8.10. IPSec Command Reference

8.10.1. Command Hierarchies

8.10.1.1. IPSec Configuration Commands

8.10.1.1.1. ISA Tunnel Commands

config
[no] isa
tunnel-group tunnel-group-id [create]
— no tunnel-group tunnel-group-id
description description-string
— no description
[no] shutdown

8.10.1.1.2. IPSec Commands

— config
ipsec
ike-policy ike-policy-id [create]
— no ike-policy ike-policy-id
auth-algorithm {md5 | sha1 | sha256 | sha384 | sha512}
auth-method psk
description description-string
— no description
dh-group {1 | 2 | 5 | 14 | 15}
— no dh-group
dpd [interval interval] [max-retries max-retries] [reply-only]
— no dpd
encryption-algorithm {des | 3des | aes128 | aes192 | aes256}
ike-mode {main | aggressive}
— no ike-mode
ike-version {1 | 2}
— no ike-version
ikev2-fragment mtu octets reassembly-timeout seconds
ipsec-lifetime ipsec-lifetime
isakmp-lifetime isakmp-lifetime
nat-traversal [force] [keep-alive-interval keep-alive-interval] [force-keep-alive]
pfs [dh-group {1 | 2 | 5}]
— no pfs
ipsec-transform transform-id [create]
— no ipsec-transform transform-id
esp-auth-algorithm {null | md5 | sha1| sha256 | sha384 | sha512}
esp-encryption-algorithm {null | des | 3des | aes128 | aes192 | aes256}
static-sa sa-name [create]
— no static-sa sa-name
authentication auth-algorithm ascii-key ascii-string
authentication auth-algorithm hex-key hex-string [hash | hash2]
direction ipsec-direction
— no direction
protocol ipsec-protocol
— no protocol
spi spi
— no spi

8.10.1.1.3. Service Configuration Commands

config
— service
— vprn service-id
ipsec
security-policy security-policy-id [create]
— no security-policy security-policy-id
entry entry-id [create]
— no entry entry-id
local-ip {ip-prefix/prefix-length | ip-prefix netmask | any}
— no local-ip
local-v6-ip {ipv6-prefix/prefix-length | any}
remote-ip {ip-prefix/prefix-length | ip-prefix netmask | any}
— no remote-ip
remote-v6-ip {ipv6-prefix/prefix-length | any}

8.10.1.1.4. Service Interface Tunnel Commands

config
— service
— ies
interface ip-int-name [tunnel] [create]
— no interface ip-int-name
sap sap-id [create]
— no sap sap-id
config
— service
— vprn
interface ip-int-name [tunnel] [create]
— no interface ip-int-name
sap sap-id [create]
— no sap sap-id
ipsec-tunnel ipsec-tunnel-name [create]
— no ipsec-tunnel ipsec-tunnel-name
[no] bfd-designate
bfd-enable service service-id interface interface-name dst-ip b ip-address
— no bfd-enable
[no] clear-df-bit
[no] copy-df-bit
description description-string
[no] dynamic-keying
[no] auto-establish
ike-policy ike-policy-id
— no ike-policy
local-id type {ipv4 | fqdn | ipv6} value value
— no local-id
pre-shared-key key [hash | hash2]
transform transform-id [transform-id...(up to 4 max) ]
— no transform
ip-mtu octets
— no ip-mtu
local-gateway-address ip-address peer ip-address delivery-service service-id
[no] manual-keying
security-association security-entry-id authentication-key authentication-key encryption-key encryption-key spi spi transform transform-id direction {inbound | outbound}
— no security-association security-entry-id direction {inbound | outbound}
security-policy security-policy-id

8.10.1.1.5. Service Static Route Commands

config
— service
— vprn service-id
[no] static-route-entry ip-prefix/prefix-length
[no] ipsec-tunnel ipsec-tunnel-name
[no] description description-string
[no] metric metric
[no] preference preference
[no] shutdown
[no] tag tag

See VPRN Service Configuration Commands in VPRN Services Command Reference for the command descriptions.

8.10.1.2. PKI Configuration Commands

8.10.1.2.1. X.509 and Certificate Commands

admin
— certificate
clear-ocsp-cache [entry-id]
cmpv2
cert-request ca ca-profile-name current-key key-filename current-cert cert-filename [hash-alg hash-algorithm] newkey key-filename subject-dn subject-dn save-as save-path-of-result-cert
clear-request ca ca-profile-name
initial-registration ca ca-profile-name key-to-certify key-filename protection-alg {password password reference ref-number | signature [cert cert-file-name [send-chain [with-ca ca-profile-name]]] [protection-key key-filename] [hash-alg {md5 | sha1 | sha224 | sha256 | sha384 | sha512}]} subject-dn dn save-as save-path-of-result-cert
key-update ca ca-profile-name newkey key-filename oldkey key-filename oldcert cert-filename [hash-alg hash-algorithm] save-as save-path-of-result-cert
poll ca ca-profile-name
show-request [ca ca-profile-name]
display type {cert | key | crl | cert-request} url-string format {pkcs10 | pkcs12 | pkcs7-der | pkcs7-pem | pem | der} [password password]
export type {cert | key |crl} input input-filename output url-string format output-format [password password] [pkey pkey-filename]
gen-keypair url-string [size {512 | 1024 | 2048}] [type {rsa | dsa}]
gen-local-cert-req keypair url-string subject-dn subject-dn [domain-name domain-name] [ip-addr {ip-address | ipv6-address}] file url-string [hash-alg hash-algorithm] [use-printable]
import type {cert | key | crl} input url-string output filename format input-format [password password]
reload type {cert | key} filename [key-file filename]

8.10.1.2.2. PKI Infrastructure Commands

configure
— system
— security
pki
ca-profile name [create]
— no ca-profile name
cert-file filename
— no cert-file
cmpv2
http-version {1.0 | 1.1}
key password [hash | hash2] reference reference-number
— no key reference reference-number
url url-string [service-id service-id]
— no url
crl-file filename
— no crl-file
description description-string
— no description
ocsp
responder-url url-string
service service-id
— no service
[no] shutdown
certificate-display-format {ascii | utf8}
certificate-expiration-warning hours [repeat repeat-hours]
crl-expiration-warning hours [repeat repeat-hours]

8.10.1.2.3. IPSec PKI Commands

config
— ipsec
cert-profile profile-name [create]
— no cert-profile profile-name
entry entry-id [create]
— no entry entry-id
cert cert-filename
— no cert
key key-filename
— no key
[no] send-chain
[no] ca-profile name
ike-policy ike-policy-id [create]
— no ike-policy ike-policy-id
auth-method {psk | cert-auth}
— no auth-method
own-auth-method {psk |cert}
— no auth-method
[no] shutdown
trust-anchor-profile name [create]

8.10.1.2.4. IKE PKI Commands

config
— service
— vprn
interface ip-int-name [tunnel] [create]
— no interface ip-int-name
sap sap-id [create]
— no sap sap-id
ipsec-tunnel ipsec-tunnel-name [create]
— no ipsec-tunnel ipsec-tunnel-name
— cert
cert-profile profile
— no cert-profile
default-result {revoked | good}
primary {crl | ocsp}
— no primary
secondary {crl | ocsp}
— no secondary
trust-anchor-profile profile-name

8.10.1.2.5. Automatic CRL Update Commands

admin
— certificate
crl-update ca ca-profile-name
config
— system
file-transmission-profile name [create]
ipv4-source-address ip-address
ipv6-source-address ipv6-address
redirection level
retry count
— no retry
router router-instance
router service vprn-service-name
timeout seconds
— security
pki
ca-profile name [create]
— no ca-profile name
auto-crl-update [create]
url-entry entry-id [create]
— no url-entry entry-id
file-transmission-profile profile-name
url url
— no url
periodic-update-interval [days days] [hrs hours] [min minutes] [sec seconds]
pre-update-time [days days] [hrs hours] [min minutes] [sec seconds]
retry-interval seconds
schedule-type schedule-type
[no] shutdown

8.10.1.3. Show Commands

show
— certificate
ca-profile name [association]
ocsp-cache entry-id
— ipsec
cert-profile name association
cert-profile [name]
cert-profile name entry [1..8]
ike-policy ike-policy-id
security-policy service service-id [security-policy-id security-policy-id]
transform [transform-id]
trust-anchor-profile trust-anchor-profile association
trust-anchor-profile [trust-anchor-profile]
tunnel
tunnel ipsec-tunnel-name
tunnel count
show
— mda slot/mda
— statistics {source-mda | dest-mda | security [encryption]}      (for 7705 SAR-8 Shelf V2 and 7705 SAR-18)
— mda aggregate-statistics       (for 7705 SAR-Ax, 7705 SAR-H, 7705 SAR-Hc, 7705 SAR-W, and 7705 SAR-Wx)

Refer to the section “Show, Monitor, Clear, and Debug Command Reference” in the 7705 SAR Interface Configuration Guide for information on the show>mda commands.

show
— router
— interface ip-int-name statistics

Refer to the section “IP Router Command Reference” in the 7705 SAR Router Configuration Guide for information on the show>router >interface statistics command.

8.10.1.4. Clear Commands

clear
mda {slot/mda | all}
mda all statistics
mda slot/mda statistics security [encryption]

8.10.1.5. Debug Commands

debug
[no] cmpv2
[no] ca-profile profile-name
— ipsec
[no] certificate filename
tunnel [ipsec-tunnel-name] [detail]
— no tunnel [ipsec-tunnel-name]

8.10.2. Command Descriptions

8.10.2.1. IPSec Configuration Commands

8.10.2.1.1. Generic Commands

description

Syntax 
description description-string
no description
Context 
config>ipsec>ike-policy
config>isa>tunnel-group
config>service>ies>interface
config>service>ies>if>sap
config>service>vprn>interface
config>service>vprn>if>sap
config>service>vprn>if>sap>ipsec-tunnel
Description 

This command creates a text description stored in the configuration file for a configuration context.

The no form of this command removes the string from the context.

Default 

No description is associated with the configuration context.

Parameters 
description-string—
the description character string. Allowed values are any string up to 80 characters long composed of printable, 7-bit ASCII characters. If the string contains special characters (#, $, spaces, etc.), the entire string must be enclosed within double quotes.

shutdown

Syntax 
[no] shutdown
Context 
config>isa>tunnel-group
config>service>ies>interface
config>service>ies>if>sap
config>service>vprn>interface
config>service>vprn>if>sap
Description 

The shutdown command administratively disables an entity. The operational state of the entity is disabled as well as the operational state of any entities contained within. When disabled, an entity does not change, reset, or remove any configuration settings or statistics. Many objects must be shut down before they may be deleted. Many entities must be explicitly enabled using the no shutdown command.

The no form of this command places the entity into an administratively enabled state.

Services are created in the administratively down state (shutdown). When a no shutdown command is entered, the service becomes administratively up and then tries to enter the operationally up state.

8.10.2.1.2. ISA Tunnel Commands

isa

Syntax 
[no] isa
Context 
config
Description 

This command creates an ISA tunnel configuration context.

The no form of this command removes the context.

Default 

n/a

tunnel-group

Syntax 
tunnel-group tunnel-group-id [create]
no tunnel-group tunnel-group-id
Context 
config>isa
Description 

This command enables a tunnel group to be created or edited. The 7705 SAR can have only one tunnel group (tunnel-group 1).

The no form of the command deletes the specified tunnel group from the configuration.

Default 

n/a

Parameters 
tunnel-group-id—
specifies an integer value that uniquely identifies the tunnel group
Values—
1 to 16 (1 is the only valid value)

 

create—
mandatory keyword required when creating a tunnel group. The create keyword requirement can be enabled/disabled in the environment>create context.

8.10.2.1.3. Internet Key Exchange (IKE) and Transform Commands

ipsec

Syntax 
ipsec
Context 
config
Description 

This command enables the context to configure Internet Protocol security (IPSec) parameters. IPSec is a structure of open standards to ensure private, secure communications over Internet Protocol (IP) networks by using cryptographic security services.

ike-policy

Syntax 
ike-policy ike-policy-id [create]
no ike-policy ike-policy-id
Context 
config>ipsec
Description 

This command enables provisioning of IKE policy parameters.

The no form of the command removes the IKE policy.

Parameters 
ike-policy-id—
specifies a policy ID value to identify the IKE policy
Values—
1 to 2048

 

create—
mandatory keyword required when creating an IKE policy. The create keyword requirement can be enabled/disabled in the environment>create context.

auth-algorithm

Syntax 
auth-algorithm {md5 | sha1 | sha256 | sha384 | sha512}
no auth-algorithm
Context 
config>ipsec>ike-policy
Description 

This command specifies which hashing algorithm to use for the IKE authentication function. The no form of the command returns the parameter to its default value.

Default 

sha1

Parameters 
md5—
specifies the hmac-md5 algorithm for authentication
sha1—
specifies the hmac-sha1 algorithm for authentication
sha256—
specifies the sha256 algorithm for authentication
sha384—
specifies the sha384 algorithm for authentication
sha512—
specifies the sha512 algorithm for authentication

auth-method

Syntax 
auth-method psk
no auth-method
Context 
config>ipsec>ike-policy
Description 

This command specifies the authentication method used with this IKE policy. Configuring the policy for pre-shared key (PSK) or no auth-method produces the same result since PSK is both the default value and the only option.

The no form of the command returns the parameter to its default value (psk).

Default 

no auth-method

Parameters 
psk—
both the client and the gateway authenticate each other by a hash derived from a secret PSK. Both client and gateway must have the PSK. This works with both IKEv1 and IKEv2.

dh-group

Syntax 
dh-group {1 | 2 | 5 | 14 | 15}
no dh-group
Context 
config>ipsec>ike-policy
Description 

This command specifies which Diffie-Hellman group is used to calculate session keys:

  1. Group1: 768 bits
  2. Group2: 1024 bits
  3. Group5: 1536 bits
  4. Group14: 2048 bits
  5. Group15: 3072 bits

More bits provide a higher level of security but require more processing.

The no form of the command returns the parameter to its default value (Group2).

Default 

no dh-group (Group2)

dpd

Syntax 
dpd [interval interval] [max-retries max-retries] [reply-only]
no dpd
Context 
config>ipsec>ike-policy
Description 

This command controls the dead peer detection (DPD) mechanism to detect a dead IKE peer.

The no form of the command disables DPD and returns the parameters to their default values.

