26. ipsec commands

configure
ipsec
— apply-groups reference
— apply-groups-exclude reference
cert-profile string
admin-state keyword
— apply-groups reference
— apply-groups-exclude reference
entry number
— apply-groups reference
— apply-groups-exclude reference
cert string
key string
rsa-signature keyword
ca-profile reference
client-db string
admin-state keyword
— apply-groups reference
— apply-groups-exclude reference
client number
admin-state keyword
— apply-groups reference
— apply-groups-exclude reference
client-name string
pre-shared-key string
idi
any boolean
fqdn string
fqdn-suffix string
ipv4-prefix string
ipv4-prefix-any boolean
ipv6-prefix string
ipv6-prefix-any boolean
rfc822 string
rfc822-suffix string
ip-prefix (ipv4-prefix | ipv6-prefix)
ipv4-only boolean
ipv6-only boolean
private-interface string
ts-list string
tunnel-template number
description string
idi boolean
peer-ip-prefix boolean
ike-policy number
— apply-groups reference
— apply-groups-exclude reference
description string
dpd
interval number
max-retries number
reply-only boolean
ike-transform reference
auth-method keyword
ike-mode keyword
own-auth-method keyword
auth-method keyword
auto-eap-method keyword
mtu number
reassembly-timeout number
own-auth-method keyword
own-auto-eap-method keyword
ipsec-lifetime number
admin-state keyword
reduced-max-exchange-timeout (number | keyword)
lockout
block (number | keyword)
duration number
failed-attempts number
max-port-per-ip number
force boolean
force-keep-alive boolean
pfs
dh-group keyword
internal-ip4-dns boolean
internal-ip6-dns boolean
ike-transform number
— apply-groups reference
— apply-groups-exclude reference
dh-group keyword
ike-auth-algorithm keyword
ike-prf-algorithm keyword
isakmp-lifetime number
ipsec-transform number
— apply-groups reference
— apply-groups-exclude reference
esp-auth-algorithm keyword
ipsec-lifetime number
pfs-dh-group keyword
— apply-groups reference
— apply-groups-exclude reference
description string
dynamic
auto-establish boolean
cert
cert-profile reference
default-result keyword
primary keyword
secondary keyword
trust-anchor-profile reference
id
fqdn string
ipv4 string
ipv6 (ipv4-address-no-zone | ipv6-address-no-zone)
ike-policy reference
ipsec-transform reference
pre-shared-key string
esp number
ike number
replay-window number
radius
accounting-policy string
— apply-groups reference
— apply-groups-exclude reference
acct-stats boolean
called-station-id boolean
calling-station-id boolean
framed-ip-addr boolean
framed-ipv6-prefix boolean
nas-identifier boolean
nas-ip-addr boolean
nas-port-id boolean
radius-server-policy reference
jitter number
value number
— apply-groups reference
— apply-groups-exclude reference
called-station-id boolean
calling-station-id boolean
nas-identifier boolean
nas-ip-addr boolean
nas-port-id boolean
password string
radius-server-policy reference
show-ipsec-keys boolean
static-sa string
— apply-groups reference
— apply-groups-exclude reference
algorithm keyword
key string
description string
direction keyword
protocol keyword
spi number
— apply-groups reference
— apply-groups-exclude reference
trust-anchor reference
ts-list string
— apply-groups reference
— apply-groups-exclude reference
local
entry number
address
prefix (ipv4-prefix | ipv6-prefix)
range
begin (ipv4-address-no-zone | ipv6-address-no-zone)
end (ipv4-address-no-zone | ipv6-address-no-zone)
— apply-groups reference
— apply-groups-exclude reference
any
id
icmp
opaque
begin-icmp-code number
begin-icmp-type number
end-icmp-code number
end-icmp-type number
icmp6
opaque
begin-icmp-code number
begin-icmp-type number
end-icmp-code number
end-icmp-type number
mipv6
opaque
begin number
end number
protocol-id-with-any-port (keyword | number)
sctp
opaque
begin number
end number
tcp
opaque
begin number
end number
udp
opaque
begin number
end number
remote
entry number
address
prefix (ipv4-prefix | ipv6-prefix)
range
begin (ipv4-address-no-zone | ipv6-address-no-zone)
end (ipv4-address-no-zone | ipv6-address-no-zone)
— apply-groups reference
— apply-groups-exclude reference
any
id
icmp
opaque
begin-icmp-code number
begin-icmp-type number
end-icmp-code number
end-icmp-type number
icmp6
opaque
begin-icmp-code number
begin-icmp-type number
end-icmp-code number
end-icmp-type number
mipv6
opaque
begin number
end number
protocol-id-with-any-port (keyword | number)
sctp
opaque
begin number
end number
tcp
opaque
begin number
end number
udp
opaque
begin number
end number
tunnel-template number
— apply-groups reference
— apply-groups-exclude reference
clear-df-bit boolean
description string
admin-state keyword
interval number
message-count number
admin-state keyword
interval number
message-count number
ip-mtu number
ipsec-transform reference
propagate-pmtu-v4 boolean
propagate-pmtu-v6 boolean
public-tcp-mss-adjust (number | keyword)
replay-window number
sp-reverse-route keyword

26.1. ipsec command descriptions

ipsec

Synopsis

Enter the ipsec context

Description

Commands in this context configure Internet Protocol Security (IPsec) parameters.

Introduced

16.0.R4

Platforms

All

cert-profile [name] string

Synopsis

Enter the cert-profile list instance

Description

Commands in this context configure the certificate profile.

Max. Elements

10200

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

[name] string

Synopsis

Certificate profile name

String Length

1 to 32

Notes

This element is part of a list key.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

admin-state keyword

Synopsis

Administrative state of the certificate profile

Default

disable

Options

enable, disable

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

entry [id] number

Synopsis

Enter the entry list instance

Description

Commands in this context configure the certificate profile entry.

Max. Elements

8

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

[id] number

Synopsis

Certificate profile entry ID

Range

1 to 8

Notes

This element is part of a list key.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

cert string

Synopsis

File name of the imported certificate for the entry

Context

configure ipsec cert-profile string entry number cert string

String Length

1 to 95

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

key string

Synopsis

File name of the imported key used for authentication

Context

configure ipsec cert-profile string entry number key string

String Length

1 to 95

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

rsa-signature keyword

Synopsis

Signature scheme for the RSA key

Default

pkcs1

Options

pkcs1, pss

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

send-chain

Synopsis

Enter the send-chain context

Description

Commands in this context allow the system to send additional CA certificates to the peer. These additional CA certificates must be in the certificate chain of the certificate specified by the cert command in the same entry.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ca-profile reference

Synopsis

CA certificate to send to the peer

Max. Elements

7

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

client-db [name] string

Synopsis

Enter the client-db list instance

Max. Elements

1000

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

[name] string

Synopsis

IPsec client database name

String Length

1 to 32

Notes

This element is part of a list key.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

admin-state keyword

Synopsis

Administrative state of the client database

Default

disable

Options

enable, disable

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

client [id] number

Warning:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis

Enter the client list instance

Description

Commands in this context configure the IPsec client entry in the client database.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

[id] number

Synopsis

Client ID

Range

1 to 8000

Notes

This element is part of a list key.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

admin-state keyword

Warning:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis

Administrative state of the database client

Default

disable

Options

enable, disable

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

client-name string

Warning:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis

Client name

String Length

1 to 32

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

credential

Warning:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis

Enter the credential context

Description

Commands in this context configure the credentials used to authenticate peers.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

pre-shared-key string

Warning:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis

Pre-shared key used to authenticate peers

String Length

1 to 115

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

identification

Warning:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis

Enter the identification context

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

idi

Warning:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis

Enable the idi context

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

any boolean

Warning:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis

Accept any IDi value as a match

Notes

The following elements are part of a mandatory choice: any, fqdn, fqdn-suffix, ipv4-prefix, ipv4-prefix-any, ipv6-prefix, ipv6-prefix-any, rfc822, or rfc822-suffix.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

fqdn string

Warning:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis

FQDN used as the match criteria for the IDi

String Length

0 to 255

Notes

The following elements are part of a mandatory choice: any, fqdn, fqdn-suffix, ipv4-prefix, ipv4-prefix-any, ipv6-prefix, ipv6-prefix-any, rfc822, or rfc822-suffix.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

fqdn-suffix string

Warning:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis

FQDN suffix used as the match criteria for the IDi

String Length

0 to 255

Notes

The following elements are part of a mandatory choice: any, fqdn, fqdn-suffix, ipv4-prefix, ipv4-prefix-any, ipv6-prefix, ipv6-prefix-any, rfc822, or rfc822-suffix.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ipv4-prefix string

Warning:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis

IPv4 prefix used as the match criteria for the IDi

Notes

The following elements are part of a mandatory choice: any, fqdn, fqdn-suffix, ipv4-prefix, ipv4-prefix-any, ipv6-prefix, ipv6-prefix-any, rfc822, or rfc822-suffix.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ipv4-prefix-any boolean

Warning:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis

Accept any valid IPv4 prefix as a match for the IDi

Notes

The following elements are part of a mandatory choice: any, fqdn, fqdn-suffix, ipv4-prefix, ipv4-prefix-any, ipv6-prefix, ipv6-prefix-any, rfc822, or rfc822-suffix.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ipv6-prefix string

Warning:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis

IPv6 prefix used as the match criteria for the IDi

Notes

The following elements are part of a mandatory choice: any, fqdn, fqdn-suffix, ipv4-prefix, ipv4-prefix-any, ipv6-prefix, ipv6-prefix-any, rfc822, or rfc822-suffix.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ipv6-prefix-any boolean

Warning:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis

Accept any valid IPv6 prefix as a match for the IDi

Notes

The following elements are part of a mandatory choice: any, fqdn, fqdn-suffix, ipv4-prefix, ipv4-prefix-any, ipv6-prefix, ipv6-prefix-any, rfc822, or rfc822-suffix.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

rfc822 string

Warning:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis

Email address (RFC 822) used as match criteria for IDi

String Length

0 to 255

Notes

The following elements are part of a mandatory choice: any, fqdn, fqdn-suffix, ipv4-prefix, ipv4-prefix-any, ipv6-prefix, ipv6-prefix-any, rfc822, or rfc822-suffix.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

rfc822-suffix string

Warning:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis

Email address domain (RFC 822) as IDi match criteria

String Length

0 to 255

Notes

The following elements are part of a mandatory choice: any, fqdn, fqdn-suffix, ipv4-prefix, ipv4-prefix-any, ipv6-prefix, ipv6-prefix-any, rfc822, or rfc822-suffix.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

peer-ip-prefix

Warning:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis

Enable the peer-ip-prefix context

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ip-prefix (ipv4-prefix | ipv6-prefix)

Warning:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis

IP prefix used as the match criteria

Context

configure ipsec client-db string client number identification peer-ip-prefix ip-prefix (ipv4-prefix | ipv6-prefix)

Notes

The following elements are part of a mandatory choice: ip-prefix, ipv4-only, or ipv6-only.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ipv4-only boolean

Warning:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis

Accept any valid IPv4 address as a match

Notes

The following elements are part of a mandatory choice: ip-prefix, ipv4-only, or ipv6-only.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ipv6-only boolean

Warning:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis

Accept any valid IPv6 address as a match

Notes

The following elements are part of a mandatory choice: ip-prefix, ipv4-only, or ipv6-only.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

private-interface string

Warning:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis

Private interface name used for tunnel setup

String Length

1 to 32

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

private-service-name string

Warning:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis

Name of the private service used for tunnel setup

String Length

1 to 64

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ts-list string

Warning:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis

Traffic selector list used by the tunnel

Context

configure ipsec client-db string client number ts-list string

String Length

1 to 32

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

tunnel-template number

Warning:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis

Tunnel template ID

Range

1 to 2048

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

description string

Synopsis

Text description

String Length

1 to 80

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

match-list

Warning:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis

Enter the match-list context

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

idi boolean

Warning:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis

Use IDi type in the IPsec client matching process

Default

false

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

peer-ip-prefix boolean

Warning:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis

Use the peer's tunnel IP address in matching process

Default

false

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR
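The client-db identification and match-list commands above describe how an incoming IKE peer is mapped to a client entry: the match-list flags decide which criteria are consulted, each client's idi criterion is one of the mandatory-choice kinds (any, fqdn, fqdn-suffix, ipv4-prefix, ipv4-prefix-any, ipv6-prefix, ipv6-prefix-any, rfc822, rfc822-suffix) and its peer-ip-prefix criterion is one of ip-prefix, ipv4-only or ipv6-only. The following Python model of that selection is an added example written for this page, not Nokia's code. The evaluation order (ascending client ID, first full match wins), the label-boundary rule for the two suffix forms, and the sample client database with its names and prefixes are assumptions that this page does not document.

```python
"""Added model of client-db matching (not SR OS code).
Assumed, not on the page: clients are tried in ascending client ID and the
first whose enabled criteria all match wins; the suffix kinds match case-
insensitively on a DNS label boundary; peer-ip-prefix is checked against the
peer's outer (tunnel) source address."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Idi:
    kind: str        # any | fqdn | fqdn-suffix | ipv4-prefix | ipv4-prefix-any |
    value: str = ""  # ipv6-prefix | ipv6-prefix-any | rfc822 | rfc822-suffix

@dataclass
class PeerIpPrefix:
    kind: str        # ip-prefix | ipv4-only | ipv6-only
    value: str = ""

@dataclass
class Client:
    client_id: int
    idi: Optional[Idi] = None
    peer_ip_prefix: Optional[PeerIpPrefix] = None
    tunnel_template: int = 0
    admin_state: str = "enable"

@dataclass
class ClientDb:
    match_idi: bool = False             # match-list idi
    match_peer_ip_prefix: bool = False  # match-list peer-ip-prefix
    clients: list = field(default_factory=list)

def _suffix_match(name: str, suffix: str) -> bool:
    name, suffix = name.lower().rstrip("."), suffix.lower().strip(".")
    return name == suffix or name.endswith("." + suffix)

def idi_matches(crit: Idi, id_type: str, id_value: str) -> bool:
    """id_type is the IKE ID payload type: fqdn, rfc822, ipv4 or ipv6."""
    k = crit.kind
    if k == "any":
        return True
    if k == "fqdn":
        return id_type == "fqdn" and id_value.lower().rstrip(".") == crit.value.lower().rstrip(".")
    if k == "fqdn-suffix":
        return id_type == "fqdn" and _suffix_match(id_value, crit.value)
    if k == "rfc822":
        return id_type == "rfc822" and id_value.lower() == crit.value.lower()
    if k == "rfc822-suffix":
        return id_type == "rfc822" and "@" in id_value and _suffix_match(id_value.rsplit("@", 1)[1], crit.value)
    if k in ("ipv4-prefix", "ipv6-prefix", "ipv4-prefix-any", "ipv6-prefix-any"):
        want = 4 if k.startswith("ipv4") else 6
        if id_type != f"ipv{want}":
            return False
        try:
            addr = ipaddress.ip_address(id_value)
            if k.endswith("-any"):           # any valid address of that family
                return addr.version == want
            net = ipaddress.ip_network(crit.value, strict=False)
        except ValueError:
            return False
        return addr.version == want and addr in net
    raise ValueError(f"unknown idi criterion: {k}")

def peer_ip_matches(crit: PeerIpPrefix, peer_ip: str) -> bool:
    addr = ipaddress.ip_address(peer_ip)
    if crit.kind == "ipv4-only":
        return addr.version == 4
    if crit.kind == "ipv6-only":
        return addr.version == 6
    if crit.kind == "ip-prefix":
        net = ipaddress.ip_network(crit.value, strict=False)
        return addr.version == net.version and addr in net
    raise ValueError(f"unknown peer-ip-prefix criterion: {crit.kind}")

def select_client(db: ClientDb, id_type: str, id_value: str, peer_ip: str) -> Optional[Client]:
    """First enabled client whose match-list-enabled criteria all match, else None."""
    if not (db.match_idi or db.match_peer_ip_prefix):
        return None                          # nothing enabled in match-list (assumed)
    for c in sorted(db.clients, key=lambda c: c.client_id):
        if c.admin_state != "enable":
            continue
        if db.match_idi and not (c.idi and idi_matches(c.idi, id_type, id_value)):
            continue
        if db.match_peer_ip_prefix and not (
                c.peer_ip_prefix and peer_ip_matches(c.peer_ip_prefix, peer_ip)):
            continue
        return c
    return None

# Constructed sample database; names and prefixes are hypothetical.
SAMPLE_DB = ClientDb(match_idi=True, match_peer_ip_prefix=True, clients=[
    Client(1, Idi("fqdn", "branch-01.example.net"), PeerIpPrefix("ip-prefix", "203.0.113.0/24"), 10),
    Client(2, Idi("fqdn-suffix", "example.net"), PeerIpPrefix("ipv4-only"), 20),
    Client(3, Idi("rfc822-suffix", "example.net"), PeerIpPrefix("ipv6-only"), 30),
    Client(9, Idi("any"), PeerIpPrefix("ipv4-only"), 99),   # IPv4 catch-all
])

def template_for(id_type: str, id_value: str, peer_ip: str) -> Optional[int]:
    c = select_client(SAMPLE_DB, id_type, id_value, peer_ip)
    return c.tunnel_template if c else None
```

The catch-all client 9 shows why the idi any choice should be paired with a narrow peer-ip-prefix or placed last: with both match-list flags enabled, a peer whose IDi matches no specific entry still lands on it as long as its tunnel address is IPv4, while an IPv6 peer with an unknown FQDN matches nothing and is rejected.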

ike-policy [id] number

Synopsis

Enter the ike-policy list instance

Description

Commands in this context configure an Internet Key Exchange (IKE) policy.

Max. Elements

2048

Introduced

16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

[id] number

Synopsis

IKE policy ID

Range

1 to 2048

Notes

This element is part of a list key.

Introduced

16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

description string

Synopsis

Text description

String Length

1 to 80

Introduced

16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

dpd

Synopsis

Enable the dpd context

Description

Commands in this context configure the dead peer detection mechanism.

Introduced

16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

interval number

Synopsis

DPD interval

Description

This command specifies the DPD interval.

Because more time is necessary to determine if there is incoming traffic, the actual time needed to bring down the tunnel is larger than the DPD interval multiplied by the value configured for maximum retry attempts.

Range

10 to 300

Default

30

Units

seconds

Introduced

16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

max-retries number

Synopsis

Maximum number of retries before the tunnel is removed

Range

2 to 5

Default

3

Introduced

16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

reply-only boolean

Synopsis

Initiate DPD request for incoming ESP or IKE packets

Default

false

Introduced

16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ike-transform reference

Synopsis

IKE transform instance associated with the IKE policy

Description

This command specifies the IKE transform instance associated with the IKE policy. If multiple IDs are specified, the system selects an IKE transform based on the proposal of the peer. If the system is a tunnel initiator, it uses the configured IKE transform to generate the SA payload.

Max. Elements

4

Introduced

16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ike-version-1

Synopsis

Enter the ike-version-1 context

Description

Commands in this context configure the IKE version 1 mode of operation that the IKE policy uses.

Notes

The following elements are part of a choice: ike-version-1 or ike-version-2.

Introduced

16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

auth-method keyword

Synopsis

Authentication method used with the IKE policy

Default

psk

Options

psk, plain-psk-xauth

Introduced

16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ike-mode keyword

Synopsis

Mode of operation

Default

main

Options

main, aggressive

Introduced

16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

own-auth-method keyword

Synopsis

Authentication method used with policy on its own side

Default

symmetric

Options

symmetric

Introduced

16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ph1-responder-delete-notify boolean

Synopsis

Send delete notification for IKEv1 phase 1 removal

Description

When configured to true, a delete notification is sent to the peer when deleting an IKEv1 phase 1 SA for which it was the responder.

When configured to false, no notification is sent.

Default

true

Introduced

16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ike-version-2

Synopsis

Enable the ike-version-2 context

Description

Commands in this context configure the IKE version 2 mode of operation that the IKE policy uses.

Notes

The following elements are part of a choice: ike-version-1 or ike-version-2.

Introduced

16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

auth-method keyword

Synopsis

Authentication method used with the IKE policy

Default

psk

Options

psk, cert, psk-radius, cert-radius, eap, auto-eap-radius, auto-eap

Introduced

16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

auto-eap-method keyword

Synopsis

Authentication method used for the remote peer

Description

This command specifies how the remote peer is authenticated on an IKEv2 remote-access tunnel when the authentication method is auto-eap or auto-eap-radius, that is, when the remote peer may authenticate with EAP or with another method.

Default

cert

Options

psk, cert, psk-or-cert

Introduced

16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ikev2-fragment

Synopsis

Enable the ikev2-fragment context

Description

Commands in this context configure IKEv2 protocol level fragmentation (RFC 7383).

Introduced

16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

mtu number

Synopsis

Maximum size of the IKEv2 packet

Range

512 to 9000

Default

1500

Units

octets

Introduced

16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

reassembly-timeout number

Synopsis

Timeout for reassembly of IKEv2 message fragments

Range

1 to 5

Default

2

Units

seconds

Introduced

16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

own-auth-method keyword

Synopsis

Authentication method used with IKE policy on own side

Default

symmetric

Options

symmetric, psk, cert, eap-only

Introduced

16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

own-auto-eap-method keyword

Synopsis

Authentication method used on its own side

Description

This command specifies how the system authenticates itself on an IKEv2 remote-access tunnel when the authentication method is auto-eap or auto-eap-radius, that is, when the remote peer may authenticate with EAP or with another method.

Default

cert

Options

psk, cert

Introduced

16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

send-idr-after-eap-success boolean

Synopsis

Send IDr payload in last IKE authentication response

Description

When configured to true, the Identification Responder (IDr) payload is added in the last IKE authentication response after an Extensible Authentication Protocol (EAP) Success packet is received.

When configured to false, the IDr payload is not included in the last IKE authentication response.

Default

true

Introduced

16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ipsec-lifetime number

Synopsis

Lifetime of the Phase 2 IKE key

Range

1200 to 31536000

Default

3600

Units

seconds

Introduced

16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

limit-init-exchange

Synopsis

Enter the limit-init-exchange context

Description

Commands in this context limit the number of ongoing IKEv2 initial exchanges per tunnel.

Introduced

16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

admin-state keyword

Synopsis

Administrative state of limiting initial IKE exchanges

Default

enable

Options

enable, disable

Introduced

16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

reduced-max-exchange-timeout (number | keyword)

Synopsis

Maximum timeout for in-progress initial IKE exchange

Description

This command configures the maximum timeout for the in-progress initial IKE exchange. If a new IKEv2 IKE_SA_INIT request is received when there is an ongoing IKEv2 initial exchange from the same peer, the timeout value of the existing exchange is set to this specified value. If the none option is configured for this command, the timeout value remains unchanged.

Range

2 to 60

Default

2

Units

seconds

Options

none

Introduced

16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

lockout

Synopsis

Enable the lockout context

Description

Commands in this context specify the lockout mechanism for the IPsec tunnel. These commands apply only when the system acts as a tunnel responder.

Introduced

16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

block (number | keyword)

Synopsis

Time a client is blocked for failed authentications

Context

configure ipsec ike-policy number lockout block (number | keyword)

Description

This command configures the time the client is blocked if the number of failed authentications exceeds the configured value within the specified duration.

Range

1 to 1440

Default

10

Units

minutes

Options

infinite

Introduced

16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

duration number

Synopsis

Time interval for failed attempts threshold

Description

This command specifies the time interval in which the configured failed authentication count must be exceeded to trigger a lockout.

Range

1 to 60

Default

5

Units

minutes

Introduced

16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

failed-attempts number

Synopsis

Maximum failed authentications allowed in the duration

Range

1 to 64

Default

3

Introduced

16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

max-port-per-ip number

Synopsis

Max number of ports allowed behind the same IP address

Description

This command configures the maximum number of ports allowed behind the same IP address, as seen when several clients sit behind one NAT address. When the threshold is exceeded and a client is locked out, all ports behind the IP address are blocked.

Range

1 to 32000

Default

16

Introduced

16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR
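The lockout commands above (block, duration, failed-attempts, max-port-per-ip) describe a responder-side limiter against authentication brute force. The following Python simulation is an added example, not SR OS code, and shows how those four values interact on constructed sequences of authentication failures from hypothetical peer addresses. Counting failures in a sliding window of duration minutes, blocking a client once its count exceeds failed-attempts, and blocking every port behind an IP once more than max-port-per-ip ports have been seen there and one of them is locked out, are my reading of the descriptions above; keying a client by peer IP plus UDP port is an assumption.

```python
"""Added simulation of the ike-policy lockout mechanism (not SR OS code).
Read from the descriptions above: failed authentications are counted per
client in a sliding window of `duration` minutes; exceeding `failed-attempts`
blocks the client for `block` minutes (or forever with "infinite"); once more
than `max-port-per-ip` ports have been seen behind one IP and a client there
is locked out, every port behind that IP is blocked. Keying a client by
(peer IP, UDP port) is an assumption. Timestamps are in seconds."""
import math
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Union

@dataclass
class LockoutPolicy:
    block: Union[int, str] = 10   # minutes, or the keyword "infinite"
    duration: int = 5             # minutes
    failed_attempts: int = 3
    max_port_per_ip: int = 16

    def block_seconds(self) -> float:
        return math.inf if self.block == "infinite" else self.block * 60

class Lockout:
    def __init__(self, policy: LockoutPolicy):
        self.p = policy
        self.failures = defaultdict(deque)   # (ip, port) -> failure timestamps
        self.blocked_until = {}              # (ip, port) -> unblock time
        self.ip_blocked_until = {}           # ip -> unblock time for all ports
        self.ports_seen = defaultdict(set)   # ip -> ports that have failed

    def is_blocked(self, ip: str, port: int, now: float) -> bool:
        """True while the responder should ignore IKE from this client."""
        if self.ip_blocked_until.get(ip, -math.inf) > now:
            return True
        return self.blocked_until.get((ip, port), -math.inf) > now

    def record_failure(self, ip: str, port: int, now: float) -> bool:
        """Register one failed authentication; return True if it triggered a lockout."""
        self.ports_seen[ip].add(port)
        window = self.failures[(ip, port)]
        window.append(now)
        while window and now - window[0] > self.p.duration * 60:
            window.popleft()                 # forget failures outside the duration
        if len(window) <= self.p.failed_attempts:
            return False
        until = now + self.p.block_seconds()
        self.blocked_until[(ip, port)] = until
        if len(self.ports_seen[ip]) > self.p.max_port_per_ip:
            self.ip_blocked_until[ip] = until   # block everything behind the NAT address
        window.clear()
        return True

# Constructed scenarios on hypothetical peer addresses.
def demo_single_client():
    """Defaults: 3 failures tolerated in 5 min; the 4th locks out for 10 min."""
    lo = Lockout(LockoutPolicy())
    triggered = [lo.record_failure("198.51.100.20", 500, t) for t in (0, 10, 20, 30)]
    return triggered, lo.is_blocked("198.51.100.20", 500, 60), lo.is_blocked("198.51.100.20", 500, 30 + 600)

def demo_window_expiry():
    """Failures spaced wider than the duration never reach the threshold."""
    lo = Lockout(LockoutPolicy())
    return [lo.record_failure("198.51.100.21", 500, t) for t in (0, 200, 400, 600)]

def demo_nat_ip_block():
    """Three ports behind one address with max-port-per-ip 2: the whole IP is blocked."""
    lo = Lockout(LockoutPolicy(max_port_per_ip=2))
    for port in (4500, 4501, 4502):
        for t in (0, 1, 2, 3):
            lo.record_failure("203.0.113.9", port, t)
    return lo.is_blocked("203.0.113.9", 60000, 10)   # even a port never seen before

def demo_infinite_block():
    lo = Lockout(LockoutPolicy(block="infinite"))
    for t in (0, 1, 2, 3):
        lo.record_failure("198.51.100.22", 4500, t)
    return lo.is_blocked("198.51.100.22", 4500, 10 ** 9)
```

The NAT scenario is the one to think about before lowering max-port-per-ip: a single misbehaving client behind a shared address can take every other client behind that address offline for the block period, which is the intended trade-off against an attacker rotating source ports to dodge the per-client counter.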

match-peer-id-to-cert boolean

Synopsis

Check IKE peer ID during certificate authentication

Default

false

Introduced

16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

nat-traversal

Synopsis

Enable the nat-traversal context

Description

Commands in this context configure the Network Address Translation Traversal (NAT-T) functionality.

Introduced

16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

force boolean

Synopsis

Enable NAT-T in forced mode

Default

false

Introduced

16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

force-keep-alive boolean

Synopsis

Continue sending keepalive packets (no expiry)

Default

true

Introduced

16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

keep-alive-interval number

Synopsis

Keepalive interval for NAT-T

Range

120 to 600

Units

seconds

Introduced

16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

pfs

Synopsis

Enable the pfs context

Description

Commands in this context configure perfect forward secrecy on the IPsec tunnel using the policy. PFS provides for a new Diffie-Hellman (DH) key exchange each time the Security Association (SA) key is renegotiated. When the SA key expires, another key is generated (if the SA remains up).

Introduced

16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

dh-group keyword

Synopsis

Diffie-Hellman group used to calculate session keys

Description

This command specifies which DH group to use for calculating session keys. More bits provide a higher level of security, but require more processing.

Default

group-2

Options

group-1, group-2, group-5, group-14, group-15, group-19, group-20, group-21

Introduced

16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

relay-unsolicited-cfg-attribute

Synopsis

Enter the relay-unsolicited-cfg-attribute context

Description

Commands in this context configure which attributes received from the source (such as a RADIUS server) are relayed to the IKEv2 remote-access tunnel client regardless of whether the client requested them in the CFG_REQUEST payload.

Introduced

16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

internal-ip4-address boolean

Synopsis

Return the IPv4 address from the source to the client

Description

When configured to true, the system returns the IPv4 address from the source (such as a RADIUS server) to the IKEv2 remote-access tunnel client regardless of whether the client requested the address in the CFG_REQUEST payload.

Default

false

Introduced

16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

internal-ip4-dns boolean

Synopsis

Return IPv4 DNS server address from source to client

Description

When configured to true, the system returns the IPv4 DNS server address from the source (such as a RADIUS server) to the IKEv2 remote-access tunnel client regardless of whether the client requested the address in the CFG_REQUEST payload.

Default

false

Introduced

16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

internal-ip4-netmask boolean

Synopsis

Return the IPv4 netmask from the source to the client

Description

When configured to true, the system returns the IPv4 netmask from the source (such as a RADIUS server) to the IKEv2 remote-access tunnel client regardless of whether the client requested the netmask in the CFG_REQUEST payload.

Default

false

Introduced

16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

internal-ip6-address boolean

Synopsis

Return the IPv6 address from the source to the client

Description

When configured to true, the system returns the IPv6 address from the source (such as a RADIUS server) to the IKEv2 remote-access tunnel client regardless of whether the client requested the address in the CFG_REQUEST payload.

Default

false

Introduced

16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

internal-ip6-dns boolean

Synopsis

Return IPv6 DNS server address from source to client

Description

When configured to true, the system returns the IPv6 DNS server address from the source (such as a RADIUS server) to the IKEv2 remote-access tunnel client regardless of whether the client requested the address in the CFG_REQUEST payload.

Default

false

Introduced

16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ike-transform [id] number

Synopsis

Enter the ike-transform list instance

Max. Elements

4096

Introduced

16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

[id] number

Synopsis

IKE transform instance ID

Range

1 to 4096

Notes

This element is part of a list key.

Introduced

16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

dh-group keyword

Synopsis

Diffie-Hellman group used to calculate session keys

Default

group-2

Options

group-1, group-2, group-5, group-14, group-15, group-19, group-20, group-21

Introduced

16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ike-auth-algorithm keyword

Synopsis

IKE authentication algorithm for IKE transform instance

Default

sha-1

Options

md-5, sha-1, sha-256, sha-384, sha-512, aes-xcbc, auth-encryption

Introduced

16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ike-encryption-algorithm keyword

Synopsis

IKE encryption algorithm for the IKE transform instance

Default

aes-128

Options

des, des-3, aes-128, aes-192, aes-256, aes128-gcm8, aes128-gcm16, aes256-gcm8, aes256-gcm16

Introduced

16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ike-prf-algorithm keyword

Synopsis

PRF algorithm for the IKE transform instance

Description

This command specifies the pseudo-random function algorithm used for IKE security association.

If a combined-mode encryption algorithm such as AES-GCM is used as the IKE encryption algorithm, same-as-auth cannot be used as the IKE PRF algorithm.

Default

same-as-auth

Options

md-5, sha-1, sha-256, sha-384, sha-512, aes-xcbc, same-as-auth

Introduced

16.0.R6

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

isakmp-lifetime number

Synopsis

Phase 1 lifetime for the IKE transform instance

Range

1200 to 31536000

Default

86400

Units

seconds

Introduced

16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ipsec-transform [id] number

Synopsis

Enter the ipsec-transform list instance

Description

Commands in this context create an IPsec transform policy. IPsec transform policies can be shared. A change to the IPsec transform is allowed at any time. The change does not impact tunnels that have already been established until they are renegotiated. If the change is required immediately, the tunnel must be cleared (reset) to force renegotiation.

IPsec transform policy assignments to a tunnel require the tunnel to be shut down.

Max. Elements

2048

Introduced

16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

[id] number

Synopsis

IPsec transform policy ID

Range

1 to 2048

Notes

This element is part of a list key.

Introduced

16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

esp-auth-algorithm keyword

Synopsis

Encapsulating Security Payload (ESP) authentication algorithm

Description

This command specifies the hashing algorithm used for the authentication function. Both ends of a manually configured tunnel must share the same configuration for the IPsec tunnel to enter the operational state.

Default

sha-1

Options

null, md-5, sha-1, sha-256, sha-384, sha-512, aes-xcbc, auth-encryption

Introduced

16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

esp-encryption-algorithm keyword

Synopsis

Encryption algorithm for the IPsec transform session

Description

This command specifies the encryption algorithm used for the IPsec session. Encryption applies only to ESP configurations. If encryption is not defined, ESP is not used.

Both ends of a manually configured tunnel must share the same encryption algorithm for the IPsec tunnel to enter the operational state.

When AES-GCM or AES-GMAC is configured:

  1. the ESP authentication algorithm must be set to auth-encryption
  2. the system does not include the authentication algorithm in the ESP proposal of the SA payload
  3. the IPsec transform cannot be used for manual keying

Default

aes-128

Options

null, des, des-3, aes-128, aes-192, aes-256, aes128-gcm8, aes128-gcm12, aes128-gcm16, aes192-gcm8, aes192-gcm12, aes192-gcm16, aes256-gcm8, aes256-gcm12, aes256-gcm16, null-aes128-gmac, null-aes192-gmac, null-aes256-gmac

Introduced

16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR
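The two combined-mode constraints stated above (same-as-auth is not a valid IKE PRF once the IKE encryption algorithm is AES-GCM, and an ESP transform using AES-GCM or AES-GMAC must set esp-auth-algorithm to auth-encryption and cannot be used for manual keying) are the kind of thing a configuration linter should catch before a commit. The following is an added example, not Nokia SR OS code: the dataclasses, their field names, the `manual_keying` flag and the lint functions are this example's own representation of the options; the option sets, defaults and lifetime range are copied from the reference entries.

```python
"""Lint ike-transform and ipsec-transform settings against the constraints
stated in the command reference. Added example, not SR OS code."""

from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Option sets and defaults copied from the reference entries.
IKE_ENCRYPTION = {"des", "des-3", "aes-128", "aes-192", "aes-256",
                  "aes128-gcm8", "aes128-gcm16", "aes256-gcm8", "aes256-gcm16"}
IKE_AUTH = {"md-5", "sha-1", "sha-256", "sha-384", "sha-512", "aes-xcbc",
            "auth-encryption"}
IKE_PRF = {"md-5", "sha-1", "sha-256", "sha-384", "sha-512", "aes-xcbc",
           "same-as-auth"}
ESP_ENCRYPTION = {"null", "des", "des-3", "aes-128", "aes-192", "aes-256",
                  "aes128-gcm8", "aes128-gcm12", "aes128-gcm16",
                  "aes192-gcm8", "aes192-gcm12", "aes192-gcm16",
                  "aes256-gcm8", "aes256-gcm12", "aes256-gcm16",
                  "null-aes128-gmac", "null-aes192-gmac", "null-aes256-gmac"}
ESP_AUTH = {"null", "md-5", "sha-1", "sha-256", "sha-384", "sha-512",
            "aes-xcbc", "auth-encryption"}
LIFETIME_RANGE = (1200, 31536000)   # seconds; isakmp-lifetime and ipsec-lifetime


def is_combined_mode(algorithm: str) -> bool:
    """AES-GCM and AES-GMAC carry their own integrity tag (combined mode)."""
    return "gcm" in algorithm or "gmac" in algorithm


@dataclass
class IkeTransform:
    encryption: str = "aes-128"      # ike-encryption-algorithm default
    auth: str = "sha-1"              # ike-auth-algorithm default
    prf: str = "same-as-auth"        # ike-prf-algorithm default
    isakmp_lifetime: int = 86400     # isakmp-lifetime default, seconds


@dataclass
class IpsecTransform:
    esp_encryption: str = "aes-128"  # esp-encryption-algorithm default
    esp_auth: str = "sha-1"          # esp-auth-algorithm default
    ipsec_lifetime: Optional[int] = None   # None: inherited from the IKE policy
    manual_keying: bool = False      # assumption: a manually keyed tunnel uses it


def lint_ike_transform(t: IkeTransform) -> list[str]:
    """Return the list of violations for one ike-transform instance."""
    errors = []
    if t.encryption not in IKE_ENCRYPTION:
        errors.append(f"unknown ike-encryption-algorithm {t.encryption}")
    if t.auth not in IKE_AUTH:
        errors.append(f"unknown ike-auth-algorithm {t.auth}")
    if t.prf not in IKE_PRF:
        errors.append(f"unknown ike-prf-algorithm {t.prf}")
    # Combined-mode IKE encryption needs an explicit PRF.
    if is_combined_mode(t.encryption) and t.prf == "same-as-auth":
        errors.append("ike-prf-algorithm same-as-auth cannot be used with "
                      f"combined-mode encryption {t.encryption}")
    lo, hi = LIFETIME_RANGE
    if not lo <= t.isakmp_lifetime <= hi:
        errors.append(f"isakmp-lifetime {t.isakmp_lifetime} outside {lo} to {hi}")
    return errors


def lint_ipsec_transform(t: IpsecTransform) -> list[str]:
    """Return the list of violations for one ipsec-transform instance."""
    errors = []
    if t.esp_encryption not in ESP_ENCRYPTION:
        errors.append(f"unknown esp-encryption-algorithm {t.esp_encryption}")
    if t.esp_auth not in ESP_AUTH:
        errors.append(f"unknown esp-auth-algorithm {t.esp_auth}")
    if is_combined_mode(t.esp_encryption):
        if t.esp_auth != "auth-encryption":
            errors.append(f"{t.esp_encryption} requires esp-auth-algorithm "
                          f"auth-encryption, got {t.esp_auth}")
        if t.manual_keying:
            errors.append(f"{t.esp_encryption} transform cannot be used "
                          "for manual keying")
    lo, hi = LIFETIME_RANGE
    if t.ipsec_lifetime is not None and not lo <= t.ipsec_lifetime <= hi:
        errors.append(f"ipsec-lifetime {t.ipsec_lifetime} outside {lo} to {hi}")
    return errors


if __name__ == "__main__":
    for policy in (IkeTransform(encryption="aes256-gcm16"),
                   IpsecTransform(esp_encryption="aes128-gcm16")):
        lint = lint_ike_transform if isinstance(policy, IkeTransform) else lint_ipsec_transform
        print(policy, lint(policy))
```

Running the linter over a policy set before applying it catches the combined-mode mismatches that would otherwise surface only as a failed SA negotiation on the device.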

extended-sequence-number boolean

Synopsis

Enable extended sequence numbering support

Description

When configured to true, this command enables 64-bit extended sequence numbering support. This numbering is used for high-throughput CHILD_SAs to avoid the frequent rekeying caused by sequence number wrap-around.

When configured to false, only 32-bit sequence numbering is supported.

Default

false

Introduced

21.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ipsec-lifetime number

Synopsis

Phase 2 lifetime for the IPsec transform session

Description

This command configures the lifetime of the Phase 2 IKE key.

When unconfigured, the value is inherited from the IPsec lifetime configured in the corresponding IKE policy configured for the same IPsec gateway or IPsec tunnel.

Range

1200 to 31536000

Units

seconds

Introduced

16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

pfs-dh-group keyword

Synopsis

Diffie-Hellman group used for PFS computation

Description

This command specifies the DH group used for the Perfect Forward Secrecy (PFS) computation during CHILD_SA rekeying.

When unconfigured, the value is inherited from the DH group value from the IPsec gateway or IPsec tunnel.

Options

none, group-1, group-2, group-5, group-14, group-15, group-19, group-20, group-21

Introduced

16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ipsec-transport-mode-profile [name] string

Synopsis

Enter the ipsec-transport-mode-profile list instance

Description

Commands in this context configure IPsec-specific attributes that allow an IP tunnel (for example, GRE) to be protected by using IPsec transport mode.

Introduced

21.10.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

[name] string

Synopsis

IPsec transport mode profile name string

Description

This command specifies the name of the IPsec transport mode profile.

String Length

1 to 32

Notes

This element is part of a list key.

Introduced

21.10.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

description string

Synopsis

Text description

String Length

1 to 80

Introduced

21.10.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

key-exchange

Synopsis

Enter the key-exchange context

Description

Commands in this context configure the key exchange used each time the Security Association (SA) key is renegotiated.

Introduced

21.10.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

dynamic

Synopsis

Enter the dynamic context

Description

Commands in this context configure dynamic keying for the transport mode profile.

Introduced

21.10.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

auto-establish boolean

Synopsis

Attempt to establish automatic phase 1 exchange

Default

false

Introduced

21.10.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

cert

Synopsis

Enter the cert context

Description

Commands in this context configure the attributes of the dynamic keying certificate.

Introduced

21.10.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

cert-profile reference

Synopsis

Certificate profile name

Introduced

21.10.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

status-verify

Synopsis

Enter the status-verify context

Description

Commands in this context configure attributes of Certificate Status Verification (CSV).

Introduced

21.10.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

default-result keyword

Synopsis

Default result for Certificate Status Verification

Description

This command specifies the default certificate revocation status result to use when all configured CSV methods fail to return a result.

Default

revoked

Options

revoked, good

Introduced

21.10.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

primary keyword

Synopsis

Primary method of CSV to verify the revocation status

Description

This command configures the primary method of Certificate Status Verification (CSV) that is used to verify the revocation status of the peer certificate.

Default

crl

Options

crl, ocsp

Introduced

21.10.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

secondary keyword

Synopsis

Secondary method used to verify certificate revocation

Description

This command specifies the secondary method of Certificate Status Verification (CSV) that is used to verify the revocation status of the peer certificate.

Default

none

Options

none, crl, ocsp

Introduced

21.10.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

trust-anchor-profile reference

Synopsis

Trust anchor profile name

Introduced

21.10.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

id

Synopsis

Enter the id context

Description

Commands in this context specify the local ID of the 7750 SR that is used as IDi or IDr for IKEv2 tunnels.

The default behavior depends on the local auth-method as follows:

  1. psk: local tunnel IP address
  2. cert-auth: subject of the local certificate

Introduced

21.10.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

fqdn string

Synopsis

FQDN used as the local ID IKE type

String Length

1 to 255

Notes

The following elements are part of a choice: fqdn, ipv4, or ipv6.

Introduced

21.10.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ipv4 string

Synopsis

IPv4 as the local ID type

Notes

The following elements are part of a choice: fqdn, ipv4, or ipv6.

Introduced

21.10.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ipv6 (ipv4-address-no-zone | ipv6-address-no-zone)

Synopsis

IPv6 used as the local IKE ID type

Context

configure ipsec ipsec-transport-mode-profile string key-exchange dynamic id ipv6 (ipv4-address-no-zone | ipv6-address-no-zone)

Notes

The following elements are part of a choice: fqdn, ipv4, or ipv6.

Introduced

21.10.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ike-policy reference

Synopsis

IKE policy ID

Description

This command specifies the ID of the IKE policy used for IKE negotiation.

The ipsec-transport-mode-profile configuration only supports IKEv2.

Introduced

21.10.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ipsec-transform reference

Synopsis

IPsec transform IDs used by the dynamic key

Description

This command specifies IPsec transform IDs used for CHILD_SA negotiation.

Max. Elements

4

Introduced

21.10.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

pre-shared-key string

Synopsis

Pre-shared key for IKE authentication

String Length

1 to 115

Introduced

21.10.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

max-history-key-records

Synopsis

Enter the max-history-key-records context

Introduced

21.10.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

esp number

Synopsis

Maximum number of historical ESP key records

Range

1 to 48

Introduced

21.10.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ike number

Synopsis

Maximum number of historical IKE key records

Range

1 to 3

Introduced

21.10.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

replay-window number

Synopsis

Anti-replay window size

Description

This command specifies the size of an IPsec anti-replay window. If not configured, then IPsec anti-replay is disabled.

Range

32 | 64 | 128 | 256 | 512

Units

packets

Introduced

21.10.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR
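The replay-window entry above, together with the extended-sequence-number entry earlier on this page, describes what the receiver does with each ESP sequence number: packets outside the window of the last 32 to 512 numbers are dropped, duplicates inside it are dropped, and with ESN the 32 bits on the wire are extended to 64 bits so the counter does not wrap and force a rekey. The following is an added example, not SR OS code: it implements the receiver-side sliding window and the ESN high-order-bits estimation of RFC 4303 Appendix A in Python, and the class and method names are this example's own. The sequence numbers fed to it at the end are constructed to show a wrap-around being accepted with ESN and dropped without it.

```python
"""ESP anti-replay sliding window with optional extended sequence numbers.
Added example following RFC 4303 Appendix A; not SR OS code."""

SEQ_MASK = 0xFFFFFFFF
REPLAY_WINDOW_SIZES = (32, 64, 128, 256, 512)   # values accepted by replay-window


class AntiReplayWindow:
    """Receiver-side window over the last `size` sequence numbers.

    `top` is the highest sequence number accepted so far (64-bit when ESN is
    on); bit i of `bitmap` is set when sequence number top - i was accepted.
    """

    def __init__(self, size: int = 64, esn: bool = False) -> None:
        if size not in REPLAY_WINDOW_SIZES:
            raise ValueError(f"replay-window must be one of {REPLAY_WINDOW_SIZES}")
        self.size = size
        self.esn = esn
        self.top = 0
        self.bitmap = 1        # sequence number 0 is never valid: mark it seen
        self.accepted = 0
        self.dropped = 0

    def _full_sequence(self, seql: int):
        """Rebuild the 64-bit sequence number from the 32 bits on the wire.

        Without ESN the wire value is the whole number. With ESN the high
        32 bits are inferred from where the window sits (RFC 4303, A2.2);
        None means the packet would belong before sequence space began.
        """
        if not self.esn:
            return seql
        th, tl = self.top >> 32, self.top & SEQ_MASK
        w = self.size
        if tl >= w - 1:                       # window lies inside one 2^32 span
            seqh = th if seql >= tl - w + 1 else th + 1
        else:                                 # window straddles a 2^32 boundary
            seqh = th - 1 if seql >= (tl - w + 1) & SEQ_MASK else th
        return None if seqh < 0 else (seqh << 32) | seql

    def accept(self, seql: int) -> bool:
        """Return True and slide the window if the packet is fresh.

        A real receiver updates the window only after the ICV verifies;
        here a True result stands in for that step.
        """
        seq = self._full_sequence(seql & SEQ_MASK)
        if seq is None:
            self.dropped += 1
            return False
        if seq > self.top:                                  # newest so far
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) if shift < self.size else 1
            self.bitmap &= (1 << self.size) - 1
            self.top = seq
        else:
            offset = self.top - seq
            if offset >= self.size or (self.bitmap >> offset) & 1:
                self.dropped += 1                           # too old, or a replay
                return False
            self.bitmap |= 1 << offset
        self.accepted += 1
        return True


def wraparound_demo(esn: bool) -> list:
    """Feed a constructed sequence that crosses 2^32 and report the verdicts."""
    win = AntiReplayWindow(size=64, esn=esn)
    wire_sequence = [1, 0x7FFFFFFF, 0xFFFFFFF0, 5, 0xFFFFFFF0, 0xFFFFFFF2]
    return [win.accept(s) for s in wire_sequence]


if __name__ == "__main__":
    print("without ESN:", wraparound_demo(esn=False))
    print("with ESN:   ", wraparound_demo(esn=True))
```

Without ESN the sequence number 5 arriving after 0xFFFFFFF0 is more than a window behind `top` and is dropped, which is the wrap-around the extended-sequence-number entry refers to; with ESN the same packet is placed at 2^32 + 5, the replayed 0xFFFFFFF0 is still rejected, and the never-seen 0xFFFFFFF2 inside the window is accepted.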

radius

Synopsis

Enter the radius context

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

accounting-policy [name] string

Synopsis

Enter the accounting-policy list instance

Description

Commands in this context configure RADIUS accounting policies to collect accounting statistics.

Max. Elements

100

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

[name] string

Synopsis

RADIUS accounting policy name

String Length

1 to 32

Notes

This element is part of a list key.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

include-radius-attribute

Synopsis

Enter the include-radius-attribute context

Description

Commands in this context specify the RADIUS attributes that are to be included in the RADIUS Authentication-Request messages.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

acct-stats boolean

Synopsis

Include accounting attributes in RADIUS packets

Default

false

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

called-station-id boolean

Synopsis

Include the Called-Station-Id attribute

Default

false

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

calling-station-id boolean

Synopsis

Include the Calling-Station-Id attribute

Default

false

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

framed-ip-addr boolean

Synopsis

Include the Framed-IP-Address attribute

Default

false

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

framed-ipv6-prefix boolean

Synopsis

Include the Framed-IPv6-Prefix attribute

Default

false

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

nas-identifier boolean

Synopsis

Include the NAS-Identifier attribute

Default

false

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

nas-ip-addr boolean

Synopsis

Include the NAS-IP-Address attribute

Default

false

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

nas-port-id boolean

Synopsis

Include the NAS-Port-Id attribute

Default

false

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

radius-server-policy reference

Synopsis

Referenced RADIUS server policy

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

update-interval

Synopsis

Enter the update-interval context

Description

Commands in this context determine how RADIUS interim-update packets are sent for IKEv2 remote-access tunnels.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

jitter number

Synopsis

Jitter interval for sending each interim-update packet

Description

This command specifies the jitter interval for the RADIUS interim-update packets.

When unconfigured, the system uses 10% of the update interval value.

Range

0 to 3600

Units

seconds

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

value number

Synopsis

Update interval of the RADIUS accounting data

Description

This command configures the update interval of the RADIUS accounting data. If a value of 0 is configured, no intermediate updates are sent.

Range

0 | 5 to 259200

Default

10

Units

minutes

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

authentication-policy [name] string

Synopsis

Enter the authentication-policy list instance

Description

Commands in this context configure the RADIUS authentication policy associated with the IPsec gateway.

Max. Elements

100

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

[name] string

Synopsis

RADIUS authentication policy name

String Length

1 to 32

Notes

This element is part of a list key.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

include-radius-attribute

Synopsis

Enter the include-radius-attribute context

Description

Commands in this context specify the RADIUS attributes to be included in the RADIUS Authentication-Request messages.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

called-station-id boolean

Synopsis

Include the Called-Station-Id attribute

Default

false

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

calling-station-id boolean

Synopsis

Include the Calling-Station-Id attribute

Default

false

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

client-cert-subject-key-id boolean

Synopsis

Include the Subject Key Identifier

Description

When configured to true, the Subject Key Identifier of the peer certificate is included in the RADIUS Access-Request packet as the VSA Alc-Subject-Key-Identifier.

Default

false

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

nas-identifier boolean

Synopsis

Include the NAS-Identifier attribute

Default

false

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

nas-ip-addr boolean

Synopsis

Include the NAS-IP-Address attribute

Default

false

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

nas-port-id boolean

Synopsis

Include the NAS-Port-Id attribute

Default

false

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

password string

Synopsis

Password used in RADIUS access requests

String Length

1 to 115

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

radius-server-policy reference

Synopsis

Referenced RADIUS server policy

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

show-ipsec-keys boolean

Synopsis

Show IPsec IKE and ESP keys in the output

Description

When configured to true, this command allows IPsec keys to be (optionally) included in the display output of certain debug and admin commands.

When configured to false, the key display is disabled.

Default

false

Introduced

16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

static-sa [name] string

Synopsis

Enter the static-sa list instance

Max. Elements

1000

Introduced

16.0.R6

Platforms

All

[name] string

Synopsis

Static SA name

String Length

1 to 32

Notes

This element is part of a list key.

Introduced

16.0.R6

Platforms

All

authentication

Synopsis

Enable the authentication context

Introduced

16.0.R6

Platforms

All

algorithm keyword

Synopsis

Authentication algorithm used for an IPsec manual SA

Options

md5, sha1

Notes

This element is mandatory.

Introduced

16.0.R6

Platforms

All

key string

Synopsis

Key used for the authentication algorithm

String Length

1 to 54

Notes

This element is mandatory.

Introduced

16.0.R6

Platforms

All

description string

Synopsis

Text description

String Length

1 to 32

Introduced

16.0.R6

Platforms

All

direction keyword

Synopsis

Direction to which the static SA entry can be applied

Default

bidirectional

Options

inbound, outbound, bidirectional

Introduced

16.0.R6

Platforms

All

protocol keyword

Synopsis

IPsec protocol used with the static SA

Default

esp

Options

ah, esp

Introduced

16.0.R6

Platforms

All

spi number

Synopsis

Security Parameter Index (SPI) for the static SA

Description

This command specifies the SPI for the static SA.

When the direction command is set to inbound, the SPI is used to look up the instruction to verify and decrypt the incoming IPsec packets. When the direction command is set to outbound, the SPI is used in the encoding of the outgoing packets. The remote node can use the SPI to look up the instruction to verify and decrypt the packet.

When unconfigured, the static SA cannot be used.

Range

256 to 16383

Introduced

16.0.R6

Platforms

All

trust-anchor-profile [name] string

Synopsis

Enter the trust-anchor-profile list instance

Max. Elements

10128

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

[name] string

Synopsis

Trust anchor profile name for IPsec tunnel or gateway

String Length

1 to 32

Notes

This element is part of a list key.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

trust-anchor [ca-profile] reference

Synopsis

Add a list entry for trust-anchor

Description

Commands in this context configure a CA profile as a trust anchor CA.

Max. Elements

8

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

[ca-profile] reference

Synopsis

Name of the CA profile as a trust anchor profile

Notes

This element is part of a list key.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ts-list [name] string

Synopsis

Enter the ts-list list instance

Description

Commands in this context configure Traffic Selector (TS) settings.

Max. Elements

32768

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

[name] string

Synopsis

Traffic Selector (TS) list name

String Length

1 to 32

Notes

This element is part of a list key.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

local

Synopsis

Enter the local context

Description

Commands in this context configure a local TS list, a traffic selector, such as TSr, when the system acts as an IKEv2 responder.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

entry [id] number

Synopsis

Enter the entry list instance

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

[id] number

Synopsis

TS list entry ID

Range

1 to 32

Notes

This element is part of a list key.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

address

Synopsis

Enable the address context

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

prefix (ipv4-prefix | ipv6-prefix)

Synopsis

IP prefix for address range in IKEv2 traffic selector

Context

configure ipsec ts-list string local entry number address prefix (ipv4-prefix | ipv6-prefix)

Notes

The following elements are part of a mandatory choice: prefix or range.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

range

Synopsis

Enable the range context

Notes

The following elements are part of a mandatory choice: prefix or range.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

begin (ipv4-address-no-zone | ipv6-address-no-zone)

Synopsis

Lower bound of the IP address range for the entry

Context

configure ipsec ts-list string local entry number address range begin (ipv4-address-no-zone | ipv6-address-no-zone)

Notes

This element is mandatory.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

end (ipv4-address-no-zone | ipv6-address-no-zone)

Synopsis

Upper bound of the IP address range

Context

configure ipsec ts-list string local entry number address range end (ipv4-address-no-zone | ipv6-address-no-zone)

Notes

This element is mandatory.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

protocol

Synopsis

Enable the protocol context

Description

Commands in this context specify the protocol settings for the IKEv2 traffic selector.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

any

Synopsis

Match any protocol ID

Notes

The following elements are part of a mandatory choice: any or id.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

id

Synopsis

Enable the id context

Notes

The following elements are part of a mandatory choice: any or id.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

icmp

Synopsis

Enter the icmp context

Notes

The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

opaque

Synopsis

Support OPAQUE ports

Description

This command allows the protocol ID to be accepted even when the port information is not available.

Notes

The following elements are part of a choice: opaque or port-range.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

port-range

Synopsis

Enable the port-range context

Description

Commands in this context configure port range information for the protocol.

Notes

The following elements are part of a choice: opaque or port-range.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

begin-icmp-code number

Synopsis

Lower bound of the ICMP code range

Range

0 to 255

Notes

This element is mandatory.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

begin-icmp-type number

Synopsis

Lower bound of the ICMP type range

Range

0 to 255

Notes

This element is mandatory.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

end-icmp-code number

Synopsis

Upper bound of the ICMP code range

Range

0 to 255

Notes

This element is mandatory.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

end-icmp-type number

Synopsis

Upper bound of the ICMP type range

Range

0 to 255

Notes

This element is mandatory.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

icmp6

Synopsis

Enter the icmp6 context

Notes

The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

opaque

Synopsis

Support OPAQUE ports

Description

This command allows the protocol ID to be accepted even when the port information is not available.

Notes

The following elements are part of a choice: opaque or port-range.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

port-range

Synopsis

Enable the port-range context

Description

Commands in this context configure port range information for the protocol.

Notes

The following elements are part of a choice: opaque or port-range.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

begin-icmp-code number

Synopsis

Lower bound of the ICMP code range

Range

0 to 255

Notes

This element is mandatory.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

begin-icmp-type number

Synopsis

Lower bound of the ICMP type range

Range

0 to 255

Notes

This element is mandatory.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

end-icmp-code number

Synopsis

Upper bound of the ICMP code range

Range

0 to 255

Notes

This element is mandatory.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

end-icmp-type number

Synopsis

Upper bound of the ICMP type range

Range

0 to 255

Notes

This element is mandatory.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

mipv6

Synopsis

Enter the mipv6 context

Notes

The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

opaque

Synopsis

Support OPAQUE ports

Description

This command allows the protocol ID to be accepted even when the port information is not available.

Notes

The following elements are part of a choice: opaque or port-range.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

port-range

Synopsis

Enable the port-range context

Notes

The following elements are part of a choice: opaque or port-range.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

begin number

Synopsis

Lower bound of the port range

Range

0 to 255

Notes

This element is mandatory.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

end number

Synopsis

Upper bound of the port range

Range

0 to 255

Notes

This element is mandatory.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

protocol-id-with-any-port (keyword | number)

Synopsis

Protocol ID that accepts any port value

Range

1 to 255

Options

icmp, tcp, udp, icmp6, sctp, mipv6

Notes

The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

sctp

Synopsis

Enter the sctp context

Notes

The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

opaque

Synopsis

Support OPAQUE ports

Description

This command allows the protocol ID to be accepted even when the port information is not available.

Notes

The following elements are part of a choice: opaque or port-range.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

port-range

Synopsis

Enable the port-range context

Notes

The following elements are part of a choice: opaque or port-range.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

begin number

Synopsis

Lower bound of the port range

Range

0 to 65535

Notes

This element is mandatory.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

end number

Synopsis

Upper bound of the port range

Range

0 to 65535

Notes

This element is mandatory.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

tcp

Synopsis

Enter the tcp context

Notes

The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

opaque

Synopsis

Support OPAQUE ports

Description

This command allows the protocol ID to be accepted even when the port information is not available.

Notes

The following elements are part of a choice: opaque or port-range.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

port-range

Synopsis

Enable the port-range context

Notes

The following elements are part of a choice: opaque or port-range.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

begin number

Synopsis

Lower bound of the port range

Range

0 to 65535

Notes

This element is mandatory.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

end number

Synopsis

Upper bound of the port range

Range

0 to 65535

Notes

This element is mandatory.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

udp

Synopsis

Enter the udp context

Notes

The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

opaque

Synopsis

Support OPAQUE ports

Description

This command allows the protocol ID to be accepted even when the port information is not available.

Notes

The following elements are part of a choice: opaque or port-range.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

port-range

Synopsis

Enable the port-range context

Notes

The following elements are part of a choice: opaque or port-range.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

begin number

Synopsis

Lower bound of the port range

Range

0 to 65535

Notes

This element is mandatory.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

end number

Synopsis

Upper bound of the port range

Range

0 to 65535

Notes

This element is mandatory.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

remote

Synopsis

Enter the remote context

Description

Commands in this context configure the remote TS list, that is, the traffic selector for the remote side (for example, TSr when the system acts as an IKEv2 responder).

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

entry [id] number

Synopsis

Enter the entry list instance

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

[id] number

Synopsis

TS list entry ID

Range

1 to 32

Notes

This element is part of a list key.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

address

Synopsis

Enable the address context

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

prefix (ipv4-prefix | ipv6-prefix)

Synopsis

IP prefix for address range in IKEv2 traffic selector

Context

configure ipsec ts-list string remote entry number address prefix (ipv4-prefix | ipv6-prefix)

Notes

The following elements are part of a mandatory choice: prefix or range.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

range

Synopsis

Enable the range context

Notes

The following elements are part of a mandatory choice: prefix or range.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

begin (ipv4-address-no-zone | ipv6-address-no-zone)

Synopsis

Lower bound of the IP address range for the entry

Context

configure ipsec ts-list string remote entry number address range begin (ipv4-address-no-zone | ipv6-address-no-zone)

Notes

This element is mandatory.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

end (ipv4-address-no-zone | ipv6-address-no-zone)

Synopsis

Upper bound of the IP address range

Context

configure ipsec ts-list string remote entry number address range end (ipv4-address-no-zone | ipv6-address-no-zone)

Notes

This element is mandatory.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

protocol

Synopsis

Enable the protocol context

Description

Commands in this context specify the protocol settings for the IKEv2 traffic selector.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

any

Synopsis

Match any protocol ID

Notes

The following elements are part of a mandatory choice: any or id.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

id

Synopsis

Enable the id context

Notes

The following elements are part of a mandatory choice: any or id.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

icmp

Synopsis

Enter the icmp context

Notes

The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

opaque

Synopsis

Support OPAQUE ports

Description

This command allows the protocol ID to be accepted even when the port information is not available.

Notes

The following elements are part of a choice: opaque or port-range.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

port-range

Synopsis

Enable the port-range context

Description

Commands in this context configure port range information for the protocol.

Notes

The following elements are part of a choice: opaque or port-range.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

begin-icmp-code number

Synopsis

Lower bound of the ICMP code range

Range

0 to 255

Notes

This element is mandatory.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

begin-icmp-type number

Synopsis

Lower bound of the ICMP type range

Range

0 to 255

Notes

This element is mandatory.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

end-icmp-code number

Synopsis

Upper bound of the ICMP code range

Range

0 to 255

Notes

This element is mandatory.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

end-icmp-type number

Synopsis

Upper bound of the ICMP type range

Range

0 to 255

Notes

This element is mandatory.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

icmp6

Synopsis

Enter the icmp6 context

Notes

The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

opaque

Synopsis

Support OPAQUE ports

Description

This command allows the protocol ID to be accepted even when the port information is not available.

Notes

The following elements are part of a choice: opaque or port-range.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

port-range

Synopsis

Enable the port-range context

Description

Commands in this context configure port range information for the protocol.

Notes

The following elements are part of a choice: opaque or port-range.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

begin-icmp-code number

Synopsis

Lower bound of the ICMP code range

Range

0 to 255

Notes

This element is mandatory.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

begin-icmp-type number

Synopsis

Lower bound of the ICMP type range

Range

0 to 255

Notes

This element is mandatory.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

end-icmp-code number

Synopsis

Upper bound of the ICMP code range

Range

0 to 255

Notes

This element is mandatory.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

end-icmp-type number

Synopsis

Upper bound of the ICMP type range

Range

0 to 255

Notes

This element is mandatory.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

mipv6

Synopsis

Enter the mipv6 context

Notes

The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

opaque

Synopsis

Support OPAQUE ports

Description

This command allows the protocol ID to be accepted even when the port information is not available.

Notes

The following elements are part of a choice: opaque or port-range.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

port-range

Synopsis

Enable the port-range context

Notes

The following elements are part of a choice: opaque or port-range.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

begin number

Synopsis

Lower bound of the port range

Range

0 to 255

Notes

This element is mandatory.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

end number

Synopsis

Upper bound of the port range

Range

0 to 255

Notes

This element is mandatory.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

protocol-id-with-any-port (keyword | number)

Synopsis

Protocol ID that accepts any port value

Range

1 to 255

Options

icmp, tcp, udp, icmp6, sctp, mipv6

Notes

The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

sctp

Synopsis

Enter the sctp context

Notes

The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

opaque

Synopsis

Support OPAQUE ports

Description

This command allows the protocol ID to be accepted even when the port information is not available.

Notes

The following elements are part of a choice: opaque or port-range.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

port-range

Synopsis

Enable the port-range context

Notes

The following elements are part of a choice: opaque or port-range.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

begin number

Synopsis

Lower bound of the port range

Range

0 to 65535

Notes

This element is mandatory.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

end number

Synopsis

Upper bound of the port range

Range

0 to 65535

Notes

This element is mandatory.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

tcp

Synopsis

Enter the tcp context

Notes

The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

opaque

Synopsis

Support OPAQUE ports

Description

This command allows the protocol ID to be accepted even when the port information is not available.

Notes

The following elements are part of a choice: opaque or port-range.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

port-range

Synopsis

Enable the port-range context

Notes

The following elements are part of a choice: opaque or port-range.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

begin number

Synopsis

Lower bound of the port range

Range

0 to 65535

Notes

This element is mandatory.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

end number

Synopsis

Upper bound of the port range

Range

0 to 65535

Notes

This element is mandatory.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

udp

Synopsis

Enter the udp context

Notes

The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

opaque

Synopsis

Support OPAQUE ports

Description

This command allows the protocol ID to be accepted even when the port information is not available.

Notes

The following elements are part of a choice: opaque or port-range.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

port-range

Synopsis

Enable the port-range context

Notes

The following elements are part of a choice: opaque or port-range.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

begin number

Synopsis

Lower bound of the port range

Range

0 to 65535

Notes

This element is mandatory.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

end number

Synopsis

Upper bound of the port range

Range

0 to 65535

Notes

This element is mandatory.

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

tunnel-template [id] number

Synopsis

Enter the tunnel-template list instance

Max. Elements

2048

Introduced

16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

[id] number

Synopsis

Tunnel template ID

Range

1 to 2048

Notes

This element is part of a list key.

Introduced

16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

clear-df-bit boolean

Synopsis

Clear the Do-not-Fragment (DF) bit

Default

false

Introduced

16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

copy-traffic-class-upon-decapsulation boolean

Synopsis

Enable traffic class copy upon decapsulation

Description

When configured to true, the system copies the traffic class from the outer tunnel IP packet header to the payload IP packet header in the decapsulating direction (public to private).

When configured to false, the system does not copy the traffic class from the outer IP packet to the payload IP packet header upon decapsulation.

Default

false

Introduced

21.5.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

description string

Synopsis

Text description

String Length

1 to 80

Introduced

16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

encapsulated-ip-mtu number

Synopsis

Maximum size of the encapsulated tunnel packet

Description

This command specifies the maximum size of the encapsulated tunnel packet to the IPsec tunnel, the IP tunnel, or the dynamic tunnels terminated on the IPsec Gateway. If the encapsulated IPv4 or IPv6 tunnel packet exceeds this value, the system fragments the packet.

Range

512 to 9000

Units

octets

Introduced

16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

icmp-generation

Synopsis

Enter the icmp-generation context

Introduced

21.5.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

frag-required

Synopsis

Enter the frag-required context

Description

Commands in this context configure the attributes for sending generated ICMP Destination Unreachable "fragmentation needed and DF set" messages (type 3, code 4) back to the source when an IPv4 packet received on the private side exceeds the private MTU size.

Introduced

21.5.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

admin-state keyword

Synopsis

Administrative state of sending ICMP messages

Description

This command enables or disables sending ICMP Destination Unreachable "fragmentation needed and DF set" messages (type 3, code 4) back to the source when an IPv4 packet received on the private side exceeds the private MTU size.

Default

enable

Options

enable, disable

Introduced

21.5.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

interval number

Synopsis

Interval for sending ICMP messages

Description

This command configures the interval for sending ICMP Destination Unreachable "fragmentation needed and DF set" messages (type 3, code 4). The maximum number of messages that can be sent is configured by the message-count command.

Range

1 to 60

Default

10

Units

seconds

Introduced

21.5.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

message-count number

Synopsis

Maximum number of ICMP messages

Description

This command configures the maximum number of ICMP Destination Unreachable "fragmentation needed and DF set" messages (type 3, code 4) that can be sent during the period specified by the interval command.

Range

10 to 1000

Default

100

Introduced

21.5.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

icmp6-generation

Synopsis

Enter the icmp6-generation context

Introduced

16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

pkt-too-big

Synopsis

Enter the pkt-too-big context

Description

Commands in this context configure values for the ICMPv6 Packet Too Big (PTB) messages. The system sends PTB messages if an IPv6 packet is received on the private side that is larger than 1280 bytes and also exceeds the private MTU of the tunnel.

Introduced

16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

admin-state keyword

Synopsis

Administrative state of Packet Too Big message sends

Default

enable

Options

enable, disable

Introduced

16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

interval number

Synopsis

Maximum interval during which PTB messages can be sent

Range

1 to 60

Default

10

Units

seconds

Introduced

16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

message-count number

Synopsis

Max ICMPv6 messages that can be sent during interval

Range

10 to 1000

Default

100

Introduced

16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ignore-default-route boolean

Synopsis

Ignore any full range traffic selector in TSi

Description

When configured to true, any full range traffic selector is ignored when creating a reverse route.

When configured to false, no CHILD_SA is created if any full range traffic selector is included in TSi.

Default

false

Introduced

19.7.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ip-mtu number

Synopsis

Maximum size of the IP MTU for the payload packets

Range

512 to 9000

Units

octets

Introduced

16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ipsec-transform reference

Synopsis

IPsec transform ID for the tunnel template

Max. Elements

4

Introduced

16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

pmtu-discovery-aging number

Synopsis

Aging out time of the learned path MTU

Description

This command configures the temporary public and private MTU expiration time. The temporary MTU is used for MTU propagation.

Range

900 to 3600

Default

900

Units

seconds

Introduced

21.5.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

private-tcp-mss-adjust number

Synopsis

New TCP MSS value on the private side

Description

This command specifies the new (adjusted) TCP MSS value of TCP SYN packets on the private side.

When unconfigured, the MSS value is derived from the received TCP SYN packet on the private side.

Range

512 to 9000

Units

octets

Introduced

16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

propagate-pmtu-v4 boolean

Synopsis

Enable propagation of the path MTU to IPv4 hosts

Description

When configured to true, the path MTU is propagated to IPv4 hosts.

When configured to false, the path MTU is not propagated to IPv4 hosts.

Default

true

Introduced

21.5.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

propagate-pmtu-v6 boolean

Synopsis

Enable propagation of the path MTU to IPv6 hosts

Description

When configured to true, the path MTU is propagated to IPv6 hosts.

When configured to false, the path MTU is not propagated to IPv6 hosts.

Default

true

Introduced

21.5.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

public-tcp-mss-adjust (number | keyword)

Synopsis

New TCP MSS value on the public side

Description

This command specifies the new (adjusted) TCP MSS value for TCP traffic in an IPsec tunnel that is sent from the public network to the private network. The system can use this value to adjust or insert the MSS option in the TCP SYN packet.

When unconfigured, the MSS value is derived from the public MTU and IPsec overhead.

Range

512 to 9000

Units

octets

Options

auto

Introduced

16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

replay-window number

Synopsis

Anti-replay window size for the tunnel template

Range

32 | 64 | 128 | 256 | 512

Introduced

16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

sp-reverse-route keyword

Synopsis

Reverse route creation method in private service

Description

This command allows the system to automatically create a reverse route in the private service based on the TSi of a dynamic LAN-to-LAN tunnel.

Default

none

Options

none, use-security-policy

Introduced

16.0.R4

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR