ipsec
IkePolicy



public class IkePolicy

Properties
authAlgorithm

DEPRECATED: 17.3 - No longer supported in SR 15.0R1, use ipsec.IkeTransform.authAlgorithm instead
type=ipsec.AuthAlgorithm
default=sha1
Displayed(tab/group)=Authorization Algorithm

authMethod

type=ipsec.AuthMethod
default=psk
Displayed(tab/group)=Authorization Method

autoEapMethod Specifies the automatic EAP fallback authentication method for the remote-peer used with this IKE policy. This property is only meaningful when the value of authMethod is 'autoEapRadius'.

type=ipsec.AutoEapMethod
default=cert
Displayed(tab/group)=Automatic EAP Method

autoEapOwnMethod Specifies the automatic EAP fallback authentication method used with this IKE policy on its own side. This object is only meaningful when the value of authMethod is 'autoEap'.

type=ipsec.AutoEapOwnMethod
default=cert
Displayed(tab/group)=Self Automatic EAP Method

dhgGroup

DEPRECATED: 17.3 - No longer supported in SR 15.0R1, use ipsec.IkeTransform.dhGroup instead
type=ipsec.IkePolicyDHGroup
default=group2
Displayed(tab/group)=Diffie-Hellman (DH) Group

encryptionAlgorithm

DEPRECATED: 17.3 - No longer supported in SR 15.0R1, use ipsec.IkeTransform.encryptionAlgorithm instead
type=ipsec.EncryptionAlgorithm
default=aes128
Displayed(tab/group)=Encryption Algorithm

ikeVersion

type=ipsec.IkeVersion
default=v1
Displayed(tab/group)=Version

ikev1Ph1RespDelNtfy Specifies whether or not the system, when deleting an IKEv1 phase 1 for which it was the responder, sends a delete notification to the peer. This object is only meaningful when the value of ikeVersion is V1.

type=boolean
default=true
Displayed(tab/group)=IKEv1 Phase 1 Responder Delete Notify

ipsec.IkeTransformAssociation-Set type=Children-Set
ipsecLifeTime

type=long
default=3600
minimum=1200
maximum=31536000
units=seconds
Displayed(tab/group)=IPsec Life Time

isakmpLifeTime

DEPRECATED: 17.3 - No longer supported in SR 15.0R1, use ipsec.IkeTransform.isaKmpLifeTime instead
type=long
default=86400
minimum=1200
maximum=172800
units=seconds
Displayed(tab/group)=Internet Security Association and Key Management Life Time

limitInitExchange Specifies whether or not the system limits the number of in-progress initial IKE exchanges to one per IPsec tunnel. The value of 'false' specifies that the system allows up to 32 in-progress initial IKE exchanges per IPsec tunnel.

type=boolean
default=true
Displayed(tab/group)=Limit Initial IKE Exchanges

lockout Specifies whether or not the IPsec Client Lockout is enabled.

type=boolean
default=false
Displayed(tab/group)=Enable Lockout (Lockout)

lockoutBlock Specifies the maximum time period during which the system drops IKE packets after the number of consecutive failed authentication attempts reaches lockoutFailedAttempt within lockoutDuration.

type=int
default=10
minimum=0
maximum=1440
units=minutes
Displayed(tab/group)=IKE packets block duration (Lockout/Lockout)

lockoutDuration Specifies the maximum duration, in minutes, over which the system tolerates lockoutFailedAttempt failed authentication attempts from the same remote client.

type=int
default=5
minimum=1
maximum=60
units=minutes
Displayed(tab/group)=Maximum failed attempt duration (Lockout/Lockout)

lockoutFailedAttempt Specifies the maximum number of consecutive failed authentication attempts from the same remote client.

type=int
default=3
minimum=1
maximum=64
Displayed(tab/group)=Maximum consecutive failed attempt (Lockout/Lockout)

lockoutMaxPortPerIp Specifies the maximum number of ports that can be locked out under the same IP address. Once the number of locked-out ports under the same IP address reaches lockoutMaxPortPerIp, all ports under that IP address are locked out for the next lockoutBlock minutes.

type=int
default=16
minimum=1
maximum=32000
Displayed(tab/group)=Maximum port per IP allowed (Lockout/Lockout)

matchPeerToCert

type=boolean
default=false
Displayed(tab/group)=Match Peer ID to Certificate

mode

type=ipsec.IkePolicyMode
default=main
Displayed(tab/group)=Mode

natBehindNatOnly

type=boolean
default=true
Displayed(tab/group)=Force Keep Alive (NAT Traversal)

natKeepAliveInterval

type=long
default=0
minimum=0
maximum=600
Displayed(tab/group)=Keep-Alive Interval (NAT Traversal)

natTraversal

type=ipsec.NatTraversalMode
default=disable
Displayed(tab/group)=NAT Traversal (NAT Traversal)

ownAuthMethod

type=ipsec.OwnAuthMethod
default=symmetric
Displayed(tab/group)=Self Authorization Method

pfs

type=boolean
default=false
Displayed(tab/group)=Perfect Forward Secrecy (PFS)

pfsDhgGroup

type=ipsec.IkePolicyDHGroup
default=group2
Displayed(tab/group)=PFS DH Group

policyDpd

type=ipsec.IkePolicyDpdMode
default=disable
Displayed(tab/group)=Dead Peer Detection (DPD) (DPD)

policyDpdInterval

type=long
default=30
minimum=10
maximum=300
Displayed(tab/group)=Interval (DPD)

policyDpdMaxRetries

type=long
default=3
minimum=2
maximum=5
Displayed(tab/group)=Max Retries (DPD)

reducedMaxExchgTimeout Specifies the maximum timeout for the in-progress initial IKE exchange. The value of '0' specifies that there is no reduction of the current exchange timeout, which is 120 seconds.

