ZyXEL Communications 3.1 ユーザーズマニュアル
Chapter 17 IPSec VPN
ZyWALL (ZLD) CLI Reference Guide
143
The following sections list the IPSec VPN commands.
17.2.1 IKE SA Commands
This table lists the commands for IKE SAs (VPN gateways).
distinguished_name
A domain name. You can use up to 511 alphanumeric, characters, spaces, or .@=,_-
characters.
characters.
sort_order
Sort the list of currently connected SAs by one of the following classifications.
algorithm
encapsulation
inbound
name
outbound
policy
timeout
uptime
Table 70
Input Values for IPSec VPN Commands (continued)
LABEL
DESCRIPTION
Table 71
isakmp Commands: IKE SAs
COMMAND
DESCRIPTION
show isakmp keepalive
Displays the Dead Peer Detection period.
show isakmp policy [policy_name]
Shows the specified IKE SA or all IKE SAs.
isakmp keepalive <2..60>
Sets the Dead Peer Detection period.
[no] isakmp policy policy_name
Creates the specified IKE SA if necessary and enters sub-command
mode. The
mode. The
no
command deletes the specified IKE SA.
activate
deactivate
Activates or deactivates the specified IKE SA.
authentication {pre-share | rsa-sig}
Specifies whether to use a pre-shared key or a certificate for
authentication.
authentication.
certificate certificate-name
Sets the certificate that can be used for authentication.
[no] dpd
Enables Dead Peer Detection (DPD). The
no
command disables
DPD.
[no] fall-back
Set this to have the ZyWALL reconnect to the primary address when
it becomes available again and stop using the secondary
connection, if the connection to the primary address goes down and
the ZyWALL changes to using the secondary connection.
it becomes available again and stop using the secondary
connection, if the connection to the primary address goes down and
the ZyWALL changes to using the secondary connection.
Users will lose their VPN connection briefly while the ZyWALL
changes back to the primary connection. To use this, the peer
device at the secondary address cannot be set to use a nailed-up
VPN connection.
changes back to the primary connection. To use this, the peer
device at the secondary address cannot be set to use a nailed-up
VPN connection.
fall-back-check-interval <60..86400>
Sets how often (in seconds) the ZyWALL checks if the primary
address is available.
address is available.
mode {main | aggressive}
Sets the negotiating mode.
transform-set isakmp-algo [isakmp_algo
[isakmp_algo]]
Sets the encryption and authentication algorithms for each IKE SA
proposal.
proposal.
isakmp_algo
: {des-md5 | des-sha | 3des-md5 | 3des-sha |
aes128-md5 | aes128-sha | aes192-md5 | aes192-sha | aes256-
md5 | aes256-sha | aes256-sha256 | aes256-sha512}
md5 | aes256-sha | aes256-sha256 | aes256-sha512}
lifetime <180..3000000>
Sets the IKE SA life time to the specified value.