Default 

no dpd

Parameters 
interval
specifies the interval that will be used to test connectivity to the tunnel peer. If the peer initiates the connectivity check before the interval timer, it will be reset.
Values—
10 to 300 s

 

Default—
30
max-retries
specifies the maximum number of retries before the tunnel is removed
Values—
2 to 5

 

Default—
3
reply-only—
specifies to only reply to DPD keepalives. Issuing the command without the reply-only keyword disables the reply-only behavior.

encryption-algorithm

Syntax 
encryption-algorithm {des | 3des | aes128 | aes192 | aes256}
no encryption-algorithm
Context 
config>ipsec>ike-policy
Description 

This command specifies the encryption algorithm to use for the IKE session.

The no form of the command returns the algorithm to its default value (aes128).

Default 

aes128

Parameters 
des—
configures the 56-bit des algorithm for encryption. This is an older algorithm, with relatively weak security. It should only be used when a strong algorithm is not available at both ends at an acceptable performance level.
3des—
configures the 3-des algorithm for encryption. This is a modified application of the des algorithm that uses multiple des operations for more security.
aes128—
configures the aes algorithm with a block size of 128 bits. This is the mandatory implementation size for aes.
aes192—
configures the aes algorithm with a block size of 192 bits. This is a stronger version of aes.
aes256—
configures the aes algorithm with a block size of 256 bits. This is the strongest available version of aes.

ike-mode

Syntax 
ike-mode {main | aggressive}
no ike-mode
Context 
config>ipsec>ike-policy
Description 

This command specifies the mode of operation for IKEv1 phase 1, either main mode or aggressive mode. The difference between the modes is the number of messages used to establish the session. IKEv1 phase 1 main mode uses three pairs of messages (for a total of six messages) between IPSec peers. IKEv1 phase 1 aggressive mode has only three message exchanges.

This command does not apply to IKEv2.

The no form of the command removes the mode of operation.

Default 

main

Parameters 
main—
specifies that IKEv1 phase 1 will operate in main mode
aggressive—
specifies that IKEv1 phase 1 will operate in aggressive mode

ike-version

Syntax 
ike-version {1 | 2}
no ike-version
Context 
config>ipsec>ike-policy
Description 

This command configures the version of the IKE protocol that the IKE policy will use.

The no form of the command removes the configured version.

Default 

2

Parameters 
1—
specifies that the IKE policy will use IKEv1
2—
specifies that the IKE policy will use IKEv2

ikev2-fragment

Syntax 
ikev2-fragment mtu octets reassembly-timeout seconds
no ikev2-fragment
Context 
config>ipsec>ike-policy
Description 

This command enables IKEv2 protocol-level fragmentation (per RFC 7383). The MTU specified is the maximum size of the IKEv2 packet.

IKEv2 fragmentation is enabled for a tunnel only if this command is configured and if the peer also announces its support by sending an IKEV2_FRAGMENTATION_SUPPORTED notification.

Default 

no ikev2-fragment

Parameters 
octets—
the MTU for IKEv2 messages
Values—
512 to 9000

 

seconds—
the time allowed for fragment reassembly before the fragments are discarded
Values—
1 to 5

 

ipsec-lifetime

Syntax 
ipsec-lifetime ipsec-lifetime
no ipsec-lifetime
Context 
config>ipsec>ike-policy
Description 

This parameter specifies the lifetime of a phase 2 SA.

The no form of the command returns the ipsec-lifetime value to the default.

Default 

3600 (1 hr)

Parameters 
ipsec-lifetime—
specifies the lifetime of the phase 2 IKE key, in seconds
Values—
1200 to 172800

 

isakmp-lifetime

Syntax 
isakmp-lifetime isakmp-lifetime
no isakmp-lifetime
Context 
config>ipsec>ike-policy
Description 

This command specifies the lifetime of a phase 1 SA. ISAKMP stands for Internet Security Association and Key Management Protocol.The no form of the command returns the isakmp-lifetime value to the default value.

Default 

86400

Parameters 
isakmp-lifetime—
specifies the lifetime of the phase 1 IKE key, in seconds
Values—
1200 to 172800

 

nat-traversal

Syntax 
nat-traversal [force] [keep-alive-interval keep-alive-interval] [force-keep-alive]
no nat-traversal
Context 
config>ipsec>ike-policy
Description 

This command specifies whether NAT-T (Network Address Translation Traversal) is enabled, disabled, or in force mode. Enabling NAT-T enables the NAT detection mechanism. If a NAT device is detected in the path between the 7705 SAR and its IPSec peer, then UDP encapsulation is done on the IPSec packet to allow the IPSec traffic to traverse the NAT device.

When nat-traversal is used without any parameters, NAT-T is enabled and sending keepalive packets is disabled (keep-alive-interval is 0 s).

When the force keyword is used, the IPSec tunnel always uses a UDP value in its header, regardless of whether a NAT device is detected.

The force-keep-alive keyword specifies whether keepalive packets are sent only when a NAT device is detected or are always sent (regardless of detection of a NAT device). When force-keep-alive is used, packets are always sent and the “Behind NAT Only” field in the show>ipsec>ike-policy ike-policy-id indicates False. When force-keep-alive is not used, packets are may or may not be sent, depending on the whether NAT-T is enabled or disabled. In this case, the “Behind NAT Only” field indicates True.

The keep-alive-timer keyword defines the frequency, where “0” means that keepalives are disabled.

The no form of the command returns the parameters to the default values (NAT-T is disabled, keep-alive-interval is 0 s, and force-keep-alive is True).

Default 

no nat-traversal

Parameters 
force—
when specified, forces NAT-T to be enabled
keep-alive-interval
specifies the keepalive interval for NAT-T. If the value is 0 s, then keepalive messages are disabled.
Values—
120 to 600 s

 

Default—
0 s
force-keep-alive—
specifies that NAT-T keepalive packets are always sent, regardless of NAT detection results

own-auth-method

Syntax 
own-auth-method psk
no own-auth-method
Context 
config>ipsec>ike-policy
Description 

This command specifies the authentication method used by the 7705 SAR to self-authenticate. This command (own-auth-method) applies only to IKEv2.

The default self-authentication method used by the 7705 SAR is symmetric, which means the self-authentication method is the same as the authentication method used by this IKE policy for the remote peer (that is, the own-auth-method is the same as auth-method).

The no form of the command returns the parameter to the default value (symmetric).

Default 

no own-auth-method

Parameters 
psk—
specifies the use of a pre-shared key to self-authenticate

pfs

Syntax 
pfs [dh-group {1 | 2 | 5}]
no pfs
Context 
config>ipsec>ike-policy
Description 

This command enables Perfect Forward Secrecy (PFS) on the IPSec tunnel using this policy. PFS provides for a new Diffie-Hellman key exchange each time the SA key is renegotiated. After each SA expires, the key is forgotten and another key is generated (if the SA remains up). This means that an attacker who cracks part of the exchange can only read the part that used the key before the key changed. Thus, there is no advantage to cracking the other parts of the exchange if an attacker has already cracked one.

When pfs is used without the dh-group command, the default DH group (Group 2) is used.

The no form of the command disables PFS. If pfs is turned off during an active SA, then when the SA expires and it is time to re-key the session, the original Diffie-Hellman primes is used to generate the new keys.

Default 

no pfs

Parameters 
dh-group {1 | 2 | 5}—
when dh-group is used, specifies which Diffie-Hellman group to use for calculating session keys. Higher dh-group values translate to higher level of security, but require more processing. Three groups are supported:
  1. Group 1: 768 bits
  2. Group 2: 1024 bits
  3. Group 5: 1536 bits

ipsec-transform

Syntax 
ipsec-transform transform-id [create]
no ipsec-transform transform-id
Context 
config>ipsec
Description 

This command enables the context to create an ipsec-transform policy. IPSec transform policies can be shared between IPSec tunnels by using the transform command.

IPSec transform policy assignments to a tunnel require the tunnel to be shut down.

The no form of the command removes the transform ID from the configuration.

Parameters 
transform-id—
specifies a policy ID value to identify the IPSec transform policy
Values—
1 to 2048

 

create—
mandatory keyword required when creating an ipsec-transform policy. The create keyword requirement can be enabled/disabled in the environment>create context.

esp-auth-algorithm

Syntax 
esp-auth-algorithm {null | md5 | sha1 | sha256 | sha384 | sha512}
no esp-auth-algorithm
Context 
config>ipsec>transform
Description 

This command specifies which hashing algorithm should be used for the authentication function Encapsulating Security Payload (ESP). Both ends of a tunnel must share the same configuration parameters in order for the IPSec tunnel to enter the operational state.

The null keyword in this command and the null keyword in the esp-encryption-algorithm command are mutually exclusive.

The no form of the command returns the parameter to its default value.

Default 

sha1

Parameters 
null—
a very fast algorithm specified in RFC 2410, which provides no authentication
md5—
configures ESP to use the hmac-md5 algorithm for authentication
sha1—
configures ESP to use the hmac-sha1 algorithm for authentication
sha256—
configures ESP to use the sha256 algorithm for authentication
sha384—
configures ESP to use the sha384 algorithm for authentication
sha512—
configures ESP to use the sha512 algorithm for authentication

esp-encryption-algorithm

Syntax 
esp-encryption-algorithm {null | des | 3des | aes128 | aes192 | aes256}
no esp-encryption-algorithm
Context 
config>ipsec>transform
Description 

This command specifies the encryption algorithm to use for the IPSec session. Encryption only applies to Encapsulating Security Payload (ESP) configurations.

For IPSec tunnels to come up, both ends of the IPSec tunnel (both private-side endpoints) must be configured with the same encryption algorithm. That is, the configuration for vprn>if>sap> ipsec-tunnel transform must match at both nodes.

The null keyword in this command and the null keyword in the esp-auth-algorithm command are mutually exclusive.

The no form of the command returns the parameter to its default value.

Default 

aes128

Parameters 
null—
configures the high-speed null algorithm, which does nothing. This is the same as not having encryption turned on.
des—
configures the 56-bit des algorithm for encryption. This is an older algorithm, with relatively weak security. Although slightly better than no encryption, it should only be used when a strong algorithm is not available at both ends at an acceptable performance level.
3des—
configures the 3-des algorithm for encryption. This is a modified application of the des algorithm that uses multiple des operations to make things more secure.
aes128—
configures the aes algorithm with a block size of 128 bits. This is the mandatory implementation size for aes. This is a very strong algorithm choice.
aes192—
configures the aes algorithm with a block size of 192 bits. This is a stronger version of aes.
aes256—
configures the aes algorithm with a block size of 256 bits. This is the strongest available version of aes.

static-sa

Syntax 
static-sa sa-name [create]
no static-sa sa-name
Context 
config>ipsec
Description 

This command configures an IPSec static security association (SA).

Default 

no static-sa

Parameters 
sa-name—
specifies the name of the IPSec static SA, up to 32 characters

authentication

Syntax 
authentication auth-algorithm ascii-key ascii-string
authentication auth-algorithm hex-key hex-string [hash | hash2]
no authentication
Context 
config>ipsec>static-sa
Description 

This command configures the authentication algorithm to use for the specified static SA.

The no form of the command resets to command to the default value.

Default 

sha1

Parameters 
auth-algorithm —
specifies an authentication algorithm
Values—
md5 | sha1

 

ascii-string—
specifies a string for an ASCII key
Values—
md5: must be 16 characters
sha1: must be characters

 

hex-string—
specifies a string for a hexadecimal key
Values—
md5: must be 2 hexadecimal nibbles
sha1: must be 40 hexadecimal nibbles

 

hash—
specifies that the key is entered in an encrypted form. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, clear text form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.
hash2—
specifies that the key is entered in a more complex encrypted form that involves more variables than the key value alone, meaning that the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, clear text form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

direction

Syntax 
direction ipsec-direction
no direction
Context 
config>ipsec>static-sa
Description 

This command configures the direction for the specified static SA.

The no form of the command resets the command to the default value.

Default 

bidirectional

Parameters 
ipsec-direction—
specifies the direction in which this static SA entry can be applied
Values—
inbound | outbound | bidirectional

 

protocol

Syntax 
protocol ipsec-protocol
no protocol
Context 
config>ipsec>static-sa
Description 

This command configures the security protocol to use for the specified static SA. The no form of the command resets th command to the default value.

Default 

esp

Parameters 
ipsec-protocol—
specifies the IPSec protocol used with this static SA
Values—
ah — specifies the Authentication Header protocol esp — specifies the Encapsulation Security Payload protocol

 

spi

Syntax 
spi spi
no spi
Context 
config>ipsec>static-sa
Description 

This command configures the Security Parameter Index (SPI) key value for the specified IPSec SA.

The SPI is used to look up the instruction to verify and decrypt the incoming IPSec packets when the value of the direction command is inbound.

The SPI value specifies the SPI that will be used in the encoding of the outgoing packets when the value of the direction command is outbound. The remote node can use this SPI to look up the instruction to verify and decrypt the packet.

If no SPI is configured, the static SA cannot be used. The no form of the command removes the configured SPI.

Default 

none

Parameters 
spi—
specifies the SPI for this SA
Values—
256 to 16383

 

8.10.2.1.4. Service Configuration Commands

ipsec

Syntax 
ipsec
Context 
config>service>vprn
Description 

This command enables the context to configure IPSec policies.

Default 

n/a

security-policy

Syntax 
security-policy security-policy-id [create]
no security-policy security-policy-id
Context 
config>service>vprn>ipsec
Description 

This command configures a security policy to use for an IPSec tunnel. An entry specifying local and remote IP addresses must be defined before the policy can be used.

The no form of the command removes the policy. Policy entries must be deleted before the policy can be removed.

Default 

n/a

Parameters 
security-policy-id—
specifies an identifier value to be assigned to a security policy
Values—
1 to 8192

 

create—
mandatory keyword used to create the security policy instance. The create keyword requirement can be enabled/disabled in the environment>create context.

entry

Syntax 
entry entry-id [create]
no entry entry-id
Context 
config>service>vprn>ipsec>sec-plcy
Description 

This command configures an IPSec security policy entry.

The no form of the command removes the entry.

Default 

n/a

Parameters 
entry-id—
specifies an identifier value for the IPSec security policy entry
Values—
1 to 16

 

create—
mandatory keyword used to create the security policy entry. The create keyword requirement can be enabled/disabled in the environment>create context.

local-ip

Syntax 
local-ip {ip-prefix l prefix-length | ip-prefix netmask | any}
no local-ip
Context 
config>service>vprn>ipsec>sec-plcy>entry
Description 

This command configures the local (from the VPN) IP prefix/mask for the policy parameter entry.

