See VPRN Services Command Reference for the command descriptions.
Refer to the section “Card, Adapter Card, and Port Command Reference” in the 7705 SAR OS Interface Configuration Guide for information on the show>mda commands.
Refer to the section “IP Router Command Reference” in the 7705 SAR OS Router Configuration Guide for information on the show>router >interface statistics command.
This command creates a text description stored in the configuration file for a configuration context.
The no form of this command removes the string from the context.
No description is associated with the configuration context.
The shutdown command administratively disables an entity. The operational state of the entity is disabled as well as the operational state of any entities contained within. When disabled, an entity does not change, reset, or remove any configuration settings or statistics. Many objects must be shut down before they may be deleted. Many entities must be explicitly enabled using the no shutdown command.
The no form of this command places the entity into an administratively enabled state.
Services are created in the administratively down state (shutdown). When a no shutdown command is entered, the service becomes administratively up and then tries to enter the operationally up state.
This command creates an ISA tunnel configuration context.
The no form of this command removes the context.
n/a
This command enables a tunnel group to be created or edited. The 7705 SAR can have only one tunnel group (tunnel-group 1).
The no form of the command deletes the specified tunnel group from the configuration.
n/a
This command enables the context to configure Internet Protocol security (IPSec) parameters. IPSec is a structure of open standards to ensure private, secure communications over Internet Protocol (IP) networks by using cryptographic security services.
This command enables provisioning of IKE policy parameters.
The no form of the command removes the IKE policy.
This command specifies which hashing algorithm to use for the IKE authentication function. The no form of the command returns the parameter to its default value.
sha1
This command specifies the authentication method used with this IKE policy. Configuring the policy for pre-shared key (PSK) or no auth-method produces the same result since PSK is both the default value and the only option.
The no form of the command returns the parameter to its default value (psk).
no auth-method
This command specifies which Diffie-Hellman group is used to calculate session keys:
More bits provide a higher level of security but require more processing.
The no form of the command returns the parameter to its default value (Group2).
no dh-group (Group2)
This command controls the dead peer detection (DPD) mechanism to detect a dead IKE peer.
The no form of the command disables DPD and returns the parameters to their default values.
no dpd
This command specifies the encryption algorithm to use for the IKE session.
The no form of the command returns the algorithm to its default value (aes128).
aes128
This command specifies the mode of operation for IKEv1 phase 1, either main mode or aggressive mode. The difference between the modes is the number of messages used to establish the session. IKEv1 phase 1 main mode uses three pairs of messages (for a total of six messages) between IPSec peers. IKEv1 phase 1 aggressive mode has only three message exchanges.
This command does not apply to IKEv2.
The no form of the command removes the mode of operation.
main
This command configures the version of the IKE protocol that the IKE policy will use.
The no form of the command removes the configured version.
2
This parameter specifies the lifetime of a phase 2 SA.
The no form of the command returns the ipsec-lifetime value to the default.
3600 (1 hr)
This command specifies the lifetime of a phase 1 SA. ISAKMP stands for Internet Security Association and Key Management Protocol.The no form of the command returns the isakmp-lifetime value to the default value.
86400
This command specifies whether NAT-T (Network Address Translation Traversal) is enabled, disabled, or in force mode. Enabling NAT-T enables the NAT detection mechanism. If a NAT device is detected in the path between the 7705 SAR and its IPSec peer, then UDP encapsulation is done on the IPSec packet to allow the IPSec traffic to traverse the NAT device.
When nat-traversal is used without any parameters, NAT-T is enabled and sending keepalive packets is disabled (keep-alive-interval is 0 s).
When the force keyword is used, the IPSec tunnel always uses a UDP value in its header, regardless of whether a NAT device is detected.
The force-keep-alive keyword specifies whether keepalive packets are sent only when a NAT device is detected or are always sent (regardless of detection of a NAT device). When force-keep-alive is used, packets are always sent and the “Behind NAT Only” field in the show>ipsec>ike-policy ike-policy-id indicates False. When force-keep-alive is not used, packets are may or may not be sent, depending on the whether NAT-T is enabled or disabled. In this case, the “Behind NAT Only” field indicates True.
The keep-alive-timer keyword defines the frequency, where “0” means that keepalives are disabled.
The no form of the command returns the parameters to the default values (NAT-T is disabled, keep-alive-interval is 0 s, and force-keep-alive is True).
no nat-traversal
This command specifies the authentication method used by the 7705 SAR OS to self-authenticate. This command (own-auth-method) applies only to IKEv2.
