IPsec port configuration example. CPX to CPX.

Revised for CPX 4.8.0.

Manual mode
    Transport (host-to-host)
    Tunnel (gateway-to-gateway)
IKE mode
    Transport (host-to-host)
    Tunnel (gateway-to-gateway)
    Tunnel (gateway-to-2 gateways)
    Tunnel (gateway-to-2 anonymous gateways)
    Tunnel (gateway-to-1 gateway + 1 anonymous gateway)

Manual mode

MODE parameter of the IPsec driver must be set to the MANUAL mode for both CPXs.

 
[21:14:29] CPX_1:d p po:ipsec

PO:920 
IPSEC  ------------------------------------------------------------------------
       LOG:DS         ACT:YES    MODE:MANUAL  mxps:2048   IN-CHK:YES  TTL:0
       ECN:FORBIDDEN  DF:CLEAR

 
[21:14:29] CPX_2:d p po:ipsec

PO:920 
IPSEC  ------------------------------------------------------------------------
       LOG:DS         ACT:YES    MODE:MANUAL  mxps:2048   IN-CHK:YES  TTL:0
       ECN:FORBIDDEN  DF:CLEAR

IKE port should be deactivated for both CPXs (set ACT parameter to the NO):

 
[21:14:32] CPX_1:d p po:ike

PO:921 ------------------------------------------------------------------------
IKE    LOG:DS       lowpo:902       ACT:NO       mxps:2048   NRTY:3    TB:10
       WDIR:C:\APP\IKE\
       NATT:YES     NATT-N-IKE:YES  NATT-PF:YES  NATT-KA:20

 
[21:14:32] CPX_2:d p po:ike

PO:921 ------------------------------------------------------------------------
IKE    LOG:DS       lowpo:902       ACT:NO>       mxps:2048   NRTY:3    TB:10
       WDIR:C:\APP\IKE\
       NATT:YES     NATT-N-IKE:YES  NATT-PF:YES  NATT-KA:20

Manual mode. Transport (host-to-host)

Figure 1. Host-to-host layout.

There are two CPXs. Each CPX has IP interface:

CPX 1 (host) has IP interface 0 with 192.168.2.1 IP address.
CPX 2 (host) has IP interface 0 with 192.168.2.2 IP address.

CPX 1.

Policy table:

[21:28:23] CPX_1:d ipsec policy

-------------------------------------------------------------------------------
POLICY:  NAME:                            NET-SRC:           PORT-SRC:
         DIR: BUNDLE: RULE:               NET-DST:           PORT-DST:
-------------------------------------------------------------------------------
0        CPX_1-to-CPX_2                   192.168.002.001/32 *
         OUT  0       IPSEC               192.168.002.002/32 *
-------------------------------------------------------------------------------
1        CPX_2-to-CPX_1                   192.168.002.002/32 *
         IN   1       IPSEC               192.168.002.001/32 *
-------------------------------------------------------------------------------
2        Drop policy                      000.000.000.000/0  *
         OUT  NONE    DROP                000.000.000.000/0  *
-------------------------------------------------------------------------------

CPX 2.

Policy table:

[21:28:23] CPX_2:d ipsec policy

-------------------------------------------------------------------------------
POLICY:  NAME:                            NET-SRC:           PORT-SRC:
         DIR: BUNDLE: RULE:               NET-DST:           PORT-DST:
-------------------------------------------------------------------------------
0        CPX_2-to-CPX_1                   192.168.002.002/32 *
         OUT  0       IPSEC               192.168.002.001/32 *
-------------------------------------------------------------------------------
1        CPX_1-to-CPX_2                   192.168.002.001/32 *
         IN   1       IPSEC               192.168.002.002/32 *
-------------------------------------------------------------------------------
2        Drop policy                      000.000.000.000/0  *
         OUT  NONE    DROP                000.000.000.000/0  *
-------------------------------------------------------------------------------

Example 1.

IPsec: ESP protocol with MD5 authentication and 3DES encryption.

CPX 1.

SA table:

[21:25:43] CPX_1:d ipsec sa

-------------------------------------------------------------------------------
SA:  NAME:                SPI:           SRC-IP:         PROT: AUTH:    CIPHER:
     DIR: BUNDLE: TUNNEL: IPP:   SIDE:   DST-IP:               AUTHKEY: ENCKEY:
-------------------------------------------------------------------------------
0    CPX_1-to-CPX_2       00000200       192.168.002.001 ESP   MD5      3DES
     OUT  0       NO      1      AUTO    192.168.002.002       *******  ******* 
-------------------------------------------------------------------------------
1    CPX_2-to-CPX_1       00000400       192.168.002.002 ESP   MD5      3DES
     IN   1       NO      1      AUTO    192.168.002.001       *******  ******* 
-------------------------------------------------------------------------------

CPX 2.

SA table:

[21:25:43] CPX_2:d ipsec sa

-------------------------------------------------------------------------------
SA:  NAME:                SPI:           SRC-IP:         PROT: AUTH:    CIPHER:
     DIR: BUNDLE: TUNNEL: IPP:   SIDE:   DST-IP:               AUTHKEY: ENCKEY:
-------------------------------------------------------------------------------
0    CPX_2-to-CPX_1       00000400       192.168.002.002 ESP   MD5      3DES
     OUT  0       NO      1      AUTO    192.168.002.001       *******  ******* 
-------------------------------------------------------------------------------
1    CPX_1-to-CPX_2       00000200       192.168.002.001 ESP   MD5      3DES
     IN   1       NO      1      AUTO    192.168.002.002       *******  ******* 
-------------------------------------------------------------------------------

Notes:

TUNNEL fields of all SA records must be set to the NO for both CPXs.
AUTH, AUTHKEY, CIPHER and ENCKEY fields of OUT SA for CPX_1 and corresponding fields of IN SA for CPX_2 must be identical.
AUTH, AUTHKEY, CIPHER and ENCKEY fields of IN SA for CPX_1 and corresponding fields of OUT SA for CPX_2 must be identical.
SPI field of OUT SA for CPX_1 and corresponding field of IN SA for CPX_2 must be identical (0x200) and and vice versa (0x400).

Example 2.

IPsec: SA bundle: ESP protocol with MD5 authentication and 3DES encryption, AH protocol with SHA-1 authentication.

CPX 1.

