vpn
VPN Commands
vpn Specification
Type: Configuration Resource
Element Name: vpn
Element URI: /axapi/v3/vpn
Element Attributes: vpn_attributes
Statistics Data URI: /axapi/v3/vpn/stats
Operational Data URI: /axapi/v3/vpn/oper
Schema: vpn schema
Operations Allowed:
Operation | Method | URI | Payload
---|---|---|---
Create Object | POST | /axapi/v3/vpn |
Get Object | GET | /axapi/v3/vpn |
Modify Object | POST | /axapi/v3/vpn |
Replace Object | PUT | /axapi/v3/vpn |
Delete Object | DELETE | /axapi/v3/vpn |
vpn attributes
asymmetric-flow-support
Description Support asymmetric flows passing through the IPsec tunnel
Type: boolean
Supported Values: true, false, 1, 0
Default: 0
crl
Description: crl is a JSON Block. Please see below for crl
Type: Object
Reference Object: /axapi/v3/vpn/crl
default
Description: default is a JSON Block. Please see below for default
Type: Object
Reference Object: /axapi/v3/vpn/default
error
Description: error is a JSON Block. Please see below for error
Type: Object
Reference Object: /axapi/v3/vpn/error
errordump
Description: errordump is a JSON Block. Please see below for errordump
Type: Object
Reference Object: /axapi/v3/vpn/errordump
fragment-after-encap
Description Fragment after adding IPsec headers
Type: boolean
Supported Values: true, false, 1, 0
Default: 0
Mutual Exclusion: fragment-after-encap and jumbo-fragment are mutually exclusive
ike-gateway-list
Type: List
Reference Object: /axapi/v3/vpn/ike-gateway/{name}
ike-sa-timeout
Description Timeout IKE-SA in connecting state in seconds (default 600s)
Type: number
Range: 300-86400
Default: 600
ike-stats-global
Description: ike-stats-global is a JSON Block. Please see below for ike-stats-global
Type: Object
Reference Object: /axapi/v3/vpn/ike-stats-global
ipsec-error-dump
Description Support recording IPsec Cavium error information in a dump file
Type: boolean
Supported Values: true, false, 1, 0
Default: 0
ipsec-list
Type: List
Reference Object: /axapi/v3/vpn/ipsec/{name}
ipsec_sa_by_gw
Description: ipsec_sa_by_gw is a JSON Block. Please see below for ipsec_sa_by_gw
Type: Object
Reference Object: /axapi/v3/vpn/ipsec_sa_by_gw
jumbo-fragment
Description Support IKE jumbo fragment packet
Type: boolean
Supported Values: true, false, 1, 0
Default: 0
Mutual Exclusion: jumbo-fragment and fragment-after-encap are mutually exclusive
log
Description: log is a JSON Block. Please see below for log
Type: Object
Reference Object: /axapi/v3/vpn/log
nat-traversal-flow-affinity
Description Choose IPsec UDP source port based on port of inner flow (only for A10 to A10)
Type: boolean
Supported Values: true, false, 1, 0
Default: 0
ocsp
Description: ocsp is a JSON Block. Please see below for ocsp
Type: Object
Reference Object: /axapi/v3/vpn/ocsp
revocation-list
Type: List
Reference Object: /axapi/v3/vpn/revocation/{name}
sampling-enable
Type: List
stateful-mode
Description VPN module will work in stateful mode and create sessions
Type: boolean
Supported Values: true, false, 1, 0
Default: 0
tcp-mss-adjust-disable
Description Disable TCP MSS adjustment in SYN packet
Type: boolean
Supported Values: true, false, 1, 0
Default: 0
uuid
Description uuid of the object
Type: string
Maximum Length: 64 characters
Maximum Length: 1 characters
log
Specification
Type: object
uuid
Description uuid of the object
Type: string
Maximum Length: 64 characters
Maximum Length: 1 characters
ipsec_sa_by_gw
Specification
Type: object
uuid
Description uuid of the object
Type: string
Maximum Length: 64 characters
Maximum Length: 1 characters
crl
Specification
Type: object
uuid
Description uuid of the object
Type: string
Maximum Length: 64 characters
Maximum Length: 1 characters
default
Specification
Type: object
uuid
Description uuid of the object
Type: string
Maximum Length: 64 characters
Maximum Length: 1 characters
ocsp
Specification
Type: object
uuid
Description uuid of the object
Type: string
Maximum Length: 64 characters
Maximum Length: 1 characters
ike-stats-global
Specification
Type: object
sampling-enable
Type: List
uuid
Description uuid of the object
Type: string
Maximum Length: 64 characters
Maximum Length: 1 characters
ike-stats-global_sampling-enable
Specification
Type: list
Block object keys:
counters1
Description ‘all’: all; ‘v2-init-rekey’: Initiate Rekey; ‘v2-rsp-rekey’: Respond Rekey; ‘v2-child-sa-rekey’: Child SA Rekey; ‘v2-in-invalid’: Incoming Invalid; ‘v2-in-invalid-spi’: Incoming Invalid SPI; ‘v2-in-init-req’: Incoming Init Request; ‘v2-in-init-rsp’: Incoming Init Response; ‘v2-out-init-req’: Outgoing Init Request; ‘v2-out-init-rsp’: Outgoing Init Response; ‘v2-in-auth-req’: Incoming Auth Request; ‘v2-in-auth-rsp’: Incoming Auth Response; ‘v2-out-auth-req’: Outgoing Auth Request; ‘v2-out-auth-rsp’: Outgoing Auth Response; ‘v2-in-create-child-req’: Incoming Create Child Request; ‘v2-in-create-child-rsp’: Incoming Create Child Response; ‘v2-out-create-child-req’: Outgoing Create Child Request; ‘v2-out-create-child-rsp’: Outgoing Create Child Response; ‘v2-in-info-req’: Incoming Info Request; ‘v2-in-info-rsp’: Incoming Info Response; ‘v2-out-info-req’: Outgoing Info Request; ‘v2-out-info-rsp’: Outgoing Info Response; ‘v1-in-id-prot-req’: Incoming ID Protection Request; ‘v1-in-id-prot-rsp’: Incoming ID Protection Response; ‘v1-out-id-prot-req’: Outgoing ID Protection Request; ‘v1-out-id-prot-rsp’: Outgoing ID Protection Response; ‘v1-in-auth-only-req’: Incoming Auth Only Request; ‘v1-in-auth-only-rsp’: Incoming Auth Only Response; ‘v1-out-auth-only-req’: Outgoing Auth Only Request; ‘v1-out-auth-only-rsp’: Outgoing Auth Only Response; ‘v1-in-aggressive-req’: Incoming Aggressive Request; ‘v1-in-aggressive-rsp’: Incoming Aggressive Response; ‘v1-out-aggressive-req’: Outgoing Aggressive Request; ‘v1-out-aggressive-rsp’: Outgoing Aggressive Response; ‘v1-in-info-v1-req’: Incoming Info Request; ‘v1-in-info-v1-rsp’: Incoming Info Response; ‘v1-out-info-v1-req’: Outgoing Info Request; ‘v1-out-info-v1-rsp’: Outgoing Info Response; ‘v1-in-transaction-req’: Incoming Transaction Request; ‘v1-in-transaction-rsp’: Incoming Transaction Response; ‘v1-out-transaction-req’: Outgoing Transaction Request; ‘v1-out-transaction-rsp’: Outgoing Transaction Response; 
‘v1-in-quick-mode-req’: Incoming Quick Mode Request; ‘v1-in-quick-mode-rsp’: Incoming Quick Mode Response; ‘v1-out-quick-mode-req’: Outgoing Quick Mode Request; ‘v1-out-quick-mode-rsp’: Outgoing Quick Mode Response; ‘v1-in-new-group-mode-req’: Incoming New Group Mode Request; ‘v1-in-new-group-mode-rsp’: Incoming New Group Mode Response; ‘v1-out-new-group-mode-req’: Outgoing New Group Mode Request; ‘v1-out-new-group-mode-rsp’: Outgoing New Group Mode Response;
Type: string
Supported Values: all, v2-init-rekey, v2-rsp-rekey, v2-child-sa-rekey, v2-in-invalid, v2-in-invalid-spi, v2-in-init-req, v2-in-init-rsp, v2-out-init-req, v2-out-init-rsp, v2-in-auth-req, v2-in-auth-rsp, v2-out-auth-req, v2-out-auth-rsp, v2-in-create-child-req, v2-in-create-child-rsp, v2-out-create-child-req, v2-out-create-child-rsp, v2-in-info-req, v2-in-info-rsp, v2-out-info-req, v2-out-info-rsp, v1-in-id-prot-req, v1-in-id-prot-rsp, v1-out-id-prot-req, v1-out-id-prot-rsp, v1-in-auth-only-req, v1-in-auth-only-rsp, v1-out-auth-only-req, v1-out-auth-only-rsp, v1-in-aggressive-req, v1-in-aggressive-rsp, v1-out-aggressive-req, v1-out-aggressive-rsp, v1-in-info-v1-req, v1-in-info-v1-rsp, v1-out-info-v1-req, v1-out-info-v1-rsp, v1-in-transaction-req, v1-in-transaction-rsp, v1-out-transaction-req, v1-out-transaction-rsp, v1-in-quick-mode-req, v1-in-quick-mode-rsp, v1-out-quick-mode-req, v1-out-quick-mode-rsp, v1-in-new-group-mode-req, v1-in-new-group-mode-rsp, v1-out-new-group-mode-req, v1-out-new-group-mode-rsp
revocation-list
Specification
Type: list
Block object keys:
ca
Description Certificate Authority file name
Type: string
Maximum Length: 255 characters
Maximum Length: 1 characters
crl
Description: crl is a JSON Block. Please see below for revocation-list_crl
Type: Object
name
Description Revocation name
Type: string
Maximum Length: 31 characters
Maximum Length: 1 characters
ocsp
Description: ocsp is a JSON Block. Please see below for revocation-list_ocsp
Type: Object
user-tag
Description Customized tag
Type: string
Format: string-rlx
Maximum Length: 127 characters
Maximum Length: 1 characters
uuid
Description uuid of the object
Type: string
Maximum Length: 64 characters
Maximum Length: 1 characters
revocation-list_ocsp
Specification
Type: object
ocsp-pri
Description Primary OCSP Authentication Server
Type: string
Maximum Length: 63 characters
Maximum Length: 1 characters
Reference Object: /axapi/v3/aam/authentication/server/ocsp/instance
ocsp-sec
Description Secondary OCSP Authentication Server
Type: string
Maximum Length: 63 characters
Maximum Length: 1 characters
Reference Object: /axapi/v3/aam/authentication/server/ocsp/instance
revocation-list_crl
Specification
Type: object
crl-pri
Description Primary CRL URL (http://www.example.com/ocsp) (only .der filetypes)
Type: string
Format: string-rlx
Maximum Length: 255 characters
Maximum Length: 1 characters
crl-sec
Description Secondary CRL URL (http://www.example.com/ocsp) (only .der filetypes)
Type: string
Format: string-rlx
Maximum Length: 255 characters
Maximum Length: 1 characters
sampling-enable
Specification
Type: list
Block object keys:
counters1
Description ‘all’: all; ‘passthrough’: passthrough;
Type: string
Supported Values: all, passthrough, ha-standby-drop
error
Specification
Type: object
uuid
Description uuid of the object
Type: string
Maximum Length: 64 characters
Maximum Length: 1 characters
ike-gateway-list
Specification
Type: list
Block object keys:
auth-method
Description ‘preshare-key’: Authenticate the remote gateway using a pre-shared key (Default); ‘rsa-signature’: Authenticate the remote gateway using an RSA certificate;
Type: string
Supported Values: preshare-key, rsa-signature, ecdsa-signature
Default: preshare-key
dh-group
Description ‘1’: Diffie-Hellman group 1 (Default); ‘2’: Diffie-Hellman group 2; ‘5’: Diffie-Hellman group 5; ‘14’: Diffie-Hellman group 14; ‘15’: Diffie-Hellman group 15; ‘16’: Diffie-Hellman group 16; ‘18’: Diffie-Hellman group 18;
Type: string
Supported Values: 1, 2, 5, 14, 15, 16, 18, 19, 20
Default: 1
dpd
Description: dpd is a JSON Block. Please see below for ike-gateway-list_dpd
Type: Object
enc-cfg
Type: List
ike-version
Description ‘v1’: IKEv1 key exchange; ‘v2’: IKEv2 key exchange;
Type: string
Supported Values: v1, v2
Default: v2
key
Description Private Key
Type: string
Maximum Length: 255 characters
Maximum Length: 1 characters
key-passphrase
Description Private Key Pass Phrase
Type: string
Format: password
Maximum Length: 127 characters
Maximum Length: 1 characters
key-passphrase-encrypted
Description Do NOT use this option manually. (This is an A10 reserved keyword.) (The ENCRYPTED key string)
lifetime
Description IKE SA age in seconds
Type: number
Range: 300-86400
Default: 86400
local-address
Description: local-address is a JSON Block. Please see below for ike-gateway-list_local-address
Type: Object
local-cert
Description: local-cert is a JSON Block. Please see below for ike-gateway-list_local-cert
Type: Object
local-id
Description Local Gateway Identity
Type: string
Format: string-rlx
Maximum Length: 256 characters
Maximum Length: 1 characters
mode
Description ‘main’: Negotiate Main mode (Default); ‘aggressive’: Negotiate Aggressive mode;
Type: string
Supported Values: main, aggressive
Default: main
name
Description IKE-gateway name
Type: string
Maximum Length: 31 characters
Maximum Length: 1 characters
nat-traversal
Description
Type: boolean
Supported Values: true, false, 1, 0
Default: 0
preshare-key-encrypted
Description Do NOT use this option manually. (This is an A10 reserved keyword.) (The ENCRYPTED pre-shared key string)
preshare-key-value
Description pre-shared key
Type: string
Format: password
Maximum Length: 127 characters
Maximum Length: 1 characters
remote-address
Description: remote-address is a JSON Block. Please see below for ike-gateway-list_remote-address
Type: Object
remote-ca-cert
Description: remote-ca-cert is a JSON Block. Please see below for ike-gateway-list_remote-ca-cert
Type: Object
remote-id
Description Remote Gateway Identity
Type: string
Format: string-rlx
Maximum Length: 256 characters
Maximum Length: 1 characters
sampling-enable
Type: List
user-tag
Description Customized tag
Type: string
Format: string-rlx
Maximum Length: 127 characters
Maximum Length: 1 characters
uuid
Description uuid of the object
Type: string
Maximum Length: 64 characters
Maximum Length: 1 characters
vrid
Description: vrid is a JSON Block. Please see below for ike-gateway-list_vrid
Type: Object
ike-gateway-list_local-cert
Specification
Type: object
local-cert-name
Description Certificate File Name
Type: string
Maximum Length: 255 characters
Maximum Length: 1 characters
ike-gateway-list_enc-cfg
Specification
Type: list
Block object keys:
encryption
Description ‘des’: Data Encryption Standard algorithm; ‘3des’: Triple Data Encryption Standard algorithm; ‘aes-128’: Advanced Encryption Standard algorithm (key size: 128 bits); ‘aes-192’: Advanced Encryption Standard algorithm (key size: 192 bits); ‘aes-256’: Advanced Encryption Standard algorithm (key size: 256 bits); ‘null’: No encryption algorithm, only for IKEv2;
Type: string
Supported Values: des, 3des, aes-128, aes-192, aes-256, aes-gcm-128, aes-gcm-192, aes-gcm-256, null
gcm_priority
Description Prioritizes (1-10) security protocol, least value has highest priority
Type: number
Range: 1-10
Default: 5
hash
Description ‘md5’: MD5 Message-Digest Algorithm; ‘sha1’: Secure Hash Algorithm 1; ‘sha256’: Secure Hash Algorithm 256;
Type: string
Supported Values: md5, sha1, sha256, sha384, sha512
prf
Description ‘md5’: MD5 Message-Digest Algorithm; ‘sha1’: Secure Hash Algorithm 1; ‘sha256’: Secure Hash Algorithm 256; ‘sha384’: Secure Hash Algorithm 384; ‘sha512’: Secure Hash Algorithm 512;
Type: string
Supported Values: md5, sha1, sha256, sha384, sha512
priority
Description Prioritizes (1-10) security protocol, least value has highest priority
Type: number
Range: 1-10
Default: 5
ike-gateway-list_vrid
Specification
Type: object
default
Description Default VRRP-A vrid
Type: boolean
Supported Values: true, false, 1, 0
Default: 0
Mutual Exclusion: default and vrid-num are mutually exclusive
vrid-num
Description Specify ha VRRP-A vrid
Type: number
Range: 0-31
Mutual Exclusion: vrid-num and default are mutually exclusive
ike-gateway-list_local-address
Specification
Type: object
local-ip
Description IPv4 address
Type: string
Format: ipv4-address
Mutual Exclusion: local-ip and local-ipv6 are mutually exclusive
local-ipv6
Description IPv6 address
Type: string
Format: ipv6-address
Mutual Exclusion: local-ipv6 and local-ip are mutually exclusive
ike-gateway-list_remote-address
Specification
Type: object
dns
Description Remote IP based on Domain name
Type: string
Maximum Length: 128 characters
Maximum Length: 1 characters
Mutual Exclusion: dns, remote-ip and remote-ipv6 are mutually exclusive
remote-ip
Description IPv4 address
Type: string
Format: ipv4-address
Mutual Exclusion: remote-ip, dns and remote-ipv6 are mutually exclusive
remote-ipv6
Description IPv6 address
Type: string
Format: ipv6-address
Mutual Exclusion: remote-ipv6, remote-ip and dns are mutually exclusive
ike-gateway-list_remote-ca-cert
Specification
Type: object
remote-cert-name
Description Remote CA certificate DN (C=, ST=, L=, O=, CN=) without emailAddress
Type: string
Format: string-rlx
Maximum Length: 127 characters
Maximum Length: 1 characters
ike-gateway-list_sampling-enable
Specification
Type: list
Block object keys:
counters1
Description ‘all’: all; ‘v2-init-rekey’: Initiate Rekey; ‘v2-rsp-rekey’: Respond Rekey; ‘v2-child-sa-rekey’: Child SA Rekey; ‘v2-in-invalid’: Incoming Invalid; ‘v2-in-invalid-spi’: Incoming Invalid SPI; ‘v2-in-init-req’: Incoming Init Request; ‘v2-in-init-rsp’: Incoming Init Response; ‘v2-out-init-req’: Outgoing Init Request; ‘v2-out-init-rsp’: Outgoing Init Response; ‘v2-in-auth-req’: Incoming Auth Request; ‘v2-in-auth-rsp’: Incoming Auth Response; ‘v2-out-auth-req’: Outgoing Auth Request; ‘v2-out-auth-rsp’: Outgoing Auth Response; ‘v2-in-create-child-req’: Incoming Create Child Request; ‘v2-in-create-child-rsp’: Incoming Create Child Response; ‘v2-out-create-child-req’: Outgoing Create Child Request; ‘v2-out-create-child-rsp’: Outgoing Create Child Response; ‘v2-in-info-req’: Incoming Info Request; ‘v2-in-info-rsp’: Incoming Info Response; ‘v2-out-info-req’: Outgoing Info Request; ‘v2-out-info-rsp’: Outgoing Info Response; ‘v1-in-id-prot-req’: Incoming ID Protection Request; ‘v1-in-id-prot-rsp’: Incoming ID Protection Response; ‘v1-out-id-prot-req’: Outgoing ID Protection Request; ‘v1-out-id-prot-rsp’: Outgoing ID Protection Response; ‘v1-in-auth-only-req’: Incoming Auth Only Request; ‘v1-in-auth-only-rsp’: Incoming Auth Only Response; ‘v1-out-auth-only-req’: Outgoing Auth Only Request; ‘v1-out-auth-only-rsp’: Outgoing Auth Only Response; ‘v1-in-aggressive-req’: Incoming Aggressive Request; ‘v1-in-aggressive-rsp’: Incoming Aggressive Response; ‘v1-out-aggressive-req’: Outgoing Aggressive Request; ‘v1-out-aggressive-rsp’: Outgoing Aggressive Response; ‘v1-in-info-v1-req’: Incoming Info Request; ‘v1-in-info-v1-rsp’: Incoming Info Response; ‘v1-out-info-v1-req’: Outgoing Info Request; ‘v1-out-info-v1-rsp’: Outgoing Info Response; ‘v1-in-transaction-req’: Incoming Transaction Request; ‘v1-in-transaction-rsp’: Incoming Transaction Response; ‘v1-out-transaction-req’: Outgoing Transaction Request; ‘v1-out-transaction-rsp’: Outgoing Transaction Response; 
‘v1-in-quick-mode-req’: Incoming Quick Mode Request; ‘v1-in-quick-mode-rsp’: Incoming Quick Mode Response; ‘v1-out-quick-mode-req’: Outgoing Quick Mode Request; ‘v1-out-quick-mode-rsp’: Outgoing Quick Mode Response; ‘v1-in-new-group-mode-req’: Incoming New Group Mode Request; ‘v1-in-new-group-mode-rsp’: Incoming New Group Mode Response; ‘v1-out-new-group-mode-req’: Outgoing New Group Mode Request; ‘v1-out-new-group-mode-rsp’: Outgoing New Group Mode Response; ‘v1-child-sa-invalid-spi’: Invalid SPI for Child SAs; ‘ike-current-version’: IKE version;
Type: string
Supported Values: all, v2-init-rekey, v2-rsp-rekey, v2-child-sa-rekey, v2-in-invalid, v2-in-invalid-spi, v2-in-init-req, v2-in-init-rsp, v2-out-init-req, v2-out-init-rsp, v2-in-auth-req, v2-in-auth-rsp, v2-out-auth-req, v2-out-auth-rsp, v2-in-create-child-req, v2-in-create-child-rsp, v2-out-create-child-req, v2-out-create-child-rsp, v2-in-info-req, v2-in-info-rsp, v2-out-info-req, v2-out-info-rsp, v1-in-id-prot-req, v1-in-id-prot-rsp, v1-out-id-prot-req, v1-out-id-prot-rsp, v1-in-auth-only-req, v1-in-auth-only-rsp, v1-out-auth-only-req, v1-out-auth-only-rsp, v1-in-aggressive-req, v1-in-aggressive-rsp, v1-out-aggressive-req, v1-out-aggressive-rsp, v1-in-info-v1-req, v1-in-info-v1-rsp, v1-out-info-v1-req, v1-out-info-v1-rsp, v1-in-transaction-req, v1-in-transaction-rsp, v1-out-transaction-req, v1-out-transaction-rsp, v1-in-quick-mode-req, v1-in-quick-mode-rsp, v1-out-quick-mode-req, v1-out-quick-mode-rsp, v1-in-new-group-mode-req, v1-in-new-group-mode-rsp, v1-out-new-group-mode-req, v1-out-new-group-mode-rsp, v1-child-sa-invalid-spi, v2-child-sa-invalid-spi, ike-current-version
ike-gateway-list_dpd
Specification
Type: object
interval
Description Interval time in seconds
Type: number
Range: 10-3600
retry
Description Retry times
Type: number
Range: 1-10
ipsec-list
Specification
Type: list
Block object keys:
anti-replay-window
Description ‘0’: Disable Anti-Replay Window Check; ‘32’: Window Size of 32; ‘64’: Window Size of 64; ‘128’: Window Size of 128; ‘256’: Window Size of 256; ‘512’: Window Size of 512; ‘1024’: Window Size of 1024;
Type: string
Supported Values: 0, 32, 64, 128, 256, 512, 1024
Default: 0
bind-tunnel
Description: bind-tunnel is a JSON Block. Please see below for ipsec-list_bind-tunnel
Type: Object
Reference Object: /axapi/v3/vpn/ipsec/{name}/bind-tunnel
dh-group
Description ‘0’: Diffie-Hellman group 0 (Default); ‘1’: Diffie-Hellman group 1; ‘2’: Diffie-Hellman group 2; ‘5’: Diffie-Hellman group 5; ‘14’: Diffie-Hellman group 14; ‘15’: Diffie-Hellman group 15; ‘16’: Diffie-Hellman group 16; ‘18’: Diffie-Hellman group 18;
Type: string
Supported Values: 0, 1, 2, 5, 14, 15, 16, 18, 19, 20
Default: 0
enc-cfg
Type: List
ike-gateway
Description Gateway to use for IPsec SA
Type: string
Maximum Length: 31 characters
Maximum Length: 1 characters
Reference Object: /axapi/v3/vpn/ike-gateway
lifebytes
Description IPsec SA age in megabytes (0 indicates unlimited bytes)
Type: number
Range: 0-8000000
Default: 0
lifetime
Description IPsec SA age in seconds
Type: number
Range: 300-28800
Default: 28800
mode
Description ‘tunnel’: Encapsulating the packet in IPsec tunnel mode (Default);
Type: string
Supported Values: tunnel
Default: tunnel
name
Description IPsec name
Type: string
Maximum Length: 31 characters
Maximum Length: 1 characters
proto
Description ‘esp’: Encapsulating security protocol (Default);
Type: string
Supported Values: esp
Default: esp
sampling-enable
Type: List
sequence-number-disable
Description Do not use incremental sequence number in the ESP header
Type: boolean
Supported Values: true, false, 1, 0
Default: 0
traffic-selector
Description: traffic-selector is a JSON Block. Please see below for ipsec-list_traffic-selector
Type: Object
up
Description Initiates SA negotiation to bring the IPsec connection up
Type: boolean
Supported Values: true, false, 1, 0
Default: 0
user-tag
Description Customized tag
Type: string
Format: string-rlx
Maximum Length: 127 characters
Maximum Length: 1 characters
uuid
Description uuid of the object
Type: string
Maximum Length: 64 characters
Maximum Length: 1 characters
ipsec-list_bind-tunnel
Specification
Type: object
next-hop
Description IPsec Next Hop IP Address
Type: string
Format: ipv4-address
Mutual Exclusion: next-hop and next-hop-v6 are mutually exclusive
next-hop-v6
Description IPsec Next Hop IPv6 Address
Type: string
Format: ipv6-address
Mutual Exclusion: next-hop-v6 and next-hop are mutually exclusive
tunnel
Description Tunnel interface index
Type: number
Range: 1-128
Reference Object: /axapi/v3/interface/tunnel
uuid
Description uuid of the object
Type: string
Maximum Length: 64 characters
Maximum Length: 1 characters
ipsec-list_sampling-enable
Specification
Type: list
Block object keys:
counters1
Description ‘all’: all; ‘packets-encrypted’: Encrypted Packets; ‘packets-decrypted’: Decrypted Packets; ‘anti-replay-num’: Anti-Replay Failure; ‘rekey-num’: Rekey Times; ‘packets-err-inactive’: Inactive Error; ‘packets-err-encryption’: Encryption Error; ‘packets-err-pad-check’: Pad Check Error; ‘packets-err-pkt-sanity’: Packets Sanity Error; ‘packets-err-icv-check’: ICV Check Error; ‘packets-err-lifetime-lifebytes’: Lifetime Lifebytes Error; ‘bytes-encrypted’: Encrypted Bytes; ‘bytes-decrypted’: Decrypted Bytes; ‘prefrag-success’: Pre-frag Success; ‘prefrag-error’: Pre-frag Error; ‘cavium-bytes-encrypted’: CAVIUM Encrypted Bytes; ‘cavium-bytes-decrypted’: CAVIUM Decrypted Bytes; ‘cavium-packets-encrypted’: CAVIUM Encrypted Packets; ‘cavium-packets-decrypted’: CAVIUM Decrypted Packets; ‘tunnel-intf-down’: Packet dropped: Tunnel Interface Down; ‘pkt-fail-prep-to-send’: Packet dropped: Failed in prepare to send; ‘no-next-hop’: Packet dropped: No next hop; ‘invalid-tunnel-id’: Packet dropped: Invalid tunnel ID; ‘no-tunnel-found’: Packet dropped: No tunnel found; ‘pkt-fail-to-send’: Packet dropped: Failed to send;
Type: string
Supported Values: all, packets-encrypted, packets-decrypted, anti-replay-num, rekey-num, packets-err-inactive, packets-err-encryption, packets-err-pad-check, packets-err-pkt-sanity, packets-err-icv-check, packets-err-lifetime-lifebytes, bytes-encrypted, bytes-decrypted, prefrag-success, prefrag-error, cavium-bytes-encrypted, cavium-bytes-decrypted, cavium-packets-encrypted, cavium-packets-decrypted, tunnel-intf-down, pkt-fail-prep-to-send, no-next-hop, invalid-tunnel-id, no-tunnel-found, pkt-fail-to-send, frag-after-encap-frag-packets, frag-received, sequence-num, sequence-num-rollover, packets-err-nh-check
ipsec-list_traffic-selector
Specification
Type: object
ipv4
Description: ipv4 is a JSON Block. Please see below for ipsec-list_traffic-selector_ipv4
Type: Object
ipv6
Description: ipv6 is a JSON Block. Please see below for ipsec-list_traffic-selector_ipv6
Type: Object
ipsec-list_traffic-selector_ipv4
Specification
Type: object
local
Description Local Traffic Selector
Type: string
Format: ipv4-address
Mutual Exclusion: local and localv6 are mutually exclusive
local_netmask
Description IPv4 Address Network Mask
Type: string
Format: ipv4-netmask
local_port
Description Port Number
Type: number
Range: 0-65535
protocol
Description IP Protocol Number (0-255)
Type: number
Range: 0-255
remote
Description IPv4 Address
Type: string
Format: ipv4-address
remote_netmask
Description IPv4 Address Network Mask
Type: string
Format: ipv4-netmask
remote_port
Description Port Number
Type: number
Range: 0-65535
ipsec-list_traffic-selector_ipv6
Specification
Type: object
local_portv6
Description Port Number
Type: number
Range: 0-65535
localv6
Description Local Traffic Selector
Type: string
Format: ipv6-address-plen
Mutual Exclusion: localv6 and local are mutually exclusive
protocolv6
Description IP Protocol Number (0-255)
Type: number
Range: 0-255
remote_portv6
Description Port Number
Type: number
Range: 0-65535
remotev6
Description IPv6 Address
Type: string
Format: ipv6-address-plen
ipsec-list_enc-cfg
Specification
Type: list
Block object keys:
encryption
Description ‘des’: Data Encryption Standard algorithm; ‘3des’: Triple Data Encryption Standard algorithm; ‘aes-128’: Advanced Encryption Standard algorithm (key size: 128 bits); ‘aes-192’: Advanced Encryption Standard algorithm (key size: 192 bits); ‘aes-256’: Advanced Encryption Standard algorithm (key size: 256 bits); ‘null’: No encryption algorithm;
Type: string
Supported Values: des, 3des, aes-128, aes-192, aes-256, aes-gcm-128, aes-gcm-192, aes-gcm-256, null
gcm_priority
Description Prioritizes (1-10) security protocol, least value has highest priority
Type: number
Range: 1-10
Default: 5
hash
Description ‘md5’: MD5 Message-Digest Algorithm; ‘sha1’: Secure Hash Algorithm 1; ‘sha256’: Secure Hash Algorithm 256; ‘null’: No hash algorithm;
Type: string
Supported Values: md5, sha1, sha256, sha384, sha512, null
priority
Description Prioritizes (1-10) security protocol, least value has highest priority
Type: number
Range: 1-10
Default: 5
errordump
Specification
Type: object
uuid
Description uuid of the object
Type: string
Maximum Length: 64 characters
Maximum Length: 1 characters
stats data
Counter | Size | Description
---|---|---
passthrough | 8 | passthrough
ha-standby-drop | 8 | ha-standby-drop
operational data
Counter | Size | Description
---|---|---
all-partitions | flag | all-partitions
Num-hardware-devices | number | Num-hardware-devices
IPsec-mode | string | IPsec-mode
specific-partition | string | specific-partition
IKE-Gateway-total | number | IKE-Gateway-total
all-partition-list | all-partition-list |
IPsec-SA-total | number | IPsec-SA-total
Crypto-cores-assigned-to-IPsec | number | Crypto-cores-assigned-to-IPsec
IKE-SA-total | number | IKE-SA-total
Crypto-cores-total | number | Crypto-cores-total
IPsec-total | number | IPsec-total
shared | flag | shared
Crypto-mem | number | Crypto-mem
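
An added example, not taken from the A10 documentation: a Python audit that applies the defaults, ranges and mutual exclusions listed in the ike-gateway-list and ipsec-list attributes above to a vpn object, so that omitted attributes are judged by their documented defaults. The payload shape (a dict with `ike-gateway-list` and `ipsec-list` entries, `enc-cfg` as a list of dicts), the weak-algorithm policy sets and the sample configuration are assumptions constructed for this example.

```python
"""Audit a vpn configuration dict against the attribute tables on this page."""

# Defaults and ranges copied from the attribute tables above.
IKE_DEFAULTS = {"auth-method": "preshare-key", "dh-group": "1",
                "ike-version": "v2", "mode": "main", "lifetime": 86400}
IPSEC_DEFAULTS = {"anti-replay-window": "0", "dh-group": "0",
                  "lifetime": 28800, "sequence-number-disable": 0}
RANGES = {"ike": (300, 86400), "ipsec": (300, 28800)}

# Reviewer policy: an assumption of this example, not part of the schema.
WEAK_DH = {"1", "2", "5"}
WEAK_ENC = {"des", "3des", "null"}
WEAK_HASH = {"md5", "sha1"}


def _truthy(value):
    # Booleans are documented as accepting true, false, 1, 0.
    return value in (True, 1, "1", "true")


def _enc_findings(path, enc_cfg):
    out = []
    for i, enc in enumerate(enc_cfg):
        where = f"{path}.enc-cfg[{i}]"
        if enc.get("encryption") in WEAK_ENC:
            out.append((where, f"weak encryption {enc['encryption']}"))
        for field in ("hash", "prf"):
            if enc.get(field) in WEAK_HASH:
                out.append((where, f"weak {field} {enc[field]}"))
    return out


def audit_vpn(cfg):
    """Return a list of (path, message) findings for one vpn object."""
    findings = []
    if _truthy(cfg.get("fragment-after-encap")) and _truthy(cfg.get("jumbo-fragment")):
        findings.append(("vpn", "fragment-after-encap and jumbo-fragment are mutually exclusive"))

    for gw in cfg.get("ike-gateway-list", []):
        eff = {**IKE_DEFAULTS, **gw}  # absent keys fall back to documented defaults
        path = f"ike-gateway[{eff.get('name', '?')}]"
        lo, hi = RANGES["ike"]
        if not lo <= eff["lifetime"] <= hi:
            findings.append((path, f"lifetime {eff['lifetime']} outside {lo}-{hi}"))
        if str(eff["dh-group"]) in WEAK_DH:
            findings.append((path, f"weak dh-group {eff['dh-group']}"))
        if (eff["ike-version"] == "v1" and eff["mode"] == "aggressive"
                and eff["auth-method"] == "preshare-key"):
            findings.append((path, "IKEv1 aggressive mode with pre-shared key"))
        findings += _enc_findings(path, gw.get("enc-cfg", []))

    for sa in cfg.get("ipsec-list", []):
        eff = {**IPSEC_DEFAULTS, **sa}
        path = f"ipsec[{eff.get('name', '?')}]"
        lo, hi = RANGES["ipsec"]
        if not lo <= eff["lifetime"] <= hi:
            findings.append((path, f"lifetime {eff['lifetime']} outside {lo}-{hi}"))
        if str(eff["anti-replay-window"]) == "0":
            findings.append((path, "anti-replay window check disabled"))
        if _truthy(eff["sequence-number-disable"]):
            findings.append((path, "ESP sequence numbers disabled"))
        if str(eff["dh-group"]) in WEAK_DH:
            findings.append((path, f"weak dh-group {eff['dh-group']}"))
        bind = sa.get("bind-tunnel", {})
        if "next-hop" in bind and "next-hop-v6" in bind:
            findings.append((path, "next-hop and next-hop-v6 are mutually exclusive"))
        findings += _enc_findings(path, sa.get("enc-cfg", []))
    return findings


# Constructed sample input: one legacy gateway/SA pair and one hardened pair.
SAMPLE = {
    "fragment-after-encap": 1, "jumbo-fragment": 1,
    "ike-gateway-list": [
        {"name": "gw-legacy", "ike-version": "v1", "mode": "aggressive",
         "enc-cfg": [{"encryption": "3des", "hash": "md5"}]},
        {"name": "gw-new", "dh-group": "19", "auth-method": "ecdsa-signature",
         "enc-cfg": [{"encryption": "aes-256", "hash": "sha256", "prf": "sha256"}]},
    ],
    "ipsec-list": [
        {"name": "sa-legacy", "ike-gateway": "gw-legacy", "lifetime": 120,
         "enc-cfg": [{"encryption": "aes-128", "hash": "sha1"}]},
        {"name": "sa-new", "ike-gateway": "gw-new", "dh-group": "20",
         "anti-replay-window": "64",
         "enc-cfg": [{"encryption": "aes-gcm-256", "hash": "null"}]},
    ],
}

if __name__ == "__main__":
    for path, message in audit_vpn(SAMPLE):
        print(f"{path}: {message}")
```

The gw-legacy entry never sets dh-group, yet it is reported as group 1 because that is the documented default; the same applies to the disabled anti-replay window on sa-legacy.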