CONFIG IPSEC PEER NEW

Level

vpn+modify

History

Appears in 9.0.0
auto mode appears in 9.0.1
ikeversion appears in 2.0.0
peeridentifier appears in 3.0.0
reauth appears in 3.5.0
inactivity appears in 3.8.0

Description

Create a new peer

Implementation notes

If mode is not defined, it is calculated automatically according to type and identifier.
xauth and xauth_pki authentication methods are IKEv1 only.
Default IKE version is 1.

Usage

name=<peername> dst=<host|any> src=<host|any> conf=<phase1profile> [comment=<str>] [global=<0|1>] [ikeversion=<1|2>] [specific mandatory/optional tokens for this authentication method] [specific mandatory/optional tokens for this IKE version]
IKEV1 TOKENS
method=<psk|pki|xauth|xauth_pki>
[(dpd_mode=<off|passive|low|high>) | (dpd_mode=manual dpd_delay=<num> dpd_retry=<num> dpd_maxfail=<num>)]
[mode=<auto|main|aggressive>]
[backupmode=<temporary|permanent>]
[backuppeer=<peername>]
[responderonly=<0|1>]
[natt=<none|auto|force>]
[checkmode=<strict|claim|obey|exact>]
[ike_frag=<0|1>]
[sharedsa=<0|1>]
IKEV2 TOKENS
method=<psk|pki>
[dpd_mode=<passive|low|high>]
[natt=<auto|force>]
[responderonly=<0|1>]
[ike_frag=<0|1>]
[reauth=<0|1>] : Enable the IKE SA reauthentication when it is about to expire (default is 1)
[inactivity=<num>]
PSK TOKENS
[psk=<key>]
[identifier=<asn1dn|user_fqdn|fqdn|ip>]
[peeridentifier=<asn1dn|user_fqdn|fqdn|ip>]
psk is forbidden for an anonymous peer.
psk can be specified in the roadwarrior psks instead of here.
PKI TOKENS
cert=<certname>
[identifier=<asn1dn|user_fqdn|fqdn|ip>]
[peeridentifier=<asn1dn|user_fqdn|fqdn|ip>]
[peercert=<certname>]
[sendcert=<0|1>]
[sendcr=<0|1>]
In IKEv2, the identifiers have to be confirmed by the certificates.
XAUTH/XAUTH_PKI TOKENS
cert=<certname>

Example

CONFIG IPSEC PEER NEW name=mypeer type=pki dst=host1 src=Firewall_Out conf=myph1 cert=mycert CACHE_CATEGORY_CLONE ipsec_peer
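The token rules above (IKEv1-only and IKEv2-only tokens, the methods each IKE version accepts, the three timers that dpd_mode=manual needs, cert being mandatory for certificate-based methods, psk being forbidden for an anonymous peer) can be checked before a line is sent to the appliance. The linter below is an added example, not Stormshield code; it assumes that an anonymous peer is one with dst=any and that the type= spelling used in the example above is a synonym of method=.

```python
# Added example (not from the Stormshield reference): lint one CONFIG IPSEC PEER NEW line.
# Assumptions: "anonymous peer" means dst=any; "type=" (page example) is a synonym of "method=".
IKEV1_METHODS = {"psk", "pki", "xauth", "xauth_pki"}
IKEV2_METHODS = {"psk", "pki"}
IKEV1_DPD = {"off", "passive", "low", "high", "manual"}
IKEV2_DPD = {"passive", "low", "high"}
IKEV1_ONLY = {"mode", "backupmode", "backuppeer", "checkmode", "sharedsa"}
IKEV2_ONLY = {"reauth", "inactivity"}

def parse_tokens(line: str) -> dict:
    """Split the key=value tokens of a command line into a dict (verb words are skipped)."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)

def lint_peer(line: str) -> list:
    """Return the list of documented constraints that the peer definition violates."""
    t = parse_tokens(line)
    errors = [f"missing mandatory token {k}" for k in ("name", "dst", "src", "conf") if k not in t]
    ike = t.get("ikeversion", "1")  # default IKE version is 1
    method = t.get("method", t.get("type"))  # assumption: type= is a synonym of method=
    if ike == "1":
        methods, dpd_modes, foreign, label = IKEV1_METHODS, IKEV1_DPD, IKEV2_ONLY, "IKEv2"
    else:
        methods, dpd_modes, foreign, label = IKEV2_METHODS, IKEV2_DPD, IKEV1_ONLY, "IKEv1"
    errors += [f"{k} is an {label}-only token" for k in sorted(foreign & t.keys())]
    if method is None:
        errors.append("missing mandatory token method")
    elif method not in methods:
        errors.append(f"method={method} is not valid for IKEv{ike}")
    dpd = t.get("dpd_mode")
    if dpd is not None and dpd not in dpd_modes:
        errors.append(f"dpd_mode={dpd} is not valid for IKEv{ike}")
    if dpd == "manual":  # manual DPD needs its three timers
        errors += [f"dpd_mode=manual requires {k}"
                   for k in ("dpd_delay", "dpd_retry", "dpd_maxfail") if k not in t]
    if method in ("pki", "xauth", "xauth_pki") and "cert" not in t:
        errors.append(f"cert is mandatory for method={method}")
    if "psk" in t and t.get("dst") == "any":
        errors.append("psk is forbidden for an anonymous peer (dst=any)")
    return errors

if __name__ == "__main__":
    # Constructed sample lines; the first one is the page's own example.
    for sample in (
        "CONFIG IPSEC PEER NEW name=mypeer type=pki dst=host1 src=Firewall_Out conf=myph1 cert=mycert",
        "name=rw dst=any src=Firewall_Out conf=myph1 ikeversion=2 method=xauth cert=mycert",
        "name=p2 dst=any src=Firewall_Out conf=myph1 method=psk psk=secret dpd_mode=manual",
    ):
        print(sample, "->", lint_peer(sample) or "ok")
```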