Only one entry is necessary to describe a potential traffic flow. The local-ip and remote-ip commands can be defined only once. The system will evaluate the local IP as the source IP when traffic is examined in the direction of the VPN to the tunnel and as the destination IP when traffic flows from the tunnel to the VPN. The remote IP will be evaluated as the source IP when traffic flows from the tunnel, and as the destination IP to the VPN when traffic flows from the VPN to the tunnel.]

The no form of the command clears the IP entry.

Default 

no local-ip

Parameters 
ip-prefix—
the destination address of the aggregate route in dotted-decimal notation
Values—
a.b.c.d (host bits must be 0) (0.0.0.0 is not allowed)
prefix-length:  1 to 32

 

netmask—
the subnet mask in dotted-decimal notation
Values—
a.b.c.d (network bits all 1 and host bits all 0) (0.0.0.0 is not allowed

 

any—
keyword to specify that it can be any address

local-v6-ip

Syntax 
local-v6-ip {ipv6-prefix l prefix-length | any}
no local-v6-ip
Context 
config>service>vprn>ipsec>sec-plcy>entry
Description 

This command configures the local (from the VPN) IPv6 address for the policy parameter entry.

Only one entry is necessary to describe a potential traffic flow. The local-v6-ip and remote-v6-ip commands can be defined only once. The system will evaluate the local IPv6 address as the source IPv6 address when traffic is examined in the direction of the VPN to the tunnel and as the destination IPv6 address when traffic flows from the tunnel to the VPN. The remote IPv6 address will be evaluated as the source IPv6 address when traffic flows from the tunnel to the VPN and as the destination IPv6 address when traffic flows from the VPN to the tunnel.

The no form of the command clears the IPv6 address entry.

Default 

no local-v6-ip

Parameters 
ipv6-prefix / prefix-length—
the local IPv6 address
Values—
ipv6-prefix         x:x:x:x:x:x:x:x (eight 16-bit pieces)
                           x:x:x:x:x:x:d.d.d.d
                           x:   [0 to FFFF]H
                           d:   [0 to 255]D
                            (host bits must be 0)
                            ( :: not allowed)
prefix-length      0 to 128

 

any—
keyword to specify that it can be any address

remote-ip

Syntax 
remote-ip {ip-prefix / prefix-length | ip-prefix netmask | any}
no remote-ip
Context 
config>service>vprn>ipsec>sec-plcy>entry
Description 

This command configures the remote (from the tunnel) IP prefix/mask for the policy parameter entry.

Only one entry is necessary to describe a potential traffic flow. The local-ip and remote-ip commands can be defined only once. The system will evaluate the local IP as the source IP when traffic is examined in the direction of the VPN to the tunnel and as the destination IP when traffic flows from the tunnel to the VPN. The remote IP will be evaluated as the source IP when traffic flows from the tunnel to the VPN and as the destination IP when traffic flows from the VPN to the tunnel.

The no form of the command clears the IP entry.

Default 

no remote-ip

Parameters 
ip-prefix—
specifies the destination address of the aggregate route in dotted-decimal notation
Values—
a.b.c.d (host bits must be 0) (0.0.0.0 is not allowed)
prefix-length:  1 to 32

 

netmask—
the subnet mask in dotted-decimal notation
Values—
a.b.c.d (network bits all 1 and host bits all 0) (0.0.0.0 is not allowed

 

any—
keyword to specify that it can be any address

remote-v6-ip

Syntax 
remote-v6-ip {ipv6-prefix / prefix-length | any}
no remote-v6-ip
Context 
config>service>vprn>ipsec>sec-plcy>entry
Description 

This command configures the remote (from the tunnel) IPv6 address for the policy parameter entry.

Only one entry is necessary to describe a potential traffic flow. The local-v6-ip and remote-v6-ip commands can be defined only once. The system will evaluate the local IPv6 address as the source IPv6 address when traffic is examined in the direction of the VPN to the tunnel and as the destination IPv6 address when traffic flows from the tunnel to the VPN. The remote IPv6 address will be evaluated as the source IPv6 address when traffic flows from the tunnel to the VPN and as the destination IPv6 address when traffic flows from the VPN to the tunnel.

The no form of the command clears the IPv6 address entry.

Default 

no remote-v6-ip

Parameters 
ipv6-prefix—
the remote IPv6 address
Values—
ipv6-prefix         x:x:x:x:x:x:x:x (eight 16-bit pieces)
                           x:x:x:x:x:x:d.d.d.d
                           x:   [0 to FFFF]H
                           d:   [0 to 255]D
                            (host bits must be 0)
                            ( :: not allowed)
prefix-length      0 to 128

 

any—
keyword to specify that it can be any address

8.10.2.1.5. Service Interface Tunnel Commands

interface

Syntax 
interface ip-int-name [tunnel] [create]
no interface ip-int-name
Context 
config>service>vprn
config>service>ies
Description 

This command creates a logical IP routing interface.

When creating tunnel interfaces, the tunnel keyword must be used for private-side (VPRN) interfaces. The tunnel keyword is not used for public-side (IES or VPRN) interfaces.

Default 

n/a

Parameters 
ip-int-name—
specifies an IP interface name up to 32 characters in length
tunnel—
specifies that the interface is a private tunnel
create—
mandatory keyword required when creating an IP interface. The create keyword requirement can be enabled/disabled in the environment>create context.

sap

Syntax 
sap sap-id [create]
no sap sap-id
Context 
config>service>vprn>if
config>service>ies>if
Description 

This command creates a SAP.

For IES and VPRN services using tunnel interfaces, the sap-id for private and public tunnel interfaces are shown below. An IES or VPRN public tunnel SAP is created when the sap-id includes the tunnel and public keywords.The VPRN private tunnel SAP allows provisioning of an IPSec tunnel, and is created when the VPRN sap-id includes the tunnel and private keywords

See sap In the VLL Services Command Reference for details on configuring all SAPs.

Default 

n/a

Parameters 
sap-id—
specifies the port identifier portion of the SAP definition. For a tunnel interface, the sap-id is as follows:
Values—
tunnel-id.[private | public]:tag
   tunnel          keyword
   id                 1 to 16 (only the value 1 is allowed)
   private         keyword
   public          keyword
   tag               0 to 4094

 

create—
mandatory keyword required when creating a SAP. The create keyword requirement can be enabled/disabled in the environment>create context.

ipsec-tunnel

Syntax 
ipsec-tunnel ipsec-tunnel-name [create]
no ipsec-tunnel ipsec-tunnel-name
Context 
config>service>vprn>if>sap
Description 

This command specifies an IPSec tunnel name. Configuring the commands under the ipsec-tunnel context defines where the IPSec tunnel originates and terminates, and how it is secured.

Default 

n/a

Parameters 
ipsec-tunnel-name—
specifies an IPSec tunnel name up to 32 characters in length
create—
mandatory keyword required when creating an IPSec tunnel instance. The create keyword requirement can be enabled/disabled in the environment>create context.

bfd-designate

Syntax 
[no] bfd-designate
Context 
config>service>vprn>if>sap>ipsec-tunnel
Description 

This command specifies whether this IPSec tunnel is the BFD-designated tunnel.

A BFD-designated tunnel is the tunnel over which a BFD session is established. A BFD-designated tunnel does not go down when BFD goes down. Other tunnels that use that BFD-designated tunnel’s BFD session will go down based on the state of the BFD session.

Default 

no bfd-designate

bfd-enable

Syntax 
bfd-enable service service-id interface interface-name dst-ip ip-address
no bfd-enable
Context 
config>service>vprn>if>sap>ipsec-tunnel
Description 

This command assigns a BFD session to provide the heartbeat mechanism for the specified IPSec tunnel. There can be only one BFD session assigned to any given IPSec tunnel, but there can be multiple IPSec tunnels using same BFD session. BFD controls the state of the associated tunnel; if the BFD session goes down, the system will also bring down the associated non-designated IPSec tunnel.

Default 

n/a

Parameters 
service-id—
specifies the service ID or name where the BFD session resides
Values—
service-id:   1 to 2147483647 or svc-name (up to 64 characters)

 

interface —
the name of the interface used by the BFD session
interface-name—
specifies the interface name
Values—
1 to 32 characters (must start with a letter)

 

ip-address—
specifies the IPv4 destination address to be used for the BFD session
dst-ip —
the IPv4 or IPv6 destination address to be used for the BFD session
ip-address
the IPv4 destination address
Values—

IPv4 address:

a.b.c.d

 

clear-df-bit

Syntax 
[no] clear-df-bit
Context 
config>service>vprn>if>sap>ipsec-tunnel
Description 

This command clears the do-not-fragment (DF) bit on incoming unencrypted IP traffic, allowing traffic to be fragmented, if necessary, before it enters the tunnel.

The no form of the command, corresponding to the default behavior, leaves the DF bit unchanged.

Default 

no clear-df-bit

copy-df-bit

Syntax 
[no] copy-df-bit
Context 
config>service>vprn>if>sap>ipsec-tunnel
Description 

This command specifies whether to copy the do-not-fragment (DF) bit from the customer clear traffic and insert it into the IPSec tunnel header of the outgoing packet. When disabled, the DF bit of the IPSec tunnel header is always set to 1 (do not copy the DF bit).

The no form of the command, corresponding to the default behavior, does not copy the customer DF bit to the IPSec tunnel header.

Default 

no copy-df-bit

dynamic-keying

Syntax 
[no] dynamic-keying
Context 
config>service>vprn>if>sap>ipsec-tunnel
Description 

This command enables dynamic keying for the IPSec tunnel. Dynamic keying means that the IKE protocol is used to dynamically exchange keys and establish IPSec-SAs. When IKE is used, a tunnel will have ISAKMP-SA for phase 1 (used by IKE) and IPSEC-SA for phase 2 (used for traffic encryption).

The dynamic-keying and manual-keying commands are mutually exclusive. One of these commands must be configured to make the tunnel operational.

The no form of the command returns the SA keying type to its default value.

Default 

no dynamic-keying

auto-establish

Syntax 
[no] auto-establish
Context 
config>service>vprn>if>sap>ipsec-tunnel>dynamic-keying
Description 

This command specifies whether to attempt to establish a phase 1 exchange automatically. The auto-establish command should only be enabled on one side of the tunnel. A tunnel with auto-establish enabled acts as an IKE initiator and does not respond to a new phase 1 request.

The no form of the command disables the automatic attempts to establish a phase 1 exchange.

Default 

no auto-establish

ike-policy

Syntax 
ike-policy ike-policy-id
no ike-policy
Context 
config>service>vprn>if>sap>ipsec-tunnel>dynamic-keying
Description 

This command configures the IKE policy for dynamic keying, which will be used by the tunnel.

The no form of the command removes the IKE policy.

Default 

no ike-policy

Parameters 
ike-policy-id—
specifies the IKE policy ID
Values—
1 to 2048

 

local-id

Syntax 
local-id type {ipv4 | fqdn | ipv6} value value
no local-id
Context 
config>service>vprn>if>sap>ipsec-tunnel>dynamic-keying
Description 

This command allows the specification of the IKEv2 local ID value for a dynamic keyed IPSec tunnel. The allowed local ID types are a valid IPv4 address or IPv6 address, or a fully qualified domain name (FQDN) string.

If local-id is configured, the tunnel local ID is set to the explicit type and value specified by the local-id command. If local-id is not configured, the tunnel local gateway IP address is used in the ID field of IKEv2 (see local-gateway-address).

The no form of the command removes the local ID.

Default 

no local-id

Parameters 
type—
specifies the type of local ID payload
Values—
ipv4:  specifies IPv4 as the local ID type. The default value is the local gateway IP address.
fqdn:  specifies FQDN as the local ID type. A value must be configured.
ipv6:  specifies IPv6 as the local ID type. The default value is the local gateway IP address.

 

value—
specifies an IPv4 or IPV6 address, or an FQDN value.
Values—
ipv4-address:      a.b.c.d
ipv6-address:      x:x:x:x:x:x:x:x (eight 16-bit pieces)
                            x:x:x:x:x:x:d.d.d.d
                           x: [0 to FFFF]H
                           d: [0 to 255]D
fqdn:    specifies a fully qualified domain name value (for example, “myhost.example.com”), up to 255 characters maximum

 

pre-shared-key

Syntax 
pre-shared-key key [hash | hash2]
no pre-shared-key
Context 
config>service>vprn>if>sap>ipsec-tunnel>dynamic-keying
Description 

This command specifies the pre-shared key (PSK), or secret passphrase, that will be used to initiate the tunnel IKE session. If the hash or hash2 parameter is not used, the key is a clear text key; otherwise, the key text is encrypted. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

The no form of the command removes the pre-shared key.

Default 

no pre-shared-key

Parameters 
key—
specifies a pre-shared key for dynamic keying, where the key is up to 64 ASCII characters. If the string contains special characters (#, $, spaces, etc.), the entire string must be enclosed within parentheses.
hash—
specifies that the key is entered in an encrypted form
hash2 —
specifies that the key is entered in a more complex encrypted form that involves more variables than the key value alone, meaning that the hash2 encrypted variable cannot be copied and pasted

transform

Syntax 
transform transform-id [transform-id...(up to 4 max)]
no transform
Context 
config>service>vprn>if>sap>ipsec-tunnel>dynamic-keying
Description 

This command associates the IPSec transform set allowed for this tunnel. A maximum of four transforms can be specified. The transforms are listed in decreasing order of preference (the first one specified is the most preferred). The list of transform-ids is overwritten each time the command is issued. Transforms are defined using the ipsec-transform command.

The no form of the command returns the command to its default state.

Default 

no transform

Parameters 
transform-id—
specifies the value used for transforms for dynamic keying
Values—
1 to 2048

 

ip-mtu

Syntax 
ip-mtu octets
no ip-mtu
Context 
config>service>vprn>if>sap>ipsec-tunnel
Description 

This command configures the IP maximum transmit unit (MTU) (packet) for this interface.

The ip-mtu command instructs the 7705 SAR to perform IP packet fragmentation prior to IPSec encryption and encapsulation, based on the configured MTU value.

