8.10. IPSec Command Reference

This command creates a text description stored in the configuration file for a configuration context.

The no form of this command removes the string from the context.

The shutdown command administratively disables an entity. The operational state of the entity is disabled as well as the operational state of any entities contained within. When disabled, an entity does not change, reset, or remove any configuration settings or statistics. Many objects must be shut down before they may be deleted. Many entities must be explicitly enabled using the no shutdown command.

The no form of this command places the entity into an administratively enabled state.

Services are created in the administratively down state (shutdown). When a no shutdown command is entered, the service becomes administratively up and then tries to enter the operationally up state.

This command creates an ISA tunnel configuration context.

The no form of this command removes the context.

This command enables a tunnel group to be created or edited. The 7705 SAR can have only one tunnel group (tunnel-group 1).

The no form of the command deletes the specified tunnel group from the configuration.

This command enables the context to configure Internet Protocol security (IPSec) parameters. IPSec is a structure of open standards to ensure private, secure communications over Internet Protocol (IP) networks by using cryptographic security services.

This command enables provisioning of IKE policy parameters.

The no form of the command removes the IKE policy.

This command specifies which hashing algorithm to use for the IKE authentication function. The no form of the command returns the parameter to its default value.

This command specifies the authentication method used with this IKE policy. Configuring the policy for pre-shared key (PSK) or no auth-method produces the same result since PSK is both the default value and the only option.

The no form of the command returns the parameter to its default value (psk).

This command specifies which Diffie-Hellman group is used to calculate session keys:

More bits provide a higher level of security but require more processing.

The no form of the command returns the parameter to its default value (Group2).

This command controls the dead peer detection (DPD) mechanism to detect a dead IKE peer.

The no form of the command disables DPD and returns the parameters to their default values.

This command specifies the encryption algorithm to use for the IKE session.

The no form of the command returns the algorithm to its default value (aes128).

This command specifies the mode of operation for IKEv1 phase 1, either main mode or aggressive mode. The difference between the modes is the number of messages used to establish the session. IKEv1 phase 1 main mode uses three pairs of messages (for a total of six messages) between IPSec peers. IKEv1 phase 1 aggressive mode has only three message exchanges.

This command does not apply to IKEv2.

The no form of the command removes the mode of operation.

This command configures the version of the IKE protocol that the IKE policy will use.

The no form of the command removes the configured version.

This parameter specifies the lifetime of a phase 2 SA.

The no form of the command returns the ipsec-lifetime value to the default.

This command specifies the lifetime of a phase 1 SA. ISAKMP stands for Internet Security Association and Key Management Protocol.The no form of the command returns the isakmp-lifetime value to the default value.

This command specifies whether NAT-T (Network Address Translation Traversal) is enabled, disabled, or in force mode. Enabling NAT-T enables the NAT detection mechanism. If a NAT device is detected in the path between the 7705 SAR and its IPSec peer, then UDP encapsulation is done on the IPSec packet to allow the IPSec traffic to traverse the NAT device.

When nat-traversal is used without any parameters, NAT-T is enabled and sending keepalive packets is disabled (keep-alive-interval is 0 s).

When the force keyword is used, the IPSec tunnel always uses a UDP value in its header, regardless of whether a NAT device is detected.

The force-keep-alive keyword specifies whether keepalive packets are sent only when a NAT device is detected or are always sent (regardless of detection of a NAT device). When force-keep-alive is used, packets are always sent and the “Behind NAT Only” field in the show>ipsec>ike-policy ike-policy-id indicates False. When force-keep-alive is not used, packets are may or may not be sent, depending on the whether NAT-T is enabled or disabled. In this case, the “Behind NAT Only” field indicates True.

The keep-alive-timer keyword defines the frequency, where “0” means that keepalives are disabled.

The no form of the command returns the parameters to the default values (NAT-T is disabled, keep-alive-interval is 0 s, and force-keep-alive is True).

This command specifies the authentication method used by the 7705 SAR to self-authenticate. This command (own-auth-method) applies only to IKEv2.

The default self-authentication method used by the 7705 SAR is symmetric, which means the self-authentication method is the same as the authentication method used by this IKE policy for the remote peer (that is, the own-auth-method is the same as auth-method).

