The table of IKE hosts can store up to 32 entries, indexed starting from 0 up to 31.
In the table of IKE hosts, configurations may be added, modified or deleted while the Abilis CPX is working, without needing to restart it. Changes made in the table take effect immediately once the command INIT PO:xxx is executed, where "xxx" is the IKE port number.
Commands for handling IKE hosts are described in the IKE host table section of the document Commands relating to IKE.
The available commands are the following:
A IKE HOST:

Here is an example of the IKE host table:
[21:30:22] ABILIS_CPX:D IKE HOST
-------------------------------------------------------------------------------
HOST: NAME:           LOC-IP:         IPP: KEY-TRIES: CIPHER: AUTH: HASH: DH:
      REM-IP:         SIDE: LIFE-TIME: ID-TYPE: IP:             FQDN:
      PEER-ID-TYPE:   PEER-IP:        PEER-FQDN:
-------------------------------------------------------------------------------
0     CPX_1-to-CPX_2  192.168.002.001 1    3          3DES    PSK   MD5   MODP1024
      192.168.002.002 AUTO  3600       IP       192.168.002.001
      IP              192.168.002.002
-------------------------------------------------------------------------------
1     CPX_1-to-CPX_3  192.168.002.001 1    3          IDEA    PSK   SHA   MODP1536
      *               AUTO  3600       IP       192.168.002.001
      FQDN                            www.antek.it
-------------------------------------------------------------------------------
Here is an example of the single IKE host connection 0:
[11:18:29] ABILIS_CPX:D IKE HOST:0
Parameter:      |Value:
------------------------------------------------------------------------------
HOST:           0
NAME:           CPX_1-to-CPX_2
LOC-IP:         192.168.002.001
REM-IP:         192.168.002.002
CIPHER:         3DES
AUTH:           PSK
HASH:           MD5
DH:             MODP1024
KEY-TRIES:      3
LIFE-TIME:      3600
ID-TYPE:        IP
IP:             192.168.002.001
PEER-ID-TYPE:   IP
PEER-IP:        192.168.002.002
IPP:            0
SIDE:           AUTO
------------------------------------------------------------------------------
HOST: | Host connection identifier |
no default | 0-31 |
It is the host connection identifier. The identifier is a numeric value that is assigned by the system to the IKE host connection when it is added the first time. It can be used for clearing/displaying and setting operations to reference the host connection.
NAME: | Name of the host connection |
empty | from 0 up to 32 ASCII printable characters. Spaces are not allowed. Case is preserved. |
Specifies the name of the host connection.
LOC-IP: | Local IP address. |
0.0.0.0 | 0.0.0.0, 1-126.x.x.x, 128-223.x.x.x, 0-63 |
Specifies the local IP address for this host connection.
0-63: IP port number. The IKE driver takes the local IP address to use from the specified IP port.
0.0.0.0, 1-126.x.x.x, 128-223.x.x.x: IP address. The driver uses the specified value as the local IP address.
REM-IP: | Remote IP address. |
0.0.0.0 | 0.0.0.0, 1-126.x.x.x, 128-223.x.x.x, *, 1-64 |
Specifies the remote IP address for this host connection.
*: Any IP address. The IKE driver accepts all remote IP addresses (responder only).
1-64: IP list number. The IKE driver accepts only the remote IP addresses present in the specified list (responder only).
0.0.0.0, 1-126.x.x.x, 128-223.x.x.x: IP address. The IKE driver uses the specified value as the remote IP address.
CIPHER: | Encryption algorithm for the ISAKMP/OAKLEY negotiation (ISAKMP SA). |
NONE | NONE, DES, 3DES, IDEA, CAST, BLOWFISH, AES128, AES192, AES256 |
Specifies the encryption algorithm for the ISAKMP/OAKLEY negotiation (ISAKMP SA) for this host connection.
NONE: No encryption.
DES: DES encryption algorithm in CBC mode.
3DES: Triple DES encryption algorithm in CBC mode.
IDEA: IDEA encryption algorithm in CBC mode.
CAST: CAST encryption algorithm in CBC mode.
BLOWFISH: BLOWFISH encryption algorithm in CBC mode.
AES128: AES encryption algorithm in CBC mode with 128 bits key length.
AES192: AES encryption algorithm in CBC mode with 192 bits key length.
AES256: AES encryption algorithm in CBC mode with 256 bits key length.
AUTH: | Authentication method for the ISAKMP/OAKLEY negotiation (ISAKMP SA). |
PSK | PSK |
Specifies the authentication method for the ISAKMP/OAKLEY negotiation (ISAKMP SA) for this host connection.
PSK: Pre-shared key authentication (see the IKE PSK table).
HASH: | Hash algorithm for the ISAKMP/OAKLEY negotiation (ISAKMP SA). |
MD5 | MD5, SHA |
Specifies the hash algorithm for the ISAKMP/OAKLEY negotiation (ISAKMP SA) for this host connection.
MD5: Message Digest Algorithm MD5.
SHA: Message Digest Algorithm SHA-1.
DH: | Diffie-Hellman group for the ISAKMP/OAKLEY negotiation (ISAKMP SA). |
MODP1024 | MODP768, MODP1024, MODP1536 |
Specifies the Diffie-Hellman group for the ISAKMP/OAKLEY negotiation (ISAKMP SA) for this host connection.
MODP768: 768-bit MODP Diffie-Hellman group.
MODP1024: 1024-bit MODP Diffie-Hellman group.
MODP1536: 1536-bit MODP Diffie-Hellman group.
ID-TYPE: | Type of local host ID. |
AUTO | AUTO, IP, FQDN, USER-FQDN |
Specifies type of local host ID for this host connection.
AUTO: Local ID will be set automatically in run-time as local IP address.
IP: Local ID is local IP address.
FQDN: Local ID is fully-qualified domain name (FQDN), e.g. www.antek.it.
USER-FQDN: Local ID is a fully-qualified user domain name (USER-FQDN), e.g. konstt@antek.it.
IP: | Specifies local host ID as IP address. |
0.0.0.0 | 0.0.0.0, 1-126.x.x.x, 128-223.x.x.x |
Specifies local host ID as IP address.
This value is used only if ID-TYPE parameter is set to IP.
FQDN: | Specifies local host ID as FQDN or USER-FQDN. |
empty | FQDN: From 0 up to 64 characters, range: ['0'..'9', 'A'..'Z', 'a'..'z', '-', '.']. USER-FQDN must be an ASCII printable user name string, where spaces are not allowed, plus a '@' character and a FQDN string. Case is not preserved. |
Specifies the local host ID as FQDN or USER-FQDN.
This value is used only if ID-TYPE parameter is set to FQDN or USER-FQDN.
PEER-ID-TYPE: | Type of peer host ID. |
AUTO | AUTO, IP, FQDN, USER-FQDN |
Specifies type of peer host ID for this host connection.
AUTO: Peer ID will be set automatically in run-time as remote IP address.
IP: Peer ID is remote IP address.
FQDN: Peer ID is fully-qualified domain name (FQDN), e.g. www.antek.it.
USER-FQDN: Peer ID is a fully-qualified user domain name (USER-FQDN), e.g. konstt@antek.it.
PEER-IP: | Specifies peer host ID as IP address. |
0.0.0.0 | 0.0.0.0, 1-126.x.x.x, 128-223.x.x.x |
Specifies peer host ID as IP address.
This value is used only if PEER-ID-TYPE parameter is set to IP.
PEER-FQDN: | Specifies peer host ID as FQDN or USER-FQDN. |
empty | FQDN: From 0 up to 64 characters, range: ['0'..'9', 'A'..'Z', 'a'..'z', '-', '.']. USER-FQDN must be an ASCII printable user name string, where spaces are not allowed, plus a '@' character and a FQDN string. Case is not preserved. |
Specifies the peer host ID as FQDN or USER-FQDN.
This value is used only if PEER-ID-TYPE parameter is set to FQDN or USER-FQDN.
IPP: | Tunnel IP port. |
# | #, 0-63 |
Specifies the IP port used for this host connection.
SIDE: | NAT side type of tunnel. |
AUTO | NONE, INSIDE, OUTSIDE, AUTO |
Specifies the NAT side type of the tunnel (when available).
KEY-TRIES: | Number of ISAKMP SA negotiation tries. |
3 | INFINITE, 1-100 |
Specifies how many times IKE should try to negotiate an ISAKMP SA, either for the first time or for rekeying.
LIFE-TIME: | Life time of ISAKMP SA. |
3600 | 900-28800 |
Specifies how long IKE will propose that an ISAKMP SA be allowed to live.
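The parameter descriptions above are a set of ranges and dependencies (LOC-IP is either a port number or an address, the 1-126/128-223 first-octet rule, LIFE-TIME 900-28800, IP only consulted when ID-TYPE is IP, and so on). The following added example, which is not Abilis code, parses a flattened "D IKE HOST:n" display of the kind shown earlier in this section and checks the values against those documented ranges; it also raises advisory warnings for choices the table accepts (DES, MD5, MODP768, REM-IP *) that a security review would normally question. The sample display is constructed from the page's record 0 and the severity labels are this example's own convention.

```python
import re

# Value sets exactly as documented for the IKE host table
HOST_CIPHERS = {"NONE", "DES", "3DES", "IDEA", "CAST", "BLOWFISH",
                "AES128", "AES192", "AES256"}
HOST_HASHES = {"MD5", "SHA"}
DH_GROUPS = {"MODP768", "MODP1024", "MODP1536"}
ID_TYPES = {"AUTO", "IP", "FQDN", "USER-FQDN"}
KEY_RE = re.compile(r"^[A-Z][A-Z-]*:$")   # a "PARAM:" token in the record display

# Constructed sample: the "D IKE HOST:0" display from this section, flattened
# onto one line the way a terminal capture often arrives
SAMPLE_HOST_0 = (
    "[11:18:29] ABILIS_CPX:D IKE HOST:0 Parameter: |Value: "
    "HOST: 0 NAME: CPX_1-to-CPX_2 LOC-IP: 192.168.002.001 REM-IP: 192.168.002.002 "
    "CIPHER: 3DES AUTH: PSK HASH: MD5 DH: MODP1024 KEY-TRIES: 3 LIFE-TIME: 3600 "
    "ID-TYPE: IP IP: 192.168.002.001 PEER-ID-TYPE: IP PEER-IP: 192.168.002.002 "
    "IPP: 0 SIDE: AUTO")


def parse_record(text):
    """Return {PARAM: value} from the part of a record after 'Parameter: |Value:'.
    A parameter printed without a value (e.g. FQDN: when ID-TYPE is IP) maps to ''."""
    body = text.split("Parameter: |Value:", 1)[1]
    record, key = {}, None
    for tok in body.split():
        if KEY_RE.match(tok):
            key = tok[:-1]
            record[key] = ""
        elif key is not None and set(tok) != {"-"}:      # skip ----- rulers
            record[key] = (record[key] + " " + tok).strip()
    return record


def parse_ipv4(text):
    """Dotted quad as the CPX prints it (leading zeros allowed: 192.168.002.001).
    Returns a tuple of four ints, or None if malformed."""
    parts = text.split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    octets = tuple(int(p) for p in parts)
    return octets if max(octets) <= 255 else None


def address_allowed(octets):
    """0.0.0.0, 1-126.x.x.x or 128-223.x.x.x: the ranges the table accepts."""
    return octets == (0, 0, 0, 0) or 1 <= octets[0] <= 126 or 128 <= octets[0] <= 223


def check_host(rec):
    """Return [(severity, message)]: 'error' = outside the documented range,
    'warn' = accepted by the table but worth a second look in a security review."""
    findings = []
    err = lambda m: findings.append(("error", m))
    warn = lambda m: findings.append(("warn", m))

    name = rec.get("NAME", "")
    if len(name) > 32 or " " in name or not name.isprintable():
        err("NAME: 0-32 printable characters, spaces not allowed")
    # LOC-IP is either an IP port number (0-63) or a local IP address
    loc = rec.get("LOC-IP", "0.0.0.0")
    if loc.isdigit():
        if int(loc) > 63:
            err("LOC-IP: IP port must be 0-63")
    elif (o := parse_ipv4(loc)) is None or not address_allowed(o):
        err(f"LOC-IP: {loc} is not an acceptable local address")
    # REM-IP additionally accepts '*' (any peer) and an IP list number 1-64
    rem = rec.get("REM-IP", "0.0.0.0")
    if rem == "*":
        warn("REM-IP: * accepts any remote address (responder only)")
    elif rem.isdigit():
        if not 1 <= int(rem) <= 64:
            err("REM-IP: IP list must be 1-64")
    elif (o := parse_ipv4(rem)) is None or not address_allowed(o):
        err(f"REM-IP: {rem} is not an acceptable remote address")
    for param, default, allowed in (("CIPHER", "NONE", HOST_CIPHERS),
                                    ("HASH", "MD5", HOST_HASHES),
                                    ("DH", "MODP1024", DH_GROUPS),
                                    ("ID-TYPE", "AUTO", ID_TYPES),
                                    ("PEER-ID-TYPE", "AUTO", ID_TYPES)):
        if rec.get(param, default) not in allowed:
            err(f"{param}: must be one of {sorted(allowed)}")
    if rec.get("AUTH", "PSK") != "PSK":
        err("AUTH: only PSK is available")
    tries = rec.get("KEY-TRIES", "3")
    if tries != "INFINITE" and not (tries.isdigit() and 1 <= int(tries) <= 100):
        err("KEY-TRIES: INFINITE or 1-100")
    life = rec.get("LIFE-TIME", "3600")
    if not (life.isdigit() and 900 <= int(life) <= 28800):
        err("LIFE-TIME: 900-28800 seconds")
    # IP / FQDN are only consulted for the matching ID-TYPE
    if rec.get("ID-TYPE") == "IP" and parse_ipv4(rec.get("IP", "")) is None:
        err("ID-TYPE IP needs a valid IP")
    if rec.get("ID-TYPE") in ("FQDN", "USER-FQDN") and not rec.get("FQDN"):
        err("ID-TYPE FQDN/USER-FQDN needs FQDN")
    # Advisories: values the table accepts that a security review should question
    if rec.get("CIPHER", "NONE") in ("NONE", "DES"):
        warn(f"CIPHER {rec.get('CIPHER', 'NONE')}: no or 56-bit confidentiality for the ISAKMP SA")
    if rec.get("DH", "MODP1024") == "MODP768":
        warn("DH MODP768: smallest group offered; prefer MODP1536")
    if rec.get("HASH", "MD5") == "MD5":
        warn("HASH MD5: legacy algorithm; prefer SHA")
    return findings


if __name__ == "__main__":
    for severity, message in check_host(parse_record(SAMPLE_HOST_0)):
        print(f"{severity}: {message}")
```

Run against the page's own record 0, the checker reports no errors and a single warning (HASH MD5). The tokenizer rather than a regex is deliberate: a parameter with no printed value (FQDN: when ID-TYPE is IP) would otherwise swallow the next parameter name as its value.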
The table of IKE clients can store up to 64 entries, indexed starting from 0 up to 63.
In the table of IKE clients, configurations may be added, modified or deleted while the Abilis CPX is working, without needing to restart it. Changes made in the table take effect immediately once the command INIT PO:xxx is executed, where "xxx" is the IKE port number.
Commands for handling IKE clients are described in the IKE client table section of the document Commands relating to IKE.
The available commands are the following:
A IKE CLI:

Here is an example of the IKE client connection table:
[21:25:43] CPX_1:D IKE CLI
-------------------------------------------------------------------------------
CLI: NAME:           HOST-ID: RULE:  LIFE-TIME: PFS: ESP: ESP-CIPHER: ESP-AUTH:
     PASSIVE: PERMANENT: NET-SRC:            AH:  AH-AUTH:
     TUNNEL:  NET-DST:
-------------------------------------------------------------------------------
0    CPX_1-to-CPX_2  0        IPSEC  28800      YES  YES  3DES        MD5
     YES      YES        192.168.001.000/24  NO   MD5
     YES      192.168.003.000/24
-------------------------------------------------------------------------------
1    CPX_1-to-CPX_3  1        IPSEC  28800      YES  YES  3DES        MD5
     YES      YES        192.168.001.000/24  NO   MD5
     YES      192.168.004.000/24
-------------------------------------------------------------------------------
Here is an example of the IKE client table record 0:
[14:22:45] ABILIS_CPX:D IKE CLI:0 - Not Saved (SAVE CONF) -------------------------------------------------------
Parameter:      |Value:
------------------------------------------------------------------------------
CLI:            0
NAME:           CPX_1-to-CPX_2
HOST-ID:        0
RULE:           IPSEC
PASSIVE:        YES
PERMANENT:      YES
TUNNEL:         YES
ESP:            YES
ESP-CIPHER:     3DES
ESP-AUTH:       MD5
AH:             NO
AH-AUTH:        MD5
LIFE-TIME:      28800
PFS:            YES
NET-SRC:        192.168.001.000/24
NET-DST:        192.168.003.000/24
------------------------------------------------------------------------------
CLI: | Client connection identifier |
no default | 0-63 |
It is the client connection identifier. The identifier is a numeric value that is assigned by the system to the IKE client connection when it is added the first time. It can be used for clearing/displaying and setting operations to reference the client connection.
NAME: | Name of the client connection |
empty | from 0 up to 32 ASCII printable characters. Spaces are not allowed. Case is preserved. |
Specifies the name of the client connection.
HOST-ID: | Identifier of host connection |
NONE | NONE, 0-31 |
Specifies the identifier of the IKE host connection associated with this client connection.
The value NONE means "not defined". For a client connection with the IPSEC rule, this parameter must not be NONE, and the host connection with the HOST-ID identifier must be present in the host connection table.
RULE: | Rule for this client connection |
IPSEC | BYPASS, DROP, IPSEC |
Specifies the rule for this client connection.
BYPASS: IP packets are passed through by the IPsec driver without IPsec processing.
DROP: IP packets are dropped by the IPsec driver.
IPSEC: IP packets are processed by IPsec.
PASSIVE: | Initiate mode of IKE negotiation |
YES | NO, YES |
Specifies whether this connection may initiate IKE negotiation.
NO: Negotiation can be started as initiator (on IPsec driver request, or if this connection is PERMANENT) and as responder.
YES: The client connection is passive (IPsec server). Negotiation can be started as responder only.
This parameter takes effect only for client connections with IPSEC rule.
PERMANENT: | Automatic initiation of IKE negotiation |
YES | NO, YES |
Specifies whether negotiation of this connection is started automatically.
NO: Negotiation of this connection never starts automatically.
YES: After the IKE driver starts, or after the INIT PO:IKE command, (re-)negotiation of this connection is started automatically as initiator. The negotiated connection is saved into the IKE.CNS file.
This parameter takes effect only for client connections with IPSEC rule.
TUNNEL: | Tunnel mode flag. |
NO | NO, YES |
Specifies tunnel mode for this client connection.
NO: Tunnel mode is disabled. Transport mode.
YES: Tunnel mode is enabled.
AH: | Enable/disable the IPsec AH protocol. |
NO | NO, YES |
Enables/disables the IPsec AH protocol for this client connection.
NO: IPsec protocol AH is disabled.
YES: IPsec protocol AH is enabled.
This parameter takes effect only for client connections with IPSEC rule.
AH-AUTH: | Authentication method for the AH protocol. |
MD5 | MD5, SHA |
Specifies the authentication method for the AH protocol for this client connection.
MD5: Message Digest Algorithm MD5.
SHA: Message Digest Algorithm SHA-1.
This parameter takes effect only for client connections with IPSEC rule.
ESP: | Enable/disable the IPsec ESP protocol. |
YES | NO, YES |
Enables/disables the IPsec ESP protocol for this client connection.
NO: IPsec protocol ESP is disabled.
YES: IPsec protocol ESP is enabled.
This parameter takes effect only for client connections with IPSEC rule.
ESP-AUTH: | Authentication method for the ESP protocol. |
MD5 | NONE, MD5, SHA |
Specifies the authentication method for the ESP protocol for this client connection.
NONE: No authentication.
MD5: Message Digest Algorithm MD5.
SHA: Message Digest Algorithm SHA-1.
This parameter takes effect only for client connections with IPSEC rule.
ESP-CIPHER: | Encryption algorithm for the ESP protocol. |
3DES | NONE, DES, 3DES, IDEA, CAST, BLOWFISH, AES128, AES192, AES256 |
Specifies the encryption algorithm for the ESP protocol for this client connection.
NONE: No encryption.
DES: DES encryption algorithm in CBC mode.
3DES: Triple DES encryption algorithm in CBC mode.
IDEA: IDEA encryption algorithm in CBC mode.
CAST: CAST encryption algorithm in CBC mode.
BLOWFISH: BLOWFISH encryption algorithm in CBC mode.
AES128: AES encryption algorithm in CBC mode with 128 bits key length.
AES192: AES encryption algorithm in CBC mode with 192 bits key length.
AES256: AES encryption algorithm in CBC mode with 256 bits key length.
This parameter takes effect only for client connections with IPSEC rule.
LIFE-TIME: | Life time of IPsec SAs which are associated with current client connection. |
28800 | 14400-86400 |
Specifies how long IKE will propose that an IPsec SA be allowed to live.
This parameter takes effect only for client connections with IPSEC rule.
PFS: | Enable/disable Perfect Forward Secrecy (PFS). |
YES | NO, YES |
Enables/disables PFS for IPsec SA negotiation for this client connection.
NO: PFS is disabled.
YES: PFS is enabled.
This parameter takes effect only for client connections with IPSEC rule.
NET-SRC: | Source subnet address and mask. |
0.0.0.0/0 | net: 0.0.0.0, 1.0.0.0-126.255.255.255, 128.0.0.0-223.255.255.255 mask: 0-32 |
Specifies the network address and mask of the source subnet/host in slash notation [x.x.x.x/yy].
NET-DST: | Destination subnet address and mask. |
0.0.0.0/0 | net: 0.0.0.0, 1.0.0.0-126.255.255.255, 128.0.0.0-223.255.255.255 mask: 0-32 |
Specifies the network address and mask of the destination subnet/host in slash notation [x.x.x.x/yy].
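Several client-table rules only bite in combination: HOST-ID may be NONE for BYPASS or DROP but not for IPSEC, and then must name a host that exists in the host table; LIFE-TIME has a different range (14400-86400) from the host table; NET-SRC/NET-DST use slash notation with the same first-octet rule as the addresses above. The following added example, which is not Abilis code, checks one client record (given as the dictionary a record parser would produce from the "D IKE CLI:n" display) against those rules, with the set of known HOST: identifiers passed in so the cross-reference can be made. It also warns about accepted combinations that give less protection than the record suggests (ESP with neither cipher nor authentication, PFS off, DES, MD5). The sample record is constructed from the page's record 0; the known host set {0, 1} and the severity labels are this example's assumptions.

```python
# Value sets exactly as documented for the IKE client table
RULES = {"BYPASS", "DROP", "IPSEC"}
YESNO = {"NO", "YES"}
AUTHS = {"MD5", "SHA"}
ESP_CIPHERS = {"NONE", "DES", "3DES", "IDEA", "CAST", "BLOWFISH",
               "AES128", "AES192", "AES256"}

# Constructed sample: the "D IKE CLI:0" record from this section, as the
# dictionary a record parser produces from the display
SAMPLE_CLI_0 = {
    "CLI": "0", "NAME": "CPX_1-to-CPX_2", "HOST-ID": "0", "RULE": "IPSEC",
    "PASSIVE": "YES", "PERMANENT": "YES", "TUNNEL": "YES",
    "ESP": "YES", "ESP-CIPHER": "3DES", "ESP-AUTH": "MD5",
    "AH": "NO", "AH-AUTH": "MD5", "LIFE-TIME": "28800", "PFS": "YES",
    "NET-SRC": "192.168.001.000/24", "NET-DST": "192.168.003.000/24",
}
# Constructed: HOST: identifiers present in the host table shown above (0 and 1)
KNOWN_HOST_IDS = {0, 1}


def parse_cidr(text):
    """Parse slash notation x.x.x.x/yy as the CPX prints it (leading zeros in
    octets allowed). Returns (address_as_int, mask_bits), or None when the
    string is malformed or outside the documented net/mask ranges."""
    net, _, mask = text.partition("/")
    parts = net.split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts) or not mask.isdigit():
        return None
    octets = [int(p) for p in parts]
    bits = int(mask)
    if max(octets) > 255 or bits > 32:
        return None
    if not (octets == [0, 0, 0, 0] or 1 <= octets[0] <= 126 or 128 <= octets[0] <= 223):
        return None
    return int.from_bytes(bytes(octets), "big"), bits


def check_client(rec, host_ids):
    """Return [(severity, message)] for one client record; host_ids is the set
    of HOST: identifiers present in the IKE host table."""
    findings = []
    err = lambda m: findings.append(("error", m))
    warn = lambda m: findings.append(("warn", m))

    name = rec.get("NAME", "")
    if len(name) > 32 or " " in name or not name.isprintable():
        err("NAME: 0-32 printable characters, spaces not allowed")
    rule = rec.get("RULE", "IPSEC")
    if rule not in RULES:
        err(f"RULE: must be one of {sorted(RULES)}")
    for param, default, allowed in (
            ("PASSIVE", "YES", YESNO), ("PERMANENT", "YES", YESNO),
            ("TUNNEL", "NO", YESNO), ("AH", "NO", YESNO), ("AH-AUTH", "MD5", AUTHS),
            ("ESP", "YES", YESNO), ("ESP-AUTH", "MD5", AUTHS | {"NONE"}),
            ("ESP-CIPHER", "3DES", ESP_CIPHERS), ("PFS", "YES", YESNO)):
        if rec.get(param, default) not in allowed:
            err(f"{param}: must be one of {sorted(allowed)}")
    for param in ("NET-SRC", "NET-DST"):
        if parse_cidr(rec.get(param, "0.0.0.0/0")) is None:
            err(f"{param}: {rec.get(param)} is not valid slash notation x.x.x.x/yy")

    if rule != "IPSEC":        # the remaining parameters take effect only for IPSEC
        return findings
    host_id = rec.get("HOST-ID", "NONE")
    if host_id == "NONE":
        err("HOST-ID: must not be NONE for RULE IPSEC")
    elif not host_id.isdigit() or int(host_id) not in host_ids:
        err(f"HOST-ID: {host_id} is not present in the host connection table")
    life = rec.get("LIFE-TIME", "28800")
    if not (life.isdigit() and 14400 <= int(life) <= 86400):
        err("LIFE-TIME: 14400-86400 seconds")

    # Advisories: accepted combinations that protect less than the record suggests
    esp, ah = rec.get("ESP", "YES"), rec.get("AH", "NO")
    if esp == "NO" and ah == "NO":
        warn("neither AH nor ESP is enabled for an IPSEC rule")
    if esp == "YES":
        cipher, auth = rec.get("ESP-CIPHER", "3DES"), rec.get("ESP-AUTH", "MD5")
        if cipher == "NONE" and auth == "NONE":
            warn("ESP-CIPHER NONE with ESP-AUTH NONE: ESP protects nothing")
        else:
            if cipher in ("NONE", "DES"):
                warn(f"ESP-CIPHER {cipher}: no or 56-bit confidentiality")
            if auth == "NONE":
                warn("ESP-AUTH NONE: ESP traffic has no integrity protection")
            elif auth == "MD5":
                warn("ESP-AUTH MD5: legacy algorithm; prefer SHA")
    if rec.get("PFS", "YES") == "NO":
        warn("PFS NO: compromise of the ISAKMP SA key material exposes the IPsec SA keys")
    return findings


if __name__ == "__main__":
    for severity, message in check_client(SAMPLE_CLI_0, KNOWN_HOST_IDS):
        print(f"{severity}: {message}")
```

A record with RULE BYPASS or DROP and HOST-ID NONE passes, as the page allows; the same record with RULE IPSEC fails on HOST-ID. Note the example does not flag PASSIVE YES together with PERMANENT YES, because the page's own record 0 uses exactly that combination.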
The table of IKE psk can store up to 64 entries, indexed starting from 0 up to 63.
In the table of IKE psk, configurations may be added, modified or deleted while the Abilis CPX is working, without needing to restart it. Changes made in the table take effect immediately once the command INIT PO:xxx is executed, where "xxx" is the IKE port number.
Commands for handling IKE psk are described in the IKE psk table section of the document Commands relating to IKE.
The available commands are the following:
A IKE PSK:

Here is an example of the IKE PSK table:
[21:25:43] ABILIS_CPX:D IKE PSK - Not Saved (SAVE CONF) -------------------------------------------------------
-------------------------------------------------------------------------------
PSK: KEY:      ID-TYPE:   IP:              FQDN:
-------------------------------------------------------------------------------
0    ********  IP         192.168.002.001
1    ********  ANONYMOUS
2    ********  FQDN                        konstt

Here is an example of the IKE PSK table record 2:
[15:57:03] ABILIS_CPX:D IKE PSK:2 - Not Saved (SAVE CONF) -------------------------------------------------------
Parameter:      |Value:
------------------------------------------------------------------------------
PSK:            2
KEY:            ********
ID-TYPE:        FQDN
FQDN:           konstt
------------------------------------------------------------------------------
PSK: | PSK record identifier |
no default | 0-63 |
It is the PSK record identifier. The identifier is a numeric value that is assigned by the system to the IKE PSK record when it is added the first time. It can be used for clearing/displaying and setting operations to reference the PSK record.
ID-TYPE: | Type of peer host ID. |
UNDEF | UNDEF, IP, FQDN, USER-FQDN, ANONYMOUS |
Specifies the type of peer host ID for this PSK record.
UNDEF: Not assigned.
IP: Peer ID is the peer IP address.
FQDN: Peer ID is a fully-qualified domain name (FQDN), e.g. www.antek.it.
USER-FQDN: Peer ID is a fully-qualified user domain name (USER-FQDN), e.g. konstt@antek.it.
ANONYMOUS: Used to keep the PSK for anonymous peers.
IP: | Specifies peer host ID as IP address. |
0.0.0.0 | 0.0.0.0, 1-126.x.x.x, 128-223.x.x.x |
Specifies peer host ID as IP address.
This value is used only if ID-TYPE parameter is set to IP.
FQDN: | Specifies peer host ID as FQDN or USER-FQDN. |
empty | FQDN: From 0 up to 64 characters, range: ['0'..'9', 'A'..'Z', 'a'..'z', '-', '.']. USER-FQDN must be an ASCII printable user name string, where spaces are not allowed, plus a '@' character and a FQDN string. Case is not preserved. |
Specifies the peer host ID as FQDN or USER-FQDN.
This value is used only if ID-TYPE parameter is set to FQDN or USER-FQDN.
KEY: | Specifies value of the pre-shared key. |
empty | From 0 up to 64 ASCII printable characters. Case is preserved. Spaces are allowed. Strings holding spaces must be written between quotation marks (E.g.: "my key"). |
Specifies the value of the pre-shared key.
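The PSK table is keyed by peer identity, and two details of the parameter descriptions above matter when matching a peer to its record: FQDN/USER-FQDN values are compared with case not preserved, and an IP identity printed as 192.168.002.001 must match the same address written without leading zeros. The following added example, which is not Abilis code, validates a KEY value against the documented rules (0-64 printable ASCII characters, quotation marks around strings holding spaces) and looks up the PSK record for a given peer identity. The table contents are constructed from the page's three records with placeholder keys; treating an ANONYMOUS record as the fallback when no specific record matches, and the 16-character minimum-length advisory, are this example's own assumptions rather than documented CPX behaviour.

```python
# Constructed from the PSK table above; the KEY values are placeholders
PSK_TABLE = [
    {"PSK": 0, "ID-TYPE": "IP", "IP": "192.168.002.001", "KEY": "example-key-0"},
    {"PSK": 1, "ID-TYPE": "ANONYMOUS", "KEY": "example anonymous key"},
    {"PSK": 2, "ID-TYPE": "FQDN", "FQDN": "konstt", "KEY": "example-key-2"},
]
MIN_KEY_LENGTH = 16   # this example's own advisory threshold, not a CPX rule


def check_key(key):
    """Return a list of problems with a KEY value: the documented limits
    (0-64 printable ASCII characters) plus the example's minimum-length advisory."""
    problems = []
    if len(key) > 64:
        problems.append("longer than 64 characters")
    if not all(32 <= ord(c) <= 126 for c in key):
        problems.append("contains non-printable or non-ASCII characters")
    if len(key) < MIN_KEY_LENGTH:
        problems.append(f"shorter than {MIN_KEY_LENGTH} characters (example's advisory)")
    return problems


def cli_key_literal(key):
    """Format KEY for the command line: strings holding spaces must be written
    between quotation marks, e.g. "my key"."""
    return f'"{key}"' if " " in key else key


def normalize_ip(text):
    """Canonical dotted quad, so that 192.168.002.001 equals 192.168.2.1.
    Returns None for anything that is not four octets 0-255."""
    parts = text.split(".")
    if len(parts) != 4 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        return None
    return ".".join(str(int(p)) for p in parts)


def find_psk(table, peer_id_type, peer_id):
    """Return the PSK record for a peer identity, or None.
    IP identities compare after normalisation; FQDN and USER-FQDN compare
    case-insensitively because the FQDN parameter does not preserve case.
    The ANONYMOUS fallback is an assumption of this example."""
    anonymous = None
    for rec in table:
        kind = rec["ID-TYPE"]
        if kind == "ANONYMOUS":
            anonymous = anonymous or rec          # keep the first ANONYMOUS record
        elif kind != peer_id_type:
            continue
        elif kind == "IP" and normalize_ip(rec.get("IP", "")) == normalize_ip(peer_id):
            return rec
        elif kind in ("FQDN", "USER-FQDN") and rec.get("FQDN", "").lower() == peer_id.lower():
            return rec
    return anonymous


if __name__ == "__main__":
    for kind, ident in (("IP", "192.168.2.1"), ("FQDN", "KONSTT"), ("IP", "10.0.0.1")):
        rec = find_psk(PSK_TABLE, kind, ident)
        print(kind, ident, "->", "PSK record", rec["PSK"] if rec else None)
    print(cli_key_literal("my key"), check_key("my key"))
```

The lookup deliberately ignores records whose ID-TYPE differs from the peer's, so a peer presenting an IP identity never matches an FQDN record that happens to look like an address.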