IP Tunnel Command Reference
Command Hierarchies
Configuration Commands
ISA Commands
IPSec Commands
Service Configuration Commands
IES Commands
VPRN Commands
IPSec Mastership Election Commands
These commands are applicable to the 7750 SR.
Related Commands
CMPv2 Commands
Auto-Update Commands
Show Commands
Tools Commands
Command Descriptions
Generic Commands
description
Syntax
Context
Description
This command creates a text description which is stored in the configuration file to help identify the content of the entity.
The no form of the command removes the string from the configuration.
Default
none
Parameters
shutdown
Syntax
Context
Description
This command administratively disables the entity. When disabled, an entity does not change, reset, or remove any configuration settings or statistics. Many entities must be explicitly enabled using the no shutdown command.
The shutdown command administratively disables an entity. The operational state of the entity is disabled as well as the operational state of any entities contained within. Many objects must be shut down before they may be deleted.
Hardware Commands
mda-type
Syntax
Context
Description
This command provisions or de-provisions an MDA to or from the device configuration for the slot.
Parameters
ISA Commands
isa
Syntax
Context
Description
This command enables the context to configure Integrated Services Adapter (ISA) parameters.
tunnel-group
Syntax
Context
Description
This command allows a tunnel group to be created or edited. A tunnel group is a set of one or more MS-ISAs that support the origination and termination of IPSec and IP/GRE tunnels. All of the MS-ISAs in a tunnel group must have isa-tunnel as their configured mda-type.
The no form of the command deletes the specified tunnel group from the configuration
Parameters
active-mda-number
Syntax
Context
Description
This command specifies the number of active MS-ISA within all configured MS-ISA in the tunnel-group with multi-active enabled. IPsec traffic will be load balanced across all active MS-ISAs. If the number of configured MS-ISA is greater than the active-mda-number then the delta number of MS-ISA will be backup.
Default
no
Parameters
backup
Syntax
Context
Description
This command assigns an ISA IPSec module configured in the specified slot to this IPSec group. The backup module provides the IPSec group with warm redundancy when the primary module in the group is configured. An IPSec group must always have a primary configured.
Primary and backup modules have equal operational status and when both modules are coming up, the one that becomes operational first becomes the active module. An IPSec module can serve as a backup for multiple IPSec groups but the backup can become active for only one ISA IPSec group at a time.
All configuration information is pushed down to the backup MDA from the CPM once the CPM gets notice that the primary module has gone down. This allows multiple IPSec groups to use the same backup module. Any statistics not yet spooled will be lost. Auto-switching from the backup to primary, once the primary becomes available again, is supported.
The operator is notified through SNMP events when:
- When the ISA IPSec service goes down (all modules in the group are down) or comes back up (a module in the group becomes active).
- When ISA IPSec redundancy fails (one of the modules in the group is down) or recovers (the failed module comes back up).
- When an ISA IPSec activity switch took place.
The no form of the command removes the specified module from the IPSec group.
Default
no backup
Parameters
mda
Syntax
Context
Description
This command specifies the MDA id of the MS-ISA as the member of tunnel-group with multi-active enabled. Up to 16 MDA could be configured under the same tunnel-group.
Default
no
Parameters
multi-active
Syntax
Context
Description
This command enables configuring multiple active MS-ISA in the tunnel-group. IPsec traffic will be load balanced to configured active MS-ISAs.
Operational notes:
- A shutdown of group and removal of all existing configured tunnels of the tunnel-group are needed before provisioning command “multi-active”.
- If the tunnel-group is admin-up with “multi-active” configured then the configuration of “primary” and “backup” are not allowed.
- The active-mda-number must be =< total number of ISA configured.
- If active-mda-number is less than total number of ISA configured then the delta number of ISA will become backup ISA.
Default
no
primary
Syntax
Context
Description
This command assigns an ISA IPSec module configured in the specified slot to this IPSec group. The backup ISA IPSec provides the IPSec group with warm redundancy when the primary ISA IPSec in the group is configured. Primary and backup ISA IPSec have equal operational status and when both MDAs are coming up, the one that becomes operational first becomes the active ISA IPSec.
All configuration information is pushed down to the backup MDA from the CPM once the CPM gets notice that the primary module has gone down. This allows multiple IPSec groups to use the same backup module. Any statistics not yet spooled will be lost. Auto-switching from the backup to primary, once the primary becomes available again, is supported.
The operator is notified through SNMP events when:
- When the ISA IPSec service goes down (all modules in the group are down) or comes back up (a module in the group becomes active).
- When ISA IPSec redundancy fails (one of the modules in the group is down) or recovers (the failed module comes back up).
- When an ISA IPSec activity switch took place.
The no form of the command removes the specified primary ID from the group’s configuration.
Default
no primary
Parameters
reassembly
Syntax
Context
Description
This command configures IP packet reassembly for IPSec and GRE tunnels supported by an MS-ISA. The reassembly command at the tunnel-group level configures IP packet reassembly for all IPSec and GRE tunnels associated with the tunnel-group. The reassembly command at the GRE tunnel level configures IP packet reassembly for that one specific GRE tunnel, overriding the tunnel-group configuration.
The no form of the command disables IP packet reassembly.
Default
no reassembly (tunnel-group level)
reassembly (gre-tunnel level)
Parameters
Certificate Profile Commands
cert-profile
Syntax
Context
Description
This command creates a new cert-profile or enters the configuration context of an existing cert-profile.
The no form of the command removes the profile name from the cert-profile configuration.
Default
none
Parameters
entry
Syntax
Context
Description
This command configures the certificate profile entry information
The no form of the command removes the entry-id from the cert-profile configuration.
Default
none
Parameters
cert
Syntax
Context
Description
This command specifies the file name of an imported certificate for the cert-profile entry.
The no form of the command removes the cert-file-name from the entry configuration.
Default
none
key
Syntax
Context
Description
This command specifies the filename of an imported key for the cert-profile entry.
The no form of the command removes the key-filename from the entry configuration.
Default
none
Parameters
send-chain
Syntax
Context
Description
This command enters the configuration context of send-chain in the cert-profile entry.
The configuration of this command is optional, by default system will only send the certificate specified by cert command in the selected entry to the peer. This command allows system to send additional CA certificates to the peer. These additional CA certificates must be in the certificate chain of the certificate specified by the cert command in the same entry.
ca-profile
Syntax
Context
Description
This command specifies a CA certificate in the specified ca-profile to be sent to the peer.
Multiple configurations (up to seven) of this command are allowed in the same entry.
Default
none
Parameters
Internet Key Exchange (IKE) Commands
ipsec
Syntax
Context
Description
This command enables the context to configure Internet Protocol security (IPSec) parameters. IPSec is a structure of open standards to ensure private, secure communications over Internet Protocol (IP) networks by using cryptographic security services.
trust-anchor
Syntax
Context
Description
This command specifies a ca-profile as a trust-anchor CA. multiple trust-anchors (up to 8) could be specified in a single trust-anchor-profile.
Parameters
ike-policy
Syntax
Context
Description
This command enables the context to configured an IKE policy.
The no form of the command
Parameters
auth-algorithm
Syntax
Context
Description
The command specifies which hashing algorithm to use for the IKE authentication function.
The no form of the command removes the parameter from the configuration.
Parameters
auth-method
Syntax
Context
Description
This command specifies the authentication method used with this IKE policy.
The no form of the command removes the parameter from the configuration.
Default
no auth-method
Parameters
auto-eap-method
Syntax
Context
Description
This command enables following behavior for IKEv2 remote-access tunnel when auth-method is configured as auto-eap-radius:
- If there is no AUTH payload in IKE_AUTH request, then system use EAP to authenticate client and also will own-auth-method to generate AUTH payload.
- If there is AUTH payload in IKE_AUTH request:
- if auto-eap-method is psk, then system proceed as auth-method:psk-radius
- if auto-eap-method is cert, then system proceed as auth-method:cert-radius
- if auto-eap-method is psk-or-cert, then:
- if the "Auth Method" field of AUTH payload is PSK, then system proceed as auth-method:psk-radius
- if the "Auth Method" field of AUTH payload is RSA or DSS, then system proceed as auth-method:cert-radius
- The system will use auto-eap-own-method to generate AUTH payload.
This command only applies when auth-method is configured as auto-eap-radius.
Default
auto-eap-method cert
Parameters
auto-eap-own-method
Syntax
Context
Description
This command enables following behavior for IKEv2 remote-access tunnel when auth-method is configured as auto-eap-radius:
- If there is no AUTH payload in IKE_AUTH request, then system use EAP to authenticate client and also will own-auth-method to generate AUTH payload.
- If there is AUTH payload in IKE_AUTH request:
- if auto-eap-method is psk,then system proceed as auth-method:psk-radius.
- if auto-eap-method is cert, then system proceed as auth-method:cert-radius.
- if auto-eap-method is psk-or-cert, then:
- if the "Auth Method" field of AUTH payload is PSK, then system proceed as auth-method:psk-radius.
- if the "Auth Method" field of AUTH payload is RSA or DSS, then system proceed as auth-method:cert-radius.
