Cryptography (X.509, IPSec)

NVIDIA UFM-SDN Appliance Command Reference Guide v4.9.0

crypto ipsec ike {clear sa [peer {any | <ipv4v6-address>} local <ip-address>] | restart}

Manage the IKE (ISAKMP) process or database state.

Syntax Description

clear

Clears IKE (ISAKMP) peering state

sa

Clears IKE generated ISAKMP and IPSec security associations (remote peers are affected)

peer

Clears security associations for the specified IKE peer (remote peers are affected).

  • all – clears security associations for all IKE peerings with a specific local address (remote peers are affected)

  • IPv4 or IPv6 address – clears security associations for specific IKE peering with a specific local address (remote peers are affected)

local

Clear security associations for the specified/all IKE peering (remote peer is affected)

restart

Restarts the IKE (ISAKMP) daemon (clears all IKE state, peers may be affected)

Default

N/A

Configuration Mode

config

History

1.1.0

Example

Copy
Copied!
            

ufmapl [ mgmt-sa ] (config) # crypto ipsec ike restart

Related Commands

Notes

crypto ipsec peer <ipv4v6-address> local <ipv4v6-address> {enable | keying {ike [auth {hmac-md5 | hmac-sha1 | hmac-sha256 | null} | dh-group | disable | encrypt | exchange-mode | lifetime | local-identity | mode | peer-identity | pfs-group | preshared-key | prompt-preshared-key | transform-set] | manual [auth | disable | encrypt | local-spi | mode | remote-spi]}}

Configures ipsec in the system.

Syntax Description

enable

Enables IPSec peering

ike

Configures IPSec peering using IKE ISAKMP to manage SA keys.

  • auth – configures the authentication algorithm for IPSec peering

  • dh-group – configures the phase1 Diffie-Hellman group proposed for secure IKE key exchange

  • disable – configures this IPSec peering administratively disabled

  • encrypt – configures the encryption algorithm for IPSec peering

  • exchange-mode – configures the IKE key exchange mode to propose for peering

  • lifetime – configures the SA lifetime to propose for this IPSec peering

  • local-identity – configures the ISAKMP payload identification value to send as local endpoint's identity

  • mode – configures the peering mode for this IPSec peering

  • peer-identity – configures the identification value to match against the peer's ISAKMP payload identification

  • pfs-group – configures the phase2 PFS (Perfect Forwarding Secrecy) group to propose for Diffie-Hellman exchange for this IPSec peering

  • preshared-key – configures the IKE pre-shared key for the IPSec peering

  • prompt-preshared-key – prompts for the pre-shared key, rather than entering it on the command line

  • transform-set – configures transform proposal parameters

keying

Configures key management for this IPSec peering:

  • auth – configures the authentication algorithm for this IPSec peering

  • disable – configures this IPSec peering administratively disabled

  • encrypt – configures the encryption algorithm for this IPSec peering

  • local-spi – configures the local SPI for this manual IPSec peering

  • mode – configures the peering mode for this IPSec peering

  • remote-spi – configures the remote SPI for this manual IPSec peering

manual

Configures IPSec peering using manual keys

Default

N/A

Configuration Mode

config

History

1.1.0

Example

Copy
Copied!
            

ufmapl [ mgmt-sa ] (config) # crypto ipsec peer 10.10.10.10 local 10.7.34.139 enable

Related Commands

Notes

crypto certificate ca-list [default-ca-list {name {<CA list name> | system-self-signed}}]
no crypto certificate ca-list [default-ca-list {name {<cert-name> | system-self-signed}}]

Adds the specified CA certificate to the default CA certificate list.
The no form of the command removes the certificate from the default CA certificate list.

Syntax Description

cert-name

Name of the certificate

Default

N/A

Configuration Mode

config

History

1.1.0

Example

Copy
Copied!
            

ufmapl [ mgmt-sa ] (config) # crypto certificate ca-list default-ca-list name test

Related Commands

Notes

  • Two certificates with the same subject and issuer fields cannot both be placed onto the CA list

  • The no form of the command does not delete the certificate from the certificate database

  • Unless specified otherwise, applications that use CA certificates will still consult the well-known certificate bundle before looking at the default-ca-list

crypto certificate default-cert [{name {<cert-name> | system-self-signed}}]
no crypto certificate default-cert [{name {<cert-name> | system-self-signed}

Designates the named certificate as the global default certificate role for authentication of this system to clients.
The no form of the command reverts the default-cert name to "system-self-signed" (the "cert-name" value is optional and ignored).

Syntax Description

cert-name

Name of the certificate

Default

N/A

Configuration Mode

config

History

1.1.0

Example

Copy
Copied!
            

ufmapl [ mgmt-sa ] (config) # crypto certificate default-cert name test

Related Commands

Notes

  • A certificate must already be defined before it can be configured in the default-cert role

  • If the named default-cert is deleted from the database, the default-cert automatically becomes reconfigured to the factory default, the "system-self-signed" certificate

crypto certificate generation {default {country-code | days-valid | email-addr | key-size-bits | locality | org-unit | organization | state-or-prov}

Configures default values for certificate generation.