SA table:

[21:25:43] CPX_1:d ipsec sa

-------------------------------------------------------------------------------
SA:  NAME:                SPI:           SRC-IP:         PROT: AUTH:    CIPHER:
     DIR: BUNDLE: TUNNEL: IPP:   SIDE:   DST-IP:               AUTHKEY: ENCKEY:
-------------------------------------------------------------------------------
0    CPX_1-to-CPX_2_ESP   00000200       192.168.002.001 ESP   MD5      3DES
     OUT  0       NO      1      AUTO    192.168.002.002       *******  ******* 
-------------------------------------------------------------------------------
1    CPX_1-to-CPX_2_AH    00000201       192.168.002.001 AH    SHA      
     OUT  0       NO      1      AUTO    192.168.002.002       *******   
-------------------------------------------------------------------------------
2    CPX_2-to-CPX_1_AH    00000401       192.168.002.002 AH    SHA      
     IN   1       NO      1      AUTO    192.168.002.001       *******   
-------------------------------------------------------------------------------
3    CPX_2-to-CPX_1_ESP   00000400       192.168.002.002 ESP   MD5      3DES
     IN   1       NO      1      AUTO    192.168.002.001       *******  ******* 
-------------------------------------------------------------------------------

CPX 2.

SA table:

[21:25:43] CPX_2:d ipsec sa

-------------------------------------------------------------------------------
SA:  NAME:                SPI:           SRC-IP:         PROT: AUTH:    CIPHER:
     DIR: BUNDLE: TUNNEL: IPP:   SIDE:   DST-IP:               AUTHKEY: ENCKEY:
-------------------------------------------------------------------------------
0    CPX_2-to-CPX_1_ESP   00000400       192.168.002.001 ESP   MD5      3DES
     OUT  0       NO      1      AUTO    192.168.002.002       *******  ******* 
-------------------------------------------------------------------------------
1    CPX_2-to-CPX_1_AH    00000401       192.168.002.001 AH    SHA      
     OUT  0       NO      1      AUTO    192.168.002.002       *******   
-------------------------------------------------------------------------------
2    CPX_1-to-CPX_2_AH    00000201       192.168.002.002 AH    SHA      
     IN   1       NO      1      AUTO    192.168.002.001       *******   
-------------------------------------------------------------------------------
3    CPX_1-to-CPX_2_ESP   00000200       192.168.002.002 ESP   MD5      3DES
     IN   1       NO      1      AUTO    192.168.002.001       *******  ******* 
-------------------------------------------------------------------------------

Notes:

TUNNEL fields of all SA records must be set to the NO for both CPXs.
AUTH, AUTHKEY, CIPHER and ENCKEY fields of OUT AH SA for CPX_1 and corresponding fields of IN AH SA for CPX_2 must be identical.
AUTH, AUTHKEY, CIPHER and ENCKEY fields of OUT ESP SA for CPX_1 and corresponding fields of IN ESP SA for CPX_2 must be identical.
AUTH, AUTHKEY, CIPHER and ENCKEY fields of IN AH SA for CPX_1 and corresponding fields of OUT AH SA for CPX_2 must be identical.
AUTH, AUTHKEY, CIPHER and ENCKEY fields of IN ESP SA for CPX_1 and corresponding fields of OUT ESP SA for CPX_2 must be identical.
SPI field of OUT AH SA for CPX_1 and corresponding field of IN AH SA for CPX_2 must be identical (0x201) and and vice versa (0x401).
SPI field of OUT ESP SA for CPX_1 and corresponding field of IN ESP SA for CPX_2 must be identical (0x200) and and vice versa (0x400).

Manual mode. Tunnel (gateway-to-gateway).

Figure 2. IPsec gateway-to-gateway network layout.

There are two CPXs. Each CPX has two IP interfaces:

CPX 1 (gateway) has IP interface 0 with 192.168.1.1 IP address and IP interface 1 with 192.168.2.1 IP address.
CPX 2 (gateway) has IP interface 0 with 192.168.3.1 IP address and IP interface 1 with 192.168.2.2 IP address.

Example 1.

IPsec: ESP protocol with MD5 authentication and 3DES encryption.

CPX 1.

Policy table:

[21:28:23] CPX_1:d ipsec policy

-------------------------------------------------------------------------------
POLICY:  NAME:                            NET-SRC:           PORT-SRC:
         DIR: BUNDLE: RULE:               NET-DST:           PORT-DST:
-------------------------------------------------------------------------------
0        CPX_1-to-CPX_2                   192.168.001.000/24 *
         OUT  0       IPSEC               192.168.003.000/24 *
-------------------------------------------------------------------------------
1        CPX_2-to-CPX_1                   192.168.003.000/24 *
         IN   1       IPSEC               192.168.001.000/24 *
-------------------------------------------------------------------------------
2        Drop policy                      000.000.000.000/0  *
         OUT  NONE    DROP                000.000.000.000/0  *
-------------------------------------------------------------------------------

SA table:

[21:25:43] CPX_1:d ipsec sa

-------------------------------------------------------------------------------
SA:  NAME:                SPI:           SRC-IP:         PROT: AUTH:    CIPHER:
     DIR: BUNDLE: TUNNEL: IPP:   SIDE:   DST-IP:               AUTHKEY: ENCKEY:
-------------------------------------------------------------------------------
0    CPX_1-to-CPX_2       00000200       192.168.002.001 ESP   MD5      3DES
     OUT  0       YES     1      AUTO    192.168.002.002       *******  ******* 
-------------------------------------------------------------------------------
1    CPX_2-to-CPX_1       00000400       192.168.002.002 ESP   MD5      3DES
     IN   1       YES     1      AUTO    192.168.002.001       *******  ******* 
-------------------------------------------------------------------------------

CPX 2.

Policy table:

[21:28:23] CPX_2:d ipsec policy

-------------------------------------------------------------------------------
POLICY:  NAME:                            NET-SRC:           PORT-SRC:
         DIR: BUNDLE: RULE:               NET-DST:           PORT-DST:
-------------------------------------------------------------------------------
0        CPX_2-to-CPX_1                   192.168.003.000/24 *
         OUT  0       IPSEC               192.168.001.000/24 *
-------------------------------------------------------------------------------
1        CPX_1-to-CPX_2                   192.168.001.000/24 *
         IN   1       IPSEC               192.168.003.000/24 *
-------------------------------------------------------------------------------
2        Drop policy                      000.000.000.000/0  *
         OUT  NONE    DROP                000.000.000.000/0  *
-------------------------------------------------------------------------------

SA table:

[21:25:43] CPX_2:d ipsec sa

-------------------------------------------------------------------------------
SA:  NAME:                SPI:           SRC-IP:         PROT: AUTH:    CIPHER:
     DIR: BUNDLE: TUNNEL: IPP:   SIDE:   DST-IP:               AUTHKEY: ENCKEY:
-------------------------------------------------------------------------------
0    CPX_2-to-CPX_1       00000400       192.168.002.002 ESP   MD5      3DES
     OUT  0       YES     1      AUTO    192.168.002.001       *******  ******* 
-------------------------------------------------------------------------------
1    CPX_1-to-CPX_2       00000200       192.168.002.001 ESP   MD5      3DES
     IN   1       YES     1      AUTO    192.168.002.002       *******  ******* 
-------------------------------------------------------------------------------

Notes:

TUNNEL fields of all SA records must be set to the YES for both CPXs.
AUTH, AUTHKEY, CIPHER and ENCKEY fields of OUT SA for CPX_1 and corresponding fields of IN SA for CPX_2 must be identical.
AUTH, AUTHKEY, CIPHER and ENCKEY fields of IN SA for CPX_1 and corresponding fields of OUT SA for CPX_2 must be identical.
SPI field of OUT SA for CPX_1 and corresponding field of IN SA for CPX_2 must be identical (0x200) and and vice versa (0x400).