- The system will use auto-eap-own-method to generate AUTH payload.
This command only applies when auth-method is configured as auto-eap-radius.
Default
auto-eap-method cert
Parameters
dh-group
Syntax
Context
Description
This command specifies which Diffie-Hellman group to calculate session keys. Three groups are supported with IKE-v1:
- Group 1: 768 bits
- Group 2: 1024 bits
- Group 5: 1536 bits
- Group 14: 2048 bits
- Group 15: 3072 bits
More bits provide a higher level of security, but require more processing.
Default
5
The no form of the command removes the Diffie-Hellman group specification.
dpd
Syntax
Context
Description
This command controls the dead peer detection mechanism.
The no form of the command removes the parameters from the configuration.
Parameters
encryption-algorithm
Syntax
Context
Description
This command specifies the encryption algorithm to use for the IKE session.
The no form of the command removes the encryption algorithm from the configuration.
Default
aes128
Parameters
ike-mode
Syntax
Context
Description
This command specifies one of either two modes of operation. IKE version 1 can support main mode and aggressive mode. The difference lies in the number of messages used to establish the session.
The no form of the command removes the mode of operation from the configuration.
Default
main
Parameters
ike-version
Syntax
Context
Description
This command sets the IKE version (1 or 2) that the ike-policy will use.
Default
1
Parameters
ipsec-lifetime
Syntax
Context
Description
This parameter specifies the lifetime of a phase two SA.
The no form of the command reverts the ipsec-lifetime value to the default.
Default
3600 (1 hour)
Parameters
isakmp-lifetime
Syntax
Context
Description
This command specifies the lifetime of a phase one SA. ISAKMP stands for Internet Security Association and Key Management Protocol
The no form of the command reverts the isakmp-lifetime value to the default.
Default
86400
Parameters
lockout
Syntax
Context
Description
This command enables the lockout mechanism for the IPSec tunnel. The system will lock out an IPSec client for the configured time interval if the number of failed authentications exceeds the configured value within the specified duration. This command only applies when the system acts as a tunnel responder.
A client is defined as the tunnel IP address plus the port.
Optionally, the max-port-per-ip parameter can be configured as the maximum number of ports allowed behind the same IP address. If this threshold is exceeded, then all ports behind the IP address are blocked.
The no form of this command disables the lockout mechanism.
Default
n/a
Parameters
match-peer-id-to-cert
Syntax
Context
Description
This command enables checking the IKE peer's ID matches the peer's certificate when performing certificate authentication.
nat-traversal
Syntax
Context
Description
This command specifies whether NAT-T (Network Address Translation Traversal) is enabled, disabled or in forced mode.
The no form of the command reverts the parameters to the default.
Default
none
Parameters
own-auth-method
Syntax
Context
Description
This command configures the authentication method used with this IKE policy on its own side.
pfs
Syntax
Context
Description
This command enables perfect forward secrecy on the IPSec tunnel using this policy. PFS provides for a new Diffie-hellman key exchange each time the SA key is renegotiated. After that SA expires, the key is forgotten and another key is generated (if the SA remains up). This means that an attacker who cracks part of the exchange can only read the part that used the key before the key changed. There is no advantage in cracking the other parts if they attacker has already cracked one.
The no form of the command disables PFS. If this it turned off during an active SA, when the SA expires and it is time to re-key the session, the original Diffie-hellman primes will be used to generate the new keys.
Default
15
Parameters
Group 1: 768 bits
Group 2: 1024 bits Group 5:
Group 14: 2048 bits
Group 15: 3072 bits
relay-unsolicited-cfg-attribute
Syntax
Context
Description
This command enters relay unsolicited configuration attributes context. With this configuration, the configured attributes returned from source (such as a RADIUS server) will be returned to IKEv2 remote-access tunnel client regardless if the client has requested it in the CFG_REQUEST payload.
internal-ip4-dns
Syntax
Context
Description
This command will return IPv4 DNS server address from source (such as a RADIUS server) to IKEv2 remote-access tunnel client regardless if the client has requested it in the CFG_REQUEST payload.
internal-ip4-netmask
Syntax
Context
Description
This command will return IPv4 netmask from source (such as a RADIUS server) to IKEv2 remote-access tunnel client regardless if the client has requested it in the CFG_REQUEST payload.
internal-ip6-dns
Syntax
Context
Description
This command will return IPv6 DNS server address from source (e.g. RADIUS server) to IKEv2 remote-access tunnel client regardless if the client has requested it in the CFG_REQUEST payload.
static-sa
Syntax
Context
Description
This command configures an IPSec static SA.
direction
Syntax
Context
Description
This command configures the direction for an IPSec manual SA.
The no form of the command reverts to the default value.
Default
bidirectional
Parameters
protocol
Syntax
Context
Description
This command configures the security protocol to use for an IPSec manual SA. The no statement resets to the default value.
Default
esp
Parameters
authentication
Syntax
Context
Description
This command configures the authentication algorithm to use for an IPSec manual SA.
The no form of the command reverts to the default value.
Default
sha1
Parameters
spi
Syntax
Context
Description
This command configures the SPI key value for an IPSec manual SA.
This command specifies the SPI (Security Parameter Index) used to lookup the instruction to verify and decrypt the incoming IPSec packets when the value of the direction command is inbound.
The SPI value specifies the SPI that will be used in the encoding of the outgoing packets when the when the value of the direction command is outbound. The remote node can use this SPI to lookup the instruction to verify and decrypt the packet.
If no spi is selected, then this static SA cannot be used.
The no form of the command reverts to the default value.
Default
none
Parameters
ipsec-transform
Syntax
Context
Description
This command enables the context to create an ipsec-transform policy. IPSec transforms policies can be shared. A change to the ipsec-transform is allowed at any time. The change will not impact tunnels that have been established until they are renegotiated. If the change is required immediately the tunnel must be cleared (reset) for force renegotiation.
IPSec transform policy assignments to a tunnel require the tunnel to be shutdown.
The no form of the command removes the ID from the configuration.
Parameters
esp-auth-algorithm
Syntax
Context
Description
The command specifies which hashing algorithm should be used for the authentication function Encapsulating Security Payload (ESP). Both ends of a manually configured tunnel must share the same configuration parameters for the IPSec tunnel to enter the operational state.
The no form of the command disables the authentication.
Parameters
esp-encryption-algorithm
Syntax
Context
Description
This command specifies the encryption algorithm to use for the IPSec session. Encryption only applies to esp configurations. If encryption is not defined, esp will not be used.
For IPSec tunnels to come up, both ends need to be configured with the same encryption algorithm.
The no form of the command removes the specified encryption algorithm.
Default
aes128
Parameters
tunnel-template
Syntax
Context
Description
This command creates a tunnel template. Up to 2,000 templates are allowed.
Default
none
Parameters
clear-df-bit
Syntax
Context
Description
This command enables clearing of the Do-not-Fragment bit.
ip-mtu
Syntax
Context
Description
This command configures the template IP MTU.
Parameters
replay-window
Syntax
Context
Description
This command sets the anti-replay window.
The no form of the command removes the parameter from the configuration.
Default
no replay-window
Parameters
sp-reverse-route
Syntax
Context
Description
This command specifies whether the node using this template will accept framed-routes sent by the RADIUS server and install them for the lifetime of the tunnel as managed routes.
The no form of the command disables sp-reverse-route.
Default
no sp-reverse-route
transform
Syntax
Context
Description
This command configures IPSec transform.
encapsulated-ip-mtu
Syntax
Context
Description
This command specifies the max size of encapsulated tunnel packet for the ipsec-tunnel/ip-tunnel or the dynamic tunnels terminated on the ipsec-gw. If the encapsulated v4/v6 tunnel packet exceeds the encapsulated-ip-mtu, then system will fragment the packet against the encapsulated-ip-mtu.
Parameters
icmp6-generation
Syntax
Context
Description
This command enters ICMPv6 packet generation configuration context.
pkt-too-big
Syntax
Context
Description
This command enables system to send ICMPv6 PTB (Packet Too Big) message on private side and optionally specifies the rate.
With this command configured, system will send PTB back if received v6 packet on private side is bigger than 1280 bytes and also exceeds the private MTU of the tunnel.
The ip-mtu command (under ipsec-tunnel or tunnel-template) specifies the private MTU for the ipsec-tunnel or dynamic tunnel.
Parameters
ip-mtu
Syntax
Context
Description
This command continues the template IP MTU.
IPSec Configuration Commands
ipsec
Syntax
Context
Description
This command enables the context to configure IPSec policies.
Default
none
cert-profile
Syntax
Context
Description
This command specifies the cert-profile for the ipsec-tunnel or ipsec-gw. This command will override cert and key configuration under the ipsec-tunnel or ipsec-gw.
Default
none
Parameters
security-policy
Syntax
Context
Description
This command configures a security policy to use for an IPSec tunnel.
Default
none
Parameters
entry
Syntax
Context
Description
This command configures an IPSec security policy entry.
Parameters
local-ip
Syntax
Context
Description
This command configures the local (from the VPN) IP prefix/mask for the policy parameter entry.
