the response message and there is a key-list defined, the system chooses the lexicographical first entry only, and if that fails, there is a fail result for the transaction.

The system supports optional commands (such as always-set-sender-ir) to support inter-operation with CMPv2 servers. Refer to the IPSec Command Reference for details about syntax and usage.

8.7.8. Configuring OCSP

OCSP server information is configured under the corresponding ca-profile:

CLI Syntax:
config>system>security>pki>ca-profile>
ocsp
responder-url url-string
service service-id

The responder-url command specifies the HTTP URL of the OCSP responder. The service command specifies the routing instance that the system used to access the OCSP responder.

Example:
config>system>security>pki>ca-profile>
ocsp
responder-url “http://ocsp.example.com/request”
service 100

For a given IPSec tunnel, the user can configure a primary method, a secondary method, and a default result.

CLI Syntax:
config>service>vprn>if>sap>ipsec-tun>
cert
status-verify
primary {ocsp | crl}
secondary {ocsp | crl}
default-result {revoked | good}
Example:
config>service>vprn>if>sap>ipsec-tun>
cert
status-verify
primary ocsp
secondary crl

8.8. Configuring IPSec over MPLS

On the 7705 SAR, IPSec routes to the secure gateway address can be resolved by using either a BGP 3107 label route or an IGP shortcut. When BGP learns IPv4 addressed as BGP 3107 label routes, BGP resolves the next hops for these routes with an LDP or RSVP-TE tunnel. These BGP routes create BGP tunnels that can be used to resolve an IPSec secure gateway address. When an IGP shortcut is enabled on the 7705 SAR by using the config>router>ospf>rsvp-shortcut command, OSPF installs an OSPF route in the RIB, with an RSVP-TE LSP as the next hop. If this OSPF route is determined as the overall best route, then the next hop is an RSVP-TE tunnel.

The IPSec implementation on the 7705 SAR is VPN-based. In order to configure IPSec, a private VPRN and a public IES or VPRN must both be configured; the encryption and decryption functions occur between these two services.

This section shows a configuration example of an IPSec route resolved by a BGP 3107 label route and a configuration example of an IPSec route resolved by an IGP shortcut.

8.8.1. IPSec over BGP 3107 Label Route

To route IPSec traffic using BGP 3107 label routes, the following components must be configured:

  1. a static LAN-to-LAN tunnel for IPSec traffic
  2. a policy option to advertise the IPSec gateway using BGP
  3. BGP with a BGP 3107 label route configured
  4. an LDP or RSVP-TE tunnel to resolve the BGP 3107 label route

Figure 138 shows a scenario where IPSec traffic is routed over a BGP 3107 label route. In this example, both the BGP 3107 tunnel and the IPSec tunnel are set up between Dut-A and Dut-F. The nature of BGP 3107 requires the LDP or RSVP-TE tunnel to be set up inside the autonomous system between Dut-A and Dut-E.

Figure 138:  IPSec over BGP 3107 Label Route 

8.8.1.1. Static LAN-to-LAN Tunnel Configuration

Setting up a static LAN-to-LAN tunnel for IPSec traffic involves configuring a number of elements, including:

  1. VPRN private-side service parameters, including the following:
    1. BGP parameters
    2. route distinguisher parameter
    3. auto-bind-tunnel parameter or VPRN spoke SDP
    4. VRF route-target associations or VRF import/export policies
    5. OSPF parameters
    6. a VPRN interface and its SAP parameters
    7. spoke-SDP parameters on the VPRN interface
  2. IES or VPRN public-side service parameters
  3. IPSec parameters

The CLI output below is an example of a static LAN-to-LAN tunnel configuration.

