23. ipsec Commands
23.1. ipsec Command Descriptions
ipsec
Synopsis
Enter the ipsec context
Tree
Introduced
16.0.R4
Platforms
All
cert-profile [name] string
Synopsis
Enter the cert-profile list instance
Context
configure ipsec cert-profile string
Tree
Max. Elements
10200
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
[name] string
Synopsis
Certificate profile name.
Context
configure ipsec cert-profile string
String Length
1 to 32
Notes
This element is part of a list key.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
admin-state keyword
Synopsis
Administrative state of the certificate profile.
Context
configure ipsec cert-profile string admin-state keyword
Tree
Default
disable
Options
enable, disable
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
entry [id] number
Synopsis
Enter the entry list instance
Context
configure ipsec cert-profile string entry number
Tree
Max. Elements
8
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
[id] number
Synopsis
Certificate profile entry ID
Context
configure ipsec cert-profile string entry number
Range
1 to 8
Notes
This element is part of a list key.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
cert string
Synopsis
Certificate file name for the certificate profile entry
Context
configure ipsec cert-profile string entry number cert string
Tree
String Length
1 to 95
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
key string
Synopsis
File name of imported key used for authentication
Context
configure ipsec cert-profile string entry number key string
Tree
String Length
1 to 95
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
rsa-signature keyword
Synopsis
Signature scheme for the RSA key
Context
configure ipsec cert-profile string entry number rsa-signature keyword
Tree
Default
pkcs1
Options
pkcs1, pss
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
send-chain
Synopsis
Enter the send-chain context
Context
configure ipsec cert-profile string entry number send-chain
Tree
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
ca-profile reference
Synopsis
CA certificate to send to the peer
Context
configure ipsec cert-profile string entry number send-chain ca-profile reference
Tree
Reference
configure system security pki ca-profile string
Max. Elements
7
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
client-db [name] string
Synopsis
Enter the client-db list instance
Tree
Max. Elements
1000
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
[name] string
Synopsis
IPsec client database name.
String Length
1 to 32
Notes
This element is part of a list key.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
admin-state keyword
 | Warning: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. |
Synopsis
Administrative state of the client database.
Context
configure ipsec client-db string admin-state keyword
Tree
Default
disable
Options
enable, disable
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
client [id] number
| Warning: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. |
Synopsis
Enter the client list instance
Tree
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
[id] number
Synopsis
Client ID
Range
1 to 8000
Notes
This element is part of a list key.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
admin-state keyword
| Warning: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. |
Synopsis
Administrative state of the database client.
Context
configure ipsec client-db string client number admin-state keyword
Tree
Default
disable
Options
enable, disable
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
client-name string
| Warning: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. |
Synopsis
Client name
Context
configure ipsec client-db string client number client-name string
Tree
String Length
1 to 32
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
credential
| Warning: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. |
Synopsis
Enter the credential context
Context
configure ipsec client-db string client number credential
Tree
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
pre-shared-key string
| Warning: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. |
Synopsis
Pre-shared key used to authenticate peers
Context
configure ipsec client-db string client number credential pre-shared-key string
Tree
String Length
1 to 115
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
identification
| Warning: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. |
Synopsis
Enter the identification context
Context
configure ipsec client-db string client number identification
Tree
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
idi
| Warning: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. |
Synopsis
Enable the idi context
Tree
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
any boolean
| Warning: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. |
Synopsis
Accept any IDi value as a match
Tree
Notes
The following are part of a mandatory choice: any, fqdn, fqdn-suffix, ipv4-prefix, ipv4-prefix-any, ipv6-prefix, ipv6-prefix-any, rfc822, or rfc822-suffix.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
fqdn string
| Warning: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. |
Synopsis
FQDN used as the match criteria for the IDi
Tree
String Length
0 to 255
Notes
The following are part of a mandatory choice: any, fqdn, fqdn-suffix, ipv4-prefix, ipv4-prefix-any, ipv6-prefix, ipv6-prefix-any, rfc822, or rfc822-suffix.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
fqdn-suffix string
| Warning: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. |
Synopsis
FQDN suffix used as the match criteria for the IDi
Context
configure ipsec client-db string client number identification idi fqdn-suffix string
Tree
String Length
0 to 255
Notes
The following are part of a mandatory choice: any, fqdn, fqdn-suffix, ipv4-prefix, ipv4-prefix-any, ipv6-prefix, ipv6-prefix-any, rfc822, or rfc822-suffix.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
ipv4-prefix string
| Warning: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. |
Synopsis
IPv4 prefix used as the match criteria for the IDi
Context
configure ipsec client-db string client number identification idi ipv4-prefix string
Tree
Notes
The following are part of a mandatory choice: any, fqdn, fqdn-suffix, ipv4-prefix, ipv4-prefix-any, ipv6-prefix, ipv6-prefix-any, rfc822, or rfc822-suffix.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
ipv4-prefix-any boolean
| Warning: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. |
Synopsis
Accept any valid IPv4 prefix as a match for the IDi
Context
configure ipsec client-db string client number identification idi ipv4-prefix-any boolean
Tree
Notes
The following are part of a mandatory choice: any, fqdn, fqdn-suffix, ipv4-prefix, ipv4-prefix-any, ipv6-prefix, ipv6-prefix-any, rfc822, or rfc822-suffix.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
ipv6-prefix string
| Warning: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. |
Synopsis
IPv6 prefix used as the match criteria for the IDi
Context
configure ipsec client-db string client number identification idi ipv6-prefix string
Tree
Notes
The following are part of a mandatory choice: any, fqdn, fqdn-suffix, ipv4-prefix, ipv4-prefix-any, ipv6-prefix, ipv6-prefix-any, rfc822, or rfc822-suffix.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
ipv6-prefix-any boolean
| Warning: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. |
Synopsis
Accept any valid IPv6 prefix as a match for the IDi
Context
configure ipsec client-db string client number identification idi ipv6-prefix-any boolean
Tree
Notes
The following are part of a mandatory choice: any, fqdn, fqdn-suffix, ipv4-prefix, ipv4-prefix-any, ipv6-prefix, ipv6-prefix-any, rfc822, or rfc822-suffix.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
