net ipsec ike-peer
net ipsec ike-peer(1) BIG-IP TMSH Manual net ipsec ike-peer(1)
NAME
ike-peer - Configures one or more IKE peers for IPsec.
MODULE
net ipsec
SYNTAX
Configure the ike-peer component within the net ipsec module using the syntax in the following sections.
CREATE/MODIFY
create ike-peer [name]
modify ike-peer [name]
options:
app-service [[string] | none]
ca-cert-file [certificate file]
crl-file [CRL file]
description [string]
dpd-delay [integer]
generate-policy [off | on | unique ]
lifetime [minutes]
mode [main | aggressive]
my-cert-file [certificate file]
my-cert-key-file [certificate key file]
my-cert-key-passphrase [none | [string] ]
my-id-type [address | asn1dn | fqdn | keyid-tag | user-fqdn]
my-id-value [string]
nat-traversal [on | off | force]
ocsp-cert-validator [ocsp-cert-validator-name-string]
ocsp-lifetime [minutes]
ocsp-jitter-percent [zero-to-fifty-percent]
passive [true | false]
peers-cert-file [certificate file]
peers-cert-type [certfile | none]
peers-id-type [address | asn1dn | fqdn | keyid-tag | user-fqdn]
peers-id-value [string]
phase1-auth-method [pre-shared-key | rsa-signature | dss | ecdsa-256 | ecdsa-384 | ecdsa-521 ]
phase1-encrypt-algorithm [3des | aes | blowfish | camellia | cast128 | des]
phase1-hash-algorithm [md5 | sha1 | sha256 | sha384 | sha512]
phase1-perfect-forward-secrecy [modp1024 | modp1536 | modp2048 | modp3072 | modp4096 | modp6144 | modp768 | modp8192 | ecp256 | ecp384 | ecp521 ]
preshared-key [string]
preshared-key-encrypted [string]
prf [sha1 | sha256 | sha384 | sha512]
proxy-support [disabled | enabled]
remote-address [ip address]
replay-window-size [integer]
state [disabled | enabled]
traffic-selector [name]
verify-cert [true | false]
version [add | delete | none | replace-all-with] {
[v1|v2]
}
DISPLAY
list ike-peer
list ike-peer [name]
show running-config ike-peer
show running-config ike-peer [name]
options:
all-properties
non-default-properties
one-line
DELETE
delete ike-peer
delete ike-peer [name]
DESCRIPTION
You can use the ike-peer component to modify the IKE phase 1 parameters for each remote IKE peer. The settings
in the default anonymous ike-peer apply to any peer that does not match a more specific ike-peer
directive.
EXAMPLES
create ike-peer SanJose { remote-address 1.2.3.4 preshared-key abc phase1-auth-method pre-shared-key }
Creates an ike-peer named SanJose whose remote address is 1.2.3.4 and that uses a preshared key as the
authentication method.
OPTIONS
app-service
Specifies the name of the application service to which the object belongs. The default value is none.
Note: If the strict-updates option is enabled on the application service that owns the object, you cannot
modify or delete the object. Only the application service can modify or delete the object.
ca-cert-file
Specifies the name of the file that contains the certificates of the trusted root and intermediate
certificate authorities.
crl-file
Specifies the file name of the Certificate Revocation List.
description
User-defined description.
dpd-delay
This option activates Dead Peer Detection (DPD) and sets the time (in seconds) allowed between two
proof-of-liveness requests. The default value is 30. Setting the value to 0 disables DPD monitoring but
still negotiates DPD support.
generate-policy
This directive is for the responder. To use it, set passive to true so the IKE peer is only a responder.
If the responder does not have any policy in the Security Policy Database (SPD) during phase 2
negotiation, and the directive is set to on, then the racoon daemon chooses the first proposal in the
Security Association (SA) payload from the initiator, and generates policy entries from the proposal. It
is useful to negotiate with clients whose IP address is allocated dynamically. If an inappropriate policy
is installed into the responder's SPD by the initiator, other communications might fail due to a policy
mismatch between the initiator and the responder. The initiator ignores this directive. The default value
is off.
lifetime
Specifies the lifetime of an IKE SA that will be proposed in the phase 1 negotiations.
mode
Specifies the exchange mode for phase 1 when racoon is the initiator, or the acceptable exchange mode
when racoon is the responder.
my-cert-file
Specifies the name of my certificate file. The certificate type must match the phase1-auth-method value.
Note that there are no default certificates for DSS and ECDSA authentication methods.
my-cert-key-file
Specifies the name of my certificate key file. The certificate key type must match the phase1-auth-method
value. Note that there are no default keys for DSS and ECDSA authentication methods.
my-cert-key-passphrase
Specifies the passphrase of the key used for my-cert-key-file. Note that only IKEv2 supports a passphrase.
my-id-type
Specifies the identifier type sent to the remote host to use in the phase 1 negotiation.
my-id-value
Specifies the identifier value sent to the remote host to use in the phase 1 negotiation.
nat-traversal
Enables use of the NAT-Traversal IPsec extension (NAT-T). NAT-T allows one or both peers to reside behind
a NAT gateway (that is, performing address- or port-translation). The presence of NAT gateways along the
path is discovered during the phase 1 handshake, and if found, NAT-T is negotiated. When NAT-T is in
charge, all ESP and AH packets of a given connection are encapsulated into UDP datagrams (port 4500, by
default). The options are:
force
NAT-T is used regardless of whether NAT is detected between the peers.
off
NAT-T is not proposed/accepted. This is the default.
on
NAT-T is used when a NAT gateway is detected between the peers.
passive
Specify true if you do not want to be the initiator of the IKE negotiation with this ike-peer.
peers-cert-file
Specifies the peer's certificate for authentication. Deprecated in IKEv2 configuration.
peers-cert-type
Specifies that the only peers-cert-type supported is certfile. Deprecated in IKEv2 configuration.
peers-id-type
Specifies the identifier type expected from the peer: address, fqdn, asn1dn, user-fqdn, or keyid-tag.
peers-id-value
Specifies the peer's identifier to be received. If it is not defined, then the IKE agent will not verify
the peer's identifier in the ID payload transmitted from the peer. The usage of peers-id-type and peers-
id-value is the same as my-id-type and my-id-value, except that the individual component values of an
asn1dn identifier may be specified as * to match any value (for example, "C=XX, O=MyOrg, OU=*, CN=Mine").
phase1-auth-method
Defines the authentication method used for the phase 1 negotiation. Possible values are: pre-shared-key
if using preshared-key, and rsa-signature, dss, ecdsa-256, ecdsa-384 or ecdsa-521 if using X.509
certificate-based authentication. Note that dss and ecdsa certificates are supported in IKEv2 only.
phase1-encrypt-algorithm
Specifies the encryption algorithm used for the ISAKMP phase 1 negotiation. This directive must be
defined. The value is one of the following: des, 3des, blowfish, cast128, aes, or camellia for Oakley.
phase1-hash-algorithm
Defines the hash algorithm used for the ISAKMP phase 1 negotiation. This directive must be defined. The
algorithm is one of the following: md5, sha1, sha256, sha384, or sha512 for Oakley.
phase1-perfect-forward-secrecy
Defines the Diffie-Hellman group for key exchange to provide perfect forward secrecy. This directive must
be set to one of the Diffie-Hellman groups modp768, modp1024, modp1536, modp2048, modp3072, modp4096,
modp6144 and modp8192, or to one of the Elliptic-Curve Diffie-Hellman groups ecp256, ecp384 and ecp521.
Note that ECDH is supported in IKEv2 only.
preshared-key
Specifies the preshared key for ISAKMP SAs. This field is valid only when phase1-auth-method is pre-
shared-key.
preshared-key-encrypted
Specifies the preshared key for ISAKMP SAs. This field is valid only when phase1-auth-method is pre-
shared-key. Stores preshared-key in encrypted form.
prf
Specifies the pseudo-random function used to derive keying material for all cryptographic operations.
proxy-support
If this value is enabled, both values of the ID payloads in the phase 2 exchange are used as the
end-point addresses of the IPsec SAs. This attribute must be enabled, which is the default value. This
field is used only for IKEv1.
remote-address
Specifies the IP address of the IKE remote node. The format required for specifying a route domain ID in
an IP address is A.B.C.D%ID. For example, A.B.C.D%2, where the IP address A.B.C.D pertains to route
domain 2. The route domain ID should be the same as the route domain ID specified in the source/destination
address of the traffic selector associated with this remote node.
replay-window-size
Specifies the replay window size of the IPsec SAs negotiated with the IKE remote node. This window limits
the number of out-of-order IPsec packets that can be received relative to the packet with the highest
sequence number that has been authenticated so far. Packets with older sequence numbers that are outside
this range are rejected. The default value is 64. The valid range is from 4 to 255.
state
Enables or disables this IKE remote node.
traffic-selector
Specifies the names of the traffic-selector objects associated with this ike-peer.
verify-cert
If set to true, the identifier sent by the remote host (as specified in its my_identifier statement) is
compared with the credentials in the certificate as follows:
Type asn1dn: the entire certificate subject name is compared with the identifier, e.g. "C=XX, O=YY, ...".
Type address, fqdn, or user-fqdn: the certificate's subjectAltName is compared with the identifier.
If the two do not match, the negotiation fails. The default value is false, which means the identifier
is not verified against the peer's certificate.
version
Specifies which version of IKE is to be used. The default value is v1. The following versions are available:
v1
Specifies that IKEv1 will be used.
v2
Specifies that IKEv2 will be used.
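As an added example (not part of the F5 man page), a Python audit that parses output laid out like
`list ike-peer` and flags the settings this page documents as legacy, small or unverified; the output layout,
the peer names and the policy thresholds are assumptions, and the SanJose peer reuses the page's own example.

```python
import re
# Constructed sample in the layout of `list ike-peer` output (assumed, not captured from
# a real BIG-IP): the page's SanJose example at weak settings beside a hardened IKEv2 peer.
SAMPLE = """\
net ipsec ike-peer SanJose {
    mode aggressive
    phase1-auth-method pre-shared-key
    phase1-encrypt-algorithm 3des
    phase1-hash-algorithm md5
    phase1-perfect-forward-secrecy modp768
    remote-address 1.2.3.4
}
net ipsec ike-peer Branch2 {
    phase1-auth-method ecdsa-256
    phase1-encrypt-algorithm aes
    phase1-hash-algorithm sha256
    phase1-perfect-forward-secrecy ecp256
    remote-address 10.0.0.2%2
    verify-cert true
    version { v2 }
}
"""
WEAK_ENCRYPT = {"des", "3des", "blowfish", "cast128"}
WEAK_HASH = {"md5", "sha1"}
WEAK_DH = {"modp768", "modp1024", "modp1536"}
CERT_AUTH = {"rsa-signature", "dss", "ecdsa-256", "ecdsa-384", "ecdsa-521"}
# Each check: (predicate over the peer's option dict, finding text). Thresholds are assumed policy.
CHECKS = [
    (lambda o: o.get("phase1-encrypt-algorithm") in WEAK_ENCRYPT, "legacy phase1-encrypt-algorithm"),
    (lambda o: o.get("phase1-hash-algorithm") in WEAK_HASH, "legacy phase1-hash-algorithm"),
    (lambda o: o.get("phase1-perfect-forward-secrecy") in WEAK_DH, "small Diffie-Hellman group"),
    (lambda o: o.get("mode") == "aggressive" and o.get("phase1-auth-method") == "pre-shared-key", "aggressive mode with a preshared key"),
    (lambda o: o.get("phase1-auth-method") in CERT_AUTH and o.get("verify-cert") != "true", "certificate authentication without verify-cert true"),
    (lambda o: o.get("generate-policy") == "on", "generate-policy on: initiator can add SPD entries"),
]
def parse_ike_peers(text):
    """Return {peer_name: {option: value}} from list-style output."""
    peers, current = {}, None
    for raw in text.splitlines():
        m = re.match(r"net ipsec ike-peer (\S+) \{", raw)
        if m:
            current = peers.setdefault(m.group(1), {})
            continue
        line = raw.strip()
        if current is not None and line and line != "}":
            key, _, value = line.partition(" ")
            current[key] = value.strip("{} ")  # "version { v2 }" -> "v2"
    return peers
def audit(text):
    return {name: [msg for ok, msg in CHECKS if ok(o)] for name, o in parse_ike_peers(text).items()}
```

Running `audit(SAMPLE)` reports four findings for SanJose and none for Branch2.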
SEE ALSO
create, modify, delete, list, tmsh
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or by any means, electronic or
mechanical, including photocopying, recording, or information storage and retrieval systems, for any purpose
other than the purchaser's personal use, without the express written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2011-2013, 2015-2016. All rights reserved.
BIG-IP 2019-02-15 net ipsec ike-peer(1)