net ipsec ike-peer

net ipsec ike-peer(1)					BIG-IP TMSH Manual				     net ipsec ike-peer(1)

NAME
       ike-peer - Configures one or more IKE peers for IPsec.

MODULE
       net ipsec

SYNTAX
       Configure the ike-peer component within the net ipsec module using the syntax in the following sections.

   CREATE/MODIFY
	create ike-peer [name]
	modify ike-peer [name]
	 options:
	   address-list [string]
	   app-service [[string] | none]
	   ca-cert-file [certificate file]
	   crl-file [CRL file]
	   description [string]
	   dpd-delay [integer]
	   debug-payloads [string]
	   generate-policy [off | on | unique ]
	   ip4-dhcp [ip address]
	   ip6-dhcp [ip address]
	   ip4-dns [ip address]
	   ip6-dns [ip address]
	   ip-macro [string]
	   lifetime [minutes]
	   local-port [port]
	   mode [main | aggressive]
	   my-cert-file [certificate file]
	   my-cert-key-file [certificate key file]
	   my-cert-key-passphrase [none | [string] ]
	   my-id-type [address | asn1dn | fqdn | keyid-tag | user-fqdn]
	   my-id-value [string]
	   nat-traversal [on | off | force]
	   ocsp-cert-validator [ocsp-cert-validator-name-string]
	   ocsp-lifetime [minutes]
	   ocsp-jitter-percent [zero-to-fifty-percent]
	   ocsp-ha-reauth [minutes]
	   ocsp-reauth-fail-open [true | false]
	   passive [true | false]
	   peers-cert-file [certificate file]
	   peers-cert-type [certfile | none]
	   peers-id-type [address | asn1dn | fqdn | keyid-tag | user-fqdn]
	   peers-id-value [string]
	   phase1-auth-method [pre-shared-key | rsa-signature | dss | ecdsa-256 | ecdsa-384 | ecdsa-521 ]
	   phase1-encrypt-algorithm [3des | aes | blowfish | camellia | cast128 | des]
	   phase1-hash-algorithm [md5 | sha1 | sha256 | sha384 | sha512]
	   phase1-perfect-forward-secrecy [modp1024 | modp1536 | modp2048 | modp3072 | modp4096 | modp6144 | modp768 | modp8192 | ecp256 | ecp384 | ecp521 ]
	   preshared-key [string]
	   preshared-key-encrypted [string]
	   prf [sha1 | sha256 | sha384 | sha512]
	   proxy-support [disabled | enabled]
	   remote-address [ip address]
	   remote-port [port]
	   replay-window-size [integer]
	   state [disabled | enabled]
	   traffic-selector [name]
	   verify-cert [true | false]
	   version [add | delete | none | replace-all-with] {
	       [v1|v2]
	   }

   DISPLAY
	list ike-peer
	list ike-peer [name]
	show running-config ike-peer
	show running-config ike-peer [name]
	  options:
	    all-properties
	    non-default-properties
	    one-line

   DELETE
	delete ike-peer
	delete ike-peer [name]

DESCRIPTION
       You can use the ike-peer component to modify the IKE phase 1 parameters for each remote IKE peer. The setting in the
       default anonymous ike-peer will apply to any peer that does not match a more specific ike-peer directive.

EXAMPLES
       create ike-peer SanJose { remote-address 1.2.3.4  preshared-key abc phase1-auth-method pre-shared-key }

       Creates an ike-peer named SanJose that has the IP address of 1.2.3.4 using preshared key as the authentication method.

OPTIONS
       app-service
	    Specifies the name of the application service to which the object belongs. The default value is none. Note: If the
	    strict-updates option is enabled on the application service that owns the object, you cannot modify or delete the
	    object. Only the application service can modify or delete the object.

       ca-cert-file
	    Specifies the name of the file that contains the certificates of the trusted root and intermediate certificate
	    authorities.

       crl-file
	    Specifies the file name of the Certificate Revocation List.

       description
	    User-defined description.

       dpd-delay
	    This option activates Dead Peer Detection (DPD) and sets the time (in seconds) allowed between two proof-of-liveness
	    requests. The default value is 30. When the value is set to 0, DPD monitoring is disabled, but DPD support is still
	    negotiated.

       generate-policy
	    This directive is for the responder. To use it, set passive to true so the IKE peer is only a responder. If the
	    responder does not have any policy in the Security Policy Database (SPD) during phase 2 negotiation, and the directive
	    is set to on, then the racoon daemon chooses the first proposal in the Security Association (SA) payload from the
	    initiator and generates policy entries from that proposal. This is useful for negotiating with clients whose IP
	    addresses are allocated dynamically. If an inappropriate policy is installed into the responder's SPD by the initiator,
	    other communications might fail due to a policy mismatch between the initiator and the responder. The initiator
	    ignores this directive. The default value is off.

       lifetime
	    Specifies the lifetime of an IKE SA that will be proposed in the phase 1 negotiations.

       mode Specifies the exchange mode for phase 1 when racoon is the initiator, or the acceptable exchange mode when racoon is
	    the responder.

       my-cert-file
	    Specifies the name of my certificate file. The certificate type must match the phase1-auth-method value. Note that
	    there are no default certificates for DSS and ECDSA authentication methods.

       my-cert-key-file
	    Specifies the name of my certificate key file. The certificate key type must match the phase1-auth-method value. Note
	    that there are no default keys for DSS and ECDSA authentication methods.

       my-cert-key-passphrase
	    Specifies the passphrase of the key used for my-cert-key-file. Note that only IKEv2 supports a passphrase.

       my-id-type
	    Specifies the identifier type sent to the remote host to use in the phase 1 negotiation.

       my-id-value
	    Specifies the identifier value sent to the remote host to use in the phase 1 negotiation.

       nat-traversal
	    Enables use of the NAT-Traversal IPsec extension (NAT-T). NAT-T allows one or both peers to reside behind a NAT
	    gateway (that is, performing address- or port-translation). The presence of NAT gateways along the path is discovered
	    during the phase 1 handshake, and if found, NAT-T is negotiated. When NAT-T is in charge, all ESP and AH packets of a
	    given connection are encapsulated into UDP datagrams (port 4500, by default). The options are:

	    force
		 NAT-T is used regardless of whether NAT is detected between the peers.

	    off  NAT-T is not proposed/accepted. This is the default.

	    on	 NAT-T is used when a NAT gateway is detected between the peers.

       passive
	    Specify true if you do not want to be the initiator of the IKE negotiation with this ike-peer.

       peers-cert-file
	    Specifies the peer's certificate for authentication. Deprecated in IKEv2 configuration.

       peers-cert-type
	    Specifies the type of the peer's certificate. The only supported value is certfile. Deprecated in IKEv2
	    configuration.

       peers-id-type
	    Specifies the peer's identifier type. The value can be address, fqdn, asn1dn, user-fqdn, or keyid-tag.

       peers-id-value
	    Specifies the peer's identifier to be received. If it is not defined, then the IKE agent will not verify the peer's
	    identifier in the ID payload transmitted from the peer. The usage of peers-id-type and peers-id-value is the same as
	    my-id-type and my-id-value, except that the individual component values of an asn1dn identifier may be specified as *
	    to match any value (for example, "C=XX, O=MyOrg, OU=*, CN=Mine").

       phase1-auth-method
	    Defines the authentication method used for the phase 1 negotiation. Possible values are: pre-shared-key if using
	    preshared-key, and rsa-signature, dss, ecdsa-256, ecdsa-384 or ecdsa-521 if using X.509 certificate-based
	    authentication. Note that DSS and ECDSA certificates are supported in IKEv2 only.

       phase1-encrypt-algorithm
	    Specifies the encryption algorithm used for the ISAKMP phase 1 negotiation. This directive must be defined. The value
	    must be one of the following Oakley algorithms: des, 3des, blowfish, cast128, aes, or camellia.

       phase1-hash-algorithm
	    Defines the hash algorithm used for the ISAKMP phase 1 negotiation. This directive must be defined. The value must be
	    one of the following Oakley algorithms: md5, sha1, sha256, sha384, or sha512.

       phase1-perfect-forward-secrecy
	    Defines the Diffie-Hellman group used for the key exchange that provides perfect forward secrecy. This directive must
	    be defined. The value must be one of the Diffie-Hellman groups modp768, modp1024, modp1536, modp2048, modp3072,
	    modp4096, modp6144 and modp8192, or one of the Elliptic-Curve Diffie-Hellman groups ecp256, ecp384 and ecp521. Note
	    that ECDH is supported in IKEv2 only.

       preshared-key
	    Specifies the preshared key for ISAKMP SAs. This field is valid only when phase1-auth-method is pre-shared-key.

       preshared-key-encrypted
	    Specifies the preshared key for ISAKMP SAs. This field is valid only when phase1-auth-method is pre-shared-key. Stores
	    preshared-key in encrypted form.

       prf  Specifies the pseudo-random function to derive keying material for all cryptographic operations.

       proxy-support
	    If this value is enabled, both ID payload values in the phase 2 exchange are used as the endpoint addresses of the
	    IPsec SAs. This attribute must be enabled, which is the default value. This field is used only for IKEv1.

       remote-address
	    Specifies the IP address of the IKE remote node.  The format required for specifying a route domain ID in an IP
	    address is A.B.C.D%ID.  For example, A.B.C.D%2, where the IP address A.B.C.D pertains to route domain 2.  The route
	    domain ID should be the same as the route domain ID specified in the source/destination address of the traffic
	    selector associated with this remote node.

       replay-window-size
	    Specifies the replay window size of the IPsec SAs negotiated with the IKE remote node. This window limits the number
	    of out-of-order IPsec packets that can be received relative to the packet with the highest sequence number that has
	    been authenticated so far. Packets with older sequence numbers that are outside this range are rejected. The default
	    value is 64. The valid range is from 4 to 255.

       state
	    Enables or disables this IKE remote node.

       traffic-selector
	    Specifies the names of the traffic-selector objects associated with this ike-peer.

       verify-cert
	    If set to true, the identifier sent by the remote host (as specified in its my_identifier statement) is compared
	    with the credentials in the certificate as follows. Type asn1dn: the entire certificate subject name is compared
	    with the identifier, e.g. "C=XX, O=YY, ...". Type address, fqdn, or user_fqdn: the certificate's subjectAltName is
	    compared with the identifier. If the two do not match, the negotiation fails. The default value is false, meaning
	    the identifier is not verified against the peer's certificate.

       version
	    Specifies which version of IKE is used. The default value is v1. The following versions are available:

	    v1	 IKEv1 is used.
	    v2	 IKEv2 is used.
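
       As an added example (not F5's code and not part of this manual), the following Python script parses a constructed
       sample of list ike-peer output and flags phase 1 settings that this page accepts but a hardening review would
       question: weak phase1-encrypt-algorithm, phase1-hash-algorithm and phase1-perfect-forward-secrecy values, aggressive
       mode, and certificate authentication with verify-cert left at its default of false. The one-level brace layout of the
       sample and the peer names are assumptions, not output captured from a device.

```python
import re
# Constructed sample of "tmsh list net ipsec ike-peer" output (not captured
# from a device); option names are the ones listed in this man page.
SAMPLE = """\
net ipsec ike-peer /Common/SanJose {
    mode aggressive
    phase1-auth-method pre-shared-key
    phase1-encrypt-algorithm des
    phase1-hash-algorithm md5
    phase1-perfect-forward-secrecy modp768
    version { v1 }
}
net ipsec ike-peer /Common/London {
    phase1-auth-method ecdsa-384
    phase1-encrypt-algorithm aes
    phase1-hash-algorithm sha384
    phase1-perfect-forward-secrecy ecp384
    verify-cert true
    version { v2 }
}
"""
# Values the page accepts but a hardening review should flag.
WEAK = {"phase1-encrypt-algorithm": {"des", "3des", "blowfish", "cast128"},
        "phase1-hash-algorithm": {"md5", "sha1"},
        "phase1-perfect-forward-secrecy": {"modp768", "modp1024", "modp1536"},
        "mode": {"aggressive"}}
CERT_AUTH = {"rsa-signature", "dss", "ecdsa-256", "ecdsa-384", "ecdsa-521"}

def parse_ike_peers(text):
    """Return {peer_name: {option: value}} from one-level tmsh list output."""
    peers, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        head = re.match(r"net ipsec ike-peer (\S+) \{$", line)
        if head:
            current = peers.setdefault(head.group(1), {})
        elif line == "}":
            current = None
        elif current is not None and line:
            key, _, value = line.partition(" ")
            current[key] = value.strip("{} ")  # "version { v1 }" -> "v1"
    return peers

def audit_peer(opts):
    """Return the list of flagged settings for one ike-peer's option dict."""
    flagged = [f"{k} {opts[k]}" for k in WEAK if opts.get(k) in WEAK[k]]
    # verify-cert defaults to false (see OPTIONS), so certificate authentication
    # without it never compares the peer's identifier against its certificate.
    if opts.get("phase1-auth-method") in CERT_AUTH and opts.get("verify-cert") != "true":
        flagged.append("verify-cert not true with certificate authentication")
    return flagged
```

       An empty list from audit_peer means none of the checked settings were flagged for that peer.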

SEE ALSO
       create, modify, delete, list, tmsh

COPYRIGHT
       No part of this program may be reproduced or transmitted in any form or by any means, electronic or mechanical, including
       photocopying, recording, or information storage and retrieval systems, for any purpose other than the purchaser's personal
       use, without the express written permission of F5 Networks, Inc.

       F5 Networks and BIG-IP (c) Copyright 2011-2013, 2015-2016. All rights reserved.

BIG-IP							    2021-08-18					     net ipsec ike-peer(1)