# Command Line Reference

## IPSec Configuration
### show ipsec

- [command] `show ipsec`
- [purpose] Display IPsec information
- [view] System view
- [use cases] `sonic# show ipsec`

### ipsec <name>

- [command] `ipsec <name>`
- [purpose] Create an IPsec configuration group and enter the IPsec view
- [view] System configuration view
- [use cases] `sonic# ipsec test`

### ike crypto-alg

- [command] `ike crypto-alg {des-iv64|des|3des|rc5|idea|cast|blowfish|3idea|des-iv32|null|aes-cbc|aes-ctr|aes-gcm-16} crypto-alg-size <0-65535> integ-alg {none|md5-96|sha1-96|des-mac|kpdk-md5|aes-xcbc-96|md5-128|sha1-160|cmac-96|aes-128-gmac|aes-192-gmac|aes-256-gmac|hmac-sha2-256-128|hmac-sha2-384-192|hmac-sha2-512-256} dh {none|modp-768|modp-1024|modp-1536|modp-2048|modp-3072|modp-4096|modp-6144|modp-8192|ecp-192|ecp-256|ecp-384|ecp-512|modp-1024-160|modp-2048-224|modp-2048-256}`
- [purpose] Configure the IKE encryption algorithm, key length, authentication (integrity) algorithm and DH group
- [view] IPsec configuration view
- [parameter]

| Parameter | Description |
| --- | --- |
| crypto-alg | Encryption algorithm |
| crypto-alg-size | Key length |
| integ-alg | Authentication algorithm |
| dh | DH algorithm (group) |

- [use cases] `sonic(config-ipsec-test)# ike crypto-alg des-iv64 crypto-alg-size 128 integ-alg md5-128 dh modp-4096`

### ike local type {ip4|ip6|rfc822|fqdn} data

- [command] `ike local type {ip4|ip6|rfc822|fqdn} data <value>`
- [purpose] Configure the ID type and ID of the local user in IKE users
- [view] IPsec configuration view
- [parameter]

| Parameter | Description |
| --- | --- |
| type | ID type |
| data | ID value |

- [use cases] `sonic(config-ipsec-test)# ike local type ip4 data 1.1.1.1`

### ike remote type {ip4|ip6|rfc822|fqdn} data

- [command] `ike remote type {ip4|ip6|rfc822|fqdn} data <value>`
- [purpose] Configure the ID type and ID of the remote user in IKE users
- [view] IPsec configuration view
- [parameter]

| Parameter | Description |
| --- | --- |
| type | ID type |
| data | ID value |

- [use cases] `sonic(config-ipsec-test)# ike remote type ip4 data 1.1.1.1`

### ike traffic-selector {local|remote} {ip4|ip6} addr-start

- [command] `ike traffic-selector {local|remote} {ip4|ip6} addr-start A.B.C.D addr-end A.B.C.D port-start <0-65535> port-end <0-65535> protocol <0-255>`
- [purpose] Configure the data streams (traffic selectors) to be protected
- [view] IPsec configuration view
- [parameter]

| Parameter | Description |
| --- | --- |
| local\|remote | Local IP or remote IP |
| ip4\|ip6 | IP type |
| addr-start | Start IP address |
| addr-end | End IP address |
| port-start | Start port |
| port-end | End port |
| protocol | Protocol number |

- [use cases] `sonic(config-ipsec-test)# ike traffic-selector local ip4 addr-start 1.1.1.1 addr-end 2.2.2.2 port-start 0 port-end 65535 protocol 6`

### sa

- [command] `sa {des-iv64|des|3des|rc5|idea|cast|blowfish|3idea|des-iv32|null|aes-cbc|aes-ctr|aes-gcm-16} crypto-alg-size <0-65535> integ-alg {none|md5-96|sha1-96|des-mac|kpdk-md5|aes-xcbc-96|md5-128|sha1-160|cmac-96|aes-128-gmac|aes-192-gmac|aes-256-gmac|hmac-sha2-256-128|hmac-sha2-384-192|hmac-sha2-512-256}`
- [purpose] Configure the SA encryption algorithm, key length and authentication (integrity) algorithm
- [view] IPsec configuration view
- [parameter]

| Parameter | Description |
| --- | --- |
| sa | Encryption algorithm |
| crypto-alg-size | Key length |
| integ-alg | Authentication algorithm |

- [use cases] `sonic(config-ipsec-test)# sa des-iv64 crypto-alg-size 128 integ-alg md5-128 dh modp-4096`

### sa lifetime

- [command] `sa lifetime <value> [jitter <value>] [handover <value>] [max-bytes <value>]`
- [purpose] SA negotiation (rekeying) configuration
- [view] IPsec configuration view
- [parameter]

| Parameter | Description |
| --- | --- |
| lifetime | Lifetime of the SA |
| jitter | Random jitter time (seconds), to avoid simultaneous renegotiation at both ends |
| handover | Smooth transition time (seconds): the old SA is retained for this long so that traffic is not interrupted before the new SA is established |
| max-bytes | SA data transfer limit; renegotiation is triggered when the limit is exceeded |

- [use cases] `sonic(config-ipsec-test)# sa lifetime 600 jitter 300 handover 120 max-bytes 10000`

### sa natt {enable|disable}

- [command] `sa natt {enable|disable}`
- [purpose] NAT traversal detection switch
- [view] IPsec configuration view
- [use cases] `sonic(config-ipsec-test)# sa natt enable`

### sa tunnel {ip4|ip6} src-ip

- [command] `sa tunnel {ip4|ip6} src-ip A.B.C.D dst-ip A.B.C.D next-hop A.B.C.D remote-ip A.B.C.D/M shared-interface <name>`
- [purpose] Configure the IPsec tunnel
- [view] IPsec configuration view
- [parameter]

| Parameter | Description |
| --- | --- |
| ip4\|ip6 | Tunnel IP type |
| src-ip | IKE local IP |
| dst-ip | IKE remote IP |
| next-hop | Next node (next hop) |
| remote-ip | Route to the destination network |
| shared-interface | IPsec tunnel port |

- [use cases] `sonic(config-ipsec-test)# sa tunnel ip4 src-ip 10.1.1.101 dst-ip 20.1.1.2 next-hop 10.1.1.1 remote-ip 90.0.0.0/24 shared-interface dialer1`

### shared-key mic {string|hex}

- [command] `shared-key mic {string|hex} <value>`
- [purpose] Configure the shared (pre-shared) key
- [view] IPsec configuration view
- [parameter]

| Parameter | Description |
| --- | --- |
| value | Shared key |

- [use cases] `sonic(config-ipsec-test)# shared-key mic string 12345678`

### ipsec <name> peer {ip4|ip6}

- [command] `ipsec <name> peer {ip4|ip6} A.B.C.D|X:X::X:X`
- [purpose] Bind an IPsec configuration group to a port
- [view] Interface configuration view
- [parameter]

| Parameter | Description |
| --- | --- |
| name | IPsec configuration group name |
| A.B.C.D\|X:X::X:X | Peer IPv4/IPv6 address |

- [use cases] `sonic(config-if-16)# ipsec test peer ip4 1.1.1.1`
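As an added example (not part of this command reference or of the switch firmware), a small Python checker that parses the `ike crypto-alg` and `sa` lines in the syntax documented above and flags algorithm choices a reviewer would reject; note that the reference's own use case (`des-iv64` with `md5-128`) is one it flags. The weak-algorithm sets, the key-size threshold and the sample configuration are the example's own assumptions.

```python
"""Lint IKE/SA algorithm selections written in the IPsec CLI syntax above."""
import re

# Algorithm names exactly as listed in the command reference; which ones are
# treated as weak is this example's policy, not the switch's.
WEAK_CRYPTO = {"des-iv64", "des", "3des", "rc5", "idea", "cast", "blowfish",
               "3idea", "des-iv32", "null"}
WEAK_INTEG = {"none", "md5-96", "md5-128", "sha1-96", "sha1-160", "des-mac",
              "kpdk-md5"}
WEAK_DH = {"none", "modp-768", "modp-1024", "modp-1536", "modp-1024-160",
           "ecp-192"}
AEAD = {"aes-gcm-16"}  # AEAD ciphers legitimately take integ-alg none

IKE_RE = re.compile(
    r"^ike crypto-alg (\S+) crypto-alg-size (\d+) integ-alg (\S+) dh (\S+)$")
SA_RE = re.compile(
    r"^sa (\S+) crypto-alg-size (\d+) integ-alg (\S+)(?: dh (\S+))?$")

def lint_line(line):
    """Return the findings for one config line; other commands yield []."""
    m = IKE_RE.match(line.strip()) or SA_RE.match(line.strip())
    if not m:
        return []
    crypto, size, integ, dh = m.group(1), int(m.group(2)), m.group(3), m.group(4)
    findings = []
    if crypto in WEAK_CRYPTO:
        findings.append(f"weak encryption algorithm {crypto}")
    elif crypto.startswith("aes") and size < 128:
        findings.append(f"AES key size {size} below 128 bits")
    # 'none' is only acceptable when the cipher itself authenticates (AEAD).
    if integ in WEAK_INTEG and not (integ == "none" and crypto in AEAD):
        findings.append(f"weak integrity algorithm {integ}")
    if dh in WEAK_DH:  # dh is None for 'sa' lines without a dh clause
        findings.append(f"weak DH group {dh}")
    return findings

def lint_config(text):
    """Map each offending line of a config dump to its findings."""
    report = {}
    for ln in text.splitlines():
        findings = lint_line(ln)
        if findings:
            report[ln.strip()] = findings
    return report

# Constructed sample configuration in the documented syntax (not from the page).
SAMPLE_CONFIG = """\
ipsec test
ike crypto-alg des-iv64 crypto-alg-size 128 integ-alg md5-128 dh modp-4096
sa aes-gcm-16 crypto-alg-size 256 integ-alg none
sa lifetime 600 jitter 300 handover 120 max-bytes 10000
"""
```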
