Fabric OS Command Reference
459
53-1001764-01
ipSecConfig
2
-mode tunnel | transport
    Specifies the IPSec transform mode. In tunnel mode, the IP datagram is fully
    encapsulated by a new IP datagram using the IPSec protocol. In transport
    mode, only the payload of the IP datagram is handled by the IPSec protocol,
    which inserts the IPSec header between the IP header and the upper-layer
    protocol header.

-sa-proposal name
    Specifies the SA proposal to be included in the transform. You must create
    the SA proposal before you can include it in the transform. Use
    ipsecConfig --show policy ips sa-proposal -a for a listing of existing SA
    proposals.

-action discard | bypass | protect
    Specifies the protective action the transform takes on the matching traffic
    flows.

-ike name
    Specifies the IKE policy to be included in the transform. This operand is
    optional. Use ipsecConfig --show policy ike -a for a listing of existing IKE
    policies.

-local IP_address[/prefixlength]
    Specifies the source IPv4 or IPv6 address. This operand is optional. If a local
    source IP address is defined, a remote peer IP address must also be defined.

-remote IP_address[/prefixlength]
    Specifies the peer IPv4 or IPv6 address. This operand is optional. If a remote
    peer IP address is defined, a local source IP address must also be defined.

sa-proposal
    Defines the security association (SA) proposal, including its name, the SAs to be
    included, and the lifetime of the proposal. The following operands are supported:

    -tag name
        Specifies a name for the SA proposal. This is a user-generated name. The
        name must be between 1 and 32 characters in length, and may include
        alphanumeric characters, dashes (-), and underscores (_).

    -sa name[,name]
        Specifies the SAs to include in the SA proposal. The bundle consists of one
        or two SA names, separated by commas. For SA bundles, [AH, ESP] is the
        only supported combination. The SAs must be created before they are included in
        the SA proposal. This operand is required.

    -lttime number
        Specifies the SA proposal's lifetime in seconds. This operand is optional. If no
        lifetime is specified, the SA does not expire. If a lifetime is specified both in
        seconds and in bytes, the SA expires when the first expiration criterion is met.

    -ltbyte number
        Specifies the SA proposal's lifetime in bytes. The SA expires after the
        specified number of bytes have been transmitted. This operand is optional.

sa
    Defines the Security Association. An SA specifies the IPSec protocol (AH or
    ESP), the algorithms used for encryption and authentication, and the
    expiration definitions used in security associations of the traffic. IKE uses
    these values in negotiations to create IPSec SAs.

    You cannot modify an SA once it is created. Use ipsecConfig --flush manual-sa
    to remove all SA entries from the kernel SA database (SADB) and start over.
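The operand descriptions above carry several constraints that are easy to get wrong when the commands are scripted: the -tag name rule, the one-or-two-SA bundle limited to [AH, ESP], the requirement that SAs and SA proposals exist before anything references them, the -local/-remote pairing, and the "first criterion met" lifetime semantics. The following Python validator is an added example, not part of the Fabric OS documentation or Brocade tooling; it checks a proposal and a transform against those rules and renders the sa-proposal command line. The ipsecConfig --add policy ips prefix used in proposal_command is an assumption taken from the verb pattern elsewhere in this command (this page only shows --show and --flush), and the existing_sas / existing_proposals / existing_ike inputs stand in for the output of the --show listings.

```python
"""Offline checks for ipsecConfig sa-proposal and transform operands (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# -tag rule: 1 to 32 characters drawn from alphanumerics, dashes and underscores.
NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")
MODES = {"tunnel", "transport"}
ACTIONS = {"discard", "bypass", "protect"}


@dataclass
class SAProposal:
    tag: str
    sas: List[str]                  # one or two names of already-created SAs
    lttime: Optional[int] = None    # lifetime in seconds, None = no limit
    ltbyte: Optional[int] = None    # lifetime in bytes, None = no limit


@dataclass
class Transform:
    mode: str
    sa_proposal: str
    action: str
    ike: Optional[str] = None
    local: Optional[str] = None     # IP_address[/prefixlength]
    remote: Optional[str] = None    # IP_address[/prefixlength]


def validate_proposal(p: SAProposal, existing_sas: Dict[str, str]) -> List[str]:
    """Return violations (empty list = acceptable). existing_sas maps an SA name to
    its protocol ("AH" or "ESP"), as fixed when that SA was created (assumed input)."""
    errors: List[str] = []
    if not NAME_RE.match(p.tag):
        errors.append("tag must be 1-32 alphanumeric/-/_ characters")
    if not 1 <= len(p.sas) <= 2:
        errors.append("bundle must contain one or two SA names")
    missing = [s for s in p.sas if s not in existing_sas]
    if missing:
        errors.append(f"SAs must exist before use: {missing}")
    # A two-SA bundle must be exactly one AH and one ESP SA.
    if len(p.sas) == 2 and not missing:
        if sorted(existing_sas[s] for s in p.sas) != ["AH", "ESP"]:
            errors.append("only the [AH, ESP] bundle combination is supported")
    for label, value in (("lttime", p.lttime), ("ltbyte", p.ltbyte)):
        if value is not None and value <= 0:
            errors.append(f"{label} must be a positive number")
    return errors


def validate_transform(t: Transform, existing_proposals: Set[str],
                       existing_ike: Set[str]) -> List[str]:
    """Check a transform's operands against the rules stated for them."""
    errors: List[str] = []
    if t.mode not in MODES:
        errors.append("mode must be tunnel or transport")
    if t.action not in ACTIONS:
        errors.append("action must be discard, bypass or protect")
    if t.sa_proposal not in existing_proposals:
        errors.append("sa-proposal must be created before the transform references it")
    if t.ike is not None and t.ike not in existing_ike:
        errors.append("ike policy does not exist")
    # -local and -remote are each optional but must be given together.
    if (t.local is None) != (t.remote is None):
        errors.append("-local and -remote must be defined together")
    for label, addr in (("local", t.local), ("remote", t.remote)):
        if addr is None:
            continue
        try:
            ipaddress.ip_network(addr, strict=False)   # accepts v4/v6, with or without prefix
        except ValueError:
            errors.append(f"{label} is not a valid IPv4/IPv6 address or prefix")
    return errors


def sa_expired(age_seconds: int, bytes_sent: int,
               lttime: Optional[int], ltbyte: Optional[int]) -> bool:
    """Lifetime semantics from -lttime/-ltbyte: no limits means the SA never expires;
    with both limits set, the first criterion reached expires it."""
    if lttime is not None and age_seconds >= lttime:
        return True
    if ltbyte is not None and bytes_sent >= ltbyte:
        return True
    return False


def proposal_command(p: SAProposal) -> str:
    """Render the command line. The '--add policy ips' verb is an assumption; the
    operand names -tag/-sa/-lttime/-ltbyte are the ones documented above."""
    parts = ["ipsecConfig --add policy ips sa-proposal", "-tag", p.tag, "-sa", ",".join(p.sas)]
    if p.lttime is not None:
        parts += ["-lttime", str(p.lttime)]
    if p.ltbyte is not None:
        parts += ["-ltbyte", str(p.ltbyte)]
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed sample inventory standing in for 'ipsecConfig --show' output.
    sas = {"ah1": "AH", "esp1": "ESP", "esp2": "ESP"}
    good = SAProposal("prop-1", ["ah1", "esp1"], lttime=28800)
    print(validate_proposal(good, sas), proposal_command(good))
    print(validate_proposal(SAProposal("prop-2", ["esp1", "esp2"]), sas))
```

Running the validator before pushing a batch of ipsecConfig commands catches ordering mistakes (a transform referencing a proposal that has not been added yet) and the half-specified -local/-remote case, both of which would otherwise surface only as a rejected command on the switch.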