The no form of the command returns the parameter to the default value (symmetric).

This command enables Perfect Forward Secrecy (PFS) on the IPSec tunnel using this policy. PFS provides for a new Diffie-Hellman key exchange each time the SA key is renegotiated. After each SA expires, the key is forgotten and another key is generated (if the SA remains up). This means that an attacker who cracks part of the exchange can only read the part that used the key before the key changed. Thus, there is no advantage to cracking the other parts of the exchange if an attacker has already cracked one.

When pfs is used without the dh-group command, the default DH group (Group 2) is used.

The no form of the command disables PFS. If pfs is turned off during an active SA, then when the SA expires and it is time to re-key the session, the original Diffie-Hellman primes is used to generate the new keys.

This command enables the context to create an ipsec-transform policy. IPSec transform policies can be shared between IPSec tunnels by using the transform command.

IPSec transform policy assignments to a tunnel require the tunnel to be shut down.

The no form of the command removes the transform ID from the configuration.

This command specifies which hashing algorithm should be used for the authentication function Encapsulating Security Payload (ESP). Both ends of a tunnel must share the same configuration parameters in order for the IPSec tunnel to enter the operational state.

The null keyword in this command and the null keyword in the esp-encryption-algorithm command are mutually exclusive.

The no form of the command returns the parameter to its default value.

This command specifies the encryption algorithm to use for the IPSec session. Encryption only applies to Encapsulating Security Payload (ESP) configurations.

For IPSec tunnels to come up, both ends of the IPSec tunnel (both private-side endpoints) must be configured with the same encryption algorithm. That is, the configuration for vprn>if>sap> ipsec-tunnel transform must match at both nodes.

The null keyword in this command and the null keyword in the esp-auth-algorithm command are mutually exclusive.

The no form of the command returns the parameter to its default value.

This command configures an IPSec static security association (SA).

This command configures the authentication algorithm to use for the specified static SA.

The no form of the command resets to command to the default value.

This command configures the direction for the specified static SA.

The no form of the command resets the command to the default value.

This command configures the security protocol to use for the specified static SA. The no form of the command resets th command to the default value.

This command configures the Security Parameter Index (SPI) key value for the specified IPSec SA.

The SPI is used to look up the instruction to verify and decrypt the incoming IPSec packets when the value of the direction command is inbound.

The SPI value specifies the SPI that will be used in the encoding of the outgoing packets when the value of the direction command is outbound. The remote node can use this SPI to look up the instruction to verify and decrypt the packet.

If no SPI is configured, the static SA cannot be used. The no form of the command removes the configured SPI.

This command enables the context to configure IPSec policies.

This command configures a security policy to use for an IPSec tunnel. An entry specifying local and remote IP addresses must be defined before the policy can be used.

The no form of the command removes the policy. Policy entries must be deleted before the policy can be removed.

This command configures an IPSec security policy entry.

The no form of the command removes the entry.

This command configures the local (from the VPN) IP prefix/mask for the policy parameter entry.

Only one entry is necessary to describe a potential traffic flow. The local-ip and remote-ip commands can be defined only once. The system will evaluate the local IP as the source IP when traffic is examined in the direction of the VPN to the tunnel and as the destination IP when traffic flows from the tunnel to the VPN. The remote IP will be evaluated as the source IP when traffic flows from the tunnel, and as the destination IP to the VPN when traffic flows from the VPN to the tunnel.]

The no form of the command clears the IP entry.

This command configures the local (from the VPN) IPv6 address for the policy parameter entry.

Only one entry is necessary to describe a potential traffic flow. The local-v6-ip and remote-v6-ip commands can be defined only once. The system will evaluate the local IPv6 address as the source IPv6 address when traffic is examined in the direction of the VPN to the tunnel and as the destination IPv6 address when traffic flows from the tunnel to the VPN. The remote IPv6 address will be evaluated as the source IPv6 address when traffic flows from the tunnel to the VPN and as the destination IPv6 address when traffic flows from the VPN to the tunnel.

The no form of the command clears the IPv6 address entry.

This command configures the remote (from the tunnel) IP prefix/mask for the policy parameter entry.

