Appendix A: IPSec Configuration File
116 NI Series WebConsole & Programming Guide
Internet Key Exchange (IKE)ikeAddPeerAuth
ikeAddPeerAuth
NAME ikeAddPeerAuth – add a peer's authentication information
SYNOPSIS ikeAddPeerAuth=configString
DESCRIPTION This rule is used to specify IKE authentication information between the host and a peer. This
rule may be called multiple times to define a set of peers with which the host will conduct IKE
negotiations.
NOTE Specifying KEYPFS to this function will not enable perfect forward secrecy when negotiating
with the peer unless a DHGROUP is also specified in the Phase 2 attributes, set via
spdSetPropAttrib.
Rule Value:
configString
A string formatted as follows:
peerIpAddress,interfaceIpAddress,proposalName,PFS,
authenticationMethod,authenticationInfo
where
- peerIpAddress is the address of the IKE peer.
- interfaceIpAddress is the local IP address that is to communicate with the peer.
- proposalName is an existing Phase 1 proposal name, defined via ikeSetProp.
- authenticationMethod is PSK (pre-shared key) or RSA (certificate support).
- authenticationInfo depends on authenticationMethod. See below.
When authenticationMethod is PSK, authenticationInfo is the pre-shared key, represented as
printable ASCII.
When authenticationMethod is RSA, authenticationInfo is a string formatted as follows:
localKey,localKeyPassword,localCertificate[,PEER_CERT,peerCertifica
te]
•localKey - The filename where the local peer's key is stored.
•localKeyPassword - The password for the local peer's key. Specify NOPASS if there is no
password. Note that the maximum password length is
MAX_PRIVATE_KEY_PASSWORD_LENGTH.
•localCertificate - The filename where the local peer's certificate is stored.
•peerCertificate - The filename where the remote peer's certificate is locally stored. If
PEER_CERT is specified, any certificate payload(s) received from the remote IKE peer
during IKE phase 1 negotiation will be ignored and the certificate specified in
peerCertificate will be used to authenticate the remote peer.
All keys and certificates are stored on the local file system, in the directory set by the project
facility parameter IKE_CERT_PATH.