IKE mode

MODE parameter of the IPsec driver must be set to the IKE mode for both CPXs.

 
[21:14:29] CPX_1:d p po:ipsec

PO:920 
IPSEC  ------------------------------------------------------------------------
       LOG:DS         ACT:YES    MODE:IKE     mxps:2048   IN-CHK:YES  TTL:0
       ECN:FORBIDDEN  DF:CLEAR

 
[21:14:29] CPX_2:d p po:ipsec

PO:920 
IPSEC  ------------------------------------------------------------------------
       LOG:DS         ACT:YES    MODE:IKE     mxps:2048   IN-CHK:YES  TTL:0
       ECN:FORBIDDEN  DF:CLEAR

IKE port must be activated for both CPXs (set ACT parameter to the YES):

 
[21:14:32] CPX_1:d p po:ike

PO:921 ------------------------------------------------------------------------
IKE    LOG:DS       lowpo:902       ACT:YES       mxps:2048   NRTY:3    TB:10
       WDIR:C:\APP\IKE\
       NATT:YES     NATT-N-IKE:YES  NATT-PF:YES  NATT-KA:20

 
[21:14:32] CPX_2:d p po:ike

PO:921 ------------------------------------------------------------------------
IKE    LOG:DS       lowpo:902       ACT:YES       mxps:2048   NRTY:3    TB:10
       WDIR:C:\APP\IKE\
       NATT:YES     NATT-N-IKE:YES  NATT-PF:YES  NATT-KA:20

IKE mode. Transport (host-to-host)

Network layout is the same as on Figure 1.

Example 1.

ISAKMP: 1024 DH group, PSK authentication, MD5 hash and 3DES encryption.
IPsec: ESP protocol with SHA-1 authentication and DES encryption.
PFS: disabled.

Only CPX 1 can begin to negotiate IPsec connection. CPX 2 is in the PASSIVE mode.

CPX 1.

IKE host connections table:

[21:30:22] CPX_1:d ike host

-------------------------------------------------------------------------------
HOST: NAME:                            LOC-IP:              IPP:    KEY-TRIES:
      CIPHER:   AUTH: HASH: DH:        REM-IP:              SIDE:   LIFE-TIME:
      ID-TYPE:        IP:              FQDN:
      PEER-ID-TYPE:   PEER-IP:         PEER-FQDN:
-------------------------------------------------------------------------------
0     CPX_1-to-CPX_2                   192.168.002.001      1       3
      3DES      PSK   MD5   MODP1024   192.168.002.002      AUTO    3600
      IP              192.168.002.001
      IP              192.168.002.002   
-------------------------------------------------------------------------------

IKE client connections table:

[21:30:58] CPX_1:d ike cli

-------------------------------------------------------------------------------
CLI: NAME:                            HOST-ID: RULE:        LIFE-TIME:    PFS:
     ESP: ESP-CIPHER: ESP-AUTH:       PASSIVE: PERMANENT:   NET-SRC:
     AH:              AH-AUTH:                 TUNNEL:      NET-DST:
-------------------------------------------------------------------------------
0    CPX_1-to-CPX_2                   0        IPSEC        28800         NO
     YES  DES         SHA             NO       YES          192.168.002.001/32
     NO               MD5                      NO           192.168.002.002/32
-------------------------------------------------------------------------------
1    Drop                             NONE     DROP         28800         NO
     NO   DES         SHA             NO       YES          000.000.000.000/0
     NO               MD5                      NO           000.000.000.000/0
-------------------------------------------------------------------------------

IKE PSK table:

[21:30:19] CPX_1:d ike psk

-------------------------------------------------------------------------------
PSK: KEY:     ID-TYPE:  IP:             FQDN:
-------------------------------------------------------------------------------
0    ******** IP        192.168.002.2

CPX 2.

IKE host connections table:

[21:30:22] CPX_2:d ike host

-------------------------------------------------------------------------------
HOST: NAME:                            LOC-IP:              IPP:    KEY-TRIES:
      CIPHER:   AUTH: HASH: DH:        REM-IP:              SIDE:   LIFE-TIME:
      ID-TYPE:        IP:              FQDN:
      PEER-ID-TYPE:   PEER-IP:         PEER-FQDN:
-------------------------------------------------------------------------------
0     CPX_2-to-CPX_1                   192.168.002.002      1       3
      3DES      PSK   MD5   MODP1024   192.168.002.001      AUTO    3600
      IP              192.168.002.002
      IP              192.168.002.001   
-------------------------------------------------------------------------------

IKE client connections table:

[21:30:58] CPX_2:d ike cli

-------------------------------------------------------------------------------
CLI: NAME:                            HOST-ID: RULE:        LIFE-TIME:    PFS:
     ESP: ESP-CIPHER: ESP-AUTH:       PASSIVE: PERMANENT:   NET-SRC:
     AH:              AH-AUTH:                 TUNNEL:      NET-DST:
-------------------------------------------------------------------------------
0    CPX_2-to-CPX_1                   0        IPSEC        28800         NO
     YES  DES         SHA             YES      YES          192.168.002.002/32
     NO               MD5                      NO           192.168.002.001/32
-------------------------------------------------------------------------------
1    Drop                             NONE     DROP         28800         NO
     NO   DES         SHA             NO       YES          000.000.000.000/0
     NO               MD5                      NO           000.000.000.000/0
-------------------------------------------------------------------------------

IKE PSK table:

[21:30:19] CPX_2:d ike psk

-------------------------------------------------------------------------------
PSK: KEY:     ID-TYPE:  IP:             FQDN:
-------------------------------------------------------------------------------
0    ******** IP        192.168.002.1

Example 2.

ISAKMP: 1024 DH group, PSK authentication, MD5 hash and 3DES encryption.
IPsec: SA bundle: ESP protocol with SHA-1 authentication and IDEA encryption, AH protocol with SHA-1 authentication.
PFS: enabled.

Both CPX 1 and CPX 2 can begin to negotiate IPsec connection.

CPX 1.

