

[edit security] Hierarchy Level

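# Statement summary for the [edit security] hierarchy level.
# Notation: (a | b) is a choice between literal keywords, <...> marks an
# optional item, [ ... ] is a list of names, and the remaining lowercase
# words after a keyword are placeholders for user-supplied values.
# NOTE(review): the listing as published had no closing brace for "ike" or
# for "manual", and printed "traceoptions" ahead of the braces that close
# "security-association" and "ipsec". The nesting below follows the
# indentation of the published listing; confirm it against the CLI of the
# release in use.
security {
    certificates {
        cache-size bytes;
        cache-timeout-negative seconds;
        certification-authority ca-profile-name {
            ca-name certificate-authority-name;
            # presumably the certificate revocation list file consulted when
            # a peer certificate is validated; confirm for the release
            crl file-name;
            encoding (binary | pem);
            file certificate-file-name;
            enrollment-url url-name;
            ldap-url url-name;
        }
        enrollment-retry number;
        local certificate-name;
        maximum-certificates number;
        # NOTE(review): the value is shown as "bytes"; a path length normally
        # counts certificates in a chain, so confirm the unit
        path-length bytes;
    }
    ike {
        proposal ike-proposal-name {
            # md5/sha1, des-cbc/3des-cbc and group1/group2 (768-bit and
            # 1024-bit MODP) are all legacy choices. Of the options listed,
            # sha1 + 3des-cbc + group2 is the strongest combination; where the
            # installed release offers newer algorithms or larger groups,
            # prefer those.
            authentication-algorithm (md5 | sha1);
            authentication-method (dsa-signatures | pre-shared-keys | rsa-signatures);
            dh-group (group1 | group2);
            encryption-algorithm (3des-cbc | des-cbc);
            # a shorter lifetime limits how much traffic one key protects
            lifetime-seconds seconds;
        }
        policy ike-peer-address {
            description policy-description;
            encoding (binary | pem);
            identity identity-name;
            local-certificate certificate-file-name;
            # private key material: restrict read access to this file
            local-key-pair private-public-key-file;
            # main mode protects the peer identities; aggressive mode sends
            # them in the clear and, combined with pre-shared keys, leaves a
            # weak key open to offline guessing. Prefer main unless the peer
            # requires aggressive.
            mode (aggressive | main);
            # the secret lives in the configuration: use a long random value
            # and limit who can view the configuration and its backups
            pre-shared-key (ascii-text key | hexadecimal key);
            proposal [ ike-proposal-names ];
        }
    }
    ipsec {
        proposal ipsec-proposal-name {
            # same legacy-algorithm caveat as the ike proposal: prefer
            # hmac-sha1-96 and 3des-cbc among the options listed
            authentication-algorithm (hmac-md5-96 | hmac-sha1-96);
            encryption-algorithm (3des-cbc | des-cbc);
            lifetime-seconds seconds;
            # ah authenticates but does not encrypt; choose esp (or bundle)
            # when confidentiality is required
            protocol (ah | esp | bundle);
        }
        policy ipsec-policy-name {
            # perfect forward secrecy runs a fresh Diffie-Hellman exchange for
            # each IPsec SA, so one compromised key does not expose the others
            perfect-forward-secrecy {
                keys (group1 | group2);
            }
            proposal [ipsec-proposal-names];
        }
        security-association name {
            mode (tunnel | transport);
            # manual SAs use the static keys below: nothing rekeys them and
            # they must be distributed and rotated by hand. Prefer "dynamic"
            # (IKE-negotiated) SAs where the peer supports them.
            manual {
                direction (inbound | outbound | bi-directional) {
                    auxiliary-spi auxiliary-spi-value;
                    spi spi-value;
                    protocol (ah | esp | bundle);
                    authentication {
                        algorithm (hmac-md5-96 | hmac-sha1-96);
                        # stored in the configuration; treat it as a secret
                        key (ascii-text key | hexadecimal key);
                    }
                    encryption {
                        algorithm (des-cbc | 3des-cbc);
                        # stored in the configuration; treat it as a secret
                        key (ascii-text key | hexadecimal key);
                    }
                }
            }
            dynamic {
                # NOTE(review): 32 | 64 look like anti-replay window sizes
                # (Junos documents this option as replay-window-size);
                # confirm the keyword for the release in use
                <security-association (32 | 64)>;
                ipsec-policy policy-name;
            }
        }
    }
    # "flag all" is the most verbose setting; enable tracing only while
    # troubleshooting, bound the output with files/size, and restrict who can
    # read the trace files
    traceoptions {
        file <files number> <size size>;
        flag all;
        flag database;
        flag general;
        flag ike;
        flag parse;
        flag policy-manager;
        flag routing-socket;
        flag timer;
    }
} # End of [edit security] hierarchy level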
