ipsec

---

ip/ipsec

Type: Directory

ip/ipsec/policy

Type: Directory

Flag	Name	Description
T	template	template
B	backup	backup
X	disabled	disabled
D	dynamic	dynamic
I	invalid	invalid
A	active	active
*	default	default

Argument	Type	Description
peer	multi_arg { array-id, enum }
tunnel	bool
group	enum ()
src-address	alt { ip6_prefix_arg , ip_prefix_arg }
src-port	num
dst-address	alt { ip6_prefix_arg , ip_prefix_arg }
dst-port	num
protocol	enum (all)
action	enum (encrypt | discard | none)
level	enum (require | use | unique)
ipsec-protocols	enum (ah | esp)
sa-src-address	alt { ip6Addr , ipAddr , }
sa-dst-address	alt { ip6Addr , ipAddr , }
proposal	enum
template	bool

Read-only Argument	Type	Description
ph2-count	num
ph2-state	enum (spawning | starting | ready-to-send | getspi-sent | getspi-done | msg1-sent | ready-to-establish | commiting | adding-sa | established | expired | no-phase2)

ip/ipsec/policy/group

Type: Directory

Flag	Name	Description
*	default	default

Argument	Type	Description
name ( mandatory )	string

ip/ipsec/installed-sa

Type: Directory

Flag	Name	Description
S	seen-traffic	seen-traffic
H	hw-aead	hw-aead
A	AH	AH
E	ESP	ESP

Argument	Type	Description
spi	num
state	enum (larval | mature | dying | dead)
auth-algorithm	enum (none | md5 | sha1 | sha256 | sha512)
enc-algorithm	enum (none | des | 3des | null | aes-cbc | aes-ctr | aes-gcm | blowfish | twofish | camellia | chacha20poly1305)
enc-key-size	num
auth-key	string
enc-key	string
addtime	date_arg
expires-in	time
add-lifetime	composite_arg { , }
current-bytes	num
current-packets	num
invalid-packets	num
replay	num

Read-only Argument	Type	Description
src-address	super { alt { ip6Addr , ipAddr } { ip6Addr , ipAddr } , :num }
dst-address	super { alt { ip6Addr , ipAddr } { ip6Addr , ipAddr } , :num }

ip/ipsec/installed-sa/flush

Type: Command

ip/ipsec/peer

Type: Directory

Flag	Name	Description
X	disabled	disabled
D	dynamic	dynamic
R	responder	responder

Argument	Type	Description
name	string
address	alt { ip6_prefix_arg , ip_prefix_arg , string , }
local-address	alt { ip6Addr , ipAddr }
passive	bool
port	num { }
profile	enum
exchange-mode	enum (main | base | aggressive | ike2)
send-initial-contact	bool
ppk-secret	string

Read-only Argument	Type	Description
current-address	alt { ip6Addr , ipAddr }

ip/ipsec/profile

Type: Directory

Flag	Name	Description
*	default	default

Argument	Type	Description
name ( mandatory )	string
hash-algorithm	enum (md5 | sha1 | sha256 | sha384 | sha512)
prf-algorithm	enum (auto | sha1 | sha256 | sha384 | sha512)
enc-algorithm	ubit (aes-256, aes-192, aes-128, 3des, des)
dh-group	ubit (x25519, ecp256, ecp384, ecp521, modp6144, modp4096, modp3072, modp2048, modp1536, modp1024, modp768)
lifetime	time
lifebytes	num
proposal-check	enum (obey | strict | claim | exact)
nat-traversal	bool
ppk	enum (no | psk | psk-ike-initial | qkd)
dpd-interval	alt { enum (disable-dpd) { disable-dpd:0 } , time [ .. 3600] }
dpd-maximum-failures	num { }

ip/ipsec/identity

Type: Directory

Flag	Name	Description
D	dynamic	dynamic
X	disabled	disabled

Argument	Type	Description
peer ( mandatory )	enum
auth-method	enum (pre-shared-key | digital-signature | eap | eap-radius | pre-shared-key-xauth | rsa-key | rsa-signature-hybrid)
eap-methods	multi_arg { array-id, enum (eap-tls | eap-ttls | eap-peap | eap-mschapv2) { eap-tls:ident::EAP_TLS, eap-ttls:ident::EAP_TTLS, eap-peap:ident::EAP_PEAP, eap-mschapv2:ident::EAP_MSCHAPV2 } , }
mode-config	enum (none)
notrack-chain	string
my-id	alt { composite_arg { , } { , } , composite_arg { , } { , } , enum (auto | dn) { auto:ident::IDT_AUTO, dn:ident::IDT_ASN1DN } , }
remote-id	alt { composite_arg { , } { , } , composite_arg { , } { , } , enum (auto | ignore | dn) { auto:ident::IDT_AUTO, ignore:ident::IDT_IGNORE, dn:ident::IDT_ASN1DN } , }
match-by	enum (remote-id | certificate)
key	enum ()
remote-key	enum ()
secret	string { }
certificate	multi_arg { array-id, enum , }
remote-certificate	enum (none)
username	string { }
password	string { }
generate-policy	enum (no | port-override | port-strict)
policy-template-group	enum