Only one entry is necessary to describe a potential flow. The local-ip and remote-ip commands can be defined only once. The system will evaluate the local IP as the source IP when traffic is examined in the direction of VPN to the tunnel and as the destination IP when traffic flows from the tunnel to the VPN. The remote IP will be evaluated as the source IP when traffic flows from the tunnel to the VPN when traffic flows from the VPN to the tunnel.
Parameters
local-v6-ip
Syntax
Context
Description
This command specifies the local v6 prefix for the security-policy entry.
Parameters
ipv6-address/prefix: ipv6-address | x:x:x:x:x:x:x:x (eight 16-bit pieces) |
| x:x:x:x:x:x:d.d.d.d |
| x [0 — FFFF]H |
d [0 — 255]D | |
host bits must be 0 | |
:: not allowed | |
prefix-length [1..128] |
remote-ip
Syntax
Context
Description
This command configures the remote (from the tunnel) IP prefix/mask for the policy parameter entry.
Only one entry is necessary to describe a potential flow. The local-ip and remote-ip commands can be defined only once. The system will evaluate the local IP as the source IP when traffic is examined in the direction of VPN to the tunnel and as the destination IP when traffic flows from the tunnel to the VPN. The remote IP will be evaluated as the source IP when traffic flows from the tunnel to the VPN when traffic flows from the VPN to the tunnel.
Parameters
remote-v6-ip
Syntax
Context
Description
This command specifies the remote v6 prefix for the security-policy entry.
Parameters
ipv6-address/prefix: ipv6-address | x:x:x:x:x:x:x:x (eight 16-bit pieces) |
| x:x:x:x:x:x:d.d.d.d |
| x [0 — FFFF]H |
d [0 — 255]D | |
host bits must be 0 | |
:: not allowed | |
prefix-length [1..128] |
address
Syntax
Context
Description
This command add an IPv6 address to the tunnel interface.
The prefix length must be 96 or higher.
Parameters
ipv6-address/prefix: ipv6-address | x:x:x:x:x:x:x:x (eight 16-bit pieces) |
| x:x:x:x:x:x:d.d.d.d |
| x [0 — FFFF]H |
d [0 — 255]D | |
prefix-length | 1 — 128 |
link-local-address
Syntax
Context
Description
This command specifies the link-local-address for the tunnel interface.
Only one link-local-address is allowed per interface.
Parameters
ipv6-address/prefix: ipv6-address | x:x:x:x:x:x:x:x (eight 16-bit pieces) |
| x:x:x:x:x:x:d.d.d.d |
| x [0 — FFFF]H |
d [0 — 255]D |
dynamic-tunnel-redundant-next-hop
Syntax
Context
Description
This command configures the dynamic ISA tunnel redundant next-hop address.
Default
no dynamic-tunnel-redundant-next-hop
Parameters
static-tunnel-redundant-next-hop
Syntax
Context
Description
This command specifies redundant next-hop address on public or private IPSec interface (with public or private tunnel-sap) for static IPSec tunnel. The specified next-hop address will be used by standby node to shunt IPSec traffic to master in case of it receives them.
The next-hop address will be resolved in routing table of corresponding service.
Default
no static-tunnel-redundant-next-hop
Parameters
interface
Syntax
Context
Description
This command creates a logical IP routing interface for a Virtual Private Routed Network (VPRN). Once created, attributes like an IP address and service access point (SAP) can be associated with the IP interface.
The interface command, under the context of services, is used to create and maintain IP routing interfaces within VPRN service IDs. The interface command can be executed in the context of an VPRN service ID. The IP interface created is associated with the service core network routing instance and default routing table. The typical use for IP interfaces created in this manner is for subscriber internet access.
Interface names are case sensitive and must be unique within the group of defined IP interfaces defined for config router interface and config service vprn interface. Interface names must not be in the dotted decimal notation of an IP address. For example, the name “1.1.1.1” is not allowed, but “int-1.1.1.1” is allowed. Show commands for router interfaces use either interface names or the IP addresses. Use unique IP address values and IP address names to maintain clarity. It could be unclear to the user if the same IP address and IP address name values are used. Although not recommended, duplicate interface names can exist in different router instances.
The available IP address space for local subnets and routes is controlled with the config router service-prefix command. The service-prefix command administers the allowed subnets that can be defined on service IP interfaces. It also controls the prefixes that may be learned or statically defined with the service IP interface as the egress interface. This allows segmenting the IP address space into config router and config service domains.
When a new name is entered, a new logical router interface is created. When an existing interface name is entered, the user enters the router interface context for editing and configuration.
By default, there are no default IP interface names defined within the system. All VPRN IP interfaces must be explicitly defined. Interfaces are created in an enabled state.
The no form of this command removes IP the interface and all the associated configuration. The interface must be administratively shutdown before issuing the no interface command.
For VPRN services, the IP interface must be shutdown before the SAP on that interface may be removed. VPRN services do not have the shutdown command in the SAP CLI context. VPRN service SAPs rely on the interface status to enable and disable them.
Parameters
sap
Syntax
Context
Description
This command creates a Service Access Point (SAP) within a service. A SAP is a combination of port and encapsulation parameters which identifies the service access point on the interface and within the router. Each SAP must be unique.
All SAPs must be explicitly created. If no SAPs are created within a service or on an IP interface, a SAP will not exist on that object.
Enter an existing SAP without the create keyword to edit SAP parameters. The SAP is owned by the service in which it was created.
A SAP can only be associated with a single service. A SAP can only be defined on a port that has been configured as an access port using the config interface port-type port-id mode access command. Channelized TDM ports are always access ports.
If a port is shutdown, all SAPs on that port become operationally down. When a service is shutdown, SAPs for the service are not displayed as operationally down although all traffic traversing the service will be discarded. The operational state of a SAP is relative to the operational state of the port on which the SAP is defined.
The no form of this command deletes the SAP with the specified port. When a SAP is deleted, all configuration parameters for the SAP will also be deleted.
Default
No SAPs are defined.
Special Cases
This context will provide a SAP to the tunnel. The operator may associate an ingress and egress QoS policies as well as filters and virtual scheduling contexts. Internally this creates an Ethernet SAP that will be used to send and receive encrypted traffic to and from the MDA. Multiple tunnels can be associated with this SAP. The “tag” will be a dot1q value. The operator may see it as an identifier. The range is limited to 1 — 4094.
Parameters
If the card in the slot has Media Dependent Adapters (MDAs) installed, the port-id must be in the slot_number/MDA_number/port_number format. For example 61/2/3 specifies port 3 on MDA 2 in slot 61.
Table 24: Port ID Syntax
null | port-id | lag-id | |
dot1q | {port-id | lag-id}:{qtag1 | cp-conn-prof-id | |
qinq | {port-id | lag-id}:{qtag1 | cp-conn-prof-id}.{qtag2 | cp-conn-prof-id} cp: keyword conn-prof-id: 1..8000 | |
port-id | slot/mda/port [.channel] | |
eth-sat-id | esat-id/slot/port | |
esat: keyword | ||
id: 1 to20 | ||
pxc-id | psc-id.sub-port | |
pxc psc-id.sub-port | ||
pxc: keyword | ||
id: 1 to 64 | ||
sub-port: a, b | ||
lag-id | lag-id | lag: keyword |
id: 1 .. 800 | ||
qtag1 | 0..4094 | |
qtag2 | * | null | 0 .. 4094 | |
The port-id must reference a valid port type. When the port-id parameter represents SONET/SDH and TDM channels the port ID must include the channel ID. A period “.” separates the physical port from the channel-id. The port must be configured as an access port.
If the SONET/SDH port is configured as clear-channel then only the port is specified.
ipsec-tunnel
Syntax
Context
Description
This command specifies an IPSec tunnel name. An IPSec client sets up the encrypted tunnel across public network. The 7750 SR IPSec MDA acts as a concentrator gathering, and terminating these IPSec tunnels into an IES or VPRN service. This mechanism allows as service provider to offer a global VPRN service even if node of the VPRN are on an uncontrolled or insecure portion of the network.
Default
none
Parameters
bfd-designate
Syntax
Context
Description
This command specifies whether this IPSec tunnel is the BFD designated tunnel.
Default
none
bfd-enable
Syntax
Context
Description
This command assign a BFD session provide heart-beat mechanism for given IPSec tunnel. There can be only one BFD session assigned to any given IPSec tunnel, but there can be multiple IPSec tunnels using same BFD session. BFD control the state of the associated tunnel, if BFD session goes down, system will also bring down the associated non-designated IPSec tunnel.
Default
none
Parameters
dynamic-keying
Syntax
Context
Description
This command enables dynamic keying for the IPSec tunnel.
Default
none
auto-establish
Syntax
Context
Description
This command specifies whether to attempt to establish a phase 1 exchange automatically.
The no form of the command disables the automatic attempts to establish a phase 1 exchange.
Default
no auto-establish
transform
Syntax
Context
Description
This command associates the IPSec transform sets allowed for this tunnel. A maximum of four transforms can be specified. The transforms are listed in decreasing order of preference (the first one specified is the most preferred).