IKE host connections table:

[21:30:22] CPX_1:d ike host

-------------------------------------------------------------------------------
HOST: NAME:                            LOC-IP:              IPP:    KEY-TRIES:
      CIPHER:   AUTH: HASH: DH:        REM-IP:              SIDE:   LIFE-TIME:
      ID-TYPE:        IP:              FQDN:
      PEER-ID-TYPE:   PEER-IP:         PEER-FQDN:
-------------------------------------------------------------------------------
0     CPX_1-to-CPX_2                   192.168.002.001      1       3
      3DES      PSK   MD5   MODP1024   192.168.002.002      AUTO    3600
      IP              192.168.002.001
      IP              192.168.002.002   
-------------------------------------------------------------------------------

IKE client connections table:

[21:30:58] CPX_1:d ike cli

-------------------------------------------------------------------------------
CLI: NAME:                            HOST-ID: RULE:        LIFE-TIME:    PFS:
     ESP: ESP-CIPHER: ESP-AUTH:       PASSIVE: PERMANENT:   NET-SRC:
     AH:              AH-AUTH:                 TUNNEL:      NET-DST:
-------------------------------------------------------------------------------
0    CPX_1-to-CPX_2                   0        IPSEC        28800         YES
     YES  IDEA        SHA             NO       YES          192.168.002.001/32
     YES              SHA                      NO           192.168.002.002/32
-------------------------------------------------------------------------------
1    Drop                             NONE     DROP         28800         NO
     NO   DES         SHA             NO       YES          000.000.000.000/0
     NO               MD5                      NO           000.000.000.000/0
-------------------------------------------------------------------------------

IKE PSK table:

[21:30:19] CPX_1:d ike psk

-------------------------------------------------------------------------------
PSK: KEY:     ID-TYPE:  IP:             FQDN:
-------------------------------------------------------------------------------
0    ******** IP        192.168.002.2

CPX 2.

IKE host connections table:

[21:30:22] CPX_2:d ike host

-------------------------------------------------------------------------------
HOST: NAME:                            LOC-IP:              IPP:    KEY-TRIES:
      CIPHER:   AUTH: HASH: DH:        REM-IP:              SIDE:   LIFE-TIME:
      ID-TYPE:        IP:              FQDN:
      PEER-ID-TYPE:   PEER-IP:         PEER-FQDN:
-------------------------------------------------------------------------------
0     CPX_2-to-CPX_1                   192.168.002.002      1       3
      3DES      PSK   MD5   MODP1024   192.168.002.001      AUTO    3600
      IP              192.168.002.002
      IP              192.168.002.001   
-------------------------------------------------------------------------------

IKE client connections table:

[21:30:58] CPX_2:d ike cli

-------------------------------------------------------------------------------
CLI: NAME:                            HOST-ID: RULE:        LIFE-TIME:    PFS:
     ESP: ESP-CIPHER: ESP-AUTH:       PASSIVE: PERMANENT:   NET-SRC:
     AH:              AH-AUTH:                 TUNNEL:      NET-DST:
-------------------------------------------------------------------------------
0    CPX_2-to-CPX_1                   0        IPSEC        28800         YES
     YES  IDEA        SHA             NO       YES          192.168.002.002/32
     YES              SHA                      NO           192.168.002.001/32
-------------------------------------------------------------------------------
1    Drop                             NONE     DROP         28800         NO
     NO   DES         SHA             NO       YES          000.000.000.000/0
     NO               MD5                      NO           000.000.000.000/0
-------------------------------------------------------------------------------

IKE PSK table:

[21:30:19] CPX_2:d ike psk

-------------------------------------------------------------------------------
PSK: KEY:     ID-TYPE:  IP:             FQDN:
-------------------------------------------------------------------------------
0    ******** IP        192.168.002.1

IKE mode. Tunnel (gateway-to-gateway).

Network layout is the same as on Figure 2.

Example 1.

ISAKMP: 1024 DH group, PSK authentication, MD5 hash and 3DES encryption.
IPsec: ESP protocol with SHA-1 authentication and DES encryption.
PFS: disabled.

Only CPX 1 can begin to negotiate IPsec connection. CPX 2 is in the PASSIVE mode.

CPX 1.

IKE host connections table:

[21:30:22] CPX_1:d ike host

-------------------------------------------------------------------------------
HOST: NAME:                            LOC-IP:              IPP:    KEY-TRIES:
      CIPHER:   AUTH: HASH: DH:        REM-IP:              SIDE:   LIFE-TIME:
      ID-TYPE:        IP:              FQDN:
      PEER-ID-TYPE:   PEER-IP:         PEER-FQDN:
-------------------------------------------------------------------------------
0     CPX_1-to-CPX_2                   192.168.002.001      1       3
      3DES      PSK   MD5   MODP1024   192.168.002.002      AUTO    3600
      IP              192.168.002.001
      IP              192.168.002.002   
-------------------------------------------------------------------------------

IKE client connections table:

[21:30:58] CPX_1:d ike cli

-------------------------------------------------------------------------------
CLI: NAME:                            HOST-ID: RULE:        LIFE-TIME:    PFS:
     ESP: ESP-CIPHER: ESP-AUTH:       PASSIVE: PERMANENT:   NET-SRC:
     AH:              AH-AUTH:                 TUNNEL:      NET-DST:
-------------------------------------------------------------------------------
0    CPX_1-to-CPX_2                   0        IPSEC        28800         NO
     YES  DES         SHA             NO       YES          192.168.001.000/24
     NO               MD5                      YES          192.168.003.000/24
-------------------------------------------------------------------------------
1    Drop                             NONE     DROP         28800         NO
     NO   DES         SHA             NO       YES          000.000.000.000/0
     NO               MD5                      NO           000.000.000.000/0
-------------------------------------------------------------------------------

IKE PSK table:

[21:30:19] CPX_1:d ike psk

-------------------------------------------------------------------------------
PSK: KEY:     ID-TYPE:  IP:             FQDN:
-------------------------------------------------------------------------------
0    ******** IP        192.168.002.2

CPX 2.