*A:7705:Dut-A>config>service>vprn# info 
----------------------------------------------
            description "Default Description For VPRN ID 90"
            snmp-community "Ku/I.yvsMoQ" hash2 version both
            ipsec
                security-policy 1 create
                    entry 1 create
                        local-ip any
                        remote-ip any
                    exit
                exit
            exit
            router-id 10.20.1.1
            autonomous-system 900
            route-distinguisher 10.20.1.1:90
            auto-bind-tunnel
                resolution-filter
                    ldp
                exit
                resolution filter
            exit
            vrf-target target:65000:90
            interface "ies-90-192.168.90.1" create
                address 192.168.90.1/24
                sap 1/2/1:900 create
                    description "sap-90-192.168.90.1"
                exit
            exit
            interface "ies-90-192.168.90.2" create
                address 192.168.90.2/24
                loopback
            exit
            interface "vprn-90-sap-tunnelPrivate-1" tunnel create
                sap tunnel-1.private:1 create
                    description "sap-90-IPSEC"
                    ipsec-tunnel "tunnelPrivateSide1" create
                        security-policy 1
                        local-gateway-address 10.30.90.1 peer 10.40.90.1 delivery-
service 9090
                        dynamic-keying
                            ike-policy 1
                            pre-shared-key "SmS3kjoVVF8ovXfOfxudQJ/
tw3MPVYZp1x1v2z2KkYJ5xY0hdURJyU" hash2
                            transform 1
                        exit
                        no shutdown
                    exit
                exit
            exit
            static-route-entry 10.1.1.1/8 
                ipsec-tunnel "tunnelPrivateSide1"
                    no shutdown
                exit
            exit
            bgp
                min-route-advertisement 1
                import "BgpVpn_to_Bgp" 
                export "BgpVpn_to_Bgp" 
                router-id 10.20.1.1
                group "ce-peers"
                    neighbor 10.1.1.4
                        local-address 10.1.1.3
                        peer-as 90000
                    exit
                    neighbor 10.1.1.5
                        local-address 10.1.1.6
                        med-out 100
                        peer-as 9001
                    exit
                exit
                no shutdown
            exit
            service-name "XYZ Vprn 90"
            no shutdown
----------------------------------------------
*A:7705:Dut-A>config>service>vprn#  
*A:7705:Dut-A>config>service>vprn# exit all 
*A:7705:Dut-A# configure  service ies 9090 
*A:7705:Dut-A>config>service>ies# info 
----------------------------------------------
            description "Default Ies description for service id 9090"
            interface "tunnelPublicSide1" create
                address 10.30.90.3/8
                sap tunnel-1.public:1 create
                    description "sap-9090-10.30.90.3"
                exit
            exit
            service-name "XYZ Ies 9090"
            no shutdown
----------------------------------------------
*A:7705:Dut-A>config>service>ies#

8.8.1.2. Policy Option Configuration

The CLI output below is an example of a policy option configuration.

#--------------------------------------------------
*A:7705:Dut-A>config>router>policy-options# info 
#--------------------------------------------------
            prefix-list "pe_sys_pref"
                prefix 10.30.90.0/8 longer
            exit
            policy-statement "pe_sys_to_bgp"
                entry 10
                    from
                        prefix-list "pe_sys_pref"
                    exit
                    to
                        protocol bgp
                    exit
                    action accept
                    exit
                exit
            exit
            commit
        exit

8.8.1.3. BGP Configuration with BGP 3107 Label Route Advertisement

The CLI output below is an example of BGP enabled with label route advertisement.

#--------------------------------------------------
*A:7705:Dut-A>config>router>bgp# info 
#--------------------------------------------------
        bgp
            connect-retry 5
            keepalive 5
            hold-time 15
            min-route-advertisement 2
            transport-tunnel mpls
            group "to_asbr_Dut-E"
                description "Group to ASBR - vpn label v4"
                peer-as 100
                neighbor 10.20.1.5
                    family ipv4 vpn-ipv4 vpn-ipv6
                    export "pe_sys_to_bgp" 
                    peer-as 100
                    advertise-label ipv4
                exit
            exit
            no shutdown
        exit

8.8.1.4. LDP or RSVP-TE Tunnel Configuration

The CLI output below is an example of an LDP tunnel that is configured to resolve the next hop for the BGP 3107 label route. An RSVP-TE tunnel could also be configured to resolve the next hop.

