IPSec Configuration

[Command]

show ipsec

[Purpose]

Display ipsec information

[View]

System view

[Use Cases]

sonic# show ipsec

[Command]

ipsec name

[Purpose]

Create the IPsec configuration group name and enter its view, where the ike, sa and shared_key_mic commands below are entered.

[View]

System configuration view

[Use Cases]

sonic# ipsec test

[Command]

ike crypto_alg {des-iv64|des|3des|rc5|idea|cast|blowfish|3idea|des-iv32|null|aes-cbc|aes-ctr|aes-gcm-16} crypto_alg_size 0-65535 integ_alg {none|md5-96|sha1-96|des-mac|kpdk-md5|aes-xcbc-96|md5-128|sha1-160|cmac-96|aes-128-gmac|aes-192-gmac|aes-256-gmac|hmac-sha2-256-128|hmac-sha2-384-192|hmac-sha2-512-256} dh {none|modp-768|modp-1024|modp-1536|modp-2048|modp-3072|modp-4096|modp-6144|modp-8192|ecp-192|ecp-256|ecp-384|ecp-512|modp-1024-160|modp-2048-224|modp-2048-256}

[Purpose]

Configure the IKE proposal: encryption algorithm, key length, integrity (authentication) algorithm and Diffie-Hellman group used to protect the IKE negotiation itself.

[View]

IPSec configuration view

[Parameter]

crypto_alg encryption algorithm; null provides no confidentiality, and des, des-iv64, des-iv32 and 3des are obsolete

crypto_alg_size key length in bits; it must match the algorithm (128, 192 or 256 for aes-cbc, aes-ctr and aes-gcm-16)

integ_alg integrity (authentication) algorithm; md5-96, md5-128, sha1-96 and sha1-160 are deprecated, the hmac-sha2-* choices are current

dh Diffie-Hellman group for the IKE key exchange; modp-768 and modp-1024 are too small for current use, modp-2048 or ecp-256 and above are recommended

[Use Cases]

sonic(config-ipsec-test)# ike crypto_alg des-iv64 crypto_alg_size 128 integ_alg md5-128 dh modp-4096

The example above only illustrates the syntax: DES and MD5 should not be used for a production tunnel, and a 128-bit key length is not meaningful for des-iv64 (DES keys are 64 bits). A current choice is aes-cbc with crypto_alg_size 256, integ_alg hmac-sha2-256-128 and dh modp-2048 or stronger.

[Command]

ike local type {ip4|ip6|rfc822|fqdn} data value

[Purpose]

Configure the identity type and identity value that this device presents as the local IKE peer.

[View]

IPSec configuration view

[Parameter]

type ID type: ip4 or ip6 (an IP address), rfc822 (an e-mail style name) or fqdn (a host name)

data ID value, in the form matching the chosen type

[Use Cases]

sonic(config-ipsec-test)# ike local type ip4 data 1.1.1.1

[Command]

ike remote type {ip4|ip6|rfc822|fqdn} data value

[Purpose]

Configure the identity type and identity value expected from the remote IKE peer; the negotiation fails if the peer presents a different identity.

[View]

IPSec configuration view

[Parameter]

type ID type: ip4 or ip6 (an IP address), rfc822 (an e-mail style name) or fqdn (a host name)

data ID value the remote peer must present

[Use Cases]

sonic(config-ipsec-test)# ike remote type ip4 data 1.1.1.1

[Command]

ike traffic_selector {local|remote} {ip4|ip6} addr_start A.B.C.D addr_end A.B.C.D port_start 0-65535 port_end 0-65535 protocol 0-255

[Purpose]

Configure a traffic selector: the address range, port range and IP protocol of the traffic to be protected by the tunnel. A tunnel normally needs one local and one remote selector, and only traffic matching both is sent through it.

[View]

IPSec configuration view

[Parameter]

local|remote whether this selector describes the local side or the remote side of the protected traffic

ip4|ip6 address family

addr_start first address of the range

addr_end last address of the range (equal to addr_start for a single host)

port_start first port of the range

port_end last port of the range (0 to 65535 for any port)

protocol IP protocol number (6 is TCP, 17 is UDP); in IKEv2 traffic selectors a value of 0 means any protocol

[Use Cases]

sonic(config-ipsec-test)# ike traffic_selector local ip4 addr_start 1.1.1.1 addr_end 2.2.2.2 port_start 0 port_end 65535 protocol 6

[Command]

sa {des-iv64|des|3des|rc5|idea|cast|blowfish|3idea|des-iv32|null|aes-cbc|aes-ctr|aes-gcm-16} crypto_alg_size 0-65535 integ_alg {none|md5-96|sha1-96|des-mac|kpdk-md5|aes-xcbc-96|md5-128|sha1-160|cmac-96|aes-128-gmac|aes-192-gmac|aes-256-gmac|hmac-sha2-256-128|hmac-sha2-384-192|hmac-sha2-512-256}

[Purpose]

Configure the IPsec SA (ESP) proposal: encryption algorithm, key length and integrity algorithm for the data traffic.

[View]

IPSec configuration view

[Parameter]

sa encryption algorithm, given directly after the sa keyword; null provides no confidentiality, and the DES variants are obsolete

crypto_alg_size key length in bits, which must match the algorithm (128, 192 or 256 for the AES variants)

integ_alg integrity algorithm; aes-gcm-16 is an AEAD cipher that authenticates its own output, so ESP with GCM is specified with integrity none, while aes-cbc and aes-ctr need an HMAC such as hmac-sha2-256-128

[Use Cases]

sonic(config-ipsec-test)# sa des-iv64 crypto_alg_size 128 integ_alg md5-128

The example above only illustrates the syntax (the command has no dh parameter; the DH group is set with ike crypto_alg). For a production tunnel use an AES variant with a matching key length, for example aes-gcm-16 with crypto_alg_size 256.

[Command]

sa lifetime value [jitter value] [handover value] [max_bytes value]

[Purpose]

Configure the SA lifetime and the rekeying behaviour (jitter, handover overlap and byte limit).

[View]

IPSec configuration view

[Parameter]

lifetime SA lifetime in seconds; a new SA is negotiated when it expires

jitter Random jitter time (seconds), to avoid simultaneous renegotiation at both ends

handover Smooth transition time (seconds), old SA retention time to ensure that traffic is not interrupted before the new SA is established.

max_bytes SA data transfer limit; renegotiation triggered when limit is exceeded

[Use Cases]

sonic(config-ipsec-test)# sa lifetime 600 jitter 300 handover 120 max_bytes 10000

[Command]

sa natt {enable|disable}

[Purpose]

Enable or disable NAT traversal (NAT-T) detection. Enable it when either peer may sit behind a NAT, so that ESP can be encapsulated in UDP instead of being dropped by the NAT device.

[View]

IPSec configuration view

[Use Cases]

sonic(config-ipsec-test)# sa natt enable

[Command]

sa tunnel {ip4|ip6} src_ip A.B.C.D dst_ip A.B.C.D next_hop A.B.C.D remote_ip A.B.C.D/M shared_interface name

[Purpose]

Configure the IPsec tunnel: its endpoints, the next hop toward the peer, the remote network routed into the tunnel and the interface it is bound to.

[View]

IPSec configuration view

[Parameter]

ip4|ip6 address family of the tunnel endpoints

src_ip local tunnel endpoint (the IKE local address)

dst_ip remote tunnel endpoint (the IKE peer address)

next_hop next-hop gateway used to reach dst_ip

remote_ip destination network behind the peer (A.B.C.D/M) whose traffic is routed into the tunnel

shared_interface interface the IPsec tunnel is bound to

[Use Cases]

sonic(config-ipsec-test)# sa tunnel ip4 src_ip 10.1.1.101 dst_ip 20.1.1.2 next_hop 10.1.1.1 remote_ip 90.0.0.0/24 shared_interface Dialer1

[Command]

shared_key_mic {string|hex} value

[Purpose]

Configure the pre-shared key used to authenticate the IKE peer, given as a printable string or as hex. The same key must be configured on both peers.

[View]

IPSec configuration view

[Parameter]

string|hex encoding of the key value

value shared key; use a long random value, since a short or guessable pre-shared key (such as the one in the example below) can be recovered by offline guessing

[Use Cases]

sonic(config-ipsec-test)# shared_key_mic string 12345678

[Command]

ipsec name peer {ip4|ip6} A.B.C.D|X:X::X:X

[Purpose]

Apply an IPsec configuration group to an interface and set the peer address the tunnel is established with.

[View]

Interface configuration view

[Parameter]

name IPsec configuration group name

A.B.C.D|X:X::X:X Peer IPv4/IPv6 address

[Use Cases]

sonic(config-if-16)# ipsec test peer ip4 1.1.1.1
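The commands on this page together, in the order a site-to-site tunnel is normally built. This is an added walkthrough, not an example from the vendor documentation: the group name test, the endpoint addresses and next hop from the sa tunnel example above, the local network 192.168.10.0/24, the interface, the pre-shared key and the algorithm choices are all assumptions, and lines beginning with ! are annotations rather than CLI input. How the configuration and interface views are entered is not covered on this page and is left as an annotation.

```console
! Step 1: create the IPsec group and enter its view (system view).
sonic# ipsec test
! Step 2: IKE proposal. AES-256-CBC, HMAC-SHA2-256-128 and the 2048-bit MODP group;
! key length matches the cipher, and no DES/MD5/modp-1024 choices.
sonic(config-ipsec-test)# ike crypto_alg aes-cbc crypto_alg_size 256 integ_alg hmac-sha2-256-128 dh modp-2048
! Step 3: IKE identities. With ip4 IDs each side identifies itself by its tunnel endpoint address.
sonic(config-ipsec-test)# ike local type ip4 data 10.1.1.101
sonic(config-ipsec-test)# ike remote type ip4 data 20.1.1.2
! Step 4: traffic selectors, one per side: everything between 192.168.10.0/24 (assumed local
! network) and 90.0.0.0/24 (network behind the peer). Full port range plus protocol 0
! means any port and, per IKEv2 selector semantics, any protocol (assumed to hold for this CLI).
sonic(config-ipsec-test)# ike traffic_selector local ip4 addr_start 192.168.10.0 addr_end 192.168.10.255 port_start 0 port_end 65535 protocol 0
sonic(config-ipsec-test)# ike traffic_selector remote ip4 addr_start 90.0.0.0 addr_end 90.0.0.255 port_start 0 port_end 65535 protocol 0
! Step 5: ESP proposal. AES-256-GCM is an AEAD cipher, so integrity is none
! (the ESP GCM pairing; assumed to be accepted by this CLI).
sonic(config-ipsec-test)# sa aes-gcm-16 crypto_alg_size 256 integ_alg none
! Step 6: rekey hourly, spread by up to 300 s of jitter so both ends do not rekey at once,
! and keep the old SA 60 s after the new one is up so traffic is not interrupted.
sonic(config-ipsec-test)# sa lifetime 3600 jitter 300 handover 60
! Step 7: NAT-T detection on, so the tunnel still comes up if a NAT sits between the peers.
sonic(config-ipsec-test)# sa natt enable
! Step 8: tunnel endpoints, next hop toward the peer, the network behind the peer, bound interface.
sonic(config-ipsec-test)# sa tunnel ip4 src_ip 10.1.1.101 dst_ip 20.1.1.2 next_hop 10.1.1.1 remote_ip 90.0.0.0/24 shared_interface Dialer1
! Step 9: pre-shared key. Placeholder shown; generate a long random value and set the same
! key on the peer. Never use a short numeric key in production.
sonic(config-ipsec-test)# shared_key_mic string q8Vt3nLp0xZr6WkY2sHd9cFa1bMe4uJg
! Step 10: in the view of the interface that carries the tunnel, bind the group and name the peer.
sonic(config-if-16)# ipsec test peer ip4 20.1.1.2
! Step 11: verify from system view that the group and tunnel are present.
sonic# show ipsec
```

The peer must be configured as the mirror image: its ike local ID is 20.1.1.2 and its ike remote ID is 10.1.1.101, its local selector is 90.0.0.0/24 and its remote selector 192.168.10.0/24, its sa tunnel swaps src_ip and dst_ip and names 192.168.10.0/24 as remote_ip, and the IKE proposal, ESP proposal and pre-shared key must match exactly.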