Skip to content
Network as Code

System Security Feature

Change the rekey time, anti-replay window, and authentication types for IPsec.

Diagram

Diagram

Classes

system_profiles (sdwan.feature_profiles)

NameTypeConstraintMandatoryDefault Value
securityClass[security]No

security (sdwan.feature_profiles.system_profiles)

NameTypeConstraintMandatoryDefault Value
nameStringRegex: ^[^&<>! "]{1,128}$Nosecurity
descriptionStringNo
anti_replay_windowChoice64, 128, 256, 512, 1024, 2048, 4096, 8192No
anti_replay_window_variableStringRegex: ^[./\[\]a-zA-Z0-9_-]{1,64}$No
extended_anti_replay_windowIntegermin: 10, max: 2048No
extended_anti_replay_window_variableStringRegex: ^[./\[\]a-zA-Z0-9_-]{1,64}$No
integrity_typesListChoice[esp, ip-udp-esp, none, ip-udp-esp-no-id]No
integrity_types_variableStringRegex: ^[./\[\]a-zA-Z0-9_-]{1,64}$No
ipsec_pairwise_keyingBooleantrue, falseNo
ipsec_pairwise_keying_variableStringRegex: ^[./\[\]a-zA-Z0-9_-]{1,64}$No
key_chainsList[key_chains]No
keysList[keys]No
rekey_timeIntegermin: 10, max: 1209600No
rekey_time_variableStringRegex: ^[./\[\]a-zA-Z0-9_-]{1,64}$No

key_chains (sdwan.feature_profiles.system_profiles.security)

NameTypeConstraintMandatoryDefault Value
key_idIntegermin: 0, max: 2147483647Yes
nameStringmax: 236Yes

keys (sdwan.feature_profiles.system_profiles.security)

NameTypeConstraintMandatoryDefault Value
idIntegerYes
accept_ao_mismatchBooleantrue, falseNo
accept_ao_mismatch_variableStringRegex: ^[./\[\]a-zA-Z0-9_-]{1,64}$No
accept_life_time_durationIntegermin: 1, max: 2147483646No
accept_life_time_exactIntegerNo
accept_life_time_infiniteBooleantrue, falseNo
accept_life_time_localBooleantrue, falseNo
accept_life_time_local_variableStringRegex: ^[./\[\]a-zA-Z0-9_-]{1,64}$No
accept_life_time_start_epochIntegerYes
crypto_algorithmChoiceaes-128-cmac, hmac-sha-1, hmac-sha-256Yes
include_tcp_optionsBooleantrue, falseNo
include_tcp_options_variableStringRegex: ^[./\[\]a-zA-Z0-9_-]{1,64}$No
key_chain_nameStringYes
key_stringStringmin: 1No
key_string_variableStringRegex: ^[./\[\]a-zA-Z0-9_-]{1,64}$No
receiver_idIntegermin: 0, max: 255No
receiver_id_variableStringRegex: ^[./\[\]a-zA-Z0-9_-]{1,64}$No
send_idIntegermin: 0, max: 255No
send_id_variableStringRegex: ^[./\[\]a-zA-Z0-9_-]{1,64}$No
send_life_time_durationIntegermin: 1, max: 2147483646No
send_life_time_exactIntegerNo
send_life_time_infiniteBooleantrue, falseNo
send_life_time_localBooleantrue, falseNo
send_life_time_local_variableStringRegex: ^[./\[\]a-zA-Z0-9_-]{1,64}$No
send_life_time_start_epochIntegerYes

Examples

sdwan:
  feature_profiles:
    system_profiles:
      - name: system1
        description: this is test system profile
        security:
          name: security
          description: basic security
          anti_replay_window: 8192
          extended_anti_replay_window_variable: extended_arw
          integrity_types:
            - esp
            - ip-udp-esp
          key_chains:
            - name: CHAIN1
              key_id: 1
          keys:
            - accept_life_time_start_epoch: 1714125354
              accept_life_time_exact: 1774125354
              crypto_algorithm: hmac-sha-256
              id: 1
              key_chain_name: CHAIN1
              key_string: lpqBQBw92hQOkcsmT7pLZq
              receiver_id_variable: key_recv_id
              send_id: 10
              send_life_time_start_epoch: 1714125354
              send_life_time_infinite: true
          rekey_time: 172800