The default self-authentication method used by the 7705 SAR OS is symmetric, which means the self-authentication method is the same as the authentication method used by this IKE policy for the remote peer (that is, the own-auth-method is the same as auth-method).
The no form of the command returns the parameter to the default value (symmetric).
no own-auth-method
This command enables Perfect Forward Secrecy (PFS) on the IPSec tunnel using this policy. PFS provides for a new Diffie-Hellman key exchange each time the SA key is renegotiated. After each SA expires, the key is forgotten and another key is generated (if the SA remains up). This means that an attacker who cracks part of the exchange can only read the part that used the key before the key changed. Thus, there is no advantage to cracking the other parts of the exchange if an attacker has already cracked one.
When pfs is used without the dh-group command, the default DH group (Group 2) is used.
The no form of the command disables PFS. If pfs is turned off during an active SA, then when the SA expires and it is time to re-key the session, the original Diffie-Hellman primes is used to generate the new keys.
no pfs
This command enables the context to create an ipsec-transform policy. IPSec transform policies can be shared between IPSec tunnels by using the transform command.
IPSec transform policy assignments to a tunnel require the tunnel to be shut down.
The no form of the command removes the transform ID from the configuration.
This command specifies which hashing algorithm should be used for the authentication function Encapsulating Security Payload (ESP). Both ends of a tunnel must share the same configuration parameters in order for the IPSec tunnel to enter the operational state.
The null keyword in this command and the null keyword in the esp-encryption-algorithm command are mutually exclusive.
The no form of the command returns the parameter to its default value.
sha1
This command specifies the encryption algorithm to use for the IPSec session. Encryption only applies to Encapsulating Security Payload (ESP) configurations.
For IPSec tunnels to come up, both ends of the IPSec tunnel (both private-side endpoints) must be configured with the same encryption algorithm. That is, the configuration for vprn>if>sap> ipsec-tunnel transform must match at both nodes.
The null keyword in this command and the null keyword in the esp-auth-algorithm command are mutually exclusive.
The no form of the command returns the parameter to its default value.
aes128
This command configures an IPSec static security association (SA).
no static-sa
This command configures the authentication algorithm to use for the specified static SA.
The no form of the command resets to command to the default value.
sha1
This command configures the direction for the specified static SA.
The no form of the command resets the command to the default value.
bidirectional
This command configures the security protocol to use for the specified static SA. The no form of the command resets th command to the default value.
esp
This command configures the Security Parameter Index (SPI) key value for the specified IPSec SA.
The SPI is used to look up the instruction to verify and decrypt the incoming IPSec packets when the value of the direction command is inbound.
The SPI value specifies the SPI that will be used in the encoding of the outgoing packets when the value of the direction command is outbound. The remote node can use this SPI to look up the instruction to verify and decrypt the packet.
If no SPI is configured, the static SA cannot be used. The no form of the command removes the configured SPI.
none
This command enables the context to configure IPSec policies.
n/a
This command configures a security policy to use for an IPSec tunnel. An entry specifying local and remote IP addresses must be defined before the policy can be used.
The no form of the command removes the policy. Policy entries must be deleted before the policy can be removed.
n/a
This command configures an IPSec security policy entry.
The no form of the command removes the entry.
n/a
This command configures the local (from the VPN) IP prefix/mask for the policy parameter entry.
Only one entry is necessary to describe a potential traffic flow. The local-ip and remote-ip commands can be defined only once. The system will evaluate the local IP as the source IP when traffic is examined in the direction of the VPN to the tunnel and as the destination IP when traffic flows from the tunnel to the VPN. The remote IP will be evaluated as the source IP when traffic flows from the tunnel, and as the destination IP to the VPN when traffic flows from the VPN to the tunnel.]
The no form of the command clears the IP entry.
no local-ip
This command configures the local (from the VPN) IPv6 address for the policy parameter entry.
Only one entry is necessary to describe a potential traffic flow. The local-v6-ip and remote-v6-ip commands can be defined only once. The system will evaluate the local IPv6 address as the source IPv6 address when traffic is examined in the direction of the VPN to the tunnel and as the destination IPv6 address when traffic flows from the tunnel to the VPN. The remote IPv6 address will be evaluated as the source IPv6 address when traffic flows from the tunnel to the VPN and as the destination IPv6 address when traffic flows from the VPN to the tunnel.
The no form of the command clears the IPv6 address entry.
no local-v6-ip
This command configures the remote (from the tunnel) IP prefix/mask for the policy parameter entry.
