IPSec Configuration
show ipsec
[Command] show ipsec
[Purpose] Display ipsec information
[View] System view
[Use Cases]
sonic# show ipsec
ipsec name
[Command] ipsec name
[Purpose] Create and enter ipsec view
[View] System configuration view
[Use Cases]
sonic# ipsec test
ike crypto_alg
[Command] ike crypto_alg {des-iv64|des|3des|rc5|idea|cast|blowfish|3idea|des-iv32|null|aes-cbc|aes-ctr|aes-gcm-16} crypto_alg_size 0-65535 integ_alg {none|md5-96|sha1-96|des-mac|kpdk-md5|aes-xcbc-96|md5-128|sha1-160|cmac-96|aes-128-gmac|aes-192-gmac|aes-256-gmac|hmac-sha2-256-128|hmac-sha2-384-192|hmac-sha2-512-256} dh {none|modp-768|modp-1024|modp-1536|modp-2048|modp-3072|modp-4096|modp-6144|modp-8192|ecp-192|ecp-256|ecp-384|ecp-512|modp-1024-160|modp-2048-224|modp-2048-256}
[Purpose] Configure the IKE encryption algorithm, key length, authentication (integrity) algorithm and DH group
[View] IPSec configuration view
[Parameter]
| Parameter | Description |
|---|---|
| crypto_alg | encryption algorithm |
| crypto_alg_size | key length |
| integ_alg | authentication algorithm |
| dh | DH algorithm |
[Use Cases]
sonic(config-ipsec-test)# ike crypto_alg des-iv64 crypto_alg_size 128 integ_alg md5-128 dh modp-4096
ike local type {ip4|ip6|rfc822|fqdn} data
[Command] ike local type {ip4|ip6|rfc822|fqdn} data value
[Purpose] Configure the ID type and ID of the local user in IKE users.
[View] IPSec configuration view
[Parameter]
| Parameter | Description |
|---|---|
| type | ID type |
| data | ID value |
[Use Cases]
sonic(config-ipsec-test)# ike local type ip4 data 1.1.1.1
ike remote type {ip4|ip6|rfc822|fqdn} data
[Command] ike remote type {ip4|ip6|rfc822|fqdn} data value
[Purpose] Configure the ID type and ID of the remote user in IKE users.
[View] IPSec configuration view
[Parameter]
| Parameter | Description |
|---|---|
| type | ID type |
| data | ID value |
[Use Cases]
sonic(config-ipsec-test)# ike remote type ip4 data 1.1.1.1
ike traffic_selector {local|remote} {ip4|ip6} addr_start
[Command] ike traffic_selector {local|remote} {ip4|ip6} addr_start A.B.C.D addr_end A.B.C.D port_start 0-65535 port_end 0-65535 protocol 0-255
[Purpose] Configure the data streams to be protected
[View] IPSec configuration view
[Parameter]
| Parameter | Description |
|---|---|
| local\|remote | local ip or remote ip |
| ip4\|ip6 | ip type |
| addr_start | start ip address |
| addr_end | end ip address |
| port_start | start port |
| port_end | end port |
| protocol | protocol |
[Use Cases]
sonic(config-ipsec-test)# ike traffic_selector local ip4 addr_start 1.1.1.1 addr_end 2.2.2.2 port_start 0 port_end 65535 protocol 6
sa
[Command] sa {des-iv64|des|3des|rc5|idea|cast|blowfish|3idea|des-iv32|null|aes-cbc|aes-ctr|aes-gcm-16} crypto_alg_size 0-65535 integ_alg {none|md5-96|sha1-96|des-mac|kpdk-md5|aes-xcbc-96|md5-128|sha1-160|cmac-96|aes-128-gmac|aes-192-gmac|aes-256-gmac|hmac-sha2-256-128|hmac-sha2-384-192|hmac-sha2-512-256}
[Purpose] Configure the SA encryption algorithm, key length and authentication algorithm
[View] IPSec configuration view
[Parameter]
| Parameter | Description |
|---|---|
| sa | encryption algorithm |
| crypto_alg_size | key length |
| integ_alg | authentication algorithm |
[Use Cases]
sonic(config-ipsec-test)# sa des-iv64 crypto_alg_size 128 integ_alg md5-128 dh modp-4096
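Both the `ike crypto_alg` and the `sa` commands above let the operator pick from the same lists of ciphers, integrity algorithms and DH groups, and several of those options (DES variants, `null`, MD5 and SHA-1 MACs, `modp-768`/`modp-1024`) are no longer acceptable for new tunnels. The following linter is an added example, not the device's CLI or any vendor code: it parses proposal lines in exactly the syntax documented for the two commands, checks every value against the option sets listed above, and reports what a reviewer should reject before the configuration goes live. The option sets are copied from this page; the weak/strong classification, the AES key-length rule and the sample configuration lines are the author's own and are marked as such in the code.

```python
"""Lint IPSec proposal lines ('ike crypto_alg ...' and 'sa ...') for weak choices.

Added example, not part of the device's CLI. Grammar as documented above:
    ike crypto_alg <alg> crypto_alg_size <n> integ_alg <alg> dh <group>
    sa <alg> crypto_alg_size <n> integ_alg <alg>
"""
import re

# Option sets exactly as listed in the command syntax on this page.
CRYPTO_ALGS = {"des-iv64", "des", "3des", "rc5", "idea", "cast", "blowfish", "3idea",
               "des-iv32", "null", "aes-cbc", "aes-ctr", "aes-gcm-16"}
INTEG_ALGS = {"none", "md5-96", "sha1-96", "des-mac", "kpdk-md5", "aes-xcbc-96",
              "md5-128", "sha1-160", "cmac-96", "aes-128-gmac", "aes-192-gmac",
              "aes-256-gmac", "hmac-sha2-256-128", "hmac-sha2-384-192",
              "hmac-sha2-512-256"}
DH_GROUPS = {"none", "modp-768", "modp-1024", "modp-1536", "modp-2048", "modp-3072",
             "modp-4096", "modp-6144", "modp-8192", "ecp-192", "ecp-256", "ecp-384",
             "ecp-512", "modp-1024-160", "modp-2048-224", "modp-2048-256"}

# Author's classification (assumption, not vendor guidance): 64-bit block ciphers,
# null encryption, MD5/SHA-1 based MACs, and DH groups below 2048-bit MODP or
# 224-bit curves should not be used for new tunnels.
WEAK_CRYPTO = CRYPTO_ALGS - {"aes-cbc", "aes-ctr", "aes-gcm-16"}
WEAK_INTEG = {"md5-96", "sha1-96", "des-mac", "kpdk-md5", "md5-128", "sha1-160"}
WEAK_DH = {"none", "modp-768", "modp-1024", "modp-1536", "modp-1024-160", "ecp-192"}
AES_KEY_SIZES = {128, 192, 256}
AEAD = {"aes-gcm-16"}  # carries its own integrity check; integ_alg should be none

PROMPT = re.compile(r"^\S+#\s*")  # strips a prompt such as "sonic(config-ipsec-test)# "


def parse_proposal(line):
    """Parse one proposal line into a dict; raise ValueError if it breaks the grammar."""
    tokens = PROMPT.sub("", line.strip()).split()
    if tokens[:2] == ["ike", "crypto_alg"]:
        kind, rest = "ike", tokens[2:]
    elif tokens[:1] == ["sa"] and len(tokens) > 1 and tokens[1] in CRYPTO_ALGS:
        kind, rest = "sa", tokens[1:]  # 'sa lifetime', 'sa natt', 'sa tunnel' are not proposals
    else:
        raise ValueError(f"not a proposal line: {line!r}")
    if not rest or len(rest) % 2 == 0:
        raise ValueError(f"malformed proposal (keyword without value): {line!r}")
    crypto, kv = rest[0], dict(zip(rest[1::2], rest[2::2]))
    # dh is mandatory for ike; it is also tolerated on sa so that the page's own
    # sa use case parses, although the documented sa syntax does not list it.
    required = {"crypto_alg_size", "integ_alg"} | ({"dh"} if kind == "ike" else set())
    missing, extra = required - set(kv), set(kv) - required - {"dh"}
    if missing or extra:
        raise ValueError(f"missing {sorted(missing)}, unexpected {sorted(extra)}")
    if crypto not in CRYPTO_ALGS:
        raise ValueError(f"unknown crypto_alg {crypto}")
    if kv["integ_alg"] not in INTEG_ALGS:
        raise ValueError(f"unknown integ_alg {kv['integ_alg']}")
    if "dh" in kv and kv["dh"] not in DH_GROUPS:
        raise ValueError(f"unknown dh group {kv['dh']}")
    size = int(kv["crypto_alg_size"])
    if not 0 <= size <= 65535:
        raise ValueError(f"crypto_alg_size out of range: {size}")
    return {"kind": kind, "crypto": crypto, "size": size,
            "integ": kv["integ_alg"], "dh": kv.get("dh")}


def lint_proposal(line):
    """Return a list of findings; an empty list means the proposal is acceptable."""
    p = parse_proposal(line)
    findings = []
    if p["crypto"] in WEAK_CRYPTO:
        findings.append(f"weak or null encryption: {p['crypto']}")
    if p["crypto"].startswith("aes") and p["size"] not in AES_KEY_SIZES:
        findings.append(f"AES key length must be 128, 192 or 256, got {p['size']}")
    if p["crypto"] in AEAD:
        if p["integ"] != "none":
            findings.append(f"{p['crypto']} is AEAD; integ_alg {p['integ']} is redundant")
    elif p["integ"] == "none":
        findings.append("no integrity protection on a non-AEAD cipher")
    elif p["integ"] in WEAK_INTEG:
        findings.append(f"weak integrity algorithm: {p['integ']}")
    if p["kind"] == "ike" and p["dh"] in WEAK_DH:
        findings.append(f"weak or missing DH group: {p['dh']}")
    return findings


# Constructed sample: the page's own two use cases next to a hardened pair.
SAMPLE_CONFIG = [
    "sonic(config-ipsec-test)# ike crypto_alg des-iv64 crypto_alg_size 128 integ_alg md5-128 dh modp-4096",
    "sonic(config-ipsec-test)# sa des-iv64 crypto_alg_size 128 integ_alg md5-128 dh modp-4096",
    "sonic(config-ipsec-test)# ike crypto_alg aes-gcm-16 crypto_alg_size 256 integ_alg none dh ecp-384",
    "sonic(config-ipsec-test)# sa aes-gcm-16 crypto_alg_size 256 integ_alg none",
]

if __name__ == "__main__":
    for sample in SAMPLE_CONFIG:
        print(PROMPT.sub("", sample), "->", "; ".join(lint_proposal(sample)) or "OK")
```

Run against the two use cases shown on this page, the linter reports the DES-family cipher and the MD5 MAC on both the IKE and the SA proposal; the two hardened lines in the sample pass clean. The parser deliberately refuses anything outside the documented option sets rather than guessing, so a typo in an algorithm name surfaces as an error instead of a silently accepted proposal.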
sa lifetime
[Command] sa lifetime value [jitter value] [handover value] [max_bytes value]
[Purpose] Configure the SA lifetime and renegotiation parameters
[View] IPSec configuration view
[Parameter]
| Parameter | Description |
|---|---|
| lifetime | lifetime of sa |
| jitter | Random jitter time (seconds), to avoid simultaneous renegotiation at both ends |
| handover | Smooth transition time (seconds), old SA retention time to ensure that traffic is not interrupted before the new SA is established. |
| max_bytes | SA data transfer limit; renegotiation triggered when limit is exceeded |
[Use Cases]
sonic(config-ipsec-test)# sa lifetime 600 jitter 300 handover 120 max_bytes 10000
sa natt {enable|disable}
[Command] sa natt {enable|disable}
[Purpose] NAT traversal detection switch
[View] IPSec configuration view
[Use Cases]
sonic(config-ipsec-test)# sa natt enable
sa tunnel {ip4|ip6} src_ip
[Command] sa tunnel {ip4|ip6} src_ip A.B.C.D dst_ip A.B.C.D next_hop A.B.C.D remote_ip A.B.C.D/M shared_interface name
[Purpose] Configure ipsec tunnel
[View] IPSec configuration view
[Parameter]
| Parameter | Description |
|---|---|
| ip4\|ip6 | tunnel ip type |
| src_ip | ike local ip |
| dst_ip | ike remote ip |
| next_hop | next node |
| remote_ip | route to the destination network (prefix A.B.C.D/M) |
| shared_interface | IPsec tunnel port |
[Use Cases]
sonic(config-ipsec-test)# sa tunnel ip4 src_ip 10.1.1.101 dst_ip 20.1.1.2 next_hop 10.1.1.1 remote_ip 90.0.0.0/24 shared_interface Dialer1
shared_key_mic {string|hex}
[Command] shared_key_mic {string|hex} value
[Purpose] Configure shared keys
[View] IPSec configuration view
[Parameter]
| Parameter | Description |
|---|---|
| value | shared key |
[Use Cases]
sonic(config-ipsec-test)# shared_key_mic string 12345678
ipsec name peer {ip4|ip6} X
[Command] ipsec name peer {ip4|ip6} A.B.C.D|X:X::X:X
[Purpose] Bind an IPSec configuration group to the interface (port)
[View] Interface configuration view
[Parameter]
| Parameter | Description |
|---|---|
| name | IPsec configuration group name |
| A.B.C.D\|X:X::X:X | Peer IPv4/IPv6 address |
[Use Cases]
sonic(config-if-16)# ipsec test peer ip4 1.1.1.1