Default
none
Parameters
manual-keying
Syntax
Context
Description
This command configures Security Association (SA) for manual keying. When enabled, the command specifies whether this SA entry is created manually by the user or dynamically by the IPSec sub-system.
Default
none
security-association
Syntax
Context
Description
This command configures the information required for manual keying SA creation.
Default
none
Parameters
replay-window
Syntax
Context
Description
This command specifies the size of the anti-replay window. The anti-replay window protocol secures IP against an entity that can inject messages in a message stream from a source to a destination computer on the Internet.
Default
none
Parameters
security-policy
Syntax
Context
Description
This command configures an IPSec security policy. The policy may then be associated with tunnels defined in the same context.
Default
none
Parameters
Interface SAP Tunnel Commands
ip-tunnel
Syntax
Context
Description
This command is used to configure an IP-GRE or IP-IP tunnel and associate it with a private tunnel SAP within an IES or VPRN service.
The no form of the command deletes the specified IP/GRE or IP-IP tunnel from the configuration. The tunnel must be administratively shutdown before issuing the no ip-tunnel command.
Default
no IP tunnels are defined.
Parameters
source
Syntax
Context
Description
This command sets the source IPv4 address of GRE encapsulated packets associated with a particular GRE tunnel. It must be an address in the subnet of the associated public tunnel SAP interface. The GRE tunnel does not come up until a valid source address is configured.
The no form of the command deletes the source address from the GRE tunnel configuration. The tunnel must be administratively shutdown before issuing the no source command.
Parameters
remote-ip
Syntax
Context
Description
This command sets the primary destination IPv4 address of GRE encapsulated packets associated with a particular GRE tunnel. If this address is reachable in the delivery service (there is a route) then this is the destination IPv4 address of GRE encapsulated packets sent by the delivery service.
The no form of the command deletes the destination address from the GRE tunnel configuration.
Parameters
backup-remote-ip
Syntax
Context
Description
This command sets the backup destination IPv4 address of GRE encapsulated packets associated with a particular GRE tunnel. If the primary destination address is not reachable in the delivery service (there is no route) or not defined then this is the destination IPv4 address of GRE encapsulated packets sent by the delivery service.
The no form of the command deletes the backup-destination address from the GRE tunnel configuration.
Parameters
clear-df-bit
Syntax
Context
Description
This command instructs the MS-ISA to reset the DF bit to 0 in all payload IP packets associated with the GRE or IPSec tunnel, before any potential fragmentation resulting from the ip-mtu command. (This will require a modification of the header checksum.) The no clear-df-bit command, corresponding to the default behavior, leaves the DF bit unchanged.
The no form of the command disables the DF bit reset.
Default
none
delivery-service
Syntax
Context
Description
This command sets the delivery service for GRE encapsulated packets associated with a particular GRE tunnel. This is the IES or VPRN service where the GRE encapsulated packets are injected and terminated. The delivery service may be the same service that owns the private tunnel SAP associated with the GRE tunnel. The GRE tunnel does not come up until a valid delivery service is configured.
The no form of the command deletes the delivery-service from the GRE tunnel configuration.
Parameters
dscp
Syntax
Context
Description
This command sets the DSCP code-point in the outer IP header of GRE encapsulated packets associated with a particular GRE tunnel. The default, set using the no form of the command, is to copy the DSCP value from the inner IP header (after remarking by the private tunnel SAP egress qos policy) to the outer IP header.
Default
no dscp
Parameters
dest-ip
Syntax
Context
Description
This command configures a private IPv4 or IPv6 address of the remote tunnel endpoint. A tunnel can have up to 16 dest-ip commands. At least one dest-ip address is required in the configuration of a tunnel. A tunnel does not come up operationally unless all dest-ip addresses are reachable (part of a local subnet).
Unnumbered interfaces are not supported.
Default
No default
Parameters
<ip-address> | ipv4-address | a.b.c.d |
ipv6-address | x:x:x:x:x:x:x:x (eight 16-bit pieces) | |
x:x:x:x:x:x:d.d.d.d | ||
x - [0..FFFF]H | ||
d - [0..255]D |
gre-header
Syntax
Context
Description
This command configures the type of the IP tunnel. If the gre-header command is configured then the tunnel is a GRE tunnel with a GRE header inserted between the outer and inner IP headers. If the no form of the command is configured then the tunnel is a simple IP-IP tunnel.
Default
no gre-header
Parameters
ip-mtu
Syntax
Context
Description
This command configures the IP maximum transmit unit (packet) for this interface.
Because this connects a Layer 2 to a Layer 3 service, this parameter can be adjusted under the IES interface.
The MTU that is advertized from the IES size is:
MINIMUM((SdpOperPathMtu - EtherHeaderSize), (Configured ip-mtu))
By default (for ethernet network interface) if no ip-mtu is configured it is (1568 - 14) = 1554.
The ip-mtu command instructs the MS-ISA to perform IP packet fragmentation, prior to IPSec encryption and encapsulation, based on the configured MTU value. In particular:
If the length of a payload IP packet (including its header) exceeds the configured MTU value and the DF flag is clear (due to the presence of the clear-df-bit command or because the original DF value was 0) then the MS-ISA fragments the payload packet as efficiently as possible (i.e. it creates the minimum number of fragments each less than or equal to the configured MTU size); in each created fragment the DF bit shall be 0.
If the length of a payload IP packet (including its header) exceeds the configured MTU value and the DF flag is set (because the original DF value was 1 and the tunnel has no clear-df-bit in its configuration) then the MS-ISA discards the payload packet without sending an ICMP type 3/code 4 message back to the packet’s source address.
The no ip-mtu command, corresponding to the default behavior, disables fragmentation of IP packets by the MS-ISA; all IP packets, regardless of size or DF bit setting, are allowed into the tunnel.
The effective MTU for packets entering a tunnel is the minimum of the private tunnel SAP interface IP MTU value (used by the IOM) and the tunnel IP MTU value (configured using the above command and used by the MS-ISA). So if it desired to fragment IP packets larger than X bytes with DF set, rather than discarding them, the tunnel IP MTU should be set to X and the private tunnel SAP interface IP MTU should be set to a value larger than X.
Default
no ip-mtu
reassembly
Syntax
Context
Description
This command configures the reassembly wait time.
IPSec Gateway Commands
ipsec-gw
Syntax
Context
Description
This command configures an IPSec gateway.
default-secure-service
Syntax
Context
Description
This command specifies a service ID or service name of the default security service used by this SAP IPSec gateway.
Parameters
default-tunnel-template
Syntax
Context
Description
This command configures a default tunnel policy template for the gateway.
dhcp
Syntax
Context
Description
This command enters the context of DHCPv4-based address assignment for IKEv2 remote-access tunnels.
The system will act as a DHCPv4 client on behalf of the IPSec client, and also a relay agent to relay DHCPv4 packets to the DHCPv4 server.
DHCPv4 DORA(Discovery/Offer/Request/Ack) exchange happens during IKEv2 remote-access tunnel setup. And system also supports standard renew
In order to use this feature, the relay-proxy must be enabled on the corresponding interface (either the private interface or the interface that has the gi-address as the interface address.
Default
no dhcp
dhcp6
Syntax
Context
Description
This command enters the context of DHCPv6-based address assignment for IKEv2 remote-access tunnels.
The system will act as a DHCPv6 client on behalf of the IPSec client, and will also act as a relay agent to relay DHCPv6 packets to the DHCPv6 server.
DHCPv6 exchange happens during IKEv2 remote-access tunnel setup. The system also supports standard renew.
Default
no dhcp6
gi-address
Syntax
Context
Description
This command specifies the gateway IP address of the DHCPv4 packets sent by the system. IPsec DHCP Relay uses only the gi-address configuration found under the IPsec gateway and does not take into account gi-address with src-ip-addr configuration below other interfaces
Default
no gi-address
Parameters
link-address
Syntax
Context
Description
This command specifies the link address of the relayed DHCPv6 packets sent by the system.
Default
no link-address
Parameters
send-release
Syntax
Context
Description
This command enables the system to send a DHCPv4/v6 release message when the IPSec tunnel is removed.
Default
no send-release
server
Syntax
Context
Description
This command specifies up to eight DHCPv4/v6 server addresses for DHCPv4/v6-based address assignment. If multiple server addresses are specified, the first advertised DHCPv4/v6 address received will be chosen.
Default
no server
Parameters
ike-policy
Syntax
Context
Description
This command configures IKE policy for the gateway.
Parameters
local-address-assignment
Syntax
Context
Description
This command enables the context to configure local address assignments for the IPSec gateway.
ipv4
Syntax
Context
Description
This command enables the context to configure IPv4 local address assignment parameters for the IPSec gateway.
address-source
Syntax
Context
Description
This command specifies the IPv4 or IPv6 source of the local address assignment for the IPSec gateway, which is a pool of a local DHCPv4 or DHCPv6 server. The system will assign an internal address to an IKEv2 remote-access client from the specified pool.
Beside the IP address, netmask and DNS server can also be returned. For IPv4, the netmask and DNS server address can be returned from the specified pool, as well as the IP address. The netmask returned to the IPsec client is derived from the subnet length from the subnet x.x.x.x/m create configuration, not the subnet-mask configuration in the subnet context. For IPv6, the DNS server address can be returned from the specified pool, as well as the IP address.