IKE host connections table:

[21:30:22] CPX_2:d ike host

-------------------------------------------------------------------------------
HOST: NAME:                            LOC-IP:              IPP:    KEY-TRIES:
      CIPHER:   AUTH: HASH: DH:        REM-IP:              SIDE:   LIFE-TIME:
      ID-TYPE:        IP:              FQDN:
      PEER-ID-TYPE:   PEER-IP:         PEER-FQDN:
-------------------------------------------------------------------------------
0     CPX_2-to-CPX_1                   192.168.002.002      1       3
      3DES      PSK   MD5   MODP1024   192.168.002.001      AUTO    3600
      IP              192.168.002.002
      IP              192.168.002.001   
-------------------------------------------------------------------------------

IKE client connections table:

[21:30:58] CPX_2:d ike cli

-------------------------------------------------------------------------------
CLI: NAME:                            HOST-ID: RULE:        LIFE-TIME:    PFS:
     ESP: ESP-CIPHER: ESP-AUTH:       PASSIVE: PERMANENT:   NET-SRC:
     AH:              AH-AUTH:                 TUNNEL:      NET-DST:
-------------------------------------------------------------------------------
0    CPX_2-to-CPX_1                   0        IPSEC        28800         NO
     YES  DES         SHA             YES      YES          192.168.003.000/24
     NO               MD5                      YES          192.168.001.000/24
-------------------------------------------------------------------------------
1    Drop                             NONE     DROP         28800         NO
     NO   DES         SHA             NO       YES          000.000.000.000/0
     NO               MD5                      NO           000.000.000.000/0
-------------------------------------------------------------------------------

IKE PSK table:

[21:30:19] CPX_2:d ike psk

-------------------------------------------------------------------------------
PSK: KEY:     ID-TYPE:  IP:             FQDN:
-------------------------------------------------------------------------------
0    ******** IP        192.168.002.1

Example 2.

ISAKMP: 1024 DH group, PSK authentication, MD5 hash and 3DES encryption.
IPsec: SA bundle: ESP protocol with SHA-1 authentication and IDEA encryption, AH protocol with SHA-1 authentication.
PFS: enabled.

Both CPX 1 and CPX 2 can begin to negotiate IPsec connection.

CPX 1.

IKE host connections table:

[21:30:22] CPX_1:d ike host

-------------------------------------------------------------------------------
HOST: NAME:                            LOC-IP:              IPP:    KEY-TRIES:
      CIPHER:   AUTH: HASH: DH:        REM-IP:              SIDE:   LIFE-TIME:
      ID-TYPE:        IP:              FQDN:
      PEER-ID-TYPE:   PEER-IP:         PEER-FQDN:
-------------------------------------------------------------------------------
0     CPX_1-to-CPX_2                   192.168.002.001      1       3
      3DES      PSK   MD5   MODP1024   192.168.002.002      AUTO    3600
      IP              192.168.002.001
      IP              192.168.002.002   
-------------------------------------------------------------------------------

IKE client connections table:

[21:30:58] CPX_1:d ike cli

-------------------------------------------------------------------------------
CLI: NAME:                            HOST-ID: RULE:        LIFE-TIME:    PFS:
     ESP: ESP-CIPHER: ESP-AUTH:       PASSIVE: PERMANENT:   NET-SRC:
     AH:              AH-AUTH:                 TUNNEL:      NET-DST:
-------------------------------------------------------------------------------
0    CPX_1-to-CPX_2                   0        IPSEC        28800         YES
     YES  IDEA        SHA             NO       YES          192.168.001.000/24
     YES              SHA                      YES          192.168.003.000/24
-------------------------------------------------------------------------------
1    Drop                             NONE     DROP         28800         NO
     NO   DES         SHA             NO       YES          000.000.000.000/0
     NO               MD5                      NO           000.000.000.000/0
-------------------------------------------------------------------------------

IKE PSK table:

[21:30:19] CPX_1:d ike psk

-------------------------------------------------------------------------------
PSK: KEY:     ID-TYPE:  IP:             FQDN:
-------------------------------------------------------------------------------
0    ******** IP        192.168.002.2

CPX 2.

IKE host connections table:

[21:30:22] CPX_2:d ike host

-------------------------------------------------------------------------------
HOST: NAME:                            LOC-IP:              IPP:    KEY-TRIES:
      CIPHER:   AUTH: HASH: DH:        REM-IP:              SIDE:   LIFE-TIME:
      ID-TYPE:        IP:              FQDN:
      PEER-ID-TYPE:   PEER-IP:         PEER-FQDN:
-------------------------------------------------------------------------------
0     CPX_2-to-CPX_1                   192.168.002.002      1       3
      3DES      PSK   MD5   MODP1024   192.168.002.001      AUTO    3600
      IP              192.168.002.002
      IP              192.168.002.001   
-------------------------------------------------------------------------------

IKE client connections table:

[21:30:58] CPX_2:d ike cli

-------------------------------------------------------------------------------
CLI: NAME:                            HOST-ID: RULE:        LIFE-TIME:    PFS:
     ESP: ESP-CIPHER: ESP-AUTH:       PASSIVE: PERMANENT:   NET-SRC:
     AH:              AH-AUTH:                 TUNNEL:      NET-DST:
-------------------------------------------------------------------------------
0    CPX_2-to-CPX_1                   0        IPSEC        28800         YES
     YES  IDEA        SHA             NO       YES          192.168.003.000/24
     YES              SHA                      YES          192.168.001.000/24
-------------------------------------------------------------------------------
1    Drop                             NONE     DROP         28800         NO
     NO   DES         SHA             NO       YES          000.000.000.000/0
     NO               MD5                      NO           000.000.000.000/0
-------------------------------------------------------------------------------

IKE PSK table:

[21:30:19] CPX_2:d ike psk

-------------------------------------------------------------------------------
PSK: KEY:     ID-TYPE:  IP:             FQDN:
-------------------------------------------------------------------------------
0    ******** IP        192.168.002.1

IKE mode. Tunnel (gateway-to-2 gateways).

Figure 3. Gateway-to-2 gateways layout.

There are three CPXs. Each CPX has two IP interfaces:

CPX 1 (gateway) has IP interface 0 with 192.168.1.1 IP address and IP interface 1 with public 83.149.0.35 IP address.
CPX 2 (gateway) has IP interface 0 with 192.168.3.1 IP address and IP interface 1 with public 213.206.129.60 IP address.
CPX 3 (gateway) has IP interface 0 with 192.168.4.1 IP address and IP interface 1 with public 212.171.210.147 IP address.

There are two IPsec tunnels: CPX 1-to-CPX 2 and CPX 1-to-CPX 3.

Example 1.

ISAKMP: 1024 DH group, PSK authentication, MD5 hash and 3DES encryption.
IPsec: SA bundle: ESP protocol with MD5 authentication and 3DES encryption, AH protocol with MD5 authentication.
PFS: enabled for the CPX 1-to-CPX 2 tunnel and disabled for the CPX 1-to-CPX 3 one.

Only CPX 2 and CPX 3 can begin to negotiate IPsec connection. CPX 1 is in PASSIVE mode (IPsec server).

CPX 1.