On the 7705 SAR, unencrypted IP packets arriving on a VPRN access interface and destined for an IPSec uplink will be fragmented if the incoming packet is larger than:

  1. the VPRN private interface MTU
  2. the IPSec tunnel MTU
  3. the difference between the uplink MTU and the IPSec overhead (uplink interface MTU minus IPSec overhead), where the IPSec overhead values are calculated as follows:
    1. IPSec overhead if NAT-T is enabled
      IPSec overhead = outer IPSec (20) + UDP (8) + ESP (24) + trailer (17) + ICV (32) = 101 bytes
    2. IPSec overhead if NAT-T is disabled
      (no nat-t) IPSec overhead = outer IP (20) + ESP (24) + trailer (17) + ICV (32) = 93 bytes
    1. IPv6 IPSec overhead if NAT-T is enabled or disabled (a UDP header is not inserted for IPv6 IPSec)
      IPv6 IPSec overhead = outer IPSec (40) + ESP (24) + trailer (17) + ICV (32) = 113 bytes

The actual overhead depends on the payload size and the encryption and authentication algorithms used.

The no ip-mtu command, corresponding to the default behavior, disables fragmentation of IP packets by the 7705 SAR; all IP packets, regardless of size or DF bit setting, are allowed into the tunnel.

Default 

no ip-mtu

Parameters 
octets—
specifies the MTU for the IP packet, expressed as the number of octets
Values—
512 to 9000

 

local-gateway-address

Syntax 
local-gateway-address ip-address peer ip-address delivery-service service-id
no local-gateway-address
Context 
config>service>vprn>if>sap>ipsec-tunnel
Description 

This command specifies the local gateway address used by the IPSec tunnel and the remote gateway address at the other end of the tunnel.

The local gateway address is the source address of the outgoing encrypted packet and the peer gateway address is the destination address. The delivery service is the IES service that has the corresponding public tunnel interface configured under it.

The local gateway address must be in the same subnet as the public tunnel interface.

The no form of the command removes the configured information.

Parameters 
ip-address—
IPv4 or IPv6 address of the local and peer ends of the tunnel
Values—
ipv4-address:      a.b.c.d
ipv6-address:      x:x:x:x:x:x:x:x (eight 16-bit pieces)
                            x:x:x:x:x:x:d.d.d.d
                           x: [0 to FFFF]H
                           d: [0 to 255]D

 

service-id—
specifies the ID of the IES or VPRN (front-door) delivery service of this IPSec tunnel. Use this service-id to find the VPRN used for delivery.
Values—
service-id: 1 to 2147483647 or svc-name, which specifies an existing service name up to 64 characters in length

 

manual-keying

Syntax 
[no] manual-keying
Context 
config>service>vprn>if>sap>ipsec-tunnel
Description 

This command allows manual configuration of tunnel Security Association (SA) manual keying can be used in lieu of dynamic keying and IKE.

The dynamic-keying and manual-keying commands are mutually exclusive. One of these commands must be configured to make the tunnel operational.

When manual keying is used, both encryption and authentication must be entered manually for inbound and outbound SAs. Encryption and authentication modes, along with associated keys, must match on both sides of the tunnel. Inbound SA configuration on the near-end system must match outbound SA configuration on the far-end system, and vice versa. Make sure to use the correct key length, based on the ipsec-transform configuration.

A configuration example for manual keying is shown below:

Example:
ipsec-transform 2 create
   esp-auth-algorithm sha512
   esp-encryption-algorithm aes128
exit
ipsec-tunnel "privateTunnel" create
   security-policy 4
   local-gateway-address 10.1.1.2 peer 10.3.3.2 delivery-service 100
   manual-keying
      security-association 8 direction inbound spi 500
       transform 2 encryption-key 5253c408a123817358
        authentication-key 0x1c4a94f71e5366f3760863
      security-association 8 direction outbound spi 600
        transform 2 encryption-key 0xe9ffb43d2ddd
        authentication-key 0x1db443f855693f0fe45d
      exit
      no shutdown
   exit

The no form of the command returns the SA keying type to its default value.

Default 

no manual-keying

security-association

Syntax 
security-association security-entry-id authentication-key authentication-key encryption-key encryption-key spi spi transform transform-id direction {inbound | outbound}
no security-association security-entry-id direction {inbound | outbound}
Context 
config>service>vprn>if>sap>ipsec-tunnel>manual-keying
Description 

This command configures the information required for manual keying SA creation.

Default 

n/a

Parameters 
security-entry-id—
specifies the ID of an SA entry
Values—
1 to 16

 

authentication-key—
specifies the key used for the authentication algorithm
Values—
none or 0x0 to 0xFFFFFFFF...(max 128 hex nibbles)

 

encryption-key—
specifies the key used for the encryption algorithm
Values—
none or 0x0 to 0xFFFFFFFF...(max 64 hex nibbles)

 

spi—
specifies the SPI (Security Parameter Index) used to look up the instruction to verify and decrypt the incoming IPSec packets when the direction is inbound. When the direction is outbound, the SPI will be used in the encoding of the outgoing packets. The remote node can use this SPI to look up the instruction to verify and decrypt the packet.
Values—
256 to 16383

 

transform-id—
specifies the transform entry that will be used by this SA entry. This object should be specified for all the entries created that are manual SAs.
Values—
1 to 2048

 

direction {inbound | outbound}—
specifies the direction of the IPSec tunnel

security-policy

Syntax 
security-policy security-policy-id
no security-policy
Context 
config>service>vprn>if>sap>ipsec-tunnel
Description 

This command identifies an IPSec security policy (defined under the vprn>ipsec context) that is to be used for this IPSec tunnel.

The no form of the command returns the security-policy to its default state (n/a).

Default 

n/a

Parameters 
security-policy-id—
specifies the IPSec security policy that the tunnel will use
Values—
1 to 8192

 

8.10.2.2. PKI Configuration Commands

8.10.2.2.1. X.509 and Certificate Commands

clear-ocsp-cache

Syntax 
clear-ocsp-cache [entry-id]
Context 
admin>certificate
Description 

This command clears the current OCSP response cache. If the optional issuer and serial number are not specified, then all current cached results are cleared.

Parameters 
entry-id—
the local cache entry identifier of the certificate to clear
Values—
1 to 2000

 

cmpv2

Syntax 
cmpv2
Context 
admin>certificate
Description 

This command enables the context to configure CMPv2 parameters. Changes are not allowed when the CA profile is enabled (no shutdown).

cert-request

Syntax 
cert-request ca ca-profile-name current-key key-filename current-cert cert-filename [hash-alg hash-algorithm] newkey key-filename subject-dn subject-dn save-as save-path-of-result-cert
Context 
admin>certificate>cmpv2
Description 

This command requests an additional certificate after the system has obtained the initial certificate from the CA.

The request is authenticated by a signature signed by the current-key, along with the current-cert. The hash algorithm used for the signature depends on the key type:

  1. DSA key: SHA1
  2. RSA key: MD5 | SHA1 | SHA224 | SHA256 | SHA384 | SHA512; the default is SHA1

In some cases, the CA may not return a certificate immediately, due to reasons such as the request processing needs manual intervention. In such cases, the admin certificate cmpv2 poll command can be used to poll the status of the request.

Default 

n/a

Parameters 
ca-profile-name—
specifies a certificate authority profile name that includes CMP server information, up to 32 characters
current-key key-filename
the corresponding certificate issued by the CA, up to 95 characters
cert-filename—
the filename of an imported certificate that is attached to the certificate request, up to 95 characters
newkey key-filename
the filename of the imported key, up to 95 characters.
hash-algorithm
the hash algorithm for the RSA key
Values—
md5, sha1, sha224, sha256, sha384, sha512

 

dn—
the subject of the requesting certificate, up to 256 characters
Values—
attr1=val1,attr2=val2 ... where: attrN = {C | ST | O | OU | CN}

 

save-path-of-result-cert—
the full path name to save the result certificate to, up to 200 characters

clear-request

Syntax 
clear-request ca ca-profile-name
Context 
admin>certificate>cmpv2
Description 

This command clears current pending CMPv2 requests toward the specified CA. If there are no pending requests, it will clear the saved results of prior requests.

Default 

n/a

Parameters 
ca-profile-name—
a CA profile name, up to 32 characters

initial-registration

Syntax 
initial-registration ca ca-profile-name key-to-certify key-filename protection-alg {password password reference ref-number | signature [cert cert-file-name [send-chain [with-ca ca-profile-name]]] [protection-key key-file-name] [hash-alg {md5 | sha1 | sha224 | sha256 | sha384 | sha512}]} subject-dn dn save-as save-path-of-result-cert
Context 
admin>certificate>cmpv2
Description 

This command requests the initial certificate from the CA by using the CMPv2 initial registration procedure.

The ca keyword specifies a ca-profile that includes CMP server information.

The key-to-certify keyword is an imported key file to be certified by the CA.

The protection-key keyword is an imported key file used to for message protection if protection-alg is configured as signature.

The request is authenticated using either of the following methods:

  1. a password and a reference number that is predistributed by the CA using out-of-band means. The specified password and reference number are not necessarily in the CMP key-list configured in the corresponding ca-profile.
  2. a signature signed by the protection-key or key-to-certify, optionally along with the corresponding certificate. If the protection-key is not specified, the system will use the key-to-certify keyword for message protection. The hash algorithm used for the signature depends on the key type:
    1. DSA key: SHA1
    2. RSA key: MD5 | SHA1 | SHA224 | SHA256 | SHA384 | SHA512; the default is SHA1

Optionally, the system could also send a certificate or a chain of certificates in the extraCerts field. The certificate is specified by the cert cert-file-name parameter; it must include the public key of the key used for message protection.

Sending a chain is enabled by specifying the send-chain keyword.

The subject-dn keyword specifies the subject of the requesting certificate.

The save-as keyword specifies the full path name to save the result certificate to.

In some cases, the CA may not return the certificate immediately; for example, because the request processing requires manual intervention. In such cases, the admin certificate cmpv2 poll command could be used to poll the status of the request. If the key-list command is not configured in the corresponding ca-profile, then the system will use the existing password to authenticate the CMPv2 packets from the server if it is in password protection.

If key-list is configured in the corresponding ca-profile and the server does not send a SenderKID message, then the system will use the lexicographical first key in the key-list to authenticate the CMPv2 packets from the server in case it is in password protection.

Default 

n/a

Parameters 
ca ca-profile-name
specifies a certificate authority profile name that includes CMP server information, up to 32 characters
key-to-certify key-filename
the filename of the key to certify, up to 95 characters
password—
an ASCII string, up to 64 characters
ref-number—
the reference number for this CA initial authentication key, up to 64 characters
cert-file-name—
specifies the certificate filename, up to 95 characters
send-chain with-ca ca-profile-name
sends the chain
protection-key key-file-name
the protection key associated with the action on the CA profile
hash-alg—
the hash algorithm for the RSA key
Values—
md5, sha1, sha224, sha256, sha384, sha512

 

dn—
the subject of the requesting certificate, up to 256 characters
Values—
attr1=val1,attr2=val2 ... where: attrN = {C | ST | O | OU | CN}

 

save-path-of-result-cert—
the full path name to save the result certificate to, up to 200 characters

key-update

Syntax 
key-update ca ca-profile-name newkey key-filename oldkey key-filename oldcert cert-filename [hash-alg hash-algorithm] save-as save-path-of-result-cert
Context 
admin>certificate>cmpv2
Description 

This command requests a new certificate from the certificate authority to update an existing certificate.

In some cases, the CA may not return a certificate immediately; for example, because the request processing requires manual intervention. In such cases, the admin>certificate>cmpv2>poll command can be used to poll the status of the request.

Parameters 
ca-profile-name—
specifies a certificate authority profile name that includes CMP server information, up to 32 characters
newkey key-filename
the key file of the requesting certificate, up to 95 characters
oldkey key-filename
the key to be replaced, up to 95 characters
cert-filename—
the filename of an imported certificate to be replaced, up to 95 characters
hash-algorithm—
the hash algorithm for the RSA key
Values—
md5, sha1, sha224, sha256, sha384, sha512

 

save-path-of-result-cert—
the full path name to save the result certificate to, up to 200 characters

poll

Syntax 
poll ca ca-profile-name
Context 
admin>certificate>cmpv2
Description 

This command polls the status of the pending CMPv2 request toward the specified CA.

If the response is ready, this command will resume the CMPv2 protocol exchange with the server as the original command would do. If the request is still pending, then this command could be used again to poll the status.

The 7705 SAR allows only one pending CMP request per CA, which means that no new request is allowed when a pending request is present.

Default 

n/a

Parameters 
ca-profile-name—
specifies a CA profile name, up to 32 characters

show-request

Syntax 
show-request [ca ca-profile-name]
Context 
admin>certificate>cmpv2
Description 

This command displays the current CMPv2 pending request toward the specified CA. If there is no pending request, the last pending request is displayed including the status (one of success, fail, or rejected) and the receive time of the last CMPv2 message from the server.

The following information is included in the output:

  1. request type
  2. original input parameter (password is not displayed)
  3. checkAfter and reason of last PollRepContent
  4. time of original command input
Default 

n/a

Parameters 
ca-profile-name—
specifies a CA profile, up to 32 characters. If not specified, the system will display the pending requests of all CA profile.

display

Syntax 
display type {cert | key | crl | cert-request} url-string format {pkcs10 | pkcs12 | pkcs7-der | pkcs7-pem | pem | der} [password password]
Context 
admin>certificate
Description 

This command displays the contents of an input file in plain text. When displaying the key file contents, only the key size and type are displayed.

The following list summarizes the formats supported by this command:

  1. System
    1. system format
    2. PKCS #12
    3. PKCS #7 PEM encoded
    4. PKCS #7 DER encoded
    5. RFC4945
  2. Certificate Request
    1. PKCS #10
  3. Key
    1. system format
    2. PKCS #12
  4. CRL
    1. system format
    2. PKCS #7 PEM encoded
    3. PKCS #7 DER encoded
    4. RFC4945
Default 

n/a

Parameters 
url-string—
the local compact flash URL of the input file
Values—
url-string            : local-url, 99 characters maximum
   local-url           : cflash-id/file-path
   cflash-id         : cf1:, cf2:, cf3:

 

type—
the type of input file; possible values are cert, key, crl, or cert-request
Values—
cert, key, crl, cert-request

 

format—
the format of the input file
Values—
pkcs10, pkcs12, pkcs7-der, pkcs7-pem, pem, der

 

password—
the password to decrypt the input file if it is an encrypted PKCS# 12 file, up to 32 characters

export

Syntax 
export type {cert | key | crl} input filename output url-string format output-format [password password] [pkey pkey-filename]
Context 
admin>certificate
Description 

This command performs certificate operations.

gen-keypair

Syntax 
gen-keypair url-string [size {512 | 1024 | 2048}] [type {rsa | dsa}]
Context 
admin>certificate
Description 

This command generates an RSA or DSA private key/public key pair and stores it in a local file in the cf3:\system-pki\key directory.