ip/ipsec/mode-config

Type: Directory

Flag	Name	Description
*	default	default
R	responder	responder

Argument	Type	Description
name ( mandatory )	string
responder	bool
system-dns	bool { }
static-dns	obj_arg { alt { ipAddr } { ipAddr } , }
address	ipAddr { }
address-pool	enum (none)
address-prefix-length	num { }
split-include	obj_arg { , alt { ip_prefix_arg } { ip_prefix_arg } }
split-dns	multi_arg { array-id, string , }
src-address-list	enum ()
connection-mark	enum ()
use-responder-dns	enum (no | yes | exclusively)

ip/ipsec/proposal

Conditions: IKE2_DEV
Type: Directory

Flag	Name	Description
X	disabled	disabled
*	default	default

Argument	Type	Description
name	string
auth-algorithms	ubit (sha512, sha256, sha1, md5, null)
enc-algorithms	ubit (chacha20poly1305, aes-256-cbc, aes-256-ctr, aes-256-gcm, camellia-256, aes-192-cbc, aes-192-ctr, aes-192-gcm, camellia-192, aes-128-cbc, aes-128-ctr, aes-128-gcm, camellia-128, 3des, blowfish, twofish, des, null)
lifetime	time
pfs-group	enum (none | ecp256 | ecp384 | ecp521 | modp6144 | modp4096 | modp3072 | modp2048 | modp1536 | modp1024 | modp768)

ip/ipsec/active-peers

Type: Directory

Flag	Name	Description
R	responder	responder
N	natt-peer	natt-peer
P	ppk	ppk

Read-only Argument	Type	Description
id	string
local-address	alt { ip6Addr , ipAddr }
port	num
remote-address	alt { ip6Addr , ipAddr }
state	enum (spawning | starting | message-1-received | message-1-sent | message-2-received | message-2-sent | message-3-received | message-3-sent | message-4-received | established | expired | no-phase1 | eap | crypto | qkd)
side	bool
dynamic-address	alt { ipAddr }
uptime	time
last-seen	time
ph2-total	num
spii	string
spir	string
rx-packets	num
rx-bytes	num
tx-packets	num
tx-bytes	num

ip/ipsec/active-peers/kill-connections

Type: Command

ip/ipsec/statistics

Type: Settings Directory

Read-only Argument	Type	Description
in-errors	num
in-buffer-errors	num
in-header-errors	num
in-no-states	num
in-state-protocol-errors	num
in-state-mode-errors	num
in-state-sequence-errors	num
in-state-expired	num
in-state-mismatches	num
in-state-invalid	num
in-template-mismatches	num
in-no-policies	num
in-policy-blocked	num
in-policy-errors	num
out-errors	num
out-bundle-errors	num
out-bundle-check-errors	num
out-no-states	num
out-state-protocol-errors	num
out-state-mode-errors	num
out-state-sequence-errors	num
out-state-expired	num
out-policy-blocked	num
out-policy-dead	num
out-policy-errors	num

ip/ipsec/key

Type: Directory

ip/ipsec/key/psk

Type: Directory

Argument	Type	Description
peer ( mandatory )	enum
id ( mandatory )	string
key ( mandatory )	string

ip/ipsec/key/psk/generate

Type: Command

Argument	Type	Description
peer	enum
size	num
count	num

ip/ipsec/key/qkd

Type: Settings Directory

Argument	Type	Description
enabled	bool
address	string
kme-id	string
key-size	num
certificate	enum (none)
peer-sae-id	string
cache-size	num

Read-only Argument	Type	Description
cache-state	num
total-keys-received	num

ip/ipsec/key/qkd/get-status

Type: Command

Argument	Type	Description
sae-id	string

Read-only Argument	Type	Description
source-kme-id	string
target-kme-id	string
master-sae-id	string
slave-sae-id	string
key-size	num
stored-key-count	num
max-key-count	num
max-key-per-request	num
max-key-size	num
min-key-size	num
max-sae-id-count	num

ip/ipsec/key/qkd/get-key

Type: Command

Argument	Type	Description
additional-sae-ids	multi_arg { array-id, string }
number	num

Read-only Argument	Type	Description
keys	obj_arg { super { string , : string } { string , : string } }

ip/ipsec/key/qkd/get-key-with-ids

Type: Command

Argument	Type	Description
key-ids	multi_arg { array-id, string }

Read-only Argument	Type	Description
keys	obj_arg { super { string , : string } { string , : string } }

ip/ipsec/key/qkd/get-key-cached

Type: Command

Read-only Argument	Type	Description
key-id	string
key	string

ip/ipsec/key/rsa

Type: Directory

Flag	Name	Description
P	private-key	private-key
R	rsa	rsa

Argument	Type	Description
name	string

Read-only Argument	Type	Description
key-size	num

ip/ipsec/key/rsa/import

Type: Command

Argument	Type	Description
file-name	file_enum
name	string
passphrase	string

ip/ipsec/key/rsa/export-pub-key

Type: Command

Argument	Type	Description
key	enum
file-name	string

ip/ipsec/key/rsa/generate-key

Type: Command

Argument	Type	Description
name	string
key-size	alt { enum (2048 | 4096 | 8192) { 2048:2048, 4096:4096, 8192:8192 } }

ip/ipsec/settings

Type: Settings Directory

Argument	Type	Description
xauth-use-radius	bool
accounting	bool
interim-update	time
ddos-cookie-threshold	num