CONFIG IPSEC PEER NEW
Level
vpn,modify
History
Appears in Netasq 9.0.0
auto mode appears in Netasq 9.0.1
ikeversion appears in 2.0.0
peeridentifier appears in 3.0.0
reauth appears in 3.5.0
inactivity appears in 3.8.0
ikedscp appears in 3.10.0
useclone appears in 4.2.0
force appears in 4.2.0
sharedsa removed in 4.2.0
backupmode removed in 4.2.0
backuppeer removed in 4.2.0
checkmode removed in 4.2.0
dpd_delay removed in 4.2.0
dpd_retry removed in 4.2.0
dpd_maxfail removed in 4.2.0
xauth method removed in 4.2.1
mobike appears in 4.3.0
unique appears in 4.5.0
eap_gtc method appears in 4.8.0
pki_eap_gtc method appears in 4.8.0
groups appears in 4.8.0
UDPEncapPreferred appears in 4.8.0
ocsp appears in 4.8.0
ppk_secret appears in 4.8.0
ppk_id appears in 4.8.0
ppk_required appears in 4.8.0
Description
Create a new peer
Usage
name=<peername> dst=<host|any> src=<host|any> conf=<phase1profile> [comment=<str>] [global=<0|1>] [force=<0|1>] [ikeversion=<1|2>] [dpd_mode=<passive|low|high>] [useclone=<0|1>] [specific mandatory/optional tokens for this authentication method] [specific mandatory/optional tokens for this ike version]
IKEV1 TOKENS
method=<psk|pki|xauth_pki>
[mode=<main|aggressive>]
[responderonly=<0|1>]
[natt=<auto|force>]
[ike_frag=<0|1>]
IKEV2 TOKENS
method=<psk|pki|eap_gtc|pki_eap_gtc>
[natt=<auto|force>]
[responderonly=<0|1>]
[ike_frag=<0|1>]
[reauth=<0|1>] : Enable the IKE SA reauthentication when it is about to expire (default is 1)
[inactivity=<num>]
[mobike=<0|1>]
[groups=<group1[,group2[...]]>] : Comma separated list of groups; at least one should be in a user's groups for this peer to be selected by the IKE daemon
[ocsp=<both|reply|request|never>] : OCSP extension in IKEv2 behavior
PSK TOKENS
[psk=<key>]
[identifier=<asn1dn|user_fqdn|fqdn|ip>]
[peeridentifier=<asn1dn|user_fqdn|fqdn|ip>]
psk can be specified in roadwarrior psks instead of here.
PKI TOKENS
cert=<certname>
[identifier=<asn1dn|user_fqdn|fqdn|ip>]
[peeridentifier=<asn1dn|user_fqdn|fqdn|ip>]
[peercert=<certname>]
[sendcert=<0|1>]
[sendcr=<0|1>]
[ppk_secret=<key>]
[ppk_id=<str>]
[ppk_required=<0|1>]
In IKEv2, the identifiers have to be confirmed by the certificates
XAUTH/XAUTH_PKI TOKENS
cert=<certname>
MISC TOKENS
[unique=<keep|replace|no|never>] : enforce a uniqueness policy, using INITIAL_CONTACT notifies
[ikedscp=(""|<0-63>)]
[UDPEncapPreferred=<on|off>] : force udp encapsulation in DR mode
Example
CONFIG IPSEC PEER NEW name=mypeer method=pki dst=host1 src=Firewall_Out conf=myph1 cert=mycert
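An added helper, not part of this reference or of the appliance's own tooling, that checks a set of tokens against the rules listed above (mandatory tokens, methods allowed per IKE version, cert= for the PKI-based methods, IKEv1-only and IKEv2-only tokens, enumerated values, ikedscp range) before emitting the command line. It assumes a peer without ikeversion= is IKEv1, which this page does not state.

```python
IKE_METHODS = {1: {"psk", "pki", "xauth_pki"}, 2: {"psk", "pki", "eap_gtc", "pki_eap_gtc"}}
IDENT = {"asn1dn", "user_fqdn", "fqdn", "ip"}
ENUMS = {
    "dpd_mode": {"passive", "low", "high"}, "natt": {"auto", "force"},
    "mode": {"main", "aggressive"}, "unique": {"keep", "replace", "no", "never"},
    "ocsp": {"both", "reply", "request", "never"}, "UDPEncapPreferred": {"on", "off"},
    "identifier": IDENT, "peeridentifier": IDENT, "ikeversion": {"1", "2"},
}
FLAGS = {"global", "force", "useclone", "responderonly", "ike_frag", "reauth",
         "mobike", "sendcert", "sendcr", "ppk_required"}
IKEV1_ONLY = {"mode"}
IKEV2_ONLY = {"reauth", "inactivity", "mobike", "groups", "ocsp"}


def build_peer_command(tokens: dict) -> str:
    """Check a token dict against the reference and return the CLI line.

    Values are strings exactly as typed on the command line; the first
    violation found raises ValueError.
    """
    for key in ("name", "dst", "src", "conf", "method"):
        if key not in tokens:
            raise ValueError(f"mandatory token {key}= is missing")
    for key, value in tokens.items():
        if key in ENUMS and value not in ENUMS[key]:
            raise ValueError(f"{key}={value} is not one of {sorted(ENUMS[key])}")
        if key in FLAGS and value not in ("0", "1"):
            raise ValueError(f"{key}= must be 0 or 1")
    # Assumption: no ikeversion= means IKEv1 (the reference gives no default).
    ike = int(tokens.get("ikeversion", "1"))
    method = tokens["method"]
    if method not in IKE_METHODS[ike]:
        raise ValueError(f"method={method} is not available for IKEv{ike}")
    # pki, xauth_pki and pki_eap_gtc all authenticate with a local certificate.
    if "pki" in method and "cert" not in tokens:
        raise ValueError(f"method={method} requires cert=")
    for key in tokens:
        if (key in IKEV1_ONLY and ike != 1) or (key in IKEV2_ONLY and ike != 2):
            raise ValueError(f"{key}= is not an IKEv{ike} token")
    dscp = tokens.get("ikedscp", "")
    if dscp != "" and not 0 <= int(dscp) <= 63:
        raise ValueError("ikedscp must be empty or in 0-63")
    return "CONFIG IPSEC PEER NEW " + " ".join(f"{k}={v}" for k, v in tokens.items())


def peer_is_valid(tokens: dict) -> bool:
    """True when build_peer_command accepts the tokens, False otherwise."""
    try:
        build_peer_command(tokens)
        return True
    except ValueError:
        return False
```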
Cache category clone
ipsec_peer