rfc822 string
| Warning: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. |
Synopsis
Email address (RFC 822) used as match criteria for IDi
Tree
String Length
0 to 255
Notes
The following are part of a mandatory choice: any, fqdn, fqdn-suffix, ipv4-prefix, ipv4-prefix-any, ipv6-prefix, ipv6-prefix-any, rfc822, or rfc822-suffix.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
rfc822-suffix string
| Warning: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. |
Synopsis
Email address domain (RFC 822) as IDi match criteria
Context
configure ipsec client-db string client number identification idi rfc822-suffix string
Tree
String Length
0 to 255
Notes
The following are part of a mandatory choice: any, fqdn, fqdn-suffix, ipv4-prefix, ipv4-prefix-any, ipv6-prefix, ipv6-prefix-any, rfc822, or rfc822-suffix.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
peer-ip-prefix
| Warning: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. |
Synopsis
Enable the peer-ip-prefix context
Context
configure ipsec client-db string client number identification peer-ip-prefix
Tree
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
ip-prefix (ipv4-prefix | ipv6-prefix)
| Warning: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. |
Synopsis
IP prefix used as the match criteria
Context
configure ipsec client-db string client number identification peer-ip-prefix ip-prefix (ipv4-prefix | ipv6-prefix)
Tree
Notes
The following are part of a mandatory choice: ip-prefix, ipv4-only, or ipv6-only.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
ipv4-only boolean
| Warning: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. |
Synopsis
Accept any valid IPv4 address as a match
Context
configure ipsec client-db string client number identification peer-ip-prefix ipv4-only boolean
Tree
Notes
The following are part of a mandatory choice: ip-prefix, ipv4-only, or ipv6-only.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
ipv6-only boolean
| Warning: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. |
Synopsis
Accept any valid IPv6 address as a match
Context
configure ipsec client-db string client number identification peer-ip-prefix ipv6-only boolean
Tree
Notes
The following are part of a mandatory choice: ip-prefix, ipv4-only, or ipv6-only.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
private-interface string
| Warning: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. |
Synopsis
Private interface name used for tunnel setup
Context
configure ipsec client-db string client number private-interface string
Tree
String Length
1 to 32
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
private-service-name string
| Warning: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. |
Synopsis
Name of the private service used for tunnel setup
Context
configure ipsec client-db string client number private-service-name string
Tree
String Length
1 to 64
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
ts-list string
| Warning: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. |
Synopsis
Traffic selector list used by the tunnel
Tree
String Length
1 to 32
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
tunnel-template number
| Warning: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. |
Synopsis
Tunnel template ID
Context
configure ipsec client-db string client number tunnel-template number
Tree
Range
1 to 2048
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
description string
Synopsis
Text description
Context
configure ipsec client-db string description string
Tree
String Length
1 to 80
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
match-list
| Warning: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. |
Synopsis
Enter the match-list context
Context
configure ipsec client-db string match-list
Tree
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
idi boolean
| Warning: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. |
Synopsis
Use IDi type in the IPsec client matching process
Context
configure ipsec client-db string match-list idi boolean
Tree
Default
false
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
peer-ip-prefix boolean
| Warning: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect. |
Synopsis
Use the peer's tunnel IP address in matching process
Context
configure ipsec client-db string match-list peer-ip-prefix boolean
Tree
Default
false
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
ike-policy [id] number
Synopsis
Enter the ike-policy list instance
Context
configure ipsec ike-policy number
Tree
Max. Elements
2048
Introduced
16.0.R4
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
[id] number
Synopsis
The unique identifier of an IKE policy.
Context
configure ipsec ike-policy number
Range
1 to 2048
Notes
This element is part of a list key.
Introduced
16.0.R4
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
description string
Synopsis
Text description
Context
configure ipsec ike-policy number description string
Tree
String Length
1 to 80
Introduced
16.0.R4
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
dpd
Synopsis
Enable the dpd context
Context
configure ipsec ike-policy number dpd
Tree
Introduced
16.0.R4
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
interval number
Synopsis
DPD interval
Context
configure ipsec ike-policy number dpd interval number
Tree
Range
10 to 300
Default
30
Units
seconds
Introduced
16.0.R4
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
max-retries number
Synopsis
Maximum number of retries before the tunnel is removed
Context
configure ipsec ike-policy number dpd max-retries number
Tree
Range
2 to 5
Default
3
Introduced
16.0.R4
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
reply-only boolean
Synopsis
Initiate DPD request for incoming ESP or IKE packets
Context
configure ipsec ike-policy number dpd reply-only boolean
Tree
Default
false
Introduced
16.0.R4
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
ike-transform reference
Synopsis
IKE transform instance associated with the IKE policy
Context
configure ipsec ike-policy number ike-transform reference
Tree
Reference
configure ipsec ike-transform number
Max. Elements
4
Introduced
16.0.R4
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
ike-version-1
Synopsis
Enter the ike-version-1 context
Context
configure ipsec ike-policy number ike-version-1
Tree
Notes
The following are part of a choice: ike-version-1 or ike-version-2.
Introduced
16.0.R4
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
auth-method keyword
Synopsis
Authentication method used with the IKE policy
Context
configure ipsec ike-policy number ike-version-1 auth-method keyword
Tree
Default
psk
Options
psk, plain-psk-xauth
Introduced
16.0.R4
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
ike-mode keyword
Synopsis
Mode of operation
Context
configure ipsec ike-policy number ike-version-1 ike-mode keyword
Tree
Default
main
Options
main, aggressive
Introduced
16.0.R4
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
own-auth-method keyword
Synopsis
Authentication method used with policy on its own side
Context
configure ipsec ike-policy number ike-version-1 own-auth-method keyword
Tree
Default
symmetric
Options
symmetric
Introduced
16.0.R4
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
ph1-responder-delete-notify boolean
Synopsis
Send delete notification for IKEv1 phase 1 removal
Context
configure ipsec ike-policy number ike-version-1 ph1-responder-delete-notify boolean
Default
true
Introduced
16.0.R4
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
ike-version-2
Synopsis
Enable the ike-version-2 context
Context
configure ipsec ike-policy number ike-version-2
Tree
Notes
The following are part of a choice: ike-version-1 or ike-version-2.
