Index
A unique index identifying this entry.

Description
An optional description for this profile.
AuthMethod
This object specifies the authentication method used for this profile.
Possible values:
  pre-sh-key(1)   -- authentication using pre-shared keys
  dss-sig(2)      -- authentication using DSS signatures
  rsa-sig(3)      -- authentication using RSA signatures
  rsa-enc(4)      -- authentication using RSA encryption
  default(14)     -- use settings from the default profile
                     (pre-sh-key if this is the default profile)
  delete(15)      -- mark this entry for deletion
Mode
This object specifies the exchange mode used for IKE SA negotiation.
Possible values:
  id-protect(1)       -- use identity protection (main) mode
  aggressive(2)       -- use aggressive mode
  default(3)          -- use the default setting from the global profile
  id-protect-only(4)  -- only id-protect mode allowed
  aggressive-only(5)  -- only aggressive mode allowed
Proposal
The index of the first IKE proposal which may be used for IKE SA
negotiation with this profile.

Group
This object specifies the IKE (Diffie-Hellman) group to use with this profile.
Possible values:
  1: a 768-bit MODP group
  2: a 1024-bit MODP group
  5: a 1536-bit MODP group
Cert
The index of the certificate in the certTable used for authentication.
Ignored when AuthMethod is pre-sh-key(1).
LocalId
The local ID used for authentication with this profile.
Syntax:
  - X500 distinguished name:
  - IPV4 Address:
      |123.456.789.012|  with or without '|'
  - IPV4 Address Range:
      |123.456.789.012-123.456.789.013|  with or without '|'
  - IPV4 Address Subnet:
      |123.456.789.012/255.255.255.0|  with or without '|'
    or:
      |123.456.789.012/24|  with or without '|'
  - Key-ID: hexadecimal string of arbitrary length with an even
    number of digits:
      { 01 23 45 67 89 ab cd ef }
  - Fully Qualified User Name (FQUN):
      (anything)  or  user@domain with mandatory '@'
  - Fully Qualified Domain Name (FQDN):
      [anything]  or any name without '@' that matches no other syntax
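The LocalId syntax above is a small grammar that an administrator has to get right for peers to authenticate, so the following added example (not code from the MIB or the product it documents) classifies a LocalId string into the identity types listed and validates the IPv4, range, subnet and Key-ID forms. The X.500 DN rule is an assumption, because the table leaves that syntax blank: a comma-separated list of `type=value` pairs is treated as a DN. The identity-type names returned are also this example's own.

```python
"""Classify an IKE LocalId string per the documented syntax (added example).

Returns (kind, value). Values for the address forms are ipaddress objects,
the Key-ID is returned as bytes, the name forms as str.
"""
import ipaddress
import re

HEX_DIGITS = re.compile(r"^[0-9a-fA-F]+$")


def _strip_delims(text, open_ch, close_ch):
    """Return the content between matching delimiters, or None if absent."""
    if len(text) >= 2 and text[0] == open_ch and text[-1] == close_ch:
        return text[1:-1].strip()
    return None


def _ipv4(text):
    try:
        return ipaddress.IPv4Address(text)
    except ValueError:
        return None


def classify_local_id(raw):
    s = raw.strip()
    if not s:
        raise ValueError("empty LocalId")

    # Key-ID: "{ 01 23 ... }", hex digits, whitespace ignored, even digit count
    inner = _strip_delims(s, "{", "}")
    if inner is not None:
        digits = inner.replace(" ", "")
        if not digits or not HEX_DIGITS.match(digits) or len(digits) % 2:
            raise ValueError("Key-ID must be hex with an even number of digits")
        return ("key-id", bytes.fromhex(digits))

    # FQUN written as "(anything)" and FQDN written as "[anything]"
    inner = _strip_delims(s, "(", ")")
    if inner is not None:
        return ("fqun", inner)
    inner = _strip_delims(s, "[", "]")
    if inner is not None:
        return ("fqdn", inner)

    # IPv4 address, range or subnet, with or without surrounding '|'
    inner = _strip_delims(s, "|", "|")
    body = inner if inner is not None else s
    if "/" in body:
        addr, _, _mask = body.partition("/")
        if _ipv4(addr) is not None:
            # strict=False: the documented example carries host bits (x.x.x.12/24)
            return ("ipv4-subnet", ipaddress.IPv4Network(body, strict=False))
    elif "-" in body:
        lo, _, hi = body.partition("-")
        a, b = _ipv4(lo), _ipv4(hi)
        if a is not None and b is not None:
            if a > b:
                raise ValueError("IPv4 range start is after its end")
            return ("ipv4-range", (a, b))
    elif _ipv4(body) is not None:
        return ("ipv4-address", _ipv4(body))
    if inner is not None:
        # '|...|' is only defined for the IPv4 forms
        raise ValueError(f"not a valid IPv4 identity: {s!r}")

    # Assumption (syntax not given in the table): DN = "type=value,type=value"
    if "=" in s and all("=" in part for part in s.split(",")):
        return ("x500-dn", s)

    # FQUN as user@domain, '@' mandatory with a user and a domain around it
    if "@" in s:
        user, _, domain = s.partition("@")
        if user and domain:
            return ("fqun", s)
        raise ValueError("FQUN needs a user and a domain around '@'")

    # Anything else without '@' is a plain FQDN
    return ("fqdn", s)
```

Note that the table's placeholder `123.456.789.012` is rejected by the classifier, since 456 and 789 are not valid octets; the placeholder illustrates the shape of the field, not a usable address.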
CaCerts
Receives a comma-separated list of indices (0..32767) of special
certificate authority certificates accepted for this profile.

LifeTime
This object specifies an index in the ipsecLifeTimeTable with the
lifetime settings to be used for IKE SA negotiation with this profile.
If the lifetime pointed to by this index does not exist or is
inappropriate, the default lifetime is taken.
The usage of this object is deprecated; use the ikePrfLifeXxx
variables directly instead.
BlockTime
This object specifies the time in seconds for which a peer is blocked
for any IPSec operations after a phase 1 initiator negotiation failed.
Special values:
  -1: use settings from the global profile (do not block by default)
   0: do not block the peer at all
PfsIdentity
This object specifies whether IKE SAs should be deleted immediately
after a phase 2 (IPSec) SA pair has been negotiated.
The consequence of enabling this feature is that every phase 2
negotiation has to be preceded by its own phase 1 negotiation.
Individual phase 2 SAs therefore cannot be associated with one
another: if the identity of a remote peer is known to an eavesdropper
for one SA, he cannot conclude that the next SA is negotiated with
the same remote peer.
Note: Setting this flag only makes sense if it is configured together
with id-protect mode or RSA encryption for authentication, and if the
IP address of the remote peer does not allow conclusions about its
identity (i.e. dynamic remote peer addresses).
Possible values:
  true(1)     -- delete phase 1 SAs
  false(2)    -- reuse phase 1 SAs
  default(3)  -- use the value from the default profile
                 (false if this is the default profile)
Heartbeats
This object specifies whether heartbeats should be sent over phase 1
SAs for this profile.
Possible values:
  none(1)      -- neither send nor expect heartbeats
  expect(2)    -- expect heartbeats
  send(3)      -- send heartbeats
  both(4)      -- send and expect heartbeats
  default(5)   -- use the value from the default profile
                  (auto if this is the default profile)
  auto(6)      -- detect support using the vendor ID
  dpd(7)       -- use the DPD (dead peer detection) method for proof of liveness
  dpd-idle(8)  -- use DPD, detect dead peers even while idle
NatT
This object specifies whether NAT-Traversal is enabled.
Possible values:
  enabled(1)   -- enable NAT-Traversal
  disabled(2)  -- disable NAT-Traversal
  default(3)   -- use the value from the default profile
                  (disabled if this is the default profile)
LifeKBytes
The maximum amount of data (in KB) which may be protected by an SA
before it is deleted.

LifeSeconds
The maximum time (in seconds) after which an SA will be deleted.
MtuMax
The maximum MTU value allowed for ipsecPeerMtu.
Zero means use the value from the global profile; if this is the
global profile, 1418 is assumed.
Nonzero values smaller than 214 are reset to the minimum of 214.

LifeRekeyPercent
The percentage of the lifetimes (traffic-based and time-based)
after which rekeying is started.
LifePolicy
This object specifies the way a lifetime proposal is handled.
Possible values:
  loose(1)                 -- accept and use anything proposed
  strict(2)                -- accept and use only what is configured
  notify(3)                -- accept anything; if the own configured values
                              are smaller than what was proposed, use the own
                              values and send a responder lifetime notification
  use-default-lifetime(4)  -- use the lifetime values from the default profile