ipsec
IPSecTunnelTemplate

This class represents the IPsec tunnel template objects that are used as a model for the IPsec tunnel objects that can be instantiated on an IPsec interface.



public class IPSecTunnelTemplate

Properties
clearDfBit Specifies whether to clear the Do Not Fragment (DF) bit in the outgoing packets for tunnels created using this template.

type=boolean
default=false
Displayed(tab/group)=Clear Do-Not-Fragment Bit

copyTrafficClass When set to true, the DSCP/ECN (IPv4) or traffic class (IPv6) is copied from the outer IP header to the inner IP header after decapsulation.

type=boolean
default=false
Displayed(tab/group)=Copy Traffic Class Upon Decapsulation

dynamicKeyTransformId1 Specifies the first transform-id for this IPsec Tunnel template to use.

type=int
access=read-only
default=0
minimum=0
maximum=2048

dynamicKeyTransformId2 Specifies the second transform-id for this IPsec Tunnel template to use.

type=int
access=read-only
default=0
minimum=0
maximum=2048

dynamicKeyTransformId3 Specifies the third transform-id for this IPsec Tunnel template to use.

type=int
access=read-only
default=0
minimum=0
maximum=2048

dynamicKeyTransformId4 Specifies the fourth transform-id for this IPsec Tunnel template to use.

type=int
access=read-only
default=0
minimum=0
maximum=2048

encapsulatedIpMtu This specifies the MTU size for IP packets after tunnel encapsulation has been added. The range is 0 or between 512 and 9000. When a value of zero (0) is specified, it indicates the maximum supported MTU size on the SAP for this tunnel.

type=long
default=0
minimum=0
maximum=9000
units=Octets
Displayed(tab/group)=Encapsulated IP MTU (/IP Fragmentation)

icmp6NumPkt2Big This specifies how many packet-too-big ICMPv6 messages are issued.

type=long
default=100
minimum=10
maximum=1000
Displayed(tab/group)=Number of Messages (/ICMPv6 Message Generation)

icmp6Pkt2Big This specifies whether packet-too-big ICMP messages should be sent.

type=boolean
default=true
Displayed(tab/group)=Packet-Too-Big Messages Enabled (/ICMPv6 Message Generation)

icmp6Pkt2BigTime This specifies the time frame in seconds that is used to limit the number of packet-too-big ICMPv6 messages issued per time frame.

type=long
default=10
minimum=1
maximum=60
units=seconds
Displayed(tab/group)=Message Time Frame (/ICMPv6 Message Generation)

icmpFragReq Specifies whether or not 'Fragmentation required and DF flag set' ICMP messages should be sent. If icmpFragReq is not enabled, both icmpFragReqNum and icmpFragReqTime values are set to default.

type=boolean
default=true
Displayed(tab/group)=Fragmentation Messages Enabled (/ICMP Message Generation)

icmpFragReqNum Specifies how many 'Fragmentation required and DF flag set' ICMP messages are transmitted in the time frame specified by icmpFragReqTime.

type=long
default=100
minimum=10
maximum=1000
Displayed(tab/group)=Number of Messages (/ICMP Message Generation)

icmpFragReqTime Specifies the time frame in seconds that is used to limit the number of 'Fragmentation required and DF flag set' ICMP messages transmitted per time frame.

type=int
default=10
minimum=1
maximum=60
units=seconds
Displayed(tab/group)=Message Time Frame (/ICMP Message Generation)

ignoreDefaultRoute The value 'false' causes the IPsec gateway to remove dynamic LAN-to-LAN tunnels whenever IKE negotiates a remote traffic selector containing a default route (0.0.0.0/0 or ::/0). The value 'true' causes the IPsec gateway to ignore such default routes in negotiated remote traffic selectors, thereby retaining the associated dynamic LAN-to-LAN tunnels with no impact on IPsec-managed reverse routes.

type=boolean
default=false
Displayed(tab/group)=Ignore Default Route

ipMtu This specifies the MTU size for IP packets for this tunnel. The range is 0 or between 512 and 9000. When a value of zero (0) is specified, it indicates the maximum supported MTU size on the SAP for this tunnel.

type=long
default=0
minimum=0
maximum=9000
units=Octets
Displayed(tab/group)=Configured IP MTU (/IP Fragmentation)

pMtuDiscoveryAging Specifies the number of seconds used to age out the learned MTU, which is obtained through path MTU discovery.

type=long
default=900
minimum=900
maximum=3600
units=seconds
Displayed(tab/group)=Path MTU Aging Time (/IP Fragmentation)

privateTcpMssAdjust Specifies the Maximum Segment Size (MSS) for the TCP traffic in an IPsec tunnel which is sent from the private network to the public network. The system may use this value to adjust or insert the MSS option in the TCP SYN packet. Valid values (-1|512..9000). The value of '-1' specifies that the TCP MSS adjustment functionality on the private side is disabled.

type=long
default=-1
minimum=-1
maximum=9000
Displayed(tab/group)=Private (/TCP MSS Adjust)

propogatePMtuV4 Specifies whether or not to propagate a path MTU to IPv4 hosts.

type=boolean
default=true
Displayed(tab/group)=Propogate Path MTU IPv4 (/IP Fragmentation)

propogatePMtuV6 Specifies whether or not to propagate a path MTU to IPv6 hosts.

type=boolean
default=true
Displayed(tab/group)=Propogate Path MTU IPv6 (/IP Fragmentation)

publicTcpMssAdjust Specifies the Maximum Segment Size (MSS) for the TCP traffic in an IPsec tunnel which is sent from the public network to the private network. The system may use this value to adjust or insert the MSS option in the TCP SYN packet. Valid values (-1|0|512..9000).

The TCP MSS adjustment functionality on the public side network is disabled when either of the following conditions is met:
1) The value of publicTcpMssAdjust is '-1', or
2) The values of publicTcpMssAdjust and encapsulatedIpMtu are both '0'.

The new MSS is calculated based on the following rules:
1) When the value of publicTcpMssAdjust is '0' (auto) and encapsulatedIpMtu has a non-zero value, New MSS = encapsulatedIpMtu - total header size (e.g., encryption, encapsulation, TCP and IP headers).
2) When the value of publicTcpMssAdjust is in the range of (512..9000), New MSS = publicTcpMssAdjust.

type=long
default=-1
minimum=-1
maximum=9000
Displayed(tab/group)=Public (/TCP MSS Adjust)
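
The publicTcpMssAdjust rules above, combined with the documented value ranges for the MTU and MSS properties, written out as a pre-deployment check. This is an added example, not NFM-P or SR OS code; the function names and the header_overhead parameter are assumptions, since the page does not give the total header size.

```python
"""Added example: evaluate publicTcpMssAdjust as described on this page.

Hypothetical helper names; header_overhead is an assumed input because the
page does not state the total header size for any transform.
"""

def check_mtu(name, value):
    """encapsulatedIpMtu / ipMtu: 0 or 512..9000."""
    if value != 0 and not 512 <= value <= 9000:
        raise ValueError(f"{name}={value}: must be 0 or 512..9000")
    return value

def check_mss(name, value, allow_auto):
    """privateTcpMssAdjust: -1|512..9000; publicTcpMssAdjust also allows 0."""
    ok = value == -1 or 512 <= value <= 9000 or (allow_auto and value == 0)
    if not ok:
        raise ValueError(f"{name}={value}: outside documented values")
    return value

def effective_public_mss(public_tcp_mss_adjust, encapsulated_ip_mtu, header_overhead):
    """Return the MSS that would be applied, or None when adjustment is disabled."""
    mss = check_mss("publicTcpMssAdjust", public_tcp_mss_adjust, allow_auto=True)
    mtu = check_mtu("encapsulatedIpMtu", encapsulated_ip_mtu)
    if mss == -1 or (mss == 0 and mtu == 0):
        return None                      # disabled: conditions 1) and 2)
    if mss == 0:
        new_mss = mtu - header_overhead  # rule 1): auto mode
        if new_mss <= 0:
            raise ValueError("header_overhead leaves no room for payload")
        return new_mss
    return mss                           # rule 2): explicit value

def audit_template(t, header_overhead):
    """Collect range findings for a template given as a dict of property names."""
    findings = []
    checks = (
        lambda: check_mtu("ipMtu", t.get("ipMtu", 0)),
        lambda: check_mss("privateTcpMssAdjust", t.get("privateTcpMssAdjust", -1), False),
        lambda: effective_public_mss(t.get("publicTcpMssAdjust", -1),
                                     t.get("encapsulatedIpMtu", 0), header_overhead),
    )
    for check in checks:
        try:
            check()
        except ValueError as exc:
            findings.append(str(exc))
    return findings
```

Missing keys fall back to the defaults listed on this page, so an empty dict audits the default template.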

replayWindow Specifies the type / range of the anti-replay window for the template. If the value is set to 0, then the anti-replay feature is disabled.

type=ipsec.ReplayWindowType
default=replayWindowRange0
Displayed(tab/group)=Replay Window

reverseRoute Specifies whether the node using this template will accept framed-routes sent by the RADIUS server and install them for the lifetime of the tunnel as managed routes. If this object is set to 'useSecurityPolicy', the node using this template will add a route to every client-side-protected-subnet as signaled by the client.

type=ipsec.ReverseRoute
default=none
Displayed(tab/group)=Reverse Route

transformPointer1

type=Pointer
default=
Displayed(tab/group)=Transform ID 1 (IPsec Transforms)

transformPointer2

type=Pointer
default=
Displayed(tab/group)=Transform ID 2 (IPsec Transforms)

transformPointer3

type=Pointer
default=
Displayed(tab/group)=Transform ID 3 (IPsec Transforms)

transformPointer4

type=Pointer
default=
Displayed(tab/group)=Transform ID 4 (IPsec Transforms)

 
Overridden Properties
description Specifies the user-provided description for the template.

id

minimum=1
maximum=2048

 
Properties inherited from policy.PolicyDefinition
configurationAction, configurationMode, discoveryState, displayedName, distributionMode, isMaster, lastSyncTime, numberOfUnderlyingPolicyItems, origin, policyMode, policySyncGroupPointer, policyType
 
Properties inherited from policy.PolicyObject
description, displayedName, globalPolicy, id, isLocal, policyType, siteId, siteName, templateObject
 
Properties inherited from ManagedObject
actionMask, children-Set, deploymentState, isFaultSquelched, name, objectFullName, selfAlarmed
 
Methods inherited from policy.PolicyDefinition
distribute, distributeUsingGroups, distributeV2, evaluatePolicy, findGlobal, findLocal, findReleased, getSyncTaskResult, resetToReleasedPolicy, setConfigurationModeToDraft, setConfigurationModeToReleased, setDistributionModeToLocalEditOnly, setDistributionModeToSyncWithGlobal, syncTo, syncToLocalWithResync
 
Supported Network Elements
7750 SR Supported from 10.0.R1 until 13.0.R13
  • Excluded chassis types: 7750-SR1, 7750-SRc4, 7750-SRa4, 7750-SRa8, 7750 SR-1e, 7750 SR-2e, 7750 SR-3e, 7750-SR1 Fixed CFM, 7750 SR-14s, 7750 SR-7s, 7750 SR-1s, 7750 SR-2s
Supported from 13.0.R13 until 14.0.R1
  • Excluded chassis types: 7750-SRc4, 7750-SRa4, 7750-SRa8, 7750-SR1 Fixed CFM, 7750 SR-14s, 7750 SR-7s, 7750 SR-1s, 7750 SR-2s
Supported from 14.0.R1 until 14.0.R4
  • Excluded chassis types: 7750-SRc4, 7750-SRa4, 7750-SRa8, 7750 SR-1e, 7750 SR-2e, 7750 SR-3e, 7750-SR1 Fixed CFM, 7750 SR-14s, 7750 SR-7s, 7750 SR-1s, 7750 SR-2s
Supported from 14.0.R4 until 20.10.R1
  • Excluded chassis types: 7750-SRc4, 7750-SRa4, 7750-SRa8, 7750-SR1 Fixed CFM, 7750 SR-14s, 7750 SR-7s, 7750 SR-1s, 7750 SR-2s
Supported from 20.10.R1 until 21.2.R1
  • Excluded chassis types: 7750-SRc4, 7750-SRa4, 7750-SRa8, 7750 SR-14s, 7750 SR-7s, 7750 SR-1s
Supported from 21.2.R1 until 21.7.R1
  • Excluded chassis types: 7750-SRc4, 7750-SRa4, 7750-SRa8, 7750 SR-7s, 7750 SR-14s
Supported from 21.7.R1
  • Excluded chassis types: 7750-SRc4, 7750-SRa4, 7750-SRa8
7705 SAR Gen 2
7450 ESS Supported from 11.0.R1
  • Excluded chassis types: 7450-ESS1
7705 SAR Hm
Product Specifics
7450 ESS 20.0
7450 ESS 21.0
7450 ESS 22.0
7450 ESS 23.0
7450 ESS 24.0
7450 ESS 25.0
7705 SAR Gen 2 25.0
7705 SAR Hm 20.0
7705 SAR Hm 21.0
7705 SAR Hm 22.0
7705 SAR Hm 23.0
7705 SAR Hm 24.0
7705 SAR Hm 25.0
7750 SR 20.0
7750 SR 21.0
7750 SR 22.0
7750 SR 23.0
7750 SR 24.0
7750 SR 25.0