Technical Documentation

[edit security ipsec] Hierarchy Level

# Statement hierarchy available at [edit security ipsec].
# Notation: ( a | b ) lists the accepted alternatives; names such as key,
# spi-index, sa-name and seconds are placeholders for operator-supplied values.
# Review note: this listing is dated 2010 and still offers des-cbc, hmac-md5-96
# and Diffie-Hellman group1/group2. Treat those as legacy-interop choices only
# and check the currently supported option list for the release in use.
security {
    ipsec {
        # This branch offers a single fixed suite: ESP with hmac-sha1-96 and
        # 3des-cbc, keyed from an ascii-text string.
        internal ipsec-policy-name {
            security-association sa-name {
                manual {
                    direction (bidirectional | inbound | outbound) {
                        authentication {
                            algorithm hmac-sha1-96;
                            # Static key held in the configuration: restrict who can
                            # view or export the config, and rotate by procedure.
                            key ascii-text key;
                        }
                        encryption {
                            encryption-algorithm 3des-cbc;
                            key ascii-text key;
                        }
                        protocol esp;
                        spi spi-index;
                    }
                }
            }
        }
        policy ipsec-policy-name {
            description description;
            perfect-forward-secrecy {
                # IKE MODP groups: group1 = 768-bit, group2 = 1024-bit,
                # group5 = 1536-bit. Of the three offered here, group5 is the
                # largest; group1 and group2 are below current guidance.
                keys (group1 | group2 | group5);
            }
            # Predefined proposal sets; their contents are not shown in this
            # listing. Confirm which algorithms each set negotiates before use.
            proposal-set (basic | compatible | standard);
            proposals [ proposal-names ];
        }
        proposal ipsec-proposal-name {
            # hmac-md5-96 is kept for compatibility; prefer hmac-sha1-96 of the
            # two options listed.
            authentication-algorithm (hmac-md5-96 | hmac-sha1-96);
            description description;
            # des-cbc is single DES (56-bit key) and 3des-cbc is a 64-bit block
            # cipher; the aes-*-cbc options are the ones to choose from this list.
            encryption-algorithm (3des-cbc | aes-128-cbc | aes-192-cbc | aes-256-cbc | des-cbc);
            # SA lifetimes appear only here, under proposal. They bound how much
            # traffic and time a negotiated key protects.
            lifetime-kilobytes kilobytes;
            lifetime-seconds seconds;
            # ah authenticates packets but does not encrypt them; esp is needed
            # for confidentiality.
            protocol (ah | bundle | esp);
        }
        security-association sa-name {
            description description;
            dynamic {
                ipsec-policy policy-name;
                # Anti-replay window, in packets.
                replay-window-size (32 | 64);
            }
            # Manual SA: SPI and keys are typed in statically on both peers.
            # No lifetime statement exists in this branch, so the same key stays
            # in use until someone changes the configuration.
            manual {
                direction (bidirectional | inbound | outbound) {
                    authentication {
                        algorithm (hmac-md5-96 | hmac-sha1-96);
                        # NOTE(review): an ascii-text key is presumably limited to
                        # printable characters, so hexadecimal allows the full key
                        # space. Confirm accepted lengths per algorithm.
                        key (ascii-text key | hexadecimal key);
                    }
                    auxiliary-spi spi-index;
                    encryption {
                        encryption-algorithm (3des-cbc | aes-128-cbc | aes-192-cbc | aes-256-cbc | des-cbc);
                        key (ascii-text key | hexadecimal key);
                    }
                    protocol (ah | bundle | esp);
                    spi spi-index;
                }
            }
            mode (transport | tunnel);
        }
        # NOTE(review): the available trace flags are not listed here. Check
        # what the trace output records and who can read the trace files.
        traceoptions {
            flag flag;
        }
        vpn vpn-name {
            bind-interface interface-name;
            df-bit (clear | copy | set);
            establish-tunnels (immediately | on-traffic);
            # IKE-negotiated VPN: keys come from the referenced gateway and
            # ipsec-policy rather than from static key statements.
            ike {
                gateway gateway-name;
                idle-time seconds;
                install-interval seconds;
                ipsec-policy policy-name;
                # Turns off IPsec anti-replay checking for this VPN. Leave it
                # unset unless a peer cannot interoperate, and record the reason
                # in change control so the exception is auditable.
                no-anti-replay;
                proxy-identity {
                    local ip-prefix</prefix-length>;
                    remote ip-prefix</prefix-length>;
                    service service-name;
                }
            }
            # Manually keyed VPN: the same static-key caveats apply as for manual
            # security associations (no rekeying, key material in the config).
            manual {
                authentication {
                    algorithm (hmac-md5-96 | hmac-sha1-96);
                    key (ascii-text key | hexadecimal key);
                }
                encryption {
                    encryption-algorithm (3des-cbc | aes-128-cbc | aes-192-cbc | aes-256-cbc | des-cbc);
                    key (ascii-text key | hexadecimal key);
                }
                external-interface interface-name;
                gateway address;
                protocol (ah | esp);
                spi spi-index;
            }
            vpn-monitor {
                destination-ip address;
                optimized;
                source-interface interface-name;
            }
            vpn-monitor-options {
                interval seconds;
                threshold failures;
            }
        }
    }
}

Published: 2010-04-28