CONFIG IPSEC UPDATE

Level

vpn,modify

History

Appears in Netasq 9.0.0
CRLrequired appears in Netasq 9.0.1
cfg_domain appears in Netasq 9.0.1
DoSProtection appears in 2.3.0
CookieThreshold appears in 2.3.0
BlockThreshold appears in 2.3.0
RetransmitTries appears in 2.3.0
RetransmitTimeout appears in 2.3.0
RetransmitBase appears in 2.3.0
MakeBeforeBreak appears in 3.0.0
NATKeepalive appears in 3.0.0
FragmentSize appears in 3.2.0
IKEDaemon appears in 3.3.0
CheckDuplicatePh1 appears in 4.0.0
CryptoLoadBalance appears in 2.7.3
CryptoLoadBalance can be auto in 4.2.0
IKEDaemon removed in 4.2.0
retry removed in 4.2.0
interval removed in 4.2.0
ph1delay removed in 4.2.0
ph2delay removed in 4.2.0
bindall removed in 4.2.0
PMTUD appears in 4.3.0
UsedInterface appears in 4.3.0
RemoteFetch appears in 4.7.0
UACForceCert appears in 4.7.0
HalfOpenTimeout appears in 4.3.18

Description

Update global information about a slot

Usage

slot=<1-10> [cfg_dns=<host>] [cfg_domain=<domain1,domain2,...>] [useoldsa=<0|1>] [certNID=<num>] [LdapField=<str>] [CRLrequired=<0|1>] [UACServCert=<0|1>] [DoSProtection=<0|1>] [CookieThreshold=<num>] [BlockThreshold=<num>] [RetransmitTries=<num>] [RetransmitTimeout=<num>] [RetransmitBase=<float>] [MakeBeforeBreak=<0|1>] [NATKeepalive=<num>] [FragmentSize=<num>] [BypassLocalTraffic=<0|1>] [global=<0|1>] [CheckDuplicatePh1=<0|1>] [CryptoLoadBalance=<0|1|auto>] [PMTUD=<0|1|2>] [UsedInterface=<itf1,itf2,...>] [HalfOpenTimeout=<num>]
- cfg_domain: 32 domains max
- RetransmitBase: min is 1
- NATKeepalive: period in seconds between keepalive packets when NAT is detected (0 to disable)
- FragmentSize: min is 512
- BypassLocalTraffic: set to 1 to generate a bypass policy for each local IP address that is included in the remote IP addresses
- CRLrequired: certificate is checked with OCSP if available and CRL if needed. If all checks fail, no tunnel is negotiated
- CheckDuplicatePh1: each time a phase1 is up on StrongSwan, we check if an old one should be deleted.
- CryptoLoadBalance: 0 to disable load balancing, 1 to enable, auto to let SNS choose
- PMTUD: 0 to disable IPsec DF bit, 1 to force DF bit, 2 to set DF bit only if clear packet has DF bit set
- UsedInterface: comma-separated list of interfaces on which StrongSwan should listen.
- RemoteFetch: 1 to enable remote CRL / OCSP fetch by IKE daemon, 0 to disable
- HalfOpenTimeout: timeout in seconds for connecting IKE_SAs

Example

CONFIG IPSEC UPDATE slot=01 cfg_dns=host5
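
A pre-flight check for change scripts, written for this page as an added example (not Stormshield code): it checks one CONFIG IPSEC UPDATE line against the tokens, value sets and bounds listed in the Usage section and parameter notes. The function name lint and the sample line are constructed; UACForceCert is not accepted because the page gives no value syntax for it.

```python
import re

PREFIX = "CONFIG IPSEC UPDATE"
BOOL = {"0", "1"}
# Value sets and bounds transcribed from the Usage section and parameter notes.
ENUMS = {k: BOOL for k in ("useoldsa", "CRLrequired", "UACServCert", "DoSProtection",
                           "MakeBeforeBreak", "BypassLocalTraffic", "global",
                           "CheckDuplicatePh1", "RemoteFetch")}
ENUMS.update(CryptoLoadBalance={"0", "1", "auto"}, PMTUD={"0", "1", "2"})
# <num> tokens mapped to (min, max); None means the page states no bound.
NUMS = {k: (None, None) for k in ("certNID", "CookieThreshold", "BlockThreshold",
                                  "RetransmitTries", "RetransmitTimeout",
                                  "NATKeepalive", "HalfOpenTimeout")}
NUMS.update(slot=(1, 10), FragmentSize=(512, None))
FREE = {"cfg_dns", "cfg_domain", "LdapField", "UsedInterface"}  # free-form values

def lint(command):
    """Return the list of problems found in one CONFIG IPSEC UPDATE line."""
    if not command.startswith(PREFIX):
        return ["not a CONFIG IPSEC UPDATE command"]
    problems, seen = [], set()
    for tok in command[len(PREFIX):].split():
        key, sep, val = tok.partition("=")
        if not sep or not val:
            problems.append(f"malformed token: {tok}")
            continue
        if key in seen:
            problems.append(f"duplicate token: {key}")
        seen.add(key)
        if key in ENUMS:
            if val not in ENUMS[key]:
                problems.append(f"{key}: {val!r} not in {sorted(ENUMS[key])}")
        elif key in NUMS:
            lo, hi = NUMS[key]
            if not re.fullmatch(r"[0-9]+", val):
                problems.append(f"{key}: {val!r} is not a number")
            elif (lo is not None and int(val) < lo) or (hi is not None and int(val) > hi):
                problems.append(f"{key}: {val} outside documented range")
        elif key == "RetransmitBase":
            if not re.fullmatch(r"[0-9]+(\.[0-9]+)?", val) or float(val) < 1:
                problems.append(f"RetransmitBase: {val!r} must be a float >= 1")
        elif key in FREE:
            if key == "cfg_domain" and len(val.split(",")) > 32:
                problems.append("cfg_domain: more than 32 domains")
        else:
            problems.append(f"unknown token: {key}")
    if "slot" not in seen:
        problems.append("slot is mandatory")
    return problems

# Constructed sample: a FragmentSize below the minimum and a token not in Usage.
SAMPLE = "CONFIG IPSEC UPDATE slot=01 CRLrequired=1 FragmentSize=256 PMTU=1"
```

An empty list from lint means the line uses only documented tokens with values inside the documented sets and bounds; it does not contact an appliance.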