Chapter 3. Command Reference

auto-connect-phase2 < enable | disable >

enables phase 2 auto-connect. Use auto-connect if you want to initiate the VPN on startup with IKE phase 2 proposals automatically established.

Note: To enable phase 2 auto-connect, phase 1 auto-connect (auto-connect enable) must also be enabled.

ca-cert < any | certificate-name >

specifies the name of the CA certificate, if you are using certificates for authentication.

dpd < enable | disable >

enables dead peer detection.

local-id-type < ip | email | domain | dn >

configures the identifier that the device will use for validation purposes. Use this if you are using a pre-shared key with aggressive mode. This identifier must match the remote Peer ID Type.

Note: The local IDs for the email address and domain name types are configured in the IKE Proposal. The local ID for the IP address type is the WAN IP address.

local-x509-cert certificate-name

specifies the name of the local certificate if you are using certificates for authentication.

nat-t < enable | disable >

enables NAT-Traversal. Use NAT-Traversal if there is a NAT device between the two VPN devices.

peer-id-type < ip | email | domain | dn >

selects the identifier for the device to use for validation purposes, either IP address, email address or domain name. This must match the local ID type.

pfs < enable | disable >

enables or disables Perfect Forward Secrecy.

phase1-dh-group < 1 | 2 | 5 >

selects the Diffie-Hellman group number for IKE phase 1.

phase1-encryption < des-cbc | 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 >

configures encryption for IKE phase 1. Some options are only valid on the High Encryption agent, which can be downloaded from the TMC.

phase1-integrity < md5 | sha1 >

configures integrity for IKE phase 1.
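The following is an added example, not part of the vendor's reference: a Python audit of the option values listed above, covering the auto-connect dependency from the Note and the local/peer ID type match between two devices. The option names and values come from this page; the device names, the sample settings and the list of weak values are assumptions of the example.

```python
# Added example: audit IKE option values named in this reference.
# The WEAK table is this example's own assessment, not the vendor's.
# Group 5 and sha1 are the strongest values offered here, so they are not flagged.
WEAK = {
    "phase1-encryption": {"des-cbc": "56-bit key", "3des-cbc": "64-bit block size"},
    "phase1-integrity": {"md5": "deprecated hash"},
    "phase1-dh-group": {"1": "768-bit group", "2": "1024-bit group"},
    "pfs": {"disable": "phase 2 keys derived from phase 1 keying material"},
}

def audit_device(name, opts):
    """Return findings for one device's option settings."""
    findings = []
    for opt, weak_values in WEAK.items():
        value = opts.get(opt)
        if value in weak_values:
            findings.append(f"{name}: {opt} {value}: {weak_values[value]}")
    # From the Note: phase 2 auto-connect needs phase 1 auto-connect.
    if opts.get("auto-connect-phase2") == "enable" and opts.get("auto-connect") != "enable":
        findings.append(f"{name}: auto-connect-phase2 enable requires auto-connect enable")
    return findings

def audit_pair(a_name, a, b_name, b):
    """Each side's local-id-type must match the other side's peer-id-type."""
    findings = []
    for (ln, local), (pn, peer) in (((a_name, a), (b_name, b)), ((b_name, b), (a_name, a))):
        lid, pid = local.get("local-id-type"), peer.get("peer-id-type")
        if lid != pid:
            findings.append(f"{ln} local-id-type {lid} != {pn} peer-id-type {pid}")
    return findings

# Constructed settings for two hypothetical devices (not from the reference).
SITE_A = {"auto-connect": "disable", "auto-connect-phase2": "enable",
          "phase1-encryption": "des-cbc", "phase1-integrity": "sha1",
          "phase1-dh-group": "5", "pfs": "enable",
          "local-id-type": "email", "peer-id-type": "ip"}
SITE_B = {"auto-connect": "enable", "auto-connect-phase2": "enable",
          "phase1-encryption": "aes-cbc-256", "phase1-integrity": "md5",
          "phase1-dh-group": "2", "pfs": "disable",
          "local-id-type": "ip", "peer-id-type": "domain"}

if __name__ == "__main__":
    report = (audit_device("site-a", SITE_A) + audit_device("site-b", SITE_B)
              + audit_pair("site-a", SITE_A, "site-b", SITE_B))
    print("\n".join(report))
```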

72 X Family CLI Reference V 2.5.1