net ipsec ike-peer
net ipsec ike-peer(1) BIG-IP TMSH Manual net ipsec ike-peer(1)
NAME
ike-peer - Configures one or more IKE peers for IPsec.
MODULE
net ipsec
SYNTAX
Configure the ike-peer component within the net ipsec module using the
syntax in the following sections.
CREATE/MODIFY
create ike-peer [name]
modify ike-peer [name]
options:
app-service [[string] | none]
ca-cert-file [certificate file]
crl-file [CRL file]
description [string]
dpd-delay [integer]
generate-policy [off | on | unique ]
lifetime [minutes]
mode [main | aggressive]
my-cert-file [certificate file]
my-cert-key-file [certificate key file]
my-cert-key-passphrase [none | [string] ]
my-id-type [address | asn1dn | fqdn | keyid-tag | user-fqdn]
my-id-value [string]
nat-traversal [on | off | force]
passive [true | false]
peers-cert-file [certificate file]
peers-cert-type [certfile | none]
peers-id-type [address | asn1dn | fqdn | keyid-tag | user-fqdn]
peers-id-value [string]
phase1-auth-method [pre-shared-key | rsa-signature | dss | ecdsa-256 | ecdsa-384 | ecdsa-521 ]
phase1-encrypt-algorithm [3des | aes | blowfish | camellia | cast128 | des]
phase1-hash-algorithm [md5 | sha1 | sha256 | sha384 | sha512]
phase1-perfect-forward-secrecy [modp1024 | modp1536 | modp2048 | modp3072 | modp4096 | modp6144 | modp768 | modp8192 | ecp256 | ecp384 | ecp521 ]
preshared-key [string]
preshared-key-encrypted [string]
prf [sha1 | sha256 | sha384 | sha512]
proxy-support [disabled | enabled]
remote-address [ip address]
replay-window-size [integer]
state [disabled | enabled]
traffic-selector [name]
verify-cert [true | false]
version [add | delete | none | replace-all-with] {
[v1|v2]
}
DISPLAY
list ike-peer
list ike-peer [name]
show running-config ike-peer
show running-config ike-peer [name]
options:
all-properties
non-default-properties
one-line
DELETE
delete ike-peer
delete ike-peer [name]
DESCRIPTION
You can use the ike-peer component to modify the IKE phase 1 parameters
for each remote IKE peer. The setting in the default anonymous ike-peer
will apply to any peer that does not match a more specific ike-peer
directive.
EXAMPLES
create ike-peer SanJose { remote-address 1.2.3.4 preshared-key abc
phase1-auth-method pre-shared-key }
Creates an ike-peer named SanJose whose remote address is 1.2.3.4 and
that uses a preshared key as the authentication method.
OPTIONS
app-service
Specifies the name of the application service to which the object
belongs. The default value is none. Note: If the strict-updates
option is enabled on the application service that owns the object,
you cannot modify or delete the object. Only the application
service can modify or delete the object.
ca-cert-file
Specifies the name of the file that contains the certificates of the
trusted root and intermediate certificate authorities.
crl-file
Specifies the file name of the Certificate Revocation List.
description
User-defined description.
dpd-delay
Enables Dead Peer Detection (DPD) and sets the interval (in seconds)
between two proof-of-liveness requests. The default value is 30. A
value of 0 disables DPD monitoring but still negotiates DPD support.
generate-policy
This directive is for the responder. To use it, set passive to
true so the IKE peer is only a responder. If the responder does
not have any policy in the Security Policy Database (SPD) during
phase 2 negotiation, and the directive is set to on, then the
racoon daemon chooses the first proposal in the Security
Association (SA) payload from the initiator, and generates policy
entries from the proposal. It is useful to negotiate with clients
whose IP address is allocated dynamically. If an inappropriate
policy is installed into the responder's SPD by the initiator,
other communications might fail due to a policy mismatch between
the initiator and the responder. The initiator ignores this
directive. The default value is off.
lifetime
Specifies the lifetime of an IKE SA that will be proposed in the
phase 1 negotiations.
mode Specifies the exchange mode for phase 1 when racoon is the
initiator, or the acceptable exchange mode when racoon is the
responder.
my-cert-file
Specifies the name of my certificate file. The certificate type
must match the phase1-auth-method value. Note that there are no
default certificates for DSS and ECDSA authentication methods.
my-cert-key-file
Specifies the name of my certificate key file. The certificate key
type must match the phase1-auth-method value. Note that there are
no default keys for DSS and ECDSA authentication methods.
my-cert-key-passphrase
Specifies the passphrase of the key used for my-cert-key-file.
Note that only IKEv2 supports passphrase.
my-id-type
Specifies the identifier type sent to the remote host to use in
the phase 1 negotiation.
my-id-value
Specifies the identifier value sent to the remote host to use in
the phase 1 negotiation.
nat-traversal
Enables use of the NAT-Traversal IPsec extension (NAT-T). NAT-T
allows one or both peers to reside behind a NAT gateway (that is, a
device performing address or port translation). The presence of NAT
gateways along the path is discovered during the phase 1 handshake,
and if one is found, NAT-T is negotiated. When NAT-T is in effect,
all ESP and AH packets of a given connection are encapsulated in UDP
datagrams (port 4500, by default). The options are:
force
NAT-T is used regardless of whether NAT is detected between
the peers.
off NAT-T is not proposed/accepted. This is the default.
on NAT-T is used when a NAT gateway is detected between the
peers.
passive
Specify true if you do not want to be the initiator of the IKE
negotiation with this ike-peer.
peers-cert-file
Specifies the peer's certificate for authentication. Deprecated in
IKEv2 configuration.
peers-cert-type
Specifies that the only peers-cert-type supported is certfile.
Deprecated in IKEv2 configuration.
peers-id-type
Specifies that address, fqdn, asn1dn, user-fqdn, or keyid-tag can
be used as peers-id-type.
peers-id-value
Specifies the peer's identifier to be received. If it is not
defined, the IKE agent does not verify the peer's identifier in the
ID payload transmitted from the peer. The usage of peers-id-type and
peers-id-value is the same as my-id-type and my-id-value, except that
the individual component values of an asn1dn identifier may be
specified as * to match any value (for example,
"C=XX, O=MyOrg, OU=*, CN=Mine").
phase1-auth-method
Defines the authentication method used for the phase 1
negotiation. Possible values are: pre-shared-key if using
preshared-key, and rsa-signature, dss, ecdsa-256, ecdsa-384 or
ecdsa-521 if using X.509 certificate-based authentication. Note
that DSS and ECDSA certificates are supported in IKEv2 only.
phase1-encrypt-algorithm
Specifies the encryption algorithm used for the ISAKMP phase 1
negotiation. This directive must be defined. The value must be one
of the following Oakley algorithms: des, 3des, blowfish, cast128,
aes, or camellia.
phase1-hash-algorithm
Defines the hash algorithm used for the ISAKMP phase 1
negotiation. This directive must be defined. The value must be one
of the following Oakley algorithms: md5, sha1, sha256, sha384, or
sha512.
phase1-perfect-forward-secrecy
Defines the Diffie-Hellman group used in the key exchange to provide
perfect forward secrecy. This directive must be defined as one of
the Diffie-Hellman groups modp768, modp1024, modp1536, modp2048,
modp3072, modp4096, modp6144 and modp8192, or one of the
Elliptic-Curve Diffie-Hellman groups ecp256, ecp384 and ecp521. Note
that ECDH is supported in IKEv2 only.
preshared-key
Specifies the preshared key for ISAKMP SAs. This field is valid
only when phase1-auth-method is pre-shared-key.
preshared-key-encrypted
Specifies the preshared key for ISAKMP SAs, stored in encrypted
form. This field is valid only when phase1-auth-method is
pre-shared-key.
prf Specifies the pseudo-random function to derive keying material for
all cryptographic operations.
proxy-support
If this value is enabled, both ID payload values in the phase 2
exchange are used as the endpoint addresses of the IPsec SAs. This
attribute must be enabled, which is the default value. This field is
used only for IKEv1.
remote-address
Specifies the IP address of the IKE remote node. The format
required for specifying a route domain ID in an IP address is
A.B.C.D%ID. For example, A.B.C.D%2, where the IP address A.B.C.D
belongs to route domain 2. The route domain ID should be the same
as the route domain ID specified in the source/destination address
of the traffic selector associated with this remote node.
replay-window-size
Specifies the replay window size of the IPsec SAs negotiated with
the IKE remote node. This window limits the number of out-of-order
IPsec packets that can be received relative to the packet with the
highest sequence number that has been authenticated so far.
Packets with older sequence numbers that are outside this range
are rejected. The default value is 64. The valid range is from 4
to 255.
state
Enables or disables this IKE remote node.
traffic-selector
Specifies the names of the traffic-selector objects associated
with this ike-peer.
verify-cert
If set to true, the identifier sent by the remote host (as specified
in its my_identifier statement) is compared with the credentials in
the certificate as follows. Type asn1dn: the entire certificate
subject name is compared with the identifier, e.g. "C=XX, O=YY, ...".
Type address, fqdn, or user-fqdn: the certificate's subjectAltName
is compared with the identifier. If the two do not match, the
negotiation fails. The default value is false, which means the
identifier is not verified against the peer's certificate.
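As an added illustration (not code from the F5 manual or from the BIG-IP IKE daemon), the following Python sketches the two identity checks described under peers-id-value and verify-cert, run against a constructed sample certificate. The dictionary form of the certificate, the case-sensitive and order-independent comparison of DN components, and the fail-closed handling of keyid-tag identifiers (which the manual does not cover) are assumptions of this example.

```python
"""Added example, not from the F5 manual or its IKE daemon: the identity
checks that the peers-id-value and verify-cert options describe, applied
to a peer certificate.  Assumptions: the certificate is already parsed
into a dict with a 'subject' DN string and a 'san' list (a real
implementation would take these from an X.509 parser); DN components are
compared case-sensitively and order-independently; keyid-tag identifiers,
which the manual does not cover, fail closed under verify-cert."""

# Constructed sample certificate for the example; not a real certificate.
SAMPLE_CERT = {
    "subject": "C=XX, O=MyOrg, OU=Net, CN=Mine",
    "san": ["vpn.example.net", "198.51.100.7", "admin@example.net"],
}


def parse_dn(dn):
    """Turn 'C=XX, O=MyOrg, OU=*, CN=Mine' into {'C': 'XX', 'O': 'MyOrg', ...}."""
    parts = {}
    for rdn in dn.split(","):
        key, sep, value = rdn.strip().partition("=")
        if not sep or not key:
            raise ValueError(f"malformed DN component: {rdn!r}")
        parts[key.strip()] = value.strip()
    return parts


def dn_matches(pattern, dn):
    """peers-id-value style comparison for asn1dn: every component of the
    pattern must be present, and a component value of '*' matches any
    value.  The key sets must be identical, so extra or missing RDNs fail."""
    pat, got = parse_dn(pattern), parse_dn(dn)
    return pat.keys() == got.keys() and all(
        v == "*" or got[k] == v for k, v in pat.items())


def check_peer_identity(id_type, id_value, cert, peers_id_value=None,
                        verify_cert=False):
    """Return (accepted, reason) for the identifier carried in the peer's
    ID payload, applying peers-id-value first and then verify-cert."""
    # peers-id-value: when it is not defined, the identifier is not checked.
    if peers_id_value is not None:
        if id_type == "asn1dn":
            ok = dn_matches(peers_id_value, id_value)
        else:
            ok = id_value == peers_id_value
        if not ok:
            return False, "identifier does not match peers-id-value"
    # verify-cert: bind the identifier to the credentials in the certificate.
    if verify_cert:
        if id_type == "asn1dn":
            # The entire certificate subject name must equal the identifier.
            if parse_dn(id_value) != parse_dn(cert["subject"]):
                return False, "identifier differs from certificate subject"
        elif id_type in ("address", "fqdn", "user-fqdn"):
            if id_value not in cert["san"]:
                return False, "identifier not present in subjectAltName"
        else:
            # Assumption: the manual says nothing about keyid-tag here.
            return False, f"verify-cert cannot check id type {id_type!r}"
    return True, "accepted"
```

With verify-cert left at its default of false and no peers-id-value set, the function accepts whatever identifier the peer sends; the example makes that consequence of the defaults visible.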
version
Specifies which version of IKE is to be used. The default value is
v1. The following versions are available:
v1 Specifies that IKEv1 is used.
v2 Specifies that IKEv2 is used.
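Several of the options above constrain each other: dss and ecdsa authentication, ECDH groups and key passphrases are IKEv2 only, the preshared-key fields are valid only with phase1-auth-method pre-shared-key, replay-window-size is limited to 4 through 255, remote-address takes the A.B.C.D%ID form, and generate-policy only applies to a passive responder. The following Python is an added example, not F5 tooling: it parses a one-line tmsh create ike-peer command of the form shown in EXAMPLES and reports violations of those rules before the command is issued. The parser's handling of the braced version list and the list of legacy algorithm choices (des, md5, modp768) are this example's own assumptions, not statements of the manual.

```python
"""Added example, not F5's own tooling: parse a one-line tmsh
'create ike-peer NAME { key value ... }' command and check the result
against the cross-option rules stated in the OPTIONS section.  The
WEAK_CHOICES table is this example's own review policy (an assumption),
not something the manual states."""
import re
import shlex

IKEV2_ONLY_AUTH = {"dss", "ecdsa-256", "ecdsa-384", "ecdsa-521"}
ECDH_GROUPS = {"ecp256", "ecp384", "ecp521"}          # IKEv2 only
PSK_FIELDS = ("preshared-key", "preshared-key-encrypted")
VERSION_OPS = ("add", "delete", "replace-all-with")
ADDR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(?:%\d+)?$")
# Example policy, not from the manual: legacy choices a reviewer would flag.
WEAK_CHOICES = {
    "phase1-encrypt-algorithm": {"des"},
    "phase1-hash-algorithm": {"md5"},
    "phase1-perfect-forward-secrecy": {"modp768"},
}


def parse_ike_peer(cmd):
    """Return (name, options).  'version' may be written 'version { v2 }'
    or 'version replace-all-with { v1 v2 }' (see SYNTAX) and comes back
    as a set; every other option is a single string value."""
    t = shlex.split(cmd)
    if len(t) < 5 or t[:2] != ["create", "ike-peer"] or t[3] != "{" or t[-1] != "}":
        raise ValueError("expected: create ike-peer NAME { ... }")
    name, body, opts, i = t[2], t[4:-1], {}, 0
    while i < len(body):
        key = body[i]
        if key == "version":
            j = i + 1
            if j < len(body) and body[j] in VERSION_OPS:
                j += 1                                  # skip the list operator
            if j >= len(body) or body[j] != "{" or "}" not in body[j:]:
                raise ValueError("version requires a braced list")
            close_at = body.index("}", j)
            opts["version"] = set(body[j + 1:close_at])
            i = close_at + 1
        else:
            if i + 1 >= len(body):
                raise ValueError(f"option {key!r} has no value")
            opts[key] = body[i + 1]
            i += 2
    return name, opts


def lint_ike_peer(opts):
    """Return the list of rule violations found in a parsed option dict."""
    f = []
    versions = opts.get("version", {"v1"})              # manual: default is v1
    auth = opts.get("phase1-auth-method")
    if auth in IKEV2_ONLY_AUTH and versions != {"v2"}:
        f.append(f"phase1-auth-method {auth} is supported in IKEv2 only")
    if opts.get("phase1-perfect-forward-secrecy") in ECDH_GROUPS and versions != {"v2"}:
        f.append("ECDH groups (ecp256/ecp384/ecp521) are supported in IKEv2 only")
    if opts.get("my-cert-key-passphrase", "none") != "none" and versions != {"v2"}:
        f.append("my-cert-key-passphrase is supported by IKEv2 only")
    psk_given = [k for k in PSK_FIELDS if k in opts]
    if psk_given and auth != "pre-shared-key":
        f.append(f"{psk_given[0]} is valid only when phase1-auth-method is pre-shared-key")
    if auth == "pre-shared-key" and not psk_given:
        f.append("phase1-auth-method is pre-shared-key but no preshared-key is set")
    if auth in IKEV2_ONLY_AUTH and not all(k in opts for k in ("my-cert-file", "my-cert-key-file")):
        f.append(f"{auth} has no default certificate or key: set my-cert-file and my-cert-key-file")
    rw = opts.get("replay-window-size")
    if rw is not None and not (rw.isdigit() and 4 <= int(rw) <= 255):
        f.append("replay-window-size must be an integer from 4 to 255")
    ra = opts.get("remote-address")
    if ra is not None:
        m = ADDR_RE.match(ra)
        if not m or any(int(octet) > 255 for octet in m.groups()):
            f.append("remote-address must be A.B.C.D or A.B.C.D%ID (route domain)")
    if "v2" in versions and any(k in opts for k in ("peers-cert-file", "peers-cert-type")):
        f.append("peers-cert-file/peers-cert-type are deprecated for IKEv2")
    if opts.get("generate-policy", "off") != "off" and opts.get("passive") != "true":
        f.append("generate-policy applies to a responder only: also set passive true")
    for key, weak in WEAK_CHOICES.items():              # example policy, see docstring
        if opts.get(key) in weak:
            f.append(f"{key} {opts[key]} is a legacy choice (example policy)")
    return f


if __name__ == "__main__":
    # The manual's own EXAMPLES command, joined onto one line.
    _, o = parse_ike_peer("create ike-peer SanJose { remote-address 1.2.3.4 "
                          "preshared-key abc phase1-auth-method pre-shared-key }")
    print(lint_ike_peer(o))                             # prints []
```

Running the module lints the manual's SanJose example and prints an empty list. A command that combines ecdsa-256 with version v1, sets preshared-key alongside a certificate method, or asks for a replay window of 300 is reported before it reaches tmsh, where the error would otherwise surface only at negotiation time.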
SEE ALSO
create, modify, delete, list, tmsh
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or
by any means, electronic or mechanical, including photocopying,
recording, or information storage and retrieval systems, for any
purpose other than the purchaser's personal use, without the express
written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2011-2013, 2015-2016. All rights
reserved.
BIG-IP 2017-08-05 net ipsec ike-peer(1)