Syntax Description

country-code

Configures the default certificate value for country code with a two-alphanumeric-character code or – for none

days-valid

Configures the default certificate valid days. Default: 365 days.

email-addr

Configures the default certificate value for email address

key-size-bits

Configures the default certificate value for private key size. (Private key length in bits – at least 1024, but 2048 is strongly recommended.)

locality

Configures the default certificate value for locality

org-unit

Configures the default certificate value for organizational unit

organization

Configures the default certificate value for the organization name

state-or-prov

Configures the default certificate value for state or province

Default

N/A

Configuration Mode

config

History

1.1.0

Example

Copy
Copied!
            

ufmapl [ mgmt-sa ] (config) # crypto certificate generation default days-valid

Related Commands

Notes

crypto certificate name {<name> | system-self-signed} {comment <new comment> | generate self-signed [comment <cert-comment> | common-name <domain> | country-code <code> | days-valid <days> | email-addr <address> | key-size-bits <bits> | locality <name> | org-unit <name> | organization <name> | serial-num <number> | state-or-prov <name>]} | private-key pem <PEM string> | prompt-private-key | public-cert [comment <comment string> | pem <PEM string>] | regenerate days-valid <days> | rename <new name>}
no crypto certificate name <cert-name>

Configures default values for certificate generation.
The no form of the command clears/deletes certain certificate settings.

Syntax Description

cert-name

Unique name by which the certificate is identified

comment

Specifies a certificate comment

generate self-signed

Generates certificates. This option has the following parameters which may be entered sequentially in any order:

  • comment – specifies a certificate comment (free string)

  • common-name– specifies the common name of the issuer and subject (e.g. a domain name)

  • country-code – specifies the country codwo-alphanumeric-character country code, or “--” for none)

  • days-valid – specifies the number of days the certificate is valid

  • email-addr – specifies the email address

  • key-size-bits – specifies the size of the private key in bits (private key length in bits – at least 1024 but 2048 is strongly recommended)

  • locality – specifies the locality name

  • org-unit – specifies the organizational unit name

  • organization – specifies the organization name

  • serial-num – specifies the serial number for the certificate (a lower-case hexadecimal serial number prefixed with “0x”)

  • state-or-prov – specifies the state or province name

private-key pem

Specifies certificate contents in PEM format

prompt-private-key

Prompts for certificate private key with secure echo

public-cert

Installs a certificate

regenerate

Regenerates the named certificate using configured certificate generation default values for the specified validity period

rename

Renames the certificate

Default

N/A

Configuration Mode

config

History

1.1.0

Example

Copy
Copied!
            

ufmapl [ mgmt-sa ] (config) # crypto certificate name system-self-signed generate self-signed key-size-bits 2048

Related Commands

Notes

crypto certificate system-self-signed regenerate [days-valid <days>]

Configures default values for certificate generation.

Syntax Description

days-valid

Specifies the number of days the certificate is valid

Default

N/A

Configuration Mode

config

History

1.1.0

Example

Copy
Copied!
            

ufmapl [ mgmt-sa ] (config) # crypto certificate system-self-signed regenerate days-valid 3

Related Commands

Notes

show crypto certificate [detail | public-pem | default-cert [detail | public-pem] | [name <cert-name> [detail | public-pem] | ca-list [default-ca-list]]

Displays information about all certificates in the certificate database.

Syntax Description

ca-list

Specifies the number of days the certificate is valid

default-ca-list

Displays information about the currently configured default certificates of the CA list

default-cert

Displays information about the currently configured default certificate

detail

Displays all attributes related to the certificate

name

Displays information about the certificate specified

public-pem

Displays the uninterpreted public certificate as a PEM formatted data string

Default

N/A

Configuration Mode

Any configuration mode

History

1.1.0

Example

Copy
Copied!
            

ufmapl [ mgmt-sa ] (config) # show crypto certificate Certificate with name 'system-self-signed' (default-cert) Comment: system-generated self-signed certificate Private Key: present Serial Number: 0x546c935511bcafc21ac0e8249fbe0844 SHA-1 Fingerprint: fe6df38dd26801971cb2d44f62dbe492b6063c5f   Validity: Starts: 2012/12/02 13:45:05 Expires: 2013/12/02 13:45:05   Subject: Common Name: IBM-DEV-Bay4 Country: IS State or Province: Locality: Organization: Organizational Unit: E-mail Address:   Issuer: Common Name: IBM-DEV-Bay4 Country: IS State or Province: Locality: Organization: Organizational Unit: E-mail Address:

Related Commands

Notes

show crypto ipsec [brief | configured | ike | policy | sa]

Displays information ipsec configuration.

Syntax Description

N/A

Default

N/A

Configuration Mode

Any configuration mode

History

1.1.0

Example

Copy
Copied!
            

ufmapl [ mgmt-sa ] (config) # show crypto ipsec IPSec Summary ------------- Crypto IKE is using pluto (Openswan) daemon. Daemon process state is stopped.   No IPSec peers configured.     IPSec IKE Peering State ----------------------- Crypto IKE is using pluto (Openswan) daemon. Daemon process state is stopped.   No active IPSec IKE peers.     IPSec Policy State ------------------ No active IPSec policies.     IPSec Security Association State -------------------------------- No active IPSec security associations.

Related Commands

Notes

© Copyright 2023, NVIDIA. Last updated on Sep 6, 2023.