ZyXEL Communications 3.1 User's Manual

Chapter 17 IPSec VPN
ZyWALL (ZLD) CLI Reference Guide
Table 71   isakmp Commands: IKE SAs (continued)

COMMAND
    DESCRIPTION

group1
group2
group5
    Sets the DHx group to the specified group.

[no] natt
    Enables NAT traversal. The no command disables NAT traversal.

local-ip {ip {ip | domain_name} | interface interface_name}
    Sets the local gateway address to the specified IP address, domain name, or interface.

peer-ip {ip | domain_name} [ip | domain_name]
    Sets the remote gateway address(es) to the specified IP address(es) or domain name(s).

keystring pre_shared_key
    Sets the pre-shared key that can be used for authentication. The pre_shared_key can be:
    - 8 - 32 alphanumeric characters or ,;|`~!@#$%^&*()_+\{}':./<>=-".
    - 16 - 64 hexadecimal (0-9, A-F) characters, preceded by "0x".
    The pre-shared key is case-sensitive.

local-id type {ip ip | fqdn domain_name | mail e_mail | dn distinguished_name}
    Sets the local ID type and content to the specified IP address, domain name, or e-mail address.

peer-id type {any | ip ip | fqdn domain_name | mail e_mail | dn distinguished_name}
    Sets the peer ID type and content to any value, the specified IP address, domain name, or e-mail address.

[no] xauth type {server xauth_method | client name username password password}
    Enables extended authentication and specifies whether the ZyWALL is the server or client. If the ZyWALL is the server, it also specifies the extended authentication method (aaa authentication profile_name); if the ZyWALL is the client, it also specifies the username and password to provide to the remote IPSec router. The no command disables extended authentication.
    username: You can use alphanumeric characters, underscores (_), and dashes (-), and it can be up to 31 characters long.
    password: You can use most printable ASCII characters. You cannot use square brackets [ ], double quotation marks ("), question marks (?), tabs or spaces. It can be up to 31 characters long.

isakmp policy rename policy_name policy_name
    Renames the specified IKE SA (first policy_name) to the specified name (second policy_name).

17.2.2  IPSec SA Commands (except Manual Keys)
This table lists the commands for IPSec SAs, excluding manual keys (VPN connections using VPN gateways).

Table 72   crypto Commands: IPSec SAs

COMMAND
    DESCRIPTION

[no] crypto ignore-df-bit
    Fragment packets larger than the MTU (Maximum Transmission Unit) that have the "don't fragment" bit in the header turned on. The no command has the ZyWALL drop packets larger than the MTU that have the "don't fragment" bit in the header turned on.

show crypto map [map_name]
    Shows the specified IPSec SA or all IPSec SAs.

crypto map dial map_name
    Dials the specified IPSec SA manually. This command does not work for IPSec SAs using manual keys or for IPSec SAs where the remote gateway address is 0.0.0.0.

[no] crypto map map_name
    Creates the specified IPSec SA if necessary and enters sub-command mode. The no command deletes the specified IPSec SA.
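
The keystring and xauth format rules listed in Table 71 can be checked before a configuration is entered on the device. The Python sketch below is an added example, not part of the ZyXEL manual or firmware. Its function names, the "ambiguous" result for 0x-prefixed values that are not valid hex keys, the minimum password length of 1, and the reading of "most printable ASCII" as 0x21-0x7E are assumptions.

```python
import re
import string

# Symbol set copied from the keystring row of the isakmp table.
PSK_SYMBOLS = set(",;|`~!@#$%^&*()_+\\{}':./<>=-\"")
PSK_CHARS = set(string.ascii_letters + string.digits) | PSK_SYMBOLS
# "0x" followed by 16 - 64 hexadecimal characters (0-9, A-F as documented).
HEX_PSK = re.compile(r"0x[0-9A-F]{16,64}")
# XAUTH username: alphanumerics, underscore, dash, up to 31 characters.
XAUTH_USER = re.compile(r"[A-Za-z0-9_-]{1,31}")
# Assumption: "most printable ASCII" means 0x21-0x7E minus the characters
# the table excludes ([ ] " ?); tabs and spaces fall outside that range.
XAUTH_PASS_CHARS = {chr(c) for c in range(0x21, 0x7F)} - set('[]"?')


def classify_psk(key):
    """Return 'hex', 'ascii', 'ambiguous' or 'invalid' for a keystring value."""
    if HEX_PSK.fullmatch(key):
        return "hex"
    text_ok = 8 <= len(key) <= 32 and set(key) <= PSK_CHARS
    if key.startswith("0x"):
        # Looks like a hex key but is not a valid one (too short, lowercase
        # digits). It may still pass as text, so flag it for operator review.
        return "ambiguous" if text_ok else "invalid"
    return "ascii" if text_ok else "invalid"


def check_xauth_client(username, password):
    """Return a list of rule violations for xauth client credentials."""
    problems = []
    if not XAUTH_USER.fullmatch(username):
        problems.append("username: only A-Z a-z 0-9 _ - and at most 31 characters")
    if not 1 <= len(password) <= 31:  # lower bound of 1 is an assumption
        problems.append("password: must be 1 to 31 characters")
    bad = sorted(set(password) - XAUTH_PASS_CHARS)
    if bad:
        problems.append("password: disallowed characters " + repr(bad))
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from any real configuration.
    samples = ["Example-Key_2024!", "0x0123456789ABCDEF", "0xabcd1234",
               "short", "has space 123"]
    for key in samples:
        print(repr(key), "->", classify_psk(key))
    print(check_xauth_client("vpn-user_01", "pa ss[word]?"))
```

A key reported as "ambiguous" satisfies the text rule but was probably meant as hex; because the pre-shared key is case-sensitive and both peers must match, resolve it before deployment.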