Chapter 33 IPSec VPN
ZyWALL Series CLI Reference Guide
33.2.7 IPv4 IKEv2 SA Commands
This table lists the commands for the IPv4 IKEv2 SA.
Table 153 sa Commands: IPv4 IKEv2
COMMAND DESCRIPTION
show ikev2 policy [policy_name]
Shows the specified IKEv2 SA or all IKEv2 SAs.
[no] ikev2 policy policy_name
Creates the specified IKEv2 SA if necessary and enters sub-command
mode. The no command deletes the specified IKEv2 SA.
activate
deactivate
Activates or deactivates the specified IKEv2 SA.
authentication {pre-share | rsa-sig}
Specifies whether to use a pre-shared key or a certificate for
authentication.
certificate certificate-name
Sets the certificate that can be used for authentication.
[no] fall-back
Set this to have the Zyxel Device switch back to the primary address once it
becomes available again, after the connection to the primary address has gone
down and the Zyxel Device has changed to using the secondary connection. The
Zyxel Device then stops using the secondary connection. Users will lose their
VPN connection briefly while the Zyxel Device changes back to the primary
connection. To use this, the peer device at the secondary address cannot
be set to use a nailed-up VPN connection.
fall-back-check-interval <60..86400>
Sets how often (in seconds) the Zyxel Device checks if the primary address
is available.
transform-set isakmp-algo [isakmp_algo [isakmp_algo]]
Sets the encryption and authentication algorithms for each IKEv2 SA
proposal.
isakmp_algo: {des-md5 | des-sha | 3des-md5 | 3des-sha |
aes128-md5 | aes128-sha | aes192-md5 | aes192-sha |
aes256-md5 | aes256-sha | aes256-sha256 | aes256-sha512}
lifetime <180..3000000>
Sets the IKEv2 SA lifetime to the specified value.
group1
group2
group5
group14
group15
group16
group17
group18
Sets the DH group to the specified group.
Different operating systems may support different DH key groups. Check
your operating system documentation.
• For Windows VPN clients, Zyxel SecuExtender perpetual VPN clients
versions 3.8.203.61.32 and earlier support DH1 to DH14.
• For macOS VPN clients, Zyxel SecuExtender subscription VPN clients
versions 1.2.0.7 and later support DH14 to DH21. For Windows VPN
clients, Zyxel SecuExtender subscription VPN clients versions 5.6.80.007
and later support DH14 to DH21.
• Windows versions 7, 10, 11 built-in IKEv2 VPN clients support DH2 by
default.
• macOS versions 14.2 and later built-in IKEv2 VPN clients support DH14
by default.
• iOS versions 10.15 and later built-in IKEv2 VPN clients support DH14 by
default.
local-ip {ip {ip | domain_name} | interface interface_name}
Sets the local gateway address to the specified IP address, domain name,
or interface.
peer-ip {ip | domain_name} [ip | domain_name]
Sets the remote gateway address(es) to the specified IP address(es) or
domain name(s).
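
Added example, not part of the Zyxel guide: a small Python check that reads IKEv2 policy blocks written with the commands in this table and reports the proposals and DH groups a reviewer would want to raise. The sample configuration is constructed; the block terminators (exit, !), the choice of what counts as weak (DES, 3DES, MD5; DH groups 1, 2 and 5) and the function name audit_ikev2 are assumptions of this example.

```python
import re

# isakmp_algo values listed in Table 153 on this page.
ALGOS = {"des-md5", "des-sha", "3des-md5", "3des-sha", "aes128-md5",
         "aes128-sha", "aes192-md5", "aes192-sha", "aes256-md5",
         "aes256-sha", "aes256-sha256", "aes256-sha512"}
# Assumed review policy (not from the page): what counts as weak.
WEAK_CIPHERS, WEAK_HASHES, WEAK_GROUPS = {"des", "3des"}, {"md5"}, {1, 2, 5}

# Constructed sample built from the page's command syntax, not device output.
# Ending a policy block with "exit" or "!" is an assumption of this example.
SAMPLE = """\
ikev2 policy BRANCH_LEGACY
 authentication pre-share
 transform-set des-md5 aes256-sha256
 group2
exit
ikev2 policy HQ_CERT
 authentication rsa-sig
 certificate hq_cert
 transform-set aes256-sha512
 group14
exit
"""

def audit_ikev2(config):
    """Return {policy_name: [findings]} for each 'ikev2 policy' block."""
    findings, policy = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        start = re.fullmatch(r"ikev2 policy (\S+)", line)
        group = re.fullmatch(r"group(\d+)", line)
        if start:
            policy = start.group(1)
            findings[policy] = []
        elif policy is None or line in ("exit", "!"):
            policy = None  # outside any policy block
        elif line.startswith("transform-set "):
            # Keep only tokens that are isakmp_algo values from the page.
            for algo in [t for t in line.split()[1:] if t in ALGOS]:
                cipher, digest = algo.split("-")
                if cipher in WEAK_CIPHERS or digest in WEAK_HASHES:
                    findings[policy].append("weak proposal " + algo)
        elif group and int(group.group(1)) in WEAK_GROUPS:
            findings[policy].append("weak DH " + line)
    return findings

if __name__ == "__main__":
    print(audit_ikev2(SAMPLE))
```

A policy with an empty findings list offered only proposals and a DH group outside the assumed weak sets.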