Configuring an IPsec policy

Use the following procedure to configure an IPsec policy. An IPsec policy defines the level of security for different types of traffic.

Before you begin

  • Create an IPsec policy.

About this task

For IPv4 addresses, you can configure IPsec policies only for the UDP, TCP, and ICMPv4 protocols. For IPv6 addresses, you can configure IPsec policies for the ICMPv6, OSPFv3, TCP, and UDP protocols.

If you downgrade your software, the current IPsec configurations are no longer supported. You must boot with the factory default settings for IPsec, and then reconfigure the IPsec features.

You cannot delete or modify a policy if the policy links to a security association, or if the policy links to a port or VLAN interface. If you need to modify a policy, you must first unlink the policy from the security association and from the port or VLAN interface.

Procedure

  1. Enter Global Configuration mode:

    enable

    configure terminal

  2. Configure the remote address:

    ipsec policy WORD<1–32> raddr WORD<1–32>

  3. Optional: Configure the local address:

    ipsec policy WORD<1–32> laddr WORD<1–32>

    The laddr parameter is an optional parameter that you can configure to have multiple local addresses for each remote address.

  4. Configure the protocol:

    ipsec policy WORD<1–32> [protocol <icmp|icmpv6|ospfv3|tcp|udp>] [sport <1–65535|any>] [dport <1–65535|any>]

  5. Configure the policy action:

    ipsec policy WORD<1–32> [action <drop|permit>]

Example

Configure the remote address to 2001:db8:0:0:0:0:0:1 and the local address to 2001:db8:0:0:0:0:0:15. Configure the protocol to TCP with source port 4 and destination port 5. Configure the policy action to permit.

Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#ipsec policy Ipv6policy raddr 2001:db8:0:0:0:0:0:1
Switch:1(config)#ipsec policy Ipv6policy laddr 2001:db8:0:0:0:0:0:15
Switch:1(config)#ipsec policy Ipv6policy protocol tcp sport 4 dport 5
Switch:1(config)#ipsec policy Ipv6policy action permit

Configure the remote address to 192.0.1.1 and the local address to 192.0.1.2. Configure the protocol to TCP with source port 4 and destination port 5. Configure the policy action to drop.

Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#ipsec policy Ipv4policy raddr 192.0.1.1
Switch:1(config)#ipsec policy Ipv4policy laddr 192.0.1.2
Switch:1(config)#ipsec policy Ipv4policy protocol tcp sport 4 dport 5
Switch:1(config)#ipsec policy Ipv4policy action drop
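To review policies entered with the commands above before they are linked to a security association or interface, the following Python example (added here; it is not from this page or the switch vendor) folds pasted ipsec policy lines into each policy's effective values, filling in the documented defaults, and flags combinations the page lists as unsupported. It assumes that a policy's raddr and laddr share one address family and that a policy whose addresses are both still the 0::0 default is treated as IPv6.

```python
import ipaddress
import re
# Rules from the page: IPv4 policies support only ICMP, TCP and UDP; IPv6
# policies support ICMPv6, OSPFv3, TCP and UDP; sport/dport apply to TCP and
# UDP; names are 1-32 characters; unset parameters take these defaults.
ALLOWED = {4: {"icmp", "tcp", "udp"}, 6: {"icmpv6", "ospfv3", "tcp", "udp"}}
DEFAULTS = {"raddr": "0::0", "laddr": "0::0", "protocol": "tcp",
            "sport": "any", "dport": "any", "action": "permit"}
LINE_RE = re.compile(r"^\s*ipsec policy (\S+)\s*(.*)$", re.M)
SAMPLE = """ipsec policy Ipv6policy raddr 2001:db8:0:0:0:0:0:1
ipsec policy Ipv6policy protocol tcp sport 4 dport 5
ipsec policy Ipv4policy raddr 192.0.1.1
ipsec policy Ipv4policy action drop"""  # constructed sample, condensed from the page's examples

def parse_policies(text: str) -> dict:
    """Fold 'ipsec policy NAME ...' lines into one dict per policy, over the defaults."""
    policies = {}
    for m in LINE_RE.finditer(text):
        name, tokens = m.group(1), iter(m.group(2).split())
        pol = policies.setdefault(name, dict(DEFAULTS))
        for key in tokens:
            value = next(tokens, None)   # None: keyword given without a value
            if key not in DEFAULTS or value is None:
                raise ValueError(f"{name}: bad token {key!r}")
            pol[key] = value
    return policies

def check_policy(name: str, pol: dict) -> list:
    """Return the rule violations for one policy; an empty list means it is consistent."""
    problems = []
    if not 1 <= len(name) <= 32:
        problems.append("name must be 1-32 characters")
    versions = set()
    for key in ("raddr", "laddr"):
        try:
            if pol[key] != DEFAULTS[key]:   # the 0::0 default carries no family
                versions.add(ipaddress.ip_address(pol[key]).version)
        except ValueError:
            problems.append(f"{key} {pol[key]!r} is not an IP address")
    family = versions.pop() if versions else 6   # assumes both ends share a family
    if pol["protocol"] not in ALLOWED[family]:
        problems.append(f"protocol {pol['protocol']} not supported for IPv{family}")
    for key in ("sport", "dport"):
        if (port := pol[key]) != "any" and not (port.isdigit() and 1 <= int(port) <= 65535):
            problems.append(f"{key} must be 1-65535 or any")
        elif port != "any" and pol["protocol"] not in ("tcp", "udp"):
            problems.append(f"{key} only applies to tcp and udp")
    if pol["action"] not in ("drop", "permit"):
        problems.append("action must be drop or permit")
    return problems
```

Run `check_policy(name, pol)` over every entry returned by `parse_policies(show_output)` to list which policies still need attention before they are linked.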

Variable Definitions

The following table defines parameters for the ipsec policy command.

Variable

Value

action <drop|permit>

Specifies the action the policy takes.

The default is permit.

laddr WORD<1–32>

Specifies the local address. The laddr parameter is an optional parameter that you can configure to have multiple local addresses for each remote address.

The default is 0::0.

protocol <icmp|icmpv6|ospfv3|tcp|udp> [sport <1–65535|any>] [dport <1–65535|any>]

Specifies the protocol, as one of the following:
  • ICMP

  • ICMPv6

  • OSPFv3

  • TCP

  • UDP

sport — Specifies the source port for TCP and UDP. You can specify any to configure any port as the source port.

dport — Specifies the destination port for TCP and UDP. You can specify any to configure any port as the destination port.

The default protocol is TCP any.

IPv4 only supports ICMP, UDP, and TCP.

raddr WORD<1–32>

Specifies the remote address.

The default is 0::0.

WORD<1–32>

Specifies the policy name.