PreIpsecRules
This object specifies an index into the IPsec traffic table pointing to a list of traffic definitions that is evaluated before the traffic lists of the IPsec peers during IPsec traffic processing. It may contain only pass or drop entries (protect entries are ignored if erroneously configured).
DefaultRule
This object specifies how to treat packets that do not match any entry in the traffic lists of the active peers or in the pre- and post-IPsec rules. Possible values: drop(1) -- drop all packets; pass(2) -- allow all packets to pass in plain (unprotected).
Use32BitCpi
This object specifies whether the CPI values in IKE IPComp negotiations are sent as 32-bit or as 16-bit numbers. Possible values: true(1) -- send CPI as 32-bit numbers; false(2) -- send CPI as 16-bit numbers.
NoWellKnownCpis
This object specifies whether the well-known CPI values should be used in IKE IPComp negotiations. If set to true, IKE allocates random CPI values from the negotiable range 256-61439. Possible values: true(1) -- do not use the well-known CPI values; false(2) -- use the well-known CPI values.
NoPmtuDiscovery
This object specifies the default PMTU discovery policy if the ipsecPeerPmtuDiscovery flag is set to default. Possible values: true(1) -- do not perform PMTU discovery; false(2) -- perform PMTU discovery. CAUTION: This object is obsolete.
DefaultPmtuTtl
This object specifies the time-to-live (in minutes) of a PMTU value derived from an ICMP PMTU message received for an IPsec packet. After this time the MTU is increased step by step, using the values from RFC 1191, until a new ICMP PMTU message is received. A TTL value of 0 means infinite.
PrivateInterface
This object specifies the index of the system's private interface. If the private interface is set (i.e. non-negative), certain address-spoofing attacks are made impossible by IPsec itself.
SaSyncInterface
This object specifies whether IKE and IPsec SAs should be deleted if the interface over which the packets are initially sent goes down or becomes dormant. Possible values: true(1) -- delete SAs; false(2) -- do not delete SAs.
PostIpsecRules
This object specifies an index into the IPsec traffic table pointing to a list of traffic definitions that is evaluated after the traffic lists of the IPsec peers during IPsec traffic processing. It may contain only pass or drop entries (protect entries are ignored if erroneously configured).
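As an added example (not the device's own code), the following Python models the evaluation order described for PreIpsecRules, the peers' traffic lists, PostIpsecRules and DefaultRule, including the rule that a protect entry in a pre/post list is ignored. The Rule class, CIDR-based selector matching and the sample configuration are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional

@dataclass(frozen=True)
class Rule:
    """One traffic definition (hypothetical shape): CIDR selectors plus action."""
    src: str
    dst: str
    action: str   # "pass", "drop" or "protect"

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst))

def first_match(rules: Iterable[Rule], src_ip: str, dst_ip: str,
                allowed: set) -> Optional[str]:
    """Action of the first matching rule whose action is in `allowed`; other
    entries are skipped, so a protect entry in a pre/post list is ignored."""
    for rule in rules:
        if rule.action in allowed and rule.matches(src_ip, dst_ip):
            return rule.action
    return None

def classify(src_ip: str, dst_ip: str, pre_rules: List[Rule],
             peer_lists: List[List[Rule]], post_rules: List[Rule],
             default_rule: str) -> str:
    """Order from the MIB: PreIpsecRules, peers' traffic lists, PostIpsecRules,
    then DefaultRule for anything still unmatched."""
    hit = first_match(pre_rules, src_ip, dst_ip, {"pass", "drop"})
    for rules in peer_lists:
        if hit is not None:
            break
        hit = first_match(rules, src_ip, dst_ip, {"pass", "drop", "protect"})
    if hit is None:
        hit = first_match(post_rules, src_ip, dst_ip, {"pass", "drop"})
    return hit if hit is not None else default_rule

# Constructed sample configuration, not taken from any real device.
PRE_RULES = [Rule("0.0.0.0/0", "0.0.0.0/0", "protect"),    # erroneous entry, ignored
             Rule("192.168.1.0/24", "10.0.0.0/8", "drop")]  # must never go out in plain
PEER_LISTS = [[Rule("192.168.1.0/24", "172.16.0.0/16", "protect")]]
POST_RULES = [Rule("192.168.1.0/24", "0.0.0.0/0", "pass")]
DEFAULT_RULE = "drop"   # DefaultRule = drop(1)

def decide(src_ip: str, dst_ip: str) -> str:
    return classify(src_ip, dst_ip, PRE_RULES, PEER_LISTS, POST_RULES, DEFAULT_RULE)
```

Note that the pre-rule drop wins over the peer list even though a protect entry would also have matched, which is the point of placing spoofing or leak guards in PreIpsecRules.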
DefaultPfsIdentity
This object specifies whether IKE SAs should be deleted immediately after a phase 2 (IPsec) SA pair has been negotiated. It may be overridden by the individual settings of a peer entry if ipsecPeerPfsIdentity is not set to 'default'. The consequence of enabling this feature is that every phase 2 negotiation must be preceded by a phase 1 negotiation. Thus individual phase 2 SAs cannot be associated with one another; in other words, if the identity of a remote peer is known to an eavesdropper for one SA, he cannot conclude that the next SA is negotiated with the same remote peer. Note: Setting this flag only makes sense if it is configured together with id-protect mode or RSA encryption for authentication, and if the IP address of the remote peer does not allow conclusions about its identity (i.e. dynamic remote peer addresses). Possible values: true(1) -- delete phase 1 SAs; false(2) -- do not delete phase 1 SAs.
IkeLoggingLevel
This object specifies the IKE logging level. IKE log messages are output as syslog messages at level debug. Note that the global syslog table level must be set to debug in order to see these messages. Possible values: 0: no IKE log messages; ... 3: IKE error output; ... 6: IKE trace output; ... 9: IKE detailed results output; 10 and above: hexdumps of IKE messages.
DialBlockTime
Amount of time in minutes that an ipsecDial entry remains in state blocked-for-outgoing after a cost-producing trigger call was detected. The special value -1 means the entry stays blocked until it is unblocked manually by deactivating it and reactivating it afterwards. The default value is -1.
PfsIdentityDelay
This object specifies the number of seconds to wait before deleting the underlying phase 1 SA after a phase 2 SA has been established, if PFS for identity is configured.
HeartbeatDefault
This object specifies whether heartbeats should be sent over phase 1 SAs. Possible values: none(1) -- neither send nor expect heartbeats; expect(2) -- expect heartbeats; send(3) -- send heartbeats; both(4) -- send and expect heartbeats. CAUTION: This object is obsolete.
HeartbeatInterval
This object specifies the time interval in seconds between heartbeats. At this rate heartbeats are sent and/or expected if configured.
HeartbeatTolerance
This object specifies the maximum number of missing heartbeats allowed before an SA is discarded.
ObsoleteFeatureMask
Some obsolete features are represented by a bit in this mask and can be re-enabled for testing or compatibility purposes. A mask bit of 1 enables the corresponding (obsolete) feature; a mask bit of 0 disables it completely. Bit 0x00000001: re-enable delayed apf-graph-node-memory free; bit 0x00000002: tbd. The default value is 0, i.e. all obsolete features are disabled. Do not change this default unless really necessary.
P1Always
This object specifies whether a phase 1 rekeying is always done immediately before a phase 2 rekeying. Note that this differs from PFS for identity, because the latter discards the phase 1 SA immediately after phase 2 establishment. This feature is mainly a compatibility flag for some non-standard implementations that always expect a phase 1 SA to exist whenever a phase 2 SA exists. When enabling it, also select a longer lifetime for phase 1 than for phase 2.
HwAccel
Enables/disables usage of the encryption engine.
SupportVarKeyLength4Twofish
Enables/disables support of variable key sizes for the Twofish algorithm. Note that the Twofish-related settings within the ipsecAlgorithmTable are synchronized accordingly. If set to no(2), the system acts in backward-compatibility mode. This setting may be necessary in some dedicated cases in order to avoid IKE negotiation problems.
Ikev2Profile
This object specifies the default IKE_SA profile to use (only for IKEv2). If set to 0, no profile is configured as the default.
MaxIkev2Sas
This object specifies the maximum number of simultaneous IKEv2 security associations allowed. If this limit is reached, entries are removed from the database, starting with the ones that will expire very soon. If that is not enough, entries are deleted in reverse LRU order.
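The two-stage eviction described for MaxIkev2Sas, as an added example rather than the device's implementation: the SA record fields, the "very soon" threshold of 60 seconds, and the reading of "reverse LRU" as least-recently-used first are assumptions.

```python
from dataclasses import dataclass
from typing import List

@dataclass
class Ikev2Sa:
    """Minimal IKEv2 SA record (hypothetical fields)."""
    name: str
    expires_at: int   # absolute time (s) at which the SA lifetime ends
    last_used: int    # absolute time (s) of the SA's most recent use

def make_room(sas: List[Ikev2Sa], max_sas: int, now: int,
              soon: int = 60) -> List[str]:
    """Evict entries until one more SA fits under max_sas; return the names
    removed, in eviction order.
    Stage 1: SAs expiring within `soon` seconds, earliest expiry first.
    Stage 2: only if stage 1 was not enough, the remaining SAs least
    recently used first (assumed meaning of 'reverse LRU order')."""
    removed: List[str] = []
    needed = len(sas) - (max_sas - 1)      # slots to free for the new SA
    if needed <= 0:
        return removed
    expiring = sorted((s for s in sas if s.expires_at - now <= soon),
                      key=lambda s: s.expires_at)
    lru = sorted((s for s in sas if s.expires_at - now > soon),
                 key=lambda s: s.last_used)
    for sa in expiring + lru:
        if len(removed) >= needed:
            break
        sas.remove(sa)
        removed.append(sa.name)
    return removed

def sample_sas() -> List[Ikev2Sa]:
    """Constructed SA database for a clock value of now = 1000 s."""
    return [Ikev2Sa("A", expires_at=1030, last_used=900),
            Ikev2Sa("B", expires_at=4600, last_used=500),
            Ikev2Sa("C", expires_at=4600, last_used=990),
            Ikev2Sa("D", expires_at=1045, last_used=999)]
```

With the limit set to 2, admitting a fifth SA evicts A and D (both about to expire) and then B (least recently used), leaving C, the most recently used long-lived SA.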
PathFinder
Enables/disables the IPsec pathfinder mode, in which all traffic (IKE, ESP and AH) is embedded in a pseudo-HTTPS session between the peers (similar to NAT-T mode).
XauthTimeout
If extended authentication is requested, this is the time (in seconds) the device waits for a response. A sufficiently large value is important when username and password are entered manually by the user.
Compatiblity
This bitfield defines IPsec compatibility flags: ripe-md160-4: if enabled, use 4 as the class value for the RIPEMD-160 hash algorithm for backward-compatibility reasons; if disabled, 65001 is used as the class value.
MaxIkev2RdrEntries
This object specifies the maximum number of entries in the ikev2RedirectTable. A value of 0 means that Redirect for IKEv2 (RFC 5685) is disabled. A value greater than 0 means that Redirect for IKEv2 (RFC 5685) is enabled and each redirect request from a gateway leads to at least one entry in the ikev2RedirectTable. When the maximum number of entries is reached, the oldest entry is deleted each time a new entry is added.
MobikeFactor
Multiplier for the ipsecGlobDPDIdleThreshold setting, mostly required in IKEv2 MOBIKE scenarios according to RFC 4555. For backward-compatibility reasons the default value is set to '10'.
DnsSelectRoundRobin
Only considered in the case of IKEv2 or the IKEv2 initiator role: if set to enabled(1), the retrieved A or AAAA records are used in a round-robin scheme.