ike-sainfo
The ike-sainfo configuration element enables negotiation and establishment of IPsec tunnels.
Parameters
- name
- Enter the unique name of this instance of the ike-sainfo configuration element.
- Default: None
- Values: A valid configuration element name that is unique within the ike-sainfo namespace
- security-protocol
- Enter the IPsec security (authentication and encryption) protocols supported by this SA.
- Default: ah
- Values:
- ah—RFC 4302 authentication services
- esp—RFC 4303 encryption services
- esp-auth—RFC 4303 encryption and authentication services
- esp-null—RFC 4303 encapsulation, lacks encryption — not for production environments
- auth-algo
- Set the authentication algorithms supported by this SA.
- Default: any
- Values:
- any-Choose any
- md5-Message Digest algorithm 5
- sha1-Secure Hash Algorithm
- ipsec-mode
- Select the IPsec operational mode. Transport mode provides a secure end-to-end connection between two IP hosts. Tunnel mode provides VPN service in which entire IP packets are encapsulated within an outer IP envelope and delivered from source (an IP host) to destination (generally a secure gateway) across an untrusted internet.
- Default: transport
- Values: transport | tunnel
- tunnel-local-addr
- Enter the IP address of the local IP interface that terminates the IPsec tunnel (relevant only if the ipsec-mode is tunnel, and otherwise is ignored).
- Default: None
- Values: Any valid local IP address
- tunnel-remote-addr
- Enter the IP address of the remote peer or host (relevant only if the ipsec-mode is tunnel, and is otherwise ignored).
- Default: * (matches all IP addresses)
- Values: Any valid IP address
Path
ike-sainfo is a subelement under the ike element. The full path from the topmost ACLI prompt is: configure terminal > security > ike > ike-sainfo.
Note:
This is a multiple instance configuration element.
Configures an ike-sainfo instance named star.
Default values for auth-algo (any) and encryption-algo (any) provide support for MD5 and SHA1 authentication and AES/3DES encryption. The default value for tunnel-remote-addr (*) matches all IPv4 addresses.
Non-default values specify IPsec tunnel mode running ESP, and identify the local tunnel endpoint.
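The defaults listed above (ah, auth-algo any, tunnel-remote-addr *) are permissive, so an instance left mostly at defaults is worth auditing before deployment. The following is an added example, not part of the product documentation: it applies the defaults and value lists from this page to a settings listing and reports weak or inconsistent choices. The "parameter value" line format, the function names and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress

# Defaults and listed values, taken from the parameter reference on this page.
DEFAULTS = {"security-protocol": "ah", "auth-algo": "any", "ipsec-mode": "transport",
            "tunnel-local-addr": None, "tunnel-remote-addr": "*"}
ALLOWED = {"security-protocol": {"ah", "esp", "esp-auth", "esp-null"},
           "auth-algo": {"any", "md5", "sha1"}, "ipsec-mode": {"transport", "tunnel"}}
# Constructed samples (hypothetical names, documentation-range addresses).
LOOSE = "name example-loose\nipsec-mode tunnel"
TIGHT = ("name example-tight\nsecurity-protocol esp-auth\nauth-algo sha1\n"
         "ipsec-mode tunnel\ntunnel-local-addr 192.0.2.1\ntunnel-remote-addr 198.51.100.7")

def parse(text):
    """Parse 'parameter value' lines (constructed format, not ACLI output)."""
    cfg = dict(DEFAULTS)
    for line in filter(str.strip, text.splitlines()):
        key, _, value = line.strip().partition(" ")
        cfg[key] = value.strip()
    return cfg

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except (ValueError, TypeError):
        return False

def audit(cfg):
    """Return a list of findings for one ike-sainfo instance."""
    out = [f"{k}: '{cfg[k]}' is not a listed value"
           for k, allowed in ALLOWED.items() if cfg[k] not in allowed]
    proto = cfg["security-protocol"]
    if proto == "esp-null":
        out.append("security-protocol: esp-null lacks encryption, not for production")
    elif proto == "ah":
        out.append("security-protocol: ah gives authentication only, no encryption")
    if cfg["auth-algo"] in ("any", "md5"):
        out.append(f"auth-algo: '{cfg['auth-algo']}' allows MD5 to be negotiated")
    local, remote = cfg["tunnel-local-addr"], cfg["tunnel-remote-addr"]
    if cfg["ipsec-mode"] == "tunnel":
        if not is_ip(local):
            out.append("tunnel-local-addr: tunnel mode needs a valid local IP address")
        if remote == "*":
            out.append("tunnel-remote-addr: '*' matches all IP addresses")
        elif not is_ip(remote):
            out.append("tunnel-remote-addr: not a valid IP address")
    elif local is not None or remote != "*":
        out.append("tunnel-*-addr: ignored unless ipsec-mode is tunnel")
    return out
```

Calling audit(parse(LOOSE)) reports the four default-driven findings, while audit(parse(TIGHT)) returns an empty list.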