Configuring an IPsec policy
Use the following procedure to configure an IPsec policy. An IPsec policy defines the level of security for different types of traffic.
Before you begin
Create an IPsec policy.
About this task
You can only configure the IPsec policies for IPv4 addresses for UDP, TCP, and ICMPv4 protocols. You can continue to configure IPsec policies for IPv6 addresses for ICMPv6, OSPFv3, TCP, and UDP.
If you downgrade your software, the current IPsec configurations are no longer supported. You must boot with the factory default settings for IPsec, and then reconfigure the IPsec features.
You cannot delete or modify a policy if the policy links to a security association, or if the policy links to a port or VLAN interface. If you need to modify a policy you must first unlink the policy from the security association, and the port or VLAN interface.
Procedure
Example
Configure the remote address to 2001:db8:0:0:0:0:0:1 and local address to 2001:db8:0:0:0:0:0:15. configure the protocol to TCP source port 4 and destination port 5. Configure the policy to permit.
Switch:1>enable Switch:1#configure terminal Switch:1(config)#ipsec policy Ipv6policy raddr 2001:db8:0:0:0:0:0:1 Switch:1(config)#ipsec policy Ipv6policy laddr 2001:db8:0:0:0:0:0:15 Switch:1(config)#ipsec policy Ipv6policy protocol tcp sport 4 dport 5 Switch:1(config)#ipsec policy Ipv6policy action permit
Configure the remote address to 192.0.1.1 and local address to 192.0.1.2. configure the protocol to TCP source port 4 and destination port 5. Configure the policy to drop.
Switch:1>enable Switch:1#configure terminal Switch:1(config)#ipsec policy Ipv4policy raddr 192.0.1.1 Switch:1(config)#ipsec policy Ipv4policy laddr 192.0.1.2 Switch:1(config)#ipsec policy Ipv4policy protocol tcp sport 4 dport 5 Switch:1(config)#ipsec policy Ipv4policy action drop
Variable Definitions
The following table defines parameters for the ipsec policy command.
Variable |
Value |
---|---|
action <drop|permit> |
Specifies the action the policy takes. The default is permit. |
laddr WORD<1–32> |
Specifies the local address. The laddr parameter is an optional parameter that you can configure to have multiple local addresses for each remote address. The default is 0::0. |
protocol <icmp|icmpv6|ospfv3|tcp|udp>] [sport<1–65535>|any>][dport<1–65535>|any>] |
Specifies the protocol, as one of the following:
sport — Specifies the source port for TCP and UDP. You can specify any to configure any port as the source port. dport — Specifies the destination port for TCP and UDP. You can specify any to configure any port as the destination port. The default protocol is TCP any. IPv4 only supports ICMP, UDP, and TCP. |
raddr WORD<1–32> |
Specifies the remote address. The default is 0::0. |
WORD<1–32> |
Specifies the policy name. |