Only one entry is necessary to describe a potential traffic flow. The local-ip and remote-ip commands can be defined only once. The system will evaluate the local IP as the source IP when traffic is examined in the direction of the VPN to the tunnel and as the destination IP when traffic flows from the tunnel to the VPN. The remote IP will be evaluated as the source IP when traffic flows from the tunnel to the VPN and as the destination IP when traffic flows from the VPN to the tunnel.
The no form of the command clears the IP entry.
no remote-ip
This command configures the remote (from the tunnel) IPv6 address for the policy parameter entry.
Only one entry is necessary to describe a potential traffic flow. The local-v6-ip and remote-v6-ip commands can be defined only once. The system will evaluate the local IPv6 address as the source IPv6 address when traffic is examined in the direction of the VPN to the tunnel and as the destination IPv6 address when traffic flows from the tunnel to the VPN. The remote IPv6 address will be evaluated as the source IPv6 address when traffic flows from the tunnel to the VPN and as the destination IPv6 address when traffic flows from the VPN to the tunnel.
The no form of the command clears the IPv6 address entry.
no remote-v6-ip
This command creates a logical IP routing interface.
The tunnel keyword is not used for IES interfaces. An IES public tunnel SAP is created when the sap-id includes the tunnel and public keywords (see sap below). For VPRN interfaces, tunnel is used to create an IP interface that supports a private tunnel SAP. The VPRN private tunnel SAP allows provisioning of an IPSec tunnel, and is created when the VPRN sap-id includes the tunnel and private keywords.
n/a
This command creates a SAP. For IES and VPRN services using tunnel interfaces, the sap-id for private and public tunnel interfaces are shown below. See sap In the VLL Services Command Reference for details on configuring all SAPs.
n/a
This command specifies an IPSec tunnel name. Configuring the commands under the ipsec-tunnel context defines where the IPSec tunnel originates and terminates, and how it is secured.
n/a
This command specifies whether this IPSec tunnel is the BFD-designated tunnel.
A BFD-designated tunnel is the tunnel over which a BFD session is established. A BFD-designated tunnel does not go down when BFD goes down. Other tunnels that use that BFD-designated tunnel’s BFD session will go down based on the state of the BFD session.
no bfd-designate
This command assigns a BFD session to provide the heart-beat mechanism for the specified IPSec tunnel. There can be only one BFD session assigned to any given IPSec tunnel, but there can be multiple IPSec tunnels using same BFD session. BFD controls the state of the associated tunnel; if the BFD session goes down, the system will also bring down the associated non-designated IPSec tunnel.
n/a
IPv4 address: | a.b.c.d |
This command clears the do-not-fragment (DF) bit on incoming unencrypted IP traffic, allowing traffic to be fragmented, if necessary, before it enters the tunnel.
The no form of the command, corresponding to the default behavior, leaves the DF bit unchanged.
no clear-df-bit
This command specifies whether to copy the do-not-fragment (DF) bit from the customer clear traffic and insert it into the IPSec tunnel header of the outgoing packet. When disabled, the DF bit of the IPSec tunnel header is always set to 1 (do not copy the DF bit).
The no form of the command, corresponding to the default behavior, does not copy the customer DF bit to the IPSec tunnel header.
no copy-df-bit
This command enables dynamic keying for the IPSec tunnel. Dynamic keying means that the IKE protocol is used to dynamically exchange keys and establish IPSec-SAs. When IKE is used, a tunnel will have ISAKMP-SA for phase 1 (used by IKE) and IPSEC-SA for phase 2 (used for traffic encryption).
The dynamic-keying and manual-keying commands are mutually exclusive. One of these commands must be configured to make the tunnel operational.
The no form of the command returns the SA keying type to its default value.
no dynamic-keying
This command specifies whether to attempt to establish a phase 1 exchange automatically. The auto-establish command should only be enabled on one side of the tunnel. A tunnel with auto-establish enabled acts as an IKE initiator and does not respond to a new phase 1 request.
The no form of the command disables the automatic attempts to establish a phase 1 exchange.
no auto-establish
This command configures the IKE policy for dynamic keying, which will be used by the tunnel.
The no form of the command removes the IKE policy.
no ike-policy
This command allows the specification of the IKEv2 local ID value for a dynamic keyed IPSec tunnel. The allowed local ID types are a valid IPv4 address or an FQDN (fully qualified domain name) string.
If local-id is configured, the tunnel’s local ID is set to the explicit type and value specified by the local-id command. If local-id is not configured, the tunnel’s local gateway IP address is used in the ID field of IKEv2 (see local-gateway-address).