For IPv4, a secondary pool can be optionally specified. The secondary pool is used if the system is unable to assign addresses from the primary pool.
Default
no address-source
Parameters
ipv6
Syntax
Context
Description
This command enables the context to configure IPv6 local address assignment parameters for the IPSec gateway.
local-gateway-address
Syntax
Context
Description
This command configures local gateway address of the IPSec gateway..
Default
none
Parameters
local-gateway-address
Syntax
Context
Description
This command specifies the local gateway address used for the tunnel and the address of the remote security gateway at the other end of the tunnelremote peer IP address to use.
Default
The base routing context is used if the delivery-router option is not specified.
Parameters
local-id
Syntax
Context
Description
This command specifies the local ID for 7750 SRs used for IDi or IDr for IKEv2 tunnels.
The no form of the command removes the parameters from the configuration.
Default
Depends on local-auth-method like following:
- Psk:local tunnel ip address
- Cert-auth: subject of the local certificate
Parameters
pre-shared-key
Syntax
Context
Description
This command configures the pre-shared key for the IPSec gateway or IPSec tunnel.
Default
no pre-shared-key
Parameters
radius-accounting-policy
Syntax
Context
Description
This command specifies the radius-accounting-policy to be used for the IKEv2 remote-access tunnels terminated on the ipsec-gw. The radius-accounting-policy is defined under config>ipsec context.
Default
none
Parameters
radius-authentication-policy
Syntax
Context
Description
This command specifies the radius-authentication-policy to be used for the IKEv2 remote-access tunnels terminated on the ipsec-gw. The radius-authentication-policy is is defined under config>ipsec context.
Default
none
Parameters
cert
Syntax
Context
Description
This command configures cert parameters used by this SAP IPSec gateway.
cert
Syntax
Context
Description
This command specifies the certificate that 7750 SR used to identify itself in case peer need it. 7750 SR will load (reload) the certificate from the configured URL when the ipsec-tunnel/ipsec-gw is “no shutdown”.
When system is loading the certificate, it will check if it is a valid X.509v3 certificate by performing following:
- key file must be already configured
- Configured cert file must be a DER formatted X.509v3 certificate file
- All non-optional fields defined in section 4.1 of RFC5280 must exist in the cert-file and conform to the RFC5280 defined format.
- The version field to see if its value is 0x2
- The Validity field to see that if the certificate is still in validity period.
- If Key Usage extension exists, then At least digitalSignature and keyEncipherment shall be set;
- The public key of the certificate can match with the public key in the configured key file.
If any of above checks fails, then the “no shutdown” command will fails.
Configured certificate file url can only be changed or removed when tunnel or gw is shutdown.
Same certificate could be used for multiple ipsec-tunnels or ipsec-gws, however for each certificate file, there is only one memory instance, if a certificate file has been updated, “no shutdown” in any of tunnel that use the certificate file will cause the memory instance updated, which will not impact the current up and running tunnels that use the certificate file, but the new authentication afterwards will use the updated memory instance. Since 12.0R1, user should use cert-profile instead. This command will be deprecated in future release.
Default
None
Parameters
key
Syntax
Context
Description
This command specifies the key pair file 7750 SR will use for X.509 certificate authentication. System will load the key file when the ipsec-tunnel/gw is “no shutdown”
When system is loading the key file, it will check if it is a valid 7750 SR formatted key file.
Key file url can only be changed or removed when tunnel or gw is shutdown.
Same key could be used for multiple ipsec-tunnels or ipsec-gws, however for each key file, there is only one memory instance, if a key file has been updated, “no shutdown” in any of tunnel that use the key file will cause the memory instance updated, which will not impact the current up and running tunnels that use the key file, but the new authentication afterwards will use the updated memory instance. Since 12.0R1, user should use cert-profile instead. This command will be deprecated in future release.
Default
None
Parameters
status-verify
Syntax
Context
Description
This command enables the context to configure certificate recovation status verification parameters.
Default
none
default-result
Syntax
Context
Description
This command specifies the default result when both the primary and secondary method failed to provide an answer.
Default
default-result revoked
Parameters
primary
Syntax
Context
Description
This command specifies the primary method that used to verify revocation status of the peer’s certificate; could be either CRL or OCSP
OCSP or CRL will use the corresponding configuration in the ca-profile of the issuer of the certificate in question.
Default
primary crl
Parameters
secondary
Syntax
Context
Description
This command specifies the secondary method that used to verify revocation status of the peer’s certificate; could be either CRL or OCSP.
OCSP or CRL will use the corresponding configuration in the ca-profile of the issuer of the certificate in question.
secondary method will only be used when the primary method failed to provide an answer:
- OCSP — unreachable / any answer other than “good” or “revoked” / ocsp is NOT configured in ca-profile/ OCSP response is not signed/Invalid nextUpdate
- CRL: CRL expired
Default
no secondary
Parameters
auto-establish
Syntax
Context
Description
The system will automatically establish phase 1 SA as soon as the tunnel is provisioned and enabled (no shutdown). This option should only be configured on one side of the tunnel.
Any associated static routes will remain up as long as the tunnel could be up, even though it may actually be Oper down according to the CLI.
Default
None
trust-anchor-profile
Syntax
Context
Description
This command specifies the trust-anchor-profile for the ipsec-tunnel or ipsec-gw. This command will override “trust-anchor” configuration under the ipsec-tunnel or ipsec-gw.
Default
No
Parameters
trust-anchor
Syntax
Context
Description
This command configures trust anchor with a CA profile used by this SAP IPSec gateway. Since 12.0R1, user should use cert-profile instead. This command will be deprecated in future release.
Parameters
ts-list
Syntax
Context
Description
This command creates a new TS-list.
The no form of the command removes the list name from the configuration.
Parameters
local
Syntax
Context
Description
This command enables the context to configure local TS-list parameters. The TS-list is the traffic selector of the local system, such as TSr when the system acts as an IKEv2 responder.
remote
Syntax
Context
Description
This command enables the context to configure remote TS-list parameters. The TS-list is the traffic selector of the local system, such as TSi when the system acts as an IKEv2 responder.
entry
Syntax
Context
Description
This command creates a new TS-list entry or enables the context to configure an existing TS-list entry.
The no form of the command removes the entry from the local or remote configuration.
Default
n/a
Parameters
address
Syntax
Context
Description
This command specifies the address range in the IKEv2 traffic selector.
Default
n/a
Parameters
protocol
Syntax
Context
Description
This command specifies the protocol and port range in the IKEv2 traffic selector.
The SR OS supports OPAQUE ports and port ranges for the following protocols:
- TCP
- UDP
- SCTP
- ICMP
- ICMPv6
- MIPv6
For ICMP and ICMPv6, the port value takes the form icmp-type/icmp-code. For MIPv6, the port value is the mobility header type. For other protocols, only the port any configuration can be used.
Default
n/a
Parameters
ts-negotiation
Syntax
Context
Description
This command enables the IKEv2 traffic selector negotiation with the specified ts-list.
Parameters
IPSec Mastership Election Commands
The commands described in this section are applicable only to the 7750 SR.
multi-chassis
Syntax
Context
Description
Thiis command enables the context to configure multi-chassis parameters.
peer
Syntax
Context
Description
This command configures a multi-chassis redundancy peer.
Parameters
mc-ipsec
Syntax
Context
Description
This command enables the context to configure multi-chassis peer parameters.
bfd-enable
Syntax
Context
Description
This command enables tracking a central BFD session, if the BFD session goes down, then system consider the peer is down and change the mc-ipsec status of configured tunnel-group accordingly.
The BFD session uses specified the loopback interface (in the specified service) address as the source address and uses specified dst-ip as the destination address. Other BFD parameters are configured with the bfd command on the specified interface.
Default
300
discovery-interval
Syntax
Context
Description
This command specifies the time interval of tunnel-group stays in “Discovery” state. Interval-1 is used as discovery-interval when a new tunnel-group is added to multi-chassis redundancy (mp-ipsec); interval-2 is used as discovery-interval when system boot-up, it is optional, when it is not specified, the interval-1 will be used.
Default
300
Parameters
hold-on-neighbor-failure
Syntax
Context
Description
This command specifies the number of keep-alive failure before consider the peer is down.
The no form of the command reverts to the default.
Default
3
Parameters
keep-alive-interval
Syntax
Context
Description
This command specifies the time interval of mastership election protocol sending keep-alive packet.
The no form of the command reverts to the default.
Default
10
Parameters
tunnel-group
Syntax
Context
Description
This command enables multi-chassis redundancy for specified tunnel-group; or enters an already configured tunnel-group context. The configured tunnel-group could failover independently.
The no form of the command removes the tunnel group ID from the configuration.
Default
none
Parameters
peer-group
Syntax
Context
Description
This command specifies the corresponding tunnel-group id on peer node. The peer tunnel-group id does not necessary equals to local tunnel-group id.
The no form of the command removes the tunnel group ID from the configuration.
