vpn ipsec

Configure IPsec settings. The ACOS software supports Internet Protocol Security (IPsec). IPsec is a suite of protocols that secures private traffic over a public network. To protect communications, organizations need to encrypt data at high speed and scale out VPN tunnel capacity on demand.

IPsec, as defined in RFC 4301, provides a means by which to ensure the authenticity, integrity, and confidentiality of data at the network layer of the Open System Interconnection (OSI) stack.

Benefits of IPsec include:

  • Secure high-capacity links between data centers at unparalleled speeds
  • Consolidate IPsec VPN, server load balancing and stateful firewall functionality
  • Provide application scaling, redundancy, and denial-of-service attack prevention
  • Reduce rack space and power requirements
  • Scale capacity by launching new VPN gateways on-demand

ipsec Specification

Type Collection
Object Key(s) name
Collection Name ipsec-list
Collection URI /axapi/v3/vpn/ipsec/
Element Name ipsec
Element URI /axapi/v3/vpn/ipsec/{name}
Element Attributes ipsec_attributes
Statistics Data URI /axapi/v3/vpn/ipsec/{name}/stats
Operational Data URI /axapi/v3/vpn/ipsec/{name}/oper
Schema ipsec schema

Operations Allowed:

Operation       Method  URI                               Payload
Create Object   POST    /axapi/v3/vpn/ipsec/              ipsec Attributes
Create List     POST    /axapi/v3/vpn/ipsec/              ipsec Attributes
Get Object      GET     /axapi/v3/vpn/ipsec/{name}        ipsec Attributes
Get List        GET     /axapi/v3/vpn/ipsec/              ipsec-list
Modify Object   POST    /axapi/v3/vpn/ipsec/{name}        ipsec Attributes
Replace Object  PUT     /axapi/v3/vpn/ipsec/{name}        ipsec Attributes
Replace List    PUT     /axapi/v3/vpn/ipsec/              ipsec-list
Delete Object   DELETE  /axapi/v3/vpn/ipsec/{name}        ipsec Attributes
Get Stats       GET     /axapi/v3/vpn/ipsec/{name}/stats  stats data
Get Oper        GET     /axapi/v3/vpn/ipsec/{name}/oper   operational data

ipsec-list

ipsec-list is a JSON list of ipsec Attributes:

ipsec-list : [ ipsec Attributes, ... ]

ipsec Attributes

anti-replay-window

Description: Specifies the number of IPsec packets for which the ACOS device remembers the IPsec packet sequence numbers. The anti-replay window protects against replay attacks, in which a malicious party sends IPsec packets containing sequence numbers captured from the session’s legitimate traffic.
  • 0 : Disable Anti-Replay Window Check.
  • 16 : Window Size of 16 bits
  • 32 : Window Size of 32 bits
  • 64 : Window Size of 64 bits
  • 128 : Window Size of 128 bits
  • 256 : Window Size of 256 bits

Type: string

Supported Values: 0, 16, 32, 64, 128, 256

Default: 0

bind-tunnel

Description: bind-tunnel is a JSON block. Please see below for bind-tunnel.

Type: Object

Reference Object: /axapi/v3/vpn/ipsec/{name}/bind-tunnel

dh-group

Description: Diffie-Hellman (DH) group to use for Perfect Forward Secrecy.
  • 0 : PFS disabled
  • 1 : Diffie-Hellman group 1
  • 2 : Diffie-Hellman group 2
  • 5 : Diffie-Hellman group 5
  • 14 : Diffie-Hellman group 14
  • 15 : Diffie-Hellman group 15
  • 16 : Diffie-Hellman group 16
  • 18 : Diffie-Hellman group 18

Type: string

Supported Values: 0, 1, 2, 5, 14, 15, 16, 18

Default: 0

enc-cfg

Description: enc-cfg is a JSON list. Please see below for enc-cfg.

Type: List

ike-gateway

Description: Gateway to use for IPsec SA

Type: string

Reference Object: /axapi/v3/vpn/ike-gateway

lifebytes

Description: Maximum number of megabytes (MB) of data that can be transferred using a given SA. Setting this option to 0 (unlimited) disables aging based on bytes.

Type: number

Range: 0-8000000

Default: 0

lifetime

Description: Maximum number of seconds an SA can remain in effect.

Type: number

Range: 300-28800

Default: 28800

mode

Description: Specifies the encapsulation used for the IPsec traffic. Only tunnel mode is supported (Default). In tunnel mode, the client packet is encrypted and encapsulated in an IP packet.

Type: string

Supported Values: tunnel

Default: tunnel

name

Description: IPsec name

Type: string

Required: Yes

proto

Description: Protocol used to encrypt traffic on the tunnel. The current release supports ESP: Encapsulating Security Payload (Default).

Type: string

Supported Values: esp

Default: esp

sampling-enable

Description: sampling-enable is a JSON list. Please see below for sampling-enable.

Type: List

sequence-number-disable

Description: Do not use an incrementing sequence number in the ESP header. ESP anti-replay protection on the receiving peer depends on this sequence number, so disabling it also gives up that protection.

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

traffic-selector

Description: traffic-selector is a JSON block. Please see below for traffic-selector.

Type: Object

up

Description: Initiates SA negotiation to bring the IPsec connection up

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

user-tag

Description: Customized tag

Type: string

Format: string-rlx

uuid

Description: uuid of the object

Type: string

bind-tunnel

Specification
Type object

next-hop

Description: IPsec Next Hop IP Address

Type: string

Format: ipv4-address

tunnel

Description: Tunnel interface index

Type: number

Range: 1-128

Reference Object: /axapi/v3/interface/tunnel

uuid

Description: uuid of the object

Type: string

sampling-enable

Specification
Type list
Block object keys

counters1

Description: Counter to enable for sampling:
  • all : all
  • packets-encrypted : Encrypted Packets
  • packets-decrypted : Decrypted Packets
  • anti-replay-num : Anti-Replay Failure
  • rekey-num : Rekey Times
  • packets-err-inactive : Inactive Error
  • packets-err-encryption : Encryption Error
  • packets-err-pad-check : Pad Check Error
  • packets-err-pkt-sanity : Packets Sanity Error
  • packets-err-icv-check : ICV Check Error
  • packets-err-lifetime-lifebytes : Lifetime Lifebytes Error
  • bytes-encrypted : Encrypted Bytes
  • bytes-decrypted : Decrypted Bytes
  • prefrag-success : Pre-frag Success
  • prefrag-error : Pre-frag Error
  • cavium-bytes-encrypted : CAVIUM Encrypted Bytes
  • cavium-bytes-decrypted : CAVIUM Decrypted Bytes
  • cavium-packets-encrypted : CAVIUM Encrypted Packets
  • cavium-packets-decrypted : CAVIUM Decrypted Packets
  • tunnel-intf-down : Packet dropped: Tunnel Interface Down
  • pkt-fail-prep-to-send : Packet dropped: Failed in prepare to send
  • no-next-hop : Packet dropped: No next hop
  • invalid-tunnel-id : Packet dropped: Invalid tunnel ID
  • no-tunnel-found : Packet dropped: No tunnel found
  • pkt-fail-to-send : Packet dropped: Failed to send

Type: string

Supported Values: all, packets-encrypted, packets-decrypted, anti-replay-num, rekey-num, packets-err-inactive, packets-err-encryption, packets-err-pad-check, packets-err-pkt-sanity, packets-err-icv-check, packets-err-lifetime-lifebytes, bytes-encrypted, bytes-decrypted, prefrag-success, prefrag-error, cavium-bytes-encrypted, cavium-bytes-decrypted, cavium-packets-encrypted, cavium-packets-decrypted, tunnel-intf-down, pkt-fail-prep-to-send, no-next-hop, invalid-tunnel-id, no-tunnel-found, pkt-fail-to-send

traffic-selector

Specification
Type object

ipv4

Description: ipv4 is a JSON block. Please see below for traffic-selector.ipv4.

Type: Object

traffic-selector.ipv4

Specification
Type object

local

Description: Local IPv4 address of the interface that terminates the tunnel.

Type: string

Format: ipv4-address

local_netmask

Description: IPv4 Address Network Mask

Type: string

Format: ipv4-netmask

local_port

Description: Port Number

Type: number

Range: 0-65535

protocol

Description: IP Protocol Number (0-255)

Type: number

Range: 0-255

remote

Description: Remote IPv4 address of the interface that terminates the tunnel.

Type: string

Format: ipv4-address

remote_netmask

Description: IPv4 Address Network Mask

Type: string

Format: ipv4-netmask

remote_port

Description: Port Number

Type: number

Range: 0-65535

enc-cfg

Specification
Type list
Block object keys

encryption

Description: Encryption algorithm for the proposal:
  • des : Data Encryption Standard algorithm
  • 3des : Triple Data Encryption Standard algorithm
  • aes-128 : Advanced Encryption Standard algorithm (key size: 128 bits)
  • aes-192 : Advanced Encryption Standard algorithm (key size: 192 bits)
  • aes-256 : Advanced Encryption Standard algorithm (key size: 256 bits)
  • null : No encryption algorithm

Type: string

Supported Values: des, 3des, aes-128, aes-192, aes-256, null

hash

Description: Hash (integrity) algorithm for the proposal:
  • md5 : MD5 Message-Digest Algorithm
  • sha1 : Secure Hash Algorithm 1
  • sha256 : Secure Hash Algorithm 256
  • null : No hash algorithm

Type: string

Supported Values: md5, sha1, sha256, null

priority

Description: Priority (1-10) of this encryption and hash proposal; the lowest value has the highest priority.

Type: number

Range: 1-10

Default: 5
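As an added example (not part of the A10 documentation or the ACOS product), a Python helper that assembles the Create Object body for this resource and checks it against the ranges and supported values documented above. The "weak" policy (DES, 3DES, null, MD5, PFS off or DH groups 1/2/5) is this example's own review assumption, not an ACOS restriction; the HTTP transport and authentication are left out, the returned dictionary is what goes in the POST to /axapi/v3/vpn/ipsec/.

```python
# Supported values and ranges as documented in the vpn/ipsec attribute reference above.
ANTI_REPLAY = {"0", "16", "32", "64", "128", "256"}
DH_GROUPS = {"0", "1", "2", "5", "14", "15", "16", "18"}
ALLOWED = {"encryption": {"des", "3des", "aes-128", "aes-192", "aes-256", "null"},
           "hash": {"md5", "sha1", "sha256", "null"}}
# Choices flagged as weak: a review policy assumed by this example, not an ACOS rule.
WEAK = {"encryption": {"des", "3des", "null"}, "hash": {"md5", "null"}}
WEAK_DH = {"0", "1", "2", "5"}  # 0 = PFS disabled; 1, 2 and 5 are undersized MODP groups


def build_ipsec(name, ike_gateway, enc_cfg, dh_group="14", anti_replay="64",
                lifetime=28800, lifebytes=0, selector=None):
    """Assemble the JSON body for POST /axapi/v3/vpn/ipsec/ (Create Object)."""
    ipsec = {"name": name, "ike-gateway": ike_gateway, "mode": "tunnel", "proto": "esp",
             "dh-group": dh_group, "anti-replay-window": anti_replay,
             "lifetime": lifetime, "lifebytes": lifebytes,
             "enc-cfg": [dict(e) for e in enc_cfg]}
    if selector:  # keys local, local_netmask, remote, remote_netmask (traffic-selector.ipv4)
        ipsec["traffic-selector"] = {"ipv4": dict(selector)}
    return {"ipsec": ipsec}


def lint_ipsec(body):
    """Return documented-range violations and weak crypto choices found in a body."""
    p, problems = body["ipsec"], []
    if p["dh-group"] not in DH_GROUPS:
        problems.append("dh-group %r not supported" % p["dh-group"])
    elif p["dh-group"] in WEAK_DH:
        problems.append("dh-group %s: PFS disabled or group too small" % p["dh-group"])
    if p["anti-replay-window"] not in ANTI_REPLAY:
        problems.append("anti-replay-window %r not supported" % p["anti-replay-window"])
    elif p["anti-replay-window"] == "0":
        problems.append("anti-replay-window 0: replay check disabled")
    if not 300 <= p["lifetime"] <= 28800:
        problems.append("lifetime out of range 300-28800")
    if not 0 <= p["lifebytes"] <= 8000000:
        problems.append("lifebytes out of range 0-8000000")
    if p.get("sequence-number-disable") in (1, True):
        problems.append("sequence-number-disable set: ESP anti-replay relies on sequence numbers")
    for e in p["enc-cfg"]:  # each entry is one enc-cfg block: encryption, hash, priority
        for k in ("encryption", "hash"):
            if e[k] not in ALLOWED[k]:
                problems.append("%s %r not supported" % (k, e[k]))
            elif e[k] in WEAK[k]:
                problems.append("%s %s is weak" % (k, e[k]))
        if not 1 <= e.get("priority", 5) <= 10:
            problems.append("priority out of range 1-10")
    return problems
```

Run lint_ipsec on the body before sending it; an empty list means the body is within the documented limits and passes the assumed policy.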

stats data

Counter Size Description
anti-replay-num 8 Anti-Replay Failure
packets-decrypted 8 Decrypted Packets
tunnel-intf-down 8 Packet dropped: Tunnel Interface Down
pkt-fail-to-send 8 Packet dropped: Failed to send
packets-encrypted 8 Encrypted Packets
bytes-encrypted 4 Encrypted Bytes
no-tunnel-found 8 Packet dropped: No tunnel found
prefrag-success 4 Pre-frag Success
prefrag-error 4 Pre-frag Error
bytes-decrypted 4 Decrypted Bytes
invalid-tunnel-id 8 Packet dropped: Invalid tunnel ID
pkt-fail-prep-to-send 8 Packet dropped: Failed in prepare to send
cavium-packets-encrypted 8 CAVIUM Encrypted Packets
packets-err-icv-check 4 ICV Check Error
packets-err-inactive 4 Inactive Error
cavium-bytes-decrypted 4 CAVIUM Decrypted Bytes
packets-err-pad-check 4 Pad Check Error
packets-err-pkt-sanity 4 Packets Sanity Error
cavium-bytes-encrypted 4 CAVIUM Encrypted Bytes
packets-err-lifetime-lifebytes 8 Lifetime Lifebytes Error
packets-err-encryption 4 Encryption Error
rekey-num 8 Rekey Times
cavium-packets-decrypted 8 CAVIUM Decrypted Packets
no-next-hop 8 Packet dropped: No next hop
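An added example (not from the page or the product) of how a monitor would consume two successive samples of the counters returned by GET /axapi/v3/vpn/ipsec/{name}/stats. It corrects the wrap of the counters the table lists as 4 bytes and raises alerts when the integrity-related counters grow. The two samples are constructed, and the alert threshold is this example's assumption.

```python
# Counter widths in bytes, from the stats data table on this page. Counters listed
# as 4 bytes wrap at 2**32, so deltas across a poll interval must correct for that.
COUNTER_SIZE = {"bytes-encrypted": 4, "bytes-decrypted": 4, "prefrag-success": 4,
                "prefrag-error": 4, "packets-err-icv-check": 4, "packets-err-inactive": 4,
                "packets-err-pad-check": 4, "packets-err-pkt-sanity": 4,
                "packets-err-encryption": 4}  # every other counter in the table is 8 bytes
# Counters whose growth points at replayed, tampered or mis-keyed ESP traffic.
INTEGRITY_COUNTERS = ("anti-replay-num", "packets-err-icv-check",
                      "packets-err-pad-check", "packets-err-pkt-sanity")


def counter_delta(name, before, after):
    """Increase of one counter across an interval, correcting a wrapped 4-byte value."""
    delta = after - before
    if delta < 0:
        delta += 1 << (8 * COUNTER_SIZE.get(name, 8))
    return delta


def deltas(prev, cur):
    """Per-counter increases between two stats samples (counters in either sample)."""
    return {c: counter_delta(c, prev.get(c, 0), cur.get(c, 0)) for c in set(prev) | set(cur)}


def review_interval(prev, cur, replay_threshold=10):
    """Alerts for one poll interval. The replay threshold is this example's assumption."""
    d, alerts = deltas(prev, cur), []
    if d.get("anti-replay-num", 0) >= replay_threshold:
        alerts.append("anti-replay-num +%d: replayed or badly reordered ESP packets"
                      % d["anti-replay-num"])
    for c in INTEGRITY_COUNTERS[1:]:  # any ICV, pad or sanity failure is worth a look
        if d.get(c, 0) > 0:
            alerts.append("%s +%d: integrity failure, check for tampering or SA key mismatch"
                          % (c, d[c]))
    return alerts


# Two constructed samples of the stats counters for one ipsec object, polled one
# minute apart; bytes-encrypted wraps between them because it is a 4-byte counter.
SAMPLE_PREV = {"packets-encrypted": 120000, "bytes-encrypted": 4294960000,
               "anti-replay-num": 3, "packets-err-icv-check": 0, "rekey-num": 4}
SAMPLE_CUR = {"packets-encrypted": 125000, "bytes-encrypted": 5000,
              "anti-replay-num": 40, "packets-err-icv-check": 7, "rekey-num": 4}

if __name__ == "__main__":
    print(deltas(SAMPLE_PREV, SAMPLE_CUR))
    for line in review_interval(SAMPLE_PREV, SAMPLE_CUR):
        print(line)
```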

operational data

Name Type Description
Hash-Algorithm string Hash-Algorithm
Protocol string Protocol
DH-Group number DH-Group
Remote-SPI string Remote-SPI
Local-IP string Local-IP
Anti-Replay string Anti-Replay
Lifebytes string Lifebytes
NAT-Traversal number NAT-Traversal
SA-Index number SA-Index
Peer-IP string Peer-IP
Mode string Mode
Encryption-Algorithm string Encryption-Algorithm
Local-SPI string Local-SPI
Lifetime number Lifetime