Netopia CLI 874 manual Command Line Interface Commands Reference

Models: CLI 874


3-32 Command Line Interface Commands Reference

cp { name | index } ipsec suite encapsulation { esp | ah | esp+ah } [ encryption { des | 3des | null } ]
    [ authentication esp { md5 | hmac-md5-96 | sha1 | hmac-sha1-96 } ]
    [ authentication ah { md5 | hmac-md5-96 | sha1 | hmac-sha1-96 } ]
    [ compression lzs ]

show cp { name | index } ipsec suite

Note: This is an extended version of an existing CLI command. The existing command is modified to add an encapsulation clause and to allow for one or two authentication clauses. See “IPSec/IKE” on page 3-26 for more information.

These commands set or display the IPSec encapsulation, encryption, authentication, and compression parameters for the specified connection profile.

Note: The authentication clause may appear either one or two times; if it appears twice, one occurrence must specify ah and the other must specify esp.

The keywords md5 and hmac-md5-96 are synonyms, although the latter keyword is preferred, the former being retained only for backwards compatibility. The keywords sha1 and hmac-sha1-96 are synonyms, although the latter keyword is preferred, the former being retained only for backwards compatibility.
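An added example, not part of the Netopia manual: a small Python checker that parses a suite command as documented above, enforces the authentication-clause rule, and rewrites the legacy keywords to the preferred ones so that the suites configured on two tunnel peers can be compared as text. The function names are hypothetical, and it assumes a profile name without spaces, accepts the optional clauses in any order, and accepts a command with no authentication clause because the syntax brackets it as optional.

```python
# Added example: validator for the documented "cp ... ipsec suite" syntax.
ENCAPSULATION = {"esp", "ah", "esp+ah"}
ENCRYPTION = {"des", "3des", "null"}
# Legacy keyword -> preferred keyword, per the synonym note in the manual.
SYNONYMS = {"md5": "hmac-md5-96", "sha1": "hmac-sha1-96"}
AUTH_ALGS = set(SYNONYMS) | set(SYNONYMS.values())


def parse_suite(line):
    """Return a dict for one suite command; raise ValueError if malformed."""
    tok = line.split()  # assumption: profile name contains no whitespace
    if len(tok) < 6 or tok[0] != "cp" or tok[2:5] != ["ipsec", "suite", "encapsulation"]:
        raise ValueError("expected: cp <profile> ipsec suite encapsulation ...")
    if tok[5] not in ENCAPSULATION:
        raise ValueError(f"unknown encapsulation {tok[5]!r}")
    suite = {"profile": tok[1], "encapsulation": tok[5],
             "encryption": None, "authentication": {}, "compression": None}
    i = 6
    while i < len(tok):
        kw, args = tok[i], tok[i + 1:i + 3]
        if kw == "encryption" and args[:1] and args[0] in ENCRYPTION:
            suite["encryption"] = args[0]
            i += 2
        elif kw == "compression" and args[:1] == ["lzs"]:
            suite["compression"] = "lzs"
            i += 2
        elif kw == "authentication" and len(args) == 2:
            proto, alg = args
            if proto not in ("esp", "ah") or alg not in AUTH_ALGS:
                raise ValueError(f"bad authentication clause: {proto} {alg}")
            if proto in suite["authentication"]:
                # Two clauses are allowed only as one esp plus one ah.
                raise ValueError(f"authentication {proto} given twice")
            suite["authentication"][proto] = SYNONYMS.get(alg, alg)
            i += 3
        else:
            raise ValueError(f"unexpected token {kw!r} at position {i}")
    return suite


def canonical(line):
    """Re-emit the command with preferred keywords in the documented clause order."""
    s = parse_suite(line)
    out = ["cp", s["profile"], "ipsec", "suite", "encapsulation", s["encapsulation"]]
    if s["encryption"]:
        out += ["encryption", s["encryption"]]
    for proto in ("esp", "ah"):
        if proto in s["authentication"]:
            out += ["authentication", proto, s["authentication"][proto]]
    if s["compression"]:
        out += ["compression", "lzs"]
    return " ".join(out)
```

Running canonical() over the suite line from each peer and comparing the results shows a real mismatch without false alarms from md5 versus hmac-md5-96 spelling.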

cp { name | index } ipsec ip
    [ remote [ members { a.b.c.d | a.b.c.d/n | a.b.c.d e.f.g.h | a.b.c.d-e.f.g.h } ] [ tep a.b.c.d ] ]
    [ local [ members { a.b.c.d | a.b.c.d/n | a.b.c.d e.f.g.h | a.b.c.d-e.f.g.h } ] [ tep a.b.c.d ] ]
    [ via a.b.c.d ]

show cp { name | index } ipsec ip

Note: This is an extended version of an existing CLI command. The existing command is modified to allow a members specification to appear in the local clause and to allow for a host address or an IP address range (rather than a network address and subnet mask) in the remote and local members clauses. See “IPSec/IKE” on page 3-26 for more information.

This command sets the pertinent IP values for the IPSec tunnel, and may contain zero or one instances of each of three possible clauses: remote, local, and via. The remote clause, if specified, may include a members specification or a tunnel endpoint (“tep”) specification, or both. The local clause, if specified, may contain a members specification or a tunnel endpoint specification, or both. The optional via clause sets the next hop gateway. The keyword sg (short for “security-gateway”) is an acceptable synonym for the keyword tep.

cp { name | index } ipsec sa lifetime { seconds | kbytes } { non-negative-integer | none }

show cp { name | index } ipsec sa lifetime [ { seconds | kbytes } ]

no cp { name | index } ipsec sa lifetime [ { seconds | kbytes } ]

These commands set, display, or disable one or both of the two IKE Phase 2 SA lifetimes (in seconds and/or kbytes protected) for the specified IPSec protocol for the specified connection profile. Specifying neither the keyword seconds nor the keyword kbytes with the show variant of this command displays both lifetime values. The keyword none is equivalent to the value zero, and indicates that there is no lifetime of the specified type.
