CONFIG IPSEC UPDATE
Level
vpn,modify
History
Appears in Netasq 9.0.0
CRLrequired appears in Netasq 9.0.1
cfg_domain appears in Netasq 9.0.1
DoSProtection appears in 2.3.0
CookieThreshold appears in 2.3.0
BlockThreshold appears in 2.3.0
RetransmitTries appears in 2.3.0
RetransmitTimeout appears in 2.3.0
RetransmitBase appears in 2.3.0
MakeBeforeBreak appears in 3.0.0
NATKeepalive appears in 3.0.0
FragmentSize appears in 3.2.0
IKEDaemon appears in 3.3.0
CheckDuplicatePh1 appears in 4.0.0
CryptoLoadBalance appears in 2.7.3
CryptoLoadBalance can be auto in 4.2.0
IKEDaemon removed in 4.2.0
retry removed in 4.2.0
interval removed in 4.2.0
ph1delay removed in 4.2.0
ph2delay removed in 4.2.0
bindall removed in 4.2.0
PMTUD appears in 4.3.0
UsedInterface appears in 4.3.0
RemoteFetch appears in 4.7.0
UACForceCert appears in 4.7.0
HalfOpenTimeout appears in 4.3.18
MergeGroups appears in 4.8.0
CheckSameUID appears in 4.8.0
FetchTimeout appears in 4.8.0
Description
Update global information about a slot
Usage
slot=<1-10> [cfg_dns=<host>] [cfg_domain=<domain1,domain2,...>] [useoldsa=<0|1>] [certNID=<num>] [LdapField=<str>] [CRLrequired=<0|1>] [UACServCert=<0|1>] [DoSProtection=<0|1>] [CookieThreshold=<num>] [BlockThreshold=<num>] [RetransmitTries=<num>] [RetransmitTimeout=<num>] [RetransmitBase=<float>] [MakeBeforeBreak=<0|1>] [NATKeepalive=<num>] [FragmentSize=<num>] [BypassLocalTraffic=<0|1>] [global=<0|1>] [CheckDuplicatePh1=<0|1>] [CryptoLoadBalance=<0|1|auto>] [PMTUD=<0|1|2>] [UsedInterface=<itf1,itf2,...>] [HalfOpenTimeout=<num>] [MergeGroups=<0|1>] [CheckSameUID=<0|1>] [FetchTimeout=<num>]
- cfg_domain: 32 domains max
- RetransmitBase: min is 1
- NATKeepalive: period in seconds between keepalive packets when NAT is detected (0 to disable)
- FragmentSize: min is 512
- BypassLocalTraffic: set to 1 to generate a bypass policy for each local IP address that is included in the remote IP addresses
- CRLrequired: the certificate is checked with OCSP if available and with the CRL if needed. If all checks fail, no tunnel is negotiated
- CheckDuplicatePh1: each time a phase1 is up on strongSwan, we check if an old one should be deleted.
- CryptoLoadBalance: 0 to disable load balancing, 1 to enable, auto to let SNS choose
- PMTUD: 0 to disable IPsec DF bit, 1 to force DF bit, 2 to set DF bit only if clear packet has DF bit set
- UsedInterface: comma-separated list of interfaces on which strongSwan should listen.
- RemoteFetch: 1 to enable remote CRL / OCSP fetch by IKE daemon, 0 to disable
- HalfOpenTimeout: timeout in seconds for connecting IKE_SAs
- MergeGroups: 1 to merge groups between authentication rounds, 0 to disable
- CheckSameUID: 1 to check that a UID is the same between authentication rounds, 0 to disable
- FetchTimeout: timeout in seconds when fetching a CRL or an OCSP status
Example
CONFIG IPSEC UPDATE slot=01 cfg_dns=host5
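The following Python pre-flight check is an added example, not part of the original reference page: it validates a CONFIG IPSEC UPDATE line against the value ranges given in the Usage line and parameter notes before the command is sent to the appliance. Assumptions: parameter names are matched exactly as spelled in Usage, values contain no whitespace, numeric parameters without a documented minimum accept any non-negative integer, and the function names are hypothetical.

```python
# Added example: constraints transcribed from the Usage line and notes above.
FLAGS = set("useoldsa CRLrequired UACServCert DoSProtection MakeBeforeBreak RemoteFetch "
            "BypassLocalTraffic global CheckDuplicatePh1 MergeGroups CheckSameUID".split())
ENUM = {"CryptoLoadBalance": ("0", "1", "auto"), "PMTUD": ("0", "1", "2")}
# Documented minimum: FragmentSize 512. A floor of 0 for the other <num>
# parameters is an assumption (the page gives no lower bound for them).
INT_MIN = dict.fromkeys("certNID CookieThreshold BlockThreshold RetransmitTries "
                        "RetransmitTimeout NATKeepalive HalfOpenTimeout FetchTimeout".split(), 0)
INT_MIN["FragmentSize"] = 512
FREE = {"cfg_dns", "LdapField", "UsedInterface"}   # free-form strings / lists
PREFIX = "CONFIG IPSEC UPDATE"

def _check(name, value):
    # Returns an error string for one name=value pair, or None if acceptable.
    if name == "slot":
        return None if value.isdecimal() and 1 <= int(value) <= 10 else "must be 1-10"
    if name in FLAGS:
        return None if value in ("0", "1") else "must be 0 or 1"
    if name in ENUM:
        return None if value in ENUM[name] else "must be " + "|".join(ENUM[name])
    if name in INT_MIN:
        ok = value.isdecimal() and int(value) >= INT_MIN[name]
        return None if ok else f"must be an integer >= {INT_MIN[name]}"
    if name == "RetransmitBase":
        try:
            return None if float(value) >= 1 else "min is 1"
        except ValueError:
            return "must be a number"
    if name == "cfg_domain":
        return None if len(value.split(",")) <= 32 else "32 domains max"
    return None if name in FREE else "unknown parameter"

def check_ipsec_update(command):
    """Return a list of problems in a CONFIG IPSEC UPDATE line (empty list = clean)."""
    line = command.strip()
    if not line.upper().startswith(PREFIX):
        return ["not a CONFIG IPSEC UPDATE command"]
    problems, seen = [], {}
    for token in line[len(PREFIX):].split():
        name, sep, value = token.partition("=")
        if not sep or not value:
            problems.append(f"{token}: expected name=value")
        elif name in seen:
            problems.append(f"{name}: given twice")   # ambiguous, reject for review
        else:
            seen[name] = value
    if "slot" not in seen:
        problems.append("slot: required")
    problems += [f"{n}: {e}" for n, v in seen.items() if (e := _check(n, v))]
    return problems
```

UACForceCert appears only in History with no documented values, so this check reports it as an unknown parameter.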