Introduced
16.0.R4
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
auth-method keyword
Synopsis
Authentication method used with the IKE policy
Context
configure ipsec ike-policy number ike-version-2 auth-method keyword
Tree
Default
psk
Options
psk, cert, psk-radius, cert-radius, eap, auto-eap-radius, auto-eap
Introduced
16.0.R4
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
auto-eap-method keyword
Synopsis
Authentication method used for the remote peer
Context
configure ipsec ike-policy number ike-version-2 auto-eap-method keyword
Tree
Default
cert
Options
psk, cert, psk-or-cert
Introduced
16.0.R4
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
ikev2-fragment
Synopsis
Enable the ikev2-fragment context
Context
Tree
Introduced
16.0.R4
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
mtu number
Synopsis
Maximum size of the IKEv2 packet
Context
configure ipsec ike-policy number ike-version-2 ikev2-fragment mtu number
Tree
Range
512 to 9000
Default
1500
Units
octets
Introduced
16.0.R4
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
reassembly-timeout number
Synopsis
Timeout for reassembly of IKEv2 message fragments
Context
configure ipsec ike-policy number ike-version-2 ikev2-fragment reassembly-timeout number
Tree
Range
1 to 5
Default
2
Units
seconds
Introduced
16.0.R4
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
own-auth-method keyword
Synopsis
Authentication method used with IKE policy on own side
Context
configure ipsec ike-policy number ike-version-2 own-auth-method keyword
Tree
Default
symmetric
Options
symmetric, psk, cert, eap-only
Introduced
16.0.R4
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
own-auto-eap-method keyword
Synopsis
Authentication method
Context
configure ipsec ike-policy number ike-version-2 own-auto-eap-method keyword
Tree
Default
cert
Options
psk, cert
Introduced
16.0.R4
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
send-idr-after-eap-success boolean
Synopsis
Send IDr payload in last IKE authentication response
Context
configure ipsec ike-policy number ike-version-2 send-idr-after-eap-success boolean
Default
true
Introduced
16.0.R4
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
ipsec-lifetime number
Synopsis
Phase 1 lifetime for the IKE transform session
Context
configure ipsec ike-policy number ipsec-lifetime number
Tree
Range
1200 to 31536000
Default
3600
Introduced
16.0.R4
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
limit-init-exchange
Synopsis
Enter the limit-init-exchange context
Context
Tree
Introduced
16.0.R4
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
admin-state keyword
Synopsis
Administrative state of limiting initial IKE exchanges
Context
configure ipsec ike-policy number limit-init-exchange admin-state keyword
Tree
Default
enable
Options
enable, disable
Introduced
16.0.R4
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
reduced-max-exchange-timeout (number | keyword)
Synopsis
Max timeout for the in-progress initial IKE exchange
Context
configure ipsec ike-policy number limit-init-exchange reduced-max-exchange-timeout (number | keyword)
Range
2 to 60
Default
2
Units
seconds
Options
none
Introduced
16.0.R4
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
lockout
Synopsis
Enable the lockout context
Context
configure ipsec ike-policy number lockout
Tree
Introduced
16.0.R4
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
block (number | keyword)
Synopsis
Time a client is blocked for failed authentications
Context
configure ipsec ike-policy number lockout block (number | keyword)
Tree
Range
1 to 1440
Default
10
Units
minutes
Options
infinite
Introduced
16.0.R4
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
duration number
Synopsis
Time interval for failed attempts threshold
Context
configure ipsec ike-policy number lockout duration number
Tree
Range
1 to 60
Default
5
Units
minutes
Introduced
16.0.R4
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
failed-attempts number
Synopsis
Maximum failed authentications allowed in the duration
Context
configure ipsec ike-policy number lockout failed-attempts number
Tree
Range
1 to 64
Default
3
Introduced
16.0.R4
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
max-port-per-ip number
Synopsis
Max number of ports allowed behind the same IP address
Context
configure ipsec ike-policy number lockout max-port-per-ip number
Tree
Range
1 to 32000
Default
16
Introduced
16.0.R4
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
match-peer-id-to-cert boolean
Synopsis
Check IKE peer ID during certificate authentication
Context
configure ipsec ike-policy number match-peer-id-to-cert boolean
Default
false
Introduced
16.0.R4
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
nat-traversal
Synopsis
Enable the nat-traversal context
Context
configure ipsec ike-policy number nat-traversal
Tree
Introduced
16.0.R4
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
force boolean
Synopsis
Enable NAT-T in forced mode
Context
configure ipsec ike-policy number nat-traversal force boolean
Tree
Default
false
Introduced
16.0.R4
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
force-keep-alive boolean
Synopsis
Continue sending keepalive packets (no expiry)
Context
configure ipsec ike-policy number nat-traversal force-keep-alive boolean
Tree
Default
true
Introduced
16.0.R4
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
keep-alive-interval number
Synopsis
The keep alive interval for NAT-T.
Context
configure ipsec ike-policy number nat-traversal keep-alive-interval number
Tree
Range
120 to 600
Units
seconds
Introduced
16.0.R4
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
pfs
Synopsis
Enable the pfs context
Context
configure ipsec ike-policy number pfs
Tree
Introduced
16.0.R4
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
dh-group keyword
Synopsis
The new Diffie-Hellman (DH) group used when each time the SA(Security Association) key is renegotiated.
Context
configure ipsec ike-policy number pfs dh-group keyword
Tree
Default
group-2
Options
group-1, group-2, group-5, group-14, group-15, group-19, group-20, group-21
Introduced
16.0.R4
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
relay-unsolicited-cfg-attribute
Synopsis
Enter the relay-unsolicited-cfg-attribute context
Context
Introduced
16.0.R4
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
internal-ip4-address boolean
Synopsis
Return the IPv4 address from the source to the client
Context
configure ipsec ike-policy number relay-unsolicited-cfg-attribute internal-ip4-address boolean
Tree
Default
false
Introduced
16.0.R4
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
internal-ip4-dns boolean
Synopsis
Return IPv4 DNS server address from source to client
Context
configure ipsec ike-policy number relay-unsolicited-cfg-attribute internal-ip4-dns boolean
Tree
Default
false
Introduced
16.0.R4
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
internal-ip4-netmask boolean
Synopsis
Return the IPv4 netmask from the source to the client
Context
configure ipsec ike-policy number relay-unsolicited-cfg-attribute internal-ip4-netmask boolean
Tree
Default
false
Introduced
16.0.R4
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
internal-ip6-address boolean
Synopsis
Return the IPv6 address from the source to the client
Context
configure ipsec ike-policy number relay-unsolicited-cfg-attribute internal-ip6-address boolean
Tree
Default
false
Introduced
16.0.R4
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
internal-ip6-dns boolean
Synopsis
Return IPv6 DNS server address from source to client
Context
configure ipsec ike-policy number relay-unsolicited-cfg-attribute internal-ip6-dns boolean
Tree
Default
false
Introduced
16.0.R4
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
ike-transform [id] number
Synopsis
Enter the ike-transform list instance
Context
configure ipsec ike-transform number
Tree
Max. Elements
4096
Introduced
16.0.R4
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
[id] number
Synopsis
The unique identifier of an IKE transform.