Parameters 
url-string—
the name of the key file
Values—
url-string            : local-url, 99 characters maximum
   local-url           : cflash-id/file-path
   cflash-id         : cf1:, cf2:, cf3:

 

size—
the key size in bits (the minimum key size is 1024 bits when running in FIPS-140-2 mode)
Values—
512, 1024, or 2048

 

Default—
2048
type—
the type of key
Values—
rsa, dsa

 

Default—
rsa

gen-local-cert-req

Syntax 
gen-local-cert-req keypair url-string subject-dn subject-dn [domain-name domain-name] [ip-addr {ip-address | ipv6-address}] file url-string [hash-alg hash-algorithm] [use-printable]
Context 
admin>certificate
Description 

This command generates a PKCS# 10 formatted certificate request by using a local existing key pair file.

Default 

n/a

Parameters 
url-string—
the name of the key file in cf3:\system-pki\key that is used to generate a certificate request
Values—
url-string            : local-url, 99 characters maximum
   local-url           : cflash-id/file-path
   cflash-id         : cf1:, cf2:, cf3:

 

subject-dn—
the distinguishing name that is used as the subject in a certificate request, including:
  1. C – Country
  2. ST – State
  3. O – Organization name
  4. OU – Organization Unit name
  5. CN – common name

This parameter is formatted as a text string including any of the above attributes. The attribute and its value are linked by using “=”, and “,” is used to separate different attributes.

For example: C=US,ST=CA,O=ALU,CN=SR12

Values—
attr1=val1,attr2=val2... where: attrN = {C | ST | O | OU | CN}, up to 256 characters

 

domain-name—
optionally, a domain name string can be specified and included as the dNSName in the Subject Alternative Name extension of the certificate request, up to 255 characters
ip-address | ipv6-address—
optionally, an IPv4 or IPv6 address string can be specified and included as the ipAddress in the Subject Alternative Name extension of the certificate request
url-string—
a local compact flash path and filename to save the certificate request to, or an FTP URL to upload the certificate request
hash-algorithm—
the hash algorithm to be used in a certificate request
Values—
sha1, sha224, sha256, sha384, sha512

 

use-printable—
encodes the certificate in printable text format instead of in UTF8

import

Syntax 
import type {cert | key | crl} input url-string output filename format input-format [password password]
Context 
admin>certificate
Description 

This command converts an input file (either key, certificate, or CRL) to a system format file. The following list summarizes the formats supported by this command.

  1. Certificate
    1. PKCS #12
    2. PKCS #7 PEM encoded
    3. PKCS #7 DER encoded
    4. PEM
    5. DER
  2. Key
    1. PKCS #12
    2. PEM
    3. DER
  3. CRL
    1. PKCS #7 PEM encoded
    2. PKCS #7 DER encoded
    3. PEM
    4. DER

If there are multiple objects with same type in the input file, only the first object will be extracted and converted.

Default 

n/a

Parameters 
input url-string
the URL for the input file. This URL could be either a local compact flash URL file or an FTP URL to download the input file.
output filename
the name of output file, up to 95 characters in length. The output directory depends on the file type:
  1. Key: cf3:\system-pki\key
  2. Cert: cf3:\system-pki\cert
  3. CRL: cf3:\system-pki\CRL
Values—
url-string            : local-url, 99 characters maximum
   local-url           : cflash-id/file-path
   cflash-id         : cf1:, cf2:, cf3:

 

type—
the type of input file
Values—
cert, key, crl

 

input-format—
the format of the input file
Values—
pkcs12, pkcs7-der, pkcs7-pem, pem, der

 

password —
the password to decrypt the input file if it is an encrypted PKCS# 12 file, up to 32 characters

reload

Syntax 
reload type {cert | key} filename [key-file filename]
Context 
admin>certificate
Description 

This command reloads an imported certificate or key file or both at the same time. This command is typically used to update a certificate and/or key file without shutting down the IPSec tunnel, cert-profile, or ca-profile.

  1. If the new file exists and is valid, then for each tunnel using it:
    1. if the key matches the certificate, then the new file will be downloaded to the 7705 SAR to be used the next time. Tunnels currently up are not affected.
    2. if the key does not match the certificate:
      1. if the cert and key configuration is used instead of cert-profile, then the tunnel will be brought down
      2. if the cert-profile is used, then cert-profile will be brought down. The next authentication will fail but the established tunnels are not affected.

If the new file does not exist or is invalid, then this command will abort.

Default 

n/a

Parameters 
cert—
reload a certificate file
key—
reload a key file
filename —
the filename of the imported certificate or key
key-file filename
the imported key file

8.10.2.2.2. PKI Infrastructure Commands

pki

Syntax 
pki
Context 
config>system>security
Description 

This command enables the context to configure certificate parameters.

Default 

n/a

ca-profile

Syntax 
ca-profile name [create]
no ca-profile name
Context 
config>system>security>pki
Description 

This command creates a new certificate authority profile or enters the configuration context of an existing certificate authority profile. Up to 128 CA profiles can be created in the system. A shutdown of the ca-profile will not affect the current up and running ipsec-tunnel associated with the ca-profile; however, subsequent authentication will fail.

Executing a no shutdown command in this context will cause the system to reload the configured cert-file and crl-file.

A ca-profile can be applied under the ipsec-tunnel configuration.

The no form of the command removes the name parameter from the configuration. A CA profile cannot be removed until all the associations (IPSec tunnels) have been removed.

Parameters 
name—
the name of the ca-profile, a string up to 32 characters
create—
the keyword used to create a new ca-profile. The create keyword requirement can be enabled or disabled in the environment>create context.

cert-file

Syntax 
cert-file filename
no cert-file
Context 
config>system>security>pki>ca-profile
Description 

This command specifies the name of a file in the cf3:\system-pki\cert directory as the CA’s certificate of the CA profile.

The system performs the following checks against a configured cert-file when a no shutdown command is issued.

  1. The configured cert-file is a DER-formatted X.509v3 certificate file.
  2. All mandatory fields defined in section 4.1 of RFC 5280 exist and conform to the RFC 5280-defined format.
  3. The Version field has a value of 0x2.
  4. The Validity field indicates that the certificate is still valid.
  5. The X.509 basic constraints extension exists, and the CA Boolean is true.
  6. If the Key Usage extension exists, then at least keyCertSign and cRLSign are asserted.
  7. If the certificate is not a self-signing certificate, then the system will look for the issuer’s CA’s certificate to verify that this certificate is signed by the issuer’s CA. If there is no such CA profile configured, then the system will just proceed with a warning message.
  8. If the certificate is not a self-signing certificate, then the system will look for the issuer’s CA’s CRL to verify that it has not been revoked. If there is no such CA profile configured or there is no such CRL, then the system will just proceed with a warning message.

If any of above checks fails, then the no shutdown command will fail.

Changing or removing the cert-file is only allowed when the ca-profile is in a shutdown state.

The no form of the command removes the filename from the configuration.

Parameters 
filename—
the local compact flash file URL

cmpv2

Syntax 
cmpv2
Context 
config>system>security>pki>ca-profile
Description 

This command enables the context to configure CMPv2 parameters. Changes are not allowed when the CA profile is enabled (no shutdown).

accept-unprotected-errormsg

Syntax 
[no] accept-unprotected-errormsg
Context 
config>system>security>pki>ca-profile>cmpv2
Description 

This command enables the system to accept both protected and unprotected CMPv2 error messages. Without this command, the system will accept only protected error messages.

The no form of the command causes the system to accept only protected PKI error messages.

Default 

no accept-unprotected-errormsg

accept-unprotected-pkiconf

Syntax 
[no] accept-unprotected-pkiconf
Context 
config>system>security>pki>ca-profile>cmpv2
Description 

This command enables the system to accept both protected and unprotected CMPv2 PKI confirmation messages. Without this command, the system will accept only protected PKI confirmation messages.

The no form of the command causes the system to accept only protected PKI confirmation messages.

Default 

n/a

always-set-sender-for-ir

Syntax 
[no] always-set-sender-for-ir
Context 
config>system>security>pki>ca-profile>cmpv2
Description 

This command specifies to always set the sender field in the CMPv2 header of all Initial Registration (IR) messages with the subject name. By default, the sender field is only set if an optional certificate is specified in the CMPv2 request.

Default 

no always-set-sender-for-ir

http-response-timeout

Syntax 
http-response-timeout timeout
no http-response-timeout
Context 
config>system>security>pki>ca-profile>cmpv2
Description 

This command specifies the timeout value for the HTTP response that is used by CMPv2.

The no form of the command reverts to the default value.

Default 

30 s

Parameters 
timeout—
the HTTP response timeout in seconds
Values—
1 to 3600

 

http-version

Syntax 
http-version {1.0 | 1.1}
Context 
config>system>security>pki>ca-profile>cmpv2
Description 

This command configures the HTTP version for CMPv2 messages.

Default 

1.1

key-list

Syntax 
key-list
Context 
config>system>security>pki>ca-profile>cmpv2
Description 

This command enables the context to configure pre-shared key list parameters.

key

Syntax 
key password [hash | hash2] reference reference-number
no key reference reference-number
Context 
config>system>security>pki>ca-profile>cmpv2>key-list
Description 

This command specifies a pre-shared key used for CMPv2 initial registration. Multiples of key commands are allowed to be configured under this context.

The password and reference-number parameters are distributed by the CA using out-of-band means.

The configured password is stored in a configuration file in an encrypted form by using a 7705 SAR hash2 algorithm.

The no form of the command removes the parameters from the configuration.

Default 

n/a

Parameters 
password—
a printable ASCII string, up to 64 characters
hash—
specifies that the given password is already hashed using hashing algorithm version 1. A semantic check is performed on the given password field to verify that it is a valid hash 1 key to store in the database.
hash2 —
specifies that the given password is already hashed using hashing algorithm version 2. A semantic check is performed on the given password field to verify that it is a valid hash 2 key to store in the database.
reference-number—
Specifies a printable ASCII string, up to 64 characters.

response-signing-cert

Syntax 
response-signing-cert filename
no response-signing-cert
Context 
config>system>security>pki>ca-profile>cmpv2
Description 

This command specifies an imported certificate that is used to verify the CMP response messages if they are protected by a signature. If this command is not configured, then the CA’s certificate is used.

Default 

n/a

Parameters 
filename—
the filename of the imported certificate

same-recipnonce-for-pollreq

Syntax 
[no] same-recipnonce-for-pollreq
Context 
config>system>security>pki>ca-profile>cmpv2
Description 

This command enables the system to use the same recipNonce as the last CMPv2 response for a poll request.

Default 

n/a

url

Syntax 
url url-string [service-id service-id]
no url
Context 
config>system>security>pki>ca-profile>cmpv2
Description 

This command specifies the HTTP URL of the CMPv2 server. The URL must be unique across all configured CA profiles.

The URL will be resolved by the DNS server configured (if configured) in the corresponding router context.

If the service-id is 0 or omitted, then the system will try to resolve the FQDN using the DNS server configured in bof.cfg. After resolution, the system will first connect to the address in the management routing instance, then to the address in the base routing instance.

If the service is VPRN, then the system only allows HTTP ports 80 and 8080.

Default 

n/a

Parameters 
url-string—
Specifies the HTTP URL of the CMPv2 server, up to 180 characters.
service-id service-id
the service or router instance that is used to reach the CMPv2 server
Values—
service-id: 1 to 2147483647 base-router: 0

 

crl-file

Syntax 
crl-file filename
no crl-file
Context 
config>system>security>pki>ca-profile
Description 

This command specifies the name of a file in the cf3:\system-pki\crl directory as the Certification Revoke List file of the ca-profile.

The system performs the following checks against a configured crl-file when a no shutdown command is issued.

  1. A valid cert-file of the ca-profile is already configured.
  2. A configured crl-file is a DER-formatted CRLv2 file.
  3. All mandatory fields defined in section 5.1 of RFC 5280 exist and conform to the RFC 5280-defined format.
  4. The version field has a value of 0x1.
  5. The delta CRL Indicator does not exist (delta CRL is not supported).
  6. The CRL’s signature is verified by using the cert-file of the ca-profile.

If any of above checks fail, the no shutdown command will fail.

Changing or removing the crl-file is only allowed when the ca-profile is in a shutdown state.

The no form of the command removes the filename from the configuration.

Default 

n/a

Parameters 
filename—
the name of CRL file stored in cf3:\system-pki\crl

description

Syntax 
description description-string
no description
Context 
config>system>security>pki>ca-profile
Description 

This command configures a description of the specified CA profile.

Default 

n/a

Parameters 
description-string —
describe the CA profile, up to 80 characters

ocsp

Syntax 
ocsp
Context 
config>system>security>pki>ca-profile
Description 

This command enables the context to configure OCSP parameters.

responder-url

Syntax 
responder-url url-string
no responder-url
Context 
config>system>security>pki>ca-profile>ocsp
Description 

This command specifies the HTTP URL of the OCSP responder for the CA. This URL will only be used if there is no OCSP responder defined in the AIA extension of the certificate to be verified.

Default 

no responder-url

Parameters 
url-string—
the HTTP URL of the OCSP responder

service

Syntax 
service service-id
no service
Context 
config>system>security>pki>ca-profile>ocsp
Description 

This command specifies the service or routing instance that is used to contact the OCSP responder. This applies to OCSP responders that are either configured in the CLI or defined in the AIA extension of the certificate to be verified.

The responder-url is resolved by using the DNS server configured in the configured routing instance.

For a VPRN service, the system verifies that the specified service-id or service-name is an existing VPRN service at the time of CLI configuration; if it is not, the configuration will fail.

Parameters 
service-id —
specifies an existing service or router instance to be used in the match criteria
Values—
service-id: 1 to 2147483647 base-router: 0

 

shutdown

Syntax 
[no] shutdown
Context 
config>system>security>pki>ca-profile
config>ipsec>cert-profile
Description 

This command enables or disables the ca-profile. The system will verify the configured cert-file and crl-file. If the verification fails, then the no shutdown command will fail.

A ca-profile in a shutdown state cannot be used in certificate authentication.

In the config>ipsec>cert-profile context, this command enables or disables the certificate profile.

Default 

shutdown

certificate-display-format

Syntax 
certificate-display-format {ascii | utf8}
Context 
config>system>security>pki
Description 

This command specifies the display format used for the Certificates and Certificate Revocation Lists.