Only one entry is necessary to describe a potential traffic flow. The local-ip and remote-ip commands can be defined only once. The system will evaluate the local IP as the source IP when traffic is examined in the direction of the VPN to the tunnel and as the destination IP when traffic flows from the tunnel to the VPN. The remote IP will be evaluated as the source IP when traffic flows from the tunnel to the VPN and as the destination IP when traffic flows from the VPN to the tunnel.

The no form of the command clears the IP entry.

This command configures the remote (from the tunnel) IPv6 address for the policy parameter entry.

Only one entry is necessary to describe a potential traffic flow. The local-v6-ip and remote-v6-ip commands can be defined only once. The system will evaluate the local IPv6 address as the source IPv6 address when traffic is examined in the direction of the VPN to the tunnel and as the destination IPv6 address when traffic flows from the tunnel to the VPN. The remote IPv6 address will be evaluated as the source IPv6 address when traffic flows from the tunnel to the VPN and as the destination IPv6 address when traffic flows from the VPN to the tunnel.

The no form of the command clears the IPv6 address entry.

This command creates a logical IP routing interface.

The tunnel keyword is not used for IES interfaces. An IES public tunnel SAP is created when the sap-id includes the tunnel and public keywords (see sap below). For VPRN interfaces, tunnel is used to create an IP interface that supports a private tunnel SAP. The VPRN private tunnel SAP allows provisioning of an IPSec tunnel, and is created when the VPRN sap-id includes the tunnel and private keywords.

This command creates a SAP. For IES and VPRN services using tunnel interfaces, the sap-id for private and public tunnel interfaces are shown below. See sap In the VLL Services Command Reference for details on configuring all SAPs.

This command specifies an IPSec tunnel name. Configuring the commands under the ipsec-tunnel context defines where the IPSec tunnel originates and terminates, and how it is secured.

This command specifies whether this IPSec tunnel is the BFD-designated tunnel.

A BFD-designated tunnel is the tunnel over which a BFD session is established. A BFD-designated tunnel does not go down when BFD goes down. Other tunnels that use that BFD-designated tunnel’s BFD session will go down based on the state of the BFD session.

This command assigns a BFD session to provide the heartbeat mechanism for the specified IPSec tunnel. There can be only one BFD session assigned to any given IPSec tunnel, but there can be multiple IPSec tunnels using same BFD session. BFD controls the state of the associated tunnel; if the BFD session goes down, the system will also bring down the associated non-designated IPSec tunnel.

This command clears the do-not-fragment (DF) bit on incoming unencrypted IP traffic, allowing traffic to be fragmented, if necessary, before it enters the tunnel.

The no form of the command, corresponding to the default behavior, leaves the DF bit unchanged.

This command specifies whether to copy the do-not-fragment (DF) bit from the customer clear traffic and insert it into the IPSec tunnel header of the outgoing packet. When disabled, the DF bit of the IPSec tunnel header is always set to 1 (do not copy the DF bit).

The no form of the command, corresponding to the default behavior, does not copy the customer DF bit to the IPSec tunnel header.

This command enables dynamic keying for the IPSec tunnel. Dynamic keying means that the IKE protocol is used to dynamically exchange keys and establish IPSec-SAs. When IKE is used, a tunnel will have ISAKMP-SA for phase 1 (used by IKE) and IPSEC-SA for phase 2 (used for traffic encryption).

The dynamic-keying and manual-keying commands are mutually exclusive. One of these commands must be configured to make the tunnel operational.

The no form of the command returns the SA keying type to its default value.

This command specifies whether to attempt to establish a phase 1 exchange automatically. The auto-establish command should only be enabled on one side of the tunnel. A tunnel with auto-establish enabled acts as an IKE initiator and does not respond to a new phase 1 request.

The no form of the command disables the automatic attempts to establish a phase 1 exchange.

This command configures the IKE policy for dynamic keying, which will be used by the tunnel.

The no form of the command removes the IKE policy.

This command allows the specification of the IKEv2 local ID value for a dynamic keyed IPSec tunnel. The allowed local ID types are a valid IPv4 address or an FQDN (fully qualified domain name) string.

If local-id is configured, the tunnel’s local ID is set to the explicit type and value specified by the local-id command. If local-id is not configured, the tunnel’s local gateway IP address is used in the ID field of IKEv2 (see local-gateway-address).