*A:7705:Dut-A>config>router# info     
----------------------------------------------
#--------------------------------------------------
echo "IP Configuration"
#--------------------------------------------------
        interface "system"
            address 10.20.1.1/8
            no shutdown
        exit
        interface "to-P-Dut-C"
            address 10.10.12.1/8
            port 1/2/7:12
            no shutdown
        exit
        interface "to-P-Dut-D"
            address 10.10.3.1/8
            port 1/2/3:1
            no shutdown
        exit
        autonomous-system 100
#--------------------------------------------------
echo "OSPFv2 Configuration"
#--------------------------------------------------
        ospf
            traffic-engineering
            timers
                spf-wait 1000 1000 1000
            exit
            area 0.0.0.0
                interface "system"
                    hello-interval 5
                    dead-interval 15
                    metric 100
                    no shutdown
                exit
                interface "to-P-Dut-D"
                    interface-type broadcast
                    hello-interval 1
                    dead-interval 4
                    mtu 1518
                    metric 100        
                    no shutdown
                exit
                interface "to-P-Dut-C"
                    interface-type broadcast
                    hello-interval 1
                    dead-interval 4
                    mtu 1518
                    metric 100
                    no shutdown
                exit
            exit
        exit
#--------------------------------------------------
echo "MPLS Configuration"
#--------------------------------------------------
        mpls
            interface "system"
                no shutdown
            exit
            interface "to-P-Dut-D"
                no shutdown
            exit
            interface "to-P-Dut-C"
                no shutdown
            exit
        exit
#--------------------------------------------------
echo "MPLS LSP Configuration"
#--------------------------------------------------
        mpls
            path "to-Dut-E"
                hop 1 10.20.1.3 strict
                no shutdown
            exit
            lsp "lsp-to-Dut-E"
                to 10.20.1.5
                cspf
                fast-reroute facility
                exit
                retry-timer 20
                primary "to-Dut-E"
                exit
                no shutdown
            exit
            no shutdown
        exit
#--------------------------------------------------
echo "LDP Configuration"
#--------------------------------------------------
        ldp
            interface-parameters
                interface "to-P-Dut-D"
                exit
                interface "to-P-Dut-C"
                exit
            exit
            targeted-session
            exit
            no shutdown
        exit

8.8.2. IPSec over IGP Shortcut

To route IPSec traffic over an IGP shortcut, the following must be configured:

  1. a static LAN-to-LAN tunnel
  2. an IGP shortcut (by creating an RSVP-TE tunnel in the OSPF context)
  3. an RSVP-TE LSP to the system IP address or loopback address, with CSPF enabled

8.8.2.1. Static LAN-to-LAN Tunnel Configuration

The CLI output below is an example of a static LAN-to-LAN tunnel configuration.

#--------------------------------------------------
echo "IPsec Configuration"
#--------------------------------------------------
    ipsec
        ike-policy 1 create
            description "ikePolicy_1"
            own-auth-method psk
            dh-group 1
            auth-algorithm md5
            dpd interval 10 max-retries 2
        exit
        ipsec-transform 1 create
            esp-auth-algorithm sha512
            esp-encryption-algorithm aes256
        exit
    exit
#--------------------------------------------------
echo "Service Configuration"
#--------------------------------------------------
    service
        customer 1 create
            description "Default customer"
        exit
        ies 101 customer 1 create
            interface "tunnelPublicSide_1" create
            exit
        exit
        vprn 1001 customer 1 create
            interface "tunnelPrivateSide_1" tunnel create
            exit
            interface "toIxia_1" create
            exit
        exit
        ies 101 customer 1 create     
            description "Default Ies description for service id 101"
            interface "tunnelPublicSide_1" create
                address 10.1.254.1/8
                sap tunnel-1.public:1 create
                    description "sap-10-10.1.254.1"
                exit
            exit
            service-name "XYZ Ies 101"
            no shutdown
        exit
        vprn 1001 customer 1 create
            description "Default Description For VPRN ID 1001"
            ipsec
                security-policy 1 create
                    entry 1 create
                        local-ip 10.10.10.0/8
                        remote-ip 10.1.1.0/8
                    exit
                exit
            exit
            route-distinguisher 1.1.1.1:1001
            interface "tunnelPrivateSide_1" tunnel create
                sap tunnel-1.private:1 create
                    description "sap-1001-IPSEC"
                    ipsec-tunnel "tunnelPrivateSide_1.1" create
                        security-policy 1
                        local-gateway-address 10.1.1.1 peer 10.2.2.2 delivery-
service 101
                        dynamic-keying
                            ike-policy 1
                            pre-shared-
key ".7ZAfd0optpg.FzYqTSVYbfFgzc.GZYw7W98X2uDhnHy/VmhkWqkP." hash2
                            auto-establish
                            transform 1
                        exit
                        no shutdown
                    exit
                exit
            exit
            interface "toIxia_1" create
                address 10.254.254.1/8
                sap 1/2/1:101 create  
                exit
            exit
            static-route-entry 10.1.1.0/8 
                ipsec-tunnel "tunnelPrivateSide_1.1"
                    no shutdown
                exit
            exit
            service-name "XYZ Vprn 1001"
            no shutdown
        exit
    exit
#--------------------------------------------------
echo "OSPFv2 Configuration"
#--------------------------------------------------
        ospf
            area 0.0.0.0
                interface "tunnelPublicSide_1"
                    hello-interval 5
                    dead-interval 15
                    no shutdown
                exit
            exit
        exit
#--------------------------------------------------

8.8.2.2. IGP Shortcut Configuration

The CLI output below is an example of an IGP shortcut configuration. An IGP shortcut is created using the rsvp-shortcut command in the ospf context.