Default 

ascii

Parameters 
ascii—
use the ASCII format for the Certificates and Certificate Revocation Lists
utf8—
use the UTF8 format for the Certificates and Certificate Revocation Lists

certificate-expiration-warning

Syntax 
certificate-expiration-warning hours [repeat repeat-hours]
no certificate-expiration-warning
Context 
config>system>security>pki
Description 

This command enables the system to issue two types of warning messages related to certificate expiration:

  1. BeforeExp — a warning message issued before a certificate expires
  2. AfterExp — a warning message issued when a certificate expires

The hours parameter configures how many hours before a certificate expiry the system will issue a BeforeExp message. For example, with certificate-expiration-warning 5, the system issues a BeforeExp message 5 hours before the certificate expires. The optional repeat parameter causes the system to repeat the BeforeExp message at the configured hourly intervals until the certificate expires.

To receive only the AfterExp message after the certificate has expired, set the hours parameter to 0.

There are several ways to clear BeforeExp and AfterExp warning messages.

  1. If the certificate is reloaded with the admin>certificate>reload command and the reloaded certificate has not expired, the AfterExp message is cleared. If the reloaded certificate is outside of the configured warning window, the BeforeExp message is also cleared.
  2. If the CA profile is shut down, both the BeforeExp and AfterExp messages for the corresponding certificates are cleared.
  3. If the no certificate-expiration-warning command is issued, all existing BeforeExp and AfterExp messages are cleared.
  4. If the certificate-expiration-warning command is configured so that any certificates are no longer in the warning window, the BeforeExp messages for the corresponding certificates are cleared.
  5. If the system time changes and the new time causes any certificate to no longer be in the warning window, the corresponding BeforeExp message is cleared. If the new time causes an expired certificate to become unexpired, the AfterExp message is cleared.
Default 

no certificate-expiration-warning

Parameters 
hours—
the number of hours before a certificate expires that the system issues a BeforeExp message
Values—
0 to 8760

 

repeat-hours—
specifies the intervals at which the system will repeat the BeforeExp message
Values—
0 to 8760

 

crl-expiration-warning

Syntax 
crl-expiration-warning hours [repeat repeat-hours]
no crl-expiration-warning
Context 
config>system>security>pki
Description 

This command enables the system to issue two types of warning messages related to CRL expiration:

  1. BeforeExp — a warning message issued before a CRL expires
  2. AfterExp — a warning message issued when a CRL expires

The hours parameter configures how many hours before a CRL expiry the system will issue a BeforeExp message. For example, with crl-expiration-warning 5, the system issues a BeforeExp message 5 hours before the CRL expires. The optional repeat parameter causes the system to repeat the BeforeExp message at the configured hourly intervals until the CRL expires.

To receive only the AfterExp message after the CRL has expired, set the hours parameter to 0.

There are several ways to clear BeforeExp and AfterExp warning messages.

  1. If the CRL is reloaded with the admin>certificate>reload command and the reloaded file has not expired, the AfterExp message is cleared. If the reloaded file is outside of the configured warning window, the BeforeExp message is also cleared.
  2. If the CA profile is shut down, both the BeforeExp and AfterExp messages for the corresponding CRLs are cleared.
  3. If the no crl-expiration-warning command is issued, all existing BeforeExp and AfterExp messages are cleared.
  4. If the crl-expiration-warning command is configured so that the CRL file is no longer in the warning window, the BeforeExp message for the corresponding file is cleared.
  5. If the system time changes and the new time causes the CRL to no longer be in the warning window, the corresponding BeforeExp message is cleared. If the new time causes an expired CRL to become unexpired, the AfterExp message is cleared.
Default 

no crl-expiration-warning

Parameters 
hours—
the number of hours before a CRL expires that the system issues a BeforeExp message
Values—
0 to 8760

 

repeat-hours—
specifies the intervals at which the system will repeat the BeforeExp message
Values—
0 to 8760

 

maximum-cert-chain-depth

Syntax 
maximum-cert-chain-depth level
no maximum-cert-chain-depth
Context 
config>system>security>pki
Description 

This command defines the maximum depth of certificate chain verification. This value is applied system-wide.

The no form of the command reverts to the default value.

Default 

7

Parameters 
level—
specifies the maximum depth of certificate chain verification. The certificate under verification is not counted in the chain. For example, if this parameter is set to 1, then the certificate under verification must be directly signed by the trust anchor CA.
Values—
1 to 7

 

8.10.2.2.3. IPSec PKI Commands

cert-profile

Syntax 
cert-profile profile-name [create]
no cert-profile profile-name
Context 
config>ipsec
Description 

This command creates a new certificate profile or enters the configuration context of an existing certificate profile.

The no form of the command removes the profile name from the cert-profile configuration.

Default 

n/a

Parameters 
profile-name—
the name of the certificate profile, up to 32 characters in length

entry

Syntax 
entry entry-id [create]
no entry entry-id
Context 
config>ipsec>cert-profile
Description 

This command configures an entry for the specified certificate profile.

The no form of the command removes the specified entry from the specified cert-profile.

Default 

n/a

Parameters 
entry-id—
the entry ID
Values—
1 to 8

 

cert

Syntax 
cert cert-filename
no cert
Context 
config>ipsec>cert-profile>entry
Description 

This command configures an imported certificate for the cert-profile entry.

The no form of the command removes the cert-filename from the entry configuration.

Default 

n/a

Parameters 
cert-filename—
the name of the imported certificate, up to 32 characters in length

key

Syntax 
key key-filename
no key
Context 
config>ipsec>cert-profile>entry
Description 

This command configures an imported key for the cert-profile entry.

The no form of the command removes the key-filename from the entry configuration.

Default 

n/a

Parameters 
key-filename—
the filename of an imported key

send-chain

Syntax 
[no] send-chain
Context 
config>ipsec>cert-profile>entry
Description 

This command enters the configuration context of send-chain in the cert-profile entry.

This command is optional. By default, the system sends the certificate specified by the cert command in the selected entry to the peer. This command allows the system to send additional CA certificates to the peer. These additional CA certificates must be in the certificate chain of the certificate specified by the cert command in the same entry.

ca-profile

Syntax 
[no] ca-profile name
Context 
config>ipsec>cert-profile>entry>send-chain
Description 

This command specifies that a certificate authority (CA) certificate in the specified ca-profile is to be sent to the peer.

Multiple configurations (up to seven) of this command are allowed in the same entry.

Default 

n/a

Parameters 
name—
the profile name, up to 32 characters in length

ike-policy

Syntax 
ike-policy ike-policy-id [create]
no ike-policy ike-policy-id
Context 
config>ipsec
Description 

This command enables the context to configure an IKE policy.

The no form of the command deletes the IKE policy.

Parameters 
ike-policy-id—
specifies a policy ID value to identify the IKE policy
Values—
1 to 2048

 

auth-method

Syntax 
auth-method {psk | cert-auth}
no auth-method
Context 
config>ipsec>ike-policy
Description 

This command specifies the authentication method used with this IKE policy.

The no form of the command removes the parameter from the configuration.

Default 

no auth-method

Parameters 
psk—
both the client and gateway authenticate each other by a hash derived from a pre-shared secret. Both client and gateway must have the PSK. This works with both IKEv1 and IKEv2.
cert-radius—
use the certificate, public/private key and RADIUS to authenticate. This parameter applies to IKEv2 remote-access tunnel only.

own-auth-method

Syntax 
own-auth-method {psk | cert}
no own-auth-method
Context 
config>ipsec>ike-policy
Description 

This command configures the authentication method used with this IKE policy on its own side.

trust-anchor-profile

Syntax 
trust-anchor-profile name [create]
no trust-anchor-profile name
Context 
config>ipsec
Description 

This command specifies the trust-anchor-profile for the IPSec tunnel. This command will override the trust-anchor-profile configuration in the config>service>vprn>if>sap>ipsec-tunnel>cert context.

Default 

no trust-anchor-profile

Parameters 
profile-name—
the trust-anchor-profile name

8.10.2.2.4. IKE PKI Commands

cert-profile

Syntax 
cert-profile profile-name [create]
no cert-profile profile-name
Context 
config>service>vprn>if>sap>ipsec-tunnel>cert
Description 

This command creates a new certificate profile or enters the configuration context of an existing certificate profile.

The no form of the command removes the profile name from the cert-profile configuration.

Default 

n/a

Parameters 
profile-name—
the name of the certificate profile, up to 32 characters in length

status-verify

Syntax 
status-verify
Context 
config>service>vprn>if>sap>ipsec-tunnel>cert
Description 

This command enters the context to configure verification parameters for certificate revocation status.

Default 

n/a

default-result

Syntax 
default-result {revoked | good}
no default-result
Context 
config>service>vprn>if>sap>ipsec-tunnel>cert>status-verify
Description 

This command specifies the default result when both the primary and secondary methods fail to provide an answer.

Default 

revoked

Parameters 
good—
the certificate is considered acceptable
revoked—
the certificate is considered revoked

primary

Syntax 
primary {crl | ocsp}
no primary
Context 
config>service>vprn>if>sap>ipsec-tunnel>cert>status-verify
Description 

This command configures the primary method used to verify the revocation status of the peer’s certificate. The method can be either CRL or OCSP.

To verify the revocation status of the peer’s certificate, the CRL or OCSP uses the corresponding configuration in the CA profile of the issuer of the certificate in question.

Default 

crl

Parameters 
crl—
the CRL file is configured in the corresponding CA profile
ocsp—
the OCSP server is configured in the corresponding CA profile

secondary

Syntax 
secondary {crl | ocsp}
no secondary
Context 
config>service>vprn>if>sap>ipsec-tunnel>cert>status-verify
Description 

This command specifies the secondary method used to verify the revocation status of the peer’s certificate. The method can be either CRL or OCSP.

To verify the revocation status of the peer’s certificate, the CRL or OCSP uses the corresponding configuration in the CA profile of the issuer of the certificate in question.

The secondary method is used only when the primary method fails to provide an answer.

  1. CRL: CRL expired
  2. OCSP — unreachable / any answer other than “good” or “revoked” / OCSP is not configured in ca-profile/ OCSP response is not signed / Invalid nextUpdate
Default 

no secondary

Parameters 
crl—
the CRL file is configured in the corresponding CA profile
ocsp—
the OCSP server is configured in the corresponding CA profile

trust-anchor-profile

Syntax 
trust-anchor-profile profile-name
no trust-anchor-profile
Context 
config>service>vprn>if>sap>ipsec-tunnel>cert
Description 

This command configures the trust-anchor-profile for the specified IPSec tunnel. This command overrides the trust-anchor-profile configured in the config>ipsec context.

Default 

no trust-anchor-profile

Parameters 
profile-name—
the name of the trust-anchor-profile

8.10.2.2.5. Automatic CRL Update Commands

crl-update

Syntax 
crl-update ca ca-profile-name
Context 
admin>certificate
Description 

This command manually initiates a CRL update for the specified CA profile.

Automatic CRL update must be shutdown before this command can be issued.

Default 

n/a

Parameters 
ca-profile-name—
the name of the CA profile

file-transmission-profile

Syntax 
file-transmission-profile name [create]
no file-transmission-profile name
Context 
config>system
Description 

This command creates a new file transmission profile. The profile can be configured with transport parameters for protocols such as HTTP and additional file transmission options.

Default 

n/a

Parameters 
name—
the file transmission profile name, up to 32 characters
create —
keyword required when first creating the configuration context. When the context is created, you can navigate into the context without the create keyword.

ipv4-source-address

Syntax 
ipv4-source-address ip-address
no ipv4-source-address
Context 
config>system>file-trans-prof
Description 

This command specifies the IPv4 source address used for the transport protocol. The address should be a local interface.

The no form of this command reverts to the default IPv4 source address, typically the address of the egress interface.

Default 

no ipv4-source-address

Parameters 
ip-address—
The IPv4 source address
Values—
a.b.c.d

 

ipv6-source-address

Syntax 
ipv6-source-address ipv6-address
no ipv6-source-address
Context 
config>system>file-trans-prof
Description 

This command specifies the IPv6 source address used for the transport protocol. The address should be a local interface.

The no form of this command reverts to the default IPv6 source address, typically the address of the egress interface.

Default 

no ipv6-source-address

Parameters 
ipv6-address—
The IPv6 source address
Values—
x:x:x:x:x:x:x:x (eight 16-bit pieces)
x:x:x:x:x:x:d.d.d.d
     x: [0 to FFFF]H
     d: [0 to 255]D

 

redirection

Syntax 
redirection level
no redirection
Context 
config>system>file-trans-prof
Description 

This command allows the system to accept HTTP redirection responses and configures the maximum level of redirection. The router can send a new request to another server if the CRL files are not available or are temporarily available to another server.

Default 

no redirection

Parameters 
level—
the maximum level of HTTP redirection
Values—
1 to 8

 

retry

Syntax 
retry count
no retry
Context 
config>system>file-trans-prof
Description 

This command specifies the number of times the system attempts to reconnect to a server that returns no data in the time configured with the timeout command.

The no form of this command disables any retry attempt.

Default 

no retry

Parameters 
count—
the maximum number of retry attempts
Values—
1 to 256

 

router

Syntax 
router router-instance
router service vprn-service-name
Context 
config>system>file-trans-prof
Description 

This command specifies the routing instance that the transport protocol uses.

Default 

Base

Parameters 
router-instance—
the router instance used to establish the file transmission connection
Values—
{router-name | vprn-svc-id}

router-name:

Base or Management

router-name is an alias used for input only and is automatically replaced with an ID value by the 7705 SAR

vprn-svc-id:

1 to 2147483647

 

vprn-service-name—
the VPRN service name

timeout

Syntax 
timeout seconds
Context 
config>system>file-trans-prof
Description 

This command configures how long the system will wait to receive any data from a server, such an HTTP server. If no data is received before the timeout period expires, the system will attempt to reconnect to the server if the file transmission profile is configured for one or more retries with the retry command.

Default 

60 s

Parameters 
seconds—
the connection timeout for the file transmission
Values—
1 to 3600

 

auto-crl-update

Syntax 
auto-crl-update [create]
no auto-crl-update
Context 
config>system>security>pki>ca-profile
Description 

This command creates the context to configure automatic CRL update parameters.

When automatic CRL update is configured and enabled with the no shutdown command, the system downloads a CRL file from a list of configured HTTP URLs, either periodically or before an existing CRL expires. If the downloaded CRL is a valid CRL signed by the CA and is more recent than the existing CRL, the existing CRL is replaced.