The no form of the command removes the local ID.
no local-id
This command specifies the pre-shared key (PSK), or secret passphrase, that will be used to initiate the tunnel IKE session. If the hash or hash2 parameter is not used, the key is a clear text key; otherwise, the key text is encrypted. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.
The no form of the command removes the pre-shared key.
no pre-shared-key
This command associates the IPSec transform set allowed for this tunnel. A maximum of four transforms can be specified. The transforms are listed in decreasing order of preference (the first one specified is the most preferred). The list of transform-ids is overwritten each time the command is issued. Transforms are defined using the ipsec-transform command.
The no form of the command returns the command to its default state.
no transform
This command configures the IP maximum transmit unit (MTU) (packet) for this interface.
The ip-mtu command instructs the 7705 SAR to perform IP packet fragmentation prior to IPSec encryption and encapsulation, based on the configured MTU value.
On the 7705 SAR, unencrypted IP packets arriving on a VPRN access interface and destined for an IPSec uplink will be fragmented if the incoming packet is larger than:
The actual overhead depends on the payload size, and the encryption and authentication algorithms used.
The no ip-mtu command, corresponding to the default behavior, disables fragmentation of IP packets by the 7705 SAR; all IP packets, regardless of size or DF bit setting, are allowed into the tunnel.
no ip-mtu
This command specifies the local gateway address used by the tunnel and the remote gateway address at the other end of the tunnel.
The local gateway address is the source address of the outgoing encrypted packet and the peer gateway address is the destination address. The delivery service is the IES service that has the corresponding public tunnel interface configured under it.
The local gateway address must be in the same subnet as the public tunnel interface.
This command allows manual configuration of tunnel Security Associations. Manual keying can be used in lieu of dynamic keying and IKE.
The dynamic-keying and manual-keying commands are mutually exclusive. One of these commands must be configured to make the tunnel operational.
When manual keying is used, both encryption and authentication must be entered manually for inbound and outbound SAs. Encryption and authentication modes, along with associated keys, must match on both sides of the tunnel. Inbound SA configuration on the near-end system must match outbound SA configuration on the far-end system, and vice versa. Make sure to use the correct key length, based on the ipsec-transform configuration.
A configuration example for manual keying is shown below:
The no form of the command returns the SA keying type to its default value.
no manual-keying
This command configures the information required for manual keying SA creation.
n/a
This command identifies an IPSec security policy (defined under the vprn>ipsec context) that is to be used for this IPSec tunnel.
The no form of the command returns the security-policy to its default state (n/a).
n/a
This command clears the current OCSP response cache. If the optional issuer and serial number are not specified, then all current cached results are cleared.
This command enables the context to configure CMPv2 parameters. Changes are not allowed when the CA profile is enabled (no shutdown).
This command requests an additional certificate after the system has obtained the initial certificate from the CA.
The request is authenticated by a signature signed by the current-key, along with the current-cert. The hash algorithm used for the signature depends on the key type:
In some cases, the CA may not return a certificate immediately, due to reasons such as the request processing needs manual intervention. In such cases, the admin certificate cmpv2 poll command can be used to poll the status of the request.
n/a
This command clears current pending CMPv2 requests toward the specified CA. If there are no pending requests, it will clear the saved results of prior requests.
n/a
This command requests the initial certificate from the CA by using the CMPv2 initial registration procedure.
The ca keyword specifies a ca-profile that includes CMP server information.
The key-to-certify keyword is an imported key file to be certified by the CA.
The protection-key keyword is an imported key file used to for message protection if protection-alg is configured as signature.
The request is authenticated using either of the following methods:
Optionally, the system could also send a certificate or a chain of certificates in the extraCerts field. The certificate is specified by the cert cert-file-name parameter; it must include the public key of the key used for message protection.
Sending a chain is enabled by specifying the send-chain keyword.
The subject-dn keyword specifies the subject of the requesting certificate.
The save-as keyword specifies the full path name to save the result certificate to.
In some cases, the CA may not return the certificate immediately; for example, because the request processing requires manual intervention. In such cases, the admin certificate cmpv2 poll command could be used to poll the status of the request. If the key-list command is not configured in the corresponding ca-profile, then the system will use the existing password to authenticate the CMPv2 packets from the server if it is in password protection.
If key-list is configured in the corresponding ca-profile and the server does not send a SenderKID message, then the system will use the lexicographical first key in the key-list to authenticate the CMPv2 packets from the server in case it is in password protection.
n/a
This command requests a new certificate from the certificate authority to update an existing certificate.