IKE host connections table:

[21:30:22] CPX_1:d ike host

-------------------------------------------------------------------------------
HOST: NAME:                            LOC-IP:              IPP:    KEY-TRIES:
      CIPHER:   AUTH: HASH: DH:        REM-IP:              SIDE:   LIFE-TIME:
      ID-TYPE:        IP:              FQDN:
      PEER-ID-TYPE:   PEER-IP:         PEER-FQDN:
-------------------------------------------------------------------------------
0     CPX_1-to-CPX_2                   083.149.000.035      1       3
      3DES      PSK   MD5   MODP1024   213.206.129.060      AUTO    3600
      IP              083.149.000.035
      IP              213.206.129.060   
-------------------------------------------------------------------------------
1     CPX_1-to-CPX_3                   083.149.000.035      0       3
      3DES      PSK   MD5   MODP1024   212.171.210.147      AUTO    3600
      IP              083.149.000.035
      IP              212.171.210.147   
-------------------------------------------------------------------------------

IKE client connections table:

[21:30:58] CPX_1:d ike cli

-------------------------------------------------------------------------------
CLI: NAME:                            HOST-ID: RULE:        LIFE-TIME:    PFS:
     ESP: ESP-CIPHER: ESP-AUTH:       PASSIVE: PERMANENT:   NET-SRC:
     AH:              AH-AUTH:                 TUNNEL:      NET-DST:
-------------------------------------------------------------------------------
0    CPX_1-to-CPX_2                   0        IPSEC        28800         YES
     YES  3DES        MD5             YES      YES          192.168.001.000/24
     YES              MD5                      YES          192.168.003.000/24
-------------------------------------------------------------------------------
1    CPX_1-to-CPX_3                   1        IPSEC        28800         NO
     YES  3DES        MD5             YES      YES          192.168.001.000/24
     YES              MD5                      YES          192.168.004.000/24
-------------------------------------------------------------------------------
2    Drop                             NONE     DROP         28800         NO
     NO   DES         SHA             NO       YES          000.000.000.000/0
     NO               MD5                      NO           000.000.000.000/0
-------------------------------------------------------------------------------

IKE PSK table:

[21:30:19] CPX_1:d ike psk

-------------------------------------------------------------------------------
PSK: KEY:     ID-TYPE:  IP:             FQDN:
-------------------------------------------------------------------------------
0    ******** IP        213.206.129.060
1    ******** IP        212.171.210.147

CPX 2.

IKE host connections table:

[21:30:22] CPX_2:d ike host

-------------------------------------------------------------------------------
HOST: NAME:                            LOC-IP:              IPP:    KEY-TRIES:
      CIPHER:   AUTH: HASH: DH:        REM-IP:              SIDE:   LIFE-TIME:
      ID-TYPE:        IP:              FQDN:
      PEER-ID-TYPE:   PEER-IP:         PEER-FQDN:
-------------------------------------------------------------------------------
0     CPX_2-to-CPX_1                   213.206.129.060      1       3
      3DES      PSK   MD5   MODP1024   083.149.000.035      AUTO    3600
      IP              213.206.129.060
      IP              083.149.000.035   
-------------------------------------------------------------------------------

IKE client connections table:

[21:30:58] CPX_2:d ike cli

-------------------------------------------------------------------------------
CLI: NAME:                            HOST-ID: RULE:        LIFE-TIME:    PFS:
     ESP: ESP-CIPHER: ESP-AUTH:       PASSIVE: PERMANENT:   NET-SRC:
     AH:              AH-AUTH:                 TUNNEL:      NET-DST:
-------------------------------------------------------------------------------
0    CPX_2-to-CPX_1                   0        IPSEC        28800         YES
     YES  3DES        MD5             NO       YES          192.168.003.000/24
     YES              MD5                      YES          192.168.001.000/24
-------------------------------------------------------------------------------
1    Drop                             NONE     DROP         28800         NO
     NO   DES         SHA             NO       YES          000.000.000.000/0
     NO               MD5                      NO           000.000.000.000/0
-------------------------------------------------------------------------------

IKE PSK table:.

[21:30:19] CPX_2:d ike psk

-------------------------------------------------------------------------------
PSK: KEY:     ID-TYPE:  IP:             FQDN:
-------------------------------------------------------------------------------
0    ******** IP        083.149.000.035

CPX 3.

IKE host connections table:

[21:30:22] CPX_3:d ike host

-------------------------------------------------------------------------------
HOST: NAME:                            LOC-IP:              IPP:    KEY-TRIES:
      CIPHER:   AUTH: HASH: DH:        REM-IP:              SIDE:   LIFE-TIME:
      ID-TYPE:        IP:              FQDN:
      PEER-ID-TYPE:   PEER-IP:         PEER-FQDN:
-------------------------------------------------------------------------------
0     CPX_3-to-CPX_1                   212.171.210.147      1       3
      3DES      PSK   MD5   MODP1024   083.149.000.035      AUTO    3600
      IP              212.171.210.147
      IP              083.149.000.035   
-------------------------------------------------------------------------------

IKE client connections table:

[21:30:58] CPX_3:d ike cli

-------------------------------------------------------------------------------
CLI: NAME:                            HOST-ID: RULE:        LIFE-TIME:    PFS:
     ESP: ESP-CIPHER: ESP-AUTH:       PASSIVE: PERMANENT:   NET-SRC:
     AH:              AH-AUTH:                 TUNNEL:      NET-DST:
-------------------------------------------------------------------------------
0    CPX_3-to-CPX_1                   0        IPSEC        28800         NO
     YES  3DES        MD5             NO       YES          192.168.004.000/24
     YES              MD5                      YES          192.168.001.000/24
-------------------------------------------------------------------------------
1    Drop                             NONE     DROP         28800         NO
     NO   DES         SHA             NO       YES          000.000.000.000/0
     NO               MD5                      NO           000.000.000.000/0
-------------------------------------------------------------------------------

IKE PSK table:.

[21:30:19] CPX_3:d ike psk

-------------------------------------------------------------------------------
PSK: KEY:     ID-TYPE:  IP:             FQDN:
-------------------------------------------------------------------------------
0    ******** IP        083.149.000.035

IKE mode. Tunnel (gateway-to-2 anonymous gateways).

Figure 4. Gateway-to-2 anonymous gateways layout.

There are three CPXs. Each CPX has two IP interfaces:

CPX 1 (gateway) has IP interface 0 with 192.168.1.1 IP address and IP interface 1 with public 83.149.0.35 IP address.
CPX 2 (gateway) has IP interface 0 with 192.168.3.1 IP address and IP interface 1 with dynamic IP address.
CPX 3 (gateway) has IP interface 0 with 192.168.4.1 IP address and IP interface 1 with dynamic IP address.

There are two IPsec tunnels: CPX 1-to-CPX 2 and CPX 1-to-CPX 3.

Example 1.

ISAKMP: 1024 DH group, PSK authentication, MD5 hash and 3DES encryption.
IPsec: ESP protocol with MD5 authentication and 3DES encryption.
PFS: enabled for both tunnels.

Only CPX 2 and CPX 3 can begin to negotiate IPsec connection. CPX 1 is in PASSIVE mode (IPsec server).

