Skip to content
Network as Code

VPN Interface IPsec Feature Template

Configure a standard IPsec interface, the interface name, the admin status, the IKEv2 parameters, the IPsec parameters, the tunnel source interface, the tunnel destination, the IP maximum transmission unit (MTU), the Transmission Control Protocol maximum segment size (TCP MSS), and more.

Diagram

Diagram

Classes

edge_feature_templates (sdwan)

NameTypeConstraintMandatoryDefault Value
ipsec_interface_templatesList[ipsec_interface_templates]No

ipsec_interface_templates (sdwan.edge_feature_templates)

NameTypeConstraintMandatoryDefault Value
nameStringRegex: ^[^<>!&" ]{1,128}$Yes
descriptionStringYes
device_typesListChoice[ASR-1001-HX, ASR-1001-X, ASR-1002-HX, ASR-1002-X, ASR-1006-X, C1101-4P, C1101-4PLTEP, C1101-4PLTEPW, C1109-2PLTEGB, C1109-2PLTEUS, C1109-2PLTEVZ, C1109-4PLTE2P, C1109-4PLTE2PW, C1111-4P, C1111-4PLTEEA, C1111-4PLTELA, C1111-4PW, C1111-8P, C1111-8PLTEEA, C1111-8PLTEEAW, C1111-8PLTELA, C1111-8PLTELAW, C1111-8PW, C1111X-8P, C1112-8P, C1112-8PLTEEA, C1112-8PLTEEAWE, C1112-8PWE, C1113-8P, C1113-8PLTEEA, C1113-8PLTEEAW, C1113-8PLTELA, C1113-8PLTELAWZ, C1113-8PLTEW, C1113-8PM, C1113-8PMLTEEA, C1113-8PMWE, C1113-8PW, C1116-4P, C1116-4PLTEEA, C1116-4PLTEEAWE, C1116-4PWE, C1117-4P, C1117-4PLTEEA, C1117-4PLTEEAW, C1117-4PLTELA, C1117-4PLTELAWZ, C1117-4PM, C1117-4PMLTEEA, C1117-4PMLTEEAWE, C1117-4PMWE, C1117-4PW, C1118-8P, C1121-4P, C1121-4PLTEP, C1121-8P, C1121-8PLTEP, C1121-8PLTEPW, C1121X-8P, C1121X-8PLTEP, C1121X-8PLTEPW, C1126-8PLTEP, C1126X-8PLTEP, C1127-8PLTEP, C1127-8PMLTEP, C1127X-8PLTEP, C1127X-8PMLTEP, C1128-8PLTEP, C1131-8PLTEPW, C1131-8PW, C1131X-8PLTEPW, C1131X-8PW, C1161-8P, C1161-8PLTEP, C1161X-8P, C1161X-8PLTEP, C8000V, C8200-1N-4T, C8200L-1N-4T, C8300-1N1S-4T2X, C8300-1N1S-6T, C8300-2N2S-4T2X, C8300-2N2S-6T, C8500-12X, C8500-12X4QC, C8500-20X6C, C8500L-8S4X, IR-1101, IR-1821, IR-1831, IR-1833, IR-1835, IR-8140H, IR-8140H-P, IR-8340, ISR-4221, ISR-4221X, ISR-4321, ISR-4331, ISR-4351, ISR-4431, ISR-4451-X, ISR-4461, ISR1100-4G-XE, ISR1100-4GLTEGB-XE, ISR1100-4GLTENA-XE, ISR1100-6G-XE, ISR1100X-4G-XE, ISR1100X-6G-XE]No
applicationChoicenone, sigNo
application_variableStringRegex: ^[^"~$&+,]255$`No
clear_dont_fragmentBooleantrue, falseNo
clear_dont_fragment_variableStringRegex: ^[^"~$&+,]255$`No
dead_peer_detection_intervalIntegermin: 10, max: 3600No
dead_peer_detection_interval_variableStringRegex: ^[^"~$&+,]255$`No
dead_peer_detection_retriesIntegermin: 2, max: 60No
dead_peer_detection_retries_variableStringRegex: ^[^"~$&+,]255$`No
ikeClass[ike]No
interface_descriptionStringNo
interface_description_variableStringRegex: ^[^"~$&+,]255$`No
interface_nameStringRegex: ^(ipsec[0-9]{0,3}|gre[0-9]{0,3})$No
interface_name_variableStringRegex: ^[^"~$&+,]255$`No
ip_addressIPNo
ip_address_variableStringRegex: ^[^"~$&+,]255$`No
ipsecClass[ipsec]No
mtuIntegermin: 576, max: 9216No
mtu_variableStringRegex: ^[^"~$&+,]255$`No
shutdownBooleantrue, falseNo
shutdown_variableStringRegex: ^[^"~$&+,]255$`No
tcp_mssIntegermin: 500, max: 1460No
tcp_mss_variableStringRegex: ^[^"~$&+,]255$`No
trackerStringNo
tracker_variableStringRegex: ^[^"~$&+,]255$`No
tunnel_destinationAnyIP or StringNo
tunnel_destination_variableStringRegex: ^[^"~$&+,]255$`No
tunnel_source_interfaceStringNo
tunnel_source_interface_variableStringRegex: ^[^"~$&+,]255$`No
tunnel_source_ipIPNo
tunnel_source_ip_variableStringRegex: ^[^"~$&+,]255$`No