The no form of the command removes the local ID.

This command specifies the pre-shared key (PSK), or secret passphrase, that will be used to initiate the tunnel IKE session. If the hash or hash2 parameter is not used, the key is a clear text key; otherwise, the key text is encrypted. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

The no form of the command removes the pre-shared key.

This command associates the IPSec transform set allowed for this tunnel. A maximum of four transforms can be specified. The transforms are listed in decreasing order of preference (the first one specified is the most preferred). The list of transform-ids is overwritten each time the command is issued. Transforms are defined using the ipsec-transform command.

The no form of the command returns the command to its default state.

This command configures the IP maximum transmit unit (MTU) (packet) for this interface.

The ip-mtu command instructs the 7705 SAR to perform IP packet fragmentation prior to IPSec encryption and encapsulation, based on the configured MTU value.

On the 7705 SAR, unencrypted IP packets arriving on a VPRN access interface and destined for an IPSec uplink will be fragmented if the incoming packet is larger than:

The actual overhead depends on the payload size, and the encryption and authentication algorithms used.

The no ip-mtu command, corresponding to the default behavior, disables fragmentation of IP packets by the 7705 SAR; all IP packets, regardless of size or DF bit setting, are allowed into the tunnel.

This command specifies the local gateway address used by the tunnel and the remote gateway address at the other end of the tunnel.

The local gateway address is the source address of the outgoing encrypted packet and the peer gateway address is the destination address. The delivery service is the IES service that has the corresponding public tunnel interface configured under it.

The local gateway address must be in the same subnet as the public tunnel interface.

This command allows manual configuration of tunnel Security Associations. Manual keying can be used in lieu of dynamic keying and IKE.

The dynamic-keying and manual-keying commands are mutually exclusive. One of these commands must be configured to make the tunnel operational.

When manual keying is used, both encryption and authentication must be entered manually for inbound and outbound SAs. Encryption and authentication modes, along with associated keys, must match on both sides of the tunnel. Inbound SA configuration on the near-end system must match outbound SA configuration on the far-end system, and vice versa. Make sure to use the correct key length, based on the ipsec-transform configuration.

A configuration example for manual keying is shown below:

The no form of the command returns the SA keying type to its default value.

This command configures the information required for manual keying SA creation.

This command identifies an IPSec security policy (defined under the vprn>ipsec context) that is to be used for this IPSec tunnel.

The no form of the command returns the security-policy to its default state (n/a).

This command clears the current OCSP response cache. If the optional issuer and serial number are not specified, then all current cached results are cleared.

This command enables the context to configure CMPv2 parameters. Changes are not allowed when the CA profile is enabled (no shutdown).

This command requests an additional certificate after the system has obtained the initial certificate from the CA.

The request is authenticated by a signature signed by the current-key, along with the current-cert. The hash algorithm used for the signature depends on the key type:

In some cases, the CA may not return a certificate immediately, due to reasons such as the request processing needs manual intervention. In such cases, the admin certificate cmpv2 poll command can be used to poll the status of the request.

This command clears current pending CMPv2 requests toward the specified CA. If there are no pending requests, it will clear the saved results of prior requests.

This command requests the initial certificate from the CA by using the CMPv2 initial registration procedure.

The ca keyword specifies a ca-profile that includes CMP server information.

The key-to-certify keyword is an imported key file to be certified by the CA.

The protection-key keyword is an imported key file used to for message protection if protection-alg is configured as signature.

The request is authenticated using either of the following methods:

Optionally, the system could also send a certificate or a chain of certificates in the extraCerts field. The certificate is specified by the cert cert-file-name parameter; it must include the public key of the key used for message protection.

Sending a chain is enabled by specifying the send-chain keyword.

The subject-dn keyword specifies the subject of the requesting certificate.

The save-as keyword specifies the full path name to save the result certificate to.

In some cases, the CA may not return the certificate immediately; for example, because the request processing requires manual intervention. In such cases, the admin certificate cmpv2 poll command could be used to poll the status of the request. If the key-list command is not configured in the corresponding ca-profile, then the system will use the existing password to authenticate the CMPv2 packets from the server if it is in password protection.