Context
configure ipsec ike-transform number
Range
1 to 4096
Notes
This element is part of a list key.
Introduced
16.0.R4
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
dh-group keyword
Synopsis
Diffie-Helman group used to calculate session keys
Context
configure ipsec ike-transform number dh-group keyword
Tree
Default
group-2
Options
group-1, group-2, group-5, group-14, group-15, group-19, group-20, group-21
Introduced
16.0.R4
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
ike-auth-algorithm keyword
Synopsis
IKE authentication algorithm for IKE transform instance
Context
configure ipsec ike-transform number ike-auth-algorithm keyword
Tree
Default
sha-1
Options
md-5, sha-1, sha-256, sha-384, sha-512, aes-xcbc, auth-encryption
Introduced
16.0.R4
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
ike-encryption-algorithm keyword
Synopsis
IKE encryption algorith for the IKE transform instance
Context
configure ipsec ike-transform number ike-encryption-algorithm keyword
Default
aes-128
Options
des, des-3, aes-128, aes-192, aes-256, aes128-gcm8, aes128-gcm16, aes256-gcm8, aes256-gcm16
Introduced
16.0.R4
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
ike-prf-algorithm keyword
Synopsis
PRF algorithm for the IKE transform instance
Context
configure ipsec ike-transform number ike-prf-algorithm keyword
Tree
Default
same-as-auth
Options
md-5, sha-1, sha-256, sha-384, sha-512, aes-xcbc, same-as-auth
Introduced
16.0.R6
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
isakmp-lifetime number
Synopsis
Phase 1 lifetime for the IKE transform instance
Context
configure ipsec ike-transform number isakmp-lifetime number
Tree
Range
1200 to 31536000
Default
86400
Introduced
16.0.R4
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
ipsec-transform [id] number
Synopsis
Enter the ipsec-transform list instance
Context
configure ipsec ipsec-transform number
Tree
Max. Elements
2048
Introduced
16.0.R4
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
[id] number
Synopsis
IPsec transform ID.
Context
configure ipsec ipsec-transform number
Range
1 to 2048
Notes
This element is part of a list key.
Introduced
16.0.R4
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
esp-auth-algorithm keyword
Synopsis
The authentication algorithm for this IPsec transform.
Context
configure ipsec ipsec-transform number esp-auth-algorithm keyword
Tree
Default
sha-1
Options
null, md-5, sha-1, sha-256, sha-384, sha-512, aes-xcbc, auth-encryption
Introduced
16.0.R4
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
esp-encryption-algorithm keyword
Synopsis
Encryption algorithm for the IPsec transform session
Context
configure ipsec ipsec-transform number esp-encryption-algorithm keyword
Default
aes-128
Options
null, des, des-3, aes-128, aes-192, aes-256, aes128-gcm8, aes128-gcm12, aes128-gcm16, aes192-gcm8, aes192-gcm12, aes192-gcm16, aes256-gcm8, aes256-gcm12, aes256-gcm16, null-aes128-gmac, null-aes192-gmac, null-aes256-gmac
Introduced
16.0.R4
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
ipsec-lifetime number
Synopsis
Phase 2 lifetime for the IPsec transform session
Context
configure ipsec ipsec-transform number ipsec-lifetime number
Tree
Range
1200 to 31536000
Introduced
16.0.R4
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
pfs-dh-group keyword
Synopsis
Diffie-Hellman group used for PFS compilation
Context
configure ipsec ipsec-transform number pfs-dh-group keyword
Tree
Options
none, group-1, group-2, group-5, group-14, group-15, group-19, group-20, group-21
Introduced
16.0.R4
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
radius
Synopsis
Enter the radius context
Tree
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
accounting-policy [name] string
Synopsis
Enter the accounting-policy list instance
Context
configure ipsec radius accounting-policy string
Tree
Max. Elements
100
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
[name] string
Synopsis
RADIUS accounting policy name
Context
configure ipsec radius accounting-policy string
String Length
1 to 32
Notes
This element is part of a list key.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
include-radius-attribute
Synopsis
Enter the include-radius-attribute context
Context
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
acct-stats boolean
Synopsis
Include accounting attributes in RADIUS packets
Context
configure ipsec radius accounting-policy string include-radius-attribute acct-stats boolean
Tree
Default
false
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
called-station-id boolean
Synopsis
Include the Called-Station-Id attribute
Context
configure ipsec radius accounting-policy string include-radius-attribute called-station-id boolean
Tree
Default
false
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
calling-station-id boolean
Synopsis
Include the Calling-Station-Id attribute
Context
configure ipsec radius accounting-policy string include-radius-attribute calling-station-id boolean
Tree
Default
false
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
framed-ip-addr boolean
Synopsis
Include the Framed-IP-Address attribute
Context
configure ipsec radius accounting-policy string include-radius-attribute framed-ip-addr boolean
Tree
Default
false
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
framed-ipv6-prefix boolean
Synopsis
Include the Framed-IPv6-Prefix attribute
Context
configure ipsec radius accounting-policy string include-radius-attribute framed-ipv6-prefix boolean
Tree
Default
false
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
nas-identifier boolean
Synopsis
Include the NAS-Identifier attribute
Context
configure ipsec radius accounting-policy string include-radius-attribute nas-identifier boolean
Tree
Default
false
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
nas-ip-addr boolean
Synopsis
Include the NAS-IP-Address attribute
Context
configure ipsec radius accounting-policy string include-radius-attribute nas-ip-addr boolean
Tree
Default
false
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
nas-port-id boolean
Synopsis
Include the NAS-Port-Id attribute
Context
configure ipsec radius accounting-policy string include-radius-attribute nas-port-id boolean
Tree
Default
false
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
radius-server-policy reference
Synopsis
Referenced RADIUS server policy
Context
configure ipsec radius accounting-policy string radius-server-policy reference
Tree
Reference
configure aaa radius server-policy string
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
update-interval
Synopsis
Enter the update-interval context
Context
Tree
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
jitter number
Synopsis
The jitter of the update interval. If not specified, the system will use 10% of the update interval value
Context
configure ipsec radius accounting-policy string update-interval jitter number
Tree
Range
0 to 3600
Units
seconds
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
value number
Synopsis
The update interval of the RADIUS accounting data. Zero specifies that no intermediate updates will be sent.
