Link an IPsec Policy to an Interface

Use the following procedure to link an IPsec policy to an interface, and configure a policy direction. By default, the direction is both.

Before you begin

  • Enable IPsec on the interface before you link an IPsec policy to it; the policy has no effect on an interface where IPsec is not enabled.

About this task

You cannot delete or modify an IPsec policy while it is linked to a port or VLAN interface. To modify the policy, first unlink it from every port or VLAN interface that uses it, make the change, and then link it again. While the policy is unlinked it does not apply to traffic on that interface.

Procedure

  1. Enter Interface Configuration mode:

    enable

    configure terminal

    followed by one of the following:

    • interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]}

    • interface loopback <1–256>

    • interface mgmtEthernet <mgmt | mgmt2>

    • interface vlan <1–4059>

    Note

    If the platform supports channelization and the port is channelized, you must also specify the sub-port in the format slot/port/sub-port.

  2. Link the IPsec policy to an IPv4 interface:

    ip ipsec policy WORD<1–32> dir <both|in|out>

  3. Link the IPsec policy to an IPv6 interface:

    ipv6 ipsec policy WORD<1–32> dir <both|in|out>

  4. Optional: Unlink the IPsec policy from an IPv4 interface:

    no ip ipsec policy WORD<1–32> dir <both|in|out>

  5. Optional: Unlink the IPsec policy from an IPv6 interface:

    no ipv6 ipsec policy WORD<1–32> dir <both|in|out>

Example

Link the IPsec policy newpolicy to the IPv6 interface VLAN 100:

Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#interface vlan 100
Switch:1(config-if)#ipv6 ipsec policy newpolicy dir both
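A second session, added here as an example and not taken from the original procedure, links a policy to an IPv4 port interface in the ingress direction only and then walks through the unlink, modify, relink sequence that the About this task note requires. The policy name inbound-only, the port 1/1, and the ip ipsec enable command used to satisfy the Before you begin requirement are assumptions; the enable command is not shown on this page, and the commands that modify the policy itself are documented separately and are not shown.

```console
Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#interface GigabitEthernet 1/1
! Assumed command: IPsec must already be enabled on the interface (Before you begin)
Switch:1(config-if)#ip ipsec enable
! Link the policy for ingress traffic only; egress traffic on 1/1 is not covered by this policy
Switch:1(config-if)#ip ipsec policy inbound-only dir in
! To change the policy later, unlink it first; a linked policy cannot be modified or deleted
Switch:1(config-if)#no ip ipsec policy inbound-only dir in
Switch:1(config-if)#exit
! ... modify the policy here (IPsec policy configuration commands are documented separately) ...
! Link the policy again; it does not apply to traffic on 1/1 while it is unlinked
Switch:1(config)#interface GigabitEthernet 1/1
Switch:1(config-if)#ip ipsec policy inbound-only dir in
```

The unlink command repeats the same direction that was used when linking; if the policy was linked with dir both, unlink it with dir both.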

Variable Definitions

The following table defines parameters for the ip ipsec policy and ipv6 ipsec policy commands.

Variable               Value

WORD<1–32>             Specifies the policy ID.

dir <both|in|out>      Specifies the direction you want to protect with IPsec:
                         • both—Specifies both ingress and egress traffic.
                         • in—Specifies ingress traffic.
                         • out—Specifies egress traffic.
                       The default is both.