ike-sainfo

The ike-sainfo configuration element enables negotiation and establishment of IPsec tunnels. To configure this element, install your platform-specific IPsec license.

Parameters

name
Enter the unique name of this instance of the ike-sainfo configuration element.
  • Default: None
  • Values: A valid configuration element name that is unique within the ike-sainfo namespace
security-protocol
Enter the IPsec security (authentication and encryption) protocols supported by this SA.
  • Default: esp-auth
  • Values:
    • ah—RFC 4302 authentication services
    • esp—RFC 4303 encryption services
    • esp-auth—RFC 4303 encryption and authentication services
    • esp-null—RFC 4303 encapsulation, lacks encryption.

      Note: For development environments only.

Note:

On virtual platforms, only the default setting is supported.
auth-algo
Set the authentication algorithms supported by this SA.
  • Default: sha2-512
  • Values: any | md5 | sha1 | xcbc | sha2-256 | sha2-384 | sha2-512

Note:

On virtual platforms, only the default setting is supported.
encryption-algo
Set the allowed encryption algorithms.
  • Default: aes
  • Values: any | 3des | aes | aes-ctr | null

Note:

On virtual platforms, only the default setting is supported.
ipsec-mode
Select the IPsec operational mode. Transport mode provides a secure end-to-end connection between two IP hosts. Tunnel mode provides VPN service: entire IP packets are encapsulated within an outer IP envelope and delivered from the source (an IP host) to the destination (generally a secure gateway) across an untrusted internet.
  • Default: transport
  • Values: transport | tunnel
tunnel-local-addr
Enter the IP address of the local IP interface that terminates the IPsec tunnel (used only when ipsec-mode is tunnel; otherwise ignored).
  • Default: None
  • Values: Any valid local IP address
tunnel-remote-addr
Enter the IP address of the remote peer or host (used only when ipsec-mode is tunnel; otherwise ignored).
  • Default: * (matches all IP addresses)
  • Values: Any valid IP address
local-id-profile
Specifies the local (SBC) ike-key-id element that applies to this ike-sainfo element. The referenced ike-key-id element contains the information needed to associate an asserted identity with a pre-shared key (PSK).
remote-id-profile
Specifies, by ike-key-id name, the remote (remote station) ike-key-id element that applies to this ike-sainfo element. The referenced ike-key-id element contains the information needed to associate an asserted identity with a pre-shared key (PSK).

Path

ike-sainfo is a subelement under the ike element. The full path from the topmost ACLI prompt is: security > ike > ike-sainfo.

Note:

This is a multiple instance configuration element.

Configures an ike-sainfo instance named star.

The default value for tunnel-remote-addr (*) matches all IPv4 addresses.

Non-default values specify IPsec tunnel mode running ESP, and identify the local tunnel endpoint.
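As an added example (not Oracle's code or ACLI output), the following Python checker applies the constraints stated on this page to an ike-sainfo instance: valid values, defaults, the virtual-platform restriction, the development-only esp-null setting, and the dependency of tunnel-local-addr on tunnel mode. The dict representation, the `virtual_platform` flag and the sample address are assumptions made for the example.

```python
# Added example, not from the Oracle documentation: checks an ike-sainfo
# instance (a dict keyed by the ACLI parameter names) against the constraints
# this page states. The virtual_platform flag and sample values are assumed.
DEFAULTS = {
    "security-protocol": "esp-auth",
    "auth-algo": "sha2-512",
    "encryption-algo": "aes",
    "ipsec-mode": "transport",
    "tunnel-remote-addr": "*",
}
ALLOWED = {
    "security-protocol": {"ah", "esp", "esp-auth", "esp-null"},
    "auth-algo": {"any", "md5", "sha1", "xcbc", "sha2-256", "sha2-384", "sha2-512"},
    "encryption-algo": {"any", "3des", "aes", "aes-ctr", "null"},
    "ipsec-mode": {"transport", "tunnel"},
}
# esp-null is documented as development-only; "any" and the legacy algorithms
# widen what can be negotiated beyond the documented defaults, so flag them too.
WEAK = {"esp-null", "any", "md5", "sha1", "3des", "null"}

def check_ike_sainfo(cfg, virtual_platform=False):
    """Return a list of findings; an empty list means the instance looks sound."""
    merged = {**DEFAULTS, **cfg}          # unset parameters take their defaults
    findings = []
    if not merged.get("name"):
        findings.append("name: required and must be unique within ike-sainfo")
    for key, allowed in ALLOWED.items():
        value = merged[key]
        if value not in allowed:
            findings.append(f"{key}: '{value}' is not a valid value")
            continue
        # ipsec-mode carries no virtual-platform note on this page, so it is exempt.
        if virtual_platform and key != "ipsec-mode" and value != DEFAULTS[key]:
            findings.append(f"{key}: only the default '{DEFAULTS[key]}' is supported on virtual platforms")
        if value in WEAK:
            findings.append(f"{key}: '{value}' is development-only or weak; prefer the default")
    if merged["ipsec-mode"] == "tunnel" and not merged.get("tunnel-local-addr"):
        findings.append("tunnel-local-addr: required when ipsec-mode is tunnel")
    if merged["ipsec-mode"] == "transport" and merged.get("tunnel-local-addr"):
        findings.append("tunnel-local-addr: ignored in transport mode")
    return findings

# Constructed instance mirroring the page's 'star' example: tunnel mode, ESP,
# local endpoint set, tunnel-remote-addr left at its wildcard default.
STAR = {"name": "star", "security-protocol": "esp", "ipsec-mode": "tunnel",
        "tunnel-local-addr": "192.0.2.1"}

if __name__ == "__main__":
    for finding in check_ike_sainfo(STAR, virtual_platform=True):
        print("star (virtual platform):", finding)
```

On a hardware platform the star instance produces no findings; on a virtual platform the non-default security-protocol is reported, matching the note on this page.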