Specifications
Chapter 5. Configuring Software Options 143
ike ipsec policies set mode <TUNNEL | TRANSPORT> <PolicyName>
Specifies the encapsulation mode (tunnel or transport) that may be used for the connection. The default is
tunnel mode.
ike ipsec policies set proposal <ProposalName> <PolicyName>
Specifies an IKE IPSec proposal that may be used for the connection. (It must have been defined by IKE
IPSec proposal commands.) The policy may allow more than one value for the proposal parameter. For
example, two set proposal commands could specify two proposals, either of which could be used by the
connection.
ike ipsec policies set pfs <none | 1 | 2> <PolicyName>
Sets the Perfect Forward Secrecy negotiation and specifies the Diffie-Hellman group used for each rekey
(none or group 1 or 2). Perfect Forward Secrecy increases the security of the key exchange; compromise
of a single key permits access to only the data protected by that particular key. However, the additional
encryption slows the IKE process so it is not always desirable.
ike ipsec policies set source <IPaddress> <IPmask> <PolicyName>
Requires that the data come from the specified source IP address and mask.
ike ipsec policies set dest <IPaddress> <IPmask> <PolicyName>
Requires that the data be intended for the specified destination IP address and mask.
ike ipsec policies set translate on | off <PolicyName>
Determines whether the router applies NAT (network address translation) before the packets are
encrypted by IPSec. If translate is set to on, the packets are sent using the host router's public IP
address. The remote must have IP address translation enabled (see NAT on page 91). The address that
NAT translates to should be the source or destination address for the policy (use the set source or set
dest commands).
ike ipsec policies set protocol <ProtocolNumber | TCP | UDP | *> <PolicyName>
Requires a specific protocol that must be used or allows any protocol (*).
ike ipsec policies set sourceport <PortNumber | TELNET | HTTP | SMTP | TFTP | *> <PolicyName>
Requires a specific source port for the data or allows any source port (*). (Because port numbers are TCP
and UDP specific, a port filter is effective only when the protocol filter is TCP or UDP.)
ike ipsec policies set destport <PortNumber | TELNET | HTTP | SMTP | TFTP | *> <PolicyName>
Requires a specific destination port for the data or allows any destination port (*). (Because port numbers
are TCP and UDP specific, a port filter is effective only when the protocol filter is TCP or UDP.)
ike ipsec policies set interface <interface> <PolicyName>
Requires a specific interface that must be used or allows all interfaces (all). The policy is only used when
the specified interface is connected. The specified interface must be the interface to the IKE peer.
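As an added example (not from the manual), the following Python checker reads a dump of the `ike ipsec policies set` commands described above and flags the configurations the text warns about: a port filter without a TCP or UDP protocol filter, `pfs none`, and `translate on` with no source or destination address for the NAT address to match. The policy names, proposal names and addresses in the sample are constructed.

```python
"""Audit 'ike ipsec policies set ...' lines against the caveats in the manual:
a port filter needs a TCP/UDP protocol filter, 'pfs none' drops per-rekey DH,
and 'translate on' wants a source/dest for the NAT address to match.
Added example, not from the manual; policy and proposal names are constructed."""
import shlex

PREFIX = ("ike", "ipsec", "policies", "set")
TCP_UDP = {"TCP", "UDP", "6", "17"}  # names or IANA protocol numbers

def parse_policies(text):
    """Group 'set <param> <values...> <PolicyName>' lines into
    {policy: {param: [values]}}; 'proposal' accumulates, others overwrite."""
    policies = {}
    for line in text.splitlines():
        tok = shlex.split(line)
        if len(tok) < 6 or tuple(tok[:4]) != PREFIX:
            continue  # not a policy 'set' command
        param, values, name = tok[4], tok[5:-1], tok[-1]
        p = policies.setdefault(name, {})
        if param == "proposal":
            p.setdefault(param, []).extend(values)
        else:
            p[param] = values
    return policies

def audit(policies):
    findings = []  # list of (policy, finding) pairs
    for name, p in policies.items():
        # No default protocol is given on the page, so unset means 'not TCP/UDP'.
        proto = p.get("protocol", ["*"])[0].upper()
        for port_param in ("sourceport", "destport"):
            port = p.get(port_param, ["*"])[0]
            if port != "*" and proto not in TCP_UDP:
                findings.append((name, f"{port_param} {port} ineffective: protocol filter is {proto}"))
        if p.get("pfs") == ["none"]:
            findings.append((name, "pfs none: no Diffie-Hellman exchange on rekey"))
        if p.get("translate") == ["on"] and not ("source" in p or "dest" in p):
            findings.append((name, "translate on but no source/dest for the NAT address to match"))
    return findings

SAMPLE_CONFIG = """\
ike ipsec policies set proposal ESP_AES Branch
ike ipsec policies set proposal ESP_3DES Branch
ike ipsec policies set pfs 2 Branch
ike ipsec policies set protocol TCP Branch
ike ipsec policies set destport HTTP Branch
ike ipsec policies set pfs none Legacy
ike ipsec policies set protocol * Legacy
ike ipsec policies set destport TELNET Legacy
ike ipsec policies set translate on Legacy
"""
```

Running `audit(parse_policies(SAMPLE_CONFIG))` reports three findings, all against the `Legacy` policy, and none against `Branch`.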