If key-list is configured in the corresponding ca-profile and the server does not send a SenderKID message, then the system will use the lexicographical first key in the key-list to authenticate the CMPv2 packets from the server in case it is in password protection.

This command requests a new certificate from the certificate authority to update an existing certificate.

In some cases, the CA may not return a certificate immediately; for example, because the request processing requires manual intervention. In such cases, the admin>certificate>cmpv2>poll command can be used to poll the status of the request.

This command polls the status of the pending CMPv2 request toward the specified CA.

If the response is ready, this command will resume the CMPv2 protocol exchange with the server as the original command would do. If the request is still pending, then this command could be used again to poll the status.

The 7705 SAR allows only one pending CMP request per CA, which means that no new request is allowed when a pending request is present.

This command displays the current CMPv2 pending request toward the specified CA. If there is no pending request, the last pending request is displayed including the status (one of success, fail, or rejected) and the receive time of the last CMPv2 message from the server.

The following information is included in the output:

This command displays the contents of an input file in plain text. When displaying the key file contents, only the key size and type are displayed.

The following list summarizes the formats supported by this command:

This command performs certificate operations.

This command generates an RSA or DSA private key/public key pair and stores it in a local file in the cf3:\system-pki\key directory.

This command generates a PKCS# 10 formatted certificate request by using a local existing key pair file.

This command converts an input file (either key, certificate, or CRL) to a system format file. The following list summarizes the formats supported by this command.

If there are multiple objects with same type in the input file, only the first object will be extracted and converted.

This command reloads an imported certificate or key file or both at the same time. This command is typically used to update a certificate and/or key file without shutting down the IPSec tunnel, cert-profile, or ca-profile.

If the new file does not exist or is invalid, then this command will abort.

This command enables the context to configure certificate parameters.

This command creates a new certificate authority profile or enters the configuration context of an existing certificate authority profile. Up to 128 CA profiles can be created in the system. A shutdown of the ca-profile will not affect the current up and running ipsec-tunnel associated with the ca-profile; however, subsequent authentication will fail.

Executing a no shutdown command in this context will cause the system to reload the configured cert-file and crl-file.

A ca-profile can be applied under the ipsec-tunnel configuration.

The no form of the command removes the name parameter from the configuration. A CA profile cannot be removed until all the associations (IPSec tunnels) have been removed.

This command specifies the name of a file in the cf3:\system-pki\cert directory as the CA’s certificate of the CA profile.

The system performs the following checks against a configured cert-file when a no shutdown command is issued.

If any of above checks fails, then the no shutdown command will fail.

Changing or removing the cert-file is only allowed when the ca-profile is in a shutdown state.

The no form of the command removes the filename from the configuration.

This command enables the context to configure CMPv2 parameters. Changes are not allowed when the CA profile is enabled (no shutdown).

This command enables the system to accept both protected and unprotected CMPv2 error messages. Without this command, the system will accept only protected error messages.

The no form of the command causes the system to accept only protected PKI error messages.

This command enables the system to accept both protected and unprotected CMPv2 PKI confirmation messages. Without this command, the system will accept only protected PKI confirmation messages.

The no form of the command causes the system to accept only protected PKI confirmation messages.

This command specifies to always set the sender field in the CMPv2 header of all Initial Registration (IR) messages with the subject name. By default, the sender field is only set if an optional certificate is specified in the CMPv2 request.

This command specifies the timeout value for the HTTP response that is used by CMPv2.

The no form of the command reverts to the default value.

This command configures the HTTP version for CMPv2 messages.

This command enables the context to configure pre-shared key list parameters.

This command specifies a pre-shared key used for CMPv2 initial registration. Multiples of key commands are allowed to be configured under this context.

The password and reference-number parameters are distributed by the CA using out-of-band means.

The configured password is stored in a configuration file in an encrypted form by using a 7705 SAR hash2 algorithm.

The no form of the command removes the parameters from the configuration.

This command specifies an imported certificate that is used to verify the CMP response messages if they are protected by a signature. If this command is not configured, then the CA’s certificate is used.

This command enables the system to use the same recipNonce as the last CMPv2 response for a poll request.

