VPN Interface IPsec Feature Template

Configure a standard IPsec interface, the interface name, the admin status, the IKEv2 parameters, the IPsec parameters, the tunnel source interface, the tunnel destination, the IP maximum transmission unit (MTU), the Transmission Control Protocol maximum segment size (TCP MSS), and more.

Diagram

Classes

edge_feature_templates (sdwan)

Name	Type	Constraint	Mandatory	Default Value
ipsec_interface_templates	List	[ipsec_interface_templates]	No

ipsec_interface_templates (sdwan.edge_feature_templates)

Name	Type	Constraint	Mandatory	Default Value
name	String	Regex: ^[^<>!&" ]{1,128}$	Yes
description	String		Yes
device_types	List	Choice[ASR-1001-HX, ASR-1001-X, ASR-1002-HX, ASR-1002-X, ASR-1006-X, C1101-4P, C1101-4PLTEP, C1101-4PLTEPW, C1109-2PLTEGB, C1109-2PLTEUS, C1109-2PLTEVZ, C1109-4PLTE2P, C1109-4PLTE2PW, C1111-4P, C1111-4PLTEEA, C1111-4PLTELA, C1111-4PW, C1111-8P, C1111-8PLTEEA, C1111-8PLTEEAW, C1111-8PLTELA, C1111-8PLTELAW, C1111-8PW, C1111X-8P, C1112-8P, C1112-8PLTEEA, C1112-8PLTEEAWE, C1112-8PWE, C1113-8P, C1113-8PLTEEA, C1113-8PLTEEAW, C1113-8PLTELA, C1113-8PLTELAWZ, C1113-8PLTEW, C1113-8PM, C1113-8PMLTEEA, C1113-8PMWE, C1113-8PW, C1116-4P, C1116-4PLTEEA, C1116-4PLTEEAWE, C1116-4PWE, C1117-4P, C1117-4PLTEEA, C1117-4PLTEEAW, C1117-4PLTELA, C1117-4PLTELAWZ, C1117-4PM, C1117-4PMLTEEA, C1117-4PMLTEEAWE, C1117-4PMWE, C1117-4PW, C1118-8P, C1121-4P, C1121-4PLTEP, C1121-8P, C1121-8PLTEP, C1121-8PLTEPW, C1121X-8P, C1121X-8PLTEP, C1121X-8PLTEPW, C1126-8PLTEP, C1126X-8PLTEP, C1127-8PLTEP, C1127-8PMLTEP, C1127X-8PLTEP, C1127X-8PMLTEP, C1128-8PLTEP, C1131-8PLTEPW, C1131-8PW, C1131X-8PLTEPW, C1131X-8PW, C1161-8P, C1161-8PLTEP, C1161X-8P, C1161X-8PLTEP, C8000V, C8200-1N-4T, C8200L-1N-4T, C8300-1N1S-4T2X, C8300-1N1S-6T, C8300-2N2S-4T2X, C8300-2N2S-6T, C8500-12X, C8500-12X4QC, C8500-20X6C, C8500L-8S4X, IR-1101, IR-1821, IR-1831, IR-1833, IR-1835, IR-8140H, IR-8140H-P, IR-8340, ISR-4221, ISR-4221X, ISR-4321, ISR-4331, ISR-4351, ISR-4431, ISR-4451-X, ISR-4461, ISR1100-4G-XE, ISR1100-4GLTEGB-XE, ISR1100-4GLTENA-XE, ISR1100-6G-XE, ISR1100X-4G-XE, ISR1100X-6G-XE]	No
application	Choice	none, sig	No
application_variable	String	Regex: ^[^"~$&+,]255$`	No
clear_dont_fragment	Boolean	true, false	No
clear_dont_fragment_variable	String	Regex: ^[^"~$&+,]255$`	No
dead_peer_detection_interval	Integer	min: 10, max: 3600	No
dead_peer_detection_interval_variable	String	Regex: ^[^"~$&+,]255$`	No
dead_peer_detection_retries	Integer	min: 2, max: 60	No
dead_peer_detection_retries_variable	String	Regex: ^[^"~$&+,]255$`	No
ike	Class	[ike]	No
interface_description	String		No
interface_description_variable	String	Regex: ^[^"~$&+,]255$`	No
interface_name	String	Regex: ^(ipsec[0-9]{0,3}|gre[0-9]{0,3})$	No
interface_name_variable	String	Regex: ^[^"~$&+,]255$`	No
ip_address	IP		No
ip_address_variable	String	Regex: ^[^"~$&+,]255$`	No
ipsec	Class	[ipsec]	No
mtu	Integer	min: 576, max: 9216	No
mtu_variable	String	Regex: ^[^"~$&+,]255$`	No
shutdown	Boolean	true, false	No
shutdown_variable	String	Regex: ^[^"~$&+,]255$`	No
tcp_mss	Integer	min: 500, max: 1460	No
tcp_mss_variable	String	Regex: ^[^"~$&+,]255$`	No
tracker	String		No
tracker_variable	String	Regex: ^[^"~$&+,]255$`	No
tunnel_destination	Any	IP or String	No
tunnel_destination_variable	String	Regex: ^[^"~$&+,]255$`	No
tunnel_source_interface	String		No
tunnel_source_interface_variable	String	Regex: ^[^"~$&+,]255$`	No
tunnel_source_ip	IP		No
tunnel_source_ip_variable	String	Regex: ^[^"~$&+,]255$`	No