In some cases, the CA may not return a certificate immediately; for example, because the request processing requires manual intervention. In such cases, the admin>certificate>cmpv2>poll command can be used to poll the status of the request.
This command polls the status of the pending CMPv2 request toward the specified CA.
If the response is ready, this command will resume the CMPv2 protocol exchange with the server as the original command would do. If the request is still pending, then this command could be used again to poll the status.
The 7705 SAR allows only one pending CMP request per CA, which means that no new request is allowed when a pending request is present.
n/a
This command displays the current CMPv2 pending request toward the specified CA. If there is no pending request, the last pending request is displayed including the status (one of success, fail, or rejected) and the receive time of the last CMPv2 message from the server.
The following information is included in the output:
n/a
This command displays the contents of an input file in plain text. When displaying the key file contents, only the key size and type are displayed.
The following list summarizes the formats supported by this command:
n/a
This command performs certificate operations.
This command generates an RSA or DSA private key/public key pair and stores it in a local file in the cf3:\system-pki\key directory.
This command generates a PKCS# 10 formatted certificate request by using a local existing key pair file.
n/a
This parameter is formatted as a text string including any of the above attributes. The attribute and its value are linked by using “=”, and “,” is used to separate different attributes.
For example: C=US,ST=CA,O=ALU,CN=SR12
This command converts an input file (either key, certificate, or CRL) to a system format file. The following list summarizes the formats supported by this command.
If there are multiple objects with same type in the input file, only the first object will be extracted and converted.
n/a
This command reloads an imported certificate or key file or both at the same time. This command is typically used to update a certificate and/or key file without shutting down the IPSec tunnel, cert-profile, or ca-profile.
If the new file does not exist or is invalid, then this command will abort.
n/a
This command enables the context to configure certificate parameters.
n/a
This command creates a new certificate authority profile or enters the configuration context of an existing certificate authority profile. Up to 128 CA profiles can be created in the system. A shutdown of the ca-profile will not affect the current up and running ipsec-tunnel associated with the ca-profile; however, subsequent authentication will fail.
Executing a no shutdown command in this context will cause the system to reload the configured cert-file and crl-file.
A ca-profile can be applied under the ipsec-tunnel configuration.
The no form of the command removes the name parameter from the configuration. A CA profile cannot be removed until all the associations (IPSec tunnels) have been removed.
This command specifies the name of a file in the cf3:\system-pki\cert directory as the CA’s certificate of the CA profile.
The system performs the following checks against a configured cert-file when a no shutdown command is issued.
If any of above checks fails, then the no shutdown command will fail.
Changing or removing the cert-file is only allowed when the ca-profile is in a shutdown state.
The no form of the command removes the filename from the configuration.
This command enables the context to configure CMPv2 parameters. Changes are not allowed when the CA profile is enabled (no shutdown).
This command enables the system to accept both protected and unprotected CMPv2 error messages. Without this command, the system will accept only protected error messages.
The no form of the command causes the system to accept only protected PKI error messages.
no accept-unprotected-errormsg
This command enables the system to accept both protected and unprotected CMPv2 PKI confirmation messages. Without this command, the system will accept only protected PKI confirmation messages.
The no form of the command causes the system to accept only protected PKI confirmation messages.
n/a
This command specifies to always set the sender field in the CMPv2 header of all Initial Registration (IR) messages with the subject name. By default, the sender field is only set if an optional certificate is specified in the CMPv2 request.
no always-set-sender-for-ir
This command specifies the timeout value for the HTTP response that is used by CMPv2.
The no form of the command reverts to the default value.
30 s
This command configures the HTTP version for CMPv2 messages.
1.1
This command enables the context to configure pre-shared key list parameters.
This command specifies a pre-shared key used for CMPv2 initial registration. Multiples of key commands are allowed to be configured under this context.
The password and reference-number parameters are distributed by the CA using out-of-band means.
The configured password is stored in a configuration file in an encrypted form by using a 7705 SAR hash2 algorithm.
The no form of the command removes the parameters from the configuration.
n/a
This command specifies an imported certificate that is used to verify the CMP response messages if they are protected by a signature. If this command is not configured, then the CA’s certificate is used.
n/a
This command enables the system to use the same recipNonce as the last CMPv2 response for a poll request.
n/a
This command specifies the HTTP URL of the CMPv2 server. The URL must be unique across all configured CA profiles.
The URL will be resolved by the DNS server configured (if configured) in the corresponding router context.