This command specifies the HTTP URL of the CMPv2 server. The URL must be unique across all configured CA profiles.

The URL will be resolved by the DNS server configured (if configured) in the corresponding router context.

If the service-id is 0 or omitted, then the system will try to resolve the FQDN using the DNS server configured in bof.cfg. After resolution, the system will first connect to the address in the management routing instance, then to the address in the base routing instance.

If the service is VPRN, then the system only allows HTTP ports 80 and 8080.

This command specifies the name of a file in the cf3:\system-pki\crl directory as the Certification Revoke List file of the ca-profile.

The system performs the following checks against a configured crl-file when a no shutdown command is issued.

If any of above checks fail, the no shutdown command will fail.

Changing or removing the crl-file is only allowed when the ca-profile is in a shutdown state.

The no form of the command removes the filename from the configuration.

This command configures a description of the specified CA profile.

This command enables the context to configure OCSP parameters.

This command specifies the HTTP URL of the OCSP responder for the CA. This URL will only be used if there is no OCSP responder defined in the AIA extension of the certificate to be verified.

This command specifies the service or routing instance that is used to contact the OCSP responder. This applies to OCSP responders that are either configured in the CLI or defined in the AIA extension of the certificate to be verified.

The responder-url is resolved by using the DNS server configured in the configured routing instance.

For a VPRN service, the system verifies that the specified service-id or service-name is an existing VPRN service at the time of CLI configuration; if it is not, the configuration will fail.

This command enables or disables the ca-profile. The system will verify the configured cert-file and crl-file. If the verification fails, then the no shutdown command will fail.

A ca-profile in a shutdown state cannot be used in certificate authentication.

In the config>ipsec>cert-profile context, this command enables or disables the certificate profile.

This command specifies the display format used for the Certificates and Certificate Revocation Lists.

This command defines the maximum depth of certificate chain verification. This value is applied system-wide.

The no form of the command reverts to the default value.

This command creates a new certificate profile or enters the configuration context of an existing certificate profile.

The no form of the command removes the profile name from the cert-profile configuration.

This command configures an entry for the specified certificate profile.

The no form of the command removes the specified entry from the specified cert-profile.

This command configures an imported certificate for the cert-profile entry.

The no form of the command removes the cert-filename from the entry configuration.

This command configures an imported key for the cert-profile entry.

The no form of the command removes the key-filename from the entry configuration.

This command enters the configuration context of send-chain in the cert-profile entry.

This command is optional. By default, the system sends the certificate specified by the cert command in the selected entry to the peer. This command allows the system to send additional CA certificates to the peer. These additional CA certificates must be in the certificate chain of the certificate specified by the cert command in the same entry.

This command specifies that a certificate authority (CA) certificate in the specified ca-profile is to be sent to the peer.

Multiple configurations (up to seven) of this command are allowed in the same entry.

This command enables the context to configure an IKE policy.

The no form of the command deletes the IKE policy.

This command specifies the authentication method used with this IKE policy.

The no form of the command removes the parameter from the configuration.

This command configures the authentication method used with this IKE policy on its own side.

This command specifies the trust-anchor-profile for the IPSec tunnel. This command will override the trust-anchor-profile configuration in the config>service>vprn>if>sap>ipsec-tunnel>cert context.

This command creates a new certificate profile or enters the configuration context of an existing certificate profile.

The no form of the command removes the profile name from the cert-profile configuration.

This command enters the context to configure verification parameters for certificate revocation status.

This command specifies the default result when both the primary and secondary methods fail to provide an answer.

This command configures the primary method used to verify the revocation status of the peer’s certificate. The method can be either CRL or OCSP.

To verify the revocation status of the peer’s certificate, the CRL or OCSP uses the corresponding configuration in the CA profile of the issuer of the certificate in question.

This command specifies the secondary method used to verify the revocation status of the peer’s certificate. The method can be either CRL or OCSP.

To verify the revocation status of the peer’s certificate, the CRL or OCSP uses the corresponding configuration in the CA profile of the issuer of the certificate in question.

The secondary method is used only when the primary method fails to provide an answer.

This command configures the trust-anchor-profile for the specified IPSec tunnel. This command overrides the trust-anchor-profile configured in the config>ipsec context.