Default
none
Parameters
priority
Syntax
Context
Description
This command specifies the local priority of the tunnel-group, this is used to elect master, higher number win. If priority are same, then the peer has more active ISA win; and priority and the number of active ISA are same, then the peer with higher IP address win.
The no form of the command removes the priority value from the configuration.
Default
100
Parameters
protocol
Syntax
Context
Description
This command configures a routing protocol as a match criterion for a route policy statement entry. This command is used for both import and export policies depending how it is used.
When the ipsec is specified this means IPSecroutes.
If no protocol criterion is specified, any protocol is considered a match.
The no form of the command removes the protocol match criterion.
Default
no protocol — Matches any protocol.
Parameters
state
Syntax
Context
Description
This command will configure a match criteria on the state attribute. The state attribute carries the state of an SRRP instance and it can be applied to:
- subscriber-interface routes
- subscriber-management routes (/32 IPv4 and IPv6 PD wan-host)
- managed-routes (applicable only to IPv4).
Based on the state attribute of the route we can manipulate the route advertisement into the network.
We can enable or disable (in case there is no SRRP running) tracking of SRRP state by routes.
This is done on a per subscriber-interface route basis, where a subscriber-interface route is tracking a single SRRP instance state (SRRP instance might be in a Fate Sharing Group).
For subscriber-management and managed-routes, tracking is enabled per group interface under which SRRP is enabled.
Default
none
Parameters
srrp-master | Track routes with the state attribute carrying srrp-master state |
srrp-non-master | Track routes with the state attribute carrying srrp-non-master state. |
psec-master-with-peer | Track routes with the state attribute carrying ipsec-master-with-peer state. |
ipsec-non-master | Track routes with the state attribute carrying ipsec-non-master state. |
ipsec-master-without-peer | Track routes with the state attribute carrying ipsec-master-without-peer state. |
tunnel-group
Syntax
Context
Description
This command enables multi-chassis synchronization of IPsec states of specified tunnel-group with peer. sync-tag is used to match corresponding tunnel-group on both peers. IPsec states will be synchronized between tunnel-group with same sync-tag.
Default
no
Parameters
ipsec
Syntax
Context
Description
This command enables multi-chassis synchronization of IPsec states on system level.
Default
no
ipsec-responder-only
Syntax
Context
Description
With this command configured, system will only act as IKE responder except for the automatic CHILD_SA rekey upon MC-IPsec switchover.
Default
no
IPSec RADIUS Commands
radius-accounting-policy
Syntax
Context
Description
This command specifies an existing RADIUS accounting policy to use to collect accounting statistics on this subscriber profile by RADIUS. This command is used independently of the collect-stats command.
Parameters
radius-authentication-policy
Syntax
Context
Description
This command specifies the radius authentication policy associated with this IPsec gateway.
include-radius-attribute
Syntax
Context
Description
This command enables the context to specify the RADIUS parameters that the system should include into RADIUS authentication-request messages.
called-station-id
Syntax
Context
Description
This command includes called station id attributes.
The no form of the command excludes called station id attributes.
calling-station-id
Syntax
Context
Description
This command enables the inclusion of the calling-station-id attribute in RADIUS authentication requests and RADIUS accounting messages.
Default
no calling-station-id
client-cert-subject-key-id
Syntax
Context
Description
This command enables the inclusion of the Subject Key Identifier of the peer's certificate in the RADIUS Access-Request packet as VSA: Alc-Subject-Key-Identifier. Refer to the SROS RADIUS Attributes Reference Guide for more information.
Default
no client-cert-subject-key-id
framed-ip-addr
Syntax
Context
Description
This command enables the inclusion of the framed-ip-addr attribute.
nas-identifier
Syntax
Context
Description
This command enables the generation of the nas-identifier RADIUS attribute.
nas-ip-addr
Syntax
Context
Description
This command enables the generation of the NAS ip-address attribute.
nas-port-id
Syntax
Context
Description
This command enables the generation of the nas-port-id RADIUS attribute. Optionally, the value of this attribute (the SAP-id) can be prefixed by a fixed string and suffixed by the circuit-id or the remote-id of the client connection. If a suffix is configured, but no corresponding data is available, the suffix used will be 0/0/0/0/0/0.
radius-server-policy
Syntax
Context
Description
This command references an existing radius-server-policy (available under the config>aaa context) for use in subscriber management authentication and accounting.
When configured in an authentication-policy, following CLI commands are ignored in the policy to avoid conflicts:
- all commands in the radius-authentication-server context
- accept-authorization-change
- coa-script-policy
- accept-script-policy
- request-script-policy
When configured in a radius-accounting-policy, following CLI commands are ignored in the policy to avoid conflicts:
- all commands in the radius-accounting-server context
- acct-request-script-policy
The no form of the command removes the radius-server-policy reference from the configuration
Default
no radius-server-policy
Parameters
update-interval
Syntax
Context
Description
This command enables the system to send RADIUS interim-update packets for IKEv2 remote-access tunnels. The RADIUS attributes in the interim-update packet are the as same as acct-start. The value of the Acct-status-type in the interim-update message is 3.
Default
none
Parameters
password
Syntax
Context
Description
This command specifies the password that is used in the RADIUS access requests.It shall be specified as a string of up to 32 characters in length.
The no form of the command resets the password to its default of ALU and will be stored using hash/hash2 encryption.
Default
ALU
Parameters
CMPv2 Commands
pki
Syntax
Context
Description
This command enables the context to configure PKI related parameters.
Default
none
ca-profile
Syntax
Context
Description
This command creates a new ca-profile or enter the configuration context of an existing ca-profile. Up to 128 ca-profiles could be created in the system. A shutdown the ca-profile will not affect the current up and running ipsec-tunnel or ipsec-gw that associated with the ca-profile. But authentication afterwards will fail with a shutdown ca-profile.
Executing a no shutdown command in this context will cause system to reload the configured cert-file and crl-file.
A ca-profile can be applied under the ipsec-tunnel or ipsec-gw configuration.
The no form of the command removes the name parameter from the configuration. A ca-profile can not be removed until all the association(ipsec-tunnel/gw) have been removed.
Parameters
certificate
Syntax
Context
Description
This command enables the context to configure X.509 certificate related operational parameters.
certificate-display-format
Syntax
Context
Description
This command specifies the certificate subject display format.
Default
ascii
Parameters
cmpv2
Syntax
Context
Description
This command enables the context to configure CMPv2 parameters. Changes are not allowed when the CA profile is enabled (no shutdown).
accept-unprotected-errormsg
Syntax
Context
Description
This command enables the system to accept both protected and unprotected CMPv2 error message. Without this command, system will only accept protected error messages.
The no form of the command causes the system to only accept protected PKI confirmation message.
Default
no
accept-unprotected-pkiconf
Syntax
Context
Description
This command enables the system to accept both protected and unprotected CMPv2 PKI confirmation messages. Without this command, system will only accept protected PKI confirmation message.
The no form of the command causes the system to only accept protected PKI confirmation message.
Default
none
always-set-sender-for-ir
Syntax
Context
Description
This command specifies to always set the sender field in CMPv2 header of all Initial Registration (IR) messages with the subject name. By default, the sender field is only set if an optional certificate is specified in the CMPv2 request.
Default
no always-set-sender-for-ir
key-list
Syntax
Context
Description
This command enables the context to configure pre-shared key list parameters.
key
Syntax
Context
Description
This command specifies a pre-shared key used for CMPv2 initial registration. Multiples of key commands are allowed to be configured under this context.
The password and reference-number is distributed by the CA via out-of-band means.
The configured password is stored in configuration file in an encrypted form by using SR OS hash2 algorithm.
The no form of the command removes the parameters from the configuration.
Default
none
Parameters
url
Syntax
Context
Description
This command specifies HTTP URL of the CMPv2 server. The URL must be unique across all configured ca-profiles.
The URL will be resolved by the DNS server configured (if configured) in the corresponding router context.
If the service-id is 0 or omitted, then system will try to resolve the FQDN via DNS server configured in bof.cfg. After resolution, the system will connect to the address in management routing instance first, then base routing instance.
If the service is VPRN, then the system only allows HTTP ports 80 and 8080.
Default
none
Parameters
revocation-check
Syntax
Context
Description
This command specifies the revocation method system used to check the revocation status of certificate issued by the CA, the default value is crl, which will use CRL. But if it is crl-optional, then it means when the user disables the ca-profile, then the system will try to load the configured CRL (specified by the crl-file command). But if the system fails to load it for following reasons, then the system will still bring ca-profile oper-up, but leave the CRL as non-exist.
- CRL file does not exist
- CRL is not properly encoded - maybe due to interrupted file transfer
- CRL does not match cert
- Wrong CRL version
- CRL expired
If the system needs to use the CRL of a specific ca-profile to check the revocation status of an end-entity cert, and the CRL is non-existent due to the above reasons, then the system will treat it as being unable to get an answer from CRL and fall back to the next status-verify method or default-result.
