Chapter 15 IPSec VPN
ZyWALL (ZLD) CLI Reference Guide
Table 63 isakmp Commands: IKE SAs (continued)
COMMAND
    DESCRIPTION

peer-ip {ip | domain_name} [ip | domain_name]
    Sets the remote gateway address(es) to the specified IP address(es) or domain name(s).

authentication {pre-share | rsa-sig}
    Specifies whether to use a pre-shared key or a certificate for authentication.

keystring pre_shared_key
    Sets the pre-shared key that can be used for authentication. The PRE_SHARED_KEY can be:
    • 8 - 32 alphanumeric characters or ,;|`~!@#$%^&*()_+\{}':./<>=-".
    • 16 - 64 hexadecimal (0-9, A-F) characters, preceded by "0x".
    The pre-shared key is case-sensitive.

certificate certificate-name
    Sets the certificate that can be used for authentication.

local-id type {ip ip | fqdn domain_name | mail e_mail | dn distinguished_name}
    Sets the local ID type and content to the specified IP address, domain name, e-mail address, or distinguished name.

peer-id type {any | ip ip | fqdn domain_name | mail e_mail | dn distinguished_name}
    Sets the peer ID type and content to any value, or to the specified IP address, domain name, e-mail address, or distinguished name.

[no] xauth type {server xauth_method | client name username password password}
    Enables extended authentication and specifies whether the ZyWALL is the server or client. If the ZyWALL is the server, it also specifies the extended authentication method (aaa authentication profile_name); if the ZyWALL is the client, it also specifies the username and password to provide to the remote IPSec router. The no command disables extended authentication.
    username: You can use alphanumeric characters, underscores (_), and dashes (-), and it can be up to 31 characters long.
    password: You can use most printable ASCII characters. You cannot use square brackets [ ], double quotation marks ("), question marks (?), tabs or spaces. It can be up to 31 characters long.

15.2.2 IPSec SA Commands (except Manual Keys)
This table lists the commands for IPSec SAs, excluding manual keys (VPN connections using VPN gateways).
Table 64 crypto Commands: IPSec SAs
COMMAND
    DESCRIPTION

[no] crypto ignore-df-bit
    Fragments packets larger than the MTU (Maximum Transmission Unit) that have the "don't fragment" (DF) bit set in the header. The no command has the ZyWALL drop packets larger than the MTU that have the "don't fragment" bit set in the header.

show crypto map [map_name]
    Shows the specified IPSec SA or all IPSec SAs.

crypto map dial map_name
    Dials the specified IPSec SA manually. This command does not work for IPSec SAs using manual keys or for IPSec SAs where the remote gateway address is 0.0.0.0.
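The keystring, peer-id and xauth rows of Table 63 define concrete value rules (key length and character set, the hex form prefixed with 0x, the 31-character username and password limits and the password's excluded characters). The following Python linter encodes those rules so an IKE policy can be checked before it is pasted into the device; it is an added example, not code from the guide or from ZyXEL, and the dictionary layout it reads (keys such as "authentication", "keystring", "peer-id" and "xauth") and the sample policies are constructed here for illustration only.

```python
import re
import string

# Characters the guide allows in a plain (non-hex) pre-shared key:
# alphanumerics plus ,;|`~!@#$%^&*()_+\{}':./<>=-"
PSK_SPECIALS = ",;|`~!@#$%^&*()_+\\{}':./<>=-\""
PSK_PLAIN_ALLOWED = set(string.ascii_letters + string.digits + PSK_SPECIALS)
# Hex form: "0x" followed by 16-64 hexadecimal digits (the guide lists 0-9, A-F).
HEX_PSK_RE = re.compile(r"^0x[0-9A-F]{16,64}$")
# xauth username: alphanumerics, underscores and dashes, up to 31 characters.
XAUTH_USER_RE = re.compile(r"^[A-Za-z0-9_-]{1,31}$")
# xauth password: printable ASCII, up to 31 characters, minus the listed exclusions
# (tab is caught by the printable-range check below, space by this set).
XAUTH_PW_FORBIDDEN = set('[]"? ')


def check_pre_shared_key(key: str) -> list[str]:
    """Return the rule violations for a keystring value (empty list = accepted)."""
    problems = []
    if key.startswith("0x"):
        if not HEX_PSK_RE.match(key):
            problems.append("hex key must be 0x followed by 16-64 hex digits (0-9, A-F)")
        return problems
    if not 8 <= len(key) <= 32:
        problems.append(f"plain key length {len(key)} is outside 8-32 characters")
    bad = sorted(set(key) - PSK_PLAIN_ALLOWED)
    if bad:
        problems.append(f"plain key contains disallowed characters {bad}")
    return problems


def check_xauth_client(username: str, password: str) -> list[str]:
    """Return the rule violations for an 'xauth type client name ... password ...' pair."""
    problems = []
    if not XAUTH_USER_RE.match(username):
        problems.append("username must be 1-31 alphanumerics, underscores or dashes")
    if not 1 <= len(password) <= 31:
        problems.append(f"password length {len(password)} is outside 1-31 characters")
    if any(not 0x20 <= ord(c) <= 0x7E for c in password):
        problems.append("password contains tab, control or non-ASCII characters")
    if any(c in XAUTH_PW_FORBIDDEN for c in password):
        problems.append("password contains [ ], double quotes, ? or space")
    return problems


def lint_ike_policy(policy: dict) -> list[str]:
    """Lint one isakmp policy given in the (assumed) dictionary layout used below."""
    findings = []
    auth = policy.get("authentication")
    if auth == "pre-share":
        findings += check_pre_shared_key(policy.get("keystring", ""))
    elif auth == "rsa-sig":
        if not policy.get("certificate"):
            findings.append("rsa-sig selected but no certificate name is set")
    else:
        findings.append(f"unknown authentication mode {auth!r}")
    # peer-id type any accepts any peer ID; pin an ip/fqdn/mail/dn value when the peer is fixed.
    if policy.get("peer-id", {}).get("type") == "any":
        findings.append("peer-id type any: peer identity is not pinned")
    xauth = policy.get("xauth")
    if xauth and xauth.get("type") == "client":
        findings += check_xauth_client(xauth["name"], xauth["password"])
    return findings


# Constructed sample policies (not from the guide); addresses use documentation ranges.
SAMPLE_POLICIES = {
    "branch-hex-psk": {
        "authentication": "pre-share",
        "keystring": "0x0123456789ABCDEF",
        "peer-id": {"type": "ip", "value": "203.0.113.10"},
    },
    "weak-psk-any-peer": {
        "authentication": "pre-share",
        "keystring": "short",
        "peer-id": {"type": "any"},
    },
    "cert-without-name": {
        "authentication": "rsa-sig",
        "peer-id": {"type": "dn", "value": "CN=hq.example.com"},
    },
    "xauth-client": {
        "authentication": "pre-share",
        "keystring": "Br@nch-Office!2024",
        "peer-id": {"type": "fqdn", "value": "vpn.example.com"},
        "xauth": {"type": "client", "name": "branch_user", "password": "p?ss word"},
    },
}

if __name__ == "__main__":
    for name, policy in SAMPLE_POLICIES.items():
        print(name, "->", lint_ike_policy(policy) or "ok")
```

Running the block prints one line per sample policy: the hex-key policy passes, the second reports both the 5-character key and the unpinned peer ID, the third reports the missing certificate name, and the xauth policy is rejected only for the "?" and space in its password.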