To display or specify the encryption key auto exchange settings, use the "ipsec ike" command.
Display current settings
msh> ipsec ike {1|2|3|4|default}
To display the settings 1-4, specify the number [1-4].
To display the default setting, specify [default].
Not specifying any value displays all of the settings.
Disable settings
msh> ipsec ike {1|2|3|4|default} disable
To disable the settings 1-4, specify the number [1-4].
To disable the default settings, specify [default].
Specify the user-specific local address / remote address.
msh> ipsec ike {1|2|3|4} {ipv4|ipv6} "local address" "remote address"
Enter the separate setting number [1-4] and the address type, then specify the local and remote addresses.
To set the local or remote address value, specify masklen by entering [/] and an integer 0-32 when setting an IPv4 address. When setting an IPv6 address, specify masklen by entering [/] and an integer 0-128.
Not specifying an address value displays the current setting.
Specify the address type in default setting
msh> ipsec ike default {ipv4|ipv6|any}
Specify the address type for the default setting.
To specify both IPv4 and IPv6, enter [any].
Security policy setting
msh> ipsec ike {1|2|3|4|default} proc {apply|bypass|discard}
Enter the separate setting number [1-4] or [default] and specify the security policy for the address specified in the selected setting.
To apply IPsec to the relevant packets, specify [apply]. To not apply IPsec, specify [bypass].
If you specify [discard], any packets to which IPsec can be applied are discarded.
Not specifying a security policy displays the current setting.
Security protocol setting
msh> ipsec ike {1|2|3|4|default} proto {ah|esp|dual}
Enter the separate setting number [1-4] or [default] and specify the security protocol.
To specify AH, enter [ah]. To specify ESP, enter [esp]. To specify AH and ESP, enter [dual].
Not specifying a protocol displays the current setting.
IPsec requirement level setting
msh> ipsec ike {1|2|3|4|default} level {require|use}
Enter the separate setting number [1-4] or [default] and specify the IPsec requirement level.
If you specify [require], data will not be transmitted when IPsec cannot be used. If you specify [use], data will be sent normally when IPsec cannot be used. When IPsec can be used, IPsec transmission is performed.
Not specifying a requirement level displays the current setting.
Encapsulation mode setting
msh> ipsec ike {1|2|3|4|default} mode {transport|tunnel}
Enter the separate setting number [1-4] or [default] and specify the encapsulation mode.
To specify transport mode, enter [transport]. To specify tunnel mode, enter [tunnel].
If you have set the address type in the default setting to [any], you cannot use [tunnel] in encapsulation mode.
Not specifying an encapsulation mode displays the current setting.
Tunnel end point setting
msh> ipsec ike {1|2|3|4|default} tunneladdr "beginning IP address" "ending IP address"
Enter the separate setting number [1-4] or [default] and specify the tunnel end point beginning and ending IP address.
Not specifying either the beginning or ending address displays the current setting.
IKE partner authentication method setting
msh> ipsec ike {1|2|3|4|default} auth {psk|rsasig}
Enter the separate setting number [1-4] or [default] and specify the authentication method.
Specify [psk] to use a shared key as the authentication method. Specify [rsasig] to use a certificate as the authentication method.
You must also specify the PSK character string when you select [psk].
Note that if you select "Certificate" ([rsasig]), the certificate for IPsec must be installed and specified before it can be used. To install and specify the certificate, use Web Image Monitor.
PSK character string setting
msh> ipsec ike {1|2|3|4|default} psk "PSK character string"
If you select PSK as the authentication method, enter the separate setting number [1-4] or [default] and specify the PSK character string.
Specify the character string in ASCII characters. It cannot be abbreviated.
ISAKMP SA (phase 1) hash algorithm setting
msh> ipsec ike {1|2|3|4|default} ph1 hash {md5|sha1|sha256|sha384|sha512}
Enter the separate setting number [1-4] or [default] and specify the ISAKMP SA (phase 1) hash algorithm.
Not specifying the hash algorithm displays the current setting.
ISAKMP SA (phase 1) encryption algorithm setting
msh> ipsec ike {1|2|3|4|default} ph1 encrypt {des|3des|aes128|aes192|aes256}
Enter the separate setting number [1-4] or [default] and specify the ISAKMP SA (phase 1) encryption algorithm.
Not specifying an encryption algorithm displays the current setting.
ISAKMP SA (phase 1) Diffie-Hellman group setting
msh> ipsec ike {1|2|3|4|default} ph1 dhgroup {1|2|14}
Enter the separate setting number [1-4] or [default] and specify the ISAKMP SA (phase 1) Diffie-Hellman group number.
Specify the group number to be used.
Not specifying a group number displays the current setting.
ISAKMP SA (phase 1) validity period setting
msh> ipsec ike {1|2|3|4|default} ph1 lifetime "validity period"
Enter the separate setting number [1-4] or [default] and specify the ISAKMP SA (phase 1) validity period.
Enter the validity period (in seconds) from 300 to 172800.
Not specifying a validity period displays the current setting.
IPsec SA (phase 2) authentication algorithm setting
msh> ipsec ike {1|2|3|4|default} ph2 auth {hmac-md5|hmac-sha1|hmac-sha256|hmac-sha384|hmac-sha512}
Enter the separate setting number [1-4] or [default] and specify the IPsec SA (phase 2) authentication algorithm.
Separate multiple authentication algorithm entries with a comma (,). The current setting values are displayed in order of highest priority.
Not specifying an authentication algorithm displays the current setting.
IPsec SA (phase 2) encryption algorithm setting
msh> ipsec ike {1|2|3|4|default} ph2 encrypt {null|des|3des|aes128|aes192|aes256}
Enter the separate setting number [1-4] or [default] and specify the IPsec SA (phase 2) encryption algorithm.
Separate multiple encryption algorithm entries with a comma (,). The current setting values are displayed in order of highest priority.
Not specifying an encryption algorithm displays the current setting.
IPsec SA (phase 2) PFS setting
msh> ipsec ike {1|2|3|4|default} ph2 pfs {none|1|2|14}
Enter the separate setting number [1-4] or [default] and specify the Diffie-Hellman group number used for IPsec SA (phase 2) PFS (perfect forward secrecy).
Specify the group number to be used, or [none] to disable PFS.
Not specifying a group number displays the current setting.
IPsec SA (phase 2) validity period setting
msh> ipsec ike {1|2|3|4|default} ph2 lifetime "validity period"
Enter the separate setting number [1-4] or [default] and specify the IPsec SA (phase 2) validity period.
Enter the validity period (in seconds) from 300 to 172800.
Not specifying a validity period displays the current setting.
Reset setting values
msh> ipsec ike {1|2|3|4|default|all} clear
Enter the separate setting number [1-4] or [default] and reset the specified setting. Specifying [all] resets all of the settings, including default.
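As an added example (editor's code, not from the manual or the device), the following Python helper checks one complete setting 1-4 against the keyword sets and ranges listed above (address family and masklen, 300-172800 second lifetimes, PSK string required with [psk]) and emits the msh command sequence in one go; the sample policy, the WEAK avoid-list and the quoting of the address, PSK and lifetime arguments are the editor's assumptions.

```python
import ipaddress
ALLOWED = {  # every value the "ipsec ike" sub-commands above accept, keyed by sub-command
    "proto": {"ah", "esp", "dual"}, "level": {"require", "use"},
    "mode": {"transport", "tunnel"}, "auth": {"psk", "rsasig"},
    "ph1 hash": {"md5", "sha1", "sha256", "sha384", "sha512"},
    "ph1 encrypt": {"des", "3des", "aes128", "aes192", "aes256"},
    "ph1 dhgroup": {"1", "2", "14"},
    "ph2 auth": {"hmac-md5", "hmac-sha1", "hmac-sha256", "hmac-sha384", "hmac-sha512"},
    "ph2 encrypt": {"null", "des", "3des", "aes128", "aes192", "aes256"},
    "ph2 pfs": {"none", "1", "2", "14"},
}
WEAK = {"md5", "hmac-md5", "des", "null", "1"}  # editor's avoid-list; the device still accepts them

def build_commands(num, cfg):
    """Return (msh command lines, warnings) for setting 1-4; raise ValueError on input the device rejects."""
    if num not in (1, 2, 3, 4):
        raise ValueError("setting number must be 1-4")
    fam, p, warn = cfg["family"], f"ipsec ike {num}", []
    nets = [ipaddress.ip_network(a, strict=False) for a in (cfg["local"], cfg["remote"])]
    if any(n.version != {"ipv4": 4, "ipv6": 6}[fam] for n in nets):  # ip_network also checks masklen range
        raise ValueError(f"local and remote must both be {fam} addresses")
    cmds = [f'{p} {fam} "{cfg["local"]}" "{cfg["remote"]}"', f"{p} proc apply"]
    for key, allowed in ALLOWED.items():
        for item in cfg[key].split(","):  # ph2 auth/encrypt take comma lists in priority order
            if item not in allowed:
                raise ValueError(f"{key}: {item!r} not one of {sorted(allowed)}")
            if item in WEAK:
                warn.append(f"{key}: {item} is weak")
        cmds.append(f"{p} {key} {cfg[key]}")
        if key == "auth" and cfg[key] == "psk":  # [psk] needs the PSK character string as well
            psk = cfg.get("psk", "")
            if not psk or not psk.isascii():
                raise ValueError("[psk] requires a non-empty ASCII PSK character string")
            cmds.append(f'{p} psk "{psk}"')
    for ph in ("ph1", "ph2"):
        life = int(cfg[f"{ph} lifetime"])
        if not 300 <= life <= 172800:
            raise ValueError(f"{ph} lifetime {life} outside 300-172800 seconds")
        cmds.append(f'{p} {ph} lifetime "{life}"')
    return cmds, warn

EXAMPLE = {  # constructed sample policy for illustration, not taken from the manual
    "family": "ipv4", "local": "192.0.2.10/32", "remote": "192.0.2.0/24",
    "proto": "esp", "level": "require", "mode": "transport", "auth": "psk",
    "psk": "example-psk-change-me", "ph1 hash": "sha256", "ph1 encrypt": "aes256",
    "ph1 dhgroup": "14", "ph1 lifetime": 28800, "ph2 auth": "hmac-sha256,hmac-sha1",
    "ph2 encrypt": "aes256,aes128", "ph2 pfs": "14", "ph2 lifetime": 3600}

if __name__ == "__main__":
    print("\n".join("msh> " + c for c in build_commands(1, EXAMPLE)[0]))
```

Running the script prints the fifteen msh> lines for setting 1; a policy that picks md5, des, null or group 1 still builds but comes back with a warning for each weak choice.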