ike (sdwan.edge_feature_templates.ipsec_interface_templates)

Name	Type	Constraint	Mandatory	Default Value
ciphersuite	Choice	aes256-cbc-sha1, aes256-cbc-sha2, aes128-cbc-sha1, aes128-cbc-sha2	No
ciphersuite_variable	String	Regex: ^[^"~$&+,]255$`	No
group	Choice	2, 14, 15, 16, 19, 20, 21, 24	No
group_variable	String	Regex: ^[^"~$&+,]255$`	No
mode	Choice	main, aggressive	No
mode_variable	String	Regex: ^[^"~$&+,]255$`	No
pre_shared_key	String	max: 127	No
pre_shared_key_variable	String	Regex: ^[^"~$&+,]255$`	No
pre_shared_key_local_id	String	max: 63	No
pre_shared_key_local_id_variable	String	Regex: ^[^"~$&+,]255$`	No
pre_shared_key_remote_id	String	max: 63	No
pre_shared_key_remote_id_variable	String	Regex: ^[^"~$&+,]255$`	No
rekey_interval	Integer	min: 60, max: 86400	No
rekey_interval_variable	String	Regex: ^[^"~$&+,]255$`	No
version	Integer	min: 1, max: 2	No

ipsec (sdwan.edge_feature_templates.ipsec_interface_templates)

Name	Type	Constraint	Mandatory	Default Value
ciphersuite	Choice	aes256-cbc-sha1, aes256-cbc-sha384, aes256-cbc-sha256, aes256-cbc-sha512, aes256-gcm, null-sha1, null-sha384, null-sha256, null-sha512	No
ciphersuite_variable	String	Regex: ^[^"~$&+,]255$`	No
perfect_forward_secrecy	Choice	group-1, group-2, group-5, group-14, group-15, group-16, group-19, group-20, group-21, group-24, none	No
perfect_forward_secrecy_variable	String	Regex: ^[^"~$&+,]255$`	No
rekey_interval	Integer	min: 120, max: 2592000	No
rekey_interval_variable	String	Regex: ^[^"~$&+,]255$`	No
replay_window	Integer	min: 64, max: 4096	No
replay_window_variable	String	Regex: ^[^"~$&+,]255$`	No

Examples

sdwan:
  edge_feature_templates:
    ipsec_interface_templates:
      - name: FT-CEDGE-IPSEC101-V01
        description: "Manual IPSec Tunnel #1"
        dead_peer_detection_interval: 20
        interface_description: "Manual IPSec tunnel #1"
        interface_name: ipsec101
        ike:
          pre_shared_key_local_id: localid@acme.com
          pre_shared_key_variable: vpn0_ipsec101_pre_shared_key
          ciphersuite: aes256-cbc-sha1
          group: 14
          rekey_interval: 14400
          version: 2
        ipsec:
          ciphersuite: null-sha1
          rekey_interval: 28800
          perfect_forward_secrecy: none
        mtu: 1400
        shutdown: false
        tcp_mss: 1360
        tunnel_destination_variable: vpn0_ipsec101_tunnel_dest_ip
        tunnel_source_interface_variable: vpn0_ipsec101_source_wan_if