interface tunnel ipsec

Configuration Commands : interface tunnel ipsec

interface tunnel ipsec

Description

Use the interface tunnel ipsec command to create IPSec (Internet Protocol Security) options for this tunnel.

Syntax

interface tunnel <tunnel name> ipsec {disable | enable}

interface tunnel <tunnel name> ipsec enable preshared-key <key>

interface tunnel <tunnel name> ipsec enable replay-check-window {64 | 1024 | disable | auto}

Arguments

<tunnel name>

Specifies the name for this tunnel.

disable

Disables IPSec for this tunnel.

enable

Enables IPSec for this tunnel.

enable preshared-key <key>

Configures preshared key for IPSec for this tunnel.

replay-check-window {64 | 1024 | disable | auto}

Configures the IPSec anti-replay-check window for this tunnel.

The IPSec Anti-replay window provides protection against an attacker duplicating encrypted packets by assigning a unique sequence number to each encrypted packet. The decryptor keeps track of which packets it has seen on the basis of these numbers.

The default window size is 64 packets.

Defaults

None.

Command Mode

Global Configuration Mode

See Also

See the following related commands:

n

“interface tunnel admin”

n

“interface tunnel control-packet”

n

“interface tunnel create”

n

“interface tunnel gre-protocol”

n

“interface tunnel max-bandwidth”

n

“interface tunnel min-bandwidth”

n

“interface tunnel mode”

n

“interface tunnel mtu”

n

“interface tunnel packet”

n

“interface tunnel revert”

n

“interface tunnel threshold”

n

“interface tunnel udp-flow”

n

“interface tunnel udp-port”

n

“show interfaces tunnel”

Usage Guidelines

To see a list of the available tunnel names you may use, enter the following command:

<silver-peak> (config) # interface tunnel ?

Configurable IPSEC anti-replay Window

In environments with significant out-of-order packet delivery, IPSec may drop packets that are outside of the anti-replay window.

n

To determine whether packets are falling outside of the antireplay window, execute the following CLI command:

show interfaces tunnel <tunnel name> stats ipsec

and look for increases in “Total bytes dropped in replay check”.

n

To change the IPSec anti-replay window, use the following CLI command:

interface tunnel <tunnel name> ipsec replay-check-window <64|1024|disable|auto>

Examples

None.

<tunnel name>	Specifies the name for this tunnel.
disable	Disables IPSec for this tunnel.
enable	Enables IPSec for this tunnel.
enable preshared-key <key>	Configures preshared key for IPSec for this tunnel.
replay-check-window {64 \| 1024 \| disable \| auto}	Configures the IPSec anti-replay-check window for this tunnel. The IPSec Anti-replay window provides protection against an attacker duplicating encrypted packets by assigning a unique sequence number to each encrypted packet. The decryptor keeps track of which packets it has seen on the basis of these numbers. The default window size is 64 packets.

Please send comments or suggestions regarding user documentation to techpubs@silver-peak.com.