ip/ipsec
Package: security
Type: Directory
ip/ipsec/active-peers
Package: security
Type: Directory
| Flag | Name | Description |
|---|---|---|
| R | responder | responder |
| N | natt-peer | natt-peer |
| P | ppk | ppk |

| Read-only Argument | Type | Description |
|---|---|---|
| id | string | |
| local-address | alt { ip6Addr, ipAddr } | |
| port | num | |
| remote-address | alt { ip6Addr, ipAddr } | |
| state | enum (spawning \| starting \| message-1-received \| message-1-sent \| message-2-received \| message-2-sent \| message-3-received \| message-3-sent \| message-4-received \| established \| expired \| no-phase1 \| eap \| crypto \| qkd) | |
| side | bool | |
| dynamic-address | alt { ipAddr } | |
| uptime | time | |
| last-seen | time | |
| ph2-total | num | |
| spii | string | |
| spir | string | |
| rx-packets | num | |
| rx-bytes | num | |
| tx-packets | num | |
| tx-bytes | num | |
ip/ipsec/active-peers/kill-connections
Package: security
Type: Command
ip/ipsec/identity
Package: security
Type: Directory
| Flag | Name | Description |
|---|---|---|
| D | dynamic | dynamic |
| X | disabled | disabled |

| Argument | Type | Description |
|---|---|---|
| peer ( mandatory ) | enum | |
| auth-method | enum (pre-shared-key \| digital-signature \| eap \| eap-radius \| pre-shared-key-xauth \| rsa-key \| rsa-signature-hybrid) | |
| eap-methods | multi { array-id, enum (eap-tls \| eap-ttls \| eap-peap \| eap-mschapv2) { eap-tls:ident::EAP_TLS, eap-ttls:ident::EAP_TTLS, eap-peap:ident::EAP_PEAP, eap-mschapv2:ident::EAP_MSCHAPV2 }, } | EAP methods |
| mode-config | enum (none) | |
| notrack-chain | string | Add dynamic raw notrack rules for dynamic policies |
| my-id | alt { composite { , } { , }, composite { , } { , }, enum (auto \| dn) { auto:ident::IDT_AUTO, dn:ident::IDT_ASN1DN }, } | |
| remote-id | alt { composite { , } { , }, composite { , } { , }, enum (auto \| ignore \| dn) { auto:ident::IDT_AUTO, ignore:ident::IDT_IGNORE, dn:ident::IDT_ASN1DN }, } | |
| match-by | enum (remote-id \| certificate) | identity lookup method for the responder |
| key | enum () | key for raw RSA authentication (ike1 only) |
| remote-key | enum () | remote key for raw RSA authentication (ike1 only) |
| secret | string { } | pre-shared key secret |
| certificate | multi { array-id, enum, } | local certificate |
| remote-certificate | enum (none) | use this certificate when peer does not send one |
| username | string { } | EAP or XAuth user |
| password | string { } | EAP or XAuth password |
| generate-policy | enum (no \| port-override \| port-strict) | |
| policy-template-group | enum | |
ip/ipsec/installed-sa
Package: security
Type: Directory
| Flag | Name | Description |
|---|---|---|
| S | seen-traffic | seen-traffic |
| H | hw-aead | hw-aead |
| A | AH | AH |
| E | ESP | ESP |

| Argument | Type | Description |
|---|---|---|
| spi | num | |
| state | enum (larval \| mature \| dying \| dead) | |
| auth-algorithm | enum (none \| md5 \| sha1 \| sha256 \| sha512) | |
| enc-algorithm | enum (none \| des \| 3des \| null \| aes-cbc \| aes-ctr \| aes-gcm \| blowfish \| twofish \| camellia \| chacha20poly1305) | |
| enc-key-size | num | |
| auth-key | string | |
| enc-key | string | |
| addtime | date | |
| expires-in | time | |
| add-lifetime | composite { , } | |
| current-bytes | num | |
| current-packets | num | |
| invalid-packets | num | |
| replay | num | |

| Read-only Argument | Type | Description |
|---|---|---|
| src-address | super { alt { ip6Addr, ipAddr } { ip6Addr, ipAddr }, :num } | |
| dst-address | super { alt { ip6Addr, ipAddr } { ip6Addr, ipAddr }, :num } | |
ip/ipsec/installed-sa/flush
Package: security
Type: Command
ip/ipsec/key
Package: security
Type: Directory
ip/ipsec/key/psk
Package: security
Type: Directory
| Argument | Type | Description |
|---|---|---|
| peer ( mandatory ) | enum | |
| id ( mandatory ) | string | |
| key ( mandatory ) | string | |
ip/ipsec/key/psk/generate
Package: security
Type: Command
| Argument | Type | Description |
|---|---|---|
| peer | enum | |
| size | num | |
| count | num | |
ip/ipsec/key/qkd
Package: security
Type: Settings Directory
| Argument | Type | Description |
|---|---|---|
| enabled | bool | |
| address | string | KME device address |
| kme-id | string | should match the KME ID in the received TLS certificate |
| key-size | num | in bits |
| certificate | enum (none) | this also specifies your SAE ID |
| peer-sae-id | string | peer (master or slave) SAE ID |
| cache-size | num | number of unused keys to keep in cache |

| Read-only Argument | Type | Description |
|---|---|---|
| cache-state | num | number of current unused keys in cache |
| total-keys-received | num | total number of received keys |
ip/ipsec/key/qkd/get-key
Package: security
Type: Command
| Argument | Type | Description |
|---|---|---|
| additional-sae-ids | multi { array-id, string } | additional SAEs which will also get the generated key |
| number | num | number of keys to generate |

| Read-only Argument | Type | Description |
|---|---|---|
| keys | object { super { string, : string } { string, : string } } | |
ip/ipsec/key/qkd/get-key-cached
Package: security
Type: Command
| Read-only Argument | Type | Description |
|---|---|---|
| key-id | string | |
| key | string | |
ip/ipsec/key/qkd/get-key-with-ids
Package: security
Type: Command
| Argument | Type | Description |
|---|---|---|
| key-ids | multi { array-id, string } | |

| Read-only Argument | Type | Description |
|---|---|---|
| keys | object { super { string, : string } { string, : string } } | |
ip/ipsec/key/qkd/get-status
Package: security
Type: Command
| Argument | Type | Description |
|---|---|---|
| sae-id | string | if not specified, peer-sae-id will be used |

| Read-only Argument | Type | Description |
|---|---|---|
| source-kme-id | string | |
| target-kme-id | string | |
| master-sae-id | string | |
| slave-sae-id | string | |
| key-size | num | |
| stored-key-count | num | |
| max-key-count | num | |
| max-key-per-request | num | |
| max-key-size | num | |
| min-key-size | num | |
| max-sae-id-count | num | |
ip/ipsec/key/rsa
Package: security
Type: Directory
| Flag | Name | Description |
|---|---|---|
| P | private-key | private-key |
| R | rsa | rsa |

| Argument | Type | Description |
|---|---|---|
| name | string | |

| Read-only Argument | Type | Description |
|---|---|---|
| key-size | num | |
ip/ipsec/key/rsa/export-pub-key
Package: security
Type: Command
| Argument | Type | Description |
|---|---|---|
| key | enum | |
| file-name | string | |
ip/ipsec/key/rsa/generate-key
Package: security
Type: Command
| Argument | Type | Description |
|---|---|---|
| name | string | |
| key-size | alt { enum (2048 \| 4096 \| 8192) { 2048:2048, 4096:4096, 8192:8192 } } | |
ip/ipsec/key/rsa/import
Package: security
Type: Command
| Argument | Type | Description |
|---|---|---|
| file-name | file | |
| name | string | |
| passphrase | string | |
ip/ipsec/mode-config
Package: security
Type: Directory
| Flag | Name | Description |
|---|---|---|
| * | default | default |
| R | responder | responder |

| Argument | Type | Description |
|---|---|---|
| name ( mandatory ) | string | |
| responder | bool | whether this side sends the config (yes) or requests it (no) |
| system-dns | bool { } | send system DNS servers to peer |
| static-dns | object { alt { ipAddr } { ipAddr }, } | DNS servers sent to peer, exclusive with system-dns |
| address | ipAddr { } | |
| address-pool | enum (none) | issue one address for peer from this pool |
| address-prefix-length | num { } | issued address netmask |
| split-include | object { , alt { ipPrefix } { ipPrefix } } | additional protected subnets |
| split-dns | multi { array-id, string, } | DNS names to be resolved using the internal server |
| src-address-list | enum () | address list name to be added to srcnat chain for initiator |
| connection-mark | enum () | connection-mark to be added to srcnat chain for initiator |
| use-responder-dns | enum (no \| yes \| exclusively) | whether the DNS servers sent by the responder should be used by the initiator |
ip/ipsec/peer
Package: security
Type: Directory
| Flag | Name | Description |
|---|---|---|
| X | disabled | disabled |
| D | dynamic | dynamic |
| R | responder | responder |

| Argument | Type | Description |
|---|---|---|
| name | string | |
| address | alt { ip6Prefix, ipPrefix, string, } | |
| local-address | alt { ip6Addr, ipAddr } | |
| passive | bool | Passive peer won't initiate connection |
| port | num { } | peer's port |
| profile | enum | |
| exchange-mode | enum (main \| base \| aggressive \| ike2) | ike2 selects IKEv2; main, base and aggressive are IKEv1 modes |
| send-initial-contact | bool | |
| ppk-secret | string | static PPK secret (with the ID "static-ppk-secret") used when no one-time key/PSK exists for this peer; ensure the key has 256 bits of entropy |

| Read-only Argument | Type | Description |
|---|---|---|
| current-address | alt { ip6Addr, ipAddr } | |
ip/ipsec/policy
Package: security
Type: Directory
| Flag | Name | Description |
|---|---|---|
| T | template | template |
| B | backup | backup |
| X | disabled | disabled |
| D | dynamic | dynamic |
| I | invalid | invalid |
| A | active | active |
| * | default | default |

| Argument | Type | Description |
|---|---|---|
| peer | multi { array-id, enum } | automatically activates the peer to establish the connection; use with a shunt policy |
| tunnel | bool | |
| group | enum () | |
| src-address | alt { ip6Prefix, ipPrefix } | |
| src-port | num | |
| dst-address | alt { ip6Prefix, ipPrefix } | |
| dst-port | num | |
| protocol | enum (all) | |
| action | enum (encrypt \| discard \| none) | encrypt applies the proposal, discard drops matching traffic, none passes it through unprotected |
| level | enum (require \| use \| unique) | require drops matching traffic until an SA exists; use sends it in cleartext when no SA exists; unique negotiates a separate SA per policy |
| ipsec-protocols | enum (ah \| esp) | which IPsec protocol to use (AH authenticates only, ESP also encrypts) |
| sa-src-address | alt { ip6Addr, ipAddr, } | endpoint address |
| sa-dst-address | alt { ip6Addr, ipAddr, } | endpoint address |
| proposal | enum | |
| template | bool | |

| Read-only Argument | Type | Description |
|---|---|---|
| ph2-count | num | |
| ph2-state | enum (spawning \| starting \| ready-to-send \| getspi-sent \| getspi-done \| msg1-sent \| ready-to-establish \| commiting \| adding-sa \| established \| expired \| no-phase2) | |
ip/ipsec/policy/group
Package: security
Type: Directory
| Flag | Name | Description |
|---|---|---|
| * | default | default |

| Argument | Type | Description |
|---|---|---|
| name ( mandatory ) | string | |
ip/ipsec/profile
Package: security
Type: Directory
| Flag | Name | Description |
|---|---|---|
| * | default | default |

| Argument | Type | Description |
|---|---|---|
| name ( mandatory ) | string | |
| hash-algorithm | enum (md5 \| sha1 \| sha256 \| sha384 \| sha512) | IKE SA (phase 1) integrity algorithm |
| prf-algorithm | enum (auto \| sha1 \| sha256 \| sha384 \| sha512) | IKEv2 only |
| enc-algorithm | ubit (aes-256, aes-192, aes-128, 3des, des) | IKE SA (phase 1) encryption algorithms |
| dh-group | ubit (x25519, ecp256, ecp384, ecp521, modp6144, modp4096, modp3072, modp2048, modp1536, modp1024, modp768) | IKE SA key exchange groups |
| lifetime | time | IKEv1 only |
| lifebytes | num | IKEv1 only |
| proposal-check | enum (obey \| strict \| claim \| exact) | Lifetime check logic (IKEv1 only) |
| nat-traversal | bool | IKEv1 only |
| ppk | enum (no \| psk \| psk-ike-initial \| qkd) | post-quantum preshared key (IKEv2 only) |
| dpd-interval | alt { enum (disable-dpd) { disable-dpd:0 }, time [ .. 3600] } | |
| dpd-maximum-failures | num { } | IKEv1 only |
ip/ipsec/proposal
Conditions: IKE2_DEV
Package: security
Type: Directory
| Flag | Name | Description |
|---|---|---|
| X | disabled | disabled |
| * | default | default |

| Argument | Type | Description |
|---|---|---|
| name | string | |
| auth-algorithms | ubit (sha512, sha256, sha1, md5, null) | ESP/AH (phase 2) integrity algorithms |
| enc-algorithms | ubit (chacha20poly1305, aes-256-cbc, aes-256-ctr, aes-256-gcm, camellia-256, aes-192-cbc, aes-192-ctr, aes-192-gcm, camellia-192, aes-128-cbc, aes-128-ctr, aes-128-gcm, camellia-128, 3des, blowfish, twofish, des, null) | ESP (phase 2) encryption algorithms |
| lifetime | time | |
| pfs-group | enum (none \| ecp256 \| ecp384 \| ecp521 \| modp6144 \| modp4096 \| modp3072 \| modp2048 \| modp1536 \| modp1024 \| modp768) | DH group for perfect forward secrecy of child SAs; none disables PFS |
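The profile, proposal, peer, identity and policy menus above accept every algorithm and mode the router supports, including ones a reviewer should reject outright: md5, sha1, des, 3des, null, modp768 to modp1536, pfs-group=none, IKEv1 aggressive mode, short pre-shared keys and policies with level=use. The Python script below is an added example and not RouterOS code: it parses lines in the `/ip ipsec export` style for those menus and reports each weak choice, using two constructed configurations (one weak, one hardened) as input. The names `legacy`, `pq`, `branch` and `vpn-gw`, the addresses, and the 20-character PSK threshold are assumptions for the example.

```python
"""Audit /ip ipsec export text for weak profile, proposal, peer, identity and policy settings.

Added example, not RouterOS code. The export text at the bottom is constructed.
"""
import re
import shlex
from typing import Dict, List

Entry = Dict[str, str]
Menus = Dict[str, List[Entry]]

# Enum values from the /ip/ipsec/profile and /ip/ipsec/proposal tables that should not be offered.
WEAK_IKE_HASH = {"md5", "sha1"}
WEAK_IKE_ENC = {"des", "3des"}
WEAK_DH = {"modp768", "modp1024", "modp1536"}          # also checked as pfs-group
WEAK_ESP_AUTH = {"md5", "sha1", "null"}
WEAK_ESP_ENC = {"des", "3des", "blowfish", "twofish", "null"}
AEAD_ESP_ENC = {"aes-128-gcm", "aes-192-gcm", "aes-256-gcm", "chacha20poly1305"}
MIN_PSK_CHARS = 20                                       # heuristic threshold (assumption)

MENU_RE = re.compile(r"^/ip ipsec ([a-z-]+)$")


def parse_export(text: str) -> Menus:
    """Group `add key=value ...` / `set ...` lines under their `/ip ipsec <menu>` header."""
    menus: Menus = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = MENU_RE.match(line)
        if m:
            current = m.group(1)
            menus.setdefault(current, [])
            continue
        tokens = shlex.split(line)
        if current is None or tokens[0] not in ("add", "set"):
            continue
        # keep only key=value tokens; `set [find ...]` selectors are ignored
        menus[current].append({k: v for k, _, v in (t.partition("=") for t in tokens[1:] if "=" in t)})
    return menus


def _values(entry: Entry, key: str) -> List[str]:
    """Split a comma-separated RouterOS list value such as enc-algorithms=aes-256-gcm,3des."""
    return [v for v in entry.get(key, "").split(",") if v]


def audit(menus: Menus) -> List[str]:
    """Return one finding per weak setting; an empty list means nothing was flagged."""
    f: List[str] = []
    for p in menus.get("profile", []):
        n = p.get("name", "?")
        f += [f"profile {n}: weak hash-algorithm {a}" for a in _values(p, "hash-algorithm") if a in WEAK_IKE_HASH]
        f += [f"profile {n}: weak enc-algorithm {a}" for a in _values(p, "enc-algorithm") if a in WEAK_IKE_ENC]
        f += [f"profile {n}: weak dh-group {g}" for g in _values(p, "dh-group") if g in WEAK_DH]
    for pr in menus.get("proposal", []):
        n = pr.get("name", "?")
        enc = _values(pr, "enc-algorithms")
        f += [f"proposal {n}: weak enc-algorithm {a}" for a in enc if a in WEAK_ESP_ENC]
        if any(a not in AEAD_ESP_ENC for a in enc):  # a separate integrity algorithm only matters for non-AEAD ciphers
            f += [f"proposal {n}: weak auth-algorithm {a}" for a in _values(pr, "auth-algorithms") if a in WEAK_ESP_AUTH]
        pfs = pr.get("pfs-group")
        if pfs == "none":
            f.append(f"proposal {n}: pfs-group=none, child SAs have no forward secrecy")
        elif pfs in WEAK_DH:
            f.append(f"proposal {n}: weak pfs-group {pfs}")
    for peer in menus.get("peer", []):
        n, mode = peer.get("name", "?"), peer.get("exchange-mode", "main")  # main is the RouterOS default
        if mode == "aggressive":
            f.append(f"peer {n}: aggressive mode exposes the PSK-derived hash to offline cracking")
        if mode != "ike2":
            f.append(f"peer {n}: exchange-mode={mode} is IKEv1, prefer ike2")
    for ident in menus.get("identity", []):
        if ident.get("auth-method", "pre-shared-key") == "pre-shared-key" and len(ident.get("secret", "")) < MIN_PSK_CHARS:
            f.append(f"identity for peer {ident.get('peer', '?')}: short or missing pre-shared key secret")
    for pol in menus.get("policy", []):
        dst = pol.get("dst-address", "?")
        if pol.get("action", "encrypt") == "encrypt" and pol.get("level", "require") == "use":
            f.append(f"policy to {dst}: level=use sends traffic in cleartext when no SA exists")
        if pol.get("ipsec-protocols", "esp") == "ah":
            f.append(f"policy to {dst}: ipsec-protocols=ah gives integrity only, no confidentiality")
    return f


# Constructed sample exports (not captured from a real router).
WEAK_EXPORT = """\
/ip ipsec profile
add name=legacy hash-algorithm=sha1 enc-algorithm=3des,aes-128 dh-group=modp1024
/ip ipsec proposal
add name=legacy auth-algorithms=md5,sha1 enc-algorithms=3des,aes-128-cbc pfs-group=none
/ip ipsec peer
add name=branch address=203.0.113.10/32 exchange-mode=aggressive profile=legacy
/ip ipsec identity
add peer=branch auth-method=pre-shared-key secret=letmein
/ip ipsec policy
add peer=branch tunnel=yes src-address=10.0.0.0/24 dst-address=10.1.0.0/24 level=use proposal=legacy
"""
HARDENED_EXPORT = """\
/ip ipsec profile
add name=pq hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=ecp256,x25519
/ip ipsec proposal
add name=pq auth-algorithms=sha256 enc-algorithms=aes-256-gcm,chacha20poly1305 pfs-group=ecp256
/ip ipsec peer
add name=branch address=203.0.113.10/32 exchange-mode=ike2 profile=pq
/ip ipsec identity
add peer=branch auth-method=digital-signature certificate=vpn-gw
/ip ipsec policy
add peer=branch tunnel=yes src-address=10.0.0.0/24 dst-address=10.1.0.0/24 level=require proposal=pq
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_EXPORT), ("hardened", HARDENED_EXPORT)):
        print(f"== {label} ==")
        print("\n".join(audit(parse_export(text))) or "no findings")
```

Run it against the output of `/ip ipsec export` saved from the router; anything not in the `export` (values left at their defaults) is judged by the RouterOS defaults named in the code (`main`, `pre-shared-key`, `encrypt`, `require`, `esp`), so check `ppk`, `prf-algorithm` and the installed-sa flags by hand as well.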
ip/ipsec/settings
Package: security
Type: Settings Directory
| Argument | Type | Description |
|---|---|---|
| xauth-use-radius | bool | |
| accounting | bool | |
| interim-update | time | |
| ddos-cookie-threshold | num | half-open IKE negotiation count above which the anti-DDoS cookie challenge is activated |
ip/ipsec/statistics
Package: security
Type: Settings Directory
| Read-only Argument | Type | Description |
|---|---|---|
| in-errors | num | |
| in-buffer-errors | num | |
| | num | |
| in-no-states | num | |
| in-state-protocol-errors | num | |
| in-state-mode-errors | num | |
| in-state-sequence-errors | num | |
| in-state-expired | num | |
| in-state-mismatches | num | |
| in-state-invalid | num | |
| in-template-mismatches | num | |
| in-no-policies | num | |
| in-policy-blocked | num | |
| in-policy-errors | num | |
| out-errors | num | |
| out-bundle-errors | num | |
| out-bundle-check-errors | num | |
| out-no-states | num | |
| out-state-protocol-errors | num | |
| out-state-mode-errors | num | |
| out-state-sequence-errors | num | |
| out-state-expired | num | |
| out-policy-blocked | num | |
| out-policy-dead | num | |
| out-policy-errors | num | |
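The counters above carry no descriptions on this page; their names mirror the Linux XFRM statistics, and a few of them are the first place an ESP replay, a stale or spoofed SPI, or a policy mismatch becomes visible. The Python script below is an added example and not RouterOS code: it parses two `/ip ipsec statistics print` style snapshots and raises an alert when a watched counter grows by more than a threshold between them, or went backwards because the counters were reset. The counter meanings in `WATCH` follow the XFRM counters these names correspond to; the thresholds and both snapshots are constructed assumptions for the example.

```python
"""Alert on suspicious growth of /ip ipsec statistics counters between two snapshots.

Added example, not RouterOS code. Counter meanings follow the Linux XFRM
counters these names correspond to; thresholds and snapshots are constructed.
"""
from typing import Dict, List, Tuple

# counter name -> (what sustained growth usually means, alert threshold per polling interval)
WATCH: Dict[str, Tuple[str, int]] = {
    "in-state-sequence-errors": ("ESP packets rejected by the anti-replay window: replay or heavy reordering", 10),
    "in-no-states": ("ESP/AH whose SPI matches no installed SA: stale peer, rekey race or unsolicited traffic", 50),
    "in-state-invalid": ("packets for an SA that is not usable (for example still larval or already dead)", 10),
    "in-template-mismatches": ("decrypted traffic did not match the policy template it arrived under", 1),
    "in-policy-blocked": ("inbound traffic hit a policy with action=discard", 1),
    "out-no-states": ("outbound match on an encrypt policy with no SA; with level=use this leaves in cleartext", 20),
}


def parse_statistics(text: str) -> Dict[str, int]:
    """Parse `name: value` lines as printed by /ip ipsec statistics print."""
    stats: Dict[str, int] = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and value.strip().isdigit():
            stats[name.strip()] = int(value.strip())
    return stats


def counter_deltas(prev: Dict[str, int], cur: Dict[str, int]) -> Dict[str, int]:
    """Per-counter growth; a negative value means the counters were reset (reboot or flush)."""
    return {name: cur[name] - prev.get(name, 0) for name in cur}


def alerts(prev: Dict[str, int], cur: Dict[str, int]) -> List[str]:
    """One message per watched counter that reset or grew by at least its threshold."""
    out: List[str] = []
    deltas = counter_deltas(prev, cur)
    for name, (meaning, threshold) in WATCH.items():
        d = deltas.get(name, 0)
        if d < 0:
            out.append(f"{name}: counter decreased by {-d}, statistics were reset; re-baseline")
        elif d >= threshold:
            out.append(f"{name}: +{d} since last snapshot ({meaning})")
    return out


# Constructed snapshots (a subset of the counters, not captured from a real router).
SNAPSHOT_T0 = """\
                 in-errors: 0
              in-no-states: 3
  in-state-sequence-errors: 1
          in-state-invalid: 0
    in-template-mismatches: 0
         in-policy-blocked: 0
                out-errors: 0
             out-no-states: 2
"""
SNAPSHOT_T1 = """\
                 in-errors: 0
              in-no-states: 412
  in-state-sequence-errors: 57
          in-state-invalid: 0
    in-template-mismatches: 0
         in-policy-blocked: 0
                out-errors: 0
             out-no-states: 5
"""

if __name__ == "__main__":
    for msg in alerts(parse_statistics(SNAPSHOT_T0), parse_statistics(SNAPSHOT_T1)):
        print(msg)
```

Correlate an `in-no-states` burst with `/ip/ipsec/installed-sa` (is the SPI being targeted one that just expired?) and an `in-state-sequence-errors` burst with the `replay` column of the affected SA before treating either as an attack; both also rise during a rekey race or on a lossy path.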