#--------------------------------------------------
echo "OSPFv2 Configuration"
#--------------------------------------------------
        ospf
            traffic-engineering
            timers
                spf-wait 1000 1000 1000
            exit
            rsvp-shortcut
            area 0.0.0.0
                interface "system"
                    hello-interval 5
                    dead-interval 15
                    no shutdown
                exit
                interface "network"
                    hello-interval 5
                    dead-interval 15
                    metric 100
                    no shutdown       
                exit
            exit
        exit
#--------------------------------------------------

8.8.2.3. RSVP-TE LSP Configuration

The CLI output below is an example of an RSVP-TE LSP with CSPF enabled.

#--------------------------------------------------
echo "MPLS Configuration"
#--------------------------------------------------
        mpls
            interface "system"
                no shutdown
            exit
            interface "network"
                no shutdown
            exit
        exit
#--------------------------------------------------
echo "RSVP Configuration"
#--------------------------------------------------
        rsvp
            interface "system"
                no shutdown
            exit
            interface "network"
                no shutdown
            exit
            no shutdown
        exit
#--------------------------------------------------
echo "MPLS LSP Configuration"
#--------------------------------------------------
        mpls
            path "Path1AToC"
                no shutdown
            exit
            lsp "Lsp1AToC"
                to 10.10.20.1
                cspf
                retry-timer 20
                metric 100
                primary "Path1AToC"
                exit                  
                no shutdown
            exit
            no shutdown
        exit
    exit
#--------------------------------------------------

8.9. Service Management Tasks

This section provides a brief overview of the following service management tasks:

8.9.1. Deleting an IPSec IKE Policy or an IPSec Transform

An IPSec IKE policy or transform cannot be deleted if it is being used by an IPSec tunnel. To delete an IKE policy or IPSec transform:

CLI Syntax:
config>service>vprn>if>sap>ipsec-tunnel# dynamic-keying
config>service>vprn>if>sap>ipsec-tunnel>dynamic-keying# no ike-policy
config>service>vprn>if>sap>ipsec-tunnel>dynamic-keying# no transform
config>service>vprn>if>sap>ipsec-tunnel>dynamic-keying# exit all
config>ipsec# no ike-policy ike-policy-id
config>ipsec# no ipsec-transform transform-id
Example:
config>service>vprn>if>sap>ipsec-tunnel# dynamic-keying
config>service>vprn>if>sap>ipsec-tunnel>dynamic-keying# no ike-policy
config>service>vprn>if>sap>ipsec-tunnel>dynamic-keying# no transform
config>service>vprn>if>sap>ipsec-tunnel>dynamic-keying# exit all
config>ipsec# no ike-policy 2
config>ipsec# no ipsec-transform 2

8.9.2. Deleting a Public-Side IPSec Tunnel SAP and Interface

A public-side IPSec tunnel interface and SAP are created under an IES or VPRN service. The output below uses the CLI syntax and an example from the IES context to show how to delete a public-side IPSec tunnel interface and SAP:

CLI Syntax:
config>service>ies>interface# no sap tunnel-id.public:tag
config>service>ies# no interface ip-int-name
Example:
config>service>ies>interface# no sap tunnel-1.public:22
config>service>ies# no interface ies_tunnelPublicSide_1

8.9.3. Deleting a Private-Side IPSec Tunnel SAP and Interface

A private-side IPSec tunnel interface and SAP are created under a VPRN service. To delete a private-side IPSec tunnel interface and SAP:

CLI Syntax:
config>service>vprn>interface# no sap tunnel-id.private:tag
config>service>vprn# no interface ip-int-name
Example:
config>service>vprn>interface# no sap tunnel-1.private:22
config>service>vprn# no interface vprn-tunnel

8.9.4. Deleting an IPSec Security Policy

Security policies are created under the VPRN service. To delete an IPSec security policy:

CLI Syntax:
config>service>vprn>ipsec# no security-policy security-policy-id
Example:
config>service>vprn# no security-policy 35

8.9.5. Deleting an IPSec Tunnel

IPSec tunnels are created under the VPRN service. Although an IPSec tunnel is created on the private side of the tunnel in the CLI, the configuration itself is general and can apply to either the public or private side of the tunnel. To delete an IPSec tunnel:

CLI Syntax:
config>service>vprn>if>sap# no ipsec-tunnel ipsec-tunnel-name
Example:
config>service>vprn>if>sap# no ipsec-tunnel ies_tunnelPublicSide_1