The no form of the command removes the string from the configuration.
The shutdown command administratively disables an entity. The operational state of the entity is disabled as well as the operational state of any entities contained within. Many objects must be shut down before they may be deleted.
The no form of the command deletes the specified tunnel group from the configuration.
The no form of the command removes the specified module from the IPSec group.
Values: mda-id: slot/mda (slot: 1 up to 10, depending on chassis model; mda: 1 to 2)
The no form of the command removes the specified primary ID from the group’s configuration.
The no form of the command disables IP packet reassembly.
The no form of the command removes the profile name from the cert-profile configuration.
The no form of the command removes the entry-id from the cert-profile configuration.
The no form of the command removes the cert-file-name from the entry configuration.
The no form of the command removes the key-filename from the entry configuration.
The configuration of this command is optional; by default, the system only sends the certificate specified by the cert command in the selected entry to the peer. This command allows the system to send additional CA certificates to the peer. These additional CA certificates must be in the certificate chain of the certificate specified by the cert command in the same entry.
The no form of the command
The no form of the command removes the parameter from the configuration.
auth-method {psk | plain-psk-xauth | cert-auth | psk-radius | cert-radius | eap | auto-eap-radius}
The no form of the command removes the parameter from the configuration.
Note that this command only applies when auth-method is configured as auto-eap-radius.
Note that this command only applies when auth-method is configured as auto-eap-radius.
The no form of the command removes the Diffie-Hellman group specification.
dpd [interval interval] [max-retries max-retries] [reply-only]
The no form of the command removes the parameters from the configuration.
Specifies the maximum number of retries before the tunnel is removed.
The no form of the command removes the encryption algorithm from the configuration.
This parameter configures the 56-bit des algorithm for encryption. This is an older algorithm, with relatively weak security. While better than nothing, it should only be used where a strong algorithm is not available on both ends at an acceptable performance level.
This parameter configures the 3-des algorithm for encryption. This is a modified application of the des algorithm which uses multiple des operations for more security.
The no form of the command removes the mode of operation from the configuration.
The no form of the command reverts the ipsec-lifetime value to the default.
This command specifies the lifetime of a phase one SA. ISAKMP stands for Internet Security Association and Key Management Protocol.
The no form of the command reverts the isakmp-lifetime value to the default.
[no] match-peer-id-to-cert
nat-traversal [force] [keep-alive-interval keep-alive-interval] [force-keep-alive]
The no form of the command reverts the parameters to the default.
pfs [dh-group {1 | 2 | 5 | 14 | 15}]
The no form of the command disables PFS. If this is turned off during an active SA, then when the SA expires and it is time to re-key the session, the original Diffie-Hellman primes will be used to generate the new keys.
[no] internal-ip4-netmask
The no form of the command reverts to the default value.
The no form of the command reverts to the default value.
The SPI value specifies the SPI that will be used in the encoding of the outgoing packets when the value of the direction command is outbound. The remote node can use this SPI to look up the instruction to verify and decrypt the packet.
If no spi is selected, then this static SA cannot be used.
The no form of the command reverts to the default value.
The no form of the command removes the ID from the configuration.
The no form of the command disables the authentication.
The no form of the command removes the
The no form of the command removes the parameter from the configuration.
The no form of the command disables sp-reverse-route.
transform transform-id [transform-id...(up to 4 max)]
Note that the ip-mtu command (under ipsec-tunnel or tunnel-template) specifies the private MTU for the ipsec-tunnel or dynamic tunnel.
local-ip {ip-prefix/prefix-length | ip-prefix netmask | any}
Only one entry is necessary to describe a potential flow. The local-ip and remote-ip commands can be defined only once. The system will evaluate the local IP as the source IP when traffic is examined in the direction of VPN to the tunnel and as the destination IP when traffic flows from the tunnel to the VPN. The remote IP will be evaluated as the source IP when traffic flows from the tunnel to the VPN and as the destination IP when traffic flows from the VPN to the tunnel.
remote-ip {ip-prefix/prefix-length | ip-prefix netmask | any}
Only one entry is necessary to describe a potential flow. The local-ip and remote-ip commands can be defined only once. The system will evaluate the local IP as the source IP when traffic is examined in the direction of VPN to the tunnel and as the destination IP when traffic flows from the tunnel to the VPN. The remote IP will be evaluated as the source IP when traffic flows from the tunnel to the VPN and as the destination IP when traffic flows from the VPN to the tunnel.
address ipv6-address/prefix-length [eui-64] [preferred] [track-srrp srrp-instance]
When the eui-64 keyword is specified, a complete IPv6 address is formed from the supplied prefix and a 64-bit interface identifier. The 64-bit interface identifier is derived from the MAC address on Ethernet interfaces. For interfaces without a MAC address, for example ATM interfaces, the Base MAC address of the chassis is used.
The interface command, under the context of services, is used to create and maintain IP routing interfaces within VPRN service IDs. The interface command can be executed in the context of a VPRN service ID. The IP interface created is associated with the service core network routing instance and default routing table. The typical use for IP interfaces created in this manner is for subscriber internet access.
Interface names are case sensitive and must be unique within the group of IP interfaces defined for config router interface and config service vprn interface. Interface names must not be in the dotted decimal notation of an IP address. For example, the name “1.1.1.1” is not allowed, but “int-1.1.1.1” is allowed. Show commands for router interfaces use either interface names or IP addresses. Use unique IP address values and IP address names to maintain clarity; it could be unclear to the user if the same IP address and IP address name values are used. Although not recommended, duplicate interface names can exist in different router instances.
The available IP address space for local subnets and routes is controlled with the config router service-prefix command. The service-prefix command administers the allowed subnets that can be defined on service IP interfaces. It also controls the prefixes that may be learned or statically defined with the service IP interface as the egress interface. This allows segmenting the IP address space into config router and config service domains.
The no form of this command removes the IP interface and all the associated configuration. The interface must be administratively shut down before issuing the no interface command.
All SAPs must be explicitly created. If no SAPs are created within a service or on an IP interface, a SAP will not exist on that object.
Enter an existing SAP without the create keyword to edit SAP parameters. The SAP is owned by the service in which it was created.
A SAP can only be associated with a single service. A SAP can only be defined on a port that has been configured as an access port using the config interface port-type port-id mode access command. Channelized TDM ports are always access ports.
If a port is shutdown, all SAPs on that port become operationally down. When a service is shutdown, SAPs for the service are not displayed as operationally down although all traffic traversing the service will be discarded. The operational state of a SAP is relative to the operational state of the port on which the SAP is defined.
The no form of this command deletes the SAP with the specified port. When a SAP is deleted, all configuration parameters for the SAP will also be deleted.
sap tunnel-id.private|public:tag — This parameter associates a tunnel group SAP with this interface.
The port-id must reference a valid port type. When the port-id parameter represents SONET/SDH and TDM channels the port ID must include the channel ID. A period “.” separates the physical port from the channel-id. The port must be configured as an access port.
[no] bfd-enable service service-id interface interface-name dst-ip ip-address
The no form of the command disables the automatic attempts to establish a phase 1 exchange.
transform transform-id [transform-id...(up to 4 max)]
security-association security-entry-id authentication-key authentication-key encryption-key encryption-key spi spi transform transform-id direction {inbound | outbound}
{32 | 64 | 128 | 256 | 512}
This command configures an IPSec security policy. The policy may then be associated with tunnels defined in the same context.
The no form of the command deletes the specified IP/GRE or IP-IP tunnel from the configuration. The tunnel must be administratively shut down before issuing the no ip-tunnel command.
The no form of the command deletes the source address from the GRE tunnel configuration. The tunnel must be administratively shut down before issuing the no source command.
The no form of the command deletes the destination address from the GRE tunnel configuration.
The no form of the command deletes the backup-destination address from the GRE tunnel configuration.
The no form of the command disables the DF bit reset.
The no form of the command deletes the delivery-service from the GRE tunnel configuration.
Values: be, cp1, cp2, cp3, cp4, cp5, cp6, cp7, cs1, cp9, af11, cp11, af12, cp13, af13, cp15, cs2, cp17, af21, cp19, af22, cp21, af23, cp23, cs3, cp25, af31, cp27, af32, cp29, af33, cp31, cs4, cp33, af41, cp35, af42, cp37, af43, cp39, cs5, cp41, cp42, cp43, cp44, cp45, ef, cp47, nc1, cp49, cp50, cp51, cp52, cp53, cp54, cp55, nc2, cp57, cp58, cp59, cp60, cp61, cp62, cp63
This command configures a private IPv4 or IPv6 address of the remote tunnel endpoint. A tunnel can have up to 16 dest-ip commands. At least one dest-ip address is required in the configuration of a tunnel. A tunnel does not come up operationally unless all dest-ip addresses are reachable (part of a local subnet).
Note: Unnumbered interfaces are not supported.
gre-header send-key send-key receive-key receive-key
The ip-mtu command instructs the MS-ISA to perform IP packet fragmentation, prior to IPSec encryption and encapsulation, based on the configured MTU value. In particular:
The no ip-mtu command, corresponding to the default behavior, disables fragmentation of IP packets by the MS-ISA; all IP packets, regardless of size or DF bit setting, are allowed into the tunnel.
Values: service-id: 1 — 2147483648; svc-name: An existing service name up to 64 characters in length.
In order to use this feature, the relay-proxy must be enabled on the corresponding interface (either the private interface or the interface that has the gi-address as the interface address).
server ip-address [ip-address...(up to 8 max)] router router-instance
server ip-address [ip-address...(up to 8 max)] service-name service-name
[no] local-address-assignment
Values: service-id: 1 — 2147483648; svc-name: Specifies an existing service name up to 64 characters in length.
The no form of the command removes the parameters from the configuration.
• key file must be already configured
The no form of the command removes the entry from the local configuration.
The no form of the command reverts to the default.
The no form of the command reverts to the default.
The no form of the command removes the tunnel group ID from the configuration.
The no form of the command removes the tunnel group ID from the configuration.
The no form of the command removes the priority value from the configuration.
protocol {protocol} [all | instance instance]
When ipsec is specified, this means IPSec routes.
The no form of the command removes the protocol match criterion.
Values: direct, static, bgp, isis, ospf, rip, aggregate, bgp-vpn, igmp, pim, ospf3, ldp, sub-mgmt, mld, managed, vpn-leak, tms, nat, periodic, ipsec, mpls
[no] ipsec-responder-only
[no] include-radius-attribute
The no form of the command excludes called station id attributes.
This command references an existing radius-server-policy (available under the config>aaa context) for use in subscriber management authentication and accounting.
The no form of the command removes the radius-server-policy reference from the configuration.
The no form of the command resets the password to its default of ALU and will be stored using hash/hash2 encryption.
Specifies that the key is entered in a more complex encrypted form. If the hash2 parameter is not used, the less encrypted hash form is assumed.
This command creates a new ca-profile or enters the configuration context of an existing ca-profile. Up to 128 ca-profiles can be created in the system. Shutting down the ca-profile will not affect a currently up and running ipsec-tunnel or ipsec-gw associated with the ca-profile, but subsequent authentication will fail with a shutdown ca-profile.
Executing a no shutdown command in this context will cause the system to reload the configured cert-file and crl-file.
A ca-profile can be applied under the ipsec-tunnel or ipsec-gw configuration.
The no form of the command removes the name parameter from the configuration. A ca-profile cannot be removed until all of its associations (ipsec-tunnel/gw) have been removed.
[no] accept-unprotected-errormsg
The no form of the command causes the system to only accept protected PKI confirmation message.
[no] accept-unprotected-pkiconf
The no form of the command causes the system to only accept protected PKI confirmation message.
[no] always-set-sender-for-ir
key password [hash | hash2] reference reference-number
The no form of the command removes the parameters from the configuration.
cmp-url url-string [service-id service-id]
If the service-id is 0 or omitted, then the system will try to resolve the FQDN via the DNS server configured in bof.cfg. After resolution, the system will connect to the address in the management routing instance first, then the base routing instance.
This command specifies the revocation method the system uses to check the revocation status of certificates issued by the CA. The default value is crl, which uses the CRL. If it is crl-optional, then when the user disables the ca-profile, the system will try to load the configured CRL (specified by the crl-file command). If the system fails to load it for the following reasons, then the system will still bring the ca-profile oper-up, but leave the CRL as non-existent.
The no form of the command reverts to the default.
[no] same-recipnonce-for-pollreq
cert-request ca ca-profile-name current-key key-filename current-cert cert-filename [hash-alg hash-algorithm] newkey key-filename subject-dn subject-dn [domain-name <[255 chars max]> [ip-addr <ip-address|ipv6-address>] save-as save-path-of-result-cert
In some cases, the CA may not return a certificate immediately, for reasons such as request processing needing manual intervention. In such cases, the admin certificate cmpv2 poll command can be used to poll the status of the request.
initial-registration ca ca-profile-name key-to-certify key-filename protection-alg {password password reference ref-number | signature [cert cert-file-name [send-chain [with-ca ca-profile-name]]] [protection-key key-file-name] [hash-alg {md5 | sha1 | sha224 | sha256 | sha384 | sha512}]} subject-dn dn [domain-name <[255 chars max]> [ip-addr <ip-address|ipv6-address>] save-as save-path-of-result-cert
The ca parameter specifies a CA-profile which includes CMP server information.
The key-to-certify is an imported key file to be certified by the CA.
subject-dn specifies the subject of the requesting certificate.
save-as specifies the full path name under which the resulting certificate is saved.
In some cases, the CA may not return a certificate immediately, for reasons such as request processing needing manual intervention. In such cases, the admin certificate cmpv2 poll command can be used to poll the status of the request. If key-list is not configured in the corresponding ca-profile, then the system will use the existing password to authenticate the CMPv2 packets from the server if they are under password protection.
If key-list is configured in the corresponding ca-profile and the server does not send a SenderKID, then the system will use the lexicographically first key in the key-list to authenticate the CMPv2 packets from the server when they are under password protection.
key-update ca ca-profile-name newkey key-filename oldkey key-filename oldcert cert-filename [hash-alg hash-algorithm] save-as save-path-of-result-cert
The file-transmission-profile context defines transport parameters for protocols such as HTTP, including the routing instance, source address, timeout value, and so on.
The no form of this command uses the default source address which typically is the address of the egress interface.
The no form of this command uses the default source address which typically is the address of egress interface.
When the virtual router does not receive any data from a server (e.g., FTP or HTTP server) after the configured timeout seconds, the router may repeat the request to the server. The number of retries specifies the maximum number of repeated requests.
The no form of this command disables the retry.
Values: router-instance: <router-name> | <service-id>; router-name: "Base" | "management" | "vpls-management"; service-id: [1..2147483647]
This command creates an auto CRL update configuration context with the create parameter, or enters the auto-crl-update configuration context without the create parameter.
This command enables the context to configure crl-urls parameters. The system allows up to eight URL entries to be configured and will try each URL in order and stop when a qualified CRL is successfully downloaded. A qualified CRL is a valid CRL signed by the CA and is more recent than the existing CRL.
This command creates a new crl-url entry with the create parameter, or enters an existing url-entry configuration context without the create parameter.
The no form of this command removes the specified entry.
This command specifies the file-transmission-profile for the url-entry. When the system downloads a CRL from the configured URL in the url-entry it will use the transport parameters configured in the file-transmission-profile.
auto-crl-update supports the Base/Management/VPRN routing instances. vpls-management is not supported. In the case of VPRN, the HTTP server port can only be 80 or 8080.
The no form of the command removes the specified profile name.
This command specifies the HTTP URL of the CRL file for the url-entry. The system supports both IPv4 and IPv6 HTTP connections.
The no form of the command causes the system to retry immediately without waiting.
• periodic — The system will download a CRL periodically at the interval configured via the periodic-update-interval command. For example, if the periodic-update-interval is 1 day, then the system will download a CRL every 1 day. The minimal periodic-update-interval is 1 hour.
• next-update-based — The system will download a CRL at the time = Next_Update_of_existing_CRL minus pre-update-time. For example, if the Next-Update of the existing CRL is 2015-06-30 06:00 and pre-update-time is 1 hour, then the system will start downloading at 2015-06-30 05:00.
The no form of this command enables an auto CRL update. Upon no shutdown, if the configured CRL file does not exist, is invalid or is expired, or if the schedule-type is next-update-based and the current time has passed (Next-Update_of_existing_CRL - pre-update-time), then the system will start downloading the CRL right away.
*A:Dut-A# show ipsec cert-profile cert "cert-1.der"
==============================================================================
Certificate Profile Entry
==============================================================================
Id Cert Key Status Flags
------------------------------------------------------------------------------
1 cert-1.der key-1.der
==============================================================================
*A:Dut-A#
*A:Dut-A# show ipsec cert-profile "cert-1.der" entry 1
===============================================================================
IPsec Certificate Profile: cert-1.der Entry: 1 Detail
===============================================================================
Cert File : cert-1.der
Key File : key-1.der
Status Flags : (Not Specified)
Comp Chain : complete
Compute Chain CA Profiles
-------------------------------------------------------------------------------
CA10
CA9
CA8
CA7
CA6
===============================================================================
*A:Dut-A# exit
*A:Dut-B# show certificate ca-profile
-------------------------------------------------------------------------------
Max Cert Chain Depth: 7 (default)
-------------------------------------------------------------------------------
Certificate Display Format: 1 ASCII
===============================================================================
CA Profile
===============================================================================
CA Profile Admin Oper Cert File CRL File
State State
-------------------------------------------------------------------------------
CA0 up up CA1-00cert.der CA1-00crl.der
CA1 up up CA1-01cert.der CA1-01crl.der
CA2 up up CA1-02cert.der CA1-02crl.der
CA3 up up CA1-03cert.der CA1-03crl.der
CA4 up up CA1-04cert.der CA1-04crl.der
CA5 up up rsa_sha512_1024_0cert.d* rsa_sha512_1024_0crl.der
CA6 up up rsa_sha512_1024_1cert.d* rsa_sha512_1024_1crl.der
CA7 up up rsa_sha512_1024_2cert.d* rsa_sha512_1024_2crl.der
CA8 up up rsa_sha512_1024_3cert.d* rsa_sha512_1024_3crl.der
CA9 up up rsa_sha512_1024_4cert.d* rsa_sha512_1024_4crl.der
CA10 up up rsa_sha512_1024_5cert.d* rsa_sha512_1024_5crl.der
CA11 up up rsa_sha384_1024_0cert.d* rsa_sha384_1024_0crl.der
CA12 up up rsa_sha384_1024_1cert.d* rsa_sha384_1024_1crl.der
CA13 up up rsa_sha384_1024_2cert.d* rsa_sha384_1024_2crl.der
CA14 up up rsa_sha384_1024_3cert.d* rsa_sha384_1024_3crl.der
CA15 up up rsa_sha384_1024_4cert.d* rsa_sha384_1024_4crl.der
CA16 up up rsa_sha384_1024_5cert.d* rsa_sha384_1024_5crl.der
CMPv2 up up rsaCMPv2cert.der rsaCMPv2CRL.der
-------------------------------------------------------------------------------
Entries found: 18
===============================================================================
* indicates that the corresponding row element may have been truncated.
*A:Dut-B#
*A:Dut-B# show ipsec certificate cert-1.der association
===============================================================================
Associated Tunnels
===============================================================================
Tunnel SvcId Sap Admin
-------------------------------------------------------------------------------
tun-1-s-cert-v2 3 tunnel-1.private:3 Up
tun-1-s-cert-MTA-v2 8 tunnel-1.private:7 Up
tun-1-s-cert-i_op-ss-v2 42 tunnel-1.private:10 Up
tun-1-s-cert-MTA-i_op-ss-v2 48 tunnel-1.private:11 Up
-------------------------------------------------------------------------------
IPsec Tunnels: 4
===============================================================================
*A:Dut-B#
*A:Dut-B# show ipsec cert-profile association "cert-1.der"
===============================================================================
IPsec tunnels using certificate profile
===============================================================================
SvcId Type SAP Tunnel
-------------------------------------------------------------------------------
3 vprn tunnel-1.private:3 tun-1-s-cert-v2
8 vprn tunnel-1.private:7 tun-1-s-cert-MTA-v2
42 vprn tunnel-1.private:10 tun-1-s-cert-i_op-ss-v2
48 vprn tunnel-1.private:11 tun-1-s-cert-MTA-i_op-ss-v2
===============================================================================
Number of tunnel entries: 4
===============================================================================
===============================================================================
IPsec gateways using certificate profile
===============================================================================
SvcId Type SAP Gateway
-------------------------------------------------------------------------------
1057 vprn tunnel-1.public:18 d-cert-MTA-g1-1-v2
1092 vprn tunnel-1.public:21 d-cert-i_op-ss-g1-1-v2
===============================================================================
Number of gateway entries: 2
===============================================================================
*A:Dut-B#
gateway [name name] tunnel state state
gateway [name name] tunnel idi-value idi-prefix
show ipsec gateway
===============================================================================
IPSec Gateway
===============================================================================
Name LclGwAddr Adm Opr Ike Auth
SAP Service
-------------------------------------------------------------------------------
rw 172.16.100.1 Up Up 2 certRadius
tunnel-1.public:100 300
-------------------------------------------------------------------------------
Number of gateways: 1
===============================================================================
show ipsec gateway name "rw"
===============================================================================
IPSec Gateway (SAP)
===============================================================================
-------------------------------------------------------------------------------
IPSec Gateway ( rw )
-------------------------------------------------------------------------------
Sap : tunnel-1.public:100 Service : 300
Local GW : 172.16.100.1
Admin State : Up Oper State : Up
Def Secure Svc : 400
Def Secure Svc If : priv
Ike Policy Id : 2
Ike Version : 2 Ike Policy Auth : certRadius
Pre Shared Key : haha
X509 Cert : (Not Specified)
Key : (Not Specified)
Local Id Type : fqdn
Local Id Value : segwmobilelab.alu.com
Cert Profile : segw-mlab
Trust Anchor Prof : sc-root
Radius Acct Plcy : rad-acct-policy-1
Radius Auth Plcy : rad-auth-policy-1
TS-List : <none>
Certificate Status Verify
-------------------------------------------------------------------------------
Primary : crl Secondary : none
Default Result : good
-------------------------------------------------------------------------------
Template Id: 1
-------------------------------------------------------------------------------
Transform Id1 : 1 Transform Id2 : None
Transform Id3 : None Transform Id4 : None
Reverse Route : none Replay Window : None
IP MTU : max Encap IP MTU : max
Pkt Too Big : true Clear DF BIT : false
Pkt Too Big Number : 100 Pkt Too Big Intvl : 10 secs
===============================================================================
show ipsec gateway name "rw" tunnel
===============================================================================
IPsec Remote User Tunnels
===============================================================================
Remote Endpoint Addr GW Name
GW Lcl Addr SvcId TnlType
Private Addr Secure SvcId BiDirSA
Idi-Type Value*
-------------------------------------------------------------------------------
11.0.0.100:500 rw
172.16.100.1 300 certRadius
2001:beef::50 400 true
derAsn1Dn C=US,ST=CA,O=ALU,CN=Smallcell-1
-------------------------------------------------------------------------------
IPsec Gateway Tunnels: 1
===============================================================================
show ipsec gateway name "rw" tunnel 11.0.0.100
===============================================================================
IPsec Remote Users Tunnel Detail
===============================================================================
-------------------------------------------------------------------------------
IP Addr: 11.0.0.100, port: 500
-------------------------------------------------------------------------------
Service Id : 300 Sap Id : tunnel-1.public:100
Address : 11.0.0.100
Private If : priv
Private Address : 2001:beef::50
Private Service : 400 Template Id : 1
Replay Window : None Bi Direction SA : true
Host MDA : 1/2
Match TrustAnchor: smallcell-root
Last Oper Changed: 12/05/2014 23:01:48
IKE IDI Type : derAsn1Dn
IKE IDI Value : C=US,ST=CA,O=ALU,CN=Smallcell-1
-------------------------------------------------------------------------------
Dynamic Keying Parameters
-------------------------------------------------------------------------------
Transform Id1 : 1 Transform Id2 : None
Transform Id3 : None Transform Id4 : None
IPsec GW Name : rw
Local GW Address : 172.16.100.1
Ike Policy Id : 2 Ike Pol Auth : certRadius
Pre Shared Key : haha
Cert Profile : segw-mlab
Trust Anchor Prof: sc-root
Selected Cert : SeGW-MLAB.cert
Selected Key : SeGW-MLAB.key
Send Chain Prof : None
Local Id Type : fqdn
Local Id Value : segwmobilelab.alu.com
Radius Acct Plcy : rad-acct-policy-1
Radius Auth Plcy : rad-auth-policy-1
TS-List : <none>
Certificate Status Verify
-------------------------------------------------------------------------------
Primary : crl Secondary : none
Default Result : good
-------------------------------------------------------------------------------
ISAKMP-SA
-------------------------------------------------------------------------------
State : Up
Established : 12/05/2014 23:01:49 Lifetime : 86400
Expires : 12/06/2014 23:01:49
ISAKMP Statistics
--------------------
Tx Packets : 2 Rx Packets : 2
Tx Errors : 0 Rx Errors : 0
Tx DPD : 0 Rx DPD : 0
Tx DPD ACK : 0 Rx DPD ACK : 0
DPD Timeouts : 0 Rx DPD Errors : 0
-------------------------------------------------------------------------------
IPsec-SA : 1, Inbound (index 2)
-------------------------------------------------------------------------------
SPI : 203073
Auth Algorithm : Sha1 Encr Algorithm : Aes128
Installed : 12/05/2014 23:01:48 Lifetime : 3600
Local Traffic Selectors:
2003:dead::1-2003:dead::1
Remote Traffic Selectors:
2001:beef::50-2001:beef::50
Aggregate Statistics
--------------------
Bytes Processed : 0 Packets Processed: 0
Crypto Errors : 0 Replay Errors : 0
SA Errors : 0 Policy Errors : 0
-------------------------------------------------------------------------------
IPsec-SA : 1, Outbound (index 1)
-------------------------------------------------------------------------------
SPI : 3232561216
Auth Algorithm : Sha1 Encr Algorithm : Aes128
Installed : 12/05/2014 23:01:48 Lifetime : 3600
Local Traffic Selectors:
2003:dead::1-2003:dead::1
Remote Traffic Selectors:
2001:beef::50-2001:beef::50
Aggregate Statistics
--------------------
Bytes Processed : 0 Packets Processed: 0
Crypto Errors : 0 Replay Errors : 0
SA Errors : 0 Policy Errors : 0
===============================================================================
Fragmentation Statistics
===============================================================================
Encapsulation Overhead : 73
Pre-Encapsulation
Fragmentation Count : 0
Last Fragmented Packet Size : 0
Post-Encapsulation
Fragmentation Count : 0
Last Fragmented Packet Size : 0
===============================================================================
===============================================================================
dut-A# show gre tunnel
===============================================================================
GRE Tunnels
===============================================================================
TunnelName LocalAddress SvcId Admn
SapId RemoteAddress DlvrySvcId Oper
To Bkup RemAddr DSCP Oper Rem Addr
-------------------------------------------------------------------------------
toce2 50.1.1.7 500 Up
tunnel-1.private:1 30.1.1.3 500 Up
20.1.1.2 30.1.2.7 None 30.1.1.3
toce2_backup 50.1.2.3 502 Up
tunnel-1.private:3 30.1.1.3 502 Up
20.1.2.2 0.0.0.0 None 30.1.1.3
-------------------------------------------------------------------------------
GRE Tunnels: 2
===============================================================================
A:Dut-A# show gre tunnel "toce2"
===============================================================================
GRE Tunnel Configuration Detail
===============================================================================
Service Id : 500 Sap Id : tunnel-1.private:1
Tunnel Name : toce2
Description : None
Target Address : 20.1.1.2 Delivery Service : 500
Admin State : Up Oper State : Up
Source Address : 50.1.1.7 Oper Remote Addr : 30.1.1.3
Remote Address : 30.1.1.3 Backup Address : 30.1.2.7
DSCP : None
Oper Flags : None
===============================================================================
GRE Tunnel Statistics: toce2
===============================================================================
Errors Rx : 0 Errors Tx : 0
Pkts Rx : 165342804 Pkts Tx : 605753463
Bytes Rx : 84986201256 Bytes Tx : 296819196870
Key Ignored Rx : 0 Too Big Tx : 0
Seq Ignored Rx : 0
Vers Unsup. Rx : 0
Invalid Chksum Rx: 0
Loops Rx : 0
===============================================================================
===============================================================================
A:Dut-A# show gre tunnel count
--------------------------------------------------------------------------------
GRE Tunnels: 2
--------------------------------------------------------------------------------
*A:ALA-48# show ipsec ike-policy 10
===============================================================================
IPsec IKE policy Configuration Detail
===============================================================================
Policy Id : 10 IKE Mode : main
DH Group : Group2 Auth Method : psk
PFS : False PFS DH Group : Group2
Auth Algorithm : Sha1 Encr Algorithm : Aes128
ISAKMP Lifetime : 86400 IPsec Lifetime : 3600
NAT Traversal : Disabled
NAT-T Keep Alive : 0 Behind NAT Only : True
DPD : Disabled
DPD Interval : 30 DPD Max Retries : 3
Description : (Not Specified)
===============================================================================
*A:ALA-48#
show ipsec radius-accounting-policy
===============================================================================
Radius Accounting Policy
===============================================================================
Policy Name Server Policy Include Attribs Upd Int
Jitter
-------------------------------------------------------------------------------
rad-acct-policy-1 nasId nasPortId 20
framedIpAddr
10
===============================================================================
Number of entries: 1
===============================================================================
show ipsec radius-accounting-policy "rad-acct-policy-1"
===============================================================================
IPsec Radius Accounting Policy Detail
===============================================================================
Name : rad-acct-policy-1
Server Policy : (Not Specified)
Include Attr : nasId nasPortId framedIpAddr
Update Interval : 20
Jitter : 10 sec.
===============================================================================
*A:ALA-48>show>ipsec# security-policy 1
========================================================================
Security Policy Param Entries
========================================================================
SvcId Security Policy LocalIp RemoteIp
PlcyId ParamsId
------------------------------------------------------------------------
1 1 1 0.0.0.0/0 0.0.0.0/0
------------------------------------------------------------------------
No. of IPsec Security Policy Param Entries: 1
========================================================================
*A:ALA-48>show>ipsec#
*A:ALA-48>config>ipsec# show ipsec transform 1
================================================================
IPsec Transforms
================================================================
TransformId EspAuthAlgorithm EspEncryptionAlgorithm
----------------------------------------------------------------
1 Sha1 Aes128
----------------------------------------------------------------
No. of IPsec Transforms: 1
================================================================
*A:ALA-48>config>ipsec#
*A:Dut-A# show ipsec trust-anchor-profile
==================================================================
Trust Anchor Profile Information
==================================================================
Name CA Profiles Down
------------------------------------------------------------------
CA0wCMPv2 0
CA1wCMPv2 0
CA2wCMPv2 0
CA3wCMPv2 0
CA4wCMPv2 0
CA5wCMPv2 0
CA6wCMPv2 0
CA7wCMPv2 0
CA8wCMPv2 0
CA9wCMPv2 0
CA10wCMPv2 0
==================================================================
*A:Dut-A#
*A:Dut-A# show ipsec trust-anchor-profile
==================================================================
Trust Anchor CA-profile List
==================================================================
CA Profile Admin/Oper State
------------------------------------------------------------------
CA6 up/up
CMPv2 up/up
==================================================================
*A:Dut-A#
show ipsec ts-list "ts1"
===============================================================================
TS-List Local Entry
===============================================================================
Entry Id IP Address Range or Prefix/Prefix-Len
-------------------------------------------------------------------------------
1 192.168.1.0/24
2 192.168.2.0/24
===============================================================================
show ipsec ts-list "ts1" association
===============================================================================
IPsec gateway using traffic-selection-list
===============================================================================
SvcId Type SAP
-------------------------------------------------------------------------------
300 ies tunnel-1.public:100
===============================================================================
Number of entries: 1
===============================================================================
*A:ALA-48>config>ipsec# show ipsec tunnel-template 1
===============================================================================
IPSec Tunnel Template
===============================================================================
Id Trnsfrm1 Trnsfrm2 Trnsfrm3 Trnsfrm4 ReverseRoute ReplayWnd
-------------------------------------------------------------------------------
1 1 none none none useSecurityPolicy 128
-------------------------------------------------------------------------------
Number of templates: 1
===============================================================================
*A:ALA-48>config>ipsec#
Displays nominal or notReady.
notReady means the system is not ready for a switchover; a switchover performed in this state could have a major traffic impact.
nominal means the tunnel-group is in a better position to switch over than notReady; however, there still might be some traffic impact.
show redundancy multi-chassis mc-ipsec peer 2.2.2.2
===============================================================================
Multi-Chassis MC-IPsec
===============================================================================
Peer Name : (Not Specified)
Peer Addr : 2.2.2.2
Keep Alive Intvl: 1.0 secs Hold on Nbr Fail : 3
Discovery Intvl : 300 secs Discovery Boot Intvl : 300 secs
BFD : Disable
Last update : 09/27/2012 00:44:23
======================================================================
Multi-Chassis IPsec Multi Active Tunnel-Group Table
======================================================================
ID Peer Group Priority Admin State Mastership
----------------------------------------------------------------------
1 2 100 Up standby
----------------------------------------------------------------------
Multi Active Tunnel Group Entries found: 1
======================================================================
show redundancy multi-chassis mc-ipsec peer 2.2.2.2 tunnel-group 1
===============================================================================
Multi-Chassis MC-IPsec Multi Active Tunnel-Group: 1
===============================================================================
Peer Ex Tnl Grp : 2 Priority : 100
Master State : standby Protection Status : nominal
Admin State : Up Oper State : Up
===============================================================================
======================================================================
Multi-Chassis Tunnel Statistics
======================================================================
Static Dynamic
----------------------------------------------------------------------
Installed 1 0
Installing 0 0
Awaiting Config 0 0
Failed 0 0
======================================================================
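The Protection Status and Master State fields above are the ones an operator checks before a planned MC-IPsec switchover. The following added example (not part of the Nokia documentation) parses the two-column "Label : Value" layout of this show output and flags a tunnel-group that is not safe to switch over; the sample text is copied from the listing above and the readiness rules are an assumption based on the field descriptions on this page.

```python
"""Parse SR OS-style 'Label : Value' show output and check MC-IPsec readiness."""
import re
from typing import Dict, List, Tuple

# Constructed sample input: the tunnel-group listing shown on this page.
SAMPLE = """\
show redundancy multi-chassis mc-ipsec peer 2.2.2.2 tunnel-group 1
===============================================================================
Multi-Chassis MC-IPsec Multi Active Tunnel-Group: 1
===============================================================================
Peer Ex Tnl Grp : 2                         Priority          : 100
Master State    : standby                   Protection Status : nominal
Admin State     : Up                        Oper State        : Up
===============================================================================
"""

# A label is a run of words ending at ' : ' (colon surrounded by whitespace, so
# timestamps such as 23:01:49 are not split); the value is the next token.
# Caveat: multi-word values ("1.0 secs") leak their trailing words into the
# next label, which is acceptable for the single-token fields checked here.
FIELD_RE = re.compile(r"([A-Za-z][A-Za-z0-9 /.\-]*?)\s*:\s+(\S+)")


def parse_fields(text: str) -> Dict[str, str]:
    """Return every 'Label : Value' pair found in the output, ruler lines skipped."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if line.startswith(("=", "-")):
            continue
        for match in FIELD_RE.finditer(line):
            fields[match.group(1).strip()] = match.group(2)
    return fields


def switchover_ready(fields: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Assumed readiness rules: nominal protection status and both states Up.

    Per the page, even 'nominal' may still cause some traffic impact; this
    check only rejects the cases the documentation calls out as unsafe.
    """
    reasons: List[str] = []
    if fields.get("Protection Status") != "nominal":
        reasons.append(f"Protection Status is {fields.get('Protection Status')!r}, not nominal")
    for state in ("Admin State", "Oper State"):
        if fields.get(state) != "Up":
            reasons.append(f"{state} is {fields.get(state)!r}, not Up")
    return (not reasons, reasons)


if __name__ == "__main__":
    ready, why = switchover_ready(parse_fields(SAMPLE))
    print("ready" if ready else "NOT ready: " + "; ".join(why))
```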
gateway name name tunnel ip-address[:port] [nat-ip nat-ip[:port]] [detail] [no-dpd-debug]
tunnel ipsec-tunnel-name [detail] [no-dpd-debug]
[no] ca-profile profile-name
[no] ocsp ca-profile-name