ikev2-ipsec-wancom0-params

Parameters

The ikev2-ipsec-wancom0-params configuration element contains the following parameters:

name
A user-supplied name.
state
The state of this connection.
  • Default: enabled
  • Values: enabled | disabled
remoteip
The IPv4 or IPv6 address of the remote peer.
remotesubnet
The private subnet behind the remote participant. For example, 10.0.0.1/24 or 2001:DB8:0:56::/64. Defaults to a /32 for IPv4 or /128 for IPv6.
remoteproto
The transport protocol or protocols of the remote peer that will be protected within the tunnel.
  • Default: ALL
  • Values: TCP | UDP | ICMP | SCTP | IPV6-ICMP | ALL
remoteport
The port that the remote peer will use to communicate within the tunnel. For example, 1812 or 49. Use 0 to match any port.
  • Default: 0
  • Min: 0 | Max: 65535
localip
The IPv4 or IPv6 address of the local participant's public-network interface. The only accepted value is the IP address of wancom0.
localsubnet
The private subnet behind the local participant. The only accepted value is the wancom0 IP address with a /32 for IPv4 or /128 for IPv6.
localproto
The transport protocol or protocols of the local peer that will be protected within the tunnel.
  • Default: ALL
  • Values: TCP | UDP | ICMP | SCTP | IPV6-ICMP | ALL
localport
The port that the local peer will use to communicate within the tunnel. Use 0 to match any port.
  • Default: 0
  • Min: 0 | Max: 65535
auto
The action taken on IPsec startup. The 'start' action adds and establishes an IPsec connection. The 'ondemand' action establishes an IPsec connection only when an ingressing or egressing packet matches the connection's traffic parameters. The 'ignore' action causes no automatic IPsec startup operation.
  • Default: ondemand
  • Values: start | ondemand | ignore
ike-algorithms
The IKE algorithm used for IKE security association connections (phase 1). The format is <cipher>-<hash>;<dhgroup>. For example: aes256-sha256;dh14. Using the correct separator is required.
  • Default: aes256-sha256;dh14
  • Allowed ciphers: aes128, aes192, aes256, aes_ctr128, aes_ctr192, aes_ctr256, aes_gcm128, aes_gcm192, aes_gcm256
  • Allowed hash: sha256, sha512
  • Allowed DH: dh14, dh15, dh16, dh17, dh18
ipsec-protocol
The type of IPsec security association.
  • Default: esp
  • Values: ah | esp
ipsec-algorithms
The IPsec algorithms offered and accepted during phase 2 negotiation. The format is <cipher>-<hash>[;<DH-group>]. For example: aes256-sha256;modp2048. Using the correct separator is required.
  • Default: aes256-sha256;modp2048
  • Allowed ciphers: aes128, aes192, aes256, aes_ctr128, aes_ctr192, aes_ctr256
  • Allowed hash: sha256, sha512, aes_xcbc
  • Allowed DH: modp2048
pfs
Whether perfect forward secrecy is used.
  • Default: yes
  • Values: yes | no
authby
How the two endpoints authenticate each other. Use 'secret' for a pre-shared key; use 'never' if negotiation is never to be attempted or accepted; and use 'rsasig' for RSA authentication with SHA-1.
  • Default: rsasig
  • Values: secret | never | rsasig
ipsec-mode
The mode of the IPsec connection.
  • Default: tunnel
  • Values:
    • tunnel—A host-to-host, host-to-subnet, or subnet-to-subnet tunnel.
    • transport—A host-to-host tunnel.
    • passthrough—No IPsec processing.
    • drop—Discard the packets.
    • reject—The packets are discarded and a diagnostic ICMP returned.
esn
Whether to enable extended sequence numbers for the IPsec SA. If 'either' is specified, the responder decides. If the SBC is the responder and 'either' is selected, the SBC picks 'no'.
  • Default: no
  • Values: yes | no | either
rekey
Whether a connection should be renegotiated when it is about to expire.
  • Default: yes
  • Values: no | yes
ipsec-sa-life-secs
The number of seconds an IPsec SA connection lasts.
  • Default: 28800
  • Min: 1 | Max: 86400
ike-sa-life-secs
The number of seconds an IKEv2 SA connection lasts.
  • Default: 3600
  • Min: 1 | Max: 86400
rekeymargin
The number of seconds before an SA expires during which to negotiate a new connection.
  • Default: 10
  • Min: 1 | Max: 86400
rekeyfuzz
The maximum percentage by which the rekeymargin should be randomly increased to randomize rekeying intervals.
  • Default: 0
  • Min: 0 | Max: 8640000
shared-password
The password for IKE PSK authentication.
local-certificate-profile-identity
Specify the identity of the ike-certificate-profile to use for the local peer. This string should match the Subject Alternative Name of the local end-entity-certificate attribute in the ike-certificate-profile element.
remote-certificate-identity
Specify the identity of the ike-certificate-profile to use for the remote peer. This string should match the Subject Alternative Name of the peer's certificate.
dpddelay
The number of seconds between DPD keepalive messages.
  • Default: 0 (disabled)
  • Min: 0 | Max: 999999999
dpdtimeout
The number of seconds to idle without hearing back from the peer.
  • Default: 0
  • Min: 0 | Max: 999999999
dpdaction
The action to be taken once a peer is declared dead.
  • Default: hold
  • Values: hold | clear | restart
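
The ike-algorithms and ipsec-algorithms entries use different allowed sets and different DH group names (dh14 versus modp2048), so a value valid for one phase can be rejected for the other. The following is an added example, not Oracle's code, that lints both strings against the lists on this page before they are entered; the function names, exact case-sensitive matching, and the sample values are assumptions of the example.

```python
# Added example: lint ike-algorithms / ipsec-algorithms values before applying them.
# Allowed sets are copied from the parameter entries above; exact, case-sensitive
# matching is an assumption of this example.
AES = {"aes128", "aes192", "aes256"}
CTR = {"aes_ctr128", "aes_ctr192", "aes_ctr256"}
GCM = {"aes_gcm128", "aes_gcm192", "aes_gcm256"}

RULES = {
    # <cipher>-<hash>;<dhgroup>  (the DH group is part of the format)
    "ike-algorithms": (AES | CTR | GCM, {"sha256", "sha512"},
                       {"dh14", "dh15", "dh16", "dh17", "dh18"}, True),
    # <cipher>-<hash>[;<DH-group>]  (the DH group is optional)
    "ipsec-algorithms": (AES | CTR, {"sha256", "sha512", "aes_xcbc"},
                         {"modp2048"}, False),
}


def check_proposal(param, value):
    """Return a list of problems with value; an empty list means it is acceptable."""
    ciphers, hashes, dh_groups, dh_required = RULES[param]
    problems = []
    head, sep, dh = value.partition(";")
    if not sep:
        if dh_required:
            problems.append("missing ';<dhgroup>'")
    elif dh not in dh_groups:
        problems.append(f"DH group {dh!r} is not allowed for {param}")
    cipher, dash, digest = head.partition("-")
    if not dash:
        problems.append("missing '-' between cipher and hash")
        return problems
    if cipher not in ciphers:
        problems.append(f"cipher {cipher!r} is not allowed for {param}")
    if digest not in hashes:
        problems.append(f"hash {digest!r} is not allowed for {param}")
    return problems


def lint(config):
    """Check every proposal parameter present in config; return only the failures."""
    found = {p: check_proposal(p, config[p]) for p in RULES if p in config}
    return {p: msgs for p, msgs in found.items() if msgs}


if __name__ == "__main__":
    # Constructed sample: phase 1 uses the phase 2 DH name, phase 2 uses a GCM cipher.
    sample = {"ike-algorithms": "aes256-sha256;modp2048",
              "ipsec-algorithms": "aes_gcm256-sha256;modp2048"}
    for param, msgs in lint(sample).items():
        print(param, "->", "; ".join(msgs))
```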

Path

The ikev2-ipsec-wancom0-params configuration element is in the security element.

ORACLE# configure terminal
ORACLE(configure)# security
ORACLE(security)# ikev2-ipsec-wancom0-params
ORACLE(ikev2-ipsec-wancom0-params)#