Chapter 40 IPSec VPN
UAG CLI Reference Guide
40.2.2 IPSec SA Commands (except Manual Keys)
This table lists the commands for IPSec SAs, excluding manual keys (VPN connections using VPN
gateways).
Table 122 crypto Commands: IPSec SAs

| COMMAND | DESCRIPTION |
| --- | --- |
| `[no] crypto ignore-df-bit` | Fragment packets larger than the MTU (Maximum Transmission Unit) that have the "don't fragment" bit in the header turned on. The `no` command has the UAG drop packets larger than the MTU that have the "don't fragment" bit in the header turned on. |
| `show crypto map [map_name]` | Shows the specified IPSec SA or all IPSec SAs. |
| `crypto map dial map_name` | Dials the specified IPSec SA manually. This command does not work for IPSec SAs using manual keys or for IPSec SAs where the remote gateway address is 0.0.0.0. |
| `[no] crypto map map_name` | Creates the specified IPSec SA if necessary and enters sub-command mode. The `no` command deletes the specified IPSec SA. |
| `activate`<br>`deactivate` | Activates or deactivates the specified IPSec SA. |
| `adjust-mss {auto \| <200..1500>}` | Sets a specific number of bytes for the Maximum Segment Size (MSS), meaning the largest amount of data in a single TCP segment or IP datagram for this VPN connection, or use `auto` to have the UAG automatically set it. |
| `ipsec-isakmp policy_name` | Specifies the IKE SA for this IPSec SA and disables manual key. |
| `encapsulation {tunnel \| transport}` | Sets the encapsulation mode. |
| `transform-set crypto_algo_esp [crypto_algo_esp [crypto_algo_esp]]` | Sets the active protocol to ESP and sets the encryption and authentication algorithms for each proposal.<br>`crypto_algo_esp`: esp-null-md5 \| esp-null-sha \| esp-null-sha256 \| esp-null-sha512 \| esp-des-md5 \| esp-des-sha \| esp-des-sha256 \| esp-des-sha512 \| esp-3des-md5 \| esp-3des-sha \| esp-3des-sha256 \| esp-3des-sha512 \| esp-aes128-md5 \| esp-aes128-sha \| esp-aes128-sha256 \| esp-aes128-sha512 \| esp-aes192-md5 \| esp-aes192-sha \| esp-aes192-sha256 \| esp-aes192-sha512 \| esp-aes256-md5 \| esp-aes256-sha \| esp-aes256-sha256 \| esp-aes256-sha512 |
| `transform-set crypto_algo_ah [crypto_algo_ah [crypto_algo_ah]]` | Sets the active protocol to AH and sets the encryption and authentication algorithms for each proposal.<br>`crypto_algo_ah`: ah-md5 \| ah-sha \| ah-sha256 \| ah-sha512 |
| `scenario {site-to-site-static\|site-to-site-dynamic\|remote-access-server\|remote-access-client}` | Select the scenario that best describes your intended VPN connection.<br>Site-to-site: The remote IPSec router has a static IP address or a domain name. This UAG can initiate the VPN tunnel.<br>`site-to-site-dynamic`: The remote IPSec router has a dynamic IP address. Only the remote IPSec router can initiate the VPN tunnel.<br>`remote-access-server`: Allow incoming connections from IPSec VPN clients. The clients have dynamic IP addresses and are also known as dial-in users. Only the clients can initiate the VPN tunnel.<br>`remote-access-client`: Choose this to connect to an IPSec server. This UAG is the client (dial-in user) and can initiate the VPN tunnel. |
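The transform-set values in the table range from unencrypted (esp-null-*, ah-*) to AES-256 with SHA-512, so a saved configuration is worth checking for legacy proposals. The following is an added example, not part of the Zyxel guide: it assumes a saved configuration lists each `crypto map` followed by its sub-commands, that `sha` denotes SHA-1, and the weak/legacy classification is this example's own policy.

```python
# Policy tables are this example's assumption; "sha" is assumed to mean SHA-1.
WEAK_CIPHERS = {"null": "no encryption", "des": "56-bit DES key",
                "3des": "3DES, 64-bit block cipher"}
WEAK_HASHES = {"md5": "MD5 integrity", "sha": "SHA-1 integrity"}

def audit_transform(name):
    """Return findings for one transform-set value (empty list = nothing flagged)."""
    parts = name.split("-")
    findings = []
    if parts[0] == "ah" and len(parts) == 2:
        findings.append("AH only, payload is not encrypted")
    elif parts[0] == "esp" and len(parts) == 3:
        if parts[1] in WEAK_CIPHERS:
            findings.append(WEAK_CIPHERS[parts[1]])
    else:
        return ["unrecognised transform name"]
    if parts[-1] in WEAK_HASHES:
        findings.append(WEAK_HASHES[parts[-1]])
    return findings

def audit_config(text):
    """Map crypto map name -> {transform: findings} for every flagged proposal."""
    report, current = {}, None
    for line in text.splitlines():
        words = line.split()
        if words[:2] == ["crypto", "map"] and len(words) == 3:
            current = words[2]           # entering sub-command mode for this SA
        elif words[:1] == ["transform-set"] and current:
            for transform in words[1:]:  # up to three proposals per command
                found = audit_transform(transform)
                if found:
                    report.setdefault(current, {})[transform] = found
    return report

# Constructed sample; the layout of a saved configuration is an assumption.
SAMPLE = """\
crypto map HQ_TUNNEL
 ipsec-isakmp HQ_GW
 encapsulation tunnel
 transform-set esp-aes256-sha256 esp-3des-sha
 scenario site-to-site-static
crypto map LEGACY
 transform-set ah-md5
crypto map BRANCH
 transform-set esp-aes128-sha512
"""

if __name__ == "__main__":
    for map_name, flagged in audit_config(SAMPLE).items():
        print(map_name, flagged)
```

Because the remote gateway can select any proposal listed on the command, one legacy entry is enough to flag the whole IPSec SA.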