The no form of this command deletes the automatic CRL update context and any configurations inside it.

Default 

n/a

Parameters 
create —
keyword required when first creating the configuration context. When the context is created, you can navigate into the context without the create keyword.

crl-urls

Syntax 
crl-urls
Context 
config>system>security>pki>ca-prof>auto-crl-update
Description 

This command enables the context to configure CRL URL parameters. Up to eight URL entries can be configured under each CA profile. The configured URLs must point to a DER-encoded CRL file.

When a CRL update is initiated, the system accesses each URL in order, and the first successfully downloaded and qualified CRL is used to update the existing CRL. If the download fails or the downloaded CRL is not qualified, the system moves to the next URL in the list. If no CRL file is successfully downloaded or qualified, the system attempts to contact each URL again at the next scheduled update time (when the schedule type is configured as periodic) or after the time configured with the retry-interval command (when the schedule type is configured as next-update-based).

The CRL download can be manually interrupted by issuing the shutdown command in the auto-crl-update context.

Default 

n/a

url-entry

Syntax 
url-entry entry-id [create]
no url-entry entry-id
Context 
config>system>security>pki>ca-prof>auto-crl-update>crl-urls
Description 

This command creates a new CRL URL entry or enters an existing URL entry configuration context.

The no form of this command removes the specified entry.

Default 

n/a

Parameters 
entry-id —
the URL entry identifier
Values—
1 to 8

 

create —
keyword required when first creating the URL entry. When the URL entry is created, you can navigate into the context without the create keyword.

file-transmission-profile

Syntax 
file-transmission-profile profile-name
no file-transmission-profile
Context 
config>system>security>pki>ca-prof>auto-crl-update>crl-urls>url-entry
Description 

This command specifies an existing file transmission profile to use when the system downloads a CRL from the configured URL in this URL entry. The profile must already be configured with the config>system>file-transmission-profile command.

Automatic CRL update supports base, management, or VPRN routing instances. If VPRN is used, the HTTP server port can only be 80 or 8080.

The no form of this command removes the file transmission profile name from the URL entry.

Default 

no file-transmission-profile

Parameters 
profile-name —
the name of the file transmission profile to be used

url

Syntax 
url url
no url
Context 
config>system>security>pki>ca-prof>auto-crl-update>crl-urls>url-entry
Description 

This command specifies the HTTP URL of the CRL file for the URL entry. The system supports both IPv4 and IPv6 HTTP connections. The URL must point to a DER-encoded CRL.

The no form of this command removes the URL from the URL entry.

Default 

no url

Parameters 
url —
specifies the location of a CRL to be downloaded

periodic-update-interval

Syntax 
periodic-update-interval [days days] [hrs hours] [min minutes] [sec seconds]
Context 
config>system>security>pki>ca-prof>auto-crl-update
Description 

This command specifies the interval between automatic CRL updates when the schedule-type command is configured as periodic. The minimum interval is 1 hour. The maximum interval is 366 days.

Default 

1 day

Parameters 
days —
specifies the number of days for periodic updates
Values—
0 to 366

 

hours —
specifies the number of hours for periodic updates
Values—
0 to 23

 

minutes —
specifies the number of minutes for periodic updates
Values—
0 to 59

 

seconds —
specifies the number of seconds for periodic updates
Values—
0 to 59

 

pre-update-time

Syntax 
pre-update-time [days days] [hrs hours] [min minutes] [sec seconds]
Context 
config>system>security>pki>ca-prof>auto-crl-update
Description 

This command specifies how much time before the next update time that the CRL is downloaded when the schedule-type command is configured as next-update-based.

Default 

1 hr

Parameters 
days —
specifies how many days before the next CRL update that the CRL is downloaded
Values—
0 to 366

 

hours —
specifies how many hours before the next CRL update that the CRL is downloaded
Values—
0 to 23

 

minutes —
specifies how many minutes before the next CRL update that the CRL is downloaded
Values—
0 to 59

 

seconds —
specifies how many seconds before the next CRL update that the CRL is downloaded
Values—
0 to 59

 

retry-interval

Syntax 
retry-interval seconds
no retry-interval
Context 
config>system>security>pki>ca-prof>auto-crl-update
Description 

This command specifies how long the system waits before retrying the configured URL entry list when the schedule-type is configured as next-update-based and no qualifying CRL could be downloaded during a CRL update.

The no form of this command causes the system to retry immediately.

Default 

3600 s

Parameters 
seconds —
specifies the time before retrying to update the CRL
Values—
1 to 31622400

 

schedule-type

Syntax 
schedule-type schedule-type
Context 
config>system>security>pki>ca-prof>auto-crl-update
Description 

This command configures the automatic CRL update schedule. The system supports two types:

  1. periodic — the system initiates a CRL update periodically, at the intervals specified by the periodic-update-interval command. The minimum periodic update interval is 1 hour.
  2. next-update-based — the system initiates a CRL update at the date and time specified in the Next Update field of the existing CRL file, minus the time configured with the pre-update-time command.
Default 

next-update-based

Parameters 
schedule-type —
the schedule type for automatic CRL updates
Values—
periodic or next-update-based

 

shutdown

Syntax 
[no] shutdown
Context 
config>system>security>pki>ca-profile>auto-crl-update
Description 

This command disables automatic CRL update.

The no form of this command enables automatic CRL update. If the no shutdown command is issued, the system immediately initiates a CRL update if the configured CRL file does not exist or is invalid or expired, or if the schedule type is configured as next-update-based and the scheduled update time has already passed.

Default 

shutdown

8.10.2.3. Show Commands

Note:

The following command outputs are examples only; actual displays may differ depending on supported functionality and user configuration.

ca-profile

Syntax 
ca-profile name [association]
Context 
show>certificate
Description 

This command displays IPSec certificate profile information for root and subordinate CAs.

Parameters 
name—
specifies an existing CA profile name, up to 32 characters
association—
displays information for which this CA profile is associated
Output 

The following output is an example of CA profile information.

Output Example
*A:Dut-A# show>certificate# ca-profile "test"
===============================================================================
PKI CA-Profile Information
===============================================================================
CA Profile     : test                           Admin State    : down
Description    : (Not Specified)
CRL File       : (Not Specified)
Cert File      : (Not Specified)
Oper State     : down
Oper Flags     : adminDown
CMPv2
-------------------------------------------------------------------------------
HTTP Timeout   : 30 secs                        Router         : base
CA URL         : (Not Specified)
Sign Cert URL  : (Not Specified)
Unprot Err Msg : disabled                       Unprot Pki Conf: disabled
Same RecipNonce: disabled
for Poll-reqs
Set Sndr for IR: True
HTTP version   : 1.1
OCSP
-------------------------------------------------------------------------------
Responder URL  : (Not Specified)
Router         : base
===============================================================================
*A:Dut-A# show>certificate#

ocsp-cache

Syntax 
ocsp-cache [entry-id
Context 
show>certificate
Description 

This command displays OCSP cache information.

Parameters 
entry-id—
specifies the ID of an entry in the OCSP cache, from 1 to 2000

statistics

Syntax 
statistics
Context 
show>certificate
Description 

This command displays certificate-related statistics.

Output 

The following output is an example of certificate-related statistics information.

Output Example
*A:Dut-A# show>certificate# statistics
===============================================================================
Certificate Statistics
===============================================================================
Auth Failed          : 0                    Auth Passed      : 4
Total Auth Req       : 4
===============================================================================
*A:Dut-A# show>certificate#

trust-anchor-profile

Syntax 
trust-anchor-profile trust-anchor-profile association
trust-anchor-profile [trust-anchor-profile]
Context 
show>ipsec
Description 

This command displays trust anchor profile information. Specifying a trust anchor profile shows the CA certificates associated with that trust anchor profile. When a trust anchor profile is not specified, the command shows all trust anchor profiles configured on the system and the number of CAs that are down in each profile. When a trust anchor profile is specified along with the association keyword, the command displays the names of the IPSec tunnels that are using a particular trust anchor profile.

Parameters 
trust-anchor-profile—
specifies a trust anchor profile name, up to 32 characters
Output 

The following output is an example of trust anchor profile information.

Output Example
*A:7705:Dut-A# show>ipsec# trust-anchor-profile trustAnchorProfile_11
===============================================================================
Trust Anchor CA-Profile List
===============================================================================
CA Profile                       Admin/Oper State
------------------------------------------------------------------
caProfile_11                     down/down
==================================================================
A:7705:Dut-A# show>ipsec>trust-anchor-profile#
A:7705:Dut-A# show>ipsec# trust-anchor-profile
==================================================================
Trust Anchor Profile Information
==================================================================
Name                             CA Profiles Down
------------------------------------------------------------------
trustAnchorProfile_1             0
trustAnchorProfile_11            0
==================================================================
*A:7705:Dut-A# show>ipsec# 
*A:7705:Dut-A# show>ipsec# trust-anchor-profile "trustAnchorProfile_1" association
===============================================================================
IPsec tunnels using trust-anchor-profile
===============================================================================
SvcId      Type   SAP                          Tunnel
-------------------------------------------------------------------------------
2          vprn   tunnel-1.private:1           tunnelPrivateSide_1
===============================================================================
Number of tunnel entries: 1
===============================================================================
===============================================================================
*A:7705:Dut-A# show>ipsec#

cert-profile

Syntax 
cert-profile name association
cert-profile [name]
cert-profile name entry [1..8]
Context 
show>ipsec
Description 

This command displays IPSec certificate profile information.

Parameters 
name—
specifies an existing certificate profile name
association—
displays information for which this IPSec certificate profile is associated
entry [1..8]—
displays information for the specified entry
Output 

The following output is an example of IPSec certificate profile information.

Output Example
*A:Dut-A# show ipsec cert-profile cert "cert-1.der" 
==============================================================================
Certificate Profile Entry 
==============================================================================
Id Cert                     Key                      Status Flags
------------------------------------------------------------------------------
1  cert-1.der               key-1.der                
==============================================================================
*A:Dut-A# 
 
 
*A:Dut-A# show ipsec cert-profile "cert-1.der" entry 1
===============================================================================
IPsec Certificate Profile: cert-1.der Entry: 1 Detail
===============================================================================
Cert File        : cert-1.der
Key File         : key-1.der
Status Flags     : (Not Specified)
Comp Chain       : complete             
 
Compute Chain CA Profiles
-------------------------------------------------------------------------------
CA10
CA9
CA8
CA7
CA6
===============================================================================
*A:Dut-A# exit 

ike-policy

Syntax 
ike-policy
ike-policy ike-policy-id
Context 
show>ipsec
Description 

This command displays provisioning parameters for a given IKE policy. When an ike-policy-id is not specified then a summary display showing all IKE policies is displayed. When an ike-policy-id is specified then a detailed display showing IKE policy settings for the specific IKE policy is displayed.

Parameters 
ike-policy-id—
specifies the ID of an IKE policy entry
Values—
1 to 2048

 

Output 

The following output is an example of IPSec security policy information, and Table 185 describes the fields.

Output Example
*A:7705custDoc:Sar18>show>ipsec# ike-policy
===============================================================================
IPsec IKE Policies
===============================================================================
Id   Ike  Ike DH Pfs   Pfs Auth   Encr   Isakmp IPsec  Auth     DPD     NAT
     Mode Ver          DH  Alg    Alg    Life-  Life-  Method
                                         time   time
-------------------------------------------------------------------------------
1    Main  2  2  False 2   Sha1   Aes128 86400  3600   psk      disable disable
2    Main  2  14 True  5   Sha384 Aes192 60000  48000  psk      enable  enable
-------------------------------------------------------------------------------
No. of IPsec IKE Policies: 2
===============================================================================
*A:7705custDoc:Sar18>show>ipsec# 
*A:7705custDoc:Sar18>show>ipsec# ike-policy 1
===============================================================================
IPsec IKE policy Configuration Detail
===============================================================================
Policy Id        : 1                    IKE Mode         : main
DH Group         : Group2               Auth Method      : psk
PFS              : False                PFS DH Group     : Group2
Auth Algorithm   : Sha1                 Encr Algorithm   : Aes128
ISAKMP Lifetime  : 86400                IPsec Lifetime   : 3600
NAT Traversal    : Disabled
NAT-T Keep Alive : 0                    Behind NAT Only  : True
DPD              : Disabled
DPD Interval     : 30                   DPD Max Retries  : 3
Description      : (Not Specified)
IKE Version      : 2                    Own Auth Method  : symmetric
Table 185:  IPSec IKE-Policy Command Field Descriptions 

Label

Description

IPsec IKE Policies

Id

The IKE policy identifier

Ike Mode

The IKE mode

Ike Ver

The IKE version

DH

The Diffie-Hellman group (DH) used for the IKE policy

Pfs

Displays whether perfect forward secrecy (PFS) is used on the IPSec tunnel using this policy

Pfs DH

The Diffie-Hellman group (DH) used for calculating PFS keys

Auth Alg

The hashing algorithm used for the IKE authentication function

Encr Alg

The encryption algorithm used for the IKE session

Isakmp Life-time

The lifetime of a phase 1 IKE key, in seconds

IPsec Life-time

The lifetime of a phase 2 IKE key, in seconds

Auth Method

The authentication method

DPD

The state of the dead peer detection (DPD) mechanism: Enabled or Disabled

NAT

The state of Network Address Translation Traversal (NAT-T)

No. of IPsec IKE Policies:

The number of IPSec IKE policies

IPsec IKE Policy Configuration Detail

Policy Id

The IKE policy identifier

IKE Mode

The IKE mode

DH Group

The Diffie-Hellman group (DH) used for the IKE policy

Auth Method

The authentication method

PFS

Displays whether perfect forward secrecy (PFS) is used on the IPSec tunnel using this policy

PFS DH Group

The Diffie-Hellman group (DH) used for calculating PFS keys

Auth Algorithm

The hashing algorithm used for the IKE authentication function

Encr Algorithm

The encryption algorithm used for the IKE session

ISAKMP Lifetime

The lifetime of a phase 1 IKE key, in seconds

IPsec Lifetime

The lifetime of a phase 2 IKE key, in seconds

NAT Traversal

The state of Network Address Translation Traversal (NAT-T): Enabled, Disabled, or Force

NAT-T Keep Alive

Displays the configured NAT-T keepalive interval, in seconds

Behind NAT Only

Indicates when NAT-T keepalive messages are sent

True—keepalive messages are sent if a NAT device is detected. Detection is done by each IKE session, for each IPSec tunnel.

False—keepalive messages are always sent

When force-keep-alive is specified, the state of Behind NAT Only is False, otherwise it is True.

