Security Feature
Change the rekey time, anti-replay window, and authentication types for IPsec.
Diagram
Classes
system_profiles (sdwan.feature_profiles)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| security | Class | [security] | No |
security (sdwan.feature_profiles.system_profiles)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | Regex: ^[^&<>! "]{1,128}$ | Yes | |
| description | String | No | ||
| anti_replay_window | Choice | 64, 128, 256, 512, 1024, 2048, 4096, 8192 | No | |
| anti_replay_window_variable | String | Regex: ^[./\[\]a-zA-Z0-9_-]{1,64}$ | No | |
| extended_anti_replay_window | Integer | min: 10, max: 2048 | No | |
| extended_anti_replay_window_variable | String | Regex: ^[./\[\]a-zA-Z0-9_-]{1,64}$ | No | |
| integrity_types | List | Choice[esp, ip-udp-esp, none, ip-udp-esp-no-id] | No | |
| integrity_types_variable | String | Regex: ^[./\[\]a-zA-Z0-9_-]{1,64}$ | No | |
| ipsec_pairwise_keying | Boolean | true, false | No | |
| ipsec_pairwise_keying_variable | String | Regex: ^[./\[\]a-zA-Z0-9_-]{1,64}$ | No | |
| key_chains | List | [key_chains] | No | |
| keys | List | [keys] | No | |
| rekey_time | Integer | min: 10, max: 1209600 | No | |
| rekey_time_variable | String | Regex: ^[./\[\]a-zA-Z0-9_-]{1,64}$ | No |
key_chains (sdwan.feature_profiles.system_profiles.security)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| key_id | Integer | min: 0, max: 2147483647 | Yes | |
| name | String | max: 236 | Yes |
keys (sdwan.feature_profiles.system_profiles.security)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| id | Integer | Yes | ||
| accept_ao_mismatch | Boolean | true, false | No | |
| accept_ao_mismatch_variable | String | Regex: ^[./\[\]a-zA-Z0-9_-]{1,64}$ | No | |
| accept_life_time_duration | Integer | min: 1, max: 2147483646 | No | |
| accept_life_time_exact | Integer | No | ||
| accept_life_time_infinite | Boolean | true, false | No | |
| accept_life_time_local | Boolean | true, false | No | |
| accept_life_time_local_variable | String | Regex: ^[./\[\]a-zA-Z0-9_-]{1,64}$ | No | |
| accept_life_time_start_epoch | Integer | Yes | ||
| crypto_algorithm | Choice | aes-128-cmac, hmac-sha-1, hmac-sha-256 | Yes | |
| include_tcp_options | Boolean | true, false | No | |
| include_tcp_options_variable | String | Regex: ^[./\[\]a-zA-Z0-9_-]{1,64}$ | No | |
| key_chain_name | String | Yes | ||
| key_string | String | min: 1 | No | |
| key_string_variable | String | Regex: ^[./\[\]a-zA-Z0-9_-]{1,64}$ | No | |
| receiver_id | Integer | min: 0, max: 255 | No | |
| receiver_id_variable | String | Regex: ^[./\[\]a-zA-Z0-9_-]{1,64}$ | No | |
| send_id | Integer | min: 0, max: 255 | No | |
| send_id_variable | String | Regex: ^[./\[\]a-zA-Z0-9_-]{1,64}$ | No | |
| send_life_time_duration | Integer | min: 1, max: 2147483646 | No | |
| send_life_time_exact | Integer | No | ||
| send_life_time_infinite | Boolean | true, false | No | |
| send_life_time_local | Boolean | true, false | No | |
| send_life_time_local_variable | String | Regex: ^[./\[\]a-zA-Z0-9_-]{1,64}$ | No | |
| send_life_time_start_epoch | Integer | Yes |
Examples
sdwan:
feature_profiles:
system_profiles:
- name: system1
description: this is test system profile
security:
name: security
description: basic security
anti_replay_window: 8192
extended_anti_replay_window_variable: extended_arw
integrity_types:
- esp
- ip-udp-esp
key_chains:
- name: CHAIN1
key_id: 1
keys:
- accept_life_time_start_epoch: 1714125354
accept_life_time_exact: 1774125354
crypto_algorithm: hmac-sha-256
id: 1
key_chain_name: CHAIN1
key_string: lpqBQBw92hQOkcsmT7pLZq
receiver_id_variable: key_recv_id
send_id: 10
send_life_time_start_epoch: 1714125354
send_life_time_infinite: true
rekey_time: 172800