Supported Modes

  • Tunnel (default)
  • VTI
  • GRE in transport mode

General Syntax

network vpn ipsec connection new blah --type=[net-to-net|host-to-net]
network vpn ipsec connection destroy blah

network vpn ipsec connection blah key value ...

Name

The name must be ASCII-only and unique among IPsec connections; it is the identifier used in every subsequent command for that connection.

Mode

network vpn ipsec connection blah mode tunnel (default)
network vpn ipsec connection blah mode vti
network vpn ipsec connection blah mode gre-transport

Peer

network vpn ipsec connection blah peer 1.2.3.4
network vpn ipsec connection blah peer blah.tld.com

Security Policy

network vpn ipsec connection blah security-policy secure

Authentication

network vpn ipsec connection blah authentication mode pre-shared-key
network vpn ipsec connection blah authentication pre-shared-key super-secret-key

network vpn ipsec connection blah authentication mode certificate (open question, not yet specified)

Prefixes

network vpn ipsec connection blah remote prefix 192.168.0.0/24
network vpn ipsec connection blah remote prefix +192.168.1.0/24 -192.168.0.0/24

A bare prefix replaces the current set; a prefix written with a leading + is added to the set and one with a leading - is removed from it.

network vpn ipsec connection blah local prefix 192.168.10.0/24

IDs

network vpn ipsec connection blah remote id @abc
network vpn ipsec connection blah local id 1.2.3.4

An ID is either a valid IP address or a string beginning with @.
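The prefix and ID syntax above leaves the validation rules implicit. The following shell example, written for this page and not part of the network tool, implements the semantics as stated: a bare prefix list replaces the set, + and - modify it, mixing the two forms in one command is rejected, and an ID is either an IPv4 address or an @-prefixed string. The function names, the restriction to IPv4 (no IPv6 prefixes, no hostnames) and the space-separated list representation are assumptions made for the example.

```shell
#!/bin/sh
# Constructed example: illustrates the prefix-set and ID rules of this
# design note; not code from the network tool.

# ipv4_valid ADDR: four dotted decimal octets, each 0-255.
ipv4_valid() {
    old_ifs="$IFS"; IFS=.
    set -- $1
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# prefix_valid PREFIX: ADDR/LEN with a valid IPv4 ADDR and 0 <= LEN <= 32.
# (IPv4 only; IPv6 is out of scope for this example.)
prefix_valid() {
    case "$1" in
        */*) ;;
        *) return 1 ;;
    esac
    addr="${1%/*}"; len="${1#*/}"
    case "$len" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$len" -le 32 ] || return 1
    ipv4_valid "$addr"
}

# prefix_list_update CURRENT ARG...
#   CURRENT is the space-separated set currently configured.
#   Bare ARGs replace the whole set; +PREFIX adds, -PREFIX removes.
#   Mixing bare and +/- forms, or any invalid prefix, is an error.
#   Prints the resulting set (deduplicated, order preserved).
prefix_list_update() {
    [ $# -ge 2 ] || { echo "usage: prefix_list_update CURRENT ARG..." >&2; return 1; }
    current="$1"; shift
    mode=""
    for arg in "$@"; do
        case "$arg" in
            [+-]*) m=modify ;;
            *)     m=replace ;;
        esac
        if [ -n "$mode" ] && [ "$mode" != "$m" ]; then
            echo "error: cannot mix a bare prefix with +/- modifications" >&2
            return 1
        fi
        mode="$m"
    done
    # Keep the set padded with spaces so membership tests can match " p ".
    if [ "$mode" = replace ]; then result=" "; else result=" $current "; fi
    for arg in "$@"; do
        case "$arg" in
            -*) op=remove; p="${arg#-}" ;;
            +*) op=add;    p="${arg#+}" ;;
            *)  op=add;    p="$arg" ;;
        esac
        prefix_valid "$p" || { echo "error: invalid prefix '$p'" >&2; return 1; }
        if [ "$op" = add ]; then
            case "$result" in
                *" $p "*) ;;                 # already present, adding is idempotent
                *) result="$result$p " ;;
            esac
        else
            new=" "
            for q in $result; do
                [ "$q" = "$p" ] || new="$new$q "
            done
            result="$new"
        fi
    done
    echo $result   # unquoted on purpose: collapses the padding whitespace
}

# ipsec_id_valid ID: an IPv4 address, or a non-empty string after '@'.
ipsec_id_valid() {
    case "$1" in
        @?*) return 0 ;;
        *) ipv4_valid "$1" ;;
    esac
}
```

Run from the page's second prefix example, `prefix_list_update "192.168.0.0/24" "+192.168.1.0/24" "-192.168.0.0/24"` prints `192.168.1.0/24`; the rejection of mixed forms is the check the CLI itself would want so that a typo does not silently wipe the configured set.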

Inactivity

network vpn ipsec connection blah inactivity-timeout 10m

Missing Things

  • always-on vs. on-demand
  • VTIs?
  • How do we handle changes of the auth mode (especially, what do we do with the now unused pre-shared keys or certificates)
  • Why do we add the connection before everything else? Although this may be useful