If the system needs to check the revocation of a CA cert in cert chain, and if the CRL is non-existent due to the above reasons, then the system will skip checking the revocation status of the CA cert. For example, if CA1 is issued by CA2, if CA2’s revocation-check is crl-optional and the CA2’s CRL is non-existent, then the system will not check CA1 cert’s revocation status and consider it as “good”.
 | Note:
Users must shutdown the ca-profile to change the revocation-check configuration. |
Default
revocation-check crl
Parameters
http-response-timeout
Syntax
Context
Description
This command specifies the timeout value for HTTP response that is used by CMPv2.
The no form of the command reverts to the default.
Default
30 seconds
Parameters
http-version
Syntax
Context
Description
This command configures the the HTTP version for CMPv2 messages.
Default
1.1
response-signing-cert
Syntax
Context
Description
This command specifies a imported certificate that is used to verify the CMP response message if they are protected by signature. If this command is not configured, then CA’s certificate will be used.
Default
none
Parameters
same-recipnonce-for-pollreq
Syntax
Context
Description
This command enables the system to use same recipNonce as the last CMPv2 response for poll request.
Default
none
cert-request
Syntax
Context
Description
This command requests an additional certificate after the system has obtained the initial certificate from the CA.
The request is authenticated by a signature signed by the current-key, along with the current-cert. The hash algorithm used for signature is depends on the key type:
- DSA key: SHA1
- RSA key: MD5/SHA1/SHA224 | SHA256 | SHA384 | SHA512, by default is SHA1
In some cases, the CA may not return a certificate immediately, due to reasons such as request processing need manual intervention. In such cases, the admin certificate cmpv2 poll command can be used to poll the status of the request.
Default
none
Parameters
clear-request
Syntax
Context
Description
This command clears current pending CMPv2 requests toward the specified CA. If there are no pending requests, it will clear the saved result of prior request.
Default
none
Parameters
initial-registration
Syntax
Context
Description
This command request initial certificate from CA by using CMPv2 initial registration procedure.
The ca parameter specifies a CA-profile which includes CMP server information.
The key-to-certify is an imported key file to be certified by the CA.
The protection-key is an imported key file used to for message protection if protection-alg is signature.
The request is authenticated either of following methods:
- A password and a reference number that pre-distributed by CA via out-of-band means.
- The specified password and reference number are not necessarily in the cmp-keylist configured in the corresponding CA-Profile
- A signature signed by the protection-key or key-to-certify, optionally along with the corresponding certificate. If the protection-key is not specified, system will use the key-to-certify for message protection. The hash algorithm used for signature is depends on key type:
- DSA key: SHA1
- RSA key: MD5/SHA1/SHA224 | SHA256 | SHA384 | SHA512, by default is SHA1
Optionally, the system could also send a certificate or a chain of certificates in extraCerts field. Certificate is specified by the “cert” parameter, it must include the public key of the key used for message protection.
Sending a chain is enabled by specify the send-chain parameter.
subject-dn specifies the subject of the requesting certificate.
save-as specifies full path name of saving the result certificate.
In some cases, CA may not return certificate immediately, due to reason like request processing need manual intervention. In such cases, the admin certificate cmpv2 poll command could be used to poll the status of the request. If key-list is not configured in the corresponding ca-profile, then the system will use the existing password to authenticate the CMPv2 packets from server if it is in password protection.
If key-list is configured in the corresponding ca-profile and server doesn't send SenderKID, then the system will use lexicographical first key in the key-list to authenticate the CMPv2 packets from server in case it is in password protection.
Default
none
Parameters
key-update
Syntax
Context
Description
This command requests a new certificate from the CA to update an existing certificate due to reasons such as key refresh or replacing compromised key.
In some cases, the CA may not return certificate immediately, due to reasons such as request processing need manual intervention. In such cases, the admin certificate cmpv2 poll command can be used to poll the status of the request.
Parameters
poll
Syntax
Context
Description
This command polls the status of the pending CMPv2 request toward the specified CA.
If the response is ready, this command will resume the CMPv2 protocol exchange with server as the original command would do. The requests could be also still be pending as a result, then this command could be used again to poll the status.
SR OS allows only one pending CMP request per CA, which means no new request is allowed when a pending request is present.
Default
none
Parameters
show-request
Syntax
Context
Description
This command displays current the CMPv2 pending request toward the specified CA. If there is no pending request, the last pending request is displayed including the status (success/fail/rejected) and the receive time of last CMPv2 message from server.
The following information is included in the output:
- Request type, original input parameter(password is not displayed), checkAfter and reason in of last PollRepContent, time of original command input.
Default
none
Parameters
Auto-Update Command Descriptions
file-transmission-profile
Syntax
Context
Description
This command creates a new file transmission profile or enters the configuration context of an existing file-transmission-profile.
The file-transmission-profile context defines transport parameters for protocol such as HTTP, include routing instance, source address, timeout value, etc.
Default
n/a
Parameters
ipv4-source-address
Syntax
Context
Description
This command specifies the IPv4 source address used for transport protocol.
The no form of this command uses the default source address which typically is the address of the egress interface.
Default
no ipv4-source-address
Parameters
ipv6-source-address
Syntax
Context
Description
This command specifies the IPv6 source address used for transport protocol.
The no form of this command uses the default source address which typically is the address of egress interface.
Default
no ipv6-source-address
Parameters
redirection
Syntax
Context
Description
This command enables system to accept HTTP redirection response, along with the max level of redirection. The virtual router may send a new request to another server if the requested resources are not available (e.g., temporarily available to another server).
Default
no redirection
Parameters
retry
Syntax
Context
Description
This command specifies the number of retries on transport protocol level.
When the virtual router does not receive any data from a server (e.g., FTP or HTTP server) after the configured timeout seconds, the router may repeat the request to the server. The number of retries specifies the maximum number of repeated requests.
The no form of this command disables the retry.
Default
no retry
Parameters
router
Syntax
Context
Description
This command specifies the routing instance that the transport protocol uses.
Default
router "Base"
Parameters
<router-instance> : | <router-name> | <service-id> | |
router-name | "Base" | "management" | "vpls-management" | |
service-id | [1..2147483647] | |
timeout
Syntax
Context
Description
This command specifies timeout value in seconds for transport protocol. The timeout is the maximum waiting time to receive any data from the server (e.g., FTP or HTTP server).
Default
60
Parameters
auto-crl-update
Syntax
Context
Description
This command creates an auto CRL update configuration context with the create parameter, or enters the auto-crl-update configuration context without the create parameter.
This mechanism auto downloads a CRL file from a list of configured HTTP URLs either periodically or before existing CRL expires. If the downloaded CRL is more recent than the existing one, then the existing one will be replaced.
| Note:
The configured URL must point to a DER encoded CRL file. |
Default
no auto-crl-update
Parameters
crl-urls
Syntax
Context
Description
This command enables the context to configure crl-urls parameters. The system allows up to eight URL entries to be configured and will try each URL in order and stop when a qualified CRL is successfully downloaded. A qualified CRL is a valid CRL signed by the CA and is more recent than the existing CRL.
If none of the configured URLs returns a qualified CRL, then:
- If the schedule-type is next-update-based, system will wait for configure retry-interval before it start from beginning of the list again.
- If the schedule-type is periodic, then system will wait till next periodic update time.
If the user wants to manually stop the download, shutting down of auto-crl-retrieval could be used to achieve this.
Default
n/a
url-entry
Syntax
Context
Description
This command creates a new crl-url entry with the create parameter, or enters an existing url-entry configuration context without create parameter.
The no form of this command removes the specified entry.
Default
n/a
Parameters
file-transmission-profile
Syntax
Context
Description
This command specifies the file-transmission-profile for the url-entry. When the system downloads a CRL from the configured URL in the url-entry it will use the transportation parameter configured in the file-transmission-profile. auto-crl-update supports Base/Management/VPRN routing instance. vpls-management is not supported. In case of VPRN, the HTTP server port can only be 80 or 8080.
The no form of the command removes the specified profile name.
Default
n/a
Parameters
url
Syntax
Context
Description
This command specifies the HTTP URL of the CRL file for the url-entry. The system supports both IPv4 and IPv6 HTTP connections.
| Note:
The URL must point to a DER encoded CRL. |
Default
n/a
Parameters
periodic-update-interval
Syntax
Context
Description
This command specifies the interval for periodic updates. The minimal interval is 1 hour. The maximum interval is 366 days.
Default
days 1
Parameters
retry-interval
Syntax
Context
Description
This command specifies the interval, in seconds, that the system waits before retrying the configured url-entry list when schedule-type is next-update-based and none of the URLs return a qualified CRL.
The no form of the command causes the system to retry immediately without waiting.
Default
3600
Parameters
pre-update-time
Syntax
Context
Description
This command specifies the pre-download time for next-update-based update.
Default
hrs 1
Parameters
schedule-type
Syntax
Context
Description
This command specifies the schedule type for auto CRL update. The system supports two types:
- periodic: — The system will download a CRL periodically at the interval configured via the periodic-update-interval command. For example, if the periodic-update-interval is 1 day, then the system will download a CRL every 1 day. The minimal periodic-update-interval is 1 hour.