Context
configure ipsec radius accounting-policy string update-interval value number
Tree
Range
0 | 5 to 259200
Default
10
Units
minutes
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
authentication-policy [name] string
Synopsis
Enter the authentication-policy list instance
Context
Max. Elements
100
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
[name] string
Synopsis
RADIUS authentication policy name.
Context
String Length
1 to 32
Notes
This element is part of a list key.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
include-radius-attribute
Synopsis
Enter the include-radius-attribute context
Context
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
called-station-id boolean
Synopsis
Include the Called-Station-Id attribute
Context
Tree
Default
false
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
calling-station-id boolean
Synopsis
Include the Calling-Station-Id attribute
Context
Tree
Default
false
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
client-cert-subject-key-id boolean
Synopsis
Include the Subject-Key-Id attribute.
Context
Default
false
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
nas-identifier boolean
Synopsis
Include the NAS-Identifier attribute
Context
configure ipsec radius authentication-policy string include-radius-attribute nas-identifier boolean
Tree
Default
false
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
nas-ip-addr boolean
Synopsis
Include the NAS-IP-Address attribute
Context
configure ipsec radius authentication-policy string include-radius-attribute nas-ip-addr boolean
Tree
Default
false
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
nas-port-id boolean
Synopsis
Include the NAS-Port-Id attribute
Context
configure ipsec radius authentication-policy string include-radius-attribute nas-port-id boolean
Tree
Default
false
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
password string
Synopsis
Password used in RADIUS access requests
Context
configure ipsec radius authentication-policy string password string
Tree
String Length
1 to 115
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
radius-server-policy reference
Synopsis
Referenced RADIUS server policy
Context
configure ipsec radius authentication-policy string radius-server-policy reference
Tree
Reference
configure aaa radius server-policy string
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
show-ipsec-keys boolean
Synopsis
Show IPsec IKE and ESP keys.
Context
configure ipsec show-ipsec-keys boolean
Tree
Default
false
Introduced
16.0.R4
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
static-sa [name] string
Synopsis
Enter the static-sa list instance
Tree
Max. Elements
1000
Introduced
16.0.R6
Platforms
All
[name] string
Synopsis
Static Security Association (SA) name.
String Length
1 to 32
Notes
This element is part of a list key.
Introduced
16.0.R6
Platforms
All
authentication
Synopsis
Enable the authentication context
Context
configure ipsec static-sa string authentication
Tree
Introduced
16.0.R6
Platforms
All
algorithm keyword
Synopsis
Authentication algorithm used for an IPsec manual SA
Context
configure ipsec static-sa string authentication algorithm keyword
Tree
Options
md5, sha1
Notes
This element is mandatory.
Introduced
16.0.R6
Platforms
All
key string
Synopsis
Key used for the authentication algorithm
Context
configure ipsec static-sa string authentication key string
Tree
String Length
1 to 54
Notes
This element is mandatory.
Introduced
16.0.R6
Platforms
All
description string
Synopsis
Text description
Context
configure ipsec static-sa string description string
Tree
String Length
1 to 32
Introduced
16.0.R6
Platforms
All
direction keyword
Synopsis
Direction to which the static SA entry can be applied
Tree
Default
bidirectional
Options
inbound, outbound, bidirectional
Introduced
16.0.R6
Platforms
All
protocol keyword
Synopsis
IPsec protocol used with the static SA
Tree
Default
esp
Options
ah, esp
Introduced
16.0.R6
Platforms
All
spi number
Synopsis
Security Parameter Index (SPI) for the static SA
Tree
Range
256 to 16383
Introduced
16.0.R6
Platforms
All
trust-anchor-profile [name] string
Synopsis
Enter the trust-anchor-profile list instance
Context
configure ipsec trust-anchor-profile string
Tree
Max. Elements
10128
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
[name] string
Synopsis
Trust anchor profile name.
Context
configure ipsec trust-anchor-profile string
String Length
1 to 32
Notes
This element is part of a list key.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
trust-anchor [ca-profile] reference
Synopsis
Add a list entry for trust-anchor
Context
configure ipsec trust-anchor-profile string trust-anchor reference
Tree
Max. Elements
8
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
[ca-profile] reference
Synopsis
Name of the CA profile as a trust anchor profile
Context
configure ipsec trust-anchor-profile string trust-anchor reference
Reference
configure system security pki ca-profile string
Notes
This element is part of a list key.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
ts-list [name] string
Synopsis
Enter the ts-list list instance
Tree
Max. Elements
32768
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
[name] string
Synopsis
IPsec Traffic Selector (TS) list name.
String Length
1 to 32
Notes
This element is part of a list key.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
local
Synopsis
Enter the local context
Tree
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
entry [id] number
Synopsis
Enter the entry list instance
Tree
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
[id] number
Synopsis
The unique ID of this TS list entry.
Range
1 to 32
Notes
This element is part of a list key.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
address
Synopsis
Enable the address context
Tree
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
prefix (ipv4-prefix | ipv6-prefix)
Synopsis
IP prefix for address range in IKEv2 traffic selector
Context
Tree
Notes
The following are part of a mandatory choice: prefix or range.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
range
Synopsis
Enable the range context
Tree
Notes
The following are part of a mandatory choice: prefix or range.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
begin (ipv4-address-no-zone | ipv6-address-no-zone)
Synopsis
Lower bound of the IP address range for the entry
Context
Tree
Notes
This element is mandatory.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
end (ipv4-address-no-zone | ipv6-address-no-zone)
Synopsis
The end IP address.
