vpn ike-gateway

Configure IKE gateway settings. Internet Key Exchange (IKE) is a key management protocol that creates dynamic security associations (SAs); it negotiates the SAs used by IPsec. An IKE configuration defines the algorithms and keys used to establish a secure connection with a peer security gateway.

ike-gateway Specification

Type: Collection
Object Key(s): name
Collection Name: ike-gateway-list
Collection URI: /axapi/v3/vpn/ike-gateway/
Element Name: ike-gateway
Element URI: /axapi/v3/vpn/ike-gateway/{name}
Element Attributes: ike-gateway_attributes
Statistics Data URI: /axapi/v3/vpn/ike-gateway/{name}/stats
Operational Data URI: /axapi/v3/vpn/ike-gateway/{name}/oper
Schema: ike-gateway schema

Operations Allowed:

Operation        Method   URI                                       Payload
Create Object    POST     /axapi/v3/vpn/ike-gateway/                ike-gateway Attributes
Create List      POST     /axapi/v3/vpn/ike-gateway/                ike-gateway Attributes
Get Object       GET      /axapi/v3/vpn/ike-gateway/{name}          ike-gateway Attributes
Get List         GET      /axapi/v3/vpn/ike-gateway/                ike-gateway-list
Modify Object    POST     /axapi/v3/vpn/ike-gateway/{name}          ike-gateway Attributes
Replace Object   PUT      /axapi/v3/vpn/ike-gateway/{name}          ike-gateway Attributes
Replace List     PUT      /axapi/v3/vpn/ike-gateway/                ike-gateway-list
Delete Object    DELETE   /axapi/v3/vpn/ike-gateway/{name}          ike-gateway Attributes
Get Stats        GET      /axapi/v3/vpn/ike-gateway/{name}/stats    stats data
Get Oper         GET      /axapi/v3/vpn/ike-gateway/{name}/oper     operational data

ike-gateway-list

ike-gateway-list is JSON List of ike-gateway Attributes

ike-gateway-list : [ ike-gateway Attributes ]

ike-gateway Attributes

auth-method

Description: The authentication method used for IKE phase 1. Pre-shared key and rsa-signature are both supported.

Type: string

Supported Values: preshare-key, rsa-signature

Default: preshare-key

dh-group

Description: The Diffie-Hellman (DH) group controls the strength of the keying material exchanged during initiation of the IKE SA. During this phase, the devices at each end of the VPN tunnel use the keying material to generate their own private keys and derive the shared key. Higher-numbered DH groups provide stronger keying material than lower-numbered groups and, accordingly, require more processing power.
  • 1 : Diffie-Hellman group 1 (Default)
  • 2 : Diffie-Hellman group 2
  • 5 : Diffie-Hellman group 5
  • 14 : Diffie-Hellman group 14
  • 15 : Diffie-Hellman group 15
  • 16 : Diffie-Hellman group 16
  • 18 : Diffie-Hellman group 18

Type: string

Supported Values: 1, 2, 5, 14, 15, 16, 18

Default: 1

dpd

Description: dpd is a JSON Block. Please see below for dpd.

Type: Object

enc-cfg

Description: enc-cfg is a JSON List. Please see below for enc-cfg.

Type: List

ike-version

Description: IKE version used to negotiate the Security Associations (SAs) for IPsec sessions.
  • v1 : IKEv1 key exchange
  • v2 : IKEv2 key exchange

Type: string

Supported Values: v1, v2

Default: v2

key

Description: key is a JSON Block. Please see below for key.

Type: Object

lifetime

Description: The maximum number of seconds an IKE SA can remain in effect. After the SA ages out, a new IKE SA and child ESP SA are negotiated; then the old IKE SA and any child ESP SAs based on it are deleted.

Type: number

Range: 300-86400

Default: 86400

local-address

Description: local-address is a JSON Block. Please see below for local-address.

Type: Object

local-cert

Description: local-cert is a JSON Block. Please see below for local-cert.

Type: Object

local-id

Description: ID value of the local gateway for IKE phase 1. Use a valid fully-qualified domain name (FQDN) string.

Type: string

Format: string-rlx

mode

Description: Specifies the IKEv1 phase 1 exchange mode used while the shared secret and private keys are generated:
  • main : Negotiate Main mode (Default)
  • aggressive : Negotiate Aggressive mode

Type: string

Supported Values: main, aggressive

Default: main

name

Description: Name of the VPN IKE gateway.

Type: string

Required: Yes

nat-traversal

Description: Enables NAT traversal. When this option is enabled, the ACOS device encapsulates ESP traffic inside UDP packets before sending it to the peer VPN gateway.

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

preshare-key-encrypted

Description: Do NOT use this option manually; it is an A10 reserved keyword that holds the ENCRYPTED pre-shared key string.

preshare-key-value

Description: Pre-shared key string.

Type: string

Format: password

remote-address

Description: remote-address is a JSON Block. Please see below for remote-address.

Type: Object

remote-ca-cert

Description: remote-ca-cert is a JSON Block. Please see below for remote-ca-cert.

Type: Object

remote-id

Description: ID value of the peer gateway for IKE phase 1. Use a valid fully-qualified domain name (FQDN) string.

Type: string

Format: string-rlx

sampling-enable

Description: sampling-enable is a JSON List. Please see below for sampling-enable.

Type: List

user-tag

Description: Customized tag

Type: string

Format: string-rlx

uuid

Description: uuid of the object

Type: string

vrid

Description: vrid is a JSON Block. Please see below for vrid.

Type: Object

local-cert

Specification
Type object

local-cert-name

Description: Name of the certificate the ACOS device should present to the remote gateway during IKE negotiation. The certificate must be imported in order for the VPN gateway to access the certificate. The SCEP-enrolled certificates are supported.

Type: string

enc-cfg

Specification
Type list
Block object keys

encryption

Description: ‘des’: Data Encryption Standard algorithm; ‘3des’: Triple Data Encryption Standard algorithm; ‘aes-128’: Advanced Encryption Standard algorithm (key size: 128 bits); ‘aes-192’: Advanced Encryption Standard algorithm (key size: 192 bits); ‘aes-256’: Advanced Encryption Standard algorithm (key size: 256 bits); ‘null’: No encryption algorithm, only for IKEv2;

Type: string

Supported Values: des, 3des, aes-128, aes-192, aes-256, null

hash

Description: ‘md5’: MD5 Message-Digest Algorithm; ‘sha1’: Secure Hash Algorithm 1; ‘sha256’: Secure Hash Algorithm 256;

Type: string

Supported Values: md5, sha1, sha256

priority

Description: Priority (1-10) of this encryption/hash proposal; the lowest value has the highest priority.

Type: number

Range: 1-10

Default: 5

vrid

Specification
Type object

default

Description: Enable VRRP-A for high availability redundancy (disabled by default).

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

Mutual Exclusion: default and vrid-num are mutually exclusive

vrid-num

Description: Specify the HA VRRP-A vrid number.

Type: number

Range: 1-31

Mutual Exclusion: vrid-num and default are mutually exclusive

local-address

Specification
Type object

local-ip

Description: The IPv4 address of the VPN gateway.

Type: string

Format: ipv4-address

key

Specification
Type object

key-name

Description: Private Key File Name

Type: string

key-passphrase

Description: Private Key Pass Phrase

Type: string

remote-address

Specification
Type object

dns

Description: The DNS name of the peer VPN gateway.

Type: string

Mutual Exclusion: dns and remote-ip are mutually exclusive

remote-ip

Description: The IPv4 address of the peer VPN gateway.

Type: string

Format: ipv4-address

Mutual Exclusion: remote-ip and dns are mutually exclusive

remote-ca-cert

Specification
Type object

remote-cert-name

Description: File name of the remote gateway’s CA Certificate DN.

Type: string

Format: string-rlx

sampling-enable

Specification
Type list
Block object keys

counters1

Description: ‘all’: all; ‘v2-init-rekey’: Initiate Rekey; ‘v2-rsp-rekey’: Respond Rekey; ‘v2-child-sa-rekey’: Child SA Rekey; ‘v2-in-invalid’: Incoming Invalid; ‘v2-in-invalid-spi’: Incoming Invalid SPI; ‘v2-in-init-req’: Incoming Init Request; ‘v2-in-init-rsp’: Incoming Init Response; ‘v2-out-init-req’: Outgoing Init Request; ‘v2-out-init-rsp’: Outgoing Init Response; ‘v2-in-auth-req’: Incoming Auth Request; ‘v2-in-auth-rsp’: Incoming Auth Response; ‘v2-out-auth-req’: Outgoing Auth Request; ‘v2-out-auth-rsp’: Outgoing Auth Response; ‘v2-in-create-child-req’: Incoming Create Child Request; ‘v2-in-create-child-rsp’: Incoming Create Child Response; ‘v2-out-create-child-req’: Outgoing Create Child Request; ‘v2-out-create-child-rsp’: Outgoing Create Child Response; ‘v2-in-info-req’: Incoming Info Request; ‘v2-in-info-rsp’: Incoming Info Response; ‘v2-out-info-req’: Outgoing Info Request; ‘v2-out-info-rsp’: Outgoing Info Response; ‘v1-in-id-prot-req’: Incoming ID Protection Request; ‘v1-in-id-prot-rsp’: Incoming ID Protection Response; ‘v1-out-id-prot-req’: Outgoing ID Protection Request; ‘v1-out-id-prot-rsp’: Outgoing ID Protection Response; ‘v1-in-auth-only-req’: Incoming Auth Only Request; ‘v1-in-auth-only-rsp’: Incoming Auth Only Response; ‘v1-out-auth-only-req’: Outgoing Auth Only Request; ‘v1-out-auth-only-rsp’: Outgoing Auth Only Response; ‘v1-in-aggressive-req’: Incoming Aggressive Request; ‘v1-in-aggressive-rsp’: Incoming Aggressive Response; ‘v1-out-aggressive-req’: Outgoing Aggressive Request; ‘v1-out-aggressive-rsp’: Outgoing Aggressive Response; ‘v1-in-info-v1-req’: Incoming Info Request; ‘v1-in-info-v1-rsp’: Incoming Info Response; ‘v1-out-info-v1-req’: Outgoing Info Request; ‘v1-out-info-v1-rsp’: Outgoing Info Response; ‘v1-in-transaction-req’: Incoming Transaction Request; ‘v1-in-transaction-rsp’: Incoming Transaction Response; ‘v1-out-transaction-req’: Outgoing Transaction Request; ‘v1-out-transaction-rsp’: Outgoing Transaction Response; ‘v1-in-quick-mode-req’: Incoming Quick Mode Request; ‘v1-in-quick-mode-rsp’: Incoming Quick Mode Response; ‘v1-out-quick-mode-req’: Outgoing Quick Mode Request; ‘v1-out-quick-mode-rsp’: Outgoing Quick Mode Response; ‘v1-in-new-group-mode-req’: Incoming New Group Mode Request; ‘v1-in-new-group-mode-rsp’: Incoming New Group Mode Response; ‘v1-out-new-group-mode-req’: Outgoing New Group Mode Request; ‘v1-out-new-group-mode-rsp’: Outgoing New Group Mode Response; ‘v1-child-sa-invalid-spi’: Invalid SPI for Child SAs; ‘ike-current-version’: IKE version;

Type: string

Supported Values: all, v2-init-rekey, v2-rsp-rekey, v2-child-sa-rekey, v2-in-invalid, v2-in-invalid-spi, v2-in-init-req, v2-in-init-rsp, v2-out-init-req, v2-out-init-rsp, v2-in-auth-req, v2-in-auth-rsp, v2-out-auth-req, v2-out-auth-rsp, v2-in-create-child-req, v2-in-create-child-rsp, v2-out-create-child-req, v2-out-create-child-rsp, v2-in-info-req, v2-in-info-rsp, v2-out-info-req, v2-out-info-rsp, v1-in-id-prot-req, v1-in-id-prot-rsp, v1-out-id-prot-req, v1-out-id-prot-rsp, v1-in-auth-only-req, v1-in-auth-only-rsp, v1-out-auth-only-req, v1-out-auth-only-rsp, v1-in-aggressive-req, v1-in-aggressive-rsp, v1-out-aggressive-req, v1-out-aggressive-rsp, v1-in-info-v1-req, v1-in-info-v1-rsp, v1-out-info-v1-req, v1-out-info-v1-rsp, v1-in-transaction-req, v1-in-transaction-rsp, v1-out-transaction-req, v1-out-transaction-rsp, v1-in-quick-mode-req, v1-in-quick-mode-rsp, v1-out-quick-mode-req, v1-out-quick-mode-rsp, v1-in-new-group-mode-req, v1-in-new-group-mode-rsp, v1-out-new-group-mode-req, v1-out-new-group-mode-rsp, v1-child-sa-invalid-spi, ike-current-version

dpd

Specification
Type object

interval

Description: Dead Peer Detection interval time in seconds.

Type: number

Range: 10-3600

retry

Description: Dead Peer Detection retry time.

Type: number

Range: 1-10
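
The following Python is an added example, not A10 code, that builds a vpn/ike-gateway payload and checks it against the supported values, ranges and mutual exclusions documented above, then separately flags settings that the API accepts but a security review would reject. It contrasts a constructed all-weak gateway with a hardened one. The gateway name, addresses, certificate/key/CA file names and the pre-shared key string are placeholders; the weak/strong classification is this example's own policy, not part of the reference; and the `{"ike-gateway": {...}}` wrapper used for the POST body is an assumption about aXAPI v3 payload conventions.

```python
"""Validate and review an aXAPI v3 vpn/ike-gateway payload (added example)."""
import json
from typing import Any

# Supported values and ranges as listed in the ike-gateway reference.
ALLOWED = {
    "auth-method": {"preshare-key", "rsa-signature"},
    "dh-group": {"1", "2", "5", "14", "15", "16", "18"},
    "ike-version": {"v1", "v2"},
    "mode": {"main", "aggressive"},
}
ENC_ALLOWED = {"des", "3des", "aes-128", "aes-192", "aes-256", "null"}
HASH_ALLOWED = {"md5", "sha1", "sha256"}
NUM_RANGES = {"lifetime": (300, 86400), "dpd.interval": (10, 3600),
              "dpd.retry": (1, 10), "vrid.vrid-num": (1, 31)}
# This example's review policy: accepted by the API, rejected by a reviewer.
WEAK_DH, WEAK_ENC, WEAK_HASH = {"1", "2", "5"}, {"des", "3des", "null"}, {"md5", "sha1"}


def validate(gw: dict[str, Any]) -> list[str]:
    """Check a payload against the documented values, ranges and exclusions."""
    problems: list[str] = []
    if not gw.get("name"):
        problems.append("name is required")
    for attr, allowed in ALLOWED.items():
        if attr in gw and str(gw[attr]) not in allowed:
            problems.append(f"{attr}={gw[attr]!r} is not one of {sorted(allowed)}")
    for dotted, (lo, hi) in NUM_RANGES.items():
        obj: Any = gw
        for key in dotted.split("."):  # walk into the nested JSON block
            obj = obj.get(key) if isinstance(obj, dict) else None
        if obj is not None and not lo <= obj <= hi:
            problems.append(f"{dotted}={obj} is outside {lo}-{hi}")
    ra = gw.get("remote-address", {})
    if "dns" in ra and "remote-ip" in ra:
        problems.append("remote-address: dns and remote-ip are mutually exclusive")
    vr = gw.get("vrid", {})
    if "default" in vr and "vrid-num" in vr:
        problems.append("vrid: default and vrid-num are mutually exclusive")
    for i, prop in enumerate(gw.get("enc-cfg", [])):
        if prop.get("encryption") not in ENC_ALLOWED:
            problems.append(f"enc-cfg[{i}]: unsupported encryption {prop.get('encryption')!r}")
        if prop.get("hash") not in HASH_ALLOWED:
            problems.append(f"enc-cfg[{i}]: unsupported hash {prop.get('hash')!r}")
        if not 1 <= prop.get("priority", 5) <= 10:
            problems.append(f"enc-cfg[{i}]: priority outside 1-10")
        # The reference states 'null' encryption is only for IKEv2.
        if prop.get("encryption") == "null" and gw.get("ike-version", "v2") == "v1":
            problems.append(f"enc-cfg[{i}]: null encryption is only valid with IKEv2")
    return problems


def weaknesses(gw: dict[str, Any]) -> list[str]:
    """Flag settings that pass validation but that a security review would reject."""
    findings: list[str] = []
    if gw.get("ike-version", "v2") == "v1":
        findings.append("IKEv1 in use; prefer ike-version v2")
        if gw.get("mode", "main") == "aggressive":
            findings.append("IKEv1 aggressive mode sends identities unprotected; use main mode")
    # The documented default for dh-group is 1, so an omitted dh-group is weak too.
    if str(gw.get("dh-group", "1")) in WEAK_DH:
        findings.append(f"dh-group {gw.get('dh-group', '1')} is weak; use group 14 or higher")
    for i, prop in enumerate(gw.get("enc-cfg", [])):
        if prop.get("encryption") in WEAK_ENC:
            findings.append(f"enc-cfg[{i}]: encryption {prop['encryption']} is weak; use aes-256")
        if prop.get("hash") in WEAK_HASH:
            findings.append(f"enc-cfg[{i}]: hash {prop['hash']} is weak; use sha256")
    if "preshare-key-value" in gw:
        findings.append("pre-shared key authentication; prefer rsa-signature with certificates")
    return findings


# Constructed sample: valid per the reference, but every tunable is at a weak value.
WEAK_GATEWAY = {
    "name": "branch-legacy", "ike-version": "v1", "mode": "aggressive",
    "auth-method": "preshare-key",
    "preshare-key-value": "PLACEHOLDER-PSK",   # placeholder, not a real secret
    "dh-group": "1",
    "enc-cfg": [{"encryption": "3des", "hash": "md5", "priority": 1}],
    "local-address": {"local-ip": "192.0.2.10"},
    "remote-address": {"remote-ip": "198.51.100.20"},
    "dpd": {"interval": 30, "retry": 3},
}


def hardened_gateway(name: str, local_ip: str, remote_ip: str) -> dict[str, Any]:
    """Same object shape using the strongest values the reference lists."""
    return {
        "name": name, "ike-version": "v2", "auth-method": "rsa-signature",
        "local-cert": {"local-cert-name": "gw-cert"},          # placeholder cert name
        "key": {"key-name": "gw-key"},                          # placeholder key file name
        "remote-ca-cert": {"remote-cert-name": "partner-ca"},   # placeholder CA file name
        "dh-group": "14", "lifetime": 28800,
        "enc-cfg": [{"encryption": "aes-256", "hash": "sha256", "priority": 1}],
        "local-address": {"local-ip": local_ip},
        "remote-address": {"remote-ip": remote_ip},
        "dpd": {"interval": 30, "retry": 3},
    }


def post_body(gw: dict[str, Any]) -> str:
    """Body for POST /axapi/v3/vpn/ike-gateway/ (object-name wrapper is an assumption)."""
    return json.dumps({"ike-gateway": gw}, indent=2)


if __name__ == "__main__":
    for gw in (WEAK_GATEWAY, hardened_gateway("partner-vpn", "192.0.2.10", "198.51.100.20")):
        print(gw["name"], "problems:", validate(gw), "weaknesses:", weaknesses(gw))
```

Run it before sending a Create Object request: `validate` catches what the device would reject, `weaknesses` catches what the device would happily accept, which is the more dangerous failure mode for a VPN gateway.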

stats data

Counter Size Description
v1-in-id-prot-rsp 8 Incoming ID Protection Response
v1-in-auth-only-rsp 8 Incoming Auth Only Response
v1-out-new-group-mode-rsp 8 Outgoing New Group Mode Response
v1-out-aggressive-req 8 Outgoing Aggressive Request
v2-child-sa-rekey 8 Child SA Rekey
ike-current-version 8 IKE version
v2-out-auth-req 8 Outgoing Auth Request
v2-rsp-rekey 8 Respond Rekey
v2-out-info-req 8 Outgoing Info Request
v2-out-init-req 8 Outgoing Init Request
v1-in-info-v1-rsp 8 Incoming Info Response
v1-out-id-prot-req 8 Outgoing ID Protection Request
v2-in-invalid 8 Incoming Invalid
v1-in-aggressive-req 8 Incoming Aggressive Request
v1-child-sa-invalid-spi 8 Invalid SPI for Child SAs
v2-in-info-rsp 8 Incoming Info Response
v1-out-quick-mode-req 8 Outgoing Quick Mode Request
v2-out-auth-rsp 8 Outgoing Auth Response
v1-in-auth-only-req 8 Incoming Auth Only Request
v1-in-aggressive-rsp 8 Incoming Aggressive Response
v2-in-create-child-req 8 Incoming Create Child Request
v2-out-info-rsp 8 Outgoing Info Response
v2-out-create-child-req 8 Outgoing Create Child Request
v2-in-auth-rsp 8 Incoming Auth Response
v2-in-init-req 8 Incoming Init Request
v1-out-info-v1-req 8 Outgoing Info Request
v2-init-rekey 8 Initiate Rekey
v1-out-transaction-rsp 8 Outgoing Transaction Response
v1-out-quick-mode-rsp 8 Outgoing Quick Mode Response
v1-out-auth-only-rsp 8 Outgoing Auth Only Response
v1-out-auth-only-req 8 Outgoing Auth Only Request
v1-in-quick-mode-rsp 8 Incoming Quick Mode Response
v1-in-new-group-mode-req 8 Incoming New Group Mode Request
v1-out-id-prot-rsp 8 Outgoing ID Protection Response
v1-in-transaction-rsp 8 Incoming Transaction Response
v2-in-info-req 8 Incoming Info Request
v1-in-transaction-req 8 Incoming Transaction Request
v1-in-quick-mode-req 8 Incoming Quick Mode Request
v1-in-info-v1-req 8 Incoming Info Request
v2-in-invalid-spi 8 Incoming Invalid SPI
v2-out-init-rsp 8 Outgoing Init Response
v1-out-transaction-req 8 Outgoing Transaction Request
v1-out-new-group-mode-req 8 Outgoing New Group Mode Request
v1-out-info-v1-rsp 8 Outgoing Info Response
v2-in-init-rsp 8 Incoming Init Response
v2-in-create-child-rsp 8 Incoming Create Child Response
v2-in-auth-req 8 Incoming Auth Request
v1-in-id-prot-req 8 Incoming ID Protection Request
v1-in-new-group-mode-rsp 8 Incoming New Group Mode Response
v2-out-create-child-rsp 8 Outgoing Create Child Response
v1-out-aggressive-rsp 8 Outgoing Aggressive Response

operational data

Name Type Description
Status string Status
Remote-IP string Remote-IP
Hash string Hash
Encryption string Encryption
Responder-SPI string Responder-SPI
Local-IP string Local-IP
Lifetime number Lifetime
Initiator-SPI string Initiator-SPI
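
As an added example (not A10 code) of putting the stats and operational data above to defensive use, the Python below takes two polls of the `/stats` counters and one `/oper` record, computes per-counter deltas (counters are 8 bytes, so a wrap is handled), and reports bursts of invalid or invalid-SPI packets, bursts of inbound negotiation attempts, and any mismatch between what was negotiated and what was configured. The two polls, the oper record, the configured gateway and the thresholds are constructed for this example; the Status value is a placeholder, since the reference does not enumerate status strings, and the example assumes the oper Encryption/Hash strings use the same tokens as enc-cfg.

```python
"""Monitor ike-gateway /stats and /oper data for negotiation trouble (added example)."""
from typing import Any

# Stats counters that record rejected or malformed IKE/ESP traffic.
NOISE_COUNTERS = ("v2-in-invalid", "v2-in-invalid-spi", "v1-child-sa-invalid-spi")
# Stats counters for negotiations initiated toward this gateway.
INBOUND_INIT_COUNTERS = ("v2-in-init-req", "v1-in-id-prot-req", "v1-in-aggressive-req")
# Every counter in the stats table is 8 bytes; treat them as unsigned 64-bit.
COUNTER_MOD = 1 << 64


def counter_deltas(prev: dict[str, int], curr: dict[str, int]) -> dict[str, int]:
    """Increase of every counter between two polls, tolerating one 64-bit wrap."""
    return {name: (value - prev.get(name, 0)) % COUNTER_MOD for name, value in curr.items()}


def assess(oper: dict[str, Any], deltas: dict[str, int], interval_s: int,
           configured: dict[str, Any], max_noise_per_min: float = 5.0,
           max_inbound_init: int = 10) -> list[str]:
    """Return findings for one gateway; an empty list means nothing stood out."""
    findings: list[str] = []
    noise = sum(deltas.get(k, 0) for k in NOISE_COUNTERS)
    if noise * 60 / interval_s > max_noise_per_min:
        findings.append(f"{noise} invalid or invalid-SPI packets in {interval_s}s "
                        "(stale SA on the peer, replayed traffic, or probing)")
    inbound = sum(deltas.get(k, 0) for k in INBOUND_INIT_COUNTERS)
    if inbound > max_inbound_init:
        findings.append(f"{inbound} inbound IKE initiation requests in {interval_s}s")
    # What was negotiated should match what was configured.
    cfg_remote = configured.get("remote-address", {}).get("remote-ip")
    if cfg_remote and oper.get("Remote-IP") != cfg_remote:
        findings.append(f"oper Remote-IP {oper.get('Remote-IP')} != configured {cfg_remote}")
    proposals = {(p["encryption"], p["hash"]) for p in configured.get("enc-cfg", [])}
    negotiated = (str(oper.get("Encryption", "")).lower(), str(oper.get("Hash", "")).lower())
    if proposals and negotiated not in proposals:
        findings.append(f"negotiated {negotiated} is not among the configured proposals")
    if oper.get("Lifetime", 0) > configured.get("lifetime", 86400):
        findings.append(f"oper Lifetime {oper['Lifetime']} exceeds the configured lifetime")
    return findings


# Constructed data: the relevant part of the configured object, two stats polls
# 60 s apart, and one oper record. Addresses and SPIs are placeholders.
CONFIGURED = {
    "name": "partner-vpn", "lifetime": 28800,
    "enc-cfg": [{"encryption": "aes-256", "hash": "sha256", "priority": 1}],
    "remote-address": {"remote-ip": "198.51.100.20"},
}
STATS_T0 = {"v2-in-invalid": 2, "v2-in-invalid-spi": 0, "v1-child-sa-invalid-spi": 0,
            "v2-in-init-req": 1, "v1-in-id-prot-req": 0, "v1-in-aggressive-req": 0,
            "v2-init-rekey": 3, "v2-rsp-rekey": 2, "ike-current-version": 2}
STATS_T1 = {"v2-in-invalid": 2, "v2-in-invalid-spi": 740, "v1-child-sa-invalid-spi": 0,
            "v2-in-init-req": 45, "v1-in-id-prot-req": 0, "v1-in-aggressive-req": 0,
            "v2-init-rekey": 3, "v2-rsp-rekey": 2, "ike-current-version": 2}
OPER = {"Status": "established",            # placeholder wording
        "Remote-IP": "198.51.100.20", "Local-IP": "192.0.2.10",
        "Hash": "sha256", "Encryption": "aes-256", "Lifetime": 28800,
        "Initiator-SPI": "0x0011223344556677", "Responder-SPI": "0x8899aabbccddeeff"}

if __name__ == "__main__":
    for line in assess(OPER, counter_deltas(STATS_T0, STATS_T1), 60, CONFIGURED):
        print("FINDING:", line)
```

Sampling-enable must list the counters you read (or `all`) for them to be populated; the wrap-tolerant delta means a long-running poller does not emit a huge negative spike when a counter rolls over.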