CPX 1.

IKE host connections table:

[21:30:22] CPX_1:d ike host

-------------------------------------------------------------------------------
HOST: NAME:                            LOC-IP:              IPP:    KEY-TRIES:
      CIPHER:   AUTH: HASH: DH:        REM-IP:              SIDE:   LIFE-TIME:
      ID-TYPE:        IP:              FQDN:
      PEER-ID-TYPE:   PEER-IP:         PEER-FQDN:
-------------------------------------------------------------------------------
0     CPX_1-to-CPX_2                   083.149.000.035      1       3
      3DES      PSK   MD5   MODP1024   *                    AUTO    3600
      IP              083.149.000.035
      FQDN                             konstt
-------------------------------------------------------------------------------
1     CPX_1-to-CPX_3                   083.149.000.035      1       3
      3DES      PSK   MD5   MODP1024   *                    AUTO    3600
      IP              083.149.000.035
      FQDN                             castagna
-------------------------------------------------------------------------------

IKE client connections table:

[21:30:58] CPX_1:d ike cli

-------------------------------------------------------------------------------
CLI: NAME:                            HOST-ID: RULE:        LIFE-TIME:    PFS:
     ESP: ESP-CIPHER: ESP-AUTH:       PASSIVE: PERMANENT:   NET-SRC:
     AH:              AH-AUTH:                 TUNNEL:      NET-DST:
-------------------------------------------------------------------------------
0    CPX_1-to-CPX_2                   0        IPSEC        28800         YES
     YES  3DES        MD5             YES      YES          192.168.001.000/24
     NO               MD5                      YES          192.168.003.000/24
-------------------------------------------------------------------------------
1    CPX_1-to-CPX_3                   1        IPSEC        28800         YES
     YES  3DES        MD5             YES      YES          192.168.001.000/24
     NO               MD5                      YES          192.168.004.000/24
-------------------------------------------------------------------------------
2    Drop                             NONE     DROP         28800         NO
     NO   DES         SHA             NO       YES          000.000.000.000/0
     NO               MD5                      NO           000.000.000.000/0
-------------------------------------------------------------------------------

IKE PSK table:

[21:30:19] CPX_1:d ike psk

-------------------------------------------------------------------------------
PSK: KEY:     ID-TYPE:  IP:             FQDN:
-------------------------------------------------------------------------------
0    ******** ANONYMOUS

CPX 2.

IKE host connections table:

[21:30:22] CPX_2:d ike host

-------------------------------------------------------------------------------
HOST: NAME:                            LOC-IP:              IPP:    KEY-TRIES:
      CIPHER:   AUTH: HASH: DH:        REM-IP:              SIDE:   LIFE-TIME:
      ID-TYPE:        IP:              FQDN:
      PEER-ID-TYPE:   PEER-IP:         PEER-FQDN:
-------------------------------------------------------------------------------
0     CPX_2-to-CPX_1                   0                    1       3
      3DES      PSK   MD5   MODP1024   083.149.000.035      AUTO    3600
      FQDN                             konstt
      IP              083.149.000.035   
-------------------------------------------------------------------------------

IKE client connections table:

[21:30:58] CPX_2:d ike cli

-------------------------------------------------------------------------------
CLI: NAME:                            HOST-ID: RULE:        LIFE-TIME:    PFS:
     ESP: ESP-CIPHER: ESP-AUTH:       PASSIVE: PERMANENT:   NET-SRC:
     AH:              AH-AUTH:                 TUNNEL:      NET-DST:
-------------------------------------------------------------------------------
0    CPX_2-to-CPX_1                   0        IPSEC        28800         YES
     YES  3DES        MD5             NO       YES          192.168.003.000/24
     NO               MD5                      YES          192.168.001.000/24
-------------------------------------------------------------------------------
1    Drop                             NONE     DROP         28800         NO
     NO   DES         SHA             NO       YES          000.000.000.000/0
     NO               MD5                      NO           000.000.000.000/0
-------------------------------------------------------------------------------

IKE PSK table:.

[21:30:19] CPX_2:d ike psk

-------------------------------------------------------------------------------
PSK: KEY:     ID-TYPE:  IP:             FQDN:
-------------------------------------------------------------------------------
0    ******** IP        083.149.000.035

CPX 3.

IKE host connections table:

[21:30:22] CPX_3:d ike host

-------------------------------------------------------------------------------
HOST: NAME:                            LOC-IP:              IPP:    KEY-TRIES:
      CIPHER:   AUTH: HASH: DH:        REM-IP:              SIDE:   LIFE-TIME:
      ID-TYPE:        IP:              FQDN:
      PEER-ID-TYPE:   PEER-IP:         PEER-FQDN:
-------------------------------------------------------------------------------
0     CPX_3-to-CPX_1                   0                    1       3
      3DES      PSK   MD5   MODP1024   083.149.000.035      AUTO    3600
      FQDN                             castagna
      IP              083.149.000.035   
-------------------------------------------------------------------------------

IKE client connections table:

[21:30:58] CPX_3:d ike cli

-------------------------------------------------------------------------------
CLI: NAME:                            HOST-ID: RULE:        LIFE-TIME:    PFS:
     ESP: ESP-CIPHER: ESP-AUTH:       PASSIVE: PERMANENT:   NET-SRC:
     AH:              AH-AUTH:                 TUNNEL:      NET-DST:
-------------------------------------------------------------------------------
0    CPX_3-to-CPX_1                   0        IPSEC        28800         YES
     YES  3DES        MD5             NO       YES          192.168.004.000/24
     NO               MD5                      YES          192.168.001.000/24
-------------------------------------------------------------------------------
1    Drop                             NONE     DROP         28800         NO
     NO   DES         SHA             NO       YES          000.000.000.000/0
     NO               MD5                      NO           000.000.000.000/0
-------------------------------------------------------------------------------

IKE PSK table:.

[21:30:19] CPX_3:d ike psk

-------------------------------------------------------------------------------
PSK: KEY:     ID-TYPE:  IP:             FQDN:
-------------------------------------------------------------------------------
0    ******** IP        083.149.000.035

IKE mode. Tunnel (gateway-to-1 gateway + 1 anonymous gateway).

Figure 5. Gateway-to-1 gateway + 1 anonymous gateway layout.

There are three CPXs. Each CPX has two IP interfaces:

CPX 1 (gateway) has IP interface 0 with 192.168.1.1 IP address and IP interface 1 with public 83.149.0.35 IP address.
CPX 2 (gateway) has IP interface 0 with 192.168.3.1 IP address and IP interface 1 public with 213.206.129.60 IP address.
CPX 3 (gateway) has IP interface 0 with 192.168.4.1 IP address and public IP interface 1 with dynamic IP address.