If the service-id is 0 or omitted, then the system will try to resolve the FQDN using the DNS server configured in bof.cfg. After resolution, the system will first connect to the address in the management routing instance, then to the address in the base routing instance.
If the service is VPRN, then the system only allows HTTP ports 80 and 8080.
n/a
This command specifies the name of a file in the cf3:\system-pki\crl directory as the Certification Revoke List file of the ca-profile.
The system performs the following checks against a configured crl-file when a no shutdown command is issued.
If any of above checks fail, the no shutdown command will fail.
Changing or removing the crl-file is only allowed when the ca-profile is in a shutdown state.
The no form of the command removes the filename from the configuration.
n/a
This command configures a description of the specified CA profile.
n/a
This command enables the context to configure OCSP parameters.
This command specifies the HTTP URL of the OCSP responder for the CA. This URL will only be used if there is no OCSP responder defined in the AIA extension of the certificate to be verified.
no responder-url
This command specifies the service or routing instance that is used to contact the OCSP responder. This applies to OCSP responders that are either configured in the CLI or defined in the AIA extension of the certificate to be verified.
The responder-url is resolved by using the DNS server configured in the configured routing instance.
For a VPRN service, the system verifies that the specified service-id or service-name is an existing VPRN service at the time of CLI configuration; if it is not, the configuration will fail.
This command enables or disables the ca-profile. The system will verify the configured cert-file and crl-file. If the verification fails, then the no shutdown command will fail.
A ca-profile in a shutdown state cannot be used in certificate authentication.
In the config>ipsec>cert-profile context, this command enables or disables the certificate profile.
shutdown
This command specifies the display format used for the Certificates and Certificate Revocation Lists.
ascii
This command defines the maximum depth of certificate chain verification. This value is applied system-wide.
The no form of the command reverts to the default value.
7
This command creates a new certificate profile or enters the configuration context of an existing certificate profile.
The no form of the command removes the profile name from the cert-profile configuration.
n/a
This command configures an entry for the specified certificate profile.
The no form of the command removes the specified entry from the specified cert-profile.
n/a
This command configures an imported certificate for the cert-profile entry.
The no form of the command removes the cert-filename from the entry configuration.
n/a
This command configures an imported key for the cert-profile entry.
The no form of the command removes the key-filename from the entry configuration.
n/a
This command enters the configuration context of send-chain in the cert-profile entry.
This command is optional. By default, the system sends the certificate specified by the cert command in the selected entry to the peer. This command allows the system to send additional CA certificates to the peer. These additional CA certificates must be in the certificate chain of the certificate specified by the cert command in the same entry.
This command specifies that a certificate authority (CA) certificate in the specified ca-profile is to be sent to the peer.
Multiple configurations (up to seven) of this command are allowed in the same entry.
n/a
This command enables the context to configure an IKE policy.
The no form of the command deletes the IKE policy.
This command specifies the authentication method used with this IKE policy.
The no form of the command removes the parameter from the configuration.
no auth-method
This command configures the authentication method used with this IKE policy on its own side.
This command specifies the trust-anchor-profile for the IPSec tunnel. This command will override the trust-anchor-profile configuration in the config>service>vprn>if>sap>ipsec-tunnel>cert context.
no trust-anchor-profile
This command creates a new certificate profile or enters the configuration context of an existing certificate profile.
The no form of the command removes the profile name from the cert-profile configuration.
n/a
This command enters the context to configure verification parameters for certificate revocation status.
n/a
This command specifies the default result when both the primary and secondary methods fail to provide an answer.
revoked
This command configures the primary method used to verify the revocation status of the peer’s certificate. The method can be either CRL or OCSP.
To verify the revocation status of the peer’s certificate, the CRL or OCSP uses the corresponding configuration in the CA profile of the issuer of the certificate in question.
crl
This command specifies the secondary method used to verify the revocation status of the peer’s certificate. The method can be either CRL or OCSP.
To verify the revocation status of the peer’s certificate, the CRL or OCSP uses the corresponding configuration in the CA profile of the issuer of the certificate in question.
The secondary method is used only when the primary method fails to provide an answer.
no secondary
This command configures the trust-anchor-profile for the specified IPSec tunnel. This command overrides the trust-anchor-profile configured in the config>ipsec context.
no trust-anchor-profile
Note: The following command outputs are examples only; actual displays may differ depending on supported functionality and user configuration. |
This command displays IPSec certificate profile information for root and subordinate CAs.
The following output is an example of CA profile information.
This command displays OCSP cache information.
This command displays certificate-related statistics.
The following output is an example of certificate-related statistics information.
