About this Resource

Defines the IPsec Tunnel Managed Object

REST API Methods for this Resource

Resource Schema

Configuration

Each parameter below is listed with its Required, Service Affecting, Data Type and Default Value attributes, followed by its possible values and description.

TunnelActivation
  Required: Yes | Service Affecting: Yes | Data Type: Enum | Default Value: 1
  Possible values:
    • 0 - eAlways
    • 1 - eLinkMonitorAction
  Activates SBC communication with the remote IPsec peer by initiating the IKE and IPsec phase negotiations, either permanently or on demand. This parameter applies only when "Operating Mode" is set to "Initiator".
    • Always: Always initiates the IKE Security Association (SA) and IPsec phase negotiations with the remote IPsec peer and keeps the tunnel up permanently.
    • Link Monitor Action: Initiates the IKE and IPsec phase negotiations with the remote IPsec peer on demand, when requested by the link monitor switch-over action.

TunnelName
  Required: Yes | Service Affecting: Yes | Data Type: string | Default Value: none | Max Length: 64
  Specifies the IPsec tunnel name that this IPsec object is associated with. The tunnel name must not contain any space characters.

OperatingMode
  Required: Yes | Service Affecting: Yes | Data Type: Enum | Default Value: 0
  Possible values:
    • 0 - eInitiator
    • 1 - eResponder
  Controls SBC communication with the remote peer for IKE negotiations and IPsec connections.
    • Initiator mode: Enables the branch office SBC gateway to initiate the IKE Security Association (SA) and IPsec tunnel negotiation request.
    • Responder mode: Enables the corporate SBC gateway to receive the request to establish an IKE/IPsec tunnel connection.

allowAnyLocalAddress
  Required: Yes | Service Affecting: Yes | Data Type: Enum | Default Value: 0
  Possible values:
    • 0 - btFalse
    • 1 - btTrue
    • True: The local address is left unspecified and filled in during negotiation by automatic keying, even if a concrete local address has been assigned.
    • False: The statically assigned Local Address parameter is used.

localAddress
  Required: Yes | Service Affecting: Yes | Data Type: string | Default Value: none | Max Length: 255
  Specifies the IP address or fully-qualified domain name of the local network interface. If "allowAnyLocalAddress" is set to True, any outgoing address is allowed during negotiations.

allowAnyRemoteAddress
  Required: Yes | Service Affecting: Yes | Data Type: Enum | Default Value: 0
  Possible values:
    • 0 - btFalse
    • 1 - btTrue
    • True: The remote address is left unspecified and filled in during negotiation by automatic keying, even if a concrete remote address has been assigned.
    • False: The statically assigned Remote Address parameter is used.

remoteAddress
  Required: Yes | Service Affecting: Yes | Data Type: string | Default Value: none | Max Length: 255
  Specifies the IP address or fully-qualified domain name of the remote network interface. If "allowAnyRemoteAddress" is set to True, any incoming address is accepted during negotiations; the peer is then identified only by its authentication credentials and configured identifier ("peerAuthIdentifier" or "remoteIdentifier"), not by its source address.

localSubnetAddress
  Required: Yes | Service Affecting: Yes | Data Type: string | Default Value: none | Max Length: 200
  Specifies the private subnet behind the local network interface, expressed as network/netmask. Up to 10 subnets can be specified, separated by commas.

remoteSubnetAddress
  Required: Yes | Service Affecting: Yes | Data Type: string | Default Value: none | Max Length: 200
  Specifies the private subnet behind the remote network interface, expressed as network/netmask. Up to 10 subnets can be specified, separated by commas.
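The subnet-list rules for localSubnetAddress and remoteSubnetAddress (network/netmask form, at most 10 comma-separated entries, 200 characters) are easy to get wrong in a script that assembles the request body. The following Python example is added here by the editor and is not part of this page or of the SBC's own software: it parses and validates a local/remote subnet pair before the value is sent. The rejection of entries with host bits set and the overlap check between local and remote selectors are this editor's additional sanity checks, and all sample values are constructed.

```python
from __future__ import annotations
import ipaddress

MAX_SUBNETS = 10        # schema: up to 10 comma-separated subnets
MAX_FIELD_LENGTH = 200  # schema: 200 - Max Length


def parse_subnet_list(value: str) -> list:
    """Parse one localSubnetAddress/remoteSubnetAddress value.

    Accepts 'network/netmask' in prefix-length form (10.0.0.0/24) or
    dotted-mask form (10.0.0.0/255.255.255.0). Raises ValueError on any
    violation so a bad value never reaches the API.
    """
    if len(value) > MAX_FIELD_LENGTH:
        raise ValueError(f"value is {len(value)} characters, maximum is {MAX_FIELD_LENGTH}")
    items = [s.strip() for s in value.split(",")]
    if any(not s for s in items):
        raise ValueError("empty subnet entry in list")
    if len(items) > MAX_SUBNETS:
        raise ValueError(f"{len(items)} subnets given, maximum is {MAX_SUBNETS}")
    nets = []
    for item in items:
        if "/" not in item:
            raise ValueError(f"{item!r} is not in network/netmask form")
        # strict=True rejects host bits set (10.0.0.5/24), a common typo that
        # silently changes which traffic the tunnel selector matches.
        nets.append(ipaddress.ip_network(item, strict=True))
    return nets


def check_selectors(local: str, remote: str) -> list[str]:
    """Return a list of problems with a local/remote subnet pair (empty = OK).

    The overlap check is an added practitioner sanity check, not a schema rule:
    a local selector that overlaps a remote one makes the IPsec policy
    ambiguous about which side of the tunnel owns that address space.
    """
    problems: list[str] = []
    try:
        local_nets = parse_subnet_list(local)
    except ValueError as exc:
        problems.append(f"localSubnetAddress: {exc}")
        local_nets = []
    try:
        remote_nets = parse_subnet_list(remote)
    except ValueError as exc:
        problems.append(f"remoteSubnetAddress: {exc}")
        remote_nets = []
    for ln in local_nets:
        for rn in remote_nets:
            if ln.overlaps(rn):
                problems.append(f"local {ln} overlaps remote {rn}")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    print(check_selectors("10.1.0.0/24,10.1.1.0/255.255.255.0", "192.168.50.0/24"))
    print(check_selectors("10.1.0.5/24", "10.1.0.0/16"))
    print(check_selectors("10.0.0.0/8", "10.2.0.0/16"))
```

Run the check on both values before issuing the REST call and refuse to send the object if the returned list is non-empty; the SBC may accept a malformed selector string and only fail at negotiation time.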
applyPolicyRules
  Required: Yes | Service Affecting: No | Data Type: Enum | Default Value: 1
  Possible values:
    • 0 - btFalse
    • 1 - btTrue
    • True: The local gateway creates iptables forwarding/firewall rules for traffic between the Local Subnet Address and the Remote Subnet Address.
    • False: No iptables policy rules are created for traffic to and from the peer endpoint.

useSANIdentifier
  Required: No | Service Affecting: No | Data Type: Enum | Default Value: 0
  Possible values:
    • 0 - btFalse
    • 1 - btTrue
    • True: The Subject Alternative Name (SAN) identifier configured in "localSANIdentifier" is sent to the remote gateway for an authentication config match.
    • False (default): The Subject Distinguished Name (Subject DN) is extracted automatically from the SBC Certificate and sent to the remote gateway for an authentication config match.

localSANIdentifier
  Required: Yes | Service Affecting: Yes | Data Type: string | Default Value: none | Max Length: 255
  Specifies the Subject Alternative Name (SAN) identifier sent to the remote gateway for a peer authentication config match. If "peerAuthIdentifier" on the remote gateway is configured to authenticate a SAN from the peer's certificate, the remote gateway compares the SAN it receives with the SAN expected by its peer authentication config. When "useSANIdentifier" is set to True, the value must be one of the DNS names listed under the local attributes of the 'SBC Certificate'.
  This option is available only if "useSANIdentifier" is set to "True".

peerAuthMode
  Required: Yes | Service Affecting: Yes | Data Type: Enum | Default Value: 0
  Possible values:
    • 0 - eAuthCertificate
    • 1 - eAuthPresharedKey
  Specifies the authentication method required from the remote side.
    • Certificate authentication mode: The peer IPsec gateway is authenticated with a public key signature. The system must hold its own server certificate and private key, the Certificate Authority (CA) certificate that signed it, and the peer's CA certificate for identifying the peer.
    • Preshared Key authentication mode: The peer is authenticated with a key shared between the two systems. The key must match the key configured on the peer system.

peerAuthIdentifier
  Required: Yes | Service Affecting: Yes | Data Type: string | Default Value: none | Max Length: 255
  Specifies how the peer is identified for IKE certificate authentication. When Certificate is the peer authentication mode, set this to the peer certificate's Subject Alternative Name (SAN) or Subject Distinguished Name (Subject DN). If neither is known, it can be set to 'any' on an SBC responder-side gateway that is also configured for 'any' remote address. Note that 'any' pins no identity at all: any certificate issued by the configured peer CA is then accepted, so use a specific SAN or Subject DN whenever it is known.
  This option is available only if "Peer Authentication Mode" is set to "Certificate".

remoteIdentifier
  Required: Yes | Service Affecting: Yes | Data Type: string | Default Value: none | Max Length: 255
  Specifies how the peer is identified for IKE preshared key authentication. The identifier selector can be the all-hosts address (0.0.0.0), a specific IP address, or the fully-qualified domain name of the remote LAN network interface.
  This option is available only when "allowAnyRemoteAddress" is set to "True" and "Peer Authentication Mode" is set to "Preshared Key".

EncryptedPresharedKey
  Required: Yes | Service Affecting: Yes | Data Type: string | Default Value: none | Max Length: 256
  Specifies the secret value shared with the peer. When Preshared Key is the peer authentication mode, the value can be a pass-phrase or a hex string. It must match the key configured on the peer system.
  This option is available only if "Peer Authentication Mode" is set to "Preshared Key".
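The availability conditions on the identity and peer-authentication attributes form a small dependency graph: certificate mode needs a peerAuthIdentifier, 'any' is only legitimate on a responder that accepts any remote address, preshared-key mode needs an EncryptedPresharedKey and, with allowAnyRemoteAddress, a remoteIdentifier, and useSANIdentifier needs a localSANIdentifier. The Python checker below is added by the editor for this page and is not the vendor's API or code; it encodes those rules over a plain dict keyed by the schema's attribute names (an assumption of this example), the enum constants mirror the values listed above, and the sample configurations are constructed.

```python
from __future__ import annotations

# Enum values as listed in the schema
E_INITIATOR, E_RESPONDER = 0, 1
E_AUTH_CERTIFICATE, E_AUTH_PRESHARED_KEY = 0, 1


def check_peer_auth(cfg: dict) -> tuple[list[str], list[str]]:
    """Return (errors, warnings) for the identity and peer-authentication attributes.

    cfg is a plain dict keyed by the schema's attribute names (an assumption of
    this example). Errors are missing or contradictory values; warnings are
    schema-valid but risky choices.
    """
    errors: list[str] = []
    warnings: list[str] = []
    responder = cfg.get("OperatingMode") == E_RESPONDER
    any_remote = cfg.get("allowAnyRemoteAddress", 0) == 1

    name = cfg.get("TunnelName", "")
    if not name or " " in name or len(name) > 64:
        errors.append("TunnelName must be 1-64 characters and contain no spaces")

    # localSANIdentifier is only used (and only required) when useSANIdentifier is True
    if cfg.get("useSANIdentifier", 0) == 1 and not cfg.get("localSANIdentifier"):
        errors.append("useSANIdentifier=1 requires localSANIdentifier")

    mode = cfg.get("peerAuthMode")
    if mode == E_AUTH_CERTIFICATE:
        ident = cfg.get("peerAuthIdentifier", "")
        if not ident:
            errors.append("certificate mode requires peerAuthIdentifier (peer SAN, Subject DN or 'any')")
        elif ident.lower() == "any":
            # 'any' is only documented for a responder that accepts any remote address
            if not (responder and any_remote):
                errors.append("peerAuthIdentifier 'any' is only valid on a responder with allowAnyRemoteAddress=1")
            else:
                warnings.append("peerAuthIdentifier 'any' accepts every identity the peer CA has signed; pin a SAN or Subject DN when known")
        if cfg.get("EncryptedPresharedKey"):
            warnings.append("EncryptedPresharedKey is not applicable in certificate mode")
    elif mode == E_AUTH_PRESHARED_KEY:
        if not cfg.get("EncryptedPresharedKey"):
            errors.append("preshared key mode requires EncryptedPresharedKey")
        if any_remote and not cfg.get("remoteIdentifier"):
            errors.append("allowAnyRemoteAddress=1 with a preshared key requires remoteIdentifier (0.0.0.0, an IP address or an FQDN)")
        if cfg.get("peerAuthIdentifier"):
            warnings.append("peerAuthIdentifier is not applicable in preshared key mode")
    else:
        errors.append("peerAuthMode must be 0 (eAuthCertificate) or 1 (eAuthPresharedKey)")
    return errors, warnings


# Constructed sample configurations, not taken from any real deployment.
BRANCH_INITIATOR = {
    "TunnelName": "branch1-to-hq", "OperatingMode": E_INITIATOR,
    "allowAnyRemoteAddress": 0, "peerAuthMode": E_AUTH_CERTIFICATE,
    "peerAuthIdentifier": "hq-vpn.example.net",
    "useSANIdentifier": 1, "localSANIdentifier": "branch1.example.net",
}
HQ_RESPONDER_ANY = {
    "TunnelName": "hq-any-branch", "OperatingMode": E_RESPONDER,
    "allowAnyRemoteAddress": 1, "peerAuthMode": E_AUTH_CERTIFICATE,
    "peerAuthIdentifier": "any",
}

if __name__ == "__main__":
    for label, cfg in (("branch", BRANCH_INITIATOR), ("hq", HQ_RESPONDER_ANY)):
        print(label, check_peer_auth(cfg))
```

The warning on 'any' is the one to act on: a responder with allowAnyRemoteAddress=1 and peerAuthIdentifier='any' trusts every certificate the peer CA has ever issued, so the CA's issuance scope becomes the tunnel's entire access-control policy.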

encryption
  Required: Yes | Service Affecting: No | Data Type: Enum | Default Value: 1
  Possible values:
    • 0 - aes256
    • 1 - aes128
    • 2 - des_cbc3
  Encryption algorithm that provides data confidentiality for the secure channel the Internet Key Exchange (IKE) protocol establishes: it protects the IKE Phase 1 authentication and the IPsec Phase 2 traffic carried by the Encapsulating Security Payload (ESP) protocol. des_cbc3 (3DES) is retained for legacy peers only; use aes256 or aes128 with peers that support them.

integrity
  Required: Yes | Service Affecting: No | Data Type: Enum | Default Value: 0
  Possible values:
    • 0 - sha1
    • 1 - sha256
  Keyed hash algorithm that provides integrity for the IKE Phase 1 secure channel and for IPsec Phase 2 traffic protection with ESP. sha256 is the stronger choice; the sha1 default is kept for interoperability with older peers.

dhgroup
  Required: Yes | Service Affecting: No | Data Type: Enum | Default Value: 3
  Possible values:
    • 0 - dhgroup1
    • 1 - dhgroup2
    • 2 - dhgroup5
    • 3 - dhgroup14
  Diffie-Hellman (DH) group used by IKE to derive keying material: in the Phase 1 exchange and, when PFS is enabled, in each Phase 2 (IPsec SA) exchange. The group fixes the size of the MODP modulus and therefore the strength of the key agreement: dhgroup14 is 2048-bit, while dhgroup1, dhgroup2 and dhgroup5 are 768-, 1024- and 1536-bit respectively and should not be used for new tunnels.

enablePFS
  Required: Yes | Service Affecting: No | Data Type: Enum | Default Value: 1
  Possible values:
    • 0 - btFalse
    • 1 - btTrue
  Perfect Forward Secrecy. If enabled, a fresh Diffie-Hellman exchange is performed for every IPsec SA negotiation, so the keys of each IPsec SA are derived independently rather than from the IKE SA's keying material alone.
    • True: The Phase 2 DH group is the one defined by the Diffie-Hellman Group parameter.
    • False: No DH group is proposed or exchanged for IPsec Phase 2 negotiations.

enableRekeying
  Required: Yes | Service Affecting: No | Data Type: Enum | Default Value: 0
  Possible values:
    • 0 - btFalse
    • 1 - btTrue
    • True: A replacement SA is negotiated before the current one expires (see "marginTime"). Applies to both the IKE SA and the IPsec SA.
    • False: No SA negotiation is initiated on expiry; the SA lapses at the end of its lifetime.

enableReauthentication
  Required: Yes | Service Affecting: No | Data Type: Enum | Default Value: 0
  Possible values:
    • 0 - btFalse
    • 1 - btTrue
    • True: IKE SA rekeying also re-runs peer authentication. The IKE and IPsec SAs are uninstalled and then recreated.
    • False: IKE SA rekeying is performed without re-authenticating the peer.

keyingRetries
  Required: Yes | Service Affecting: No | Data Type: int | Default Value: 3 | Range: 1 (minimum) to 10 (maximum)
  Specifies how many attempts are made to negotiate a connection. Applies to both the IKE SA and the IPsec SA.

ikeLifetime
  Required: Yes | Service Affecting: No | Data Type: int | Default Value: 10800 | Range: 3600 (minimum) to 86400 (maximum)
  Specifies the lifetime of the IKE SA, in seconds, from successful negotiation to expiry.

ipsecLifetime
  Required: Yes | Service Affecting: No | Data Type: int | Default Value: 3600 | Range: 3600 (minimum) to 86400 (maximum)
  Specifies the lifetime of the IPsec SA, in seconds, from successful negotiation to expiry.

marginTime
  Required: Yes | Service Affecting: No | Data Type: int | Default Value: 600 | Range: 60 (minimum) to 600 (maximum)
  Time, in seconds, before SA expiry at which rekeying starts. Applies to both the IKE SA and the IPsec SA.
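The encryption, integrity, dhgroup, enablePFS and enableRekeying attributes together define the tunnel's cryptographic proposal, and the integer attributes (keyingRetries, ikeLifetime, ipsecLifetime, marginTime) have fixed ranges. The Python example below is the editor's illustration, not vendor code: it validates a proposal against the schema ranges and flags schema-valid but weak choices (3DES, SHA-1, DH groups below 2048-bit MODP, PFS or rekeying disabled). The MODP sizes are from RFC 2409 (groups 1, 2 and 5) and RFC 3526 (group 14); the "legacy" and "hardened" configurations are constructed to show the weak settings beside the corrected ones, and the JSON body format is an assumption of the example.

```python
from __future__ import annotations
import json

# Enum values and names exactly as listed in the schema
ENCRYPTION = {0: "aes256", 1: "aes128", 2: "des_cbc3"}
INTEGRITY = {0: "sha1", 1: "sha256"}
DHGROUP = {0: "dhgroup1", 1: "dhgroup2", 2: "dhgroup5", 3: "dhgroup14"}
# MODP modulus size in bits: RFC 2409 groups 1, 2 and 5; RFC 3526 group 14
DH_BITS = {0: 768, 1: 1024, 2: 1536, 3: 2048}
# Schema min/max for the integer attributes (seconds for the time values)
RANGES = {
    "keyingRetries": (1, 10),
    "ikeLifetime": (3600, 86400),
    "ipsecLifetime": (3600, 86400),
    "marginTime": (60, 600),
}


def check_proposal(cfg: dict) -> tuple[list[str], list[str]]:
    """Return (errors, warnings) for the crypto and SA-lifetime attributes.

    Errors are values the schema does not allow. Warnings are schema-valid
    choices that are weak by current practice (an editor's policy, not the
    vendor's); a deployment script would normally refuse to send either.
    """
    errors: list[str] = []
    warnings: list[str] = []

    for key, (lo, hi) in RANGES.items():
        value = cfg.get(key)
        if not isinstance(value, int) or not lo <= value <= hi:
            errors.append(f"{key}={value!r} is outside {lo}..{hi}")

    enc = cfg.get("encryption")
    if enc not in ENCRYPTION:
        errors.append(f"encryption={enc!r} is not a listed value")
    elif enc == 2:
        warnings.append("encryption=des_cbc3: 3DES is deprecated, use aes256 or aes128")

    integ = cfg.get("integrity")
    if integ not in INTEGRITY:
        errors.append(f"integrity={integ!r} is not a listed value")
    elif integ == 0:
        warnings.append("integrity=sha1: prefer sha256")

    dh = cfg.get("dhgroup")
    if dh not in DHGROUP:
        errors.append(f"dhgroup={dh!r} is not a listed value")
    elif DH_BITS[dh] < 2048:
        warnings.append(f"dhgroup={DHGROUP[dh]} is {DH_BITS[dh]}-bit MODP; use dhgroup14 (2048-bit)")

    if cfg.get("enablePFS") != 1:
        warnings.append("enablePFS=0: IPsec SA keys derive from the IKE SA alone, no per-SA forward secrecy")
    if cfg.get("enableRekeying") != 1:
        warnings.append("enableRekeying=0: SAs are not renegotiated, so the tunnel lapses when a lifetime expires")
    return errors, warnings


def request_body(cfg: dict) -> str:
    """Serialize a proposal for the REST call, refusing invalid or weak values.

    The JSON shape is an assumption of this example; adapt it to the encoding
    the SBC's REST API actually expects.
    """
    errors, warnings = check_proposal(cfg)
    if errors or warnings:
        raise ValueError("; ".join(errors + warnings))
    return json.dumps(cfg, sort_keys=True)


# Constructed sample proposals (not real deployment data): the first keeps the
# legacy choices the schema still allows, the second is the corrected form.
LEGACY = {"encryption": 2, "integrity": 0, "dhgroup": 1, "enablePFS": 0,
          "enableRekeying": 0, "enableReauthentication": 0, "keyingRetries": 3,
          "ikeLifetime": 10800, "ipsecLifetime": 3600, "marginTime": 600}
HARDENED = dict(LEGACY, encryption=0, integrity=1, dhgroup=3, enablePFS=1,
                enableRekeying=1, enableReauthentication=1)

if __name__ == "__main__":
    for label, cfg in (("legacy", LEGACY), ("hardened", HARDENED)):
        errors, warnings = check_proposal(cfg)
        print(label, "errors:", errors, "warnings:", warnings)
    print(request_body(HARDENED))
```

Note that the schema defaults (aes128, sha1, dhgroup14, PFS on, rekeying off) pass the range check but trip two of the policy warnings; a practitioner provisioning tunnels through this API should set integrity=1 and enableRekeying=1 explicitly rather than rely on the defaults.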