
crypto-local ipsec-map

crypto-local ipsec-map <ipsec-map-name> <ipsec-map-number>
  client-mode [<nat>|<network>]
  disable
  dst-net <ipsec-map-dst-net> <mask> | any
  dst-net-ipv6 <ipsec-map-dst-net-ipv6> <ipsec-map-dst-prefix-len>
  enrolled-cert-auth
  factory-cert-auth
  force-natt {enable|disable}
  force-tunnel-mode
  ip access-group in <access-group>
  ip-compression {enable|disable}
  load-balance
  local-fqdn <local_id_fqdn>
  monitor <ip> <frequency> <burst count> <retry num>
  no ...
  peer-cert-dn <peer-dn>
  peer-fqdn {any-fqdn|peer-fqdn <peer-id-fqdn>}
  peer-ip <ipaddr>
  peer-ipv6 <ipsec-map-peer-ipv6>
  pre-connect {disable|enable}
  set ca-certificate <cacert-name>
  set ike1-policy <policy-v1-number>
  set ikev2-policy <policy-v2-number>
  set pfs {group1|group2|group14|group19|group20}
  set security-association lifetime kilobytes <kilobytes>
  set security-association lifetime seconds <seconds>
  set server-certificate <cert-name>
  set transform-set <name1> [<name2>] [<name3>] [<name4>]
  src-net <ipsec-map-src-net> vlan <mask> | any
  src-net-ipv6 <ipsec-map-src-net-ipv6> <ipsec-map-src-prefix-len>
  trusted {enable|disable}
  uplink failover {enable|disable}
  version {v1|v2}
  vlan <ipsec-map-vlan-id>

Description

This command configures IPsec mapping for site-to-site VPNs.

Syntax

Each parameter is listed with its description and, where the reference gives them, its range and default value.

<map>
Name of the IPsec map.

<priority>
Priority of the entry.
Range: 1-9998

client-mode [<nat>|<network>]
Enables client-mode, where nat enables NAT mode with any and any, and network enables network mode.

disable
Disables an existing IPsec map. New maps are enabled by default.

dst-net <ipsec-map-dst-net> <ipsec-map-dst-mask> | any
IP address and netmask for the destination network.

dst-net-ipv6 <ipsec-map-dst-net-ipv6> <ipsec-map-dst-prefix-len>
IPv6 address and netmask for the destination network.

enrolled-cert-auth
Enables enrolled certificate authentication for the site-to-site tunnel.

factory-cert-auth
Enables factory certificate authentication for site-to-site VPNs.
Default: Disabled

force-natt
Include this parameter to always enforce UDP 4500 for IKE and IPsec. This option is disabled by default.
Default: Disabled

force-tunnel-mode
Configures the force-tunnel-mode flag.

ip access-group in <access-group>
Configures the IP access group name. Attach a route ACL to the IPsec map for a site-to-site VPN.

When you associate a routing ACL to inbound traffic on a Mobility Master terminating a site-to-site VPN, that ACL can forward traffic as normal, route traffic to a nexthop router on a nexthop list, or redirect traffic over an L3 GRE tunnel or tunnel group. For more information on creating a routing ACL, see ip access-list route.

ip-compression
Enables compression for traffic in an IKEv2 site-to-site tunnel between a master and a local 7000 Series Mobility Master. Compression is disabled by default.
Default: Disabled

load-balance
Enables VPN load balancing for any tunnel.
Default: Disabled

local-fqdn <local_id_fqdn>
If the managed device has a dynamic IP address, you must specify the FQDN of the managed device to configure it as an initiator of IKE aggressive-mode.

monitor <monitor-ip> interval <interval_secs>
Configures a link monitor, where <monitor-ip> is the IP address of the monitor server and interval <interval_secs> is an optional interval in seconds.

no
Negates a configured parameter.

peer-cert-dn <peer-dn>
If you are using IKEv2 to establish a site-to-site VPN to a statically addressed remote peer, identify the peer device by entering its certificate subject name in the Peer Certificate Subject Name field.

peer-fqdn
For site-to-site VPNs with dynamically addressed peers, specify a FQDN for the managed device:
any-fqdn: Any remote FQDN ID
fqdn-id: Unique remote FQDN ID
Default: any-fqdn

peer-ip <ipaddr>
If you are using IKEv1 to establish a site-to-site VPN to a statically addressed remote peer, identify the peer device by entering the IP address of the peer gateway.

NOTE: If you are configuring an IPsec map for a static-ip managed device with a dynamically addressed remote peer, you must leave the peer gateway set to its default value of 0.0.0.0.

peer-ipv6 <ipsec-map-peer-ipv6>
If you are using IKEv1 to establish a site-to-site VPN to a statically addressed remote peer, identify the peer device by entering the IPv6 address of the peer gateway.

NOTE: If you are configuring an IPsec map for a static-ip managed device with a dynamically addressed remote peer, you must leave the peer gateway set to its default value.

pre-connect
Enables or disables pre-connection.
Default: disabled

set ca-certificate <cacert-name>
User-defined name of a trusted CA certificate installed on the Mobility Master. Use the show crypto-local pki TrustedCA command to display the CA certificates that have been imported into the Mobility Master. The CA certificate name must be between 1-64 characters in length.
Range: 1-64 characters

set ike1-policy <policy-v1-number>
Selects an IKEv1 policy for the ipsec-map. Predefined policies are described in the table below.

set ikev2-policy <policy-v2-number>
Selects an IKEv2 policy for the ipsec-map. Predefined policies are described in the table below.

set pfs
If you enable Perfect Forward Secrecy (PFS) mode, new session keys are not derived from previously used session keys. Therefore, if a key is compromised, that compromised key will not affect any previous session keys. To enable this feature, specify one of the following Perfect Forward Secrecy modes:
group1: 768-bit Diffie Hellman prime modulus group.
group2: 1024-bit Diffie Hellman prime modulus group.
group14: 2048-bit Diffie Hellman prime modulus group.
group19: 256-bit random Diffie Hellman ECP modulus group. (For IKEv2 only)
group20: 384-bit random Diffie Hellman ECP modulus group. (For IKEv2 only)
Default: disabled

set security-association lifetime kilobytes <kilobytes>
Configures the lifetime for the security association (SA) in kilobytes.
Range: 1000 - 1000000000 kilobytes

set security-association lifetime seconds <seconds>
Configures the lifetime for the security association (SA) in seconds.
Range: 300-86400 seconds
Default: 7200 seconds

set server-certificate <cert-name>
User-defined name of a server certificate installed for the site-to-site IPsec map. Use the show crypto-local pki ServerCert command to display the server certificates that have been imported into the Mobility Master. The server certificate name must be between 1-64 characters in length.
Range: 1-64 characters

set transform-set <transform-set-name1> [<transform-set-name2>] [<transform-set-name3>] [<transform-set-name4>]
Name of the transform set for this IPsec map. One transform set name is required, but you can specify up to four transform sets. Configure transform sets with the crypto ipsec transform-set command.
Default: default-transform

src-net <ipsec-map-src-net> <ipsec-map-src-mask> | any
IP address and netmask for the source network.

src-net-ipv6 <ipsec-map-src-net-ipv6> <ipsec-map-src-prefix-len>
IPv6 address and netmask for the source network.

trusted
Enables a trusted tunnel.

NOTE: The trusted <disable> sub-parameter is not supported on the managed device. You must always use the trusted <enable> sub-parameter so that the traffic can pass through.
Default: disabled

uplink failover
Enables or disables uplink failover for site-to-site tunnels.
Default: disabled

version
Selects the IKE version for the IPsec map:
v1: IKEv1
v2: IKEv2
Default: v1

vlan <ipsec-map-vlan-id>
VLAN ID. Enter 0 for the loopback, and 4095 for cellular.
Range: 1-4094

Usage Guidelines

You can use Mobility Master instead of VPN concentrators to connect sites at different physical locations.

You can configure separate CA and server certificates for each site-to-site VPN. You can also configure the same CA and server certificates for site-to-site VPN and client VPN. Use the show crypto-local ipsec-map command to display the certificates associated with all configured site-to-site VPN maps; use the tag <map> option to display certificates associated with a specific site-to-site VPN map.

Mobility Master supports site-to-site VPNs with two statically addressed managed devices, or with one static and one dynamically addressed managed device. By default, site-to-site VPN uses IKE Main-mode with Pre-Shared-Keys to authenticate the IKE SA. This method uses the IP address of the peer, and therefore will not work for dynamically addressed peers.

To support site-to-site VPN with dynamically addressed devices, you must enable IKE Aggressive-Mode with authentication based on a Pre-Shared-Key. A managed device with a dynamic IP address must be configured to be the initiator of IKE Aggressive-mode for site-to-site VPN, while the managed device with a static IP address must be configured as the responder of IKE Aggressive-mode.

IKEv2 site-to-site VPNs between Mobility Master and 7000 Series Mobility Master support traffic compression between those devices. When this hardware-based compression feature is enabled, the quality of unencrypted traffic (such as Skype4b or Voice traffic) is not compromised by increased latency or decreased throughput.

Understanding Default IKE policies

ArubaOS includes the following default IKE policies. These policies are predefined and cannot be edited.

Table 1: Default IKE Policy Settings

Policy Name                                    | Policy Number | IKE Version | Encryption Algorithm | Hash Algorithm | Authentication Method | PRF Method     | Diffie-Hellman Group
Default protection suite                       | 10001         | IKEv1       | 3DES-168             | SHA 160        | Pre-Shared Key        | N/A            | 2 (1024 bit)
Default Remote AP Certificate protection suite | 10002         | IKEv1       | AES-256              | SHA 160        | RSA Signature         | N/A            | 2 (1024 bit)
Default Remote AP PSK protection suite         | 10003         |             | AES-256              | SHA 160        | Pre-Shared Key        | N/A            | 2 (1024 bit)
Default Remote AP IKEv2 RSA protection suite   | 1004          | IKEv2       | AES-256              | SHA 160        | RSA Signature         | hmac-sha1      | 2 (1024 bit)
Default Cluster PSK protection suite           | 10005         | IKEv1       | AES-256              | SHA 160        | Pre-Shared Key        | Pre-Shared Key | 2 (1024 bit)
Default IKEv2 RSA protection suite             | 1006          | IKEv2       | AES-128              | SHA 96         | RSA Signature         | hmac-sha1      | 2 (1024 bit)
Default IKEv2 PSK protection suite             | 10007         | IKEv2       | AES-128              | SHA 96         |                       |                |

Pre-shared key

 

hmac-sha1

2 (1024 bit)

Default Suite-B 128bit ECDSAElliptic Curve Digital Signature Algorithm. ECDSA is a cryptographic algorithm that supports the use of public or private key pairs for encrypting and decrypting information. protection suite

10008

IKEv2Internet Key Exchange version 2. IKEv2 uses the secure channel established in Phase 1 to negotiate Security Associations on behalf of services such as IPsec. IKEv2 uses pre-shared key and Digital Signature for authentication. See RFC 4306.

AESAdvanced Encryption Standard. AES is an encryption standard used for encrypting and protecting electronic data. The AES encrypts and decrypts data in blocks of 128 bits (16 bytes), and can use keys of 128 bits, 192 bits, and 256 bits. - 128

SHASecure Hash Algorithm. SHA is a family of cryptographic hash functions. The SHA algorithm includes the SHA, SHA-1, SHA-2 and SHA-3 variants. 256-128

ECDSAElliptic Curve Digital Signature Algorithm. ECDSA is a cryptographic algorithm that supports the use of public or private key pairs for encrypting and decrypting information.-256 Signature

 

hmac-sha2-256

 

Random ECP Group (256 bit)

Default Suite-B 256 bit ECDSAElliptic Curve Digital Signature Algorithm. ECDSA is a cryptographic algorithm that supports the use of public or private key pairs for encrypting and decrypting information. protection suite

10009

IKEv2Internet Key Exchange version 2. IKEv2 uses the secure channel established in Phase 1 to negotiate Security Associations on behalf of services such as IPsec. IKEv2 uses pre-shared key and Digital Signature for authentication. See RFC 4306.

AESAdvanced Encryption Standard. AES is an encryption standard used for encrypting and protecting electronic data. The AES encrypts and decrypts data in blocks of 128 bits (16 bytes), and can use keys of 128 bits, 192 bits, and 256 bits. -256

SHASecure Hash Algorithm. SHA is a family of cryptographic hash functions. The SHA algorithm includes the SHA, SHA-1, SHA-2 and SHA-3 variants. 384-192

ECDSAElliptic Curve Digital Signature Algorithm. ECDSA is a cryptographic algorithm that supports the use of public or private key pairs for encrypting and decrypting information.-384 Signature

 

hmac-sha2-384

 

Random ECP Group (384 bit)

Default Suite-B 128bit IKEv1Internet Key Exchange version 1. IKEv1 establishes a secure authenticated communication channel by using either the pre-shared key (shared secret), digital signatures, or public key encryption. IKEv1 operates in Main and Aggressive modes. See RFC 2409. ECDSAElliptic Curve Digital Signature Algorithm. ECDSA is a cryptographic algorithm that supports the use of public or private key pairs for encrypting and decrypting information. protection suite

10010

IKEv1Internet Key Exchange version 1. IKEv1 establishes a secure authenticated communication channel by using either the pre-shared key (shared secret), digital signatures, or public key encryption. IKEv1 operates in Main and Aggressive modes. See RFC 2409.

AESAdvanced Encryption Standard. AES is an encryption standard used for encrypting and protecting electronic data. The AES encrypts and decrypts data in blocks of 128 bits (16 bytes), and can use keys of 128 bits, 192 bits, and 256 bits.-GCM-128

SHASecure Hash Algorithm. SHA is a family of cryptographic hash functions. The SHA algorithm includes the SHA, SHA-1, SHA-2 and SHA-3 variants. 256-128

 

ECDSAElliptic Curve Digital Signature Algorithm. ECDSA is a cryptographic algorithm that supports the use of public or private key pairs for encrypting and decrypting information.-256 Signature

 

hmac-sha2-256

 

Random ECP Group (256 bit)

Default Suite-B 256‑bit IKEv1Internet Key Exchange version 1. IKEv1 establishes a secure authenticated communication channel by using either the pre-shared key (shared secret), digital signatures, or public key encryption. IKEv1 operates in Main and Aggressive modes. See RFC 2409. ECDSAElliptic Curve Digital Signature Algorithm. ECDSA is a cryptographic algorithm that supports the use of public or private key pairs for encrypting and decrypting information. protection suite

10011

IKEv1Internet Key Exchange version 1. IKEv1 establishes a secure authenticated communication channel by using either the pre-shared key (shared secret), digital signatures, or public key encryption. IKEv1 operates in Main and Aggressive modes. See RFC 2409.

AESAdvanced Encryption Standard. AES is an encryption standard used for encrypting and protecting electronic data. The AES encrypts and decrypts data in blocks of 128 bits (16 bytes), and can use keys of 128 bits, 192 bits, and 256 bits.-GCM-256

SHASecure Hash Algorithm. SHA is a family of cryptographic hash functions. The SHA algorithm includes the SHA, SHA-1, SHA-2 and SHA-3 variants. 256-128

 

ECDSAElliptic Curve Digital Signature Algorithm. ECDSA is a cryptographic algorithm that supports the use of public or private key pairs for encrypting and decrypting information.-256 Signature

 

hmac-sha2-256

 

Random ECP Group (256 bit)

 

When using a default IKE (v1 or v2) policy for an IPsec map, the priority number should be the same as the policy number.

Examples

The following commands configure a site-to-site VPN between two managed devices:

(host) [mynode] (config) #crypto-local ipsec-map sf-chi-vpn 100
src-net 101.1.1.0 255.255.255.0
dst-net 100.1.1.0 255.255.255.0
peer-ip 172.16.0.254
vlan 1
trusted

(host) [mynode] (config) #crypto-local ipsec-map chi-sf-vpn 100
src-net 100.1.1.0 255.255.255.0
dst-net 101.1.1.0 255.255.255.0
peer-ip 172.16.100.254
vlan 1
trusted

For a dynamically addressed managed device that initiates IKE Aggressive-mode for a site-to-site VPN:

(host) [mynode] (config) #crypto-local ipsec-map <ipsec-map-name> <ipsec-map-number>
src-net <ipsec-map-src-net> <ipsec-map-src-mask>
dst-net <ipsec-map-dst-net> <ipsec-map-dst-mask>
peer-ip <ipaddr>
local-fqdn <local_id_fqdn>
vlan <ipsec-map-vlan-id>
pre-connect {enable|disable}
trusted enable

For the pre-shared key:

crypto-local isakmp key <key> address <ipaddr> netmask <mask>

For a static IP managed device that responds to IKE Aggressive-mode for a site-to-site VPN:

(host) [mynode] (config) #crypto-local ipsec-map <ipsec-map-name> <ipsec-map-number>
src-net <ipsec-map-src-net> <ipsec-map-src-mask>
dst-net <ipsec-map-dst-net> <ipsec-map-dst-mask>
peer-ip 0.0.0.0
peer-fqdn fqdn-id <peer_id_fqdn>
vlan <ipsec-map-vlan-id>
trusted enable

For the pre-shared key:

crypto-local isakmp key <key> fqdn <fqdn-id>

For a static IP managed device that responds to IKE Aggressive-mode for a site-to-site VPN with one PSK for all FQDNs:

(host) [mynode] (config) #crypto-local ipsec-map <ipsec-map-name> <ipsec-map-number>
src-net <ipaddr> <mask>
peer-ip 0.0.0.0
peer-fqdn any-fqdn
vlan <id>
trusted enable

For the pre-shared key for all FQDNs:

crypto-local isakmp key <key> fqdn-any

The following example shows the extended address scope (IPv6 peer and networks) together with certificate-based authentication:

(host) [mynode] (config) #crypto-local ipsec-map sparta2vesuvius 100
version v2
set ikev2-policy 10009
peer-ipv6 2004::1
peer-cert-dn "/C=US/ST=HI/L=Camp Smith/O=PACOM/OU=mil/CN=vesuvius.red1.vpn/emailAddress=admin@pacom.mil"
vlan 202
src-net-ipv6 2012:: 64
dst-net-ipv6 2014:: 64
set transform-set "default-gcm256"
set pfs group20
trusted
set ca-certificate red.ca
set server-certificate sparta.red.vpn
!
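A small consistency checker, added here as an illustration and not part of the ArubaOS documentation or product, that parses ipsec-map blocks in the form of the examples above and applies two rules this page states: the two sides of a site-to-site pair must mirror each other's src-net and dst-net, and a map that selects a default IKE policy should carry that policy number as its priority. The sample configuration (including the hypothetical branch-vpn map) is constructed for the example.

```python
import re
# Constructed sample in the form of this page's CLI examples (not page code).
SAMPLE_CONFIG = """\
crypto-local ipsec-map sf-chi-vpn 100
src-net 101.1.1.0 255.255.255.0
dst-net 100.1.1.0 255.255.255.0
peer-ip 172.16.0.254
crypto-local ipsec-map chi-sf-vpn 100
src-net 100.1.1.0 255.255.255.0
dst-net 101.1.1.0 255.255.255.0
peer-ip 172.16.100.254
crypto-local ipsec-map branch-vpn 100
version v2
set ikev2-policy 10009
!
"""
# Default policy numbers as listed in the protection-suite table on this page.
DEFAULT_POLICY_NUMBERS = {10005, 1006, 10007, 10008, 10009, 10010, 10011}
MAP_HEADER = re.compile(r"(?:\(host\).*?#)?crypto-local ipsec-map (\S+) (\d+)$")

def parse_ipsec_maps(text):
    """Return {map_name: {"priority": int, "settings": {keyword: argument}}}."""
    maps, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        m = MAP_HEADER.match(line)
        if m:
            current = {"priority": int(m.group(2)), "settings": {}}
            maps[m.group(1)] = current
        elif current is not None:
            parts = line.split()
            n = 2 if parts[0] == "set" else 1   # "set pfs group20" -> key "set pfs"
            current["settings"][" ".join(parts[:n])] = " ".join(parts[n:])
    return maps

def check_mirror(maps, a, b):
    """Each side's src-net must be the other side's dst-net, or the selectors never match."""
    sa, sb = maps[a]["settings"], maps[b]["settings"]
    return [f"{a} {x} {sa.get(x)} != {b} {y} {sb.get(y)}"
            for x, y in (("src-net", "dst-net"), ("dst-net", "src-net"))
            if sa.get(x) != sb.get(y)]

def check_policy_priority(maps):
    """Apply the note above: a map on a default IKE policy should use that number as its priority."""
    return [f"{name}: priority {m['priority']} but {key} {pol}"
            for name, m in maps.items()
            for key in ("set ike1-policy", "set ikev2-policy")
            for pol in [m["settings"].get(key)]
            if pol and int(pol) in DEFAULT_POLICY_NUMBERS and int(pol) != m["priority"]]
```

Running both checks on SAMPLE_CONFIG reports nothing for the sf-chi/chi-sf pair and flags branch-vpn, whose priority 100 does not match the default policy 10009 it selects.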

Related Commands

| Command | Description |
|---|---|
| show crypto-local ipsec-map | Displays current IPsec map configurations for site-to-site VPNs. |
| crypto-local isakmp disable-ipcomp | Globally disables IP compression on all site-to-site VPNs between Mobility Master and managed devices by disabling compression from the master. |

Command History

| Release | Modification |
|---|---|
| ArubaOS 8.2.0.0 | The enrolled-cert-auth and force-tunnel-mode parameters were added. The syntax was updated to ip access-group in <access-group>. |
| ArubaOS 8.1.0.0 | The any sub-parameter was added to the dst-net and src-net parameters. The client-mode, load-balance, and monitor parameters were added. |
| ArubaOS 8.0.0.0 | Command introduced. |

Command Information

| Platforms | Licensing | Command Mode |
|---|---|---|
| All platforms | The group19 and group20 PFS options require the Advanced Cryptography (ACR) license. All other parameters are available in the base operating system. | Config mode on Mobility Master. |
