An IP filter
Security algorithms for authentication and key exchange
An action
You can configure IPsec on IPv4/IPv6 interfaces. First, create and configure an IPsec policy, and then add and enable the policy on an interface.
After you enable IPsec, the device encrypts all control traffic on the interface based on the policy. You have to specify individual policies to target a particular interface address or multiple addresses. By default, this implementation does not work on a subnet.
The Security Policy Database (SPD) maintains the IPsec security policies. The device checks every ingress or egress packet for the IPsec base protocol, either AH or ESP. The base protocol interacts with the security policy database (SPD) and security association database (SADB) to check the level of security to apply to that packet.
The IPsec feature only adds policies if the source address in the policy specified matches an interface IP address.
The IPsec feature restricts the policy match source address to the interface address of the router and destination IPv6 address.