Context
Tree
Notes
This element is mandatory.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
protocol
Synopsis
Enable the protocol context
Tree
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
any
Synopsis
Match any protocol ID
Tree
Notes
The following are part of a mandatory choice: any or id.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
id
Synopsis
Enable the id context
Tree
Notes
The following are part of a mandatory choice: any or id.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
icmp
Synopsis
Enter the icmp context
Tree
Notes
The following are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
opaque
Synopsis
Support OPAQUE ports
Tree
Notes
The following are part of a choice: opaque or port-range.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
port-range
Synopsis
Enable the port-range context
Tree
Notes
The following are part of a choice: opaque or port-range.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
begin-icmp-code number
Synopsis
Lower bound of the ICMP code range
Context
configure ipsec ts-list string local entry number protocol id icmp port-range begin-icmp-code number
Tree
Range
0 to 255
Notes
This element is mandatory.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
begin-icmp-type number
Synopsis
Lower bound of the ICMP type range
Context
configure ipsec ts-list string local entry number protocol id icmp port-range begin-icmp-type number
Tree
Range
0 to 255
Notes
This element is mandatory.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
end-icmp-code number
Synopsis
Upper bound of the ICMP code range
Context
configure ipsec ts-list string local entry number protocol id icmp port-range end-icmp-code number
Tree
Range
0 to 255
Notes
This element is mandatory.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
end-icmp-type number
Synopsis
Upper bound of the ICMP type range
Context
configure ipsec ts-list string local entry number protocol id icmp port-range end-icmp-type number
Tree
Range
0 to 255
Notes
This element is mandatory.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
icmp6
Synopsis
Enter the icmp6 context
Tree
Notes
The following are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
opaque
Synopsis
Support OPAQUE ports
Tree
Notes
The following are part of a choice: opaque or port-range.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
port-range
Synopsis
Enable the port-range context
Tree
Notes
The following are part of a choice: opaque or port-range.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
begin-icmp-code number
Synopsis
Lower bound of the ICMP code range
Context
configure ipsec ts-list string local entry number protocol id icmp6 port-range begin-icmp-code number
Tree
Range
0 to 255
Notes
This element is mandatory.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
begin-icmp-type number
Synopsis
Lower bound of the ICMP type range
Context
configure ipsec ts-list string local entry number protocol id icmp6 port-range begin-icmp-type number
Tree
Range
0 to 255
Notes
This element is mandatory.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
end-icmp-code number
Synopsis
Upper bound of the ICMP code range
Context
configure ipsec ts-list string local entry number protocol id icmp6 port-range end-icmp-code number
Tree
Range
0 to 255
Notes
This element is mandatory.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
end-icmp-type number
Synopsis
Upper bound of the ICMP type range
Context
configure ipsec ts-list string local entry number protocol id icmp6 port-range end-icmp-type number
Tree
Range
0 to 255
Notes
This element is mandatory.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
mipv6
Synopsis
Enter the mipv6 context
Tree
Notes
The following are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
opaque
Synopsis
Support OPAQUE ports
Tree
Notes
The following are part of a choice: opaque or port-range.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
port-range
Synopsis
Enable the port-range context
Tree
Notes
The following are part of a choice: opaque or port-range.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
begin number
Synopsis
The begin mobility header type.
Tree
Range
0 to 255
Notes
This element is mandatory.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
end number
Synopsis
The end mobility header type.
Tree
Range
0 to 255
Notes
This element is mandatory.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
protocol-id-with-any-port (keyword | number)
Synopsis
Protocol ID that accepts any port value
Context
Range
1 to 255
Options
icmp, tcp, udp, icmp6, sctp, mipv6
Notes
The following are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
sctp
Synopsis
Enter the sctp context
Tree
Notes
The following are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
opaque
Synopsis
Support OPAQUE ports
Tree
Notes
The following are part of a choice: opaque or port-range.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
port-range
Synopsis
Enable the port-range context
Tree
Notes
The following are part of a choice: opaque or port-range.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
begin number
Synopsis
Lower bound of the port range
Tree
Range
0 to 65535
Notes
This element is mandatory.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
end number
Synopsis
Upper bound of the port range
Tree
Range
0 to 65535
Notes
This element is mandatory.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
tcp
Synopsis
Enter the tcp context
Tree
Notes
The following are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
opaque
Synopsis
Support OPAQUE ports
Tree
Notes
The following are part of a choice: opaque or port-range.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
port-range
Synopsis
Enable the port-range context
Tree
Notes
The following are part of a choice: opaque or port-range.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
begin number
Synopsis
Lower bound of the port range
Tree
Range
0 to 65535
Notes
This element is mandatory.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
end number
Synopsis
Upper bound of the port range
Tree
Range
0 to 65535
Notes
This element is mandatory.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
udp
Synopsis
Enter the udp context
Tree
Notes
The following are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
opaque
Synopsis
Support OPAQUE ports
Tree
Notes
The following are part of a choice: opaque or port-range.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
port-range
Synopsis
Enable the port-range context
Tree
Notes
The following are part of a choice: opaque or port-range.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
begin number
Synopsis
Lower bound of the port range
Tree
Range
0 to 65535
Notes
This element is mandatory.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
end number
Synopsis
Upper bound of the port range
Tree
Range
0 to 65535
Notes
This element is mandatory.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
remote
Synopsis
Enter the remote context
Tree
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
entry [id] number
Synopsis
Enter the entry list instance
Tree
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
[id] number
Synopsis
The unique ID of this TS list entry.
Range
1 to 32
Notes
This element is part of a list key.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
address
Synopsis
Enable the address context
Tree
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
prefix (ipv4-prefix | ipv6-prefix)
Synopsis
IP prefix for address range in IKEv2 traffic selector
Context
Tree
Notes
The following are part of a mandatory choice: prefix or range.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
range
Synopsis
Enable the range context
Tree
Notes
The following are part of a mandatory choice: prefix or range.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
begin (ipv4-address-no-zone | ipv6-address-no-zone)
Synopsis
Lower bound of the IP address range for the entry
Context
Tree
Notes
This element is mandatory.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
end (ipv4-address-no-zone | ipv6-address-no-zone)
Synopsis
The end IP address.