ike (sdwan.edge_feature_templates.ipsec_interface_templates)

NameTypeConstraintMandatoryDefault Value
ciphersuiteChoiceaes256-cbc-sha1, aes256-cbc-sha2, aes128-cbc-sha1, aes128-cbc-sha2No
ciphersuite_variableStringRegex: ^[^"~$&+,]255$`No
groupChoice2, 14, 15, 16, 19, 20, 21, 24No
group_variableStringRegex: ^[^"~$&+,]255$`No
modeChoicemain, aggressiveNo
mode_variableStringRegex: ^[^"~$&+,]255$`No
pre_shared_keyStringmax: 127No
pre_shared_key_variableStringRegex: ^[^"~$&+,]255$`No
pre_shared_key_local_idStringmax: 63No
pre_shared_key_local_id_variableStringRegex: ^[^"~$&+,]255$`No
pre_shared_key_remote_idStringmax: 63No
pre_shared_key_remote_id_variableStringRegex: ^[^"~$&+,]255$`No
rekey_intervalIntegermin: 60, max: 86400No
rekey_interval_variableStringRegex: ^[^"~$&+,]255$`No
versionIntegermin: 1, max: 2No

ipsec (sdwan.edge_feature_templates.ipsec_interface_templates)

NameTypeConstraintMandatoryDefault Value
ciphersuiteChoiceaes256-cbc-sha1, aes256-cbc-sha384, aes256-cbc-sha256, aes256-cbc-sha512, aes256-gcm, null-sha1, null-sha384, null-sha256, null-sha512No
ciphersuite_variableStringRegex: ^[^"~$&+,]255$`No
perfect_forward_secrecyChoicegroup-1, group-2, group-5, group-14, group-15, group-16, group-19, group-20, group-21, group-24, noneNo
perfect_forward_secrecy_variableStringRegex: ^[^"~$&+,]255$`No
rekey_intervalIntegermin: 120, max: 2592000No
rekey_interval_variableStringRegex: ^[^"~$&+,]255$`No
replay_windowIntegermin: 64, max: 4096No
replay_window_variableStringRegex: ^[^"~$&+,]255$`No

Examples

sdwan:
  edge_feature_templates:
    ipsec_interface_templates:
      - name: FT-CEDGE-IPSEC101-V01
        description: "Manual IPSec Tunnel #1"
        dead_peer_detection_interval: 20
        interface_description: "Manual IPSec tunnel #1"
        interface_name: ipsec101
        ike:
          pre_shared_key_local_id: localid@acme.com
          pre_shared_key_variable: vpn0_ipsec101_pre_shared_key
          ciphersuite: aes256-cbc-sha1
          group: 14
          rekey_interval: 14400
          version: 2
        ipsec:
          ciphersuite: null-sha1
          rekey_interval: 28800
          perfect_forward_secrecy: none
        mtu: 1400
        shutdown: false
        tcp_mss: 1360
        tunnel_destination_variable: vpn0_ipsec101_tunnel_dest_ip
        tunnel_source_interface_variable: vpn0_ipsec101_source_wan_if