This command displays trust anchor profile information. Specifying a trust anchor profile shows the CA certificates associated with that trust anchor profile. When a trust anchor profile is not specified, the command shows all trust anchor profiles configured on the system and the number of CAs that are down in each profile. When a trust anchor profile is specified along with the association keyword, the command displays the names of the IPSec tunnels that are using a particular trust anchor profile.
The following output is an example of trust anchor profile information.
This command displays IPSec certificate profile information.
The following output is an example of IPSec certificate profile information.
This command displays provisioning parameters for a given IKE policy. When an ike-policy-id is not specified then a summary display showing all IKE policies is displayed. When an ike-policy-id is specified then a detailed display showing IKE policy settings for the specific IKE policy is displayed.
The following output is an example of IPSec security policy information, and Table 157 describes the fields.
Label | Description |
IPsec IKE Policies | |
Id | The IKE policy identifier |
Ike Mode | The IKE mode |
Ike Ver | The IKE version |
DH | The Diffie-Hellman group (DH) used for the IKE policy |
Pfs | Displays whether or not perfect forward secrecy (PFS) is used on the IPSec tunnel using this policy |
Pfs DH | The Diffie-Hellman group (DH) used for calculating PFS keys |
Auth Alg | The hashing algorithm used for the IKE authentication function |
Encr Alg | The encryption algorithm used for the IKE session |
Isakmp Life-time | The lifetime of a phase 1 IKE key, in seconds |
IPsec Life-time | The lifetime of a phase 2 IKE key, in seconds |
Auth Method | The authentication method |
DPD | The state of the dead peer detection (DPD) mechanism: Enabled or Disabled |
NAT | The state of Network Address Translation Traversal (NAT-T) |
No. of IPsec IKE Policies: | The number of IPSec IKE policies |
IPsec IKE Policy Configuration Detail | |
Policy Id | The IKE policy identifier |
IKE Mode | The IKE mode |
DH Group | The Diffie-Hellman group (DH) used for the IKE policy |
Auth Method | The authentication method |
PFS | Displays whether or not perfect forward secrecy (PFS) is used on the IPSec tunnel using this policy |
PFS DH Group | The Diffie-Hellman group (DH) used for calculating PFS keys |
Auth Algorithm | The hashing algorithm used for the IKE authentication function |
Encr Algorithm | The encryption algorithm used for the IKE session |
ISAKMP Lifetime | The lifetime of a phase 1 IKE key, in seconds |
IPsec Lifetime | The lifetime of a phase 2 IKE key, in seconds |
NAT Traversal | The state of Network Address Translation Traversal (NAT-T): Enabled, Disabled, or Force |
NAT-T Keep Alive | Displays the configured NAT-T keepalive interval, in seconds |
Behind NAT Only | Indicates when NAT-T keepalive messages are sent True—keepalive messages are sent if a NAT device is detected. Detection is done by each IKE session, for each IPSec tunnel. False—keepalive messages are always sent When force-keep-alive is specified, the state of Behind NAT Only is False, otherwise it is True. |
DPD | The state of the Dead Peer Detection (DPD) mechanism: Enabled or Disabled |
DPD Interval | The interval used to test connectivity to the tunnel peer |
DPD Max Retries | The maximum number of retries before the tunnel is removed |
Description | A user-configured description of the IKE policy |
IKE Version | The IKE version |
Own Auth Method | Indicates the authentication method used with this IKE policy to authenticate on the local side of the tunnel |
This command displays the provisioning parameters for a given security policy.
The following output is an example of IPSec security policy information, and Table 158 describes the fields.
Label | Description |
IPsec Security Policies | |
ServiceId | The service identifier |
SecurityPolicyId | The security policy identifier applied to the service |
Security Policy Params Entry count | The number of entries in the security policy |
No. of IPsec Security Policies: | The number of IPSec security policies on the router |
Security Policy Param Entries | |
SvcId | The service identifier |
Security PlcyId | The security policy identifier applied to the service |
Policy ParamsId | The parameter entry number for the security policy |
LocalIp | The IP address of the local IP interface |
RemoteIp | The IP address of the remote IP interface |
No. of IPsec Security Policy Param Entries: | The number of parameter entries for the IPSec security policy |
This command displays IPSec transforms.
The following output is an example of IPSec transform information, and Table 159 describes the fields.