DPD

The state of the Dead Peer Detection (DPD) mechanism: Enabled or Disabled

DPD Interval

The interval used to test connectivity to the tunnel peer

DPD Max Retries

The maximum number of retries before the tunnel is removed

Description

A user-configured description of the IKE policy

IKE Version

The IKE version

Own Auth Method

Indicates the authentication method used with this IKE policy to authenticate on the local side of the tunnel

security-policy

Syntax 
security-policy service service-id [security-policy-id security-policy-id]
security-policy
Context 
show>ipsec
Description 

This command displays the provisioning parameters for a given security policy.

Parameters 
service-id—
specifies the service ID or name of the tunnel delivery service
Values—
1 to 2147483690 or service-name

 

security-policy-id—
specifies the IPSec security policy entry that this service will use
Values—
1 to 8192

 

Output 

The following output is an example of IPSec security policy information, and Table 186 describes the fields.

Output Example
*A:7705custDoc:Sar18>show>ipsec# security-policy
=============================================================================
IPsec Security Policies
=============================================================================
ServiceId                SecurityPolicyId            Security Policy Params
                                                     Entry count
-----------------------------------------------------------------------------
20                       1                           2
20                       17                          0
-----------------------------------------------------------------------------
No. of IPsec Security Policies: 2
=============================================================================
*A:7705custDoc:Sar18>show>ipsec# security-policy 20
========================================================================
Security Policy Param Entries
========================================================================
SvcId      Security   Policy     LocalIp             RemoteIp
           PlcyId     ParamsId
------------------------------------------------------------------------
20         1          1          any                 any
20         1          2          10.11.11.11/32      10.10.10.10/32
------------------------------------------------------------------------
No. of IPsec Security Policy Param Entries: 2
========================================================================
========================================================================
Security Policy Param Entries
========================================================================
SvcId      Security   Policy     LocalIp             RemoteIp
           PlcyId     ParamsId
------------------------------------------------------------------------
------------------------------------------------------------------------
No. of IPsec Security Policy Param Entries: 0
========================================================================
*A:7705custDoc:Sar18>show>ipsec# security-policy 20 1
========================================================================
Security Policy Param Entries
========================================================================
SvcId      Security   Policy     LocalIp             RemoteIp
           PlcyId     ParamsId
------------------------------------------------------------------------
20         1          1          any                 any
20         1          2          10.11.11.11/32      10.10.10.10/32
------------------------------------------------------------------------
No. of IPsec Security Policy Param Entries: 2
========================================================================
*A:7705custDoc:Sar18>show>ipsec#
Table 186:  IPSec Security Policy Command Field Descriptions 

Label

Description

IPsec Security Policies

ServiceId

The service identifier

SecurityPolicyId

The security policy identifier applied to the service

Security Policy Params Entry count

The number of entries in the security policy

No. of IPsec Security Policies:

The number of IPSec security policies on the router

Security Policy Param Entries

SvcId

The service identifier

Security PlcyId

The security policy identifier applied to the service

Policy ParamsId

The parameter entry number for the security policy

LocalIp

The IP address of the local IP interface

RemoteIp

The IP address of the remote IP interface

No. of IPsec Security Policy Param Entries:

The number of parameter entries for the IPSec security policy

transform

Syntax 
transform [transform-id]
Context 
show>ipsec
Description 

This command displays IPSec transforms.

Parameters 
transform-id—
specifies an IPSec transform entry
Values—
1 to 2048

 

Output 

The following output is an example of IPSec transform information, and Table 187 describes the fields.

Output Example
*A:7705custDoc:Sar18>show>ipsec# transform
================================================================
IPsec Transforms
================================================================
TransformId    EspAuthAlgorithm    EspEncryptionAlgorithm
----------------------------------------------------------------
1              Sha1                Aes128
2              Md5                 3Des
----------------------------------------------------------------
No. of IPsec Transforms: 2
================================================================
*A:7705custDoc:Sar18>show>ipsec# 
Table 187:  IPSec Transform Command Field Descriptions 

Label

Description

IPsec Transforms

TransformId

The identifier of the IPSec transform policy

EspAuthAlgorithm

Displays the type of Encapsulating Security Payload (ESP) authorization algorithm defined in the transform policy

EspEncryptionAlgorithm

Displays the type of Encapsulating Security Payload (ESP) encryption algorithm defined in the transform policy

No. of IPsec Transforms:

The number of IPSec transform policies

tunnel

Syntax 
tunnel
tunnel ipsec-tunnel-name
tunnel count
Context 
show>ipsec
Description 

This command displays the IPSec tunnel information for existing tunnels.

Parameters 
ipsec-tunnel-name—
specifies the configured name of the IPSec tunnel to be displayed, 32 characters maximum
count—
displays the total number of IPSec tunnels
Output 

The following output is an example of IPSec tunnel information, and Table 188 describes the fields.

Output Example
*A:7705custDoc:Sar18>show>ipsec# tunnel
==============================================================================
IPsec Tunnels
==============================================================================
TunnelName                       LocalAddress      SvcId        Admn   Keying
  SapId                            RemoteAddress     DlvrySvcId   Oper   Sec
                                                                         Plcy
------------------------------------------------------------------------------
vprn_ipsec_tunnel                10.0.0.0           20           Down   Manual
  tunnel-1.private:1               10.10.0.0         None         Down   None
------------------------------------------------------------------------------
IPsec Tunnels: 1
==============================================================================
*A:7705custDoc:Sar18>show>ipsec#
*A:7705custDoc:Sar18>show>ipsec# tunnel vprn_ipsec_tunnel
===============================================================================
IPsec Tunnel Configuration Detail
===============================================================================
Service Id       : 20                   Sap Id           : tunnel-1.private:1
Tunnel Name      : vprn_ipsec_tunnel
Description      : None
Local Address    : 10.0.0.0              
Remote Address   : 10.0.0.0
Delivery Service : None                 Security Policy  : None
Admin State      : Down                 Oper State       : Down
Last Oper Change : 05/29/2015 15:10:01
Keying Type      : Manual               Replay Window    : None
Clear DF Bit     : false                IP MTU           : max
Copy DF Bit      : false                I
Oper Flags       : unresolvedLocalIp tunnelAdminDown sapDown
                   unresolvedPublicSvc
-------------------------------------------------------------------------------
BFD Interface
-------------------------------------------------------------------------------
BFD Designate    : no
===============================================================================
*A:7705custDoc:Sar18>show>ipsec#
*A:7705custDoc:Sar18>show>ipsec# tunnel count
===============================================================================
IPsec Tunnel Count
===============================================================================
Total IPsec Tunnels                    : 1
===============================================================================
*A:7705custDoc:Sar18>show>ipsec#
*A:7705custDoc:Sar18>show>ipsec# tunnel ipsec_tunnel_tag1
===============================================================================
IPsec Tunnel Configuration Detail
===============================================================================
Service Id       : 20                   Sap Id           : tunnel-1.private:1
Tunnel Name      : ipsec_tunnel_tag1
Description      : None
Local Address    : 10.10.10.1
Remote Address   : 10.11.11.11
Delivery Service : 10                   Security Policy  : 1
Admin State      : Down                 Oper State       : Down
Last_Oper_Change : 05/29/2015 15:10:01
Keying Type      : Dynamic              Replay Window    : None
TrustAnchor Prof : certChainTrustAnchorProfile
Match TrustAnchor: CA.Level6
Cert Profile     : certChainProfile
Local Id Type    : none
Clear DF Bit     : false                IP MTU           : max
Copy DF Bit      : false
Oper Flags       : unresolvedLocalIp tunnelAdminDown sapDown
                   unresolvedPublicSvc
-------------------------------------------------------------------------------
BFD Interface
-------------------------------------------------------------------------------
BFD Designate    : no
-------------------------------------------------------------------------------
Dynamic Keying Parameters
-------------------------------------------------------------------------------
Transform Id1    : 1                    Transform Id2    : 2
Transform Id3    : None                 Transform Id4    : None
Ike Policy Id    : 1                    Auto Establish   : disabled
PreShared Key:12345abc!def%67890
Selected Cert    : depth6.cer
Selected Key     : depth6.key
Send Chain Prof  : CA.Level0
                 : CA.Level1
                 : CA.Level2
                 : CA.Level3
                 : CA.Level4
                 : CA.Level5
                 : CA.Level6
Certificate Status Verify
-------------------------------------------------------------------------------
Primary          : crl                  Secondary        : none
Default Result   : revoked
-------------------------------------------------------------------------------
ISAKMP-SA
-------------------------------------------------------------------------------
State            : Up
Established      : 12/02/2015 20:01:54  Lifetime         : 86400
Expires          : 12/03/2015 20:01:54
ISAKMP Statistics
--------------------
Tx Packets       : 2                    Rx Packets       : 2
Tx Errors        : 0                    Rx Errors        : 0
Tx DPD           : 0                    Rx DPD           : 0
Tx DPD ACK       : 0                    Rx DPD ACK       : 0
DPD Timeouts     : 0                    Rx DPD Errors    : 0
===============================================================================
===============================================================================
*A:7705custDoc:Sar18>show>ipsec#
Table 188:  IPSec Tunnel Command Field Descriptions 

Label

Description

IPsec Tunnels

TunnelName

The specified name of the IPSec tunnel

LocalAddress

The IPv4 address of the local router

SvcId

The service identifier

Admn

The administrative state of the IPSec tunnel

Keying

The type of security keying for the tunnel: None, Manual, or Dynamic

SapId

The SAP identifier

RemoteAddress

The IPv4 address of the remote router

DlvrySvcId

The service identifier of the delivery service

Oper

The operational state of the IPSec tunnel

Sec Plcy

The identifier of the security policy used

IPsec Tunnels:

The number of IPSec tunnels

IPsec Tunnel Configuration Detail

Service Id

The service identifier

Sap Id

The SAP identifier

Tunnel Name

The specified name of the IPSec tunnel

Description

The description configured for the IPSec tunnel

Local Address

The IPv4 address of the local router

Remote Address

The IPv4 address of the remote router

Delivery Service

The service identifier of the delivery service

Security Policy

The identifier of the security policy used

Admin State

The administrative state of the IPSec tunnel

Oper State

The operational state of the IPSec tunnel

Last Oper Change

The timestamp indicating the last operational status change for the IPSec tunnel

Keying Type

The type of security keying for the tunnel: None, Manual, or Dynamic

Replay Window

The size of the replay window used for anti-replay

TrustAnchor Prof

The trust anchor profile that is being used

Match TrustAnchor

The actual CA certificate that has been selected from the trust anchor profile

Cert Profile

The certification profile

Clear DF Bit

Indicates whether the tunnel is clearing the DF bit: true (clearing) or false (not clearing)

Copy DF Bit

Indicates whether the tunnel is copying the DF bit: true (copying) or false (not copying)

IP MTU

The interface IP MTU. The value “max” indicates that the tunnel will receive whatever IP payload is sent to it.

Oper Flags

Displays the operational flags currently in effect

BFD Interface

BFD Designate

Displays whether a BFD designate has been specified: yes or no

Dynamic Keying Parameters

Transform Id1

Transform Id2

Transform Id3

Transform Id4

The ipsec-transform IDs that are assigned under the VPRN ipsec-tunnel context

Ike Policy Id

The IKE policy ID

Auto Establish

Displays whether automatic establishing of an IPSec tunnel has been specified: yes or no

PreShared Key

The PSK or shared secret used with dynamic keying as defined under the VPRN ipsec-tunnel context

Selected Cert

The actual certificate being used, selected from the cert-profile

Selected Key

The actual key being used, selected from the cert-profile

Send Chain Prof

The send chain, if configured, under the cert-profile

Certificate Status Verify

Primary

The primary method used to verify the revocation status of the peer’s certificate, either CRL or OCSP

Secondary

The secondary method used to verify the revocation status of the peer’s certificate, either CRL or OCSP

Default Result

The default result when both the primary and secondary methods fail to verify the revocation status of the peer’s certificate, either good or revoked

Isakmp State

The state of ISAKMP: Up or Down

ISAKMP Statistics

ISAKMP statistics are for traffic sent and received by the IKE protocol

Tx Packets

The number of IKE packets transmitted

Rx Packets

The number of IKE packets received

Tx Errors

The number of IKE packet errors transmitted

Rx Errors

The number of IKE packet errors received

Tx DPD

The number of IKE Dead Peer Detection (DPD) packets transmitted

Rx DPD

The number of IKE DPD packets received

Tx DPD ACK

The number of IKE DPD acknowledged packets transmitted

Rx DPD ACK

The number of IKE DPD acknowledged packets received

DPD Timeouts

The number of IKE DPD timeouts

Rx DPD Errors

The number of IKE DPD packet errors received

IPsec Tunnel Count

Total IPsec Tunnels

The total number of IPSec tunnels on the local router

8.10.2.4. Clear Commands

mda

Syntax 
mda {slot/mda | all}
mda all statistics
mda slot/mda statistics security [encryption]
Context 
clear
Description 

This command clears statistics.

Parameters 
slot/mda
the port or module identifier
all—
resets all ports or modules on the node
all statistics—
clears all security statistics on the node
encryption—
specifies the security type
statistics security—
clears only security statistics for the specified port or module

8.10.2.5. Debug Commands

cmpv2

Syntax 
[no] cmpv2
Context 
debug
Description 

This command enables the context to perform CMPv2 debug operations.

ca-profile

Syntax 
[no] ca-profile profile-name
Context 
debug>cmpv2
Description 

This command debugs the output from the specified CA profile.

  1. The protection method of each message is logged.
  2. All HTTP messages are logged. The format allows offline analysis using Wireshark.
  3. In the event of failed transactions, saved certificates are not deleted from the file system in order to allow for further debug and analysis.
  4. The system allows CMPv2 debugging for multiple CA profiles at the same time.

certificate

Syntax 
[no] certificate filename
Context 
debug>ipsec
Description 

This command enables debug for certificate chain computation in cert-profile.

Parameters 
filename—
displays the filename of the imported certificate

tunnel

Syntax 
tunnel [ipsec-tunnel-name] [detail]
no tunnel [ipsec-tunnel-name]
Context 
debug>ipsec
Description 

This command can be used to facilitate debugging related to IPSec tunnels. Multiple IPSec tunnels can be debugged at the same time; up to 16 instances of this command can run concurrently.

Parameters 
ipsec-tunnel-name—
specifies an IPSec tunnel name up to 32 characters in length
detail—
enables detailed debug information