Context
Tree
Notes
This element is mandatory.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
protocol
Synopsis
Enable the protocol context
Tree
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
any
Synopsis
Match any protocol ID
Tree
Notes
The following are part of a mandatory choice: any or id.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
id
Synopsis
Enable the id context
Tree
Notes
The following are part of a mandatory choice: any or id.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
icmp
Synopsis
Enter the icmp context
Tree
Notes
The following are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
opaque
Synopsis
Support OPAQUE ports
Tree
Notes
The following are part of a choice: opaque or port-range.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
port-range
Synopsis
Enable the port-range context
Tree
Notes
The following are part of a choice: opaque or port-range.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
begin-icmp-code number
Synopsis
Lower bound of the ICMP code range
Context
configure ipsec ts-list string remote entry number protocol id icmp port-range begin-icmp-code number
Tree
Range
0 to 255
Notes
This element is mandatory.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
begin-icmp-type number
Synopsis
Lower bound of the ICMP type range
Context
configure ipsec ts-list string remote entry number protocol id icmp port-range begin-icmp-type number
Tree
Range
0 to 255
Notes
This element is mandatory.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
end-icmp-code number
Synopsis
Upper bound of the ICMP code range
Context
configure ipsec ts-list string remote entry number protocol id icmp port-range end-icmp-code number
Tree
Range
0 to 255
Notes
This element is mandatory.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
end-icmp-type number
Synopsis
Upper bound of the ICMP type range
Context
configure ipsec ts-list string remote entry number protocol id icmp port-range end-icmp-type number
Tree
Range
0 to 255
Notes
This element is mandatory.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
icmp6
Synopsis
Enter the icmp6 context
Tree
Notes
The following are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
opaque
Synopsis
Support OPAQUE ports
Tree
Notes
The following are part of a choice: opaque or port-range.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
port-range
Synopsis
Enable the port-range context
Tree
Notes
The following are part of a choice: opaque or port-range.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
begin-icmp-code number
Synopsis
Lower bound of the ICMP code range
Context
configure ipsec ts-list string remote entry number protocol id icmp6 port-range begin-icmp-code number
Tree
Range
0 to 255
Notes
This element is mandatory.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
begin-icmp-type number
Synopsis
Lower bound of the ICMP type range
Context
configure ipsec ts-list string remote entry number protocol id icmp6 port-range begin-icmp-type number
Tree
Range
0 to 255
Notes
This element is mandatory.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
end-icmp-code number
Synopsis
Upper bound of the ICMP code range
Context
configure ipsec ts-list string remote entry number protocol id icmp6 port-range end-icmp-code number
Tree
Range
0 to 255
Notes
This element is mandatory.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
end-icmp-type number
Synopsis
Upper bound of the ICMP type range
Context
configure ipsec ts-list string remote entry number protocol id icmp6 port-range end-icmp-type number
Tree
Range
0 to 255
Notes
This element is mandatory.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
mipv6
Synopsis
Enter the mipv6 context
Tree
Notes
The following are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
opaque
Synopsis
Support OPAQUE ports
Tree
Notes
The following are part of a choice: opaque or port-range.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
port-range
Synopsis
Enable the port-range context
Tree
Notes
The following are part of a choice: opaque or port-range.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
begin number
Synopsis
The begin mobility header type.
Context
Tree
Range
0 to 255
Notes
This element is mandatory.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
end number
Synopsis
The end mobility header type.
Tree
Range
0 to 255
Notes
This element is mandatory.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
protocol-id-with-any-port (keyword | number)
Synopsis
Protocol ID that accepts any port value
Context
Range
1 to 255
Options
icmp, tcp, udp, icmp6, sctp, mipv6
Notes
The following are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
sctp
Synopsis
Enter the sctp context
Tree
Notes
The following are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
opaque
Synopsis
Support OPAQUE ports
Tree
Notes
The following are part of a choice: opaque or port-range.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
port-range
Synopsis
Enable the port-range context
Tree
Notes
The following are part of a choice: opaque or port-range.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
begin number
Synopsis
Lower bound of the port range
Tree
Range
0 to 65535
Notes
This element is mandatory.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
end number
Synopsis
Upper bound of the port range
Tree
Range
0 to 65535
Notes
This element is mandatory.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
tcp
Synopsis
Enter the tcp context
Tree
Notes
The following are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
opaque
Synopsis
Support OPAQUE ports
Tree
Notes
The following are part of a choice: opaque or port-range.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
port-range
Synopsis
Enable the port-range context
Tree
Notes
The following are part of a choice: opaque or port-range.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
begin number
Synopsis
Lower bound of the port range
Tree
Range
0 to 65535
Notes
This element is mandatory.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
end number
Synopsis
Upper bound of the port range
Tree
Range
0 to 65535
Notes
This element is mandatory.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
udp
Synopsis
Enter the udp context
Tree
Notes
The following are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
opaque
Synopsis
Support OPAQUE ports
Tree
Notes
The following are part of a choice: opaque or port-range.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
port-range
Synopsis
Enable the port-range context
Tree
Notes
The following are part of a choice: opaque or port-range.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
begin number
Synopsis
Lower bound of the port range
Tree
Range
0 to 65535
Notes
This element is mandatory.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
end number
Synopsis
Upper bound of the port range
Tree
Range
0 to 65535
Notes
This element is mandatory.
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
tunnel-template [id] number
Synopsis
Enter the tunnel-template list instance
Context
configure ipsec tunnel-template number
Tree
Max. Elements
2048
Introduced
16.0.R4
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
[id] number
Synopsis
Tunnel template ID
Context
configure ipsec tunnel-template number
Range
1 to 2048
Notes
This element is part of a list key.
Introduced
16.0.R4
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
clear-df-bit boolean
Synopsis
Clear the Do-not-Fragment (DF) bit
Context
configure ipsec tunnel-template number clear-df-bit boolean
Tree
Default
false
Introduced
16.0.R4
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
copy-traffic-class-upon-decapsulation boolean
Synopsis
Enable traffic class copy upon decapsulation
Context
configure ipsec tunnel-template number copy-traffic-class-upon-decapsulation boolean
Description
When configured to true, the system copies the traffic class from the outer tunnel IP packet header to the payload IP packet header in the decapsulating direction (public to private).