- ext-update-based — The system will download a CRL at the time = Next_Update_of_existing_CRL minus pre-update-time. For example, if the Nex-Update of the existing CRL is 2015-06-30 06:00 and pre-update-time is 1 hour, then the system will start downloading at 2015-06-30, 05:00.
Default
next-update-based
Parameters
shutdown
Syntax
Context
Description
This command disables the auto CRL update.
The no form of this command enables an auto CRL update. Upon no shutdown, if the configured CRL file does not exist, is invalid or is expired or if the schedule-type is next-update-based and current time passed (Next-Update_of_existing_CRL - pre-update-time), then system will start downloading CRL right away.
Default
shutdown
crl-update
Syntax
Context
Description
This command manually triggers the CRL update for the specified ca-profile.
Using this command requires shutting down the auto-crl-update.
Default
none
Parameters
Show Commands
cert-profile
Syntax
Context
Description
This command displays IPsec certificate profile information.
Parameters
Output
The following is an example output of the show ipsec cert-profile command.
certificate
Syntax
Context
Description
This command displays certificate-related information.
Parameters
Output
The following is an example output of the show certificate command.
In the following example, the "cert-1.der" is the certificate-profile name, where as above the cert-1.der is the actual file in use.
gateway
Syntax
Context
Description
This command displays IPSec gateway information.
Parameters
Output
The following is an example output of the show ipsec gateway command.
tunnel
Syntax
Context
Description
This command displays information about a particular GRE tunnel or all GRE tunnels.
Parameters
Output
Table 25 lists the information displayed for each GRE tunnel.
Table 25: Show GRE Tunnel Output Fields
Label | Description |
TunnelName (Tunnel Name) | The name of the GRE tunnel. |
SvcID (Service ID) | The service ID of the IES or VPRN service that owns the GRE tunnel. |
SapId (Sap ID) | The ID of the private tunnel SAP that owns the GRE tunnel. |
Description | The description for the GRE tunnel. |
LocalAddress (Source Address) | The source address of the GRE tunnel (public/outer IP) |
RemoteAddress (Remote Address) | The destination address of the GRE tunnel (public/outer IP) |
Bkup RemAddr (Backup Address) | The backup destination address of the GRE tunnel (public/outer IP) |
To (Target Address) | The remote address of the GRE tunnel (private/inner IP). This is the peer’s IP address to the GRE tunnel. This comes from the tunnel configuration. |
DlvrySvcId (Delivery Service) | The service ID of the IES or VPRN service that handles the GRE encapsulated packets belonging to the tunnel. |
DSCP | The forced DSCP codepoint in the outer IP healer of GRE encapsulated packets belonging to the tunnel. |
Admn (Admin State) | Admin state of the tunnel (up/down). |
Oper (Operational State) | Operational state of the tunnel (up/down). |
Oper Rem Addr (Oper Remote Addr) | The destination address of the GRE tunnel (public/outer IP) that is currently being used. |
Pkts Rx | Number of GRE packts received belonging to the tunnel. |
Pkts Tx | Number of GRE packets transmitted belonging to the tunnel. |
Bytes Rx | Number of bytes in received GRE packets associated with the tunnel. |
Bytes Tx | Number of bytes in transmitted GRE packets associated with the tunnel. |
Key Ignored Rx | Incremented every time a GRE packet is received with a GRE key field. |
Too Big Tx | Incremented every time an IP packet with DF=1 is to be forwarded into the GRE tunnel and its size exceeds the interface IP MTU. |
Seq Ignored Rx | Incremented every time a GRE packet is received with a sequence number. |
Vers Unsup. Rx | Incremented every time a GRE packet is dropped because the GRE version is unsupported. |
Invalid Chksum Rx | Incremented every time a GRE packet is dropped because the checksum is invalid. |
Loops Rx | Incremented eery time a GRE packet is dropped because the destination IP address of the un-encapsulated packet would cause it be re-encapsulated into the same tunnel. |
ike-policy
Syntax
Context
Description
This command displays
Parameters
Output
The following is an example output for the show ipsec ike-policy command.
lockout
Syntax
Context
Description
This command displays the lockout status for the specified IPSec clients. If remote address information is not specified, the system will display a list of clients that have been locked out on the specified ISA, along with the IPSec gateway if local-gateway-address is specified.
Parameters
Output
The following output is an example of lockout information.
radius-accounting-policy
Syntax
Context
Description
This command displays RADIUS accounting-policy related information.
Parameters
Output
The following is an example output for the show ipsec radius-acounting-policy command.
radius-authentication-policy
Syntax
Context
Description
This command displays IPSec RADIUS authentication policy information.
Parameters
security-policy
Syntax
Context
Description
This command displays
Parameters
Output
The following is an example output for the show ipsec security-policy command.
static-sa
Syntax
Context
Description
This command displays IPSec static-SA information.
Parameters
transform
Syntax
Context
Description
This command displays IPSec transforms.
Parameters
Output
The following is an example output for the show ipsec transform command.
trust-anchor-profile
Syntax
Context
Description
This command displays trust anchor profile information.
Parameters
Output
The following is an example output for the show ipsec trust-anchor-profile command.
ts-list
Syntax
Context
Description
This command displays IPSec traffic-selector list (TS-list) information.
Entering this command without a parameter will list all configured TS-lists.
Entering this command with the association parameter will list all IPSec gateways that use the specified TS-list.
Entering this command with the local or local-entry parameter will list all or specified local entries of the specified TS-list.
Entering this command with the remote or remote-entry parameter will list all or specified remote entries of the specified TS-list.
Parameters
Output
The following output is an example of TS-list information.
tunnel
Syntax
Context
Description
This command displays
Parameters
tunnel-template
Syntax
Context
Description
This command displays
Parameters
Output
The following is an example output for the show ipsec tunnel-template command.
mc-ipsec
Syntax
Context
Description
This command displays the 7750 SR IPSec multi-chassis states. Optionally, only state of specified tunnel-group will be displayed.
Parameters
Output
Table 26 describes show redundancy multi-chassis mc-ipsec output fields.
Table 26: Show MC-IPSec Peer Output Fields
Label | Description |
Admin State | Displays the admin state of mc-ipsec. |
Mastership/Master State | Displays the current MIMP state. |
Protection Status | Displays nominal or notReady. notReady means the system is not ready for a switchover. There could be major traffic impact if switchover happens in case of notReady. nominal means the tunnel-group is in a better situation to switchover than notReady. However there still might be traffic impact. |
Installed | Displays the number of tunnels that has been successfully installed on MS-ISA |
Installing | Displays the number of tunnels that are being installed on MS-ISA. |
Awaiting Config | Displays the number of synced tunnels that do not have corresponding configuration ready |
Failed | Displays the number of tunnels that have been failed to installed on MS-ISA. |
Debug Commands
gateway
Syntax
Context
Description
This command enables debugging for dynamic IPSec tunnels that terminate on the specified IPSec gateway.
The tunnel to be debugged can be specified by either its source address or source subnet. If a subnet is specified, the system will enable debugging for all tunnels with source addresses in the specified subnet.
Parameters
tunnel
Syntax
Context
Description
This command enables debugging for specified IPSec tunnel.
| Note:
Only one IPSec tunnel is allowed to enable debugging at a time. |
Parameters
certificate
Syntax
Context
Description
This command enables debug for certificate chain computation in cert-profile.
Parameters
cmpv2
Syntax
Context
Description
This command enables the context to perform CMPv2 operations.
ca-profile
Syntax
Context
Description
This command debugs output of the specificied CA profile.
- Protection method of each message is logged.
- All HTTP messages are logged. Format allows offline analysis using Wireshark.
- In the event of failed transactions, saved certificates are not deleted from file system for further debug and analysis.
- The system allows CMPv2 debugging for multiple ca-profile at the same time.
ocsp
Syntax
Context
Description
This command enable debug output of OCSP protocol for the specified CA
Default
no ocsp
Parameters
Tools Commands
mc-ipsec
Syntax
Context
Description
This command enables the 7750 SR mc-ipsec context.
force-switchover
Syntax
Context
Description
This command manually switches over the 7750 SR mc-ipsec mastership of specified tunnel-group.
Parameters
ike-initiate
Syntax
Context
Description
This command initiates tunnel setup for the specified LAN-to-LAN tunnel or for all static LAN-to-LAN tunnels in the specified tunnel group. This command initiates tunnel setup regardless of the configuration of the ipsec-responder-only command under the specified tunnel group.
The command only initiates tunnel setup when the tunnel group is in the MC-IPSec master state, or if MC-IPSec is not enabled for the tunnel group. If MC-IPSec is enabled and the tunnel group is not in the master state, the system will abort tunnel setup if MIMP goes down or if mastership changes during the tunnel setup.
Operationally up tunnels are not affected by this command. The system will not try to initiate a tunnel setup if the tunnel’s operation flags are not clear.
The system does not automatically retry tunnel setup if a tunnel setup fails.
Default
n/a
Parameters
Clear Commands
lockout
Syntax
Context
Description
This command clears the lockout state for the specified clients. If remote address information is not specified, the system will clear the lockout state for all clients within the specified routing instance, along with all clients within the specified IPSec gateway if local-gateway-address is specified.