System Security Feature

Change the rekey time, anti-replay window, and authentication types for IPsec.

Diagram

Classes

system_profiles (sdwan.feature_profiles)

Name	Type	Constraint	Mandatory	Default Value
security	Class	`[security]`	No

security (sdwan.feature_profiles.system_profiles)

Name	Type	Constraint	Mandatory	Default Value
name	String	Regex: `^[^&<>! "]{1,128}$`	No	`security`
description	String		No
anti_replay_window	Choice	`64`, `128`, `256`, `512`, `1024`, `2048`, `4096`, `8192`	No
anti_replay_window_variable	String	Regex: `^[./\[\]a-zA-Z0-9_-]{1,64}$`	No
extended_anti_replay_window	Integer	min: `10`, max: `2048`	No
extended_anti_replay_window_variable	String	Regex: `^[./\[\]a-zA-Z0-9_-]{1,64}$`	No
integrity_types	List	Choice[`esp`, `ip-udp-esp`, `none`, `ip-udp-esp-no-id`]	No
integrity_types_variable	String	Regex: `^[./\[\]a-zA-Z0-9_-]{1,64}$`	No
ipsec_pairwise_keying	Boolean	`true`, `false`	No
ipsec_pairwise_keying_variable	String	Regex: `^[./\[\]a-zA-Z0-9_-]{1,64}$`	No
key_chains	List	`[key_chains]`	No
keys	List	`[keys]`	No
rekey_time	Integer	min: `10`, max: `1209600`	No
rekey_time_variable	String	Regex: `^[./\[\]a-zA-Z0-9_-]{1,64}$`	No

key_chains (sdwan.feature_profiles.system_profiles.security)

Name	Type	Constraint	Mandatory	Default Value
key_id	Integer	min: `0`, max: `2147483647`	Yes
name	String	max: `236`	Yes

keys (sdwan.feature_profiles.system_profiles.security)

Name	Type	Constraint	Mandatory
id	Integer		Yes
accept_ao_mismatch	Boolean	`true`, `false`	No
accept_ao_mismatch_variable	String	Regex: `^[./\[\]a-zA-Z0-9_-]{1,64}$`	No
accept_life_time_duration	Integer	min: `1`, max: `2147483646`	No
accept_life_time_exact	Integer		No
accept_life_time_infinite	Boolean	`true`, `false`	No
accept_life_time_local	Boolean	`true`, `false`	No
accept_life_time_local_variable	String	Regex: `^[./\[\]a-zA-Z0-9_-]{1,64}$`	No
accept_life_time_start_epoch	Integer		Yes
crypto_algorithm	Choice	`aes-128-cmac`, `hmac-sha-1`, `hmac-sha-256`	Yes
include_tcp_options	Boolean	`true`, `false`	No
include_tcp_options_variable	String	Regex: `^[./\[\]a-zA-Z0-9_-]{1,64}$`	No
key_chain_name	String		Yes
key_string	String	min: `1`	No
key_string_variable	String	Regex: `^[./\[\]a-zA-Z0-9_-]{1,64}$`	No
receiver_id	Integer	min: `0`, max: `255`	No
receiver_id_variable	String	Regex: `^[./\[\]a-zA-Z0-9_-]{1,64}$`	No
send_id	Integer	min: `0`, max: `255`	No
send_id_variable	String	Regex: `^[./\[\]a-zA-Z0-9_-]{1,64}$`	No
send_life_time_duration	Integer	min: `1`, max: `2147483646`	No
send_life_time_exact	Integer		No
send_life_time_infinite	Boolean	`true`, `false`	No
send_life_time_local	Boolean	`true`, `false`	No
send_life_time_local_variable	String	Regex: `^[./\[\]a-zA-Z0-9_-]{1,64}$`	No
send_life_time_start_epoch	Integer		Yes

Examples

sdwan:
  feature_profiles:
    system_profiles:
      - name: system1
        description: this is test system profile
        security:
          name: security
          description: basic security
          anti_replay_window: 8192
          extended_anti_replay_window_variable: extended_arw
          integrity_types:
            - esp
            - ip-udp-esp
          key_chains:
            - name: CHAIN1
              key_id: 1
          keys:
            - accept_life_time_start_epoch: 1714125354
              accept_life_time_exact: 1774125354
              crypto_algorithm: hmac-sha-256
              id: 1
              key_chain_name: CHAIN1
              key_string: lpqBQBw92hQOkcsmT7pLZq
              receiver_id_variable: key_recv_id
              send_id: 10
              send_life_time_start_epoch: 1714125354
              send_life_time_infinite: true
          rekey_time: 172800