Configures parameters for IPsec tunnels on the Fabric IPsec Gateway Virtual Machine (VM).
set ipsec <1-255> admin-state enable
set ipsec <1-255> auth-key WORD <1-32>
set ipsec <1-255> auth-method <psk | rsasig>
set ipsec <1-255> cert-subject <subject_label>
set ipsec <1-255> compression
set ipsec <1-255> egress-shaping-rate <1-1000>
set ipsec <1-255> encryption-key-length <128 | 256>
set ipsec <1-255> esp <aes128gcm16-sha256 | aes256-sha256 | aes256gcm16-sha256>
set ipsec <1-255> fe-tunnel-dest-ip {A.B.C.D}
set ipsec <1-255> fragment-before-encrypt enable
set ipsec <1-255> ipsec-dest-ip {A.B.C.D}
set ipsec <1-255> mtu <1300-9000>
set ipsec <1-255> responder-only <true | false>
set ipsec <1-255> tunnel-name WORD <1-64>
admin-state enable: Enables IPsec on the specific IPsec tunnel.
auth-key WORD <1-32>: Specifies the pre-shared authentication key.
Note: Do not use the special characters ?, \, &, <, >, #.
auth-method <psk | rsasig>: Specifies the authentication type for IPsec tunnels. The default is pre-shared key (psk).
cert-subject <subject_label>: Specifies the certificate identity to use with the IPsec tunnel.
encryption-key-length <128 | 256>: Specifies the encryption key length for the IPsec tunnel. The default encryption key length is 128 bits. As a best practice, use the newer esp parameter instead.
esp <aes128gcm16-sha256 | aes256-sha256 | aes256gcm16-sha256>: Specifies the ESP cipher suite for the IPsec tunnel. The default is aes128gcm16-sha256. aes256-sha256 is not supported in the current release.
fe-tunnel-dest-ip {A.B.C.D}: Specifies the destination IP address for the Fabric Extend (FE) tunnel.
ipsec-dest-ip {A.B.C.D}: Specifies the destination IP address for the IPsec tunnel.
mtu <1300-9000>: Specifies the Maximum Transmission Unit (MTU) value for the FE tunnel with both IPsec and fragmentation and assembly capabilities.
responder-only <true | false>: Specifies whether the IPsec session in the FE tunnel is in responder-only mode or initiator mode. In responder-only mode, the FE tunnel only responds to incoming requests and does not initiate the IPsec connection. By default, both sides of the IPsec connection in the FE tunnel are initiators. Configure the IPsec tunnel in responder-only mode when there is Network Address Translation (NAT) between the two ends of the IPsec connection. For more information about NAT, see Fabric Engine User Guide.
tunnel-name WORD <1-64>: Specifies a name for the IPsec tunnel.
Default: None.
Command mode: Fabric IPsec Gateway Configuration
This command does not apply to all hardware platforms. For more information about feature support, see Fabric Engine and VOSS Feature Support Matrix.
You must disable the IPsec administrative state on the tunnel before you can remove IPsec configuration.
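The following pre-deployment check is an added example, not vendor tooling or code from the original page: it lints `set ipsec` lines against the ranges, the auth-key character restriction, the unsupported ESP suite, and the esp best practice stated above. The names `lint_line` and `lint_config` are hypothetical, the sample configuration is constructed, and it assumes one command per line and that the commas in the auth-key note are separators rather than forbidden characters.

```python
import re

# Limits below are taken from the syntax and parameter notes on this page.
FORBIDDEN_KEY_CHARS = set("?\\&<>#")
CHOICES = {"auth-method": {"psk", "rsasig"}, "responder-only": {"true", "false"},
           "encryption-key-length": {"128", "256"},
           "esp": {"aes128gcm16-sha256", "aes256-sha256", "aes256gcm16-sha256"}}
INT_RANGES = {"egress-shaping-rate": (1, 1000), "mtu": (1300, 9000)}
MAX_LEN = {"auth-key": 32, "tunnel-name": 64}
IPV4 = re.compile(r"^(25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])(\.(25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])){3}$")

def in_range(s, lo, hi):
    return bool(re.fullmatch(r"[0-9]+", s)) and lo <= int(s) <= hi

def lint_line(line):
    """Return findings for one 'set ipsec ...' line; an empty list means clean."""
    tok = line.split()
    if len(tok) < 4 or tok[:2] != ["set", "ipsec"]:
        return ["not a 'set ipsec <id> <parameter>' command"]
    tunnel, param, val = tok[2], tok[3], (tok[4] if len(tok) > 4 else "")
    out = []
    if not in_range(tunnel, 1, 255):
        out.append("tunnel id must be 1-255")
    if param in CHOICES and val not in CHOICES[param]:
        out.append(f"{param} must be one of {sorted(CHOICES[param])}")
    elif param in INT_RANGES and not in_range(val, *INT_RANGES[param]):
        out.append("{} must be {}-{}".format(param, *INT_RANGES[param]))
    elif param in MAX_LEN and not 1 <= len(val) <= MAX_LEN[param]:
        out.append(f"{param} must be 1-{MAX_LEN[param]} characters")
    elif param in ("fe-tunnel-dest-ip", "ipsec-dest-ip") and not IPV4.match(val):
        out.append(f"{param} must be an IPv4 address")
    if param == "auth-key" and FORBIDDEN_KEY_CHARS & set(val):
        bad = " ".join(sorted(FORBIDDEN_KEY_CHARS & set(val)))
        out.append(f"auth-key contains forbidden characters: {bad}")
    if param == "esp" and val == "aes256-sha256":
        out.append("aes256-sha256 is not supported in the current release")
    if param == "encryption-key-length" and val in CHOICES[param]:
        out.append("prefer the esp parameter over encryption-key-length")
    return out

# Constructed sample configuration (key and address are placeholders).
SAMPLE = [
    "set ipsec 1 auth-key Example#Key1", "set ipsec 1 esp aes256-sha256",
    "set ipsec 1 encryption-key-length 256", "set ipsec 1 mtu 1200",
    "set ipsec 1 ipsec-dest-ip 192.0.2.10", "set ipsec 300 admin-state enable",
]

def lint_config(lines):
    """Map each offending line to its findings; clean lines are omitted."""
    return {l: f for l in lines if (f := lint_line(l))}
```

Parameters for which the page gives no value constraints (admin-state, compression, fragment-before-encrypt, cert-subject) are passed through unchecked.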