.. _vpn_ipsec:

vpn ipsec
=========

IPsec settings

ipsec Specification
-------------------

===================================== =========================================================
**Type**                              *Collection*
**Object Key(s)**                     *name*
**Collection Name**                   :ref:`1798_ipsec_list`
**Collection URI**                    /axapi/v3/vpn/ipsec
**Element Name**                      ipsec
**Element URI**                       /axapi/v3/vpn/ipsec/{name}
**Element Attributes**                ipsec_attributes
**Statistics Data URI**               /axapi/v3/vpn/ipsec/{name}/stats
**Operational Data URI**              /axapi/v3/vpn/ipsec/{name}/oper
**Schema**                            :download:`ipsec schema `
===================================== =========================================================

**Operations Allowed:**

.. list-table::
   :widths: 20 10 40 40
   :header-rows: 1

   * - Operation
     - Method
     - URI
     - Payload
   * - Create Object
     - POST
     - /axapi/v3/vpn/ipsec
     - :ref:`1798_ipsec_attributes`
   * - Create List
     - POST
     - /axapi/v3/vpn/ipsec
     - :ref:`1798_ipsec_attributes`
   * - Get Object
     - GET
     - /axapi/v3/vpn/ipsec/{name}
     - :ref:`1798_ipsec_attributes`
   * - Get List
     - GET
     - /axapi/v3/vpn/ipsec
     - :ref:`1798_ipsec_list`
   * - Modify Object
     - POST
     - /axapi/v3/vpn/ipsec/{name}
     - :ref:`1798_ipsec_attributes`
   * - Replace Object
     - PUT
     - /axapi/v3/vpn/ipsec/{name}
     - :ref:`1798_ipsec_attributes`
   * - Replace List
     - PUT
     - /axapi/v3/vpn/ipsec
     - :ref:`1798_ipsec_list`
   * - Delete Object
     - DELETE
     - /axapi/v3/vpn/ipsec/{name}
     - :ref:`1798_ipsec_attributes`
.. _1798_ipsec_list:

ipsec-list
----------

ipsec-list is a **JSON List** of :ref:`1798_ipsec_attributes`

ipsec-list : [ { :ref:`1798_ipsec_attributes` }, { :ref:`1798_ipsec_attributes` }, ... ]

.. _1798_ipsec_attributes:

ipsec attributes
----------------

**anti-replay-window**

   **Description:** '0': Disable Anti-Replay Window Check; '32': Window size of 32; '64': Window size of 64; '128': Window size of 128; '256': Window size of 256; '512': Window size of 512; '1024': Window size of 1024;

   **Type:** string

   **Supported Values:** 0, 32, 64, 128, 256, 512, 1024

   **Default:** 0

**bind-tunnel**

   **Description:** bind-tunnel is a **JSON Block**. Please see below for :ref:`1798_bind-tunnel`

   **Type:** Object

   **Reference Object:** :doc:`/axapi/v3/vpn/ipsec/{name}/bind-tunnel `

**dh-group**

   **Description:** '0': Diffie-Hellman group 0 (Default); '1': Diffie-Hellman group 1 - 768-bits; '2': Diffie-Hellman group 2 - 1024-bits; '5': Diffie-Hellman group 5 - 1536-bits; '14': Diffie-Hellman group 14 - 2048-bits; '15': Diffie-Hellman group 15 - 3072-bits; '16': Diffie-Hellman group 16 - 4096-bits; '18': Diffie-Hellman group 18 - 8192-bits;

   **Type:** string

   **Supported Values:** 0, 1, 2, 5, 14, 15, 16, 18, 19, 20

   **Default:** 0

**enc-cfg**

   **Description:** enc-cfg is a **JSON List**. Please see below for :ref:`1798_enc-cfg`

   **Type:** List

**ike-gateway**

   **Description:** Gateway to use for IPsec SA

   **Type:** string

   **Maximum Length:** 31 characters

   **Maximum Length:** 1 characters

   **Reference Object:** :doc:`/axapi/v3/vpn/ike-gateway `

**lifebytes**

   **Description:** IPsec SA age in megabytes (0 indicates unlimited bytes)

   **Type:** number

   **Range:** 0-8000000

   **Default:** 0

**lifetime**

   **Description:** IPsec SA age in seconds

   **Type:** number

   **Range:** 300-28800

   **Default:** 28800

**mode**

   **Description:** 'tunnel': Encapsulating the packet in IPsec tunnel mode (Default);

   **Type:** string

   **Supported Values:** tunnel

   **Default:** tunnel

**name**

   **Description:** IPsec name

   **Type:** string

   **Maximum Length:** 31 characters

   **Maximum Length:** 1 characters

**proto**

   **Description:** 'esp': Encapsulating security protocol (Default);

   **Type:** string

   **Supported Values:** esp

   **Default:** esp

**sampling-enable**

   **Description:** sampling-enable is a **JSON List**. Please see below for :ref:`1798_sampling-enable`

   **Type:** List

**sequence-number-disable**

   **Description:** Do not use incremental sequence number in the ESP header

   **Type:** boolean

   **Supported Values:** true, false, 1, 0

   **Default:** 0

**traffic-selector**

   **Description:** traffic-selector is a **JSON Block**. Please see below for :ref:`1798_traffic-selector`

   **Type:** Object

**up**

   **Description:** Initiates SA negotiation to bring the IPsec connection up

   **Type:** boolean

   **Supported Values:** true, false, 1, 0

   **Default:** 0

**user-tag**

   **Description:** Customized tag

   **Type:** string

   **Format:** string-rlx

   **Maximum Length:** 127 characters

   **Maximum Length:** 1 characters

**uuid**

   **Description:** uuid of the object

   **Type:** string

   **Maximum Length:** 64 characters

   **Maximum Length:** 1 characters

.. _1798_bind-tunnel:

bind-tunnel
^^^^^^^^^^^

=============================== ===================================================
**Specification**
=============================== ===================================================
**Type**                        *object*
=============================== ===================================================

**next-hop**

   **Description:** IPsec Next Hop IP Address

   **Type:** string

   **Format:** ipv4-address

   **Mutual Exclusion:** next-hop and next-hop-v6 are mutually exclusive

**next-hop-v6**

   **Description:** IPsec Next Hop IPv6 Address

   **Type:** string

   **Format:** ipv6-address

   **Mutual Exclusion:** next-hop-v6 and next-hop are mutually exclusive

**tunnel**

   **Description:** Tunnel interface index

   **Type:** number

   **Range:** 1-128

   **Reference Object:** :doc:`/axapi/v3/interface/tunnel `

**uuid**

   **Description:** uuid of the object

   **Type:** string

   **Maximum Length:** 64 characters

   **Maximum Length:** 1 characters

.. _1798_sampling-enable:

sampling-enable
^^^^^^^^^^^^^^^

=============================== ===================================================
**Specification**
=============================== ===================================================
**Type**                        *list*
**Block object keys**
=============================== ===================================================

**counters1**

   **Description:** 'all': all; 'packets-encrypted': Encrypted Packets; 'packets-decrypted': Decrypted Packets; 'anti-replay-num': Anti-Replay Failure; 'rekey-num': Rekey Times; 'packets-err-inactive': Inactive Error; 'packets-err-encryption': Encryption Error; 'packets-err-pad-check': Pad Check Error; 'packets-err-pkt-sanity': Packets Sanity Error; 'packets-err-icv-check': ICV Check Error; 'packets-err-lifetime-lifebytes': Lifetime Lifebytes Error; 'bytes-encrypted': Encrypted Bytes; 'bytes-decrypted': Decrypted Bytes; 'prefrag-success': Pre-frag Success; 'prefrag-error': Pre-frag Error; 'cavium-bytes-encrypted': CAVIUM Encrypted Bytes; 'cavium-bytes-decrypted': CAVIUM Decrypted Bytes; 'cavium-packets-encrypted': CAVIUM Encrypted Packets; 'cavium-packets-decrypted': CAVIUM Decrypted Packets; 'tunnel-intf-down': Packet dropped: Tunnel Interface Down; 'pkt-fail-prep-to-send': Packet dropped: Failed in prepare to send; 'no-next-hop': Packet dropped: No next hop; 'invalid-tunnel-id': Packet dropped: Invalid tunnel ID; 'no-tunnel-found': Packet dropped: No tunnel found; 'pkt-fail-to-send': Packet dropped: Failed to send;

   **Type:** string

   **Supported Values:** all, packets-encrypted, packets-decrypted, anti-replay-num, rekey-num, packets-err-inactive, packets-err-encryption, packets-err-pad-check, packets-err-pkt-sanity, packets-err-icv-check, packets-err-lifetime-lifebytes, bytes-encrypted, bytes-decrypted, prefrag-success, prefrag-error, cavium-bytes-encrypted, cavium-bytes-decrypted, cavium-packets-encrypted, cavium-packets-decrypted, tunnel-intf-down, pkt-fail-prep-to-send, no-next-hop, invalid-tunnel-id, no-tunnel-found, pkt-fail-to-send, frag-after-encap-frag-packets, frag-received, sequence-num, sequence-num-rollover, packets-err-nh-check

.. _1798_traffic-selector:

traffic-selector
^^^^^^^^^^^^^^^^

=============================== ===================================================
**Specification**
=============================== ===================================================
**Type**                        *object*
=============================== ===================================================

**ipv4**

   **Description:** ipv4 is a **JSON Block**. Please see below for :ref:`1798_traffic-selector_ipv4`

   **Type:** Object

**ipv6**

   **Description:** ipv6 is a **JSON Block**. Please see below for :ref:`1798_traffic-selector_ipv6`

   **Type:** Object

.. _1798_traffic-selector_ipv4:

traffic-selector_ipv4
^^^^^^^^^^^^^^^^^^^^^

=============================== ===================================================
**Specification**
=============================== ===================================================
**Type**                        *object*
=============================== ===================================================

**local**

   **Description:** Local Traffic Selector

   **Type:** string

   **Format:** ipv4-address

   **Mutual Exclusion:** local and localv6 are mutually exclusive

**local_netmask**

   **Description:** IPv4 Address Network Mask

   **Type:** string

   **Format:** ipv4-netmask

**local_port**

   **Description:** Port Number

   **Type:** number

   **Range:** 0-65535

**protocol**

   **Description:** IP Protocol Number (0-255)

   **Type:** number

   **Range:** 0-255

**remote**

   **Description:** IPv4 Address

   **Type:** string

   **Format:** ipv4-address

**remote_netmask**

   **Description:** IPv4 Address Network Mask

   **Type:** string

   **Format:** ipv4-netmask

**remote_port**

   **Description:** Port Number

   **Type:** number

   **Range:** 0-65535

.. _1798_traffic-selector_ipv6:

traffic-selector_ipv6
^^^^^^^^^^^^^^^^^^^^^

=============================== ===================================================
**Specification**
=============================== ===================================================
**Type**                        *object*
=============================== ===================================================

**local_portv6**

   **Description:** Port Number

   **Type:** number

   **Range:** 0-65535

**localv6**

   **Description:** Local Traffic Selector

   **Type:** string

   **Format:** ipv6-address-plen

   **Mutual Exclusion:** localv6 and local are mutually exclusive

**protocolv6**

   **Description:** IP Protocol Number (0-255)

   **Type:** number

   **Range:** 0-255

**remote_portv6**

   **Description:** Port Number

   **Type:** number

   **Range:** 0-65535

**remotev6**

   **Description:** IPv6 Address

   **Type:** string

   **Format:** ipv6-address-plen

.. _1798_enc-cfg:

enc-cfg
^^^^^^^

=============================== ===================================================
**Specification**
=============================== ===================================================
**Type**                        *list*
**Block object keys**
=============================== ===================================================

**encryption**

   **Description:** 'des': Data Encryption Standard algorithm; '3des': Triple Data Encryption Standard algorithm; 'aes-128': Advanced Encryption Standard algorithm (key size: 128 bits); 'aes-192': Advanced Encryption Standard algorithm (key size: 192 bits); 'aes-256': Advanced Encryption Standard algorithm (key size: 256 bits); 'null': No encryption algorithm;

   **Type:** string

   **Supported Values:** des, 3des, aes-128, aes-192, aes-256, aes-gcm-128, aes-gcm-192, aes-gcm-256, null

**gcm_priority**

   **Description:** Prioritizes (1-10) security protocol, least value has highest priority

   **Type:** number

   **Range:** 1-10

   **Default:** 5

**hash**

   **Description:** 'md5': MD5 Message-Digest Algorithm; 'sha1': Secure Hash Algorithm 1; 'sha256': Secure Hash Algorithm 256; 'null': No hash algorithm;

   **Type:** string

   **Supported Values:** md5, sha1, sha256, sha384, sha512, null

**priority**

   **Description:** Prioritizes (1-10) security protocol, least value has highest priority

   **Type:** number

   **Range:** 1-10

   **Default:** 5

.. _1798_stats_data:

stats data
----------

.. list-table::
   :widths: 20 30 80
   :header-rows: 1
   :stub-columns: 1

   * - Counter
     - Size
     - Description
   * - sequence-num-rollover
     - 8
     - Sequence Number Rollover
   * - anti-replay-num
     - 8
     - Anti-Replay Failure
   * - packets-decrypted
     - 8
     - Decrypted Packets
   * - tunnel-intf-down
     - 8
     - Packet dropped: Tunnel Interface Down
   * - pkt-fail-to-send
     - 8
     - Packet dropped: Failed to send
   * - packets-encrypted
     - 8
     - Encrypted Packets
   * - bytes-encrypted
     - 4
     - Encrypted Bytes
   * - packets-err-nh-check
     - 4
     - Next Header Check Error
   * - no-tunnel-found
     - 8
     - Packet dropped: No tunnel found
   * - prefrag-success
     - 4
     - Pre-frag Success
   * - prefrag-error
     - 4
     - Pre-frag Error
   * - bytes-decrypted
     - 4
     - Decrypted Bytes
   * - invalid-tunnel-id
     - 8
     - Packet dropped: Invalid tunnel ID
   * - pkt-fail-prep-to-send
     - 8
     - Packet dropped: Failed in prepare to send
   * - cavium-packets-encrypted
     - 8
     - CAVIUM Encrypted Packets
   * - packets-err-icv-check
     - 4
     - ICV Check Error
   * - packets-err-inactive
     - 4
     - Inactive Error
   * - cavium-bytes-decrypted
     - 4
     - CAVIUM Decrypted Bytes
   * - packets-err-pad-check
     - 4
     - Pad Check Error
   * - packets-err-pkt-sanity
     - 4
     - Packets Sanity Error
   * - cavium-bytes-encrypted
     - 4
     - CAVIUM Encrypted Bytes
   * - sequence-num
     - 8
     - Sequence Number
   * - packets-err-lifetime-lifebytes
     - 8
     - Lifetime Lifebytes Error
   * - packets-err-encryption
     - 4
     - Encryption Error
   * - rekey-num
     - 8
     - Rekey Times
   * - cavium-packets-decrypted
     - 8
     - CAVIUM Decrypted Packets
   * - frag-after-encap-frag-packets
     - 8
     - Frag-after-encap Fragment Generated
   * - no-next-hop
     - 8
     - Packet dropped: No next hop
   * - frag-received
     - 8
     - Fragment Received

.. _1798_oper_data:

operational data
----------------

.. list-table::
   :widths: 20 30 80
   :header-rows: 1
   :stub-columns: 1

   * - Counter
     - Size
     - Description
   * - Status
     - string
     - Status
   * - Hash-Algorithm
     - string
     - Hash-Algorithm
   * - Protocol
     - string
     - Protocol
   * - DH-Group
     - number
     - DH-Group
   * - Peer-IP
     - string
     - Peer-IP
   * - Local-IP
     - string
     - Local-IP
   * - Anti-Replay
     - string
     - Anti-Replay
   * - Lifebytes
     - string
     - Lifebytes
   * - NAT-Traversal
     - number
     - NAT-Traversal
   * - SA-Index
     - number
     - SA-Index
   * - Remote-SPI
     - string
     - Remote-SPI
   * - Mode
     - string
     - Mode
   * - Encryption-Algorithm
     - string
     - Encryption-Algorithm
   * - Local-SPI
     - string
     - Local-SPI
   * - Lifetime
     - number
     - Lifetime
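As an added example (not A10 code and not part of this reference), the following Python check applies the ipsec attribute constraints documented above (supported values, ranges, the bind-tunnel mutual exclusion) to an attributes block before it is sent to the Create Object or Modify Object URI, and separately flags values the schema accepts but that are weak, such as DES/3DES, MD5/SHA-1, Diffie-Hellman groups below 2048 bits, and the default anti-replay-window of 0. The weak-value thresholds and the sample payload are this example's own assumptions.

```python
# Added example, not A10 code: check an ipsec attributes block against the
# constraints documented above and flag weak (but accepted) crypto choices.
ENC_OK = {"des", "3des", "aes-128", "aes-192", "aes-256",
          "aes-gcm-128", "aes-gcm-192", "aes-gcm-256", "null"}
HASH_OK = {"md5", "sha1", "sha256", "sha384", "sha512", "null"}
DH_OK = {"0", "1", "2", "5", "14", "15", "16", "18", "19", "20"}
ARW_OK = {"0", "32", "64", "128", "256", "512", "1024"}
# Policy thresholds below are this example's assumption, not something the API enforces.
WEAK_ENC, WEAK_HASH = {"des", "3des", "null"}, {"md5", "sha1", "null"}
WEAK_DH = {"0", "1", "2", "5"}  # MODP groups below 2048 bits


def check_ipsec(attrs):
    """Return (errors, warnings): errors are schema violations, warnings weak but accepted."""
    errors, warns = [], []
    if not 1 <= len(attrs.get("name", "")) <= 31:
        errors.append("name: must be 1-31 characters")
    dh = str(attrs.get("dh-group", "0"))  # documented default is group 0
    if dh not in DH_OK:
        errors.append("dh-group: unsupported value %s" % dh)
    elif dh in WEAK_DH:
        warns.append("dh-group %s is below 2048 bits; prefer 14 or higher" % dh)
    arw = str(attrs.get("anti-replay-window", "0"))  # default 0 = check disabled
    if arw not in ARW_OK:
        errors.append("anti-replay-window: unsupported value %s" % arw)
    elif arw == "0":
        warns.append("anti-replay-window 0 disables replay detection")
    if not 300 <= attrs.get("lifetime", 28800) <= 28800:
        errors.append("lifetime: outside 300-28800 seconds")
    for i, enc in enumerate(attrs.get("enc-cfg", [])):
        e, h = enc.get("encryption"), enc.get("hash")
        if e not in ENC_OK or h not in HASH_OK:
            errors.append("enc-cfg[%d]: unsupported encryption/hash" % i)
        elif e in WEAK_ENC or h in WEAK_HASH:
            warns.append("enc-cfg[%d]: weak proposal %s/%s" % (i, e, h))
        if not 1 <= enc.get("priority", 5) <= 10:
            errors.append("enc-cfg[%d]: priority outside 1-10" % i)
    bt = attrs.get("bind-tunnel", {})
    if "next-hop" in bt and "next-hop-v6" in bt:
        errors.append("bind-tunnel: next-hop and next-hop-v6 are mutually exclusive")
    if "tunnel" in bt and not 1 <= bt["tunnel"] <= 128:
        errors.append("bind-tunnel: tunnel index outside 1-128")
    return errors, warns


# Constructed sample: a legacy proposal the API accepts but a reviewer should not.
SAMPLE = {"name": "branch-a", "dh-group": "2", "lifetime": 28800,
          "enc-cfg": [{"encryption": "3des", "hash": "md5", "priority": 1},
                      {"encryption": "aes-gcm-256", "hash": "sha256", "priority": 2}],
          "bind-tunnel": {"tunnel": 1, "next-hop": "192.0.2.1"}}
```

Run `check_ipsec(SAMPLE)` to see that the sample produces no schema errors but three warnings; an empty warning list is the condition to require before the object is created.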