Label | Description |
IPsec Transforms | |
TransformId | The identifier of the IPSec transform policy |
EspAuthAlgorithm | Displays the type of Encapsulating Security Payload (ESP) authorization algorithm defined in the transform policy |
EspEncryptionAlgorithm | Displays the type of Encapsulating Security Payload (ESP) encryption algorithm defined in the transform policy |
No. of IPsec Transforms: | The number of IPSec transform policies |
This command displays the IPSec tunnel information for existing tunnels.
The following output is an example of IPSec tunnel information, and Table 160 describes the fields.
Label | Description |
IPsec Tunnels | |
TunnelName | The specified name of the IPSec tunnel |
LocalAddress | The IPv4 address of the local router |
SvcId | The service identifier |
Admn | The administrative state of the IPSec tunnel |
Keying | The type of security keying for the tunnel: None, Manual, or Dynamic |
SapId | The SAP identifier |
RemoteAddress | The IPv4 address of the remote router |
DlvrySvcId | The service identifier of the delivery service |
Oper | The operational state of the IPSec tunnel |
Sec Plcy | The identifier of the security policy used |
IPsec Tunnels: | The number of IPSec tunnels |
IPsec Tunnel Configuration Detail | |
Service Id | The service identifier |
Sap Id | The SAP identifier |
Tunnel Name | The specified name of the IPSec tunnel |
Description | The description configured for the IPSec tunnel |
Local Address | The IPv4 address of the local router |
Remote Address | The IPv4 address of the remote router |
Delivery Service | The service identifier of the delivery service |
Security Policy | The identifier of the security policy used |
Admin State | The administrative state of the IPSec tunnel |
Oper State | The operational state of the IPSec tunnel |
Last Oper Change | The timestamp indicating the last operational status change for the IPSec tunnel |
Keying Type | The type of security keying for the tunnel: None, Manual, or Dynamic |
Replay Window | The size of the replay window used for anti-replay |
TrustAnchor Prof | The trust anchor profile that is being used |
Match TrustAnchor | The actual CA certificate that has been selected from the trust anchor profile |
Cert Profile | The certification profile |
Clear DF Bit | Indicates whether the tunnel is clearing the DF bit: true (clearing) or false (not clearing) |
Copy DF Bit | Indicates whether the tunnel is copying the DF bit: true (copying) or false (not copying) |
IP MTU | The interface IP MTU. The value “max” indicates that the tunnel will receive whatever IP payload is sent to it. |
Oper Flags | Displays the operational flags currently in effect |
BFD Interface | |
BFD Designate | Displays whether a BFD designate has been specified: yes or no |
Dynamic Keying Parameters | |
Transform Id1 Transform Id2 Transform Id3 Transform Id4 | The ipsec-transform IDs that are assigned under the VPRN ipsec-tunnel context |
Ike Policy Id | The IKE policy ID |
Auto Establish | Displays whether automatic establishing of an IPSec tunnel has been specified: yes or no |
PreShared Key | The PSK or shared secret used with dynamic keying as defined under the VPRN ipsec-tunnel context |
Selected Cert | The actual certificate being used, selected from the cert-profile |
Selected Key | The actual key being used, selected from the cert-profile |
Send Chain Prof | The send chain, if configured, under the cert-profile |
Certificate Status Verify | |
Primary | The primary method used to verify the revocation status of the peer’s certificate, either CRL or OCSP |
Secondary | The secondary method used to verify the revocation status of the peer’s certificate, either CRL or OCSP |
Default Result | The default result when both the primary and secondary methods fail to verify the revocation status of the peer’s certificate, either good or revoked |
Isakmp State | The state of ISAKMP: Up or Down |
ISAKMP Statistics | ISAKMP statistics are for traffic sent and received by the IKE protocol |
Tx Packets | The number of IKE packets transmitted |
Rx Packets | The number of IKE packets received |
Tx Errors | The number of IKE packet errors transmitted |
Rx Errors | The number of IKE packet errors received |
Tx DPD | The number of IKE Dead Peer Detection (DPD) packets transmitted |
Rx DPD | The number of IKE DPD packets received |
Tx DPD ACK | The number of IKE DPD acknowledged packets transmitted |
Rx DPD ACK | The number of IKE DPD acknowledged packets received |
DPD Timeouts | The number of IKE DPD timeouts |
Rx DPD Errors | The number of IKE DPD packet errors received |
IPsec Tunnel Count | |
Total IPsec Tunnels | The total number of IPSec tunnels on the local router |
This command clears statistics.
This command enables the context to perform CMPv2 debug operations.
This command debugs the output from the specified CA profile.
This command enables debug for certificate chain computation in cert-profile.
This command can be used to facilitate debugging related to IPSec tunnels.