APIRef_tm_net_ipsec_ike-peer

mgmt/tm/net/ipsec/ike-peer


Specifies IKE phase 1 parameters for remote IKE peers.

REST Endpoints

Collection URI:      /mgmt/tm/net/ipsec/ike-peer
Collection Methods:  OPTIONS, GET
Resource URI:        /mgmt/tm/net/ipsec/ike-peer/~resource id
Resource Methods:    OPTIONS, GET, PUT, PATCH, DELETE, POST
Resource Natural Key: name, subPath

Properties

Each property is listed as: name (type; default value; required; access), followed by its description. A blank default means no default value.

appService (string; default: none; optional; read/write)
    The application service that the object belongs to.

caCertFile (string; default: none; optional; read/write)
    Specifies the file name which contains the certificates of the trusted root and intermediate certificate authorities.

crlFile (string; default: none; optional; read/write)
    Specifies the file name of the Certificate Revocation List. Only supported in IKEv1.

description (string; default: none; optional; read/write)
    User-defined description.

dpdDelay (integer; default: 30; optional; read/write)
    Specifies the number of seconds between Dead Peer Detection messages.

generatePolicy (string; default: off; optional; read/write)
    Enables or disables the generation of Security Policy Database (SPD) entries when the device is the responder of the IKE remote node.

lifetime (integer; default: 1440; optional; read/write)
    Defines the lifetime in minutes of an IKE SA, which will be proposed in the phase 1 negotiations.

mode (string; default: main; optional; read/write)
    Defines the exchange mode for phase 1 when racoon is the initiator, or the acceptable exchange mode when racoon is the responder.

myCertFile (string; default: none; optional; read/write)
    Specifies the name of the certificate file object. Note that certificates for DSS and ECDSA authentication methods are not provided by default.

myCertKeyFile (string; default: none; optional; read/write)
    Specifies the name of the certificate key file object. Note that keys for DSS and ECDSA authentication methods are not provided by default.

myCertKeyPassphrase (string; default: none; optional; read/write)
    Specifies the passphrase of the key used for my-cert-key-file. Only supported in IKEv2.

myIdType (string; default: address; optional; read/write)
    Specifies the identifier type sent to the remote host for use in the phase 1 negotiation. Only the address type is supported in IKEv2.

myIdValue (string; default: none; optional; read/write)
    Specifies the identifier value sent to the remote host in the phase 1 negotiation.

natTraversal (string; default: off; optional; read/write)
    Enables use of the NAT-Traversal IPsec extension (NAT-T). NAT-T allows one or both peers to reside behind a NAT gateway (that is, one doing address or port translation). The presence of NAT gateways along the path is discovered during the phase 1 handshake, and if found, NAT-T is negotiated. When NAT-T is in charge, all ESP and AH packets of a given connection are encapsulated into UDP datagrams (port 4500 by default). The options are: on, off, and force.

passive (string; default: false; optional; read/write)
    Specifies whether the local IKE agent can be the initiator of the IKE negotiation with this ike-peer.

peersCertFile (string; default: none; optional; read/write)
    Specifies the peer's certificate for authentication. Unused in IKEv2.

peersCertType (string; default: none; optional; read/write)
    Specifies the peer certificate type; the only peers-cert-type supported is certfile. Unused in IKEv2.

peersIdType (string; default: address; optional; read/write)
    Specifies which of the address, fqdn, asn1dn, user-fqdn or keyid-tag types to use as peers-id-type. Only the address type is supported in IKEv2.

peersIdValue (string; default: none; optional; read/write)
    Specifies the peer's identifier to be received. If it is not defined, the IKE agent will not verify the peer's identifier in the ID payload transmitted from the peer. The usage of peers-id-type and peers-id-value is the same as my-id-type and my-id-value, except that the individual component values of an asn1dn identifier may be specified as * to match any value (e.g. "C=XX, O=MyOrg, OU=*, CN=Mine").

phase1AuthMethod (string; default: rsa-signature; optional; read/write)
    Specifies the authentication method used for the phase 1 negotiation. Possible values are: pre-shared-key if using a pre-shared passphrase, and rsa-signature, dss, ecdsa-256, ecdsa-384 or ecdsa-521 if using X.509 certificate-based authentication. Note that dss and ecdsa certificates are supported in IKEv2 only.

phase1EncryptAlgorithm (string; default: 3des; optional; read/write)
    Specifies the encryption algorithm used for the ISAKMP phase 1 negotiation. This directive must be defined. Possible values are one of the following: des, 3des, blowfish, cast128, aes, or camellia for Oakley.

phase1HashAlgorithm (string; default: sha256; optional; read/write)
    Defines the hash algorithm used for the ISAKMP phase 1 negotiation. This directive must be defined. The algorithm should be one of the following: md5, sha1, sha256, sha384, or sha512 for Oakley.

phase1PerfectForwardSecrecy (string; default: modp1024; optional; read/write)
    Defines the Diffie-Hellman group for key exchange to provide perfect forward secrecy. This directive must be defined as one of the Diffie-Hellman (DH) groups modp768, modp1024, modp1536, modp2048, modp3072, modp4096, modp6144 and modp8192, or one of the Elliptic-Curve Diffie-Hellman (ECDH) groups ecp256, ecp384 and ecp521. ECDH is only supported in IKEv2.

presharedKey (string; default: none; optional; read/write)
    Specifies the preshared key for ISAKMP SAs. This field is valid only when phase1-auth-method is pre-shared-key.

presharedKeyEncrypted (string; default: none; optional; read/write)
    Displays the encrypted preshared-key for the IKE remote node.

prf (string; default: sha256; optional; read/write)
    Specifies the pseudo-random function used to derive keying material for all cryptographic operations. This attribute is only valid for IKEv2. Possible values are: sha1, sha256, sha384, or sha512.

proxySupport (string; default: enabled; optional; read/write)
    If this value is enabled, both values of the ID payloads in the phase 2 exchange are used as the end-point addresses of the IPsec SAs. This attribute must be enabled, which is the default value. This field is used only for IKEv1.

remoteAddress (string; default: none; optional; read/write)
    Specifies the IP address of the IKE remote node.

replayWindowSize (integer; default: 64; optional; read/write)
    Specifies the replay window size of the IPsec SAs negotiated with the IKE remote node.

state (string; default: enabled; optional; read/write)
    Enables or disables this IKE remote node.

trafficSelector (string; default: none; optional; read/write)
    Specifies the names of the traffic-selector objects associated with this ike-peer.

verifyCert (string; default: false; optional; read/write)
    Specifies whether to verify the certificate chain of the remote peer against the trusted certificates in ca-cert-file. Additionally, in IKEv1 it specifies whether to verify that the peers-id-value matches the identifier of the remote peer in the ISAKMP ID payload and in the certificate. If peers-id-type is asn1dn, the entire certificate subject name is compared. If peers-id-type is address, fqdn or user-fqdn, the certificate's subjectAltName is compared. If the two do not match, the negotiation will fail. The default value is false, which is not to verify the peer's certificate or the identifier.

version (string; default: v1; optional; read/write)
    Specifies which version of IKE is to be used. The default value is v1. Possible values are: v1 or v2.
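The property table above carries several version-dependent constraints (dss/ecdsa and ECDH groups in IKEv2 only, prf and myCertKeyPassphrase IKEv2-only, crlFile IKEv1-only, presharedKey only with pre-shared-key authentication) and several defaults a practitioner would not want to ship unchanged (IKEv1, 3des, modp1024, verifyCert false). The following Python module is an added example, not F5 code and not part of this reference: it builds a PUT/POST body for this collection, checks it against the documented value lists and version rules, and flags the legacy choices. The object names, the 203.0.113.10 address and the weak/strong classification are this example's own assumptions.

```python
"""Build and audit an iControl REST body for /mgmt/tm/net/ipsec/ike-peer.

Added example, not F5's code. The value lists and defaults are transcribed
from the property table; the strength classification is this example's own.
"""
from typing import Dict, List

COLLECTION_URI = "/mgmt/tm/net/ipsec/ike-peer"

# Allowed values as documented in the property table.
ALLOWED = {
    "version": {"v1", "v2"},
    "natTraversal": {"on", "off", "force"},
    "phase1AuthMethod": {"pre-shared-key", "rsa-signature", "dss",
                         "ecdsa-256", "ecdsa-384", "ecdsa-521"},
    "phase1EncryptAlgorithm": {"des", "3des", "blowfish", "cast128", "aes", "camellia"},
    "phase1HashAlgorithm": {"md5", "sha1", "sha256", "sha384", "sha512"},
    "phase1PerfectForwardSecrecy": {"modp768", "modp1024", "modp1536", "modp2048",
                                    "modp3072", "modp4096", "modp6144", "modp8192",
                                    "ecp256", "ecp384", "ecp521"},
    "prf": {"sha1", "sha256", "sha384", "sha512"},
    "peersIdType": {"address", "fqdn", "asn1dn", "user-fqdn", "keyid-tag"},
}

# Documented defaults for the properties the checks below look at.
PAGE_DEFAULTS = {
    "version": "v1", "phase1AuthMethod": "rsa-signature",
    "phase1EncryptAlgorithm": "3des", "phase1HashAlgorithm": "sha256",
    "phase1PerfectForwardSecrecy": "modp1024", "verifyCert": "false",
    "proxySupport": "enabled", "myIdType": "address", "peersIdType": "address",
}

# This example's own classification of legacy options from the allowed lists.
WEAK_CIPHERS = {"des", "3des", "blowfish", "cast128"}
WEAK_HASHES = {"md5", "sha1"}
WEAK_DH = {"modp768", "modp1024", "modp1536"}
V2_ONLY_AUTH = {"dss", "ecdsa-256", "ecdsa-384", "ecdsa-521"}


def effective(payload: Dict[str, str]) -> Dict[str, str]:
    """Merge explicit settings over the documented defaults."""
    return {**PAGE_DEFAULTS, **payload}


def validate(payload: Dict[str, str]) -> List[str]:
    """Hard errors: values outside the documented lists, or combinations the
    table says are unsupported for the selected IKE version."""
    cfg = effective(payload)
    errors = []
    if "name" not in payload:
        errors.append("name (the resource natural key) is missing")
    for key, allowed in ALLOWED.items():
        if key in cfg and cfg[key] not in allowed:
            errors.append(f"{key}={cfg[key]!r} is not one of {sorted(allowed)}")
    v2 = cfg["version"] == "v2"
    if cfg["phase1AuthMethod"] in V2_ONLY_AUTH and not v2:
        errors.append("dss/ecdsa authentication is supported in IKEv2 only")
    if cfg["phase1PerfectForwardSecrecy"].startswith("ecp") and not v2:
        errors.append("ECDH groups (ecp*) are supported in IKEv2 only")
    if v2 and (cfg["myIdType"] != "address" or cfg["peersIdType"] != "address"):
        errors.append("only the address identifier type is supported in IKEv2")
    if "prf" in payload and not v2:
        errors.append("prf is only valid for IKEv2")
    if "myCertKeyPassphrase" in payload and not v2:
        errors.append("myCertKeyPassphrase is only supported in IKEv2")
    if "crlFile" in payload and v2:
        errors.append("crlFile is only supported in IKEv1")
    psk = cfg["phase1AuthMethod"] == "pre-shared-key"
    if psk and "presharedKey" not in payload:
        errors.append("pre-shared-key authentication requires presharedKey")
    if not psk and "presharedKey" in payload:
        errors.append("presharedKey is valid only when phase1AuthMethod is pre-shared-key")
    if cfg["proxySupport"] != "enabled":
        errors.append("proxySupport must remain enabled")
    return errors


def audit(payload: Dict[str, str]) -> List[str]:
    """Warnings for valid but weak settings, including unchanged page defaults."""
    cfg = effective(payload)
    warnings = []
    if cfg["version"] == "v1":
        warnings.append("IKEv1 in use (the default); prefer version=v2")
    if cfg["phase1EncryptAlgorithm"] in WEAK_CIPHERS:
        warnings.append(f"legacy cipher {cfg['phase1EncryptAlgorithm']}; prefer aes")
    if cfg["phase1HashAlgorithm"] in WEAK_HASHES:
        warnings.append(f"legacy hash {cfg['phase1HashAlgorithm']}; prefer sha256 or stronger")
    if cfg["phase1PerfectForwardSecrecy"] in WEAK_DH:
        warnings.append(f"small DH group {cfg['phase1PerfectForwardSecrecy']}; prefer modp2048 or larger")
    cert_auth = cfg["phase1AuthMethod"] != "pre-shared-key"
    if cert_auth and cfg["verifyCert"] != "true":
        warnings.append("verifyCert=false: peer certificate chain and identifier are not checked")
    if cert_auth and cfg["verifyCert"] == "true" and "caCertFile" not in payload:
        warnings.append("verifyCert=true but no caCertFile anchors the chain")
    return warnings


def resource_uri(name: str) -> str:
    """Resource URI per the page's '/~resource id' pattern (assumed: a bare name)."""
    return f"{COLLECTION_URI}/~{name}"


# Constructed hardened body: every name and address here is made up.
HARDENED = {
    "name": "branch-office-peer", "remoteAddress": "203.0.113.10",
    "version": "v2", "phase1AuthMethod": "rsa-signature",
    "phase1EncryptAlgorithm": "aes", "phase1HashAlgorithm": "sha256",
    "phase1PerfectForwardSecrecy": "modp2048", "prf": "sha256",
    "verifyCert": "true", "caCertFile": "example-ca.crt",
    "myCertFile": "example-bigip.crt", "myCertKeyFile": "example-bigip.key",
    "trafficSelector": "branch-ts", "natTraversal": "on",
}

if __name__ == "__main__":
    print(resource_uri(HARDENED["name"]), validate(HARDENED), audit(HARDENED))
    print("page defaults:", audit({"name": "defaults-only", "remoteAddress": "203.0.113.10"}))
```

Running the module prints an empty error and warning list for the hardened body, and four warnings for a body that relies on the documented defaults (IKEv1, 3des, modp1024 and an unverified peer certificate). Only `audit` knows about strength; `validate` enforces just what the table states, so the two can be tuned independently.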
Copyright (c) 2016, F5 Networks Inc. All Rights Reserved.

The BIG-IP API Reference documentation contains community-contributed content. F5 does not monitor or control community code contributions. We make no guarantees or warranties regarding the available code, and it may contain errors, defects, bugs, inaccuracies, or security vulnerabilities. Your access to and use of any code available in the BIG-IP API reference guides is solely at your own risk.