vpn

VPN Commands

vpn Specification

Parameter              Value
Type                   Configuration Resource
Element Name           vpn
Element URI            /axapi/v3/vpn
Element Attributes     vpn_attributes
Partition Visibility   shared
Statistics Data URI    /axapi/v3/vpn/stats
Operational Data URI   /axapi/v3/vpn/oper
Schema                 vpn schema

Operations Allowed:

Operation        Method   URI             Payload
Create Object    POST     /axapi/v3/vpn   vpn attributes
Get Object       GET      /axapi/v3/vpn   vpn attributes
Modify Object    POST     /axapi/v3/vpn   vpn attributes
Replace Object   PUT      /axapi/v3/vpn   vpn attributes
Delete Object    DELETE   /axapi/v3/vpn   vpn attributes

vpn attributes

asymmetric-flow-support

Description Support asymmetric flows passing through the IPsec tunnel

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

crl

Description: crl is a JSON Block. Please see below for crl

Type: Object

Reference Object: /axapi/v3/vpn/crl

default

Description: default is a JSON Block. Please see below for default

Type: Object

Reference Object: /axapi/v3/vpn/default

enable-vpn-metrics

Description Enable exporting VPN statistics to Harmony

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

error

Description: error is a JSON Block. Please see below for error

Type: Object

Reference Object: /axapi/v3/vpn/error

errordump

Description: errordump is a JSON Block. Please see below for errordump

Type: Object

Reference Object: /axapi/v3/vpn/errordump

extended-matching

Description Enable session extended matching for packets that come from the IPsec tunnel

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

fragment-after-encap

Description Fragment after adding IPsec headers

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

Mutual Exclusion: fragment-after-encap and jumbo-fragment are mutually exclusive

group-list

Description: group-list is a JSON Block. Please see below for group-list

Type: Object

Reference Object: /axapi/v3/vpn/group-list

ike-acc-enable

Description Enable IKE Acceleration by Cavium Nitrox card

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

ike-gateway-list

Type: List

Reference Object: /axapi/v3/vpn/ike-gateway/{name}

ike-logging-enable

Description Enable IKE negotiation logging

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

ike-sa

Description: ike-sa is a JSON Block. Please see below for ike-sa

Type: Object

Reference Object: /axapi/v3/vpn/ike-sa

ike-sa-brief

Description: ike-sa-brief is a JSON Block. Please see below for ike-sa-brief

Type: Object

Reference Object: /axapi/v3/vpn/ike-sa-brief

ike-sa-clients

Description: ike-sa-clients is a JSON Block. Please see below for ike-sa-clients

Type: Object

Reference Object: /axapi/v3/vpn/ike-sa-clients

ike-sa-timeout

Description Timeout for an IKE SA in the connecting state, in seconds (default 600s)

Type: number

Range: 300-86400

Default: 600

ike-stats-by-gw

Description: ike-stats-by-gw is a JSON Block. Please see below for ike-stats-by-gw

Type: Object

Reference Object: /axapi/v3/vpn/ike-stats-by-gw

ike-stats-global

Description: ike-stats-global is a JSON Block. Please see below for ike-stats-global

Type: Object

Reference Object: /axapi/v3/vpn/ike-stats-global

ipsec-cipher-check

Description Enable cipher check: the IPsec SA cipher must be weaker than the IKE gateway cipher, and DES/3DES/MD5/null will not work.

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

ipsec-error-dump

Description Record error information from the IPsec Cavium engine in a dump file

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

ipsec-group-list

Type: List

Reference Object: /axapi/v3/vpn/ipsec-group/{name}

ipsec-list

Type: List

Reference Object: /axapi/v3/vpn/ipsec/{name}

ipsec-mgmt-default-policy-drop

Description Drop management traffic that does not match an IPsec tunnel (shared partition only)

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

ipsec-sa

Description: ipsec-sa is a JSON Block. Please see below for ipsec-sa

Type: Object

Reference Object: /axapi/v3/vpn/ipsec-sa

ipsec-sa-by-gw

Description: ipsec-sa-by-gw is a JSON Block. Please see below for ipsec-sa-by-gw

Type: Object

Reference Object: /axapi/v3/vpn/ipsec-sa-by-gw

ipsec-sa-clients

Description: ipsec-sa-clients is a JSON Block. Please see below for ipsec-sa-clients

Type: Object

Reference Object: /axapi/v3/vpn/ipsec-sa-clients

ipsec-sa-stats-list

jumbo-fragment

Description Support IKE jumbo fragment packets

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

Mutual Exclusion: jumbo-fragment and fragment-after-encap are mutually exclusive

log

Description: log is a JSON Block. Please see below for log

Type: Object

Reference Object: /axapi/v3/vpn/log

nat-traversal-flow-affinity

Description Choose IPsec UDP source port based on port of inner flow (only for A10 to A10)

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

ocsp

Description: ocsp is a JSON Block. Please see below for ocsp

Type: Object

Reference Object: /axapi/v3/vpn/ocsp

revocation-list

Type: List

Reference Object: /axapi/v3/vpn/revocation/{name}

sampling-enable

Type: List

signature-authentication

Description Enable use of different hash algorithms for signature authentication in IKEv2

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

stateful-mode

Description VPN module will work in stateful mode and create sessions

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

tcp-mss-adjust-disable

Description Disable TCP MSS adjustment in SYN packet

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

uuid

Description uuid of the object

Type: string

Maximum Length: 64 characters

Minimum Length: 1 character

ipsec-sa-stats-list

Specification Value
Type list
Block object keys  

sampling-enable

Type: List

ipsec-sa-stats-list_sampling-enable

Specification Value
Type list
Block object keys  

counters1

Description ‘all’: all; ‘packets-encrypted’: Encrypted Packets; ‘packets-decrypted’: Decrypted Packets; ‘anti-replay-num’: Anti-Replay Failure; ‘rekey-num’: Rekey Times; ‘packets-err-inactive’: Inactive Error; ‘packets-err-encryption’: Encryption Error; ‘packets-err-pad-check’: Pad Check Error; ‘packets-err-pkt-sanity’: Packets Sanity Error; ‘packets-err-icv-check’: ICV Check Error; ‘packets-err-lifetime-lifebytes’: Lifetime Lifebytes Error; ‘bytes-encrypted’: Encrypted Bytes; ‘bytes-decrypted’: Decrypted Bytes; ‘prefrag-success’: Pre-frag Success; ‘prefrag-error’: Pre-frag Error; ‘cavium-bytes-encrypted’: CAVIUM Encrypted Bytes; ‘cavium-bytes-decrypted’: CAVIUM Decrypted Bytes; ‘cavium-packets-encrypted’: CAVIUM Encrypted Packets; ‘cavium-packets-decrypted’: CAVIUM Decrypted Packets; ‘qat-bytes-encrypted’: QAT Encrypted Bytes; ‘qat-bytes-decrypted’: QAT Decrypted Bytes; ‘qat-packets-encrypted’: QAT Encrypted Packets; ‘qat-packets-decrypted’: QAT Decrypted Packets; ‘tunnel-intf-down’: Packet dropped: Tunnel Interface Down; ‘pkt-fail-prep-to-send’: Packet dropped: Failed in prepare to send; ‘no-next-hop’: Packet dropped: No next hop; ‘invalid-tunnel-id’: Packet dropped: Invalid tunnel ID; ‘no-tunnel-found’: Packet dropped: No tunnel found; ‘pkt-fail-to-send’: Packet dropped: Failed to send; ‘frag-after-encap-frag-packets’: Frag-after-encap Fragment Generated; ‘frag-received’: Fragment Received; ‘sequence-num’: Sequence Number; ‘sequence-num-rollover’: Sequence Number Rollover; ‘packets-err-nh-check’: Next Header Check Error;

Type: string

Supported Values: all, packets-encrypted, packets-decrypted, anti-replay-num, rekey-num, packets-err-inactive, packets-err-encryption, packets-err-pad-check, packets-err-pkt-sanity, packets-err-icv-check, packets-err-lifetime-lifebytes, bytes-encrypted, bytes-decrypted, prefrag-success, prefrag-error, cavium-bytes-encrypted, cavium-bytes-decrypted, cavium-packets-encrypted, cavium-packets-decrypted, qat-bytes-encrypted, qat-bytes-decrypted, qat-packets-encrypted, qat-packets-decrypted, tunnel-intf-down, pkt-fail-prep-to-send, no-next-hop, invalid-tunnel-id, no-tunnel-found, pkt-fail-to-send, frag-after-encap-frag-packets, frag-received, sequence-num, sequence-num-rollover, packets-err-nh-check

ike-sa-clients

Specification Value
Type object

uuid

Description uuid of the object

Type: string

Maximum Length: 64 characters

Minimum Length: 1 character

ipsec-sa-clients

Specification Value
Type object

uuid

Description uuid of the object

Type: string

Maximum Length: 64 characters

Minimum Length: 1 character

ipsec-group-list

Specification Value
Type list
Block object keys  

ipsecgroup-cfg

Type: List

name

Description Group name

Type: string

Maximum Length: 31 characters

Minimum Length: 1 character

user-tag

Description Customized tag

Type: string

Format: string-rlx

Maximum Length: 127 characters

Minimum Length: 1 character

uuid

Description uuid of the object

Type: string

Maximum Length: 64 characters

Minimum Length: 1 character

ipsec-group-list_ipsecgroup-cfg

Specification Value
Type list
Block object keys  

ipsec

Description Specify a name to group active/backup tunnels

Type: string

Maximum Length: 31 characters

Minimum Length: 1 character

Reference Object: /axapi/v3/vpn/ipsec

priority

Description Highest priority value is the active tunnel

Type: number

Range: 1-10

log

Specification Value
Type object

uuid

Description uuid of the object

Type: string

Maximum Length: 64 characters

Minimum Length: 1 character

ike-sa-brief

Specification Value
Type object

uuid

Description uuid of the object

Type: string

Maximum Length: 64 characters

Minimum Length: 1 character

ocsp

Specification Value
Type object

uuid

Description uuid of the object

Type: string

Maximum Length: 64 characters

Minimum Length: 1 character

ipsec-sa-by-gw

Specification Value
Type object

uuid

Description uuid of the object

Type: string

Maximum Length: 64 characters

Minimum Length: 1 character

ike-gateway-list

Specification Value
Type list
Block object keys  

auth-method

Description ‘preshare-key’: Authenticate the remote gateway using a pre-shared key (Default); ‘rsa-signature’: Authenticate the remote gateway using an RSA certificate; ‘ecdsa-signature’: Authenticate the remote gateway using an ECDSA certificate; ‘eap-radius’: Authenticate the remote gateway using an EAP Radius server; ‘eap-tls’: Authenticate the remote gateway using EAP TLS;

Type: string

Supported Values: preshare-key, rsa-signature, ecdsa-signature, eap-radius, eap-tls

Default: preshare-key

configuration-payload

Description ‘dhcp’: Enable DHCP configuration-payload; ‘radius’: Enable RADIUS configuration-payload;

Type: string

Supported Values: dhcp, radius

dh-group

Description ‘1’: Diffie-Hellman group 1 - 768-bit(Default); ‘2’: Diffie-Hellman group 2 - 1024-bit; ‘5’: Diffie-Hellman group 5 - 1536-bit; ‘14’: Diffie-Hellman group 14 - 2048-bit; ‘15’: Diffie-Hellman group 15 - 3072-bit; ‘16’: Diffie-Hellman group 16 - 4096-bit; ‘18’: Diffie-Hellman group 18 - 8192-bit; ‘19’: Diffie-Hellman group 19 - 256-bit Elliptic Curve; ‘20’: Diffie-Hellman group 20 - 384-bit Elliptic Curve;

Type: string

Supported Values: 1, 2, 5, 14, 15, 16, 18, 19, 20

Default: 1

dhcp-server

Description: dhcp-server is a JSON Block. Please see below for ike-gateway-list_dhcp-server

Type: Object

disable-rekey

Description Disable initiating rekey

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

dpd

Description: dpd is a JSON Block. Please see below for ike-gateway-list_dpd

Type: Object

enc-cfg

Type: List

fragment-size

Description Enable IKE message fragmentation and set the fragment size

Type: number

Range: 576-1280

hash

Description ‘sha256’: Secure Hash Algorithm 256; ‘sha384’: Secure Hash Algorithm 384; ‘sha512’: Secure Hash Algorithm 512;

Type: string

Supported Values: sha256, sha384, sha512

ike-version

Description ‘v1’: IKEv1 key exchange; ‘v2’: IKEv2 key exchange;

Type: string

Supported Values: v1, v2

Default: v2

interface-management

Description Only handle traffic on the management interface (shared partition only)

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

key

Description Private Key

Type: string

Maximum Length: 255 characters

Minimum Length: 1 character

key-passphrase

Description Private Key Pass Phrase

Type: string

Format: password

Maximum Length: 127 characters

Minimum Length: 1 character

key-passphrase-encrypted

Description Do NOT use this option manually. (This is an A10 reserved keyword.) (The ENCRYPTED key string)

lifetime

Description IKE SA age in seconds

Type: number

Range: 300-86400

Default: 86400

local-address

Description: local-address is a JSON Block. Please see below for ike-gateway-list_local-address

Type: Object

local-cert

Description: local-cert is a JSON Block. Please see below for ike-gateway-list_local-cert

Type: Object

local-id

Description Local Gateway Identity

Type: string

Format: string-rlx

Maximum Length: 255 characters

Minimum Length: 1 character

mode

Description ‘main’: Negotiate Main mode (Default); ‘aggressive’: Negotiate Aggressive mode;

Type: string

Supported Values: main, aggressive

Default: main

name

Description IKE-gateway name

Type: string

Maximum Length: 31 characters

Minimum Length: 1 character

nat-traversal

Description

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

preshare-key-encrypted

Description Do NOT use this option manually. (This is an A10 reserved keyword.) (The ENCRYPTED pre-shared key string)

preshare-key-value

Description pre-shared key

Type: string

Format: password

Maximum Length: 127 characters

Minimum Length: 1 character

radius-server

Description: radius-server is a JSON Block. Please see below for ike-gateway-list_radius-server

Type: Object

remote-address

Description: remote-address is a JSON Block. Please see below for ike-gateway-list_remote-address

Type: Object

remote-ca-cert

Description: remote-ca-cert is a JSON Block. Please see below for ike-gateway-list_remote-ca-cert

Type: Object

remote-id

Description Remote Gateway Identity

Type: string

Format: string-rlx

Maximum Length: 255 characters

Minimum Length: 1 character

sampling-enable

Type: List

user-tag

Description Customized tag

Type: string

Format: string-rlx

Maximum Length: 127 characters

Minimum Length: 1 character

uuid

Description uuid of the object

Type: string

Maximum Length: 64 characters

Minimum Length: 1 character

vrid

Description: vrid is a JSON Block. Please see below for ike-gateway-list_vrid

Type: Object

ike-gateway-list_local-cert

Specification Value
Type object

local-cert-name

Description Certificate File Name

Type: string

Maximum Length: 255 characters

Minimum Length: 1 character

ike-gateway-list_dhcp-server

Specification Value
Type object

pri

Description: pri is a JSON Block. Please see below for ike-gateway-list_dhcp-server_pri

Type: Object

sec

Description: sec is a JSON Block. Please see below for ike-gateway-list_dhcp-server_sec

Type: Object

ike-gateway-list_dhcp-server_sec

Specification Value
Type object

dhcp-sec-ipv4

Description Secondary DHCP Server IP Address

Type: string

Format: ipv4-address

ike-gateway-list_dhcp-server_pri

Specification Value
Type object

dhcp-pri-ipv4

Description Primary DHCP Server IP Address

Type: string

Format: ipv4-address

ike-gateway-list_enc-cfg

Specification Value
Type list
Block object keys  

encryption

Description ‘des’: Data Encryption Standard algorithm; ‘3des’: Triple Data Encryption Standard algorithm; ‘aes-128’: Advanced Encryption Standard algorithm CBC Mode(key size: 128 bits); ‘aes-192’: Advanced Encryption Standard algorithm CBC Mode(key size: 192 bits); ‘aes-256’: Advanced Encryption Standard algorithm CBC Mode(key size: 256 bits); ‘aes-gcm-128’: Advanced Encryption Standard algorithm Galois/Counter Mode(key size: 128 bits, ICV size: 16 bytes), only for IKEv2; ‘aes-gcm-192’: Advanced Encryption Standard algorithm Galois/Counter Mode(key size: 192 bits, ICV size: 16 bytes), only for IKEv2; ‘aes-gcm-256’: Advanced Encryption Standard algorithm Galois/Counter Mode(key size: 256 bits, ICV size: 16 bytes), only for IKEv2; ‘null’: No encryption algorithm, only for IKEv2;

Type: string

Supported Values: des, 3des, aes-128, aes-192, aes-256, aes-gcm-128, aes-gcm-192, aes-gcm-256, null

gcm_priority

Description Priority (1-10) of this security proposal; the lowest value has the highest priority

Type: number

Range: 1-10

Default: 5

hash

Description ‘md5’: MD5 Message-Digest Algorithm; ‘sha1’: Secure Hash Algorithm 1; ‘sha256’: Secure Hash Algorithm 256; ‘sha384’: Secure Hash Algorithm 384; ‘sha512’: Secure Hash Algorithm 512;

Type: string

Supported Values: md5, sha1, sha256, sha384, sha512

prf

Description ‘md5’: MD5 Message-Digest Algorithm; ‘sha1’: Secure Hash Algorithm 1; ‘sha256’: Secure Hash Algorithm 256; ‘sha384’: Secure Hash Algorithm 384; ‘sha512’: Secure Hash Algorithm 512;

Type: string

Supported Values: md5, sha1, sha256, sha384, sha512

priority

Description Priority (1-10) of this security proposal; the lowest value has the highest priority

Type: number

Range: 1-10

Default: 5

ike-gateway-list_vrid

Specification Value
Type object

default

Description Default VRRP-A vrid

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

Mutual Exclusion: default and vrid-num are mutually exclusive

vrid-num

Description Specify the HA VRRP-A vrid

Type: number

Range: 0-31

Mutual Exclusion: vrid-num and default are mutually exclusive

ike-gateway-list_radius-server

Specification Value
Type object

radius-pri

Description Primary RADIUS Authentication Server

Type: string

Maximum Length: 63 characters

Minimum Length: 1 character

Reference Object: /axapi/v3/aam/authentication/server/radius/instance

radius-sec

Description Secondary RADIUS Authentication Server

Type: string

Maximum Length: 63 characters

Minimum Length: 1 character

Reference Object: /axapi/v3/aam/authentication/server/radius/instance

ike-gateway-list_local-address

Specification Value
Type object

local-ip

Description IPv4 address

Type: string

Format: ipv4-address

Mutual Exclusion: local-ip and local-ipv6 are mutually exclusive

local-ipv6

Description IPv6 address

Type: string

Format: ipv6-address

Mutual Exclusion: local-ipv6 and local-ip are mutually exclusive

ike-gateway-list_remote-address

Specification Value
Type object

dns

Description Remote IP based on Domain name

Type: string

Maximum Length: 128 characters

Minimum Length: 1 character

Mutual Exclusion: dns, remote-ip, and remote-ipv6 are mutually exclusive

remote-ip

Description IPv4 address

Type: string

Format: ipv4-address

Mutual Exclusion: remote-ip, dns, and remote-ipv6 are mutually exclusive

remote-ipv6

Description IPv6 address

Type: string

Format: ipv6-address

Mutual Exclusion: remote-ipv6, remote-ip, and dns are mutually exclusive

ike-gateway-list_remote-ca-cert

Specification Value
Type object

remote-cert-name

Description Remote CA certificate DN (C=, ST=, L=, O=, CN=) without emailAddress

Type: string

Format: string-rlx

Maximum Length: 127 characters

Minimum Length: 1 character

ike-gateway-list_sampling-enable

Specification Value
Type list
Block object keys  

counters1

Description ‘all’: all; ‘v2-init-rekey’: Initiate Rekey; ‘v2-rsp-rekey’: Respond Rekey; ‘v2-child-sa-rekey’: Child SA Rekey; ‘v2-in-invalid’: Incoming Invalid; ‘v2-in-invalid-spi’: Incoming Invalid SPI; ‘v2-in-init-req’: Incoming Init Request; ‘v2-in-init-rsp’: Incoming Init Response; ‘v2-out-init-req’: Outgoing Init Request; ‘v2-out-init-rsp’: Outgoing Init Response; ‘v2-in-auth-req’: Incoming Auth Request; ‘v2-in-auth-rsp’: Incoming Auth Response; ‘v2-out-auth-req’: Outgoing Auth Request; ‘v2-out-auth-rsp’: Outgoing Auth Response; ‘v2-in-create-child-req’: Incoming Create Child Request; ‘v2-in-create-child-rsp’: Incoming Create Child Response; ‘v2-out-create-child-req’: Outgoing Create Child Request; ‘v2-out-create-child-rsp’: Outgoing Create Child Response; ‘v2-in-info-req’: Incoming Info Request; ‘v2-in-info-rsp’: Incoming Info Response; ‘v2-out-info-req’: Outgoing Info Request; ‘v2-out-info-rsp’: Outgoing Info Response; ‘v1-in-id-prot-req’: Incoming ID Protection Request; ‘v1-in-id-prot-rsp’: Incoming ID Protection Response; ‘v1-out-id-prot-req’: Outgoing ID Protection Request; ‘v1-out-id-prot-rsp’: Outgoing ID Protection Response; ‘v1-in-auth-only-req’: Incoming Auth Only Request; ‘v1-in-auth-only-rsp’: Incoming Auth Only Response; ‘v1-out-auth-only-req’: Outgoing Auth Only Request; ‘v1-out-auth-only-rsp’: Outgoing Auth Only Response; ‘v1-in-aggressive-req’: Incoming Aggressive Request; ‘v1-in-aggressive-rsp’: Incoming Aggressive Response; ‘v1-out-aggressive-req’: Outgoing Aggressive Request; ‘v1-out-aggressive-rsp’: Outgoing Aggressive Response; ‘v1-in-info-v1-req’: Incoming Info Request; ‘v1-in-info-v1-rsp’: Incoming Info Response; ‘v1-out-info-v1-req’: Outgoing Info Request; ‘v1-out-info-v1-rsp’: Outgoing Info Response; ‘v1-in-transaction-req’: Incoming Transaction Request; ‘v1-in-transaction-rsp’: Incoming Transaction Response; ‘v1-out-transaction-req’: Outgoing Transaction Request; ‘v1-out-transaction-rsp’: Outgoing Transaction Response; 
‘v1-in-quick-mode-req’: Incoming Quick Mode Request; ‘v1-in-quick-mode-rsp’: Incoming Quick Mode Response; ‘v1-out-quick-mode-req’: Outgoing Quick Mode Request; ‘v1-out-quick-mode-rsp’: Outgoing Quick Mode Response; ‘v1-in-new-group-mode-req’: Incoming New Group Mode Request; ‘v1-in-new-group-mode-rsp’: Incoming New Group Mode Response; ‘v1-out-new-group-mode-req’: Outgoing New Group Mode Request; ‘v1-out-new-group-mode-rsp’: Outgoing New Group Mode Response; ‘v1-child-sa-invalid-spi’: Invalid SPI for Child SAs; ‘v2-child-sa-invalid-spi’: Invalid SPI for Child SAs; ‘ike-current-version’: IKE version;

Type: string

Supported Values: all, v2-init-rekey, v2-rsp-rekey, v2-child-sa-rekey, v2-in-invalid, v2-in-invalid-spi, v2-in-init-req, v2-in-init-rsp, v2-out-init-req, v2-out-init-rsp, v2-in-auth-req, v2-in-auth-rsp, v2-out-auth-req, v2-out-auth-rsp, v2-in-create-child-req, v2-in-create-child-rsp, v2-out-create-child-req, v2-out-create-child-rsp, v2-in-info-req, v2-in-info-rsp, v2-out-info-req, v2-out-info-rsp, v1-in-id-prot-req, v1-in-id-prot-rsp, v1-out-id-prot-req, v1-out-id-prot-rsp, v1-in-auth-only-req, v1-in-auth-only-rsp, v1-out-auth-only-req, v1-out-auth-only-rsp, v1-in-aggressive-req, v1-in-aggressive-rsp, v1-out-aggressive-req, v1-out-aggressive-rsp, v1-in-info-v1-req, v1-in-info-v1-rsp, v1-out-info-v1-req, v1-out-info-v1-rsp, v1-in-transaction-req, v1-in-transaction-rsp, v1-out-transaction-req, v1-out-transaction-rsp, v1-in-quick-mode-req, v1-in-quick-mode-rsp, v1-out-quick-mode-req, v1-out-quick-mode-rsp, v1-in-new-group-mode-req, v1-in-new-group-mode-rsp, v1-out-new-group-mode-req, v1-out-new-group-mode-rsp, v1-child-sa-invalid-spi, v2-child-sa-invalid-spi, ike-current-version

ike-gateway-list_dpd

Specification Value
Type object

interval

Description Interval time in seconds

Type: number

Range: 1-3600

retry

Description Retry times

Type: number

Range: 1-10

ike-stats-by-gw

Specification Value
Type object

uuid

Description uuid of the object

Type: string

Maximum Length: 64 characters

Minimum Length: 1 character

ike-stats-global

Specification Value
Type object

sampling-enable

Type: List

uuid

Description uuid of the object

Type: string

Maximum Length: 64 characters

Minimum Length: 1 character

ike-stats-global_sampling-enable

Specification Value
Type list
Block object keys  

counters1

Description ‘all’: all; ‘v2-init-rekey’: Initiate Rekey; ‘v2-rsp-rekey’: Respond Rekey; ‘v2-child-sa-rekey’: Child SA Rekey; ‘v2-in-invalid’: Incoming Invalid; ‘v2-in-invalid-spi’: Incoming Invalid SPI; ‘v2-in-init-req’: Incoming Init Request; ‘v2-in-init-rsp’: Incoming Init Response; ‘v2-out-init-req’: Outgoing Init Request; ‘v2-out-init-rsp’: Outgoing Init Response; ‘v2-in-auth-req’: Incoming Auth Request; ‘v2-in-auth-rsp’: Incoming Auth Response; ‘v2-out-auth-req’: Outgoing Auth Request; ‘v2-out-auth-rsp’: Outgoing Auth Response; ‘v2-in-create-child-req’: Incoming Create Child Request; ‘v2-in-create-child-rsp’: Incoming Create Child Response; ‘v2-out-create-child-req’: Outgoing Create Child Request; ‘v2-out-create-child-rsp’: Outgoing Create Child Response; ‘v2-in-info-req’: Incoming Info Request; ‘v2-in-info-rsp’: Incoming Info Response; ‘v2-out-info-req’: Outgoing Info Request; ‘v2-out-info-rsp’: Outgoing Info Response; ‘v1-in-id-prot-req’: Incoming ID Protection Request; ‘v1-in-id-prot-rsp’: Incoming ID Protection Response; ‘v1-out-id-prot-req’: Outgoing ID Protection Request; ‘v1-out-id-prot-rsp’: Outgoing ID Protection Response; ‘v1-in-auth-only-req’: Incoming Auth Only Request; ‘v1-in-auth-only-rsp’: Incoming Auth Only Response; ‘v1-out-auth-only-req’: Outgoing Auth Only Request; ‘v1-out-auth-only-rsp’: Outgoing Auth Only Response; ‘v1-in-aggressive-req’: Incoming Aggressive Request; ‘v1-in-aggressive-rsp’: Incoming Aggressive Response; ‘v1-out-aggressive-req’: Outgoing Aggressive Request; ‘v1-out-aggressive-rsp’: Outgoing Aggressive Response; ‘v1-in-info-v1-req’: Incoming Info Request; ‘v1-in-info-v1-rsp’: Incoming Info Response; ‘v1-out-info-v1-req’: Outgoing Info Request; ‘v1-out-info-v1-rsp’: Outgoing Info Response; ‘v1-in-transaction-req’: Incoming Transaction Request; ‘v1-in-transaction-rsp’: Incoming Transaction Response; ‘v1-out-transaction-req’: Outgoing Transaction Request; ‘v1-out-transaction-rsp’: Outgoing Transaction Response; 
‘v1-in-quick-mode-req’: Incoming Quick Mode Request; ‘v1-in-quick-mode-rsp’: Incoming Quick Mode Response; ‘v1-out-quick-mode-req’: Outgoing Quick Mode Request; ‘v1-out-quick-mode-rsp’: Outgoing Quick Mode Response; ‘v1-in-new-group-mode-req’: Incoming New Group Mode Request; ‘v1-in-new-group-mode-rsp’: Incoming New Group Mode Response; ‘v1-out-new-group-mode-req’: Outgoing New Group Mode Request; ‘v1-out-new-group-mode-rsp’: Outgoing New Group Mode Response;

Type: string

Supported Values: all, v2-init-rekey, v2-rsp-rekey, v2-child-sa-rekey, v2-in-invalid, v2-in-invalid-spi, v2-in-init-req, v2-in-init-rsp, v2-out-init-req, v2-out-init-rsp, v2-in-auth-req, v2-in-auth-rsp, v2-out-auth-req, v2-out-auth-rsp, v2-in-create-child-req, v2-in-create-child-rsp, v2-out-create-child-req, v2-out-create-child-rsp, v2-in-info-req, v2-in-info-rsp, v2-out-info-req, v2-out-info-rsp, v1-in-id-prot-req, v1-in-id-prot-rsp, v1-out-id-prot-req, v1-out-id-prot-rsp, v1-in-auth-only-req, v1-in-auth-only-rsp, v1-out-auth-only-req, v1-out-auth-only-rsp, v1-in-aggressive-req, v1-in-aggressive-rsp, v1-out-aggressive-req, v1-out-aggressive-rsp, v1-in-info-v1-req, v1-in-info-v1-rsp, v1-out-info-v1-req, v1-out-info-v1-rsp, v1-in-transaction-req, v1-in-transaction-rsp, v1-out-transaction-req, v1-out-transaction-rsp, v1-in-quick-mode-req, v1-in-quick-mode-rsp, v1-out-quick-mode-req, v1-out-quick-mode-rsp, v1-in-new-group-mode-req, v1-in-new-group-mode-rsp, v1-out-new-group-mode-req, v1-out-new-group-mode-rsp

revocation-list

Specification Value
Type list
Block object keys  

ca

Description Certificate Authority file name

Type: string

Maximum Length: 255 characters

Minimum Length: 1 character

crl

Description: crl is a JSON Block. Please see below for revocation-list_crl

Type: Object

name

Description Revocation name

Type: string

Maximum Length: 31 characters

Minimum Length: 1 character

ocsp

Description: ocsp is a JSON Block. Please see below for revocation-list_ocsp

Type: Object

user-tag

Description Customized tag

Type: string

Format: string-rlx

Maximum Length: 127 characters

Minimum Length: 1 character

uuid

Description uuid of the object

Type: string

Maximum Length: 64 characters

Minimum Length: 1 character

revocation-list_ocsp

Specification Value
Type object

ocsp-pri

Description Primary OCSP Authentication Server

Type: string

Maximum Length: 63 characters

Minimum Length: 1 character

Reference Object: /axapi/v3/aam/authentication/server/ocsp/instance

ocsp-sec

Description Secondary OCSP Authentication Server

Type: string

Maximum Length: 63 characters

Minimum Length: 1 character

Reference Object: /axapi/v3/aam/authentication/server/ocsp/instance

revocation-list_crl

Specification Value
Type object

crl-pri

Description Primary CRL URL (http://www.example.com/ocsp) (only .der filetypes)

Type: string

Format: string-rlx

Maximum Length: 255 characters

Minimum Length: 1 character

crl-sec

Description Secondary CRL URL (http://www.example.com/ocsp) (only .der filetypes)

Type: string

Format: string-rlx

Maximum Length: 255 characters

Minimum Length: 1 character

ipsec-sa

Specification Value
Type object

uuid

Description uuid of the object

Type: string

Maximum Length: 64 characters

Minimum Length: 1 character

default

Specification Value
Type object

uuid

Description uuid of the object

Type: string

Maximum Length: 64 characters

Minimum Length: 1 character

ike-sa

Specification Value
Type object

uuid

Description uuid of the object

Type: string

Maximum Length: 64 characters

Minimum Length: 1 character

sampling-enable

Specification Value
Type list
Block object keys  

counters1

Description ‘all’: all; ‘passthrough’: some help string; ‘ha-standby-drop’: some help string;

Type: string

Supported Values: all, passthrough, ha-standby-drop

errordump

Specification Value
Type object

uuid

Description uuid of the object

Type: string

Maximum Length: 64 characters

Minimum Length: 1 character

error

Specification Value
Type object

uuid

Description uuid of the object

Type: string

Maximum Length: 64 characters

Minimum Length: 1 character

group-list

Specification Value
Type object

uuid

Description uuid of the object

Type: string

Maximum Length: 64 characters

Minimum Length: 1 character

ipsec-list

Specification Value
Type list
Block object keys  

anti-replay-window

Description ‘0’: Disable Anti-Replay Window Check; ‘32’: Window size of 32; ‘64’: Window size of 64; ‘128’: Window size of 128; ‘256’: Window size of 256; ‘512’: Window size of 512; ‘1024’: Window size of 1024; ‘2048’: Window size of 2048; ‘3072’: Window size of 3072; ‘4096’: Window size of 4096; ‘8192’: Window size of 8192;

Type: string

Supported Values: 0, 32, 64, 128, 256, 512, 1024, 2048, 3072, 4096, 8192

Default: 0

bind-tunnel

Description: bind-tunnel is a JSON Block. Please see below for ipsec-list_bind-tunnel

Type: Object

Reference Object: /axapi/v3/vpn/ipsec/{name}/bind-tunnel

dh-group

Description ‘0’: Diffie-Hellman group 0 (Default); ‘1’: Diffie-Hellman group 1 - 768-bits; ‘2’: Diffie-Hellman group 2 - 1024-bits; ‘5’: Diffie-Hellman group 5 - 1536-bits; ‘14’: Diffie-Hellman group 14 - 2048-bits; ‘15’: Diffie-Hellman group 15 - 3072-bits; ‘16’: Diffie-Hellman group 16 - 4096-bits; ‘18’: Diffie-Hellman group 18 - 8192-bits; ‘19’: Diffie-Hellman group 19 - 256-bit Elliptic Curve; ‘20’: Diffie-Hellman group 20 - 384-bit Elliptic Curve;

Type: string

Supported Values: 0, 1, 2, 5, 14, 15, 16, 18, 19, 20

Default: 0

dscp

Description ‘default’: Default dscp (000000); ‘af11’: AF11 (001010); ‘af12’: AF12 (001100); ‘af13’: AF13 (001110); ‘af21’: AF21 (010010); ‘af22’: AF22 (010100); ‘af23’: AF23 (010110); ‘af31’: AF31 (011010); ‘af32’: AF32 (011100); ‘af33’: AF33 (011110); ‘af41’: AF41 (100010); ‘af42’: AF42 (100100); ‘af43’: AF43 (100110); ‘cs1’: CS1 (001000); ‘cs2’: CS2 (010000); ‘cs3’: CS3 (011000); ‘cs4’: CS4 (100000); ‘cs5’: CS5 (101000); ‘cs6’: CS6 (110000); ‘cs7’: CS7 (111000); ‘ef’: EF (101110); ‘0’: 000000; ‘1’: 000001; ‘2’: 000010; ‘3’: 000011; ‘4’: 000100; ‘5’: 000101; ‘6’: 000110; ‘7’: 000111; ‘8’: 001000; ‘9’: 001001; ‘10’: 001010; ‘11’: 001011; ‘12’: 001100; ‘13’: 001101; ‘14’: 001110; ‘15’: 001111; ‘16’: 010000; ‘17’: 010001; ‘18’: 010010; ‘19’: 010011; ‘20’: 010100; ‘21’: 010101; ‘22’: 010110; ‘23’: 010111; ‘24’: 011000; ‘25’: 011001; ‘26’: 011010; ‘27’: 011011; ‘28’: 011100; ‘29’: 011101; ‘30’: 011110; ‘31’: 011111; ‘32’: 100000; ‘33’: 100001; ‘34’: 100010; ‘35’: 100011; ‘36’: 100100; ‘37’: 100101; ‘38’: 100110; ‘39’: 100111; ‘40’: 101000; ‘41’: 101001; ‘42’: 101010; ‘43’: 101011; ‘44’: 101100; ‘45’: 101101; ‘46’: 101110; ‘47’: 101111; ‘48’: 110000; ‘49’: 110001; ‘50’: 110010; ‘51’: 110011; ‘52’: 110100; ‘53’: 110101; ‘54’: 110110; ‘55’: 110111; ‘56’: 111000; ‘57’: 111001; ‘58’: 111010; ‘59’: 111011; ‘60’: 111100; ‘61’: 111101; ‘62’: 111110; ‘63’: 111111;

Type: string

Supported Values: default, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, cs1, cs2, cs3, cs4, cs5, cs6, cs7, ef, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63

enc-cfg

Type: List

enforce-traffic-selector

Description Enforce Traffic Selector

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

ipsec-gateway

Description: ipsec-gateway is a JSON Block. Please see below for ipsec-list_ipsec-gateway

Type: Object

Reference Object: /axapi/v3/vpn/ipsec/{name}/ipsec-gateway

lifebytes

Description IPsec SA age in megabytes (0 indicates unlimited bytes)

Type: number

Range: 0-8000000

Default: 0

lifetime

Description IPsec SA age in seconds

Type: number

Range: 300-28800

Default: 28800

mode

Description ‘tunnel’: Encapsulating the packet in IPsec tunnel mode (Default);

Type: string

Supported Values: tunnel

Default: tunnel

name

Description IPsec name

Type: string

Maximum Length: 31 characters

Minimum Length: 1 character

proto

Description ‘esp’: Encapsulating security protocol (Default);

Type: string

Supported Values: esp

Default: esp

sampling-enable

Type: List

sequence-number-disable

Description Do not use incremental sequence number in the ESP header

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

traffic-selector

Description: traffic-selector is a JSON Block. Please see below for ipsec-list_traffic-selector

Type: Object

up

Description Initiates SA negotiation to bring the IPsec connection up

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

user-tag

Description Customized tag

Type: string

Format: string-rlx

Maximum Length: 127 characters

Minimum Length: 1 character

uuid

Description uuid of the object

Type: string

Maximum Length: 64 characters

Minimum Length: 1 character

ipsec-list_traffic-selector

Specification Value
Type object

ipv4

Description: ipv4 is a JSON Block. Please see below for ipsec-list_traffic-selector_ipv4

Type: Object

ipv6

Description: ipv6 is a JSON Block. Please see below for ipsec-list_traffic-selector_ipv6

Type: Object

ipsec-list_traffic-selector_ipv4

Specification Value
Type object

local

Description Local Traffic Selector

Type: string

Format: ipv4-address

Mutual Exclusion: local and localv6 are mutually exclusive

local_netmask

Description IPv4 Address Network Mask

Type: string

Format: ipv4-netmask

local_port

Description Port Number

Type: number

Range: 0-65535

protocol

Description IP Protocol Number (0-255)

Type: number

Range: 0-255

remote-ip

Description IPv4 Address

Type: string

Format: ipv4-address

Mutual Exclusion: remote-ip and remote-ipv4-assigned are mutually exclusive

remote-ipv4-assigned

Description Remote IP address assigned

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

Mutual Exclusion: remote-ipv4-assigned and remote-ip are mutually exclusive

remote_netmask

Description IPv4 Address Network Mask

Type: string

Format: ipv4-netmask

remote_port

Description Port Number

Type: number

Range: 0-65535

ipsec-list_traffic-selector_ipv6

Specification Value
Type object

local_portv6

Description Port Number

Type: number

Range: 0-65535

localv6

Description Local Traffic Selector

Type: string

Format: ipv6-address-plen

Mutual Exclusion: localv6 and local are mutually exclusive

protocolv6

Description IP Protocol Number (0-255)

Type: number

Range: 0-255

remote-ipv6

Description IPv6 Address

Type: string

Format: ipv6-address-plen

Mutual Exclusion: remote-ipv6 and remote-ipv6-assigned are mutually exclusive

remote-ipv6-assigned

Description Remote IPv6 address assigned

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

Mutual Exclusion: remote-ipv6-assigned and remote-ipv6 are mutually exclusive

remote_portv6

Description Port Number

Type: number

Range: 0-65535

ipsec-list_bind-tunnel

Specification Value
Type object

next-hop

Description IPsec Next Hop IP Address

Type: string

Format: ipv4-address

Mutual Exclusion: next-hop and next-hop-v6 are mutually exclusive

next-hop-v6

Description IPsec Next Hop IPv6 Address

Type: string

Format: ipv6-address

Mutual Exclusion: next-hop-v6 and next-hop are mutually exclusive

tunnel

Description Tunnel interface index

Type: number

Range: 1-128

Reference Object: /axapi/v3/interface/tunnel

uuid

Description uuid of the object

Type: string

Maximum Length: 64 characters

Minimum Length: 1 character

ipsec-list_sampling-enable

Specification Value
Type list
Block object keys  

counters1

Description ‘all’: all; ‘packets-encrypted’: Encrypted Packets; ‘packets-decrypted’: Decrypted Packets; ‘anti-replay-num’: Anti-Replay Failure; ‘rekey-num’: Rekey Times; ‘packets-err-inactive’: Inactive Error; ‘packets-err-encryption’: Encryption Error; ‘packets-err-pad-check’: Pad Check Error; ‘packets-err-pkt-sanity’: Packets Sanity Error; ‘packets-err-icv-check’: ICV Check Error; ‘packets-err-lifetime-lifebytes’: Lifetime Lifebytes Error; ‘bytes-encrypted’: Encrypted Bytes; ‘bytes-decrypted’: Decrypted Bytes; ‘prefrag-success’: Pre-frag Success; ‘prefrag-error’: Pre-frag Error; ‘cavium-bytes-encrypted’: CAVIUM Encrypted Bytes; ‘cavium-bytes-decrypted’: CAVIUM Decrypted Bytes; ‘cavium-packets-encrypted’: CAVIUM Encrypted Packets; ‘cavium-packets-decrypted’: CAVIUM Decrypted Packets; ‘qat-bytes-encrypted’: QAT Encrypted Bytes; ‘qat-bytes-decrypted’: QAT Decrypted Bytes; ‘qat-packets-encrypted’: QAT Encrypted Packets; ‘qat-packets-decrypted’: QAT Decrypted Packets; ‘tunnel-intf-down’: Packet dropped: Tunnel Interface Down; ‘pkt-fail-prep-to-send’: Packet dropped: Failed in prepare to send; ‘no-next-hop’: Packet dropped: No next hop; ‘invalid-tunnel-id’: Packet dropped: Invalid tunnel ID; ‘no-tunnel-found’: Packet dropped: No tunnel found; ‘pkt-fail-to-send’: Packet dropped: Failed to send; ‘frag-after-encap-frag-packets’: Frag-after-encap Fragment Generated; ‘frag-received’: Fragment Received; ‘sequence-num’: Sequence Number; ‘sequence-num-rollover’: Sequence Number Rollover; ‘packets-err-nh-check’: Next Header Check Error;

Type: string

Supported Values: all, packets-encrypted, packets-decrypted, anti-replay-num, rekey-num, packets-err-inactive, packets-err-encryption, packets-err-pad-check, packets-err-pkt-sanity, packets-err-icv-check, packets-err-lifetime-lifebytes, bytes-encrypted, bytes-decrypted, prefrag-success, prefrag-error, cavium-bytes-encrypted, cavium-bytes-decrypted, cavium-packets-encrypted, cavium-packets-decrypted, qat-bytes-encrypted, qat-bytes-decrypted, qat-packets-encrypted, qat-packets-decrypted, tunnel-intf-down, pkt-fail-prep-to-send, no-next-hop, invalid-tunnel-id, no-tunnel-found, pkt-fail-to-send, frag-after-encap-frag-packets, frag-received, sequence-num, sequence-num-rollover, packets-err-nh-check
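A detection pass over the counters listed above, added here as an example and not part of A10's documentation or product code. It polls nothing: it diffs two constructed snapshots of one tunnel's counters and raises an alert when a security-relevant counter (ICV failures, anti-replay drops, padding or sanity errors, sequence-number rollover, traffic past lifetime/lifebytes) grows beyond a per-interval threshold. The counter names are the ones documented under sampling-enable; the response shape {"ipsec": {"name": ..., "stats": {...}}} and the thresholds are assumptions for the example.

```python
"""Added example (not A10 code): turn two polls of the per-tunnel counters
listed under sampling-enable into security alerts.

Assumption not on this page: the stats document has the shape
{"ipsec": {"name": ..., "stats": {<counter>: <int>, ...}}}.  Both snapshots
below are constructed for the example, not captured from a device.
"""

# Counters whose growth is security-relevant, with the per-poll threshold
# above which to alert and the reason a responder should know.
ALERT_RULES = {
    "packets-err-icv-check": (0, "ESP ICV failures: tampering, wrong key or peer mismatch"),
    "anti-replay-num": (10, "anti-replay drops: replayed or badly reordered ESP packets"),
    "packets-err-pad-check": (0, "ESP padding errors: corrupted or forged ciphertext"),
    "packets-err-pkt-sanity": (0, "packet sanity failures on decrypted traffic"),
    "packets-err-nh-check": (0, "next-header check failures on decrypted traffic"),
    "sequence-num-rollover": (0, "sequence number rolled over: SA should have been rekeyed"),
    "packets-err-lifetime-lifebytes": (0, "traffic on an SA past its lifetime/lifebytes"),
}

# Constructed snapshots: T1 shows an inbound burst with ICV and replay failures.
SNAPSHOT_T0 = {"ipsec": {"name": "site-a", "stats": {
    "packets-encrypted": 100000, "packets-decrypted": 99000,
    "anti-replay-num": 3, "rekey-num": 4, "packets-err-icv-check": 0,
    "packets-err-pad-check": 0, "packets-err-pkt-sanity": 0,
    "packets-err-nh-check": 0, "sequence-num-rollover": 0,
    "packets-err-lifetime-lifebytes": 0}}}

SNAPSHOT_T1 = {"ipsec": {"name": "site-a", "stats": {
    "packets-encrypted": 100900, "packets-decrypted": 99850,
    "anti-replay-num": 61, "rekey-num": 4, "packets-err-icv-check": 17,
    "packets-err-pad-check": 0, "packets-err-pkt-sanity": 0,
    "packets-err-nh-check": 0, "sequence-num-rollover": 0,
    "packets-err-lifetime-lifebytes": 0}}}


def counter_deltas(prev, curr):
    """Per-counter growth between two polls.  A counter that went backwards
    (reboot or stats clear) is reported as its current value, not a negative."""
    p, c = prev["ipsec"]["stats"], curr["ipsec"]["stats"]
    deltas = {}
    for key, value in c.items():
        before = p.get(key, 0)
        deltas[key] = value - before if value >= before else value
    return deltas


def evaluate(prev, curr, rules=ALERT_RULES, replay_ratio=0.05):
    """Alert strings for counters whose growth exceeds the rule threshold,
    plus a ratio check so a replay burst is judged against inbound volume."""
    name = curr["ipsec"]["name"]
    deltas = counter_deltas(prev, curr)
    alerts = []
    for counter, (threshold, why) in rules.items():
        grew = deltas.get(counter, 0)
        if grew > threshold:
            alerts.append(f"{name}: {counter} +{grew} (threshold {threshold}): {why}")
    decrypted = max(deltas.get("packets-decrypted", 0), 1)
    replay = deltas.get("anti-replay-num", 0)
    if replay / decrypted > replay_ratio:
        alerts.append(f"{name}: {replay / decrypted:.1%} of inbound packets failed anti-replay")
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SNAPSHOT_T0, SNAPSHOT_T1):
        print(alert)
```

ICV and padding failures are zero on a healthy tunnel, so any growth is worth a ticket; anti-replay drops occur naturally under reordering, which is why that rule carries a threshold and a ratio against decrypted volume rather than firing on a single packet.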

ipsec-list_ipsec-gateway

Specification Value
Type object

ike-gateway

Description Gateway to use for IPsec SA

Type: string

Maximum Length: 31 characters

Minimum Length: 1 character

Reference Object: /axapi/v3/vpn/ike-gateway

uuid

Description uuid of the object

Type: string

Maximum Length: 64 characters

Minimum Length: 1 character

ipsec-list_enc-cfg

Specification Value
Type list
Block object keys  

encryption

Description ‘des’: Data Encryption Standard algorithm; ‘3des’: Triple Data Encryption Standard algorithm; ‘aes-128’: Advanced Encryption Standard algorithm CBC Mode(key size: 128 bits); ‘aes-192’: Advanced Encryption Standard algorithm CBC Mode(key size: 192 bits); ‘aes-256’: Advanced Encryption Standard algorithm CBC Mode(key size: 256 bits); ‘aes-gcm-128’: Advanced Encryption Standard algorithm Galois/Counter Mode(key size: 128 bits, ICV size: 16 bytes); ‘aes-gcm-192’: Advanced Encryption Standard algorithm Galois/Counter Mode(key size: 192 bits, ICV size: 16 bytes); ‘aes-gcm-256’: Advanced Encryption Standard algorithm Galois/Counter Mode(key size: 256 bits, ICV size: 16 bytes); ‘null’: No encryption algorithm;

Type: string

Supported Values: des, 3des, aes-128, aes-192, aes-256, aes-gcm-128, aes-gcm-192, aes-gcm-256, null

gcm_priority

Description Priority (1-10) of this security proposal; the lowest value has the highest priority

Type: number

Range: 1-10

Default: 5

hash

Description ‘md5’: MD5 Message-Digest Algorithm; ‘sha1’: Secure Hash Algorithm 1; ‘sha256’: Secure Hash Algorithm 256; ‘sha384’: Secure Hash Algorithm 384; ‘sha512’: Secure Hash Algorithm 512; ‘null’: No hash algorithm;

Type: string

Supported Values: md5, sha1, sha256, sha384, sha512, null

priority

Description Priority (1-10) of this security proposal; the lowest value has the highest priority

Type: number

Range: 1-10

Default: 5
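A worked configuration that ties together the ipsec attributes (dh-group, lifetime, lifebytes, sequence-number-disable), the ipsec-gateway and traffic-selector blocks and the enc-cfg proposals documented above, added here as an example and not code from A10 or its documentation. It assembles the POST body, lints it against the documented ranges and mutual exclusions and against weak algorithm choices (DES/3DES/null, MD5/SHA-1, sub-2048-bit or absent DH), and prepares the request without sending it. Assumptions not on this page: the collection URI /axapi/v3/vpn/ipsec is inferred from the reference-object paths, the body wraps the attributes under an "ipsec" key, the AXAPI session signature travels in an "Authorization: A10 <signature>" header, and host, gateway names and addresses are placeholders.

```python
"""Added example (not A10 code): assemble an AXAPI v3 IPsec object from the
attributes documented above, lint it against the documented ranges and against
weak algorithm choices, and prepare (but not send) the POST request.

Assumptions not stated on this page: the collection URI is /axapi/v3/vpn/ipsec
(inferred from the reference-object paths), the body wraps the attributes under
an "ipsec" key, and the session signature travels in an
"Authorization: A10 <signature>" header.  host and signature are placeholders.
"""
import json
import urllib.request

ALLOWED_DH = {"0", "1", "2", "5", "14", "15", "16", "18", "19", "20"}
WEAK_DH = {"0", "1", "2", "5"}      # 0: no DH for the IPsec SA (no PFS); 1/2/5: < 2048-bit
WEAK_ENC = {"des", "3des", "null"}
WEAK_HASH = {"md5", "sha1", "null"}
AEAD = {"aes-gcm-128", "aes-gcm-192", "aes-gcm-256"}   # carry their own 16-byte ICV

# First choice AES-GCM-256; AES-256-CBC with SHA-256 as the fallback proposal.
HARDENED_ENC_CFG = [
    {"encryption": "aes-gcm-256", "gcm_priority": 1},
    {"encryption": "aes-256", "hash": "sha256", "priority": 2},
]


def build_ipsec(name, ike_gateway, local, local_mask, remote, remote_mask,
                dh_group="14", lifetime=3600, lifebytes=0, enc_cfg=None):
    """POST body for one IPsec object with an IPv4 traffic selector."""
    return {"ipsec": {
        "name": name,
        "proto": "esp",
        "mode": "tunnel",
        "dh-group": dh_group,
        "lifetime": lifetime,
        "lifebytes": lifebytes,
        "enforce-traffic-selector": 1,
        "sequence-number-disable": 0,
        "enc-cfg": enc_cfg or HARDENED_ENC_CFG,
        "ipsec-gateway": {"ike-gateway": ike_gateway},
        "traffic-selector": {"ipv4": {
            "local": local, "local_netmask": local_mask,
            "remote-ip": remote, "remote_netmask": remote_mask,
        }},
    }}


def lint_ipsec(payload):
    """Findings against the documented constraints; [] means clean."""
    o, f = payload["ipsec"], []
    if not 1 <= len(o["name"]) <= 31:
        f.append("name must be 1-31 characters")
    dh = str(o["dh-group"])
    if dh not in ALLOWED_DH:
        f.append(f"dh-group {dh} is not a supported value")
    elif dh in WEAK_DH:
        f.append(f"dh-group {dh}: 0 gives the IPsec SA no PFS, 1/2/5 are below 2048-bit")
    if not 300 <= o["lifetime"] <= 28800:
        f.append("lifetime outside the documented 300-28800 seconds")
    if not 0 <= o["lifebytes"] <= 8000000:
        f.append("lifebytes outside the documented 0-8000000 megabytes")
    if o.get("sequence-number-disable"):
        f.append("sequence-number-disable=1 defeats ESP anti-replay")
    if not o.get("enc-cfg"):
        f.append("enc-cfg is empty: no proposal to negotiate")
    for e in o.get("enc-cfg", []):
        enc, h = e.get("encryption"), e.get("hash")
        if enc in WEAK_ENC:
            f.append(f"encryption {enc}: deprecated (des/3des) or no confidentiality (null)")
        if enc not in AEAD and h in WEAK_HASH:
            f.append(f"hash {h} with {enc}: weak (md5/sha1) or missing (null) integrity")
    v4 = o.get("traffic-selector", {}).get("ipv4", {})
    if "remote-ip" in v4 and v4.get("remote-ipv4-assigned"):
        f.append("remote-ip and remote-ipv4-assigned are mutually exclusive")
    return f


def prepare_request(host, signature, payload):
    """Build the POST as a urllib Request without sending it."""
    return urllib.request.Request(
        f"https://{host}/axapi/v3/vpn/ipsec",
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": f"A10 {signature}"},
        method="POST",
    )


if __name__ == "__main__":
    good = build_ipsec("site-a", "gw-a", "10.1.0.0", "255.255.0.0",
                       "10.2.0.0", "255.255.0.0")
    weak = build_ipsec("site-b", "gw-b", "10.1.0.0", "255.255.0.0",
                       "10.2.0.0", "255.255.0.0", dh_group="2", lifetime=60,
                       enc_cfg=[{"encryption": "3des", "hash": "md5"}])
    print("hardened:", lint_ipsec(good) or "clean")
    for line in lint_ipsec(weak):
        print("weak:", line)
    print(prepare_request("10.0.0.1", "SESSION-SIGNATURE", good).full_url)
```

The lint skips the hash check for the AES-GCM entries because an AEAD cipher produces its own ICV; for CBC entries the integrity algorithm is the only thing protecting the ciphertext, so md5, sha1 and null are flagged there. Run the linter before every POST and PUT against the object, since the API accepts the weak values as readily as the strong ones.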

crl

Specification Value
Type object

uuid

Description uuid of the object

Type: string

Maximum Length: 64 characters

Minimum Length: 1 character