Dell POWEREDGE M1000E User Manual
Fabric OS Command Reference
53-1001764-02
ipSecConfig
-mode tunnel|transport
Specifies the IPSec transform mode. In tunnel mode, the IP datagram is
fully encapsulated by a new IP datagram using the IPSec protocol. In
transport mode, only the payload of the IP datagram is handled by the
IPSec protocol, which inserts the IPSec header between the IP header and
the upper-layer protocol header.
-sa-proposal name
Specifies the SA proposal to be included in the transform. You must
create the SA proposal before you can include it in the transform.
Use ipsecConfig --show policy ips sa-proposal -a for a listing of existing
SA proposals.
-action discard|bypass|protect
Specifies the protective action the transform should take regarding the
traffic flows.
-ike name
Specifies the IKE policy to be included in the transform. This operand is
optional. Use ipsecConfig --show policy ike -a for a listing of existing IKE
policies.
-local IP_address[/prefixlength]
Specifies the source IPv4 or IPv6 address. This operand is optional. If a
local source IP address is defined, a remote peer IP address must also be
defined.
-remote IP_address[/prefixlength]
Specifies the peer IPv4 or IPv6 address. This operand is optional. If a
remote peer IP address is defined, a local source IP address must also be
defined.
sa-proposal
Defines the security association (SA) proposal, including its name, the
SAs to be included, and the lifetime of the proposal. The following
operands are supported:
-tag name
Specifies a name for the SA proposal. This is a user-generated name. The
name must be between 1 and 32 characters in length, and may include
alphanumeric characters, dashes (-), and underscores (_).
-sa name[,name]
Specifies the SAs to include in the SA proposal. The bundle consists of
one or two SA names, separated by commas. For SA bundles, [AH, ESP] is
the supported combination. The SAs must be created prior to being
included in the SA proposal. This operand is required.
-lttime number
Specifies the SA proposal’s lifetime in seconds. This operand is optional.
If a lifetime is not specified, the SA does not expire. If a lifetime is
specified in both seconds and bytes, the SA expires when the first
expiration criterion is met.
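
A pre-flight check for the operand rules stated in this section, as an added example that is not part of the Fabric OS reference or of any Brocade or Dell tooling. The function names, the findings format, the known_proposals argument (intended to hold the names returned by the --show listing) and the positive-integer rule for -lttime are assumptions.

```python
import ipaddress
import re

TAG_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")  # -tag rule from the reference

def check_sa_proposal(tag, sa, lttime=None):
    """Return a list of findings for a planned sa-proposal definition."""
    findings = []
    if not TAG_RE.fullmatch(tag or ""):
        findings.append("error: -tag must be 1-32 chars of [A-Za-z0-9_-]")
    names = sa.split(",") if sa else []
    if not 1 <= len(names) <= 2 or not all(n.strip() for n in names):
        findings.append("error: -sa is required and takes one or two SA names")
    if lttime is None:
        # Documented behaviour: without a lifetime the SA never expires.
        findings.append("warning: no -lttime, so the SA does not expire")
    elif not (isinstance(lttime, int) and lttime > 0):
        # Assumption: a usable lifetime is a positive whole number of seconds.
        findings.append("error: -lttime must be a positive number of seconds")
    return findings

def _bad_addr(value):
    """True if value is not IP_address[/prefixlength] (IPv4 or IPv6)."""
    try:
        ipaddress.ip_interface(value)
        return False
    except ValueError:
        return True

def check_transform(mode, sa_proposal, action, known_proposals,
                    local=None, remote=None):
    """Return a list of findings for a planned transform definition."""
    findings = []
    if mode not in ("tunnel", "transport"):
        findings.append("error: -mode must be tunnel or transport")
    if action not in ("discard", "bypass", "protect"):
        findings.append("error: -action must be discard, bypass or protect")
    if sa_proposal not in known_proposals:
        findings.append("error: -sa-proposal names a proposal that does not exist yet")
    if (local is None) != (remote is None):
        findings.append("error: -local and -remote must be given together")
    for flag, value in (("-local", local), ("-remote", remote)):
        if value is not None and _bad_addr(value):
            findings.append(f"error: {flag} is not a valid IPv4/IPv6 address[/prefix]")
    return findings
```

An empty list means the planned operands satisfy every rule in this section; a warning entry marks a definition that is accepted but leaves the SA without an expiry.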