Security Feature Template
Change the rekey time, anti-replay window, and authentication types for IPsec.
Diagram
Classes
edge_feature_templates (sdwan)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| security_templates | List | [security_templates] | No |
security_templates (sdwan.edge_feature_templates)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | Regex: ^[^<>!&" ]{1,128}$ | Yes | |
| description | String | Yes | ||
| device_types | List | Choice[ASR-1001-HX, ASR-1001-X, ASR-1002-HX, ASR-1002-X, ASR-1006-X, C1101-4P, C1101-4PLTEP, C1101-4PLTEPW, C1109-2PLTEGB, C1109-2PLTEUS, C1109-2PLTEVZ, C1109-4PLTE2P, C1109-4PLTE2PW, C1111-4P, C1111-4PLTEEA, C1111-4PLTELA, C1111-4PW, C1111-8P, C1111-8PLTEEA, C1111-8PLTEEAW, C1111-8PLTELA, C1111-8PLTELAW, C1111-8PW, C1111X-8P, C1112-8P, C1112-8PLTEEA, C1112-8PLTEEAWE, C1112-8PWE, C1113-8P, C1113-8PLTEEA, C1113-8PLTEEAW, C1113-8PLTELA, C1113-8PLTELAWZ, C1113-8PLTEW, C1113-8PM, C1113-8PMLTEEA, C1113-8PMWE, C1113-8PW, C1116-4P, C1116-4PLTEEA, C1116-4PLTEEAWE, C1116-4PWE, C1117-4P, C1117-4PLTEEA, C1117-4PLTEEAW, C1117-4PLTELA, C1117-4PLTELAWZ, C1117-4PM, C1117-4PMLTEEA, C1117-4PMLTEEAWE, C1117-4PMWE, C1117-4PW, C1118-8P, C1121-4P, C1121-4PLTEP, C1121-8P, C1121-8PLTEP, C1121-8PLTEPW, C1121X-8P, C1121X-8PLTEP, C1121X-8PLTEPW, C1126-8PLTEP, C1126X-8PLTEP, C1127-8PLTEP, C1127-8PMLTEP, C1127X-8PLTEP, C1127X-8PMLTEP, C1128-8PLTEP, C1131-8PLTEPW, C1131-8PW, C1131X-8PLTEPW, C1131X-8PW, C1161-8P, C1161-8PLTEP, C1161X-8P, C1161X-8PLTEP, C8000V, C8200-1N-4T, C8200L-1N-4T, C8300-1N1S-4T2X, C8300-1N1S-6T, C8300-2N2S-4T2X, C8300-2N2S-6T, C8500-12X, C8500-12X4QC, C8500-20X6C, C8500L-8S4X, IR-1101, IR-1821, IR-1831, IR-1833, IR-1835, IR-8140H, IR-8140H-P, IR-8340, ISR-4221, ISR-4221X, ISR-4321, ISR-4331, ISR-4351, ISR-4431, ISR-4451-X, ISR-4461, ISR1100-4G-XE, ISR1100-4GLTEGB-XE, ISR1100-4GLTENA-XE, ISR1100-6G-XE, ISR1100X-4G-XE, ISR1100X-6G-XE] | No | |
| authentication_types | List | Choice[none, esp, ip-udp-esp, ip-udp-esp-no-id] | No | |
| authentication_types_variable | String | Regex: ^[^"~$&+,]255$` | No | |
| extended_anti_replay_window | Integer | min: 10, max: 2048 | No | |
| extended_anti_replay_window_variable | String | Regex: ^[^"~$&+,]255$` | No | |
| key_chains | List | [key_chains] | No | |
| keys | List | [keys] | No | |
| pairwise_keying | Boolean | true, false | No | |
| pairwise_keying_variable | String | Regex: ^[^"~$&+,]255$` | No | |
| rekey_interval | Integer | min: 1, max: 1209600 | No | |
| rekey_interval_variable | String | Regex: ^[^"~$&+,]255$` | No | |
| replay_window | Choice | 64, 128, 256, 512, 1024, 2048, 4096, 8192 | No | |
| replay_window_variable | String | Regex: ^[^"~$&+,]255$` | No |
key_chains (sdwan.edge_feature_templates.security_templates)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | Yes | ||
| key_id | Integer | min: 0, max: 2147483647 | Yes |
keys (sdwan.edge_feature_templates.security_templates)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| accept_ao_mismatch | Boolean | true, false | No | |
| accept_lifetime | Boolean | true, false | No | |
| accept_lifetime_variable | String | Regex: ^[^"~$&+,]255$` | No | |
| accept_lifetime_duration_seconds | Integer | No | ||
| accept_lifetime_duration_variable | String | Regex: ^[^"~$&+,]255$` | No | |
| accept_lifetime_end_time_epoch | Integer | No | ||
| accept_lifetime_end_time_format | Choice | infinite, duration, end-epoch | No | |
| accept_lifetime_start_time_epoch | Integer | No | ||
| crypto_algorithm | Choice | aes-128-cmac, hmac-sha-1, hmac-sha-256 | Yes | |
| id | Integer | min: 0, max: 2147483647 | Yes | |
| include_tcp_options | Boolean | true, false | No | |
| include_tcp_options_variable | String | Regex: ^[^"~$&+,]255$` | No | |
| key_chain_name | String | Yes | ||
| key_string | String | starts_with: $CRYPT_CLUSTER$, min: 1, max: 128 | No | |
| key_string_variable | String | Regex: ^[^"~$&+,]255$` | No | |
| send_id | Integer | min: 0, max: 255 | No | |
| send_id_variable | String | Regex: ^[^"~$&+,]255$` | No | |
| send_lifetime | Boolean | true, false | No | |
| send_lifetime_variable | String | Regex: ^[^"~$&+,]255$` | No | |
| send_lifetime_duration_seconds | Integer | No | ||
| send_lifetime_duration_variable | String | Regex: ^[^"~$&+,]255$` | No | |
| send_lifetime_end_time_epoch | Integer | No | ||
| send_lifetime_end_time_format | Choice | infinite, duration, end-epoch | No | |
| send_lifetime_start_time_epoch | Integer | No | ||
| receive_id | Integer | min: 0, max: 255 | No | |
| receive_id_variable | String | Regex: ^[^"~$&+,]255$` | No |
Examples
sdwan:
edge_feature_templates:
security_templates:
- name: FT-CEDGE-SECURITY-01
description: "Base SD-WAN data-plane security"
rekey_interval: 172800
replay_window: 8192
key_chains:
- name: CHAIN1
key_id: 1
keys:
- id: 1
key_chain_name: CHAIN1
crypto_algorithm: hmac-sha-256
key_string: $CRYPT_CLUSTER$LWNAaNmLFvqA+58XSHEQHw==$h2ZTQ6rZdN3te+7M5QszqQ==