PreIpsecRules |
This object specifies an index in the IPsec traffic
table containing a list of traffic definitions which
have to be considered prior to the traffic lists of
the IPSec peers in IPSec traffic processing.
It may contain either pass or drop entries (protect entries
are ignored if erroneously configured). |
DefaultRule |
This object specifies how to treat packets which do not match
any entry in the traffic lists of the active peers or the
pre- and post-IPSec rules.
Possible values:
drop(1), -- drop all packets
pass(2) -- allow all packets to pass in plain text. |
Use32BitCpi |
This object specifies whether the CPI values in IKE IPComp
negotiations should be sent as 32 bit numbers.
Possible values:
true(1), -- send CPI as 32 bit numbers
false(2) -- send CPI as 16 bit numbers. |
NoWellKnownCpis |
This object specifies whether the well-known CPI values
should be used in IKE IPComp negotiations. If set to true,
IKE will allocate random CPI values from the negotiable
range 256-61439.
Possible values:
true(1), -- do not use the well-known CPI values
false(2) -- use the well-known CPI values. |
NoPmtuDiscovery |
This object specifies the default PMTU discovery policy
if the ipsecPeerPmtuDiscovery flag is set to default.
Possible values:
true(1), -- do not perform PMTU discovery
false(2) -- perform PMTU discovery. |
DefaultPmtuTtl |
This object specifies the time-to-live (in minutes) of a
PMTU value derived from an ICMP PMTU message
received for an IPSec packet. After this time, the MTU is
increased step-by-step using the values from RFC 1191 until
a new ICMP PMTU message is received. A TTL value of 0 means
infinite. |
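The ageing behaviour DefaultPmtuTtl describes, as an added example that is not part of the MIB text: a learned PMTU is kept for the TTL, then raised one RFC 1191 plateau at a time until the link MTU is reached or a new ICMP message lowers it again. The plateau table is the one from RFC 1191; the class, its method names and the timestamps are constructed for illustration.

```python
# Added example, not part of the MIB text: a model of the PMTU ageing that
# DefaultPmtuTtl describes. The plateau table is the one from RFC 1191;
# the class, its method names and the timestamps are constructed.
RFC1191_PLATEAUS = (68, 296, 508, 1006, 1492, 2002, 4352, 8166, 17914, 32000, 65535)


class PmtuEntry:
    def __init__(self, link_mtu, ttl_minutes):
        self.link_mtu = link_mtu          # upper bound: the outgoing interface MTU
        self.ttl = ttl_minutes * 60       # seconds; 0 means the learned value never ages
        self.mtu = link_mtu
        self.learned_at = None            # time the current value was learned or raised

    def on_icmp_pmtu(self, reported_mtu, now):
        """ICMP 'fragmentation needed' received: lower the PMTU and restart the TTL."""
        if 0 < reported_mtu < self.mtu:
            self.mtu = reported_mtu
            self.learned_at = now

    def current_mtu(self, now):
        """PMTU to use at time `now`; steps up one plateau per expired TTL check."""
        if self.learned_at is None or self.ttl == 0:
            return self.mtu
        if now - self.learned_at >= self.ttl:
            # Next larger plateau from the RFC 1191 table, capped at the link MTU.
            bigger = next((p for p in RFC1191_PLATEAUS if p > self.mtu), self.link_mtu)
            self.mtu = min(bigger, self.link_mtu)
            # Keep ageing until the link MTU is reached again.
            self.learned_at = now if self.mtu < self.link_mtu else None
        return self.mtu


if __name__ == "__main__":
    e = PmtuEntry(link_mtu=1500, ttl_minutes=10)
    e.on_icmp_pmtu(1400, now=0)
    for t in (0, 599, 600, 1200):
        print(t, e.current_mtu(t))
```

With a 1500 byte link and a ten minute TTL, a reported PMTU of 1400 is used for 600 seconds, then raised to the 1492 plateau, then to the link MTU. With a TTL of 0 the learned value stays until the next ICMP message.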
PrivateInterface |
This object specifies the index of the system's private
interface. If the private interface is set (i.e. non-negative),
certain address spoofing attacks are made impossible from IPSec
itself. |
SaSyncInterface |
This object specifies whether IKE and IPSec SAs should be
deleted if the interface over which the packets were
initially sent goes down or becomes dormant.
Possible values:
true(1), -- delete SAs
false(2) -- do not delete SAs. |
PostIpsecRules |
This object specifies an index in the IPsec traffic
table containing a list of traffic definitions which
have to be considered after the traffic lists of
the IPSec peers in IPSec traffic processing.
It may contain either pass or drop entries (protect entries
are ignored if erroneously configured). |
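The processing order that PreIpsecRules, the peers' traffic lists, PostIpsecRules and DefaultRule together describe, as an added example that is not part of the MIB text: pre rules first (pass/drop only, protect entries skipped), then the peer lists in order with first match winning, then post rules (again pass/drop only), and finally DefaultRule for anything unmatched. The rule fields, peer names and sample addresses are constructed for illustration.

```python
# Added example, not part of the MIB text: a toy model of the IPSec traffic
# processing order the PreIpsecRules, peer traffic lists, PostIpsecRules and
# DefaultRule objects describe. Rule fields, packet addresses and the peer
# names are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

DROP, PASS = 1, 2            # DefaultRule enumeration values from the page


@dataclass(frozen=True)
class Rule:
    src: str                 # source network in CIDR notation
    dst: str                 # destination network in CIDR notation
    action: str              # "pass", "drop" or "protect"

    def matches(self, src_ip, dst_ip):
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst))


def classify(src_ip, dst_ip, pre_rules, peer_lists, post_rules, default_rule):
    """Return (action, stage) for a packet, walking the stages in order."""
    # Stage 1: pre-IPSec rules. Only pass/drop entries count; a protect
    # entry that was configured here by mistake is skipped.
    for r in pre_rules:
        if r.action in ("pass", "drop") and r.matches(src_ip, dst_ip):
            return r.action, "pre"
    # Stage 2: the traffic lists of the active peers, first match wins.
    for peer, rules in peer_lists:
        for r in rules:
            if r.matches(src_ip, dst_ip):
                return r.action, "peer:" + peer
    # Stage 3: post-IPSec rules, again pass/drop only.
    for r in post_rules:
        if r.action in ("pass", "drop") and r.matches(src_ip, dst_ip):
            return r.action, "post"
    # Stage 4: nothing matched, apply DefaultRule.
    return ("drop" if default_rule == DROP else "pass"), "default"


# Constructed sample configuration.
PRE_RULES = [
    Rule("0.0.0.0/0", "192.0.2.53/32", "pass"),     # name server reachable in clear
    Rule("10.0.0.0/8", "10.0.0.0/8", "protect"),    # misconfigured here: ignored
]
PEER_LISTS = [
    ("branch-a", [Rule("10.1.0.0/16", "10.2.0.0/16", "protect")]),
    ("branch-b", [Rule("10.1.0.0/16", "10.3.0.0/16", "protect"),
                  Rule("10.1.0.0/16", "10.3.9.0/24", "drop")]),   # shadowed by the line above
]
POST_RULES = [Rule("10.0.0.0/8", "0.0.0.0/0", "drop")]          # no private traffic in clear


def demo(src_ip, dst_ip, default_rule=DROP):
    return classify(src_ip, dst_ip, PRE_RULES, PEER_LISTS, POST_RULES, default_rule)


if __name__ == "__main__":
    for pkt in [("10.1.1.1", "192.0.2.53"), ("10.1.1.1", "10.2.0.7"),
                ("10.1.1.1", "10.3.9.5"), ("10.1.1.1", "10.1.2.3"),
                ("172.16.0.1", "198.51.100.1")]:
        print(pkt, demo(*pkt))
```

Two things worth noticing in the sample: the protect entry in the pre rules has no effect, so 10.1.1.1 to 10.1.2.3 falls through to the post rules and is dropped rather than protected, and the drop entry for 10.3.9.0/24 in branch-b's list never fires because the wider protect entry above it matches first.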
DefaultPfsIdentity |
This object specifies whether IKE SAs should be deleted
immediately after a phase 2 (IPSec) SA pair has been
negotiated.
It may be overridden by the individual settings for a peer
entry if the ipsecPeerPfsIdentity is not set to 'default'.
The consequence of enabling this feature is that before each
phase 2 negotiation there always has to be a phase 1
negotiation. Thus individual phase 2 SAs cannot be
associated with one another: even if the identity of the
remote peer behind one SA is known to an eavesdropper, he
cannot conclude that the next SA is negotiated with the
same remote peer.
Note: Setting this flag only makes sense if configured
together with id-protect mode or RSA encryption for
authentication and if the IP address of the remote
peer does not allow conclusions about its identity
(i.e. dynamic remote peer addresses).
Possible values:
true(1), -- delete phase 1 SAs
false(2) -- do not delete phase 1 SAs. |
IkeLoggingLevel |
This object specifies the IKE logging level.
IKE log messages are output as syslog messages on level debug.
Note that the global syslog table level must be set to debug
in order to see these messages.
Possible values:
0: no IKE log messages
... 3: IKE error output
... 6: IKE trace output
... 9: IKE detailed results output
10 ...: hexdumps of IKE messages. |
DialBlockTime |
Amount of time in minutes an ipsecDial entry remains
in state blocked-for-outgoing after a cost producing trigger
call was detected.
The special value -1 means the entry stays blocked until
unblocked manually by deactivating the entry and reactivating
it afterwards.
Default value is -1. |
PfsIdentityDelay |
This object specifies the number of seconds to wait before
deleting the underlying phase 1 SA after a Phase 2 SA has
been established, if PFS for identity is configured. |
HeartbeatDefault |
This object specifies whether heartbeats should be sent
over phase 1 SAs.
Possible values:
none(1), -- neither send nor expect heartbeats
expect(2), -- expect heartbeats
send(3), -- send heartbeats
both(4) -- send and expect heartbeats. |
HeartbeatInterval |
This object specifies the time interval in seconds between
heartbeats. At this rate heartbeats are sent and/or
expected if configured. |
HeartbeatTolerance |
This object specifies the maximum number of missing heartbeats
allowed before an SA is discarded. |
MinFcChangeDelay |
The time (in milliseconds) by which the update of the filter
code is delayed. If more changes to the filter code
occur during this time, the update of the filter code
is delayed further, up to a maximum of ipsecGlobMaxFcChangeDelay. |
MaxFcChangeDelay |
The maximum time (in milliseconds) by which the update of the filter
code is delayed if multiple phase 2 SA negotiations occur
within ipsecGlobMinFcChangeDelay. |
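The interplay of MinFcChangeDelay and MaxFcChangeDelay, as an added example that is not part of the MIB text: each filter code change pushes the pending update out by the minimum delay, but a burst of changes (e.g. many phase 2 negotiations in a row) can never push it beyond the maximum delay measured from the first change of the burst. The class, its method names and the event timestamps are constructed for illustration.

```python
# Added example, not part of the MIB text: a debounce timer modelling how
# MinFcChangeDelay and MaxFcChangeDelay bound the delayed filter code update.
# Class and method names, and the event timestamps below, are constructed.
class FilterCodeUpdater:
    def __init__(self, min_delay_ms, max_delay_ms):
        self.min_delay = min_delay_ms
        self.max_delay = max_delay_ms
        self.first_change = None   # time of the first change not yet applied
        self.last_change = None    # time of the most recent change
        self.pending = 0           # number of changes folded into the next update
        self.updates = []          # (time, changes) for each update actually done

    def change(self, now_ms):
        """Record a filter code change, e.g. after a phase 2 SA negotiation."""
        if self.first_change is None:
            self.first_change = now_ms
        self.last_change = now_ms
        self.pending += 1

    def deadline(self):
        """Time at which the pending update must be applied, or None if nothing is pending."""
        if self.first_change is None:
            return None
        # Each change pushes the update out by min_delay, but never beyond
        # max_delay after the first change of the burst.
        return min(self.last_change + self.min_delay,
                   self.first_change + self.max_delay)

    def tick(self, now_ms):
        """Apply the pending update if its deadline has been reached; True if applied."""
        d = self.deadline()
        if d is None or now_ms < d:
            return False
        self.updates.append((now_ms, self.pending))
        self.first_change = self.last_change = None
        self.pending = 0
        return True


def run_burst(events_ms, min_delay_ms, max_delay_ms):
    """Feed change events at the given times, checking the timer every 10 ms."""
    u = FilterCodeUpdater(min_delay_ms, max_delay_ms)
    end = max(events_ms) + max_delay_ms + min_delay_ms
    for now in range(0, end + 1, 10):
        for t in events_ms:
            if t == now:
                u.change(now)
        u.tick(now)
    return u.updates


if __name__ == "__main__":
    # Six changes 80-90 ms apart, min delay 100 ms, max delay 500 ms:
    # the update is done once, at 500 ms, covering all six changes.
    print(run_burst([0, 80, 170, 260, 350, 440], 100, 500))
```

Without the maximum bound, a steady stream of changes closer together than the minimum delay would postpone the filter code update indefinitely; the maximum guarantees it is applied at the latest 500 ms after the first change in the sample.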
ObsoleteFeatureMask |
Some obsolete features are represented by a bit in this mask
and can be re-enabled for testing or compatibility purposes.
A mask bit of 1 enables the appropriate (obsolete) feature.
A mask bit of 0 disables the appropriate feature completely.
Bit         Feature
0x00000001: re-enable delayed apf-graph-node-memory free
0x00000002: tbd.
The default value is 0, i.e. all obsolete features are disabled.
Do not change this default value unless really necessary. |
UniqueIds |
This flag decides how an INITIAL CONTACT notification
from a remote peer is handled: if set to true, all
SAs negotiated with peers having the same phase
1 ID as the peer which sent the notification are
deleted. If set to false, all SAs negotiated with
peers having the same remote address are deleted. |
AntiSpoofing |
This object enables the IPSec anti-spoofing feature:
it makes IPSec drop incoming clear text packets which are
configured to be protected by IPSec.
Note: enabling this feature together with overlapping
local and remote networks increases memory consumption
significantly.
You can disable this feature if the spoofing protection is
done elsewhere, e.g. by NAT. |
P1Always |
This object specifies whether a phase 1 rekeying is always
done immediately before a phase 2 rekeying.
Note this is different from PFS for identity because the
latter discards the phase 1 SA immediately after phase 2
establishment.
This feature is mainly a compatibility flag for some
non-standard implementations which always expect a phase 1 SA
if a phase 2 SA exists. Please also select a longer lifetime
for phase 1 than for phase 2 then. |