When configured to false, the system does not copy the traffic class from the outer IP packet to the payload IP packet header upon decapsulation.
Default
false
Introduced
21.5.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
description string
Synopsis
Text description
Context
configure ipsec tunnel-template number description string
Tree
String Length
1 to 80
Introduced
16.0.R4
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
encapsulated-ip-mtu number
Synopsis
Maximum size of the encapsulated tunnel packet
Context
configure ipsec tunnel-template number encapsulated-ip-mtu number
Tree
Range
512 to 9000
Units
octets
Introduced
16.0.R4
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
icmp-generation
Synopsis
Enter the icmp-generation context
Context
Tree
Introduced
21.5.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
frag-required
Synopsis
Enter the frag-required context
Context
Tree
Description
Commands in this context configure the attributes for sending generated ICMP Destination Unreachable "fragmentation needed and DF set" messages (type 3, code 4) back to the source, if the received size of the IPv4 packet on the private side exceeds the private MTU size.
Introduced
21.5.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
admin-state keyword
Synopsis
Administrative state of sending ICMP messages
Context
configure ipsec tunnel-template number icmp-generation frag-required admin-state keyword
Tree
Description
This command sends the ICMP Destination Unreachable "fragmentation needed and DF set" messages (type 3, code 4) back to the source if the received size of the IPv4 packet on the private side exceeds the private MTU size.
Default
enable
Options
enable, disable
Introduced
21.5.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
interval number
Synopsis
Interval for sending ICMP messages
Context
configure ipsec tunnel-template number icmp-generation frag-required interval number
Tree
Description
This command configures the interval for sending ICMP Destination Unreachable "fragmentation needed and DF set" messages (type 3, code 4). The maximum number of messages that can be sent is configured by the message-count command.
Range
1 to 60
Default
10
Units
seconds
Introduced
21.5.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
message-count number
Synopsis
Maximum number of ICMP messages
Context
configure ipsec tunnel-template number icmp-generation frag-required message-count number
Tree
Description
This command configures the maximum number of ICMP Destination Unreachable "fragmentation needed and DF set" messages (type 3, code 4) that can be sent during the period specified by the interval command.
Range
10 to 1000
Default
100
Introduced
21.5.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
icmp6-generation
Synopsis
Enter the icmp6-generation context
Context
Tree
Introduced
16.0.R4
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
pkt-too-big
Synopsis
Enter the pkt-too-big context
Context
Tree
Introduced
16.0.R4
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
admin-state keyword
Synopsis
Adminstrative state of the generation of ICMPv6 Packet Too Big messages
Context
configure ipsec tunnel-template number icmp6-generation pkt-too-big admin-state keyword
Tree
Default
enable
Options
enable, disable
Introduced
16.0.R4
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
interval number
Synopsis
Maximum interval during which PTB messages can be sent
Context
configure ipsec tunnel-template number icmp6-generation pkt-too-big interval number
Tree
Range
1 to 60
Default
10
Units
seconds
Introduced
16.0.R4
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
message-count number
Synopsis
Max ICMPv6 messages that can be sent during interval
Context
configure ipsec tunnel-template number icmp6-generation pkt-too-big message-count number
Tree
Range
10 to 1000
Default
100
Introduced
16.0.R4
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
ignore-default-route boolean
Synopsis
Ignore any full range traffic selector in TSi
Context
configure ipsec tunnel-template number ignore-default-route boolean
Tree
Default
false
Introduced
19.7.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
ip-mtu number
Synopsis
Maximum size of the IP MTU for the payload packets
Context
configure ipsec tunnel-template number ip-mtu number
Tree
Range
512 to 9000
Units
octets
Introduced
16.0.R4
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
ipsec-transform reference
Synopsis
IPsec transform ID for the tunnel template
Context
configure ipsec tunnel-template number ipsec-transform reference
Tree
Reference
configure ipsec ipsec-transform number
Max. Elements
4
Introduced
16.0.R4
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
pmtu-discovery-aging number
Synopsis
Aging out time of the learned path MTU
Context
configure ipsec tunnel-template number pmtu-discovery-aging number
Tree
Description
This command configures the temporary public and private MTU expiration time. The temporary MTU is used for MTU propagation.
Range
900 to 3600
Default
900
Units
seconds
Introduced
21.5.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
private-tcp-mss-adjust number
Synopsis
New TCP MSS value on the private side
Context
configure ipsec tunnel-template number private-tcp-mss-adjust number
Range
512 to 9000
Units
octets
Introduced
16.0.R4
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
propagate-pmtu-v4 boolean
Synopsis
Enable propagation of the path MTU to IPv4 hosts
Context
configure ipsec tunnel-template number propagate-pmtu-v4 boolean
Tree
Description
When configured to true, the path MTU is propagated to IPv4 hosts.
When configured to false, the path MTU is not propagated to IPv4 hosts.
Default
true
Introduced
21.5.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
propagate-pmtu-v6 boolean
Synopsis
Enable propagation of the path MTU to IPv6 hosts
Context
configure ipsec tunnel-template number propagate-pmtu-v6 boolean
Tree
Description
When configured to true, the path MTU is propagated to IPv6 hosts.
When configured to false, the path MTU is not propagated to IPv6 hosts.
Default
true
Introduced
21.5.R1
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
public-tcp-mss-adjust (number | keyword)
Synopsis
New TCP MSS value on the public side
Context
configure ipsec tunnel-template number public-tcp-mss-adjust (number | keyword)
Range
512 to 9000
Units
octets
Options
auto
Introduced
16.0.R4
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
replay-window number
Synopsis
Anti-replay window size for the tunnel template
Context
configure ipsec tunnel-template number replay-window number
Tree
Range
32 | 64 | 128 | 256 | 512
Introduced
16.0.R4
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR
sp-reverse-route keyword
Synopsis
Reverse route creation method in private service
Context
configure ipsec tunnel-template number sp-reverse-route keyword
Tree
Default
none
Options
none, use-security-policy
Introduced
16.0.R4
Platforms
7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-1s, 7750 SR-2s, VSR