type=int
default=2
minimum=0
maximum=60
units=seconds
Displayed(tab/group)=Reduced Max Exchange Timeout

relayUnSolCfgAttr

type=ipsec.RelayUnSolCfgAttrType
Displayed(tab/group)=Relay Unsolicited Configuration Attributes

sendIdrAfterEapSuccess Specifies whether or not the system adds the Identification Responder (IDr) payload in the last IKE authentication response after the Extensible Authentication Protocol (EAP) success.

type=boolean
default=true
Displayed(tab/group)=Send Identification Responder (IDr) After EAP Success

v2Fragment Specifies whether or not the IKEv2 Fragmentation is enabled.

type=boolean
default=false
Displayed(tab/group)=Fragment (Fragment)

v2FragmentMtu Specifies the MTU size for the IKEv2 fragmentation.

type=int
default=1500
minimum=512
maximum=9000
units=Octets
Displayed(tab/group)=MTU Size (Fragment/Fragment)

v2FragmentReAssyTmOut Specifies the maximum number of seconds to wait to receive all fragments of an IKEv2 message for reassembly.

type=int
default=2
minimum=1
maximum=5
units=seconds
Displayed(tab/group)=Reassembly TimeOut (Fragment/Fragment)

 
Overridden Properties
id

minimum=1
maximum=2048

 
Properties inherited from policy.PolicyDefinition
configurationAction, configurationMode, discoveryState, displayedName, distributionMode, isMaster, lastSyncTime, numberOfUnderlyingPolicyItems, origin, policyMode, policySyncGroupPointer, policyType
 
Properties inherited from policy.PolicyObject
description, displayedName, globalPolicy, id, isLocal, policyType, siteId, siteName, templateObject
 
Properties inherited from ManagedObject
actionMask, children-Set, deploymentState, isFaultSquelched, name, objectFullName, selfAlarmed
 
Methods inherited from policy.PolicyDefinition
distribute, distributeUsingGroups, distributeV2, evaluatePolicy, findGlobal, findLocal, findReleased, getSyncTaskResult, resetToReleasedPolicy, setConfigurationModeToDraft, setConfigurationModeToReleased, setDistributionModeToLocalEditOnly, setDistributionModeToSyncWithGlobal, syncTo, syncToLocalWithResync
 
Supported Network Elements
7750 SR Supported from 10.0.R1 until 13.0.R13
  • Excluded chassis types: 7750-SR1, 7750-SRc4, 7750-SRa4, 7750-SRa8, 7750 SR-1e, 7750 SR-2e, 7750 SR-3e, 7750-SR1 Fixed CFM, 7750 SR-14s, 7750 SR-7s, 7750 SR-1s, 7750 SR-2s
Supported from 13.0.R13 until 14.0.R1
  • Excluded chassis types: 7750-SRc4, 7750-SRa4, 7750-SRa8, 7750-SR1 Fixed CFM, 7750 SR-14s, 7750 SR-7s, 7750 SR-1s, 7750 SR-2s
Supported from 14.0.R1 until 14.0.R4
  • Excluded chassis types: 7750-SRc4, 7750-SRa4, 7750-SRa8, 7750 SR-1e, 7750 SR-2e, 7750 SR-3e, 7750-SR1 Fixed CFM, 7750 SR-14s, 7750 SR-7s, 7750 SR-1s, 7750 SR-2s
Supported from 14.0.R4 until 20.10.R1
  • Excluded chassis types: 7750-SRc4, 7750-SRa4, 7750-SRa8, 7750-SR1 Fixed CFM, 7750 SR-14s, 7750 SR-7s, 7750 SR-1s, 7750 SR-2s
Supported from 20.10.R1 until 21.2.R1
  • Excluded chassis types: 7750-SRc4, 7750-SRa4, 7750-SRa8, 7750 SR-14s, 7750 SR-7s, 7750 SR-1s
Supported from 21.2.R1 until 21.7.R1
  • Excluded chassis types: 7750-SRc4, 7750-SRa4, 7750-SRa8, 7750 SR-7s, 7750 SR-14s
Supported from 21.7.R1
  • Excluded chassis types: 7750-SRc4, 7750-SRa4, 7750-SRa8
7705 SAR Gen 2
7450 ESS Supported from 11.0.R1
  • Excluded chassis types: 7450-ESS1
7705 SAR Supported from 6.1.R1
  • Excluded chassis types: 7705-SARM ASAP, 7705-SARM, 7705-SARM ASAP FL, 7705-SARM FL, 7705 SAR-A T1/E1, 7705 SAR-A, 7705-SARF
7705 SAR H Supported from 6.1.R1
7705 SAR Hm
Product Specifics
7450 ESS 20.0
7450 ESS 21.0
7450 ESS 22.0
7450 ESS 23.0
7450 ESS 24.0
7450 ESS 25.0
7705 SAR Gen 2 (all versions)
7705 SAR Gen 2 25.0
7705 SAR H 20.0
7705 SAR H 21.0
7705 SAR H 22.0
7705 SAR H 23.0
7705 SAR H 24.0
7705 SAR H 25.0
7705 SAR H 9.0
7705 SAR Hm 20.0
7705 SAR Hm 21.0
7705 SAR Hm 22.0
7705 SAR Hm 23.0
7705 SAR Hm 24.0
7705 SAR Hm 25.0
7705 SAR 20.0
7705 SAR 21.0
7705 SAR 22.0
7705 SAR 23.0
7705 SAR 24.0
7705 SAR 25.0
7750 SR (all versions)
7750 SR 20.0
7750 SR 21.0
7750 SR 22.0
7750 SR 23.0
7750 SR 24.0
7750 SR 25.0