There are two IPsec tunnels: CPX 1-to-CPX 2 and CPX 1-to-CPX 3.

Example 1.

ISAKMP: 1024 DH group, PSK authentication, MD5 hash and 3DES encryption for CPX 1-to-CPX 2 tunnel, 1536 DH group, PSK authentication, SHA-1 hash and IDEA encryption CPX 1-to-CPX 3 tunnel.
IPsec: ESP protocol with MD5 authentication and 3DES encryption.
PFS: enabled for both tunnels.

Only CPX 2 and CPX 3 can begin to negotiate IPsec connection. CPX 1 is in PASSIVE mode (IPsec server).

CPX 1.

IKE host connections table:

[21:30:22] CPX_1:d ike host

-------------------------------------------------------------------------------
HOST: NAME:                            LOC-IP:              IPP:    KEY-TRIES:
      CIPHER:   AUTH: HASH: DH:        REM-IP:              SIDE:   LIFE-TIME:
      ID-TYPE:        IP:              FQDN:
      PEER-ID-TYPE:   PEER-IP:         PEER-FQDN:
-------------------------------------------------------------------------------
0     CPX_1-to-CPX_2                   083.149.000.035      1       3
      3DES      PSK   MD5   MODP1024   213.206.129.060      AUTO    3600
      IP              083.149.000.035
      IP              213.206.129.060
-------------------------------------------------------------------------------
1     CPX_1-to-CPX_3                   083.149.000.035      1       3
      IDEA      PSK   SHA   MODP1536   *                    AUTO    3600
      IP              083.149.000.035
      FQDN                             castagna
-------------------------------------------------------------------------------

IKE client connections table:

[21:30:58] CPX_1:d ike cli

-------------------------------------------------------------------------------
CLI: NAME:                            HOST-ID: RULE:        LIFE-TIME:    PFS:
     ESP: ESP-CIPHER: ESP-AUTH:       PASSIVE: PERMANENT:   NET-SRC:
     AH:              AH-AUTH:                 TUNNEL:      NET-DST:
-------------------------------------------------------------------------------
0    CPX_1-to-CPX_2                   0        IPSEC        28800         YES
     YES  3DES        MD5             YES      YES          192.168.001.000/24
     NO               MD5                      YES          192.168.003.000/24
-------------------------------------------------------------------------------
1    CPX_1-to-CPX_3                   1        IPSEC        28800         YES
     YES  3DES        MD5             YES      YES          192.168.001.000/24
     NO               MD5                      YES          192.168.004.000/24
-------------------------------------------------------------------------------
2    Drop                             NONE     DROP         28800         NO
     NO   DES         SHA             NO       YES          000.000.000.000/0
     NO               MD5                      NO           000.000.000.000/0
-------------------------------------------------------------------------------

IKE PSK table:

[21:30:19] CPX_1:d ike psk

-------------------------------------------------------------------------------
PSK: KEY:     ID-TYPE:  IP:             FQDN:
-------------------------------------------------------------------------------
0    ******** ANONYMOUS
1    ******** IP        213.206.129.060

CPX 2.

IKE host connections table:

[21:30:22] CPX_2:d ike host

-------------------------------------------------------------------------------
HOST: NAME:                            LOC-IP:              IPP:    KEY-TRIES:
      CIPHER:   AUTH: HASH: DH:        REM-IP:              SIDE:   LIFE-TIME:
      ID-TYPE:        IP:              FQDN:
      PEER-ID-TYPE:   PEER-IP:         PEER-FQDN:
-------------------------------------------------------------------------------
0     CPX_2-to-CPX_1                   213.206.129.060      1       3
      3DES      PSK   MD5   MODP1024   083.149.000.035      AUTO    3600
      IP              213.206.129.060
      IP              083.149.000.035   
-------------------------------------------------------------------------------

IKE client connections table:

[21:30:58] CPX_2:d ike cli

-------------------------------------------------------------------------------
CLI: NAME:                            HOST-ID: RULE:        LIFE-TIME:    PFS:
     ESP: ESP-CIPHER: ESP-AUTH:       PASSIVE: PERMANENT:   NET-SRC:
     AH:              AH-AUTH:                 TUNNEL:      NET-DST:
-------------------------------------------------------------------------------
0    CPX_2-to-CPX_1                   0        IPSEC        28800         YES
     YES  3DES        MD5             NO       YES          192.168.003.000/24
     NO               MD5                      YES          192.168.001.000/24
-------------------------------------------------------------------------------
1    Drop                             NONE     DROP         28800         NO
     NO   DES         SHA             NO       YES          000.000.000.000/0
     NO               MD5                      NO           000.000.000.000/0
-------------------------------------------------------------------------------

IKE PSK table:.

[21:30:19] CPX_2:d ike psk

-------------------------------------------------------------------------------
PSK: KEY:     ID-TYPE:  IP:             FQDN:
-------------------------------------------------------------------------------
0    ******** IP        083.149.000.035

CPX 3.

IKE host connections table:

[21:30:22] CPX_3:d ike host

-------------------------------------------------------------------------------
HOST: NAME:                            LOC-IP:              IPP:    KEY-TRIES:
      CIPHER:   AUTH: HASH: DH:        REM-IP:              SIDE:   LIFE-TIME:
      ID-TYPE:        IP:              FQDN:
      PEER-ID-TYPE:   PEER-IP:         PEER-FQDN:
-------------------------------------------------------------------------------
0     CPX_3-to-CPX_1                   0                    1       3
      IDEA      PSK   SHA   MODP1536   083.149.000.035      AUTO    3600
      FQDN                             castagna
      IP              083.149.000.035   
-------------------------------------------------------------------------------

IKE client connections table:

[21:30:58] CPX_3:d ike cli

-------------------------------------------------------------------------------
CLI: NAME:                            HOST-ID: RULE:        LIFE-TIME:    PFS:
     ESP: ESP-CIPHER: ESP-AUTH:       PASSIVE: PERMANENT:   NET-SRC:
     AH:              AH-AUTH:                 TUNNEL:      NET-DST:
-------------------------------------------------------------------------------
0    CPX_3-to-CPX_1                   0        IPSEC        28800         YES
     YES  3DES        MD5             NO       YES          192.168.004.000/24
     NO               MD5                      YES          192.168.001.000/24
-------------------------------------------------------------------------------
1    Drop                             NONE     DROP         28800         NO
     NO   DES         SHA             NO       YES          000.000.000.000/0
     NO               MD5                      NO           000.000.000.000/0
-------------------------------------------------------------------------------

IKE PSK table:.

[21:30:19] CPX_3:d ike psk

-------------------------------------------------------------------------------
PSK: KEY:     ID-TYPE:  IP:             FQDN:
-------------------------------------------------------------------------------
0    ******** IP        083.149.000.035

print this page