Certificate Profile Commands
Client Database Commands
Internet Key Exchange (IKE) Commands
IPsec Transform Commands
RADIUS Policy Commands
IPsec Static Security Association Commands
Trust Anchor Profile/TS List Commands
Tunnel Template Commands
This command creates a text description which is stored in the configuration file to help identify the content of the entity.
The no form of the command removes the string from the configuration.
Default: none
This command administratively disables the entity. When disabled, an entity does not change, reset, or remove any configuration settings or statistics. Many entities must be explicitly enabled using the no shutdown command.
The shutdown command administratively disables an entity. The operational state of the entity is disabled as well as the operational state of any entities contained within. Many objects must be shut down before they may be deleted.
This command provisions or de-provisions an MDA to or from the device configuration for the slot.
This command enables the context to configure Integrated Services Adapter (ISA) parameters.
This command allows a tunnel group to be created or edited. A tunnel group is a set of one or more MS-ISAs that support the origination and termination of IPsec and IP/GRE tunnels. All of the MS-ISAs in a tunnel group must have isa-tunnel as their configured mda-type.
The no form of the command deletes the specified tunnel group from the configuration.
This command specifies the number of active MS-ISAs among all MS-ISAs configured in a tunnel-group with multi-active enabled. IPsec traffic is load balanced across all active MS-ISAs. If the number of configured MS-ISAs is greater than the active-mda-number, the remaining MS-ISAs act as backups.
Default: no
This command assigns an ISA IPsec module configured in the specified slot to this IPsec group. The backup module provides the IPsec group with warm redundancy when the primary module in the group is configured. An IPsec group must always have a primary configured.
Primary and backup modules have equal operational status and when both modules are coming up, the one that becomes operational first becomes the active module. An IPsec module can serve as a backup for multiple IPsec groups but the backup can become active for only one ISA IPsec group at a time.
All configuration information is pushed down to the backup MDA from the CPM once the CPM gets notice that the primary module has gone down. This allows multiple IPsec groups to use the same backup module. Any statistics not yet spooled will be lost. Auto-switching from the backup to primary, once the primary becomes available again, is supported.
The operator is notified through SNMP events when:
The no form of the command removes the specified module from the IPsec group.
Default: no backup
This command specifies the MDA ID of an MS-ISA that is a member of a tunnel-group with multi-active enabled. Up to 16 MDAs can be configured under the same tunnel-group.
Default: no
This command enables configuring multiple active MS-ISAs in the tunnel-group. IPsec traffic is load balanced across the configured active MS-ISAs.
Operational notes:
Default: no
This command assigns an ISA IPsec module configured in the specified slot to this IPsec group. The backup ISA IPsec provides the IPsec group with warm redundancy when the primary ISA IPsec in the group is configured. Primary and backup ISA IPsec have equal operational status and when both MDAs are coming up, the one that becomes operational first becomes the active ISA IPsec.
All configuration information is pushed down to the backup MDA from the CPM once the CPM gets notice that the primary module has gone down. This allows multiple IPsec groups to use the same backup module. Any statistics not yet spooled will be lost. Auto-switching from the backup to primary, once the primary becomes available again, is supported.
The operator is notified through SNMP events when:
The no form of the command removes the specified primary ID from the group’s configuration.
Default: no primary
This command configures IP packet reassembly for IPsec and GRE tunnels supported by an MS-ISA. The reassembly command at the tunnel-group level configures IP packet reassembly for all IPsec and GRE tunnels associated with the tunnel-group. The reassembly command at the GRE tunnel level configures IP packet reassembly for that one specific GRE tunnel, overriding the tunnel-group configuration.
The no form of the command disables IP packet reassembly.
Default: no reassembly (tunnel-group level)
Default: reassembly (gre-tunnel level)
With this command configured, the system acts only as an IKE responder, except for the automatic CHILD_SA re-key upon MC-IPsec switchover.
Default: no
This command creates a new cert-profile or enters the configuration context of an existing cert-profile.
The no form of the command removes the profile name from the cert-profile configuration.
Default: none
This command configures the certificate profile entry information.
The no form of the command removes the entry-id from the cert-profile configuration.
Default: none
This command specifies the file name of an imported certificate for the cert-profile entry.
The no form of the command removes the cert-file-name from the entry configuration.
Default: none
This command specifies the filename of an imported key for the cert-profile entry.
The no form of the command removes the key-filename from the entry configuration.
Default: none
This command enters the configuration context of send-chain in the cert-profile entry.
The configuration of this command is optional. By default, the system sends only the certificate specified by the cert command in the selected entry to the peer. This command allows the system to send additional CA certificates to the peer; these additional CA certificates must be in the certificate chain of the certificate specified by the cert command in the same entry.
This command specifies a CA certificate in the specified ca-profile to be sent to the peer.
Multiple configurations (up to seven) of this command are allowed in the same entry.
Default: none
This command creates a new IPsec client-db or enters the configuration context of an existing client-db.
An IPsec client-db can be used for IKEv2 dynamic LAN-to-LAN tunnel authentication and authorization. When a new tunnel request is received, the system matches the request against the client entries configured in the client-db and uses the credentials returned by the matched client entry for authentication. If authentication succeeds, the system can also use the IPsec configuration parameters (such as private-service-id) returned by the matched entry to set up the tunnel.
The configured client-db is referenced under the ipsec-gw configuration context using the client-db command.
The no form of the command removes the db-name from the configuration.
Default: no client-db
This command creates a new IPsec client entry in the client-db or enters the configuration context of an existing client entry.
There may be multiple client entries defined in the same client-db. If there are multiple entries that match the new tunnel request, then the system will select the entry that has smallest client-index.
The no form of the command reverts to the default.
Default: no client
This command enables the context to configure client ID information of this IPsec client.
If multiple match inputs are configured in the match-list of the client-db, then all corresponding match criteria must be configured for the client entry.
Default: none
This command specifies a match criterion that uses the peer’s Identification Initiator (IDi) as the input. Only one IDi criterion can be configured for a given client entry. This command supports the following matching methods:
The no form of the command reverts to the default.
Default: no idi
This command specifies a match criterion that uses the peer’s tunnel IP address as the input. Only one peer-ip-prefix criterion can be configured for a given client entry.
The no form of the command reverts to the default.
Default: no peer-ip-prefix
This command specifies the name of the client entry. The client name can be used in CLI navigation or in show commands.
Default: none
This command enables the context to configure the parameters used to authenticate peers.
Default: none
This command specifies a pre-shared key used to authenticate peers.
The no form of the command reverts to the default.
Default: no pre-shared-key
This command specifies the private interface name that is used for tunnel setup.
The no form of the command reverts to the default.
Default: no private-interface
This command specifies the private service ID that is used for tunnel setup.
The no form of the command reverts to the default.
Default: no private-service
This command specifies the traffic selector (TS) to be used for tunnel setup.
The no form of the command reverts to the default.
Default: no ts-negotiation
This command specifies the tunnel template to be used for tunnel setup.
The no form of the command reverts to the default.
Default: no tunnel-template
This command enables the context of the client-db’s match list. The match list defines the match inputs used during IPsec tunnel setup. If multiple inputs are configured in the match list, then all of them must match before the system considers a client entry a match.
Default: none
This command enables the Identification Initiator (IDi) type in the IPsec client matching process.
The no form of the command disables the IDi matching process.
Default: no idi
This command enables the use of the peer’s tunnel IP address as the match input.
The no form of the command disables the peer IP prefix matching process.
Default: no peer-ip-prefix
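As an added illustration of the client-db selection rules described above (not SR OS code), the following Python models a match list with the idi and peer-ip-prefix inputs, requires every enabled input to be configured on an entry before that entry can match, and picks the lowest client-index among the matches. The entry layout, the exact/suffix IDi methods and the sample entries are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model of the client-db selection logic; names, the "exact"/"suffix"
# IDi methods and the field layout are assumptions, not SR OS code.


@dataclass(frozen=True)
class IdiCriterion:
    value: str
    method: str = "exact"   # assumed methods: "exact" or "suffix"

    def matches(self, idi: str) -> bool:
        if self.method == "exact":
            return idi == self.value
        if self.method == "suffix":
            return idi.endswith(self.value)
        raise ValueError(f"unknown IDi match method: {self.method}")


@dataclass(frozen=True)
class ClientEntry:
    index: int                             # client-index; lowest wins on ties
    name: str
    idi: Optional[IdiCriterion] = None
    peer_ip_prefix: Optional[str] = None
    pre_shared_key: Optional[str] = None   # credential returned on a match
    private_service: Optional[int] = None  # private-service-id returned on a match


@dataclass(frozen=True)
class TunnelRequest:
    idi: str
    peer_ip: str


def entry_matches(entry: ClientEntry, req: TunnelRequest, match_list: set) -> bool:
    """True when every input enabled in the match list is both configured on
    the entry and satisfied by the request. An entry that lacks a criterion
    for an enabled input can never match."""
    if "idi" in match_list:
        if entry.idi is None or not entry.idi.matches(req.idi):
            return False
    if "peer-ip-prefix" in match_list:
        if entry.peer_ip_prefix is None:
            return False
        net = ipaddress.ip_network(entry.peer_ip_prefix, strict=False)
        if ipaddress.ip_address(req.peer_ip) not in net:
            return False
    return True


def select_client(entries, req, match_list):
    """Return the matching entry with the smallest client-index, or None."""
    candidates = [e for e in entries if entry_matches(e, req, match_list)]
    if not candidates:
        return None
    return min(candidates, key=lambda e: e.index)


# Constructed sample client-db: a broad suffix entry, a specific branch entry,
# an entry with no IDi criterion, and an entry for a different site.
SAMPLE_DB = [
    ClientEntry(20, "any-branch", IdiCriterion(".branch.example", "suffix"),
                "192.0.2.0/24", pre_shared_key="psk-branch", private_service=100),
    ClientEntry(5, "branch7", IdiCriterion("gw7.branch.example"),
                "192.0.2.0/24", pre_shared_key="psk-7", private_service=107),
    ClientEntry(2, "peer-only", None, "192.0.2.0/24",
                pre_shared_key="psk-ip", private_service=199),
    ClientEntry(3, "other-site", IdiCriterion("gw1.other.example"),
                "198.51.100.0/24", pre_shared_key="psk-other", private_service=300),
]


def demo():
    """Same request, two match lists: with idi enabled the entry lacking an IDi
    criterion is skipped; with peer-ip-prefix alone it wins on client-index."""
    req = TunnelRequest(idi="gw7.branch.example", peer_ip="192.0.2.10")
    both = select_client(SAMPLE_DB, req, {"idi", "peer-ip-prefix"})
    ip_only = select_client(SAMPLE_DB, req, {"peer-ip-prefix"})
    return both.name, ip_only.name


if __name__ == "__main__":
    print(demo())
```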
This command enables the context to configure Internet Protocol Security (IPsec) parameters. IPsec is a suite of open standards that ensures private, secure communications over Internet Protocol (IP) networks by using cryptographic security services.
This command specifies a ca-profile as a trust-anchor CA. Multiple trust anchors (up to 8) can be specified in a single trust-anchor-profile.
This command enables the context to configure an IKE policy.
The no form of the command
The command specifies which hashing algorithm to use for the IKE authentication function.
The no form of the command removes the parameter from the configuration.
This command specifies the authentication method used with this IKE policy.
The no form of the command removes the parameter from the configuration.
Default: no auth-method
This command enables following behavior for IKEv2 remote-access tunnel when auth-method is configured as auto-eap-radius:
This command only applies when auth-method is configured as auto-eap-radius.
Default: auto-eap-method cert
This command enables following behavior for IKEv2 remote-access tunnel when auth-method is configured as auto-eap-radius:
This command only applies when auth-method is configured as auto-eap-radius.
Default: auto-eap-method cert
This command specifies which Diffie-Hellman group is used to calculate session keys. Three groups are supported with IKEv1:
More bits provide a higher level of security, but require more processing.
Default: 5
The no form of the command removes the Diffie-Hellman group specification.
This command controls the dead peer detection mechanism.
The no form of the command removes the parameters from the configuration.
This command specifies the encryption algorithm to use for the IKE session.
The no form of the command removes the encryption algorithm from the configuration.
Default: aes128
This command specifies one of two modes of operation. IKE version 1 supports main mode and aggressive mode; the difference lies in the number of messages used to establish the session.
The no form of the command removes the mode of operation from the configuration.
Default: main
This command sets the IKE version (1 or 2) that the ike-policy will use.
Default: 1
ikev1-ph1-responder-delete-notify
This command enables IKEv2 protocol-level fragmentation (RFC 7383). The specified MTU is the maximum size of an IKEv2 packet.
Default: no ikev2-fragment
This parameter specifies the lifetime of a phase two SA.
The no form of the command reverts the ipsec-lifetime value to the default.
Default: 3600 (1 hour)
This command specifies the lifetime of a phase one SA. ISAKMP stands for Internet Security Association and Key Management Protocol.
The no form of the command reverts the isakmp-lifetime value to the default.
Default: 86400
This command enables the lockout mechanism for the IPsec tunnel. The system will lock out an IPsec client for the configured time interval if the number of failed authentications exceeds the configured value within the specified duration. This command only applies when the system acts as a tunnel responder.
A client is defined as the tunnel IP address plus the port.
Optionally, the max-port-per-ip parameter can be configured as the maximum number of ports allowed behind the same IP address. If this threshold is exceeded, then all ports behind the IP address are blocked.
The no form of this command disables the lockout mechanism.
Default: N/A
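An added example, not SR OS code, of how a responder-side lockout of the kind described above can be tracked: a sliding window of failed authentications per client (tunnel IP plus port) and an optional cap on the number of distinct failing ports behind one IP, which blocks every port behind that address once exceeded. The parameter names, the strictly-greater-than comparison and the decision to count only ports that have failed authentication are assumptions.

```python
from collections import defaultdict, deque

# Constructed model of the lockout behaviour. Parameter names (max_failures,
# duration, block_time, max_port_per_ip), counting only ports with failed
# attempts, and "exceeds" meaning strictly greater are assumptions, not SR OS
# code. Timestamps are seconds as plain numbers.


class IkeLockout:
    def __init__(self, max_failures, duration, block_time, max_port_per_ip=None):
        self.max_failures = max_failures      # failures tolerated inside `duration`
        self.duration = duration              # sliding window length
        self.block_time = block_time          # how long a lockout lasts
        self.max_port_per_ip = max_port_per_ip
        self._failures = defaultdict(deque)   # (ip, port) -> failure timestamps
        self._ports_seen = defaultdict(set)   # ip -> ports with failed attempts
        self._locked_until = {}               # (ip, port) or ip -> expiry time

    def is_locked(self, ip, port, now):
        """True if this client (ip+port) or the whole IP is currently locked out."""
        for key in ((ip, port), ip):
            expiry = self._locked_until.get(key)
            if expiry is not None:
                if now < expiry:
                    return True
                del self._locked_until[key]   # lockout expired; forget it
        return False

    def record_failure(self, ip, port, now):
        """Register a failed authentication; return True if the client is now locked."""
        if self.is_locked(ip, port, now):
            return True
        window = self._failures[(ip, port)]
        window.append(now)
        while window and window[0] < now - self.duration:
            window.popleft()                  # drop failures outside the window
        if len(window) > self.max_failures:
            self._locked_until[(ip, port)] = now + self.block_time
            window.clear()
            return True
        if self.max_port_per_ip is not None:
            self._ports_seen[ip].add(port)
            if len(self._ports_seen[ip]) > self.max_port_per_ip:
                # too many ports behind one address: block the whole IP
                self._locked_until[ip] = now + self.block_time
                self._ports_seen[ip].clear()
                return True
        return False
```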
This command enables checking that the IKE peer's ID matches the peer's certificate when performing certificate authentication.
This command specifies whether NAT-T (Network Address Translation Traversal) is enabled, disabled or in forced mode.
The no form of the command reverts the parameters to the default.
Default: none
This command configures the authentication method used with this IKE policy on its own side.
This command enables perfect forward secrecy on the IPsec tunnel using this policy. PFS provides for a new Diffie-Hellman key exchange each time the SA key is renegotiated. After that SA expires, the key is forgotten and another key is generated (if the SA remains up). This means that an attacker who cracks part of the exchange can only read the part that used the key before the key changed; there is no advantage in cracking the other parts if the attacker has already cracked one.
The no form of the command disables PFS. If PFS is turned off during an active SA, then when the SA expires and it is time to re-key the session, the original Diffie-Hellman primes are used to generate the new keys.
Default: 15
Group 1: 768 bits
Group 2: 1024 bits
Group 5: 1536 bits
Group 14: 2048 bits
Group 15: 3072 bits
This command enters the relay unsolicited configuration attributes context. With this configuration, the configured attributes returned from a source (such as a RADIUS server) are returned to the IKEv2 remote-access tunnel client regardless of whether the client requested them in the CFG_REQUEST payload.
This command returns the IPv4 DNS server address from a source (such as a RADIUS server) to the IKEv2 remote-access tunnel client regardless of whether the client requested it in the CFG_REQUEST payload.
This command returns the IPv4 netmask from a source (such as a RADIUS server) to the IKEv2 remote-access tunnel client regardless of whether the client requested it in the CFG_REQUEST payload.
This command returns the IPv6 DNS server address from a source (such as a RADIUS server) to the IKEv2 remote-access tunnel client regardless of whether the client requested it in the CFG_REQUEST payload.
send-idr-after-eap-success
This command enables the context to create an ipsec-transform policy. IPsec transform policies can be shared. A change to the ipsec-transform is allowed at any time. The change does not impact tunnels that have already been established until they are renegotiated. If the change is required immediately, the tunnel must be cleared (reset) to force renegotiation.
Assigning an IPsec transform policy to a tunnel requires the tunnel to be shut down.
The no form of the command removes the ID from the configuration.
This command specifies which hashing algorithm should be used for the Encapsulating Security Payload (ESP) authentication function. Both ends of a manually configured tunnel must share the same configuration parameters for the IPsec tunnel to enter the operational state.
The no form of the command disables the authentication.
This command specifies the encryption algorithm to use for the IPsec session. Encryption only applies to esp configurations. If encryption is not defined, esp will not be used.
For IPsec tunnels to come up, both ends need to be configured with the same encryption algorithm.
The no form of the command removes the specified encryption algorithm.
Default: aes128
This command configures an IPsec static SA.
This command configures the authentication algorithm to use for an IPsec manual SA.
The no form of the command reverts to the default value.
Default: sha1
This command configures the direction for an IPsec manual SA.
The no form of the command reverts to the default value.
Default: bidirectional
This command configures the security protocol to use for an IPsec manual SA. The no statement resets to the default value.
Default: esp
This command configures the SPI key value for an IPsec manual SA.
This command specifies the SPI (Security Parameter Index) used to look up the instruction to verify and decrypt incoming IPsec packets when the value of the direction command is inbound.
When the value of the direction command is outbound, the SPI value specifies the SPI used in the encoding of outgoing packets. The remote node can use this SPI to look up the instruction to verify and decrypt the packet.
If no spi is selected, then this static SA cannot be used.
The no form of the command reverts to the default value.
Default: none
The system automatically establishes the phase 1 SA as soon as the tunnel is provisioned and enabled (no shutdown). This option should only be configured on one side of the tunnel.
Any associated static routes remain up as long as the tunnel is able to come up, even though it may actually be operationally down according to the CLI.
Default: None
This command specifies the trust-anchor-profile for the ipsec-tunnel or ipsec-gw. This command will override “trust-anchor” configuration under the ipsec-tunnel or ipsec-gw.
Default: no trust-anchor-profile
This command creates a new traffic selector (TS).
The no form of the command removes the list name from the configuration.
Default: no ts-list
This command enables the context to configure local TS-list parameters. The TS-list is the traffic selector of the local system, such as TSr, when the system acts as an IKEv2 responder.
This command enables the context to configure remote TS-list parameters. The TS-list is the traffic selector of the local system, such as TSi, when the system acts as an IKEv2 responder.
This command creates a new TS-list entry or enables the context to configure an existing TS-list entry.
The no form of the command removes the entry from the local or remote configuration.
Default: N/A
This command specifies the address range in the IKEv2 traffic selector.
Default: N/A
This command specifies the protocol and port range in the IKEv2 traffic selector.
The SR OS supports OPAQUE ports and port ranges for the following protocols:
For ICMP and ICMPv6, the port value takes the form icmp-type/icmp-code. For MIPv6, the port value is the mobility header type. For other protocols, only the port any configuration can be used.
Default: N/A
This command enables the IKEv2 traffic selector negotiation with the specified ts-list.
This command creates a tunnel template. Up to 2,000 templates are allowed.
Default: none
This command enables clearing of the Do-not-Fragment bit.
This command specifies the maximum size of an encapsulated tunnel packet for the ipsec-tunnel/ip-tunnel or for the dynamic tunnels terminated on the ipsec-gw. If an encapsulated IPv4/IPv6 tunnel packet exceeds the encapsulated-ip-mtu, the system fragments the packet to fit the encapsulated-ip-mtu.
This command enters ICMPv6 packet generation configuration context.
This command enables the system to send ICMPv6 PTB (Packet Too Big) messages on the private side and optionally specifies the rate.
With this command configured, the system sends a PTB back if an IPv6 packet received on the private side is larger than 1280 bytes and also exceeds the private MTU of the tunnel.
The ip-mtu command (under ipsec-tunnel or tunnel-template) specifies the private MTU for the ipsec-tunnel or dynamic tunnel.
This command configures the template IP MTU.
This command sets the anti-replay window.
The no form of the command removes the parameter from the configuration.
Default: no replay-window
This command specifies whether the node using this template will accept framed-routes sent by the RADIUS server and install them for the lifetime of the tunnel as managed routes.
The no form of the command disables sp-reverse-route.
Default: no sp-reverse-route
This command configures IPsec transform.
This command enables the context to configure IPsec policies.
Default: none
This command specifies the cert-profile for the ipsec-tunnel or ipsec-gw. This command will override cert and key configuration under the ipsec-tunnel or ipsec-gw.
Default: none
This command configures a security policy to use for an IPsec tunnel.
Default: none
This command configures an IPsec security policy entry.
This command configures the local (from the VPN) IP prefix/mask for the policy parameter entry.
Only one entry is necessary to describe a potential flow. The local-ip and remote-ip commands can be defined only once. The system evaluates the local IP as the source IP when traffic is examined in the direction of VPN to tunnel and as the destination IP when traffic flows from the tunnel to the VPN. The remote IP is evaluated as the source IP when traffic flows from the tunnel to the VPN and as the destination IP when traffic flows from the VPN to the tunnel.
This command specifies the local v6 prefix for the security-policy entry.
ipv6-address/prefix: ipv6-address in the form x:x:x:x:x:x:x:x (eight 16-bit pieces) or x:x:x:x:x:x:d.d.d.d, where x is 0 to FFFF (hexadecimal) and d is 0 to 255 (decimal); host bits must be 0; :: is not allowed; prefix-length is 1 to 128.
This command configures the remote (from the tunnel) IP prefix/mask for the policy parameter entry.
Only one entry is necessary to describe a potential flow. The local-ip and remote-ip commands can be defined only once. The system evaluates the local IP as the source IP when traffic is examined in the direction of VPN to tunnel and as the destination IP when traffic flows from the tunnel to the VPN. The remote IP is evaluated as the source IP when traffic flows from the tunnel to the VPN and as the destination IP when traffic flows from the VPN to the tunnel.
This command specifies the remote v6 prefix for the security-policy entry.
ipv6-address/prefix: ipv6-address in the form x:x:x:x:x:x:x:x (eight 16-bit pieces) or x:x:x:x:x:x:d.d.d.d, where x is 0 to FFFF (hexadecimal) and d is 0 to 255 (decimal); host bits must be 0; :: is not allowed; prefix-length is 1 to 28.
This command adds an IPv6 address to the tunnel interface.
The prefix length must be 96 or higher.
ipv6-address/prefix: ipv6-address in the form x:x:x:x:x:x:x:x (eight 16-bit pieces) or x:x:x:x:x:x:d.d.d.d, where x is 0 to FFFF (hexadecimal) and d is 0 to 255 (decimal); prefix-length is 1 to 128.
This command specifies the link-local-address for the tunnel interface.
Only one link-local-address is allowed per interface.
ipv6-address/prefix: ipv6-address in the form x:x:x:x:x:x:x:x (eight 16-bit pieces) or x:x:x:x:x:x:d.d.d.d, where x is 0 to FFFF (hexadecimal) and d is 0 to 255 (decimal).
This command configures the dynamic ISA tunnel redundant next-hop address.
Default: no dynamic-tunnel-redundant-next-hop
This command specifies the redundant next-hop address on a public or private IPsec interface (with a public or private tunnel-sap) for static IPsec tunnels. The standby node uses the specified next-hop address to shunt IPsec traffic to the master in case the standby receives it.
The next-hop address is resolved in the routing table of the corresponding service.
Default: no static-tunnel-redundant-next-hop
This command creates a logical IP routing interface for a Virtual Private Routed Network (VPRN). Once created, attributes like an IP address and service access point (SAP) can be associated with the IP interface.
The interface command, under the context of services, is used to create and maintain IP routing interfaces within VPRN service IDs. The interface command can be executed in the context of an VPRN service ID. The IP interface created is associated with the service core network routing instance and default routing table. The typical use for IP interfaces created in this manner is for subscriber internet access.
Interface names are case sensitive and must be unique within the group of IP interfaces defined for config router interface and config service vprn interface. Interface names must not be in the dotted decimal notation of an IP address. For example, the name “1.1.1.1” is not allowed, but “int-1.1.1.1” is allowed. Show commands for router interfaces use either interface names or IP addresses. Use unique IP address values and interface names to maintain clarity; using the same value for an IP address and an interface name could be unclear to the user. Although not recommended, duplicate interface names can exist in different router instances.
The available IP address space for local subnets and routes is controlled with the config router service-prefix command. The service-prefix command administers the allowed subnets that can be defined on service IP interfaces. It also controls the prefixes that may be learned or statically defined with the service IP interface as the egress interface. This allows segmenting the IP address space into config router and config service domains.
When a new name is entered, a new logical router interface is created. When an existing interface name is entered, the user enters the router interface context for editing and configuration.
By default, there are no default IP interface names defined within the system. All VPRN IP interfaces must be explicitly defined. Interfaces are created in an enabled state.
The no form of this command removes the IP interface and all the associated configuration. The interface must be administratively shut down before issuing the no interface command.
For VPRN services, the IP interface must be shut down before the SAP on that interface may be removed. VPRN services do not have the shutdown command in the SAP CLI context. VPRN service SAPs rely on the interface status to enable and disable them.
This command creates a Service Access Point (SAP) within a service. A SAP is a combination of port and encapsulation parameters which identifies the service access point on the interface and within the router. Each SAP must be unique.
All SAPs must be explicitly created. If no SAPs are created within a service or on an IP interface, a SAP will not exist on that object.
Enter an existing SAP without the create keyword to edit SAP parameters. The SAP is owned by the service in which it was created.
A SAP can only be associated with a single service. A SAP can only be defined on a port that has been configured as an access port using the config interface port-type port-id mode access command. Channelized TDM ports are always access ports.
If a port is shutdown, all SAPs on that port become operationally down. When a service is shutdown, SAPs for the service are not displayed as operationally down although all traffic traversing the service will be discarded. The operational state of a SAP is relative to the operational state of the port on which the SAP is defined.
The no form of this command deletes the SAP with the specified port. When a SAP is deleted, all configuration parameters for the SAP will also be deleted.
Default: No SAPs are defined.
This context provides a SAP to the tunnel. The operator may associate ingress and egress QoS policies as well as filters and virtual scheduling contexts. Internally this creates an Ethernet SAP that is used to send and receive encrypted traffic to and from the MDA. Multiple tunnels can be associated with this SAP. The “tag” is a dot1q value; the operator may see it as an identifier. The range is limited to 1 to 4094.
If the card in the slot has Media Dependent Adapters (MDAs) installed, the port-id must be in the slot_number/MDA_number/port_number format. For example 61/2/3 specifies port 3 on MDA 2 in slot 61.
null: port-id | lag-id
dot1q: {port-id | lag-id}:{qtag1 | cp-conn-prof-id}
qinq: {port-id | lag-id}:{qtag1 | cp-conn-prof-id}.{qtag2 | cp-conn-prof-id}, where cp is a keyword and conn-prof-id is 1 to 8000
port-id: slot/mda/port[.channel]
eth-sat-id: esat-id/slot/port, where esat is a keyword and id is 1 to 20
pxc-id: pxc psc-id.sub-port, where pxc is a keyword, id is 1 to 64 and sub-port is a or b
lag-id: lag-id, where lag is a keyword and id is 1 to 800
qtag1: 0 to 4094
qtag2: * | null | 0 to 4094
The port-id must reference a valid port type. When the port-id parameter represents SONET/SDH and TDM channels the port ID must include the channel ID. A period “.” separates the physical port from the channel-id. The port must be configured as an access port.
If the SONET/SDH port is configured as clear-channel then only the port is specified.
This command specifies an IPsec tunnel name. An IPsec client sets up the encrypted tunnel across the public network. The 7750 SR IPsec MDA acts as a concentrator, gathering and terminating these IPsec tunnels into an IES or VPRN service. This mechanism allows a service provider to offer a global VPRN service even if nodes of the VPRN are on an uncontrolled or insecure portion of the network.
Default: none
This command specifies whether this IPsec tunnel is the BFD designated tunnel.
Default: none
This command assigns a BFD session to provide a heart-beat mechanism for a given IPsec tunnel. There can be only one BFD session assigned to any given IPsec tunnel, but there can be multiple IPsec tunnels using the same BFD session. BFD controls the state of the associated tunnel. If the BFD session goes down, the system also brings down the associated non-designated IPsec tunnel.
Default: none
This command enables dynamic keying for the IPsec tunnel.
The no form of the command reverts to the default.
Default: no dynamic-keying
This command specifies whether to attempt to establish a phase 1 exchange automatically.
The no form of the command disables the automatic attempts to establish a phase 1 exchange.
Default: no auto-establish
This command associates the IPsec transform sets allowed for this tunnel. A maximum of four transforms can be specified. The transforms are listed in decreasing order of preference (the first one specified is the most preferred).
Default: none
This command configures Security Association (SA) for manual keying. When enabled, the command specifies whether this SA entry is created manually by the user or dynamically by the IPsec sub-system.
Default: none
This command configures the information required for manual keying SA creation.
Default: none
This command specifies the size of the anti-replay window. The anti-replay window protocol secures IP against an entity that can inject messages into a message stream from a source to a destination computer on the Internet.
Default: none
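An added example, not SR OS code, of the anti-replay window that the replay-window commands above (tunnel-template and ipsec-tunnel) size: a bitmap window in the style of RFC 4303 Appendix A, with the check separated from the update so that only packets whose integrity check value (ICV) verified can advance the window. Class and method names are my own.

```python
# Constructed illustration of an ESP anti-replay window (RFC 4303 Appendix A
# style). Not SR OS code; class and method names are assumptions.


class ReplayWindow:
    """Sliding window over ESP sequence numbers. Bit 0 of the bitmap is the
    highest accepted sequence number (`top`); bit i stands for `top - i`."""

    def __init__(self, size):
        if size <= 0:
            raise ValueError("window size must be positive")
        self.size = size
        self.top = 0          # highest authenticated sequence number so far
        self.bitmap = 0       # set bits mark sequence numbers already accepted
        self.rejected = {"replay": 0, "too_old": 0, "zero": 0}

    def check(self, seq):
        """Pre-ICV test: would this sequence number be accepted?"""
        if seq == 0:                          # ESP sequence numbers start at 1
            self.rejected["zero"] += 1
            return False
        if seq > self.top:
            return True                       # to the right of the window
        diff = self.top - seq
        if diff >= self.size:
            self.rejected["too_old"] += 1     # fell off the left edge
            return False
        if self.bitmap & (1 << diff):
            self.rejected["replay"] += 1      # already seen: a replay
            return False
        return True

    def update(self, seq):
        """Post-ICV update: record `seq` after the packet authenticated. Only
        packets that passed check() and ICV verification reach here, so a
        forged packet cannot advance the window."""
        mask = (1 << self.size) - 1
        if seq > self.top:
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1               # window jumped past all old state
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def accept(self, seq, icv_ok=True):
        """Convenience: check, then update only if the ICV verified."""
        if not self.check(seq):
            return False
        if not icv_ok:
            return False                      # forged packet: window untouched
        self.update(seq)
        return True


if __name__ == "__main__":
    w = ReplayWindow(32)
    for s in (1, 5, 3, 3, 100, 60, 80):
        print(s, w.accept(s))
    print(w.rejected)
```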
This command configures an IPsec security policy. The policy may then be associated with tunnels defined in the same context.
Default: none
This command is used to configure an IP-GRE or IP-IP tunnel and associate it with a private tunnel SAP within an IES or VPRN service.
The no form of the command deletes the specified IP/GRE or IP-IP tunnel from the configuration. The tunnel must be administratively shutdown before issuing the no ip-tunnel command.
Default: no IP tunnels are defined.
This command sets the source IPv4 address of GRE encapsulated packets associated with a particular GRE tunnel. It must be an address in the subnet of the associated public tunnel SAP interface. The GRE tunnel does not come up until a valid source address is configured.
The no form of the command deletes the source address from the GRE tunnel configuration. The tunnel must be administratively shut down before issuing the no source command.
This command sets the primary destination IPv4 address of GRE encapsulated packets associated with a particular GRE tunnel. If this address is reachable in the delivery service (there is a route to it), it is used as the destination IPv4 address of the GRE encapsulated packets sent by the delivery service.
The no form of the command deletes the destination address from the GRE tunnel configuration.
This command sets the backup destination IPv4 address of GRE encapsulated packets associated with a particular GRE tunnel. If the primary destination address is not defined or is not reachable in the delivery service (there is no route to it), this address is used as the destination IPv4 address of the GRE encapsulated packets sent by the delivery service.
The no form of the command deletes the backup-destination address from the GRE tunnel configuration.
This command instructs the MS-ISA to reset the DF bit to 0 in all payload IP packets associated with the GRE or IPsec tunnel, before any potential fragmentation resulting from the ip-mtu command. (This will require a modification of the header checksum.) The no clear-df-bit command, corresponding to the default behavior, leaves the DF bit unchanged.
The no form of the command disables the DF bit reset.
none
This command sets the delivery service for GRE encapsulated packets associated with a particular GRE tunnel. This is the IES or VPRN service where the GRE encapsulated packets are injected and terminated. The delivery service may be the same service that owns the private tunnel SAP associated with the GRE tunnel. The GRE tunnel does not come up until a valid delivery service is configured.
The no form of the command deletes the delivery-service from the GRE tunnel configuration.
This command sets the DSCP code-point in the outer IP header of GRE encapsulated packets associated with a particular GRE tunnel. The default, set using the no form of the command, is to copy the DSCP value from the inner IP header (after remarking by the private tunnel SAP egress qos policy) to the outer IP header.
no dscp
This command configures a private IPv4 or IPv6 address of the remote tunnel endpoint. A tunnel can have up to 16 dest-ip commands. At least one dest-ip address is required in the configuration of a tunnel. A tunnel does not come up operationally unless all dest-ip addresses are reachable (part of a local subnet).
Unnumbered interfaces are not supported.
No default
ip-address | ipv4-address: a.b.c.d
ip-address | ipv6-address: x:x:x:x:x:x:x:x (eight 16-bit pieces) or x:x:x:x:x:x:d.d.d.d, where x is [0 to FFFF]H and d is [0 to 255]D
This command configures the type of the IP tunnel. If the gre-header command is configured then the tunnel is a GRE tunnel with a GRE header inserted between the outer and inner IP headers. If the no form of the command is configured then the tunnel is a simple IP-IP tunnel.
no gre-header
This command configures the IP maximum transmit unit (packet) for this interface.
Because this connects a Layer 2 to a Layer 3 service, this parameter can be adjusted under the IES interface.
The MTU that is advertised from the IES side is:
MINIMUM((SdpOperPathMtu - EtherHeaderSize), (Configured ip-mtu))
By default (for an Ethernet network interface), if no ip-mtu is configured it is (1568 - 14) = 1554.
The ip-mtu command instructs the MS-ISA to perform IP packet fragmentation, prior to IPsec encryption and encapsulation, based on the configured MTU value. In particular:
If the length of a payload IP packet (including its header) exceeds the configured MTU value and the DF flag is clear (because the clear-df-bit command is present or because the original DF value was 0), the MS-ISA fragments the payload packet as efficiently as possible, that is, it creates the minimum number of fragments, each less than or equal to the configured MTU size; in each created fragment the DF bit is 0.
If the length of a payload IP packet (including its header) exceeds the configured MTU value and the DF flag is set (because the original DF value was 1 and the tunnel has no clear-df-bit in its configuration), the MS-ISA discards the payload packet without sending an ICMP type 3/code 4 (Fragmentation Needed) message back to the packet's source address. Because no ICMP is returned, path MTU discovery at the source cannot learn the tunnel MTU from these drops.
The no ip-mtu command, corresponding to the default behavior, disables fragmentation of IP packets by the MS-ISA; all IP packets, regardless of size or DF bit setting, are allowed into the tunnel.
The effective MTU for packets entering a tunnel is the minimum of the private tunnel SAP interface IP MTU value (used by the IOM) and the tunnel IP MTU value (configured using the above command and used by the MS-ISA). So if it is desired to fragment IP packets larger than X bytes with DF set, rather than discarding them, the tunnel IP MTU should be set to X and the private tunnel SAP interface IP MTU should be set to a value larger than X.
no ip-mtu
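The decision the MS-ISA makes for each payload packet under ip-mtu and clear-df-bit, and the reason the two MTUs have to be ordered as above, as an added example (not SR OS code). It models the private tunnel SAP interface IP MTU check as discarding DF-set packets that exceed it before the MS-ISA sees them, which is the behaviour the ordering advice above relies on; the packet and configuration types and their names are this example's own:

```python
"""Per-packet handling at the ingress of an IPsec or GRE tunnel under ip-mtu.

Added example, not SR OS code. It models the rules in the text above:
  - no tunnel ip-mtu: the MS-ISA never fragments, every packet enters;
  - oversize and DF clear (or clear-df-bit set): fragment into the minimum
    number of pieces, each <= the tunnel MTU, DF=0 in every piece;
  - oversize and DF set without clear-df-bit: silent discard, no ICMP.
The private tunnel SAP interface IP MTU is checked first by the IOM, before
clear-df-bit can act, which is why it must be larger than the tunnel MTU
when fragmentation rather than discard is wanted (modelled as a DF-set
discard at the SAP; the IOM's handling of DF-clear packets is not shown).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPV4_HEADER_LEN = 20   # no options; fragment payloads are carried in 8-byte units


@dataclass
class Packet:
    total_length: int      # IPv4 Total Length: header plus payload
    df: bool
    header_len: int = IPV4_HEADER_LEN


@dataclass
class TunnelConfig:
    sap_ip_mtu: int                  # private tunnel SAP interface IP MTU (IOM)
    tunnel_ip_mtu: Optional[int]     # None means "no ip-mtu" on the tunnel (MS-ISA)
    clear_df_bit: bool = False


def effective_mtu(cfg: TunnelConfig) -> int:
    """Largest packet that can enter the tunnel unfragmented."""
    if cfg.tunnel_ip_mtu is None:
        return cfg.sap_ip_mtu
    return min(cfg.sap_ip_mtu, cfg.tunnel_ip_mtu)


def fragment_lengths(pkt: Packet, mtu: int) -> List[int]:
    """Total lengths of the minimum number of fragments, each <= mtu.
    Every fragment but the last carries the largest multiple-of-8 payload
    that fits, as the IPv4 fragment offset field requires."""
    payload = pkt.total_length - pkt.header_len
    max_payload = (mtu - pkt.header_len) // 8 * 8
    if max_payload <= 0:
        raise ValueError("MTU too small to carry any payload")
    lengths = []
    while payload > max_payload:
        lengths.append(pkt.header_len + max_payload)
        payload -= max_payload
    lengths.append(pkt.header_len + payload)
    return lengths


def ingress_action(pkt: Packet, cfg: TunnelConfig) -> Tuple[str, List[int]]:
    """Return ('pass' | 'fragment' | 'drop', resulting packet lengths)."""
    if pkt.df and pkt.total_length > cfg.sap_ip_mtu:
        # IOM check at the private SAP; clear-df-bit runs later, in the MS-ISA.
        return "drop", []
    if cfg.tunnel_ip_mtu is None or pkt.total_length <= cfg.tunnel_ip_mtu:
        return "pass", [pkt.total_length]
    df_seen_by_isa = False if cfg.clear_df_bit else pkt.df
    if df_seen_by_isa:
        return "drop", []       # discarded silently: no ICMP type 3 code 4
    return "fragment", fragment_lengths(pkt, cfg.tunnel_ip_mtu)


if __name__ == "__main__":
    # Constructed configurations: the recommended ordering (SAP MTU > tunnel MTU) and a tunnel without ip-mtu.
    ordered = TunnelConfig(sap_ip_mtu=1500, tunnel_ip_mtu=1400)
    ordered_clear = TunnelConfig(sap_ip_mtu=1500, tunnel_ip_mtu=1400, clear_df_bit=True)
    no_mtu = TunnelConfig(sap_ip_mtu=1500, tunnel_ip_mtu=None)
    big_df = Packet(total_length=1450, df=True)
    for name, cfg in (("ip-mtu 1400", ordered), ("ip-mtu 1400 + clear-df-bit", ordered_clear), ("no ip-mtu", no_mtu)):
        print(f"{name:28s} effective MTU {effective_mtu(cfg)}: 1450-byte DF packet ->", ingress_action(big_df, cfg))
```

A 1450-byte DF-set packet is dropped by the 1400-byte tunnel, becomes two fragments of 1396 and 74 bytes once clear-df-bit is added, and passes untouched when the tunnel has no ip-mtu; a 1600-byte DF-set packet never reaches the MS-ISA because it exceeds the 1500-byte SAP interface MTU, so clear-df-bit cannot rescue it.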
This command configures the reassembly wait time.
This command configures an IPsec gateway.
This command specifies a service ID or service name of the default security service used by this SAP IPsec gateway.
This command configures a default tunnel policy template for the gateway.
This command enters the context of DHCPv4-based address assignment for IKEv2 remote-access tunnels.
The system acts as a DHCPv4 client on behalf of the IPsec client, and also as a relay agent that relays DHCPv4 packets to the DHCPv4 server.
The DHCPv4 DORA (Discover/Offer/Request/Ack) exchange happens during IKEv2 remote-access tunnel setup. The system also supports standard renew.
In order to use this feature, relay-proxy must be enabled on the corresponding interface (either the private interface or the interface that has the gi-address as its interface address).
no dhcp
This command enters the context of DHCPv6-based address assignment for IKEv2 remote-access tunnels.
The system will act as a DHCPv6 client on behalf of the IPsec client, and will also act as a relay agent to relay DHCPv6 packets to the DHCPv6 server.
DHCPv6 exchange happens during IKEv2 remote-access tunnel setup. The system also supports standard renew.
no dhcp6
This command specifies the gateway IP address (giaddr) of the DHCPv4 packets sent by the system. IPsec DHCP relay uses only the gi-address configuration found under the IPsec gateway and does not take into account a gi-address with src-ip-addr configuration under other interfaces.
no gi-address
This command specifies the link address of the relayed DHCPv6 packets sent by the system.
no link-address
This command enables the system to send a DHCPv4/v6 release message when the IPsec tunnel is removed.
no send-release
This command specifies up to eight DHCPv4/v6 server addresses for DHCPv4/v6-based address assignment. If multiple server addresses are specified, the first advertised DHCPv4/v6 address received will be chosen.
no server
This command configures IKE policy for the gateway.
This command enables the context to configure local address assignments for the IPsec gateway.
This command enables the context to configure IPv4 local address assignment parameters for the IPsec gateway.
This command specifies the IPv4 or IPv6 source of the local address assignment for the IPsec gateway, which is a pool of a local DHCPv4 or DHCPv6 server. The system assigns an internal address to an IKEv2 remote-access client from the specified pool.
Besides the IP address, a netmask and DNS server address can also be returned. For IPv4, the netmask and DNS server address can be returned from the specified pool, as well as the IP address. The netmask returned to the IPsec client is derived from the prefix length in the subnet x.x.x.x/m create configuration, not from the subnet-mask configuration in the subnet context. For IPv6, the DNS server address can be returned from the specified pool, as well as the IP address.
For IPv4, a secondary pool can optionally be specified. The secondary pool is used if the system is unable to assign an address from the primary pool.
no address-source
This command enables the context to configure IPv6 local address assignment parameters for the IPsec gateway.
This command configures local gateway address of the IPsec gateway.
none
This command specifies the local gateway address used for the tunnel and the remote peer IP address, that is, the address of the remote security gateway at the other end of the tunnel.
The base routing context is used if the delivery-router option is not specified.
This command specifies the local ID of the 7750 SR, used as IDi or IDr for IKEv2 tunnels.
The no form of the command removes the parameters from the configuration.
The default depends on the local-auth-method, as follows:
This command configures the pre-shared key for the IPsec gateway or IPsec tunnel.
no pre-shared-key
This command specifies the radius-accounting-policy to be used for the IKEv2 remote-access tunnels terminated on the ipsec-gw. The radius-accounting-policy is defined under config>ipsec context.
none
This command specifies the radius-authentication-policy to be used for the IKEv2 remote-access tunnels terminated on the ipsec-gw. The radius-authentication-policy is defined under config>ipsec context.
none
This command configures cert parameters used by this SAP IPsec gateway.
This command specifies the certificate that the 7750 SR uses to identify itself when the peer requires it. The 7750 SR loads (or reloads) the certificate from the configured URL when the ipsec-tunnel or ipsec-gw is no shutdown.
When the system loads the certificate, it checks that it is a valid X.509v3 certificate by performing the following:
If any of the above checks fails, the no shutdown command fails.
The configured certificate file URL can only be changed or removed when the tunnel or gateway is shut down.
The same certificate can be used for multiple ipsec-tunnels or ipsec-gws. However, for each certificate file there is only one memory instance. If a certificate file has been updated, a no shutdown on any tunnel that uses the certificate file causes the memory instance to be updated. This does not impact tunnels that are currently up and running and use the certificate file, but subsequent authentications use the updated memory instance. Use the cert-profile command.
None
This command specifies the key pair file the 7750 SR uses for X.509 certificate authentication. The system loads the key file when the ipsec-tunnel or ipsec-gw is no shutdown.
When the system loads the key file, it checks whether it is a valid 7750 SR formatted key file.
The key file URL can only be changed or removed when the tunnel or gateway is shut down.
The same key can be used for multiple ipsec-tunnels or ipsec-gws. However, for each key file there is only one memory instance. If a key file has been updated, a no shutdown on any tunnel that uses the key file causes the memory instance to be updated. This does not impact tunnels that are currently up and running and use the key file. Use the cert-profile command.
None
This command enables the context to configure certificate revocation status verification parameters.
none
This command specifies the default result when both the primary and secondary methods fail to provide an answer. The default, revoked, fails closed: a peer whose revocation status cannot be determined is rejected.
default-result revoked
This command specifies the primary method used to verify the revocation status of the peer's certificate; it can be either CRL or OCSP.
OCSP or CRL uses the corresponding configuration in the ca-profile of the issuer of the certificate in question.
primary crl
This command specifies the secondary method used to verify the revocation status of the peer's certificate; it can be either CRL or OCSP.
OCSP or CRL uses the corresponding configuration in the ca-profile of the issuer of the certificate in question.
The secondary method is only used when the primary method fails to provide an answer.
no secondary
This command configures trust anchor with a CA profile used by this SAP IPsec gateway.
This command enables the use of an IPsec client-db. The system uses the specified client-db to authenticate IKEv2 dynamic LAN-to-LAN tunnels.
no client-db
This command specifies an existing RADIUS accounting policy to use to collect accounting statistics on this subscriber profile by RADIUS. This command is used independently of the collect-stats command.
This command specifies the radius authentication policy associated with this IPsec gateway.
This command enables the context to specify the RADIUS parameters that the system should include into RADIUS authentication-request messages.
This command includes called station id attributes.
The no form of the command excludes called station id attributes.
This command enables the inclusion of the calling-station-id attribute in RADIUS authentication requests and RADIUS accounting messages.
no calling-station-id
This command enables the inclusion of the Subject Key Identifier of the peer's certificate in the RADIUS Access-Request packet as VSA: Alc-Subject-Key-Identifier. Refer to the SROS RADIUS Attributes Reference Guide for more information.
no client-cert-subject-key-id
This command enables the inclusion of the framed-ip-addr attribute.
This command enables the generation of the nas-identifier RADIUS attribute.
This command enables the generation of the NAS ip-address attribute.
This command enables the generation of the nas-port-id RADIUS attribute. Optionally, the value of this attribute (the SAP-id) can be prefixed by a fixed string and suffixed by the circuit-id or the remote-id of the client connection. If a suffix is configured, but no corresponding data is available, the suffix used will be 0/0/0/0/0/0.
This command references an existing radius-server-policy (available under the config>aaa context) for use in subscriber management authentication and accounting.
When configured in an authentication-policy, the following CLI commands are ignored in the policy to avoid conflicts:
When configured in a radius-accounting-policy, the following CLI commands are ignored in the policy to avoid conflicts:
The no form of the command removes the radius-server-policy reference from the configuration
no radius-server-policy
This command enables the system to send RADIUS interim-update packets for IKEv2 remote-access tunnels. The RADIUS attributes in the interim-update packet are the same as in acct-start. The value of Acct-Status-Type in the interim-update message is 3 (Interim-Update).
none
This command specifies the password that is used in the RADIUS Access-Request messages. It is a string of up to 32 characters.
The no form of the command resets the password to its default of ALU; the password is stored using hash/hash2 encryption.
ALU
This command enables the context to configure PKI related parameters.
none
This command creates a new ca-profile or enters the configuration context of an existing ca-profile. Up to 128 ca-profiles can be created in the system. Shutting down a ca-profile does not affect the ipsec-tunnels or ipsec-gws associated with it that are currently up and running, but subsequent authentications against a shut-down ca-profile fail.
Executing a no shutdown command in this context causes the system to reload the configured cert-file and crl-file.
A ca-profile can be applied under the ipsec-tunnel or ipsec-gw configuration.
The no form of the command removes the name parameter from the configuration. A ca-profile cannot be removed until all the associated entities (ipsec-tunnel/gw) have been removed.
This command enables the context to configure X.509 certificate related operational parameters.
This command specifies the certificate subject display format.
ascii
This command enables the context to configure CMPv2 parameters. Changes are not allowed when the CA profile is enabled (no shutdown).
This command enables the system to accept both protected and unprotected CMPv2 error messages. Without this command, the system only accepts protected error messages. An unprotected error message carries no integrity protection and so cannot be attributed to the CA; enable this only where the CA is known to send such messages.
The no form of the command causes the system to only accept protected error messages.
no
This command enables the system to accept both protected and unprotected CMPv2 PKI confirmation messages. Without this command, the system only accepts protected PKI confirmation messages.
The no form of the command causes the system to only accept protected PKI confirmation messages.
none
This command specifies to always set the sender field in CMPv2 header of all Initial Registration (IR) messages with the subject name. By default, the sender field is only set if an optional certificate is specified in the CMPv2 request.
no always-set-sender-for-ir
This command enables the context to configure pre-shared key list parameters.
This command specifies a pre-shared key used for CMPv2 initial registration. Multiple key commands can be configured under this context.
The password and reference-number are distributed by the CA via out-of-band means.
The configured password is stored in the configuration file in encrypted form using the SR OS hash2 algorithm.
The no form of the command removes the parameters from the configuration.
none
This command specifies the HTTP URL of the CMPv2 server. The URL must be unique across all configured ca-profiles.
The URL is resolved by the DNS server configured (if any) in the corresponding router context.
If the service-id is 0 or omitted, the system tries to resolve the FQDN via the DNS server configured in bof.cfg. After resolution, the system connects to the address in the management routing instance first, then in the base routing instance.
If the service is a VPRN, the system only allows HTTP ports 80 and 8080.
none
This command specifies the revocation method the system uses to check the revocation status of certificates issued by the CA. The default value is crl, which uses the CRL. With crl-optional, when the user enables (no shutdown) the ca-profile the system tries to load the configured CRL (specified by the crl-file command); if the system fails to load it for any of the following reasons, the ca-profile is still brought oper-up, but the CRL is treated as non-existent.
If the system needs to use the CRL of a specific ca-profile to check the revocation status of an end-entity certificate and the CRL is non-existent for the above reasons, the system treats this as being unable to get an answer from the CRL and falls back to the next status-verify method or to the default-result.
If the system needs to check the revocation status of a CA certificate in the certificate chain and the CRL is non-existent for the above reasons, the system skips the revocation check of that CA certificate. For example, if CA1 is issued by CA2, CA2's revocation-check is crl-optional and CA2's CRL is non-existent, the system does not check the revocation status of the CA1 certificate and considers it good. This means that a missing CRL under crl-optional weakens chain checking: a revoked intermediate CA is not detected until the CRL loads.
Note: Users must shut down the ca-profile to change the revocation-check configuration.
revocation-check crl
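The fallback order that primary, secondary and default-result define, together with the crl-optional behaviour above (an end-entity certificate falls through to the next method or the default-result, a CA certificate in the chain is skipped), as an added example rather than SR OS code. CRL signature checking and OCSP transport are outside it: each ca-profile here is a constructed record of what its CRL or OCSP responder would answer, and the type and function names are this example's own.

```python
"""Revocation status-verify chain: primary method, secondary method, default-result,
plus the crl-optional rule for a CRL that failed to load.

Added example, not SR OS code. A ca-profile is a constructed record of what
its CRL and OCSP responder would answer; CRL signature checking and OCSP
transport are assumed to have happened before these answers exist.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class CaProfile:
    name: str
    revocation_check: str = "crl"                  # "crl" or "crl-optional"
    crl_revoked: Optional[Set[str]] = field(default_factory=set)   # None: CRL non-existent (crl-optional, load failed)
    ocsp_answers: Optional[Dict[str, str]] = None  # serial -> "good"/"revoked"; None: responder gave no answer


@dataclass
class Cert:
    subject: str
    serial: str
    issuer: str          # name of the CaProfile that issued it
    is_ca: bool = False


@dataclass
class StatusVerify:
    primary: str = "crl"
    secondary: Optional[str] = None     # "no secondary" by default
    default_result: str = "revoked"


def query(method: str, ca: CaProfile, cert: Cert) -> Optional[str]:
    """One lookup with one method: 'good', 'revoked', or None for no answer."""
    if method == "crl":
        if ca.crl_revoked is None:
            return None                               # CRL never loaded
        return "revoked" if cert.serial in ca.crl_revoked else "good"
    if method == "ocsp":
        if ca.ocsp_answers is None:
            return None                               # responder unreachable
        return ca.ocsp_answers.get(cert.serial)       # unknown serial -> None
    raise ValueError(f"unsupported method {method!r}")


def check_one(cert: Cert, ca: CaProfile, sv: StatusVerify) -> Tuple[str, str]:
    """Status of one certificate and which step decided it."""
    if cert.is_ca and ca.revocation_check == "crl-optional" and ca.crl_revoked is None:
        # CA cert in the chain with the issuer's CRL missing: check skipped, treated as good.
        return "good", "skipped (issuer CRL non-existent under crl-optional)"
    for label, method in (("primary", sv.primary), ("secondary", sv.secondary)):
        if method is None:
            continue
        answer = query(method, ca, cert)
        if answer is not None:
            return answer, f"{label} {method}"
    return sv.default_result, "default-result"


def verify_chain(chain: List[Cert], profiles: Dict[str, CaProfile], sv: StatusVerify):
    """chain[0] is the peer's end-entity cert; each later entry issued the one before it.
    The trust anchor itself is not in the chain and is not revocation-checked."""
    details = []
    for cert in chain:
        status, decided_by = check_one(cert, profiles[cert.issuer], sv)
        details.append((cert.subject, status, decided_by))
    overall = "revoked" if any(d[1] == "revoked" for d in details) else "good"
    return overall, details


if __name__ == "__main__":
    # Constructed PKI: CA2 (trust anchor, crl-optional, CRL failed to load) issued CA1; CA1 issued the peer certs.
    profiles = {
        "CA2": CaProfile("CA2", revocation_check="crl-optional", crl_revoked=None),
        "CA1": CaProfile("CA1", crl_revoked={"0x2"}),
    }
    ca1 = Cert("CA1", "0x10", issuer="CA2", is_ca=True)
    for peer in (Cert("peer-a", "0x1", "CA1"), Cert("peer-b", "0x2", "CA1")):
        print(peer.subject, verify_chain([peer, ca1], profiles, StatusVerify()))
```

In the constructed PKI, peer-a is good and peer-b is revoked by CA1's CRL, while CA1 itself is never checked because CA2's CRL did not load; an end-entity certificate issued directly by CA2 would instead fall through to the secondary method and then to default-result, which with the default of revoked rejects it.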
This command specifies the timeout value for HTTP response that is used by CMPv2.
The no form of the command reverts to the default.
30 seconds
This command configures the HTTP version for CMPv2 messages.
1.1
This command specifies an imported certificate that is used to verify CMPv2 response messages when they are protected by signature. If this command is not configured, the CA's certificate is used.
none
This command enables the system to use the same recipNonce as in the last CMPv2 response for the poll request.
none
This command requests an additional certificate after the system has obtained the initial certificate from the CA.
The request is authenticated by a signature made with the current-key, sent along with the current-cert. The hash algorithm used for the signature depends on the key type:
In some cases, the CA may not return a certificate immediately, for example because request processing needs manual intervention. In such cases, the admin certificate cmpv2 poll command can be used to poll the status of the request.
none
This command clears current pending CMPv2 requests toward the specified CA. If there are no pending requests, it will clear the saved result of prior request.
none
This command requests an initial certificate from the CA using the CMPv2 initial registration procedure.
The ca parameter specifies a ca-profile that includes the CMP server information.
The key-to-certify is an imported key file to be certified by the CA.
The protection-key is an imported key file used for message protection if protection-alg is signature.
The request is authenticated by either of the following methods:
Optionally, the system can also send a certificate or a chain of certificates in the extraCerts field. The certificate is specified by the cert parameter; it must include the public key of the key used for message protection.
Sending a chain is enabled by specifying the send-chain parameter.
subject-dn specifies the subject of the requested certificate.
save-as specifies the full path name under which the resulting certificate is saved.
In some cases, the CA may not return the certificate immediately, for example because request processing needs manual intervention. In such cases, the admin certificate cmpv2 poll command can be used to poll the status of the request. If key-list is not configured in the corresponding ca-profile, the system uses the existing password to authenticate CMPv2 packets from the server when they are password protected.
If key-list is configured in the corresponding ca-profile and the server does not send a SenderKID, the system uses the lexicographically first key in the key-list to authenticate CMPv2 packets from the server when they are password protected.
none
This command requests a new certificate from the CA to update an existing certificate, for reasons such as key refresh or replacing a compromised key.
In some cases, the CA may not return the certificate immediately, for example because request processing needs manual intervention. In such cases, the admin certificate cmpv2 poll command can be used to poll the status of the request.
This command polls the status of the pending CMPv2 request toward the specified CA.
If the response is ready, this command resumes the CMPv2 protocol exchange with the server as the original command would have done. The request may still be pending as a result, in which case this command can be used again to poll the status.
SR OS allows only one pending CMP request per CA, which means no new request is allowed while a pending request is present.
none
This command displays the current CMPv2 pending request toward the specified CA. If there is no pending request, the last request is displayed, including its status (success/fail/rejected) and the receive time of the last CMPv2 message from the server.
The following information is included in the output:
none
This command creates a new file transmission profile or enters the configuration context of an existing file-transmission-profile.
The file-transmission-profile context defines transport parameters for protocols such as HTTP, including the routing instance, source address, timeout value, and so on.
N/A
This command specifies the IPv4 source address used for transport protocol.
The no form of this command uses the default source address which typically is the address of the egress interface.
no ipv4-source-address
This command specifies the IPv6 source address used for transport protocol.
The no form of this command uses the default source address which typically is the address of egress interface.
no ipv6-source-address
This command enables the system to accept HTTP redirection responses, along with the maximum level of redirection. The virtual router may send a new request to another server if the requested resources are not available (for example, temporarily moved to another server).
no redirection
This command specifies the number of retries at the transport protocol level.
When the virtual router does not receive any data from a server (for example, an FTP or HTTP server) within the configured timeout in seconds, the router may repeat the request to the server. The number of retries specifies the maximum number of repeated requests.
The no form of this command disables retries.
no retry
This command specifies the routing instance that the transport protocol uses.
Base
router-instance | router-name or service-id
router-name | Base, management, vpls-management
service-id | 1 to 2147483647
This command specifies the timeout value in seconds for the transport protocol. The timeout is the maximum waiting time to receive any data from the server (for example, an FTP or HTTP server).
60
This command creates an auto CRL update configuration context with the create parameter, or enters the auto-crl-update configuration context without the create parameter.
This mechanism automatically downloads a CRL file from a list of configured HTTP URLs, either periodically or before the existing CRL expires. If the downloaded CRL is more recent than the existing one, the existing one is replaced.
Note: The configured URL must point to a DER encoded CRL file.
no auto-crl-update
This command enables the context to configure crl-urls parameters. The system allows up to eight URL entries to be configured; it tries each URL in order and stops when a qualified CRL is successfully downloaded. A qualified CRL is a valid CRL signed by the CA that is more recent than the existing CRL.
If none of the configured URLs returns a qualified CRL, then:
If the user wants to stop the download manually, shutting down auto-crl-update achieves this.
N/A
This command creates a new crl-url entry with the create parameter, or enters an existing url-entry configuration context without create parameter.
The no form of this command removes the specified entry.
N/A
This command specifies the file-transmission-profile for the url-entry. When the system downloads a CRL from the URL configured in the url-entry, it uses the transport parameters configured in the file-transmission-profile. auto-crl-update supports the Base, management and VPRN routing instances; vpls-management is not supported. In the case of a VPRN, the HTTP server port can only be 80 or 8080.
The no form of the command removes the specified profile name.
N/A
This command specifies the HTTP URL of the CRL file for the url-entry. The system supports both IPv4 and IPv6 HTTP connections.
Note: The URL must point to a DER encoded CRL.
N/A
This command specifies the interval for periodic updates. The minimum interval is 1 hour. The maximum interval is 366 days.
days 1
This command specifies the interval, in seconds, that the system waits before retrying the configured url-entry list when schedule-type is next-update-based and none of the URLs return a qualified CRL.
The no form of the command causes the system to retry immediately without waiting.
3600
This command specifies the pre-download time for next-update-based update.
hrs 1
This command specifies the schedule type for auto CRL update. The system supports two types:
next-update-based
This command disables the auto CRL update.
The no form of this command enables auto CRL update. Upon no shutdown, if the configured CRL file does not exist, is invalid or has expired, or if the schedule-type is next-update-based and the current time is past (Next-Update of the existing CRL - pre-update-time), the system starts downloading the CRL right away.
shutdown
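The scheduling and URL-fallback rules of auto-crl-update (when a download is due under each schedule-type, which downloaded CRL is qualified, and what happens when no URL returns one), as an added example rather than SR OS code. A download result here is a constructed record of an already parsed and signature-checked CRL, or None when the URL returned nothing usable; the behaviour of a periodic profile after a failed round is not stated above and is an assumption of this example, as are all the type and method names.

```python
"""auto-crl-update: when to fetch, which download counts, what to do on failure.

Added example, not SR OS code. Only the scheduling and URL-fallback logic
is modelled: a download result is a constructed record of an already
parsed and signature-checked CRL (issuer, thisUpdate, nextUpdate), or
None when the URL returned nothing usable. What a "periodic" profile
does after a failed round is not stated in the text; here it simply waits
for the next interval, and that is an assumption of this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class CrlInfo:
    issuer: str
    this_update: datetime
    next_update: datetime


@dataclass
class AutoCrlUpdate:
    ca_name: str
    urls: List[str]                                  # crl-urls entries, tried in order
    schedule_type: str = "next-update-based"         # or "periodic"
    periodic_update_interval: timedelta = timedelta(days=1)
    pre_update_time: timedelta = timedelta(hours=1)
    retry_interval: Optional[timedelta] = timedelta(seconds=3600)   # None: retry immediately

    def __post_init__(self) -> None:
        if not 1 <= len(self.urls) <= 8:
            raise ValueError("between one and eight url-entries are allowed")
        if self.schedule_type not in ("next-update-based", "periodic"):
            raise ValueError(self.schedule_type)
        if not timedelta(hours=1) <= self.periodic_update_interval <= timedelta(days=366):
            raise ValueError("periodic interval must be between 1 hour and 366 days")

    def is_qualified(self, cand: Optional[CrlInfo], existing: Optional[CrlInfo], now: datetime) -> bool:
        """Qualified: usable, from this CA, not yet expired, and newer than what we hold."""
        if cand is None or cand.issuer != self.ca_name or cand.next_update <= now:
            return False
        return existing is None or cand.this_update > existing.this_update

    def download_due(self, existing: Optional[CrlInfo], now: datetime) -> bool:
        """The no shutdown rule: missing or expired CRL -> fetch now; next-update-based
        -> fetch once now >= NextUpdate - pre-update-time; periodic -> fetch on each tick."""
        if existing is None or existing.next_update <= now:
            return True
        if self.schedule_type == "next-update-based":
            return now >= existing.next_update - self.pre_update_time
        return True

    def next_fetch_after_success(self, crl: CrlInfo, now: datetime) -> datetime:
        if self.schedule_type == "periodic":
            return now + self.periodic_update_interval
        return crl.next_update - self.pre_update_time

    def run_once(self, existing: Optional[CrlInfo], now: datetime,
                 fetched: Dict[str, Optional[CrlInfo]]) -> Tuple[Optional[CrlInfo], datetime, List[str]]:
        """Try the URL list in order. Return (CRL now in use, time of next attempt, log)."""
        log = []
        for url in self.urls:
            cand = fetched.get(url)
            if self.is_qualified(cand, existing, now):
                log.append(f"{url}: qualified, thisUpdate {cand.this_update:%Y-%m-%d %H:%M}")
                return cand, self.next_fetch_after_success(cand, now), log
            log.append(f"{url}: " + ("no usable CRL" if cand is None else "not qualified"))
        if self.schedule_type == "next-update-based":
            return existing, now + (self.retry_interval or timedelta(0)), log
        return existing, now + self.periodic_update_interval, log   # assumption, see module docstring


if __name__ == "__main__":
    ca = "CA1"
    cfg = AutoCrlUpdate(ca, ["http://crl1.example/ca1.crl", "http://crl2.example/ca1.crl", "http://crl3.example/ca1.crl"])
    existing = CrlInfo(ca, datetime(2024, 1, 1), datetime(2024, 1, 8))
    now = datetime(2024, 1, 7, 23, 30)                 # inside the 1-hour pre-update window
    fetched = {                                          # constructed download results
        cfg.urls[0]: None,                               # unreachable or not a DER CRL
        cfg.urls[1]: existing,                           # a stale mirror, same thisUpdate
        cfg.urls[2]: CrlInfo(ca, datetime(2024, 1, 7, 12), datetime(2024, 1, 14)),
    }
    print("due:", cfg.download_due(existing, now))
    crl, next_at, log = cfg.run_once(existing, now, fetched)
    print("\n".join(log))
    print("next attempt:", next_at)
```

With the constructed results the first URL yields nothing, the second returns a copy no newer than the CRL already held and is rejected as not qualified, and the third is accepted; the next attempt is then scheduled one pre-update-time before the new CRL's NextUpdate. Had every URL failed, the profile would retry after retry-interval (3600 seconds by default) while continuing to use the existing CRL.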
This command manually triggers the CRL update for the specified ca-profile.
Using this command requires shutting down the auto-crl-update.
none
The commands described in this section are supported on the 7750 SR only.
This command enables the context to configure multi-chassis parameters.
This command configures a multi-chassis redundancy peer.
This command enables the context to configure multi-chassis peer parameters.
This command enables tracking of a central BFD session. If the BFD session goes down, the system considers the peer down and changes the mc-ipsec status of the configured tunnel-groups accordingly.
The BFD session uses the address of the specified loopback interface (in the specified service) as the source address and the specified dst-ip as the destination address. Other BFD parameters are configured with the bfd command on the specified interface.
300
This command specifies the time interval that a tunnel-group stays in the Discovery state. Interval-1 is used as the discovery-interval when a new tunnel-group is added to multi-chassis redundancy (mc-ipsec); interval-2 is used as the discovery-interval at system boot-up. Interval-2 is optional; when it is not specified, interval-1 is used.
300
This command specifies the number of keep-alive failures before the peer is considered to be down.
The no form of the command reverts to the default.
3
This command specifies the time interval at which the mastership election protocol sends keep-alive packets.
The no form of the command reverts to the default.
10
This command enables multi-chassis redundancy for the specified tunnel-group, or enters an already configured tunnel-group context. Each configured tunnel-group can fail over independently.
The no form of the command removes the tunnel group ID from the configuration.
none
This command specifies the corresponding tunnel-group ID on the peer node. The peer tunnel-group ID does not necessarily equal the local tunnel-group ID.
The no form of the command removes the tunnel group ID from the configuration.
none
This command specifies the local priority of the tunnel-group, which is used to elect the master; the higher number wins. If the priorities are the same, the peer with more active ISAs wins; if both the priority and the number of active ISAs are the same, the peer with the higher IP address wins.
The no form of the command removes the priority value from the configuration.
100
This command configures a routing protocol as a match criterion for a route policy statement entry. This command is used for both import and export policies, depending on how it is used.
When ipsec is specified, the entry matches IPsec routes.
If no protocol criterion is specified, any protocol is considered a match.
The no form of the command removes the protocol match criterion.
no protocol — Matches any protocol.
This command configures a match criterion on the state attribute. The state attribute carries the state of an SRRP instance and can be applied to:
Based on the state attribute of the route, the route advertisement into the network can be manipulated.
Tracking of SRRP state by routes can be enabled or disabled (disabled for the case where no SRRP is running).
This is done on a per subscriber-interface route basis, where a subscriber-interface route tracks a single SRRP instance state (the SRRP instance might be in a Fate Sharing Group).
For subscriber-management and managed-routes, tracking is enabled per group interface under which SRRP is enabled.
none
srrp-master | Track routes with the state attribute carrying srrp-master state.
srrp-non-master | Track routes with the state attribute carrying srrp-non-master state.
ipsec-master-with-peer | Track routes with the state attribute carrying ipsec-master-with-peer state.
ipsec-non-master | Track routes with the state attribute carrying ipsec-non-master state.
ipsec-master-without-peer | Track routes with the state attribute carrying ipsec-master-without-peer state.
This command enables multi-chassis synchronization of the IPsec states of the specified tunnel-groups with a peer. The sync-tag parameter is used to match corresponding tunnel-groups on both peers; IPsec states are synchronized between tunnel-groups with the same sync-tag.
no
This command enables multi-chassis synchronization of IPsec states on system level.
no
This command displays IPsec certificate profile information.
The following is an example output of the show ipsec cert-profile command.
This command displays certificate-related information.
The following is an example output of the show certificate command.
In the following example, "cert-1.der" is the certificate-profile name, whereas above cert-1.der is the actual file in use.
This command displays client-db related information. Using this command without any parameters lists all configured client-dbs.
The following is an example output of the show client-db command.
This command displays IPsec gateway information.
The following is an example output of the show ipsec gateway command.
This command displays information about a particular GRE tunnel or all GRE tunnels.
Table 26 lists the information displayed for each GRE tunnel.
Label | Description |
TunnelName (Tunnel Name) | The name of the GRE tunnel. |
SvcID (Service ID) | The service ID of the IES or VPRN service that owns the GRE tunnel. |
SapId (Sap ID) | The ID of the private tunnel SAP that owns the GRE tunnel. |
Description | The description for the GRE tunnel. |
LocalAddress (Source Address) | The source address of the GRE tunnel (public/outer IP) |
RemoteAddress (Remote Address) | The destination address of the GRE tunnel (public/outer IP) |
Bkup RemAddr (Backup Address) | The backup destination address of the GRE tunnel (public/outer IP) |
To (Target Address) | The remote address of the GRE tunnel (private/inner IP). This is the peer’s IP address to the GRE tunnel. This comes from the tunnel configuration. |
DlvrySvcId (Delivery Service) | The service ID of the IES or VPRN service that handles the GRE encapsulated packets belonging to the tunnel. |
DSCP | The forced DSCP codepoint in the outer IP header of GRE encapsulated packets belonging to the tunnel. |
Admn (Admin State) | Admin state of the tunnel (up/down). |
Oper (Operational State) | Operational state of the tunnel (up/down). |
Oper Rem Addr (Oper Remote Addr) | The destination address of the GRE tunnel (public/outer IP) that is currently being used. |
Pkts Rx | Number of GRE packets received belonging to the tunnel. |
Pkts Tx | Number of GRE packets transmitted belonging to the tunnel. |
Bytes Rx | Number of bytes in received GRE packets associated with the tunnel. |
Bytes Tx | Number of bytes in transmitted GRE packets associated with the tunnel. |
Key Ignored Rx | Incremented every time a GRE packet is received with a GRE key field. |
Too Big Tx | Incremented every time an IP packet with DF=1 is to be forwarded into the GRE tunnel and its size exceeds the interface IP MTU. |
Seq Ignored Rx | Incremented every time a GRE packet is received with a sequence number. |
Vers Unsup. Rx | Incremented every time a GRE packet is dropped because the GRE version is unsupported. |
Invalid Chksum Rx | Incremented every time a GRE packet is dropped because the checksum is invalid. |
Loops Rx | Incremented every time a GRE packet is dropped because the destination IP address of the un-encapsulated packet would cause it to be re-encapsulated into the same tunnel. |
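The drop counters in Table 26 (Key Ignored Rx, Seq Ignored Rx, Vers Unsup. Rx, Invalid Chksum Rx, Loops Rx) only become useful as a detection signal when they are compared between polls: a tunnel that suddenly starts receiving keyed, sequenced or malformed GRE packets from its peer address is worth a look. The following is an added example, not code from this manual or from the 7750 SR. It parses two constructed polls of per-tunnel counters into dicts and reports which drop counters grew; the "Label : value" layout of the sample text is an assumption, since the real show output is not reproduced on this page, and the threshold is an arbitrary illustration.

```python
import re

# Constructed sample output, modelled only on the field labels in Table 26.
# The "Label : value" layout is an assumption, not the real CLI format.
SAMPLE_T0 = """\
TunnelName        : gre-to-branch1
Admn              : Up
Oper              : Up
Pkts Rx           : 120400
Pkts Tx           : 118230
Key Ignored Rx    : 0
Too Big Tx        : 2
Seq Ignored Rx    : 0
Vers Unsup. Rx    : 0
Invalid Chksum Rx : 1
Loops Rx          : 0
"""

SAMPLE_T1 = """\
TunnelName        : gre-to-branch1
Admn              : Up
Oper              : Up
Pkts Rx           : 121900
Pkts Tx           : 119800
Key Ignored Rx    : 350
Too Big Tx        : 2
Seq Ignored Rx    : 0
Vers Unsup. Rx    : 41
Invalid Chksum Rx : 1
Loops Rx          : 0
"""

# Counters whose growth means the ISA rejected or ignored received GRE packets.
DROP_COUNTERS = ("Key Ignored Rx", "Seq Ignored Rx", "Vers Unsup. Rx",
                 "Invalid Chksum Rx", "Loops Rx")

LINE_RE = re.compile(r"^\s*(?P<label>[^:]+?)\s*:\s*(?P<value>.*?)\s*$")


def parse_show(text):
    """Turn 'Label : value' lines into a dict; purely numeric values become ints."""
    fields = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        value = m.group("value")
        fields[m.group("label")] = int(value) if value.isdigit() else value
    return fields


def counter_deltas(before, after, counters=DROP_COUNTERS):
    """Increase of each counter between two polls of the same tunnel."""
    deltas = {}
    for name in counters:
        b, a = before.get(name, 0), after.get(name, 0)
        # A decrease means the counters were cleared (or the ISA restarted);
        # count everything seen since the reset instead of a negative delta.
        deltas[name] = a - b if a >= b else a
    return deltas


def alerts(before, after, threshold=10):
    """Drop counters that grew by more than `threshold` between the two polls."""
    return {name: n for name, n in counter_deltas(before, after).items()
            if n > threshold}


if __name__ == "__main__":
    t0, t1 = parse_show(SAMPLE_T0), parse_show(SAMPLE_T1)
    for name, n in alerts(t0, t1).items():
        print(f"{t0['TunnelName']}: {name} +{n}")
```

In the constructed sample, Key Ignored Rx and Vers Unsup. Rx jump between polls while the checksum and loop counters stay flat, which is the pattern of a peer (or someone spoofing the peer's public address) sending GRE with options the tunnel does not accept. Too Big Tx is deliberately left out of the watched set: it is a local MTU problem, not a sign of unexpected traffic.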
This command displays
The following is an example output for the show ipsec ike-policy command.
This command displays the lockout status for the specified IPsec clients. If remote address information is not specified, the system will display a list of clients that have been locked out on the specified ISA, along with the IPsec gateway if local-gateway-address is specified.
The following output is an example of lockout information.
This command displays RADIUS accounting-policy related information.
The following is an example output for the show ipsec radius-accounting-policy command.
This command displays IPsec RADIUS authentication policy information.
This command displays
The following is an example output for the show ipsec security-policy command.
This command displays IPsec static-SA information.
This command displays IPsec transforms.
The following is an example output for the show ipsec transform command.
This command displays trust anchor profile information.
The following is an example output for the show ipsec trust-anchor-profile command.
This command displays IPsec traffic-selector list (TS-list) information.
Entering this command without a parameter will list all configured TS-lists.
Entering this command with the association parameter will list all IPsec gateways that use the specified TS-list.
Entering this command with the local or local-entry parameter will list all or specified local entries of the specified TS-list.
Entering this command with the remote or remote-entry parameter will list all or specified remote entries of the specified TS-list.
The following output is an example of TS-list information.
This command displays
This command displays
The following is an example output for the show ipsec tunnel-template command.
This command displays the 7750 SR IPsec multi-chassis states. Optionally, only the state of the specified tunnel-group is displayed.
Table 27 describes show redundancy multi-chassis mc-ipsec output fields.
Label | Description |
Admin State | Displays the admin state of mc-ipsec. |
Mastership/Master State | Displays the current MIMP state. |
Protection Status | Displays nominal or notReady. notReady means the system is not ready for a switchover; a switchover in this state can have a major traffic impact. nominal means the tunnel-group is in a better position to switch over than notReady, although there may still be some traffic impact. |
Installed | Displays the number of tunnels that have been successfully installed on the MS-ISA. |
Installing | Displays the number of tunnels that are being installed on the MS-ISA. |
Awaiting Config | Displays the number of synced tunnels that do not have corresponding configuration ready. |
Failed | Displays the number of tunnels that failed to install on the MS-ISA. |
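Table 27 gives the operator everything needed to decide whether a manual mastership switchover is safe: Protection Status must be nominal, and any tunnels still Installing, Awaiting Config or Failed are tunnels that the new master cannot serve immediately. The following is an added example, not code from this manual or from the 7750 SR, that turns those rules into a pre-check returning the reasons a switchover should be held back. The "Label : value" sample text is constructed (the real show output is not reproduced here), and the helper that parses it is assumed.

```python
import re

# Constructed sample of the Table 27 fields; the "Label : value" layout is an
# assumption and not the real CLI format.
SAMPLE_NOT_READY = """\
Admin State       : Up
Master State      : master
Protection Status : notReady
Installed         : 4812
Installing        : 37
Awaiting Config   : 2
Failed            : 0
"""

SAMPLE_READY = """\
Admin State       : Up
Master State      : master
Protection Status : nominal
Installed         : 4851
Installing        : 0
Awaiting Config   : 0
Failed            : 0
"""

LINE_RE = re.compile(r"^\s*(?P<label>[^:]+?)\s*:\s*(?P<value>.*?)\s*$")


def parse_show(text):
    """Turn 'Label : value' lines into a dict; purely numeric values become ints."""
    fields = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            value = m.group("value")
            fields[m.group("label")] = int(value) if value.isdigit() else value
    return fields


def switchover_blockers(fields):
    """Reasons, per Table 27, not to force a mastership switchover right now."""
    reasons = []
    if fields.get("Admin State") != "Up":
        reasons.append("mc-ipsec is administratively down")
    status = fields.get("Protection Status")
    if status != "nominal":
        # notReady is the manual's "major traffic impact" case; an unknown
        # value is treated the same way rather than assumed safe.
        reasons.append(f"protection status is {status!r}, not nominal")
    for name in ("Installing", "Awaiting Config", "Failed"):
        n = fields.get(name, 0)
        if n:
            reasons.append(f"{n} tunnel(s) in state '{name}' on the MS-ISA")
    return reasons


def safe_to_switchover(fields):
    """True only when no blocker applies; nominal may still impact traffic."""
    return not switchover_blockers(fields)


if __name__ == "__main__":
    for sample in (SAMPLE_NOT_READY, SAMPLE_READY):
        f = parse_show(sample)
        print("safe" if safe_to_switchover(f) else "hold: " + "; ".join(switchover_blockers(f)))
```

Even when the check passes, the manual only promises that nominal is a better position than notReady, so a switchover should still be scheduled in a maintenance window rather than treated as hitless.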
This command enables debugging for dynamic IPsec tunnels that terminate on the specified IPsec gateway.
The tunnel to be debugged can be specified by either its source address or source subnet. If a subnet is specified, the system will enable debugging for all tunnels with source addresses in the specified subnet.
This command enables debugging for specified IPsec tunnel.
Note: Debugging can be enabled for only one IPsec tunnel at a time.
This command enables debugging of certificate chain computation in a cert-profile.
This command enables debugging for the specified IPsec client-db.
This command enables the context to perform CMPv2 operations.
This command enables debug output for the specified CA profile.
This command enables debug output of the OCSP protocol for the specified CA.
no ocsp
This command enables the 7750 SR mc-ipsec context.
This command manually switches over the 7750 SR mc-ipsec mastership of specified tunnel-group.
This command performs a lookup in the specified client-db using the specified input and displays the matching result.
Sample Output
This command initiates tunnel setup for the specified LAN-to-LAN tunnel or for all static LAN-to-LAN tunnels in the specified tunnel group. This command initiates tunnel setup regardless of the configuration of the ipsec-responder-only command under the specified tunnel group.
The command only initiates tunnel setup when the tunnel group is in the MC-IPsec master state, or when MC-IPsec is not enabled for the tunnel group. If MC-IPsec is enabled, the system aborts a tunnel setup that is in progress if MIMP goes down or if mastership changes during the setup.
Operationally up tunnels are not affected by this command. The system does not try to initiate tunnel setup if the tunnel's operational flags are not clear.
The system does not automatically retry tunnel setup if a tunnel setup fails.
N/A
This command clears the lockout state for the specified clients. If remote address information is not specified, the system will clear the lockout state for all clients within the specified routing instance, along with all clients within the specified IPsec gateway if local-gateway-address is specified.