Chapter 17 IPSec VPN

Table 71 isakmp Commands: IKE SAs (continued)

COMMAND
    DESCRIPTION

group1
group2
group5
    Sets the Diffie-Hellman (DH) group to the specified group.

[no] natt
    Enables NAT traversal. The no command disables NAT traversal.

local-ip {ip {ip | domain_name} | interface interface_name}
    Sets the local gateway address to the specified IP address, domain name, or interface.

peer-ip {ip | domain_name} [ip | domain_name]
    Sets the remote gateway address(es) to the specified IP address(es) or domain name(s).

keystring pre_shared_key
    Sets the pre-shared key that can be used for authentication. The pre_shared_key can be:
    • 8 - 32 alphanumeric characters or ,;`~!@#$%^&*()_+\{}':./<>=-".
    • 16 - 64 hexadecimal (0-9, A-F) characters, preceded by “0x”.
    The pre-shared key is case-sensitive.

local-id type {ip ip | fqdn domain_name | mail e_mail | dn distinguished_name}
    Sets the local ID type and content to the specified IP address, domain name, or e-mail address.

peer-id type {any | ip ip | fqdn domain_name | mail e_mail | dn distinguished_name}
    Sets the peer ID type and content to any value, the specified IP address, domain name, or e-mail address.

[no] xauth type {server xauth_method | client name username password password}
    Enables extended authentication and specifies whether the ZyWALL is the server or client. If the ZyWALL is the server, it also specifies the extended authentication method (aaa authentication profile_name); if the ZyWALL is the client, it also specifies the username and password to provide to the remote IPSec router. The no command disables extended authentication.
    username: You can use alphanumeric characters, underscores (_), and dashes (-), and it can be up to 31 characters long.
    password: You can use most printable ASCII characters. You cannot use square brackets [ ], double quotation marks (“), question marks (?), tabs or spaces. It can be up to 31 characters long.

isakmp policy rename policy_name policy_name
    Renames the specified IKE SA (first policy_name) to the specified name (second policy_name).

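The keystring and xauth rows of Table 71 give exact character and length rules. The following Python checker is an added example, not code from the ZyWALL guide; it validates a candidate pre-shared key, XAUTH username and XAUTH password against those rules before they are committed to a configuration. It assumes that lowercase hex digits are accepted in the 0x form (the table lists only 0-9 and A-F) and that usernames and passwords must be non-empty.

```python
import re
import string

# Character classes transcribed from the keystring and xauth rows of Table 71.
KEY_PUNCTUATION = ",;`~!@#$%^&*()_+\\{}':./<>=-\""
KEY_TEXT_CHARS = set(string.ascii_letters + string.digits + KEY_PUNCTUATION)
# Hex form: "0x" followed by 16-64 hex digits. The table lists 0-9 and A-F;
# accepting lowercase a-f as well is an assumption of this example.
KEY_HEX_RE = re.compile(r"0x[0-9A-Fa-f]{16,64}")
USERNAME_CHARS = set(string.ascii_letters + string.digits + "_-")
# Printable ASCII (0x21-0x7E, so tab and space are already out) minus [ ] " ?
PASSWORD_CHARS = {chr(c) for c in range(0x21, 0x7F)} - set('[]"?')


def _bad_chars(value: str, allowed: set) -> str:
    return "".join(sorted(set(value) - allowed))


def check_keystring(key: str) -> tuple[str, list[str]]:
    """Classify a pre-shared key as 'hex' or 'text' and list rule violations.
    Only a full match of the 0x form counts as hex; anything else is text."""
    if KEY_HEX_RE.fullmatch(key):
        return "hex", []
    problems = []
    if not 8 <= len(key) <= 32:
        problems.append("text key must be 8-32 characters long")
    if bad := _bad_chars(key, KEY_TEXT_CHARS):
        problems.append("text key has disallowed characters: " + repr(bad))
    return "text", problems


def check_xauth_username(name: str) -> list[str]:
    """Username: letters, digits, '_' and '-', 1-31 characters (non-empty assumed)."""
    problems = []
    if not 1 <= len(name) <= 31:
        problems.append("username must be 1-31 characters long")
    if bad := _bad_chars(name, USERNAME_CHARS):
        problems.append("username has disallowed characters: " + repr(bad))
    return problems


def check_xauth_password(password: str) -> list[str]:
    """Password: printable ASCII except [ ] \" ? tab and space, 1-31 characters."""
    problems = []
    if not 1 <= len(password) <= 31:
        problems.append("password must be 1-31 characters long")
    if bad := _bad_chars(password, PASSWORD_CHARS):
        problems.append("password has disallowed characters: " + repr(bad))
    return problems
```

An empty problem list means the value satisfies the table's rules; the returned strings name the rule that was violated so they can be shown to the operator.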

17.2.2 IPSec SA Commands (except Manual Keys)

This table lists the commands for IPSec SAs, excluding manual keys (VPN connections using VPN gateways).

Table 72 crypto Commands: IPSec SAs

COMMAND
    DESCRIPTION

[no] crypto ignore-df-bit
    Fragments packets larger than the MTU (Maximum Transmission Unit) that have the “don’t fragment” bit in the header turned on. The no command has the ZyWALL drop packets larger than the MTU that have the “don’t fragment” bit in the header turned on.

show crypto map [map_name]
    Shows the specified IPSec SA or all IPSec SAs.

crypto map dial map_name
    Dials the specified IPSec SA manually. This command does not work for IPSec SAs using manual keys or for IPSec SAs where the remote gateway address is 0.0.0.0.

[no] crypto map map_name
    Creates the specified IPSec SA if necessary and enters sub-command mode. The no command deletes the specified IPSec SA.


ZyWALL (ZLD) CLI Reference Guide