Virtual Private Networks (SVTI and EzVPN)
The REST API client can use the default IOS ISAKMP profile and IOS IPSec policy. If the defaults are not used, the REST API client must define an IKE policy and/or an IPSec policy before configuring the IPSec site-to-site VPN.
Workflows
Create an IPSEC VPN Tunnel
1. Create a keyring. The keyring can be shared by more than one tunnel.
POST /api/v1/vpn-svc/ike/keyrings
Create an IKE Keyring
2. (Optional) Create the IKE policy, or use one of the default policies. The IKE policy can be shared by more than one tunnel.
POST /api/v1/vpn-svc/ike/policies
Create an IKE Policy
3. Create the IPSec policy. It includes the transform set and the IPSec profile, both of which can be shared by many tunnels.
POST /api/v1/vpn-svc/ipsec/policies
Create an IPSec Policy
4. Create the IPSec VPN tunnel endpoint. It references the IKE/IPSec policy or profile, and creating it creates a tunnel interface.
POST /api/v1/vpn-svc/site-to-site
Create a Site-to-Site VPN Tunnel
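The four steps above, driven end to end by an added Python example (not Cisco's code and not from this page). It assumes the X-auth-token header name, reads the nested protection-suite, local-device and remote-device objects from this page's property tables, and uses an offline ReplayTransport that stands in for the router and answers with Location headers shaped like the page's.

```python
"""Run the four-step site-to-site workflow above in dependency order.

Added example, not Cisco's code. Assumptions not taken from this page: the
X-auth-token header name, the nested "protection-suite", "local-device" and
"remote-device" objects (read from the property tables further down), and the
offline ReplayTransport, which answers with the Location headers the page shows
so the plan can be exercised without a router.
"""
import json
import re
import ssl
import urllib.request

BASE = "/api/v1/vpn-svc"


def build_plan(psk, peer, local_ip_cidr, local_source, *, keyring="myIkeKeyring",
               ike_priority="2", ipsec_policy="myIpsecPolicy", tunnel="tunnel100"):
    """Return the ordered (method, path, body) requests for one tunnel.

    The order is the workflow's: the site-to-site POST (step 4) names the IPSec
    policy and needs a keyring entry for the peer, so steps 1-3 come first.
    """
    if len(psk) < 16:  # minimum length is this example's own choice
        raise ValueError("pre-shared key is too short for a site-to-site tunnel")
    return [
        ("POST", f"{BASE}/ike/keyrings", {
            "keyring-id": keyring,
            "pre-shared-key-list": [{"key": psk, "peer-address": f"{peer}/32"}],
        }),
        ("POST", f"{BASE}/ike/policies", {
            "priority-id": ike_priority, "version": "v1",
            "local-auth-method": "pre-share",
            # strongest IKEv1 choices the policy resource offers
            "encryption": "aes", "hash": "sha", "dhGroup": 5, "lifetime": 28800,
        }),
        ("POST", f"{BASE}/ipsec/policies", {
            "policy-id": ipsec_policy,
            "protection-suite": {"esp-encryption": "esp-aes",
                                 "esp-authentication": "esp-sha-hmac"},
            "anti-replay-window-size": "512",
            "lifetime-sec": 3600,
            "pfs": "group14",  # PFS is off by default; turn it on explicitly
        }),
        ("POST", f"{BASE}/site-to-site", {
            "vpn-type": "site-to-site", "vpn-interface-name": tunnel,
            "ipsec-policy-id": ipsec_policy,
            "local-device": {"ip-address": local_ip_cidr,
                             "tunnel-ip-address": local_source},
            "remote-device": {"tunnel-ip-address": peer},
        }),
    ]


class HttpsTransport:
    """Sends one request to the router; TLS is verified with the default trust store."""

    def __init__(self, host, token):
        self.host, self.token = host, token
        self.ctx = ssl.create_default_context()

    def send(self, method, path, body):
        req = urllib.request.Request(
            f"https://{self.host}{path}", data=json.dumps(body).encode(),
            method=method, headers={"Content-Type": "application/json",
                                    "X-auth-token": self.token})  # header name assumed
        with urllib.request.urlopen(req, context=self.ctx, timeout=30) as resp:
            return resp.status, resp.headers.get("Location", "")


class ReplayTransport:
    """Offline stand-in: records requests and answers 201 with a Location header
    shaped like the ones on this page; fail_on makes one path return 400."""

    def __init__(self, fail_on=None):
        self.sent, self.fail_on = [], fail_on

    def send(self, method, path, body):
        self.sent.append((method, path, body))
        if path == self.fail_on:
            return 400, ""
        name = (body.get("keyring-id") or body.get("priority-id")
                or body.get("policy-id") or body.get("vpn-interface-name"))
        return 201, f"https://host{path}/{name}"


def create_tunnel(transport, plan):
    """Execute the plan in order and return the resource paths from the Location
    headers. Stops at the first failure so a later step is never sent while the
    object it references is missing; the error names what was already created
    (and never echoes the body, which carries the pre-shared key)."""
    created = []
    for method, path, body in plan:
        status, location = transport.send(method, path, body)
        if status not in (200, 201):
            raise RuntimeError(f"{method} {path} returned HTTP {status}; "
                               f"already created: {created}")
        match = re.search(r"(/api/v1/.*)$", location)
        created.append(match.group(1) if match else path)
    return created


if __name__ == "__main__":
    demo = build_plan("XnX1B0I9Z4CWNCGzeEhlNuTFxWBD1vng", "10.0.149.217",
                      "10.0.51.203/24", "10.0.149.203")  # values from this page
    for res in create_tunnel(ReplayTransport(), demo):
        print("created", res)
```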
Resource Summary for IPSec VPN
| Resource | URI | GET | POST | PUT | DELETE |
|---|---|---|---|---|---|
| IPSec VPN site-to-site | /api/v1/vpn-svc/site-to-site | Y | Y | N | N |
| IPSec VPN site-to-site interface | /api/v1/vpn-svc/site-to-site/{vpn-interface-id} | Y | N | Y | Y |
| VPN site-to-site interface state | /api/v1/vpn-svc/site-to-site/{vpn-interface-id}/state | Y | N | Y | N |
| DMVPN Hub | /api/v1/vpn-svc/dmvpn/hub | Y | Y | N | N |
| DMVPN Hub | /api/v1/vpn-svc/dmvpn/hub/{vpn-id} | Y | N | Y | Y |
| Keyrings | /api/v1/vpn-svc/ike/keyrings | Y | Y | N | N |
| Keyring ID | /api/v1/vpn-svc/ike/keyrings/{keyring-id} | Y | N | Y | Y |
| IKE policies | /api/v1/vpn-svc/ike/policies | N | N | N | N |
| IKE policies | /api/v1/vpn-svc/ike/policies/{policy-id} | N | N | N | N |
| IKE Keep Alive | /api/v1/vpn-svc/ike/keepalive | Y | N | Y | Y |
| IKEv2 Policy | /api/v1/vpn-svc/ikev2/policy | Y | Y | N | N |
| IKEv2 Policy | /api/v1/vpn-svc/ikev2/policy/{resource-id} | Y | N | Y | Y |
| IKEv2 Keyring | /api/v1/vpn-svc/ikev2/keyring | Y | N | N | N |
| IKEv2 Keyring | /api/v1/vpn-svc/ikev2/keyring/{resource-id} | Y | N | N | Y |
| IKEv2 Keyring Peer | /api/v1/vpn-svc/ikev2/keyring/{resource-id}/add-peer | N | Y | N | N |
| IKEv2 Keyring Peer | /api/v1/vpn-svc/ikev2/keyring/{resource-id}/add-peer/{peer-name} | N | N | Y | Y |
| IKEv2 Profile | /api/v1/vpn-svc/ikev2/profile | Y | Y | N | N |
| IKEv2 Profile | /api/v1/vpn-svc/ikev2/profile/{resource-id} | Y | N | Y | Y |
| IPSec policies | /api/v1/vpn-svc/ipsec/policies | Y | Y | N | N |
| IPSec policies | /api/v1/vpn-svc/ipsec/policies/{policy-id} | Y | N | Y | Y |
| Active sessions | /api/v1/vpn-svc/site-to-site/active/sessions | Y | N | N | N |
| Site-to-site statistics | /api/v1/vpn-svc/site-to-site/statistics | Y | N | N | N |
IKE Crypto Key Ring Resource
History
| Release | Modification |
|---|---|
| IOS XE 3.10 | Introduced for the CSR1000V platform |
| IOS XE 3.14 | Introduced for ASR1001-X and ASR1002-X platforms |
Properties
| Property | Type | Required for POST and PUT | Description |
|---|---|---|---|
| kind | string | Not applicable | Must be object#ike-keyring. |
| keyring-id | string | Mandatory | IKE key ring name. This cannot be changed once it is configured. |
| pre-shared-key-list | array | Mandatory | List of pre-shared-key information. This is equivalent to the IOS “crypto keyring” with one or more (key, remote-address) pairs. |
| key | string | Mandatory | (sub-property of pre-shared-key-list) Pre-shared-key value |
| peer-address | string | Mandatory | (sub-property of pre-shared-key-list) Host name or IP address in CIDR format x.x.x.x/nn |
JSON Representation for REST API IKE Keyring (IOS Crypto Keyring)
{
  "kind": "object#ike-keyring",
  "keyring-id": "{string}",
  "pre-shared-key-list": [
    {
      "key": "{string}",
      "peer-address": "{string}"
    }
  ]
}
Retrieve an IKE Keyring
Resource URI
GET /api/v1/vpn-svc/ike/keyrings/{keyring-id}
Example
JSON Request
GET /api/v1/vpn-svc/ike/keyrings/myKeyring
JSON Response
Content-type: application/json
{
  "kind": "object#ike-keyring",
  "keyring-id": "myKeyring",
  "pre-shared-key-list": [
    {"peer-address": "pepsi-1"}
  ]
}
Retrieve All IKE Keyrings
Resource URI
GET /api/v1/vpn-svc/ike/keyrings
Properties for Retrieve All
| Property | Type | Required for POST and PUT | Description |
|---|---|---|---|
| kind | string | Not applicable | Must be collection#ike-keyring. |
| items | array | Mandatory | List of IKE keyring objects. |
JSON Representation
{
  "kind": "collection#ike-keyring",
  "items": [
    { IKE keyring JSON object } *
  ]
}
Example
JSON Request
GET /api/v1/vpn-svc/ike/keyrings
JSON Response
Content-type: application/json
{
  "kind": "collection#ike-keyring",
  "items": [
    {
      "kind": "object#ike-keyring",
      "keyring-id": "myIkeKeyring",
      "pre-shared-key-list": [{"peer-address": "pepsi-1"}]
    },
    {
      "kind": "object#ike-keyring",
      "keyring-id": "myOtherIkeKeyring",
      "pre-shared-key-list": [{"peer-address": "marketing"}]
    }
  ]
}
Modify an IKE Keyring
Resource URI
PUT /api/v1/vpn-svc/ike/keyrings/{keyring-id}
Example: Request to Add Another Key and Peer-address
JSON Request
PUT /api/v1/vpn-svc/ike/keyrings/myIkeKeyring
Content-type: application/json
{
  "keyring-id": "myIkeKeyring",
  "pre-shared-key-list": [
    {"key": "cisco123", "peer-address": "pepsi-1"},
    {"key": "root123", "peer-address": "coke"}
  ]
}
JSON Response
Location: http://host/api/v1/vpn-svc/ike/keyrings/myIkeKeyring
Delete an IKE Keyring
Resource URI
DELETE /api/v1/vpn-svc/ike/keyrings/{keyring-id}
Example
JSON Request
DELETE /api/v1/vpn-svc/ike/keyrings/myIkeKeyring
JSON Response
Create an IKE Keyring
Resource URI
POST /api/v1/vpn-svc/ike/keyrings
Example
JSON Request
POST /api/v1/vpn-svc/ike/keyrings
Content-type: application/json
{
  "keyring-id": "myIkeKeyring",
  "pre-shared-key-list": [
    {"key": "XnX1B0I9Z4CWNCGzeEhlNuTFxWBD1vng", "peer-address": "10.0.149.217/32"}
  ]
}
JSON Response
Location: http://host/api/v1/vpn-svc/ike/keyrings/myIkeKeyring
IKE Policy Resource
An IKE policy resource must be created before creating a VPN site-to-site tunnel. The policy is a global configuration and can be applied to more than one VPN tunnel.
History
| Release | Modification |
|---|---|
| IOS XE 3.10 | Introduced for the CSR1000V platform |
| IOS XE 3.14 | Introduced for ASR1001-X and ASR1002-X platforms |
Properties
| Property | Type | Required for POST and PUT | Description |
|---|---|---|---|
| kind | string | Not applicable | Must be object#ike-policy. |
| priority-id | string | Mandatory | The ISAKMP policy priority number. For IKEv1 it must be numeric (IKEv2 differs). |
| version | string | Optional | IKE version. Only “v1” is supported. |
| local-auth-method | string | Optional | “pre-share” for pre-shared key (default). “rsa-sig” and “rsa-encr” are not supported. |
| encryption | string | Optional | “3des”: triple DES; “aes”: AES (Advanced Encryption Standard); “des”: DES (Data Encryption Standard, 56-bit keys). |
| hash | string | Optional | “md5”: Message Digest 5; “sha”: Secure Hash Standard. There is a default. |
| dhGroup | number | Optional | 1: Diffie-Hellman group 1 (768 bit); 2: Diffie-Hellman group 2 (1024 bit); 5: Diffie-Hellman group 5 (1536 bit). There is a default. |
| lifetime | number | Optional | Lifetime in seconds, 60 to 86400. There is a default. |
JSON Representation for REST API IKE Policy (IOS ISAKMP Policy)
{
  "kind": "object#ike-policy",
  "priority-id": "{string}",
  "version": "{string}",
  "local-auth-method": "{string}",
  "encryption": "{string}",
  "hash": "{string}",
  "dhGroup": {number},
  "lifetime": {number}
}
Retrieve an IKE Policy
Resource URI
GET /api/v1/vpn-svc/ike/policies/{policy-id}
Example
JSON Request
GET /api/v1/vpn-svc/ike/policies/2
JSON Response
Content-type: application/json
{
  "kind": "object#ike-policy",
  "priority-id": "2",
  "local-auth-method": "pre-share"
}
Retrieve All IKE Policies
Resource URI
GET /api/v1/vpn-svc/ike/policies
Properties for Retrieve All
| Property | Type | Required for POST and PUT | Description |
|---|---|---|---|
| kind | string | Not applicable | Must be “collection#ike-policy”. |
| items | array | | List of IKE policy objects. |
JSON Representation
{
  "kind": "collection#ike-policy",
  "items": [
    { IKE policy JSON object } *
  ]
}
Example
JSON Request
GET /api/v1/vpn-svc/ike/policies
JSON Response
Content-type: application/json
{
  "kind": "collection#ike-policy",
  "items": [
    {"kind": "object#ike-policy", "local-auth-method": "pre-share"},
    {"kind": "object#ike-policy", "local-auth-method": "pre-share"}
  ]
}
Modify an IKE Policy
Resource URI
PUT /api/v1/vpn-svc/ike/policies/{policy-id}
Example: Modifying the Encryption from 3DES to AES128
JSON Request
PUT /api/v1/vpn-svc/ike/policies/2
Content-type: application/json
{
  "priority-id": "2",
  "local-auth-method": "pre-share",
  "encryption": "aes"
}
JSON Response
Location: http://host/api/v1/vpn-svc/ike/policies/2
Delete an IKE Policy
Resource URI
DELETE /api/v1/vpn-svc/ike/policies/{policy-id}
Example
JSON Request
DELETE /api/v1/vpn-svc/ike/policies/2
JSON Response
Create an IKE Policy
Resource URI
POST /api/v1/vpn-svc/ike/policies
Example
JSON Request
POST /api/v1/vpn-svc/ike/policies
Content-type: application/json
{
  "priority-id": "2",
  "local-auth-method": "pre-share"
}
JSON Response
Location: http://host/api/v1/vpn-svc/ike/policies/2
IKE Keepalive Resource
The IKE Keepalive is a single global resource. DELETE on this resource removes the IKE Keepalive configuration from the router. GET on this resource returns 404 Not Found when IKE Keepalive is not configured.
History
| Release | Modification |
|---|---|
| IOS XE 3.11 | Introduced for the CSR1000V platform |
| IOS XE 3.14 | Introduced for ASR1001-X and ASR1002-X platforms |
Properties
| Property | Type | Required for POST and PUT | Description |
|---|---|---|---|
| kind | string | Not applicable | Object type: “object#ike-keepalive” |
| interval | number | Mandatory | Keepalive interval time (10 - 3600) |
| retry | number | Mandatory | Retry time (2 - 60), default 2 seconds |
| periodic | boolean | Mandatory | Keepalive mode: TRUE is periodic, FALSE is on-demand (the default) |
JSON Representation for IKE Keepalive
{
  "kind": "object#ike-keepalive",
  "interval": {number},
  "retry": {number},
  "periodic": {boolean}
}
Retrieve IKE Keepalive
Resource URI
GET /api/v1/vpn-svc/ike/keepalive
Example
JSON Request
GET /api/v1/vpn-svc/ike/keepalive
Accept: application/json
JSON Response
200 OK
Content-Type: application/json
{
  "kind": "object#ike-keepalive",
  "interval": 30,
  "retry": 2,
  "periodic": false
}
Modify IKE Keepalive
Resource URI
PUT /api/v1/vpn-svc/ike/keepalive
Example
JSON Request
PUT /api/v1/vpn-svc/ike/keepalive
Content-Type: application/json
{
  "interval": 30,
  "retry": 10,
  "periodic": true
}
JSON Response
204 No Content
Delete IKE Keepalive
Resource URI
DELETE /api/v1/vpn-svc/ike/keepalive
Example
JSON Request
DELETE /api/v1/vpn-svc/ike/keepalive
JSON Response
204 No Content
IPSec Policy Resource
An IPSec policy resource must be created before creating a VPN site-to-site tunnel. The policy is a global configuration and can be applied to more than one VPN tunnel.
History
| Release | Modification |
|---|---|
| IOS XE 3.10 | Introduced for the CSR1000V platform |
| IOS XE 3.14 | Introduced for ASR1001-X and ASR1002-X platforms |
Properties
| Property | Type | Required for POST and PUT | Description |
|---|---|---|---|
| kind | string | Not applicable | Must be object#ipsec-policy. |
| policy-id | string | Mandatory | IPSec policy name |
| protection-suite | object | Mandatory | Optional, as there is a default protection suite (IOS transform-set). |
| esp-encryption | string | Mandatory | (sub-property of protection-suite) ESP encryption transform. There is a default. esp-3des: 3DES (EDE) cipher (168 bits); esp-aes: AES cipher (default); esp-des: DES cipher (56 bits); esp-null: no cipher; esp-seal: SEAL cipher (160 bits). |
| esp-authentication | string | Optional | (sub-property of protection-suite) ESP authentication transform. esp-md5-hmac: HMAC-MD5; esp-sha-hmac: HMAC-SHA (default). |
| ah | string | Optional | (sub-property of protection-suite) AH transform. ah-md5-hmac: AH HMAC-MD5; ah-sha-hmac: AH HMAC-SHA. |
| anti-replay-window-size | string | Optional | “Disable” or one of the window sizes 64 (default), 128, 256, 512, 1024. |
| lifetime-sec | number | Optional | Lifetime in seconds. Default 3600. |
| lifetime-kb | number | Optional | Lifetime in kilobytes. Default 4608000. |
| idle-time | number | Optional | IPSec idle timer in seconds. |
| pfs | string | Optional | Perfect forward secrecy. Default is Disable; if enabled, specifies the DH group: group1 (768-bit modp), group2 (1024-bit modp), group5 (1536-bit modp), group14 (2048-bit modp), group15 (3072-bit modp), group16 (4096-bit modp), group19 (256-bit ecp), group20 (384-bit ecp), group24 (2048-bit modp, 256-bit subgroup). |
JSON Representation
{
  "kind": "object#ipsec-policy",
  "policy-id": "{string}",
  "protection-suite": {
    "esp-encryption": "{string}",
    "esp-authentication": "{string}",
    "ah": "{string}"
  },
  "anti-replay-window-size": "{string}",
  "lifetime-sec": {number},
  "lifetime-kb": {number},
  "idle-time": {number},
  "pfs": "{string}"
}
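An added review helper (not Cisco's code and not from this page) that checks an IKE policy body and an IPSec policy body against the value lists in the IKE Policy and IPSec Policy property tables above. The severities and the suggested replacements are this example's own choices; it accepts the protection-suite fields either nested, as the table describes, or flat, as the page's request examples write them.

```python
"""Review an IKE policy and an IPSec policy body for weak settings.

Added example, not Cisco's code. It covers both the IKE Policy and the IPSec
Policy property tables above and uses only the values those tables enumerate;
the severities and the replacement advice are this example's own.
"""

# IKE policy (ISAKMP) values the resource accepts, with what is wrong with them
WEAK_IKE_ENCRYPTION = {"des": "56-bit DES", "3des": "3DES (64-bit block size)"}
WEAK_IKE_HASH = {"md5": "MD5"}
WEAK_IKE_DH = {1: "768-bit MODP", 2: "1024-bit MODP"}
UNSUPPORTED_AUTH = {"rsa-sig", "rsa-encr"}

# IPSec transform-set values from the protection-suite sub-properties
WEAK_ESP_ENCRYPTION = {"esp-null": "no confidentiality at all", "esp-des": "56-bit DES",
                       "esp-3des": "3DES (64-bit block size)", "esp-seal": "SEAL stream cipher"}
WEAK_ESP_AUTH = {"esp-md5-hmac": "HMAC-MD5"}
WEAK_AH = {"ah-md5-hmac": "HMAC-MD5"}
WEAK_PFS = {"group1": "768-bit MODP", "group2": "1024-bit MODP", "group5": "1536-bit MODP"}


def lint_ike_policy(policy):
    """Return (severity, message) findings for one object#ike-policy body."""
    findings = []
    enc = policy.get("encryption")
    if enc in WEAK_IKE_ENCRYPTION:
        findings.append(("high", f"encryption {enc!r} is {WEAK_IKE_ENCRYPTION[enc]}; use 'aes'"))
    if policy.get("hash") in WEAK_IKE_HASH:
        findings.append(("medium", "hash 'md5' is MD5; use 'sha'"))
    group = policy.get("dhGroup")
    if group in WEAK_IKE_DH:
        findings.append(("high", f"dhGroup {group} is {WEAK_IKE_DH[group]}; "
                                 "group 5 is the strongest this IKEv1 resource offers"))
    elif group is None:
        findings.append(("info", "dhGroup not set; the IOS default applies, set it explicitly"))
    if policy.get("local-auth-method") in UNSUPPORTED_AUTH:
        findings.append(("high", "local-auth-method must be 'pre-share'; "
                                 "rsa-sig and rsa-encr are not supported by this resource"))
    lifetime = policy.get("lifetime")
    if lifetime is not None and not 60 <= lifetime <= 86400:
        findings.append(("high", f"lifetime {lifetime} is outside the accepted 60-86400 seconds"))
    return findings


def lint_ipsec_policy(policy):
    """Return (severity, message) findings for one object#ipsec-policy body."""
    findings = []
    suite = policy.get("protection-suite", policy)  # nested (table) or flat (examples)
    enc = suite.get("esp-encryption")
    if enc in WEAK_ESP_ENCRYPTION:
        sev = "high" if enc in ("esp-null", "esp-des") else "medium"
        findings.append((sev, f"esp-encryption {enc!r}: {WEAK_ESP_ENCRYPTION[enc]}; use 'esp-aes'"))
    if suite.get("esp-authentication") in WEAK_ESP_AUTH:
        findings.append(("medium", "esp-authentication 'esp-md5-hmac'; use 'esp-sha-hmac'"))
    if suite.get("ah") in WEAK_AH:
        findings.append(("medium", "ah 'ah-md5-hmac'; use 'ah-sha-hmac'"))
    if str(policy.get("anti-replay-window-size", "")).lower() == "disable":
        findings.append(("high", "anti-replay-window-size 'Disable' turns off replay "
                                 "protection; use one of 64-1024"))
    pfs = policy.get("pfs")
    if pfs in (None, "Disable"):
        findings.append(("medium", "pfs is disabled (the default); set 'group14' or stronger"))
    elif pfs in WEAK_PFS:
        findings.append(("medium", f"pfs {pfs!r} is {WEAK_PFS[pfs]}; use group14 or stronger"))
    return findings


def worst(findings):
    """Highest severity present, or 'ok' when there are no findings."""
    order = {"high": 3, "medium": 2, "info": 1}
    return max((sev for sev, _ in findings), key=order.get, default="ok")


if __name__ == "__main__":
    # the page's own GET example for myIpsecPolicy, nested form
    sample = {"kind": "object#ipsec-policy", "policy-id": "myIpsecPolicy",
              "protection-suite": {"esp-encryption": "esp-3des",
                                   "esp-authentication": "esp-sha-hmac"},
              "anti-replay-window-size": "64"}
    for sev, msg in lint_ipsec_policy(sample):
        print(f"[{sev}] {msg}")
```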
Retrieve an IPSec Policy
Resource URI
GET /api/v1/vpn-svc/ipsec/policies/{policy-id}
Example
JSON Request
GET /api/v1/vpn-svc/ipsec/policies/myIpsecPolicy
JSON Response
Content-type: application/json
{
  "kind": "object#ipsec-policy",
  "policy-id": "myIpsecPolicy",
  "protection-suite": {
    "esp-encryption": "esp-3des",
    "esp-authentication": "esp-sha-hmac"
  },
  "anti-replay-window-size": "64"
}
Retrieve All IPSec Policies
Resource URI
GET /api/v1/vpn-svc/ipsec/policies
Properties for Retrieve All
| Property | Type | Required for POST and PUT | Description |
|---|---|---|---|
| kind | string | Not applicable | Must be “collection#ipsec-policy”. |
| items | array | Mandatory | List of IPSec policy objects. |
JSON Representation
{
  "kind": "collection#ipsec-policy",
  "items": [
    { IPSec policy JSON object } *
  ]
}
Example
JSON Request
GET /api/v1/vpn-svc/ipsec/policies
JSON Response
Content-type: application/json
{
  "kind": "collection#ipsec-policy",
  "items": [
    {
      "kind": "object#ipsec-policy",
      "policy-id": "myIpsecPolicy",
      "protection-suite": {
        "esp-encryption": "esp-aes",
        "esp-authentication": "esp-md5-hmac"
      },
      "anti-replay-window-size": "512"
    },
    {
      "kind": "object#ipsec-policy",
      "policy-id": "testPolicy",
      "protection-suite": {
        "esp-encryption": "esp-aes"
      },
      "anti-replay-window-size": "512"
    }
  ]
}
Modify an IPSec Policy
Resource URI
PUT /api/v1/vpn-svc/ipsec/policies/{policy-id}
Example
JSON Request
PUT /api/v1/vpn-svc/ipsec/policies/myIpsecPolicy
Content-type: application/json
{
  "policy-id": "myIpsecPolicy",
  "protection-suite": {
    "esp-encryption": "esp-3des",
    "esp-authentication": "esp-sha-hmac"
  },
  "anti-replay-window-size": "64"
}
JSON Response
Delete an IPSec Policy
Resource URI
DELETE /api/v1/vpn-svc/ipsec/policies/{policy-id}
Example
JSON Request
DELETE /api/v1/vpn-svc/ipsec/policies/myIpsecPolicy
JSON Response
Create an IPSec Policy
Resource URI
POST /api/v1/vpn-svc/ipsec/policies
Example
JSON Request
POST /api/v1/vpn-svc/ipsec/policies
Content-type: application/json
{
  "policy-id": "myIpsecPolicy",
  "protection-suite": {
    "esp-encryption": "esp-aes",
    "esp-authentication": "esp-md5-hmac"
  },
  "anti-replay-window-size": "512"
}
JSON Response
Location: http://host/api/v1/vpn-svc/ipsec/policies/myIpsecPolicy
Site-to-Site Tunnel
History
| Release | Modification |
|---|---|
| IOS XE 3.10 | Introduced for the CSR1000V platform |
| IOS XE 3.11 | For the local-device property, added the option of entering an interface name instead of an IP address. |
| IOS XE 3.12 | Added ike-profile and mtu properties. |
| IOS XE 3.14 | Introduced for ASR1001-X and ASR1002-X platforms |
Properties
| Property | Type | Required for POST and PUT | Description |
|---|---|---|---|
| vpn-interface-name | string | Mandatory | A unique name of the form “tunnel<number>”. For example, “tunnel1”. |
| ike-profile | string | Optional | IKE profile name |
| mtu | number | Optional | MTU of the VPN tunnel. Range: 68 to 9192 |
| vpn-type | string | Mandatory | Must be “site-to-site”. |
| ip-version | string | Mandatory | “ipv4” or “ipv6”. The default is IPv4. Optional. |
| ipsec-policy-id | string | Optional | IPSec policy name. |
| local-device | object | Mandatory | The local device, with the two sub-properties below. |
| ip-address | string | Mandatory | (sub-property of local-device) Tunnel interface's IP address, in CIDR format x.x.x.x/nn or as an interface name. When it is an interface name, the tunnel is IP unnumbered to that interface. |
| tunnel-ip-address | string | Mandatory | (sub-property of local-device) Tunnel source: interface name or IP address in x.x.x.x format. Required for SVTI and DVTI. |
| remote-device | object | Mandatory | The remote peer, with the sub-property below. |
| tunnel-ip-address | string | Mandatory | (sub-property of remote-device) Remote peer IP address in x.x.x.x format. |
JSON Representation
{
  "kind": "object#vpn-site-to-site",
  "vpn-type": "site-to-site",
  "vpn-interface-name": "{string}",
  "ike-profile": "{string}",
  "mtu": {number},
  "ip-version": "{string}",
  "ipsec-policy-id": "{string}",
  "local-device": {
    "ip-address": "{string}",
    "tunnel-ip-address": "{string}"
  },
  "remote-device": {
    "tunnel-ip-address": "{string}"
  }
}
Retrieve a Site-to-Site VPN Tunnel
Resource URI
GET /api/v1/vpn-svc/site-to-site/{vpn-id}
Example
JSON Request
GET /api/v1/vpn-svc/site-to-site/tunnel100
JSON Response
Content-type: application/json
{
  "kind": "object#vpn-site-to-site",
  "vpn-interface-name": "tunnel100",
  "vpn-type": "site-to-site",
  "ipsec-policy-id": "myIpsecPolicy",
  "local-device": {
    "ip-address": "10.0.51.203/24",
    "tunnel-ip-address": "10.0.149.203"
  },
  "remote-device": {
    "tunnel-ip-address": "10.0.149.217"
  }
}
Retrieve All Site-to-Site VPN Tunnels
Resource URI
GET /api/v1/vpn-svc/site-to-site
Properties for Retrieve All
| Property | Type | Required for POST and PUT | Description |
|---|---|---|---|
| kind | string | Not applicable | Must be “collection#vpn-site-to-site”. |
| items | array | Not applicable | List of VPN objects. |
JSON Representation
{
  "kind": "collection#vpn-site-to-site",
  "items": [
    {vpn site-to-site json object}+
  ]
}
Example
JSON Request
GET /api/v1/vpn-svc/site-to-site
JSON Response
Content-type: application/json
{
  "kind": "collection#vpn-site-to-site",
  "items": [
    {
      "kind": "object#vpn-site-to-site",
      "vpn-type": "site-to-site",
      "vpn-interface-name": "tunnel100",
      "ike-profile": "ike-profile-1",
      "ipsec-policy-id": "myIpsecPolicy",
      "local-device": {
        "ip-address": "10.0.51.203/24",
        "tunnel-ip-address": "10.0.149.203"
      },
      "remote-device": {
        "tunnel-ip-address": "10.0.149.217"
      }
    },
    {
      "kind": "object#vpn-site-to-site",
      "vpn-type": "site-to-site",
      "ike-profile": "ike-profile-1",
      "ipsec-policy-id": "ciscoIpsecPolicy",
      "local-device": {
        "ip-address": "100.0.51.203/24",
        "tunnel-ip-address": "100.0.149.203"
      },
      "remote-device": {
        "tunnel-ip-address": "100.0.149.217"
      }
    }
  ]
}
Create a Site-to-Site VPN Tunnel
Resource URI
POST /api/v1/vpn-svc/site-to-site
Example
This POST example relates to the VPN tunnel example given in Retrieve All Site-to-Site VPN Tunnels.
JSON Request
POST /api/v1/vpn-svc/site-to-site
Content-type: application/json
{
  "vpn-type": "site-to-site",
  "vpn-interface-name": "tunnel100",
  "ike-profile": "ike-profile-1",
  "ipsec-policy-id": "myIpsecPolicy",
  "local-device": {
    "ip-address": "10.0.51.203/24",
    "tunnel-ip-address": "10.0.149.203"
  },
  "remote-device": {
    "tunnel-ip-address": "10.0.149.217"
  }
}
JSON Response
Location: http://host/api/v1/vpn-svc/site-to-site/tunnel100
Modify a Site-to-Site VPN
Resource URI
PUT /api/v1/vpn-svc/site-to-site/{vpn-id}
Example: Modifying the Remote Tunnel IP Address
JSON Request
PUT /api/v1/vpn-svc/site-to-site/tunnel100
Content-type: application/json
{
  "vpn-interface-name": "tunnel100",
  "vpn-type": "site-to-site",
  "ipsec-policy-id": "myIpsecPolicy",
  "local-device": {
    "ip-address": "10.0.51.203/24",
    "tunnel-ip-address": "10.0.149.203"
  },
  "remote-device": {
    "tunnel-ip-address": "10.0.149.218"
  }
}
JSON Response
Delete a Site-to-Site VPN Tunnel
Resource URI
DELETE /api/v1/vpn-svc/site-to-site/{vpn-id}
Example
JSON Request
DELETE /api/v1/vpn-svc/site-to-site/tunnel100
JSON Response
Change State of a Tunnel Interface
Use this resource to configure or retrieve the state of a tunnel interface.
History
| Release | Modification |
|---|---|
| IOS XE 3.13 | Introduced for the CSR1000V platform |
| IOS XE 3.14 | Introduced for ASR1001-X and ASR1002-X platforms |
Properties
| Property | Type | Required for POST and PUT | Description |
|---|---|---|---|
| kind | string | Optional | object#vpn-site-to-site-state |
| vpn-interface-name | string | Optional | VPN interface name. Example: Tunnel100 |
| enabled | Boolean | Mandatory | False = shut the tunnel interface; True = no shut the tunnel interface |
| line-protocol-state | string | Optional | Used only in GET, not in PUT. Possible values: "up" or "down" |
JSON Representation
{
  "kind": "object#vpn-site-to-site-state",
  "vpn-interface-name": "{string}",
  "enabled": {boolean},
  "line-protocol-state": "{string}"
}
Configure Tunnel Interface State
Resource URI
PUT /api/v1/vpn-svc/site-to-site/{vpn-interface-id}/state
Example
JSON Request
PUT /api/v1/vpn-svc/site-to-site/tunnel100/state
Content-Type: application/json
{
  "vpn-interface-name": "tunnel100",
  "enabled": true
}
JSON Response
Retrieve Tunnel Interface State
Resource URI
GET /api/v1/vpn-svc/site-to-site/{vpn-interface-id}/state
Example
JSON Request
GET /api/v1/vpn-svc/site-to-site/tunnel100/state
JSON Response
Content-type: application/json
{
  "kind": "object#vpn-site-to-site-state",
  "vpn-interface-name": "tunnel100",
  "line-protocol-state": "down"
}
VPN Active Sessions Collection Resource
History
| Release | Modification |
|---|---|
| IOS XE 3.10 | Introduced for the CSR1000V platform |
| IOS XE 3.14 | Introduced for ASR1001-X and ASR1002-X platforms |
Properties
| Property | Type | Required for POST and PUT | Description |
|---|---|---|---|
| kind | string | Not applicable | Must be collection#vpn-active-session |
| items | array | Not applicable | List of vpn-active-session JSON objects |
| vpn-type | string | Not applicable | Must be “site-to-site”. |
| vpn-interface-name | string | Not applicable | Unique name identifying the VPN tunnel. |
| status | string | Not applicable | See the next table for a description of the possible tunnel states. |
| local-address | ipaddress | Not applicable | Tunnel source IP address in x.x.x.x format. |
| remote-address | string | Not applicable | Tunnel destination IP address in x.x.x.x format. |
| ike-remaining-lifetime | number | Not applicable | IKE SA remaining lifetime in HH:MM:SS format. |
| ipsec-tx-remaining-lifetime-kb | number | Not applicable | IPSec outbound SA remaining lifetime in KB. |
| ipsec-rx-remaining-lifetime-kb | number | Not applicable | IPSec inbound SA remaining lifetime in KB. |
| ipsec-tx-remaining-lifetime-sec | number | Not applicable | IPSec outbound SA remaining lifetime in seconds. |
| ipsec-rx-remaining-lifetime-sec | number | Not applicable | IPSec inbound SA remaining lifetime in seconds. |
JSON Representation
{
  "kind": "collection#vpn-active-session",
  "items": [
    {
      "kind": "object#vpn-active-session",
      "vpn-type": "site-to-site",
      "vpn-interface-name": "{string}",
      "status": "{string}",
      "local-address": "{ipaddress}",
      "remote-address": "{ipaddress}",
      "ike-remaining-lifetime": "hh:mm:ss",
      "ipsec-tx-remaining-lifetime-in-KB": {number},
      "ipsec-rx-remaining-lifetime-in-KB": {number},
      "ipsec-tx-remaining-lifetime-in-sec": {number},
      "ipsec-rx-remaining-lifetime-in-sec": {number}
    }
  ]
}
Tunnel States
The following table lists the tunnel states.
| IKE SA | IPSec SA | Tunnel State |
|---|---|---|
| Exist, active | Exist (flow exists) | UP-ACTIVE |
| Exist, active | None (flow exists) | UP-IDLE |
| Exist, inactive | Exist (flow exists) | UP-NO-IKE |
| Exist, inactive | None (flow exists) | DOWN-NEGOTIATING |
| Exist, inactive | None (no flow) | DOWN-NEGOTIATING |
| None | Exist (flow exists) | UP-NO-IKE |
| None | None (flow exists) | DOWN |
| None | None (no flow) | DOWN |
Retrieve VPN Active Sessions
Resource URI
GET /api/v1/vpn-svc/site-to-site/active/sessions
Example
JSON Request
GET /api/v1/vpn-svc/site-to-site/active/sessions
JSON Response
Content-type: application/json
{
  "kind": "collection#vpn-active-session",
  "items": [
    {
      "kind": "object#vpn-active-session",
      "vpn-interface-name": "tunnel100",
      "vpn-type": "site-to-site",
      "local-address": "10.1.1.4",
      "remote-address": "10.1.1.3",
      "ike-remaining-lifetime": "22:03:24",
      "ipsec-tx-remaining-lifetime-in-KB": 4605665,
      "ipsec-rx-remaining-lifetime-in-KB": 4605400,
      "ipsec-tx-remaining-lifetime-in-sec": 2949,
      "ipsec-rx-remaining-lifetime-in-sec": 2949
    }
  ]
}
Retrieve All VPN Active Session Statistics
Resource URI
GET /api/v1/vpn-svc/site-to-site/statistics
Properties for Retrieve All
| Property | Type | Required for POST and PUT | Description |
|---|---|---|---|
| kind | string | Not applicable | Must be “collection#vpn-statistics”. |
| items | array | Not applicable | List of object#vpn-statistics |
| vpn-type | string | Not applicable | Must be “site-to-site” in IOS-XE 3.10 |
| vpn-interface-name | string | Not applicable | The IOS tunnel number in “tunnel<number>” format, such as “tunnel2”. |
| local-address | ipaddress | Not applicable | Tunnel source IP address in x.x.x.x format. |
| remote-address | ipaddress | Not applicable | Tunnel destination IP address in x.x.x.x format. |
| encapsulated | number | Not applicable | Number of encapsulated packets. |
| decapsulated | number | Not applicable | Number of decapsulated packets. |
| encrypted | number | Not applicable | Number of encrypted packets. |
| decrypted | number | Not applicable | Number of decrypted packets. |
| send-errors | number | Not applicable | Number of transmit error packets. |
| receive-errors | number | Not applicable | Number of receive error packets. |
JSON Representation
{
  "kind": "collection#vpn-statistics",
  "items": [
    {
      "kind": "object#vpn-statistics",
      "vpn-type": "site-to-site",
      "vpn-interface-name": "{string}",
      "local-address": "{ipaddress}",
      "remote-address": "{ipaddress}",
      "encapsulated": {number},
      "decapsulated": {number},
      "encrypted": {number},
      "decrypted": {number},
      "send-errors": {number},
      "receive-errors": {number}
    }
  ]
}
Example
JSON Request
GET /api/v1/vpn-svc/site-to-site/statistics
JSON Response
Content-type: application/json
{
  "kind": "collection#vpn-statistics",
  "items": [
    {
      "kind": "object#vpn-statistics",
      "vpn-type": "site-to-site",
      "vpn-interface-name": "tunnel100",
      "local-address": "10.10.10.1",
      "remote-address": "13.13.13.1"
    }
  ]
}
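An added triage routine (not Cisco's code and not from this page) over the active-sessions collection, the Tunnel States table and the statistics collection described above. The sample collections are constructed from this page's example values plus a second and third tunnel, and the thresholds are this example's own.

```python
"""Triage the site-to-site active-sessions and statistics collections.

Added example, not Cisco's code. Field names follow the JSON representations
on this page; SAMPLE_SESSIONS and SAMPLE_STATISTICS are constructed from the
page's example values plus extra tunnels, and the thresholds are this
example's own choices.
"""

# Meaning of each state, condensed from the Tunnel States table above
STATE_MEANING = {
    "UP-ACTIVE": "IKE SA active and IPSec SA present with a flow",
    "UP-IDLE": "IKE SA active but no IPSec SA",
    "UP-NO-IKE": "IPSec SA present without an active IKE SA",
    "DOWN-NEGOTIATING": "IKE SA present but inactive, no IPSec SA",
    "DOWN": "no IKE SA and no IPSec SA",
}


def hms_to_seconds(text):
    """Parse the 'hh:mm:ss' ike-remaining-lifetime string into seconds."""
    hours, minutes, seconds = (int(part) for part in text.split(":"))
    return hours * 3600 + minutes * 60 + seconds


def triage(sessions, statistics, *, min_ike_sec=600, min_ipsec_kb=50_000,
           max_error_ratio=0.01):
    """Return {vpn-interface-name: [issue, ...]} over both collections.

    A tunnel present in statistics but absent from active sessions is reported
    too: a configured tunnel that never negotiated is easy to miss otherwise.
    """
    report = {}
    stats_by_name = {s["vpn-interface-name"]: s for s in statistics.get("items", [])}
    for sess in sessions.get("items", []):
        name = sess["vpn-interface-name"]
        issues = []
        status = sess.get("status", "unknown")
        if status != "UP-ACTIVE":
            issues.append(f"status {status}: {STATE_MEANING.get(status, 'undocumented state')}")
        if hms_to_seconds(sess["ike-remaining-lifetime"]) < min_ike_sec:
            issues.append("IKE SA lifetime nearly exhausted; a rekey is due, alert if it recurs")
        kb_left = min(sess["ipsec-tx-remaining-lifetime-in-KB"],
                      sess["ipsec-rx-remaining-lifetime-in-KB"])
        if kb_left < min_ipsec_kb:
            issues.append(f"IPSec SA volume lifetime down to {kb_left} KB")
        stats = stats_by_name.get(name)
        if stats:
            sent, recv = stats.get("encrypted", 0), stats.get("decrypted", 0)
            errors = stats.get("send-errors", 0) + stats.get("receive-errors", 0)
            if sent and not recv:
                issues.append("one-way traffic: packets encrypted but none decrypted; "
                              "check the peer and the return path")
            if (sent + recv) and errors / (sent + recv) > max_error_ratio:
                issues.append(f"{errors} errors over {sent + recv} packets exceeds "
                              f"{max_error_ratio:.0%}")
        report[name] = issues
    for name in sorted(stats_by_name.keys() - report.keys()):
        report[name] = ["configured tunnel has no active session"]
    return report


def _session(name, status, peer, ike, tx_kb, rx_kb):
    # constructed object#vpn-active-session, fields as on this page
    return {"kind": "object#vpn-active-session", "vpn-interface-name": name,
            "vpn-type": "site-to-site", "status": status, "local-address": "10.1.1.4",
            "remote-address": peer, "ike-remaining-lifetime": ike,
            "ipsec-tx-remaining-lifetime-in-KB": tx_kb, "ipsec-rx-remaining-lifetime-in-KB": rx_kb,
            "ipsec-tx-remaining-lifetime-in-sec": 2949, "ipsec-rx-remaining-lifetime-in-sec": 2949}


def _stats(name, peer, encrypted, decrypted, send_err, recv_err):
    # constructed object#vpn-statistics, fields as on this page
    return {"kind": "object#vpn-statistics", "vpn-type": "site-to-site",
            "vpn-interface-name": name, "local-address": "10.10.10.1", "remote-address": peer,
            "encapsulated": encrypted, "decapsulated": decrypted, "encrypted": encrypted,
            "decrypted": decrypted, "send-errors": send_err, "receive-errors": recv_err}


SAMPLE_SESSIONS = {"kind": "collection#vpn-active-session", "items": [
    _session("tunnel100", "UP-ACTIVE", "10.1.1.3", "22:03:24", 4605665, 4605400),
    _session("tunnel101", "UP-IDLE", "10.1.1.5", "00:04:10", 12000, 4608000),
]}
SAMPLE_STATISTICS = {"kind": "collection#vpn-statistics", "items": [
    _stats("tunnel100", "13.13.13.1", 1000, 950, 0, 40),
    _stats("tunnel101", "13.13.13.2", 500, 0, 0, 0),
    _stats("tunnel200", "13.13.13.3", 0, 0, 0, 0),
]}

if __name__ == "__main__":
    for tunnel, issues in triage(SAMPLE_SESSIONS, SAMPLE_STATISTICS).items():
        print(tunnel, "OK" if not issues else "; ".join(issues))
```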
Remote Access VPN Server
To create the EzVPN server, the following objects need to be defined, in addition to the IKE policy, keyring and IPSec profile already defined for P2P tunneling:
- IP local address pool
- Client-config-profile (this configuration is pushed to the remote client once it connects)
- Vtemplate (a dynamic tunnel is cloned from it once a remote client connects)
- IKE profile (classifies who belongs to the group, and what policy to apply)
EzVPN Server
The CSR1000v supports the Easy VPN (EzVPN) server only. Creating the EzVPN server requires the objects listed above (IP local address pool, client-config-profile, vtemplate and IKE profile) in addition to the IKE policy, keyring and IPSec profile already defined for P2P tunneling.
Create an EzVPN Server
1. Create a keyring.
POST /api/v1/vpn-svc/ike/keyrings
See Create an IKE Keyring.
2. (Optional) Create an IKE policy.
POST /api/v1/vpn-svc/ike/policies
See Create an IKE Policy.
3. Create an IPSec policy. It includes the transform-set and the IPSec profile.
POST /api/v1/vpn-svc/ipsec/policies
See Create an IPSec Policy.
4. Create a local pool. The local pool is used to assign an address to the remote user.
POST /api/v1/vpn-svc/ezvpn/pools
See Create an IP Local Pool.
5. (Required) Create a client-config-profile.
See EzVPN Client Config Profile.
6. (Required) Create an IKE profile. It cannot be a shared profile.
See IKE Profile.
7. Configure the EzVPN server. This is the remote access endpoint; it refers to the IKE/IPSec policy or profile and creates a virtual-template interface, which the DVTI interface clones when a remote client logs in.
See EzVPN Server Interface.
Resource Summary for EzVPN
| Resource | URI | GET | POST | PUT | DELETE |
|---|---|---|---|---|---|
| Local pool | /api/v1/globle/local-pool/ | Y | Y | Y | Y |
| Ike-profile | /api/v1/vpn-svc/ike/ike-profile/{ike-profile-id} | Y | N | Y | Y |
| all ike-profile | /api/v1/vpn-svc/ike/ike-profiles | Y | Y | N | N |
| Client-config profile | /api/v1/vpn-svc/ezvpn/client-config-profiles | Y | Y | Y | Y |
| EzVPN server | /api/v1/vpn-svc/ezvpn/ezvpn-servers | Y | Y | N | N |
| EzVPN server | /api/v1/vpn-svc/ezvpn/ezvpn-servers/{ezvpn-id} | Y | N | Y | Y |
IP Local Pool
History
| Release | Modification |
|---|---|
| IOS XE 3.11 | Introduced for the CSR1000V platform |
| IOS XE 3.14 | Introduced for ASR1001-X and ASR1002-X platforms |
Properties
| Property | Type | Required for POST and PUT | Description |
|---|---|---|---|
| pool-name | string | Mandatory | Pool name |
| ip-version | string | Optional | IPv4 format |
| start-address | string | Mandatory | Starting address |
| end-address | string | Mandatory | Ending address |
JSON Representation for the IP Local Pool Command
{
  "description": "IP local pool",
  "pool-name": {"type": "string"},
  "ip-version": {"type": "string"},
  "start-address": {"type": "string"},
  "end-address": {"type": "string"}
}
Create an IP Local Pool
Example
POST /api/v1/vpn-svc/ezvpn/pools
Content-Type: application/json
{
  "pool-name": "pool1",
  "start-address": "10.1.1.1",
  "end-address": "10.1.1.255"
}
JSON Response
Location: https://host/api/v1/vpn-svc/ezvpn/pools/pool1
Retrieve an IP Local Pool
Example
GET /api/v1/vpn-svc/ezvpn/pools/pool1
JSON Response
Content-Type: application/json
{
  "kind": "object#local-pool",
  "pool-name": "pool1",
  "start-address": "10.1.1.1",
  "end-address": "10.1.1.255"
}
Delete an IP Local Pool
Example
DELETE /api/v1/vpn-svc/ezvpn/pools/pool1
JSON Response
IKE Profile
History
| Release | Modification |
|---|---|
| IOS XE 3.11 | Introduced for the CSR1000V platform |
| IOS XE 3.14 | Introduced for ASR1001-X and ASR1002-X platforms |
JSON Representation for the ike-profile Resource
{
  "description": "IKE profile",
  "ike-profile-name": {"type": "string"},
  "keyring": {"type": "string", "optional": true},
  "{identity match: property name not recovered}": {
    "category": {"type": "string",
                 "enum": ["group", "address", "host", "host domain"]},
    "value": {"type": "string"}
  },
  "authentication-list": {"type": "string", "optional": true},
  "authorization-list": {"type": "string", "optional": true},
  "accounting": {"type": "string", "optional": true},
  "client-group": {"type": "string", "optional": true},
  "{client configuration mode: property name not recovered}": {
    "type": "string", "optional": true,
    "enum": ["push", "on-demand", "both"]
  },
  "initiate-mode-aggressive": {"type": "boolean", "optional": true},
  "{keepalive: property name not recovered}": {
    "type": "object", "optional": true,
    "interval": {"type": "number", "min": 10, "max": 3600},
    "retry": {"type": "number", "min": 2, "max": 60}
  },
  "vtemplate-if-name": {"type": "string", "optional": true}
}
EzVPN Client Config Profile
History
| Release | Modification |
|---|---|
| IOS XE 3.11 | Introduced for the CSR1000V platform |
| IOS XE 3.14 | Introduced for ASR1001-X and ASR1002-X platforms |
JSON Representation for ezvpn-client-config-profile Resource
{
  "description": "client-config-profile",
  "profile-name": {"type": "string"},
  "pre-shared-key": {"type": "string"},
  "{first server pair: property name not recovered}": {
    "type": "object", "optional": true,
    "{address: property name not recovered}": {"type": "string", "format": "ip-address"},
    "{second address: property name not recovered}": {"type": "string", "format": "ip-address", "optional": true}
  },
  "{second server pair: property name not recovered}": {
    "type": "object", "optional": true,
    "{address: property name not recovered}": {"type": "string", "format": "ip-address"},
    "{second address: property name not recovered}": {"type": "string", "format": "ip-address", "optional": true}
  },
  "split-tunnel-acl": {"type": "string", "optional": true},
  "domain": {"type": "string", "optional": true},
  "pool-name": {"type": "string"},
  "prefix-len": {"type": "number"},
  "client-banner": {"type": "string", "optional": true, "maxlength": 500}
}
EzVPN Server Interface
The virtual-template interface requirement allows a dynamic VTI interface to be cloned and provides the user with the ability to configure additional IOS features, such as a firewall, to EzVPN tunnels.
History
| Release | Modification |
|---|---|
| IOS XE 3.11 | Introduced for the CSR1000V platform |
| IOS XE 3.14 | Introduced for ASR1001-X and ASR1002-X platforms |
Properties
| Property | Type | Required for POST and PUT | Description |
|---|---|---|---|
| description | string | Mandatory | Descriptive string for the EzVPN server. |
| vpn-type | string | Mandatory | "ezvpn" |
| vpn-interface-name | string | Mandatory | vtemplate name. If it does not exist, the system will create one. |
| ip-version | string | Mandatory | IPv4 |
| ike-profile-id | string | Mandatory | The ike-profile the server uses to negotiate with the remote client; it should include the client-config profile to push to the remote client. |
| ipsec-policy-id | string | Optional | IPSec policy name |
| local-device | object | Mandatory | IP address of the vtemplate and IP address of the tunnel source. |
| ip-address | string | Mandatory | (sub-property of local-device) Interface name or IP address of the vtemplate. |
| tunnel-ip-address | string | Mandatory | (sub-property of local-device) Interface name (preferable) or IP address of the tunnel source. |
JSON Representation for EzVPN-server Resource
{
  "kind": "object#ezvpn-server",
  "description": "{string}",
  "vpn-type": "ezvpn",
  "vpn-interface-name": "{string}",
  "ip-version": "{string}",
  "ike-profile-id": "{string}",
  "ipsec-policy-id": "{string}",
  "local-device": {
    "ip-address": "{string}",
    "tunnel-ip-address": "{string}"
  }
}
Create EzVPN Server Interface
Example
JSON Request
POST /api/v1/vpn-svc/ezvpn/servers
Content-Type: application/json
{
  "vpn-interface-name": "Virtual-Template11",
  "ipsec-policy-id": "profile101",
  "ike-profile-id": "ezvpn",
  "local-device": {
    "ip-address": "loopback0",
    "tunnel-ip-address": "gigabitethernet1"
  }
}
JSON Response
Location: https://host/api/v1/vpn-svc/ezvpn/servers/Virtual-Template11
Retrieve EzVPN Server Interface
Example
JSON Request
GET /api/v1/vpn-svc/ezvpn/servers/Virtual-Template11
JSON Response
Content-Type: application/json
{
  "kind": "object#ezvpn-server",
  "vpn-interface-name": "Virtual-Template11",
  "ipsec-policy-id": "profile101",
  "ike-profile-id": "ezvpn",
  "local-device": {
    "ip-address": "loopback0",
    "tunnel-ip-address": "gigabitethernet1"
  }
}
Delete EzVPN Server Interface
Example
JSON Request
DELETE /api/v1/vpn-svc/ezvpn/servers/Virtual-Template1
JSON Response