ipsec commands

configure
    ipsec
        apply-groups reference
        apply-groups-exclude reference
        cert-profile string
            admin-state keyword
            apply-groups reference
            apply-groups-exclude reference
            entry number
                apply-groups reference
                apply-groups-exclude reference
                cert string
                key string
                rsa-signature keyword
                send-chain
                    ca-profile reference
        client-db string
            admin-state keyword
            apply-groups reference
            apply-groups-exclude reference
            client number
                admin-state keyword
                apply-groups reference
                apply-groups-exclude reference
                client-name string
                credential
                    pre-shared-key string
                identification
                    idi
                        any boolean
                        fqdn string
                        fqdn-suffix string
                        ipv4-prefix string
                        ipv4-prefix-any boolean
                        ipv6-prefix string
                        ipv6-prefix-any boolean
                        rfc822 string
                        rfc822-suffix string
                    peer-ip-prefix
                        ip-prefix (ipv4-prefix | ipv6-prefix)
                        ipv4-only boolean
                        ipv6-only boolean
                private-interface string
                private-service-name string
                ts-list string
                tunnel-template number
            description string
            match-list
                idi boolean
                peer-ip-prefix boolean
        ike-policy number
            apply-groups reference
            apply-groups-exclude reference
            description string
            dpd
                interval number
                max-retries number
                reply-only boolean
            ike-transform reference
            ike-version-1
                auth-method keyword
                ike-mode keyword
                own-auth-method keyword
                ph1-responder-delete-notify boolean
            ike-version-2
                auth-method keyword
                auto-eap-method keyword
                ikev2-fragment
                    mtu number
                    reassembly-timeout number
                own-auth-method keyword
                own-auto-eap-method keyword
                send-idr-after-eap-success boolean
            ipsec-lifetime number
            limit-init-exchange
                admin-state keyword
                reduced-max-exchange-timeout (number | keyword)
            lockout
                block (number | keyword)
                duration number
                failed-attempts number
                max-port-per-ip number
            match-peer-id-to-cert boolean
            nat-traversal
                force boolean
                force-keep-alive boolean
                keep-alive-interval number
            pfs
                dh-group keyword
            relay-unsolicited-cfg-attribute
                internal-ip4-address boolean
                internal-ip4-dns boolean
                internal-ip4-netmask boolean
                internal-ip6-address boolean
                internal-ip6-dns boolean
        ike-transform number
            apply-groups reference
            apply-groups-exclude reference
            dh-group keyword
            ike-auth-algorithm keyword
            ike-encryption-algorithm keyword
            ike-prf-algorithm keyword
            isakmp-lifetime number
        ipsec-transform number
            apply-groups reference
            apply-groups-exclude reference
            esp-auth-algorithm keyword
            esp-encryption-algorithm keyword
            extended-sequence-number boolean
            ipsec-lifetime number
            pfs-dh-group keyword
        ipsec-transport-mode-profile string
            apply-groups reference
            apply-groups-exclude reference
            description string
            key-exchange
                dynamic
                    auto-establish boolean
                    cert
                        cert-profile reference
                        status-verify
                            default-result keyword
                            primary keyword
                            secondary keyword
                        trust-anchor-profile reference
                    id
                        fqdn string
                        ipv4 string
                        ipv6 (ipv4-address-no-zone | ipv6-address-no-zone)
                    ike-policy reference
                    ipsec-transform reference
                    pre-shared-key string
            max-history-key-records
                esp number
                ike number
            replay-window number
        radius
            accounting-policy string
                apply-groups reference
                apply-groups-exclude reference
                include-radius-attribute
                    acct-stats boolean
                    called-station-id boolean
                    calling-station-id boolean
                    framed-ip-addr boolean
                    framed-ipv6-prefix boolean
                    nas-identifier boolean
                    nas-ip-addr boolean
                    nas-port-id boolean
                radius-server-policy reference
                update-interval
                    jitter number
                    value number
            authentication-policy string
                apply-groups reference
                apply-groups-exclude reference
                include-radius-attribute
                    called-station-id boolean
                    calling-station-id boolean
                    client-cert-subject-key-id boolean
                    nas-identifier boolean
                    nas-ip-addr boolean
                    nas-port-id boolean
                password string
                radius-server-policy reference
        show-ipsec-keys boolean
        static-sa string
            apply-groups reference
            apply-groups-exclude reference
            authentication
                algorithm keyword
                key string
            description string
            direction keyword
            protocol keyword
            spi number
        trust-anchor-profile string
            apply-groups reference
            apply-groups-exclude reference
            trust-anchor reference
        ts-list string
            apply-groups reference
            apply-groups-exclude reference
            local
                entry number
                    address
                        prefix (ipv4-prefix | ipv6-prefix)
                        range
                            begin (ipv4-address-no-zone | ipv6-address-no-zone)
                            end (ipv4-address-no-zone | ipv6-address-no-zone)
                    apply-groups reference
                    apply-groups-exclude reference
                    protocol
                        any
                        id
                            icmp
                                opaque
                                port-range
                                    begin-icmp-code number
                                    begin-icmp-type number
                                    end-icmp-code number
                                    end-icmp-type number
                            icmp6
                                opaque
                                port-range
                                    begin-icmp-code number
                                    begin-icmp-type number
                                    end-icmp-code number
                                    end-icmp-type number
                            mipv6
                                opaque
                                port-range
                                    begin number
                                    end number
                            protocol-id-with-any-port (keyword | number)
                            sctp
                                opaque
                                port-range
                                    begin number
                                    end number
                            tcp
                                opaque
                                port-range
                                    begin number
                                    end number
                            udp
                                opaque
                                port-range
                                    begin number
                                    end number
            remote
                entry number
                    address
                        prefix (ipv4-prefix | ipv6-prefix)
                        range
                            begin (ipv4-address-no-zone | ipv6-address-no-zone)
                            end (ipv4-address-no-zone | ipv6-address-no-zone)
                    apply-groups reference
                    apply-groups-exclude reference
                    protocol
                        any
                        id
                            icmp
                                opaque
                                port-range
                                    begin-icmp-code number
                                    begin-icmp-type number
                                    end-icmp-code number
                                    end-icmp-type number
                            icmp6
                                opaque
                                port-range
                                    begin-icmp-code number
                                    begin-icmp-type number
                                    end-icmp-code number
                                    end-icmp-type number
                            mipv6
                                opaque
                                port-range
                                    begin number
                                    end number
                            protocol-id-with-any-port (keyword | number)
                            sctp
                                opaque
                                port-range
                                    begin number
                                    end number
                            tcp
                                opaque
                                port-range
                                    begin number
                                    end number
                            udp
                                opaque
                                port-range
                                    begin number
                                    end number
        tunnel-template number
            apply-groups reference
            apply-groups-exclude reference
            clear-df-bit boolean
            copy-traffic-class-upon-decapsulation boolean
            description string
            encapsulated-ip-mtu number
            icmp-generation
                frag-required
                    admin-state keyword
                    interval number
                    message-count number
            icmp6-generation
                pkt-too-big
                    admin-state keyword
                    interval number
                    message-count number
            ignore-default-route boolean
            ip-mtu number
            ipsec-transform reference
            pmtu-discovery-aging number
            private-tcp-mss-adjust number
            propagate-pmtu-v4 boolean
            propagate-pmtu-v6 boolean
            public-tcp-mss-adjust (number | keyword)
            replay-window number
            sp-reverse-route keyword

ipsec command descriptions

ipsec

  Synopsis Enter the ipsec context
  Context configure ipsec
  Tree ipsec
 

Description

Commands in this context configure Internet Protocol Security (IPsec).

  Introduced 16.0.R4
 

Platforms

All

cert-profile [name] string

  Synopsis Enter the cert-profile list instance
  Context configure ipsec cert-profile string
  Tree cert-profile
 

Description

Commands in this context configure the certificate profile.

  Max. Instances 10200
  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

[name] string
  Synopsis Certificate profile name
  Context configure ipsec cert-profile string
  String Length 1 to 32
 

Notes

This element is part of a list key.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

admin-state keyword
  Synopsis Administrative state of the certificate profile
  Context configure ipsec cert-profile string admin-state keyword
  Tree admin-state
  Default disable
  Options enable, disable
  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

entry [id] number
  Synopsis Enter the entry list instance
  Context configure ipsec cert-profile string entry number
  Tree entry
 

Description

Commands in this context configure the certificate profile entry.

  Max. Instances 8
  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

[id] number
  Synopsis Certificate profile entry ID
  Context configure ipsec cert-profile string entry number
  Range 1 to 8
 

Notes

This element is part of a list key.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

cert string
  Synopsis File name of the imported certificate for the entry
  Context configure ipsec cert-profile string entry number cert string
  Tree cert
  String Length 1 to 95
  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

key string
  Synopsis File name of the imported key used for authentication
  Context configure ipsec cert-profile string entry number key string
  Tree key
  String Length 1 to 95
  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

rsa-signature keyword
  Synopsis Signature scheme for the RSA key
  Context configure ipsec cert-profile string entry number rsa-signature keyword
  Tree rsa-signature
  Default pkcs1
  Options pkcs1, pss
  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

send-chain
  Synopsis Enter the send-chain context
  Context configure ipsec cert-profile string entry number send-chain
  Tree send-chain
 

Description

Commands in this context allow the system to send additional CA certificates to the peer. These additional CA certificates must be in the certificate chain of the certificate specified by the cert command in the same entry.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ca-profile reference
  Synopsis CA certificate to send to the peer
  Context configure ipsec cert-profile string entry number send-chain ca-profile reference
  Tree ca-profile
 

Reference

configure system security pki ca-profile string

  Max. Instances 7
  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

client-db [name] string

  Synopsis Enter the client-db list instance
  Context configure ipsec client-db string
  Tree client-db
  Max. Instances 1000
  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

[name] string
  Synopsis IPsec client database name
  Context configure ipsec client-db string
  String Length 1 to 32
 

Notes

This element is part of a list key.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

admin-state keyword
  Synopsis Administrative state of the client database
  Context configure ipsec client-db string admin-state keyword
  Tree admin-state
  Default disable
  Options enable, disable
  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

client [id] number
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

  Synopsis Enter the client list instance
  Context configure ipsec client-db string client number
  Tree client
 

Description

Commands in this context configure the IPsec client entry in the client database.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

[id] number
  Synopsis Client ID
  Context configure ipsec client-db string client number
  Range 1 to 8000
 

Notes

This element is part of a list key.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

admin-state keyword
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

  Synopsis Administrative state of the database client
  Context configure ipsec client-db string client number admin-state keyword
  Tree admin-state
  Default disable
  Options enable, disable
  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

client-name string
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

  Synopsis Client name
  Context configure ipsec client-db string client number client-name string
  Tree client-name
  String Length 1 to 32
  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

credential
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

  Synopsis Enter the credential context
  Context configure ipsec client-db string client number credential
  Tree credential
 

Description

Commands in this context authenticate peers.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

pre-shared-key string
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

  Synopsis Pre-shared key used to authenticate peers
  Context configure ipsec client-db string client number credential pre-shared-key string
  Tree pre-shared-key
  String Length 1 to 115
  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

identification
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

  Synopsis Enter the identification context
  Context configure ipsec client-db string client number identification
  Tree identification
  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

idi
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

  Synopsis Enable the idi context
  Context configure ipsec client-db string client number identification idi
  Tree idi
  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

any boolean
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

  Synopsis Accept any IDi value as a match
  Context configure ipsec client-db string client number identification idi any boolean
  Tree any
 

Notes

The following elements are part of a mandatory choice: any, fqdn, fqdn-suffix, ipv4-prefix, ipv4-prefix-any, ipv6-prefix, ipv6-prefix-any, rfc822, or rfc822-suffix.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

fqdn string
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

  Synopsis FQDN used as the match criteria for the IDi
  Context configure ipsec client-db string client number identification idi fqdn string
  Tree fqdn
  String Length 0 to 255
 

Notes

The following elements are part of a mandatory choice: any, fqdn, fqdn-suffix, ipv4-prefix, ipv4-prefix-any, ipv6-prefix, ipv6-prefix-any, rfc822, or rfc822-suffix.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

fqdn-suffix string
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

  Synopsis FQDN suffix used as the match criteria for the IDi
  Context configure ipsec client-db string client number identification idi fqdn-suffix string
  Tree fqdn-suffix
  String Length 0 to 255
 

Notes

The following elements are part of a mandatory choice: any, fqdn, fqdn-suffix, ipv4-prefix, ipv4-prefix-any, ipv6-prefix, ipv6-prefix-any, rfc822, or rfc822-suffix.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ipv4-prefix string
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

  Synopsis IPv4 prefix used as the match criteria for the IDi
  Context configure ipsec client-db string client number identification idi ipv4-prefix string
  Tree ipv4-prefix
 

Notes

The following elements are part of a mandatory choice: any, fqdn, fqdn-suffix, ipv4-prefix, ipv4-prefix-any, ipv6-prefix, ipv6-prefix-any, rfc822, or rfc822-suffix.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ipv4-prefix-any boolean
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

  Synopsis Accept any valid IPv4 prefix as a match for the IDi
  Context configure ipsec client-db string client number identification idi ipv4-prefix-any boolean
  Tree ipv4-prefix-any
 

Notes

The following elements are part of a mandatory choice: any, fqdn, fqdn-suffix, ipv4-prefix, ipv4-prefix-any, ipv6-prefix, ipv6-prefix-any, rfc822, or rfc822-suffix.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ipv6-prefix string
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

  Synopsis IPv6 prefix used as the match criteria for the IDi
  Context configure ipsec client-db string client number identification idi ipv6-prefix string
  Tree ipv6-prefix
 

Notes

The following elements are part of a mandatory choice: any, fqdn, fqdn-suffix, ipv4-prefix, ipv4-prefix-any, ipv6-prefix, ipv6-prefix-any, rfc822, or rfc822-suffix.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ipv6-prefix-any boolean
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

  Synopsis Accept any valid IPv6 prefix as a match for the IDi
  Context configure ipsec client-db string client number identification idi ipv6-prefix-any boolean
  Tree ipv6-prefix-any
 

Notes

The following elements are part of a mandatory choice: any, fqdn, fqdn-suffix, ipv4-prefix, ipv4-prefix-any, ipv6-prefix, ipv6-prefix-any, rfc822, or rfc822-suffix.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

rfc822 string
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

  Synopsis Email address (RFC 822) used as match criteria for IDi
  Context configure ipsec client-db string client number identification idi rfc822 string
  Tree rfc822
  String Length 0 to 255
 

Notes

The following elements are part of a mandatory choice: any, fqdn, fqdn-suffix, ipv4-prefix, ipv4-prefix-any, ipv6-prefix, ipv6-prefix-any, rfc822, or rfc822-suffix.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

rfc822-suffix string
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

  Synopsis Email address domain (RFC 822) as IDi match criteria
  Context configure ipsec client-db string client number identification idi rfc822-suffix string
  Tree rfc822-suffix
  String Length 0 to 255
 

Notes

The following elements are part of a mandatory choice: any, fqdn, fqdn-suffix, ipv4-prefix, ipv4-prefix-any, ipv6-prefix, ipv6-prefix-any, rfc822, or rfc822-suffix.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

peer-ip-prefix
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

  Synopsis Enable the peer-ip-prefix context
  Context configure ipsec client-db string client number identification peer-ip-prefix
  Tree peer-ip-prefix
  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ip-prefix (ipv4-prefix | ipv6-prefix)
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

  Synopsis IP prefix used as the match criteria
  Context configure ipsec client-db string client number identification peer-ip-prefix ip-prefix (ipv4-prefix | ipv6-prefix)
  Tree ip-prefix
 

Notes

The following elements are part of a mandatory choice: ip-prefix, ipv4-only, or ipv6-only.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ipv4-only boolean
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

  Synopsis Accept any valid IPv4 address as a match
  Context configure ipsec client-db string client number identification peer-ip-prefix ipv4-only boolean
  Tree ipv4-only
 

Notes

The following elements are part of a mandatory choice: ip-prefix, ipv4-only, or ipv6-only.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ipv6-only boolean
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

  Synopsis Accept any valid IPv6 address as a match
  Context configure ipsec client-db string client number identification peer-ip-prefix ipv6-only boolean
  Tree ipv6-only
 

Notes

The following elements are part of a mandatory choice: ip-prefix, ipv4-only, or ipv6-only.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

private-interface string
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

  Synopsis Private interface name used for tunnel setup
  Context configure ipsec client-db string client number private-interface string
  Tree private-interface
  String Length 1 to 32
  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

private-service-name string
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

  Synopsis Name of the private service used for tunnel setup
  Context configure ipsec client-db string client number private-service-name string
  Tree private-service-name
  String Length 1 to 64
  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ts-list string
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

  Synopsis Traffic selector list used by the tunnel
  Context configure ipsec client-db string client number ts-list string
  Tree ts-list
  String Length 1 to 32
  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

tunnel-template number
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

  Synopsis Tunnel template ID
  Context configure ipsec client-db string client number tunnel-template number
  Tree tunnel-template
  Range 1 to 2048
  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

description string
  Synopsis Text description
  Context configure ipsec client-db string description string
  Tree description
  String Length 1 to 80
  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

match-list
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

  Synopsis Enter the match-list context
  Context configure ipsec client-db string match-list
  Tree match-list
  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

idi boolean
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

  Synopsis Use IDi type in the IPsec client matching process
  Context configure ipsec client-db string match-list idi boolean
  Tree idi
  Default false
  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

peer-ip-prefix boolean
WARNING:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

  Synopsis Use the peer tunnel IP address in the matching process
  Context configure ipsec client-db string match-list peer-ip-prefix boolean
  Tree peer-ip-prefix
  Default false
  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR
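As an added illustration (not taken from the Nokia documentation) of how the client-db nodes described above fit together, the fragment below defines a client database whose match-list enables both the IDi and peer-ip-prefix criteria, and two client entries that each supply one member of the mandatory idi choice and one member of the mandatory peer-ip-prefix choice. The brace layout mirrors MD-CLI "info" output as assumed here; the names, prefixes and pre-shared-key placeholder are constructed and must be replaced with site values. The ts-list, tunnel-template, private service and private interface referenced here are assumed to exist elsewhere in the configuration.

```text
# Added example, not from the Nokia documentation. MD-CLI brace layout assumed.
configure {
    ipsec {
        client-db "branch-sites" {
            admin-state enable
            description "Branch peers, matched on IKE identity plus tunnel source address"
            match-list {
                idi true             # compare the peer's IDi against each client's idi criteria
                peer-ip-prefix true  # and its tunnel source address against peer-ip-prefix
            }
            client 1 {
                admin-state enable
                client-name "branch-east"
                identification {
                    idi {
                        fqdn-suffix ".east.example.net"   # any IDi FQDN under this domain (constructed)
                    }
                    peer-ip-prefix {
                        ip-prefix 192.0.2.0/24            # documentation range, constructed
                    }
                }
                credential {
                    pre-shared-key "<REPLACE-WITH-SITE-PSK>"   # placeholder, never commit a real PSK here
                }
                private-service-name "vprn-branches"
                private-interface "tun-east"
                ts-list "branch-ts"
                tunnel-template 1
            }
            client 2 {
                admin-state enable
                client-name "branch-west-v6"
                identification {
                    idi {
                        rfc822-suffix "@west.example.net"   # email-style IDi from this domain (constructed)
                    }
                    peer-ip-prefix {
                        ipv6-only true                      # any valid IPv6 tunnel source
                    }
                }
                credential {
                    pre-shared-key "<REPLACE-WITH-SITE-PSK>"
                }
                private-service-name "vprn-branches"
                private-interface "tun-west"
                ts-list "branch-ts"
                tunnel-template 1
            }
        }
    }
}
```

Because the WARNING on each client element states that changing it toggles the parent's admin-state, plan edits to live client entries as a maintenance action: the affected tunnels are re-established when the parent is re-enabled. Keeping a narrow idi criterion (a suffix or explicit prefix) rather than the any option, and enabling both match-list criteria, means a peer must present a matching identity and arrive from the expected address range before its credential is even consulted.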

ike-policy [id] number

  Synopsis Enter the ike-policy list instance
  Context configure ipsec ike-policy number
  Tree ike-policy
 

Description

Commands in this context configure an Internet Key Exchange (IKE) policy.

  Max. Instances 2048
  Introduced 16.0.R4
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

[id] number
  Synopsis IKE policy ID
  Context configure ipsec ike-policy number
  Range 1 to 2048
 

Notes

This element is part of a list key.

  Introduced 16.0.R4
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

description string
  Synopsis Text description
  Context configure ipsec ike-policy number description string
  Tree description
  String Length 1 to 80
  Introduced 16.0.R4
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

dpd
  Synopsis Enable the dpd context
  Context configure ipsec ike-policy number dpd
  Tree dpd
 

Description

Commands in this context configure the dead peer detection mechanism.

  Introduced 16.0.R4
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

interval number
  Synopsis DPD interval
  Context configure ipsec ike-policy number dpd interval number
  Tree interval
 

Description

This command specifies the DPD interval.

Because additional time is needed to determine whether incoming traffic is present, the actual time required to bring down the tunnel is longer than the DPD interval multiplied by the configured maximum number of retries.

  Range 10 to 300
  Default 30
  Units seconds
  Introduced 16.0.R4
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

max-retries number
  Synopsis Maximum number of retries before the tunnel is removed
  Context configure ipsec ike-policy number dpd max-retries number
  Tree max-retries
  Range 2 to 5
  Default 3
  Introduced 16.0.R4
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

reply-only boolean
  Synopsis Initiate DPD request for incoming ESP or IKE packets
  Context configure ipsec ike-policy number dpd reply-only boolean
  Tree reply-only
  Default false
  Introduced 16.0.R4
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ike-transform reference
  Synopsis IKE transform instance associated with the IKE policy
  Context configure ipsec ike-policy number ike-transform reference
  Tree ike-transform
 

Description

This command specifies the IKE transform instance associated with the IKE policy. If multiple IDs are specified, the system selects an IKE transform based on the proposal of the peer. If the system is a tunnel initiator, it uses the configured IKE transform to generate the SA payload.

 

Reference

configure ipsec ike-transform number

  Max. Instances 4
  Introduced 16.0.R4
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ike-version-1
  Synopsis Enter the ike-version-1 context
  Context configure ipsec ike-policy number ike-version-1
  Tree ike-version-1
 

Description

Commands in this context configure the IKE version 1 mode of operation that the IKE policy uses.

 

Notes

The following elements are part of a choice: ike-version-1 or ike-version-2.

  Introduced 16.0.R4
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

auth-method keyword
  Synopsis Authentication method used with the IKE policy
  Context configure ipsec ike-policy number ike-version-1 auth-method keyword
  Tree auth-method
  Default psk
  Options psk, plain-psk-xauth
  Introduced 16.0.R4
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ike-mode keyword
  Synopsis Mode of operation
  Context configure ipsec ike-policy number ike-version-1 ike-mode keyword
  Tree ike-mode
  Default main
  Options main, aggressive
  Introduced 16.0.R4
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

own-auth-method keyword
  Synopsis Authentication method used with policy on its own side
  Context configure ipsec ike-policy number ike-version-1 own-auth-method keyword
  Tree own-auth-method
  Default symmetric
  Options symmetric
  Introduced 16.0.R4
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ph1-responder-delete-notify boolean
  Synopsis Send delete notification for IKEv1 phase 1 removal
  Context configure ipsec ike-policy number ike-version-1 ph1-responder-delete-notify boolean
  Tree ph1-responder-delete-notify
 

Description

When configured to true, a delete notification is sent to the peer when deleting an IKEv1 phase 1 SA for which it was the responder.

When configured to false, no notification is sent.

  Default true
  Introduced 16.0.R4
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ike-version-2
  Synopsis Enable the ike-version-2 context
  Context configure ipsec ike-policy number ike-version-2
  Tree ike-version-2
 

Description

Commands in this context configure the IKE version 2 mode of operation that the IKE policy uses.

 

Notes

The following elements are part of a choice: ike-version-1 or ike-version-2.

  Introduced 16.0.R4
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

auth-method keyword
  Synopsis Authentication method used with the IKE policy
  Context configure ipsec ike-policy number ike-version-2 auth-method keyword
  Tree auth-method
  Default psk
  Options psk, cert, psk-radius, cert-radius, eap, auto-eap-radius, auto-eap
  Introduced 16.0.R4
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

auto-eap-method keyword
  Synopsis Authentication method used for the remote peer
  Context configure ipsec ike-policy number ike-version-2 auto-eap-method keyword
  Tree auto-eap-method
 

Description

This command specifies the behavior for the IKEv2 remote-access tunnel when the authentication method uses EAP or potentially another method to authenticate the remote peer.

  Default cert
  Options psk, cert, psk-or-cert
  Introduced 16.0.R4
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ikev2-fragment
  Synopsis Enable the ikev2-fragment context
  Context configure ipsec ike-policy number ike-version-2 ikev2-fragment
  Tree ikev2-fragment
 

Description

Commands in this context configure IKEv2 protocol level fragmentation (RFC 7383).

  Introduced 16.0.R4
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

mtu number
  Synopsis Maximum size of the IKEv2 packet
  Context configure ipsec ike-policy number ike-version-2 ikev2-fragment mtu number
  Tree mtu
  Range 512 to 9000
  Default 1500
  Units octets
  Introduced 16.0.R4
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

reassembly-timeout number
  Synopsis Timeout for reassembly of IKEv2 message fragments
  Context configure ipsec ike-policy number ike-version-2 ikev2-fragment reassembly-timeout number
  Tree reassembly-timeout
  Range 1 to 5
  Default 2
  Units seconds
  Introduced 16.0.R4
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

own-auth-method keyword
  Synopsis Authentication method used with IKE policy on own side
  Context configure ipsec ike-policy number ike-version-2 own-auth-method keyword
  Tree own-auth-method
  Default symmetric
  Options symmetric, psk, cert, eap-only
  Introduced 16.0.R4
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

own-auto-eap-method keyword
  Synopsis Authentication method used on its own side
  Context configure ipsec ike-policy number ike-version-2 own-auto-eap-method keyword
  Tree own-auto-eap-method
 

Description

This command specifies the behavior for the IKEv2 remote-access tunnel when the authentication method uses EAP or potentially another method to authenticate the peer.

  Default cert
  Options psk, cert
  Introduced 16.0.R4
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

send-idr-after-eap-success boolean
  Synopsis Send IDr payload in last IKE authentication response
  Context configure ipsec ike-policy number ike-version-2 send-idr-after-eap-success boolean
  Tree send-idr-after-eap-success
 

Description

When configured to true, the Identification Responder (IDr) payload is added in the last IKE authentication response after an Extensible Authentication Protocol (EAP) Success packet is received.

When configured to false, the IDr payload is not included in the last IKE authentication response.

  Default true
  Introduced 16.0.R4
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ipsec-lifetime number
  Synopsis Lifetime of the Phase 2 IKE key
  Context configure ipsec ike-policy number ipsec-lifetime number
  Tree ipsec-lifetime
  Range 1200 to 31536000
  Default 3600
  Units seconds
  Introduced 16.0.R4
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

limit-init-exchange
  Synopsis Enter the limit-init-exchange context
  Context configure ipsec ike-policy number limit-init-exchange
  Tree limit-init-exchange
 

Description

Commands in this context limit the number of ongoing IKEv2 initial exchanges per tunnel.

  Introduced 16.0.R4
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

admin-state keyword
  Synopsis Administrative state of limiting initial IKE exchanges
  Context configure ipsec ike-policy number limit-init-exchange admin-state keyword
  Tree admin-state
  Default enable
  Options enable, disable
  Introduced 16.0.R4
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

reduced-max-exchange-timeout (number | keyword)
  Synopsis Maximum timeout for in-progress initial IKE exchange
  Context configure ipsec ike-policy number limit-init-exchange reduced-max-exchange-timeout (number | keyword)
  Tree reduced-max-exchange-timeout
 

Description

This command configures the maximum timeout for the in-progress initial IKE exchange. If a new IKEv2 IKE_SA_INIT request is received when there is an ongoing IKEv2 initial exchange from the same peer, the timeout value of the existing exchange is set to this specified value. If the none option is configured for this command, the timeout value remains unchanged.

  Range 2 to 60
  Default 2
  Units seconds
  Options none
  Introduced 16.0.R4
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

lockout
  Synopsis Enable the lockout context
  Context configure ipsec ike-policy number lockout
  Tree lockout
 

Description

Commands in this context specify the lockout mechanism for the IPsec tunnel. These commands apply only when the system acts as a tunnel responder.

  Introduced 16.0.R4
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

block (number | keyword)
  Synopsis Time a client is blocked for failed authentications
  Context configure ipsec ike-policy number lockout block (number | keyword)
  Tree block
 

Description

This command configures the time the client is blocked if the number of failed authentications exceeds the configured value within the specified duration.

  Range 1 to 1440
  Default 10
  Units minutes
  Options infinite
  Introduced 16.0.R4
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

duration number
  Synopsis Time interval for failed attempts threshold
  Context configure ipsec ike-policy number lockout duration number
  Tree duration
 

Description

This command specifies the time interval in which the configured failed authentication count must be exceeded to trigger a lockout.

  Range 1 to 60
  Default 5
  Units minutes
  Introduced 16.0.R4
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

failed-attempts number
  Synopsis Maximum failed authentications allowed in the duration
  Context configure ipsec ike-policy number lockout failed-attempts number
  Tree failed-attempts
  Range 1 to 64
  Default 3
  Introduced 16.0.R4
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

max-port-per-ip number
  Synopsis Maximum number of ports allowed under the same IP address
  Context configure ipsec ike-policy number lockout max-port-per-ip number
  Tree max-port-per-ip
 

Description

This command configures the maximum number of ports allowed under the same IP address. When the threshold is exceeded and the client is locked out, all ports behind the IP address are blocked.

  Range 1 to 32000
  Default 16
  Introduced 16.0.R4
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR
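The lockout and limit-init-exchange behaviour described above, as an added model written for this page (not Nokia code): a client is keyed by (IP, UDP port), failures are counted inside the duration window, the block expiry follows the block value or is infinite, and the whole IP is blocked once more than max-port-per-ip ports have been seen behind it. Timestamps are plain seconds passed in by the caller, and the undisturbed initial-exchange lifetime (`normal_timeout`) is an assumed value the page does not give.

```python
from collections import defaultdict, deque

INFINITE = "infinite"   # `lockout block infinite`
NONE = "none"           # `reduced-max-exchange-timeout none`


class IkeLockout:
    """Responder-side lockout (ike-policy lockout context).

    A client, identified by (IP, UDP port), that fails authentication more than
    `failed_attempts` times within `duration` minutes is blocked for `block`
    minutes (or for ever with INFINITE).  When more than `max_port_per_ip`
    ports have been seen behind one IP address and a client there is locked
    out, every port behind that IP is blocked.  Arguments default to the
    values documented above; timestamps are plain seconds so the model is
    deterministic.
    """

    def __init__(self, block=10, duration=5, failed_attempts=3, max_port_per_ip=16):
        self.block_s = None if block == INFINITE else block * 60
        self.duration_s = duration * 60
        self.failed_attempts = failed_attempts
        self.max_port_per_ip = max_port_per_ip
        self._failures = defaultdict(deque)  # (ip, port) -> failure timestamps
        self._ports = defaultdict(set)       # ip -> UDP ports seen behind it
        self._blocked_clients = {}           # (ip, port) -> expiry (None = infinite)
        self._blocked_ips = {}               # ip -> expiry (None = infinite)

    @staticmethod
    def _active(table, key, now):
        """True if `key` is blocked at `now`; expired entries are dropped."""
        if key not in table:
            return False
        expiry = table[key]
        if expiry is not None and now >= expiry:
            del table[key]
            return False
        return True

    def is_blocked(self, ip, port, now):
        return (self._active(self._blocked_ips, ip, now)
                or self._active(self._blocked_clients, (ip, port), now))

    def record_failure(self, ip, port, now):
        """Register a failed authentication; returns True if it triggers a lockout."""
        self._ports[ip].add(port)
        window = self._failures[(ip, port)]
        window.append(now)
        while window and now - window[0] > self.duration_s:
            window.popleft()                 # keep only failures inside `duration`
        if len(window) <= self.failed_attempts:
            return False
        expiry = None if self.block_s is None else now + self.block_s
        self._blocked_clients[(ip, port)] = expiry
        if len(self._ports[ip]) > self.max_port_per_ip:
            self._blocked_ips[ip] = expiry   # too many ports behind this IP: block them all
        window.clear()
        return True


class InitExchangeLimiter:
    """ike-policy limit-init-exchange: bounds the in-progress IKEv2 initial
    exchanges per peer.  When a fresh IKE_SA_INIT arrives while an exchange
    from the same peer is still open, the open exchange's timeout is set to
    `reduced_max_exchange_timeout` seconds (default 2); with NONE it is left
    unchanged.  `normal_timeout` (the undisturbed exchange lifetime) is not
    documented on the page and is an assumed value for the model.
    """

    def __init__(self, admin_state="enable", reduced_max_exchange_timeout=2, normal_timeout=30):
        self.enabled = admin_state == "enable"
        self.reduced = reduced_max_exchange_timeout
        self.normal_timeout = normal_timeout
        self._ongoing = defaultdict(list)    # peer ip -> deadlines of open exchanges

    def on_ike_sa_init(self, peer_ip, now):
        """Register a new IKE_SA_INIT; returns the deadlines of the exchanges
        that were already open for this peer, after any reduction."""
        open_ = [d for d in self._ongoing[peer_ip] if d > now]   # drop timed-out ones
        if self.enabled and self.reduced != NONE:
            open_ = [now + self.reduced for _ in open_]
        self._ongoing[peer_ip] = open_ + [now + self.normal_timeout]
        return open_


if __name__ == "__main__":
    guard = IkeLockout()                     # block 10, duration 5, failed-attempts 3
    for t in (0, 10, 20):
        guard.record_failure("198.51.100.7", 4500, t)
    print(guard.record_failure("198.51.100.7", 4500, 30))   # 4th failure inside 5 min -> True
    print(guard.is_blocked("198.51.100.7", 4500, 631))      # block expired after 10 min -> False
```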

match-peer-id-to-cert boolean
  Synopsis Check IKE peer ID during certificate authentication
  Context configure ipsec ike-policy number match-peer-id-to-cert boolean
  Tree match-peer-id-to-cert
  Default false
  Introduced 16.0.R4
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

nat-traversal
  Synopsis Enable the nat-traversal context
  Context configure ipsec ike-policy number nat-traversal
  Tree nat-traversal
 

Description

Commands in this context configure the Network Address Translation Traversal (NAT-T) functionality.

  Introduced 16.0.R4
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

force boolean
  Synopsis Enable NAT-T in forced mode
  Context configure ipsec ike-policy number nat-traversal force boolean
  Tree force
  Default false
  Introduced 16.0.R4
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

force-keep-alive boolean
  Synopsis Continue sending keepalive packets (no expiry)
  Context configure ipsec ike-policy number nat-traversal force-keep-alive boolean
  Tree force-keep-alive
  Default true
  Introduced 16.0.R4
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

keep-alive-interval number
  Synopsis Keepalive interval for NAT-T
  Context configure ipsec ike-policy number nat-traversal keep-alive-interval number
  Tree keep-alive-interval
  Range 120 to 600
  Units seconds
  Introduced 16.0.R4
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

pfs
  Synopsis Enable the pfs context
  Context configure ipsec ike-policy number pfs
  Tree pfs
 

Description

Commands in this context configure perfect forward secrecy on the IPsec tunnel using the policy. PFS provides for a new Diffie-Hellman (DH) key exchange each time the Security Association (SA) key is renegotiated. When the SA key expires, another key is generated (if the SA remains up).

  Introduced 16.0.R4
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

dh-group keyword
  Synopsis Diffie-Hellman group used to calculate session keys
  Context configure ipsec ike-policy number pfs dh-group keyword
  Tree dh-group
 

Description

This command specifies which DH group to use for calculating session keys. More bits provide a higher level of security, but require more processing.

  Default group-2
  Options group-1, group-2, group-5, group-14, group-15, group-19, group-20, group-21
  Introduced 16.0.R4
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

relay-unsolicited-cfg-attribute
  Synopsis Enter the relay-unsolicited-cfg-attribute context
  Context configure ipsec ike-policy number relay-unsolicited-cfg-attribute
  Tree relay-unsolicited-cfg-attribute
 

Description

Commands in this context select which attributes received from the source (such as a RADIUS server) are returned to the IKEv2 remote-access tunnel client regardless of whether the client requested the attribute in the CFG_REQUEST payload.

  Introduced 16.0.R4
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

internal-ip4-address boolean
  Synopsis Return the IPv4 address from the source to the client
  Context configure ipsec ike-policy number relay-unsolicited-cfg-attribute internal-ip4-address boolean
  Tree internal-ip4-address
 

Description

When configured to true, the system returns the IPv4 address from the source (such as a RADIUS server) to the IKEv2 remote-access tunnel client regardless of whether the client requested the address in the CFG_REQUEST payload.

  Default false
  Introduced 16.0.R4
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

internal-ip4-dns boolean
  Synopsis Return IPv4 DNS server address from source to client
  Context configure ipsec ike-policy number relay-unsolicited-cfg-attribute internal-ip4-dns boolean
  Tree internal-ip4-dns
 

Description

When configured to true, the system returns the IPv4 DNS server address from the source (such as a RADIUS server) to the IKEv2 remote-access tunnel client regardless of whether the client requested the address in the CFG_REQUEST payload.

  Default false
  Introduced 16.0.R4
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

internal-ip4-netmask boolean
  Synopsis Return the IPv4 netmask from the source to the client
  Context configure ipsec ike-policy number relay-unsolicited-cfg-attribute internal-ip4-netmask boolean
  Tree internal-ip4-netmask
 

Description

When configured to true, the system returns the IPv4 netmask from the source (such as a RADIUS server) to the IKEv2 remote-access tunnel client regardless of whether the client requested the netmask in the CFG_REQUEST payload.

  Default false
  Introduced 16.0.R4
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

internal-ip6-address boolean
  Synopsis Return the IPv6 address from the source to the client
  Context configure ipsec ike-policy number relay-unsolicited-cfg-attribute internal-ip6-address boolean
  Tree internal-ip6-address
 

Description

When configured to true, the system returns the IPv6 address from the source (such as a RADIUS server) to the IKEv2 remote-access tunnel client regardless of whether the client requested the address in the CFG_REQUEST payload.

  Default false
  Introduced 16.0.R4
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

internal-ip6-dns boolean
  Synopsis Return IPv6 DNS server address from source to client
  Context configure ipsec ike-policy number relay-unsolicited-cfg-attribute internal-ip6-dns boolean
  Tree internal-ip6-dns
 

Description

When configured to true, the system returns the IPv6 DNS server address from the source (such as a RADIUS server) to the IKEv2 remote-access tunnel client regardless of whether the client requested the address in the CFG_REQUEST payload.

  Default false
  Introduced 16.0.R4
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ike-transform [id] number

  Synopsis Enter the ike-transform list instance
  Context configure ipsec ike-transform number
  Tree ike-transform
  Max. Instances 4096
  Introduced 16.0.R4
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

[id] number
  Synopsis IKE transform instance ID
  Context configure ipsec ike-transform number
  Range 1 to 4096
 

Notes

This element is part of a list key.

  Introduced 16.0.R4
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

dh-group keyword
  Synopsis Diffie-Hellman group used to calculate session keys
  Context configure ipsec ike-transform number dh-group keyword
  Tree dh-group
  Default group-2
  Options group-1, group-2, group-5, group-14, group-15, group-19, group-20, group-21
  Introduced 16.0.R4
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ike-auth-algorithm keyword
  Synopsis IKE authentication algorithm for IKE transform instance
  Context configure ipsec ike-transform number ike-auth-algorithm keyword
  Tree ike-auth-algorithm
  Default sha-1
  Options md-5, sha-1, sha-256, sha-384, sha-512, aes-xcbc, auth-encryption
  Introduced 16.0.R4
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ike-encryption-algorithm keyword
  Synopsis IKE encryption algorithm for the IKE transform instance
  Context configure ipsec ike-transform number ike-encryption-algorithm keyword
  Tree ike-encryption-algorithm
  Default aes-128
  Options des, des-3, aes-128, aes-192, aes-256, aes128-gcm8, aes128-gcm16, aes256-gcm8, aes256-gcm16
  Introduced 16.0.R4
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ike-prf-algorithm keyword
  Synopsis PRF algorithm for the IKE transform instance
  Context configure ipsec ike-transform number ike-prf-algorithm keyword
  Tree ike-prf-algorithm
 

Description

This command specifies the pseudo-random function (PRF) algorithm used for the IKE security association.

If a combined-mode (authenticated encryption) algorithm such as AES-GCM is used as the IKE encryption algorithm, same-as-auth cannot be used for the IKE PRF algorithm; an explicit PRF must be configured.

  Default same-as-auth
  Options md-5, sha-1, sha-256, sha-384, sha-512, aes-xcbc, same-as-auth
  Introduced 16.0.R6
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

isakmp-lifetime number
  Synopsis Phase 1 lifetime for the IKE transform instance
  Context configure ipsec ike-transform number isakmp-lifetime number
  Tree isakmp-lifetime
  Range 1200 to 31536000
  Default 86400
  Units seconds
  Introduced 16.0.R4
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ipsec-transform [id] number

  Synopsis Enter the ipsec-transform list instance
  Context configure ipsec ipsec-transform number
  Tree ipsec-transform
 

Description

Commands in this context create an IPsec transform policy. IPsec transform policies can be shared. A change to an IPsec transform is allowed at any time. The change does not affect tunnels that are already established until they are renegotiated. If the change is required immediately, the tunnel must be cleared (reset) to force renegotiation.

IPsec transform policy assignments to a tunnel require the tunnel to be shut down.

  Max. Instances 2048
  Introduced 16.0.R4
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

[id] number
  Synopsis IPsec transform policy ID
  Context configure ipsec ipsec-transform number
  Range 1 to 2048
 

Notes

This element is part of a list key.

  Introduced 16.0.R4
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

esp-auth-algorithm keyword
  Synopsis Encapsulating Security Payload (ESP) authentication
  Context configure ipsec ipsec-transform number esp-auth-algorithm keyword
  Tree esp-auth-algorithm
 

Description

This command specifies the hashing algorithm used for the authentication function. Both ends of a manually configured tunnel must share the same configuration for the IPsec tunnel to enter the operational state.

  Default sha-1
  Options null, md-5, sha-1, sha-256, sha-384, sha-512, aes-xcbc, auth-encryption
  Introduced 16.0.R4
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

esp-encryption-algorithm keyword
  Synopsis Encryption algorithm for the IPsec transform session
  Context configure ipsec ipsec-transform number esp-encryption-algorithm keyword
  Tree esp-encryption-algorithm
 

Description

This command specifies the encryption algorithm used for the IPsec session. Encryption applies only to ESP configurations. If encryption is not defined, ESP is not used.

Both ends of a manually configured tunnel must share the same encryption algorithm for the IPsec tunnel to enter the operational state.

When AES-GCM or AES-GMAC is configured:

  • esp-auth-algorithm must be set to auth-encryption

  • the system does not include the authentication algorithm in the ESP proposal of the SA payload

  • the IPsec transform cannot be used for manual keying

  Default aes-128
  Options null, des, des-3, aes-128, aes-192, aes-256, aes128-gcm8, aes128-gcm12, aes128-gcm16, aes192-gcm8, aes192-gcm12, aes192-gcm16, aes256-gcm8, aes256-gcm12, aes256-gcm16, null-aes128-gmac, null-aes192-gmac, null-aes256-gmac
  Introduced 16.0.R4
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

extended-sequence-number boolean
  Synopsis Enable extended sequence numbering support
  Context configure ipsec ipsec-transform number extended-sequence-number boolean
  Tree extended-sequence-number
 

Description

When configured to true, this command enables 64-bit extended sequence numbering (ESN) support. ESN is used on high-throughput CHILD_SAs to avoid the frequent rekeying that 32-bit sequence number wraparound would otherwise cause.

When configured to false, only 32-bit sequence numbering is supported.

  Default false
  Introduced 21.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ipsec-lifetime number
  Synopsis Phase 2 lifetime for the IPsec transform session
  Context configure ipsec ipsec-transform number ipsec-lifetime number
  Tree ipsec-lifetime
 

Description

This command configures the lifetime of the Phase 2 IKE key.

When unconfigured, the value is inherited from the IPsec lifetime configured in the corresponding IKE policy configured for the same IPsec gateway or IPsec tunnel.

  Range 1200 to 31536000
  Units seconds
  Introduced 16.0.R4
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

pfs-dh-group keyword
  Synopsis Diffie-Hellman group used for PFS compilation
  Context configure ipsec ipsec-transform number pfs-dh-group keyword
  Tree pfs-dh-group
 

Description

This command specifies the DH group used for Perfect Forward Secrecy (PFS) compilation during CHILD_SA rekeying.

When unconfigured, the value is inherited from the DH group value from the IPsec gateway or IPsec tunnel.

  Options none, group-1, group-2, group-5, group-14, group-15, group-19, group-20, group-21
  Introduced 16.0.R4
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR
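The transform rules stated in the ike-prf-algorithm, esp-auth-algorithm, esp-encryption-algorithm, ipsec-lifetime and pfs-dh-group entries above, collected into one added checker written for this page (not Nokia code). Transforms are plain dicts keyed by the command names on the page; `manual_keying` and `tunnel_dh_group` are arguments introduced here to stand for the manually keyed tunnel and the gateway's or tunnel's DH group, which this page does not define.

```python
# Constructed example (not Nokia code): the transform rules stated on this page.
AEAD_MARKERS = ("gcm", "gmac")   # AES-GCM / AES-GMAC carry their own integrity tag

ESP_ENCRYPTION_OPTIONS = {
    "null", "des", "des-3", "aes-128", "aes-192", "aes-256",
    "aes128-gcm8", "aes128-gcm12", "aes128-gcm16", "aes192-gcm8", "aes192-gcm12",
    "aes192-gcm16", "aes256-gcm8", "aes256-gcm12", "aes256-gcm16",
    "null-aes128-gmac", "null-aes192-gmac", "null-aes256-gmac",
}
LIFETIME_RANGE = (1200, 31536000)   # ipsec-lifetime range, seconds


def is_aead(alg):
    """True for combined-mode ciphers, which the page calls auth-encryption."""
    return any(marker in alg for marker in AEAD_MARKERS)


def check_ike_transform(t):
    """Violations in an ike-transform (dict keyed by the page's command names)."""
    errors = []
    enc = t.get("ike-encryption-algorithm", "aes-128")
    prf = t.get("ike-prf-algorithm", "same-as-auth")
    if is_aead(enc) and prf == "same-as-auth":
        errors.append("ike-prf-algorithm same-as-auth cannot be used with "
                      f"an AEAD IKE cipher ({enc}); configure an explicit PRF")
    return errors


def check_ipsec_transform(t, manual_keying=False):
    """Violations in an ipsec-transform; `manual_keying` marks a manually keyed tunnel."""
    errors = []
    enc = t.get("esp-encryption-algorithm", "aes-128")
    auth = t.get("esp-auth-algorithm", "sha-1")
    if enc not in ESP_ENCRYPTION_OPTIONS:
        errors.append(f"unknown esp-encryption-algorithm {enc}")
    if is_aead(enc):
        if auth != "auth-encryption":
            errors.append(f"{enc} requires esp-auth-algorithm auth-encryption")
        if manual_keying:
            errors.append(f"{enc} cannot be used for manual keying")
    lifetime = t.get("ipsec-lifetime")
    if lifetime is not None and not LIFETIME_RANGE[0] <= lifetime <= LIFETIME_RANGE[1]:
        errors.append(f"ipsec-lifetime {lifetime} outside {LIFETIME_RANGE}")
    return errors


def esp_proposal(t):
    """(encryption, integrity) the ESP proposal of the SA payload would carry.
    For AEAD ciphers the integrity algorithm is omitted, as the page states."""
    enc = t.get("esp-encryption-algorithm", "aes-128")
    auth = t.get("esp-auth-algorithm", "sha-1")
    return (enc, None if is_aead(enc) else auth)


def effective_child_sa(ipsec_transform, ike_policy, tunnel_dh_group):
    """Resolve the CHILD_SA parameters that may be left unconfigured:
    ipsec-lifetime falls back to the IKE policy's ipsec-lifetime (default 3600),
    pfs-dh-group falls back to the DH group of the IPsec gateway or tunnel
    (passed in here as `tunnel_dh_group`)."""
    lifetime = ipsec_transform.get("ipsec-lifetime",
                                   ike_policy.get("ipsec-lifetime", 3600))
    pfs = ipsec_transform.get("pfs-dh-group", tunnel_dh_group)
    return {"ipsec-lifetime": lifetime, "pfs-dh-group": pfs}


if __name__ == "__main__":
    gcm = {"esp-encryption-algorithm": "aes256-gcm16", "esp-auth-algorithm": "sha-256"}
    print(check_ipsec_transform(gcm, manual_keying=True))   # two violations
    gcm["esp-auth-algorithm"] = "auth-encryption"
    print(esp_proposal(gcm))                                # ('aes256-gcm16', None)
    print(effective_child_sa({}, {"ipsec-lifetime": 7200}, "group-14"))
```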

ipsec-transport-mode-profile [name] string

  Synopsis Enter the ipsec-transport-mode-profile list instance
  Context configure ipsec ipsec-transport-mode-profile string
  Tree ipsec-transport-mode-profile
 

Description

Commands in this context configure IPsec-specific attributes that allow an IP tunnel (for example, GRE) to be protected by using IPsec transport mode.

  Introduced 21.10.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

[name] string
  Synopsis IPsec transport mode profile name string
  Context configure ipsec ipsec-transport-mode-profile string
 

Description

This command specifies the name of the IPsec transport mode profile.

  String Length 1 to 32
 

Notes

This element is part of a list key.

  Introduced 21.10.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

description string
  Synopsis Text description
  Context configure ipsec ipsec-transport-mode-profile string description string
  Tree description
  String Length 1 to 80
  Introduced 21.10.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

key-exchange
  Synopsis Enter the key-exchange context
  Context configure ipsec ipsec-transport-mode-profile string key-exchange
  Tree key-exchange
 

Description

Commands in this context configure the key exchange used each time the Security Association (SA) key is renegotiated.

  Introduced 21.10.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

dynamic
  Synopsis Enter the dynamic context
  Context configure ipsec ipsec-transport-mode-profile string key-exchange dynamic
  Tree dynamic
 

Description

Commands in this context configure dynamic keying for the transport mode profile.

  Introduced 21.10.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

auto-establish boolean
  Synopsis Attempt to establish automatic phase 1 exchange
  Context configure ipsec ipsec-transport-mode-profile string key-exchange dynamic auto-establish boolean
  Tree auto-establish
  Default false
  Introduced 21.10.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

cert
  Synopsis Enter the cert context
  Context configure ipsec ipsec-transport-mode-profile string key-exchange dynamic cert
  Tree cert
 

Description

Commands in this context configure the attributes of the dynamic keying certificate.

  Introduced 21.10.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

cert-profile reference
  Synopsis Certificate profile name
  Context configure ipsec ipsec-transport-mode-profile string key-exchange dynamic cert cert-profile reference
  Tree cert-profile
 

Reference

configure ipsec cert-profile string

  Introduced 21.10.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

status-verify
  Synopsis Enter the status-verify context
  Context configure ipsec ipsec-transport-mode-profile string key-exchange dynamic cert status-verify
  Tree status-verify
 

Description

Commands in this context configure attributes of Certificate Status Verification (CSV).

  Introduced 21.10.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

default-result keyword
  Synopsis Default result for Certificate Status Verification
  Context configure ipsec ipsec-transport-mode-profile string key-exchange dynamic cert status-verify default-result keyword
  Tree default-result
 

Description

This command specifies the default certificate revocation status result to use when all configured CSV methods fail to return a result.

  Default revoked
  Options revoked, good
  Introduced 21.10.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

primary keyword
  Synopsis Primary method of CSV to verify the revocation status
  Context configure ipsec ipsec-transport-mode-profile string key-exchange dynamic cert status-verify primary keyword
  Tree primary
 

Description

This command configures the primary method of Certificate Status Verification (CSV) that is used to verify the revocation status of the certificate of the peer.

  Default crl
  Options crl, ocsp
  Introduced 21.10.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

secondary keyword
  Synopsis Secondary method used to verify certificate revocation
  Context configure ipsec ipsec-transport-mode-profile string key-exchange dynamic cert status-verify secondary keyword
  Tree secondary
 

Description

This command specifies the secondary method of Certificate Status Verification (CSV) that is used to verify the revocation status of the peer certificate.

  Default none
  Options none, crl, ocsp
  Introduced 21.10.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

trust-anchor-profile reference
  Synopsis Trust anchor profile name
  Context configure ipsec ipsec-transport-mode-profile string key-exchange dynamic cert trust-anchor-profile reference
  Tree trust-anchor-profile
 

Reference

configure ipsec trust-anchor-profile string

  Introduced 21.10.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

id
  Synopsis Enter the id context
  Context configure ipsec ipsec-transport-mode-profile string key-exchange dynamic id
  Tree id
 

Description

Commands in this context specify the local ID used for IDi or IDr for IKEv2 negotiation.

The default behavior depends on the local authentication method as follows:

  • Psk: local tunnel IP address

  • Cert-auth: subject of the local certificate

  Introduced 21.10.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

fqdn string
  Synopsis FQDN used as the local ID IKE type
  Context configure ipsec ipsec-transport-mode-profile string key-exchange dynamic id fqdn string
  Tree fqdn
  String Length 1 to 255
 

Notes

The following elements are part of a choice: fqdn, ipv4, or ipv6.

  Introduced 21.10.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ipv4 string
  Synopsis IPv4 as the local ID type
  Context configure ipsec ipsec-transport-mode-profile string key-exchange dynamic id ipv4 string
  Tree ipv4
 

Notes

The following elements are part of a choice: fqdn, ipv4, or ipv6.

  Introduced 21.10.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ipv6 (ipv4-address-no-zone | ipv6-address-no-zone)
  Synopsis IPv6 used as the local IKE ID type
  Context configure ipsec ipsec-transport-mode-profile string key-exchange dynamic id ipv6 (ipv4-address-no-zone | ipv6-address-no-zone)
  Tree ipv6
 

Notes

The following elements are part of a choice: fqdn, ipv4, or ipv6.

  Introduced 21.10.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ike-policy reference
  Synopsis IKE policy ID
  Context configure ipsec ipsec-transport-mode-profile string key-exchange dynamic ike-policy reference
  Tree ike-policy
 

Description

This command specifies the ID of the IKE policy used for IKE negotiation.

The ipsec-transport-mode-profile configuration only supports IKEv2.

 

Reference

configure ipsec ike-policy number

  Introduced 21.10.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ipsec-transform reference
  Synopsis IPsec transform IDs used by the dynamic key
  Context configure ipsec ipsec-transport-mode-profile string key-exchange dynamic ipsec-transform reference
  Tree ipsec-transform
 

Description

This command specifies IPsec transform IDs used for CHILD_SA negotiation.

 

Reference

configure ipsec ipsec-transform number

  Max. Instances 4
  Introduced 21.10.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

pre-shared-key string
  Synopsis Pre-shared key for IKE authentication
  Context configure ipsec ipsec-transport-mode-profile string key-exchange dynamic pre-shared-key string
  Tree pre-shared-key
  String Length 1 to 115
  Introduced 21.10.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

max-history-key-records
  Synopsis Enter the max-history-key-records context
  Context configure ipsec ipsec-transport-mode-profile string max-history-key-records
  Tree max-history-key-records
 

Description

Commands in this context configure the settings for recording historical IPsec keys.

  Introduced 21.10.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

esp number
  Synopsis Maximum number of historical ESP key records
  Context configure ipsec ipsec-transport-mode-profile string max-history-key-records esp number
  Tree esp
  Range 1 to 48
  Introduced 21.10.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ike number
  Synopsis Maximum number of historical IKE key records
  Context configure ipsec ipsec-transport-mode-profile string max-history-key-records ike number
  Tree ike
  Range 1 to 3
  Introduced 21.10.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

replay-window number
  Synopsis Anti-replay window size
  Context configure ipsec ipsec-transport-mode-profile string replay-window number
  Tree replay-window
 

Description

This command specifies the size of an IPsec anti-replay window. If unconfigured, IPsec anti-replay is disabled.

  Range 32 | 64 | 128 | 256 | 512
  Units packets
  Introduced 21.10.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR
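The replay-window and extended-sequence-number settings above, modelled as an added example written for this page (not Nokia code): an RFC 4303-style sliding bitmap of one of the permitted window sizes classifies each inbound ESP sequence number, an unconfigured window (None) disables the check, and the sequence-number space (2^32, or 2^64 with ESN) marks the point at which the CHILD_SA must be rekeyed.

```python
# Constructed model of the replay-window / extended-sequence-number behaviour (not Nokia code).
REPLAY_WINDOW_SIZES = (32, 64, 128, 256, 512)   # the page's permitted values, in packets


class EspInbound:
    """Anti-replay state for one inbound ESP SA.

    `replay_window` is the configured window size or None (unconfigured, so
    anti-replay is disabled).  `extended_sequence_number` selects the 64-bit
    sequence space; without it the 32-bit counter is exhausted after 2^32 - 1
    packets and the SA must be rekeyed.
    """

    def __init__(self, replay_window=None, extended_sequence_number=False):
        if replay_window is not None and replay_window not in REPLAY_WINDOW_SIZES:
            raise ValueError(f"replay-window must be one of {REPLAY_WINDOW_SIZES}")
        self.window = replay_window
        self.max_seq = (1 << (64 if extended_sequence_number else 32)) - 1
        self.highest = 0          # highest sequence number accepted so far
        self.seen = 0             # bitmap: bit i set => (highest - i) was received

    def receive(self, seq):
        """Classify an inbound sequence number:
        'accept', 'replay' (already seen), 'stale' (below the window),
        or 'rekey-required' (sequence space exhausted)."""
        if seq > self.max_seq:
            return "rekey-required"
        if self.window is None:
            return "accept"       # replay-window unconfigured: no anti-replay check
        if seq > self.highest:
            # Slide the window up; bits that fall off the far end are forgotten.
            shift = seq - self.highest
            self.seen = ((self.seen << shift) | 1) & ((1 << self.window) - 1)
            self.highest = seq
            return "accept"
        offset = self.highest - seq
        if offset >= self.window:
            return "stale"        # older than the window can vouch for
        if (self.seen >> offset) & 1:
            return "replay"
        self.seen |= 1 << offset  # late but genuine: mark it received
        return "accept"


if __name__ == "__main__":
    sa = EspInbound(replay_window=32)
    for seq in (1, 1, 5, 3, 3, 100, 60):
        print(seq, sa.receive(seq))   # accept, replay, accept, accept, replay, accept, stale
    print(EspInbound(replay_window=64).receive(2**32))                                # rekey-required
    print(EspInbound(replay_window=64, extended_sequence_number=True).receive(2**32))  # accept
```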

radius

  Synopsis Enter the radius context
  Context configure ipsec radius
  Tree radius
  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

accounting-policy [name] string
  Synopsis Enter the accounting-policy list instance
  Context configure ipsec radius accounting-policy string
  Tree accounting-policy
 

Description

Commands in this context configure RADIUS accounting policies to collect accounting statistics.

  Max. Instances 100
  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

[name] string
  Synopsis RADIUS accounting policy name
  Context configure ipsec radius accounting-policy string
  String Length 1 to 32
 

Notes

This element is part of a list key.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

include-radius-attribute
  Synopsis Enter the include-radius-attribute context
  Context configure ipsec radius accounting-policy string include-radius-attribute
  Tree include-radius-attribute
 

Description

Commands in this context specify the RADIUS attributes to be included in the RADIUS Authentication-Request messages.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

acct-stats boolean
  Synopsis Include accounting attributes in RADIUS packets
  Context configure ipsec radius accounting-policy string include-radius-attribute acct-stats boolean
  Tree acct-stats
  Default false
  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

called-station-id boolean
  Synopsis Include the Called-Station-Id attribute
  Context configure ipsec radius accounting-policy string include-radius-attribute called-station-id boolean
  Tree called-station-id
  Default false
  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

calling-station-id boolean
  Synopsis Include the Calling-Station-Id attribute
  Context configure ipsec radius accounting-policy string include-radius-attribute calling-station-id boolean
  Tree calling-station-id
  Default false
  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

framed-ip-addr boolean
  Synopsis Include the Framed-IP-Address attribute
  Context configure ipsec radius accounting-policy string include-radius-attribute framed-ip-addr boolean
  Tree framed-ip-addr
  Default false
  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

framed-ipv6-prefix boolean
  Synopsis Include the Framed-IPv6-Prefix attribute
  Context configure ipsec radius accounting-policy string include-radius-attribute framed-ipv6-prefix boolean
  Tree framed-ipv6-prefix
  Default false
  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

nas-identifier boolean
  Synopsis Include the NAS-Identifier attribute
  Context configure ipsec radius accounting-policy string include-radius-attribute nas-identifier boolean
  Tree nas-identifier
  Default false
  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

nas-ip-addr boolean
  Synopsis Include the NAS-IP-Address attribute
  Context configure ipsec radius accounting-policy string include-radius-attribute nas-ip-addr boolean
  Tree nas-ip-addr
  Default false
  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

nas-port-id boolean
  Synopsis Include the NAS-Port-Id attribute
  Context configure ipsec radius accounting-policy string include-radius-attribute nas-port-id boolean
  Tree nas-port-id
  Default false
  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

radius-server-policy reference
  Synopsis Referenced RADIUS server policy
  Context configure ipsec radius accounting-policy string radius-server-policy reference
  Tree radius-server-policy
 

Reference

configure aaa radius server-policy string

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

update-interval
  Synopsis Enter the update-interval context
  Context configure ipsec radius accounting-policy string update-interval
  Tree update-interval
 

Description

Commands in this context determine how RADIUS interim-update packets are sent for IKEv2 remote-access tunnels.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

jitter number
  Synopsis Jitter interval for sending each interim-update packet
  Context configure ipsec radius accounting-policy string update-interval jitter number
  Tree jitter
 

Description

This command specifies the jitter interval for the RADIUS interim-update packets.

When unconfigured, the system uses 10% of the update interval value.

  Range 0 to 3600
  Units seconds
  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

value number
  Synopsis Update interval of the RADIUS accounting data
  Context configure ipsec radius accounting-policy string update-interval value number
  Tree value
 

Description

This command configures the update interval of the RADIUS accounting data. If a value of 0 is configured, no intermediate updates are sent.

  Range 0 | 5 to 259200
  Default 10
  Units minutes
  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

authentication-policy [name] string
  Synopsis Enter the authentication-policy list instance
  Context configure ipsec radius authentication-policy string
  Tree authentication-policy
 

Description

Commands in this context configure the RADIUS authentication policy associated with the IPsec gateway.

  Max. Instances 100
  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

[name] string
  Synopsis RADIUS authentication policy name
  Context configure ipsec radius authentication-policy string
  String Length 1 to 32
 

Notes

This element is part of a list key.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

include-radius-attribute
  Synopsis Enter the include-radius-attribute context
  Context configure ipsec radius authentication-policy string include-radius-attribute
  Tree include-radius-attribute
 

Description

Commands in this context specify the RADIUS attributes to be included in the RADIUS Authentication-Request messages.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

called-station-id boolean
  Synopsis Include the Called-Station-Id attribute
  Context configure ipsec radius authentication-policy string include-radius-attribute called-station-id boolean
  Tree called-station-id
  Default false
  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

calling-station-id boolean
  Synopsis Include the Calling-Station-Id attribute
  Context configure ipsec radius authentication-policy string include-radius-attribute calling-station-id boolean
  Tree calling-station-id
  Default false
  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

client-cert-subject-key-id boolean
  Synopsis Include the Subject Key Identifier
  Context configure ipsec radius authentication-policy string include-radius-attribute client-cert-subject-key-id boolean
  Tree client-cert-subject-key-id
 

Description

When configured to true, the Subject Key Identifier of the peer's certificate is included in the RADIUS Access-Request packet as the VSA Alc-Subject-Key-Identifier.

See the 7450 ESS, 7750 SR, 7950 XRS, and VSR RADIUS Attributes Reference Guide for more information.

  Default false
  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

nas-identifier boolean
  Synopsis Include the NAS-Identifier attribute
  Context configure ipsec radius authentication-policy string include-radius-attribute nas-identifier boolean
  Tree nas-identifier
  Default false
  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

nas-ip-addr boolean
  Synopsis Include the NAS-IP-Address attribute
  Context configure ipsec radius authentication-policy string include-radius-attribute nas-ip-addr boolean
  Tree nas-ip-addr
  Default false
  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

nas-port-id boolean
  Synopsis Include the NAS-Port-Id attribute
  Context configure ipsec radius authentication-policy string include-radius-attribute nas-port-id boolean
  Tree nas-port-id
  Default false
  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

password string
  Synopsis Password used in RADIUS access requests
  Context configure ipsec radius authentication-policy string password string
  Tree password
  String Length 1 to 115
  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

radius-server-policy reference
  Synopsis Referenced RADIUS server policy
  Context configure ipsec radius authentication-policy string radius-server-policy reference
  Tree radius-server-policy
 

Reference

configure aaa radius server-policy string

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

show-ipsec-keys boolean

  Synopsis Show IPsec IKE and ESP keys in the output
  Context configure ipsec show-ipsec-keys boolean
  Tree show-ipsec-keys
 

Description

When configured to true, IKE and ESP keys may be included in the output of those debug and admin commands that offer a key-display option.

When configured to false, keys are never displayed. Leave this disabled except during active troubleshooting: a terminal capture or session log taken while it is enabled contains live key material.

  Default false
  Introduced 16.0.R4
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

static-sa [name] string

  Synopsis Enter the static-sa list instance
  Context configure ipsec static-sa string
  Tree static-sa
  Max. Instances 1000
  Introduced 16.0.R6
 

Platforms

All

[name] string
  Synopsis Static SA name
  Context configure ipsec static-sa string
  String Length 1 to 32
 

Notes

This element is part of a list key.

  Introduced 16.0.R6
 

Platforms

All

authentication
  Synopsis Enable the authentication context
  Context configure ipsec static-sa string authentication
  Tree authentication
  Introduced 16.0.R6
 

Platforms

All

algorithm keyword
  Synopsis Authentication algorithm used for an IPsec manual SA
  Context configure ipsec static-sa string authentication algorithm keyword
  Tree algorithm
  Options md5, sha1
 

Notes

This element is mandatory.

  Introduced 16.0.R6
 

Platforms

All

key string
  Synopsis Key used for the authentication algorithm
  Context configure ipsec static-sa string authentication key string
  Tree key
  String Length 1 to 54
 

Notes

This element is mandatory.

  Introduced 16.0.R6
 

Platforms

All

description string
  Synopsis Text description
  Context configure ipsec static-sa string description string
  Tree description
  String Length 1 to 32
  Introduced 16.0.R6
 

Platforms

All

direction keyword
  Synopsis Direction to which the static SA entry can be applied
  Context configure ipsec static-sa string direction keyword
  Tree direction
  Default bidirectional
  Options inbound, outbound, bidirectional
  Introduced 16.0.R6
 

Platforms

All

protocol keyword
  Synopsis IPsec protocol used with the static SA
  Context configure ipsec static-sa string protocol keyword
  Tree protocol
  Default esp
  Options ah, esp
  Introduced 16.0.R6
 

Platforms

All

spi number
  Synopsis Security Parameter Index (SPI) for the static SA
  Context configure ipsec static-sa string spi number
  Tree spi
 

Description

This command specifies the SPI for the static SA.

When the direction command is set to inbound, the SPI identifies the SA used to verify and decrypt incoming IPsec packets. When the direction command is set to outbound, the SPI is written into the outgoing packets, and the remote node uses it to select the SA that verifies and decrypts them.

When unconfigured, the static SA cannot be used.

  Range 256 to 16383
  Introduced 16.0.R6
 

Platforms

All
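
The direction and SPI semantics above, as an added MD-CLI configuration example that is not part of the original page: two unidirectional static SAs, one inbound and one outbound, each with its own SPI and key. The SA names, SPIs, key strings and `#` annotations are constructed placeholders; the key format the platform accepts should be confirmed against the key command above (string length 1 to 54). sha1 is chosen because it is the stronger of the two algorithm options offered.

```text
configure {
    ipsec {
        # Inbound SA: the peer must place SPI 1000 in the AH header of
        # packets it sends here; this node looks the SA up by that SPI.
        static-sa "sa-in" {
            description "inbound, keyed separately from outbound"
            direction inbound
            protocol ah
            spi 1000
            authentication {
                algorithm sha1
                key "0123456789abcdef0123456789abcdef01234567"
            }
        }
        # Outbound SA: SPI 1001 is written into packets this node sends;
        # the peer needs an inbound SA with the same SPI and key.
        static-sa "sa-out" {
            description "outbound"
            direction outbound
            protocol ah
            spi 1001
            authentication {
                algorithm sha1
                key "89abcdef0123456789abcdef0123456789abcdef"
            }
        }
    }
}
```

A single SA with the default `direction bidirectional` uses one SPI and one key for both directions. Splitting it as above gives each direction its own SPI and key; the peer is then configured with the mirror image (its inbound SA carries SPI 1001, its outbound SA SPI 1000). Because the receiving node selects the SA by SPI, two inbound static SAs on the same node must not share one, and all SPIs must fall in the 256 to 16383 range the spi command allows.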

trust-anchor-profile [name] string

  Synopsis Enter the trust-anchor-profile list instance
  Context configure ipsec trust-anchor-profile string
  Tree trust-anchor-profile
  Max. Instances 10128
  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

[name] string
  Synopsis Trust anchor profile name for IPsec tunnel or gateway
  Context configure ipsec trust-anchor-profile string
  String Length 1 to 32
 

Notes

This element is part of a list key.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

trust-anchor [ca-profile] reference
  Synopsis Add a list entry for trust-anchor
  Context configure ipsec trust-anchor-profile string trust-anchor reference
  Tree trust-anchor
 

Description

Commands in this context configure a CA profile as a trust anchor CA.

  Max. Instances 8
  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

[ca-profile] reference
  Synopsis Name of the CA profile as a trust anchor profile
  Context configure ipsec trust-anchor-profile string trust-anchor reference
 

Reference

configure system security pki ca-profile string

 

Notes

This element is part of a list key.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ts-list [name] string

  Synopsis Enter the ts-list list instance
  Context configure ipsec ts-list string
  Tree ts-list
 

Description

Commands in this context configure Traffic Selector (TS) settings.

  Max. Instances 32768
  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

[name] string
  Synopsis Traffic Selector (TS) list name
  Context configure ipsec ts-list string
  String Length 1 to 32
 

Notes

This element is part of a list key.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

local
  Synopsis Enter the local context
  Context configure ipsec ts-list string local
  Tree local
 

Description

Commands in this context configure the local TS list, the traffic selector for this system's side of the tunnel (TSr when the system acts as an IKEv2 responder).

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

entry [id] number
  Synopsis Enter the entry list instance
  Context configure ipsec ts-list string local entry number
  Tree entry
  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

[id] number
  Synopsis TS list entry ID
  Context configure ipsec ts-list string local entry number
  Range 1 to 32
 

Notes

This element is part of a list key.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

address
  Synopsis Enable the address context
  Context configure ipsec ts-list string local entry number address
  Tree address
  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

prefix (ipv4-prefix | ipv6-prefix)
  Synopsis IP prefix for address range in IKEv2 traffic selector
  Context configure ipsec ts-list string local entry number address prefix (ipv4-prefix | ipv6-prefix)
  Tree prefix
 

Notes

The following elements are part of a mandatory choice: prefix or range.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

range
  Synopsis Enable the range context
  Context configure ipsec ts-list string local entry number address range
  Tree range
 

Notes

The following elements are part of a mandatory choice: prefix or range.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

begin (ipv4-address-no-zone | ipv6-address-no-zone)
  Synopsis Lower bound of the IP address range for the entry
  Context configure ipsec ts-list string local entry number address range begin (ipv4-address-no-zone | ipv6-address-no-zone)
  Tree begin
 

Notes

This element is mandatory.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

end (ipv4-address-no-zone | ipv6-address-no-zone)
  Synopsis Upper bound of the IP address range
  Context configure ipsec ts-list string local entry number address range end (ipv4-address-no-zone | ipv6-address-no-zone)
  Tree end
 

Notes

This element is mandatory.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

protocol
  Synopsis Enable the protocol context
  Context configure ipsec ts-list string local entry number protocol
  Tree protocol
 

Description

Commands in this context specify the protocol settings for the IKEv2 traffic selector.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

any
  Synopsis Match any protocol ID
  Context configure ipsec ts-list string local entry number protocol any
  Tree any
 

Notes

The following elements are part of a mandatory choice: any or id.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

id
  Synopsis Enable the id context
  Context configure ipsec ts-list string local entry number protocol id
  Tree id
 

Notes

The following elements are part of a mandatory choice: any or id.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

icmp
  Synopsis Enter the icmp context
  Context configure ipsec ts-list string local entry number protocol id icmp
  Tree icmp
 

Notes

The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

opaque
  Synopsis Support OPAQUE ports
  Context configure ipsec ts-list string local entry number protocol id icmp opaque
  Tree opaque
 

Description

This command allows the protocol ID to be accepted even when the port information is not available.

 

Notes

The following elements are part of a choice: opaque or port-range.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

port-range
  Synopsis Enable the port-range context
  Context configure ipsec ts-list string local entry number protocol id icmp port-range
  Tree port-range
 

Description

Commands in this context configure port range information for the protocol.

 

Notes

The following elements are part of a choice: opaque or port-range.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

begin-icmp-code number
  Synopsis Lower bound of the ICMP code range
  Context configure ipsec ts-list string local entry number protocol id icmp port-range begin-icmp-code number
  Tree begin-icmp-code
  Range 0 to 255
 

Notes

This element is mandatory.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

begin-icmp-type number
  Synopsis Lower bound of the ICMP type range
  Context configure ipsec ts-list string local entry number protocol id icmp port-range begin-icmp-type number
  Tree begin-icmp-type
  Range 0 to 255
 

Notes

This element is mandatory.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

end-icmp-code number
  Synopsis Upper bound of the ICMP code range
  Context configure ipsec ts-list string local entry number protocol id icmp port-range end-icmp-code number
  Tree end-icmp-code
  Range 0 to 255
 

Notes

This element is mandatory.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

end-icmp-type number
  Synopsis Upper bound of the ICMP type range
  Context configure ipsec ts-list string local entry number protocol id icmp port-range end-icmp-type number
  Tree end-icmp-type
  Range 0 to 255
 

Notes

This element is mandatory.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

icmp6
  Synopsis Enter the icmp6 context
  Context configure ipsec ts-list string local entry number protocol id icmp6
  Tree icmp6
 

Notes

The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

opaque
  Synopsis Support OPAQUE ports
  Context configure ipsec ts-list string local entry number protocol id icmp6 opaque
  Tree opaque
 

Description

This command allows the protocol ID to be accepted even when the port information is not available.

 

Notes

The following elements are part of a choice: opaque or port-range.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

port-range
  Synopsis Enable the port-range context
  Context configure ipsec ts-list string local entry number protocol id icmp6 port-range
  Tree port-range
 

Description

Commands in this context configure port range information for the protocol.

 

Notes

The following elements are part of a choice: opaque or port-range.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

begin-icmp-code number
  Synopsis Lower bound of the ICMP code range
  Context configure ipsec ts-list string local entry number protocol id icmp6 port-range begin-icmp-code number
  Tree begin-icmp-code
  Range 0 to 255
 

Notes

This element is mandatory.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

begin-icmp-type number
  Synopsis Lower bound of the ICMP type range
  Context configure ipsec ts-list string local entry number protocol id icmp6 port-range begin-icmp-type number
  Tree begin-icmp-type
  Range 0 to 255
 

Notes

This element is mandatory.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

end-icmp-code number
  Synopsis Upper bound of the ICMP code range
  Context configure ipsec ts-list string local entry number protocol id icmp6 port-range end-icmp-code number
  Tree end-icmp-code
  Range 0 to 255
 

Notes

This element is mandatory.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

end-icmp-type number
  Synopsis Upper bound of the ICMP type range
  Context configure ipsec ts-list string local entry number protocol id icmp6 port-range end-icmp-type number
  Tree end-icmp-type
  Range 0 to 255
 

Notes

This element is mandatory.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

mipv6
  Synopsis Enter the mipv6 context
  Context configure ipsec ts-list string local entry number protocol id mipv6
  Tree mipv6
 

Notes

The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

opaque
  Synopsis Support OPAQUE ports
  Context configure ipsec ts-list string local entry number protocol id mipv6 opaque
  Tree opaque
 

Description

This command allows the protocol ID to be accepted even when the port information is not available.

 

Notes

The following elements are part of a choice: opaque or port-range.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

port-range
  Synopsis Enable the port-range context
  Context configure ipsec ts-list string local entry number protocol id mipv6 port-range
  Tree port-range
 

Notes

The following elements are part of a choice: opaque or port-range.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

begin number
  Synopsis Lower bound of the port range
  Context configure ipsec ts-list string local entry number protocol id mipv6 port-range begin number
  Tree begin
  Range 0 to 255
 

Notes

This element is mandatory.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

end number
  Synopsis Upper bound of the port range
  Context configure ipsec ts-list string local entry number protocol id mipv6 port-range end number
  Tree end
  Range 0 to 255
 

Notes

This element is mandatory.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

protocol-id-with-any-port (keyword | number)
  Synopsis Protocol ID that accepts any port value
  Context configure ipsec ts-list string local entry number protocol id protocol-id-with-any-port (keyword | number)
  Tree protocol-id-with-any-port
  Range 1 to 255
  Options icmp, tcp, udp, icmp6, sctp, mipv6
 

Notes

The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

sctp
  Synopsis Enter the sctp context
  Context configure ipsec ts-list string local entry number protocol id sctp
  Tree sctp
 

Notes

The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

opaque
  Synopsis Support OPAQUE ports
  Context configure ipsec ts-list string local entry number protocol id sctp opaque
  Tree opaque
 

Description

This command allows the protocol ID to be accepted even when the port information is not available.

 

Notes

The following elements are part of a choice: opaque or port-range.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

port-range
  Synopsis Enable the port-range context
  Context configure ipsec ts-list string local entry number protocol id sctp port-range
  Tree port-range
 

Notes

The following elements are part of a choice: opaque or port-range.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

begin number
  Synopsis Lower bound of the port range
  Context configure ipsec ts-list string local entry number protocol id sctp port-range begin number
  Tree begin
  Range 0 to 65535
 

Notes

This element is mandatory.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

end number
  Synopsis Upper bound of the port range
  Context configure ipsec ts-list string local entry number protocol id sctp port-range end number
  Tree end
  Range 0 to 65535
 

Notes

This element is mandatory.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

tcp
  Synopsis Enter the tcp context
  Context configure ipsec ts-list string local entry number protocol id tcp
  Tree tcp
 

Notes

The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

opaque
  Synopsis Support OPAQUE ports
  Context configure ipsec ts-list string local entry number protocol id tcp opaque
  Tree opaque
 

Description

This command allows the protocol ID to be accepted even when the port information is not available.

 

Notes

The following elements are part of a choice: opaque or port-range.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

port-range
  Synopsis Enable the port-range context
  Context configure ipsec ts-list string local entry number protocol id tcp port-range
  Tree port-range
 

Notes

The following elements are part of a choice: opaque or port-range.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

begin number
  Synopsis Lower bound of the port range
  Context configure ipsec ts-list string local entry number protocol id tcp port-range begin number
  Tree begin
  Range 0 to 65535
 

Notes

This element is mandatory.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

end number
  Synopsis Upper bound of the port range
  Context configure ipsec ts-list string local entry number protocol id tcp port-range end number
  Tree end
  Range 0 to 65535
 

Notes

This element is mandatory.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

udp
  Synopsis Enter the udp context
  Context configure ipsec ts-list string local entry number protocol id udp
  Tree udp
 

Notes

The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

opaque
  Synopsis Support OPAQUE ports
  Context configure ipsec ts-list string local entry number protocol id udp opaque
  Tree opaque
 

Description

This command allows the protocol ID to be accepted even when the port information is not available.

 

Notes

The following elements are part of a choice: opaque or port-range.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

port-range
  Synopsis Enable the port-range context
  Context configure ipsec ts-list string local entry number protocol id udp port-range
  Tree port-range
 

Notes

The following elements are part of a choice: opaque or port-range.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

begin number
  Synopsis Lower bound of the port range
  Context configure ipsec ts-list string local entry number protocol id udp port-range begin number
  Tree begin
  Range 0 to 65535
 

Notes

This element is mandatory.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

end number
  Synopsis Upper bound of the port range
  Context configure ipsec ts-list string local entry number protocol id udp port-range end number
  Tree end
  Range 0 to 65535
 

Notes

This element is mandatory.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

remote
  Synopsis Enter the remote context
  Context configure ipsec ts-list string remote
  Tree remote
 

Description

Commands in this context configure the remote TS list, the traffic selector for the peer's side of the tunnel (TSi when the system acts as an IKEv2 responder).

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR
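The local and remote lists described above, as an added MD-CLI configuration example that is not part of the original page. It narrows this system's side of a tunnel (local, TSr when responding) to one /24 and to TCP 443 plus ICMP echo, and describes the peer's side (remote, TSi when responding) as an address range rather than a prefix, using the prefix, range, port-range and any commands documented in this section. The list name, prefixes, addresses and `#` annotations are constructed for illustration.

```text
configure {
    ipsec {
        ts-list "branch-web" {
            local {
                # Entry 1: local hosts in 10.10.0.0/24, TCP port 443 only.
                entry 1 {
                    address {
                        prefix 10.10.0.0/24
                    }
                    protocol {
                        id {
                            tcp {
                                port-range {
                                    begin 443
                                    end 443
                                }
                            }
                        }
                    }
                }
                # Entry 2: ICMP echo request (type 8, code 0). The "port"
                # of an ICMP selector is its type/code pair.
                entry 2 {
                    address {
                        prefix 10.10.0.0/24
                    }
                    protocol {
                        id {
                            icmp {
                                port-range {
                                    begin-icmp-type 8
                                    end-icmp-type 8
                                    begin-icmp-code 0
                                    end-icmp-code 0
                                }
                            }
                        }
                    }
                }
                # Entry 3: ICMP echo reply (type 0, code 0), so replies
                # leaving this side are selected into the same child SA.
                entry 3 {
                    address {
                        prefix 10.10.0.0/24
                    }
                    protocol {
                        id {
                            icmp {
                                port-range {
                                    begin-icmp-type 0
                                    end-icmp-type 0
                                    begin-icmp-code 0
                                    end-icmp-code 0
                                }
                            }
                        }
                    }
                }
            }
            remote {
                # Peer side: a range that is not prefix-aligned, any protocol.
                entry 1 {
                    address {
                        range {
                            begin 192.0.2.10
                            end 192.0.2.20
                        }
                    }
                    protocol {
                        any
                    }
                }
            }
        }
    }
}
```

A single entry with `prefix 0.0.0.0/0` and `protocol any` is the permissive form and hands the peer whatever it proposes, so keep both lists as narrow as the application needs. After the child SA comes up, confirm on the peer which TSi and TSr were actually negotiated: the result depends on how the initiator's proposal overlaps these entries, not on the entries alone.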

entry [id] number
  Synopsis Enter the entry list instance
  Context configure ipsec ts-list string remote entry number
  Tree entry
  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

[id] number
  Synopsis TS list entry ID
  Context configure ipsec ts-list string remote entry number
  Range 1 to 32
 

Notes

This element is part of a list key.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

address
  Synopsis Enable the address context
  Context configure ipsec ts-list string remote entry number address
  Tree address
  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

prefix (ipv4-prefix | ipv6-prefix)
  Synopsis IP prefix for address range in IKEv2 traffic selector
  Context configure ipsec ts-list string remote entry number address prefix (ipv4-prefix | ipv6-prefix)
  Tree prefix
 

Notes

The following elements are part of a mandatory choice: prefix or range.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

range
  Synopsis Enable the range context
  Context configure ipsec ts-list string remote entry number address range
  Tree range
 

Notes

The following elements are part of a mandatory choice: prefix or range.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

begin (ipv4-address-no-zone | ipv6-address-no-zone)
  Synopsis Lower bound of the IP address range for the entry
  Context configure ipsec ts-list string remote entry number address range begin (ipv4-address-no-zone | ipv6-address-no-zone)
  Tree begin
 

Notes

This element is mandatory.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

end (ipv4-address-no-zone | ipv6-address-no-zone)
  Synopsis Upper bound of the IP address range
  Context configure ipsec ts-list string remote entry number address range end (ipv4-address-no-zone | ipv6-address-no-zone)
  Tree end
 

Notes

This element is mandatory.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

protocol
  Synopsis Enable the protocol context
  Context configure ipsec ts-list string remote entry number protocol
  Tree protocol
 

Description

Commands in this context specify the protocol settings for the IKEv2 traffic selector.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

any
  Synopsis Match any protocol ID
  Context configure ipsec ts-list string remote entry number protocol any
  Tree any
 

Notes

The following elements are part of a mandatory choice: any or id.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

id
  Synopsis Enable the id context
  Context configure ipsec ts-list string remote entry number protocol id
  Tree id
 

Notes

The following elements are part of a mandatory choice: any or id.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

icmp
  Synopsis Enter the icmp context
  Context configure ipsec ts-list string remote entry number protocol id icmp
  Tree icmp
 

Notes

The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

opaque
  Synopsis Support OPAQUE ports
  Context configure ipsec ts-list string remote entry number protocol id icmp opaque
  Tree opaque
 

Description

This command allows the protocol ID to be accepted even when the port information is not available.

 

Notes

The following elements are part of a choice: opaque or port-range.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

port-range
  Synopsis Enable the port-range context
  Context configure ipsec ts-list string remote entry number protocol id icmp port-range
  Tree port-range
 

Description

Commands in this context configure port range information for the protocol.

 

Notes

The following elements are part of a choice: opaque or port-range.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

begin-icmp-code number
  Synopsis Lower bound of the ICMP code range
  Context configure ipsec ts-list string remote entry number protocol id icmp port-range begin-icmp-code number
  Tree begin-icmp-code
  Range 0 to 255
 

Notes

This element is mandatory.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

begin-icmp-type number
  Synopsis Lower bound of the ICMP type range
  Context configure ipsec ts-list string remote entry number protocol id icmp port-range begin-icmp-type number
  Tree begin-icmp-type
  Range 0 to 255
 

Notes

This element is mandatory.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

end-icmp-code number
  Synopsis Upper bound of the ICMP code range
  Context configure ipsec ts-list string remote entry number protocol id icmp port-range end-icmp-code number
  Tree end-icmp-code
  Range 0 to 255
 

Notes

This element is mandatory.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

end-icmp-type number
  Synopsis Upper bound of the ICMP type range
  Context configure ipsec ts-list string remote entry number protocol id icmp port-range end-icmp-type number
  Tree end-icmp-type
  Range 0 to 255
 

Notes

This element is mandatory.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

icmp6
  Synopsis Enter the icmp6 context
  Context configure ipsec ts-list string remote entry number protocol id icmp6
  Tree icmp6
 

Notes

The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

opaque
  Synopsis Support OPAQUE ports
  Context configure ipsec ts-list string remote entry number protocol id icmp6 opaque
  Tree opaque
 

Description

This command allows the protocol ID to be accepted even when the port information is not available.

 

Notes

The following elements are part of a choice: opaque or port-range.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

port-range
  Synopsis Enable the port-range context
  Context configure ipsec ts-list string remote entry number protocol id icmp6 port-range
  Tree port-range
 

Description

Commands in this context configure port range information for the protocol.

 

Notes

The following elements are part of a choice: opaque or port-range.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

begin-icmp-code number
  Synopsis Lower bound of the ICMP code range
  Context configure ipsec ts-list string remote entry number protocol id icmp6 port-range begin-icmp-code number
  Tree begin-icmp-code
  Range 0 to 255
 

Notes

This element is mandatory.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

begin-icmp-type number
  Synopsis Lower bound of the ICMP type range
  Context configure ipsec ts-list string remote entry number protocol id icmp6 port-range begin-icmp-type number
  Tree begin-icmp-type
  Range 0 to 255
 

Notes

This element is mandatory.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

end-icmp-code number
  Synopsis Upper bound of the ICMP code range
  Context configure ipsec ts-list string remote entry number protocol id icmp6 port-range end-icmp-code number
  Tree end-icmp-code
  Range 0 to 255
 

Notes

This element is mandatory.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

end-icmp-type number
  Synopsis Upper bound of the ICMP type range
  Context configure ipsec ts-list string remote entry number protocol id icmp6 port-range end-icmp-type number
  Tree end-icmp-type
  Range 0 to 255
 

Notes

This element is mandatory.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

mipv6
  Synopsis Enter the mipv6 context
  Context configure ipsec ts-list string remote entry number protocol id mipv6
  Tree mipv6
 

Notes

The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

opaque
  Synopsis Support OPAQUE ports
  Context configure ipsec ts-list string remote entry number protocol id mipv6 opaque
  Tree opaque
 

Description

This command allows the protocol ID to be accepted even when the port information is not available.

 

Notes

The following elements are part of a choice: opaque or port-range.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

port-range
  Synopsis Enable the port-range context
  Context configure ipsec ts-list string remote entry number protocol id mipv6 port-range
  Tree port-range
 

Notes

The following elements are part of a choice: opaque or port-range.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

begin number
  Synopsis Lower bound of the port range
  Context configure ipsec ts-list string remote entry number protocol id mipv6 port-range begin number
  Tree begin
  Range 0 to 255
 

Notes

This element is mandatory.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

end number
  Synopsis Upper bound of the port range
  Context configure ipsec ts-list string remote entry number protocol id mipv6 port-range end number
  Tree end
  Range 0 to 255
 

Notes

This element is mandatory.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

protocol-id-with-any-port (keyword | number)
  Synopsis Protocol ID that accepts any port value
  Context configure ipsec ts-list string remote entry number protocol id protocol-id-with-any-port (keyword | number)
  Tree protocol-id-with-any-port
  Range 1 to 255
  Options icmp, tcp, udp, icmp6, sctp, mipv6
 

Notes

The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

sctp
  Synopsis Enter the sctp context
  Context configure ipsec ts-list string remote entry number protocol id sctp
  Tree sctp
 

Notes

The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

opaque
  Synopsis Support OPAQUE ports
  Context configure ipsec ts-list string remote entry number protocol id sctp opaque
  Tree opaque
 

Description

This command allows the protocol ID to be accepted even when the port information is not available.

 

Notes

The following elements are part of a choice: opaque or port-range.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

port-range
  Synopsis Enable the port-range context
  Context configure ipsec ts-list string remote entry number protocol id sctp port-range
  Tree port-range
 

Notes

The following elements are part of a choice: opaque or port-range.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

begin number
  Synopsis Lower bound of the port range
  Context configure ipsec ts-list string remote entry number protocol id sctp port-range begin number
  Tree begin
  Range 0 to 65535
 

Notes

This element is mandatory.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

end number
  Synopsis Upper bound of the port range
  Context configure ipsec ts-list string remote entry number protocol id sctp port-range end number
  Tree end
  Range 0 to 65535
 

Notes

This element is mandatory.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

tcp
  Synopsis Enter the tcp context
  Context configure ipsec ts-list string remote entry number protocol id tcp
  Tree tcp
 

Notes

The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

opaque
  Synopsis Support OPAQUE ports
  Context configure ipsec ts-list string remote entry number protocol id tcp opaque
  Tree opaque
 

Description

This command allows the protocol ID to be accepted even when the port information is not available.

 

Notes

The following elements are part of a choice: opaque or port-range.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

port-range
  Synopsis Enable the port-range context
  Context configure ipsec ts-list string remote entry number protocol id tcp port-range
  Tree port-range
 

Notes

The following elements are part of a choice: opaque or port-range.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

begin number
  Synopsis Lower bound of the port range
  Context configure ipsec ts-list string remote entry number protocol id tcp port-range begin number
  Tree begin
  Range 0 to 65535
 

Notes

This element is mandatory.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

end number
  Synopsis Upper bound of the port range
  Context configure ipsec ts-list string remote entry number protocol id tcp port-range end number
  Tree end
  Range 0 to 65535
 

Notes

This element is mandatory.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

udp
  Synopsis Enter the udp context
  Context configure ipsec ts-list string remote entry number protocol id udp
  Tree udp
 

Notes

The following elements are part of a mandatory choice: icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, or udp.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

opaque
  Synopsis Support OPAQUE ports
  Context configure ipsec ts-list string remote entry number protocol id udp opaque
  Tree opaque
 

Description

This command allows the protocol ID to be accepted even when the port information is not available.

 

Notes

The following elements are part of a choice: opaque or port-range.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

port-range
  Synopsis Enable the port-range context
  Context configure ipsec ts-list string remote entry number protocol id udp port-range
  Tree port-range
 

Notes

The following elements are part of a choice: opaque or port-range.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

begin number
  Synopsis Lower bound of the port range
  Context configure ipsec ts-list string remote entry number protocol id udp port-range begin number
  Tree begin
  Range 0 to 65535
 

Notes

This element is mandatory.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

end number
  Synopsis Upper bound of the port range
  Context configure ipsec ts-list string remote entry number protocol id udp port-range end number
  Tree end
  Range 0 to 65535
 

Notes

This element is mandatory.

  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR
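
The protocol-id choice above (icmp, icmp6, mipv6, protocol-id-with-any-port, sctp, tcp, udp, each with either opaque or a port-range) is the structure of one remote traffic-selector entry. The following Python is an added example of how such entries select packets; it is not SR OS code and not from Nokia's documentation. It assumes the ANY/OPAQUE semantics of RFC 4301 section 4.4.1.1 (ANY covers every value including an unreadable one, OPAQUE covers only the unreadable case), uses the IANA protocol numbers for the listed keywords, and applies the per-protocol bounds shown in the Range lines (0 to 255 for ICMP, ICMPv6 and MIPv6 values, 0 to 65535 for TCP, UDP and SCTP ports). The sample ts-list and the `first_match` helper are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import List, Optional

# IANA protocol numbers for the keywords the reference accepts (assumed table, not from the page).
PROTOCOL_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17, "icmp6": 58, "sctp": 132, "mipv6": 135}

# Largest selector value per protocol, mirroring the Range lines above.
MAX_VALUE = {1: 255, 58: 255, 135: 255, 6: 65535, 17: 65535, 132: 65535}

ICMP_PROTOCOLS = (1, 58)


def valid_range(protocol: int, begin: int, end: int) -> bool:
    """True if [begin, end] is a legal port/type/code range for this protocol."""
    return 0 <= begin <= end <= MAX_VALUE.get(protocol, 65535)


@dataclass(frozen=True)
class TsEntry:
    """One remote entry of a ts-list: a protocol id plus one of three port selectors."""
    protocol: int
    port_mode: str = "any"      # "any" (protocol-id-with-any-port) | "opaque" | "range"
    begin: int = 0              # port (tcp/udp/sctp), ICMP type, or MIPv6 value
    end: int = 0
    code_begin: int = 0         # ICMP code range, consulted only for icmp/icmp6
    code_end: int = 255

    def __post_init__(self) -> None:
        if not 1 <= self.protocol <= 255:
            raise ValueError("protocol id must be 1..255")
        if self.port_mode not in ("any", "opaque", "range"):
            raise ValueError("port_mode must be any, opaque or range")
        if self.port_mode == "range":
            if not valid_range(self.protocol, self.begin, self.end):
                raise ValueError("begin/end outside the legal range for this protocol")
            if self.protocol in ICMP_PROTOCOLS and not valid_range(self.protocol, self.code_begin, self.code_end):
                raise ValueError("ICMP code range must satisfy 0 <= begin <= end <= 255")


def matches(entry: TsEntry, protocol: int, port: Optional[int] = None,
            icmp_code: Optional[int] = None) -> bool:
    """Decide whether a packet is selected by `entry`.

    `port` is the transport port, ICMP type or MIPv6 value; None means the value
    cannot be read, for example a non-initial fragment that carries no transport
    header. ANY matches regardless, OPAQUE matches only when the value is
    unreadable, and a range needs a readable value inside its bounds (RFC 4301).
    """
    if protocol != entry.protocol:
        return False
    if entry.port_mode == "any":
        return True
    if port is None:
        return entry.port_mode == "opaque"
    if entry.port_mode == "opaque":
        return False
    if not entry.begin <= port <= entry.end:
        return False
    if entry.protocol in ICMP_PROTOCOLS:
        # For ICMP the selector is (type, code); an unreadable code is not a match.
        return icmp_code is not None and entry.code_begin <= icmp_code <= entry.code_end
    return True


def first_match(ts_list: List[TsEntry], protocol: int, port: Optional[int] = None,
                icmp_code: Optional[int] = None) -> Optional[int]:
    """Index of the first entry that selects the packet, or None (constructed helper)."""
    for i, entry in enumerate(ts_list):
        if matches(entry, protocol, port, icmp_code):
            return i
    return None


# Constructed sample ts-list: DNS over UDP, TCP with OPAQUE ports, SCTP with any port.
SAMPLE_TS_LIST = [
    TsEntry(PROTOCOL_NUMBERS["udp"], "range", 53, 53),
    TsEntry(PROTOCOL_NUMBERS["tcp"], "opaque"),
    TsEntry(PROTOCOL_NUMBERS["sctp"]),
]

if __name__ == "__main__":
    print(first_match(SAMPLE_TS_LIST, 17, 53))    # 0: DNS entry
    print(first_match(SAMPLE_TS_LIST, 6, None))   # 1: TCP fragment without ports
    print(first_match(SAMPLE_TS_LIST, 6, 443))    # None: OPAQUE does not cover readable ports
```

The practical point of the split between opaque and port-range is visible in the last two calls: an opaque TCP entry admits a fragment whose ports cannot be inspected but does not admit a normal TCP segment, so a selector list that relies on opaque alone will not carry ordinary port-bearing traffic, and one that relies on port ranges alone will not carry non-initial fragments.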

tunnel-template [id] number
  Synopsis Enter the tunnel-template list instance
  Context configure ipsec tunnel-template number
  Tree tunnel-template
  Max. Instances 2048
  Introduced 16.0.R4
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

[id] number
  Synopsis Tunnel template ID
  Context configure ipsec tunnel-template number
  Range 1 to 2048
 

Notes

This element is part of a list key.

  Introduced 16.0.R4
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

clear-df-bit boolean
  Synopsis Clear the Do-not-Fragment (DF) bit
  Context configure ipsec tunnel-template number clear-df-bit boolean
  Tree clear-df-bit
  Default false
  Introduced 16.0.R4
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

copy-traffic-class-upon-decapsulation boolean
  Synopsis Enable traffic class copy upon decapsulation
  Context configure ipsec tunnel-template number copy-traffic-class-upon-decapsulation boolean
  Tree copy-traffic-class-upon-decapsulation
 

Description

When configured to true, the system copies the traffic class from the outer tunnel IP packet header to the payload IP packet header in the decapsulating direction (public to private).

When configured to false, the system does not copy the traffic class from the outer IP packet to the payload IP packet header upon decapsulation.

  Default false
  Introduced 21.5.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

description string
  Synopsis Text description
  Context configure ipsec tunnel-template number description string
  Tree description
  String Length 1 to 80
  Introduced 16.0.R4
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

encapsulated-ip-mtu number
  Synopsis Maximum size of the encapsulated tunnel packet
  Context configure ipsec tunnel-template number encapsulated-ip-mtu number
  Tree encapsulated-ip-mtu
 

Description

This command specifies the maximum size of the encapsulated tunnel packet to the IPsec tunnel, the IP tunnel, or the dynamic tunnels terminated on the IPsec Gateway. If the encapsulated IPv4 or IPv6 tunnel packet exceeds this value, the system fragments the packet.

  Range 512 to 9000
  Units octets
  Introduced 16.0.R4
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

icmp-generation
  Synopsis Enter the icmp-generation context
  Context configure ipsec tunnel-template number icmp-generation
  Tree icmp-generation
 

Description

Commands in this context configure settings for ICMPv4 message generation.

  Introduced 21.5.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

frag-required
  Synopsis Enter the frag-required context
  Context configure ipsec tunnel-template number icmp-generation frag-required
  Tree frag-required
 

Description

Commands in this context configure the attributes for sending generated ICMP Destination Unreachable "fragmentation needed and DF set" messages (type 3, code 4) back to the source if the received size of the IPv4 packet on the private side exceeds the private MTU size.

  Introduced 21.5.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

admin-state keyword
  Synopsis Administrative state of sending ICMP messages
  Context configure ipsec tunnel-template number icmp-generation frag-required admin-state keyword
  Tree admin-state
 

Description

This command configures the administrative state of sending ICMP Destination Unreachable "fragmentation needed, DF set" messages (type 3, code 4) to the source if the received size of the IPv4 packet on the private side exceeds the private MTU size.

  Default enable
  Options enable, disable
  Introduced 21.5.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

interval number
  Synopsis Interval for sending ICMP messages
  Context configure ipsec tunnel-template number icmp-generation frag-required interval number
  Tree interval
 

Description

This command configures the interval for sending ICMP Destination Unreachable "fragmentation needed, DF set" messages (type 3, code 4).

  Range 1 to 60
  Default 10
  Units seconds
  Introduced 21.5.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

message-count number
  Synopsis Maximum number of ICMP messages that can be sent
  Context configure ipsec tunnel-template number icmp-generation frag-required message-count number
  Tree message-count
 

Description

This command configures the maximum number of ICMP Destination Unreachable "fragmentation needed, DF set" messages (type 3, code 4) that can be sent during the configured interval.

  Range 10 to 1000
  Default 100
  Introduced 21.5.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

icmp6-generation
  Synopsis Enter the icmp6-generation context
  Context configure ipsec tunnel-template number icmp6-generation
  Tree icmp6-generation
  Introduced 16.0.R4
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

pkt-too-big
  Synopsis Enter the pkt-too-big context
  Context configure ipsec tunnel-template number icmp6-generation pkt-too-big
  Tree pkt-too-big
 

Description

Commands in this context configure values for the ICMPv6 Packet Too Big (PTB) messages. The system sends PTB messages if an IPv6 packet is received on the private side that is larger than 1280 bytes and also exceeds the private MTU of the tunnel.

  Introduced 16.0.R4
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

admin-state keyword
  Synopsis Administrative state of sending Packet Too Big messages
  Context configure ipsec tunnel-template number icmp6-generation pkt-too-big admin-state keyword
  Tree admin-state
  Default enable
  Options enable, disable
  Introduced 16.0.R4
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

interval number
  Synopsis Maximum interval during which PTB messages can be sent
  Context configure ipsec tunnel-template number icmp6-generation pkt-too-big interval number
  Tree interval
  Range 1 to 60
  Default 10
  Units seconds
  Introduced 16.0.R4
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

message-count number
  Synopsis Maximum number of ICMPv6 messages that can be sent during the interval
  Context configure ipsec tunnel-template number icmp6-generation pkt-too-big message-count number
  Tree message-count
  Range 10 to 1000
  Default 100
  Introduced 16.0.R4
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR
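
The icmp-generation frag-required and icmp6-generation pkt-too-big contexts above describe the same control loop for two address families: an oversized packet on the private side triggers an ICMP error back to the source, and the interval and message-count settings cap how many such errors the gateway emits per interval. The following Python is an added example of that loop; it is not SR OS code and does not come from Nokia's documentation. It takes the ranges and defaults from the reference (interval 1 to 60 seconds, default 10; message-count 10 to 1000, default 100; the 1280-byte threshold for Packet Too Big) but the fixed-window counting strategy, the assumption that an IPv4 packet without DF set is fragmented rather than reported, and the `handle_private_packet` and `burst_summary` helpers are constructed for the demonstration.

```python
from dataclasses import dataclass, field

IPV6_MIN_MTU = 1280  # PTB is generated only for packets larger than this, as the reference states


@dataclass
class IcmpLimiter:
    """Fixed-window limiter: at most message_count messages per interval seconds.

    Ranges and defaults mirror the reference; the fixed-window strategy is an assumption.
    """
    interval: int = 10
    message_count: int = 100
    admin_enabled: bool = True
    _window_start: float = field(default=0.0, repr=False)
    _sent: int = field(default=0, repr=False)

    def __post_init__(self) -> None:
        if not 1 <= self.interval <= 60:
            raise ValueError("interval must be 1..60 seconds")
        if not 10 <= self.message_count <= 1000:
            raise ValueError("message-count must be 10..1000")

    def allow(self, now: float) -> bool:
        """Return True if one more ICMP message may be sent at time `now`."""
        if not self.admin_enabled:
            return False
        if now - self._window_start >= self.interval:
            self._window_start = now   # start a fresh interval
            self._sent = 0
        if self._sent >= self.message_count:
            return False
        self._sent += 1
        return True


def handle_private_packet(length: int, ipv6: bool, df_set: bool, private_mtu: int,
                          limiter_v4: IcmpLimiter, limiter_v6: IcmpLimiter,
                          now: float) -> str:
    """Action for a packet arriving on the private side (simplified, assumed model).

    Returns one of "forward", "fragment", "icmp-frag-required",
    "icmp6-packet-too-big" or "drop-rate-limited".
    """
    if length <= private_mtu:
        return "forward"
    if ipv6:
        if length <= IPV6_MIN_MTU:
            # At or below the IPv6 minimum MTU no PTB is generated; the packet is
            # passed on and what happens to it afterwards is outside this model.
            return "forward"
        return "icmp6-packet-too-big" if limiter_v6.allow(now) else "drop-rate-limited"
    if not df_set:
        return "fragment"  # IPv4 without DF can be fragmented to fit (assumption)
    return "icmp-frag-required" if limiter_v4.allow(now) else "drop-rate-limited"


def burst_summary(count: int, now: float = 0.0) -> dict:
    """Send `count` oversized IPv4 DF packets at once against default limiters and
    tally the resulting actions (constructed demonstration input)."""
    lim4, lim6 = IcmpLimiter(), IcmpLimiter()
    tally: dict = {}
    for _ in range(count):
        action = handle_private_packet(1500, False, True, 1400, lim4, lim6, now)
        tally[action] = tally.get(action, 0) + 1
    return tally


if __name__ == "__main__":
    print(burst_summary(150))  # {'icmp-frag-required': 100, 'drop-rate-limited': 50}
```

With the defaults, a burst of 150 oversized DF packets in one interval yields 100 ICMP errors and 50 silently dropped packets; the cap is what keeps a private-side host that ignores the errors from turning the gateway into a steady ICMP source, at the price of some senders not learning the path MTU until the next interval.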

ignore-default-route boolean
  Synopsis Ignore any full range traffic selector in TSi
  Context configure ipsec tunnel-template number ignore-default-route boolean
  Tree ignore-default-route
 

Description

When configured to true, any full range traffic selector is ignored when creating a reverse route.

When configured to false, no CHILD_SA is created if any full range traffic selector is included in TSi.

  Default false
  Introduced 19.7.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ip-mtu number
  Synopsis Maximum size of the IP MTU for the payload packets
  Context configure ipsec tunnel-template number ip-mtu number
  Tree ip-mtu
  Range 512 to 9000
  Units octets
  Introduced 16.0.R4
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

ipsec-transform reference
  Synopsis IPsec transform ID for the tunnel template
  Context configure ipsec tunnel-template number ipsec-transform reference
  Tree ipsec-transform
 

Reference

configure ipsec ipsec-transform number

  Max. Instances 4
  Introduced 16.0.R4
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

pmtu-discovery-aging number
  Synopsis Aging out time of the learned path MTU
  Context configure ipsec tunnel-template number pmtu-discovery-aging number
  Tree pmtu-discovery-aging
 

Description

This command configures the temporary public and private MTU expiration time. The temporary MTU is used for MTU propagation.

  Range 900 to 3600
  Default 900
  Units seconds
  Introduced 21.5.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

private-tcp-mss-adjust number
  Synopsis New TCP MSS value on the private side
  Context configure ipsec tunnel-template number private-tcp-mss-adjust number
  Tree private-tcp-mss-adjust
 

Description

This command specifies the new (adjusted) TCP MSS value of TCP SYN packets on the private side.

When unconfigured, the MSS value is derived from the received TCP SYN packet on the private side.

  Range 512 to 9000
  Units octets
  Introduced 16.0.R4
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

propagate-pmtu-v4 boolean
  Synopsis Enable propagation of the path MTU to IPv4 hosts
  Context configure ipsec tunnel-template number propagate-pmtu-v4 boolean
  Tree propagate-pmtu-v4
 

Description

When configured to true, the system propagates the path MTU learned from the public side to the private side (IPv4 hosts).

  Default true
  Introduced 21.5.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

propagate-pmtu-v6 boolean
  Synopsis Enable propagation of the path MTU to IPv6 hosts
  Context configure ipsec tunnel-template number propagate-pmtu-v6 boolean
  Tree propagate-pmtu-v6
 

Description

When configured to true, the system propagates the path MTU learned from the public side to the private side (IPv6 hosts).

  Default true
  Introduced 21.5.R1
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

public-tcp-mss-adjust (number | keyword)
  Synopsis New TCP MSS value on the public side
  Context configure ipsec tunnel-template number public-tcp-mss-adjust (number | keyword)
  Tree public-tcp-mss-adjust
 

Description

This command specifies the new (adjusted) TCP MSS value for the TCP traffic in an IPsec tunnel that is sent from the public network to the private network. The system can use this value to adjust or insert the MSS option in the TCP SYN packet.

When unconfigured, the MSS value is derived from the public MTU and IPsec overhead.

  Range 512 to 9000
  Units octets
  Options auto
  Introduced 16.0.R4
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

replay-window number
  Synopsis Anti-replay window size for the tunnel template
  Context configure ipsec tunnel-template number replay-window number
  Tree replay-window
  Range 32 | 64 | 128 | 256 | 512
  Introduced 16.0.R4
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR
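
The replay-window value above sets how far behind the newest accepted sequence number a late ESP packet may arrive and still be checked rather than discarded. The following Python is an added example of a sliding anti-replay window in the style of RFC 4303 Appendix A, written to show what the size actually buys; it is not SR OS code and does not come from Nokia's documentation. It assumes 32-bit (non-ESN) sequence numbers starting at 1 and accepts only the sizes the reference lists; the `run_stream` and `late_packet_stream` helpers and their sample stream are constructed for the demonstration.

```python
WINDOW_SIZES = (32, 64, 128, 256, 512)  # the replay-window values the reference allows


class ReplayWindow:
    """Sliding anti-replay window in the style of RFC 4303 Appendix A.

    `top` is the highest sequence number accepted so far and bit i of `bitmap`
    records whether sequence number top - i has already been seen.
    """

    def __init__(self, size: int) -> None:
        if size not in WINDOW_SIZES:
            raise ValueError(f"window size must be one of {WINDOW_SIZES}")
        self.size = size
        self.mask = (1 << size) - 1
        self.top = 0
        self.bitmap = 0
        self.replays = 0    # duplicates rejected
        self.too_old = 0    # never-seen packets rejected only because they fell behind the window

    def check_and_update(self, seq: int) -> bool:
        """Return True and record the packet if it is new and inside the window."""
        if seq == 0:
            return False  # the first ESP packet on an SA carries sequence number 1
        if seq > self.top:
            # Slide the window forward; anything older than `size` drops off the end.
            shift = seq - self.top
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & self.mask
            else:
                self.bitmap = 1
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            self.too_old += 1     # cannot distinguish a late packet from a replay: drop
            return False
        if (self.bitmap >> offset) & 1:
            self.replays += 1     # already seen: a replay
            return False
        self.bitmap |= 1 << offset
        return True


def run_stream(size: int, sequence) -> list:
    """Feed a stream of sequence numbers through a fresh window; return per-packet verdicts."""
    window = ReplayWindow(size)
    return [window.check_and_update(s) for s in sequence]


def late_packet_stream(total: int, late: int) -> list:
    """Constructed sample: packets 1..total in order except `late`, which arrives at the
    end twice, once genuinely delayed and once as a replay of that delayed packet."""
    return [s for s in range(1, total + 1) if s != late] + [late, late]


if __name__ == "__main__":
    stream = late_packet_stream(100, 60)
    print(run_stream(32, stream)[-2:])   # [False, False]: delayed packet lost with a 32-wide window
    print(run_stream(64, stream)[-2:])   # [True, False]: accepted once, replay still rejected
```

The last two verdicts are the trade-off in one line: with a 32-entry window a packet delayed by 40 positions is dropped even though it was never seen, while a 64-entry window accepts it and still rejects its replay. Larger values cost bitmap memory per tunnel and tolerate more reordering on the public path; the duplicate is rejected at every size, so widening the window does not weaken the replay check.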

sp-reverse-route keyword
  Synopsis Reverse route creation method in private service
  Context configure ipsec tunnel-template number sp-reverse-route keyword
  Tree sp-reverse-route
 

Description

This command allows the system to automatically create a reverse route in the private service, based on the TSi of a dynamic LAN-to-LAN tunnel.

  Default none
  Options none, use-security-policy
  Introduced 16.0.R4
 

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR